Anonymous Signcryption against Linear Related-Key Attacks

A related-key attack (RKA) occurs when an adversary tampers the private key stored in a cryptographic hardware device and observes the result of the cryptographic primitive under this modified private key. In this paper, we concentrate on the security of anonymous signcryption schemes under related-key attacks, in the sense that a signcryption system should contain no information that identifies the sender of the signcryption and the receiver of the message, and yet be decipherable by the targeted receiver. To achieve this, we consider our anonymous signcryption scheme being semantically secure against chosen ciphertext and related-key attacks (CC-RKA), existentially unforgeable against chosen message and related-key attacks (CM-RKA), and anonymous against chosen ciphertext and related-key attacks (ANON-RKA). Specifically, we require that an anonymous signcryption scheme remains secure even when an adversary is allowed to access the signcryption oracle and the designcryption oracle on linear shifts of the private keys of the sender and the receiver, respectively. After reviewing some basic definitions related to our construction, based on the existing work on cryptographic primitives in the setting of related-key attacks, we give a concrete anonymous signcryption scheme from BDH which achieves CCRKA security, CM-RKA security, ANON-RKA security in the random oracle model.