Efficient Deniable Authentication Protocol based on Generalized ElGamal Signature Scheme

1. Efficient Deniable Authentication Protocol based on Generalized ElGamal Signature Scheme Zuhua Shao Computer Standards & Interface, Vol. 26, issue 5, 2004, p.p. 449-454 Speaker: Chi-Yu Liu

2. Outline • The properties • Applications • Notations • Related work review • The proposed scheme • Conclusion • Comment Speaker: Chi-Yu Liu

3. The Properties • It enables an intended receiver to identify the source of a given message. • A receiver can not prove the source of the message to third party. Speaker: Chi-Yu Liu

4. R Application 1 • Freedom from coercion in electronic voting system. • S is a voter, and R is a tallying authority. Compel !! Ballot Third party Voter TA X Can’t prove!! Speaker: Chi-Yu Liu

5. R Application 2 • Secure negotiation over Internet. • S is a computer, and R is a merchant. order goods, price offer Computer Merchant X Third party Can’t prove!! Speaker: Chi-Yu Liu

6. Notations • S: a sender. • R: a receiver. • INQ: an inquisitor. • p, q: two big prime numbers. • g: a generator. • H(): a collision-free hash function. • (X, Y): a pair of private/public keys, where Y =gX mod p. • (SK,PK): a pair of private/public keys. Speaker: Chi-Yu Liu

7. Deng et al.’s Scheme, 2001 • Notations • N = p* q, where p and q are two large prime number. • Message M = {m1,m2,…, mn}. Speaker: Chi-Yu Liu

8. R S Deng et al.’s Scheme based on Factoring, 2001 • M = {m1,m2,…, mn}. • H(M)= {Z1,Z2, …Zn} • Choose n random numbers {c1,c2,…, cn} • Compute Ci = ci2 mod N , i = 1~n. 2. EPKr(Ui), K, Vi 3. Decrypt DSKr(Ui) =>Ui 4. Verify Ui2 ?= KCi mod N Vi ?= H(Ui) 1. Randomly choose k K = k2 mod N Ui = kci mod N Vi’ = H(Ui)Zi Speaker: Chi-Yu Liu

9. R S Deng et al.’s Scheme based on Discrete Logarithm, 2001 • M = {m1,m2,…, mn}. • H(M)= {Z1,Z2, …Zn} • Choose n random numbers {c1,c2,…, cn} • Compute Ci = gici, i = 1~n. 2. EPKr(Ui), K, Vi 3. Decrypt DSKr(Ui) =>Ui 4. Verify gUi ?= KCi mod p Vi ?= H(Ui)zi 1. Randomly choose k K = gk mod p Ui = k+ci mod q Vi = H(Ui)Zi Speaker: Chi-Yu Liu

10. Disadvantage of Deng et al.s’ • It needs public directory, which is trusted by sender and receiver. Speaker: Chi-Yu Liu

11. R S Fan et al.’s Scheme based on Diffie-Hellman, 2002 2. RS’ 1. Randomly choose k RS = gk mod p RS’ = ESKr(RS) 5. SK = RRK mod p 6. D = H(SK, M) 3. Randomly choose y RR = gy mod p 5. RS = Dpkr(RS’) SK = RSy mod p 8. Compute D’ = H(SK,M) Compare D’ ?= D 4. RR 7. D, M Speaker: Chi-Yu Liu

12. Disadvantages of Fan et al.s’ • The sender could not verify the identify of the receiver. • Besides the authenticator, a signature is also required. • Any third party can identify the source of RS’ = ESKr(RS). Speaker: Chi-Yu Liu

13. Common Weakness in the Previous Protocols • The sender does not know to whom he proves the source of a given message. • Third party can impersonate the intended receiver to identify the source of a given message. Speaker: Chi-Yu Liu

14. R S The Proposed Scheme 4. r, S, MAC, M 1. Randomly choose k K= YRk mod p r = H(K) 2. MAC = H(K||M) 3. S = k –XSr mod q 5. K’ = (gSYSr )XR mod p 6. Verify r ?= H(K’) MAC ?= H(K’||M) Speaker: Chi-Yu Liu

15. Conclusion • The authors proposed a new deniable authentication protocol based on the generalized ElGamal signature scheme. Speaker: Chi-Yu Liu

16. Comment • The third party could not impersonate the intended receiver, because he has no the verified secret of the receiver. Speaker: Chi-Yu Liu