Deniable Ring Authentication

Deniable Ring Authentication Moni Naor Weizmann Institute of Science

Authentication One of the fundamental tasks of cryptography • Alice (sender) wants to send a message m to Bob (receiver). • They want to prevent Eve from interfering • Bob should be sure that the message he receives is the message mAlice sent. Alice Bob Eve

Is authentication transferable? • Shared key authentication: non-transferable • except in a limited sense. • Key idea of modern cryptography (Diffie and Hellman): can make authentication (signatures) transferable to third party - Non-repudiation. • Essential to contract signing, e-commerce… Digital Signatures: last 25 years major effort in • Research • Notions of security • Computationally efficient constructions • Technology, Infrastructure, Commerce, Legal

Isnon-repudiation always desirable? Not necessarily so: • Privacy of conversation, no (verifiable) record. • Do you want everything you ever said to be held against you? • Bob pays for the authentication, shouldn't be able to transfer it for free • Perhaps can gain efficiency In this talk - merge two approaches for privacy • Deniable Authentication • Ring Authentication

Talk • Authentication • Traditional • Deniable • Ring • Some Old Protocols: • Interactive Authentication (Dwork, Dolev, Naor) • Deniable Authentication (Dwork, Naor, Sahai) • Some New Ones: • Deniable Ring Authentication • Threshold scheme • Dealing with Big Brother

Deniable Authentication Want to come up with an (perhaps interactive) authentication scheme such that the receiver keeps no receipt of conversation. This means: • Any receiver could have generated the conversation itself. • There is a simulator that for any message m and verifier V* generates an indistinguishable conversation. • Similar to Zero-Knowledge! • An example where zero-knowledge is the ends, not the means! Proof of security consists of Unforgeability and Deniability

Ring Signatures and Authentication Can we keep the sender anonymous? Idea: prove that the signer is a member of an ad hocset • Other members do not cooperate • Use their `regular’ public-keys • Signature keys [RST], Encryption [This Talk] • Should be indistinguishable which member of the set is actually doing the authentication Bob Eve Alice??

Related Notions Deniability has many meanings… • Undeniable signatures(Chaum and van Antwerpen 89, GKR) • Chameleon signatures (Krawczyk and Rabin 98). • Group signatures The signature is intended for ultimate adjudication by a third party (judge). • Not deniable if secret keys are revealed! • Designated verifier proofs • Ring Signatures [RST] ad hoc sets (users choose their keys)

Ring Signatures [RST] Rivest, Shamir and Tauman proposed Ring Signatures: • Signature on message m by a member of an ad hoc set of participants • Using existing Infrastructure for signatures • For a generated signature the source is (statistically) indistinguishable • Non-repudiation - recipient can convince a third party of the authenticity of a signature • Non-interactive - single round • Efficient - if underlying signature is low exponent RSA/Rabin • Need Ideal Cipher for combining function

Deniable Ring Authentication Want the properties of Ring Signatures but • With deniability - no third part authentication • Willing to trade with interaction - essential without model changes • Use Public Encryption Keys • Some of the keys maybe badly formed Unforgeability and Deniability - as before plus Source Hiding: • For any verifier, for any arbitrary set of keys, some good some bad, the source is computationally indistinguishable among the good keys

Security of Authentication Schemes The Golswasser-Micali-Rivestclassification of signature schemes can be applied to interactive authentication schemes: The classification is according to: • Attacks • What it means to break Strongest type: Existential unforgeable against adaptive chosen message attack • Adversary can choose any sequence of messages m1, m2 … and receive an authentication on them. If he then succeeds in convincing an honest verifier that some m’ not in m1, m2 … then he has broken the system

Ring Authentication Setting • A ring is an arbitrary set of participants including the authenticator • Each member i of the ring has a public key Ei. • Generated according to some protocol • Good players follow it, bad ones the adversary fixes. • Example: signature, Encryption • To run a ring authentication protocol both sides need to know E1, E2, …, En - the public key of the ring members ...

Deniable Ring Authentication Completeness for any good sender and receiver possible to complete the authentication on any message Unforgeability Existential unforgeable against adaptive chosen message attack Deniability • For any verifier, for any arbitrary set of keys, some good some bad, there is simulator that can generate indistinguishable conversations. Source Hiding: • For any verifier, for any arbitrary set of keys, some good some bad, the source is computationally indistinguishable among the good keys Source Hiding andDeniability – incomparable

The Protocols • Some background Protocols • Main Protocol for deniable ring authentication • Extended Protocol for Threshold Schemes • A protocol for deniable ring authentication in the presence of big brother All the protocols are based on encryption

Encryption • Assume an encryption scheme E • Public key K – knowing K can encrypt message m • generate Y=EK(m) • With corresponding secret key, givenY can retrieve m • Process is probabilistic: to generate EK(m) choose random string 

A Public Key Authentication Protocol [DDN,DN] P has a public key K of an encryption scheme E. To authenticate a message m: • V  P : Choose r{0,1}n. Send EK(m°r) • P V : Verify that prefix of plaintext is m. If yes - sendr. Is it Unforgeable? Is it Deniable?

Encryption: attacks and security • Non-malleable security - whatever is computable in an encrypted form about the plaintext given the ciphertext is computable without it. • Chosen ciphertext attacks - the post-processing mode: • Adversary has access to decryption box. Challenge ciphertext is known when the attacks takes place (but cannot submit it...). • Strongest type of cryptosystem (?): • non-malleable against chosen ciphertext attacks in the post-processing mode. (Non-Malleable and Semantic Security are equivalent under this attack).

Encryption: Implementation • Under any trapdoor permutation - rather inefficient [DDN]. • Cramer & Shoup: Under the Decisional DH assumption • Requires a few exponentiations. • With Random Oracles: several proposals • RSA with OAEP - same complexity as vanilla RSA [Crypto’2001] • Can use low exponent RSA/Rabin • With additional Interaction: J. Katz’s non malleable POKS?

Security of the scheme Unforgeability: depends on the strength of EK . • Sensitive to malleability: • if given EK(m°r) can generate EK(m’°r) - can forge messages. • The protocol allows a chosen ciphertext attack on EK. • Even of the post-processing kind! • Can prove that any strategy for existential forgery can be translated into a CCA strategy on E • Works even against concurrent executions. Deniability: does V retain a receipt?? • It is for honest V • Need to prove knowledge of r

Regular Commitments Commit Phase X Sender Receiver Sender is bound to X Reveal Phase X Sender Receiver Receiver can verify X

Encryption as Commitment When the public key K is fixed and known EK(x) can be seen as commitment to x To open x: reveal, the random bits used to generateEK(x). Perfect binding: from unique decryption For any Y there are no two different x and x’ and  and ’ s.t. Y = EK(x,) = EK(x’ ,’) Secrecy: no information about x leaked to those not knowing private key corresponding to L Insecure for others

Concurrency Whether protocols remain secure when executed concurrently: • No online coordination between the good guys • Adversary controls schedule Is a major issue Solutions: • Timing • Added rounds • Non black-box? • Shared random string

Fiat-Shamir Heuristic Remove interaction by oracles • Can convert a public coin identification protocol into a signature scheme using random oracles • Can such a protocol be converted into a signature scheme?

Deniable Protocol [DNS] P has a public key K of an encryption scheme E. To authenticate message m: • V  P: Choose r{0,1}n. Send EK(m°r) - random bits used  secret • P V: SendEK(r) - random bits used  secret • V  P: Sendr and  - opening EK(m°r) • P V: Open EK(r) by sending .

Security of the scheme Unforgeability: as before - depends on the strength of EK can simulate previous scheme (with access to DK ) Important property: EK(r) is a non-malleable commitment (wrt the encryption) to r(need unique opening). Deniability: can run simulator `as usual’: • Extract r by running with E(r’) and rewinding • Expected polynomial time • Need the semantic security of E - it acts as a commitment scheme

Ring Signatures and Authentication Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set • Other members do not cooperate • Use their `regular’ public-keys • Encryption [This Talk] • Should be indistinguishable which member of the set is actually doing the authentication Bob Eve ?Alice

Ring Authentication Setting • A ring is an arbitrary set of participants including the authenticator • Each member i of the ring has a public encryption key Ei. • Everyone that knows Ei can encrypt a message m and send Ei (m). • Only i,that knows the secret key of Ei ,can decrypt Ei (m) • To run a ring authentication protocol both sides need to know E1, E2, …, En - the public key of the ring members ...

A not so good Ring Authentication Protocol Ring has public keys K1, K2, …, Kn of an encryption scheme To authenticate message m with jth decryption key: • V  P: Choose r{0,1}n. Send EK1(m°r), EK2(m°r), … EKn(m°r) - random bits used i • P V: Decrypt EKj(m°r) and Send EK1(r), EK2(r), …, EKn(r) - random bits used i • V  P: Sendr andi- opening EKi(m°r) • P V: Verify consistency and open allEKi(r) by revealingi . Problem: what if not all suffixes (r‘s) are equal

The Ring Authentication Protocol Ring has public keys K1, K2, …, Kn of an encryption scheme To authenticate message m with jth decryption key: • V  P: Choose r{0,1}n. Send EK1(m°r), EK2(m°r), … EKn(m°r) - random bits used i • P V: Decrypt EKj(m°r) and Send EK1(r1), EK2(r2), …, EKn(rn) where r1 + r2 …+ rn = r • V  P: Sendr and i- opening EKi(m°r) • P V: Verify consistency and open allEKi(ri) by revealingi

Security of the scheme Unforgeability: as before (assuming all keys are well chosen) since EK1(r1), EK2(r2), …, EKn(rn) is a non-malleable commitment to r Source Hiding: which key was used (among well chosen keys) is • Computationally indistinguishable during protocol • Statistically indistinguishable after protocol Deniability: Can run simulator `as before’: • Semantic security of one of the Ei‘s - is sufficient that EK1(r1), …, acts as a commitment scheme

Disadvantages Ours Requires interaction But stronger notion of deniability Communication proportional to ring (subset) size (as compared to single element) Advantages Works with any (strong enough) encryption unwilling participants cannot avoid it if they want good encryption Provable in the `real’ world – no random oracles or ideal ciphers No additional primitives Extensions to threshold Comparison with Ring Signatures [RST] • Assuming random oracles - comparable to RST (up to multiplicative factors)

Extension: Threshold and Other Access Structures Instead of convincing a verifier that a single member of the ad hoc subset confirms the message want: • At leastk members • More complex access structures Can use secret sharing (for any access structure) without any member revealing their keys Idea: splitraccording to the shares

Extended Protocol Ring has public keys K1, K2, …, Kn To authenticate message m with subset T of decryption keys: • V  P : Choose r{0,1}n and split into shares x1, x2, … xn Send EK1(m°x1), …, EKn(m°xn) • P V : For each jT decrypt EKj(m°xj) and reconstruct r Send EK1(r1), EK2(r2), …, EKn(rn) where r1 + r2 …+ rn = r • V  P: Sendr and ifor all i{1..n} - opening EKi(m°xi) • P V: Verify consistency of all xi and open allEKi(ri).

Deniable Ring authentication In the Presence Big Brother Suppose that the adversary knows the private keys of all users Then the protocol is not source hiding anymore: In Step 1 can encrypt different r’s and read them out in step 2 Why would they be known: • Identity Based Encryption • Revocation Schemes – Subset cover protocols. • Enables covering any subsets by a relatively small number of keys! Idea: use regular commitment W protocol and add a proof of knowledge to obtain non-malleability

In the Presence Big Brother Subset has public keys K1, K2, …, Kn To authenticate message m with jth decryption key: • V  P : Choose r{0,1}n and Send EK1(m°r), …, EKn(m°r) • P V : Decrypt EKj(m°r) and reconstruct r and choose (r01,r11) , (r02,r12) … (r0m,r11m) s.t. r = r0i+r1i Send (W(r01 ) ,W(r11 )), (W(r02 ) ,W(r12 )), … (W(r0m ),W(r1m)) • V  P: Choose m random bits b1 , b2 , … , bm • P V : Open W(r0b1 ), W(r0b2 ), … , W(r1bm)) • V  P: Verify the opening. Open EK1(m°r), …, EKn(m°r) • P V: Verify consistency of EKi(m°r) and open the remainingW(ri).

Open Problems • What is the communication complexity required of deniable authentication? Is it possible to exchange o(|S|) bits (if the set is known)? • Low Communication is possible in principal • Is source hiding alone easier than deniability • Is it possible in the shared key world (at reasonable costs)? • What is the precise security requirement from E in the main protocol? • Katz’s NM POK • In the access scheme is it possible for the members to be mutually untrusting wrt deniability • Where is the border between possible and impossible in deniability • Fiat-Shamir heuristics • Social/legal implication to PKI?

Concurrency in Timing Model[DNS] Timing based (,) assumption for<:If one processor measures, the second , then  finishes after . To achieve concurrent deniability add timing constraints P requires that Step 3 message be received within  (local time) from Step 1 P delays Step 4 message until time  from Step 1 1 2 3 4 < <

...Concurrency • Can achieve -knowledge (zero-knowledge where the simulator knows the distinguishing probability) • Open Problem: Can Goldreich’s new simulator be used to show 0-knowledge?

What Are Zaps A zap for a language L is a • Two-round witness indistinguishable proof system for showing XL 1.verifier prover 2.prover verifier • First round message can be fixed ``once and for all” (before X is chosen) • The verifier uses public coins • Single round non-constructively Theorem: Zaps for L exists if NIZKs for L exist (~ and vice versa)

Tool: Timed Commitments [BN] • Regular commitment • Potential forced opening phase X Receiver Sender

Regular Commitments Commit Phase X Sender Receiver Sender is bound to X Reveal Phase X Sender Receiver Receiver can verify X

PotentialForcedOpening Forced Open Phase X Receiver Sender Receiver extracts X (+proof) in time T Commitment is secureonly for time t < T

Requirements • Future recoverability - verifiable following commit phase • Decommitment - value + proof. Ditto for forcibly recovered values. Can act as genuine proof of knowledge to committed value • Immunity toparallel attacks Construction based on ``generalized BBS.” Uses several rounds to prove consistency of commitment [BN]. We will substitute with a zap.

2-round Timed Deniable Auth. Public key: keys K1 and K2 and string s1 of zap To authenticate m • Verifier prover: • Choose r, y0, y1{0,1}n. Send EK1(m°r), x0= TC(y0),x1= TC(y0) Give zap of validity of at least one xi using s1. Random string s2 for zaps • Prover verifier: • Checks zap proof and decrypt r • Send Y=EK1(r) Z= EK2(s) and zap using s2 that either (i) r = DK1(Y) or (ii) DK2(Z) {y0, y1} Timing requirement: verifier receives response within 

References • [Dolev, Dwork, Naor] Non-malleable Cryptography, SIAM J. Computing, 2000 (prelim. version STOC’91) • [Dwork, Naor] Method for message authentication from non-malleable cryptosystems, US Patent 1996. • [Dwork, Naor, Sahai] Concurrent Zero-Knowledge, STOC’98. • [Boneh, Naor] Timed Commitments, Crypto’2000. • [Dwork,Naor] Zaps and their Applications, FOCS’2000. • [Naor] Deniable Ring Authentication, Crypto 2002

Comparison with Designated Verifier/recipient • No need for verifier to have a public-key • How to verify the independence of the keys of the verifier? Interaction...

Deniable Ring Authentication

Deniable Ring Authentication

Presentation Transcript

Authentication

Authentication

Authentication

Foundations of Privacy Formal Lecture Zero-Knowledge and Deniable Authentication

Authentication

Authentication

Authentication

Authentication

Authentication

Authentication

AUTHENTICATION

Efficient deniable authentication protocol based on generalized ElGamal signature scheme

RING,RING

Class 16 Deniable Authentication CIS 755: Advanced Computer Security Spring 2014

Authentication

Authentication

Authentication

New Approaches for Deniable Authentication

Deniable and Traceable Anonymity

Efficient Deniable Authentication Protocol based on Generalized ElGamal Signature Scheme