Deniable Authentication Scheme

1. Deniable Authentication Scheme

2. Deniable authentication protocol based on Deffie-Hellman algorithmIEE ELECTRONICS LETTERS, 38(14), PP. 705-706, 2002 • Efficient deniable authentication protocol based on generalized ElGamal siganture • schemeCOMPUTER STANDARDS & INTERFACES, 26, PP. 449-454, 2004 • An efficient id-based deniable authentication protocol from pairings19th International Conference on Advanced Information Networking and Application, 2005

3. Deniable authentication protocol based on Deffie-Hellman algorithm Receiver 4. X’ Sender 7. Y 12. M, H(k’, M) 5. y: random number 6. Y=gy mod p 8. X=Dpub(X’) 9. k=Xy mod p 13. H(k, M) 14. H(k’, M) =? H(k, M) 1. x: random number 2. X=gx mod p3. X’=Eprv(X) 10. k’=Yx mod p 11. H(k’, M)

4. Efficient deniable authentication protocol based on generalized ElGamal siganture scheme Receiver Sender X:secret key Y: public key, gX mop p 6. r, s, MAC, M 1. t: random number 2. k=Yrt mod p3. r=H(k) 4. MAC=H(k||M) 5. s=t-Xsr mod q 7. k’=(gsYsr)Xr mod p 6. r=?H(k’) 8. MAC=?H(k’||M)

5. An efficient id-based deniable authentication protocol from pairings KGC (Key Generation Center): • H, H1: hash function • e: G1*G1->G2 • P: random number • s: secret key • Ppub=sP • Public parameter: G1, G2, e, P, Ppub, H1, H2, H3, E • Generate a pair of user’s ID keys (QID, SID) QID=H1(ID) SID=sQID 8. Issues SID to user via a secure channel

6. An efficient id-based deniable authentication protocol from pairings Receiver Sender 5. IDA, T, MAC, C T: timestamp 1. Y=e(TPpub+SIDA, TP+QIDB) 2. K=H2(Y, IDA)3. MAC=H3(K, M) 4. C=E(K, M) 6. Check T 7. Y*=e(TP+QIDA, TPpub+SIDB) 8. K*=H2(Y*, IDA) 9. Decrypt M from C 10. MAC*=H3(K*, M) 11. MAC*=?MAC Y*=e(TP+QIDA, TPpub+SIDB) =e(TP+QIDA, s(TP+QIDB)) =e(s(TP+QIDA), TP+QIDB) =e(TPpub+SIDA, TP+QIDB) =Y