Secure Obfuscation for Encrypted Signatures

Secure Obfuscation for Encrypted Signatures Eurocrypt 2010 (May 31) Satoshi Hada IBM Research - Tokyo

Outline Summary Motivation Theoretical perspective Application perspective Proposed obfuscation Basic idea Example Main result Remarks Relation to signcryption Attacks we can (not) prevent Generalization

The purpose of obfuscation is to hide private information contained in programs while preserving the functionality. byte[] signcrypt(byte[] m){ byte[] key } Obfuscator Before Obfuscation After Obfuscation 2 1 # The obfuscated program preserves the functionality Functionality Whatever adversaries can compute given an obfuscated program can be computed by black-box access to the functionality. E.g., we cannot extract the private information from an obfuscated program if we cannot do so by black-box access to the functionality. Virtual Black-box Property Requirement Name

Summary: a new positive result on program obfuscation We will show that we can securely obfuscate an encrypted signature scheme. Sign Encrypt Alice’s private signing key Bob’s public encryption key m c σ Message Ciphertext Encrypted Signature We can obfuscate this program NOTE: The message is not encrypted.

Motivation: only a few positive results are known and we should look for more positive results. Generic obfuscation is impossible (CRYPTO 2001 Barak et al. ) We need to find specific programs we can securely obfuscate. Negative Point functions (CRYPTO’97 Canetti and many others) Re-encryption (TCC’07 Hehenberger et al.) Vote mixing (TCC’07 Adida et al.) Positive Results Type

Motivation: To use signcryption for Webmail services, service providers need to store users’ private signing keys and execute signcryption on servers. Key leakage is a serious security issue. Alice’s Web Browser Bob’s Web Browser Server Server Key leakage is a serious security issue!! Standard browsers have no capability of signcryption Signcrypt@ Server

A solution is to obfuscate the signcryption program so that the private signing key can not be abused. Server Server We can obfuscate this program Alice’s Web Browser Bob’s Web Browser Signcrypt@ Server

The basic idea is to design a pair of signature and encryption schemes such that the following two are functionally equivalent: Sign Encrypt m c σ Encrypt Alice’s signing key Bob’s encryption key Sign Obfuscated programs Encrypted Alice’s signing key Encrypted Signature (to be obfuscated) Message Ciphertext signing a message and then encrypting the signature, encrypting the signing key and then signing the message under the encrypted signing key. Obfuscator The virtual black-box property reduces to the security of encryption.

Example : We realize the basic idea using the BLS signature scheme BLS signature by Boneh, Lynn, and Shacham (Asiacrypt 2001) Key Pair: (v, s) such that v=g s g is a generator of prime order q for a Bilinear group v: public verification key s: private signing key Signature generation σ=Sign(s, m)=H(m) s , where H is a hash function (a random oracle) Key Encapsulation Mechanism (KEM) Key Pair: (pk, sk) pk: public encryption key sk: private decryption key Key encapsulation (r,c)←KEM.Enc(pk) r is a random key and c is its ciphertext Two required properties A scalar homomorphic property: Given a ciphertext c, we can compute (r’,c’) such that r’ is a new random key and c’ is a ciphertext of r*r’ (mod q). c is rerandomizable Example Use Paillier encryption scheme as an KEM.Enc satisfying the two requirements

Example: Encrypted signature program Input m Stored Info private signing key: s public encryption key: pk Code σ=Sign(m, s )=H(m) s (r,c) ←KEM.E nc(pk) Compute σ r Output (c, σ r ) Sign Encrypt

Example: Obfuscation (initial attempt) Input m Stored Info private signing key: s public encryption key: pk Code σ=Sign(m, s )=H(m) s (r,c) ←KEM.E nc(pk) Compute σ r Output (c, σ r ) Before Obfuscation Input m Stored Info c, where (r,c) ←KEM.Enc(pk) s’=s*r mod q Code Sign(m, s’)= H(m) s’ (=σ r ) Output (c, σ r ) Obfuscation After Obfuscation Output is randomly generated Output is fixed for each message Encrypted signing key

Example: Obfuscation Input m Stored Info c, where (r,c) ←KEM.Enc(pk) s’=s*r mod q Code Use the scalar homomorphic property to compute (r’,c’) s’’=s’*r’ mod q Sign(m, s’’)=H(m) s’’ (=σ r*r’ ) Rerandomize c’ Output (c’, σ r*r’ ) Obfuscation After Obfuscation The output distributions are identical Input m Stored Info private signing key: s public encryption key: pk Code σ=Sign(m, s )=H(m) s (r,c) ←KEM.E nc(pk) Compute σ r Output (c, σ r ) Before Obfuscation Randomization was added

Main Result: We can securely obfuscate an encrypted signature scheme in the standard model Our contribution: Apply the basic idea to the encrypted signature scheme defined as the sequential composition of Waters’s signature and linear encryption schemes. Theorem 4: The obfuscator satisfies a virtual black-box property (VBP) under the DL assumption. What does this mean? 2 1 # Theorem 2: Waters’s signature scheme is existentially unforgeable (EU) against chosen message attacks under the decisional bilinear Diffie-Hellman (DBDH) assumption. Waters’s signature scheme (Eurocrypt’05) Theorem 3: Linear encryption scheme is IND-CPA under the decisional linear (DL) assumption. Linear encryption scheme (Crypto’04) Security (in the standard model) Building Block

Main Result: The security of Waters’s signature scheme is preserved even when adversaries are given obfuscated encrypted signature programs Def 3: A signature scheme is EU against adversaries having signing oracle Def 5: A signature scheme is EU against adversaries having signing oracle and obfuscated encrypted signature program trivial Thm 1 Thm 1: if the obfuscator satisfies the VBP, then Def 4 implies Def 5. Thm 2: Waters’s signature scheme satisfies Def 3 under DBDH Corollary 1: Waters’s signature scheme satisfies Def 5 under DL and DBDH trivial Thms 1& 4 Abstract Concrete Stronger Security

We can use encrypted signature as a building block to construct a secure signcryption scheme. Using our proposed obfuscation, we can obfuscate the signcryption scheme. Sign Encrypt Alice’s private signing key Bob’s public encryption key m c σ Message Ciphertext Encrypted Signature (Hybrid) Encrypt m EncryptedSignature-then-Encryption (EStE) Formal discussion would be a future work item: The security of EStE-based signcryption The security of obfuscation for EStE

There are some attacks that our proposed obfuscation cannot prevent. Even if an adversary is given an obfuscated program for Alice-to-Bob, he/she cannot forge Alice’s signature. compute encrypted signatures for Alice-to-Carol, Alice-to-Dave, … Attacks we can prevent If an adversary is given an obfuscated program for Alice-to-Bob, He/she can compute encrypted signatures for Alice-to-Bob. It’s unavoidable… If he/she has access to the decryption key (or decryption oracle) for Bob, the signing key can be recovered completely. What kind of CCA security can we achieve in the context of encrypted signatures and signcryption? Attack we cannot prevent Attacks Type

Generalization: we can apply the basic idea to other signature schemes We can generalize our construction to clarify the properties that a pair of encryption and signature schemes should satisfy so that the encrypted signature can be securely obfuscated NO YES Pairing-based CRYPTO’02 Lysyanskaya’s unique signature scheme 1 CRYPTO’89 Undeniable signature scheme by Chaum and Antwerpen 3 J. ACM 2004 DDH-based Pseudoranom functions (MAC) 4 5 2 # PKC’02 Dodis’s verifiable random function JoC 1991 Schnorr’s signature scheme Reference Scheme

Secure Obfuscation for Encrypted Signatures

More Related Content

What's hot (20)

Viewers also liked (6)

Similar to Secure Obfuscation for Encrypted Signatures (20)

Recently uploaded (20)

Secure Obfuscation for Encrypted Signatures