Computer Standards & Interfaces 26 (2004) 449 – 454 www.elsevier.com/locate/csi

Efficient deniable authentication protocol based on generalized ElGamal signature scheme

Zuhua Shao *
Department of Computer and Electronic Engineering, Zhejiang University of Science and Technology, No. 85, XueYuan Road, Hangzhou, Zhejiang 310012, PR China

Received 31 July 2003; received in revised form 28 October 2003; accepted 4 November 2003

Abstract

An efficient and non-interactive deniable authentication protocol is presented to enable a receiver to identify the source of a given message, but not to prove the identity of the sender to a third party. The proposed protocol is based on the generalized ElGamal signature scheme and is more efficient than the previous protocols. We show that if an adversary could forge signatures of this protocol, he could forge signatures of the generalized ElGamal signature scheme. Moreover, the new protocol is more secure than the previous deniable authentication protocols, since no one can impersonate the intended receiver. © 2003 Elsevier B.V. All rights reserved.

Keywords: Security; Cryptography; Authentication; Digital signature; Impersonation attack

1. Introduction

Deniable authentication protocol is a new technique of modern cryptography. Compared with the traditional authentication protocols, the deniable authentication protocol has two characteristics:
1. It enables an intended receiver to identify the source of a given message.
2. The intended receiver cannot prove the source of a given message to any third party.

The deniable authentication protocol can be used in many specialized applications. For example, it can provide freedom from coercion in electronic voting systems and secure negotiation over the Internet [1]. Hence it is desirable to design secure and efficient deniable authentication protocols, since they have an important role in practice.

Dwork et al. [2] proposed a deniable authentication protocol based on concurrent zero-knowledge proof. This protocol suffers from a timing constraint, and the proof of knowledge is subject to a time delay in the authentication procedure. Aumann and Rabin [3] proposed another deniable authentication protocol based on factoring. Their protocol model has three participants: a sender S, a receiver R and an inquisitor INQ. INQ sits on an insecure link between S and R, intercepting the traffic between them and injecting messages of his own. INQ cannot identify S from the communication between S and R, even though INQ can later compel S and R to reveal all security data, or INQ and S fully cooperate with each other. If the receiver can simulate all communications between S and R according to the protocol, the sender can deny communications between them. Later, Deng et al. [4] also proposed two deniable authentication protocols, based on factoring and on the discrete logarithm problem respectively. Both the Aumann–Rabin protocol and Deng et al.'s protocols need a public directory trusted by the sender and the receiver. Recently, Fan et al. [5] proposed a simple deniable authentication protocol based on the Diffie–Hellman [6] key distribution protocol. Their protocol adopts certificates to defeat the man-in-the-middle attack and signatures to identify the source of a given message.

There is a common weakness in the previous four deniable authentication protocols: the sender does not know to whom he proves the source of a given message. That is, a third party can impersonate the intended receiver to identify the source of a given message. Meanwhile, the four protocols are interactive and less efficient.

In this paper, we propose a more efficient deniable authentication protocol based on the generalized ElGamal signature scheme [7]. It requires neither a trusted third party nor a publicly known directory. Only the intended receiver can verify the signature and then identify the source of a given message. We show that if an adversary could forge signatures of this protocol, he could forge signatures of the generalized ElGamal signature scheme. Moreover, the new protocol is non-interactive, and only three modular exponentiations and 480 bits of communication are required for authenticating a message. Hence the new protocol is more efficient than the previous protocols.

* Corresponding author. Tel.: +86-571-85121332; fax: +86-571-85121214. E-mail address: [email protected] (Z. Shao).
0920-5489/$ - see front matter © 2003 Elsevier B.V. All rights reserved. doi:10.1016/j.csi.2003.11.001

2. Brief review of Fan et al.'s deniable authentication protocol

Fan et al.'s deniable authentication protocol is more efficient than the other three protocols. To compare our new protocol with the four protocols, we only review Fan et al.'s deniable authentication protocol. Every sender has a pair of private/public keys $(K_{prv}, K_{pub})$ certificated by a certification authority CA. The sender S and the receiver R use one common prime number $p$ and one common primitive element $g$, as in the original Diffie–Hellman key distribution protocol. A collision-free hash function $H()$ is required. The process of their protocol is as follows:

Step 1. S chooses a random large integer $x$ and computes
$X = g^x \bmod p$, $X' = E_{K_{prv}}(X)$.
S then sends $X'$ to R. In fact, $X'$ is the signature of $X$.

Step 2. R chooses a random large integer $y$ and sends S
$Y = g^y \bmod p$.

Step 3. R decrypts $X'$ and computes
$X = D_{K_{pub}}(X')$, $k = X^y \bmod p$.

Step 4. S computes $k' = Y^x \bmod p$.

Step 5. If S wants to send a message M to R, he sends R both M and $D = H(k, M)$.

Step 6. R computes $D' = H(k', M)$. If $D = D'$, R accepts M; otherwise R rejects it.

There are three weaknesses in this protocol. First, INQ can impersonate the receiver and send $Y = g^y \bmod p$ to the sender. The sender cannot detect this impersonation attack, since the sender does not verify the identity of the receiver. Second, INQ is able to intercept the traffic between the sender and the receiver, and INQ can identify the source of $X' = E_{K_{prv}}(X)$. If INQ is sure that the message M and $X'$ come from the same source, he can also identify the source of the message. Third, besides the authenticator, a signature is also required. Fan et al. do not explain which digital signature scheme they use in Step 1. To compare performance, we simply assume that they use the Nyberg–Rueppel signature scheme with message recovery based on the discrete logarithm problem [8].


3. New deniable authentication protocol based on the generalized ElGamal signature scheme

The new protocol uses the public key infrastructure of DSA [9]. The authority chooses the following public parameters:
1. $p$ is a large prime number of bit size 1024–2048.
2. $q$ is a prime divisor of $p - 1$ of bit size 160.
3. $g$ is an element of order $q$ in the finite field GF($p$).
4. $H()$ is a collision-free hash function, for example SHA-1. The bit size of the output of $H()$ is $|q|$, which denotes the bit size of $q$.

Each signer chooses an element $X$ in GF($q$) as his private key, and computes $Y = g^X \bmod p$ as his public key. The public key of each user is certificated by a certification authority CA. Then the sender S and the receiver R have the pairs of private/public keys $(X_S, Y_S)$ and $(X_R, Y_R)$ respectively.

Suppose that the sender S wants to deniably authenticate a message M to the intended receiver R. They operate the following protocol:
1. S chooses an integer $t$ randomly between 1 and $q$.
2. S computes
$k = Y_R^t \bmod p$,
$r = H(k)$,
$MAC = H(k \| M)$,
$s = t - X_S r \bmod q$.
Then S sends $(r, s, MAC)$ together with M to R.
3. R computes
$k' = (g^s Y_S^r)^{X_R} \bmod p$.
4. R verifies
$r = H(k')$,
$MAC = H(k' \| M)$.
If the two equations hold, R accepts it. Otherwise R rejects it.

Note that "$\|$" is the concatenation operator of strings. The proposed protocol is summarized in the following figure:


4. Security and performance

We first show that the above protocol satisfies the security requirements and then discuss its performance compared with the previous protocols.

4.1. Security analysis

Statement 1: Completeness: if the sender and the receiver follow the protocol, the receiver is always able to identify the source of the message.

Proof: Because $s + X_S r = t \bmod q$, we have
$g^s Y_S^r = g^t \bmod p$,
$(g^s Y_S^r)^{X_R} = g^{t X_R} = Y_R^t \bmod p$,
$k = k'$,
$r = H(k) = H(k')$,
$H(k \| M) = H(k' \| M)$.
Hence if the sender and the receiver follow the protocol, the receiver is always able to identify the source of the message.

Statement 2: The proposed protocol can withstand forgery attacks.

Proof: First we design a generalized ElGamal signature scheme. The public parameters are the same as in DSA. Each signer chooses an element $X$ in GF($q$) as his private key, and computes $Y = g^X \bmod p$ as his public key. To sign a message $m$, the signer does the following steps:
1. Chooses an integer $t$ randomly between 1 and $q$.
2. Computes
$u = g^t \bmod p$,
$r = H(u^{H(m)} \bmod p)$,
$s = t - X r \bmod q$.

The signature of the message $m$ is $(u, s)$, and anyone can verify it by checking the following verification equation:
$g^s Y^{H(u^{H(m)} \bmod p)} = u \bmod p$.
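The following is an added example and not code from the paper: it runs the protocol of Section 3 end to end in Python over a constructed toy group ($p = 607$, $q = 101$, $g = 64$, rather than the paper's 1024/160-bit sizes) with SHA-256 in place of SHA-1, checks the verification equation of the signature scheme just defined, and carries out the conversion used in the forgery argument that follows, in which setting $X_R = H(m')$ turns a protocol transcript $(r, s)$ into a signature $(u, s)$ on $m'$. The function names (authenticate, verify, simulate, forge_from_oracle) are ours, and the receiver-side `simulate` only re-derives $k'$ as the deniability argument of Statement 3 describes.

```python
import hashlib
import secrets

# Constructed toy group, not the paper's 1024/160-bit sizes: q | p - 1 and
# g = 2^((p-1)/q) mod p has order q in GF(p). The algebra is size-agnostic.
P, Q = 607, 101
G = pow(2, (P - 1) // Q, P)            # 64
P_BYTES = (P.bit_length() + 7) // 8    # fixed-width encoding of group elements

def H(*parts: bytes) -> int:
    """H(a || b): SHA-256 over the concatenation, read as an integer. The paper
    uses SHA-1 with |H| = |q|; exponents reduce mod q implicitly since g has order q."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def enc(x: int) -> bytes:
    return x.to_bytes(P_BYTES, "big")  # fixed width keeps k || M unambiguous

def keygen():
    """Private X in [1, q-1], public Y = g^X mod p (same form for S and R)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def authenticate(x_s, y_r, msg):
    """Sender S: k = Y_R^t, r = H(k), MAC = H(k || M), s = t - X_S r mod q."""
    t = secrets.randbelow(Q - 1) + 1
    k = pow(y_r, t, P)
    r = H(enc(k))
    return r, (t - x_s * r) % Q, H(enc(k), msg)

def recover_k(x_r, y_s, r, s):
    """Only the holder of X_R can rebuild k' = (g^s Y_S^r)^{X_R} mod p."""
    return pow(pow(G, s, P) * pow(y_s, r, P) % P, x_r, P)

def verify(x_r, y_s, msg, r, s, mac):
    """Receiver R accepts iff r = H(k') and MAC = H(k' || M)."""
    k2 = recover_k(x_r, y_s, r, s)
    return r == H(enc(k2)) and mac == H(enc(k2), msg)

def simulate(x_r, y_s, r, s, other_msg):
    """R reuses k' to mint MAC' = H(k' || M') for any M' of his choice, so the
    transcript proves nothing to a third party (Statement 3)."""
    return H(enc(recover_k(x_r, y_s, r, s)), other_msg)

def gen_elgamal_verify(y, m, u, s):
    """Enhanced generalized ElGamal check: g^s Y^{H(u^{H(m)} mod p)} = u mod p."""
    e = H(enc(pow(u, H(m), P)))
    return pow(G, s, P) * pow(y, e, P) % P == u

def forge_from_oracle(x_s, y_s, m_prime):
    """Statement 2 reduction: with X_R := H(m') the protocol's (r, s) becomes a
    signature (u, s) on m'. The 'oracle' A(M, Y_R) here is the honest sender."""
    x_r = H(m_prime) % Q                 # u has order q, so reducing mod q is harmless
    r, s, _ = authenticate(x_s, pow(G, x_r, P), b"any message chosen by the adversary")
    u = pow(G, s, P) * pow(y_s, r, P) % P
    return u, s
```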

Harn proposed 18 generalized ElGamal signature schemes [7]. The verification equation of one of these schemes is
$g^s Y^{u H(m)} = u \bmod p$.
Hence the scheme designed above can be regarded as an enhancement of the Harn generalized ElGamal signature scheme. The generalized ElGamal signature schemes are secure so far, and so is the enhanced one.

Now we claim that if an adversary has an algorithm $A(M, Y_R)$ that takes any message M and any public key $Y_R$ and returns $(r, s, MAC)$, he can forge a signature of the generalized ElGamal signature scheme for any message $m'$. The adversary computes $X_R = H(m')$ and $Y_R = g^{X_R} \bmod p$. Then he chooses a number as M and computes $(r, s, MAC)$ by using the algorithm $A(M, Y_R)$. Hence
$r = H((g^s Y_S^r)^{X_R} \bmod p)$.
Let $u = g^s Y_S^r \bmod p$. The equation above is equivalent to the equation
$g^s Y_S^{H(u^{H(m')} \bmod p)} = u \bmod p$.
Therefore the adversary derives the forged signature $(u, s)$ of the generalized ElGamal signature scheme for the given message $m'$. Hence the new deniable authentication protocol has at least the same security as the generalized ElGamal signature scheme. Because the generalized ElGamal signature scheme can withstand forgery attacks, so does the new deniable authentication protocol. Hence the proposed protocol is unforgeable in the standard model under the security assumption of generalized ElGamal signature schemes.

We can also discuss the security of the new protocol from another point of view. Define a function $h(u) = H(u^{X_R} \bmod p)$. We claim that if $X_R$ is public, the function $h()$ is secure as long as $H()$ is a secure hash function.


Let $v$ be any integer between 1 and $q$. If we can find an integer $u$ such that $h(u) = v$, we can also find an integer $w = u^{X_R} \bmod p$ such that $H(w) = v$. Therefore $h()$ is one-way if $H()$ is one-way. If we can find two integers $u_1$ and $u_2$ such that $h(u_1) = h(u_2)$, we can also find two integers $w_1 = u_1^{X_R} \bmod p$ and $w_2 = u_2^{X_R} \bmod p$ such that $H(w_1) = H(w_2)$. Therefore $h()$ is collision-free if $H()$ is collision-free. Hence the function $h()$ is secure if $H()$ is a secure hash function. Let $u = g^s Y_S^r \bmod p$. Thus the verification equation
$r = H((g^s Y_S^r)^{X_R} \bmod p)$
is equivalent to the equation
$g^s Y_S^{h(u)} = u \bmod p$.

It can be regarded as the verification equation of the Schnorr signature scheme [10] for the null message. Because the Schnorr signature scheme is secure so far, no one can forge the signature $(r, s)$ of the null message without knowledge of the private key $X_S$.

Statement 3: The proposed protocol is deniable.

Proof: After receiving $(r, s, MAC)$ and the message M, the receiver can identify their source with his private key $X_R$. But he cannot prove the source of the message to a third party, for the following reasons. First, if the receiver reveals the session key $k$, he can convince the third party of the sender's signature $(r, s)$ by proving, with a zero-knowledge proof, that the number $k = (g^s Y_S^r)^{X_R} \bmod p$ to the base $g^s Y_S^r$ and the public key $Y_R$ to the base $g$ have the same exponent $X_R$. Then the third party can verify $MAC = H(k \| M)$ by himself. However, $(g^s Y_S^r)^{X_R} = Y_R^s (g^{X_S X_R})^r \bmod p$, so $k = (g^s Y_S^r)^{X_R} \bmod p$ implies $K_{SR} = g^{X_S X_R} \bmod p = (k Y_R^{-s})^{r^{-1}} \bmod p$. Hence the third party can compute the Diffie–Hellman key $K_{SR}$ of the sender and the receiver. Obviously, the receiver would not reveal this secret information. Second, even if the receiver reveals the secret information $k$ under coercion, the third party would still be skeptical of the truth of the evidence provided by the receiver. This is because the receiver can construct another authenticator $MAC' = H(k \| M')$ for a different message $M'$. $(MAC', M')$ is indistinguishable from the actual message authenticator computed by the sender. That is, the receiver can simulate the authenticated message of the sender. Hence this protocol is deniable.

Statement 4: The proposed protocol can withstand impersonation attacks.

Proof: Suppose that a third party wants to impersonate the intended receiver, or that a third party is an inquisitor sitting on an insecure link between the sender and the intended receiver. Assume that this adversary obtains a message M and its authenticator $(r, s, MAC)$. If he can verify the message authenticator, he must find $k'$ such that $k' = (g^s Y_S^r)^{X_R} \bmod p$. With knowledge of $k'$, the adversary could compute $g^{X_S X_R} = Y_S^{X_R} = (k' / Y_R^s)^{r^{-1}} \bmod p$. This is impossible under the Diffie–Hellman assumption.

4.2. Performance comparison

To study the performance of the new protocol, we compare it with the previous deniable authentication protocols. Deng et al.'s protocol is more efficient than the Aumann–Rabin protocol, since the latter needs one execution of the protocol to deniably authenticate one bit of the encoded message. However, Fan et al.'s protocol is more efficient than the Aumann–Rabin protocol, since the latter needs a publicly known directory PD and Int($z_i$) iterations of the hash function. Hence we compare the performance of the new protocol only with Fan et al.'s protocol in Table 1. To authenticate the source of a message in the new protocol, one modular exponentiation computation and two hash function computations are required

by the sender, and two modular exponentiation computations and two hash function computations are required by the receiver. The communication is $3|q|$ bits. To authenticate the source of a message in Fan et al.'s protocol, two modular exponentiation computations and one hash function computation are required by both the sender and the receiver. In addition, the sender needs to compute a signature with message recovery, which requires one modular exponentiation computation and one hash function computation. The receiver needs to decrypt a signature, which requires two modular exponentiation computations and one hash function computation. The communication is $2|p| + 2|q|$ bits. Hence the computation of the new protocol is about one half of that of Fan et al.'s protocol, and the communication of the new protocol is about one eighth of that of Fan et al.'s protocol. Furthermore, the new protocol is non-interactive while Fan et al.'s protocol is not, which requires some communication overhead. Therefore the new protocol is more efficient than the previous deniable authentication protocols. Moreover, the new protocol is more secure than the previous deniable authentication protocols, since no one can impersonate the intended receiver.

Table 1
Comparison of Fan's protocol and the proposed protocol

                        Fan's protocol              Proposed protocol
                        Sender       Receiver       Sender       Receiver
Exponentiation          2+1          2+2            1            2
Hash function           1+1          1+1            2            2
Communication           2|p| + 2|q| bits            3|q| bits
Interactive             Yes                         No
Impersonation attack    Yes                         No

5. Conclusions

We have developed a new deniable authentication protocol based on the generalized ElGamal signature scheme. We show that if an adversary could forge signatures of this protocol, he could forge signatures of the generalized ElGamal signature scheme. Hence the proposed protocol is unforgeable in the standard model under the security assumption of generalized ElGamal signature schemes. Moreover, the new protocol is more secure than the previous deniable authentication protocols, since no one can impersonate the intended receiver under the security assumption of the Diffie–Hellman problem. Compared with the existing deniable authentication protocols, the new protocol needs less computation and communication. Moreover, the new protocol is non-interactive. Therefore the new protocol is more efficient.

Acknowledgements

The author would like to thank the anonymous reviewers for their valuable comments and suggestions, which improved the presentation of this paper. This work is a project supported by the Scientific Research Fund of Zhejiang Provincial Education Department.

References

[1] Y. Aumann, M. Rabin, Authentication enhanced security and error correcting codes, Crypto '98, Santa Barbara, CA, USA, LNCS 1462, Springer-Verlag, Berlin, 1998, pp. 299–303.
[2] C. Dwork, M. Naor, A. Sahai, Concurrent zero-knowledge, Proc. 30th ACM STOC '98, Dallas, TX, USA, 1998, pp. 409–418.
[3] Y. Aumann, M. Rabin, Efficient deniable authentication of long messages, Int. Conf. on Theoretical Computer Science in Honor of Professor Manuel Blum's 60th birthday, April 20–24, 1998. http://www.cs.cityu.edu.hk/dept/video.html
[4] X. Deng, C.H. Lee, H. Zhu, Deniable authentication protocols, IEE Proceedings Computers and Digital Techniques 148 (2) (2001) 101–104.
[5] L. Fan, C.X. Xu, J.H. Li, Deniable authentication protocol based on Diffie–Hellman algorithm, Electronics Letters 38 (4) (2002) 705–706.
[6] W. Diffie, M.E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (1976) 644–654.
[7] L. Harn, Design of generalised ElGamal type digital signature scheme based on discrete logarithm, Electronics Letters 31 (20) (1995) 2025–2026.
[8] K. Nyberg, R.A. Rueppel, Message recovery for signature schemes based on the discrete logarithm problem, EUROCRYPT '94, Perugia, Italy, LNCS 950, Springer-Verlag, Berlin, May 1994, pp. 182–193.
[9] Proposed federal information processing standard for digital signature standard, Federal Register 56 (169, 30) (Aug. 1991) 42980–42982.
[10] C.P. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology 3 (3) (1991) 161–174.

Zuhua Shao was born in Shanghai, People's Republic of China, on 30 April 1948. He received the B.S. degree in mathematics and the M.S. in algebra from the Northeastern Normal University, People's Republic of China, in 1976 and 1981 respectively. From 1990 to 2001, he was an associate professor in the Hangzhou Institute of Financial Managers, The Industrial and Commerce Bank of China. Now he is a professor in the Zhejiang University of Science and Technology. His current research interests are cryptography and financial data security.