Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.


Motivation
Alice: I have a message P to report, but I want to make sure you are CIA. Please show me your CIA certificate.
Bob: I won’t show my CIA certificate to you, just give me the message.
??????

Outline of This Presentation
Introduce the Oblivious Signature-Based Envelope (OSBE) concept.
An OSBE scheme for RSA signatures.
OSBE using Identity Based Encryption (IBE).
Summary and Future Work.

Public Key Certificate (an example)
Bob’s CIA certificate:
PK: the CIA’s public key.
M: “Bob is with CIA”
$\mathrm{Sig}_{PK}(M)$: signature on M (certificate).
The secret part is 

Oblivious Signature-Based Envelope (OSBE)
[Diagram labels: Message P, Sender, Receiver]
Receiver can open the envelope if and only if he/she has the certificate.
Sender cannot know whether the receiver has the certificate.

OSBE Definition
Setup:
PK: the Certificate Authority’s public key.
M: content of the certificate.
$\mathrm{Sig}_{PK}(M)$: signature on M (certificate).
S: Sender of message P (P is given to S only).
$R_1$: Receiver with .
$R_2$: Receiver without .
PK and M are given to all three parties.

OSBE Definition (cont’d)
Interaction: One of $R_1$ and $R_2$ is chosen as R, without S knowing which one. S and R run an interactive protocol.
Open: R outputs P if and only if R = $R_1$.
Note: $R_1$ has the certificate, $R_2$ doesn’t.

Security Requirements
Sound: $R_1$ can output P with overwhelming probability.
Oblivious: S does not learn whether it is communicating with $R_1$ or $R_2$.
Semantically secure against the receiver: $R_2$ learns nothing about P.

Outline of This Presentation
Introduce the Oblivious Signature-Based Envelope (OSBE) concept.
An OSBE scheme for RSA signatures.
OSBE using Identity Based Encryption (IBE).
Summary and Future Work.

An OSBE Scheme for RSA
RSA Signatures:
$(e, n)$: public key PK.
$d$: private key.
$h = \mathrm{hash}(M)$: hash value of M.
$\mathrm{Sig}_{PK}(M) = h^d \pmod{n}$: signature.
$(h^d)^e = (h^e)^d = h \pmod{n}$.

RSA-OSBE Scheme: Setup
Setup:
Everybody knows $h$, M, $(e, n)$.
Sender S knows: P.
Receiver $R_1$ knows: $h^d \bmod n$.

Using Key Agreement
[Diagram labels: P, Sender, Receiver]
Sender knows the key; Receiver knows the key only if it has $h^d$.

Diffie-Hellman Key Agreement
Alice picks $x$; Bob picks $y$.
Alice → Bob: $h^x \bmod n$
Bob → Alice: $h^y \bmod n$
Shared key: $(h^x)^y \bmod n = (h^y)^x \bmod n = h^{xy} \bmod n$

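Transforming Diffie-Hellman
S picks $y$; $R_1$ picks $x$.
$R_1$ → S: $h^d \cdot h^x \bmod n$
S → $R_1$: $h^{ey} \bmod n$
S raises the value received from $R_1$ to the power $ey$: $(h^{d+x})^{ey} = h^{edy} \cdot h^{exy} = h^y \cdot h^{exy}$, then divides by $h^y$ to get $r = h^{exy}$.
$R_1$ computes $r' = (h^{ey})^x$.
$r = r'$ if and only if Receiver knows $h^d$.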

Properties
Theorem 1: RSA-OSBE is sound ($r = r'$).
Theorem 2: RSA-OSBE is oblivious. $R_1$ sends $h^{d+x}$; $R_2$ sends $h^{x'}$. $\{h^{d+x} \mid x \text{ random}\}$ and $\{h^{x'} \mid x' \text{ random}\}$ are statistically indistinguishable.
Theorem 3: RSA-OSBE is semantically secure against the receiver, i.e., $R_2$ cannot learn $r$.
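
The two-round RSA-OSBE exchange from the slides above, as an added Python example (not code from the presentation or its authors). It runs the protocol once for a receiver holding $h^d$ and once for a receiver without it. Assumptions made here: a toy RSA key built from two Mersenne primes, SHA-256 as the hash, XOR with SHA-256(r) as the envelope cipher, and the names `blinded` and `challenge` for the two protocol messages.

```python
import hashlib
import secrets

# Constructed toy RSA key from two Mersenne primes: insecure, illustration only.
P_PRIME, Q_PRIME = 2**61 - 1, 2**89 - 1
N, E = P_PRIME * Q_PRIME, 65537
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))   # CA's private exponent d

def h_of(cert_text: bytes) -> int:
    """h = hash(M), reduced mod n."""
    return int.from_bytes(hashlib.sha256(cert_text).digest(), "big") % N

def toy_envelope(r: int, data: bytes) -> bytes:
    """Assumed toy cipher: XOR data (<= 32 bytes) with SHA-256(r); self-inverse."""
    pad = hashlib.sha256(str(r).encode()).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def receiver_round1(h: int, sig):
    """R1 (sig = h^d) sends h^d * h^x; R2 (sig is None) can only send h^x'."""
    x = secrets.randbelow(N)
    blinded = pow(h, x, N) * (sig if sig is not None else 1) % N
    return x, blinded

def sender_round2(h: int, blinded: int, message: bytes):
    """S picks y, derives r = blinded^(e*y) * h^(-y), returns (h^(e*y), envelope)."""
    y = 1 + secrets.randbelow(N - 1)
    r = pow(blinded, E * y, N) * pow(h, -y, N) % N
    return pow(h, E * y, N), toy_envelope(r, message)

def receiver_open(x: int, challenge: int, envelope: bytes) -> bytes:
    """Receiver computes r' = (h^(e*y))^x and uses it to open the envelope."""
    return toy_envelope(pow(challenge, x, N), envelope)

def run(has_certificate: bool, message: bytes = b"report P") -> bytes:
    """One protocol run; the sender's code path is identical in both cases."""
    h = h_of(b"Bob is with CIA")
    sig = pow(h, D, N) if has_certificate else None   # CA-issued signature h^d
    x, blinded = receiver_round1(h, sig)
    challenge, envelope = sender_round2(h, blinded, message)
    return receiver_open(x, challenge, envelope)

if __name__ == "__main__":
    print("with certificate:   ", run(True))
    print("without certificate:", run(False))
```

The sender never branches on whether `blinded` contains a valid signature, which is the obliviousness property; only the receiver's ability to recompute r differs.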

Proof of Theorem 3 (Approach)
We show that if there exists an adversary receiver R (who does not know $h^d$) that can break RSA-OSBE, i.e., R can learn $r$ by interacting with S, then we can build an attacker that can generate $h^d$, i.e., we can use R to break RSA signatures.

Proof of Theorem 3
R: M, $(e, n)$.
S → R: $h^{ey}$, $y$ random.
$r = (\text{value sent by R})^{ey} \cdot h^{-y}$
To construct RSA attacker using R, we can construct  such that we can get $h^d$ out of , r ?
$r' = h^{exy}$

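Proof of Theorem 3 (cont’d)
S → R: $h^{ey}$; $r = (\text{value sent by R})^{ey} \cdot h^{-y}$.
RSA Attacker randomly generates $k$, constructs $h^{1+ek} = h^{e(d+k)}$.
Attacker knows R outputs $r = (\text{value sent by R})^{ey} \cdot h^{-y} = (\text{value sent by R})^{e(d+k)} \cdot h^{-(d+k)} = (\text{value sent by R})^{1+ek} \cdot h^{-d} \cdot h^{-k}$.
Let $y = d+k$; then the constructed value is $h^{ey}$.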

Outline of This Presentation
Introduce the Oblivious Signature-Based Envelope (OSBE) concept.
An OSBE scheme for RSA signatures.
OSBE using Identity Based Encryption (IBE).
Summary and Future Work.

Identity Based Encryption (IBE)
[Diagram labels: public encryption key “Bob is a CIA member”; System Parameters; Cipher Text; Message P; Alice; Master Key; private decryption key; Bob; Third Party]

IBE implies Signatures
[Diagram labels: public encryption key “Bob is a CIA member”; System Parameters; Alice; Master Key; private decryption key; Bob; Third Party; message to be signed: M; PK; $PK^{-1}$; $\mathrm{Sig}_{PK}(M)$]

OSBE Scheme Using IBE
Parties: Sender, Receiver (Bob).
(1) Public key K = “Bob is a CIA member”
(2) $E_K(\text{Message})$
(3) Decrypt $E_K(\text{Message})$ using the private key.

Comparisons
IBE-OSBE is one round; RSA-OSBE needs two rounds.
RSA-OSBE can be used on existing Public Key Infrastructure.

Summary and Future Work
OSBE concept.
RSA-OSBE scheme and IBE-OSBE scheme.
Future Work: Find OSBE scheme for DSA signatures.