A practical and communication-efficient deniable authentication with source-hiding and its application on Wi-Fi privacy


Information Sciences 516 (2020) 331–345

Contents lists available at ScienceDirect

Information Sciences journal homepage: www.elsevier.com/locate/ins

Shengke Zeng a,b,∗, Yi Mu c, Hongjie Zhang a, Mingxing He a

a School of Computer and Software Engineering, Xihua University, Chengdu 610039, China
b School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China
c Fujian Provincial Key Laboratory of Network Security and Cryptology, College of Mathematics and Informatics, Fujian Normal University, Fuzhou, Fujian, China

Article info

Article history:
Received 19 August 2019
Revised 31 October 2019
Accepted 27 December 2019
Available online 30 December 2019

Keywords: Authentication; Privacy; Deniability; Source hiding; Location privacy

Abstract

Authentication is an essential service in communication. However, the information flows transmitted during an authentication process might reveal personal information. In this paper, we propose a deniable authentication protocol with source hiding which does not reveal any private information, so the privacy of the participants is preserved. With our approach, the sender is able to deny an authentication process to any third party. The receiver cannot prove that the sender participated in this authentication, though it is sure that the sender is legitimate. We construct this protocol without using the “Encryption-then-MAC” paradigm, so the underlying building block is not required to be CCA2 secure; the result is a more realistic authentication protocol for practical privacy-preserving Internet-based applications. We also show how to apply it to Wi-Fi authentication to prevent location leakage. © 2019 Published by Elsevier Inc.

1. Introduction

Internet communication lacks trust; therefore, authentication is an essential security primitive for communication in the Internet environment. A digital signature is the traditional way to authenticate. However, the non-repudiation property of a digital signature somewhat conflicts with privacy preservation for the signer. Besides security, privacy is also a desired property. Suppose an Internet-based client-server service requires authentication. The authentication assures that the client is legitimate. However, the authentication transcript may expose sensitive (private) information, since the conversation transcript is bound to the client identity, location, service, etc. Obviously, a traditional digital signature is no longer a candidate for such an application, as it can convince anyone about the signer. Some works (e.g., [1–3,30]) have addressed privacy issues in several applications. However, how can privacy be achieved during the authentication itself? In a traditional authentication, the server can convince anyone of the client's involvement. The intuitive way to handle this problem is to make the conversation transcript not bound to any party. If the communication transcript can be simulated by anyone without the secret, no one is convinced of the participants' involvement in the conversation. Obviously, a signature algorithm is not simulatable without the secret (i.e., the signing key), otherwise unforgeability is violated. Therefore, transcript simulation (without the secret) is a useful method to achieve privacy preservation and authentication with deniability.

Deniability as an essential privacy property was formalized by Dwork, Naor and Sahai [4]. The notion of deniable authentication [4] states that the verifier is convinced that the sender has authenticated a message, while the verifier cannot convince a third party that this message was authenticated, since there is no “paper trail” of this conversation. They handled simulation-based deniability by a challenge-response method. The receiver issues a challenge (i.e., an encryption of a witness) to invoke the sender's authentication. The sender responds with an implicit reply (i.e., a commitment to the decrypted witness). On obtaining the commitment, the receiver reveals the witness. The sender, holding the opened witness, is convinced that it will be able to deny. Finally, the sender opens the commitment to the receiver to complete the authentication.

Ring signatures are a cryptographic primitive related to privacy, and they have a subtle relationship with deniable authentication. In a ring signature scheme the actual signer can choose several members to form a group. Then he generates a verifiable signature on behalf of this group. This ring signature convinces anyone that the signature was generated by a member of the group without revealing which one. Therefore, the actual signer hides himself in this group. The property of deniable authentication that distinguishes it from ring signatures is deniability. Deniable authentication can be simulated without a secret of the participants (e.g., the sender and receiver), while a ring signature is publicly verifiable and unforgeable, hence not simulatable without a signing key. Therefore, the members of the group cannot deny their involvement w.r.t. a generated ring signature.

∗ Corresponding author. E-mail address: [email protected] (S. Zeng).

https://doi.org/10.1016/j.ins.2019.12.069 0020-0255/© 2019 Published by Elsevier Inc.

S. Zeng, Y. Mu and H. Zhang et al. / Information Sciences 516 (2020) 331–345

1.1. Related work

Deniable authentication was formalized by Dwork et al. [4] and is based on encryption. The unforgeability of their authentication depends on the underlying encryption being CCA2 secure. Di Raimondo et al. [5] claimed that deniable authentication can be built from primitives other than encryption. Indeed, multi-trapdoor commitments [6] and projective hash functions [7] are used to construct simulation-based deniable authentication in [5]. Besides that, the public random oracle (pRO) [8] was employed by Jiang et al. to construct a deniable key exchange protocol [9]. The witness in the authentication can be extracted by the pRO, and hence deniability is achieved. Relying on the knowledge of exponent assumption (KEA) [10], Yao et al. constructed deniable Internet key exchange protocols [11] in which the transcripts are perfectly simulated by extracting the witness under the KEA assumption. Tian et al. resorted to a new primitive, selectively unforgeable but existentially forgeable signatures, to realize simulation-based deniability [12]. Although these approaches do not adopt the encryption paradigm (thus avoiding inefficient CCA2 secure encryption), their underlying primitives rely on stronger assumptions.

The above authentication protocols provide full deniability, which means that simulation-based deniability is realized by a simulator that anyone can run. Compared to full deniability, partially deniable authentications are always constructed with a non-interactive step. Although the communication overhead is their advantage, the simulator in partial deniability cannot be run by anyone, otherwise it would conflict with unforgeability. For example, the authentication tag in the partially deniable authentications [13,14] is calculated from the sender's secret and the receiver's public key. Therefore, no one except the receiver can simulate the authentication transcript. As a result, either the sender or the receiver is bound to the authentication. This is unfair to the sender if the receiver is accepted by the public.

Full deniability gives strong privacy. The receiver cannot convince a third party of the sender's involvement in the authentication, as the conversation transcript may have been simulated by others. However, the receiver knows the sender during the authentication. Beyond full deniability, we focus on a stronger privacy preservation. In privacy-enhanced deniable authentication, we want the sender to be anonymous even to the receiver. Naor proposed the notion of deniable ring authentication [15] by borrowing the idea of ring signatures: the actual sender is hidden in a group of members. Therefore, the receiver can only be convinced that one member of the group authenticated a message, without learning which one. Its unforgeability follows from CCA2 secure encryption, as in Dwork et al.'s construction [4], and the number of communication rounds is up to 6. Dowsley et al.'s contribution to deniable ring authentication was to reduce the rounds to 4 by using CCA2 secure verifiable broadcast encryption [16]. Although Zeng et al. constructed a deniable ring authentication with only 2 rounds [17], their scheme comes at the expense of PA-secure multi-receiver encryption and the KEA assumption, which is strong.

Note that the notion of deniable ring authentication is different from the deniable ring signature proposed by Komano [18], although they seem similar. A deniable ring signature lets a member of a ring (group) who did not sign a message run an interactive protocol to prove that he did not generate this signature, thereby denying his involvement. On the other hand, the actual signer can confirm his signing through a confirmation protocol. In deniable ring authentication, by contrast, both sender and receiver can deny their involvement in the authentication for their privacy, and the sender is even anonymous to the receiver by hiding his identity in a group of members. Therefore, deniability in the former is completely different from deniability in deniable ring authentication.


1.2. Motivation and contribution

The communication transcript can be simulated in deniable authentication, which enables privacy-preserving applications. However, in deniable authentication the sender's identity is exposed to the receiver. In order to fully protect the participants' privacy during the authentication, we focus on stronger privacy. We realize full deniability of the authentication. Moreover, the sender hides itself from the receiver during the authentication. That is, the sender can not only fully deny that the interaction ever took place but is also unknown to the receiver. Therefore our proposal is suitable for privacy-enhanced environments.

The existing approaches that realize fully deniable authentication rely on either CCA2 (even PA) secure encryption or strong assumptions (i.e., the KEA assumption, pRO, etc.). Thus, they result in inefficient and impractical applications. Following Di Raimondo et al.'s suggestion [5], constructing deniable authentication from underlying building blocks with looser requirements is more significant. Our motivation is to construct a realistic and practical deniable authentication that fits privacy-preserving Internet-based applications. Therefore, the underlying building block should have looser requirements, as Di Raimondo et al. suggested. Our privacy is realized through deniability and sender anonymity, thus we call our protocol deniable authentication with source hiding. The contribution of our work is as follows.

1. A generic construction of deniable authentication with source hiding, λDRA, is proposed to show the privacy-enhanced property. As presented above, our construction realizes full deniability and anonymity to the receiver. Our authentication is not constructed by the encryption paradigm, in which the underlying encryption algorithm must be CCA2 secure, as in [15–17]. Instead, we adopt projective hash functions to build our authentication by exploiting their specific properties. Therefore, our authentication depends on the projection and smoothness of the projective hash function, and CCA2 security is in fact not necessary. We realize anonymity by hiding the sender in a group of size N. However, the communication and computation are not proportional to N in each round. As a matter of fact, the first 3 rounds only require constant-size transcripts; the computation and communication are linear in the group size only in the last round. This is the inevitable cost of group-based hiding. Therefore, our construction is more realistic.

2. We observe that the number of communication rounds of our construction can be reduced to 2 if the receiver is honest. Indeed, reducing communication overhead is significant in some specific environments. Therefore, we present a 2-round privacy-preserving authentication protocol λDRA under the assumption that the receiver is honest. This assumption is reasonable as the Internet environment follows the client-server model. This construction is instantiated with a concrete projective hash function from the Diffie–Hellman language and a concrete NIWI proof over composite-order groups. This instantiation does not depend on stronger assumptions and also has shorter transcripts. Therefore, our extended construction is practical in some specific environments.

3. Finally, we show an application of deniable authentication with source hiding. We notice that a privacy problem inevitably exists in the Wi-Fi access procedure, and it can be handled by “deniability”. We apply our construction to Wi-Fi authentication. The actual mobile terminal obtains a valid IP address from the access point through our deniable authentication, although it is hidden in a group of members. The deniability of this authentication makes sure that the authentication transcript is simulatable. Therefore, the sender can deny its connection to a fixed access point, and location privacy is preserved.

Portions of this work have previously appeared in our conference version [19]. Compared to the preliminary version [19], we enrich this work in the following aspects. We extend the generic construction to a specific kind of application, in which the number of communication rounds can be reduced to 2. We instantiate this extension with a concrete projective hash function from the DH language and NIWI proofs. We give formal security proofs of the essential properties of the extension under specific number-theoretic assumptions. Finally, we add the application to a privacy-preserving Wi-Fi access protocol. Compared to the preliminary version, this work shows both theoretical and practical value.

1.3. Organization

This paper is organized as follows. In Section 2 we introduce preliminaries, and then the security model of deniable authentication with source hiding is formalized in Section 3. We propose a generic construction and analyze its security and efficiency in Section 4. In Section 5, we improve this generic construction to 2 rounds under the assumption of an honest receiver. We instantiate this construction, prove its security formally and simulate its performance. In Section 6, we show its application to a privacy-preserving Wi-Fi access scheme. Finally, we conclude this paper in Section 7.

2. Preliminaries

We briefly describe the building blocks in this section. For our instantiation, we employ bilinear groups of composite order, and the security of our instantiation is based on specific number-theoretic assumptions. Therefore, the basic definition of the bilinear pairing and the related assumptions are also introduced here.


2.1. Projective hash functions

Projective hash functions (PHF) are important primitives which are applied to authenticated key agreement [20,21], searchable encryption [22,23] and non-interactive commitments [24]. The notion of PHF was introduced by Cramer and Shoup [7]. The definition and properties of PHF are as follows.

2.1.1. Definition

A PHF is defined for a domain X and an NP language L where L ⊂ X. Formally, a PHF system over L is composed of the following algorithms.

• PHFSetup(1^λ): generate an NP language instance L from the security parameter λ.
• HashKG(L): generate a hashing key hk for L.
• ProjKG(hk, L): generate a projection key hp from the hashing key hk.
• Hash(hk, L, c): for a word c ∈ L, output the hash value hv from hk and c.
• ProjHash(hp, L, c, ω): for a witness ω for c ∈ L, output the hash value hv from hp and ω.

2.1.2. Properties

• Projection: for a word c ∈ L and the witness ω for this relation, PHF requires that Hash(hk, L, c) = ProjHash(hp, L, c, ω). In other words, the hash value is uniquely determined by the projection key if c ∈ L.
• Smoothness: for any word c ∈ X \ L, Hash(hk, L, c) is statistically indistinguishable from a random value. In other words, no information about the hash value is given if c ∉ L.

Note that a message can be embedded into the PHF to support message authentication. In this case, the definition of PHF is changed slightly. We let M be the message space and the PHF maps X × M to another set. Therefore, for m ∈ M, we have Hash(hk, L, c; m) = ProjHash(hp, L, c, ω; m).

2.2. Commitment scheme

A commitment scheme COM is employed in this paper to hide the sender identity. The basic properties of a commitment scheme are hiding and binding.

• Hiding: the committed value v in COM cannot be obtained by the adversary. If v can be switched to another value v′ under a trapdoor, we call it perfect hiding.
• Binding: v is fixed in the commitment COM and cannot be modified without the trapdoor.

2.3. Non-interactive witness indistinguishable proofs (NIWI)

Given a witness for a statement, one can construct a non-interactive proof for this statement. However, it is impossible for an adversary to produce an accepted proof for a false statement. Besides that, the proof does not reveal which witness was used if two different witnesses exist. A proof system has a prover P and a verifier V. Formally, given a statement x, an NP language L and a witness ω for x ∈ L, the NIWI proof system (P, V) satisfies the following properties:

• Completeness: a common reference string crs is shared in the non-interactive proof system. A proof produced by this system is accepted if ω for x ∈ L is given. That is, for every crs, $V_{crs}(x, P_{crs}(x, \omega)) = 1$.
• Soundness: it is impossible for an adversary A to produce an accepted proof for x ∉ L. That is, $\Pr[V_{crs}(x, \pi) = 1 : (x, \pi) \leftarrow \mathcal{A}(crs)] = 0$.
• Witness indistinguishability: the proofs generated from two different witnesses have indistinguishable distributions. That is:

$\Pr[(x, \omega_0, \omega_1) \leftarrow \mathcal{A};\ \pi \leftarrow P_{crs}(x, \omega_0) : \mathcal{A}_{crs}(\pi) = 1 \wedge (x, \omega_0), (x, \omega_1) \in R] \approx \Pr[(x, \omega_0, \omega_1) \leftarrow \mathcal{A};\ \pi \leftarrow P_{crs}(x, \omega_1) : \mathcal{A}_{crs}(\pi) = 1 \wedge (x, \omega_0), (x, \omega_1) \in R]$

where R is a computable relation.

2.4. Bilinear group of composite order

Bilinear groups of composite order were introduced by Boneh, Goh and Nissim [25]. We employ them in our instantiation. In such a group, p and q are two primes and n is set to n = pq. There are three multiplicative cyclic groups G, H, G_H of the same order n. Suppose g ∈ G, h ∈ H, and G, H, G_H are associated with a non-degenerate asymmetric bilinear pairing ê : G × H → G_H with the following properties:

• Bilinearity: for a, b ∈ Z_n, ê(g^a, h^b) = ê(g, h)^{ab}.
• Non-degeneracy: ê(g, h) ≠ 1, where 1 is the identity element of G_H.
• Computability: there is an efficient algorithm to calculate ê(g, h).


2.5. Number-theoretic assumptions

The security of our instantiation is based on two assumptions, namely the subgroup decision assumption [25] and the decisional Diffie–Hellman assumption in G_p.

2.5.1. Subgroup decision assumption

As in the description of the composite-order group above, G is a group of order n = pq and G_p is a group of order p. Obviously, G_p is a subgroup of G. Informally, the subgroup decision assumption states that an element chosen at random from G and one chosen at random from G_p are computationally indistinguishable. Formally, for an adversary A:

$\Pr[\mathcal{A}(n, G, G_p, g, h) = 1 : n = pq,\ r \leftarrow \mathbb{Z}_n,\ h = g^{r}] \approx \Pr[\mathcal{A}(n, G, G_p, g, h) = 1 : n = pq,\ r \leftarrow \mathbb{Z}_p,\ h = g^{qr}]$

where h = g^{qr} is a uniformly random element of the order-p subgroup G_p.

2.5.2. DDH assumption in G_p

Given a tuple (g, g^a, g^b, Z) over the cyclic group (G_p, g, p) where g ∈ G_p, deciding whether Z = g^{ab} is a hard problem.

3. Deniable authentication with source hiding

3.1. Syntax

We introduce the notion of deniable authentication with source hiding, in which the participants involved in the authentication can deny the fact of the conversation, and moreover the receiver does not know the sender. We first introduce the syntax of deniable authentication and then extend it to source hiding.

Deniable authentication. The sender A authenticates a message m to the receiver B in an interactive fashion. Finally, B accepts A's authentication if both participants perform the authentication protocol honestly. On the other hand, the participants (both A and B) can deny their involvement since the conversation leaves no evidence.

Extension to source hiding. The receiver B knows the sender A during the authentication, although A can deny its authentication to any third party. In order to seek privacy-enhanced protection for the sender, A may wish to be anonymous to B in addition to being able to disavow the conversation to others. Therefore, deniable authentication with source hiding is necessary. Suppose there is a group of participants R = {P_1, P_2, . . .} whose public keys are authenticated and accessible. A hides its identity in a subgroup of R to execute the deniable authentication protocol. At the end of the protocol execution, the receiver B accepts the authentication if the participants perform the protocol honestly. All the participants in the hidden group can deny their involvement. Besides that, B cannot even decide which member of the hidden group performed this authentication. Similar to ring signature schemes, we require the source hiding property to be unconditional. That is, B's advantage in guessing the actual sender in the hidden group is negligible even if all the members of the hidden group reveal their secret keys (i.e., the authentication keys).

3.2. Formal security model

The security model of deniable authentication with source hiding consists of completeness, soundness (unforgeability), deniability and source hiding (anonymity).

Completeness. The sender A hides itself in a group of participants R′ (R′ ⊆ R) to execute the deniable authentication with source hiding for a given message m. The receiver B is convinced that one member of R′ has authenticated m, without knowing which one, if all the participants perform the protocol honestly.

Soundness (Unforgeability). Suppose an adversary A tries to violate the soundness of the authentication. Its goal is to produce an accepted authentication tag without knowing the secret. Soundness means that A, without the sender's secret, cannot forge an acceptable authentication transcript. Before its forgery, A may corrupt participants and obtain authentication transcripts from an authentication oracle. Formally, A and its challenger C play the following soundness game sound:

Setup. C generates ν key pairs (PK_i, SK_i)_{i=1}^ν and returns the public keys PK = {PK_1, . . . , PK_ν} to A.

Corruption query. A makes a corruption query for a set D ⊂ {1, . . . , ν}; C returns {SK_i | i ∈ D} to A.

Authentication query. Upon receiving A's authentication query on a message m and a ring R = {PK_{j_1}, . . . , PK_{j_N}} where N > 1, C returns the corresponding authentication transcript tr to A.

Challenge. A outputs a forgery tr∗ for its chosen (m∗, R∗) where R∗ ∩ D = ∅. A is said to succeed if tr∗ is a valid forgery, that is, tr∗ is accepted by B and (m∗, R∗) was not queried to the authentication oracle. Succ(A, sound) denotes the success event of A in game sound.


Definition 1. Let λDRA be a deniable authentication protocol with source hiding. λDRA is sound (unforgeable) if Pr[Succ(A, sound)] is negligible.

Deniability. In order to deny involvement in the authentication, we should make sure that the authentication leaves no evidence bound to the participants. Therefore, the simulation paradigm is the natural way to formalize the deniability of λDRA. We consider the real game rea, in which C performs λDRA as the sender and outputs the authentication tag as the protocol requires. A records its view in game rea as view_DRA(A, rea). We then consider the simulation game sim, in which a simulator S simulates the authentication transcript without the secret and outputs the simulated authentication tag. A records its view in game sim as view_DRA(A, sim).

Definition 2. Let λDRA be a deniable authentication with source hiding. λDRA is deniable if view_DRA(A, sim) ≈ view_DRA(A, rea).

Source hiding (Anonymity). This property belongs to insider security. It means that the sender A is anonymous to the receiver B during the authentication. This property does not conflict with soundness. In order to realize sender anonymity, A is hidden in a group of participants. Formally, we consider the anonymity game anon as follows.

Setup. The challenger C generates ν key pairs (PK_i, SK_i)_{i=1}^ν and returns (PK_i, SK_i)_{i=1}^ν to A.

Authentication query. A makes authentication queries and is answered as in game sound.

Anonymity challenge. A chooses any two public keys PK_0, PK_1 together with m. Its challenger C takes b ← {0, 1} at random and follows λDRA to return the transcript tr generated with SK_b. In the end, A outputs a guess b′ for b from the returned tr. Note that A holds the private authentication keys {SK_i}_{i=1}^ν. Succ(A, anon) denotes the success event that A's guess satisfies b′ = b in game anon.

Definition 3. Let λDRA be a deniable authentication with source hiding. λDRA is anonymous if Pr[Succ(A, anon)] ≈ 1/2.

Remark 1. Deniability and anonymity are privacy properties. Our privacy-preserving authentication is realized through deniability and sender anonymity. The sender can deny the authentication since no evidence shows the sender's involvement. However, the receiver knows the sender during the authentication. For the privacy-enhanced requirement, the sender should be anonymous to the receiver. Therefore, anonymity is with respect to the receiver while deniability is with respect to anyone else.

4. Generic construction

We present our deniable authentication with source hiding in this section. We call this protocol λDRA. Our generic construction is based on a projective hash function and an NIWI proof system.

4.1. Construction

Each participant P_i generates its private key SK_i by invoking HashKG(L) and its public key PK_i by invoking ProjKG(hk, L), see Section 2.1. That is, SK_i = hk_i and PK_i = hp_i. We suppose each PK_i is accessible. Sender A authenticates to receiver B with a message m ∈ M. During this authentication, the privacy of the participants is considered. Therefore, both A and B should have the capability to deny their involvement in this conversation. In addition, A even hopes to be anonymous to B.

Setup. The system runs the algorithm PHFSetup(1^λ) to generate an NP language instance L.

Key generation. Given the system output, each participant P_i invokes HashKG(L) to generate its private key hk_i and ProjKG(hk_i, L) to generate its public key hp_i, respectively. That is, (SK_i, PK_i) = (hk_i, hp_i). Each public key hp_i is accessible to anyone.

Our generic construction of the deniable authentication with source hiding protocol λDRA between A and B is as follows. Suppose A engages B to perform the authentication with (m, R), where R, chosen by A, is a set of public keys including PK_A. That is, R = {PK_1, · · · , PK_A, · · · , PK_N}, where N is the size of R. The participants invoke the PHF with the embedded message m.

1. B picks a word c ∈ L with witness ω and publishes flow1 = c.

2. A → B: Upon receipt of flow1, A first calculates the value Hash(hk_A, L, c; m) using its private key hk_A. Then A hides this value using a secure commitment scheme COM as in Section 2.2. Concretely, A does as follows:
(a) compute σ_A = Hash(hk_A, L, c; m);
(b) compute C_A = COM(σ_A; r_A) with randomly chosen r_A;
A sends flow2 = (C_A, R) to B. This shows that a sender in set R wants to authenticate to B.

3. B → R: B reveals ω to R after receiving the commitment C_A.


4. A → B: A checks that the value ω is indeed the witness for c ∈ L. That is, A is convinced that it can deny successfully later if ProjHash(hp_A, L, c, ω; m) = σ_A. The remaining work for A is to convince B that the commitment C_A is indeed consistent with one σ_i that B can compute using each public key in R. However, B does not learn which σ_i is hidden in C_A. Concretely, A does as follows:
(a) for 1 ≤ i ≤ N, compute σ_i = ProjHash(hp_i, L, c, ω; m);
(b) generate an NIWI proof π = A_crs(x; (σ_A, r_A)) for the NP language L′ defined as

$L' \triangleq \{(\{\sigma_i\}_{i=1}^{N}, C_A) \mid \exists\, \sigma_A \in \{\sigma_i\}_{i=1}^{N} \text{ s.t. } C_A = \mathrm{COM}(\sigma_A; r_A)\}$

where x is a statement belonging to L′, (σ_A, r_A) is the witness for x ∈ L′ and crs is the common reference string of the NIWI proof system. A sends flow4 = π to B.

Finally, B checks whether B_crs({σ_i}_{i=1}^N, C_A, π) = 1 by computing σ_i = ProjHash(hp_i, L, c, ω; m) for 1 ≤ i ≤ N. B accepts A's authentication if the NIWI proof A_crs(·) is valid.

Protocol λDRA involves 4 rounds. Although the sender is hidden in a group of size N, our computation and communication overhead are not linear in N in each round. Indeed, the first 3 rounds are constant in computation and communication, see flow1 to flow3. Only flow4 is proportional to N. This is the inevitable cost of group-based hiding.

4.2. Security

We analyze the security of protocol λDRA formally with regard to three essential properties: soundness (unforgeability), source hiding (anonymity) and deniability.

4.2.1. Soundness

Generally speaking, soundness (unforgeability) follows from the fact that the hash value can only be calculated using the private key hk_i when the witness ω is unknown. Therefore, a “good” σ_i implies sound authentication. This property is due to the smoothness of the PHF. Besides, the attacker may commit to a fake σ_i to trick the receiver into accepting π. Therefore, the soundness of the NIWI proof and the perfect binding of the commitment scheme also imply sound authentication.

Theorem 1. The protocol λDRA satisfies soundness (unforgeability) if L is a hard NP language, the PHF is smooth, the underlying commitment scheme COM is perfectly binding and the NIWI proof is sound.

Proof. We assume that A would like to violate the soundness of protocol λDRA and that there is another adversary A′ whose goal is to decide whether c∗ ∈ L or not for a given word c∗. A′ acts as A's challenger. It maintains the ν public-private key pairs (PK_i, SK_i)_{i=1}^ν according to the Setup and Key Generation algorithms of λDRA. A is given PK = {PK_1, . . . , PK_ν}. When A makes corruption queries for a set D ⊂ {1, . . . , ν}, A′ returns {SK_i = hk_i | i ∈ D} to A. When A makes authentication queries on a message m and ring R = {PK_{j_1}, . . . , PK_{j_N}}, A′'s simulation of the authentication transcript tr is as follows. If A acts as the receiver, A′'s simulation is trivial as it has the private key SK_i. If A acts as the sender, A′'s simulation is more complicated. A′ prepares flow1 = c using the given c. Then A′ simulates flow3 by querying the witness ω for c ∈ L from its challenger. In the challenge phase, A outputs a forgery tr∗ for its chosen (m∗, R∗) where R∗ ∩ D = ∅. A′ uses the target word c∗ to prepare flow1 = c∗ and flow3 = ω̄, where ω̄ is chosen at random by A′. However, this difference cannot be detected by A, otherwise it would help A′ decide that c∗ ∈ L. Indeed, the value Hash(hk_I, L, c∗; m∗) (where I ∈ R∗) is random due to the smoothness property of the PHF if c∗ ∉ L. Therefore, A cannot detect that the random ω̄ is not consistent with the real witness in this case. Thus, this forgery will not be aborted. In the last round, A tries to generate an accepted NIWI proof π for the language

$L' \triangleq \{(\{\sigma_i\}_{i=1}^{N}, C_I) \mid \exists\, \sigma_I \in \{\sigma_i\}_{i=1}^{N} \text{ s.t. } C_I = \mathrm{COM}(\sigma_I; r_I)\}$

for its forgery. In this verification, A′ uses SK_i (1 ≤ i ≤ N and N = |R∗|) to verify the validity of π. Concretely, A′ computes σ_i = Hash(hk_i, L, c∗; m∗). Obviously, the verification fails since C_I commits to a fake hash value σ̄; otherwise it would contradict the perfect binding of the commitment scheme COM(·) and the soundness of the NIWI proof system. □

4.2.2. Source hiding

Source hiding (anonymity) follows from the fact that σ_i is hidden in the commitment C_A, so B cannot decide which member of the set R produced σ_i. Our strategy is that A generates an NIWI proof to convince B that C_A is indeed consistent with one σ_i without revealing which one. Therefore, B accepts that this authentication was made by one member of R. Hence, the source hiding property is due to the perfect hiding of COM and the witness indistinguishability of the NIWI proof.

Theorem 2. The protocol λDRA satisfies source hiding (anonymity) if the commitment scheme COM(·) is perfectly hiding and the NIWI proof is witness indistinguishable.

Proof. We assume that A would like to violate the source hiding property of protocol λDRA and that its challenger is C. C maintains ν public-private key pairs (PK_i, SK_i)_{i=1}^ν according to the Setup and Key Generation algorithms of λDRA. A is given these ν key pairs. When A makes authentication queries, C responds normally.

When $\mathcal{A}$ makes its anonymity challenge by outputting a message $m^*$, a ring $R^*$ and two public keys $PK_0, PK_1$ from $R^*$, $\mathcal{C}$ takes $b \leftarrow \{0, 1\}$ at random and follows protocol $\lambda_{DRA}$ to respond with $SK_b$. That is, $\sigma_b = \mathrm{Hash}(hk_b, L, c^*; m^*)$, $C^* = \mathrm{COM}(\sigma_b; r_b)$ and $\Pi^* = \mathcal{C}_{crs}(\cdot; (\sigma_b, r_b))$. Given the target transcript $(C^*, \Pi^*)$, $\mathcal{A}$ has to guess the bit b. Since $C^*$ can be rewritten as $C^* = \mathrm{COM}(\sigma_{1-b}; r_{1-b})$ due to the perfect hiding of the commitment scheme $\mathrm{COM}(\cdot)$, and $\Pi^*$ is a witness indistinguishable proof, $\Pi^* = \mathcal{C}_{crs}(\{\sigma_i\}_{i=1}^{N}, C^*; (\sigma_{1-b}, r_{1-b}))$ is also accepted by the verifier, and the generated $\Pi^*$ gives no information about which witness ($\sigma_b$ or $\sigma_{1-b}$) was used for this proof. Therefore, the probability that $\mathcal{A}$ guesses the right b is $\Pr[\mathrm{Succ}(\mathcal{A}, anon)] \approx \frac{1}{2}$. □

4.2.3. Deniability

This authentication between sender A and receiver B is privacy-preserving, as both can deny their involvement in the authentication. Deniability is an essential privacy property and it holds for off-the-record conversation. Full deniability is realized in Step 3 due to the revelation of the witness of language L. With this witness ω, the transcript can be simulated by anyone by rewinding. The simulation paradigm is an important way to provide off-the-record deniability. Simulation-based deniability requires that the simulated transcript of the communication is indistinguishable from the real conversation. Since the simulation is done without the sender's secret, the real conversation transcript does not provide evidence of the sender's involvement. To simulate the transcript, we employ a simulator S that performs the steps below.

Simulation:
(1) B: c;
(2) S → B: $C_I = \mathrm{COM}(garbage)$;
(3) B → S: reveal ω;
(2') S → B: $\mathrm{COM}(\mathrm{ProjHash}(\omega))$;
(3' = 3) B → S: reveal ω;
(4) S → B: generate NIWI proof.

S simulates the authentication transcript by rewinding (step (2')). Indeed, S (without the secret of sender A) produces an accepted NIWI proof after seeing ω. Obviously, the simulated transcript is statistically indistinguishable from the real one. Therefore, this protocol is zero-knowledge and deniability follows.

4.3. Efficiency

We analyze the performance of protocol $\lambda_{DRA}$ in computation and communication and compare it to related and representative works. We focus on deniability achieved by simulation. Therefore, our comparison includes non-interactive deniable authentication [14], deniable authenticated key exchange [11] and deniable authentication with source hiding [15–17].

4.3.1. Computation

Li's scheme [14] realizes deniability by computing the authentication tag with the receiver's public key. Therefore, it achieves only partial deniability, as the authentication transcript can only be simulated by the receiver. Since this scheme does not realize the source hiding property, its computation complexity is O(1). Yao's deniable authenticated key exchange protocol [11] depends on non-malleable zero-knowledge (NMZK) to achieve full deniability. Its computation complexity is also O(1), as the source hiding property is not considered. In Naor's scheme [15], authentication is reached as the receiver challenges with an encrypted r, and the correct decryption of r implies authentication. In order to hide the sender in the N-size group, N encryptions must be performed by both receiver and sender in each round. If the underlying encryption is implemented with a DH-based scheme, O(N) exponentiations are required. Dowsley et al. used broadcast encryption to realize the source hiding property [16]. Broadcast encryption with verifiability is used to check the equality of the message received by each recipient. This is the vital step to realize source hiding.
With an implementation from the BGW scheme, O(N) exponentiations and bilinear pairings are required in the first 2 rounds. Zeng's scheme [17] is also based on encryption to reach authentication. In order to satisfy the source hiding property, multi-receiver encryption is employed. N computations are necessary to hide the sender. Concretely, the receiver performs O(N) exponentiations and the sender performs O(N) pairings. Our protocol $\lambda_{DRA}$ employs a smooth PHF and an NIWI proof to realize fully deniable authentication with the source hiding property. Our construction does not need O(N) computations in each round. As a matter of fact, the computation in the first 3 rounds is constant and is proportional to N only in the last round.

4.3.2. Communication

The number of communication rounds is the major indicator of communication overhead. As analyzed above, interaction during the communication is required to realize full deniability. Generally speaking, Naor's scheme [15] needs 6 rounds. Moreover, the N ciphertexts sent in each round are also a major burden. Dowsley's scheme [16] requires 4 rounds. Although the transmitted data size in each round is constant, the actual communication overhead is not low. The members' private keys in the broadcast encryption scheme must be generated by a third party, which requires a high-level secure channel to send out these private keys. This is an extra expensive cost. Zeng's scheme [17] needs only 2 communication rounds, which is optimal. However, it requires a strong assumption to reach full deniability. Note that all the above 3 schemes omit that in practice the sender should first choose and send the hiding group R to the receiver, as the receiver encrypts the message with respect to R. Therefore, the actual communication rounds of [15–17] should be increased by 1. Our protocol $\lambda_{DRA}$ requires 4 communication rounds. Note that the computation related to R for the receiver is only to check that $\sigma_A \in \{\sigma_i\}_{i=1}^{N}$. Therefore, the sender can piggyback the group R in the second round, and an extra round to show R is not necessary in our proposal. Besides, our advantage is that the communication overhead is constant in the first 3 rounds; it is proportional to N only in the last round. Yao's scheme [11] is constructed under generic NMZK. As we know, a black-box zero-knowledge proof or argument needs at least 4 rounds. Therefore, the actual communication round count of [11] is at least 4 to realize deniable authentication of key agreement.

4.3.3. Underlying security requirement

Generally speaking, we hope the security requirements for the underlying building blocks are as loose as possible. Thus, it is significant for us to construct secure protocols with looser requirements, for practicability. All three constructions [15–17] are built on the encryption paradigm. Their soundness requires at least CCA2 secure encryption. Indeed, Naor's scheme [15] and Dowsley's scheme [16] depend on CCA2 secure encryption, and Zeng's scheme [17] requires even plaintext-aware (PA) security. $\lambda_{DRA}$ is constructed outside the CCA paradigm. We use the specific properties (projection and smoothness) of the PHF to build deniable authentication. Consequently, the underlying building block is not necessarily CCA2 secure. We summarize the comparison in Table 1.

Table 1. Comparison of representative works on authentication with deniability.

Scheme | Round | Deniability | Anonymity | CCA-paradigm | Assumption
[15]   | 7     | full        | yes       | yes          | standard
[16]   | 5     | full        | yes       | yes          | standard
[17]   | 3     | full        | yes       | yes          | strong
[14]   | 1     | partial     | no        | no           | standard
[11]   | 4     | full        | no        | no           | strong
λDRA   | 4     | full        | yes       | no           | standard

5. Extension to applications

As analyzed above, our protocol $\lambda_{DRA}$ realizes authentication, source hiding and deniability in 4 rounds. Such communication overhead is heavy in practical applications. As a matter of fact, the number of communication rounds of $\lambda_{DRA}$ can be reduced under some specific conditions.
Indeed, 4 rounds are necessary in the case of a dishonest receiver. Once the receiver does not follow the protocol honestly, i.e., B does not choose a random ω to prepare c, a challenge-response mechanism in which B reveals ω has to be introduced; otherwise the simulation fails. We observe that if ω is chosen randomly in the first round, the simulation goes through even though the revelation of ω in the third round is omitted. In this case, the simulator honestly chooses a random value ω and the simulated transcript is indeed indistinguishable from the real one. In some practical applications the receiver can be assumed honest, and then our protocol needs only 2 rounds. This assumption is significant and feasible. In general, the communication mode on the Internet is client-server, and the server is accepted by the public. Therefore, the server as receiver can be required to perform the protocol honestly. Under this assumption, our protocol $\lambda_{DRA}$ can be reduced to 2 rounds. In this section, we improve $\lambda_{DRA}$ to 2 rounds in order to make it appropriate for practical applications. We instantiate it with a concrete PHF and NIWI proofs.

5.1. A concrete projective hash function from DH language

We first give a concrete PHF from the DH language. Let $\mathbb{G}_p$ be a group of prime order p and $(g_p, \eta_p)$ be generators of $\mathbb{G}_p$. We introduce the Diffie–Hellman language $L_{DH}$, defined as $L_{DH} = \{(c_1, c_2) \mid \exists \omega \in \mathbb{Z}_p \text{ s.t. } c_1 = g_p^{\omega}, c_2 = \eta_p^{\omega}\}$. We embed the message m into the PHF to support message authentication. The concrete PHF with $m \in \mathcal{M}$ is constructed over $L_{DH}$ with the parameters $(\mathbb{G}, p, g_p, \eta_p)$ as follows:

• $\mathrm{PHFSetup}(1^\lambda)$: on input the security parameter λ, $L_{DH}$ is defined as $L_{DH} = \{(c_1, c_2) \mid \exists \omega \in \mathbb{Z}_p \text{ s.t. } c_1 = g_p^{\omega}, c_2 = \eta_p^{\omega}\}$;
• $\mathrm{HashKG}(L_{DH})$: choose $x, y \leftarrow \mathbb{Z}_p$, return the hashing key $hk = (x, y)$;
• $\mathrm{ProjKG}(hk, L_{DH})$: on input hk, return the projection key $hp = g_p^{x} \eta_p^{y}$;
• $\mathrm{Hash}(hk, L_{DH}, c; m)$: on input hk, the word $c = (c_1, c_2)$ from $L_{DH}$ and the message m, return $hv = (c_1^{x} c_2^{y})^{H(m)}$, where $H : \{0,1\}^* \to \mathbb{Z}_p$ is a collision-free hash function;
• $\mathrm{ProjHash}(hp, L_{DH}, c, \omega; m)$: on input hp, the word $c = (c_1, c_2)$ from $L_{DH}$, the witness ω of $L_{DH}$ and the message m, return $hv = (g_p^{x} \eta_p^{y})^{\omega H(m)}$.

Projection. If ω is the witness for $c \in L_{DH}$, we have $\mathrm{Hash}(hk, L_{DH}, c; m) = (c_1^{x} c_2^{y})^{H(m)} = hv = (g_p^{x} \eta_p^{y})^{\omega H(m)} = \mathrm{ProjHash}(hp, L_{DH}, c, \omega; m)$.
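The following Python code is an added example, not code from the paper or its authors' implementation, of the DH-language PHF defined above over a toy prime-order subgroup. It checks the projection identity for a word in $L_{DH}$ and makes the smoothness argument concrete: for a word outside $L_{DH}$, the hashing keys that all share one projection key hp produce every element of the group, so hp alone pins down nothing about hv. The parameters P, Q, G and the trapdoor mu are constructed for the example, and the hash H is restricted to nonzero exponents, which is an assumption made here so that H(m) = 0 never degenerates the hash.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example and far too small for real use:
# P = 2*Q + 1 is a safe prime, so the squares modulo P form the subgroup G_p of
# prime order Q (the paper's prime p).  G = 4 = 2^2 is a square and != 1, so it
# generates that subgroup and plays the role of g_p.
P = 2039
Q = 1019
G = 4


def H(m):
    """Hash into Z_Q.  Assumption made here: the value is forced into 1..Q-1 so
    the exponent H(m) is never 0 (a zero exponent gives hv = 1 for every key
    and voids the smoothness argument)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (Q - 1) + 1


def phf_setup(mu=0):
    """PHFSetup: publish (G_p, p, g_p, eta_p) with eta_p = g_p^mu.
    mu is the discrete log the smoothness proof reasons with; it is kept in the
    parameter dict only so keys_with_same_hp() can enumerate keys (analysis
    only).  Real parties never learn it.  mu=0 means: pick it at random."""
    mu = mu or secrets.randbelow(Q - 1) + 1
    return {"p": Q, "g": G, "eta": pow(G, mu, P), "_mu": mu}


def hash_kg():
    """HashKG: hashing key hk = (x, y), both drawn from Z_p."""
    return (secrets.randbelow(Q), secrets.randbelow(Q))


def proj_kg(params, hk):
    """ProjKG: projection key hp = g_p^x * eta_p^y."""
    x, y = hk
    return pow(params["g"], x, P) * pow(params["eta"], y, P) % P


def make_word(params, omega):
    """A word c = (g_p^omega, eta_p^omega) of L_DH; omega is its witness."""
    return (pow(params["g"], omega, P), pow(params["eta"], omega, P))


def phf_hash(params, hk, c, m):
    """Hash(hk, L_DH, c; m) = (c1^x * c2^y)^H(m), the private-key side."""
    x, y = hk
    c1, c2 = c
    return pow(pow(c1, x, P) * pow(c2, y, P) % P, H(m), P)


def phf_proj_hash(params, hp, c, omega, m):
    """ProjHash(hp, L_DH, c, omega; m) = hp^(omega * H(m)), the witness side.
    The word c itself is not needed once its witness omega is known."""
    return pow(hp, omega * H(m) % Q, P)


def projection_holds(params, hk, omega, m):
    """Projection property: for c in L_DH, Hash and ProjHash agree."""
    c = make_word(params, omega)
    hp = proj_kg(params, hk)
    return phf_hash(params, hk, c, m) == phf_proj_hash(params, hp, c, omega, m)


def keys_with_same_hp(params, hk):
    """All Q hashing keys that share hk's projection key: hp = g^(x + mu*y), so
    (x + mu*t, y - t) leaves hp unchanged.  This is Eq. (1) of the smoothness
    argument made explicit; it needs the trapdoor mu and is for analysis only."""
    x, y = hk
    mu = params["_mu"]
    return [((x + mu * t) % Q, (y - t) % Q) for t in range(Q)]


def smoothness_probe(params, hk, c, m):
    """Count the distinct Hash outputs over every key consistent with hp.
    For c in L_DH the answer is 1 (hp determines hv); for c outside L_DH it is
    Q, i.e. hv ranges over all of G_p, so seeing hp tells a forger nothing."""
    return len({phf_hash(params, k, c, m) for k in keys_with_same_hp(params, hk)})


if __name__ == "__main__":
    params = phf_setup()
    hk = hash_kg()
    m = b"constructed message to authenticate"
    omega = secrets.randbelow(Q - 1) + 1
    print("projection holds:", projection_holds(params, hk, omega, m))
    in_L = make_word(params, omega)
    out_L = (pow(params["g"], omega, P), pow(params["eta"], (omega + 1) % Q, P))
    print("distinct hv for c in L_DH     :", smoothness_probe(params, hk, in_L, m))
    print("distinct hv for c outside L_DH:", smoothness_probe(params, hk, out_L, m))
```

The probe enumerates the Q keys lying on the line $x + \mu y = \log hp$; with a word in the language every one of them hashes to the same value, while a word $(g_p^{\omega_1}, \eta_p^{\omega_2})$ with $\omega_1 \neq \omega_2$ sends them to Q different group elements, which is the linear-independence argument of the smoothness proof in miniature.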

Smoothness. If $c \notin L_{DH}$, $\mathrm{Hash}(hk, L_{DH}, c; m)$ is statistically indistinguishable from a random value. Indeed, $c \notin L_{DH}$ implies $c = (g_p^{\omega_1}, \eta_p^{\omega_2})$ for $\omega_1 \neq \omega_2$. Suppose $\eta_p = g_p^{\mu}$ for some μ; then we have (1) $\log hp = x + \mu y$ and (2) $\log hv = (\omega_1 x + \mu \omega_2 y) H(m)$. Since $\omega_1 \neq \omega_2$, Eq. (2) is linearly independent of Eq. (1). This means that hv is uniformly distributed over $\mathbb{G}_p$ and statistically indistinguishable from a random value in $\mathbb{G}_p$.

5.2. Instantiation with 2 rounds

We denote the improvement as protocol $\lambda_{DRA}$. We employ a concrete PHF with composite order and the Groth–Sahai NIWI proof system [26] with an asymmetric bilinear map (both introduced in Section 2) to construct it.

Setup. Choose primes p, q and set $n = pq$. There are three multiplicative cyclic groups $\mathbb{G}, \mathbb{H}, \mathbb{G}_H$ of the same order n, associated with an asymmetric bilinear pairing $\hat{e} : \mathbb{G} \times \mathbb{H} \to \mathbb{G}_H$. Let $g_1$ and $h_1$ be generators of $\mathbb{G}$ and $\mathbb{H}$, respectively. Choose $\mu_1, \mu_2, \mu_3 \leftarrow \mathbb{Z}_n$ and set $\eta = g_1^{\mu_1}$, $g_2 = g_1^{\mu_2}$, $h_2 = h_1^{\mu_3}$. $H : \{0,1\}^* \to \mathbb{Z}_n$ is a collision-resistant hash function. The public parameters (common reference string) $crs = (n, \mathbb{G}, \mathbb{H}, \mathbb{G}_H, \hat{e}, g_1, \eta, g_2, h_1, h_2, H)$ are the output.

Key Generation. Each participant $P_i$ chooses $x_i, y_i \leftarrow \mathbb{Z}_n$ and sets $SK_i = hk_i = (x_i, y_i)$, $PK_i = hp_i = g_1^{x_i} \eta^{y_i}$. All the public keys $PK_1, PK_2, \ldots, PK_\nu$ are accessible to anyone.

Concrete Execution of $\lambda_{DRA}$. Suppose A engages B to perform the authentication on (m, R), where R is a set of public keys including $PK_A$ chosen by A. Suppose A is indexed by I, that is $R = \{PK_1, \cdots, PK_I, \cdots, PK_N\}$, where N is the size of R.

1. B: B picks a word $c \in L_{DH}$ with the witness $\omega \leftarrow \mathbb{Z}_n$, where $L_{DH} = \{c \mid \exists \omega,\ c = (c_1, c_2) = (g_1^{\omega}, \eta^{\omega})\}$. B publishes $flow_1 = c$.

2. A → B: Upon receipt of $flow_1$ from B, A calculates as follows:
(a) compute $\sigma_I = \mathrm{Hash}(hk_A, L_{DH}, c; m) = (g_1^{\omega})^{H(m) x_I} (\eta^{\omega H(m)})^{y_I}$;
(b) compute $C_I = \mathrm{COM}(\sigma_I; r_I) = \sigma_I \cdot g_2^{r_I}$ with a random value $r_I \leftarrow \mathbb{Z}_n$;
(c) generate the NIWI proof $\Pi$ for the NP language $L'$ to convince B that the commitment $C_I$ is indeed consistent with one $\sigma_i$ (without revealing which one). Note that $\sigma_i$ can be produced by B using ω and $PK_i$.

$L' \triangleq \{(\{PK_i\}_{i=1}^{N}, C_I) \mid \exists \sigma_I \in \{\sigma_i\}_{i=1}^{N} \text{ s.t. } C_I = \mathrm{COM}(\sigma_I; r_I)\}$

Concretely, A produces the NIWI proof $\Pi = \mathcal{A}_{crs}((\{PK_i\}_{i=1}^{N}, C_I); (\sigma_I, r_I))$ as follows:
i. for $i \neq I$, choose $t_i \leftarrow \mathbb{Z}_n$ and compute $G_i = g_2^{t_i}$, $H_i = h_2^{t_i}$, $\pi_i^{G} = (g_1^{-1} g_2^{t_i})^{t_i}$ and $\theta_i^{H} = (h_1^{-1} h_2^{t_i})^{t_i}$;
ii. for $i = I$, compute $t_I = -\sum_{i \neq I} t_i$, $G_I = g_1 g_2^{t_I}$, $H_I = h_1 h_2^{t_I}$, $\pi_I^{G} = (g_1 g_2^{t_I})^{t_I}$, $\theta_I^{H} = (h_1 h_2^{t_I})^{t_I}$;
iii. for $1 \le i \le N$, compute $\lambda_i = PK_i^{H(m) t_i} = (g_1^{x_i} \eta^{y_i})^{H(m) t_i}$, $\pi = g_1^{t_I} \cdot \prod_{i=1}^{N} (g_2^{t_i})^{t_i}$, $\theta = h_1^{t_I - r_I}$.
We denote $\Pi = (\{G_i, H_i, \pi_i^{G}, \theta_i^{H}, \lambda_i\}_{i=1}^{N}, \pi, \theta)$. A sends $flow_2 = (C_I, \Pi, R)$ to B.

B first computes $\sigma_i = \mathrm{ProjHash}(hp_i, L_{DH}, c, \omega; m) = (g_1^{x_i} \eta^{y_i})^{H(m) \omega}$ for $1 \le i \le N$ with the witness ω. Then it verifies $\mathcal{B}_{crs}(\{\sigma_i\}_{i=1}^{N}, C_I, \Pi) = 1$ as follows, to accept this authentication of m as made by one member of R:

• $\hat{e}(G_i, H_i h_1^{-1}) \cdot \hat{e}(G_i g_1^{-1}, H_i) = \hat{e}(\pi_i^{G}, h_2) \cdot \hat{e}(g_2, \theta_i^{H})$ for $1 \le i \le N$;
• $\prod_{i=1}^{N} G_i = g_1$;
• $\prod_{i=1}^{N} H_i = h_1$;
• $\prod_{i=1}^{N} \hat{e}(\sigma_i G_i, H_i) = \hat{e}(C_I g_1, h_1) \cdot \hat{e}(\pi \cdot \prod_{i=1}^{N} \lambda_i^{\omega}, h_2) \cdot \hat{e}(g_2, \theta)$.

If receiver B is honest, our protocol $\lambda_{DRA}$ satisfies soundness, full deniability and source hiding with only 2 rounds. We prove its security in the following subsection. Without revelation of the witness ω, the simulation no longer requires a rewinding step. This results in concurrent deniability. Therefore, it adapts to Internet-based applications, which are a concurrent environment.

5.3. Security

We analyze the security of our instantiation $\lambda_{DRA}$. We formally prove that the protocol satisfies the essential properties: soundness, deniability and source hiding.

5.3.1. Soundness (unforgeability)

The protocol $\lambda_{DRA}$ is sound (unforgeable) if an adversary $\mathcal{A}$ cannot authenticate to the receiver on behalf of R without a private key of the set R. Informally, $\mathcal{A}$ cannot forge a correct $\sigma_I$ without the private key $SK_I = (x_I, y_I)$, due to the smoothness of the PHF and the DDH assumption. On the other side, $\sigma_I$ is the witness of our NIWI proof. The soundness of the NIWI proof system

convinces the verifier that an accepted NIWI proof cannot be built on a fake $\sigma_I$. We prove the soundness property formally. The proof strategy is to revise the original game (in which $g_2$ and $h_2$ have order n) into a variant game (in which $g_2$ and $h_2$ have order q), show that the difference between the two games is negligible, and finally point out that the probability that the adversary wins the variant game is negligible.

Theorem 3. Assume that the subgroup decision assumption and the decisional Diffie–Hellman assumption in $\mathbb{G}_p$ hold; then protocol $\lambda_{DRA}$ achieves soundness (unforgeability).

Proof. Let us first review the subgroup decision assumption. It states that an element randomly chosen from $\mathbb{G}$ and one randomly chosen from $\mathbb{G}_q$ are computationally indistinguishable; see Section 2.5 for details. Suppose $\mathcal{A}$ is an adversary against the soundness of $\lambda_{DRA}$. Let $G_0$ be the original soundness game as defined in Section 3.2. We denote by $\mathrm{Succ}^{sd}_{DRA}(\mathcal{A}, G_0)$ the success event of $\mathcal{A}$ in $G_0$, in which $\mathcal{A}$ is given the set $PK = \{PK_1, \cdots, PK_\nu\}$, the corrupted private key set $\{SK_i \mid i \in D\}$ and the system parameters crs. Note that $g_2$ and $h_2$ are of order n in the game $G_0$. $\mathcal{A}$'s view in $G_0$ is identical to the real environment. We revise the game $G_0$ into the game $G_1$ such that $g_2$ and $h_2$ in $G_1$ are of order q. We argue that this modification cannot cause $\mathcal{A}$ to find the difference; otherwise we can construct an adversary $\mathcal{A}'$ that runs $\mathcal{A}$ to break the subgroup decision assumption. Thus, we have $\mathrm{view}(G_0, \mathcal{A}) = \mathrm{view}(G_1, \mathcal{A})$. Now we consider the soundness game in $G_1$. In $G_1$, $\mathcal{A}$ is given a crs in which $g_2$ and $h_2$ have order q. Therefore $\mathcal{A}$'s forgery $C_I^*$ uniquely determines the projection on $\mathbb{G}_p$ of the committed value $\sigma_I^*$, which is perfectly binding in $\mathbb{G}_p$. On the other hand, if $\mathcal{A}$ wishes to convince the receiver that the forgery $C_I^*$ is indeed valid, then

$\prod_{i=1}^{N} \hat{e}(\sigma_i G_i, H_i) = \hat{e}(C_I g_1, h_1) \cdot \hat{e}(\pi \cdot \prod_{i=1}^{N} \lambda_i^{\omega}, h_2) \cdot \hat{e}(g_2, \theta)$

must hold. We raise both sides of this equation to the power q and obtain $\hat{e}((\sigma_i g_1)^q, h_1) = \hat{e}((\sigma_I^* g_1)^q, h_1)$ for $i = I$, where $\sigma_i$ is computed by the challenger with ω and $\sigma_I^*$ is $\mathcal{A}$'s forgery. That means $\sigma_I^*$ must have the same projection on $\mathbb{G}_p$ as $\sigma_i$ for $i = I$. It remains to show that $\mathcal{A}$ cannot generate $\sigma_I^*$ such that $\sigma_I^*$ is consistent with one $\sigma_i$ in the projection on $\mathbb{G}_p$. Each $\sigma_{i,p}$ is the output of the projective hash function in $\mathbb{G}_p$ described in Section 5.1. Since it satisfies smoothness, the instantiated PHF is also pseudorandom. This property can be obtained from the DDH assumption (see Section 2.5), which amounts to the hardness of distinguishing the two distributions $DDH = \{(g_p, \eta_p, g_p^{a}, \eta_p^{a}) \mid a \in \mathbb{Z}_p\}$ and $RAN = \{(g_p, \eta_p, g_p^{a_1}, \eta_p^{a_2}) \mid a_1, a_2 \in \mathbb{Z}_p\}$, where $g_p, \eta_p$ are generators of $\mathbb{G}_p$ of prime order p. Given the distribution RAN (in this case the probability that $a_1 = a_2$ is only $1/p$, which is omitted), the output of the PHF is random by smoothness. Since the two distributions DDH and RAN are computationally indistinguishable under the DDH assumption, the value of the hash function constructed under the DDH tuple is pseudorandom; otherwise the DDH assumption is violated. That means $\sigma_{I,p}$ is uniformly distributed over $\mathbb{G}_p$ and $\mathcal{A}$ obtains this value only by guessing, with negligible probability $1/p$. Thus $\Pr[\mathrm{Succ}(\mathcal{A}, G_1)]$ is negligible. Since $\mathrm{view}(G_0, \mathcal{A}) = \mathrm{view}(G_1, \mathcal{A})$, finally $\Pr[\mathrm{Succ}(\mathcal{A}, G_0)]$ is negligible, which completes the soundness proof. □

5.3.2. Deniability

Deniability is an essential privacy-preserving property. Protocol $\lambda_{DRA}$ satisfies full deniability, as the conversation transcript can be simulated by anyone if the receiver is honest. Under this assumption, the simulator S chooses a random value $\bar{\omega}$ to prepare $\bar{c}$ in $flow_1$. The rest of the simulation is normal, as the witness $\sigma_I$ for the NP language $L'$ is known to S through $\bar{\omega}$. Obviously, the simulated transcript $(flow_1, flow_2)$ is indistinguishable from the real one.

5.3.3. Source hiding (anonymity)

Deniability is a privacy property; source hiding is a privacy-enhancing property. Indeed, the authentication transcript cannot convince a third party that this conversation has occurred. However, the receiver knows the sender during authentication. Source hiding makes the sender anonymous to the receiver. Our technique is to hide $\sigma_I$ in the commitment $C_I$ as $C_I = \sigma_I g_2^{r_I}$. When $g_2$ has order n, the commitment is perfectly hiding. It means that $C_I$ can be switched to a commitment to any other $\sigma_i$. Indeed, with the trapdoor key $(\mu_1 = \log_{g_1} \eta,\ \mu_2 = \log_{g_1} g_2)$, the commitment

$C_I = \sigma_I g_2^{r_I} = g_1^{\omega H(m) x_I} \eta^{\omega H(m) y_I} g_2^{r_I}$

can be opened to any value $C_I = \sigma_i g_2^{r_i}$, where

$r_i = r_I + \dfrac{\omega H(m)(x_I - x_i) + \mu_1 \omega H(m)(y_I - y_i)}{\mu_2}, \qquad \sigma_i = g_1^{\omega H(m) x_i} \eta^{\omega H(m) y_i}.$

The unique proof $(\pi, \theta)$ implies that any $\sigma_i$ committed in $C_I$ satisfies $\prod_{i=1}^{N} \hat{e}(\sigma_i G_i, H_i) = \hat{e}(C_I g_1, h_1) \cdot \hat{e}(\pi \cdot \prod_{i=1}^{N} \lambda_i^{\omega}, h_2) \cdot \hat{e}(g_2, \theta)$. In other words, the receiver cannot decide the actual sender even though each private key $(x_i, y_i)$ is revealed, as the commitment $C_I$ is perfectly hiding and the proof $\Pi$ is an NIWI proof.

5.4. Performance

We simulate our protocol $\lambda_{DRA}$ and test the computation time of sender A and receiver B respectively. Our experimental platform is equipped with an Intel(R) Pentium(R) CPU G4500 @ 3.50GHz with 4G RAM. The software environment is the Windows 7 operating system and the Microsoft VS 2012 compiler. The supporting library is the free Pairing-Based Cryptography (PBC) library, which provides several types of pairing. We choose the type D curve, whose parameters are in a subdirectory of the PBC files. We incrementally increase the participant group size from 10 to 100 to implement $\lambda_{DRA}$. Note that anonymity is stronger if the size is bigger, whereas the computation is heavier. We observe that the computation of sender A in step 2 includes an online and an off-line part. The online computation for A is to calculate $(\sigma_I, C_I)$, as this part can only be computed after receiving c from B. Our implementation result is shown in Fig. 1. It is roughly from 5.3ms to 5.9ms no matter how many participants are involved. The online computation cost for the user is acceptable. Then A calculates $\Pi = (\{G_i, H_i, \pi_i^{G}, \theta_i^{H}, \lambda_i\}_{i=1}^{N}, \pi, \theta)$ to hide itself in the group $R = \{PK_1, \ldots, PK_I, \ldots, PK_N\}$. Since it involves an N-size calculation, the computation time for A in this phase is proportional to N. Fig. 2 shows the computation cost of A's calculation of $\Pi$ when the participant group size N varies from 10 to 100. Although the result seems impractical, this computation for A can be done off-line, as it is independent of B's challenge. A can pre-compute these variables and save them in advance. Fig. 3 shows B's verification time when the participant group size varies from 10 to 100. Since B is always played by the server, which is equipped with strong computation capability, the time consumption shown in Fig. 3 is practical.

Fig. 1. Online computation cost for sender.

Fig. 2. Off-line computation cost for sender.

Fig. 3. Verification cost for receiver.

6. Application

Authentication protocols with deniability have many applications that require privacy. We notice that the Wi-Fi access protocol inevitably leaks location privacy, although it provides a convenient service for mobile equipment to access the Internet. The client with successful authentication is allocated a valid Internet address. This authentication conversation includes the client's personal information, and thus the authentication record is bound to the client connection. As we know, Wi-Fi hotspots are fixed and public, so the location of the connected access point (AP) reveals the client's location. Although several works focus on location privacy [27–29], their solutions cannot be used directly to handle the contradiction between access authentication and location privacy. The common approaches solve location privacy mainly by preventing the location leakage to the attacker. Therefore, homomorphic encryptions are necessary. If we make the conversation "off-the-record" during the communication, the client's location privacy is preserved even though the accurate location is captured. In other words, the authentication transcript can be simulated and hence cannot be used as evidence to convince any third party of the fact of the connection. The client's location privacy is achieved naturally. Therefore, we can run the privacy-preserving authentication with deniability between the client's mobile equipment (UE) and the access point (AP) whenever client privacy is desired. A valid authentication makes the AP accept the UE's connection request. On the other hand, if the underlying authentication is deniable, the AP cannot convince anyone else that the UE was ever involved in this connection. Intuitively, non-interactive deniable authentication seems preferable for its efficient communication overhead. However, non-interactive deniable authentication always achieves only partial deniability, as we analyzed before. In the Wi-Fi access setting, the receiver is the AP, which acts on behalf of the Telecom Operator (TO). Obviously, the TO is the authority and is accepted by the public. Therefore, partial deniability is unfair to the client (i.e., the sender).
In addition, the Wi-Fi access protocol is inherently interactive even in the absence of security. The access procedure is interactive even if the underlying deniable authentication is non-interactive. Therefore, an underlying fully deniable authentication protocol does not influence the communication overhead of the Wi-Fi access protocol. In order to apply protocol $\lambda_{DRA}$, we require that the AP follows the protocol honestly. This assumption is feasible, as the TO is an honest and trusted entity. Here we briefly introduce the high-level procedure for applying the deniable authentication to the Wi-Fi access protocol against location leakage. Client $UE_k$ chooses N public keys to form a set $R = \{PK_1, \cdots, PK_k, \cdots, PK_N\}$, chooses a random value key and generates an encryption $c_{AP} = E(key, PK)$ using the AP's public key PK. $UE_k$ sends $(R, c_{AP})$ to issue a connection request. Then the AP decrypts to get key and requires $UE_k$ to perform the authentication with the AP by running protocol $\lambda_{DRA}$. If this conversation succeeds, the AP accepts $UE_k$'s access request and sends $C_{UE} = IP \oplus key$. $UE_k$ obtains the IP address by calculating $C_{UE} \oplus key$. We suppose $PK_1, PK_2, \ldots$ are the public keys of the registered UEs and can be accessed by anyone. Therefore, the unforgeability of $\lambda_{DRA}$ ensures that only a UE in the set R makes the authentication. Since the members of set R are registered users (i.e., they have paid for some plan), the AP should accept this connection. On the other hand, since protocol $\lambda_{DRA}$ is deniable with source hiding, all the members can deny their involvement and $UE_k$ is anonymous to the AP. Therefore, there is no evidence of $UE_k$'s connection to the AP. Location privacy is preserved.

7. Conclusion

We proposed a privacy-preserving authentication protocol in which the participants involved in authentication can deny their involvement, and the sender is even hidden from the receiver. We did not require the underlying building blocks to satisfy CCA2 security. Our source-hiding property is achieved by employing an N-size group. However, the computation and communication overhead are not proportional to N in each round. We extended our construction to a specific environment in which the receiver can be assumed honest. In this case, the number of communication rounds is reduced to 2 and concurrent deniability is achieved naturally. We instantiated this 2-round privacy-preserving authentication protocol with a concrete PHF and an NIWI proof to illustrate its feasibility. Finally, we elaborated its application to a privacy-preserving Wi-Fi access protocol against location leakage.

Declaration of Competing Interest

We wish to confirm that there are no conflicts of interest associated with the submission of this manuscript and we confirm that this manuscript has been read and approved by all named authors.

Acknowledgments

This work is supported by the Ministry of Education "chunhui plan" (Z2016150), Sichuan Science and Technology Program (2018GZDZX0008), Chengdu Science and Technology Program (2018-YF08-00007-GX), the National Natural Science Foundation of China (61872087) and the National Key R&D Program of China (2017YFB0802300).

References

[1] T. Li, J. Li, Z. Liu, P. Li, C. Jia, Differentially private naive bayes learning over multiple data sources, Inf. Sci. 444 (2018) 89–104.
[2] Y. Yu, Y. Li, B. Yang, W. Susilo, Attribute-based cloud data integrity auditing for secure outsourced storage, IEEE Trans. Emerg. Top. Comput. (2017), doi:10.1109/TETC.2017.2759329.
[3] Y. Yang, X. Zheng, W. Guo, X. Liu, V. Chang, (Revised version) privacy-preserving smart iot-based healthcare big data storage and self-adaptive access control system, Inf. Sci. 479 (2018) 567–592.
[4] C. Dwork, M. Naor, A. Sahai, Concurrent zero-knowledge, J. ACM 51 (6) (2004) 851–898.
[5] M.D. Raimondo, R. Gennaro, New approaches for deniable authentication, J. Cryptol. 22 (4) (2009) 572–615.
[6] R. Gennaro, Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle attacks, in: Advances in Cryptology - CRYPTO 2004, 24th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15–19, 2004, Proceedings, in: Lecture Notes in Computer Science, 3152, Springer, 2004, pp. 220–236.
[7] R. Cramer, V. Shoup, Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption, in: Advances in Cryptology - EUROCRYPT 2002, International Conference on the Theory and Applications of Cryptographic Techniques, Amsterdam, The Netherlands, April 28–May 2, 2002, Proceedings, in: Lecture Notes in Computer Science, 2332, Springer, 2002, pp. 45–64.
[8] R. Pass, On deniability in the common reference string and random oracle model, in: Advances in Cryptology - CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 2003, Proceedings, in: Lecture Notes in Computer Science, 2729, Springer, 2003, pp. 316–337.
[9] S. Jiang, R. Safavi-Naini, An efficient deniable key exchange protocol (extended abstract), in: Financial Cryptography and Data Security, 12th International Conference, FC 2008, Cozumel, Mexico, January 28–31, 2008, Revised Selected Papers, in: Lecture Notes in Computer Science, 5143, Springer, 2008, pp. 47–52.
[10] I. Damgård, Towards practical public key systems secure against chosen ciphertext attacks, in: Advances in Cryptology - CRYPTO '91, 11th Annual International Cryptology Conference, Santa Barbara, California, USA, August 11–15, 1991, Proceedings, in: Lecture Notes in Computer Science, 576, Springer, 1991, pp. 445–456.
[11] A.C. Yao, Y. Zhao, Privacy-preserving authenticated key-exchange over internet, IEEE Trans. Inf. Forensics Security 9 (1) (2014) 125–140.
[12] H. Tian, X. Chen, W. Susilo, Deniability and forward secrecy of one-round authenticated key exchange, J. Supercomput. 67 (3) (2014) 671–690.
[13] F. Li, D. Zhong, T. Takagi, Efficient deniably authenticated encryption and its application to e-mail, IEEE Trans. Inf. Forensics Security 11 (11) (2016) 2477–2486.
[14] F. Li, J. Hong, A.A. Omala, Practical deniable authentication for pervasive computing environments, Wirel. Netw. 24 (1) (2018) 139–149.
[15] M. Naor, Deniable ring authentication, in: Advances in Cryptology - CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA, August 18–22, 2002, Proceedings, in: Lecture Notes in Computer Science, 2442, Springer, 2002, pp. 481–498.
[16] R. Dowsley, G. Hanaoka, H. Imai, A.C.A. Nascimento, Round-optimal deniable ring authentication in the presence of big brother, in: Information Security Applications - 11th International Workshop, WISA 2010, Jeju Island, Korea, August 24–26, 2010, Revised Selected Papers, in: Lecture Notes in Computer Science, 6513, Springer, 2010, pp. 307–321.
[17] S. Zeng, Y. Chen, S. Tan, M. He, Concurrently deniable ring authentication and its application to LBS in vanets, Peer-to-Peer Networking Appl. 10 (4) (2017) 844–856.
[18] Y. Komano, K. Ohta, A. Shimbo, S. Kawamura, Toward the fair anonymous signatures: deniable ring signatures, in: Topics in Cryptology - CT-RSA 2006, The Cryptographers' Track at the RSA Conference 2006, San Jose, CA, USA, February 13–17, 2006, Proceedings, in: Lecture Notes in Computer Science, 3860, Springer, 2006, pp. 174–191.
[19] S. Zeng, Y. Mu, G. Yang, M. He, Deniable ring authentication based on projective hash functions, in: Provable Security - 11th International Conference, ProvSec 2017, Xi'an, China, October 23–25, 2017, Proceedings, 2017, pp. 127–143.
[20] F. Benhamouda, O. Blazy, C. Chevalier, D. Pointcheval, D. Vergnaud, New techniques for sphfs and efficient one-round PAKE protocols, in: Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18–22, 2013, Proceedings, Part I, in: Lecture Notes in Computer Science, 8042, Springer, 2013, pp. 449–475.
[21] M. Abdalla, F. Benhamouda, D. Pointcheval, Public-key encryption indistinguishable under plaintext-checkable attacks, IET Inf. Security 10 (6) (2016) 288–303.
[22] R. Chen, Y. Mu, G. Yang, F. Guo, X. Wang, Dual-server public-key encryption with keyword search for secure cloud storage, IEEE Trans. Inf. Forensics Security 11 (4) (2016) 789–798.
[23] S. Ma, Y. Mu, W. Susilo, B. Yang, Witness-based searchable encryption, Inf. Sci. 453 (2018) 364–378.
[24] M. Abdalla, F. Benhamouda, O. Blazy, C. Chevalier, D. Pointcheval, Sphf-friendly non-interactive commitments, in: Advances in Cryptology - ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1–5, 2013, Proceedings, Part I, in: Lecture Notes in Computer Science, 8269, Springer, 2013, pp. 214–234.
[25] D. Boneh, E. Goh, K. Nissim, Evaluating 2-dnf formulas on ciphertexts, in: Theory of Cryptography, Second Theory of Cryptography Conference, TCC 2005, Cambridge, MA, USA, February 10–12, 2005, Proceedings, in: Lecture Notes in Computer Science, 3378, Springer, 2005, pp. 325–341.
[26] J. Groth, A. Sahai, Efficient non-interactive proof systems for bilinear groups, in: Advances in Cryptology - EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey, April 13–17, 2008, Proceedings, in: Lecture Notes in Computer Science, 4965, Springer, 2008, pp. 415–432.
[27] S. Li, H. Li, L. Sun, Privacy-preserving crowdsourced site survey in wifi fingerprint-based localization, Eurasip J. Wirel. Commun. Networking 2016 (1) (2016) 123.

[28] S. Tao, Y. Chen, J. Yang, Protecting multi-lateral localization privacy in pervasive environments, IEEE/ACM Trans. Networking 23 (5) (2015) 1688–1701.
[29] Z. Yang, K. Järvinen, The death and rebirth of privacy-preserving wifi fingerprint localization with paillier encryption, in: 2018 IEEE Conference on Computer Communications, INFOCOM 2018, Honolulu, HI, USA, April 16–19, 2018, 2018, pp. 1223–1231.
[30] X. Liu, R.H. Deng, K.-K.R. Choo, Y. Yang, Privacy-preserving reinforcement learning design for patient-centric dynamic treatment regime, IEEE Trans. Emerging Topic in Computing (2019), doi:10.1109/tetc.2019.2896325.