Oblivious Signature-Based Envelope scheme (OSBE) Presented By: - PowerPoint PPT Presentation

Oblivious Signature-Based Envelope scheme (OSBE) Presented By: Khaled Rabieh Supervisor: Dr. Mohamed Mahmoud

Outline - What is Oblivious Signature-Based Envelope (OSBE)? - Applications - cryptosystem - Analysis 2

Problem Formulation - Alice and Bob need to communicate based on some attributes on their certificates. - They should exchange certificates - However, revealing some attributes in the certificate are sensitive such as top-secret clearance. Alice Bob Bob’s certificate Alice’s certificate Secure session 3

Oblivious Signature-Based Envelope - Alice can prove to Bob that it has a third party signature on m without revealing the signature to Bob Bob Alice m = I am an FBI Agent If you are FBI, decrypt this packet Enc(P) Bob can prove to Alice that he has a signature on m if he recovers P 4

Applications - Online Publishing library - OSBE enables users to gain access without disclosing which organizations they are members of. (Privacy preserving) Request for docs with out sending the certificate, Encrypted envelope that contains a certain message The user can recover the message if he has a valid certificate 5

OSBE based on RSA signature RSA Signature Choose p, q are two large random prime numbers • Compute n = p*q • Compute Φ (n) = (p-1) * (q-1) • Choose two random numbers e,d such that ed=1 mod Φ( n) • Public key is (e, n) • Private key is d • Signature is SIG(m) = δ = H(m) d • Verification (m, δ ) • Check if H(m) = δ e (mod n) = H(m) de =H(m) • 6

OSBE based on RSA signature  Party R1 needs to prove to S that he has a valid third party signature on a known message M R1 S 7

OSBE based on RSA signature Signature h = H(m) signature blinded with random secret X and y are random numbers Symmetric key 8

OSBE based on RSA signature h de =h RSA decryption Diffie-Hellman base 9

Analysis OSBE based on RSA signature  S can not extract the signature of R1 because it is blinded by h x .  S can be sure that R1 indeed has the signature if R1 decrypts Enc(P)  R1 proves to S that he has a valid signature though not revealing his sensitive attributes in his certificate. 10

Performance Analysis R1 needs 1 multiplication and 1 exponentiation to generate S needs 2 multiplications and 2 exponentiations to generate R1 needs 1 exponentiation operation to generate 11

Questions

OSBE based on BLS signatures  BLS signatures  There exists one multiplicative group G1 with generator g  There exists a bilinear map e such that e(G1,G1) =G2  Choose a random element x belongs to Z * p .  The public key is h=g x and x is a private key.  A hash function H that maps from {0,1}* to G1  To sign a message m, the signature δ = H(m) x  To verify a signature, check if e(g, δ ) == e(h,H(m)) 13

OSBE based on BLS signatures  A message P is encrypted using H(M)  Only the one who has the private key H(M) s decrypts the message P A signature proof 14