Deniable Key Establishment Resistance against eKCI Attacks
In an extended Key Compromise Impersonation (eKCI) attack against authenticated key establishment (AKE) protocols, the adversary impersonates one party, having the long-term key and the ephemeral key of the other peer party. Such an attack can be mounted against a variety of AKE protocols, including 3-pass HMQV. An intuitive countermeasure, based on BLS (Boneh–Lynn–Shacham) signatures, for strengthening HMQV was proposed in the literature. The original HMQV protocol fulfills the deniability property: a party can deny its participation in the protocol execution, as the peer party can create a fake protocol transcript indistinguishable from the real one. Unfortunately, the modified BLS-based version of HMQV is not deniable. In this paper we propose a method for converting HMQV (and similar AKE protocols) into a protocol resistant to eKCI attacks but without losing the original deniability property. For that purpose, instead of the undeniable BLS, we use a modification of the Schnorr authentication protocol, which is deniable and immune to ephemeral key leakages.
Anonymous Deniable Identification in Ephemeral Setup & Leakage Scenarios
In this paper we consider anonymous identification, where the verifier can check that the user belongs to a given group of users (just like in the case of ring signatures), however a transcript of a session executed between a user and a verifier is deniable. That is, neither the verifier nor the prover can convince a third party that a given user has been involved in a session, but also he cannot prove that any user has been interacting with the verifier. Thereby one can achieve high standards for protecting personal data according to the General Data Protection Regulation – the fact that an interaction took place might be sensitive data from an information security perspective.
We show a simple realization of this idea based on the Schnorr identification scheme arranged like for ring signatures. We show that with minor modifications one can create a version immune to leakage of ephemeral keys.
We extend the above scenario to the case of k out of n, where the prover must use at least k private keys corresponding to the set of n public keys. With the most probable setting of k = 2 or 3, we are talking about the practical case of multifactor authentication that might be necessary for applications with a higher security level.