Deniable Ring Authentication. Moni Naor, Weizmann Institute of Science.


Slide 2: Authentication
One of the fundamental tasks of cryptography.
Alice (sender) wants to send a message m to Bob (receiver). They want to prevent Eve from interfering.
– Bob should be sure that the message he receives is the message m Alice sent.
[Diagram: Alice, Bob, Eve]

Slide 3: Is authentication transferable?
Shared key authentication: non-transferable except in a limited sense.
Key idea of modern cryptography (Diffie and Hellman): can make authentication (signatures) transferable to a third party - non-repudiation.
– Essential to contract signing, e-commerce…
Digital signatures: last 25 years, major effort in
– Research: notions of security; computationally efficient constructions
– Technology, infrastructure, commerce, legal

Slide 4: Is non-repudiation always desirable?
Not necessarily so:
Privacy of conversation, no (verifiable) record.
– Do you want everything you ever said to be held against you?
Bob pays for the authentication, shouldn't be able to transfer it for free.
Perhaps can gain efficiency.
In this talk - merge two approaches for privacy:
– Deniable Authentication
– Ring Authentication

Slide 5: Talk
Authentication
– Traditional
– Deniable
– Ring
Some Old Protocols:
– Interactive Authentication (Dwork, Dolev, Naor)
– Deniable Authentication (Dwork, Naor, Sahai)
Some New Ones:
– Deniable Ring Authentication
– Threshold scheme
– Dealing with Big Brother

Slide 6: Deniable Authentication
Want to come up with a (perhaps interactive) authentication scheme such that the receiver keeps no receipt of the conversation.
This means: any receiver could have generated the conversation itself.
– There is a simulator that for any message m and verifier V* generates an indistinguishable conversation.
– Similar to Zero-Knowledge!
– An example where zero-knowledge is the ends, not the means!
Proof of security consists of Unforgeability and Deniability.

Slide 7: Ring Signatures and Authentication
Can we keep the sender anonymous?
Idea: prove that the signer is a member of an ad hoc set
– Other members do not cooperate
– Use their 'regular' public keys: Signature keys [RST], Encryption [This Talk]
– Should be indistinguishable which member of the set is actually doing the authentication
[Diagram: Bob, Alice (??), Eve]

Slide 8: Related Notions
Deniability has many meanings…
Undeniable signatures (Chaum and van Antwerpen 89, GKR)
– Chameleon signatures (Krawczyk and Rabin 98).
Group signatures
The signature is intended for ultimate adjudication by a third party (judge).
– Not deniable if secret keys are revealed!
Designated verifier proofs
Ring Signatures [RST]: ad hoc sets (users choose their keys)

Slide 9: Ring Signatures [RST]
Rivest, Shamir and Tauman proposed Ring Signatures:
Signature on message m by a member of an ad hoc set of participants
– Using existing infrastructure for signatures
For a generated signature the source is (statistically) indistinguishable
Non-repudiation - recipient can convince a third party of the authenticity of a signature
Non-interactive - single round
Efficient - if underlying signature is low exponent RSA/Rabin
– Need Ideal Cipher for combining function

Slide 10: Deniable Ring Authentication
Want the properties of Ring Signatures but with deniability - no third-party authentication
– Willing to trade with interaction - essential without model changes
Use public encryption keys
Some of the keys may be badly formed
Unforgeability and Deniability - as before, plus
Source Hiding:
– For any verifier, for any arbitrary set of keys, some good some bad, the source is computationally indistinguishable among the good keys

Slide 11: Security of Authentication Schemes
The Goldwasser-Micali-Rivest classification of signature schemes can be applied to interactive authentication schemes. The classification is according to:
– Attacks
– What it means to break
Strongest type: existentially unforgeable against adaptive chosen message attack
– Adversary can choose any sequence of messages m_1, m_2, … and receive an authentication on them. If he then succeeds in convincing an honest verifier of some m′ not in m_1, m_2, …, then he has broken the system.

Slide 12: Ring Authentication Setting
A ring is an arbitrary set of participants including the authenticator.
Each member i of the ring has a public key E_i.
– Generated according to some protocol
– Good players follow it, bad ones the adversary fixes.
– Example: signature, encryption
To run a ring authentication protocol both sides need to know E_1, E_2, …, E_n - the public keys of the ring members.

Slide 13: Deniable Ring Authentication
Completeness: for any good sender and receiver it is possible to complete the authentication on any message.
Unforgeability: existentially unforgeable against adaptive chosen message attack.
Deniability:
– For any verifier, for any arbitrary set of keys, some good some bad, there is a simulator that can generate indistinguishable conversations.
Source Hiding:
– For any verifier, for any arbitrary set of keys, some good some bad, the source is computationally indistinguishable among the good keys.
Source Hiding and Deniability – incomparable

Slide 14: The Protocols
Some background protocols
Main protocol for deniable ring authentication
Extended protocol for threshold schemes
A protocol for deniable ring authentication in the presence of big brother
All the protocols are based on encryption

Slide 15: Encryption
Assume an encryption scheme E
Public key K – knowing K can encrypt message m
– generate Y = E_K(m)
– With the corresponding secret key, given Y can retrieve m
Process is probabilistic: to generate E_K(m) choose random string 

Slide 16: A Public Key Authentication Protocol [DDN, DN]
P has a public key K of an encryption scheme E. To authenticate a message m:
V → P: Choose r ∈ {0,1}^n. Send E_K(m ∘ r)
P → V: Verify that prefix of plaintext is m. If yes - send r.
Is it Unforgeable? Is it Deniable?

Slide 17: Encryption: attacks and security
Non-malleable security - whatever is computable in an encrypted form about the plaintext given the ciphertext is computable without it.
Chosen ciphertext attacks - the post-processing mode:
– Adversary has access to a decryption box. Challenge ciphertext is known when the attack takes place (but cannot submit it...).
Strongest type of cryptosystem (?):
– non-malleable against chosen ciphertext attacks in the post-processing mode. (Non-Malleable and Semantic Security are equivalent under this attack.)

Slide 18: Encryption: Implementation
Under any trapdoor permutation - rather inefficient [DDN].
Cramer & Shoup: under the Decisional DH assumption
– Requires a few exponentiations.
With Random Oracles: several proposals
– RSA with OAEP - same complexity as vanilla RSA [Crypto'2001]
– Can use low exponent RSA/Rabin
With additional interaction: J. Katz's non malleable POKS?

Slide 19: Security of the scheme
Unforgeability: depends on the strength of E_K.
Sensitive to malleability:
– if given E_K(m ∘ r) can generate E_K(m′ ∘ r) - can forge messages.
The protocol allows a chosen ciphertext attack on E_K.
– Even of the post-processing kind!
Can prove that any strategy for existential forgery can be translated into a CCA strategy on E.
Works even against concurrent executions.
Deniability: does V retain a receipt??
– It is for honest V
– Need to prove knowledge of r

Slide 20: Regular Commitments
[Diagram: Sender and Receiver; Commit Phase, Reveal Phase, committed value X]
Sender is bound to X
Receiver can verify X

Slide 21: Encryption as Commitment
When the public key K is fixed and known, E_K(x) can be seen as a commitment to x
To open x: reveal , the random bits used to generate E_K(x).
Perfect binding: from unique decryption
For any Y there are no two different x and x′ and  and  ′ s.t. Y = E_K(x,  ) = E_K(x′,  ′)
Secrecy: no information about x leaked to those not knowing private key corresponding to L
Insecure for others

Slide 22: Concurrency
Whether protocols remain secure when executed concurrently:
– No online coordination between the good guys
– Adversary controls schedule
Is a major issue
Solutions:
– Timing
– Added rounds
– Non black-box?
– Shared random string

Slide 23: Fiat-Shamir Heuristic
Remove interaction by oracles
Can convert a public coin identification protocol into a signature scheme using random oracles
Can such a protocol be converted into a signature scheme?

Slide 24: Deniable Protocol [DNS]
P has a public key K of an encryption scheme E. To authenticate message m:
V → P: Choose r ∈ {0,1}^n. Send E_K(m ∘ r) - random bits used  secret
P → V: Send E_K(r) - random bits used  secret
V → P: Send r and  - opening E_K(m ∘ r)
P → V: Open E_K(r) by sending .

Slide 25: Security of the scheme
Unforgeability: as before - depends on the strength of E_K
– can simulate previous scheme (with access to D_K)
Important property: E_K(r) is a non-malleable commitment (wrt the encryption) to r (need unique opening).
Deniability: can run simulator 'as usual':
– Extract r by running with E(r′) and rewinding
– Expected polynomial time
– Need the semantic security of E - it acts as a commitment scheme

Slide 26: Ring Signatures and Authentication
Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set
– Other members do not cooperate
– Use their 'regular' public keys: Encryption [This Talk]
– Should be indistinguishable which member of the set is actually doing the authentication
[Diagram: Bob, Alice (?), Eve]

Slide 27: Ring Authentication Setting
A ring is an arbitrary set of participants including the authenticator.
Each member i of the ring has a public encryption key E_i.
– Everyone that knows E_i can encrypt a message m and send E_i(m).
– Only i, who knows the secret key of E_i, can decrypt E_i(m).
To run a ring authentication protocol both sides need to know E_1, E_2, …, E_n - the public keys of the ring members.

Slide 28: A not so good Ring Authentication Protocol
Ring has public keys K_1, K_2, …, K_n of an encryption scheme. To authenticate message m with the jth decryption key:
V → P: Choose r ∈ {0,1}^n. Send E_{K_1}(m ∘ r), E_{K_2}(m ∘ r), …, E_{K_n}(m ∘ r) - random bits used  i
P → V: Decrypt E_{K_j}(m ∘ r) and send E_{K_1}(r), E_{K_2}(r), …, E_{K_n}(r) - random bits used  i
V → P: Send r and  i - opening E_{K_i}(m ∘ r)
P → V: Verify consistency and open all E_{K_i}(r) by revealing  i.
Problem: what if not all suffixes (r's) are equal?

Slide 29: The Ring Authentication Protocol
Ring has public keys K_1, K_2, …, K_n of an encryption scheme. To authenticate message m with the jth decryption key:
V → P: Choose r ∈ {0,1}^n. Send E_{K_1}(m ∘ r), E_{K_2}(m ∘ r), …, E_{K_n}(m ∘ r) - random bits used  i
P → V: Decrypt E_{K_j}(m ∘ r) and send E_{K_1}(r_1), E_{K_2}(r_2), …, E_{K_n}(r_n) where r_1 + r_2 + … + r_n = r
V → P: Send r and  i - opening E_{K_i}(m ∘ r)
P → V: Verify consistency and open all E_{K_i}(r_i) by revealing  i
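
An added simulation of the four-message ring protocol above, not code from the talk: it runs an honest exchange and shows the prover's consistency check stopping a verifier whose step-1 suffixes differ. Assumptions: toy ElGamal with explicit randomness stands in for the non-malleable scheme E, "+" on the shares is taken as bitwise XOR, and all function names and parameters are hypothetical.

```python
import secrets
from functools import reduce

P, G, RBITS = 2**521 - 1, 3, 64   # toy group Z_P^* (P is a Mersenne prime); assumed parameters

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def enc(pk, x, rho):
    # Toy ElGamal, explicit randomness rho: revealing (x, rho) opens it. NOT non-malleable.
    return pow(G, rho, P), x * pow(pk, rho, P) % P

def dec(sk, c):
    return c[1] * pow(c[0], P - 1 - sk, P) % P

def cat(m, r):                      # m ∘ r: m is the prefix, r the RBITS-bit suffix
    return (m << RBITS) | r

def xor_all(xs):
    return reduce(lambda a, b: a ^ b, xs, 0)

def v_step1(pks, m, rs):            # V -> P: E_Ki(m ∘ r) under every ring key
    rhos = [secrets.randbelow(P - 2) + 1 for _ in pks]
    return rhos, [enc(pk, cat(m, r), rho) for pk, r, rho in zip(pks, rs, rhos)]

def p_step2(pks, j, sk_j, m, cts):  # P -> V: E_Ki(r_i) with r_1 ^ ... ^ r_n = r
    x = dec(sk_j, cts[j])
    if x >> RBITS != m:
        raise ValueError("plaintext prefix is not m")
    r = x & (2**RBITS - 1)
    shares = [secrets.randbits(RBITS) for _ in pks[1:]]
    shares.append(r ^ xor_all(shares))
    sig = [secrets.randbelow(P - 2) + 1 for _ in pks]
    return shares, sig, [enc(pk, s, g) for pk, s, g in zip(pks, shares, sig)]

def p_step4_check(pks, m, cts, r, rhos):   # P re-encrypts to verify V's step-3 opening
    return all(enc(pk, cat(m, r), rho) == c for pk, rho, c in zip(pks, rhos, cts))

def v_accepts(pks, r, shares, sig, commits):
    return xor_all(shares) == r and all(
        enc(pk, s, g) == c for pk, s, g, c in zip(pks, shares, sig, commits))

def run(n=4, j=2, m=0xC0FFEE, honest_verifier=True):
    keys = [keygen() for _ in range(n)]
    pks = [pk for pk, _ in keys]
    r = secrets.randbits(RBITS)
    # A cheating verifier encrypts a different suffix under each key (constructed case).
    rs = [r] * n if honest_verifier else [r ^ i for i in range(n)]
    rhos, cts = v_step1(pks, m, rs)
    shares, sig, commits = p_step2(pks, j, keys[j][1], m, cts)
    if not p_step4_check(pks, m, cts, rs[0], rhos):   # step 3 delivered r and the rhos
        return "prover aborts: step-1 ciphertexts inconsistent"
    return "accepted" if v_accepts(pks, rs[0], shares, sig, commits) else "rejected"
```

In the cheating run the prover aborts before opening any E_{K_i}(r_i), so the shares it sent in step 2 stay sealed under the ring members' keys.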

Slide 30: Security of the scheme
Unforgeability: as before (assuming all keys are well chosen), since E_{K_1}(r_1), E_{K_2}(r_2), …, E_{K_n}(r_n) is a non-malleable commitment to r
Source Hiding: which key was used (among well chosen keys) is
– Computationally indistinguishable during protocol
– Statistically indistinguishable after protocol
Deniability: can run simulator 'as before':
– Semantic security of one of the E_i's is sufficient that E_{K_1}(r_1), … acts as a commitment scheme

Slide 31: Comparison with Ring Signatures [RST]
Disadvantages
Ours: requires interaction
– But stronger notion of deniability
Communication proportional to ring (subset) size (as compared to single element)
Advantages
Works with any (strong enough) encryption
– unwilling participants cannot avoid it if they want good encryption
Provable in the 'real' world
– no random oracles or ideal ciphers
– No additional primitives
Extensions to threshold
Assuming random oracles - comparable to RST (up to multiplicative factors)

Slide 32: Extension: Threshold and Other Access Structures
Instead of convincing a verifier that a single member of the ad hoc subset confirms the message, want:
– At least k members
– More complex access structures
Can use secret sharing (for any access structure) without any member revealing their keys
Idea: split r according to the shares

Slide 33: Extended Protocol
Ring has public keys K_1, K_2, …, K_n. To authenticate message m with subset T of decryption keys:
V → P: Choose r ∈ {0,1}^n and split into shares x_1, x_2, …, x_n. Send E_{K_1}(m ∘ x_1), …, E_{K_n}(m ∘ x_n)
P → V: For each j ∈ T decrypt E_{K_j}(m ∘ x_j) and reconstruct r. Send E_{K_1}(r_1), E_{K_2}(r_2), …, E_{K_n}(r_n) where r_1 + r_2 + … + r_n = r
V → P: Send r and  i for all i ∈ {1..n} - opening E_{K_i}(m ∘ x_i)
P → V: Verify consistency of all x_i and open all E_{K_i}(r_i).

Slide 34: Deniable Ring Authentication in the Presence of Big Brother
Suppose that the adversary knows the private keys of all users.
Then the protocol is not source hiding anymore: in Step 1 can encrypt different r's and read them out in Step 2
Why would they be known:
– Identity Based Encryption
– Revocation Schemes – Subset cover protocols. Enables covering any subsets by a relatively small number of keys!
Idea: use regular commitment W protocol and add a proof of knowledge to obtain non-malleability

Slide 35: In the Presence of Big Brother
Subset has public keys K_1, K_2, …, K_n. To authenticate message m with the jth decryption key:
V → P: Choose r ∈ {0,1}^n and send E_{K_1}(m ∘ r), …, E_{K_n}(m ∘ r)
P → V: Decrypt E_{K_j}(m ∘ r), reconstruct r, and choose (r_1^0, r_1^1), (r_2^0, r_2^1), …, (r_m^0, r_m^1) s.t. r = r_i^0 + r_i^1. Send (W(r_1^0), W(r_1^1)), (W(r_2^0), W(r_2^1)), …, (W(r_m^0), W(r_m^1))
V → P: Choose m random bits b_1, b_2, …, b_m
P → V: Open W(r_1^{b_1}), W(r_2^{b_2}), …, W(r_m^{b_m})
V → P: Verify the opening. Open E_{K_1}(m ∘ r), …, E_{K_n}(m ∘ r)
P → V: Verify consistency of E_{K_i}(m ∘ r) and open the remaining W(r_i).

Slide 36: Open Problems
What is the communication complexity required of deniable authentication? Is it possible to exchange o(|S|) bits (if the set is known)?
– Low communication is possible in principle
Is source hiding alone easier than deniability?
– Is it possible in the shared key world (at reasonable costs)?
What is the precise security requirement from E in the main protocol?
– Katz's NM POK
In the access scheme, is it possible for the members to be mutually untrusting wrt deniability?
Where is the border between possible and impossible in deniability?
Fiat-Shamir heuristics
Social/legal implications for PKI?

Slide 37: Concurrency in Timing Model [DNS]
Timing based ( ,  ) assumption for  <  : If one processor measures , the second , then  finishes after .
To achieve concurrent deniability add timing constraints:
P requires that Step 3 message be received within  (local time) from Step 1
P delays Step 4 message until time  from Step 1
[Diagram: timeline of Steps 1, 2, 3, 4]

Slide 38: ...Concurrency
Can achieve   -knowledge (zero-knowledge where the simulator knows the distinguishing probability)
Open Problem: Can Goldreich's new simulator be used to show 0 -knowledge?

Slide 39: What Are Zaps
A zap for a language L is a two-round witness indistinguishable proof system for showing X ∈ L
1. verifier → prover
2. prover → verifier
First round message can be fixed "once and for all" (before X is chosen)
The verifier uses public coins
– Single round non-constructively
Theorem: Zaps for L exist if NIZKs for L exist (~ and vice versa)

Slide 40: Tool: Timed Commitments [BN]
Regular commitment
Potential forced opening phase
[Diagram: Sender, Receiver, committed value X]

Slide 41: Regular Commitments
[Diagram: Sender and Receiver; Commit Phase, Reveal Phase, committed value X]
Sender is bound to X
Receiver can verify X

Slide 42: Forced Open Phase
Potential forced opening
Receiver extracts X (+ proof) in time T
Commitment is secure only for time t < T
[Diagram: Sender, Receiver, committed value X, forced opening]

Slide 43: Requirements
Future recoverability - verifiable following commit phase
Decommitment - value + proof. Ditto for forcibly recovered values.
Can act as genuine proof of knowledge of committed value
Immunity to parallel attacks
Construction based on "generalized BBS." Uses several rounds to prove consistency of commitment [BN]. We will substitute with a zap.

Slide 44: 2-round Timed Deniable Auth.
Public key: keys K_1 and K_2 and string   of zap
To authenticate m:
Verifier → prover:
– Choose r, y_0, y_1 ∈ {0,1}^n. Send E_{K_1}(m ∘ r),    C(y 0 ),    C(y 0 )
– Give zap of validity of at least one   using  . Random string   for zaps
Prover → verifier:
– Checks zap proof and decrypts r
– Send Y = E_{K_1}(r), Z = E_{K_2}(s) and zap using   that either (i) r = D_{K_1}(Y) or (ii) D_{K_2}(Z) ∈ {y_0, y_1}
Timing requirement: verifier receives response within 

Slide 45: References
[Dolev, Dwork, Naor] Non-malleable Cryptography, SIAM J. Computing, 2000 (prelim. version STOC'91)
[Dwork, Naor] Method for message authentication from non-malleable cryptosystems, US Patent 1996
[Dwork, Naor, Sahai] Concurrent Zero-Knowledge, STOC'98
[Boneh, Naor] Timed Commitments, Crypto'2000
[Dwork, Naor] Zaps and their Applications, FOCS'2000
[Naor] Deniable Ring Authentication, Crypto 2002

Slide 46: Comparison with Designated Verifier/recipient
No need for verifier to have a public key
How to verify the independence of the keys of the verifier?
Interaction...

