Oblivious Signature Based
Envelope
Ninghui Li,Wenliang Du, and Dan Boneh. In Proceedings
of the 22nd ACM Symposium on Principles of Distributed
Computing (PODC 2003). ACM Press, July 2003.
Speaker:Jun-Ting Lai
Date:2010/04/15
Outline
Introduction
Other Applications And Related Concepts Of OSBE
Oblivious Signature Based Envelope(OSBE): Definition
AN OSBE SCHEME FOR RSA SIGNATURES
One round OSBE Using Identity Based Encryption
Conclusion
2
Introduction
Exchanging digitally signed certificates is an increasingly
popular approach for authentication and authorization in
distributed systems.
ATN protocols would conclude negotiation failure, because
there is cyclic interdependency between two negotiators’
AC policies.
3
2-party Secure Function
Evaluation(SFE) problem
The function F is defined as follows.
F [Verify, M , PK ]Alice ( P,  ) 
F [Verify, M , PK ]Bob ( P,  ) 
{
p if

VerifyPK ( M ,  )  true;
otherwise
In other words, our goal is that Alice learns nothing and
Bob learns F[Verify, M , PK ]Bob ( P,  ) without learning
anything else.
4
Other Applications And Related
Concepts Of OSBE
OSBE scheme enables the sender to send a message with the
assurance that it can be seen only by the receiver if it has
appropriate certificates while at the same time protecting the
receiver’s privacy such that the sender does not know
whether the receiver has the required certificates or not.
OSBE might also be used in the context of Private
Information Retrieval (PIR) to provide access control on the
information being retrieved.
5
Between OSBE and FES of Difference
First, the signatures involved in OSBE are not generated by the
two parties involved in the protocols, but rather generated by
certification authorities before the OSBE protocol is used.
Second, in FES protocols, at some stage, one party learns that
the other party has a signature without obtaining that signature.
This does not satisfy the security requirements of OSBE.
Because of the above two reasons, FES protocols cannot be
used directly to achieve OSBE.
Third, OSBE does not require a fair exchange of signatures.
6
Oblivious Signature Based
Envelope(OSBE): Definition
An Oblivious Signature-Based Envelope (OSBE) scheme is
parameterized by a signature scheme Sig. It involves a sender S and
two receivers R1 and R2. An OSBE scheme has the following three
phases:
Setup
Interaction
Open
7
Three phases
Setup: The Setup algorithm takes a security parameter t and
creates system parameters, which include a signing key
whose public key is denoted by pk . Two messages M and R1
are chosen. M and P are given to all three parties, namely, S , R1
and R2. In addition, the sender S is given P and the receiver R1
is given the signature   Sig PK ( M ) .
Interaction: One of R1 and R2 is chosen as R, without S
knowing which one. S and R run an interactive protocol.
Open: After the interaction phase, if R  R , i.e., R1 was chosen
in the interaction phase, R outputs the message P .
( R can do that because it knows Sig PK (M ).)
Otherwise , when R  R2 ,R does nothing.
8
1
Three properties
Sound
Oblivious
semantically secure against the receiver
9
AN OSBE SCHEME FOR RSA
SIGNATURES
The key space is defined
to be the following set:
K
{
,equal size primes,
}
ed .1(mod
(n, evalues
, d ) | n and
pq, pare
, q public, and the value is secret
The
For  n) ,
message , and na message
, define
d
e digest function
k  (n, e, d )
and
M
H :{0,1}*  Z n
Sig K ( M )  H ( M ) d mod n
VerifyK ( M ,  )  ture  H ( M )   e (mod n)
10
Three phases
Setup:The setup algorithm takes a security parameter t and
runs the RSA key generation algorithm to create an RSA
key (n, e, d ) ; in addition, it generates two security
parameters t1andt 2 , which are linear in t . In practice, t1  t2  128
suffices. Two messages M and P are chosen. Party S is
given (n, e) , M, and P . Party R1 is given (n, e) , M , and
  ( H (M )d mod n) . Party R2 is given (n, e) and M .
11
Three phases(2/2)
Interaction:
to
Rsends
1
S :,in
 (which
 h x mod n)
.
x  [1..2t n]
x'
to
,
in
which
.
S
:


(
h
mod n)
Rsends
x '  [1..2t n]
2
, picks  {0,1, n  1}
 that
Sreceives , checks
y
r  then
( ey hsends
mod
, tcomputes
and
ton)the pair:
y  [1..2
n]
1
1
2
ye


(
h
mod nthe
), C interaction
  H '( r ) [ p]
receives from
Open:
R1
, and decrypts
C using
.
R
phase; it computes
.( , C )
r '  ( x mod n)
H ' (r ' )
12
One round OSBE Using Identity Based
Encryption(1/2)
Setup: Let M
and bePtwo messages and let be the IBE private
Sig PK (M )
key corresponding to when is viewed as a public key. The
M senderM
is given and . The receiver is given
.
M
(Mreceiver
)
P
Interaction:The
sender wants to send Sig
toPKthe
so that
the receiver can only obtain if she has the signature
on .The
P
sender encrypts using as an IBE public key and sends the
P
M
resulting ciphertext to the receiver.
Sig PK (M )
P
M
C
13
One round OSBE Using Identity Based
Encryption(2/2)
Open:
The receiver, using the private key
C
can decrypt
to (obtain
.
Sig PK
M)
P
14
Conclusion
We introduced oblivious signature-based envelope (OSBE) as a
solution to the SFE problem and mentioned that OSBE can be used
in other privacy sensitive applications as well.
An open problem is to find an efficient and provably secure OSBE
scheme for DSA signatures. We are also investigating other
applications of the OSBE concept.
15