3.
The purpose of obfuscation is to hide private information contained in programs while preserving the functionality.
[Figure: an Obfuscator transforms the program byte[] signcrypt(byte[] m){ byte[] key } (Before Obfuscation) into the obfuscated program (After Obfuscation)]
Requirement 1 (Functionality): The obfuscated program preserves the functionality.
Requirement 2 (Virtual Black-box Property): Whatever adversaries can compute given an obfuscated program can be computed by black-box access to the functionality.
E.g., we cannot extract the private information from an obfuscated program if we cannot do so by black-box access to the functionality.
4.
Summary: a new positive result on program obfuscation
We will show that we can securely obfuscate an encrypted signature scheme.
[Figure: Message m → Sign (Alice’s private signing key) → σ → Encrypt (Bob’s public encryption key) → Ciphertext c (Encrypted Signature). We can obfuscate this program.]
NOTE: The message is not encrypted.
6.
Motivation: only a few positive results are known and we should look for more positive results.
Negative results:
Generic obfuscation is impossible (CRYPTO 2001, Barak et al.)
We need to find specific programs we can securely obfuscate.
Positive results:
Point functions (CRYPTO’97, Canetti, and many others)
Re-encryption (TCC’07, Hohenberger et al.)
Vote mixing (TCC’07, Adida et al.)
7.
Motivation: To use signcryption for Webmail services, service providers need to store users’ private signing keys and execute signcryption on servers. Key leakage is a serious security issue.
Standard browsers have no capability of signcryption.
[Figure: Alice’s Web Browser and Bob’s Web Browser each talk to a Server; signcryption runs on the server (Signcrypt@Server). Key leakage is a serious security issue!!]
8.
A solution is to obfuscate the signcryption program so that the private signing key cannot be abused.
[Figure: Alice’s Web Browser and Bob’s Web Browser each talk to a Server; Signcrypt@Server. We can obfuscate this program.]
10.
The basic idea is to design a pair of signature and encryption schemes such that the following two are functionally equivalent:
signing a message and then encrypting the signature,
encrypting the signing key and then signing the message under the encrypted signing key.
The virtual black-box property reduces to the security of encryption.
[Figure: Encrypted Signature (to be obfuscated): Message m → Sign (Alice’s signing key) → σ → Encrypt (Bob’s encryption key) → Ciphertext c. The Obfuscator produces Obfuscated programs: Encrypt (Bob’s encryption key) yields the Encrypted Alice’s signing key, which is then used by Sign.]
11.
Example: We realize the basic idea using the BLS signature scheme
BLS signature by Boneh, Lynn, and Shacham (Asiacrypt 2001)
Key Pair: $(v, s)$ such that $v = g^s$
$g$ is a generator of prime order $q$ for a bilinear group
$v$: public verification key
$s$: private signing key
Signature generation
$\sigma = \mathrm{Sign}(s, m) = H(m)^s$, where $H$ is a hash function (a random oracle)
Key Encapsulation Mechanism (KEM)
Key Pair: $(pk, sk)$
$pk$: public encryption key
$sk$: private decryption key
Key encapsulation
$(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
$r$ is a random key and $c$ is its ciphertext
Two required properties
A scalar homomorphic property: Given a ciphertext $c$, we can compute $(r', c')$ such that $r'$ is a new random key and $c'$ is a ciphertext of $r \cdot r' \pmod q$.
$c$ is rerandomizable
Example
Use the Paillier encryption scheme as a KEM.Enc satisfying the two requirements
Before Obfuscation
Input $m$
Stored Info
private signing key: $s$
public encryption key: $pk$
Code
$\sigma = \mathrm{Sign}(m, s) = H(m)^s$
$(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
Compute $\sigma^r$
Output $(c, \sigma^r)$
Randomization was added
Obfuscation
After Obfuscation
Code
Use the scalar homomorphic property to compute $(r', c')$
$s'' = s' \cdot r' \bmod q$
$\mathrm{Sign}(m, s'') = H(m)^{s''}$ $(= \sigma^{r \cdot r'})$
Rerandomize $c'$
Output $(c', \sigma^{r \cdot r'})$
The output distributions are identical
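The before/after programs above, run end to end as an added example (not code from the slides): a toy order-q subgroup stands in for the bilinear group and textbook Paillier plays KEM.Enc. The obfuscated program's stored values s' = s·r mod q and c = Enc(r) are an assumption inferred from s'' and σ^{r·r'}, since the slide text does not list them; all parameters and function names are constructed.

```python
import hashlib, math, secrets

# Constructed toy parameters, far too small for real use.
P, Q, G = 2039, 1019, 4            # P = 2Q + 1; G generates the order-Q subgroup
N = 1789 * 1861                    # Paillier modulus; N > Q*Q so r*r' never wraps mod N
N2, LAM = N * N, math.lcm(1788, 1860)

def H(m: bytes) -> int:
    """Toy hash into the subgroup, standing in for the random oracle H."""
    e = int.from_bytes(hashlib.sha256(m).digest(), "big") % (Q - 1) + 1
    return pow(G, e, P)

def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]

def rand_unit() -> int:
    while True:                                  # random element coprime to N
        t = secrets.randbelow(N - 1) + 1
        if math.gcd(t, N) == 1:
            return t

def enc(r: int) -> int:                          # Paillier with generator N + 1
    return pow(1 + N, r, N2) * pow(rand_unit(), N, N2) % N2

def dec(c: int) -> int:                          # needs Bob's private value LAM
    return (pow(c, LAM, N2) - 1) // N * pow(LAM, -1, N) % N

def before(m: bytes, s: int):
    """Program before obfuscation: stores s in the clear."""
    r = rand_exp()
    return enc(r), pow(pow(H(m), s, P), r, P)    # (c, sigma^r)

def obfuscate(s: int):
    """Stored info after obfuscation (inferred): s' = s*r mod q and c = Enc(r)."""
    r = rand_exp()
    return s * r % Q, enc(r)

def after(m: bytes, s1: int, c: int):
    """Obfuscated program: never sees s, only s' and c."""
    r2 = rand_exp()
    c2 = pow(c, r2, N2) * pow(rand_unit(), N, N2) % N2   # Enc(r*r'), rerandomized
    return c2, pow(H(m), s1 * r2 % Q, P)                 # H(m)^{s''} = sigma^{r*r'}

def unblind(c: int, blinded: int) -> int:
    """Bob: decrypt the exponent, reduce mod q, strip it to get sigma = H(m)^s."""
    return pow(blinded, pow(dec(c) % Q, -1, Q), P)
```

Both programs yield a pair that Bob unblinds to the same σ = H(m)^s. In this toy the Paillier plaintext of the obfuscated output is the integer r·r' below N, which Bob reduces mod q.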
15.
Main Result: We can securely obfuscate an encrypted signature scheme in the standard model
Our contribution:
Apply the basic idea to the encrypted signature scheme defined as the sequential composition of Waters’s signature and linear encryption schemes.
Theorem 4: The obfuscator satisfies a virtual black-box property (VBP) under the DL assumption.
What does this mean?
Building blocks and their security (in the standard model):
Building Block 1: Waters’s signature scheme (Eurocrypt’05). Theorem 2: Waters’s signature scheme is existentially unforgeable (EU) against chosen message attacks under the decisional bilinear Diffie-Hellman (DBDH) assumption.
Building Block 2: Linear encryption scheme (Crypto’04). Theorem 3: Linear encryption scheme is IND-CPA under the decisional linear (DL) assumption.
16.
Main Result: The security of Waters’s signature scheme is preserved even when adversaries are given obfuscated encrypted signature programs
Def 3: A signature scheme is EU against adversaries having signing oracle
Def 5: A signature scheme is EU against adversaries having signing oracle and obfuscated encrypted signature program
Thm 1: if the obfuscator satisfies the VBP, then Def 4 implies Def 5.
Thm 2: Waters’s signature scheme satisfies Def 3 under DBDH
Corollary 1: Waters’s signature scheme satisfies Def 5 under DL and DBDH
[Figure: diagram relating the definitions and theorems, with arrows labeled "trivial", "Thm 1" and "Thms 1 & 4", and the labels Abstract, Concrete and Stronger Security]
18.
We can use encrypted signature as a building block to construct a secure signcryption scheme. Using our proposed obfuscation, we can obfuscate the signcryption scheme.
[Figure: EncryptedSignature-then-Encryption (EStE): Message m → Sign (Alice’s private signing key) → σ → Encrypt (Bob’s public encryption key) → Encrypted Signature; m is also passed to (Hybrid) Encrypt; the output is the Ciphertext c]
Formal discussion would be a future work item:
The security of EStE-based signcryption
The security of obfuscation for EStE
19.
There are some attacks that our proposed obfuscation cannot prevent.
Attacks we can prevent:
Even if an adversary is given an obfuscated program for Alice-to-Bob, he/she cannot
forge Alice’s signature.
compute encrypted signatures for Alice-to-Carol, Alice-to-Dave, …
Attacks we cannot prevent:
If an adversary is given an obfuscated program for Alice-to-Bob,
he/she can compute encrypted signatures for Alice-to-Bob. It’s unavoidable…
If he/she has access to the decryption key (or decryption oracle) for Bob, the signing key can be recovered completely.
What kind of CCA security can we achieve in the context of encrypted signatures and signcryption?
20.
Generalization: we can apply the basic idea to other signature schemes
We can generalize our construction to clarify the properties that a pair of encryption and signature schemes should satisfy so that the encrypted signature can be securely obfuscated.
Scheme (Reference):
Lysyanskaya’s unique signature scheme (CRYPTO’02)
Dodis’s verifiable random function (PKC’02)
Undeniable signature scheme by Chaum and Antwerpen (CRYPTO’89)
DDH-based Pseudorandom functions (MAC) (J. ACM 2004)
Schnorr’s signature scheme (JoC 1991)
[Table labels: YES, NO, Pairing-based]