1
Deniable Ring Authentication
Moni Naor
Weizmann Institute of Science
2
Authentication
One of the fundamental tasks of cryptography
• Alice (sender) wants to send a message m to Bob (receiver).
• They want to prevent Eve from interfering
– Bob should be sure that the message he receives is the message m Alice sent.
[Diagram: Alice, Bob, Eve]
3
Is authentication transferable?
• Shared key authentication: non-transferable
• except in a limited sense.
• Key idea of modern cryptography (Diffie and Hellman): can make authentication (signatures) transferable to third party - Non-repudiation.
– Essential to contract signing, e-commerce…
Digital Signatures: last 25 years major effort in
– Research
• Notions of security
• Computationally efficient constructions
– Technology, Infrastructure, Commerce, Legal
4
Is non-repudiation always desirable?
Not necessarily so:
• Privacy of conversation, no (verifiable) record.
– Do you want everything you ever said to be held against you?
• Bob pays for the authentication, shouldn't be able to transfer it for free
• Perhaps can gain efficiency
In this talk - merge two approaches for privacy
• Deniable Authentication
• Ring Authentication
5
Talk
• Authentication
– Traditional
– Deniable
– Ring
• Some Old Protocols:
– Interactive Authentication (Dwork, Dolev, Naor)
– Deniable Authentication (Dwork, Naor, Sahai)
• Some New Ones:
– Deniable Ring Authentication
– Threshold scheme
– Dealing with Big Brother
6
Deniable Authentication
Want to come up with a (perhaps interactive) authentication scheme such that the receiver keeps no receipt of conversation. This means:
• Any receiver could have generated the conversation itself.
– There is a simulator that for any message m and verifier V* generates an indistinguishable conversation.
– Similar to Zero-Knowledge!
– An example where zero-knowledge is the ends, not the means!
Proof of security consists of Unforgeability and Deniability
7
Ring Signatures and Authentication
Can we keep the sender anonymous?
Idea: prove that the signer is a member of an ad hoc set
– Other members do not cooperate
– Use their `regular’ public-keys
• Signature keys [RST], Encryption [This Talk]
– Should be indistinguishable which member of the set is actually doing the authentication
[Diagram: Bob, Alice??, Eve]
8
Related Notions
Deniability has many meanings…
• Undeniable signatures (Chaum and van Antwerpen 89, GKR)
– Chameleon signatures (Krawczyk and Rabin 98).
• Group signatures
The signature is intended for ultimate adjudication by a third party (judge).
– Not deniable if secret keys are revealed!
• Designated verifier proofs
• Ring Signatures [RST] ad hoc sets (users choose their keys)
9
Ring Signatures [RST]
Rivest, Shamir and Tauman proposed Ring Signatures:
• Signature on message m by a member of an ad hoc set of participants
– Using existing Infrastructure for signatures
• For a generated signature the source is (statistically) indistinguishable
• Non-repudiation - recipient can convince a third party of the authenticity of a signature
• Non-interactive - single round
• Efficient - if underlying signature is low exponent RSA/Rabin
– Need Ideal Cipher for combining function
10
Deniable Ring Authentication
Want the properties of Ring Signatures but
• With deniability - no third party authentication
– Willing to trade with interaction - essential without model changes
• Use Public Encryption Keys
• Some of the keys may be badly formed
Unforgeability and Deniability - as before plus Source Hiding:
– For any verifier, for any arbitrary set of keys, some good some bad, the source is computationally indistinguishable among the good keys
11
Security of Authentication Schemes
The Goldwasser-Micali-Rivest classification of signature schemes can be applied to interactive authentication schemes:
The classification is according to:
• Attacks
• What it means to break
Strongest type: Existentially unforgeable against adaptive chosen message attack
– Adversary can choose any sequence of messages m1, m2 … and receive an authentication on them.
If he then succeeds in convincing an honest verifier that some m’ not in m1, m2 … then he has broken the system
12
Ring Authentication Setting
• A ring is an arbitrary set of participants including the authenticator
• Each member i of the ring has a public key E_i.
– Generated according to some protocol
– Good players follow it, bad ones the adversary fixes.
– Example: signature, Encryption
• To run a ring authentication protocol both sides need to know E_1, E_2, …, E_n - the public key of the ring members
...
13
Deniable Ring Authentication
Completeness: for any good sender and receiver possible to complete the authentication on any message
Unforgeability: Existentially unforgeable against adaptive chosen message attack
Deniability:
– For any verifier, for any arbitrary set of keys, some good some bad, there is a simulator that can generate indistinguishable conversations.
Source Hiding:
– For any verifier, for any arbitrary set of keys, some good some bad, the source is computationally indistinguishable among the good keys
Source Hiding and Deniability – incomparable
14
The Protocols
• Some background Protocols
• Main Protocol for deniable ring authentication
• Extended Protocol for Threshold Schemes
• A protocol for deniable ring authentication in the presence of big brother
All the protocols are based on encryption
15
Encryption
• Assume an encryption scheme E
• Public key K – knowing K can encrypt message m
– generate Y=E_K(m)
– With corresponding secret key, given Y can retrieve m
• Process is probabilistic: to generate E_K(m) choose random string
16
A Public Key Authentication Protocol
[DDN,DN]
P has a public key K of an encryption scheme E.
To authenticate a message m:
• V P : Choose r {0,1}^n. Send E_K(m r)
• P V : Verify that prefix of plaintext is m. If yes - send r.
Is it Unforgeable? Is it Deniable?
17
Encryption: attacks and security
• Non-malleable security - whatever is computable in an encrypted form about the plaintext given the ciphertext is computable without it.
• Chosen ciphertext attacks - the post-processing mode:
– Adversary has access to decryption box. Challenge ciphertext is known when the attack takes place (but cannot submit it...).
• Strongest type of cryptosystem (?):
– non-malleable against chosen ciphertext attacks in the post-processing mode. (Non-Malleable and Semantic Security are equivalent under this attack).
18
Encryption: Implementation
• Under any trapdoor permutation - rather inefficient [DDN].
• Cramer & Shoup: Under the Decisional DH assumption
– Requires a few exponentiations.
• With Random Oracles: several proposals
– RSA with OAEP - same complexity as vanilla RSA [Crypto’2001]
– Can use low exponent RSA/Rabin
• With additional Interaction: J. Katz’s non malleable POKS?
19
Security of the scheme
Unforgeability: depends on the strength of E_K.
• Sensitive to malleability:
– if given E_K(m r) can generate E_K(m’ r) - can forge messages.
• The protocol allows a chosen ciphertext attack on E_K.
– Even of the post-processing kind!
• Can prove that any strategy for existential forgery can be translated into a CCA strategy on E
• Works even against concurrent executions.
Deniability: does V retain a receipt??
– It is for honest V
– Need to prove knowledge of r
20
Regular Commitments
[Diagram: Sender, Receiver, X; Commit Phase, Reveal Phase]
Receiver can verify X
Sender is bound to X
21
Encryption as Commitment
When the public key K is fixed and known E_K(x) can be seen as commitment to x
To open x: reveal , the random bits used to generate E_K(x).
Perfect binding: from unique decryption
For any Y there are no two different x and x’ and and ’ s.t.
Y = E_K(x,) = E_K(x’ ,’)
Secrecy: no information about x leaked to those not knowing private key corresponding to L
Insecure for others
22
Concurrency
Whether protocols remain secure when executed concurrently:
– No online coordination between the good guys
– Adversary controls schedule
Is a major issue
Solutions:
– Timing
– Added rounds
– Non black-box?
– Shared random string
23
Fiat-Shamir Heuristic
Remove interaction by oracles
• Can convert a public coin identification protocol into a signature scheme using random oracles
• Can such a protocol be converted into a signature scheme?
24
Deniable Protocol [DNS]
P has a public key K of an encryption scheme E.
To authenticate message m:
• V P: Choose r {0,1}^n. Send E_K(m r) - random bits used secret
• P V: Send E_K(r) - random bits used secret
• V P: Send r and - opening E_K(m r)
• P V: Open E_K(r) by sending .
25
Security of the scheme
Unforgeability: as before - depends on the strength of E_K
can simulate previous scheme (with access to D_K)
Important property: E_K(r) is a non-malleable commitment (wrt the encryption) to r (need unique opening).
Deniability: can run simulator `as usual’:
• Extract r by running with E(r’) and rewinding
• Expected polynomial time
• Need the semantic security of E - it acts as a commitment scheme
26
Ring Signatures and Authentication
Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set
– Other members do not cooperate
– Use their `regular’ public-keys
• Encryption [This Talk]
– Should be indistinguishable which member of the set is actually doing the authentication
[Diagram: Bob, Alice?, Eve]
27
Ring Authentication Setting
• A ring is an arbitrary set of participants including the authenticator
• Each member i of the ring has a public encryption key E_i.
– Everyone that knows E_i can encrypt a message m and send E_i(m).
– Only i, that knows the secret key of E_i, can decrypt E_i(m)
• To run a ring authentication protocol both sides need to know E_1, E_2, …, E_n - the public key of the ring members
...
28
A not so good Ring Authentication Protocol
Ring has public keys K_1, K_2, …, K_n of an encryption scheme
To authenticate message m with jth decryption key:
• V P: Choose r {0,1}^n. Send E_K1(m r), E_K2(m r), … E_Kn(m r) - random bits used i
• P V: Decrypt E_Kj(m r) and Send E_K1(r), E_K2(r), …, E_Kn(r) - random bits used i
• V P: Send r and i - opening E_Ki(m r)
• P V: Verify consistency and open all E_Ki(r) by revealing i.
Problem: what if not all suffixes (r‘s) are equal
29
The Ring Authentication Protocol
Ring has public keys K_1, K_2, …, K_n of an encryption scheme
To authenticate message m with jth decryption key:
• V P: Choose r {0,1}^n. Send E_K1(m r), E_K2(m r), … E_Kn(m r) - random bits used i
• P V: Decrypt E_Kj(m r) and Send E_K1(r_1), E_K2(r_2), …, E_Kn(r_n) where r_1 + r_2 …+ r_n = r
• V P: Send r and i - opening E_Ki(m r)
• P V: Verify consistency and open all E_Ki(r_i) by revealing i
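The four messages of the ring protocol above, run end to end as an added Python example (not code from the talk); opening a ciphertext by revealing its random bits is the "Encryption as Commitment" idea from the earlier slide. Assumptions: a toy hashed-ElGamal scheme stands in for E and is not non-malleable, + on {0,1}^n is taken to be XOR, and the names `ring_authenticate`, `cheat`, `coins` and `sigma` are hypothetical.

```python
import hashlib, secrets
from functools import reduce

# Toy hashed-ElGamal standing in for E (assumption: demo only, it is NOT
# the non-malleable, CCA-secure scheme the slides require).
P, G, N = 2**127 - 1, 3, 16      # toy prime modulus, base, byte length of r

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad(shared, n):
    return hashlib.shake_256(str(shared).encode()).digest(n)

def enc(pk, msg, rho):
    # E_K(msg; rho): deterministic once rho is fixed, so revealing rho opens it
    return pow(G, rho, P), xor(msg, pad(pow(pk, rho, P), len(msg)))

def dec(sk, ct):
    return xor(ct[1], pad(pow(ct[0], sk, P), len(ct[1])))

def coins(n):
    return [secrets.randbelow(P - 2) + 1 for _ in range(n)]

def ring_authenticate(pks, j, sk_j, m, cheat=False):
    """Run the four messages; True if V accepts, False if P aborts."""
    n = len(pks)
    # Step 1, V: E_Ki(m || r) under every ring key
    r, rho = secrets.token_bytes(N), coins(n)
    c = [enc(pk, m + r, rh) for pk, rh in zip(pks, rho)]
    if cheat:  # dishonest V hides a different suffix under key 0
        c[0] = enc(pks[0], m + secrets.token_bytes(N), rho[0])
    # Step 2, P: decrypt with key j, split r into XOR shares, commit to each
    plain = dec(sk_j, c[j])
    if plain[:len(m)] != m:
        return False
    shares = [secrets.token_bytes(N) for _ in range(n - 1)]
    shares.append(reduce(xor, shares, plain[len(m):]))
    sigma = coins(n)
    d = [enc(pk, s, sg) for pk, s, sg in zip(pks, shares, sigma)]
    # Step 3, V reveals r and every rho_i; P re-encrypts to check consistency
    if any(enc(pk, m + r, rh) != ci for pk, rh, ci in zip(pks, rho, c)):
        return False  # some ciphertext was not E_Ki(m || r): open nothing
    # Step 4, P reveals shares and sigma_i; V checks openings and the sum
    opens = zip(pks, shares, sigma, d)
    return reduce(xor, shares) == r and all(enc(k, s, g) == x for k, s, g, x in opens)
```

With `cheat=True` the prover aborts at step 3 whichever key it holds, so the verifier never sees an opened share.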
30
Security of the scheme
Unforgeability: as before (assuming all keys are well chosen) since E_K1(r_1), E_K2(r_2), …, E_Kn(r_n) is a non-malleable commitment to r
Source Hiding: which key was used (among well chosen keys) is
– Computationally indistinguishable during protocol
– Statistically indistinguishable after protocol
Deniability: Can run simulator `as before’:
• Semantic security of one of the E_i‘s - is sufficient that E_K1(r_1), …, acts as a commitment scheme
31
Comparison with Ring Signatures [RST]
Disadvantages
• Ours requires interaction
– But stronger notion of deniability
• Communication proportional to ring (subset) size (as compared to single element)
Advantages
• Works with any (strong enough) encryption
– unwilling participants cannot avoid it if they want good encryption
• Provable in the `real’ world
– no random oracles or ideal ciphers
– No additional primitives
• Extensions to threshold
• Assuming random oracles - comparable to RST (up to multiplicative factors)
32
Extension: Threshold and Other Access Structures
Instead of convincing a verifier that a single member of the ad hoc subset confirms the message want:
– At least k members
– More complex access structures
Can use secret sharing (for any access structure) without any member revealing their keys
Idea: split r according to the shares
33
Extended Protocol
Ring has public keys K_1, K_2, …, K_n
To authenticate message m with subset T of decryption keys:
• V P : Choose r {0,1}^n and split into shares x_1, x_2, … x_n
Send E_K1(m x_1), …, E_Kn(m x_n)
• P V : For each jT decrypt E_Kj(m x_j) and reconstruct r
Send E_K1(r_1), E_K2(r_2), …, E_Kn(r_n) where r_1 + r_2 …+ r_n = r
• V P: Send r and i for all i{1..n} - opening E_Ki(m x_i)
• P V: Verify consistency of all x_i and open all E_Ki(r_i).
34
Deniable Ring Authentication in the Presence of Big Brother
Suppose that the adversary knows the private keys of all users
Then the protocol is not source hiding anymore:
In Step 1 can encrypt different r’s and read them out in step 2
Why would they be known:
– Identity Based Encryption
– Revocation Schemes
– Subset cover protocols.
• Enables covering any subsets by a relatively small number of keys!
Idea: use regular commitment W protocol and add a proof of knowledge to obtain non-malleability
35
In the Presence of Big Brother
Subset has public keys K_1, K_2, …, K_n
To authenticate message m with jth decryption key:
• V P : Choose r {0,1}^n and Send E_K1(m r), …, E_Kn(m r)
• P V : Decrypt E_Kj(m r) and reconstruct r and choose
(r^0_1, r^1_1), (r^0_2, r^1_2), …, (r^0_m, r^1_m) s.t. r = r^0_i + r^1_i
Send (W(r^0_1), W(r^1_1)), (W(r^0_2), W(r^1_2)), …, (W(r^0_m), W(r^1_m))
• V P: Choose m random bits b_1, b_2, …, b_m
• P V : Open W(r^b1_1), W(r^b2_2), …, W(r^bm_m)
• V P: Verify the opening. Open E_K1(m r), …, E_Kn(m r)
• P V: Verify consistency of E_Ki(m r) and open the remaining W(r_i).
36
Open Problems
• What is the communication complexity required of deniable authentication? Is it possible to exchange o(|S|) bits (if the set is known)?
– Low Communication is possible in principle
• Is source hiding alone easier than deniability
– Is it possible in the shared key world (at reasonable costs)?
• What is the precise security requirement from E in the main protocol?
– Katz’s NM POK
• In the access scheme is it possible for the members to be mutually untrusting wrt deniability
• Where is the border between possible and impossible in deniability
• Fiat-Shamir heuristics
• Social/legal implication to PKI?
37
Concurrency in Timing Model [DNS]
Timing based (,) assumption for <: If one processor measures , the second , then finishes after .
To achieve concurrent deniability add timing constraints
P requires that Step 3 message be received within (local time) from Step 1
P delays Step 4 message until time from Step 1
38
...Concurrency
• Can achieve -knowledge (zero-knowledge where the simulator knows the distinguishing probability)
• Open Problem: Can Goldreich’s new simulator be used to show 0-knowledge?
39
What Are Zaps
A zap for a language L is a
• Two-round witness indistinguishable proof system for showing XL
1. verifier prover
2. prover verifier
• First round message can be fixed ``once and for all” (before X is chosen)
• The verifier uses public coins
– Single round non-constructively
Theorem: Zaps for L exist if NIZKs for L exist (~ and vice versa)
40
Tool: Timed Commitments [BN]
• Regular commitment
• Potential forced opening phase
[Diagram: Sender, Receiver, X]
41
Regular Commitments
[Diagram: Sender, Receiver, X; Commit Phase, Reveal Phase]
Receiver can verify X
Sender is bound to X
42
Forced Open Phase
[Diagram: Sender, Receiver, X; Potential Forced Opening]
Receiver extracts X (+proof) in time T
Commitment is secure only for time t < T
43
Requirements
• Future recoverability - verifiable following commit phase
• Decommitment - value + proof. Ditto for forcibly recovered values. Can act as genuine proof of knowledge to committed value
• Immunity to parallel attacks
Construction based on ``generalized BBS.” Uses several rounds to prove consistency of commitment [BN].
We will substitute with a zap.
44
2-round Timed Deniable Auth.
Public key: keys K_1 and K_2 and string of zap
To authenticate m
• Verifier prover:
– Choose r, y_0, y_1 {0,1}^n. Send E_K1(m r), C(y_0), C(y_1)
Give zap of validity of at least one using . Random string for zaps
• Prover verifier:
– Checks zap proof and decrypt r
– Send Y=E_K1(r) Z= E_K2(s) and zap using that either
(i) r = D_K1(Y) or
(ii) D_K2(Z) {y_0, y_1}
Timing requirement: verifier receives response within
45
References
• [Dolev, Dwork, Naor] Non-malleable Cryptography, SIAM J. Computing, 2000 (prelim. version STOC’91)
• [Dwork, Naor] Method for message authentication from non-malleable cryptosystems, US Patent 1996.
• [Dwork, Naor, Sahai] Concurrent Zero-Knowledge, STOC’98.
• [Boneh, Naor] Timed Commitments, Crypto’2000.
• [Dwork, Naor] Zaps and their Applications, FOCS’2000.
• [Naor] Deniable Ring Authentication, Crypto 2002
46
Comparison with Designated Verifier/recipient
• No need for verifier to have a public-key
• How to verify the independence of the keys of the verifier? Interaction...