oblivious signature based envelope

15
Speaker:Jun-Ting Lai Date:2010/04/15 Oblivious Signature Based Envelope Ninghui Li,Wenliang Du, and Dan Boneh. In Proceedings of the 22nd ACM Symposium on Principles of Distributed Computing (PODC 2003). ACM Press, July 2003.

Upload: lorna

Post on 13-Jan-2016

27 views

Category:

Documents


2 download

DESCRIPTION

Oblivious Signature Based Envelope. Speaker:Jun-Ting Lai Date:2010/04/15. Ninghui Li,Wenliang Du, and Dan Boneh. In Proceedings of the 22nd ACM Symposium on Principles of Distributed Computing (PODC 2003). ACM Press, July 2003. Outline. Introduction - PowerPoint PPT Presentation

TRANSCRIPT

Speaker:Jun-Ting Lai

Date:2010/04/15

Oblivious Signature BasedEnvelope

Ninghui Li,Wenliang Du, and Dan Boneh. In Proceedingsof the 22nd ACM Symposium on Principles of Distributed Computing (PODC 2003). ACM Press, July 2003.

OutlineIntroductionOther Applications And Related Concepts Of OSBEOblivious Signature Based Envelope(OSBE): DefinitionAN OSBE SCHEME FOR RSA SIGNATURESOne round OSBE Using Identity Based EncryptionConclusion

2

IntroductionExchanging digitally signed certificates is an increasingly popular approach for authentication and authorization in distributed systems.

ATN protocols would conclude negotiation failure, because there is cyclic interdependency between two negotiators’ AC policies.

3

2-party Secure Function Evaluation(SFE) problem

The function F is defined as follows.

{

In other words, our goal is that Alice learns nothing and Bob learns without learning anything else.

4

[ , , ] ( , )

[ , , ] ( , )Alice

Bob

F Verify M PK P

F Verify M PK P

otherwise

p if ( , ) ;PKVerify M true

[ , , ] ( , )BobF Verify M PK P

Other Applications And RelatedConcepts Of OSBE

OSBE scheme enables the sender to send a message with the assurance that it can be seen only by the receiver if it has appropriate certificates while at the same time protecting the receiver’s privacy such that the sender does not know whether the receiver has the required certificates or not.

OSBE might also be used in the context of Private Information Retrieval (PIR) to provide access control on the information being retrieved.

5

Between OSBE and FES of Difference

First, the signatures involved in OSBE are not generated by the two parties involved in the protocols, but rather generated by certification authorities before the OSBE protocol is used.

Second, in FES protocols, at some stage, one party learns that the other party has a signature without obtaining that signature. This does not satisfy the security requirements of OSBE. Because of the above two reasons, FES protocols cannot be used directly to achieve OSBE.

Third, OSBE does not require a fair exchange of signatures.6

Oblivious Signature Based Envelope(OSBE): Definition

An Oblivious Signature-Based Envelope (OSBE) scheme is parameterized by a signature scheme Sig. It involves a sender S and two receivers R1 and R2. An OSBE scheme has the following three phases:

SetupInteractionOpen

7

Three phasesSetup: The Setup algorithm takes a security parameter and creates system parameters, which include a signing key whose public key is denoted by . Two messages and are chosen. and are given to all three parties, namely, and . In addition, the sender S is given and the receiver is given the signature .

Interaction: One of R1 and R2 is chosen as R, without S knowing which one. S and R run an interactive protocol.

Open: After the interaction phase, if , i.e., was chosen in the interaction phase, outputs the message .

( can do that because it knows .)

Otherwise , when ,R does nothing.

. 8

t

M 1RpkM

1,S R2R

P

1R( )PKSig M

P

1R R 1R

R PR ( )PKSig M

2R R

Three propertiesSoundOblivioussemantically secure against the receiver

9

AN OSBE SCHEME FOR RSA SIGNATURES

The key space is defined to be the following set:{ ,equal size primes, }The values and are public, and the value is secret . For , message , and a message digest function , define

and

10

K

( , , ) | , ,n e d n pq p q 1(mod )ed n

n e d

( , , )k n e d M*:{0,1} nH Z

( ) ( ) moddKSig M H M n ( , ) ( ) (mod )e

KVerify M ture H M n

Three phasesSetup:The setup algorithm takes a security parameter and runs the RSA key generation algorithm to create an RSA key ; in addition, it generates two security parameters and , which are linear in . In practice, suffices. Two messages and are chosen. Party S is given , , and . Party R1 is given , , and

. Party R2 is given and .

11

t

( , , )n e d

1t t 1 2 128t t

M PM P( , )n e ( , )n e

( ( ) mod )dH M n M( , )n e

2t

M

Three phases(2/2)Interaction:

sends to , in which . sends to , in which . receives , checks that , picks

, computes and then sends to the pair: .

Open: receives from the interaction phase; it computes , and decrypts C using .

12

S

1R : ( mod )xS h n 1[1..2 ]tx n

2R

{0,1, 1}n 2[1..2 ]ty n ( mod )ey yr h n R

'( )( mod ), [ ]yeH rh n C p

1R ( , )C' ( mod )xr n

' '( )H r

1' [1..2 ]tx n': ( mod )xS h n

One round OSBE Using Identity Based Encryption(1/2)

Setup: Let and be two messages and let be the IBE private key corresponding to when is viewed as a public key. The sender is given and . The receiver is given .Interaction: The sender wants to send to the receiver so that the receiver can only obtain if she has the signature on .The sender encrypts using as an IBE public key and sends the resulting ciphertext to the receiver.

13

M P ( )PKSig M

M MM

P ( )PKSig M

PP

( )PKSig M MP M

C

One round OSBE Using Identity Based Encryption(2/2)

Open: The receiver, using the private key can decrypt to obtain .

14

( )PKSig M

C P

ConclusionWe introduced oblivious signature-based envelope (OSBE) as a solution to the SFE problem and mentioned that OSBE can be used in other privacy sensitive applications as well.

An open problem is to find an efficient and provably secure OSBE scheme for DSA signatures. We are also investigating other applications of the OSBE concept.

15