Deniable Ring Authentication

  • Moni Naor
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2442)


Digital Signatures enable authenticating messages in a way that disallows repudiation. While non-repudiation is essential in some applications, it might be undesirable in others. Two related notions of authentication are: Deniable Authentication (see Dwork, Naor and Sahai [25]) and Ring Signatures (see Rivest, Shamir and Tauman [38]). In this paper we show how to combine these notions and achieve Deniable Ring Authentication: it is possible to convince a verifier that a member of an ad hoc subset of participants (a ring) is authenticating a message m without revealing which one (source hiding), and the verifier V cannot convince a third party that message m was indeed authenticated - there is no ‘paper trail’ of the conversation, other than what could be produced by V alone, as in zero-knowledge.

We provide an efficient protocol for deniable ring authentication based on any strong encryption scheme. That is once an entity has published a public-key of such an encryption system, it can be drafted to any such ring. There is no need for any other cryptographic primitive. The scheme can be extended to yield threshold authentication (e.g. at least k members of the ring are approving the message) as well.


Encryption Scheme Access Structure Random Oracle Secret Sharing Scheme Commitment Scheme 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    M. Bellare, A. Desai, D. Pointcheval and P. Rogaway. Relations among notions of security for public-key encryption schemes, Advances in Cryptology-saCRYPTO’98, LNCS 1462, Springer, pp. 26–45.CrossRefGoogle Scholar
  2. 2.
    M. Bellare and P. Rogaway, Optimal Asymmetric Encryption, Advances in Cryptology-Eurocrypt’ 94, LNCS 950, Springer, 1995, pp. 92–111.CrossRefGoogle Scholar
  3. 3.
    Dan Boneh, Simplified OAEP for the RSA and Rabin Functions, Advances in Cryptology-CRYPTO 2001, LNCS2139, Springer 2001, pp. 275–291.CrossRefGoogle Scholar
  4. 4.
    D. Boneh and M. Franklin, Anonymous Authentication with Subset Queries, ACM Conference on Computer and Communications Security 1999, pp. 113-119.Google Scholar
  5. 5.
    D. Boneh and M. Franklin, Identity-Based Encryption from the Weil Pairing, Advances in Cryptology-CRYPTO 2001, LNCS 2139, Springer, 2001, pp. 213–229.CrossRefGoogle Scholar
  6. 6.
    J. Boyar, D. Chaum, I. Damg°ard and T. P. Pedersen: Convertible Undeniable Signatures, Advances in Cryptology-CRYPTO’90, Springer, 1991, pp. 189–205.Google Scholar
  7. 7.
    E. Bresson, J. Stern and M. Szydlo, Threshold Ring Signatures for Ad-hoc Groups, Advances in Cryptology-CRYPTO/r'2002, (these proceedings).Google Scholar
  8. 8.
    J. Camenisch, Efficient and Generalized Group Signatures, Advances in Cryptology-EUROCRYPT’97, LNCS 1233, Springer, 1997, pp. 465–479.Google Scholar
  9. 9.
    J. Camenisch and I. Damg°ard, Verifiable Encryption, Group Encryption, and Their Applications to Group Signatures and Signature Sharing Schemes, Advances in Cryptology-Asiacrypt 2000, LNCS 1976, Springer, 2000, pp. 331–345.CrossRefGoogle Scholar
  10. 10.
    J. Camenisch and A. Lysyanskaya, An Identity Escrow Scheme with Appointed Verifiers, Advances in Cryptology-Crypto 2001, LNCS 2139, Springer, 2001, pp. 388–407.CrossRefGoogle Scholar
  11. 11.
    J. Camenisch, M. Michels, Separability and Efficiency for Generic Group Signature Schemes, Advances in Cryptology-CRYPTO’99, LNCS 1666, Springer, 1999, pp. 106–121.Google Scholar
  12. 12.
    J. Camenisch and M. Stadler, Efficient Group Signature Schemes for Large Groups, Advances in Cryptology-CRYPTO’97, LNCS 1294, Springer, 1997, pp. 410–424.CrossRefGoogle Scholar
  13. 13.
    R. Canetti, C. Dwork, M. Naor and R. Ostrovsky, Deniable Encryption, Advances in Cryptology-CRYPTO’97, LNCS 1294, Springer, 1997, pp. 90–104.CrossRefGoogle Scholar
  14. 14.
    D. Chaum, Untraceable electronic mail, return addresses, and digital pseudonyms, Comm. of ACM, vol. 24(2), 1981, pp. 84–88.CrossRefGoogle Scholar
  15. 15.
    D. Chaum and H. van Antwerpen, Undeniable Signatures, Advances in Cryptology-CRYPTO’89, LNCS 435, Springer, 1990, pp. 212–216.Google Scholar
  16. 16.
    D. Chaum and E. van Heyst, Group Signatures, Advances in Cryptology-EUROCRYPT’91, LNCS 541, Springer, 1991, pp. 257–265.Google Scholar
  17. 17.
    D. Chaum and E. van Heyst and B. Pfitzmann, Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer, Advances in Cryptology-CRYPTO’91, LNCS 576, Springer, 1992, pp. 470–484.Google Scholar
  18. 18.
    C. Cocks. An identity based encryption scheme based on quadratic residues, Cryptography and Coding, LNCS 2260, Springer, 2001, pp. 360–363.CrossRefGoogle Scholar
  19. 19.
    R. Cramer, I. Damg°ard, B. Schoenmakers, Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols, Advances in Cryptology-CRYPTO’94, LNCS, Springer, 1994, pp. 174–187.Google Scholar
  20. 20.
    R. Cramer and V. Shoup, A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack, Advances in Cryptology-CRYPTO’98, LNCS 1462, Springer, 1998, pp. 13–25.CrossRefGoogle Scholar
  21. 21.
    A. De Santis, G. Di Crescenzo, G. Persiano, M. Yung, On Monotone Formula Closure of SZK, Proc. 35th IEEE FOCS, 1994, pp. 454–465.Google Scholar
  22. 22.
    W. Diffie, and M.E. Hellman. New Directions in Cryptography. IEEE Trans. on Info. Theory, IT-22 (Nov. 1976), pages 644–654.Google Scholar
  23. 23.
    D. Dolev, C. Dwork and M. Naor, Non-malleable Cryptography, Siam J. on Computing, vol 30, 2000, pp. 391–437.zbMATHCrossRefMathSciNetGoogle Scholar
  24. 24.
    C. Dwork and M. Naor, Zaps and Their Applications, Proc. 41st IEEE Symposium on Foundations of Computer Science, pp. 283–293. Full version: ECCC, Report TR02-001,
  25. 25.
    C. Dwork, M. Naor and A. Sahai, Concurrent Zero-Knowledge, Proc. 30th ACM Symposium on the Theory of Computing, Dallas, 1998, pp. 409–418.Google Scholar
  26. 26.
    A. Fiat and A. Shamir, How to Prove Yourself: Practical Solutions to Identification and Signature Problems, Advances in Cryptology-CRYPTO’86, LNCS 263, Springer, 1987, pp. 186–194.Google Scholar
  27. 27.
    E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern, RSA-OAEP Is Secure under the RSA Assumption, Advances in Cryptology-CRYPTO 2001, pp. 260–274.Google Scholar
  28. 28.
    R. Gennaro, H. Krawczyk and T. Rabin, RSA-Based Undeniable Signatures, Advances in Cryptology-CRYPTO’97, LNCS 1294, Springer, 1997, pp. 132–149.CrossRefGoogle Scholar
  29. 29.
    O. Goldreich and Y. Oren, Definitions and properties of Zero-Knowledge proof systems, J. of Cryptology, Vol 7, 1994, pp.1–32.zbMATHMathSciNetCrossRefGoogle Scholar
  30. 30.
    S. Goldwasser, S. Micali and R. Rivest, A secure digital signature scheme, SIAM J. on Computing 17, 1988, pp. 281–308.zbMATHCrossRefMathSciNetGoogle Scholar
  31. 31.
    M. Jakobsson, K. Sako and R. Impagliazzo, Designated Verifier Proofs and Their Applications, Advances in Cryptology-EUROCRYPT’ 96, pp. 143–154.Google Scholar
  32. 32.
    J. Katz, Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications Cryptology, ePrint Archive, Report 2002//027,
  33. 33.
    J. Kilian, A Note on Efficient Zero-Knowledge Proofs and Arguments, Proc. 24th ACM Symposium on the Theory of Computing, 1992, pp. 723–732.Google Scholar
  34. 34.
    J. Kilian and E. Petrank, Identity Escrow, Advances in Cryptology-CRYPTO’ 98 LNCS 1462, 1998, pp. 169–185.CrossRefGoogle Scholar
  35. 35.
    H. Krawczyk and T. Rabin, Chameleon Hashing Signatures, Proceedings of Network and Distributed Systems Security Symposium (NDSS) 2000, Internet Society, pp. 143–154.Google Scholar
  36. 36.
    M. Naor. Bit Commitment Using Pseudo-Randomness, Journal of Cryptology, vol. 4, 1991, pp. 151–158.zbMATHCrossRefMathSciNetGoogle Scholar
  37. 37.
    D. Naor, M. Naor and J. B. Lotspiech, Revocation and Tracing Schemes for Stateless Receivers, Advances in Cryptology-CRYPTO 2001, pp. 41–62. LNCS 2139, Springer, 2001, pp. 205-219. Full version: Cryptology ePrint Archive, Report 2001/059, CrossRefGoogle Scholar
  38. 38.
    R. L. Rivest, A. Shamir, and Y. Tauman, How to Leak A Secret, Advances in Cryptology-ASIACRYPT 2001, Lecture Notes in Computer Science, Vol. 2248, Springer, pp. 552–565.CrossRefGoogle Scholar
  39. 39.
    A. Sahai, Non-Malleable Non-Interactive Zero Knowledge and Achieving Chosen-Ciphertext Security, Proc. 40th IEEE Symposium on Foundations of Computer Science, 1999, pp. 543–553.Google Scholar
  40. 40.
    A. Shamir, How to Share a Secret, Communications of the ACM 22, 1979, pp. 612–613.Google Scholar
  41. 41.
    A. Shamir, Identity-Based Cryptosystems and Signature Schemes, Advances in Cryptology-CRYPTO’84, LNCS 196, Springer, 1985, pp. 47–53.Google Scholar
  42. 42.
    V. Shoup, OAEP Reconsidered, Advances in Cryptology-CRYPTO 2001, LNCS, Springer, 2001, pp. 239–259.CrossRefGoogle Scholar
  43. 43.
    Bibliography on Secret Sharing Schemes, maintained by D. Stinson and R. Wei.

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Moni Naor
    • 1
  1. 1.Dept. of Computer Science and Applied Math Weizmann Institute of ScienceIsrael

Personalised recommendations