© 2010 IBM Corporation
IBM Research - Tokyo
Secure Obfuscation for Encrypted Signatures
Eurocrypt 2010 (May 31)
Satoshi Hada, IBM Research - Tokyo
Outline
1. Summary
2. Motivation
   - Theoretical perspective
   - Application perspective
3. Proposed obfuscation
   - Basic idea
   - Example
   - Main result
4. Remarks
   - Relation to signcryption
   - Attacks we can (not) prevent
   - Generalization
The purpose of obfuscation is to hide private information contained in programs while preserving the functionality.
[Figure: a program "byte[] signcrypt(byte[] m){ byte[] key }" is passed through an Obfuscator; panels "Before Obfuscation" and "After Obfuscation".]
# | Name | Requirement
1 | Functionality | The obfuscated program preserves the functionality.
2 | Virtual Black-box Property | Whatever adversaries can compute given an obfuscated program can be computed by black-box access to the functionality. E.g., we cannot extract the private information from an obfuscated program if we cannot do so by black-box access to the functionality.
Summary: a new positive result on program obfuscation
We will show that we can securely obfuscate an encrypted signature scheme.
[Figure: Message m -> Sign (Alice’s private signing key) -> σ -> Encrypt (Bob’s public encryption key) -> Ciphertext c. The Sign and Encrypt steps together form the Encrypted Signature program, labelled "We can obfuscate this program".]
NOTE: The message is not encrypted.
Motivation: only a few positive results are known and we should look for more positive results.
Type | Results
Negative | Generic obfuscation is impossible (CRYPTO 2001, Barak et al.). We need to find specific programs we can securely obfuscate.
Positive | 1. Point functions (CRYPTO’97, Canetti and many others); 2. Re-encryption (TCC’07, Hohenberger et al.); 3. Vote mixing (TCC’07, Adida et al.)
Motivation: To use signcryption for Webmail services, service providers need to store users’ private signing keys and execute signcryption on servers. Key leakage is a serious security issue.
[Figure: Alice’s Web Browser and Bob’s Web Browser connect to a Server that runs Signcrypt@Server. Callouts: "Standard browsers have no capability of signcryption" and "Key leakage is a serious security issue!!"]
A solution is to obfuscate the signcryption program so that the private signing key cannot be abused.
[Figure: Alice’s Web Browser and Bob’s Web Browser connect to a Server that runs Signcrypt@Server. Callout on the server program: "We can obfuscate this program".]
The basic idea is to design a pair of signature and encryption schemes such that the following two are functionally equivalent:
1. signing a message and then encrypting the signature,
2. encrypting the signing key and then signing the message under the encrypted signing key.
[Figure: two programs mapping Message m to Ciphertext c. Encrypted Signature (to be obfuscated): Sign with Alice’s signing key, then Encrypt σ with Bob’s encryption key. Obfuscated programs: Encrypt Alice’s signing key with Bob’s encryption key, then Sign with the encrypted Alice’s signing key. The Obfuscator maps the first program to the second.]
The virtual black-box property reduces to the security of encryption.
Example: We realize the basic idea using the BLS signature scheme
1. BLS signature by Boneh, Lynn, and Shacham (Asiacrypt 2001)
   - Key pair: $(v, s)$ such that $v = g^s$
     - $g$ is a generator of prime order $q$ for a bilinear group
     - $v$: public verification key
     - $s$: private signing key
   - Signature generation: $\sigma = \mathrm{Sign}(s, m) = H(m)^s$, where $H$ is a hash function (a random oracle)
2. Key Encapsulation Mechanism (KEM)
   - Key pair: $(pk, sk)$
     - $pk$: public encryption key
     - $sk$: private decryption key
   - Key encapsulation: $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
     - $r$ is a random key and $c$ is its ciphertext
   - Two required properties
     1. A scalar homomorphic property: given a ciphertext $c$, we can compute $(r', c')$ such that $r'$ is a new random key and $c'$ is a ciphertext of $r \cdot r' \pmod q$.
     2. $c$ is rerandomizable.
   - Example: use the Paillier encryption scheme as a KEM.Enc satisfying the two requirements
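Example: Encrypted signature program
Input: $m$
Stored info:
- private signing key: $s$
- public encryption key: $pk$
Code:
1. $\sigma = \mathrm{Sign}(m, s) = H(m)^s$
2. $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
3. Compute $\sigma^r$
4. Output $(c, \sigma^r)$
[Figure labels on the code: Sign, Encrypt]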
Example: Obfuscation (initial attempt)
Before Obfuscation (output is randomly generated)
Input: $m$
Stored info:
- private signing key: $s$
- public encryption key: $pk$
Code:
1. $\sigma = \mathrm{Sign}(m, s) = H(m)^s$
2. $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
3. Compute $\sigma^r$
4. Output $(c, \sigma^r)$
After Obfuscation (output is fixed for each message)
Input: $m$
Stored info:
- $c$, where $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
- $s' = s \cdot r \bmod q$ (encrypted signing key)
Code:
1. $\mathrm{Sign}(m, s') = H(m)^{s'}$ $(= \sigma^r)$
2. Output $(c, \sigma^r)$
Example: Obfuscation
Before Obfuscation
Input: $m$
Stored info:
- private signing key: $s$
- public encryption key: $pk$
Code:
1. $\sigma = \mathrm{Sign}(m, s) = H(m)^s$
2. $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
3. Compute $\sigma^r$
4. Output $(c, \sigma^r)$
After Obfuscation
Input: $m$
Stored info:
- $c$, where $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
- $s' = s \cdot r \bmod q$
Code:
1. Use the scalar homomorphic property to compute $(r', c')$
2. $s'' = s' \cdot r' \bmod q$
3. $\mathrm{Sign}(m, s'') = H(m)^{s''}$ $(= \sigma^{r \cdot r'})$
4. Rerandomize $c'$
5. Output $(c', \sigma^{r \cdot r'})$
The output distributions are identical.
[Figure label on the After Obfuscation program: Randomization was added]
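Added example (not from the original slides): a toy Python run of the construction above, checking that the output of the obfuscated program decrypts to the same signature H(m)^s as the output of the original program. The small prime-order subgroup standing in for the bilinear group, the hash-to-group shortcut, the Paillier modulus chosen larger than q^2 so that r*r' does not wrap, and all function names are assumptions of this sketch.

```python
import hashlib, math, secrets

# Constructed toy parameters, far too small for real use.
P, Q, G = 2039, 1019, 4        # G generates the order-Q subgroup of Z_P^*
N = 1103 * 1109                # Paillier modulus; N > Q*Q so r*r' never wraps
N2, PHI = N * N, 1102 * 1108

def H(m):
    """Stand-in for the random oracle H: hash into the order-Q subgroup."""
    e = int.from_bytes(hashlib.sha256(m).digest(), "big") % (Q - 1) + 1
    return pow(G, e, P)

def unit():
    """Random element of Z_N^* (Paillier randomizer)."""
    while True:
        x = secrets.randbelow(N - 1) + 1
        if math.gcd(x, N) == 1:
            return x

def kem_enc():
    """(r, c) <- KEM.Enc(pk): Paillier encryption of a random nonzero r mod Q."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(1 + N, r, N2) * pow(unit(), N, N2) % N2

def kem_dec(c):
    """Bob's side: Paillier decryption, then reduction mod Q."""
    return (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N % Q

def encrypted_sign(s, m):
    """Before obfuscation: sign, then encrypt. The program stores s."""
    sigma = pow(H(m), s, P)
    r, c = kem_enc()
    return c, pow(sigma, r, P)

def obfuscate(s):
    """Obfuscator: output (c, s') with s' = s*r mod q, the encrypted key."""
    r, c = kem_enc()
    return c, s * r % Q

def obfuscated_sign(c, s1, m):
    """After obfuscation: the program stores only (c, s'), never s."""
    r2 = secrets.randbelow(Q - 1) + 1
    c2 = pow(c, r2, N2)                      # scalar homomorphism: Enc(r*r')
    c2 = c2 * pow(unit(), N, N2) % N2        # rerandomize c'
    return c2, pow(H(m), s1 * r2 % Q, P)     # H(m)^{s''} = sigma^{r*r'}

def recover_signature(c, blinded):
    """Bob decrypts the KEM key and strips it from the blinded signature."""
    return pow(blinded, pow(kem_dec(c), -1, Q), P)
```

The stored pair (c, s') hides s only from parties who cannot decrypt c, so Bob's decryption key must never be available on the server that runs the obfuscated program.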
Main Result: We can securely obfuscate an encrypted signature scheme in the standard model
Our contribution:
1. Apply the basic idea to the encrypted signature scheme defined as the sequential composition of Waters’s signature and linear encryption schemes.
2. Theorem 4: The obfuscator satisfies a virtual black-box property (VBP) under the DL assumption. What does this mean?
# | Building Block | Security (in the standard model)
1 | Waters’s signature scheme (Eurocrypt’05) | Theorem 2: Waters’s signature scheme is existentially unforgeable (EU) against chosen message attacks under the decisional bilinear Diffie-Hellman (DBDH) assumption.
2 | Linear encryption scheme (Crypto’04) | Theorem 3: Linear encryption scheme is IND-CPA under the decisional linear (DL) assumption.
Main Result: The security of Waters’s signature scheme is preserved even when adversaries are given obfuscated encrypted signature programs
Abstract:
- Def 3: A signature scheme is EU against adversaries having signing oracle
- Def 5: A signature scheme is EU against adversaries having signing oracle and obfuscated encrypted signature program
Concrete:
- Thm 2: Waters’s signature scheme satisfies Def 3 under DBDH
- Corollary 1: Waters’s signature scheme satisfies Def 5 under DL and DBDH
Thm 1: if the obfuscator satisfies the VBP, then Def 4 implies Def 5.
[Figure: arrows between Def 3 and Def 5 labelled "trivial" and "Thm 1"; arrows between Thm 2 and Corollary 1 labelled "trivial" and "Thms 1 & 4"; columns "Abstract" and "Concrete"; vertical axis "Stronger Security".]
We can use encrypted signature as a building block to construct a secure signcryption scheme. Using our proposed obfuscation, we can obfuscate the signcryption scheme.
[Figure: Message m -> Sign (Alice’s private signing key) -> σ -> Encrypt (Bob’s public encryption key) -> Ciphertext c; this part is the Encrypted Signature. A second (Hybrid) Encrypt box takes m. The whole construction is labelled Encrypted Signature-then-Encryption (EStE).]
Formal discussion would be a future work item:
- The security of EStE-based signcryption
- The security of obfuscation for EStE
There are some attacks that our proposed obfuscation cannot prevent.
Type | Attacks
Attacks we can prevent | Even if an adversary is given an obfuscated program for Alice-to-Bob, he/she cannot (1) forge Alice’s signature, (2) compute encrypted signatures for Alice-to-Carol, Alice-to-Dave, …
Attack we cannot prevent | If an adversary is given an obfuscated program for Alice-to-Bob: (1) He/she can compute encrypted signatures for Alice-to-Bob. It’s unavoidable… (2) If he/she has access to the decryption key (or decryption oracle) for Bob, the signing key can be recovered completely.
What kind of CCA security can we achieve in the context of encrypted signatures and signcryption?
Generalization: we can apply the basic idea to other signature schemes
# | Scheme | Pairing-based | Reference
1 | Lysyanskaya’s unique signature scheme | YES | CRYPTO’02
2 | Dodis’s verifiable random function | | PKC’02
3 | Undeniable signature scheme by Chaum and Antwerpen | NO | CRYPTO’89
4 | DDH-based pseudorandom functions (MAC) | | J. ACM 2004
5 | Schnorr’s signature scheme | | JoC 1991
We can generalize our construction to clarify the properties that a pair of encryption and signature schemes should satisfy so that the encrypted signature can be securely obfuscated.