Oblivious Signature-Based Envelope

Provided by: wedu
Learn more at: https://web.ecs.syr.edu
1
Oblivious Signature-Based Envelope
  • Ninghui Li, Stanford University
  • Wenliang (Kevin) Du, Syracuse University
  • Dan Boneh, Stanford University

2
Motivation
Alice: I have a message P to report, but I want to make
sure you are CIA. Please show me your CIA
certificate.
Bob: I won't show my CIA certificate to you, just give
me the message.
??????
3
Outline of This Presentation
  • Introduce the Oblivious Signature-Based Envelope
    (OSBE) concept.
  • An OSBE scheme for RSA signatures.
  • OSBE using Identity Based Encryption (IBE).
  • Summary and Future Work.

4
Public Key Certificate (an example)
  • Bob's CIA certificate
  • PK: the CIA's public key.
  • M = "Bob is with CIA"
  • $\sigma = \mathrm{Sig}_{PK}(M)$: signature on M (certificate).
  • The secret part is $\sigma$.

5
Oblivious Signature-Based Envelope (OSBE)
Receiver
Sender
Message P
  • Receiver can open the envelope if and only if
    he/she has the certificate.
  • Sender cannot know whether the receiver has the
    certificate.

6
OSBE Definition
  • Setup
  • PK: the Certificate Authority's public key.
  • M: content of the certificate.
  • $\sigma = \mathrm{Sig}_{PK}(M)$: signature on M (certificate).
  • S: Sender of message P (P is given to S only).
  • R1: Receiver with $\sigma$.
  • R2: Receiver without $\sigma$.
  • PK and M are given to all three parties.

7
OSBE Definition (contd)
  • Interaction
  • One of R1 and R2 is chosen as R, without S
    knowing which one.
  • S and R run an interactive protocol.
  • Open
  • R outputs P if and only if R = R1.
  • Note: R1 has the certificate, R2 doesn't.

8
Security Requirements
  • Sound: R1 can output P with overwhelming
    probability.
  • Oblivious: S does not learn whether it is
    communicating with R1 or R2.
  • Semantically secure against the receiver: R2
    learns nothing about P.

9
Outline of This Presentation
  • Introduce the Oblivious Signature-Based Envelope
    (OSBE) concept.
  • An OSBE scheme for RSA signatures.
  • OSBE using Identity Based Encryption (IBE).
  • Summary and Future Work.

10
An OSBE Scheme for RSA
  • RSA Signatures
  • (e, n): public key PK.
  • d: private key.
  • h = hash(M): hash value of M.
  • $\sigma = \mathrm{Sig}_{PK}(M) = h^d \pmod{n}$: signature.
  • $(h^d)^e = (h^e)^d = h \pmod{n}$.

11
RSA-OSBE Scheme Setup
  • Setup
  • Everybody knows h, M, (e, n)
  • Sender S knows P
  • Receiver R1 knows $\sigma$ ($= h^d \bmod n$)

12
Using Key Agreement
Sender
Receiver
P
Sender knows the key. Receiver knows the key
only if it has $h^d$.
13
Diffie-Hellman Key Agreement
Bob and Alice
  • secret x, sends $h^x \bmod n$
  • secret y, sends $h^y \bmod n$
  • $(h^x)^y \bmod n = (h^y)^x \bmod n = h^{xy} \bmod n$
14
Transforming Diffie-Hellman
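S and R1
  • R1 (secret x) sends to S: $\eta = h^d h^x \bmod n$
  • S (secret y) sends to R1: $\zeta = h^{ey} \bmod n$
  • S: $\eta^{ey} = (h^{d+x})^{ey} = h^{edy} h^{exy} = h^y h^{exy}$
  • S: $r = \eta^{ey} / h^y = h^{exy}$
  • R1: $r' = (h^{ey})^x$
  • $r = r'$ if and only if Receiver knows $h^d$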
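The exchange on this slide as an added Python example (not part of the original presentation), run once for R1, who holds the certificate, and once for R2, who does not. The toy modulus built from two Mersenne primes, SHA-256 as hash(M), the sample message and the XOR keystream derived from r are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Constructed toy CA key: two Mersenne primes, far too weak for real use.
p, q = 2**61 - 1, 2**89 - 1
n, e = p * q, 65537
d = pow(e, -1, (p - 1) * (q - 1))       # CA private exponent

M = b"Bob is with CIA"                   # certificate content, known to all
h = int.from_bytes(hashlib.sha256(M).digest(), "big") % n
sigma = pow(h, d, n)                     # certificate sigma = h^d mod n
MESSAGE = b"message P, for certificate holders only"   # constructed sample

def pad(r, length):
    """Keystream derived from r (assumed stand-in for encryption under r)."""
    blocks = [hashlib.sha256(f"{r}:{i}".encode()).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))

def receiver_first_message(sig=None):
    """R1 (holds sig) sends eta = h^d * h^x; R2 (no sig) sends eta = h^x."""
    x = secrets.randbelow(n - 2) + 1
    eta = pow(h, x, n) * (sig if sig is not None else 1) % n
    return x, eta

def sender_envelope(eta, message):
    """S picks y, sends zeta = h^(ey), keys the envelope with r = eta^(ey) / h^y."""
    y = secrets.randbelow(n - 2) + 1
    zeta = pow(h, e * y, n)
    r = pow(eta, e * y, n) * pow(h, -y, n) % n
    return zeta, xor(message, pad(r, len(message)))

def receiver_open(x, zeta, ciphertext):
    """R computes r' = zeta^x, which equals r only if eta contained h^d."""
    r_prime = pow(zeta, x, n)
    return xor(ciphertext, pad(r_prime, len(ciphertext)))

def run(sig):
    """One protocol run; S executes the same steps whoever the receiver is."""
    x, eta = receiver_first_message(sig)
    zeta, ciphertext = sender_envelope(eta, MESSAGE)
    return receiver_open(x, zeta, ciphertext)

if __name__ == "__main__":
    print("R1:", run(sigma))
    print("R2:", run(None))
```

The sender never verifies anything about the receiver: it performs identical steps in both runs, and only the receiver's ability to decrypt differs.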
15
Properties
  • Theorem 1: RSA-OSBE is sound ($r = r'$).
  • Theorem 2: RSA-OSBE is oblivious.
  • R1: $\eta = h^{d+x}$
  • R2: $\eta = h^x$
  • $\{h^{d+x} \mid x \text{ random}\}$ and $\{h^x \mid x \text{ random}\}$ are
    statistically indistinguishable.
  • Theorem 3: RSA-OSBE is semantically secure
    against the receiver,
  • i.e., R2 cannot learn r.

16
Proof of Theorem 3 (Approach)
  • Approach
  • We show that, if there exists an adversary
    receiver R (who does not know $h^d$) that can break
    RSA-OSBE,
  • i.e., R can learn r by interacting with S,
  • then we can build an attacker that can generate
    $h^d$,
  • i.e., we can use R to break RSA signatures.
17
Proof of Theorem 3
R
M, (e, n)
$\eta$
$\zeta = h^{ey}$, y random
$r = h^{exy}$
$r = \eta^{ey} h^{-y}$
To construct an RSA attacker using R, we can
construct $\zeta$ such that we can get $h^d$ out of $\eta$, r ?
18
Proof of Theorem 3 (contd)
R
$\eta$
$\zeta = h^{ey}$
$r = \eta^{ey} h^{-y}$
RSA attacker randomly generates k, constructs
$\zeta = h^{1+ek} = h^{e(d+k)}$
Let $y = d + k$, then $\zeta = h^{ey}$
R outputs $r = \eta^{ey} h^{-y} = \eta^{e(d+k)} h^{-(d+k)}$
$= \eta^{1+ek} h^{-d} h^{-k}$,
19
Outline of This Presentation
  • Introduce the Oblivious Signature-Based Envelope
    (OSBE) concept.
  • An OSBE scheme for RSA signatures.
  • OSBE using Identity Based Encryption (IBE).
  • Summary and Future Work.

20
Identity Based Encryption (IBE)
System Parameters
Alice
Message P
Public encryption key: "Bob is a CIA member."
Cipher Text
21
IBE implies Signatures
PK
System Parameters
Alice
Message to be signed M
Public encryption key: "Bob is a CIA member."
Master Key
Bob
Private decryption key
$PK^{-1}$
Third Party
$\sigma = \mathrm{Sig}_{PK}(M)$
22
OSBE Scheme Using IBE
Receiver (Bob)
Sender
  • Public key
  • K = "Bob is a CIA member"

(2) $E_K(\text{Message})$
(3) Decrypt $E_K(\text{Message})$ using the private key.
23
Comparisons
  • IBE-OSBE is one round; RSA-OSBE needs two rounds.
  • RSA-OSBE can be used on existing Public Key
    Infrastructure.

24
Summary and Future Work
  • OSBE concept
  • RSA-OSBE scheme and IBE-OSBE scheme
  • Future Work
  • Find OSBE scheme for DSA signatures.