Slide - Applied Cryptography Group

IBM Research - Tokyo
Secure Obfuscation for Encrypted Signatures
Eurocrypt 2010 (May 31)
Satoshi Hada
IBM Research - Tokyo
© 2010 IBM Corporation
Outline
1. Summary
2. Motivation
   - Theoretical perspective
   - Application perspective
3. Proposed obfuscation
   - Basic idea
   - Example
   - Main result
4. Remarks
   - Relation to signcryption
   - Attacks we can (not) prevent
   - Generalization
The purpose of obfuscation is to hide private information
contained in programs while preserving the functionality.
[Figure: an Obfuscator transforms the program "byte[] signcrypt(byte[] m){ byte[] key ... }" (Before Obfuscation) into an obfuscated program (After Obfuscation).]

# | Name | Requirement
1 | Functionality | The obfuscated program preserves the functionality.
2 | Virtual Blackbox Property | Whatever adversaries can compute given an obfuscated program can be computed by black-box access to the functionality. E.g., we cannot extract the private information from an obfuscated program if we cannot do so by black-box access to the functionality.
Summary: a new positive result on program obfuscation
- We will show that we can securely obfuscate an encrypted signature scheme.

[Figure: Encrypted Signature, marked "We can obfuscate this program". Message m -> Sign (Alice’s private signing key) -> σ -> Encrypt (Bob’s public encryption key) -> Ciphertext c.]
NOTE: The message is not encrypted.
Motivation: only a few positive results are known
and we should look for more positive results.
Type | Results
Negative | Generic obfuscation is impossible (CRYPTO 2001, Barak et al.). We need to find specific programs we can securely obfuscate.
Positive | 1. Point functions (CRYPTO’97, Canetti, and many others); 2. Re-encryption (TCC’07, Hohenberger et al.); 3. Vote mixing (TCC’07, Adida et al.)
Motivation: To use signcryption for Webmail services, service providers
need to store users’ private signing keys and execute signcryption on
servers. Key leakage is a serious security issue.
[Figure: Alice’s Web Browser and Bob’s Web Browser connect through servers. Signcryption runs on the server (Signcrypt@Server) because standard browsers have no capability of signcryption. Key leakage is a serious security issue!!]
A solution is to obfuscate the signcryption program so that
the private signing key cannot be abused.
[Figure: the same Webmail setting (Alice’s Web Browser, servers, Bob’s Web Browser); the Signcrypt@Server program is marked "We can obfuscate this program".]
The basic idea is to design a pair of signature and encryption schemes
such that the following two are functionally equivalent:
1. signing a message and then encrypting the signature,
2. encrypting the signing key and then signing the message under the
encrypted signing key.
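[Figure: two paths to the same output. Encrypted Signature (to be obfuscated): Message m -> Sign (Alice’s signing key) -> σ -> Encrypt (Bob’s encryption key) -> Ciphertext c. Obfuscated programs: the Obfuscator applies Encrypt (Bob’s encryption key) to Alice’s signing key, and Sign is then run on m under the Encrypted Alice’s signing key to give c.]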
The virtual black-box property reduces to the security of encryption.
Example: We realize the basic idea using the BLS signature scheme
1. BLS signature by Boneh, Lynn, and Shacham (Asiacrypt 2001)
   - Key Pair: (v, s) such that v = g^s
     - g is a generator of prime order q for a bilinear group
     - v: public verification key
     - s: private signing key
   - Signature generation
     - σ = Sign(s, m) = H(m)^s, where H is a hash function (a random oracle)
2. Key Encapsulation Mechanism (KEM)
   - Key Pair: (pk, sk)
     - pk: public encryption key
     - sk: private decryption key
   - Key encapsulation
     - (r, c) ← KEM.Enc(pk)
     - r is a random key and c is its ciphertext
   - Two required properties
     1. A scalar homomorphic property: Given a ciphertext c, we can compute (r’, c’) such that r’ is a new random key and c’ is a ciphertext of r*r’ (mod q).
     2. c is rerandomizable
   - Example
     - Use the Paillier encryption scheme as a KEM.Enc satisfying the two requirements
Example: Encrypted signature program
- Input: m
- Stored Info
  - private signing key: s
  - public encryption key: pk
- Code
  1. σ = Sign(m, s) = H(m)^s    (Sign)
  2. (r, c) ← KEM.Enc(pk)       (Encrypt: steps 2-4)
  3. Compute σ^r
  4. Output (c, σ^r)
Example: Obfuscation (initial attempt)
Before Obfuscation
- Input: m
- Stored Info
  - private signing key: s
  - public encryption key: pk
- Code
  1. σ = Sign(m, s) = H(m)^s
  2. (r, c) ← KEM.Enc(pk)
  3. Compute σ^r
  4. Output (c, σ^r)
- Output is randomly generated
After Obfuscation
- Input: m
- Stored Info
  - c, where (r, c) ← KEM.Enc(pk)
  - s’ = s*r mod q (encrypted signing key)
- Code
  1. Sign(m, s’) = H(m)^s’ (= σ^r)
  2. Output (c, σ^r)
- Output is fixed for each message
Example: Obfuscation
Before Obfuscation
- Input: m
- Stored Info
  - private signing key: s
  - public encryption key: pk
- Code
  1. σ = Sign(m, s) = H(m)^s
  2. (r, c) ← KEM.Enc(pk)
  3. Compute σ^r
  4. Output (c, σ^r)
After Obfuscation
- Input: m
- Stored Info
  - c, where (r, c) ← KEM.Enc(pk)
  - s’ = s*r mod q
- Code (randomization was added)
  1. Use the scalar homomorphic property to compute (r’, c’)
  2. s’’ = s’*r’ mod q
  3. Sign(m, s’’) = H(m)^s’’ (= σ^(r*r’))
  4. Rerandomize c’
  5. Output (c’, σ^(r*r’))
The output distributions are identical
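
The before/after programs above, as an added sketch that is not code from the slides or the paper. Assumptions: a toy order-q subgroup of Z_p^* stands in for the bilinear group (the pairing is only needed for verification), H is a toy hash whose discrete log is known, the Paillier primes are tiny, and all function names are hypothetical.

```python
import hashlib, math, secrets

# Constructed toy parameters, far too small for real use.
P, Q, G = 2039, 1019, 4            # G generates the order-Q subgroup of Z_P^*
N = 1999 * 2003                    # Paillier modulus, N > Q**2 so r*r' never wraps
N2, LAM = N * N, math.lcm(1998, 2002)   # LAM is Bob's private decryption key

def H(m):                          # toy stand-in for the random oracle H
    e = int.from_bytes(hashlib.sha256(m).digest(), "big") % (Q - 1) + 1
    return pow(G, e, P)

def rand_key():                    # random nonzero scalar mod Q
    return secrets.randbelow(Q - 1) + 1

def blind():                       # u^N mod N^2: a fresh encryption of 0
    while True:
        u = secrets.randbelow(N - 2) + 2
        if math.gcd(u, N) == 1:
            return pow(u, N, N2)

def kem_enc():                     # (r, c) <- KEM.Enc(pk), c = Paillier Enc(r)
    r = rand_key()
    return r, pow(1 + N, r, N2) * blind() % N2

def kem_dec(c):                    # Bob: decrypt, then reduce mod Q
    return (pow(c, LAM, N2) - 1) // N * pow(LAM, -1, N) % N % Q

def encrypted_sign(s, m):          # original program: holds s in the clear
    r, c = kem_enc()
    return c, pow(pow(H(m), s, P), r, P)      # (c, sigma^r)

def obfuscate(s):                  # stored info after obfuscation: c and s'
    r, c = kem_enc()
    return c, s * r % Q

def obfuscated_sign(c, s1, m):     # steps 1-5 of the obfuscated program
    r2 = rand_key()
    c2 = pow(c, r2, N2)            # 1. scalar homomorphism: Enc(r) -> Enc(r*r')
    s2 = s1 * r2 % Q               # 2. s'' = s' * r' mod q
    sig = pow(H(m), s2, P)         # 3. H(m)^s'' = sigma^(r*r')
    return c2 * blind() % N2, sig  # 4-5. rerandomize c', output

def unmask(c, masked):             # Bob strips the KEM key from the exponent
    return pow(masked, pow(kem_dec(c), -1, Q), P)
```

Both programs hand Bob a pair that unmasks to the same σ = H(m)^s, while the obfuscated one stores only c and s’.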
Main Result: We can securely obfuscate an encrypted signature scheme in the standard model
# | Building Block | Security (in the standard model)
1 | Waters’s signature scheme (Eurocrypt’05) | Theorem 2: Waters’s signature scheme is existentially unforgeable (EU) against chosen message attacks under the decisional bilinear Diffie-Hellman (DBDH) assumption.
2 | Linear encryption scheme (Crypto’04) | Theorem 3: Linear encryption scheme is IND-CPA under the decisional linear (DL) assumption.
Our contribution:
1. Apply the basic idea to the encrypted signature scheme defined as the sequential composition of Waters’s signature and linear encryption schemes.
2. Theorem 4: The obfuscator satisfies a virtual black-box property (VBP) under the DL assumption.
   - What does this mean?
Main Result: The security of Waters’s signature scheme is
preserved even when adversaries are given obfuscated encrypted
signature programs
Abstract
- Def 3: A signature scheme is EU against adversaries having signing oracle
- Def 5 (Stronger Security): A signature scheme is EU against adversaries having signing oracle and obfuscated encrypted signature program
- The links between Def 3 and Def 5 are labelled "trivial" and "Thm 1"
- Thm 1: if the obfuscator satisfies the VBP, then Def 4 implies Def 5.
Concrete
- Thm 2: Waters’s signature scheme satisfies Def 3 under DBDH
- Corollary 1: Waters’s signature scheme satisfies Def 5 under DL and DBDH
- The links between Thm 2 and Corollary 1 are labelled "trivial" and "Thms 1 & 4"
We can use encrypted signature as a building block to construct a
secure signcryption scheme. Using our proposed obfuscation, we can
obfuscate the signcryption scheme.
[Figure: EncryptedSignature-then-Encryption (EStE). Encrypted Signature: Message m -> Sign (Alice’s private signing key) -> σ -> Encrypt (Bob’s public encryption key). The result and m then go through (Hybrid) Encrypt to give Ciphertext c.]

Formal discussion would be a future work item:
- The security of EStE-based signcryption
- The security of obfuscation for EStE
There are some attacks that our proposed obfuscation
cannot prevent.
Type | Attacks
Attacks we can prevent | Even if an adversary is given an obfuscated program for Alice-to-Bob, he/she cannot (1) forge Alice’s signature, (2) compute encrypted signatures for Alice-to-Carol, Alice-to-Dave, …
Attack we cannot prevent | If an adversary is given an obfuscated program for Alice-to-Bob: (1) He/she can compute encrypted signatures for Alice-to-Bob. It’s unavoidable… (2) If he/she has access to the decryption key (or decryption oracle) for Bob, the signing key can be recovered completely.
What kind of CCA security can we achieve in the context of encrypted signatures and signcryption?
Generalization: we can apply the basic idea to
other signature schemes
We can generalize our construction to clarify the properties that a pair
of encryption and signature schemes should satisfy so that the
encrypted signature can be securely obfuscated
# | Scheme | Pairing-based | Reference
1 | Lysyanskaya’s unique signature scheme | YES | CRYPTO’02
2 | Dodis’s verifiable random function | YES | PKC’02
3 | Undeniable signature scheme by Chaum and Antwerpen | NO | CRYPTO’89
4 | DDH-based Pseudorandom functions (MAC) | NO | J. ACM 2004
5 | Schnorr’s signature scheme | NO | JoC 1991