
Efficient deniable authentication protocol based on generalized ElGamal signature scheme

Efficient deniable authentication protocol based on generalized ElGamal signature scheme. From ELSEVIER Computer Standards & Interface Author: Zuhua Shao Presented by Yi-Jhih Jan 11/02/2004. Outlines. Introductions The Fan et al’s protocol The proposed protocol


Presentation Transcript


  1. Efficient deniable authentication protocol based on generalized ElGamal signature scheme From ELSEVIER Computer Standards & Interface Author: Zuhua Shao Presented by Yi-Jhih Jan 11/02/2004

  2. Outlines • Introductions • The Fan et al’s protocol • The proposed protocol • Security analysis • Conclusions

  3. Introductions • Deniable authentication protocol 1. It enables an intended receiver to identify the source of a given message (as in traditional authentication). 2. The intended receiver cannot prove the source of a given message to any third party (because the receiver, knowing the protocol, can forge this signature himself, the sender can deny it). • Application 1. It can provide freedom from coercion in electronic voting systems 2. Secure negotiations over the Internet

  4. The Fan et al’s protocol [Protocol diagram: messages Y, X’ and (D, M) exchanged between Sender and Receiver]

  5. The Fan et al’s protocol • Weaknesses 1. INQ can impersonate the receiver and send Y = g^y mod p to the sender. 2. INQ can identify the source of X’. If INQ is sure that M and X’ come from the same source, he can also identify the source of the message.

  6. The proposed protocol • Parameters: p: a large prime (bit size 1024-2048); q: a prime divisor of p-1 (160 bit size); g: a generator of order q; H(.): a collision-free hash function; X: private key; Y: public key; CA: a certification authority

  7. The proposed protocol Sender(Xs,Ys) Receiver(XR,YR)

  8. Security analysis • 1.Completeness

  9. Security analysis • 2. It can withstand forgery attacks. a) We first design a generalized ElGamal signature scheme (proposed by Harn)

  10. Security analysis • If an adversary has an algorithm A(M,YR) that returns (r,s,MAC), he would be able to forge the signature of the generalized ElGamal signature scheme for the message m’. [Diagram: inputs M and YR go into the algorithm, which outputs (r,s,MAC)]

  11. Security analysis • b) Define a function if XR is public, the h(.) is secure as long as H(.) is a secure hash function u h(u)=v v H(w) =v w

  12. Security analysis • 3. The proposed protocol is deniable. - If the receiver reveals the session key k, he can convince the third party that the signature (r,s) of the sender and the public key YR have the same exponent XR by using a zero-knowledge proof. - Then the third party can verify MAC=H(k||M) by himself. - But the third party can then compute the Diffie-Hellman key of the sender and the receiver. - So the receiver would not reveal his secret information.

  13. Security analysis - Even if the receiver reveals k under coercion, the third party would still be skeptical, - because the receiver can construct another authenticator MAC’=H(k||M’). - That is, the receiver can simulate the authenticated message of the sender. - Hence the protocol is deniable.

  14. Security analysis • 4. It can withstand impersonation attacks. - Assume that the adversary can obtain M and its authenticator (r,s,MAC). - If he can verify the message authenticator, he must find k’ such that - the adversary could compute - It is impossible to do so under the Diffie-Hellman assumption.

  15. Conclusions • If an adversary could forge a signature of this protocol, he would forge signatures of the generalized ElGamal signature scheme. • No one can impersonate the intended receiver.
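The deniability argument of slides 12 and 13, as an added example that is not code from the paper or the presentation: once the receiver holds k, he can compute MAC’=H(k||M’) for any M’, so a third party who is handed k cannot tell the sender's transcript from a simulated one. Assumptions: k is modelled as a static Diffie-Hellman value (the derivation of k in the slides did not survive on this page), H is SHA-256, and the group parameters are toy values constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy parameters in the shape of slide 6 (constructed, far too small for real use):
# p prime, q a prime divisor of p-1, g a generator of order q.
P, Q, G = 2039, 1019, 4  # 2039 = 2*1019 + 1

def keygen():
    """Return (private X, public Y = g^X mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def session_key(own_private, peer_public):
    """Assumption: k is the static DH value shared by sender and receiver."""
    return pow(peer_public, own_private, P)

def mac(k, message):
    """MAC = H(k || M), with H = SHA-256 (assumed hash)."""
    k_bytes = k.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(k_bytes + message).digest()

def third_party_verify(k, message, tag):
    """What a third party can check once k has been revealed to him."""
    return hmac.compare_digest(mac(k, message), tag)

def demo():
    xs, ys = keygen()  # sender (Xs, Ys)
    xr, yr = keygen()  # receiver (XR, YR)
    k_sender = session_key(xs, yr)
    k_receiver = session_key(xr, ys)

    # Genuine message, authenticated by the sender.
    m = b"constructed sample: I vote for candidate A"
    tag = mac(k_sender, m)

    # Simulated message, produced by the receiver alone with the same k.
    m_forged = b"constructed sample: I vote for candidate B"
    tag_forged = mac(k_receiver, m_forged)

    return {
        "receiver_accepts_sender": third_party_verify(k_receiver, m, tag),
        "third_party_accepts_genuine": third_party_verify(k_receiver, m, tag),
        "third_party_accepts_simulated":
            third_party_verify(k_receiver, m_forged, tag_forged),
    }

if __name__ == "__main__":
    print(demo())
```

Both transcripts verify under the revealed k, which is why the revealed key convinces the receiver but proves nothing to anyone else.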
