Efficient deniable authentication protocol based on generalized ElGamal signature scheme

1. Efficient deniable authentication protocol based on generalized ElGamal signature scheme From ELSEVIER Computer Standards & Interface Author: Zuhua Shao Presented by Yi-Jhih Jan 11/02/2004

2. Outlines • Introductions • The Fan et al’s protocol • The proposed protocol • Security analysis • Conclusins

3. Introductions • Deniable authentication protocol 1. It enables an intended receiver to identify the source of a given message.(傳統) 2. The intended receiver cannot prove the source of a given message to any third party. (因receiver只要知道protocol,即可偽造此簽章,所以sender可以否認) • Application 1. It can provide Freedom from coercion in electronic voting systems 2. Secure negotiations over the Internet

4. The Fan et al’s protocol Sender Receiver Y X’ D,M

5. The Fan et al’s protocol • Weaknesses 1. INQ can impersonate the receiver and sends Y=gy mod p to the sender. 2.INQ can identify the source of X’. If INQ is sure that the M and X’ come from the same source, he can also identify the source of the message.

6. The proposed protocol • Parameters: p: a large prime (bit size 1024-2048) q: a prime divisor of p-1 (160 bit size) g: a generator of order q H(.): a collision-free hash function X: private key Y: public key CA: a certification authority

7. The proposed protocol Sender(Xs,Ys) Receiver(XR,YR)

8. Security analysis • 1.Completeness

9. Security analysis • 2. It can withstand forgery attacks. a) we first design a generalized ElGamal signature scheme (Harn proposed)

10. Security analysis • If an adversary has an algorithm A(M,YR) and returns (r,s,MAC), he would forge the signature of the generalized ElGamal signature scheme for the message m’. M Algorithm (r,s,MAC) YR

11. Security analysis • b) Define a function if XR is public, the h(.) is secure as long as H(.) is a secure hash function u h(u)=v v H(w) =v w

12. Security analysis • 3. The proposed protocol is deniable. - If the receiver reveals the session key k, he can convince the third party the signature (r,s) of the sender < and the public key YR have the same exponent XR by using zero-knowledge proof.> - Then the third party can verfy MAC=H(k||M) by himself. - But, the third party can compute the Diffie-Hellman key of the sender and the receiver. - So the receiver would not reveal his secret informatino.

13. Security analysis - even though the receiver reveals k under coercion, the third party would also be skeptical. - because that the receiver can constuct other authenticator MAC’=H(k||M’) - that is, the receiver can simulate the authenticated message of the sender. - hence the protocol is deniable.

14. Security analysis • 4. It can withstand impersonate attacks adversary: - assume that the adversary can obtain M and its authority (r,s,MAC). - if he can verify the message authenticator, he must find k’ such that - the adversary could compute - it’s impossible to do it under the Diffie-Hellman assumption.

15. Conclusions • If an adversary could forge signature of this protocol, he would forge signatures of the generalized ElGamal signature scheme. • Anyone can not impersonate the intended receiver.