Strongly Deniable Identification Schemes Immune to Prover’s and Verifier’s Ephemeral Leakage

Abstract

In this paper, we consider Identification Schemes (\(\mathsf {IS}\)) in the context of attacks against their deniability via Fiat-Shamir transformations. We address the following issue: How to design and implement a deniable \(\mathsf {IS}\), that is secure against ephemeral leakage on both a Prover’s and a Verifier’s side, and withstands attacks based on Fiat-Shamir transformation. We propose a new security model to address the leakage on the Verifier’s side, extending the previous propositions [1]. During the Query Stage, we allow the malicious Verifier to set random values used on the Prover’s side. Additionally, we allow malicious Prover to access ephemeral values of the Verifier during the Impersonation Stage. We introduce two generic constructions based on three-step \(\mathsf {IS}\). Finally, we provide an example scheme based on the extended construction from [1], which is provably deniable and secure in our new strong model.

Partially supported by funding from Polish National Science Centre (NCN) contract number DEC-2013/08/M/ST6/00928.

A Postponed Proof

Proof

We use ROM for hash queries. The proof is by contradiction. Suppose there is an Adversary for which is non-negligible. Thus, it can be used as a subprocedure: either to break security of RSA by taking eth root in \(\mathbb {Z}_N^\times \) of a given challenge ciphertext \(\widetilde{c}\), or to break \(\mathsf {GDH}\) for the given instance \(g, g^\alpha , g^\beta \), by computing \(g^{\alpha \beta }\), either with a non-negligible probability. Therefore we draw a bit d which determines our strategy. If \(d=0\), we assume a play against the Adversary in the first scenario, breaking the security of RSA; otherwise, we play against the Adversary in the second scenario, solving the \(\mathsf {CDH}\) problem.

 

\(\mathtt {Init \ Stage{:}}\) :

Let \(\mathsf {par}\leftarrow \mathbb {G}=(q, g, G)\) and \((g, g^\alpha , g^\beta )\) be the \(\mathsf {CDH}\) problem input instance. We set \({\mathsf {pk}}=g^\alpha \) and give it to \(\mathcal {A}\). If \(d=0\), we assume \({\mathsf {pe}}\) and \(\widetilde{c}\) to be the RSA input instance, thus we do not know the proper verifier’s secret key; otherwise, we honestly generate verifier secret keys (\({\mathsf {pe}}, {\mathsf {se}}\)). We initiate RO table with columns I, H, r.

\(\mathtt {Query \ Stage{:}}\) :

We interactively simulate, with an active malicious Verifier \(\widetilde{\mathcal {V}}\), the protocol \(\pi (\mathcal {P} ^{{\bar{x}}_i}({\mathsf {pk}}),\widetilde{\mathcal {V}}^{\mathcal {O}_{\mathcal {H}_G}}({\mathsf {pk}},{\bar{x}}_i,\{v_{i-1}\}))\), without the secret key, using injected ephemerals \({\bar{x}}_i\), \(\ell \) times.

 

Serving Hash queries \(\mathcal {O}_{\mathcal {H}_G}(I_i)\) : If input \(I_i\) is in the RO table, the oracle returns the corresponding output \(H_i\). Otherwise, \(r_i\leftarrow _R \mathbb {Z}^{*}_q\), \(H_i=g^{r_i}\), add (\(I_i, H_i, r_i\)) to the RO table.

1. (1)

   Commitment \(\hat{c}\) : Receive the commitment \(\hat{c}\) in the first message.

2. (2)

   Commitment X : Send \(\widetilde{X}=g^{\bar{x}}\) to the Verifier \(\widetilde{\mathcal {V}}\).

3. (3)

   Proof S : Upon obtaining m, b from the Verifier, check \(m^e{\mathop {=}\limits ^{?}}\hat{c}\) and compute \(\bar{c}=\mathcal {H}_q(m,b)\). Query \(\mathcal {O}_{\mathcal {H}_G}(\widetilde{X}, \bar{c})\) for r. Set \(\widetilde{S} = \widetilde{X}^{r}{\mathsf {pk}}^{r\bar{c}} = \hat{g}^{\bar{x}+{\mathsf {sk}}\bar{c}}\). Note that: \(\hat{e}(\widetilde{S},g) = \hat{e}(\hat{g},\widetilde{X}{\mathsf {pk}}^{\bar{c}})\). The simulated transcript tuple \(\widetilde{T}=(\hat{c}, \widetilde{X},({m},{b}),\widetilde{S})\) and the potential real protocol execution transcript \({T}=(\hat{c}, X,(m,b),S)\) are of the same distribution.

 

\(\mathtt {Impersonation \ Stage{:}}\) :

The strategy differs between the scenarios:

 

• \(d=0\) We send the challenge ciphertext \(\widetilde{c}\) as Verifier’s commitment. If the Adversary computes the challenge \(c=\mathcal {H}_q(m,b)\) before sending X, we use him to break the security of the underlying encryption scheme. Intercepting query \(\mathcal {O}_{\mathcal {H}_q}(m,b)\), we obtain m breaking the encryption one-wayness, in this case, being the eth root of \(\widetilde{c}\) in \(\mathbb {Z}_N^\times \), as \(m^e = \widetilde{c}\).

• \(d=1\) In ROM, we run \(\pi (\widetilde{\mathcal {P}}^{\mathcal {O}_{\mathcal {H}_G}}({\mathsf {pk}},{\mathsf {pe}},\{v_i\}),\mathcal {V} ({\mathsf {pk}},{\mathsf {se}}))\) playing the role of the honest Verifier. We use the rewinding technique: we fix the random value x used for \(X=g^x\) by \(\widetilde{\mathcal {P}}\), and upon obtaining a correct proof message, we rewind the prover back to the challenge phase, choosing \(b=0\) in the first run and \(b=1\) in the second run. This gives us \(c_1=\mathcal {H}_q(m,0)\) for the first run and \(c_2=\mathcal {H}_q(m,1)\) for the second run. Finally, we get tuples (\(\hat{c}, X, m , 0, c_1, S_1, \hat{g}_1, r_1\)) and (\(\hat{c}, X, m , 1, c_2, S_2, \hat{g}_2, r_2\)). By inspecting RO tables, we obtain \(\hat{g}_1 = \mathcal {O}_{\mathcal {H}_G}(X,c_1)\rightarrow g^{\beta r_1}\), \(\hat{g}_2 = \mathcal {O}_{\mathcal {H}_G}(X,c_2)\rightarrow g^{\beta r_2}\). If we accept the Prover both times, i.e.: \(\hat{e}({S_1},g) = \hat{e}(\hat{g}_1\), \(X{\mathsf {pk}}^{c_1})\) and \(\hat{e}({S_2},g) = \hat{e}(\hat{g}_2\), \(X{\mathsf {pk}}^{c_2})\). Hence we conclude: \(S_1=g^{\beta r_1(x + \alpha c_1)}\) and \(S_2=g^{\beta r_2(x + \alpha c_2)}\). Thus \(S_1^{1/{r_1}}/{S_2}^{1/{r_2}} = g^{\beta (\alpha c_1 - \alpha c_2)}\) and \(g^{\alpha \beta } = (S_1^{1/{r_1}}/{S_2}^{1/{r_2}})^{1/{(c_1-c_2)}}\).

Now, let p denote the non-negligible probability of \(\mathcal {A}\) breaking our scheme. Let \(p_0\) be the probability that it knows \(c=\mathcal {H}_q(m,b)\) before sending X. Let \(p_1=1-p_0\) be the probability that it doesn’t know \(c=\mathcal {H}_q(m,b)\) before sending X. Thus, we break RSA with probability \(\frac{1}{2} p p_0\), or alternatively, we break \(\mathsf {CDH}\) with probability \(\frac{1}{2} p (1-p_0)\). Hence, we break one of the problems with non negligible probability, which contradicts our assumptions for any probability value \(p_0\in [0,1]\).    \(\square \)