Non-interactive deniable authentication protocol based on factoring


Computer Standards & Interfaces 27 (2005) 401 – 405 www.elsevier.com/locate/csi

Rongxing Lu*, Zhenfu Cao*
Department of Computer Science, Shanghai Jiao Tong University, 1954 Huashang Road, Shanghai 200030, People's Republic of China
Received 18 September 2004; accepted 20 September 2004; available online 14 October 2004

Abstract

A deniable authentication protocol is a new kind of cryptographic authentication protocol that enables a specified receiver to identify the source of a given message, but not to prove the identity of the sender to a third party. In recent years, many deniable authentication protocols have been proposed. However, most of these schemes are interactive and less efficient. To our knowledge, only Shao has proposed an efficient non-interactive deniable authentication protocol, based on the generalized ElGamal signature scheme. Therefore, in this paper we propose another non-interactive deniable authentication protocol, based on factoring. We also prove that it is secure in the random oracle model. © 2004 Elsevier B.V. All rights reserved.

Keywords: Cryptography; Deniable authentication; Factoring

This research is partially supported by the National Natural Science Foundation of China for Distinguished Young Scholars under Grant No. 60225007 and the National Research Fund for the Doctoral Program of Higher Education of China under Grant No. 20020248024.
* Corresponding authors. Tel.: +86 21 62932951; fax: +86 21 62932902. E-mail addresses: [email protected] (R. Lu), [email protected] (Z. Cao).

0920-5489/$ - see front matter © 2004 Elsevier B.V. All rights reserved. doi:10.1016/j.csi.2004.09.007

1. Introduction

A deniable authentication protocol is a new kind of cryptographic authentication protocol. Compared with traditional authentication protocols, a deniable authentication protocol has two basic characteristics:
(1) It enables a specified receiver to identify the source of a given message.
(2) The specified receiver cannot prove to a third party the identity of the sender.

Because of these two characteristics, deniable authentication protocols can be applied in some special situations. For instance, they can provide freedom from coercion in electronic voting systems and provide security of negotiation over the Internet [2]. In past years, many researchers have worked in this field, and several deniable authentication protocols have been proposed. In 1998, Dwork et al. [1] developed a notable deniable authentication protocol based on concurrent zero-knowledge proofs, but the protocol requires a timing constraint and the proof of knowledge is subject to a time delay in the authentication process. In the same year, Aumann and Rabin [2,3] proposed another scheme based on the factoring problem, but it needs a public directory trusted by both the sender and the receiver. Later, Deng et al. [4] proposed two deniable authentication protocols based on the factoring problem and the discrete logarithm problem, respectively; however, they also require a trusted public directory. To overcome this weakness, Fan et al. [5] proposed a new deniable authentication protocol based on the Diffie–Hellman key distribution protocol in 2002. However, it is still an interactive protocol, as are the other schemes [1–4]. Therefore, there is a need for secure and efficient non-interactive deniable authentication protocols. To our knowledge, until now only Shao [6] has proposed such an efficient non-interactive deniable authentication protocol, based on the generalized ElGamal signature scheme.

Motivated by the above, in this paper we propose a new deniable authentication protocol based on the factorization problem. Like Shao's scheme [6], our scheme is non-interactive. At the same time, it satisfies the correctness, unforgeability and deniability requirements of a deniable authentication protocol.

The rest of the paper is organized as follows. In Section 2, we first review some basic building blocks, namely the determinate Rabin cryptosystem and the improved Rabin signature. We then propose our new deniable authentication protocol in Section 3 and discuss its security in Section 4. Finally, concluding remarks are made in Section 5.

2. Preliminaries

Before introducing our deniable authentication protocol, in this section we briefly review the determinate Rabin cryptosystem and the improved Rabin signature.

2.1. Determinate Rabin cryptosystem

As is well known, given $n$, a product of two large primes, the Rabin trapdoor function $f(x) \equiv x^2 \pmod n$ is not a permutation but a 4-to-1 function. Therefore, the Rabin cryptosystem [8] has to add a constraint to identify the right plaintext uniquely. Here, we briefly review such a determinate Rabin cryptosystem. Select two large secure primes $p, q$ with $p \equiv q \equiv 3 \pmod 4$ and compute $n = pq$. Then the private key is $(p, q)$ and the corresponding public key is $n$.

Encryption algorithm: Suppose the plaintext is $m \in \mathbb{Z}_n$. Then the following steps are carried out.
(1) Compute the first constraint parameter $a_1$, where
$$a_1 = \begin{cases} 0 & \text{if } m < n/2, \\ 1 & \text{if } m > n/2. \end{cases}$$
(2) Compute the second constraint parameter $a_2$, where
$$a_2 = \begin{cases} 0 & \text{if } \left(\frac{m}{n}\right) = 1, \\ 1 & \text{if } \left(\frac{m}{n}\right) = -1. \end{cases}$$
(3) Compute $c \equiv m^2 \pmod n$; the ciphertext is $(c, a_1, a_2)$.

Decryption algorithm: Using the private key $(p, q)$, the four roots $\{x_1, x_2, x_3, x_4\}$ satisfying $x^2 \equiv c \pmod n$ can be derived. Then, from the constraint parameters $a_1, a_2$, the right plaintext $m$ is immediately determined.

2.2. Improved Rabin signature

The improved Rabin signature was introduced in Ref. [7]. Here, to keep the paper self-contained, we review it again. Let $p$ and $q$ be two large secure primes satisfying $p \equiv q \equiv 3 \pmod 4$. Compute $n = pq$ and select a parameter $a$ with Jacobi symbol $\left(\frac{a}{n}\right) = -1$. Then the private key is $(p, q)$ and the corresponding public key is $(n, a)$. In addition, a one-way hash function $H : \{0,1\}^* \to \mathbb{Z}_n$ is also published.

Signing algorithm: Suppose that a message $m \in \{0,1\}^*$ is to be signed. The signer proceeds as follows:
(1) Compute the first parameter $b_1$, where
$$b_1 = \begin{cases} 0 & \text{if } \left(\frac{H(m)}{n}\right) = 1, \\ 1 & \text{if } \left(\frac{H(m)}{n}\right) = -1. \end{cases}$$
(2) Compute $t = a^{b_1} H(m)$ and the second parameter $b_2$, where
$$b_2 = \begin{cases} 0 & \text{if } \left(\frac{t}{p}\right) = \left(\frac{t}{q}\right) = 1, \\ 1 & \text{if } \left(\frac{t}{p}\right) = \left(\frac{t}{q}\right) = -1. \end{cases}$$
(3) Compute $u = (-1)^{b_2} a^{b_1} H(m)$ and $s$, where $s^2 \equiv u \pmod n$.
In this way, the signature on message $m$ is $(s, b_1, b_2)$.

Verifying algorithm: Any verifier can verify the signature $(s, b_1, b_2)$ by checking the equation
$$s^2 \equiv (-1)^{b_2} \cdot a^{b_1} \cdot H(m) \pmod n.$$
If it holds, the signature is accepted; otherwise it is rejected.

3. Non-interactive deniable authentication protocol

In this section, based on the above determinate Rabin cryptosystem and improved Rabin signature, we propose a new non-interactive deniable authentication protocol.

3.1. System setting

In this system, assume Alice and Bob are the sender and the receiver, respectively. Given a security parameter $k$, Alice chooses two large primes $p_a$ and $q_a$ as her private key, where $|p_a| = |q_a| = k$ and $p_a \equiv q_a \equiv 3 \pmod 4$. She then computes $n_a = p_a q_a$ as her public key. Moreover, she also publishes another random number $a$ such that $\left(\frac{a}{n_a}\right) = -1$. Bob likewise chooses two large primes $p_b$ and $q_b$ such that $|p_b| = |q_b| = k$ and $p_b \equiv q_b \equiv 3 \pmod 4$, and computes $n_b = p_b q_b$. He keeps $(p_b, q_b)$ as his private key and publishes $n_b$ as the corresponding public key. Furthermore, three secure one-way hash functions $H_a : \{0,1\}^* \to \mathbb{Z}_{n_a}$, $H_b : \{0,1\}^* \to \mathbb{Z}_{n_b}$ and $H_c(\cdot)$ are published. Note that both $\{n_a, a\}$ and $n_b$ should be certified by a trusted authority.

3.2. The concrete protocol

Suppose Alice wants to send a deniable authentication message $m$ to Bob. She runs the following steps:
(1) Choose a random number $r \in_R \mathbb{Z}_{n_b}$ and compute $H_a(r)$.
(2) Use the improved Rabin signature to compute $(s, b_1, b_2)$ satisfying $s^2 \equiv (-1)^{b_2} a^{b_1} H_a(r) \pmod{n_a}$.
(3) Use the determinate Rabin cryptosystem to compute $(c, a_1, a_2)$, where $c \equiv (H_b(s) \cdot r)^2 \pmod{n_b}$.
(4) Compute $\mathrm{MAC} = H_c(m, r)$.
(5) Send $(s, b_1, b_2, c, a_1, a_2, \mathrm{MAC})$ together with $m$ to Bob.

After receiving $(s, b_1, b_2, c, a_1, a_2, \mathrm{MAC})$, Bob uses his private key $(p_b, q_b)$ to verify it by the following steps:
(1) Compute $d$ from $(c, a_1, a_2)$, where $d^2 \equiv c \pmod{n_b}$.
(2) Compute $r$ by the equation
$$r \equiv \frac{d}{H_b(s)} \equiv \frac{H_b(s) \cdot r}{H_b(s)} \pmod{n_b}.$$
(3) Check whether $s^2 \equiv (-1)^{b_2} a^{b_1} H_a(r) \pmod{n_a}$ and $\mathrm{MAC} = H_c(m, r)$. If both hold, $(s, b_1, b_2, c, a_1, a_2, \mathrm{MAC})$ is accepted; otherwise it is rejected.

4. Security discussion

In this section, we discuss whether the proposed protocol satisfies the basic security requirements. Here, we concentrate on the protocol's correctness, unforgeability and deniability.

Theorem 1. If the sender and the receiver both follow the protocol, the receiver is always able to identify the source of a message.

Proof. From the deduction in Section 3, if Alice and Bob both follow the protocol, Bob is always able to identify the source of a message. □

To prove that the proposed protocol satisfies unforgeability, we assume that $H_a(\cdot)$ is a random oracle. Then we can give a rigorous provable-security proof in the random oracle model.

Theorem 2. Suppose that factoring is $(s', \varepsilon')$-secure. Then for any $q_h, q_s$, the proposed protocol is $(s, q_h, q_s, \varepsilon)$-secure against existential forgery under adaptive chosen message attack in the random oracle model.

Proof. Suppose $\mathcal{A}$ is a forger who can $(s, q_h, q_s, \varepsilon)$-break the proposed protocol. Then we can use $\mathcal{A}$ to construct another algorithm $\mathcal{S}$ that solves the factorization problem. First, algorithm $\mathcal{S}$ is given a challenge as follows: for $n_a$, a product of two large primes $p_a$ and $q_a$, $\mathcal{S}$ is required to find $p_a$ and $q_a$ in polynomial time. Algorithm $\mathcal{S}$ sets $n_a$ as the public key, chooses another pair $(p_b, q_b)$ and $n_b$, and gives them to $\mathcal{A}$. Then $\mathcal{S}$ simulates a run of the proposed protocol for the forger $\mathcal{A}$, answering $\mathcal{A}$'s hash function queries and signature oracle queries. Without loss of generality, we assume that all hash oracle queries and signature oracle queries are distinct. For simplicity and clarity of description, we omit the "mod $n_a$" and "mod $n_b$" markers and assume $a_1 = a_2 = b_1 = b_2 = 0$.

Answering H-oracle queries. When $\mathcal{A}$ provides a new random number $r$ as an $H_a(\cdot)$ query, algorithm $\mathcal{S}$ maintains a hash query table H-list and works as follows. We may assume that $\mathcal{A}$ makes exactly $q_h$ H-oracle queries and that H-list is initially empty. When $\mathcal{A}$ makes the $i$th query $r_i$, where $1 \le i \le q_h$ and $r_i \in \mathbb{Z}^*_{n_b}$, $\mathcal{S}$ picks a random number $t_i \in \mathbb{Z}^*_{n_a}$ and computes $t_i^2 \pmod{n_a}$. Then it adds $(r_i, t_i, t_i^2)$ to H-list. Finally, $\mathcal{S}$ responds with $t_i^2$ as $H_a(r_i)$ to $\mathcal{A}$.

Answering signature queries. We assume that $\mathcal{A}$ makes $q_s$ signature queries in total, where $q_s < q_h$. When $\mathcal{A}$ makes a signature query on a message $m_i$, algorithm $\mathcal{S}$ responds as follows:
(1) First, $\mathcal{S}$ randomly selects an entry $(r_i, t_i, t_i^2)$ from the H-list and sets $s_i = t_i$.
(2) Then, $\mathcal{S}$ computes $\mathrm{MAC}_i = H_c(m_i, r_i)$ and uses the determinate Rabin cryptosystem to compute $c_i \equiv (H_b(s_i) \cdot r_i)^2 \pmod{n_b}$.
(3) Finally, $\mathcal{S}$ responds with $(s_i, c_i, \mathrm{MAC}_i)$ to $\mathcal{A}$ and deletes $(r_i, t_i, t_i^2)$ from the H-list.

Solving the factorization problem. At last, $\mathcal{A}$ stops and returns a valid forgery $(s^*, c^*, \mathrm{MAC}^*)$ for a new message $m^*$. When $\mathcal{S}$ receives $(s^*, c^*, \mathrm{MAC}^*)$, it can use $(p_b, q_b)$ to compute $d^*$ such that $d^{*2} \equiv c^* \pmod{n_b}$. Then it can compute $r^*$, where
$$r^* \equiv \frac{d^*}{H_b(s^*)} \equiv \frac{H_b(s^*) \cdot r^*}{H_b(s^*)} \pmod{n_b}.$$
If $r^*$ does not exist in the H-list, $\mathcal{S}$ aborts and reports failure. Otherwise, $\mathcal{S}$ picks the corresponding entry $(r^*, t^*, t^{*2})$ from the H-list. Since $(s^*, c^*, \mathrm{MAC}^*)$ is a valid forgery, there is a probability $1/2$ that $s^*$ differs from $t^*$, and $\mathcal{S}$ can then factor $n_b$ by $\gcd(s^* - t^*, n_b)$ accordingly. Because $H_a(\cdot)$ is assumed to be a random oracle, $\mathcal{A}$ cannot distinguish between $\mathcal{S}$'s simulation and real life. Therefore, $\mathcal{S}$ can solve the factorization problem with non-negligible probability. □

From Theorem 2, the proposed protocol can withstand forgery attacks.

Theorem 3. For any third party, the proposed protocol is deniable.

Proof. After receiving $(s, b_1, b_2, c, a_1, a_2, \mathrm{MAC})$ and the message $m$, Bob can identify the source of the message using his private key. But he cannot convince a third party of it. Bob may provide the third party with $d$, where $d \equiv H_b(s) \cdot r \pmod{n_b}$. Then the third party can verify $(s, b_1, b_2, c, a_1, a_2, \mathrm{MAC})$ and $m$ by himself. However, the third party remains skeptical of the truth of the evidence provided by Bob, since Bob can construct another $\mathrm{MAC}' = H_c(m', r)$ for a different message $m'$, and it is indistinguishable from the actual message authenticator computed by Alice. Therefore, the proposed protocol is deniable. □

From the above three theorems, we conclude:

Corollary 1. The proposed deniable authentication protocol is secure and works correctly.
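The following is an added example, not code from the paper: it implements the determinate Rabin cryptosystem and the improved Rabin signature of Section 2 and the sender/receiver steps of Section 3 in Python with toy parameters, then exercises two points of Section 4: the deniability argument of Theorem 3 (Bob, having recovered r, can attach a valid MAC to any other message m', so the token convinces no third party) and the closing step of the Theorem 2 reduction (two square roots of one value that are not negatives of each other yield a factor via gcd). The SHA-256 instantiation of H_a, H_b and H_c, the Mersenne-prime keys, the fixed r and the message strings are all assumptions made for the example; the keys are far too small for real use.

```python
import hashlib
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (the Legendre symbol when n is prime)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def sqrt_roots(c, p, q):
    """The four square roots of a quadratic residue c mod n = p*q, p ≡ q ≡ 3 (mod 4)."""
    n = p * q
    xp, xq = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    return [(sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % n  # CRT combination
            for sp in (xp, p - xp) for sq in (xq, q - xq)]

# --- Section 2.1: determinate Rabin cryptosystem ---------------------------
def rabin_encrypt(m, n):
    a1 = 0 if 2 * m < n else 1              # first constraint: is m < n/2 ?
    a2 = 0 if jacobi(m, n) == 1 else 1      # second constraint: is (m/n) = 1 ?
    return pow(m, 2, n), a1, a2

def rabin_decrypt(c, a1, a2, p, q):
    n = p * q
    for x in sqrt_roots(c, p, q):           # exactly one root satisfies both constraints
        if (0 if 2 * x < n else 1) == a1 and (0 if jacobi(x, n) == 1 else 1) == a2:
            return x
    raise ValueError("no square root matches (a1, a2)")

# --- Section 2.2: improved Rabin signature ---------------------------------
def improved_rabin_sign(h, a, p, q):
    """Return (s, b1, b2) with s^2 ≡ (-1)^b2 * a^b1 * h (mod n) for h in Z_n."""
    n = p * q
    b1 = 0 if jacobi(h, n) == 1 else 1      # since (a/n) = -1, t = a^b1 * h has (t/n) = 1
    t = pow(a, b1, n) * h % n
    b2 = 0 if jacobi(t, p) == 1 else 1      # (t/p) = (t/q) = -1: multiply by -1, a non-residue
    u = (-1) ** b2 * t % n
    return sqrt_roots(u, p, q)[0], b1, b2

def improved_rabin_verify(h, s, b1, b2, a, n):
    return pow(s, 2, n) == (-1) ** b2 * pow(a, b1, n) * h % n

# --- Section 3: the protocol (hash functions are an assumed SHA-256 instantiation)
def hash_to_zn(tag, x, n):                  # plays the role of H_a (tag b"Ha|") and H_b (tag b"Hb|")
    return int.from_bytes(hashlib.sha256(tag + str(x).encode()).digest(), "big") % n

def H_c(m, r):
    return hashlib.sha256(b"Hc|" + m + b"|" + str(r).encode()).hexdigest()

def alice_send(m, r, alice_priv, a, n_b):
    p_a, q_a = alice_priv
    n_a = p_a * q_a
    s, b1, b2 = improved_rabin_sign(hash_to_zn(b"Ha|", r, n_a), a, p_a, q_a)  # step (2)
    c, a1, a2 = rabin_encrypt(hash_to_zn(b"Hb|", s, n_b) * r % n_b, n_b)     # step (3)
    return s, b1, b2, c, a1, a2, H_c(m, r)                                   # steps (4), (5)

def recover_r(token, bob_priv):
    """Bob's steps (1)-(2): d^2 ≡ c (mod n_b), then r ≡ d / H_b(s) (mod n_b)."""
    s, _, _, c, a1, a2, _ = token
    p_b, q_b = bob_priv
    n_b = p_b * q_b
    d = rabin_decrypt(c, a1, a2, p_b, q_b)
    return d * pow(hash_to_zn(b"Hb|", s, n_b), -1, n_b) % n_b

def bob_verify(m, token, bob_priv, a, n_a):
    s, b1, b2, _, _, _, mac = token
    r = recover_r(token, bob_priv)
    return (improved_rabin_verify(hash_to_zn(b"Ha|", r, n_a), s, b1, b2, a, n_a)
            and mac == H_c(m, r))                                            # step (3)

def bob_simulate(m_prime, token, bob_priv):
    """Theorem 3: knowing r, Bob can attach a valid MAC to any m', so the token binds nobody."""
    return token[:6] + (H_c(m_prime, recover_r(token, bob_priv)),)

def factor_from_roots(s, t, n):
    """Last step of Theorem 2: two square roots of one value with s ≠ ±t reveal a factor of n."""
    return gcd(s - t, n)

# Constructed toy parameters: Mersenne primes, all ≡ 3 (mod 4); far too small for real use.
P_A, Q_A, P_B, Q_B = 2**107 - 1, 2**89 - 1, 2**127 - 1, 2**61 - 1
N_A, N_B = P_A * Q_A, P_B * Q_B
A_PARAM = next(x for x in range(2, 1000) if jacobi(x, N_A) == -1)  # public a with (a/n_a) = -1

if __name__ == "__main__":
    r = 123456789012345678901234567890          # Alice's random r in Z_{n_b}, fixed here
    token = alice_send(b"transfer 100", r, (P_A, Q_A), A_PARAM, N_B)
    print("Bob accepts genuine token:", bob_verify(b"transfer 100", token, (P_B, Q_B), A_PARAM, N_A))
    print("altered message rejected:", not bob_verify(b"transfer 900", token, (P_B, Q_B), A_PARAM, N_A))
    forged = bob_simulate(b"transfer 900", token, (P_B, Q_B))
    print("Bob's own token for m' also verifies:", bob_verify(b"transfer 900", forged, (P_B, Q_B), A_PARAM, N_A))
    x0, x1 = sqrt_roots(4, P_A, Q_A)[:2]
    print("gcd of two distinct roots factors n_a:", factor_from_roots(x0, x1, N_A) == P_A)
```

The receiver-side check reuses `recover_r` for both verification and Bob's simulation, which makes the deniability argument concrete: everything a third party could be shown (d, hence r) is exactly what lets Bob mint a MAC for a different message himself. The `sqrt_roots` helper is also what makes the reduction in Theorem 2 work, since any two roots that are not negatives of each other differ modulo exactly one of the primes.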


5. Conclusions

In this paper, we have proposed a new non-interactive deniable authentication protocol based on factoring and proved that it is secure in the random oracle model. As further work, it is worthwhile to study a new security model for deniable authentication protocols and to give a rigorous security proof in that model.

References

[1] C. Dwork, M. Naor, A. Sahai, Concurrent zero-knowledge, Proc. 30th ACM STOC '98, Dallas TX, USA, 1998, pp. 409–418.
[2] Y. Aumann, M. Rabin, Authentication, enhanced security and error correcting codes, Crypto '98, Santa Barbara, CA, USA, LNCS 1462, Springer-Verlag, Berlin, 1998, pp. 299–303.
[3] Y. Aumann, M. Rabin, Efficient deniable authentication of long messages, Int. Conf. on Theoretical Computer Science in Honor of Professor Manuel Blum's 60th Birthday, April 20–24, 1998, http://www.cs.cityu.edu.hk/dept/video.html.
[4] X. Deng, C.H. Lee, H. Zhu, Deniable authentication protocols, IEE Proceedings. Computers and Digital Techniques 148 (2) (2001) 101–104.
[5] L. Fan, C.X. Xu, J.H. Li, Deniable authentication protocol based on Diffie–Hellman algorithm, Electronics Letters 38 (4) (2002) 705–706.
[6] Z. Shao, Efficient deniable authentication protocol based on generalized ElGamal signature scheme, Computer Standards & Interfaces 26 (2004) 449–454.
[7] R. Lu, Z. Cao, Y. Zhou, A simple efficient proxy-protected signature scheme based on factoring, Computer Standards & Interfaces, in press.
[8] M.O. Rabin, Digitalized Signatures and Public-Key Functions as Intractable as Factorization, MIT/LCS/TR-212, MIT Laboratory for Computer Science, 1979.

Rongxing Lu received his BS and MS degrees in Computer Science from Shanghai Tongji University in 2000 and 2003, respectively. Currently, he is a doctoral candidate in the Department of Computer and Engineering, Shanghai Jiao Tong University. His research interests are in cryptography and network security.

Zhenfu Cao is a professor and doctoral supervisor of Computer Software and Theory in the Department of Computer Science of Shanghai Jiao Tong University. His main research areas are number theory and modern cryptography, and the theory and technology of information security. He is the recipient of the Ying-Tung Fok Young Teacher Award (1989), the First Ten Outstanding Youth in Harbin award (1996), the Best PhD Thesis Award of Harbin Institute of Technology (2001) and the National Outstanding Youth Fund in 2002.