Secure Obfuscation for Encrypted Signatures. Satoshi Hada, IBM Research - Tokyo. Eurocrypt 2010 (May 31). © 2010 IBM Corporation.

Page 1: Secure Obfuscation for Encrypted Signatures

Secure Obfuscation for Encrypted Signatures

Eurocrypt 2010 (May 31)

Satoshi Hada, IBM Research - Tokyo

Page 2: Secure Obfuscation for Encrypted Signatures

Outline

1. Summary
2. Motivation
   - Theoretical perspective
   - Application perspective
3. Proposed obfuscation
   - Basic idea
   - Example
   - Main result
4. Remarks
   - Relation to signcryption
   - Attacks we can (not) prevent
   - Generalization

Page 3: Secure Obfuscation for Encrypted Signatures

The purpose of obfuscation is to hide private information contained in programs while preserving the functionality.

[Figure: a program containing a key, shown as `byte[] signcrypt(byte[] m){ byte[] key }`, is passed through an Obfuscator. Panels: Before Obfuscation, After Obfuscation.]

| # | Name | Requirement |
|---|------|-------------|
| 1 | Functionality | The obfuscated program preserves the functionality. |
| 2 | Virtual Black-box Property | Whatever adversaries can compute given an obfuscated program can be computed by black-box access to the functionality. E.g., we cannot extract the private information from an obfuscated program if we cannot do so by black-box access to the functionality. |

Page 4: Secure Obfuscation for Encrypted Signatures

Summary: a new positive result on program obfuscation

We will show that we can securely obfuscate an encrypted signature scheme.

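[Figure: the message m is signed (Sign) with Alice's private signing key to give σ, and σ is encrypted (Encrypt) under Bob's public encryption key to give the ciphertext c. The Sign-then-Encrypt block is the encrypted signature program. Callout: "We can obfuscate this program".]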

NOTE: The message is not encrypted.

Page 6: Secure Obfuscation for Encrypted Signatures

Motivation: only a few positive results are known and we should look for more positive results.

| Type | Results |
|------|---------|
| Negative | Generic obfuscation is impossible (CRYPTO 2001, Barak et al.) |
| Positive | 1. Point functions (CRYPTO'97, Canetti and many others); 2. Re-encryption (TCC'07, Hohenberger et al.); 3. Vote mixing (TCC'07, Adida et al.) |

We need to find specific programs we can securely obfuscate.

Page 7: Secure Obfuscation for Encrypted Signatures

Motivation: To use signcryption for Webmail services, service providers need to store users’ private signing keys and execute signcryption on servers. Key leakage is a serious security issue.

[Figure: Alice's Web Browser and Bob's Web Browser each connect to a Server; signcryption runs on the server (Signcrypt@Server). Callouts: "Key leakage is a serious security issue!!" and "Standard browsers have no capability of signcryption".]

Page 8: Secure Obfuscation for Encrypted Signatures

A solution is to obfuscate the signcryption program so that the private signing key cannot be abused.

[Figure: Alice's Web Browser and Bob's Web Browser each connect to a Server running Signcrypt@Server. Callout on the server-side program: "We can obfuscate this program".]

Page 10: Secure Obfuscation for Encrypted Signatures

The basic idea is to design a pair of signature and encryption schemes such that the following two are functionally equivalent:

1. signing a message and then encrypting the signature,
2. encrypting the signing key and then signing the message under the encrypted signing key.

[Figure: the encrypted signature program (to be obfuscated) takes the message m, applies Sign with Alice's signing key to get σ, then Encrypt with Bob's encryption key to get the ciphertext c. The Obfuscator maps it to the obfuscated program, in which Alice's signing key is first encrypted under Bob's encryption key and Sign is then run on m under the encrypted signing key to produce c.]

The virtual black-box property reduces to the security of encryption.

Page 11: Secure Obfuscation for Encrypted Signatures

Example: We realize the basic idea using the BLS signature scheme

1. BLS signature by Boneh, Lynn, and Shacham (Asiacrypt 2001)
   - Key pair: $(v, s)$ such that $v = g^s$
     - $g$ is a generator of prime order $q$ for a bilinear group
     - $v$: public verification key
     - $s$: private signing key
   - Signature generation: $\sigma = \mathrm{Sign}(s, m) = H(m)^s$, where $H$ is a hash function (a random oracle)
2. Key Encapsulation Mechanism (KEM)
   - Key pair: $(pk, sk)$
     - $pk$: public encryption key
     - $sk$: private decryption key
   - Key encapsulation: $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$, where $r$ is a random key and $c$ is its ciphertext
   - Two required properties:
     1. A scalar homomorphic property: given a ciphertext $c$, we can compute $(r', c')$ such that $r'$ is a new random key and $c'$ is a ciphertext of $r \cdot r' \pmod q$.
     2. $c$ is rerandomizable.
   - Example: use the Paillier encryption scheme as a KEM.Enc satisfying the two requirements.

Page 12: Secure Obfuscation for Encrypted Signatures

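Example: Encrypted signature program

Input: $m$

Stored info:
- private signing key: $s$
- public encryption key: $pk$

Code:
1. $\sigma = \mathrm{Sign}(m, s) = H(m)^s$
2. $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
3. Compute $\sigma^r$
4. Output $(c, \sigma^r)$

Labels on the slide: Sign (step 1), Encrypt (the steps that follow).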

Page 13: Secure Obfuscation for Encrypted Signatures

Example: Obfuscation (initial attempt)

Before Obfuscation

Input: $m$

Stored info:
- private signing key: $s$
- public encryption key: $pk$

Code:
1. $\sigma = \mathrm{Sign}(m, s) = H(m)^s$
2. $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
3. Compute $\sigma^r$
4. Output $(c, \sigma^r)$

Output is randomly generated.

After Obfuscation

Input: $m$

Stored info (the encrypted signing key):
- $c$, where $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
- $s' = s \cdot r \bmod q$

Code:
1. $\mathrm{Sign}(m, s') = H(m)^{s'}$ $(= \sigma^r)$
2. Output $(c, \sigma^r)$

Output is fixed for each message.

Page 14: Secure Obfuscation for Encrypted Signatures

Example: Obfuscation

Before Obfuscation

Input: $m$

Stored info:
- private signing key: $s$
- public encryption key: $pk$

Code:
1. $\sigma = \mathrm{Sign}(m, s) = H(m)^s$
2. $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
3. Compute $\sigma^r$
4. Output $(c, \sigma^r)$

After Obfuscation

Input: $m$

Stored info:
- $c$, where $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
- $s' = s \cdot r \bmod q$

Code:
1. Use the scalar homomorphic property to compute $(r', c')$
2. $s'' = s' \cdot r' \bmod q$
3. $\mathrm{Sign}(m, s'') = H(m)^{s''}$ $(= \sigma^{r \cdot r'})$
4. Rerandomize $c'$
5. Output $(c', \sigma^{r \cdot r'})$

Randomization was added. The output distributions are identical.
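The before/after programs of this example, as an added sketch that is not code from the talk or the paper: a toy prime-order subgroup of Z_p^* stands in for the bilinear group (checking functional equivalence needs only exponentiation, so Bob's pairing-based verification is replaced by comparing against a directly computed signature), and textbook Paillier plays the role of KEM.Enc. All parameters and function names are constructed for illustration, and reducing the decrypted key mod q on Bob's side is an assumption of this sketch.

```python
import hashlib, math, secrets

# Toy parameters constructed for this example; far too small for real use.
P, Q = 2039, 1019                # safe prime P = 2Q + 1; signatures live in the order-Q subgroup
N = 10007 * 10009                # Paillier modulus, N > Q^2 so r*r' never wraps mod N
N2, PHI = N * N, 10006 * 10008

def H(m: bytes) -> int:
    """Hash into the order-Q subgroup (squares mod P); stand-in for the random oracle."""
    x = int.from_bytes(hashlib.sha256(m).digest(), "big") % (P - 1) + 1
    return pow(x, 2, P)

def rand_scalar() -> int:
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]

def rand_mask() -> int:
    """u^N mod N^2 for a random unit u: a fresh Paillier encryption of 0."""
    while True:
        u = secrets.randbelow(N - 1) + 1
        if math.gcd(u, N) == 1:
            return pow(u, N, N2)

def kem_enc():
    """(r, c) <- KEM.Enc(pk): c is a Paillier encryption of the random key r."""
    r = rand_scalar()
    return r, (1 + r * N) * rand_mask() % N2

def encrypted_sign(s: int, m: bytes):
    """Before obfuscation: sign with s, then blind the signature with a fresh r."""
    sigma = pow(H(m), s, P)
    r, c = kem_enc()
    return c, pow(sigma, r, P)

def obfuscate(s: int):
    """Obfuscator: store c and s' = s*r mod q instead of s."""
    r, c = kem_enc()
    return c, s * r % Q

def obfuscated_sign(stored, m: bytes):
    """After obfuscation: uses only (c, s'), never s itself."""
    c, s1 = stored
    r2 = rand_scalar()
    c2 = pow(c, r2, N2) * rand_mask() % N2       # scalar homomorphism (r*r'), then rerandomize
    return c2, pow(H(m), s1 * r2 % Q, P)         # H(m)^{s''} = sigma^{r*r'}

def unblind(c: int, blinded: int) -> int:
    """Bob: Paillier-decrypt c, reduce mod Q (assumption of this sketch), strip the exponent."""
    k = (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N % Q
    return pow(blinded, pow(k, -1, Q), P)
```

Both `encrypted_sign` and `obfuscated_sign` unblind to the same $H(m)^s$, while the obfuscated program holds only $c$ and $s'$.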

Page 15: Secure Obfuscation for Encrypted Signatures

Main Result: We can securely obfuscate an encrypted signature scheme in the standard model

Our contribution:

1. Apply the basic idea to the encrypted signature scheme defined as the sequential composition of Waters's signature and linear encryption schemes.
2. Theorem 4: The obfuscator satisfies a virtual black-box property (VBP) under the DL assumption. What does this mean?

| # | Building Block | Security (in the standard model) |
|---|----------------|----------------------------------|
| 1 | Waters's signature scheme (Eurocrypt'05) | Theorem 2: Waters's signature scheme is existentially unforgeable (EU) against chosen message attacks under the decisional bilinear Diffie-Hellman (DBDH) assumption. |
| 2 | Linear encryption scheme (Crypto'04) | Theorem 3: Linear encryption scheme is IND-CPA under the decisional linear (DL) assumption. |

Page 16: Secure Obfuscation for Encrypted Signatures

Main Result: The security of Waters's signature scheme is preserved even when adversaries are given obfuscated encrypted signature programs

- Def 3: A signature scheme is EU against adversaries having signing oracle
- Def 5: A signature scheme is EU against adversaries having signing oracle and obfuscated encrypted signature program
- Thm 1: if the obfuscator satisfies the VBP, then Def 4 implies Def 5.
- Thm 2: Waters's signature scheme satisfies Def 3 under DBDH
- Corollary 1: Waters's signature scheme satisfies Def 5 under DL and DBDH

[Figure: implication diagram with columns "Abstract" and "Concrete" and an axis labelled "Stronger Security"; the arrows between the definitions and results are labelled "trivial", "Thm 1", "trivial" and "Thms 1 & 4".]

Page 18: Secure Obfuscation for Encrypted Signatures

We can use encrypted signature as a building block to construct a secure signcryption scheme. Using our proposed obfuscation, we can obfuscate the signcryption scheme.

[Figure: Encrypted Signature-then-Encryption (EStE). The message m goes through Sign (Alice's private signing key) and Encrypt (Bob's public encryption key) to form the Encrypted Signature; m also enters a (Hybrid) Encrypt step, whose output is the Ciphertext.]

Formal discussion would be a future work item:

- The security of EStE-based signcryption
- The security of obfuscation for EStE

Page 19: Secure Obfuscation for Encrypted Signatures

There are some attacks that our proposed obfuscation cannot prevent.

| Type | Attacks |
|------|---------|
| Attacks we can prevent | Even if an adversary is given an obfuscated program for Alice-to-Bob, he/she cannot (1) forge Alice's signature, or (2) compute encrypted signatures for Alice-to-Carol, Alice-to-Dave, … |
| Attack we cannot prevent | If an adversary is given an obfuscated program for Alice-to-Bob: (1) he/she can compute encrypted signatures for Alice-to-Bob. It's unavoidable… (2) If he/she has access to the decryption key (or decryption oracle) for Bob, the signing key can be recovered completely. |

What kind of CCA security can we achieve in the context of encrypted signatures and signcryption?

Page 20: Secure Obfuscation for Encrypted Signatures

Generalization: we can apply the basic idea to other signature schemes

| # | Scheme | Pairing-based | Reference |
|---|--------|---------------|-----------|
| 1 | Lysyanskaya's unique signature scheme | YES | CRYPTO'02 |
| 2 | Dodis's verifiable random function | | PKC'02 |
| 3 | Undeniable signature scheme by Chaum and Antwerpen | NO | CRYPTO'89 |
| 4 | DDH-based pseudorandom functions (MAC) | | J. ACM 2004 |
| 5 | Schnorr's signature scheme | | JoC 1991 |

We can generalize our construction to clarify the properties that a pair of encryption and signature schemes should satisfy so that the encrypted signature can be securely obfuscated.