Non-Interactive Deniable Ring Authentication - Semantic Scholar

Non-Interactive Deniable Ring Authentication

Willy Susilo and Yi Mu
Centre for Information Security Research, School of Information Technology and Computer Science, University of Wollongong, Wollongong 2522, AUSTRALIA
Email: {wsusilo, ymu}@uow.edu.au

Abstract. In this paper, we propose a new primitive called non-interactive deniable ring authentication: it is possible to convince a verifier that a member of an ad hoc collection of participants is authenticating a message m without revealing which one, and the verifier V cannot convince any third party that the message m was indeed authenticated, all in a non-interactive way. Unlike the deniable ring authentication proposed in [19], we require this primitive to be non-interactive. With this restriction, the primitive can be used in practice without the anonymous routing channel (e.g. MIX-nets) required in [19]. In this paper, we provide the formal definition of non-interactive deniable ring authentication schemes together with a generic construction of such schemes from any ring signature scheme. The generic construction can be used to convert any existing ring signature scheme, for example [20, 1], into a non-interactive deniable ring authentication scheme. We also present an extension of this idea to non-interactive deniable ring to threshold ring authentication. In this scenario, the signature can convince a group of verifiers, but the verifiers cannot convince any other third party about this fact, because any collusion of t verifiers can always generate a valid message-signature pair. We also present a generic construction of this scheme. A special case of this scenario is a deniable ring-to-ring authentication scheme, where the collaboration of all verifiers is required to generate a valid message-signature pair.

Keywords: ring signature schemes, deniable, non-interactive, ring-to-ring authentication

1 Introduction

Consider a situation where Alice, who is a member of parliament, wishes to inform the prime minister about very sensitive information concerning the country. Alice does not want her identity to be revealed to the prime minister, and on the other hand, she also wants the prime minister to keep this information to himself and not forward it to anyone else. To make the information reliable, it must be authenticated, and the prime minister must be able to verify that it comes from one of the members of parliament, so that he can make his decision on the matter. Alice cannot use a standard digitally signed message, since such a message directly reveals her identity to the prime minister. With the ring signature introduced by Rivest, Shamir and Tauman [20], Alice's identity can be hidden and the message can be shown to come from one of the members of parliament without revealing who the actual signer is, but the prime minister can quote the message and publish it as an authenticated message from one of the members of parliament, something Alice does not want to happen. The Deniable Ring Authentication of Naor [19] was motivated by this problem. However, that scheme requires an interactive zero-knowledge protocol, which makes it impractical. The intention of this paper is to introduce a new notion called non-interactive deniable ring authentication, which allows a signer to sign a message m on behalf of an ad hoc collection of participants and to convince a designated verifier V that this message is correct. We note that in practice m is replaced by H(m), where H(·) denotes a collision-free hash function. Moreover, it is required that the designated verifier V cannot convince any other third party that the message m was indeed authenticated. We also require that verification be non-interactive, because the members of the ad hoc collection might not be available to respond to an authentication request whenever one is made (cf. [19]). In this setting, V can verify the correctness of the message whenever he wishes, but he cannot show the message to anyone else and claim that it was authenticated by the ad hoc collection of participants.
Roughly speaking, for a scheme to be a non-interactive deniable ring authentication, it should: (i) enable a sender in an ad hoc collection S, for any message m, to prove non-interactively that a member of S is the one authenticating the message; (ii) be a good authentication scheme, i.e. not allow forgeries, where the notions of forgeability of Goldwasser, Micali and Rivest [14] are relevant; (iii) be deniable in the zero-knowledge sense: the recipient could have generated the conversation alone and the result would have been indistinguishable; (iv) be signer-ambiguous; (v) not make the verifier part of the system. We provide a formal model of a non-interactive deniable ring authentication scheme. We also propose a generic method for converting a ring signature scheme into a non-interactive deniable ring authentication scheme. We show that a non-interactive deniable ring authentication scheme can be constructed from a ring signature scheme combined with a chameleon hash [18]. We also extend our work to provide a non-interactive deniable ring to threshold ring authentication scheme. In this scenario, a signer in the ring can sign a message and convince a group of verifiers of this fact, but the verifiers cannot convince any third party of the authenticity of the message, because a collusion of t verifiers can always create a valid message-signature pair that also passes the verification stage. We also show a generic construction of this type of scheme, together with a special case when t = n, which we call a deniable ring-to-ring authentication scheme.

1.1 Related Work

In [20], the definition of ring signatures was formalized and an efficient scheme based on RSA was proposed. That ring signature scheme is based on trapdoor one-way permutations and an ideal block cipher that is regarded as a perfectly random permutation. A ring signature scheme allows a signer who knows at least one piece of secret (trapdoor) information to produce a sequence of n random permutations and form them into a ring. The signature can be used to convince any third party that one of the people in the group (someone who knows the trapdoor information) has authenticated the message on behalf of the group. The authentication provides signer ambiguity, in the sense that no one can identify who actually signed the message. In [1], a method to construct a ring signature from different types of public keys, such as those of integer-factoring-based and discrete-log-based schemes, was proposed. The proposed scheme is more efficient than [20]. The formal security definition of a ring signature is also given in [1]. In [19], the notion of ring signatures was combined with deniable authentication [13]. The result, called Deniable Ring Authentication, allows a signer to authenticate a message m on behalf of an ad hoc collection of users and to convince a verifier that this authentication was done correctly. Moreover, the verifier cannot convince any third party that the message m was indeed authenticated. There is no 'paper trail' of the conversation, other than what could be produced by the verifier alone, as in zero-knowledge [19]. However, verification is done interactively, and hence anonymous routing, such as MIX-nets, is essential. Moreover, as a result of the requirements of this notion, the message size is longer than that of a normal ring signature. Another related notion is group signature schemes.

These schemes allow members of a fixed group to sign messages on the group's behalf while their anonymity is preserved. This anonymity is conditional: the group manager can always revoke it. The concept was introduced by Chaum in [11]. The original scheme has the characteristic that the size of the signature is always proportional to the group size. Since the introduction of the scheme in [6], however, the size of the signature is fixed and does not depend on the group size. Designated Verifier Proofs were proposed in [17]. The idea is to allow signatures to convince only the intended recipient, who is assumed to have a public key. As noted in [20], ring signature schemes can provide this mechanism by joining the verifier to the ring. However, this might not be practical in real life, since the verifier might not have a public key set up. Dwork, Naor and Sahai proposed deniable authentication in [13]. Deniable authentication addresses the deniability aspect, i.e. the protocol leaves no paper trail for the authentication of the message. This work allows a single signer to achieve this property.

Undeniable signatures [10] allow a signature to be verified by everyone, but only with the help of the signer. The signer is able to reject invalid signatures, but must not be able to deny valid signatures. If the signer is unavailable or unwilling to cooperate, the signature is no longer verifiable. To overcome this shortcoming, the notion of confirmer signatures [9] was proposed. In confirmer signatures, the ability to verify or deny signatures is transferred to a designated confirmer. A generic construction of a confirmer signature from an ordinary signature scheme is proposed in [7]. The notion of Universal Designated-Verifier Signatures (UDVS) was recently proposed in [23]. A UDVS scheme can be used as a standard publicly verifiable digital signature but has the additional functionality that any signature holder can designate the signature to any desired designated verifier, using the verifier's public key. The construction proposed in [23] is based on bilinear pairings and is an extension of the Boneh-Lynn-Shacham (BLS) short signature scheme [4].

Our Contributions. We define the notion of non-interactive deniable ring authentication. Our schemes provide a ring signature scheme with a designated verifier. Verification is done non-interactively by the verifier. We note that the idea of converting interactive protocols to non-interactive ones is not new; see for example [12]. Our schemes do not require any additional infrastructure such as anonymous routing (cf. [19]). We provide a generic construction of non-interactive deniable ring authentication. The size of the resulting scheme is the size of the original ring signature plus one random number (cf. [19], which requires about twice the size of the message). We only require the designated verifier V to have published a chameleon hash function to be used by the signer. We note that this requirement might be removed in a different construction.

We also extend our basic schemes to deniable ring to ring authentication schemes. In these schemes, a message authenticated by a member of a ring S can be designated to a group of people, V. Designation in this context refers to the inability of the verifiers in V to convince a third party outside V about this fact, because the verifiers themselves could produce such a signature by collaborating with the other verifiers in V. When t verifiers in V are required to collaborate to generate a new valid message-signature pair, we call the scheme a deniable ring to threshold ring authentication scheme. When all verifiers in V are required to collaborate to generate a valid message-signature pair, we call it a deniable ring-to-ring authentication scheme. We show how to construct such schemes from any existing ring signature scheme.

1.2 Cryptographic Tools

Chameleon Hashing. Chameleon hashing is essentially a non-interactive commitment scheme, as proposed by Brassard, Chaum and Crépeau [5]. The idea of chameleon hash functions was introduced and formalized in [18] in the construction of their chameleon signature schemes. The name "chameleon" refers to the ability of the owner of the trapdoor information to change the input to the function to any value of his choice without changing the resulting output. A chameleon hash function is associated with a pair of public and private keys and has the following properties [18]: (1) anyone who knows the public key can compute the associated hash function; (2) for anyone without knowledge of the trapdoor (i.e. the secret key), the hash function is collision resistant: it is infeasible to find two inputs which map to the same output; (3) the holder of the trapdoor information can easily find collisions for every given input. Several constructions of chameleon hashing have been proposed: those in [18], which are based on the discrete logarithm, and that in [8], which is based on the hardness of deciding whether an element is a "small" e-th residue modulo N^2.

Access Structures and Cumulative Arrays. Let V = {V_1, ⋯, V_n} be a group of n players and let 2^V denote the family of all subsets of V. A subset Γ of 2^V with the property that if A ∈ Γ and A ⊆ A′ then A′ ∈ Γ is called monotone increasing. An access structure Γ is a monotone increasing subset of 2^V. Elements of Γ are called authorized subsets of Γ and elements not in Γ are called unauthorized subsets. The notion of access structures plays an important role in the theory of secret sharing. The first (t, n) threshold secret sharing schemes, independently invented by Blakley [2] and Shamir [21], have the access structure Γ = {A ⊆ V : |A| ≥ t}, known as the (t, n) threshold access structure. Cumulative maps (also called cumulative arrays) for access structures were formally introduced in [22], but the idea behind them was implicitly used in the constructions given in [15]. The construction of minimal cumulative maps for any access structure was developed in [16].

The rest of this paper is organized as follows. In the next section, we give a model for a non-interactive deniable ring authentication scheme and outline its security requirements. Section 3 proposes a generic construction of non-interactive deniable ring authentication schemes from ring signature schemes and chameleon hashing. In Section 4, we present an extension of the basic scheme to deniable ring to threshold ring authentication schemes, together with a generic construction of such schemes. Finally, we present a special case of deniable ring to threshold ring authentication schemes called deniable ring-to-ring authentication schemes. Section 5 concludes the paper.

2 Non-Interactive Deniable Ring Authentication

In this section, we provide a definition of non-interactive deniable ring authentication. This authentication can also be referred to as ring authentication with designated verifier. We now provide the summary of the setup and requirements of a non-interactive deniable ring authentication.

Setup. We assume that the participants have published their public keys. The public keys are generated via a standard public key generation algorithm. We define the ring as follows. A ring S contains any subset of participants. An authenticator S_i ∈ S can sign on behalf of S. The verifier of a message, V, is an arbitrary party. We require that V ∉ S. We also require that V has published a hash function H that can be used by the signers in S. We assume that both the verifier and the authenticator have access to the public keys of all members S_i ∈ S. The verifier V can verify an authenticated message non-interactively, without the help of any member of S. We require the authentication scheme to provide:
– Completeness: for any ring S, any good authenticator S_i ∈ S and any message m ∈ {0, 1}*, if S_i has followed the signature generation algorithm correctly and V has followed the verification algorithm correctly, then V accepts with overwhelming probability.
– Signer Ambiguity: for any participant S_i ∈ S, with |S| = ŝ, the probability that an authenticated message m was signed by S_i is at most 1/ŝ.
– Soundness: the soundness of a non-interactive deniable ring authentication scheme is computational, since the underlying ring signature scheme cannot be stronger than the individual signature schemes used by the possible signers. We consider an attack successful if, after analyzing n non-interactive deniable ring authentications of messages m_1, ⋯, m_n, the forger can construct a valid non-interactive deniable ring authentication on behalf of the same group for a different message m ∉ {m_i}_{i=1,2,⋯,n} that the verifier V will accept.
In the following definition, we denote by ⟨sk_i, pk_i⟩ the pair of secret and public keys, generated according to a specific algorithm, owned by S_i.
A non-interactive deniable ring authentication scheme consists of the following algorithms:
– DSign(m, sk, L): a probabilistic polynomial-time algorithm that takes a message m ∈ {0, 1}*, a secret key sk and a list L of public keys including the one that corresponds to sk, and outputs a signature σ.
– DVerify(m, σ, L): a deterministic, non-interactive polynomial-time algorithm that takes a message m, a signature σ and a list of public keys L, and outputs either True or ⊥, meaning accept or reject, respectively.
We require completeness:
\[ \Pr\big[\mathsf{DVerify}(m, \sigma, L) = \mathsf{True} : \sigma \leftarrow \mathsf{DSign}(m, sk, L)\big] = 1. \]
L may include public keys generated under different security parameters; the security of DSign(m, sk, L) is then that of the smallest one among them. L may also mix several types of public keys at the same time, for example RSA and Schnorr keys, in a particular construction. We also require that a secret key whose public key is not in L cannot produce a signature that verifies under L: the probability
\[ \Pr\big[\mathsf{DVerify}(m, \hat\sigma, L) = \mathsf{True} : L := \{pk_1, pk_2, \dots, pk_n\},\ i \notin \{1, 2, \dots, n\},\ \hat\sigma \leftarrow \mathsf{DSign}(m, sk_i, L)\big] \]
is negligible.

We also require that a non-interactive deniable ring authentication scheme provide existential unforgeability: it must be difficult to forge a valid non-interactive deniable ring authenticated message. The advantage of an algorithm F in existentially forging such a message, given access to a non-interactive deniable ring authentication signature generation oracle S along with a hash oracle, is
\[ \mathrm{Adv}^{\mathrm{DSigF}}_{F} \stackrel{\mathrm{def}}{=} \Pr\Big[\mathsf{DVerify}(m, \sigma, \langle pk_1, pk_2, \dots, pk_n\rangle) = \mathsf{True} : \{\langle pk_1, sk_1\rangle, \langle pk_2, sk_2\rangle, \dots, \langle pk_n, sk_n\rangle\} \xleftarrow{R} \mathsf{KeyGen}(),\ \sigma \xleftarrow{R} F^{S}(m, sk_i, \langle pk_1, pk_2, \dots, pk_n\rangle)\Big]. \]
The probability is taken over the coin tosses of the key generation algorithm, of the oracles and of the forger. The forger is additionally constrained in that its forgery on a message m must be non-trivial: it must not previously have queried the oracle S at m.

Definition 1. A non-interactive deniable ring authentication signature forger F (t, q_H, q_S, ε)-forges a non-interactive deniable ring authentication signature if: F runs in time at most t; F makes at most q_H queries to the hash function and at most q_S queries to the oracle S; and Adv^{DSigF}_F is at least ε. A non-interactive deniable ring authentication scheme is (t, q_H, q_S, ε)-secure against existential forgery if no forger (t, q_H, q_S, ε)-breaks it.

3 Generic Construction of Non-Interactive Deniable Ring Authentication Schemes

In this section, we provide a generic construction of non-interactive deniable ring authentication schemes from ring signature schemes. Before proceeding with the generic construction, we review ring signature schemes and chameleon hashing to fix the notation used in this section.

3.1 Ring Signature Schemes

We use the notation proposed in [1] to define ring signature schemes. We note that ring signature schemes are referred to as 1-out-of-n signatures in [1].

Definition 2. [1] A ring signature scheme consists of three polynomial-time algorithms:
– (sk, pk) ← G(1^κ): a probabilistic algorithm that takes a security parameter κ and outputs a private key sk and a public key pk.
– σ ← S(m, sk, L): a probabilistic algorithm that takes a message m, a secret key sk and a list L of public keys including the one that corresponds to sk, and outputs a signature σ.
– {True or ⊥} ← V(m, σ, L): a deterministic algorithm that takes a message m, a signature σ and a list of public keys L, and outputs either True or ⊥, meaning accept or reject, respectively.
It is required that True ← V(m, S(m, sk, L), L) with overwhelming probability. A ring that allows a mixture of factorization-based and discrete-log-based public keys has been constructed in [1].

3.2 Chameleon Hashing

A chameleon hash function is associated with a user U_i who has published a public hashing key H_{U_i} and holds the corresponding secret key (i.e. the trapdoor for finding collisions), denoted sk_{U_i}. We abuse the notation sk in this context, because sk is basically a secret key generated via a key generation algorithm by U_i; the public (hashing) key H_{U_i} defines the chameleon hash function, denoted CHAM_HASH_{U_i}(·, ·), which can be computed efficiently given the value of H_{U_i} [18]. The properties of CHAM_HASH_{U_i}(·, ·) are as follows [18].
– On input a message m and a random string r, CHAM_HASH_{U_i}(m, r) generates a hash value h.
– The hash value h ← CHAM_HASH_{U_i}(m, r) satisfies the following properties.
  • Collision Resistance: there is no efficient algorithm that, on input the public key H_{U_i}, finds pairs (m_1, r_1) and (m_2, r_2) with m_1 ≠ m_2 such that CHAM_HASH_{U_i}(m_1, r_1) = CHAM_HASH_{U_i}(m_2, r_2) with non-negligible probability.
  • Trapdoor Collisions: given the secret trapdoor information sk together with (m_1, r_1) and an arbitrary message m_2, there is an efficient algorithm that finds r_2 such that CHAM_HASH_{U_i}(m_1, r_1) = CHAM_HASH_{U_i}(m_2, r_2) with overwhelming probability.
  • Uniformity: for a randomly chosen r, all messages m induce the same probability distribution on CHAM_HASH_{U_i}(m, r).
Concrete examples of chameleon hash functions have been developed in [18] and [8]. In the following, we recall the chameleon hash function constructed in [18], which is based on the hardness of the discrete logarithm. In the setup phase, U_i generates two primes p and q such that q | p − 1, where q is a large enough prime factor. Then an element g ∈ Z_p^* with ord_p(g) = q is chosen. The private key sk is a random x ∈ Z_q^*. The public key H_{U_i} is y = g^x (mod p). We note that p, q, g are implicit parts of the public key. The chameleon hash function CHAM_HASH_{U_i}(m, r) is defined as follows. For a given message m ∈ Z_q^*, choose a random value r ∈ Z_q^* and set
\[ \mathrm{CHAM\_HASH}_{U_i}(m, r) = g^{m} y^{r} \pmod p. \]
We note that the above chameleon hash function is collision resistant for any U_j ≠ U_i. U_i can always take any other message m̂ ≠ m and compute the appropriate r̂ giving the same hash value, because he knows x and can easily solve
\[ m + x r \equiv \hat m + x \hat r \pmod q \]
for r̂.

3.3 Generic Construction for Non-Interactive Deniable Ring Authentication

In this section, we proceed with our generic construction of non-interactive deniable ring authentication from any ring signature scheme. The conversion is defined as follows. (Let CHAM_HASH_V(·, ·) be the chameleon hash function published by the verifier V.)
1. Define
\[ \mathsf{DSign}(m, sk, L) \;\stackrel{\Delta}{=}\; \begin{cases} h \leftarrow \mathrm{CHAM\_HASH}_V(m, r), & \text{for a random } r, \\ \sigma_1 \leftarrow \mathcal{S}(h, sk, L), \\ \sigma \leftarrow (\sigma_1 \,\|\, r). \end{cases} \]
We define the signature of message m to be σ.
2. Define
\[ \mathsf{DVerify}(m, \sigma, L) \;\stackrel{\Delta}{=}\; \begin{cases} (\sigma_1 \,\|\, r) \leftarrow \sigma, \\ h \leftarrow \mathrm{CHAM\_HASH}_V(m, r), \\ \mathrm{Result} \leftarrow \mathcal{V}(h, \sigma_1, L). \end{cases} \]
The result of the verification is Result ← DVerify(m, σ, L), which is either True or ⊥, meaning accept or reject, respectively.

The resulting signature is non-transferable. We note that the resulting non-interactive deniable ring authentication does not allow the verifier V to convince any third party about this fact, due to the use of chameleon hashing in the above scheme. Since V knows the secret key sk used in CHAM_HASH_V(m, r), he can always generate another pair (m̂, r̂), for m̂ ≠ m, that passes verification with the same ring signature σ_1, i.e. DVerify(m̂, (σ_1 ‖ r̂), L) = True. The resulting signature provides signer ambiguity: it is straightforward to see that signer ambiguity is inherited from the original ring signature used in the conversion. The resulting non-interactive deniable ring authentication scheme is existentially unforgeable iff the underlying ring signature scheme is existentially unforgeable; it is straightforward to see that the existential unforgeability of the underlying ring signature scheme results in the existential unforgeability of the resulting non-interactive deniable ring authentication scheme.

3.4 An Example

We present a sample conversion of the ring signature scheme proposed in [3] into a non-interactive deniable ring authentication scheme as described in the previous section. We follow the setting of the original ring signature proposed in [3]. There is a set U of users, where each user u ∈ U has a signing key pair (PK_u, SK_u). The ring signature is constructed from bilinear maps. Recall that g_1, g_2 are generators of groups G_1, G_2 respectively, e : G_1 × G_2 → G_T is a bilinear map, and a computable isomorphism ψ : G_1 → G_2 exists with ψ(g_1) = g_2. There is a full-domain hash function h : {0, 1}* → G_2. The security analysis considers h as a random oracle [3]. In the following, we use the chameleon hash function CHAM_HASH_V(m, r) = g^m y^r (mod p) as defined in [18]. We assume the verifier V publishes this chameleon hash function and keeps the secret key x = log_g(y). The non-interactive deniable ring authentication is defined as follows.

Key Generation. For any user u ∈ U, pick a random x̄ ∈_R Z_p and compute v = g_1^{x̄}. The user's public key is v ∈ G_1 and the user's secret key is x̄ ∈ Z_p.

Non-Interactive Ring Signing. Given public keys v_1, ⋯, v_n ∈ G_1, a message m ∈ Z_p and a private key x̄ corresponding to one of the public keys v_s for some s, do the following.
1. Choose a random r ∈ Z_p and compute ĥ = h(CHAM_HASH_V(m, r)).
2. Choose random a_i ∈ Z_p for all i ≠ s.
3. Set
\[ \sigma_s = \Big( \hat h \Big/ \psi\Big( \prod_{i \neq s} v_i^{a_i} \Big) \Big)^{1/\bar x}. \]
4. For all i ≠ s, set σ_i = g_2^{a_i}.
The signature is (m, r, σ), where σ = ⟨σ_1, σ_2, ⋯, σ_n⟩ ∈ G_2^n.

Non-Interactive Ring Verification. Given public keys v_1, ⋯, v_n ∈ G_1, a message m ∈ Z_p, a ring signature σ and r, compute ĥ = h(CHAM_HASH_V(m, r)) and verify that
\[ e(g_1, \hat h) = \prod_{i=1}^{n} e(v_i, \sigma_i). \]

Completeness. It is easy to show that a signature produced by the non-interactive ring signing algorithm verifies under the non-interactive ring verification algorithm, using the bilinearity and non-degeneracy of the pairing e.

Designated Signature. It is also easy to see that the verifier V can be convinced of the correctness of the signature σ, but no one else can be convinced of this fact, because V can replace the message m with any message m′ ≠ m of his choice and find the appropriate r′ ≠ r, since V knows the secret key x = log_g(y).
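The conversion of Section 3.3, run end to end as an added example (this is not code from the paper, and it is not the pairing-based instance of [3] above). It uses the discrete-log chameleon hash of Section 3.2 and, as the underlying ring signature S/V, a Schnorr-type 1-out-of-n ring signature in the style of [1] rather than the pairing scheme, so that it runs on the Python standard library alone. Assumed here and not taken from the paper: the Schnorr group is generated at toy size (160-bit q) so the block runs quickly, H(·) is SHA-256 reduced mod q, and the message is mapped into Z_q before hashing, as the paper suggests by replacing m with H(m). The last function shows a caveat the paper does not discuss: the two colliding pairs that give V his deniability also reveal V's trapdoor x, which follows directly from solving m + xr ≡ m̂ + xr̂ (mod q) for x.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; used only to generate parameters."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def schnorr_group(qbits=160):
    """(p, q, g): q prime, q | p-1, ord_p(g) = q.  Toy size for speed; use 2048-bit p in practice."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            for k in range(2, 20000, 2):                 # p = k*q + 1 with k even
                p, g = k * q + 1, pow(2, k, k * q + 1)    # 2^k has order q unless it is 1
                if g != 1 and is_probable_prime(p):
                    return p, q, g

def hash_to_zq(q, *parts):
    """The paper's H(.): SHA-256 over length-prefixed parts, reduced mod q."""
    enc = [x if isinstance(x, bytes) else str(x).encode() for x in parts]
    digest = hashlib.sha256(b"".join(len(b).to_bytes(4, "big") + b for b in enc)).digest()
    return int.from_bytes(digest, "big") % q

class ChameleonHash:
    """CHAM_HASH_V(m, r) = g^m y^r mod p of [18]; V keeps the trapdoor x = log_g y."""
    def __init__(self, group):
        self.p, self.q, self.g = group
        self.x = secrets.randbelow(self.q - 1) + 1
        self.y = pow(self.g, self.x, self.p)            # published hashing key
    def digest(self, m, r):
        m_q = hash_to_zq(self.q, b"msg", m)             # m replaced by H(m) in Z_q
        return pow(self.g, m_q, self.p) * pow(self.y, r, self.p) % self.p
    def collide(self, m, r, m_new):
        """r' with CHAM_HASH(m_new, r') = CHAM_HASH(m, r): solve m + xr = m' + xr'."""
        m_q, m2_q = hash_to_zq(self.q, b"msg", m), hash_to_zq(self.q, b"msg", m_new)
        return (r + (m_q - m2_q) * pow(self.x, -1, self.q)) % self.q

def ring_sign(group, h, sk, L):
    """S(h, sk, L): Schnorr-type 1-out-of-n ring signature, c_{i+1} = H(L, h, g^{z_i} y_i^{c_i})."""
    p, q, g = group
    n, s = len(L), L.index(pow(g, sk, p))
    c, z = [0] * n, [0] * n
    alpha = secrets.randbelow(q - 1) + 1
    c[(s + 1) % n] = hash_to_zq(q, b"ring", *L, h, pow(g, alpha, p))
    for i in [(s + 1 + k) % n for k in range(n - 1)]:     # every i != s, in ring order
        z[i] = secrets.randbelow(q)
        c[(i + 1) % n] = hash_to_zq(q, b"ring", *L, h, pow(g, z[i], p) * pow(L[i], c[i], p) % p)
    z[s] = (alpha - c[s] * sk) % q                        # closes the ring: g^{z_s} y_s^{c_s} = g^alpha
    return c[0], z

def ring_verify(group, h, sig, L):
    """V(h, sig, L): walk the ring once from c_0 and check that it closes."""
    p, q, g = group
    c = sig[0]
    for y, zi in zip(L, sig[1]):
        c = hash_to_zq(q, b"ring", *L, h, pow(g, zi, p) * pow(y, c, p) % p)
    return c == sig[0]

def dsign(group, ch, m, sk, L):
    """DSign(m, sk, L) of Section 3.3: ring-sign CHAM_HASH_V(m, r) and append r."""
    r = secrets.randbelow(ch.q)
    return ring_sign(group, ch.digest(m, r), sk, L), r

def dverify(group, ch, m, sigma, L):
    """DVerify(m, sigma, L): recompute h from (m, r), then verify the ring signature."""
    return ring_verify(group, ch.digest(m, sigma[1]), sigma[0], L)

def trapdoor_from_collision(ch, m, r, m2, r2):
    """Caveat: two colliding pairs give x = (m - m2) / (r2 - r) mod q to anyone who sees them."""
    m_q, m2_q = hash_to_zq(ch.q, b"msg", m), hash_to_zq(ch.q, b"msg", m2)
    return (m_q - m2_q) * pow((r2 - r) % ch.q, -1, ch.q) % ch.q

def demo():
    group = schnorr_group()
    verifier = ChameleonHash(group)                          # V publishes y, keeps x
    sks = [secrets.randbelow(group[1] - 1) + 1 for _ in range(4)]   # ad hoc ring of 4
    L = [pow(group[2], sk, group[0]) for sk in sks]
    m, m2 = b"constructed: the committee vote was rigged", b"constructed: nothing happened"
    sigma = dsign(group, verifier, m, sks[2], L)             # member 2 signs for the ring
    r2 = verifier.collide(m, sigma[1], m2)                   # V alone re-targets sigma_1 to m2
    leaked = trapdoor_from_collision(verifier, m, sigma[1], m2, r2) == verifier.x
    return (dverify(group, verifier, m, sigma, L), dverify(group, verifier, m2, (sigma[0], r2), L),
            leaked, dverify(group, verifier, m2, sigma, L))
```

demo() returns (True, True, True, False): the designated verifier accepts, he alone can re-target the same ring signature to a message of his choosing (so a third party shown (m, σ) learns nothing V could not have produced himself), the unmodified σ does not verify for the other message, and if V ever publishes both (m, r) and (m̂, r̂) anyone recovers x and can forge for V's hash function from then on. A deployment should therefore treat each published collision as a one-shot exposure of the trapdoor, or use a chameleon hash designed not to leak its key on collision.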

4 An Extension: Non-Interactive Deniable Ring to Threshold Ring Authentication Schemes

Consider a case where a member of an ad hoc group would like to reveal information on behalf of the group to a designated group of people. We call this case deniable ring to ring authentication. We require that the people in the designated group cannot forward the message to convince a third party about this fact. When t verifiers (or recipients) are required to collaborate to forge the message-signature pair, we call this deniable ring to threshold (t, n) ring authentication. We define deniable ring to threshold (t, n) ring authentication schemes as follows.

Definition 3. Deniable ring to threshold (t, n) ring authentication schemes (DTTR(t, n)) allow any participant in a ring S to authenticate a message m ∈ {0, 1}* on behalf of the ad hoc group S, convincing a group of verifiers V of the authenticity of m, where S ∩ V = ∅. However, the verifiers cannot convince any third party outside V about this fact, because any t out of the n verifiers in V can create such a message-signature pair by themselves.

Definition 4. In a DTTR(t, n) scheme, if n − t + 1 verifiers agree that they have not altered the authenticated message, then they can be convinced that the message was indeed authenticated by the ring S.

The setup procedure of DTTR(t, n) schemes is as follows. We assume that the participants have published their public keys. The public keys are generated via a standard public key generation algorithm. A ring S contains any subset of participants S_1, S_2, …. The verifier of the message, V = {V_1, V_2, ⋯, V_n}, is a set of participants with S ∩ V = ∅. We require that each verifier V_i has published a chameleon hash function H_i (that can be used by the signers in S). We assume that the verifiers and the authenticators have access to the public keys of all members S_i ∈ S and V_i ∈ V. Each signer S_i ∈ S can sign a message on behalf of the ring S, and this message will be designated to V. Each verifier V_i ∈ V can verify an authenticated message non-interactively, without any help from S. We require the authenticated message to be designated, which means that no third party outside V can be convinced that the authenticated message has indeed been signed by S. The reason is that t-out-of-n verifiers can collaborate and create any valid message-signature pair themselves.

As in the standard definition of ring signature schemes, we require no setup procedure for the signers S to form the ring, and no setup procedure for the construction of the verifiers V. We note that this requirement enables these schemes to be used in an ad hoc environment.

4.1 Constructing Non-Interactive DTTR(t, n) Schemes

Inspired by the original idea mentioned earlier, we can obtain a non-interactive DTTR(t, n) scheme as follows. We incorporate the idea of cumulative arrays [16, 22] in this scheme. The signature generation phase consists of two stages: 1) hash function generation and 2) signature generation.

Hash Function Generation

Step 1. Generating the Cumulative Array. We assume that each verifier V_i ∈ V has published a chameleon hash function CHAM_HASH_{V_i}(m, r) = g^m y_i^r (mod p) as before. Each verifier V_i holds the associated secret key x_i = log_g(y_i). To construct a non-interactive DTTR(t, n) scheme, the signer in S first generates a cumulative array for Γ, where Γ denotes the access structure, i.e. the set of authorized subsets. A cumulative scheme for Γ is a map α : V → 2^F, where F is a finite set, such that for any A ⊆ V,
\[ \bigcup_{V_i \in A} \alpha_i = F \iff A \in \Gamma, \]
where α_i = α(V_i). We can represent the scheme as a |V| × |F| cumulative array C(Γ) = [c_{ij}], where each entry c_{ij} is either 0 or 1 such that
\[ c_{ij} = 1 \iff V_i \in A_j, \]
where A_j is the authorized subset labelling column j.

Example 1. Suppose V = {V_1, V_2, V_3, V_4} and S_i ∈ S would like to set up a (2, 4) scheme. Then he will define the following cumulative array, whose columns are the 2-subsets of V:

        V1V2  V1V3  V1V4  V2V3  V2V4  V3V4
  V1      1     1     1     0     0     0
  V2      1     0     0     1     1     0
  V3      0     1     0     1     0     1
  V4      0     0     1     0     1     1

We note that each column V_iV_j, i ≠ j, contains exactly two 1's, because the threshold is t = 2 in this example.

Example 2. For the same V, if S_i ∈ S would like to set up a (3, 4) scheme, the cumulative array is defined as follows:

        V1V2V3  V1V2V4  V1V3V4  V2V3V4
  V1       1       1       1       0
  V2       1       1       0       1
  V3       1       0       1       1
  V4       0       1       1       1

Step 2. Generating the Hash Function. Next, the columns of the cumulative array are renamed r_1, ⋯, r_{\binom{n}{t}}. Finally, the hash function is defined as
\[ H\big(m, r_1, \dots, r_{\binom{n}{t}}\big) = g^{m} \prod_{i=1}^{n} y_i^{\,\sum_{j : c_{ij} = 1} r_j} \pmod p. \]

Example 3. In Example 1, the cumulative table is rewritten as

        V1V2  V1V3  V1V4  V2V3  V2V4  V3V4
         r1    r2    r3    r4    r5    r6
  V1      1     1     1     0     0     0
  V2      1     0     0     1     1     0
  V3      0     1     0     1     0     1
  V4      0     0     1     0     1     1

and the hash function H(m, r_1, r_2, r_3, r_4, r_5, r_6) is defined as
\[ H(m, r_1, r_2, r_3, r_4, r_5, r_6) = g^{m}\, y_1^{r_1 + r_2 + r_3}\, y_2^{r_1 + r_4 + r_5}\, y_3^{r_2 + r_4 + r_6}\, y_4^{r_3 + r_5 + r_6} \pmod p. \]
Similarly, the hash function in Example 2 is defined as
\[ H(m, r_1, r_2, r_3, r_4) = g^{m}\, y_1^{r_1 + r_2 + r_3}\, y_2^{r_1 + r_2 + r_4}\, y_3^{r_1 + r_3 + r_4}\, y_4^{r_2 + r_3 + r_4} \pmod p. \]

Signature Generation. After defining the hash function H(m, r_1, ..., r_{C(n,t)}), Si ∈ S generates a signature as follows (note: L is the collection of public keys of S):

$$\begin{aligned}
h &\leftarrow H\bigl(m, r_1, \dots, r_{\binom{n}{t}}\bigr), \quad \text{for randomly chosen } r_1, \dots, r_{\binom{n}{t}} \\
\sigma_1 &\leftarrow S(h, sk_i, L) \\
\sigma &\leftarrow \bigl(\sigma_1 \,\|\, r_1 \,\|\, \cdots \,\|\, r_{\binom{n}{t}}\bigr)
\end{aligned}$$

The signature σ is sent to the verifiers. We note that the definition of the hash function H(m, r_1, ..., r_{C(n,t)}) is public.

Signature Verification. To verify a signature, anyone can perform the following:

$$\begin{aligned}
\bigl(\sigma_1 \,\|\, r_1 \,\|\, \cdots \,\|\, r_{\binom{n}{t}}\bigr) &\leftarrow \sigma \\
h &\leftarrow H\bigl(m, r_1, \dots, r_{\binom{n}{t}}\bigr) \\
\text{Result} &\leftarrow V(h, \sigma_1, L)
\end{aligned}$$

The result of the verification is either True or ⊥, meaning accept or reject, respectively. The soundness and completeness of the scheme can be derived easily as before.

Theorem 1. In the non-interactive DTTR (t, n) scheme defined above, the verifiers V cannot convince any third party of the authenticity of the signature σ, because any collusion of t-out-of-n verifiers can create a valid message-signature pair by themselves.

Proof. From the definition of the hash function H(m, ·) above, a collusion of any t-out-of-n verifiers in V (who know the associated secret keys x_i = log_g(y_i)) can always find a valid message-signature pair after seeing a valid message-signature pair, since they have a common r_j in the hash function. To be more precise, we illustrate this as follows. Consider a valid message-signature pair (m, σ) that was signed by Si ∈ S for verifiers {V1, ..., Vn}. The message was signed using the following hash function

$$H\bigl(m, r_1, \dots, r_j, \dots, r_{\binom{n}{t}}\bigr) = g^{m} \prod_{i=1}^{n} y_i^{\sum_{\forall k,\ c_{ik}=1} r_k} \pmod p$$

for j ∈ {1, ..., C(n, t)}. We note that the verifiers obtain the following equation

$$\gamma = m + \sum_{i=1}^{n} \left[ x_i \left( \sum_{\forall k,\ c_{ik}=1} r_k \right) \right] \pmod q$$

for an integer γ. However, t colluders only know t secret keys x_i = log_g(y_i). We also note that, due to the construction of the cumulative array C(Γ), any t out of n verifiers share a common r_j. Therefore, the colluders can also obtain

$$\hat{\gamma} = m + \left[ \sum_{\forall i,\ V_i \text{ colludes}} x_i\, r_j \right] \pmod q$$

for γ̂ ∈ Z_q. Knowing the value of r_j and m, they can easily compute γ̂, and choose any message m' ≠ m with the associated r_j' ≠ r_j, i.e. the r_j' that yields the same γ̂ for m'. It is easy to see that the new message-signature pair (m', σ'), where σ' contains r_1, r_2, ..., r_j', ..., r_{C(n,t)}, is valid under the same verification algorithm.
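The following Python program is an added example, not code from the paper: it builds the cumulative array C(Γ) of Step 1 for a general (t, n) threshold (columns indexed by the t-subsets of V in lexicographic order, which reproduces the tables of Examples 1 and 2), evaluates the hash H(m, r_1, ..., r_{C(n,t)}) of Step 2, and carries out the collision used in the proof of Theorem 1, where t colluding verifiers holding their x_i shift the r_j of their shared column so that H(m', ...) = H(m, ...). The group parameters p = 2039, q = 1019, g = 4, the message encoding as an element of Z_q and all function names are assumptions made for illustration; the ring signature S/V that signs h is left abstract, since σ_1 is a ring signature on h and is reused unchanged by the colluders. With t = n the array collapses to a single all-ones column, so the same routine also covers the ring-to-ring case.

```python
# Added example (not from the paper): the cumulative array C(Gamma) of
# Step 1, the hash H(m, r_1, ..., r_C) of Step 2, and the collision used in
# the proof of Theorem 1, over a constructed toy group.  The ring signature
# S/V that signs h is left abstract: sigma_1 is a ring signature on h and is
# reused unchanged by the colluders.
from itertools import combinations
import secrets

# Constructed toy parameters (assumption, far too small for real use):
# p = 2q + 1 is a safe prime and g = 4 generates the subgroup of order q.
P = 2039
Q = 1019
G = 4


def cumulative_array(n, t):
    """Cumulative array for the (t, n) threshold access structure.

    Rows are the verifiers V_1..V_n, columns the C(n, t) minimal authorized
    sets (the t-subsets of V) in lexicographic order, and c_ij = 1 iff V_i
    belongs to the j-th subset.  Returns the 0/1 matrix and the column labels
    (tuples of 0-based verifier indices).
    """
    cols = list(combinations(range(n), t))
    matrix = [[1 if i in col else 0 for col in cols] for i in range(n)]
    return matrix, cols


def keygen(n):
    """Each verifier V_i publishes y_i = g^{x_i} mod p and keeps x_i."""
    xs = [1 + secrets.randbelow(Q - 1) for _ in range(n)]
    ys = [pow(G, x, P) for x in xs]
    return xs, ys


def dttr_hash(m, rs, ys, C):
    """H(m, r_1..r_C) = g^m * prod_i y_i^(sum_{j: c_ij = 1} r_j)  (mod p).

    m is taken as an element of Z_q, as in the paper's chameleon hash; a
    real deployment would first map the message into Z_q with a hash.
    """
    h = pow(G, m % Q, P)
    for i, y in enumerate(ys):
        exponent = sum(r for j, r in enumerate(rs) if C[i][j] == 1) % Q
        h = h * pow(y, exponent, P) % P
    return h


def sign_hash(m, ys, C):
    """Signer side of Step 2: pick one random r per column and hash.

    The returned h is what the underlying ring signature S(h, sk_i, L) is
    computed over; sigma = (sigma_1 || r_1 || ... || r_C).
    """
    rs = [secrets.randbelow(Q) for _ in C[0]]
    return dttr_hash(m, rs, ys, C), rs


def collude(m, rs, m_new, colluders, xs, C, cols):
    """Collision from the proof of Theorem 1.

    The t colluders are exactly one column j of C(Gamma), so r_j appears in
    the exponent of every colluder's y_i and of nobody else's.  Writing
    S = sum of the colluders' x_i, the part of the exponent they control is
        gamma_hat = m + S * r_j   (mod q),
    and keeping gamma_hat fixed for a new message m' gives
        r_j' = r_j + (m - m') * S^{-1}   (mod q).
    Returns the new randomness vector; dttr_hash(m', rs') == dttr_hash(m, rs).
    """
    j = cols.index(tuple(sorted(colluders)))
    s = sum(xs[i] for i in colluders) % Q
    if s == 0:
        raise ValueError("sum of colluders' secret keys is 0 mod q; no inverse")
    new_rs = list(rs)
    new_rs[j] = (rs[j] + (m - m_new) * pow(s, -1, Q)) % Q
    return new_rs


def print_array(C, cols):
    """Render the array in the layout of the paper's Examples 1 and 2."""
    print("      " + "  ".join("".join(f"V{i + 1}" for i in col) for col in cols))
    for i, row in enumerate(C):
        cells = "  ".join(str(c).center(2 * len(col)) for c, col in zip(row, cols))
        print(f"V{i + 1}    {cells}")


if __name__ == "__main__":
    n, t = 4, 2
    C, cols = cumulative_array(n, t)
    print_array(C, cols)                        # the table of Example 1
    xs, ys = keygen(n)
    m = 42
    h, rs = sign_hash(m, ys, C)
    # V_2 and V_3 collude (0-based indices 1 and 2): they share column V2V3.
    rs_forged = collude(m, rs, 777, [1, 2], xs, C, cols)
    print(dttr_hash(777, rs_forged, ys, C) == h)    # True: sigma_1 verifies for m' = 777
```

The choice g = 4 works because 4 is a square modulo the safe prime p, so it lies in the subgroup of prime order q; every y_i = g^{x_i} then has order q and exponents can be reduced modulo q, which is what makes the shift of r_j exact. The column labels returned by cumulative_array are what lets collude locate the single column shared by the colluders; that the column contains the colluders and nobody else is exactly the property of C(Γ) the proof relies on.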

4.2 A Special Case: Non-Interactive Deniable Ring-to-Ring Authentication Schemes

A special case of the non-interactive DTTR (t, n) scheme is the non-interactive deniable ring to (n, n) ring authentication, or simply deniable ring-to-ring authentication. In this scheme, the setting is the same as in the DTTR (t, n) scheme. However, if the verifiers would like to create another valid message-signature pair, then a collusion of all n verifiers in V is required. To design a ring-to-ring authentication scheme, we can use the same method as before. However, since we require that only the collusion of all verifiers can create a valid message-signature pair, the hash function can be simplified as follows:

$$H(m, r) = g^{m}\, y_1^{r}\, y_2^{r} \cdots y_n^{r} \pmod p.$$

We note that according to Definition 4, any verifier in V can be convinced of the authenticity of the message if he/she has not modified the message m.

5 Conclusion

We introduced Non-Interactive Deniable Ring Authentication schemes, which allow a user in an ad hoc mode to designate his signature to a third party. We defined precise security notions for such schemes and proposed a way to convert any ring signature scheme into such a scheme. We note that in our construction, the length of the signature is the same as the length of the underlying ring signature used in the conversion plus a random number (cf. [19]). We also presented an extension of this notion, namely Non-Interactive Deniable Ring to Threshold Ring Authentication, that allows a user in ad hoc mode to designate his signature to a group of verifiers. However, the verifiers cannot convince any other third party about this fact, because any collusion of t verifiers can always produce a valid message-signature pair. We also showed the special case t = n, which we call Deniable Ring-to-Ring Authentication schemes.

Acknowledgement

We would like to thank the anonymous referees whose comments and suggestions helped us to improve this paper.

References

1. M. Abe, M. Ohkubo, and K. Suzuki. 1-out-of-n Signatures from a Variety of Keys. Advances in Cryptology - Asiacrypt 2002, Lecture Notes in Computer Science 2501, pages 415–432, 2002.
2. G. Blakley. Safeguarding cryptographic keys. Proceedings of AFIPS 1979 National Computer Conference, 48:313–317, 1979.
3. D. Boneh, C. Gentry, B. Lynn, and H. Shacham. Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. Proceedings of Eurocrypt 2003, Lecture Notes in Computer Science 2656, pages 416–432, 2003.
4. D. Boneh, B. Lynn, and H. Shacham. Short Signatures from the Weil Pairing. Advances in Cryptology - Asiacrypt 2001, Lecture Notes in Computer Science 2248, pages 514–532, 2001.
5. G. Brassard, D. Chaum, and C. Crépeau. Minimum Disclosure Proofs of Knowledge. JCSS, 37(2), pages 156–189, 1988.
6. J. Camenisch. Efficient and generalized group signatures. Advances in Cryptology - Eurocrypt '97, Lecture Notes in Computer Science 1233, pages 465–479, 1997.
7. J. Camenisch and M. Michels. Confirmer signature schemes secure against adaptive adversaries. Advances in Cryptology - Eurocrypt 2000, Lecture Notes in Computer Science 1807, 2000.
8. D. Catalano, R. Gennaro, N. Howgrave-Graham, and P. Q. Nguyen. Paillier's Cryptosystem Revisited. ACM CCS 2001, 2001.
9. D. Chaum. Designated Confirmer Signatures. Advances in Cryptology - Eurocrypt '94, Lecture Notes in Computer Science 950, pages 86–91, 1994.
10. D. Chaum and H. van Antwerpen. Undeniable signatures. Advances in Cryptology - Crypto '89, Lecture Notes in Computer Science 435, pages 212–216, 1990.
11. D. Chaum and E. van Heyst. Group signatures. Advances in Cryptology - Eurocrypt '91, Lecture Notes in Computer Science 547, pages 257–265, 1991.
12. R. Cramer, I. B. Damgård, and B. Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. Advances in Cryptology - Crypto '94, Lecture Notes in Computer Science 839, pages 174–187, 1994.
13. C. Dwork, M. Naor, and A. Sahai. Concurrent Zero-Knowledge. Proc. 30th ACM Symposium on the Theory of Computing, pages 409–418, 1998.
14. S. Goldwasser, S. Micali, and R. Rivest. A Secure Digital Signature Scheme. SIAM Journal on Computing 17, pages 281–308, 1988.
15. M. Ito, A. Saito, and T. Nishizeki. Secret Sharing Scheme Realizing General Access Structure. Journal of Cryptology, 6:15–20, 1993.
16. W. Jackson and K. Martin. Cumulative Arrays and Geometric Secret Sharing Schemes. Advances in Cryptology - Auscrypt '92, Lecture Notes in Computer Science 718, pages 48–55, 1993.
17. M. Jakobsson, K. Sako, and R. Impagliazzo. Designated Verifier Proofs and Their Applications. Advances in Cryptology - Eurocrypt '96, Lecture Notes in Computer Science 1070, pages 143–154, 1996.
18. H. Krawczyk and T. Rabin. Chameleon hashing and signatures. Network and Distributed System Security Symposium, The Internet Society, pages 143–154, 2000.
19. M. Naor. Deniable Ring Authentication. Advances in Cryptology - Crypto 2002, Lecture Notes in Computer Science 2442, pages 481–498, 2002.
20. R. L. Rivest, A. Shamir, and Y. Tauman. How to Leak a Secret. Advances in Cryptology - Asiacrypt 2001, Lecture Notes in Computer Science 2248, pages 552–565, 2001.
21. A. Shamir. How to share a secret. Communications of the ACM, 22:612–613, November 1979.
22. G. J. Simmons, W. A. Jackson, and K. Martin. The Geometry of Shared Secret Schemes. Bulletin of the ICA, 1:71–88, 1991.
23. R. Steinfeld, L. Bull, H. Wang, and J. Pieprzyk. Universal designated-verifier signatures. Proceedings of Asiacrypt 2003, Lecture Notes in Computer Science, 2003 (to appear).