Deniable authentication and key exchange

We extend the definitional work of Dwork,Naor and Sahai from deniable authentication to deniable key-exchange protocols. We then use these definitions to prove the deniability features of SKEME and SIGMA, two natural and efficient protocols which serve as basis for the Internet Key Exchange (IKE)protocol.SKEME is an encryption-based protocol for which we prove full deniability based on the plaintext awareness of the underlying encryption scheme. Interestingly SKEME's deniability is possibly the first "natural" application which essentially requires plaintext awareness (until now this notion has been mainly used as a tool for proving chosen-ciphertext security).SIGMA, on the other hand,uses non-repudiable signatures for authentication and hence cannot be proven to be fully deniable. Yet we are able to prove a weaker, but meaningful, "partial deniability" property: a party may not be able to deny that it was "alive" at some point in time but can fully deny the contents of its communications and the identity of its interlocutors.We remark that the deniability of SKEME and SIGMA holds in a concurrent setting and does not essentially rely on the random oracle model.

[1]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[2]  Rafail Ostrovsky,et al.  Deniable Encryption , 1997, IACR Cryptol. ePrint Arch..

[3]  Mihir Bellare,et al.  Optimal Asymmetric Encryption , 1994, EUROCRYPT.

[4]  Hugo Krawczyk,et al.  Secure off-the-record messaging , 2005, WPES '05.

[5]  Hugo Krawczyk,et al.  SKEME: a versatile secure key exchange mechanism for Internet , 1996, Proceedings of Internet Society Symposium on Network and Distributed Systems Security.

[6]  Chae Hoon Lim,et al.  A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroupp , 1997, CRYPTO.

[7]  Paul C. van Oorschot,et al.  Authentication and authenticated key exchanges , 1992, Des. Codes Cryptogr..

[8]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[9]  Toshiaki Tanaka,et al.  On the Existence of 3-Round Zero-Knowledge Protocols , 1998, CRYPTO.

[10]  Hoeteck Wee,et al.  Toward Privacy in Public Databases , 2005, TCC.

[11]  Hugo Krawczyk,et al.  SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE-Protocols , 2003, CRYPTO.

[12]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[13]  Alexander W. Dent,et al.  The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model , 2006, IACR Cryptol. ePrint Arch..

[14]  David Chaum,et al.  Blind Signatures for Untraceable Payments , 1982, CRYPTO.

[15]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[16]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[17]  Yehuda Lindell,et al.  Privacy Preserving Data Mining , 2002, Journal of Cryptology.

[18]  Alexander W. Dent Cramer-Shoup is Plaintext-Aware in the Standard Model , 2005 .

[19]  Markus Jakobsson,et al.  Designated Verifier Proofs and Their Applications , 1996, EUROCRYPT.

[20]  K. Paterson,et al.  On The Plausible Deniability Feature of Internet Protocols , 2002 .

[21]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[22]  Moni Naor,et al.  Concurrent zero-knowledge , 2004, JACM.

[23]  David Chaum,et al.  Undeniable Signatures , 1989, CRYPTO.

[24]  Yael Tauman Kalai,et al.  How to Leak a Secret: Theory and Applications of Ring Signatures , 2001, Essays in Memory of Shimon Even.

[25]  Kenneth G. Paterson,et al.  Key Agreement Using Statically Keyed Authenticators , 2004, ACNS.

[26]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[27]  Hugo Krawczyk,et al.  Universally Composable Notions of Key Exchange and Secure Channels , 2002, EUROCRYPT.

[28]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[29]  Mihir Bellare,et al.  The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols , 2004, CRYPTO.

[30]  Jonathan Katz,et al.  Efficient and Non-malleable Proofs of Plaintext Knowledge and Applications , 2003, EUROCRYPT.

[31]  Victor Shoup,et al.  On Formal Models for Secure Key Exchange , 1999, IACR Cryptol. ePrint Arch..

[32]  Mihir Bellare,et al.  Towards Plaintext-Aware Public-Key Encryption Without Random Oracles , 2004, ASIACRYPT.

[33]  Cynthia Dwork,et al.  Privacy-Preserving Datamining on Vertically Partitioned Databases , 2004, CRYPTO.

[34]  Hugo Krawczyk,et al.  Security Analysis of IKE's Signature-Based Key-Exchange Protocol , 2002, CRYPTO.

[35]  Nikita Borisov,et al.  Off-the-record communication, or, why not to use PGP , 2004, WPES '04.

[36]  Moni Naor,et al.  Deniable Ring Authentication , 2002, CRYPTO.

[37]  Dan Harkins,et al.  The Internet Key Exchange (IKE) , 1998, RFC.

[38]  David Chaum,et al.  Untraceable electronic mail, return addresses, and digital pseudonyms , 1981, CACM.

[39]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[40]  Rosario Gennaro,et al.  New Approaches for Deniable Authentication , 2005, CCS '05.

[41]  David Chaum,et al.  Security without identification: transaction systems to make big brother obsolete , 1985, CACM.

[42]  Eyal Kushilevitz,et al.  Private information retrieval , 1995, Proceedings of IEEE 36th Annual Foundations of Computer Science.

[43]  Rafael Pass,et al.  On Deniability in the Common Reference String and Random Oracle Model , 2003, CRYPTO.

[44]  Hugo Krawczyk,et al.  A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract) , 1998, STOC '98.

[45]  Ivan Damgård,et al.  Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks , 1991, CRYPTO.