Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient deniable authentication protocol based on generalized ElGamal signature scheme From ELSEVIER Computer Standards & Interface Author: Zuhua Shao.

Similar presentations


Presentation on theme: "Efficient deniable authentication protocol based on generalized ElGamal signature scheme From ELSEVIER Computer Standards & Interface Author: Zuhua Shao."— Presentation transcript:

1 Efficient deniable authentication protocol based on generalized ElGamal signature scheme From ELSEVIER Computer Standards & Interface Author: Zuhua Shao Presented by Yi-Jhih Jan 11/02/2004

2 Outlines Introductions The Fan et al’s protocol The proposed protocol Security analysis Conclusins

3 Introductions Deniable authentication protocol 1. It enables an intended receiver to identify the source of a given message.( 傳統 ) 2. The intended receiver cannot prove the source of a given message to any third party. ( 因 receiver 只要知道 protocol, 即可偽造此簽章, 所以 sender 可以否認 ) Application 1. It can provide Freedom from coercion in electronic voting systems 2. Secure negotiations over the Internet

4 YX’ D,M The Fan et al ’ s protocol Sender Receiver

5 The Fan et al ’ s protocol Weaknesses 1. INQ can impersonate the receiver and sends Y=g y mod p to the sender. 2.INQ can identify the source of X’. If INQ is sure that the M and X’ come from the same source, he can also identify the source of the message.

6 The proposed protocol Parameters: p: a large prime (bit size 1024-2048) q: a prime divisor of p-1 (160 bit size) g: a generator of order q H(.): a collision-free hash function X: private key Y: public key CA: a certification authority

7 The proposed protocol Sender(X s,Y s ) Receiver(X R,Y R )

8 Security analysis 1.Completeness

9 Security analysis 2. It can withstand forgery attacks. a) we first design a generalized ElGamal signature scheme (Harn proposed)

10 Security analysis If an adversary has an algorithm A(M,Y R ) and returns (r,s,MAC), he would forge the signature of the generalized ElGamal signature scheme for the message m’. M YRYR Algorithm (r,s,MAC)

11 H(w) =v Security analysis b) Define a function if X R is public, the h(.) is secure as long as H(.) is a secure hash function u v w h(u)=v

12 Security analysis 3. The proposed protocol is deniable. - If the receiver reveals the session key k, he can convince the third party the signature (r,s) of the sender - Then the third party can verfy MAC=H(k||M) by himself. - But, the third party can compute the Diffie-Hellman key of the sender and the receiver. - So the receiver would not reveal his secret informatino.

13 Security analysis - even though the receiver reveals k under coercion, the third party would also be skeptical. - because that the receiver can constuct other authenticator MAC’=H(k||M’) - that is, the receiver can simulate the authenticated message of the sender. - hence the protocol is deniable.

14 Security analysis 4. It can withstand impersonate attacks adversary: - assume that the adversary can obtain M and its authority (r,s,MAC). - if he can verify the message authenticator, he must find k’ such that - the adversary could compute - it’s impossible to do it under the Diffie-Hellman assumption.

15 Conclusions If an adversary could forge signature of this protocol, he would forge signatures of the generalized ElGamal signature scheme. Anyone can not impersonate the intended receiver.


Download ppt "Efficient deniable authentication protocol based on generalized ElGamal signature scheme From ELSEVIER Computer Standards & Interface Author: Zuhua Shao."

Similar presentations


Ads by Google