Efficient deniable authentication protocol based on generalized ElGamal signature scheme
From ELSEVIER Computer Standards & Interfaces
Author: Zuhua Shao
Presented by Yi-Jhih Jan
11/02/2004
Outlines
Introductions
The Fan et al.'s protocol
The proposed protocol
Security analysis
Conclusions
Introductions
Deniable authentication protocol
1. It enables an intended receiver to identify the source of a given message. (traditional authentication)
2. The intended receiver cannot prove the source of a given message to any third party. (Because the receiver, knowing only the protocol, can forge this signature himself, the sender can deny it.)
Applications
1. It can provide freedom from coercion in electronic voting systems.
2. Secure negotiations over the Internet.
Y X’
D,M
The Fan et al’s protocol
M),H(k'D'
(X)EX'
modpgX
prvK
x
modpgY y
Sender Receiver
modpXk
)(X'DX
y
Kpub
modpYk' x
M)H(k,D
The Fan et al.'s protocol
Weaknesses
1. INQ can impersonate the receiver and send $Y = g^y \bmod p$ to the sender.
2. INQ can identify the source of $X'$. If INQ is sure that $M$ and $X'$ come from the same source, he can also identify the source of the message.
The proposed protocol
Parameters:
p: a large prime (1024-2048 bits)
q: a prime divisor of p-1 (160 bits)
g: a generator of order q
H(.): a collision-free hash function
X: private key
Y: public key
CA: a certification authority
The proposed protocol
Sender $(X_S, Y_S)$ | Receiver $(X_R, Y_R)$
Sender (with random $t \in Z_q$):
$k = Y_R^{\,t} \bmod p$
$r = H(k)$
$s = t - X_S r \bmod q$
$MAC = H(k \| M)$
sends $(r, s, MAC, M)$
Receiver:
$k' = (g^s Y_S^{\,r})^{X_R} \bmod p$
$r \stackrel{?}{=} H(k')$
$MAC \stackrel{?}{=} H(k' \| M)$
Security analysis
1. Completeness
Proof:
$k' = (g^s Y_S^{\,r})^{X_R} \bmod p = (g^{s + X_S r})^{X_R} \bmod p = (g^t)^{X_R} \bmod p = Y_R^{\,t} \bmod p = k$
$r' = H(k') = H(k) = r$
$H(k' \| M) = H(k \| M) = MAC$
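The sender and receiver sides of the proposed protocol, the completeness check, and the two facts the later deniability argument rests on (the receiver can re-author $MAC' = H(k \| M')$, and a revealed $k$ leaks $g^{X_S X_R}$), as an added example that is not code from the paper or the slides. The group parameters (p = 2039, q = 1019, g = 4), the use of SHA-256 reduced mod q as $H(\cdot)$, and the function names are this example's own assumptions; the sign convention $s = t - X_S r \bmod q$ is the one under which the receiver's $k' = (g^s Y_S^r)^{X_R}$ equals $k$.

```python
# Added example (not from Shao's paper or the slides): a toy implementation of the
# proposed protocol, its completeness check, and the two facts the deniability
# argument rests on.  Toy group: p = 2039, q = 1019 divides p-1, g = 4 has order q.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4   # toy sizes; the paper asks for a 1024-2048-bit p and 160-bit q
assert (P - 1) % Q == 0 and G != 1 and pow(G, Q, P) == 1


def H(*parts):
    """Hash onto Z_q (SHA-256 reduced mod q); H(a, b) plays the role of H(a||b)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def mac_tag(k, message):
    """MAC = H(k||M), kept at full SHA-256 width instead of reduced mod q."""
    return hashlib.sha256(f"{k}|{message}".encode()).hexdigest()


def keygen():
    """X in Z_q*, Y = g^X mod p (certified by the CA in the paper's setting)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sender_authenticate(x_s, y_r, message):
    """Sender: k = Y_R^t mod p, r = H(k), s = t - X_S r mod q, MAC = H(k||M)."""
    while True:
        t = secrets.randbelow(Q - 1) + 1
        k = pow(y_r, t, P)
        r = H(k)
        if r != 0:          # r = 0 would make Y_S^r vanish and r non-invertible mod q
            break
    s = (t - x_s * r) % Q
    return r, s, mac_tag(k, message)


def receiver_verify(x_r, y_s, message, r, s, mac):
    """Receiver: k' = (g^s Y_S^r)^{X_R} mod p; accept iff r = H(k') and MAC = H(k'||M).
    Returns (accepted, k') so the demo can reuse the recovered session key."""
    u = pow(G, s, P) * pow(y_s, r, P) % P
    k_prime = pow(u, x_r, P)
    accepted = H(k_prime) == r and mac_tag(k_prime, message) == mac
    return accepted, k_prime


def simulate_authenticator(k, other_message):
    """Anyone who holds k (the receiver does) can produce MAC' = H(k||M') for any M'."""
    return mac_tag(k, other_message)


def dh_key_from_transcript(k, r, s, y_r):
    """Third party given the revealed k and (r, s): since
    k = (g^s Y_S^r)^{X_R} = Y_R^s * g^{X_S X_R r} mod p, the static Diffie-Hellman
    key is K = g^{X_S X_R} = (k * Y_R^{-s})^{r^{-1} mod q} mod p."""
    stripped = k * pow(y_r, -s, P) % P
    return pow(stripped, pow(r, -1, Q), P)


def demo(message="transfer 100"):
    x_s, y_s = keygen()
    x_r, y_r = keygen()
    r, s, mac = sender_authenticate(x_s, y_r, message)
    accepted, k_prime = receiver_verify(x_r, y_s, message, r, s, mac)
    # Completeness: an honest run is accepted.
    # Deniability: the receiver re-authors the transcript for a different message ...
    forged = simulate_authenticator(k_prime, "transfer 1000")
    accepted_forgery, _ = receiver_verify(x_r, y_s, "transfer 1000", r, s, forged)
    # ... and a third party who learns k also learns the long-term DH key.
    leaked = dh_key_from_transcript(k_prime, r, s, y_r)
    return accepted, accepted_forgery, leaked == pow(G, x_s * x_r % Q, P)


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The MAC is deliberately not reduced mod q: reducing it would give a 1/q chance that a modified message still verifies in this toy group, which is a property of the toy parameters, not of the protocol. The `r != 0` resampling guards the one value of $r$ for which $r^{-1} \bmod q$ does not exist.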
Security analysis
2. It can withstand forgery attacks.
a) We first design a generalized ElGamal signature scheme (Harn proposed):
Signing a message $m$ with private key $X$: choose random $t$, $u = g^t \bmod p$, $r = H(u^{H(m)} \bmod p)$, $s = t - X r \bmod q$; the signature is $(u, s)$.
Verify it by $g^s Y^r = u \bmod p$, with $r$ recomputed as $H(u^{H(m)} \bmod p)$.
Security analysis
If an adversary has an algorithm $A(M, Y_R)$ that returns $(r, s, MAC)$, he would forge the signature of the generalized ElGamal signature scheme for the message $m'$.
Set $X_R = H(m')$ and $Y_R = g^{X_R} \bmod p$, then run Algorithm $A(M, Y_R) \to (r, s, MAC)$.
$r = H((g^s Y_S^{\,r})^{X_R} \bmod p)$
Let $u = g^s Y_S^{\,r} \bmod p$, so $g^s Y_S^{\,r} = u \bmod p$ and $r = H(u^{H(m')} \bmod p)$.
Security analysis
b) Define a function $h(u) = H(u^{X_R} \bmod p)$, i.e. $h(u) = v \iff w = u^{X_R} \bmod p$ and $H(w) = v$ (the chain $u \to w \to v$).
If $X_R$ is public, $h(\cdot)$ is secure as long as $H(\cdot)$ is a secure hash function:
$h(u_1) = h(u_2) \Rightarrow H(w_1) = H(w_2)$, where $w_1 = u_1^{X_R} \bmod p$ and $w_2 = u_2^{X_R} \bmod p$.
In the protocol, $r = H((g^s Y_S^{\,r})^{X_R} \bmod p)$; let $u = g^s Y_S^{\,r} \bmod p$, so $g^s Y^r = u \bmod p$ and $r = h(u)$.
Compare Schnorr's scheme: $r = g^y \bmod p$, $e = h(r, m)$.
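The generalized ElGamal variant and the simulator step of the forgery reduction in 2a and 2b above, as an added example (not code from the paper or the slides). The signing and verification equations ($u = g^t$, $r = H(u^{H(m)} \bmod p)$, $s = t - Xr \bmod q$, check $g^s Y^r = u$) are reconstructed from the slide text and are this example's assumption; the toy group p = 2039, q = 1019, g = 4 and the SHA-256-based $H(\cdot)$ are also assumptions. Since no real forger exists, the honest sender stands in for $A(M, Y_R)$ in the demo.

```python
# Added example (not from the paper or the slides): the generalized ElGamal variant
# as reconstructed from the slide text, and the simulator step of the forgery
# reduction.  Same toy group as the protocol example: p = 2039, q = 1019, g = 4.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4


def H(*parts):
    """Hash onto Z_q (SHA-256 reduced mod q); H(a, b) stands for H(a||b)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def elgamal_sign(x, m):
    """u = g^t mod p, r = H(u^{H(m)} mod p), s = t - x r mod q; signature is (u, s)."""
    t = secrets.randbelow(Q - 1) + 1
    u = pow(G, t, P)
    r = H(pow(u, H(m), P))
    s = (t - x * r) % Q
    return u, s


def elgamal_verify(y, m, signature):
    """Recompute r from (u, m) and check g^s Y^r = u mod p."""
    u, s = signature
    r = H(pow(u, H(m), P))
    return pow(G, s, P) * pow(y, r, P) % P == u


def protocol_authenticator(x_s, y_r, message):
    """Sender side of the deniable protocol: (r, s) with k = Y_R^t, r = H(k), s = t - X_S r.
    In the reduction this call stands in for the forger A(M, Y_R); the MAC is not needed."""
    t = secrets.randbelow(Q - 1) + 1
    k = pow(y_r, t, P)
    r = H(k)
    return r, (t - x_s * r) % Q


def authenticator_to_signature(r, s, y_s):
    """Simulator: u = g^s Y_S^r mod p, and (u, s) is the signature handed out."""
    u = pow(G, s, P) * pow(y_s, r, P) % P
    return u, s


def reduction_demo(m_prime="message chosen by the simulator"):
    """Returns (signature scheme verifies its own signatures,
                protocol authenticator verifies as a signature on m')."""
    x_s, y_s = keygen()
    direct_ok = elgamal_verify(y_s, m_prime, elgamal_sign(x_s, m_prime))
    # Simulator sets X_R = H(m'), so k = Y_R^t = u^{H(m')} and r = H(k) = H(u^{H(m')}).
    x_r = H(m_prime)
    y_r = pow(G, x_r, P)
    r, s = protocol_authenticator(x_s, y_r, "any M")
    reduced_ok = elgamal_verify(y_s, m_prime, authenticator_to_signature(r, s, y_s))
    return direct_ok, reduced_ok
```

The point the demo makes is the one in the slide's reduction: with $X_R = H(m')$ the receiver's session key is exactly $u^{H(m')}$, so the pair $(u = g^s Y_S^r,\ s)$ taken from any accepted authenticator passes the signature scheme's verification for $m'$ under the sender's public key.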
Security analysis
3. The proposed protocol is deniable.
- If the receiver reveals the session key k, he can convince the third party that the signature (r, s) of the sender and the public key $Y_R$ have the same exponent $X_R$ by using a zero-knowledge proof.
- Then the third party can verify $MAC = H(k \| M)$ by himself.
- But the third party can then also compute the Diffie-Hellman key of the sender and the receiver:
$k = (g^s Y_S^{\,r})^{X_R} \bmod p = Y_R^{\,s} \cdot g^{X_S X_R r} \bmod p$, so
$K = g^{X_S X_R} \bmod p = (k \cdot Y_R^{-s})^{r^{-1} \bmod q} \bmod p$.
- So the receiver would not reveal his secret information.
Security analysis
- Even though the receiver reveals k under coercion, the third party would still be skeptical,
- because the receiver can construct another authenticator $MAC' = H(k \| M')$;
- that is, the receiver can simulate the authenticated message of the sender.
- Hence the protocol is deniable.
Security analysis
4. It can withstand impersonation attacks.
Adversary:
- Assume that the adversary can obtain M and its authenticator (r, s, MAC).
- If he can verify the message authenticator, he must find $k'$ such that $k' = (g^s Y_S^{\,r})^{X_R} \bmod p$.
- Then the adversary could compute $(k' / Y_R^{\,s})^{r^{-1}} = g^{X_S X_R} = Y_S^{X_R} = Y_R^{X_S} \bmod p$.
- It is impossible to do this under the Diffie-Hellman assumption.
Conclusions
If an adversary could forge a signature of this protocol, he would forge signatures of the generalized ElGamal signature scheme.
No one can impersonate the intended receiver.