Post on 27-Dec-2015
Oblivious Signature-Based Envelope
Ninghui Li, Stanford University
Wenliang (Kevin) Du, Syracuse University
Dan Boneh, Stanford University
Motivation
Alice: I have a message P to report, but I want to make sure you are CIA. Please show me your CIA certificate.
Bob: I won’t show my CIA certificate to you, just give me the message.
??????
Outline of This Presentation
• Introduce the Oblivious Signature-Based Envelope (OSBE) concept.
• An OSBE scheme for RSA signatures.
• OSBE using Identity Based Encryption (IBE).
• Summary and Future Work.
Public Key Certificate (an example)
Bob’s CIA certificate:
• PK: the CIA’s public key.
• M: “Bob is with CIA”
• = $\mathrm{Sig}_{PK}(M)$: signature on M (certificate).
The secret part is
Oblivious Signature-Based Envelope (OSBE)
Message P
Sender Receiver
• Receiver can open the envelope if and only if he/she has the certificate.
• Sender cannot know whether the receiver has the certificate.
OSBE Definition
Setup
• PK: the Certificate Authority’s public key.
• M: content of the certificate.
• = $\mathrm{Sig}_{PK}(M)$: signature on M (certificate).
• S: Sender of message P (P is given to S only).
• R1: Receiver with .
• R2: Receiver without .
PK and M are given to all three parties.
OSBE Definition (cont’d)
Interaction
• One of R1 and R2 is chosen as R, without S knowing which one.
• S and R run an interactive protocol.
Open
• R outputs P if and only if R = R1.
Note: R1 has the certificate, R2 doesn’t.
Security Requirements
Sound: R1 can output P with overwhelming probability.
Oblivious: S does not learn whether it is communicating with R1 or R2.
Semantically secure against the receiver: R2 learns nothing about P.
An OSBE Scheme for RSA
RSA Signatures:
• (e, n): public key PK.
• d: private key.
• h = hash(M): hash value of M.
• = $\mathrm{Sig}_{PK}(M) = h^{d} \pmod{n}$: signature.
• $(h^{d})^{e} = (h^{e})^{d} = h \pmod{n}$.
RSA-OSBE Scheme: Setup
• Everybody knows h, M, (e, n)
• Sender S knows: P
• Receiver R1 knows: = ($h^{d} \bmod n$)
Using Key Agreement
P
Sender Receiver
Sender knows the key; Receiver knows the key only if it has $h^{d}$.
Diffie-Hellman Key Agreement
Alice Bob
x, y
$h^{x} \bmod n$
$h^{y} \bmod n$
$(h^{x})^{y} \bmod n$, $(h^{y})^{x} \bmod n$
$= h^{xy} \bmod n$
Transforming Diffie-Hellman
S R1
x, y
= $h^{d} \cdot h^{x} \bmod n$
= $h^{ey} \bmod n$
e y = (h d+x) e y
= $h^{edy} \cdot h^{exy} = h^{y} \cdot h^{exy}$
$r' = (h^{ey})^{x}$
$r = r'$ if and only if Receiver knows $h^{d}$
r = e y /h y = h e x y
Properties
Theorem 1: RSA-OSBE is sound (r = r’)
Theorem 2: RSA-OSBE is oblivious
R1: = $h^{d+x}$
R2: = $h^{x'}$
$\{h^{d+x} \mid x \text{ random}\}$ and $\{h^{x'} \mid x' \text{ random}\}$ are statistically indistinguishable.
Theorem 3: RSA-OSBE is semantically secure against the receiver, i.e., R2 cannot learn r.
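The two-message exchange from the "Transforming Diffie-Hellman" slide, as an added Python example that is not from the original presentation. The toy modulus, the XOR envelope `seal`, and the names `msg1`, `msg2` and `run` are assumptions of this example; P is limited to 32 bytes here.

```python
import hashlib
import secrets

# Constructed toy RSA key: two Mersenne primes, far too small for real use.
P1, P2 = 2**31 - 1, 2**61 - 1
N, E = P1 * P2, 65537
D = pow(E, -1, (P1 - 1) * (P2 - 1))          # CA's private exponent d

def h_of(M: bytes) -> int:
    """h = hash(M), reduced mod n (the slides' h)."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % N

def ca_sign(M: bytes) -> int:
    """Certificate: h^d mod n."""
    return pow(h_of(M), D, N)

def receiver_msg(h: int, sig, x: int) -> int:
    """R1 sends h^d * h^x mod n; R2 (sig=None) sends h^x' mod n."""
    blind = pow(h, x, N)
    return blind if sig is None else (sig * blind) % N

def sender_round(h: int, msg1: int, P: bytes):
    """S picks y, returns (h^(ey) mod n, envelope); r = msg1^(ey) * h^(-y)."""
    y = secrets.randbelow(N - 2) + 1
    r = (pow(msg1, E * y, N) * pow(h, -y, N)) % N
    return pow(h, E * y, N), seal(r, P)

def receiver_open(msg2: int, x: int, envelope: bytes) -> bytes:
    """Receiver computes r' = (h^(ey))^x and opens the envelope with it."""
    return seal(pow(msg2, x, N), envelope)

def seal(r: int, data: bytes) -> bytes:
    """Toy envelope (assumption): XOR with SHA-256(r); the same call opens it."""
    pad = hashlib.sha256(r.to_bytes(16, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def run(M: bytes, P: bytes, has_cert: bool) -> bytes:
    """One protocol run; msg1/msg2 are this example's names for the two messages."""
    h = h_of(M)
    x = secrets.randbelow(N - 2) + 1
    msg1 = receiver_msg(h, ca_sign(M) if has_cert else None, x)
    msg2, env = sender_round(h, msg1, P)      # S sees only msg1 either way
    return receiver_open(msg2, x, env)
```

`run(M, P, True)` returns P because r = r'; with `has_cert=False` the receiver's r' differs from the sender's r by a factor of h^y, so the opened bytes are not P.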
Proof of Theorem 3 (Approach)
We show that, if there exists an adversary receiver R (who does not know $h^{d}$) that can break RSA-OSBE
• i.e., R can learn r by interacting with S,
then we can build an attacker that can generate $h^{d}$, i.e., we can use R to break RSA signatures.
Proof of Theorem 3
R
M, (e, n)
= $h^{ey}$, y random
r = e y · h -y
To construct an RSA attacker using R, can we construct such that we can get $h^{d}$ out of , r?
$r' = h^{exy}$
Proof of Theorem 3 (cont’d)
R
= $h^{ey}$
r = e y · h -
y
RSA Attacker randomly generates k, constructs
= $h^{1+ek} = h^{e(d+k)}$
Attacker knows
R outputs r = e y · h -y = e(d+k) · h-(d+k) = 1+ek · h-d ·
h-k,
Let $y = d+k$, then = $h^{ey}$
Identity Based Encryption (IBE)
Public encryption key
“Bob is a CIA member”.
System Parameters
Cipher Text
Message P
Alice
Master Key
Private decryption key
Bob
Third Party
IBE implies Signatures
Public encryption key
“Bob is a CIA member”.
System Parameters
Alice
Master Key
Private decryption key
Bob
Third Party
Message to be signed: M
PK
$PK^{-1}$
= $\mathrm{Sig}_{PK}(M)$
OSBE Scheme Using IBE
Sender Receiver (Bob)
(1) Public key K = “Bob is a CIA member”
(2) $E_K$(Message)
(3) Decrypt $E_K$(Message) using the private key.
Comparisons
• IBE-OSBE is one round; RSA-OSBE needs two rounds.
• RSA-OSBE can be used on existing Public Key Infrastructure.
Summary and Future Work
• OSBE concept
• RSA-OSBE scheme and IBE-OSBE scheme
Future Work:
• Find OSBE scheme for DSA signatures.