Revisiting Deniability in Quantum Key Exchange via Covert Communication and Entanglement Distillation

We revisit the notion of deniability in quantum key exchange (QKE), a topic that remains largely unexplored. In the only work on this subject by Donald Beaver, it is argued that QKE is not necessarily deniable due to an eavesdropping attack that limits key equivocation. We provide more insight into the nature of this attack and how it extends to other constructions such as QKE obtained from uncloneable encryption. We then adopt the framework for quantum authenticated key exchange, developed by Mosca et al., and extend it to introduce the notion of coercer-deniable QKE, formalized in terms of the indistinguishability of real and fake coercer views. Next, we apply results from a recent work by Arrazola and Scarani on covert quantum communication to establish a connection between covert QKE and deniability. We propose DC-QKE, a simple deniable covert QKE protocol, and prove its deniability via a reduction to the security of covert QKE. Finally, we consider how entanglement distillation can be used to enable information-theoretically deniable protocols for QKE and tasks beyond key exchange.Comment: 16 pages, published in the proceedings of NordSec 201

KeyForge: Mitigating Email Breaches with Forward-Forgeable Signatures

Email breaches are commonplace, and they expose a wealth of personal, business, and political data that may have devastating consequences. The current email system allows any attacker who gains access to your email to prove the authenticity of the stolen messages to third parties -- a property arising from a necessary anti-spam / anti-spoofing protocol called DKIM. This exacerbates the problem of email breaches by greatly increasing the potential for attackers to damage the users' reputation, blackmail them, or sell the stolen information to third parties. In this paper, we introduce "non-attributable email", which guarantees that a wide class of adversaries are unable to convince any third party of the authenticity of stolen emails. We formally define non-attributability, and present two practical system proposals -- KeyForge and TimeForge -- that provably achieve non-attributability while maintaining the important protection against spam and spoofing that is currently provided by DKIM. Moreover, we implement KeyForge and demonstrate that that scheme is practical, achieving competitive verification and signing speed while also requiring 42% less bandwidth per email than RSA2048

Deniable Key Establishment Resistance against eKCI Attacks

In extended Key Compromise Impersonation (eKCI) attack against authenticated key establishment (AKE) protocols the adversary impersonates one party, having the long term key and the ephemeral key of the other peer party. Such an attack can be mounted against variety of AKE protocols, including 3-pass HMQV. An intuitive countermeasure, based on BLS (Boneh–Lynn–Shacham) signatures, for strengthening HMQV was proposed in literature. The original HMQV protocol fulfills the deniability property: a party can deny its participation in the protocol execution, as the peer party can create a fake protocol transcript indistinguishable from the real one. Unfortunately, the modified BLS based version of HMQV is not deniable. In this paper we propose a method for converting HMQV (and similar AKE protocols) into a protocol resistant to eKCI attacks but without losing the original deniability property. For that purpose, instead of the undeniable BLS, we use a modification of Schnorr authentication protocol, which is deniable and immune to ephemeral key leakages

Deniable encryption, authentication, and key exchange

We present some foundational ideas related to deniable encryption, message authentication, and key exchange in classical cryptography. We give detailed proofs of results that were previously only sketched in the literature. In some cases, we reach the same conclusions as in previous papers; in other cases, the focus on rigorous proofs leads us to different formulations of the results

Federated Identity Management Systems: A Privacy-based Characterization

Identity management systems store attributes associated with users and facilitate authorization on the basis of these attributes. A privacy-driven characterization of the principal design choices for identity management systems is given, and existing systems are fit into this framework. The taxonomy of design choices also can guide public policy relating to identity management, which is illustrated using the United States NSTIC initiative