240 likes | 577 Views
Oblivious Signature-Based Envelope. Ninghui Li , Stanford University Wenliang (Kevin) Du , Syracuse University Dan Boneh , Stanford University. Motivation. Alice . Bob. I have an message P to report, but I want to make sure you are CIA. Please show me your CIA certificate.
E N D
Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University
Motivation Alice Bob I have an message P to report, but I want to make sure you are CIA. Please show me your CIA certificate. I won’t show my CIA certificate to you, just give me the message. ??????
Outline of This Presentation • Introduce the Oblivious Signature-Based Envelope (OSBE) concept. • An OSBE scheme for RSA signatures. • OSBE using Identity Based Encryption (IBE). • Summary and Future Work.
Public Key Certificate(an example) • Bob’s CIA certificate: • PK: the CIA’s public key. • M: “Bob is with CIA” • = SigPK(M): signature on M (certificate). • The secret part is
Oblivious Signature-Based Envelope (OSBE) Receiver Sender Message P • Receiver can open the envelope if and only if he/she has • the certificate. • Sender cannot know whether the receiver has the certificate.
OSBE Definition • Setup • PK: the Certificate Authority’s public key. • M: content of the certificate. • = SigPK(M): signature on M (certificate). • S: Sender of message P (P is given to S only). • R1: Receiver with . • R2: Receiver without . • PK and M are given to all three parties.
OSBE Definition (cont’d) • Interaction • One of R1 and R2 is chosen as R, without S knowing which one. • S and R run an interactive protocol. • Open • R outputs P if and only if R = R1. • Note: R1has the certificate, R2 doesn’t.
Security Requirements • Sound:R1 can output P with overwhelming probability. • Oblivious:S does not learn whether it is communicating with R1 or R2. • Semantically secure against the receiver:R2 learns nothing about P.
Outline of This Presentation • Introduce the Oblivious Signature-Based Envelope (OSBE) concept. • An OSBE scheme for RSA signatures. • OSBE using Identity Based Encryption (IBE). • Summary and Future Work.
An OSBE Scheme for RSA • RSA Signatures: • (e, n): public key PK. • d: private key. • h = hash(M):hash value of M. • = SigPK(M) = hd (mod n): signature. • (hd)e = (he)d = h (mod n).
RSA-OSBE Scheme: Setup • Setup: • Everybody knows h, M, (e, n) • Sender S knows: P • Receiver R1 knows: = (hd mod n)
Using Key Agreement Sender Receiver P Sender knows the key; Receiver knows the key only if it has hd.
Diffie-Hellman Key Agreement Bob Alice h xmod n x y h ymod n (h x)y mod n (h y)x mod n = h xy mod n
Transforming Diffie-Hellman S R1 = h d·h xmod n y x = h e ymod n ey=(h d+x)ey r ‘ = (h ey)x = h e d y· h e x y = h y· h e x y r = ey /h y= h e x y r = r’ if and only if Receiver knows h d
Properties • Theorem 1: RSA-OSBE is sound (r =r’) • Theorem 2: RSA-OSBE is oblivious • R1: = hd+x • R2: = hx’ • {hd+x|x random}and{hx’|x’ random}are statistically indistinguishable. • Theorem 3: RSA-OSBE is semantically secure against the receiver, i.e, R2 cannot learn r.
Proof of Theorem 3 (Approach) • Approach • We show that, if there exists an adversary receiver R (who does know hd) that can break RSA-OSBE • i.e., R can learn rby interacting with S, • Then we can build an attacker that can generate hd. i.e., we can use R to break RSA signatures
Proof of Theorem 3 R M, (e, n) = h ey, y random r’ = h exy r = e y·h -y To construct RSA attacker using R, we can construct such that we can get hd out of , r ?
Attacker knows Proof of Theorem 3 (cont’d) R = h ey r =e y·h -y RSA Attacker randomly generates k, constructs = h1+ek = h e(d+k) Let y = d+k, then = h e y R outputs r=ey·h -y =e(d+k)·h-(d+k)= 1+ek·h-d ·h-k,
Outline of This Presentation • Introduce the Oblivious Signature-Based Envelope (OSBE) concept. • An OSBE scheme for RSA signatures. • OSBE using Identity Based Encryption (IBE). • Summary and Future Work.
Master Key Bob Private decryption key Third Party Identity Based Encryption (IBE) System Parameters Alice Message P Public encryption key “Bob is a CIA member”. Cipher Text
IBE implies Signatures PK System Parameters Alice Message to be signed: M Public encryption key “Bob is a CIA member”. Master Key Bob Private decryption key PK-1 Third Party = SigPK(M)
OSBE Scheme Using IBE Receiver (Bob) Sender • Public key • K = “Bob is a CIA member” (2) EK(Message) • (3) Decrypt EK(Message) • using the private key.
Comparisons • IBE-OSBE is one round; RSA-OSBE needs two rounds. • RSA-OSBE can be used on existing Public Key Infrastructure.
Summary and Future Work • OSBE concept • RSA-OSBE scheme and IBE-OSBE scheme • Future Work: • Find OSBE scheme for DSA signatures.