a simple deniable authentication protocol
DESCRIPTION
Deniable authentificationTRANSCRIPT
International Journal of Computer MathematicsVol. 85, No. 9, September 2008, 1315–1323
A simple deniable authentication protocol based on theDiffie–Hellman algorithm
Rongxing Lua*, Xiaodong Linb, Zhenfu Caoa, Liuquan Qina and Xiaohui Lianga
aDepartment of Computer Science and Engineering, Shanghai Jiao Tong University No. 800, Shanghai,P.R. of China; bDepartment of Electrical and Computer Engineering, University of Waterloo, Waterloo,
Ontario, Canada
(Received 03 January 2006; revised version received 27 November 2006; accepted 06 August 2007)
Deniable authentication protocol is a new authentication mechanism in secure computer communication,that not only enables an intended receiver to identify the source of a received message but also preventsa third party from identifying the source of the message. In this paper, based on the Diffie–Hellmanalgorithm, we propose a new simple deniable authentication protocol from a provably secure simple userauthentication scheme. Compared with other deniable authentication protocols, our proposed protocol notonly achieves the property of deniable authenticity, but also provides the mutual authentication betweenthe sender and the intended receiver and the confidentiality.
Keywords: user authentication scheme; deniable authentication protocol; Diffie–Hellman algorithm;bilinear pairing
CCS Category: E.3
1. Introduction
Deniable authentication protocol is a new security authentication mechanism. Compared withtraditional authentication protocols, it has the following two features: i) It enables an intendedreceiver to identify the source of a given message; ii) However, the intended receiver cannot proveto any third party the identify of the sender [2]. Just due to these two features, deniable authen-tication protocol has become a solution to some special requirements for secure communication,and a lot of relevant work [2,6,8–15] has been published in recent years.
In 1998, Dwork et al. [8] developed a notable deniable authentication protocol based on theconcurrent zero-knowledge proof, however the protocol requires a timing constraint and theproof zero-knowledge is subject to a time delay in the authentication process. Auman and Rabin[2] proposed some other deniable authentication protocols based on the factoring problem. In2001, Deng et al. [6] also proposed two deniable authentication protocols based on the factor-ing and the discrete logarithm problem, respectively. In 2002, Fan et al. [9] proposed a simple
*Corresponding author. Email: [email protected]
ISSN 0020-7160 print/ISSN 1029-0265 online© 2008 Taylor & FrancisDOI: 10.1080/00207160701622741http://www.informaworld.com
1316 R. Lu et al.
deniable authentication protocol based on the Diffie–Hellman algorithm. More recently, manynon-interactive deniable authentication protocols were also proposed [10–15].
However, when we take a closer look at these protocols, we will find that none of them hasprovided the property of confidentiality, while the confidentiality should be one important partof the overall solution for truly secure communications. Therefore, in this paper, to resolve thisproblem, we propose a new simple interactive deniable authentication protocol based on theDiffie–Hellman algorithm [7]. Our proposed protocol would achieve the following properties.
• Deniable authentication. The intended receiver can identify the source of a given message, butcannot prove the source to any third party.
• Mutual authentication. During the protocol execution, the sender and the intended receiver canprovide authentication to each other.
• Confidentialities. Any outside adversary has no ability to gain the deniable authenticationmessage from the transmitted transcripts.
The rest of this paper is organized as follows. In the next section, we first review the bilinearpairings [4] and Diffie–Hellman problems [1]. In Section 3, we present a simple user authenticationscheme and propose our simple deniable authentication protocol. Then, we discuss the securityand performance of our proposed protocol in Sections 4 and 5, respectively. Finally, we draw ourconclusions in Section 6.
2. Bilinear pairings and Diffie–Hellman problems
More recently, bilinear pairings have allowed the opening of a new territory in moderncryptography [4]. In this section, we briefly review the necessary facts used for our protocol.
2.1. Bilinear pairings
Let G, GT be two cyclic groups of the same prime order q. Let e be a computable bilinear mape : G × G → GT , which satisfies the following properties.
• Bilinear. e(P a, Qb) = e(P, Q)ab, where P, Q ∈ G and a, b ∈ Z∗q .
• Non-degenerate. There exists P, Q ∈ G such that e(P, Q) �= 1GT.
• Computability. There exists an efficient algorithm to compute e(P, Q) for all P, Q ∈ G.
We call such a bilinear map e as an admissible bilinear pairing, and the Weil or Tate pairing inelliptic curve can give a good implementation of the admissible bilinear pairing [4].
DEFINITION 2.1 (Bilinear Parameter Generator) A bilinear parameter generator Gen is a proba-bilistic algorithm that takes a security parameter k as input and outputs a 5-tuple (q, G, GT , e, g)
as the bilinear parameters, including a prime number q with |q| = k, two cyclic groups G, GT
of the same order q, an admissible bilinear map e : G × G → GT and a generator g of G.
2.2. Diffie–Hellman problems
The problems relevant to our deniable authentication protocol are of the Diffie–Hellman type,namely the Computational Diffie–Hellman (CDH) problem, the Decisional Diffie–Hellman(DDH) problem and the Hash Diffie–Hellman (HDDH) problem [1].
International Journal of Computer Mathematics 1317
DEFINITION 2.2 (CDH) Let (q, G, GT , e, g) be a 5-tuple generated by Gen(k), and let x, y ∈ Z∗q ,
the CDH problem in G is as follows: given (g, gx, gy), compute gxy .
The (t, ε)-CDH assumption holds in G if there is no algorithm A running in time at most t
such that
AdvCDHG
(A) = Pr[A(g, gx, gy) = gxy] ≥ ε
where the probability is taken over all possible choices of (x, y).
DEFINITION 2.3 (DDH) Let (q, G, GT , e, g) be a 5-tuple generated by Gen(k), and let x, y, z ∈Z
∗q , the DDH problem in G is as follows: given (g, gx, gy, gz), decide whether it is a Diffie–
Hellman tuple (g, gx, gy, gxy).
Owing to the property of bilinear, we know e(gx, gy) = e(g, gz) in GT if and only if(g, gx, gy, gz) is a Diffie–Hellman tuple. Therefore, the DDH problem in G is easy.
Since the CDH problem in G is hard and the DDH problem in G is easy, the group G is calledas a Gap Diffie–Hellman Group.
DEFINITION 2.4 (HDDH) Let (q, G, GT , e, g) be a 5-tuple generated by Gen(k), H : {0, 1}∗ →{0, 1}l be a secure cryptographic hash function, where l is a security parameter, and let x, y ∈ Z
∗q ,
h ∈ {0, 1}l , the HDDH problem in G is as follows: given (g, gx, gy, h), decide whether it is ahash Diffie–Hellman tuple (g, gx, gy, H(gxy)). If it is right, outputs ‘1’; and ‘0’ otherwise.
The (t, ε)-HDDH assumption holds in G if there is no algorithm A running in time at most t
such that
AdvHDDHG
(A) = | Pr[A(g, gx, gy, H(gxy)) = 1] − Pr[A(g, gx, gy, h) = 1]| ≥ ε,
where the probability is taken over all possible choices of (x, y, h).According to the literature [1], the hash Diffie–Hellman assumption would seem to be a much
weaker assumption than the decisional Diffie–Hellman assumption. Here, although the DDHproblem is easy in G, we have the confidence that the HDDH assumption still holds in G providedthat the hash function H : {0, 1}∗ → {0, 1}l is secure. Throughout the rest of this paper, we assumethat the HDDH problem is hard in G.
3. New deniable authentication protocol
The Diffie–Hellman algorithm [7] is a well-known key exchange protocol, which allows twoentities to agree on a shared session key over an insecure channel.Although it is not secure (againstperson-in-the-middle attack), yet, the Diffie–Hellman algorithm broke a new path in cryptography[6] and has been used as a building block for constructing a lot of complex cryptographic systems.In this section, we develop our new deniable authentication protocol based on the Diffie–Hellmanalgorithm over the Gap Diffie–Hellman Group G mentioned above. As a preliminary work, wefirst present a simple user authentication scheme in the following.
3.1. Simple user authentication scheme
Let (q, G, GT , e, g) be a 5-tuple generated by the bilinear parameter generator Gen(k), and letH : {0, 1}∗ → {0, 1}l be a secure cryptographic hash function, where l is security parameter.
1318 R. Lu et al.
Table 1. A simple user authentication scheme.
U (Yu, xu) RS (remote server)
IDu− − − − − − − − −− →R0← − − − − − − − − −− R0 = gr , R1 = Y r
u
R′0 = R
xu0
h = H(IDu, R0, R′0)
hu− − − − − − − − −− →h
?= H(IDu, R0, R1)
Assume that a user U , who holds the public key and private key pair (Yu = gxu, xu ∈ Z∗q), wants
to enter a remote server RS, as shown in Table 1, they should execute the following steps.
Step 1 When the user U wants to enter the remote server RS, he first sends his identity IDu to RS.
Step 2 RS then chooses a random number r ∈ Z∗q , computes R0 = gr , R1 = Y r
u , and sends R0
back to the user U .
Step 3 User U then uses his private key xu to compute R′0 = R
xu
0 and h = H(IDu, R0, R′0).
Finally, U sends h to RS.
Step 4 Upon receiving h, RS verifies it by checking the equality h = H(IDu, R0, R1). If it doeshold, the user U will be authenticated; otherwise, rejected, since R1 = R′
0 = gxur .
3.2. Proposed deniable authentication protocol
Based on the simple user authentication scheme as mentioned above, we now propose our simpledeniable authentication protocol. Our proposed protocol involves two entities: a sender S and anintended receiver R.
As in the user authentication scheme, let (q, G, GT , e, g) be a 5-tuple generated by the bilinearparameter generatorGen(k), and letH : {0, 1}∗ → {0, 1}l be a secure cryptographic hash function,where l is a security parameter. The public key and private key pairs of the sender S and the receiverR are (Ys, xs) and (Yr , xr) respectively, where xs, xr ∈ Z
∗q and Ys = gxs , Yr = gxr .
Our simple deniable authentication protocol, as shown in Table 2, is then described as follows.
Step 1 The sender S chooses a random number u ∈ Z∗q and computes U = gu, U ′ = Yu
r andthen sends his/her identity IDs and U to the receiver R.
Table 2. Proposed simple deniable authentication protocol.
Sender: S (Ys , xs) Receiver: R (Yr , xr )
U = gu, U ′ = Yur
IDs ,U− − − − − − − − −− →V = gv , V ′ = Y v
s , U ′′ = Uxr
V,h1← − − − − − − − − −− h1 = H(IDr , U, U ′′, V )
h1?= H(IDr , U, U ′, V )V ′′ = V xs
h2 = H(V ′′) ⊕ M
h3 = H(IDs, V, V ′′, M)h2,h3− − − − − − − − −− →
M = h2 ⊕ H(V ′)h3
?= H(IDs, V, V ′, M)
International Journal of Computer Mathematics 1319
Step 2 R chooses a random number v ∈ Z∗q and computes V = gv , V ′ = Y v
s . R also uses his/herprivate key xr to compute U ′′ = Uxr , h1 = H(IDr, U, U ′′, V ) and sends (V , h1) to S.
Step 3 S checks the equality h1 = H(IDr, U, U ′, V ). If it holds, S is authenticated and V isaccepted; otherwise rejected, since U ′ = U ′′ = guxr .
Step 4 When S wants to send a deniable message M ∈ {0, 1}l , he/she first computes V ′′ = V xs
and sends both h2 and h3 to R, where h2 = H(V ′′) ⊕ M and h3 = H(IDs, V, V ′′, M).
Step 5 R recovers M by computing h2 ⊕ H(V ′) and verifies its validity by checkingequality h3 = H(IDs, V, V ′, M). If it holds, M will be accepted; otherwise rejected, sinceV ′ = V ′′ = gxsv .
4. Security analysis
In this section, we give the security analysis of our proposed deniable authentication protocol andshow that it satisfies the properties of mutual authentication, confidentiality and deniability.
4.1. Security analysis on simple user authentication scheme
To prove that our proposed deniable authentication protocol achieves the mutual authenticationbetween the sender and the intended receiver, we first show that the simple user authenticationscheme in Section 3.1 is secure.
Formal security notion
According to the resources and capabilities that an adversary may gain in most practical applicationscenarios, we provide a formal definition of user authentication schemes. Concretely, it is definedby the following game between an adversary A and a challenge C.
Setup:On input of security parameters,C runs the algorithm to generate the system parametersand public key and private key pairs (pki, ski), 1 ≤ i ≤ n, of n users U = {U1, U2, . . . , Un},and sends the system parameters and all public keys pk1, . . . , pkn to A.Corrupt Queries: A can corrupt some users in U and obtain their private keys.User authentication queries: A can also make several user authentication queries on someuncorrupted users in U .Impersonate: In the end, A impersonates an uncorrupted user in U by outputting a validlogin authentication message.The success probability of A to win the game is defined by Succ(A).
DEFINITION 4.1 We say that a user authentication scheme is secure if the probability of successof any polynomial bounded adversary A in the above game is negligible.
THEOREM 4.2 Assume that H behaves as a random oracle. Then the simple user authenticationscheme in Section 3.1 is secure provided that the CDH assumption holds in G.
Proof Assume that A is an adversary, who can, with non-negligible probability, break thesimple user authentication scheme in Section 3.1. Then, we can use A to construct another
1320 R. Lu et al.
algorithm B, which is able to break the CDH problem in G with another non-negligibleprobability.
Setup: First, algorithm B is given the system parameters (q, G, GT , e, g, H), where H :{0, 1}∗ → {0, 1}l behaves a random oracle [5], and a CDH instance (g, gx, gy) as her chal-lenge, and her task here is to compute gxy . Let U = {U1, . . . , Un} be a set of n users whomay participate in the system. B first picks a random number j from {1, 2, . . . , n}, and setsthe user Uj ’s public key Yj = gx . Then, B chooses another n − 1 random numbers xi ∈ Z
∗q
as user Ui’s secret key, where 1 ≤ i ≤ n and i �= j , and computes the corresponding publickey Yi = gxi . Finally, B sends all pubic key Y1, Y2, . . . Yn to the adversary A.Corrupt Queries: When A wants to corrupt the user Ui’s secret key, B will process asfollows:• If i = j , B has to terminate the game and reports failure, since she has no knowledge on
user Uj ’s secret key.• If i �= j , B returns the corresponding xi to A.Clearly, after qc times corrupting queries, this game does not terminate with probability1 − (qc/n), where qc < n.H Random Oracle Queries: To avoid collision and consistently respond to these randomoracle queries, B maintains list �H , which is initially empty. Assume that ‘�’ is a specialsymbol. When A makes a query on αi = 〈ID, R, R′〉, if (αi, hi) exists in �H , hi is returned;else if (〈ID, R, �〉, hi) exists and e(g, R′) = e(YID, R) (it means we find the CDH solution),then ‘�’ is set to R′ and hi is returned; otherwise B chooses a random number hi ∈ {0, 1}l ,adds (αi, hi) to �H and returns hi to A.User Authentication Queries: Since only the unilateral authentication is required in thesimple user authentication scheme, the adversary is allowed to make the user authenticationqueries.
When A chooses R = gr and launches the user Ui authentication query, B will respond asfollows.• If i = j , B chooses a random number hi ∈ {0, 1}l , adds the entry (αi = 〈IDi, R, �〉, hi)
in �H and returns hi to A. According the simulation rules of Random Oracle H describedabove, hi is appointed to the query 〈IDi, R, Rx〉, so B can always simulate the gamesuccessfully.
• If i �= j , B directly computes R′ = Rxi , makes a query of 〈IDi, R, R′〉 to Random Oracleof H . Suppose hi is returned from the query, B sends hi to A.
Impersonate: In the end, A is ready to impersonate an uncorrupted user Ui from (n − qc)
users to enter the remote server. B then responds as follows:• If i = j , B sets R = gy and sends it back to A. A then sends a login message h to B. B
then looks up the �H .(i) If for some (α = 〈IDj , R, R′〉, h) ∈ �H , e(Yj , R) = e(gx, gy) = e(g, R′), returns R′
as the CDH challenge gxy .(ii) Else A couldn’t win the game, the probability that the hash value of 〈IDj , g
y, gxy〉equals to h is at most 1/2l , when it hasn’t be queried and will be returned randomlyfrom the space {0, 1}l .
• If i �= j , B has to terminate the game, because it doesn’t help B to solve the CDH problem.
We define the success probability of A in breaking the simple authentication scheme is Succ(A)
and the advantage of B in solving the CDH problem is AdvCDH(B). Then, from the above game,we will have
Succ(A) ·(
1 − qc
n
)· 1
n − qc
− 1
2l≤ AdvCDH(B),
International Journal of Computer Mathematics 1321
That is,
AdvCDH(B) ≥ Succ(A)
n− 1
2l
This completes the proof. �
4.2. Security analysis on deniable authentication protocol
Since our proposed deniable authentication protocol is based on the simple user authenticationprotocol, we can easily prove that our protocol can achieve the mutual authentication between thesender and the intended receiver.
THEOREM 4.3 Our proposed protocol achieves the mutual authentication between the sender andthe intended receiver.
Proof According to the result of Theorem 4.2, the sender S can authenticate the receiver R inStep 3, and the receiver R also can authenticate the sender S in Step 5. Hence it follows thatour proposed protocol achieves the mutual authentication between the sender and the intendedreceiver. �
DEFINITION 4.4 Informally, a deniable authentication protocol is said to achieve the property ofconfidentiality, if there is no polynomial time algorithm that can distinguish the transcripts of twodistinct messages.
THEOREM 4.5 Our proposed protocol achieves the property of confidentiality provided that theHDDH problem is hard in G.
Proof Let us go back to observe our proposed protocol. In Step 3, the sender S can authenticatethe receiver R and the transcript V = gv as well. If we regard V = gv as the temporal public keyof R, then (Ys = gxs , h2 = H(gxsv) ⊕ M) is actually a hashed ElGamal ciphertext [16]. Using thealmost same proof technique in [16], we can easily prove that the hashed ElGamal encryption hereis also semantic security under the HDDH assumption in G. As a result, our proposed protocol canachieves the confidentiality. In addition, since h3 behaves as secure MAC, our proposed protocolalso provides the message authentication. �
THEOREM 4.6 Our proposed protocol also achieves the property of deniability.
Proof To prove that our proposed protocol has the property of deniability, we should prove thatall transcripts transmitted between the sender S and the receiver R could be simulated by thereceiver R himself.
Transcript simulation
To simulate the transcripts on message M , the receiver R chooses two random numbers u, v ∈ Z∗q
and computes as follows.⎧⎪⎨⎪⎩
U = gu, V = gv
U ′ = U ′′ = Uxr = guxr
V ′ = V ′′ = Y vs = gvxs
⎧⎪⎨⎪⎩
h1 = H(IDr, U, U ′′, V )
h2 = H(V ′′) ⊕ M
h3 = H(IDs, V, V ′′, M)
1322 R. Lu et al.
Table 3. Security properties comparisons.
Protocol [8] Protocol [7] Protocol [9] Our proposed
Deniable authentication � � � �Mutual authentication × × × �Confidentiality × × × �
Table 4. Comparisons of two deniable authentication protocols.
Protocol [9] Our proposed
Computation costs 4Expn + 2Hash + Enc + Dec 6ExpG + 6HashCommunication overheads 2368 bits 989 bits
Clearly, the transcripts (IDs, U, h2, h3) in simulation are indistinguishable from those of thesender S. As a result, the receiver R is not able to prove to a third party that the transcripts wereproduced by the sender S.
According to the receiver’s indistinguishable transcript simulation as mentioned above, ourproposed protocol also achieves the property of deniability. �
Based on the analysis above, we can conclude that our proposed protocol can achieve thedeniable authentication, mutual authentication and confidentiality. We compare our proposedprotocol with other interactive deniable authentication protocols, and the result is shown in Table 3.
5. Performance Analysis
To measure the performance of a protocol, the computational costs and the communication over-loads are two useful criteria. In this section, we compare our proposed protocol with anotherDiffie–Hellman algorithm based deniable authentication protocol [9]. To achieve the same secu-rity level, when the modular n in their protocol is 1024 bits, the group element of G in our proposedprotocol is about 171 bits (when employing any of the families of curves described in [5]).
The following notations are used for analysing the computational costs: ExpG denotes the expo-nent operation in G, Expn denotes the modular exponent operation in Z
∗n, Hash denotes the hash
function operation, Enc denotes the public key encryption operation and Dec denotes the pub-lic key decryption operation. For the convenient comparison of communication overheads, weassume that the length of identity IDs , message M and the hash value H(.) are both 160 bits, andthe ciphertext in [9] is not expanded. Then, we use Table 4 to summarise the computational costsand the communication overheads of these two protocols. As we know, ExpG is faster than Expn,Enc, Dec, when achieving the same security level. Therefore, from Table 4, we can conclude thatour proposed deniable authentication protocol is an efficient one.
6. Conclusions
In this paper, based on the Diffie–Hellman algorithm, we first presented a provably secure simpleuser authentication scheme. Then, based on the simple user authentication scheme, we proposedour simple deniable authentication protocol. Compared with other deniable authentication proto-cols, our proposed protocol can simultaneously achieve not only the deniable authentication butalso the mutual authentication between the sender and the intended receiver and the confidentiality.
International Journal of Computer Mathematics 1323
Acknowledgements
The author would like to thank the anonymous referees for their valuable comments and suggestions to improve thepresentation of this paper.
References
[1] M. Abdalla, M. Bellare, and P. Rogaway, The oracle Diffie-Hellman assumptions and an analysis of DHIES,in Topics in Cryptology - CT-RSA 2001, Vol. 2020, LNCS, 2001, pp. 143–158.
[2] Y. Aumann and M. Rabin, Authentication, enhanced security and error correcting codes, in Advances in Cryptology-Crypto’98, Vol. 1462, LNCS, 1998, pp. 299–303.
[3] M. Bellar and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in Proceedingsof the 1st CSS, 1993, pp. 62–73.
[4] D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, SIAM. J. Comput. 32 (2003),pp. 586–615.
[5] D. Boneh, B. Lynn, and H. Shacham, Short signatures from theWeil pairing, in Advances in Cryptology - Asiacrypt’01,Vol. 2248, LNCS, 2001, pp. 514–532.
[6] X. Deng, C.H. Lee, and H. Zhu, Deniable authentication protocols, IEE Proc. Comput. Digi. Tech. 148 (2001),pp. 101–104.
[7] W. Diffie and M.E. Hellman, New directions in cryptography, IEEE Trans. Info. Theory 22 (1976), pp. 644–654.[8] C. Dwork, M. Naor, and A. Sahai, Concurrent zero-knowledge, in Proceedings of 30th ACM STOC’98, 1998,
pp. 409–418.[9] L. Fan, C.X. Xu, and J.H. Li, Deniable authentication protocol based on Diffie-Hellman algorithm, Electron. Lett.
38 (2002), pp. 705–706.[10] R. Lu and Z. Cao, Non-interactive deniable authentication protocol based on factoring, Comp. Stand. Interfaces 27
(2005), pp. 401–405.[11] ———, A new deniable authentication protocol from bilinear pairings, Appl. Math. Comput. 168 (2005), pp.
954–961.[12] ———, Erratum to ‘Non-interactive deniable authentication protocol based on factoring’, Comput. Stand. Interfaces
29 (2007), p. 275.[13] R. Lu, Z. Cao, S. Wang, and H. Bao, A new id-based deniable authentication protocol, Informatica 18 (2007),
pp. 67–78.[14] Z. Shao, Efficient deniable authentication protocol based on generalized ElGamal signature scheme, Comp. Stand.
Interfaces 26 (2004), pp. 449–454.[15] Y. Shi and J. Li, Identity-based deniable authentication protocol, Electron. Lett. 41 (2005), pp. 241–242.[16] V. Shoup, Sequences of games: a tool for taming complexity in security proofs, in Cryptology ePrint Archive: Report
2004/332, 2004. Available at: http://eprint.iacr.org/2004/332.
