1 Deniable Ring Authentication Moni Naor Weizmann Institute of Science.

Date post: 22-Dec-2015
Deniable Ring Authentication

Moni Naor

Weizmann Institute of Science

Authentication

One of the fundamental tasks of cryptography
• Alice (sender) wants to send a message m to Bob (receiver).
• They want to prevent Eve from interfering
  – Bob should be sure that the message he receives is the message m Alice sent.

[Figure: Alice, Bob, Eve]

Is authentication transferable?

• Shared key authentication: non-transferable
  • except in a limited sense.
• Key idea of modern cryptography (Diffie and Hellman): can make authentication (signatures) transferable to third party - Non-repudiation.
  – Essential to contract signing, e-commerce…

Digital Signatures: last 25 years major effort in
– Research
  • Notions of security
  • Computationally efficient constructions
– Technology, Infrastructure, Commerce, Legal

Is non-repudiation always desirable?

Not necessarily so:
• Privacy of conversation, no (verifiable) record.
  – Do you want everything you ever said to be held against you?
• Bob pays for the authentication, shouldn't be able to transfer it for free
• Perhaps can gain efficiency

In this talk - merge two approaches for privacy
• Deniable Authentication
• Ring Authentication

Talk

• Authentication
  – Traditional
  – Deniable
  – Ring
• Some Old Protocols:
  – Interactive Authentication (Dwork, Dolev, Naor)
  – Deniable Authentication (Dwork, Naor, Sahai)
• Some New Ones:
  – Deniable Ring Authentication
  – Threshold scheme
  – Dealing with Big Brother

Deniable Authentication

Want to come up with a (perhaps interactive) authentication scheme such that the receiver keeps no receipt of the conversation. This means:
• Any receiver could have generated the conversation itself.
  – There is a simulator that for any message m and verifier V* generates an indistinguishable conversation.
  – Similar to Zero-Knowledge!
  – An example where zero-knowledge is the ends, not the means!

Proof of security consists of Unforgeability and Deniability

Ring Signatures and Authentication

Can we keep the sender anonymous?
Idea: prove that the signer is a member of an ad hoc set
– Other members do not cooperate
– Use their `regular’ public-keys
  • Signature keys [RST], Encryption [This Talk]
– Should be indistinguishable which member of the set is actually doing the authentication

[Figure: Bob, Alice??, Eve]

Related Notions

Deniability has many meanings…
• Undeniable signatures (Chaum and van Antwerpen 89, GKR)
  – Chameleon signatures (Krawczyk and Rabin 98).
• Group signatures
The signature is intended for ultimate adjudication by a third party (judge).
  – Not deniable if secret keys are revealed!
• Designated verifier proofs
• Ring Signatures [RST] ad hoc sets (users choose their keys)

Ring Signatures [RST]

Rivest, Shamir and Tauman proposed Ring Signatures:
• Signature on message m by a member of an ad hoc set of participants
  – Using existing Infrastructure for signatures
• For a generated signature the source is (statistically) indistinguishable
• Non-repudiation - recipient can convince a third party of the authenticity of a signature
• Non-interactive - single round
• Efficient - if underlying signature is low exponent RSA/Rabin
  – Need Ideal Cipher for combining function

Deniable Ring Authentication

Want the properties of Ring Signatures but
• With deniability - no third party authentication
  – Willing to trade with interaction - essential without model changes
• Use Public Encryption Keys
• Some of the keys may be badly formed

Unforgeability and Deniability - as before plus Source Hiding:
– For any verifier, for any arbitrary set of keys, some good some bad, the source is computationally indistinguishable among the good keys

Security of Authentication Schemes

The Goldwasser-Micali-Rivest classification of signature schemes can be applied to interactive authentication schemes:

The classification is according to:
• Attacks
• What it means to break

Strongest type: Existentially unforgeable against adaptive chosen message attack
– Adversary can choose any sequence of messages m1, m2 … and receive an authentication on them.

If he then succeeds in convincing an honest verifier that some m’ not in m1, m2 … then he has broken the system

Ring Authentication Setting

• A ring is an arbitrary set of participants including the authenticator

• Each member i of the ring has a public key Ei.
  – Generated according to some protocol
  – Good players follow it, bad ones the adversary fixes.
  – Example: signature, Encryption

• To run a ring authentication protocol both sides need to know E1, E2, …, En - the public key of the ring members

...

Deniable Ring Authentication

Completeness: for any good sender and receiver possible to complete the authentication on any message
Unforgeability: Existentially unforgeable against adaptive chosen message attack
Deniability:
– For any verifier, for any arbitrary set of keys, some good some bad, there is a simulator that can generate indistinguishable conversations.
Source Hiding:
– For any verifier, for any arbitrary set of keys, some good some bad, the source is computationally indistinguishable among the good keys

Source Hiding and Deniability – incomparable

The Protocols

• Some background Protocols
• Main Protocol for deniable ring authentication
• Extended Protocol for Threshold Schemes
• A protocol for deniable ring authentication in the presence of big brother

All the protocols are based on encryption

Encryption

• Assume an encryption scheme E
• Public key K – knowing K can encrypt message m
  – generate Y=EK(m)
  – With corresponding secret key, given Y can retrieve m
• Process is probabilistic: to generate EK(m) choose random string

A Public Key Authentication Protocol

[DDN,DN]
P has a public key K of an encryption scheme E.
To authenticate a message m:
• V → P: Choose r ∈ {0,1}^n. Send EK(m r)
• P → V: Verify that prefix of plaintext is m. If yes - send r.

Is it Unforgeable? Is it Deniable?

Encryption: attacks and security

• Non-malleable security - whatever is computable in an encrypted form about the plaintext given the ciphertext is computable without it.

• Chosen ciphertext attacks - the post-processing mode:
  – Adversary has access to decryption box. Challenge ciphertext is known when the attack takes place (but cannot submit it...).
• Strongest type of cryptosystem (?):
  – non-malleable against chosen ciphertext attacks in the post-processing mode. (Non-Malleable and Semantic Security are equivalent under this attack).

Encryption: Implementation

• Under any trapdoor permutation - rather inefficient [DDN].
• Cramer & Shoup: Under the Decisional DH assumption
  – Requires a few exponentiations.
• With Random Oracles: several proposals
  – RSA with OAEP - same complexity as vanilla RSA [Crypto’2001]
  – Can use low exponent RSA/Rabin
• With additional Interaction: J. Katz’s non malleable POKS?

Security of the scheme

Unforgeability: depends on the strength of EK.
• Sensitive to malleability:
  – if given EK(m r) can generate EK(m’ r) - can forge messages.
• The protocol allows a chosen ciphertext attack on EK.
  – Even of the post-processing kind!
• Can prove that any strategy for existential forgery can be translated into a CCA strategy on E
• Works even against concurrent executions.

Deniability: does V retain a receipt??
– It is for honest V
– Need to prove knowledge of r

Regular Commitments

[Figure: Commit Phase and Reveal Phase between Sender and Receiver, for a value X]
• Sender is bound to X
• Receiver can verify X

Encryption as Commitment

When the public key K is fixed and known EK(x) can be seen as commitment to x

To open x: reveal , the random bits used to generate EK(x).

Perfect binding: from unique decryption
For any Y there are no two different x and x’ and and ’ s.t.

Y = EK(x,) = EK(x’ ,’)

Secrecy: no information about x leaked to those not knowing private key corresponding to LInsecure for others

Concurrency

Whether protocols remain secure when executed concurrently:
– No online coordination between the good guys
– Adversary controls schedule

Is a major issue
Solutions:
– Timing
– Added rounds
– Non black-box?
– Shared random string

Fiat-Shamir Heuristic

Remove interaction by oracles
• Can convert a public coin identification protocol into a signature scheme using random oracles
• Can such a protocol be converted into a signature scheme?

Deniable Protocol [DNS]

P has a public key K of an encryption scheme E.
To authenticate message m:
• V → P: Choose r ∈ {0,1}^n. Send EK(m r) - random bits used secret
• P → V: Send EK(r) - random bits used secret
• V → P: Send r and - opening EK(m r)
• P → V: Open EK(r) by sending .

Security of the scheme

Unforgeability: as before - depends on the strength of EK
can simulate previous scheme (with access to DK)
Important property: EK(r) is a non-malleable commitment (wrt the encryption) to r (need unique opening).
Deniability: can run simulator `as usual’:
• Extract r by running with E(r’) and rewinding
• Expected polynomial time
• Need the semantic security of E - it acts as a commitment scheme

Ring Signatures and Authentication

Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set
– Other members do not cooperate
– Use their `regular’ public-keys
  • Encryption [This Talk]
– Should be indistinguishable which member of the set is actually doing the authentication

[Figure: Bob, ?Alice, Eve]

Ring Authentication Setting

• A ring is an arbitrary set of participants including the authenticator

• Each member i of the ring has a public encryption key Ei.
  – Everyone that knows Ei can encrypt a message m and send Ei(m).
  – Only i, that knows the secret key of Ei, can decrypt Ei(m)

• To run a ring authentication protocol both sides need to know E1, E2, …, En - the public key of the ring members

...

A not so good Ring Authentication Protocol

Ring has public keys K1, K2, …, Kn of an encryption scheme
To authenticate message m with jth decryption key:
• V → P: Choose r ∈ {0,1}^n. Send EK1(m r), EK2(m r), … EKn(m r) - random bits used i
• P → V: Decrypt EKj(m r) and Send EK1(r), EK2(r), …, EKn(r) - random bits used i
• V → P: Send r and i - opening EKi(m r)
• P → V: Verify consistency and open all EKi(r) by revealing i.

Problem: what if not all suffixes (r‘s) are equal

The Ring Authentication Protocol

Ring has public keys K1, K2, …, Kn of an encryption scheme

To authenticate message m with jth decryption key:
• V → P: Choose r ∈ {0,1}^n. Send EK1(m r), EK2(m r), … EKn(m r) - random bits used i
• P → V: Decrypt EKj(m r) and Send EK1(r1), EK2(r2), …, EKn(rn) where r1 + r2 …+ rn = r
• V → P: Send r and i - opening EKi(m r)
• P → V: Verify consistency and open all EKi(ri) by revealing i
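
The four messages of this protocol, run end to end as an added Python example (not code from the talk). Assumptions: a toy hashed-ElGamal scheme over a small prime stands in for E (it is malleable, so it shows the message flow only and does not meet the non-malleability the protocol relies on), "+" is taken as bitwise XOR, and all function names are illustrative.

```python
import hashlib
import secrets
from functools import reduce

P = 2**127 - 1   # toy modulus (assumption), far too small for real use
G = 3
NLEN = 16        # byte length of the verifier's random suffix r


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rand():
    return secrets.randbelow(P - 2) + 1


def keygen():
    sk = rand()
    return sk, pow(G, sk, P)


def _pad(shared, length):
    return hashlib.shake_256(shared.to_bytes(16, "big")).digest(length)


def enc(pk, msg, rho):
    """Toy hashed ElGamal. rho is the encryption randomness: (msg, rho) opens it."""
    return pow(G, rho, P), xor(msg, _pad(pow(pk, rho, P), len(msg)))


def dec(sk, ct):
    return xor(ct[1], _pad(pow(ct[0], sk, P), len(ct[1])))


def ring_authenticate(m, pks, j, sk_j, suffixes=None):
    """Run the four messages; return 'accept', 'reject' or 'abort'."""
    n = len(pks)
    # 1. V -> P: E_Ki(m || r) under every ring key, randomness rho_i kept secret.
    #    `suffixes` lets a dishonest verifier put a different r in each ciphertext.
    sent = suffixes or [secrets.token_bytes(NLEN)] * n
    rho = [rand() for _ in pks]
    c = [enc(pk, m + s, ro) for pk, s, ro in zip(pks, sent, rho)]
    # 2. P -> V: decrypt with key j, split r into shares, encrypt share i under K_i.
    plain = dec(sk_j, c[j])
    if plain[:len(m)] != m:
        return "abort"                       # not an authentication request for m
    shares = [secrets.token_bytes(NLEN) for _ in range(n - 1)]
    # r_1 + ... + r_n = r, with "+" taken as XOR (assumption)
    shares.append(reduce(xor, shares, plain[len(m):]))
    sigma = [rand() for _ in pks]
    commits = [enc(pk, s, sg) for pk, s, sg in zip(pks, shares, sigma)]
    # 3. V -> P: reveal r and all rho_i. P re-encrypts to check every ciphertext.
    r = sent[0]
    if any(enc(pk, m + r, ro) != ci for pk, ro, ci in zip(pks, rho, c)):
        return "abort"                       # inconsistent suffixes: open nothing
    # 4. P -> V: open every commitment. V re-encrypts and checks the shares sum to r.
    opened = all(enc(pk, s, sg) == cm
                 for pk, s, sg, cm in zip(pks, shares, sigma, commits))
    return "accept" if opened and reduce(xor, shares) == r else "reject"
```

Any n-1 of the shares are uniformly random, so a ring member who decrypts only its own commitment in message 2 learns nothing about which suffix the prover recovered; in the abort branch no commitment is ever opened.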

Security of the scheme

Unforgeability: as before (assuming all keys are well chosen) since EK1(r1), EK2(r2), …, EKn(rn) is a non-malleable commitment to r

Source Hiding: which key was used (among well chosen keys) is
– Computationally indistinguishable during protocol
– Statistically indistinguishable after protocol

Deniability: Can run simulator `as before’:
• Semantic security of one of the Ei‘s - is sufficient that EK1(r1), …, acts as a commitment scheme

Comparison with Ring Signatures [RST]

Disadvantages
• Ours Requires interaction
  – But stronger notion of deniability
• Communication proportional to ring (subset) size (as compared to single element)

Advantages
• Works with any (strong enough) encryption
  – unwilling participants cannot avoid it if they want good encryption
• Provable in the `real’ world
  – no random oracles or ideal ciphers
  – No additional primitives
• Extensions to threshold

• Assuming random oracles - comparable to RST (up to multiplicative factors)

Extension: Threshold and Other Access Structures

Instead of convincing a verifier that a single member of the ad hoc subset confirms the message want:
– At least k members
– More complex access structures

Can use secret sharing (for any access structure) without any member revealing their keys

Idea: split r according to the shares

Extended Protocol

Ring has public keys K1, K2, …, Kn

To authenticate message m with subset T of decryption keys:
• V → P: Choose r ∈ {0,1}^n and split into shares x1, x2, … xn. Send EK1(m x1), …, EKn(m xn)
• P → V: For each j ∈ T decrypt EKj(m xj) and reconstruct r. Send EK1(r1), EK2(r2), …, EKn(rn) where r1 + r2 …+ rn = r
• V → P: Send r and i for all i ∈ {1..n} - opening EKi(m xi)
• P → V: Verify consistency of all xi and open all EKi(ri).

Deniable Ring Authentication in the Presence of Big Brother

Suppose that the adversary knows the private keys of all users
Then the protocol is not source hiding anymore:
In Step 1 can encrypt different r’s and read them out in step 2

Why would they be known:
– Identity Based Encryption
– Revocation Schemes
– Subset cover protocols.
  • Enables covering any subsets by a relatively small number of keys!

Idea: use regular commitment W protocol and add a proof of knowledge to obtain non-malleability

In the Presence of Big Brother

Subset has public keys K1, K2, …, Kn
To authenticate message m with jth decryption key:
• V → P: Choose r ∈ {0,1}^n and Send EK1(m r), …, EKn(m r)
• P → V: Decrypt EKj(m r) and reconstruct r and choose (r^0_1, r^1_1), (r^0_2, r^1_2), … (r^0_m, r^1_m) s.t. r = r^0_i + r^1_i. Send (W(r^0_1), W(r^1_1)), (W(r^0_2), W(r^1_2)), … (W(r^0_m), W(r^1_m))
• V → P: Choose m random bits b1, b2, …, bm
• P → V: Open W(r^b1_1), W(r^b2_2), …, W(r^bm_m)
• V → P: Verify the opening. Open EK1(m r), …, EKn(m r)
• P → V: Verify consistency of EKi(m r) and open the remaining W(ri).

Open Problems
• What is the communication complexity required of deniable authentication? Is it possible to exchange o(|S|) bits (if the set is known)?
  – Low Communication is possible in principle
• Is source hiding alone easier than deniability
  – Is it possible in the shared key world (at reasonable costs)?
• What is the precise security requirement from E in the main protocol?
  – Katz’s NM POK
• In the access scheme is it possible for the members to be mutually untrusting wrt deniability
• Where is the border between possible and impossible in deniability
• Fiat-Shamir heuristics
• Social/legal implication to PKI?

Concurrency in Timing Model [DNS]

Timing based (,) assumption for <: If one processor measures , the second , then finishes after .

To achieve concurrent deniability add timing constraints
P requires that Step 3 message be received within (local time) from Step 1
P delays Step 4 message until time from Step 1


...Concurrency

• Can achieve -knowledge (zero-knowledge where the simulator knows the distinguishing probability)

• Open Problem: Can Goldreich’s new simulator be used to show 0-knowledge?

What Are Zaps

A zap for a language L is a
• Two-round witness indistinguishable proof system for showing X ∈ L
  1. verifier → prover
  2. prover → verifier
• First round message can be fixed ``once and for all” (before X is chosen)
• The verifier uses public coins
  – Single round non-constructively

Theorem: Zaps for L exists if NIZKs for L exist (~ and vice versa)

Tool: Timed Commitments [BN]

• Regular commitment

• Potential forced opening phase

[Figure: Sender, Receiver, X]

Regular Commitments

[Figure: Commit Phase and Reveal Phase between Sender and Receiver, for a value X]
• Sender is bound to X
• Receiver can verify X

Forced Open Phase

[Figure: Sender, Receiver, X: Potential Forced Opening]
Receiver extracts X (+proof) in time T
Commitment is secure only for time t < T

Requirements

• Future recoverability - verifiable following commit phase
• Decommitment - value + proof. Ditto for forcibly recovered values. Can act as genuine proof of knowledge to committed value
• Immunity to parallel attacks

Construction based on ``generalized BBS.” Uses several rounds to prove consistency of commitment [BN].

We will substitute with a zap.

2-round Timed Deniable Auth.

Public key: keys K1 and K2 and string of zap
To authenticate m
• Verifier → prover:
  – Choose r, y0, y1 ∈ {0,1}^n. Send EK1(m r), C(y0), C(y0)
    Give zap of validity of at least one using . Random string for zaps
• Prover → verifier:
  – Checks zap proof and decrypt r
  – Send Y=EK1(r) Z= EK2(s) and zap using that either
    (i) r = DK1(Y) or
    (ii) DK2(Z) ∈ {y0, y1}

Timing requirement: verifier receives response within

References

• [Dolev, Dwork, Naor] Non-malleable Cryptography, SIAM J. Computing, 2000 (prelim. version STOC’91)

• [Dwork, Naor] Method for message authentication from non-malleable cryptosystems, US Patent 1996.

• [Dwork, Naor, Sahai] Concurrent Zero-Knowledge, STOC’98.

• [Boneh, Naor] Timed Commitments, Crypto’2000.

• [Dwork, Naor] Zaps and their Applications, FOCS’2000.

• [Naor] Deniable Ring Authentication, Crypto 2002

Comparison with Designated Verifier/recipient

• No need for verifier to have a public-key
• How to verify the independence of the keys of the verifier? Interaction...

