Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University


Post on 27-Dec-2015


Page 1

Oblivious Signature-Based Envelope

Ninghui Li, Stanford University; Wenliang (Kevin) Du, Syracuse University; Dan Boneh, Stanford University

Page 2

Motivation

Alice: I have a message P to report, but I want to make sure you are CIA. Please show me your CIA certificate.

Bob: I won’t show my CIA certificate to you, just give me the message.

??????

Page 3

Outline of This Presentation

• Introduce the Oblivious Signature-Based Envelope (OSBE) concept.

• An OSBE scheme for RSA signatures.

• OSBE using Identity Based Encryption (IBE).

• Summary and Future Work.

Page 4

Public Key Certificate (an example)

Bob’s CIA certificate:

• PK: the CIA’s public key.

• M: “Bob is with CIA”

• = $\mathrm{Sig}_{PK}(M)$: signature on M (certificate).

• The secret part is

Page 5

Oblivious Signature-Based Envelope (OSBE)

Message P

Sender Receiver

• Receiver can open the envelope if and only if he/she has the certificate.

• Sender cannot know whether the receiver has the certificate.

Page 6

OSBE Definition

Setup

• PK: the Certificate Authority’s public key.

• M: content of the certificate.

• = $\mathrm{Sig}_{PK}(M)$: signature on M (certificate).

• S: Sender of message P (P is given to S only).

• R1: Receiver with .

• R2: Receiver without .

PK and M are given to all three parties.

Page 7

OSBE Definition (cont’d)

Interaction

• One of R1 and R2 is chosen as R, without S knowing which one.

• S and R run an interactive protocol.

Open

• R outputs P if and only if R = R1. Note: R1 has the certificate, R2 doesn’t.

Page 8

Security Requirements

Sound: R1 can output P with overwhelming probability.

Oblivious: S does not learn whether it is communicating with R1 or R2.

Semantically secure against the receiver: R2 learns nothing about P.

Page 9

Outline of This Presentation

• Introduce the Oblivious Signature-Based Envelope (OSBE) concept.

• An OSBE scheme for RSA signatures.

• OSBE using Identity Based Encryption (IBE).

• Summary and Future Work.

Page 10

An OSBE Scheme for RSA

RSA Signatures:

• (e, n): public key PK.

• d: private key.

• h = hash(M): hash value of M.

• = $\mathrm{Sig}_{PK}(M) = h^d \pmod n$: signature.

• $(h^d)^e = (h^e)^d = h \pmod n$.

Page 11

RSA-OSBE Scheme: Setup

Setup:

• Everybody knows h, M, (e, n)

• Sender S knows: P

• Receiver R1 knows: = ($h^d \bmod n$)

Page 12

Using Key Agreement

P

Sender Receiver

Sender knows the key; Receiver knows the key only if it has $h^d$.

Page 13

Diffie-Hellman Key Agreement

Alice (secret x), Bob (secret y)

Alice → Bob: $h^x \bmod n$

Bob → Alice: $h^y \bmod n$

Shared key: $(h^x)^y \bmod n = (h^y)^x \bmod n = h^{xy} \bmod n$

Page 14

Transforming Diffie-Hellman

S (random y), R1 (random x)

R1 → S: = $h^d \cdot h^x \bmod n$

S → R1: = $h^{ey} \bmod n$

S computes: ${}^{ey} = (h^{d+x})^{ey} = h^{edy} \cdot h^{exy} = h^y \cdot h^{exy}$

$r = {}^{ey} / h^y = h^{exy}$

R1 computes: $r' = (h^{ey})^x$

r = r’ if and only if Receiver knows $h^d$
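
The two-round exchange on this slide, run end to end for a receiver with and without the signature, as an added example that is not part of the original slides. The toy CA key, the names `blinded` and `sender_msg` for the two protocol messages (whose symbols did not survive in this transcript), the simplified exponent ranges and the XOR keystream used as the envelope are all assumptions.

```python
import hashlib
import secrets

# Constructed toy CA key (two Mersenne primes); far too small for real use.
p, q, e = 2**61 - 1, 2**89 - 1, 65537
n = p * q
d = pow(e, -1, (p - 1) * (q - 1))  # CA private exponent

def H(M: bytes) -> int:
    """h = hash(M), reduced mod n."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % n

def xor_stream(r: int, data: bytes) -> bytes:
    """Assumed envelope: XOR with a SHA-256(r || offset) keystream (no integrity)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(r.to_bytes(32, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def receiver_round1(h: int, sig=None):
    """R1 sends h^d * h^x mod n; R2, with no signature, can only send h^x'."""
    x = secrets.randbelow(n - 2) + 1
    blinded = pow(h, x, n) * (sig if sig is not None else 1) % n
    return x, blinded

def sender_round2(h: int, blinded: int, P: bytes):
    """S sends h^(ey) and seals P under r = blinded^(ey) * h^(-y) mod n."""
    y = secrets.randbelow(n - 2) + 1
    sender_msg = pow(h, e * y, n)
    r = pow(blinded, e * y, n) * pow(h, -y, n) % n
    return sender_msg, xor_stream(r, P)

def receiver_open(x: int, sender_msg: int, envelope: bytes) -> bytes:
    """Receiver derives r' = (h^(ey))^x; r' = r only if round 1 used h^d."""
    return xor_stream(pow(sender_msg, x, n), envelope)

def run(P: bytes, has_cert: bool) -> bytes:
    h = H(b"Bob is with CIA")
    sig = pow(h, d, n) if has_cert else None  # the signature h^d issued by the CA
    x, blinded = receiver_round1(h, sig)
    sender_msg, envelope = sender_round2(h, blinded, P)
    return receiver_open(x, sender_msg, envelope)

if __name__ == "__main__":
    print(run(b"message P", True))    # holder of h^d recovers P
    print(run(b"message P", False))   # non-holder gets unrelated bytes
```

In both runs the sender sees a single value mod n in round 1 and performs the same computation, so nothing in its view tells it whether the envelope was opened.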

Page 15

Properties

Theorem 1: RSA-OSBE is sound (r = r’)

Theorem 2: RSA-OSBE is oblivious

• R1: = $h^{d+x}$

• R2: = $h^{x'}$

• $\{h^{d+x} \mid x \text{ random}\}$ and $\{h^{x'} \mid x' \text{ random}\}$ are statistically indistinguishable.

Theorem 3: RSA-OSBE is semantically secure against the receiver, i.e., R2 cannot learn r.

Page 16

Proof of Theorem 3 (Approach)

We show that, if there exists an adversary receiver R (who does not know $h^d$) that can break RSA-OSBE,

• i.e., R can learn r by interacting with S,

then we can build an attacker that can generate $h^d$, i.e., we can use R to break RSA signatures.

Page 17

Proof of Theorem 3

R

M, (e, n)

= $h^{ey}$, y random

$r = {}^{ey} \cdot h^{-y}$

To construct RSA attacker using R, we can construct such that we can get $h^d$ out of , r ?

$r' = h^{exy}$

Page 18

Proof of Theorem 3 (cont’d)

R

= $h^{ey}$

$r = {}^{ey} \cdot h^{-y}$

RSA Attacker randomly generates k, constructs = $h^{1+ek} = h^{e(d+k)}$

Attacker knows

R outputs $r = {}^{ey} \cdot h^{-y} = {}^{e(d+k)} \cdot h^{-(d+k)} = {}^{1+ek} \cdot h^{-d} \cdot h^{-k}$,

Let y = d+k, then = $h^{ey}$

Page 19

Outline of This Presentation

• Introduce the Oblivious Signature-Based Envelope (OSBE) concept.

• An OSBE scheme for RSA signatures.

• OSBE using Identity Based Encryption (IBE).

• Summary and Future Work.

Page 20

Identity Based Encryption (IBE)

Public encryption key

“Bob is a CIA member”.

System Parameters

Cipher Text

Message P

Alice

Master Key

Private decryption key

Bob

Third Party

Page 21

IBE implies Signatures

Public encryption key

“Bob is a CIA member”.

System Parameters

Alice

Master Key

Private decryption key

Bob

Third Party

Message to be signed: M

PK

$PK^{-1}$

= $\mathrm{Sig}_{PK}(M)$

Page 22

OSBE Scheme Using IBE

Sender Receiver (Bob)

(1) Public key K = “Bob is a CIA member”

(2) $E_K$(Message)

(3) Decrypt $E_K$(Message) using the private key.

Page 23

Comparisons

• IBE-OSBE is one round; RSA-OSBE needs two rounds.

• RSA-OSBE can be used on existing Public Key Infrastructure.

Page 24

Summary and Future Work

• OSBE concept

• RSA-OSBE scheme and IBE-OSBE scheme

• Future Work: Find OSBE scheme for DSA signatures.