Efficient deniable authentication protocol based on generalized ElGamal signature scheme From ELSEVIER Computer Standards & Interface Author: Zuhua Shao.

Slides:

Advertisements

Similar presentations

The Diffie-Hellman Algorithm

Advertisements

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Cryptography and Network Security

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

1 Security analysis of an enhanced authentication key exchange protocol Authors ： H.Y. Liu, G.B. Horng, F.Y. Hung Presented by F.Y. Hung Date ： 2005/5/20.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution of public keys –use of public-key.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Efficient fault-tolerant scheme based on the RSA system Author: N.-Y. Lee and W.-L. Tsai IEE Proceedings Presented by 詹益誌 2004/03/02.

Analysis of Key Agreement Protocols Brita Vesterås Supervisor: Chik How Tan.

1 An ID-based multisignature scheme without reblocking and predetermined signing order Chin-Chen Chang, Iuon-Chang Lin, and Kwok-Yan Lam Computer Standards.

A more efficient and secure dynamic ID- based remote user authentication scheme Yan-yan Wang, Jia-yong Liu, Feng-xia Xiao, Jing Dan in Computer Communications.

1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人：陳昱升.

Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 13

Computer Science Public Key Management Lecture 5.

13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.

8. Data Integrity Techniques

Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall

Lecture 8 Digital Signatures. This lecture considers techniques designed to provide the digital counterpart to a handwritten signature. A digital signature.

Chapter 5 Digital Signatures MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.

Bob can sign a message using a digital signature generation algorithm

1 Lect. 15 : Digital Signatures RSA, ElGamal, DSA, KCDSA, Schnorr.

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester ITGD 2202 University of Palestine.

Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Key Management and Diffie- Hellman Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 12/3/2009 INCS 741: Cryptography 12/3/20091Dr. Monther.

Basel Alomair, Krishna Sampigethaya, and Radha Poovendran University of Washington TexPoint fonts used in EMF.

Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

Cryptography and Network Security (CS435) Part Eight (Key Management)

Cryptography and Network Security Chapter 13 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Chapter 16 Security Introduction to CS 1 st Semester, 2012 Sanghyun Park.

Public Key Encryption with keyword Search Author: Dan Boneh Rafail Ostroversity Giovanni Di Crescenzo Giuseppe Persiano Presenter: 陳昱圻.

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings.

Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.

1 一個新的代理簽章法 A New Proxy Signature Scheme 作者 : 洪國寶, 許琪慧, 郭淑娟與邱文怡報告者 : 郭淑娟.

Digital Signatures, Message Digest and Authentication Week-9.

1 Normal executable Infected executable Sequence of program instructions Entry Original program Entry Jump Replication and payload Viruses.

ECE509 Cyber Security : Concept, Theory, and Practice Key Management Spring 2014.

Secure Communication between Set-top Box and Smart Card in DTV Broadcasting Authors: T. Jiang, Y. Hou and S. Zheng Source: IEEE Transactions on Consumer.

1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,

Prepared by Dr. Lamiaa Elshenawy

A new provably secure certificateless short signature scheme Authors: K.Y. Choi, J.H. Park, D.H. Lee Source: Comput. Math. Appl. (IF:1.472) Vol. 61, 2011,

MSN lab1 A novel deniable authentication protocol using generalized ElGamal signature scheme Source: Information Sciences, vol. 177, pp , 2007.

Key Management Network Systems Security Mort Anvari.

Digital Signature Standard (DSS) US Govt approved signature scheme designed by NIST & NSA in early 90's published as FIPS-186 in 1991 revised in 1993,

Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

1 An Ordered Multi-Proxy Multi-Signature Scheme Authors: Min-Shiang Hwang, Shiang-Feng Tzeng, Shu-Fen Chiou Speaker: Shu-Fen Chiou.

Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

Cryptography and Network Security Chapter 10 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Fall 2006CS 395: Computer Security1 Key Management.

1 Chapter 3-3 Key Distribution. 2 Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution.

Cryptography and Network Security Chapter 13

Fourth Edition by William Stallings Lecture slides by Lawrie Brown

CS480 Cryptography and Information Security

Identity-based deniable authentication protocol

Presentation transcript:

Efficient deniable authentication protocol based on generalized ElGamal signature scheme From ELSEVIER Computer Standards & Interface Author: Zuhua Shao Presented by Yi-Jhih Jan 11/02/2004

Outlines Introductions The Fan et al’s protocol The proposed protocol Security analysis Conclusins

Introductions Deniable authentication protocol 1. It enables an intended receiver to identify the source of a given message.( 傳統 ) 2. The intended receiver cannot prove the source of a given message to any third party. ( 因 receiver 只要知道 protocol, 即可偽造此簽章, 所以 sender 可以否認 ) Application 1. It can provide Freedom from coercion in electronic voting systems 2. Secure negotiations over the Internet

YX’ D,M The Fan et al ’ s protocol Sender Receiver

The Fan et al ’ s protocol Weaknesses 1. INQ can impersonate the receiver and sends Y=g y mod p to the sender. 2.INQ can identify the source of X’. If INQ is sure that the M and X’ come from the same source, he can also identify the source of the message.

The proposed protocol Parameters: p: a large prime (bit size ) q: a prime divisor of p-1 (160 bit size) g: a generator of order q H(.): a collision-free hash function X: private key Y: public key CA: a certification authority

The proposed protocol Sender(X s,Y s ) Receiver(X R,Y R )

Security analysis 1.Completeness

Security analysis 2. It can withstand forgery attacks. a) we first design a generalized ElGamal signature scheme (Harn proposed)

Security analysis If an adversary has an algorithm A(M,Y R ) and returns (r,s,MAC), he would forge the signature of the generalized ElGamal signature scheme for the message m’. M YRYR Algorithm (r,s,MAC)

H(w) =v Security analysis b) Define a function if X R is public, the h(.) is secure as long as H(.) is a secure hash function u v w h(u)=v

Security analysis 3. The proposed protocol is deniable. - If the receiver reveals the session key k, he can convince the third party the signature (r,s) of the sender - Then the third party can verfy MAC=H(k||M) by himself. - But, the third party can compute the Diffie-Hellman key of the sender and the receiver. - So the receiver would not reveal his secret informatino.

Security analysis - even though the receiver reveals k under coercion, the third party would also be skeptical. - because that the receiver can constuct other authenticator MAC’=H(k||M’) - that is, the receiver can simulate the authenticated message of the sender. - hence the protocol is deniable.

Security analysis 4. It can withstand impersonate attacks adversary: - assume that the adversary can obtain M and its authority (r,s,MAC). - if he can verify the message authenticator, he must find k’ such that - the adversary could compute - it’s impossible to do it under the Diffie-Hellman assumption.

Conclusions If an adversary could forge signature of this protocol, he would forge signatures of the generalized ElGamal signature scheme. Anyone can not impersonate the intended receiver.