Presentation is loading. Please wait.

Presentation is loading. Please wait.

Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.

Published byJade Barker Modified over 8 years ago

Similar presentations

Presentation on theme: "Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University."— Presentation transcript:

1

2 Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University

3 Motivation AliceBob I have an message P to report, but I want to make sure you are CIA. Please show me your CIA certificate. I won’t show my CIA certificate to you, just give me the message. ??????

4 Outline of This Presentation Introduce the Oblivious Signature- Based Envelope (OSBE) concept. An OSBE scheme for RSA signatures. OSBE using Identity Based Encryption (IBE). Summary and Future Work.

5 Public Key Certificate (an example) Bob’s CIA certificate: PK: the CIA’s public key. M: “Bob is with CIA”  = Sig PK (M): signature on M (certificate). The secret part is 

6 Oblivious Signature-Based Envelope (OSBE) Message P Sender Receiver Receiver can open the envelope if and only if he/she has the certificate. Sender cannot know whether the receiver has the certificate.

7 OSBE Definition Setup PK: the Certificate Authority’s public key. M: content of the certificate.  = Sig PK (M): signature on M (certificate). S: Sender of message P (P is given to S only). R 1 : Receiver with . R 2 : Receiver without . PK and M are given to all three parties.

8 OSBE Definition (cont’d) Interaction One of R 1 and R 2 is chosen as R, without S knowing which one. S and R run an interactive protocol. Open R outputs P if and only if R = R 1. Note: R 1 has the certificate, R 2 doesn’t.

9 Security Requirements Sound: R 1 can output P with overwhelming probability. Oblivious: S does not learn whether it is communicating with R 1 or R 2. Semantically secure against the receiver: R 2 learns nothing about P.

10 Outline of This Presentation Introduce the Oblivious Signature- Based Envelope (OSBE) concept. An OSBE scheme for RSA signatures. OSBE using Identity Based Encryption (IBE). Summary and Future Work.

11 An OSBE Scheme for RSA RSA Signatures: (e, n): public key PK. d: private key. h = hash(M): hash value of M.  = Sig PK (M) = h d (mod n): signature. (h d ) e = (h e ) d = h (mod n).

12 RSA-OSBE Scheme: Setup Setup: Everybody knows h, M, (e, n) Sender S knows: P Receiver R 1 knows:  = (h d mod n)

13 Using Key Agreement P Sender Receiver Sender knows the key; Receiver knows the key only if it has h d.

14 Diffie-Hellman Key Agreement Alice Bob x y h x mod n h y mod n (h x ) y mod n(h y ) x mod n = h x y mod n

15 Transforming Diffie-Hellman SR1R1 xy  = h d · h x mod n  = h e y mod n  e y = (h d+x ) e y r ‘ = (h e y ) x r = r’ if and only if Receiver knows h d = h e d y · h e x y = h y · h e x y r =  e y / h y = h e x y

16 Properties Theorem 1: RSA-OSBE is sound (r = r’) Theorem 2: RSA-OSBE is oblivious R 1 :  = h d+x R 2 :  = h x’ {h d+x | x random} and {h x’ | x’ random} are statistically indistinguishable. Theorem 3: RSA-OSBE is semantically secure against the receiver, i.e, R 2 cannot learn r.

17 Proof of Theorem 3 (Approach) Approach We show that, if there exists an adversary receiver R (who does know h d ) that can break RSA-OSBE i.e., R can learn r by interacting with S, Then we can build an attacker that can generate h d. i.e., we can use R to break RSA signatures

18 Proof of Theorem 3 R M, (e, n)   = h e y, y random r =  e y · h -y To construct RSA attacker using R, we can construct  such that we can get h d out of , r ? r’ = h exy

19 Proof of Theorem 3 (cont’d) R  = h ey r =  e y · h -y RSA Attacker randomly generates k, constructs  = h 1+ ek = h e (d+k) Attacker knows R outputs r =  e y · h -y =  e(d+k) · h -(d+k) =  1+ek · h -d · h -k, Let y = d+k, then  = h e y 

20 Outline of This Presentation Introduce the Oblivious Signature- Based Envelope (OSBE) concept. An OSBE scheme for RSA signatures. OSBE using Identity Based Encryption (IBE). Summary and Future Work.

21 Identity Based Encryption (IBE) Public encryption key “Bob is a CIA member”. System Parameters Cipher Text Message P Alice Master Key Private decryption key Bob Third Party

22 IBE implies Signatures Public encryption key “Bob is a CIA member”. System Parameters Alice Master Key Private decryption key Bob Third Party Message to be signed: M PK PK -1  = Sig PK (M)

23 OSBE Scheme Using IBE Sender Receiver (Bob) (1)Public key K = “Bob is a CIA member” (2) E K (Message) (3) Decrypt E K (Message) using the private key.

24 Comparisons IBE-OSBE is one round; RSA-OSBE needs two rounds. RSA-OSBE can be used on existing Public Key Infrastructure.

25 Summary and Future Work OSBE concept RSA-OSBE scheme and IBE-OSBE scheme Future Work: Find OSBE scheme for DSA signatures.

Download ppt "Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University."

Similar presentations

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.

Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.
Identity Based Encryption

Identity Based Encryption
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.

1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.
Non-interactive and Reusable Non-malleable Commitments Ivan Damgård, BRICS, Aarhus University Jens Groth, Cryptomathic A/S.

Non-interactive and Reusable Non-malleable Commitments Ivan Damgård, BRICS, Aarhus University Jens Groth, Cryptomathic A/S.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.

Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Similar presentations

Ads by Google