New Approaches to Deniable Authentication

1
New Approaches to Deniable Authentication

• Presented By
• KRISHNA KUMAR NAGAR
• 12/03/07

2
Deniable Authentication

• Alice sends a message to Bob then it is said to
  be deniable if the mutual confidence is
  maintained but cant be proved to third party
  that the communication ever took place.
• Finds application in electronic voting system,
  e-commerce etc.

3
CCA

• A chosen-ciphertext attack (CCA) is an attack
  model for cryptanalysis in which the cryptanalyst
  chooses a ciphertext and causes it to be
  decrypted with an unknown key.

4
Traditional Approaches

• Bob using Alice's public key encrypts a random
  key. Alice decrypts it MACs the message to Bob.
• Ring Signatures
• Designated Verifier Proofs
• Deniable Ring Signatures
• All these are CCA secure encryption based

5
Ring Signature

• Ring Signature is a type of digital signature
  that can be performed by any member of a group of
  users that each have keys. Therefore, a message
  signed with a ring signature is endorsed by
  someone in a particular group of people. One of
  the security properties of a ring signature is
  that it should be difficult to determine which of
  the group members' keys was used to produce the
  signature.

6
Other Approaches

• Deniable Ring Signature Combines the
  encryption-based approach and Ring Signatures.
  One member of a group can sign a message in a
  deniable way towards a receiver that is not
  required to have a public key.
• Designated Verifier Proofs permit to create
  signatures that convince only the intended
  recipient using his public key.

7
Short Coming!!!

• What if Alice preserves the information and
  reveals it to the third party?
• Can be proved that communication between Alice
  and Bob took place
• Authentication thus is not deniable

8
Model

• Based on modular approach introduced by Bellare
  et al
• Two kinds of networks
• Authenticated Network
• Unauthenticated network
• Modularity obtained by using Authenticators
• Authenticators make the protocols for
  authenticated networks compatible with
  unauthenticated networks

9
Basic Terms

• Message Driven Protocols p
• The Authentication Link Model AM
• The Unauthenticated Links Model UM
• Emulation of Protocols
• Compiler
• Authenticator
• Forward Deniability

10
Definitions

• A message-driven protocol is an iterative
  process that is initially invoked by a party with
  some initial state that includes the protocols
  input, randomness and the partys identity.
• In the authenticated-links model, A is restricted
  to delivering messages faithfully. But, A can
  change the order of delivery and can choose to
  not deliver at all some messages.

11
Definitions

• Unauthenticated Links Model
• The adversary U can activate parties with
  arbitrary incoming messages. Protocol p is
  augmented with an initialization function I that
  models an initial phase out-of-band and
  authenticated information exchange between the
  parties.

12
Definitions

• Emulation of protocols
• When we say that a protocol p in the
  unauthenticated-links model emulates a protocol p
  in the authenticated-link model we want to
  capture the idea that running p in an
  unauthenticated network has the same effect as
  running p in an authenticated network.

13
More Definitions

• Compilers
• A compiler C is an algorithm that takes for
  input descriptions of protocols and outputs
  descriptions of protocols.
• Authenticator
• An authenticator is a compiler C where for any
  protocol p, the protocol C(p) emulates p in
  unauthenticated networks.

14
More Definitions

• An MT-authenticator l is deniable if for any
  receiver B, there exists a simulator Sl(B) that
  given a message m sent by a party A to B produces
  a transcript of a session of l for m that is
  indistinguishable from a real one.
• Forward Deniability Sender can not prove his act.

15
Flavors of Deniable Authentication

• Zero-knowledge protocol is an interactive method
  for one party to prove to another that a (usually
  mathematical) statement is true, without
  revealing anything other than the veracity of the
  statement.
• A deniable authenticator is perfectly or
  statistically zero-knowledge if the real and
  simulated transcripts follow distributions which
  are either identical or statistically close.
• A deniable authenticator is computational
  zero-knowledge if the real and simulated
  transcripts follow distributions which are
  computationally indistinguishable

16
Trapdoor Commitment Schemes

• Commitment Sealed Envelope
• Trapdoor Commitment Scheme- Equivocating
  commitments
• Commitments can be opened using trapdoors BUT
  Trapdoors should be hard to compute.

17
Commitments

• Informally, commitment schemes can be described
  by lockable steely boxes. In the commitment
  phase, the sender puts a message into the box,
  locks the box and hands it over to the receiver.
  On one hand, the receiver does not learn anything
  about the message. On the other hand, the sender
  cannot change the message in the box anymore. In
  the decommitment phase the sender gives the
  receiver the key, and the receiver then opens the
  box and retrieves the message.

18
Trapdoor Commitment

• A Trapdoor commitment is a box with a tiny secret
  door. If someone knows the secret door, then this
  person is still able to change the committed
  message in the box, even after the commitment
  phase.
• Such trapdoors turn out to be very useful for the
  design of secure cryptographic protocols
  involving commitment schemes.

19
MT-Authentication using Multi-trapdoor
Commitment Schemes

• Adaptive
• Multi-trapdoor Commitment Scheme

20
Multi-Trapdoor Scheme

• Includes a family of TCS
• Versions of MTC
• Adaptive
• Static
• There is a Binding game where the adversary must
  choose the public keys to use with the oracle
  before seeing the master public key PK.

21
Security Properties of AMTC

• Information Theoretic Security For every message
  pair (M,M) the distributions of the commitments
  C(M) and C(M) are statistically close.
• AMTC Secure Binding Adversary A should not be
  able to equivocate a commitment using public key
  pk.

22
Adaptive Multi-TrapdoorCommitment (AMTC) Scheme

• Consists of five randomized algorithms
• CKG is the master key generation algorithm.
• Sel is the algorithm that selects a particular
  scheme in the family.
• Tkg is the algorithm that generates the
  trapdoors.
• Com is the commitment algorithm.
• Equiv is the algorithm that opens a commitment in
  any possible way given an original opening and
  the trapdoor.

23
AMTC-based MT-Authenticator lAMTC

• Master key generation algorithm CKG is invoked
  using initialization function I of protocol lATMC
  obtaining the pair (PKi,TKi).
• Public key of Pi is PKi (PKi,Hi)
• Secret key is the master trapdoor key TKi
• Public Information I0 PK1, PK2, ..,PKi
• Invokes a sub protocol

24
Protocol
25
Theorem

• If the underlying commitment scheme is an AMTC,
  then protocol lAMTC emulates protocol MT in
  unauthenticated networks.
• We need to show that all the things that an
  adversary can do against in an unauthenticated
  lAMTC can be done against the simple protocol mt
  in a hypothetical authenticated environment.

26
Proof

• A invokes the initialization function I of lAMTC.
• When U activates some imitated party A for
  sending a message m to imitated party B,
  adversary A activates the dual party A in the
  authenticated network to send m to B.
• A continues the interaction between U and the
  imitated parties running lAMTC.
• A outputs whatever U outputs.

27
Deniability???

• Protocol lAMTC is deniable only for an honest
  receiver.
• If receiver is honest then simulator can
• compute the public key pk associated to the
  particular commitment scheme
• choose at random the challenge string c and the
  randomness r and
• compute the commitment.
• What if receiver is dishonest
• B could compute c hash(C) for some complicated
  hash function hash after seeing the original
  commitment C.

28
Modification
29
How???

• The public key of A contains the public key t for
  a regular trapdoor commitment scheme. B uses t to
  commit to the challenge in advance.
• Protocol is a forward deniable
  authenticator if used sequentially.

30
MT-Authentication using Multi-trapdoor
Commitment Schemes

• A DDH-based
• MT-Authenticator

31
Number Theory

• Gq - cyclic group of prime order q
• Decisional Diffie-Hellman (DDH) Assumption holds
  in Gq
• Computationally Indistinguishable Distributions
• Hash Functions
• Universal One-way hash functions (UOWHFs)
• Smooth hash functions

32
DDH-based MT-authenticator lDDH

• Initialization function I invoked using group Gq
  and of the generators g1, g2
• Pair (PK, SK) generated at the end of
  initialization phase
• Public key of Pi PKi (c, d,H,H)
• Secret Key SKi (x1, x2, y1, y2)
• When lDDH activated within party Pi and with
  external request to send message m to party Pj,
  sub-protocol invoked between Pi and Pj

33
Protocol
34
Describing DDH.

• Assume that the DDH assumption holds on the group
  Gq then protocol lDDH emulates protocol MT in
  unauthenticated networks.
• Suppose that (g1, g2, u1, u2 ) belongs to
  Random. Then, the distinguisher D outputs DDH
  with probability equal to 1/2 plus a negligible
  quantity.
• Even after presenting challengem, u1 , u2 , h1
  to U, A answers invalid challenges only with
  negligible probability.

35
Deniability???

• lDDH deniable in case of honest receiver
• When the dishonest simulator sends a
  challengem, u1, u2, h1, simulation of the
  answer h2 is not possible.
• A challenge-response mechanism introduced where A
  commits to the answer h2 and reveals it only
  after B shows that he knows h2 as well.

36
Protocol
37
How???

• As public key includes an unconditionally
  binding commitment scheme COM.
• A commitment scheme that can be opened in only
  one way even if you have infinite computing
  power, but on the other hand its secrecy is
  computational.
• Protocol Den- lDDH is forward deniable
  authenticator if used sequentially.

38
Conclusion

• Previous schemes for deniable authentication were
  not actually deniable and were CCA based.
• Two New Schemes
• AMTC Based
• DDH Based
• Both proved to be deniable and forward deniable
  too.
• Efficient and Secure.

39

• ?