200 likes | 213 Views
Secure Obfuscation for Encrypted Signatures. Eurocrypt 2010 (May 31) Satoshi Hada IBM Research - Tokyo. Outline. Summary Motivation Theoretical perspective Application perspective Proposed obfuscation Basic idea Example Main result Remarks Relation to signcryption
E N D
Secure Obfuscation for Encrypted Signatures Eurocrypt 2010 (May 31) Satoshi Hada IBM Research - Tokyo
Outline • Summary • Motivation • Theoretical perspective • Application perspective • Proposed obfuscation • Basic idea • Example • Main result • Remarks • Relation to signcryption • Attacks we can (not) prevent • Generalization
The purpose of obfuscation is to hide private information contained in programs while preserving the functionality. Before Obfuscation After Obfuscation byte[] signcrypt(byte[] m){ byte[] key } Obfuscator
Summary: a new positive result on program obfuscation • We will show that we can securely obfuscate an encrypted signature scheme. We can obfuscate this program Encrypted Signature Alice’s private signing key Bob’s public encryption key Ciphertext Message Sign Encrypt m c σ NOTE: The message is not encrypted.
Outline • Summary • Motivation • Theoretical perspective • Application perspective • Proposed obfuscation • Basic idea • Example • Main result • Remarks • Relation to signcryption • Attacks we can (not) prevent • Generalization
Motivation: only a few positive results are known and we should look for more positive results.
Motivation: To use signcryption for Webmail services, service providers need to store users’ private signing keys and execute signcryption on servers. Key leakage is a serious security issue. Signcrypt@ Server Key leakage is a serious security issue!! Server Server Standard browsers have no capability of signcryption Bob’s Web Browser Alice’s Web Browser
A solution is to obfuscate the signcryption program so that the private signing key can not be abused. Signcrypt@ Server Server Server We can obfuscate this program Bob’s Web Browser Alice’s Web Browser
Outline • Summary • Motivation • Theoretical perspective • Application perspective • Proposed obfuscation • Basic idea • Example • Main result • Remarks • Relation to signcryption • Attacks we can (not) prevent • Generalization
The basic idea is to design a pair of signature and encryption schemes such that the following two are functionally equivalent: • signing a message and then encrypting the signature, • encrypting the signing key and then signing the message under the encrypted signing key. Bob’s encryption key Encrypted Signature (to be obfuscated) Alice’s signing key Sign Encrypt σ Ciphertext Message c Encrypt Obfuscator m Encrypted Alice’s signing key Obfuscatedprograms Sign The virtual black-box property reduces to the security of encryption.
Example : We realize the basic idea using the BLS signature scheme • BLS signature by Boneh, Lynn, and Shacham (Asiacrypt 2001) • Key Pair: (v, s) such that v=gs • g is a generator of prime order q for a Bilinear group • v: public verification key • s: private signing key • Signature generation • σ=Sign(s, m)=H(m)s, where H is a hash function (a random oracle) • Key Encapsulation Mechanism (KEM) • Key Pair: (pk, sk) • pk: public encryption key • sk: private decryption key • Key encapsulation • (r,c)←KEM.Enc(pk) • r is a random key and c is its ciphertext • Two required properties • A scalar homomorphic property: Given a ciphertext c, we can compute (r’,c’) such that r’ is a new random key and c’ is a ciphertext of r*r’ (mod q). • c is rerandomizable • Example • Use Paillier encryption scheme as an KEM.Enc satisfying the two requirements
Input m Stored Info private signing key: s public encryption key: pk Code σ=Sign(m, s )=H(m)s (r,c) ←KEM.Enc(pk) Compute σr Output (c, σr) Example: Encrypted signature program Sign Encrypt
Input m Stored Info private signing key: s public encryption key: pk Code σ=Sign(m, s )=H(m) s (r,c) ←KEM.Enc(pk) Compute σr Output (c, σr) Example: Obfuscation (initial attempt) Encrypted signing key After Obfuscation Before Obfuscation • Input m • Stored Info • c, where (r,c) ←KEM.Enc(pk) • s’=s*r mod q • Code • Sign(m, s’)= H(m)s’(=σr) • Output (c, σr) Obfuscation Output is fixed for each message Output is randomly generated
Example: Obfuscation Before Obfuscation After Obfuscation • Input m • Stored Info • c, where (r,c) ←KEM.Enc(pk) • s’=s*r mod q • Code • Use the scalar homomorphic property to compute (r’,c’) • s’’=s’*r’ mod q • Sign(m, s’’)=H(m)s’’ (=σr*r’ ) • Rerandomize c’ • Output (c’, σr*r’ ) • Input m • Stored Info • private signing key: s • public encryption key: pk • Code • σ=Sign(m, s )=H(m)s • (r,c) ←KEM.Enc(pk) • Compute σr • Output (c, σr) Obfuscation Randomization was added The output distributions are identical
Main Result: We can securely obfuscate an encrypted signature scheme in the standard model Our contribution: • Apply the basic idea to the encrypted signature scheme defined as the sequential composition of Waters’s signature and linear encryption schemes. • Theorem 4: The obfuscator satisfies a virtual black-box property (VBP) under the DL assumption. • What does this mean?
Main Result: The security of Waters’s signature scheme is preserved even when adversaries are given obfuscated encrypted signature programs Concrete Abstract Stronger Security Thm 2: Waters’s signature scheme satisfies Def 3 under DBDH Def 3: A signature scheme is EU against adversaries having signing oracle Thms 1& 4 trivial trivial Thm 1 Def 5: A signature scheme is EU against adversaries having signing oracle and obfuscated encrypted signature program Corollary 1: Waters’s signature scheme satisfies Def 5 under DL and DBDH Thm 1: if the obfuscator satisfies the VBP, then Def 4 implies Def 5.
Outline • Summary • Motivation • Theoretical perspective • Application perspective • Proposed obfuscation • Basic idea • Example • Main result • Remarks • Relation to signcryption • Attacks we can (not) prevent • Generalization
We can use encrypted signature as a building block to construct a secure signcryption scheme. Using our proposed obfuscation, we can obfuscate the signcryption scheme. EncryptedSignature-then-Encryption (EStE) Encrypted Signature Alice’s private signing key Bob’s public encryption key Message (Hybrid) Encrypt Sign Encrypt m σ Ciphertext c m • Formal discussion would be a future work item: • The security of EStE-based signcryption • The security of obfuscation for EStE
There are some attacks that our proposed obfuscation cannot prevent.
Generalization: we can apply the basic idea to other signature schemes We can generalize our construction to clarify the properties that a pair of encryption and signature schemes should satisfy so that the encrypted signature can be securely obfuscated