Signcryption simultaneously offers authentication through
unforgeability and confidentiality through indistinguishability against
chosen ciphertext attacks by combining the functionality of digital signatures
and public-key encryption into a single operation. Libert and
Quisquater (PKC 2004) extended this set of basic requirements with the
notions of ciphertext anonymity (or key privacy) and key invisibility to
protect the identities of signcryption users and were able to prove that
key invisibility implies ciphertext anonymity by imposing certain conditions
on the underlying signcryption scheme.
This paper revisits the relationship amongst privacy notions for signcryption.
We prove that key invisibility implies ciphertext anonymity
without any additional restrictions. More surprisingly, we prove that key
invisibility also implies indistinguishability against chosen ciphertext attacks.
This places key invisibility on the top of privacy hierarchy for
public-key signcryption schemes.
On the constructive side, we show that general “sign-then-encrypt”
approach offers key invisibility if the underlying encryption scheme satisfies
two existing security notions, indistinguishable against adaptive
chosen ciphertext attacks and indistinguishability of keys against adaptive
chosen ciphertext attacks. By this method we obtain the first key
invisible signcryption construction in the standard model.