Parallel Signcryption with OAEP, PSS-R, and other Feistel Paddings

We present a new, elegant composition method for joint signature and encryption, also referred to assigncryption. The new method, which we call Padding-based Parallel Signcryption (PbPS), builds an effi-cient signcryption scheme from any family of trapdoor permutations, such as RSA. Each user U generates asingle public/secret key pair fU/f −1Uused for both sending and receiving the data. To signcrypt a messagem to a recipient with key frcv, a sender with key fsnd efficiently transforms m into a pair 〈w, s〉, and simplysends frcv(w)‖f −1snd(s). PbPS enjoys many attractive properties: simplicity, efficiency, generality, paral-lelism of “encrypting”/“signing”, optimal exact security, flexible and ad-hoc key management, key reuse forsending/receiving data, optimally-low message expansion, long message and associated data support, and,finally, complete compatibility with the PKCS#1 infrastructure.The pairs 〈w, s〉 sufficient for the security of PbPS are called universal two-padding schemes. Usingone round of the Feistel transform, we give a very general construction of such schemes. Interestingly, wenotice that all popular padding schemes with message recovery used for plain signature or encryption, suchas OAEP, OAEP+, PSS-R, and “scramble all, encrypt small” [21], naturally consist of two pieces 〈w, s〉.Quite remarkably, we show that all such pairs become special cases of our construction. As a result, we finda natural generalization of all conventional padding schemes, and show that any such padding can be usedfor signcryption with PbPS. However, none of such paddings gives optimal message bandwidth. For thatpurpose and of independent interest, we define a new “hybrid” between PSS-R and OAEP, which we callProbabilistic Signature-Encryption Padding (PSEP). We recommend using PbPS with PSEP to achievethe most flexible and secure signcryption scheme up-to-date. To justify this point, we provide a detailedpractical comparison of PbPS/PSEP with other previously-proposed signcryption candidates.