Composability and On-Line Deniability of Authentication

Protocols for deniable authentication achieve seemingly paradoxical guarantees: upon completion of the protocol, the receiver is convinced that the sender authenticated the message, but neither party can convince anyone else that the other party took part in the protocol. We introduce and study on-line deniability, where deniability should hold even when one of the parties colludes with a third party during execution of the protocol. This turns out to generalize several realistic scenarios that are outside the scope of previous models. We show that a protocol achieves our definition of on-line deniability if and only if it realizes the message authentication functionality in the generalized universal composability framework; any protocol satisfying our definition thus automatically inherits strong composability guarantees. Unfortunately, we show that our definition is impossible to realize in the PKI model if adaptive corruptions are allowed (even if secure erasure is assumed). On the other hand, we show feasibility with respect to static corruptions (giving the first separation in terms of feasibility between the static and adaptive settings), and show how to realize a relaxation termed deniability with incriminating abort under adaptive corruptions.
