oblivious signature based envelope n.
Skip this Video
Loading SlideShow in 5 Seconds..
Oblivious Signature Based Envelope PowerPoint Presentation
Download Presentation
Oblivious Signature Based Envelope

Loading in 2 Seconds...

play fullscreen
1 / 15

Oblivious Signature Based Envelope - PowerPoint PPT Presentation

  • Uploaded on

Oblivious Signature Based Envelope. Speaker:Jun-Ting Lai Date:2010/04/15. Ninghui Li,Wenliang Du, and Dan Boneh. In Proceedings of the 22nd ACM Symposium on Principles of Distributed Computing (PODC 2003). ACM Press, July 2003. Outline. Introduction

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Oblivious Signature Based Envelope' - lorna

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
oblivious signature based envelope

Oblivious Signature BasedEnvelope

Speaker:Jun-Ting Lai


Ninghui Li,Wenliang Du, and Dan Boneh. In Proceedings

of the 22nd ACM Symposium on Principles of Distributed Computing (PODC 2003). ACM Press, July 2003.

  • Introduction
  • Other Applications And Related Concepts Of OSBE
  • Oblivious Signature Based Envelope(OSBE): Definition
  • One round OSBE Using Identity Based Encryption
  • Conclusion
  • Exchanging digitally signed certificates is an increasingly popular approach for authentication and authorization in distributed systems.
  • ATN protocols would conclude negotiation failure, because there is cyclic interdependency between two negotiators’ AC policies.
2 party secure function evaluation sfe problem
2-party Secure Function Evaluation(SFE) problem
  • The function F is defined as follows.


  • In other words, our goal is that Alice learns nothing and Bob learns without learning anything else.
other applications and related concepts of osbe
Other Applications And RelatedConcepts Of OSBE
  • OSBE scheme enables the sender to send a message with the assurance that it can be seen only by the receiver if it has appropriate certificates while at the same time protecting the receiver’s privacy such that the sender does not know whether the receiver has the required certificates or not.
  • OSBE might also be used in the context of Private Information Retrieval (PIR) to provide access control on the information being retrieved.
between osbe and fes of difference
Between OSBE and FES of Difference
  • First, the signatures involved in OSBE are not generated by the two parties involved in the protocols, but rather generated by certification authorities before the OSBE protocol is used.
  • Second, in FES protocols, at some stage, one party learns that the other party has a signature without obtaining that signature. This does not satisfy the security requirements of OSBE. Because of the above two reasons, FES protocols cannot be used directly to achieve OSBE.
  • Third, OSBE does not require a fair exchange of signatures.
oblivious signature based envelope osbe definition
Oblivious Signature Based Envelope(OSBE): Definition
  • An Oblivious Signature-Based Envelope (OSBE) scheme is parameterized by a signature scheme Sig. It involves a sender S and two receivers R1 and R2. An OSBE scheme has the following three phases:
    • Setup
    • Interaction
    • Open
three phases
Three phases
  • Setup: The Setup algorithm takes a security parameter and createssystem parameters, which include a signing key whose public key is denoted by . Two messages and are chosen. and are given to all three parties, namely, and . In addition, the sender S is given and the receiver is given the signature .
  • Interaction: One of R1 and R2 is chosen as R, without S knowing which one. S and R run an interactive protocol.
  • Open: After the interaction phase, if , i.e., was chosen in the interaction phase, outputs the message .

( can do that because it knows .)

Otherwise , when ,R does nothing.


three properties
Three properties
  • Sound
  • Oblivious
  • semantically secure against the receiver
an osbe scheme for rsa signatures
  • The key space is defined to be the following set:
  • { ,equal size primes, }
  • The values and are public, and the value is secret . For , message , and a message digest function , define


three phases1
Three phases
  • Setup:The setup algorithm takes a security parameter and runs the RSA key generation algorithm to create an RSA key ; in addition, it generates two security parameters and , which are linear in . In practice, suffices. Two messages and are chosen. Party S is given , , and . Party R1 is given , , and

. Party R2 is given and .

three phases 2 2
Three phases(2/2)
  • Interaction:
    • sends to , in which .
    • sends to , in which .
    • receives , checks that , picks

, computes and then sends to the pair: .

  • Open: receives from the interaction phase; it computes , and decrypts C using .
one round osbe using identity based encryption 1 2
One round OSBE Using Identity Based Encryption(1/2)
  • Setup: Let and be two messagesand let be the IBE private key correspondingto when is viewed as a public key. The sender isgiven and . The receiver is given.
  • Interaction: The sender wants to send to the receiver so that thereceiver can only obtain if she has the signature on.The sender encrypts using as an IBE public keyand sends the resulting ciphertext to the receiver.
one round osbe using identity based encryption 2 2
One round OSBE Using Identity Based Encryption(2/2)
  • Open:
    • The receiver, using the private key can decrypt to obtain .
  • We introduced oblivious signature-based envelope (OSBE) as a solution to the SFE problem and mentioned that OSBE can be used in other privacy sensitive applications as well.
  • An open problem is to find an efficient and provably secure OSBE scheme for DSA signatures. We are also investigating other applications of the OSBE concept.