Composability and On-Line Deniability of Authentication

  • Yevgeniy Dodis
  • Jonathan Katz
  • Adam Smith
  • Shabsi Walfish
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5444)


Protocols for deniable authentication achieve seemingly paradoxical guarantees: upon completion of the protocol the receiver is convinced that the sender authenticated the message, but neither party can convince anyone else that the other party took part in the protocol. We introduce and study on-line deniability, where deniability should hold even when one of the parties colludes with a third party during execution of the protocol. This turns out to generalize several realistic scenarios that are outside the scope of previous models.

We show that a protocol achieves our definition of on-line deniability if and only if it realizes the message authentication functionality in the generalized universal composability framework; any protocol satisfying our definition thus automatically inherits strong composability guarantees. Unfortunately, we show that our definition is impossible to realize in the PKI model if adaptive corruptions are allowed (even if secure erasure is assumed). On the other hand, we show feasibility with respect to static corruptions (giving the first separation in terms of feasibility between the static and adaptive setting), and show how to realize a relaxation termed deniability with incriminating abort under adaptive corruptions.
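The guarantee the abstract opens with (the receiver is convinced, yet the transcript convinces nobody else) is easiest to see side by side with its opposite. The Go program below is an added illustration and is not code from the paper: it contrasts a transcript authenticated with a signature under the sender's long-term key against one authenticated with an HMAC under a key that sender and receiver both hold, and models the on-line collusion of the abstract by letting the judge choose the nonce the sender must authenticate. The shared symmetric key is an assumption of this example only; the paper works in a PKI model with no such pre-shared secret, and nothing here demonstrates its equivalence with GUC message authentication or its adaptive-corruption impossibility result. All key material and messages are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transcript is everything a receiver could later hand to a third party.
type Transcript struct {
	Nonce []byte // challenge; an on-line colluding judge chooses it
	Msg   []byte
	Auth  []byte // signature or MAC tag over nonce || msg
}

// authInput is the byte string that gets signed or MACed.
func authInput(nonce, msg []byte) []byte {
	in := make([]byte, 0, len(nonce)+len(msg))
	in = append(in, nonce...)
	return append(in, msg...)
}

// ---- Variant 1: signature under the sender's long-term key (PKI, not deniable) ----

// NewSigner generates a long-term Ed25519 key pair for one party.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pk, sk
}

func SigAuthenticate(sk ed25519.PrivateKey, nonce, msg []byte) Transcript {
	return Transcript{Nonce: nonce, Msg: msg, Auth: ed25519.Sign(sk, authInput(nonce, msg))}
}

func SigVerify(pk ed25519.PublicKey, t Transcript) bool {
	return ed25519.Verify(pk, authInput(t.Nonce, t.Msg), t.Auth)
}

// ---- Variant 2: HMAC under a key that sender AND receiver both hold (deniable) ----
// (the shared key is an assumption of this example, not of the paper's PKI model)

func MacAuthenticate(key, nonce, msg []byte) Transcript {
	m := hmac.New(sha256.New, key)
	m.Write(authInput(nonce, msg))
	return Transcript{Nonce: nonce, Msg: msg, Auth: m.Sum(nil)}
}

func MacVerify(key []byte, t Transcript) bool {
	m := hmac.New(sha256.New, key)
	m.Write(authInput(t.Nonce, t.Msg))
	return hmac.Equal(t.Auth, m.Sum(nil))
}

// ---- The deniability question, as a judge would ask it ----
//
// The judge colludes with the receiver on-line: it picks the nonce itself, so
// replaying an old transcript is ruled out. It then asks whether the receiver
// alone could have produced this transcript for a message the sender never sent.

// ReceiverCanForgeSig models a receiver holding only the sender's public key.
// Signing with a key of its own is the best it can do without sk.
// Returns true if the judge would accept the forgery.
func ReceiverCanForgeSig(senderPK ed25519.PublicKey, nonce, msg []byte) bool {
	_, receiverSK := NewSigner()
	return SigVerify(senderPK, SigAuthenticate(receiverSK, nonce, msg))
}

// ReceiverCanForgeMac models a receiver holding the shared key. Returns true if
// its forgery verifies AND is byte-identical to what the sender would have
// produced, so the judge cannot tell the two apart.
func ReceiverCanForgeMac(key, nonce, msg []byte) bool {
	forged := MacAuthenticate(key, nonce, msg)  // computed by the receiver
	genuine := MacAuthenticate(key, nonce, msg) // what the sender would compute
	return MacVerify(key, forged) && bytes.Equal(forged.Auth, genuine.Auth)
}

func main() {
	// Constructed sample material for the demo; not taken from the paper.
	senderPK, senderSK := NewSigner()
	sharedKey := []byte("constructed-demo-shared-key")
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	msg := []byte("pay 100 to carol")

	fmt.Println("signature verifies for receiver:", SigVerify(senderPK, SigAuthenticate(senderSK, nonce, msg)))
	fmt.Println("MAC verifies for receiver:      ", MacVerify(sharedKey, MacAuthenticate(sharedKey, nonce, msg)))

	never := []byte("pay 100 to mallory") // a message the sender never sent
	fmt.Println("receiver can forge signature:", ReceiverCanForgeSig(senderPK, nonce, never))
	fmt.Println("receiver can forge MAC:      ", ReceiverCanForgeMac(sharedKey, nonce, never))
}
```

The signature transcript is transferable: a valid signature on a nonce the judge chose can only have come from the holder of the sender's private key, so the receiver can hand it over as evidence. The MAC transcript is not: the receiver holds the same key and can fabricate a tag for any nonce and any message that is indistinguishable from a genuine one, so the judge learns nothing from it even though the receiver itself, who knows it did not compute the tag, is convinced. The paper's setting is harder than this toy precisely because there is no shared key, only public keys, and the adversary may corrupt parties while the protocol runs; that is where the abstract's impossibility result under adaptive corruptions and the feasibility result under static corruptions come in.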


Keywords (machine-generated, not supplied by the authors): Random Oracle; Impossibility Result; Honest Party; Static Adversary; Forward Security



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Yevgeniy Dodis, Dept. of Computer Science, New York University, USA
  • Jonathan Katz, Dept. of Computer Science, University of Maryland, USA
  • Adam Smith, Dept. of Computer Science and Engineering, Pennsylvania State University, USA
  • Shabsi Walfish, Google, Inc., USA
