DOI: 10.1145/1180405.1180454

Deniable authentication and key exchange

Published: 30 October 2006

ABSTRACT

We extend the definitional work of Dwork, Naor and Sahai from deniable authentication to deniable key-exchange protocols. We then use these definitions to prove the deniability features of SKEME and SIGMA, two natural and efficient protocols which serve as the basis for the Internet Key Exchange (IKE) protocol. SKEME is an encryption-based protocol for which we prove full deniability based on the plaintext awareness of the underlying encryption scheme. Interestingly, SKEME's deniability is possibly the first "natural" application which essentially requires plaintext awareness (until now this notion has been mainly used as a tool for proving chosen-ciphertext security). SIGMA, on the other hand, uses non-repudiable signatures for authentication and hence cannot be proven to be fully deniable. Yet we are able to prove a weaker, but meaningful, "partial deniability" property: a party may not be able to deny that it was "alive" at some point in time, but can fully deny the contents of its communications and the identity of its interlocutors. We remark that the deniability of SKEME and SIGMA holds in a concurrent setting and does not essentially rely on the random oracle model.

Published in

CCS '06: Proceedings of the 13th ACM conference on Computer and communications security
October 2006
434 pages
ISBN: 1595935185
DOI: 10.1145/1180405

Copyright © 2006 ACM


Publisher

Association for Computing Machinery, New York, NY, United States

Acceptance Rates

Overall acceptance rate: 1,261 of 6,999 submissions (18%)
