1 / 24

Oblivious Signature-Based Envelope

Oblivious Signature-Based Envelope. Ninghui Li , Stanford University Wenliang (Kevin) Du , Syracuse University Dan Boneh , Stanford University. Motivation. Alice . Bob. I have an message P to report, but I want to make sure you are CIA. Please show me your CIA certificate.

morna
Télécharger la présentation

Oblivious Signature-Based Envelope

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University

  2. Motivation Alice Bob I have an message P to report, but I want to make sure you are CIA. Please show me your CIA certificate. I won’t show my CIA certificate to you, just give me the message. ??????

  3. Outline of This Presentation • Introduce the Oblivious Signature-Based Envelope (OSBE) concept. • An OSBE scheme for RSA signatures. • OSBE using Identity Based Encryption (IBE). • Summary and Future Work.

  4. Public Key Certificate(an example) • Bob’s CIA certificate: • PK: the CIA’s public key. • M: “Bob is with CIA” •  = SigPK(M): signature on M (certificate). • The secret part is 

  5. Oblivious Signature-Based Envelope (OSBE) Receiver Sender Message P • Receiver can open the envelope if and only if he/she has • the certificate. • Sender cannot know whether the receiver has the certificate.

  6. OSBE Definition • Setup • PK: the Certificate Authority’s public key. • M: content of the certificate. •  = SigPK(M): signature on M (certificate). • S: Sender of message P (P is given to S only). • R1: Receiver with . • R2: Receiver without . • PK and M are given to all three parties.

  7. OSBE Definition (cont’d) • Interaction • One of R1 and R2 is chosen as R, without S knowing which one. • S and R run an interactive protocol. • Open • R outputs P if and only if R = R1. • Note: R1has the certificate, R2 doesn’t.

  8. Security Requirements • Sound:R1 can output P with overwhelming probability. • Oblivious:S does not learn whether it is communicating with R1 or R2. • Semantically secure against the receiver:R2 learns nothing about P.

  9. Outline of This Presentation • Introduce the Oblivious Signature-Based Envelope (OSBE) concept. • An OSBE scheme for RSA signatures. • OSBE using Identity Based Encryption (IBE). • Summary and Future Work.

  10. An OSBE Scheme for RSA • RSA Signatures: • (e, n): public key PK. • d: private key. • h = hash(M):hash value of M. •  = SigPK(M) = hd (mod n): signature. • (hd)e = (he)d = h (mod n).

  11. RSA-OSBE Scheme: Setup • Setup: • Everybody knows h, M, (e, n) • Sender S knows: P • Receiver R1 knows:  = (hd mod n)

  12. Using Key Agreement Sender Receiver P Sender knows the key; Receiver knows the key only if it has hd.

  13. Diffie-Hellman Key Agreement Bob Alice h xmod n x y h ymod n (h x)y mod n (h y)x mod n = h xy mod n

  14. Transforming Diffie-Hellman S R1 = h d·h xmod n y x  = h e ymod n ey=(h d+x)ey r ‘ = (h ey)x = h e d y· h e x y = h y· h e x y r = ey /h y= h e x y r = r’ if and only if Receiver knows h d

  15. Properties • Theorem 1: RSA-OSBE is sound (r =r’) • Theorem 2: RSA-OSBE is oblivious • R1: = hd+x • R2:  = hx’ • {hd+x|x random}and{hx’|x’ random}are statistically indistinguishable. • Theorem 3: RSA-OSBE is semantically secure against the receiver, i.e, R2 cannot learn r.

  16. Proof of Theorem 3 (Approach) • Approach • We show that, if there exists an adversary receiver R (who does know hd) that can break RSA-OSBE • i.e., R can learn rby interacting with S, • Then we can build an attacker that can generate hd. i.e., we can use R to break RSA signatures

  17. Proof of Theorem 3 R M, (e, n)   = h ey, y random r’ = h exy r = e y·h -y To construct RSA attacker using R, we can construct  such that we can get hd out of , r ?

  18. Attacker knows Proof of Theorem 3 (cont’d)  R  = h ey r =e y·h -y RSA Attacker randomly generates k, constructs  = h1+ek = h e(d+k) Let y = d+k, then = h e y R outputs r=ey·h -y =e(d+k)·h-(d+k)= 1+ek·h-d ·h-k,

  19. Outline of This Presentation • Introduce the Oblivious Signature-Based Envelope (OSBE) concept. • An OSBE scheme for RSA signatures. • OSBE using Identity Based Encryption (IBE). • Summary and Future Work.

  20. Master Key Bob Private decryption key Third Party Identity Based Encryption (IBE) System Parameters Alice Message P Public encryption key “Bob is a CIA member”. Cipher Text

  21. IBE implies Signatures PK System Parameters Alice Message to be signed: M Public encryption key “Bob is a CIA member”. Master Key Bob Private decryption key PK-1 Third Party  = SigPK(M)

  22. OSBE Scheme Using IBE Receiver (Bob) Sender • Public key • K = “Bob is a CIA member” (2) EK(Message) • (3) Decrypt EK(Message) • using the private key.

  23. Comparisons • IBE-OSBE is one round; RSA-OSBE needs two rounds. • RSA-OSBE can be used on existing Public Key Infrastructure.

  24. Summary and Future Work • OSBE concept • RSA-OSBE scheme and IBE-OSBE scheme • Future Work: • Find OSBE scheme for DSA signatures.

More Related