Efficient deniable authentication protocol based on generalized ElGamal signature scheme

From ELSEVIER Computer Standards & Interfaces
Author: Zuhua Shao
Presented by Yi-Jhih Jan
11/02/2004


Outlines

- Introductions
- The Fan et al.'s protocol
- The proposed protocol
- Security analysis
- Conclusions


Introductions

Deniable authentication protocol
1. It enables an intended receiver to identify the source of a given message. (traditional)
2. The intended receiver cannot prove the source of a given message to any third party. (Because the receiver only needs to know the protocol to forge this signature, the sender can deny it.)

Application
1. It can provide freedom from coercion in electronic voting systems.
2. Secure negotiations over the Internet.

The Fan et al.'s protocol

Sender:
- $X = g^{x} \bmod p$
- $X' = E_{K_{prv}}(X)$
- $k' = Y^{x} \bmod p$
- $D' = H(k', M)$

Receiver:
- $Y = g^{y} \bmod p$
- $X = D_{K_{pub}}(X')$
- $k = X^{y} \bmod p$
- $D = H(k, M)$

Messages exchanged: $X'$ (sender to receiver), $Y$ (receiver to sender), and $(D, M)$.


Weaknesses

1. INQ can impersonate the receiver and send $Y = g^{y} \bmod p$ to the sender.

2. INQ can identify the source of X'.

If INQ is sure that M and X' come from the same source, he can also identify the source of the message.


The proposed protocol

Parameters:

p: a large prime (bit size 1024-2048)

q: a prime divisor of p-1 (160 bit size)

g: a generator of order q

H(.): a collision-free hash function

X: private key

Y: public key

CA: a certification authority

Sender($X_S$, $Y_S$):
- $k = Y_R^{t} \bmod p$
- $r = H(k)$
- $MAC = H(k \| M)$
- $s = t - r X_S \bmod q$

Sender → Receiver: $(r, s, MAC, M)$

Receiver($X_R$, $Y_R$):
- $k' = (g^{s} Y_S^{r})^{X_R} \bmod p$
- $r \stackrel{?}{=} H(k')$
- $MAC \stackrel{?}{=} H(k' \| M)$


Security analysis

1. Completeness

Proof:

$$s + r X_S = t \bmod q$$
$$g^{s} Y_S^{r} = g^{t} \bmod p$$
$$(g^{s} Y_S^{r})^{X_R} = g^{t X_R} = Y_R^{t} \bmod p$$
$$k' = k$$
$$r = H(k) = H(k')$$
$$H(k \| M) = H(k' \| M)$$


2. It can withstand forgery attacks.

a) We first design a generalized ElGamal signature scheme:

- $u = g^{t} \bmod p$
- $r = H(u^{H(m)} \bmod p)$
- $s = t - rX \bmod q$
- signature is $(u, s)$
- verify it by $g^{s} Y^{r} = u \bmod p$, that is, $g^{s} Y^{H(u^{H(m)} \bmod p)} = u \bmod p$

(Harn proposed)


If an adversary has an algorithm A(M, $Y_R$) that returns (r, s, MAC), he would forge the signature of the generalized ElGamal signature scheme for the message m'.

M, $Y_R$ → Algorithm → (r, s, MAC)

- $X_R = H(m')$, $Y_R = g^{X_R} \bmod p$
- $r = H((g^{s} Y_S^{r})^{X_R} \bmod p)$
- Let $u = (g^{s} Y_S^{r}) \bmod p$
- $g^{s} Y_S^{H(u^{H(m')} \bmod p)} = u \bmod p$

b) Define a function $h(u) = H(u^{X_R} \bmod p)$.

If $X_R$ is public, h(.) is secure as long as H(.) is a secure hash function.

- $h(u) = v$: $w = u^{X_R} \bmod p$, $H(w) = v$
- $h(u_1) = h(u_2)$: $w_1 = u_1^{X_R} \bmod p$ and $w_2 = u_2^{X_R} \bmod p$, $H(w_1) = H(w_2)$

u → $w = u^{X_R} \bmod p$ → $H(w) = v$ → v, so $h(u) = v$

- $r = H((g^{s} Y_S^{r})^{X_R} \bmod p)$
- Let $u = (g^{s} Y_S^{r}) \bmod p$
- $g^{s} Y_S^{h(u)} = u \bmod p$

Schnorr: $r = g^{s} y^{e} \bmod p$, $e = h(r, m)$


3. The proposed protocol is deniable.

- If the receiver reveals the session key k, he can convince the third party of the signature (r, s) of the sender <$k = (g^{s} Y_S^{r})^{X_R} \bmod p$ and the public key $Y_R$ have the same exponent $X_R$, by using a zero-knowledge proof>.

- Then the third party can verify MAC = H(k||M) by himself.

- But the third party can then compute the Diffie-Hellman key of the sender and the receiver:

$$k = (g^{s} Y_S^{r})^{X_R} = Y_R^{s}\, g^{X_S X_R r} \bmod p$$
$$K = g^{X_S X_R} \bmod p = (Y_R^{-s} k)^{r^{-1}} \bmod p$$

- So the receiver would not reveal his secret information.


- Even if the receiver reveals k under coercion, the third party would still be skeptical,

- because the receiver can construct another authenticator MAC' = H(k||M').

- That is, the receiver can simulate the authenticated message of the sender.

- Hence the protocol is deniable.
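
The proposed protocol, its completeness check, and the two deniability points above (the receiver building MAC' = H(k||M') for another message, and a revealed k exposing the Diffie-Hellman key), as an added Python example that is not code from the paper or the slides. The toy group p = 2039, q = 1019, g = 4, SHA-256 standing in for H(.), the retry guard on r, and all function names are assumptions made for the example.

```python
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with q prime; g = 4 has order q.
# The slides call for a 1024-2048 bit p and a 160-bit q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """Hash integers/bytes to an integer (SHA-256 stands in for H(.))."""
    h = hashlib.sha256()
    for x in parts:
        h.update(x if isinstance(x, bytes) else str(x).encode())
        h.update(b"|")
    return int.from_bytes(h.digest(), "big")

def keygen():
    x = secrets.randbelow(Q - 1) + 1            # private key X
    return x, pow(G, x, P)                      # public key Y = g^X mod p

def send(x_s, y_r, msg):
    """Sender: k = Y_R^t, r = H(k), MAC = H(k||M), s = t - r*X_S mod q."""
    while True:
        t = secrets.randbelow(Q - 1) + 1
        k = pow(y_r, t, P)
        r = H(k)
        if r % Q:                               # toy-only guard: r invertible mod q
            return r, (t - r * x_s) % Q, H(k, msg), msg

def session_key(x_r, y_s, r, s):
    """Receiver: k' = (g^s * Y_S^r)^X_R mod p."""
    return pow(pow(G, s, P) * pow(y_s, r, P) % P, x_r, P)

def verify(x_r, y_s, r, s, mac, msg):
    """Receiver's checks: r ?= H(k') and MAC ?= H(k'||M)."""
    k = session_key(x_r, y_s, r, s)
    return r == H(k) and mac == H(k, msg)

def simulate(x_r, y_s, r, s, other_msg):
    """Receiver reuses (r, s) to authenticate a message the sender never sent."""
    return r, s, H(session_key(x_r, y_s, r, s), other_msg), other_msg

def dh_from_revealed_k(k, y_r, r, s):
    """Third party holding k: K = (Y_R^-s * k)^(r^-1) = g^(X_S*X_R) mod p."""
    base = pow(y_r, -s, P) * k % P
    return pow(base, pow(r, -1, Q), P)
```

A transcript produced by `simulate` passes `verify` exactly like one from `send`, which is why a third party cannot attribute M to the sender; `dh_from_revealed_k` shows what the receiver gives up by disclosing k.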


4. It can withstand impersonation attacks

adversary:

- Assume that the adversary can obtain M and its authenticator (r, s, MAC).

- If he can verify the message authenticator, he must find k' such that $k' = (g^{s} Y_S^{r})^{X_R} \bmod p$.

- The adversary could then compute $g^{X_S X_R} = Y_R^{X_S} = (k'/Y_R^{s})^{r^{-1}}$.

- It is impossible to do this under the Diffie-Hellman assumption.


Conclusions

If an adversary could forge a signature of this protocol, he would forge signatures of the generalized ElGamal signature scheme.

No one can impersonate the intended receiver.