Abstract
In this paper, we consider Identification Schemes (\(\mathsf {IS}\)) in the context of attacks against their deniability via Fiat-Shamir transformations. We address the following issue: How to design and implement a deniable \(\mathsf {IS}\), that is secure against ephemeral leakage on both a Prover’s and a Verifier’s side, and withstands attacks based on Fiat-Shamir transformation. We propose a new security model to address the leakage on the Verifier’s side, extending the previous propositions [1]. During the Query Stage, we allow the malicious Verifier to set random values used on the Prover’s side. Additionally, we allow malicious Prover to access ephemeral values of the Verifier during the Impersonation Stage. We introduce two generic constructions based on three-step \(\mathsf {IS}\). Finally, we provide an example scheme based on the extended construction from [1], which is provably deniable and secure in our new strong model.
Partially supported by funding from Polish National Science Centre (NCN) contract number DEC-2013/08/M/ST6/00928.
References
Krzywiecki, Ł.: Schnorr-like identification scheme resistant to malicious subliminal setting of ephemeral secret. In: Bica, I., Reyhanitabar, R. (eds.) SECITC 2016. LNCS, vol. 10006, pp. 137–148. Springer, Cham (2016). doi:10.1007/978-3-319-47238-6_10
Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991). http://dx.doi.org/10.1007/BF00196725
Okamoto, T.: Provably secure and practical identification schemes and corresponding signature schemes. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 31–53. Springer, Heidelberg (1993). doi:10.1007/3-540-48071-4_3
Stinson, D.R., Wu, J.: An efficient and secure two-flow zero-knowledge identification protocol. J. Math. Cryptol. (JMC) 1(3), 201–220 (2007)
Wu, J., Stinson, D.R.: An efficient identification protocol and the knowledge-of-exponent assumption. IACR Cryptology ePrint Archive 2007, 479 (2007)
Bender, J., Dagdelen, Ö., Fischlin, M., Kügler, D.: The PACE—AA protocol for machine readable travel documents, and its security. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 344–358. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32946-3_25
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). doi:10.1007/3-540-47721-7_12
Feige, U., Fiat, A., Shamir, A.: Zero-knowledge proofs of identity. J. Cryptol. 1(2), 77–94 (1988). http://dx.doi.org/10.1007/BF02351717
Guillou, L.C., Quisquater, J.-J.: A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988). doi:10.1007/3-540-45961-8_11
Kurosawa, K., Heng, S.-H.: Identity-based identification without random oracles. In: Gervasi, O., Gavrilova, M.L., Kumar, V., Laganà, A., Lee, H.P., Mun, Y., Taniar, D., Tan, C.J.K. (eds.) ICCSA 2005. LNCS, vol. 3481, pp. 603–613. Springer, Heidelberg (2005). doi:10.1007/11424826_64
Kurosawa, K., Heng, S.-H.: The power of identification schemes. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 364–377. Springer, Heidelberg (2006). doi:10.1007/11745853_24
Canetti, R., Goldreich, O., Goldwasser, S., Micali, S.: Resettable zero-knowledge (extended abstract). In: Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing (STOC 2000), pp. 235–244 (2000). http://doi.acm.org/10.1145/335305.335334
Bellare, M., Fischlin, M., Goldwasser, S., Micali, S.: Identification protocols secure against reset attacks. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 495–511. Springer, Heidelberg (2001). doi:10.1007/3-540-44987-6_30
Ateniese, G., Magri, B., Venturi, D.: Subversion-resilient signature schemes. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS 2015), Denver, 12–16 October 2015, pp. 364–375 (2015)
Russell, A., Tang, Q., Yung, M., Zhou, H.: Cliptography: clipping the power of kleptographic attacks. IACR Cryptology ePrint Archive 2015, 695 (2015). http://eprint.iacr.org/2015/695
Hanzlik, L., Kluczniak, K., Kutyłowski, M.: Controlled randomness – a defense against backdoors in cryptographic devices. In: Phan, R.C.-W., Yung, M. (eds.) Mycrypt 2016. LNCS, vol. 10311, pp. 215–232. Springer, Cham (2017). doi:10.1007/978-3-319-61273-7_11
Raimondo, M.D., Gennaro, R., Krawczyk, H.: Deniable authentication and key exchange. In: Juels, A., Wright, R.N., di Vimercati, S.D.C. (eds.) Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, 30 October–3 November 2006, pp. 400–409. ACM (2006). http://doi.acm.org/10.1145/1180405.1180454
Dwork, C., Naor, M., Sahai, A.: Concurrent zero-knowledge. In: Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing (STOC 1998), pp. 409–418 (1998). http://doi.acm.org/10.1145/276698.276853
Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978). http://dx.doi.org/10.1145/359340.359342
A Postponed Proof
Proof
We use the ROM for hash queries. The proof is by contradiction. Suppose there is an Adversary for which is non-negligible. Then it can be used as a subprocedure: either to break the security of RSA by taking the e-th root in \(\mathbb {Z}_N^\times \) of a given challenge ciphertext \(\widetilde{c}\), or to break \(\mathsf {GDH}\) for the given instance \(g, g^\alpha , g^\beta \) by computing \(g^{\alpha \beta }\), in either case with non-negligible probability. Therefore we draw a bit d which determines our strategy. If \(d=0\), we play against the Adversary in the first scenario, breaking the security of RSA; otherwise, we play against the Adversary in the second scenario, solving the \(\mathsf {CDH}\) problem.
- \(\mathtt {Init \ Stage{:}}\)
  Let \(\mathsf {par}\leftarrow \mathbb {G}=(q, g, G)\) and \((g, g^\alpha , g^\beta )\) be the \(\mathsf {CDH}\) problem input instance. We set \({\mathsf {pk}}=g^\alpha \) and give it to \(\mathcal {A}\). If \(d=0\), we take \({\mathsf {pe}}\) and \(\widetilde{c}\) to be the RSA input instance, thus we do not know the proper verifier's secret key; otherwise, we honestly generate the verifier's keys (\({\mathsf {pe}}, {\mathsf {se}}\)). We initialise the RO table with columns I, H, r.
- \(\mathtt {Query \ Stage{:}}\)
  We interactively simulate, with an active malicious Verifier \(\widetilde{\mathcal {V}}\), the protocol \(\pi (\mathcal {P} ^{{\bar{x}}_i}({\mathsf {pk}}),\widetilde{\mathcal {V}}^{\mathcal {O}_{\mathcal {H}_G}}({\mathsf {pk}},{\bar{x}}_i,\{v_{i-1}\}))\), without the secret key, using injected ephemerals \({\bar{x}}_i\), \(\ell \) times.
  Serving hash queries \(\mathcal {O}_{\mathcal {H}_G}(I_i)\): If the input \(I_i\) is in the RO table, the oracle returns the corresponding output \(H_i\). Otherwise, \(r_i\leftarrow _R \mathbb {Z}^{*}_q\), \(H_i=g^{r_i}\), and (\(I_i, H_i, r_i\)) is added to the RO table.
  (1) Commitment \(\hat{c}\): Receive the commitment \(\hat{c}\) in the first message.
  (2) Commitment X: Send \(\widetilde{X}=g^{\bar{x}}\) to the Verifier \(\widetilde{\mathcal {V}}\).
  (3) Proof S: Upon obtaining m, b from the Verifier, check \(m^e{\mathop {=}\limits ^{?}}\hat{c}\) and compute \(\bar{c}=\mathcal {H}_q(m,b)\). Query \(\mathcal {O}_{\mathcal {H}_G}(\widetilde{X}, \bar{c})\) for r. Set \(\widetilde{S} = \widetilde{X}^{r}{\mathsf {pk}}^{r\bar{c}} = \hat{g}^{\bar{x}+{\mathsf {sk}}\bar{c}}\), where \(\hat{g}=g^{r}\). Note that \(\hat{e}(\widetilde{S},g) = \hat{e}(\hat{g},\widetilde{X}{\mathsf {pk}}^{\bar{c}})\). The simulated transcript tuple \(\widetilde{T}=(\hat{c}, \widetilde{X},({m},{b}),\widetilde{S})\) and the potential real protocol execution transcript \({T}=(\hat{c}, X,(m,b),S)\) have the same distribution.
- \(\mathtt {Impersonation \ Stage{:}}\)
  The strategy differs between the scenarios:
  - \(d=0\): We send the challenge ciphertext \(\widetilde{c}\) as the Verifier's commitment. If the Adversary computes the challenge \(c=\mathcal {H}_q(m,b)\) before sending X, we use it to break the security of the underlying encryption scheme. Intercepting the query \(\mathcal {O}_{\mathcal {H}_q}(m,b)\), we obtain m, breaking the one-wayness of the encryption; in this case m is the e-th root of \(\widetilde{c}\) in \(\mathbb {Z}_N^\times \), as \(m^e = \widetilde{c}\).
  - \(d=1\): In the ROM, we run \(\pi (\widetilde{\mathcal {P}}^{\mathcal {O}_{\mathcal {H}_G}}({\mathsf {pk}},{\mathsf {pe}},\{v_i\}),\mathcal {V} ({\mathsf {pk}},{\mathsf {se}}))\), playing the role of the honest Verifier. We use the rewinding technique: we fix the random value x used for \(X=g^x\) by \(\widetilde{\mathcal {P}}\), and upon obtaining a correct proof message, we rewind the prover back to the challenge phase, choosing \(b=0\) in the first run and \(b=1\) in the second run. This gives us \(c_1=\mathcal {H}_q(m,0)\) for the first run and \(c_2=\mathcal {H}_q(m,1)\) for the second run. Finally, we get the tuples (\(\hat{c}, X, m , 0, c_1, S_1, \hat{g}_1, r_1\)) and (\(\hat{c}, X, m , 1, c_2, S_2, \hat{g}_2, r_2\)). By inspecting the RO table, we obtain \(\hat{g}_1 = \mathcal {O}_{\mathcal {H}_G}(X,c_1)\rightarrow g^{\beta r_1}\) and \(\hat{g}_2 = \mathcal {O}_{\mathcal {H}_G}(X,c_2)\rightarrow g^{\beta r_2}\). Suppose we accept the Prover both times, i.e. \(\hat{e}({S_1},g) = \hat{e}(\hat{g}_1, X{\mathsf {pk}}^{c_1})\) and \(\hat{e}({S_2},g) = \hat{e}(\hat{g}_2, X{\mathsf {pk}}^{c_2})\). Then \(S_1=g^{\beta r_1(x + \alpha c_1)}\) and \(S_2=g^{\beta r_2(x + \alpha c_2)}\). Thus \(S_1^{1/{r_1}}/{S_2}^{1/{r_2}} = g^{\beta (\alpha c_1 - \alpha c_2)}\) and \(g^{\alpha \beta } = (S_1^{1/{r_1}}/{S_2}^{1/{r_2}})^{1/{(c_1-c_2)}}\).
Now, let p denote the non-negligible probability of \(\mathcal {A}\) breaking our scheme. Let \(p_0\) be the probability that it knows \(c=\mathcal {H}_q(m,b)\) before sending X, and let \(p_1=1-p_0\) be the probability that it does not know \(c=\mathcal {H}_q(m,b)\) before sending X. Thus, we break RSA with probability \(\frac{1}{2} p p_0\), or alternatively, we break \(\mathsf {CDH}\) with probability \(\frac{1}{2} p (1-p_0)\). Hence, for any value \(p_0\in [0,1]\), we break one of the problems with non-negligible probability, which contradicts our assumptions. \(\square \)
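The \(d=1\) extraction step above, worked through as an added example that is not part of the paper: the reduction answers the prover's \(\mathcal {O}_{\mathcal {H}_G}\) queries with \(g^{\beta r}\) and logs r, rewinds the prover on the same X with \(b=0\) and \(b=1\), then recovers \(g^{\alpha \beta }\) from the two proofs. A constructed toy group (safe prime 2039, subgroup of order 1019) and SHA-256 for \(\mathcal {H}_q\) are assumptions; the pairing-based acceptance check is not modelled, the prover is simply run honestly so that both transcripts accept.

```python
import hashlib
import secrets

# Constructed toy group (illustration only): safe prime P = 2Q+1, G is a quadratic
# residue and therefore generates the subgroup of prime order Q.
P, Q = 2039, 1019
G = pow(2, 2, P)  # = 4


def h_q(m: bytes, b: int) -> int:
    """Challenge hash H_q(m, b), modelled here as SHA-256 reduced mod Q (assumption)."""
    return int.from_bytes(hashlib.sha256(m + bytes([b])).digest(), "big") % Q


def ro_hash_g(table: dict, X: int, c: int, g_beta: int):
    """Simulated oracle O_{H_G}(X, c): on a fresh query pick r, answer g^{beta r}
    (computable from the CDH instance as (g^beta)^r) and record r in the RO table."""
    if (X, c) not in table:
        r = secrets.randbelow(Q - 1) + 1          # r in Z_q^*
        table[(X, c)] = (pow(g_beta, r, P), r)    # columns H, r
    return table[(X, c)]


def prover_proof(table: dict, sk: int, x: int, c: int, g_beta: int) -> int:
    """Prover's proof message S = g_hat^{x + sk*c} with g_hat = H_G(X, c); the
    prover knows sk = alpha, the reduction does not."""
    g_hat, _ = ro_hash_g(table, pow(G, x, P), c, g_beta)
    return pow(g_hat, (x + sk * c) % Q, P)


def extract_cdh(table: dict, prover, X: int, m: bytes, g_beta: int) -> int:
    """Run the prover with b=0, rewind, run again with b=1 on the same X, and
    compute g^{alpha beta} = (S_1^{1/r_1} / S_2^{1/r_2})^{1/(c_1 - c_2)}."""
    c1, c2 = h_q(m, 0), h_q(m, 1)
    if c1 == c2:
        raise ValueError("challenge collision; rewinding yields nothing")
    S1 = prover(c1)                     # first run
    S2 = prover(c2)                     # second run, after rewinding
    r1, r2 = table[(X, c1)][1], table[(X, c2)][1]   # r_1, r_2 read from the RO table
    t1 = pow(S1, pow(r1, -1, Q), P)     # g^{beta (x + alpha c1)}
    t2 = pow(S2, pow(r2, -1, Q), P)     # g^{beta (x + alpha c2)}
    quotient = t1 * pow(t2, -1, P) % P  # g^{beta alpha (c1 - c2)}; the x part cancels
    return pow(quotient, pow((c1 - c2) % Q, -1, Q), P)


def demo(alpha: int, beta: int, x: int, m: bytes):
    """Return (extracted value, g^{alpha beta} computed directly from the secrets)."""
    table, g_beta = {}, pow(G, beta, P)
    prover = lambda c: prover_proof(table, alpha, x, c, g_beta)
    got = extract_cdh(table, prover, pow(G, x, P), m, g_beta)
    return got, pow(G, (alpha * beta) % Q, P)
```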
© 2017 Springer International Publishing AG
Krzywiecki, Ł., Słowik, M. (2017). Strongly Deniable Identification Schemes Immune to Prover's and Verifier's Ephemeral Leakage. In: Farshim, P., Simion, E. (eds.) Innovative Security Solutions for Information Technology and Communications. SecITC 2017. Lecture Notes in Computer Science, vol. 10543. Springer, Cham. https://doi.org/10.1007/978-3-319-69284-5_9
DOI: https://doi.org/10.1007/978-3-319-69284-5_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-69283-8
Online ISBN: 978-3-319-69284-5