• Like
  • Save
Secure Obfuscation for Encrypted Signatures
Upcoming SlideShare
Loading in...5
×
 

Secure Obfuscation for Encrypted Signatures

on

  • 994 views

Eurocrypt 2010

Eurocrypt 2010

Statistics

Views

Total Views
994
Views on SlideShare
993
Embed Views
1

Actions

Likes
0
Downloads
4
Comments
0

1 Embed 1

http://www.docshut.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Secure Obfuscation for Encrypted Signatures Secure Obfuscation for Encrypted Signatures Presentation Transcript

    • Secure Obfuscation for Encrypted Signatures Eurocrypt 2010 (May 31) Satoshi Hada IBM Research - Tokyo
    • Outline
      • Summary
      • Motivation
        • Theoretical perspective
        • Application perspective
      • Proposed obfuscation
        • Basic idea
        • Example
        • Main result
      • Remarks
        • Relation to signcryption
        • Attacks we can (not) prevent
        • Generalization
    • The purpose of obfuscation is to hide private information contained in programs while preserving the functionality. byte[] signcrypt(byte[] m){ byte[] key } Obfuscator Before Obfuscation After Obfuscation 2 1 # The obfuscated program preserves the functionality Functionality
      • Whatever adversaries can compute given an obfuscated program can be computed by black-box access to the functionality.
      • E.g., we cannot extract the private information from an obfuscated program if we cannot do so by black-box access to the functionality.
      Virtual Black-box Property Requirement Name
    • Summary: a new positive result on program obfuscation
      • We will show that we can securely obfuscate an encrypted signature scheme.
      Sign Encrypt Alice’s private signing key Bob’s public encryption key m c σ Message Ciphertext Encrypted Signature We can obfuscate this program NOTE: The message is not encrypted.
    • Outline
      • Summary
      • Motivation
        • Theoretical perspective
        • Application perspective
      • Proposed obfuscation
        • Basic idea
        • Example
        • Main result
      • Remarks
        • Relation to signcryption
        • Attacks we can (not) prevent
        • Generalization
    • Motivation: only a few positive results are known and we should look for more positive results.
      • Generic obfuscation is impossible (CRYPTO 2001 Barak et al. )
        • We need to find specific programs we can securely obfuscate.
      Negative
      • Point functions (CRYPTO’97 Canetti and many others)
      • Re-encryption (TCC’07 Hehenberger et al.)
      • Vote mixing (TCC’07 Adida et al.)
      Positive Results Type
    • Motivation: To use signcryption for Webmail services, service providers need to store users’ private signing keys and execute signcryption on servers. Key leakage is a serious security issue. Alice’s Web Browser Bob’s Web Browser Server Server Key leakage is a serious security issue!! Standard browsers have no capability of signcryption Signcrypt@ Server
    • A solution is to obfuscate the signcryption program so that the private signing key can not be abused. Server Server We can obfuscate this program Alice’s Web Browser Bob’s Web Browser Signcrypt@ Server
    • Outline
      • Summary
      • Motivation
        • Theoretical perspective
        • Application perspective
      • Proposed obfuscation
        • Basic idea
        • Example
        • Main result
      • Remarks
        • Relation to signcryption
        • Attacks we can (not) prevent
        • Generalization
    • The basic idea is to design a pair of signature and encryption schemes such that the following two are functionally equivalent: Sign Encrypt m c σ Encrypt Alice’s signing key Bob’s encryption key Sign Obfuscated programs Encrypted Alice’s signing key Encrypted Signature (to be obfuscated) Message Ciphertext
      • signing a message and then encrypting the signature,
      • encrypting the signing key and then signing the message under the encrypted signing key.
      Obfuscator The virtual black-box property reduces to the security of encryption.
    • Example : We realize the basic idea using the BLS signature scheme
      • BLS signature by Boneh, Lynn, and Shacham (Asiacrypt 2001)
        • Key Pair: (v, s) such that v=g s
          • g is a generator of prime order q for a Bilinear group
          • v: public verification key
          • s: private signing key
        • Signature generation
          • σ=Sign(s, m)=H(m) s , where H is a hash function (a random oracle)
      • Key Encapsulation Mechanism (KEM)
        • Key Pair: (pk, sk)
          • pk: public encryption key
          • sk: private decryption key
        • Key encapsulation
          • (r,c)←KEM.Enc(pk)
          • r is a random key and c is its ciphertext
        • Two required properties
          • A scalar homomorphic property: Given a ciphertext c, we can compute (r’,c’) such that r’ is a new random key and c’ is a ciphertext of r*r’ (mod q).
          • c is rerandomizable
        • Example
          • Use Paillier encryption scheme as an KEM.Enc satisfying the two requirements
    • Example: Encrypted signature program
      • Input m
      • Stored Info
        • private signing key: s
        • public encryption key: pk
      • Code
        • σ=Sign(m, s )=H(m) s
        • (r,c) ←KEM.E nc(pk)
        • Compute σ r
        • Output (c, σ r )
      Sign Encrypt
    • Example: Obfuscation (initial attempt)
      • Input m
      • Stored Info
        • private signing key: s
        • public encryption key: pk
      • Code
        • σ=Sign(m, s )=H(m) s
        • (r,c) ←KEM.E nc(pk)
        • Compute σ r
        • Output (c, σ r )
      Before Obfuscation
      • Input m
      • Stored Info
        • c, where (r,c) ←KEM.Enc(pk)
        • s’=s*r mod q
      • Code
        • Sign(m, s’)= H(m) s’ (=σ r )
        • Output (c, σ r )
      Obfuscation After Obfuscation Output is randomly generated Output is fixed for each message Encrypted signing key
    • Example: Obfuscation
      • Input m
      • Stored Info
        • c, where (r,c) ←KEM.Enc(pk)
        • s’=s*r mod q
      • Code
        • Use the scalar homomorphic property to compute (r’,c’)
        • s’’=s’*r’ mod q
        • Sign(m, s’’)=H(m) s’’ (=σ r*r’ )
        • Rerandomize c’
        • Output (c’, σ r*r’ )
      Obfuscation After Obfuscation The output distributions are identical
      • Input m
      • Stored Info
        • private signing key: s
        • public encryption key: pk
      • Code
        • σ=Sign(m, s )=H(m) s
        • (r,c) ←KEM.E nc(pk)
        • Compute σ r
        • Output (c, σ r )
      Before Obfuscation Randomization was added
    • Main Result: We can securely obfuscate an encrypted signature scheme in the standard model
      • Our contribution:
      • Apply the basic idea to the encrypted signature scheme defined as the sequential composition of Waters’s signature and linear encryption schemes.
      • Theorem 4: The obfuscator satisfies a virtual black-box property (VBP) under the DL assumption.
        • What does this mean?
      2 1 # Theorem 2: Waters’s signature scheme is existentially unforgeable (EU) against chosen message attacks under the decisional bilinear Diffie-Hellman (DBDH) assumption. Waters’s signature scheme (Eurocrypt’05) Theorem 3: Linear encryption scheme is IND-CPA under the decisional linear (DL) assumption. Linear encryption scheme (Crypto’04) Security (in the standard model) Building Block
    • Main Result: The security of Waters’s signature scheme is preserved even when adversaries are given obfuscated encrypted signature programs Def 3: A signature scheme is EU against adversaries having signing oracle Def 5: A signature scheme is EU against adversaries having signing oracle and obfuscated encrypted signature program trivial Thm 1 Thm 1: if the obfuscator satisfies the VBP, then Def 4 implies Def 5. Thm 2: Waters’s signature scheme satisfies Def 3 under DBDH Corollary 1: Waters’s signature scheme satisfies Def 5 under DL and DBDH trivial Thms 1& 4 Abstract Concrete Stronger Security
    • Outline
      • Summary
      • Motivation
        • Theoretical perspective
        • Application perspective
      • Proposed obfuscation
        • Basic idea
        • Example
        • Main result
      • Remarks
        • Relation to signcryption
        • Attacks we can (not) prevent
        • Generalization
    • We can use encrypted signature as a building block to construct a secure signcryption scheme. Using our proposed obfuscation, we can obfuscate the signcryption scheme. Sign Encrypt Alice’s private signing key Bob’s public encryption key m c σ Message Ciphertext Encrypted Signature (Hybrid) Encrypt m EncryptedSignature-then-Encryption (EStE)
      • Formal discussion would be a future work item:
        • The security of EStE-based signcryption
        • The security of obfuscation for EStE
    • There are some attacks that our proposed obfuscation cannot prevent.
      • Even if an adversary is given an obfuscated program for Alice-to-Bob, he/she cannot
      • forge Alice’s signature.
      • compute encrypted signatures for Alice-to-Carol, Alice-to-Dave, …
      Attacks we can prevent
      • If an adversary is given an obfuscated program for Alice-to-Bob,
      • He/she can compute encrypted signatures for Alice-to-Bob. It’s unavoidable…
      • If he/she has access to the decryption key (or decryption oracle) for Bob, the signing key can be recovered completely.
        • What kind of CCA security can we achieve in the context of encrypted signatures and signcryption?
      Attack we cannot prevent Attacks Type
    • Generalization: we can apply the basic idea to other signature schemes We can generalize our construction to clarify the properties that a pair of encryption and signature schemes should satisfy so that the encrypted signature can be securely obfuscated NO YES Pairing-based CRYPTO’02 Lysyanskaya’s unique signature scheme 1 CRYPTO’89 Undeniable signature scheme by Chaum and Antwerpen 3 J. ACM 2004 DDH-based Pseudoranom functions (MAC) 4 5 2 # PKC’02 Dodis’s verifiable random function JoC 1991 Schnorr’s signature scheme Reference Scheme