Secure Obfuscation for Encrypted Signatures
Eurocrypt 2010 (May 31)
Satoshi Hada, IBM Research - Tokyo
© 2010 IBM Corporation

Outline

1. Summary
2. Motivation
   - Theoretical perspective
   - Application perspective
3. Proposed obfuscation
   - Basic idea
   - Example
   - Main result
4. Remarks
   - Relation to signcryption
   - Attacks we can (not) prevent
   - Generalization

The purpose of obfuscation is to hide private information contained in programs while preserving the functionality.

[Figure: a program "byte[] signcrypt(byte[] m){ byte[] key ... }" before obfuscation is passed through the Obfuscator to give the program after obfuscation.]

| # | Name | Requirement |
|---|------|-------------|
| 1 | Functionality | The obfuscated program preserves the functionality. |
| 2 | Virtual Blackbox Property | Whatever adversaries can compute given an obfuscated program can be computed by black-box access to the functionality. E.g., we cannot extract the private information from an obfuscated program if we cannot do so by black-box access to the functionality. |

Summary: a new positive result on program obfuscation

We will show that we can securely obfuscate an encrypted signature scheme.

[Figure: Encrypted Signature, the program we can obfuscate. Message m is signed with Alice’s private signing key (Sign) to give σ, and σ is encrypted under Bob’s public encryption key (Encrypt) to give the ciphertext c.]

NOTE: The message is not encrypted.

Motivation: only a few positive results are known and we should look for more positive results.

| Type | Results |
|------|---------|
| Negative | Generic obfuscation is impossible (CRYPTO 2001 Barak et al.). We need to find specific programs we can securely obfuscate. |
| Positive | 1. Point functions (CRYPTO’97 Canetti and many others); 2. Re-encryption (TCC’07 Hohenberger et al.); 3. Vote mixing (TCC’07 Adida et al.) |

Motivation: To use signcryption for Webmail services, service providers need to store users’ private signing keys and execute signcryption on servers. Key leakage is a serious security issue.

[Figure: Alice’s Web browser and Bob’s Web browser connected through servers, with signcryption running at the server (Signcrypt@Server). Annotations: "Standard browsers have no capability of signcryption" and "Key leakage is a serious security issue!!"]

A solution is to obfuscate the signcryption program so that the private signing key cannot be abused.

[Figure: the same Webmail setting (Alice’s Web browser, servers, Bob’s Web browser) with the Signcrypt@Server program marked "We can obfuscate this program".]

The basic idea is to design a pair of signature and encryption schemes such that the following two are functionally equivalent:

1. signing a message and then encrypting the signature,
2. encrypting the signing key and then signing the message under the encrypted signing key.

[Figure: on one side, the Encrypted Signature program (to be obfuscated): message m and Alice’s signing key go into Sign, giving σ, which is encrypted under Bob’s encryption key to give the ciphertext c. On the other side, the Obfuscator encrypts Alice’s signing key, and the obfuscated program signs under the encrypted signing key.]

The virtual black-box property reduces to the security of encryption.

Example: We realize the basic idea using the BLS signature scheme

1. BLS signature by Boneh, Lynn, and Shacham (Asiacrypt 2001)
   - Key pair: $(v, s)$ such that $v = g^s$
     - $g$ is a generator of prime order $q$ for a bilinear group
     - $v$: public verification key
     - $s$: private signing key
   - Signature generation: $\sigma = \mathrm{Sign}(s, m) = H(m)^s$, where $H$ is a hash function (a random oracle)
2. Key Encapsulation Mechanism (KEM)
   - Key pair: $(pk, sk)$
     - $pk$: public encryption key
     - $sk$: private decryption key
   - Key encapsulation: $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$, where $r$ is a random key and $c$ is its ciphertext
   - Two required properties:
     1. A scalar homomorphic property: given a ciphertext $c$, we can compute $(r', c')$ such that $r'$ is a new random key and $c'$ is a ciphertext of $r \cdot r' \pmod q$.
     2. $c$ is rerandomizable.
   - Example: use the Paillier encryption scheme as a KEM.Enc satisfying the two requirements.

Example: Encrypted signature program

- Input: $m$
- Stored info: private signing key $s$; public encryption key $pk$
- Code (step 1 is Sign, steps 2 to 4 are Encrypt):
  1. $\sigma = \mathrm{Sign}(m, s) = H(m)^s$
  2. $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
  3. Compute $\sigma^r$
  4. Output $(c, \sigma^r)$

Example: Obfuscation (initial attempt)

Before obfuscation:

- Input: $m$
- Stored info: private signing key $s$; public encryption key $pk$
- Code:
  1. $\sigma = \mathrm{Sign}(m, s) = H(m)^s$
  2. $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
  3. Compute $\sigma^r$
  4. Output $(c, \sigma^r)$
- Output is randomly generated.

After obfuscation:

- Input: $m$
- Stored info (the encrypted signing key): $c$, where $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$; $s' = s \cdot r \bmod q$
- Code:
  1. $\mathrm{Sign}(m, s') = H(m)^{s'}$ $(= \sigma^r)$
  2. Output $(c, \sigma^r)$
- Output is fixed for each message.

Example: Obfuscation

Before obfuscation:

- Input: $m$
- Stored info: private signing key $s$; public encryption key $pk$
- Code:
  1. $\sigma = \mathrm{Sign}(m, s) = H(m)^s$
  2. $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$
  3. Compute $\sigma^r$
  4. Output $(c, \sigma^r)$

After obfuscation (randomization was added):

- Input: $m$
- Stored info: $c$, where $(r, c) \leftarrow \mathrm{KEM.Enc}(pk)$; $s' = s \cdot r \bmod q$
- Code:
  1. Use the scalar homomorphic property to compute $(r', c')$
  2. $s'' = s' \cdot r' \bmod q$
  3. $\mathrm{Sign}(m, s'') = H(m)^{s''}$ $(= \sigma^{r \cdot r'})$
  4. Rerandomize $c'$
  5. Output $(c', \sigma^{r \cdot r'})$

The output distributions are identical.

Main Result: We can securely obfuscate an encrypted signature scheme in the standard model

| # | Building Block | Security (in the standard model) |
|---|----------------|----------------------------------|
| 1 | Waters’s signature scheme (Eurocrypt’05) | Theorem 2: Waters’s signature scheme is existentially unforgeable (EU) against chosen message attacks under the decisional bilinear Diffie-Hellman (DBDH) assumption. |
| 2 | Linear encryption scheme (Crypto’04) | Theorem 3: Linear encryption scheme is IND-CPA under the decisional linear (DL) assumption. |

Our contribution:

1. Apply the basic idea to the encrypted signature scheme defined as the sequential composition of Waters’s signature and linear encryption schemes.
2. Theorem 4: The obfuscator satisfies a virtual black-box property (VBP) under the DL assumption. What does this mean?

Main Result: The security of Waters’s signature scheme is preserved even when adversaries are given obfuscated encrypted signature programs

Abstract:

- Def 3: A signature scheme is EU against adversaries having signing oracle
- Def 5: A signature scheme is EU against adversaries having signing oracle and obfuscated encrypted signature program

Concrete:

- Thm 2: Waters’s signature scheme satisfies Def 3 under DBDH
- Corollary 1: Waters’s signature scheme satisfies Def 5 under DL and DBDH

[Diagram: arrows between these statements are labelled "Stronger Security", "trivial", "Thm 1", "trivial" and "Thms 1 & 4".]

Thm 1: if the obfuscator satisfies the VBP, then Def 4 implies Def 5.

We can use encrypted signature as a building block to construct a secure signcryption scheme. Using our proposed obfuscation, we can obfuscate the signcryption scheme.

[Figure: EncryptedSignature-then-Encryption (EStE). Labels: Encrypted Signature (Alice’s private signing key, Bob’s public encryption key, Sign, σ, Encrypt, c), message m, (Hybrid) Encrypt, Ciphertext.]

Formal discussion would be a future work item:

- The security of EStE-based signcryption
- The security of obfuscation for EStE

There are some attacks that our proposed obfuscation cannot prevent.

| Type | Attacks |
|------|---------|
| Attacks we can prevent | Even if an adversary is given an obfuscated program for Alice-to-Bob, he/she cannot forge Alice’s signature or compute encrypted signatures for Alice-to-Carol, Alice-to-Dave, … |
| Attack we cannot prevent | If an adversary is given an obfuscated program for Alice-to-Bob, he/she can compute encrypted signatures for Alice-to-Bob. It’s unavoidable… If he/she has access to the decryption key (or decryption oracle) for Bob, the signing key can be recovered completely. |

What kind of CCA security can we achieve in the context of encrypted signatures and signcryption?

Generalization: we can apply the basic idea to other signature schemes

We can generalize our construction to clarify the properties that a pair of encryption and signature schemes should satisfy so that the encrypted signature can be securely obfuscated.

| # | Scheme | Pairing-based | Reference |
|---|--------|---------------|-----------|
| 1 | Lysyanskaya’s unique signature scheme | YES | CRYPTO’02 |
| 2 | Dodis’s verifiable random function | YES | PKC’02 |
| 3 | Undeniable signature scheme by Chaum and Antwerpen | NO | CRYPTO’89 |
| 4 | DDH-based Pseudorandom functions (MAC) | NO | J. ACM 2004 |
| 5 | Schnorr’s signature scheme | NO | JoC 1991 |
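The BLS/Paillier example from the "Example: Obfuscation" slides, as an added Python sketch that is not part of the original deck: it runs the original program and the obfuscated one side by side, shows that both open to the same $\sigma = H(m)^s$, and reproduces the slide's caveat that Bob's decryption key recovers $s$. Assumptions: all function names are hypothetical, the parameters are constructed toy values, the group is a plain prime-order subgroup with no pairing (so public verification is omitted), and only functionality is checked, not the output distribution or the virtual black-box property.

```python
import hashlib, math, secrets

# Constructed toy parameters: far too small for real use, and no pairing.
P, Q = 2039, 1019                # squares mod P form a group of prime order Q
P1, P2 = 10007, 10009            # Bob's Paillier primes (his private key)
N, PHI = P1 * P2, (P1 - 1) * (P2 - 1)
N2 = N * N                       # N > Q*Q, so r*r' never wraps modulo N

def H(m):
    """Hash into the order-Q subgroup (stand-in for the random oracle H)."""
    h = int.from_bytes(hashlib.sha256(m).digest(), "big") % (P - 3) + 2
    return h * h % P

def enc(x):
    """Paillier encryption of x under Bob's public key N."""
    rho = 0
    while math.gcd(rho, N) != 1:
        rho = secrets.randbelow(N)
    return (1 + x * N) * pow(rho, N, N2) % N2

def dec(c):
    """Paillier decryption using Bob's private value PHI."""
    return (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N

def encrypted_sign(s, m):
    """Original program: holds Alice's signing key s in the clear."""
    r = 1 + secrets.randbelow(Q - 1)          # uniform in [1, Q-1]
    return enc(r), pow(H(m), s * r % Q, P)    # (c, sigma^r)

def obfuscate(s):
    """Run once by Alice: stored state is only c = Enc(r) and s' = s*r mod q."""
    r = 1 + secrets.randbelow(Q - 1)
    return enc(r), s * r % Q

def obfuscated_sign(obf, m):
    """Obfuscated program: works from (c, s') and fresh randomness r'."""
    c, s1 = obf
    r2 = 1 + secrets.randbelow(Q - 1)
    c2 = pow(c, r2, N2) * enc(0) % N2         # Enc(r*r'), then rerandomized
    return c2, pow(H(m), s1 * r2 % Q, P)      # (c', sigma^(r*r'))

def open_signature(c, blinded):
    """Bob: decrypt the blinding factor, reduce mod q, and strip it."""
    return pow(blinded, pow(dec(c) % Q, -1, Q), P)

def recover_key(obf):
    """Slide caveat: with Bob's decryption key, (c, s') gives back s."""
    c, s1 = obf
    return s1 * pow(dec(c) % Q, -1, Q) % Q
```

Because `recover_key` succeeds, the stored pair $(c, s')$ is only as safe as Bob's decryption key, which is the limitation listed under "Attack we cannot prevent".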