1 / 20

Secure Obfuscation for Encrypted Signatures

Secure Obfuscation for Encrypted Signatures. Eurocrypt 2010 (May 31) Satoshi Hada IBM Research - Tokyo. Outline. Summary Motivation Theoretical perspective Application perspective Proposed obfuscation Basic idea Example Main result Remarks Relation to signcryption

stevenf
Download Presentation

Secure Obfuscation for Encrypted Signatures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Obfuscation for Encrypted Signatures Eurocrypt 2010 (May 31) Satoshi Hada IBM Research - Tokyo

  2. Outline • Summary • Motivation • Theoretical perspective • Application perspective • Proposed obfuscation • Basic idea • Example • Main result • Remarks • Relation to signcryption • Attacks we can (not) prevent • Generalization

  3. The purpose of obfuscation is to hide private information contained in programs while preserving the functionality. Before Obfuscation After Obfuscation byte[] signcrypt(byte[] m){ byte[] key } Obfuscator

  4. Summary: a new positive result on program obfuscation • We will show that we can securely obfuscate an encrypted signature scheme. We can obfuscate this program Encrypted Signature Alice’s private signing key Bob’s public encryption key Ciphertext Message Sign Encrypt m c σ NOTE: The message is not encrypted.

  5. Outline • Summary • Motivation • Theoretical perspective • Application perspective • Proposed obfuscation • Basic idea • Example • Main result • Remarks • Relation to signcryption • Attacks we can (not) prevent • Generalization

  6. Motivation: only a few positive results are known and we should look for more positive results.

  7. Motivation: To use signcryption for Webmail services, service providers need to store users’ private signing keys and execute signcryption on servers. Key leakage is a serious security issue. Signcrypt@ Server Key leakage is a serious security issue!! Server Server Standard browsers have no capability of signcryption Bob’s Web Browser Alice’s Web Browser

  8. A solution is to obfuscate the signcryption program so that the private signing key can not be abused. Signcrypt@ Server Server Server We can obfuscate this program Bob’s Web Browser Alice’s Web Browser

  9. Outline • Summary • Motivation • Theoretical perspective • Application perspective • Proposed obfuscation • Basic idea • Example • Main result • Remarks • Relation to signcryption • Attacks we can (not) prevent • Generalization

  10. The basic idea is to design a pair of signature and encryption schemes such that the following two are functionally equivalent: • signing a message and then encrypting the signature, • encrypting the signing key and then signing the message under the encrypted signing key. Bob’s encryption key Encrypted Signature (to be obfuscated) Alice’s signing key Sign Encrypt σ Ciphertext Message c Encrypt Obfuscator m Encrypted Alice’s signing key Obfuscatedprograms Sign The virtual black-box property reduces to the security of encryption.

  11. Example : We realize the basic idea using the BLS signature scheme • BLS signature by Boneh, Lynn, and Shacham (Asiacrypt 2001) • Key Pair: (v, s) such that v=gs • g is a generator of prime order q for a Bilinear group • v: public verification key • s: private signing key • Signature generation • σ=Sign(s, m)=H(m)s, where H is a hash function (a random oracle) • Key Encapsulation Mechanism (KEM) • Key Pair: (pk, sk) • pk: public encryption key • sk: private decryption key • Key encapsulation • (r,c)←KEM.Enc(pk) • r is a random key and c is its ciphertext • Two required properties • A scalar homomorphic property: Given a ciphertext c, we can compute (r’,c’) such that r’ is a new random key and c’ is a ciphertext of r*r’ (mod q). • c is rerandomizable • Example • Use Paillier encryption scheme as an KEM.Enc satisfying the two requirements

  12. Input m Stored Info private signing key: s public encryption key: pk Code σ=Sign(m, s )=H(m)s (r,c) ←KEM.Enc(pk) Compute σr Output (c, σr) Example: Encrypted signature program Sign Encrypt

  13. Input m Stored Info private signing key: s public encryption key: pk Code σ=Sign(m, s )=H(m) s (r,c) ←KEM.Enc(pk) Compute σr Output (c, σr) Example: Obfuscation (initial attempt) Encrypted signing key After Obfuscation Before Obfuscation • Input m • Stored Info • c, where (r,c) ←KEM.Enc(pk) • s’=s*r mod q • Code • Sign(m, s’)= H(m)s’(=σr) • Output (c, σr) Obfuscation Output is fixed for each message Output is randomly generated

  14. Example: Obfuscation Before Obfuscation After Obfuscation • Input m • Stored Info • c, where (r,c) ←KEM.Enc(pk) • s’=s*r mod q • Code • Use the scalar homomorphic property to compute (r’,c’) • s’’=s’*r’ mod q • Sign(m, s’’)=H(m)s’’ (=σr*r’ ) • Rerandomize c’ • Output (c’, σr*r’ ) • Input m • Stored Info • private signing key: s • public encryption key: pk • Code • σ=Sign(m, s )=H(m)s • (r,c) ←KEM.Enc(pk) • Compute σr • Output (c, σr) Obfuscation Randomization was added The output distributions are identical

  15. Main Result: We can securely obfuscate an encrypted signature scheme in the standard model Our contribution: • Apply the basic idea to the encrypted signature scheme defined as the sequential composition of Waters’s signature and linear encryption schemes. • Theorem 4: The obfuscator satisfies a virtual black-box property (VBP) under the DL assumption. • What does this mean?

  16. Main Result: The security of Waters’s signature scheme is preserved even when adversaries are given obfuscated encrypted signature programs Concrete Abstract Stronger Security Thm 2: Waters’s signature scheme satisfies Def 3 under DBDH Def 3: A signature scheme is EU against adversaries having signing oracle Thms 1& 4 trivial trivial Thm 1 Def 5: A signature scheme is EU against adversaries having signing oracle and obfuscated encrypted signature program Corollary 1: Waters’s signature scheme satisfies Def 5 under DL and DBDH Thm 1: if the obfuscator satisfies the VBP, then Def 4 implies Def 5.

  17. Outline • Summary • Motivation • Theoretical perspective • Application perspective • Proposed obfuscation • Basic idea • Example • Main result • Remarks • Relation to signcryption • Attacks we can (not) prevent • Generalization

  18. We can use encrypted signature as a building block to construct a secure signcryption scheme. Using our proposed obfuscation, we can obfuscate the signcryption scheme. EncryptedSignature-then-Encryption (EStE) Encrypted Signature Alice’s private signing key Bob’s public encryption key Message (Hybrid) Encrypt Sign Encrypt m σ Ciphertext c m • Formal discussion would be a future work item: • The security of EStE-based signcryption • The security of obfuscation for EStE

  19. There are some attacks that our proposed obfuscation cannot prevent.

  20. Generalization: we can apply the basic idea to other signature schemes We can generalize our construction to clarify the properties that a pair of encryption and signature schemes should satisfy so that the encrypted signature can be securely obfuscated

More Related