Deniable Ring Authentication
Moni Naor
Weizmann Institute of Science

Authentication
One of the fundamental tasks of cryptography
• Alice (sender) wants to send a message m to Bob (receiver).
• They want to prevent Eve from interfering
  – Bob should be sure that the message he receives is the message m Alice sent.
[Diagram: Alice, Bob, Eve]

Is authentication transferable?
• Shared key authentication: non-transferable
  • except in a limited sense.
• Key idea of modern cryptography (Diffie and Hellman): can make authentication (signatures) transferable to third party - Non-repudiation.
  – Essential to contract signing, e-commerce…
Digital Signatures: last 25 years major effort in
– Research
  • Notions of security
  • Computationally efficient constructions
– Technology, Infrastructure, Commerce, Legal

Is non-repudiation always desirable?
Not necessarily so:
• Privacy of conversation, no (verifiable) record.
  – Do you want everything you ever said to be held against you?
• Bob pays for the authentication, shouldn't be able to transfer it for free
• Perhaps can gain efficiency
In this talk - merge two approaches for privacy
• Deniable Authentication
• Ring Authentication

Talk
• Authentication
  – Traditional
  – Deniable
  – Ring
• Some Old Protocols:
  – Interactive Authentication (Dwork, Dolev, Naor)
  – Deniable Authentication (Dwork, Naor, Sahai)
• Some New Ones:
  – Deniable Ring Authentication
  – Threshold scheme
  – Dealing with Big Brother

Deniable Authentication
Want to come up with an (perhaps interactive) authentication scheme such that the receiver keeps no receipt of conversation. This means:
• Any receiver could have generated the conversation itself.
  – There is a simulator that for any message m and verifier V* generates an indistinguishable conversation.
  – Similar to Zero-Knowledge!
  – An example where zero-knowledge is the ends, not the means!
Proof of security consists of Unforgeability and Deniability

Ring Signatures and Authentication
Can we keep the sender anonymous?
Idea: prove that the signer is a member of an ad hoc set
– Other members do not cooperate
– Use their `regular’ public-keys
  • Signature keys [RST], Encryption [This Talk]
– Should be indistinguishable which member of the set is actually doing the authentication
[Diagram: Bob, Alice??, Eve]

Related Notions
Deniability has many meanings…
• Undeniable signatures (Chaum and van Antwerpen 89, GKR)
  – Chameleon signatures (Krawczyk and Rabin 98).
• Group signatures
The signature is intended for ultimate adjudication by a third party (judge).
  – Not deniable if secret keys are revealed!
• Designated verifier proofs
• Ring Signatures [RST] ad hoc sets (users choose their keys)

Ring Signatures [RST]
Rivest, Shamir and Tauman proposed Ring Signatures:
• Signature on message m by a member of an ad hoc set of participants
  – Using existing Infrastructure for signatures
• For a generated signature the source is (statistically) indistinguishable
• Non-repudiation - recipient can convince a third party of the authenticity of a signature
• Non-interactive - single round
• Efficient - if underlying signature is low exponent RSA/Rabin
  – Need Ideal Cipher for combining function

Deniable Ring Authentication
Want the properties of Ring Signatures but
• With deniability - no third party authentication
  – Willing to trade with interaction - essential without model changes
• Use Public Encryption Keys
• Some of the keys may be badly formed
Unforgeability and Deniability - as before plus Source Hiding:
– For any verifier, for any arbitrary set of keys, some good some bad, the source is computationally indistinguishable among the good keys

Security of Authentication Schemes
The Goldwasser-Micali-Rivest classification of signature schemes can be applied to interactive authentication schemes.
The classification is according to:
• Attacks
• What it means to break
Strongest type: Existentially unforgeable against adaptive chosen message attack
– Adversary can choose any sequence of messages m1, m2 … and receive an authentication on them.
If he then succeeds in convincing an honest verifier that some m’ not in m1, m2 … then he has broken the system

Ring Authentication Setting
• A ring is an arbitrary set of participants including the authenticator
• Each member i of the ring has a public key Ei.
  – Generated according to some protocol
  – Good players follow it, bad ones the adversary fixes.
  – Example: signature, Encryption
• To run a ring authentication protocol both sides need to know E1, E2, …, En - the public key of the ring members

Deniable Ring Authentication
Completeness: for any good sender and receiver possible to complete the authentication on any message
Unforgeability: Existentially unforgeable against adaptive chosen message attack
Deniability:
– For any verifier, for any arbitrary set of keys, some good some bad, there is a simulator that can generate indistinguishable conversations.
Source Hiding:
– For any verifier, for any arbitrary set of keys, some good some bad, the source is computationally indistinguishable among the good keys
Source Hiding and Deniability – incomparable

The Protocols
• Some background Protocols
• Main Protocol for deniable ring authentication
• Extended Protocol for Threshold Schemes
• A protocol for deniable ring authentication in the presence of big brother
All the protocols are based on encryption

Encryption
• Assume an encryption scheme E
• Public key K – knowing K can encrypt message m
  – generate Y = E_K(m)
  – With corresponding secret key, given Y can retrieve m
• Process is probabilistic: to generate E_K(m) choose random string

A Public Key Authentication Protocol [DDN,DN]
P has a public key K of an encryption scheme E.
To authenticate a message m:
• V → P: Choose r ∈ {0,1}^n. Send E_K(m ∘ r)
• P → V: Verify that prefix of plaintext is m. If yes - send r.
Is it Unforgeable? Is it Deniable?

Encryption: attacks and security
• Non-malleable security - whatever is computable in an encrypted form about the plaintext given the ciphertext is computable without it.
• Chosen ciphertext attacks - the post-processing mode:
  – Adversary has access to decryption box. Challenge ciphertext is known when the attack takes place (but cannot submit it...).
• Strongest type of cryptosystem (?):
  – non-malleable against chosen ciphertext attacks in the post-processing mode. (Non-Malleable and Semantic Security are equivalent under this attack).

Encryption: Implementation
• Under any trapdoor permutation - rather inefficient [DDN].
• Cramer & Shoup: Under the Decisional DH assumption
  – Requires a few exponentiations.
• With Random Oracles: several proposals
  – RSA with OAEP - same complexity as vanilla RSA [Crypto’2001]
  – Can use low exponent RSA/Rabin
• With additional Interaction: J. Katz’s non malleable POKS?

Security of the scheme
Unforgeability: depends on the strength of E_K.
• Sensitive to malleability:
  – if given E_K(m ∘ r) can generate E_K(m’ ∘ r) - can forge messages.
• The protocol allows a chosen ciphertext attack on E_K.
  – Even of the post-processing kind!
• Can prove that any strategy for existential forgery can be translated into a CCA strategy on E
• Works even against concurrent executions.
Deniability: does V retain a receipt??
– It is for honest V
– Need to prove knowledge of r

Regular Commitments
[Diagram: Sender and Receiver; Commit Phase, then Reveal Phase of X]
• Sender is bound to X
• Receiver can verify X

Encryption as Commitment
When the public key K is fixed and known E_K(x) can be seen as commitment to x
To open x: reveal , the random bits used to generate E_K(x).
Perfect binding: from unique decryption
For any Y there are no two different x and x’ and and ’ s.t. Y = E_K(x, ) = E_K(x’, ’)
Secrecy: no information about x leaked to those not knowing private key corresponding to L
Insecure for others

Concurrency
Whether protocols remain secure when executed concurrently:
– No online coordination between the good guys
– Adversary controls schedule
Is a major issue
Solutions:
– Timing
– Added rounds
– Non black-box?
– Shared random string

Fiat-Shamir Heuristic
Remove interaction by oracles
• Can convert a public coin identification protocol into a signature scheme using random oracles
• Can such a protocol be converted into a signature scheme?

Deniable Protocol [DNS]
P has a public key K of an encryption scheme E.
To authenticate message m:
• V → P: Choose r ∈ {0,1}^n. Send E_K(m ∘ r) - random bits used secret
• P → V: Send E_K(r) - random bits used secret
• V → P: Send r and the random bits used - opening E_K(m ∘ r)
• P → V: Open E_K(r) by sending the random bits used.

Security of the scheme
Unforgeability: as before - depends on the strength of E_K
can simulate previous scheme (with access to D_K)
Important property: E_K(r) is a non-malleable commitment (wrt the encryption) to r (need unique opening).
Deniability: can run simulator `as usual’:
• Extract r by running with E(r’) and rewinding
• Expected polynomial time
• Need the semantic security of E - it acts as a commitment scheme

Ring Signatures and Authentication
Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set
– Other members do not cooperate
– Use their `regular’ public-keys
  • Encryption [This Talk]
– Should be indistinguishable which member of the set is actually doing the authentication
[Diagram: Bob, ?Alice, Eve]

Ring Authentication Setting
• A ring is an arbitrary set of participants including the authenticator
• Each member i of the ring has a public encryption key Ei.
  – Everyone that knows Ei can encrypt a message m and send Ei(m).
  – Only i, that knows the secret key of Ei, can decrypt Ei(m)
• To run a ring authentication protocol both sides need to know E1, E2, …, En - the public key of the ring members

A not so good Ring Authentication Protocol
Ring has public keys K1, K2, …, Kn of an encryption scheme
To authenticate message m with jth decryption key:
• V → P: Choose r ∈ {0,1}^n. Send E_K1(m ∘ r), E_K2(m ∘ r), …, E_Kn(m ∘ r) - random bits used for each key i
• P → V: Decrypt E_Kj(m ∘ r) and send E_K1(r), E_K2(r), …, E_Kn(r) - random bits used for each key i
• V → P: Send r and the random bits used for each key i - opening E_Ki(m ∘ r)
• P → V: Verify consistency and open all E_Ki(r) by revealing the random bits used for each key i.
Problem: what if not all suffixes (r‘s) are equal

The Ring Authentication Protocol
Ring has public keys K1, K2, …, Kn of an encryption scheme
To authenticate message m with jth decryption key:
• V → P: Choose r ∈ {0,1}^n. Send E_K1(m ∘ r), E_K2(m ∘ r), …, E_Kn(m ∘ r) - random bits used for each key i
• P → V: Decrypt E_Kj(m ∘ r) and send E_K1(r1), E_K2(r2), …, E_Kn(rn) where r1 + r2 + … + rn = r
• V → P: Send r and the random bits used for each key i - opening E_Ki(m ∘ r)
• P → V: Verify consistency and open all E_Ki(ri) by revealing the random bits used for each key i
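
A runnable walk-through of the four messages of the ring protocol above, added here as an illustration and not code from the talk; with a ring of one key it reduces to the [DNS] deniable protocol. Assumptions: a demo-sized hashed-ElGamal cipher with an integrity tag stands in for the non-malleable encryption E the slides require, the `+` on shares is taken as XOR over {0,1}^n, and every function name is hypothetical.

```python
import hashlib, secrets
from functools import reduce

P, G, N = 2**127 - 1, 3, 16  # demo-sized group Z_p^* (assumption); N = byte length of r

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rand_exp():
    return secrets.randbelow(P - 2) + 1

def keygen():
    sk = rand_exp()
    return sk, pow(G, sk, P)

def kdf(shared, label, n):
    return hashlib.shake_256(label + shared.to_bytes(16, "big")).digest(n)

def enc(pk, msg, rho):
    """Encrypt with explicit randomness rho: revealing (msg, rho) opens the ciphertext."""
    shared = pow(pk, rho, P)
    tag = kdf(shared, b"tag" + msg, 32)  # integrity tag: a mauled ciphertext fails to decrypt
    return pow(G, rho, P), xor(msg, kdf(shared, b"pad", len(msg))), tag

def dec(sk, ct):
    c1, c2, tag = ct
    shared = pow(c1, sk, P)
    msg = xor(c2, kdf(shared, b"pad", len(c2)))
    return msg if tag == kdf(shared, b"tag" + msg, 32) else None

def prover_commit(pks, sk_j, j, m, cts):
    """Step 2 (P -> V): decrypt slot j, split r into r1..rn, commit with E_Ki(ri)."""
    pt = dec(sk_j, cts[j])
    if pt is None or pt[:-N] != m:  # the prefix of the plaintext must be m
        return None
    r = pt[-N:]
    shares = [secrets.token_bytes(N) for _ in pks[1:]]
    shares.append(reduce(xor, shares, r))  # last share makes the XOR of all shares equal r
    sigmas = [rand_exp() for _ in pks]
    return r, shares, sigmas, [enc(pk, s, sg) for pk, s, sg in zip(pks, shares, sigmas)]

def prover_checks(pks, m, cts, r, v_r, v_rhos):
    """Step 4 check: every E_Ki(m∘r) must re-encrypt from the r and randomness V revealed."""
    return v_r == r and all(
        enc(pk, m + v_r, rho) == ct for pk, rho, ct in zip(pks, v_rhos, cts))

def verifier_accepts(pks, r, commits, shares, sigmas):
    """V's last check: each opening matches its commitment and the shares combine to r."""
    return reduce(xor, shares, bytes(N)) == r and all(
        enc(pk, s, sg) == c for pk, s, sg, c in zip(pks, shares, sigmas, commits))

def run(n=3, j=1, m=b"constructed message", cheat=False):
    keys = [keygen() for _ in range(n)]
    pks = [pk for _, pk in keys]
    # Honest V encrypts one r under all keys; a cheating V uses a different suffix per key.
    rs = [secrets.token_bytes(N) for _ in pks] if cheat else [secrets.token_bytes(N)] * n
    rhos = [rand_exp() for _ in pks]
    cts = [enc(pk, m + r, rho) for pk, r, rho in zip(pks, rs, rhos)]  # step 1
    step2 = prover_commit(pks, keys[j][0], j, m, cts)                 # step 2
    if step2 is None:
        return "prover rejects challenge"
    r, shares, sigmas, commits = step2
    if not prover_checks(pks, m, cts, r, rs[0], rhos):                # steps 3-4
        return "prover aborts without opening"
    return "accepted" if verifier_accepts(pks, rs[0], commits, shares, sigmas) else "verifier rejects"

if __name__ == "__main__":
    print(run(), "|", run(n=1, j=0), "|", run(cheat=True))
```

When the verifier encrypts unequal suffixes, the prover's consistency check fails and the shares stay committed, so nothing about which key decrypted is opened.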

Security of the scheme
Unforgeability: as before (assuming all keys are well chosen) since E_K1(r1), E_K2(r2), …, E_Kn(rn) is a non-malleable commitment to r
Source Hiding: which key was used (among well chosen keys) is
– Computationally indistinguishable during protocol
– Statistically indistinguishable after protocol
Deniability: Can run simulator `as before’:
• Semantic security of one of the Ei‘s - is sufficient that E_K1(r1), …, acts as a commitment scheme

Comparison with Ring Signatures [RST]
Disadvantages
• Ours requires interaction
  – But stronger notion of deniability
• Communication proportional to ring (subset) size (as compared to single element)
Advantages
• Works with any (strong enough) encryption
  – unwilling participants cannot avoid it if they want good encryption
• Provable in the `real’ world
  – no random oracles or ideal ciphers
  – No additional primitives
• Extensions to threshold
• Assuming random oracles - comparable to RST (up to multiplicative factors)

Extension: Threshold and Other Access Structures
Instead of convincing a verifier that a single member of the ad hoc subset confirms the message want:
– At least k members
– More complex access structures
Can use secret sharing (for any access structure) without any member revealing their keys
Idea: split r according to the shares

Extended Protocol
Ring has public keys K1, K2, …, Kn
To authenticate message m with subset T of decryption keys:
• V → P: Choose r ∈ {0,1}^n and split into shares x1, x2, …, xn. Send E_K1(m ∘ x1), …, E_Kn(m ∘ xn)
• P → V: For each j ∈ T decrypt E_Kj(m ∘ xj) and reconstruct r. Send E_K1(r1), E_K2(r2), …, E_Kn(rn) where r1 + r2 + … + rn = r
• V → P: Send r and the random bits used for all i ∈ {1..n} - opening E_Ki(m ∘ xi)
• P → V: Verify consistency of all xi and open all E_Ki(ri).

Deniable Ring Authentication in the Presence of Big Brother
Suppose that the adversary knows the private keys of all users
Then the protocol is not source hiding anymore:
In Step 1 can encrypt different r’s and read them out in step 2
Why would they be known:
– Identity Based Encryption
– Revocation Schemes – Subset cover protocols.
  • Enables covering any subsets by a relatively small number of keys!
Idea: use regular commitment protocol W and add a proof of knowledge to obtain non-malleability

In the Presence of Big Brother
Subset has public keys K1, K2, …, Kn
To authenticate message m with jth decryption key:
• V → P: Choose r ∈ {0,1}^n and send E_K1(m ∘ r), …, E_Kn(m ∘ r)
• P → V: Decrypt E_Kj(m ∘ r) and reconstruct r and choose (r^0_1, r^1_1), (r^0_2, r^1_2), …, (r^0_m, r^1_m) s.t. r = r^0_i + r^1_i. Send (W(r^0_1), W(r^1_1)), (W(r^0_2), W(r^1_2)), …, (W(r^0_m), W(r^1_m))
• V → P: Choose m random bits b1, b2, …, bm
• P → V: Open W(r^b1_1), W(r^b2_2), …, W(r^bm_m)
• V → P: Verify the opening. Open E_K1(m ∘ r), …, E_Kn(m ∘ r)
• P → V: Verify consistency of E_Ki(m ∘ r) and open the remaining W(ri).

Open Problems
• What is the communication complexity required of deniable authentication? Is it possible to exchange o(|S|) bits (if the set is known)?
  – Low communication is possible in principle
• Is source hiding alone easier than deniability
  – Is it possible in the shared key world (at reasonable costs)?
• What is the precise security requirement from E in the main protocol?
  – Katz’s NM POK
• In the access scheme is it possible for the members to be mutually untrusting wrt deniability
• Where is the border between possible and impossible in deniability
• Fiat-Shamir heuristics
• Social/legal implication to PKI?

Concurrency in Timing Model [DNS]
Timing based (,) assumption for <: If one processor measures , the second , then finishes after .
To achieve concurrent deniability add timing constraints
P requires that Step 3 message be received within (local time) from Step 1
P delays Step 4 message until time from Step 1
...Concurrency
• Can achieve -knowledge (zero-knowledge where the simulator knows the distinguishing probability)
• Open Problem: Can Goldreich’s new simulator be used to show 0-knowledge?

What Are Zaps
A zap for a language L is a
• Two-round witness indistinguishable proof system for showing X ∈ L
  1. verifier → prover
  2. prover → verifier
• First round message can be fixed ``once and for all” (before X is chosen)
• The verifier uses public coins
  – Single round non-constructively
Theorem: Zaps for L exist if NIZKs for L exist (~ and vice versa)

Tool: Timed Commitments [BN]
• Regular commitment
• Potential forced opening phase
[Diagram: Sender, X, Receiver]

Potential Forced Opening
Forced Open Phase
[Diagram: Sender, X, Receiver]
• Receiver extracts X (+proof) in time T
• Commitment is secure only for time t < T

Requirements
• Future recoverability - verifiable following commit phase
• Decommitment - value + proof. Ditto for forcibly recovered values. Can act as genuine proof of knowledge to committed value
• Immunity to parallel attacks
Construction based on ``generalized BBS.” Uses several rounds to prove consistency of commitment [BN].
We will substitute with a zap.

2-round Timed Deniable Auth.
Public key: keys K1 and K2 and string of zap
To authenticate m
• Verifier → prover:
  – Choose r, y0, y1 ∈ {0,1}^n. Send E_K1(m ∘ r), C(y0), C(y0)
  Give zap of validity of at least one using . Random string for zaps
• Prover → verifier:
  – Checks zap proof and decrypt r
  – Send Y = E_K1(r), Z = E_K2(s) and zap using that either
    (i) r = D_K1(Y) or
    (ii) D_K2(Z) ∈ {y0, y1}
Timing requirement: verifier receives response within

References
• [Dolev, Dwork, Naor] Non-malleable Cryptography, SIAM J. Computing, 2000 (prelim. version STOC’91)
• [Dwork, Naor] Method for message authentication from non-malleable cryptosystems, US Patent 1996.
• [Dwork, Naor, Sahai] Concurrent Zero-Knowledge, STOC’98.
• [Boneh, Naor] Timed Commitments, Crypto’2000.
• [Dwork, Naor] Zaps and their Applications, FOCS’2000.
• [Naor] Deniable Ring Authentication, Crypto 2002

Comparison with Designated Verifier/recipient
• No need for verifier to have a public-key
• How to verify the independence of the keys of the verifier? Interaction...