Trapdoor Commitment Schemes

New Approaches to Deniable
Authentication
Presented By
KRISHNA KUMAR NAGAR
12/03/07
Deniable Authentication
 When Alice sends a message to Bob, the
authentication is said to be deniable if mutual
confidence is maintained but it cannot be proved
to a third party that the communication ever
took place.
 Finds application in electronic voting systems,
e-commerce, etc.
CCA
 A chosen-ciphertext attack (CCA) is an
attack model for cryptanalysis in which the
cryptanalyst chooses a ciphertext and causes
it to be decrypted with an unknown key.
Traditional Approaches
 Bob encrypts a random key using Alice's
public key. Alice decrypts it and MACs the
message to Bob.
 Ring Signatures
 Designated Verifier Proofs
 Deniable Ring Signatures
 All of these are based on CCA-secure encryption.
Ring Signature
 Ring Signature is a type of digital signature
that can be performed by any member of a
group of users that each have keys.
Therefore, a message signed with a ring
signature is endorsed by someone in a
particular group of people. One of the security
properties of a ring signature is that it should
be difficult to determine which of the group
members' keys was used to produce the
signature.
Other Approaches
 Deniable Ring Signature: Combines the
encryption-based approach and Ring
Signatures. One member of a group can sign
a message in a deniable way towards a
receiver that is not required to have a public
key.
 Designated Verifier Proofs make it possible to
create signatures that convince only the intended
recipient, using his public key.
Shortcoming!!!
 What if Alice preserves the information and
reveals it to the third party?
It can then be proved that communication
between Alice and Bob took place.
 Authentication is thus not deniable.

Model
 Based on the modular approach introduced by
Bellare et al.
 Two kinds of networks:
  - Authenticated network
  - Unauthenticated network
 Modularity is obtained by using ‘Authenticators’
 Authenticators make the protocols for
authenticated networks compatible with
unauthenticated networks
Basic Terms
 Message-Driven Protocols p
 The Authenticated-Links Model AM
 The Unauthenticated-Links Model UM
 Emulation of Protocols
 Compiler
 Authenticator
 Forward Deniability
Definitions
 A message-driven protocol is an iterative
process that is initially invoked by a party with
some initial state that includes the protocol’s
input, randomness and the party’s identity.
 In the authenticated-links model, the adversary
A is restricted to delivering messages faithfully.
However, A can change the order of delivery and
can choose not to deliver some messages at
all.
Definitions
 Unauthenticated Links Model:
The adversary U can activate parties with
arbitrary incoming messages. Protocol p is
augmented with an initialization function I that
models an initial phase of out-of-band,
authenticated information exchange between
the parties.
Definitions
 Emulation of protocols:
When we say that a protocol p' in the
unauthenticated-links model emulates a protocol p in
the authenticated-links model, we want to capture the
idea that "running p' in an unauthenticated network
has the same effect as running p in an authenticated
network".
More Definitions
 Compilers:
A compiler C is an algorithm that takes as
input descriptions of protocols and outputs
descriptions of protocols.
 Authenticator:
An authenticator is a compiler C where for
any protocol p, the protocol C(p) emulates p
in unauthenticated networks.
More Definitions
 An MT-authenticator λ is deniable if for any
receiver B, there exists a simulator S_λ(B) that,
given a message m sent by a party A to B,
produces a transcript of a session of λ for m
that is indistinguishable from a real one.
 Forward Deniability: The sender cannot prove
his act.
Flavors of Deniable Authentication
 A zero-knowledge protocol is an interactive method
for one party to prove to another that a (usually
mathematical) statement is true, without revealing
anything other than the veracity of the statement.
 A deniable authenticator is perfectly or statistically
zero-knowledge if the real and simulated transcripts
follow distributions which are either identical or
statistically close.
 A deniable authenticator is computational
zero-knowledge if the real and simulated transcripts
follow distributions which are computationally
indistinguishable.
Trapdoor Commitment Schemes
 Commitment: “Sealed Envelope”
 Trapdoor Commitment Scheme: equivocating
commitments.
Commitments can be opened using trapdoors,
BUT trapdoors should be hard to compute.
Commitments
 Informally, commitment schemes can be described
by lockable steely boxes. In the commitment phase,
the sender puts a message into the box, locks the
box and hands it over to the receiver. On one hand,
the receiver does not learn anything about the
message. On the other hand, the sender cannot
change the message in the box anymore. In the
decommitment phase the sender gives the receiver
the key, and the receiver then opens the box and
retrieves the message.
Trapdoor Commitment
 A Trapdoor commitment is a box with a tiny
secret door. If someone knows the secret
door, then this person is still able to change
the committed message in the box, even after
the commitment phase.
 Such trapdoors turn out to be very useful for
the design of secure cryptographic protocols
involving commitment schemes.
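The "secret door" can be made concrete with the Pedersen commitment, a standard trapdoor commitment scheme. This is an added example, not part of the original slides and not the multi-trapdoor scheme they go on to describe; the toy parameters and all function names are constructed for illustration.

```python
import secrets

# Toy parameters constructed for this example (far too small for real use):
# P = 2*Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (public key h, trapdoor x) with h = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x

def commit(h, m, r=None):
    """Commit to m in Z_q: C = g^m * h^r mod p. Returns (C, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, m % Q, P) * pow(h, r, P)) % P, r

def verify(h, c, m, r):
    """Check that (m, r) is a valid opening of commitment c."""
    return c == (pow(G, m % Q, P) * pow(h, r, P)) % P

def equivocate(x, m, r, m_new):
    """With trapdoor x, find r_new so the same C also opens to m_new.
    g^m h^r = g^m_new h^r_new  <=>  m + x*r = m_new + x*r_new (mod q)."""
    return (r + (m - m_new) * pow(x, -1, Q)) % Q

def simulate_opening(h, x, m_real):
    """Commit to a dummy value first and open to m_real afterwards,
    the way a simulator holding the trapdoor can."""
    c, r = commit(h, 0)
    return c, equivocate(x, 0, r, m_real)

if __name__ == "__main__":
    h, x = keygen()
    c, r = commit(h, 42)
    print("honest opening valid:", verify(h, c, 42, r))
    r2 = equivocate(x, 42, r, 777)
    print("same commitment opened to 777:", verify(h, c, 777, r2))
```

Without x, producing two valid openings of one commitment would reveal the discrete logarithm of h, which is why the trapdoor must be hard to compute.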
MT-Authentication using
Multi-trapdoor
Commitment Schemes
Adaptive
Multi-trapdoor Commitment Scheme
Multi-Trapdoor Scheme
 Includes a family of TCS
 Versions of MTC
  - Adaptive
  - Static
 There is a Binding game where the adversary
must choose the public keys to use with the
oracle before seeing the master public key
PK.
Security Properties of AMTC
 Information Theoretic Security: For every
message pair (M,M’) the distributions of the
commitments C(M) and C(M’) are statistically
close.
 AMTC Secure Binding: Adversary A should
not be able to equivocate a commitment
using public key pk.
Adaptive Multi-Trapdoor
Commitment (AMTC) Scheme
 Consists of five randomized algorithms:
  - CKG is the master key generation algorithm.
  - Sel is the algorithm that selects a particular
    scheme in the family.
  - Tkg is the algorithm that generates the
    trapdoors.
  - Com is the commitment algorithm.
  - Equiv is the algorithm that opens a
    commitment in any possible way given an
    original opening and the trapdoor.
AMTC-based MT-Authenticator:
λ_AMTC
 The master key generation algorithm CKG is
invoked using the initialization function I of
protocol λ_AMTC, obtaining the pair (PKi, TKi).
 Public key of Pi is PKi = (PKi, Hi)
 Secret key is the master trapdoor key TKi
 Public information I0 = PK1, PK2, ..., PKi
 Invokes a sub protocol
Protocol
Theorem
 If the underlying commitment scheme is an
AMTC, then protocol λ_AMTC emulates protocol
MT in unauthenticated networks.
 We need to show that everything an
adversary can do against λ_AMTC in an
unauthenticated network can also be done
against the simple protocol MT in a hypothetical
authenticated environment.
Proof
 A invokes the initialization function I of λ_AMTC.
 When U activates some imitated party A' for
sending a message m to imitated party B',
adversary A activates the dual party A in the
authenticated network to send m to B.
 A continues the interaction between U and
the imitated parties running λ_AMTC.
 A outputs whatever U outputs.
Deniability???
 Protocol λ_AMTC is deniable only for an honest receiver.
 If the receiver is honest, then the simulator can
  - compute the public key pk associated to the particular
    commitment scheme;
  - choose at random the challenge string c and the
    randomness r'; and
  - compute the commitment.
 What if the receiver is dishonest?
  - B could compute c = hash(C) for some complicated hash
    function hash after seeing the original commitment C.
Modification
How???
 The public key of A contains the public key t
for a regular trapdoor commitment scheme. B
uses t to commit to the challenge in advance.
 Protocol
is a forward deniable
authenticator if used sequentially.
MT-Authentication using
Multi-trapdoor
Commitment Schemes
A DDH-based
MT-Authenticator
Number Theory
 Gq - cyclic group of prime order q
 Decisional Diffie-Hellman (DDH) Assumption holds in
Gq
 Computationally Indistinguishable Distributions
 Hash Functions
  - Universal One-way hash functions (UOWHFs)
  - Smooth hash functions
DDH-based MT-authenticator λ_DDH
 Initialization function I is invoked using group Gq
and the generators g1, g2
 Pair (PK, SK) is generated at the end of the
initialization phase
 Public key of Pi = PKi = (c, d, H, H)
 Secret key = SKi = (x1, x2, y1, y2)
 When λ_DDH is activated within party Pi with an
external request to send message m to party
Pj, a sub-protocol is invoked between Pi
and Pj
Protocol
Describing DDH….
 If the DDH assumption holds on
the group Gq, then protocol λ_DDH emulates
protocol MT in unauthenticated networks.
 Suppose that (g1, g2, u*1, u*2) belongs to
Random. Then, the distinguisher D outputs
‘DDH’ with probability equal to 1/2 plus a
negligible quantity.
 Even after presenting ‘challenge: m, u1, u2,
h1’ to U, A answers invalid challenges only
with negligible probability.
Deniability???
 λ_DDH is deniable in the case of an honest receiver
 When the dishonest simulator sends a
‘challenge: m, u1, u2, h1’, simulation of the
answer h2 is not possible.
 A challenge-response mechanism is introduced
in which A commits to the answer h2 and
reveals it only after B shows that he knows h2
as well.
Protocol
How???
 A’s public key includes an unconditionally
binding commitment scheme COM.
 This is a commitment scheme that can be opened
in only one way even with infinite
computing power, while its
secrecy is computational.
 Protocol Den-λ_DDH is a forward deniable
authenticator if used sequentially.
Conclusion
 Previous schemes for deniable authentication
were not actually deniable and were CCA
based.
 Two New Schemes
  - AMTC Based
  - DDH Based
 Both proved to be deniable and forward
deniable too.
 Efficient and Secure.