
Efficient Deniable Authentication Protocol based on Generalized ElGamal Signature Scheme

Efficient Deniable Authentication Protocol based on Generalized ElGamal Signature Scheme. Zuhua Shao, Computer Standards & Interface, Vol. 26, issue 5, 2004, pp. 449-454. Outline: the properties, applications, notations, related work review, the proposed scheme, conclusion, comment.


Presentation Transcript


  1. Efficient Deniable Authentication Protocol based on Generalized ElGamal Signature Scheme
     Zuhua Shao, Computer Standards & Interface, Vol. 26, issue 5, 2004, pp. 449-454
     Speaker: Chi-Yu Liu

  2. Outline
     • The properties
     • Applications
     • Notations
     • Related work review
     • The proposed scheme
     • Conclusion
     • Comment

  3. The Properties
     • It enables an intended receiver to identify the source of a given message.
     • A receiver cannot prove the source of the message to a third party.

  4. Application 1
     • Freedom from coercion in electronic voting system.
     • S is a voter, and R is a tallying authority.
     [Diagram labels: Voter, Ballot, TA, Third party, "Compel !!", "Can't prove!!"]

  5. Application 2
     • Secure negotiation over Internet.
     • S is a computer, and R is a merchant.
     [Diagram labels: Computer, Merchant, Third party, "order goods, price", "offer", "Can't prove!!"]

  6. Notations
     • S: a sender.
     • R: a receiver.
     • INQ: an inquisitor.
     • p, q: two big prime numbers.
     • g: a generator.
     • H(): a collision-free hash function.
     • (X, Y): a pair of private/public keys, where $Y = g^{X} \bmod p$.
     • (SK, PK): a pair of private/public keys.

  7. Deng et al.'s Scheme, 2001
     • Notations
     • $N = p \cdot q$, where p and q are two large prime numbers.
     • Message $M = \{m_1, m_2, \ldots, m_n\}$.

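  8. Deng et al.'s Scheme based on Factoring, 2001
     • $M = \{m_1, m_2, \ldots, m_n\}$.
     • $H(M) = \{Z_1, Z_2, \ldots, Z_n\}$
     • Choose n random numbers $\{c_1, c_2, \ldots, c_n\}$
     • Compute $C_i = c_i^{2} \bmod N$, i = 1~n.
     • Step 1 (S): Randomly choose $k$; $K = k^{2} \bmod N$; $U_i = k c_i \bmod N$; $V_i' = H(U_i)Z_i$
     • Step 2 (S → R): $E_{PK_r}(U_i)$, $K$, $V_i$
     • Step 3 (R): Decrypt $D_{SK_r}(U_i) \Rightarrow U_i$
     • Step 4 (R): Verify $U_i^{2} \stackrel{?}{=} K C_i \bmod N$ and $V_i \stackrel{?}{=} H(U_i)$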

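  9. Deng et al.'s Scheme based on Discrete Logarithm, 2001
     • $M = \{m_1, m_2, \ldots, m_n\}$.
     • $H(M) = \{Z_1, Z_2, \ldots, Z_n\}$
     • Choose n random numbers $\{c_1, c_2, \ldots, c_n\}$
     • Compute $C_i = g^{c_i}$, i = 1~n.
     • Step 1 (S): Randomly choose $k$; $K = g^{k} \bmod p$; $U_i = k + c_i \bmod q$; $V_i = H(U_i)Z_i$
     • Step 2 (S → R): $E_{PK_r}(U_i)$, $K$, $V_i$
     • Step 3 (R): Decrypt $D_{SK_r}(U_i) \Rightarrow U_i$
     • Step 4 (R): Verify $g^{U_i} \stackrel{?}{=} K C_i \bmod p$ and $V_i \stackrel{?}{=} H(U_i)Z_i$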

  10. Disadvantage of Deng et al.'s
     • It needs a public directory that is trusted by the sender and the receiver.

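  11. Fan et al.'s Scheme based on Diffie-Hellman, 2002
     • Step 1 (S): Randomly choose $k$; $R_S = g^{k} \bmod p$; $R_S' = E_{SK_r}(R_S)$
     • Step 2 (S → R): $R_S'$
     • Step 3 (R): Randomly choose $y$; $R_R = g^{y} \bmod p$
     • Step 4 (R → S): $R_R$
     • Step 5 (S): $SK = R_R^{k} \bmod p$
     • Step 5 (R): $R_S = D_{PK_r}(R_S')$; $SK = R_S^{y} \bmod p$
     • Step 6 (S): $D = H(SK, M)$
     • Step 7 (S → R): $D$, $M$
     • Step 8 (R): Compute $D' = H(SK, M)$; compare $D' \stackrel{?}{=} D$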

  12. Disadvantages of Fan et al.'s
     • The sender could not verify the identity of the receiver.
     • Besides the authenticator, a signature is also required.
     • Any third party can identify the source of $R_S' = E_{SK_r}(R_S)$.

  13. Common Weakness in the Previous Protocols
     • The sender does not know to whom he proves the source of a given message.
     • A third party can impersonate the intended receiver to identify the source of a given message.

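  14. The Proposed Scheme
     • Step 1 (S): Randomly choose $k$; $K = Y_R^{k} \bmod p$; $r = H(K)$
     • Step 2 (S): $MAC = H(K \| M)$
     • Step 3 (S): $S = k - X_S r \bmod q$
     • Step 4 (S → R): $r$, $S$, $MAC$, $M$
     • Step 5 (R): $K' = (g^{S} Y_S^{r})^{X_R} \bmod p$
     • Step 6 (R): Verify $r \stackrel{?}{=} H(K')$ and $MAC \stackrel{?}{=} H(K' \| M)$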

  15. Conclusion
     • The authors proposed a new deniable authentication protocol based on the generalized ElGamal signature scheme.

  16. Comment
     • The third party could not impersonate the intended receiver, because he does not have the verified secret of the receiver.
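The six steps of the proposed scheme on slide 14, as an added example that is not code from the slides or the paper. It shows why only the holder of X_R can verify, and why a verifying transcript proves nothing to a third party. Assumptions: SHA-256 stands in for H(), K is encoded as two bytes before hashing, the group parameters are a constructed toy, and all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: p = 2q + 1, g has order q.
P, Q, G = 2039, 1019, 4

def h(data: bytes) -> int:
    """H() from the slides; SHA-256 is this example's assumption."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def enc(n: int) -> bytes:
    """Fixed-width encoding of a group element so K || M is unambiguous."""
    return n.to_bytes(2, "big")

def keygen():
    x = secrets.randbelow(Q - 1) + 1           # private X in [1, q-1]
    return x, pow(G, x, P)                     # public Y = g^X mod p

def authenticate(x_s, y_r, msg):
    """Sender, steps 1-4: build the transcript (r, S, MAC, M)."""
    k = secrets.randbelow(Q - 1) + 1
    K = enc(pow(y_r, k, P))                    # K = Y_R^k mod p
    r = h(K)                                   # r = H(K)
    return r, (k - x_s * r) % Q, h(K + msg), msg

def recover_k(x_r, y_s, r, s):
    """Receiver, step 5: K' = (g^S * Y_S^r)^X_R mod p."""
    return enc(pow(pow(G, s, P) * pow(y_s, r, P) % P, x_r, P))

def verify(x_r, y_s, transcript):
    """Receiver, step 6: check r = H(K') and MAC = H(K' || M)."""
    r, s, mac, msg = transcript
    K = recover_k(x_r, y_s, r, s)
    return r == h(K) and mac == h(K + msg)

def receiver_remac(x_r, y_s, transcript, other_msg):
    """Whoever holds X_R can recompute K' and MAC any other message,
    so a transcript that verifies proves nothing to a third party."""
    r, s, _, _ = transcript
    return r, s, h(recover_k(x_r, y_s, r, s) + other_msg), other_msg

if __name__ == "__main__":
    (x_s, y_s), (x_r, y_r), (x_t, _) = keygen(), keygen(), keygen()
    t = authenticate(x_s, y_r, b"ballot: A")
    print("receiver accepts:", verify(x_r, y_s, t))
    print("third party's key accepts:", verify(x_t, y_s, t))
    print("receiver-made transcript accepts:",
          verify(x_r, y_s, receiver_remac(x_r, y_s, t, b"ballot: B")))
```

Verification works because g^S · Y_S^r = g^(k − X_S r) · g^(X_S r) = g^k, and raising that to X_R gives Y_R^k = K.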
