An Efficient Fully Deniable Key Exchange Protocol
Shaoquan Jiang and Reihaneh Safavi-Naini
Department of Computer Science, University of Calgary, Calgary, T2N 1N4

Abstract. A deniable key exchange allows two parties to jointly share a secret key while neither of the two nor an outsider can prove to a third party that the communication between the two happened. This is an important mechanism for realizing a deniably secure channel. In this paper, we propose an efficient key exchange protocol and prove its deniable security. We compare our construction with the best known protocol with proven deniable security and show the advantages of the new construction.

1 Introduction

Two basic security properties for communication over the Internet are confidentiality and authenticity of communication. A subtler property is deniability, which allows communicants to deny their participation in the communication. Deniability provides privacy for communicants and allows them to freely discuss details that would otherwise be considered binding because of the communication traces. This is essential in many financial negotiations over the Internet, where parties need to remain uncommitted until they decide to commit and then employ a suitable security functionality to achieve that. Deniability is also desirable for protocols that secure the IP layer of the Internet protocol stack [14]. If the two communicants use a shared key to protect their communication, then both of them remain deniable because the conversation transcript can be generated by each of them individually. To obtain a shared key, the communicants usually need to run an authenticated key exchange (agreement) protocol. However, a poor design of such a protocol may leave a trace to an attacker. Avoiding a trace is not an easy task: in such a protocol each party must be able to authenticate himself to his peer while he should not leave any traceable evidence. To ensure this deniability, it is desirable that the transcript of the protocol be simulatable by the attacker himself, who might be one of the participants (in the case of an insider attack) or an outsider (in the case of an outsider attack). This means that whatever is seen by the attacker through interaction with honest parties can be simulated by himself without that interaction, and so innocent parties can always deny involvement in the communication.

1.1 Our work

In this work, we first formalize an adversarial model for a deniably secure key exchange protocol by adding deniability [11] to the Bellare-Rogaway model [1] of secure key exchange. We model deniability by requiring that the adversary's view be simulatable using the adversary's knowledge only. We then construct an efficient three-round key exchange protocol using a trapdoor one-way permutation and a hash function, and prove its deniable security in a variant of the random-oracle (RO) model. This variant of the RO model was first adopted by [21] for deniable zero knowledge. If the trapdoor one-way permutation is implemented by the RSA function, our protocol only requires each party to compute two modular exponentiations and four hash evaluations. It is more efficient than previous deniably secure key exchange protocols such as SKEME [7].

1.2 Related Work

Deniable authentication was first introduced by Dolev, Dwork and Naor [10] and formally investigated by Dwork et al. [11], while the deniability concept was studied earlier by Desmedt [9]. Dwork et al. defined deniable authentication by requiring that the messages be authenticated and that the adversary's view be simulatable using the adversary's knowledge only. The latter in particular requires that the secret inputs of uncorrupted users not be provided to the adversary. A natural tool to achieve this property is zero knowledge proofs [13]. This line of research was followed by a number of authors [12, 11, 16, 20]. [12, 11] considered how to obtain concurrent zero knowledge proofs and their application to deniable authentication. Katz [16] considered efficient deniable authentication from plaintext awareness. Naor [20] considered deniable ring authentication. All these constructions can only achieve deniability in the concurrent model with timing, which is insufficient for a fully concurrent environment such as the Internet. Di Raimondo et al. [7] considered deniability of key exchange protocols (in the fully concurrent environment) and gave a definition for deniable key exchange protocols that follows their earlier work [4], where the deniability follows [11]. They showed that under an assumption known as the knowledge of exponent assumption [3, 6], SKEME [17] is deniably secure. SKEME employs a public key cryptosystem that is CCA2 secure and has the plaintext-awareness property. Plaintext awareness requires that anyone who generates a ciphertext must know the plaintext. Currently, the most efficient such scheme is the Cramer-Shoup cryptosystem [5, 6]. If it employs this system, SKEME requires each party to compute 10 modular exponentiations and thus is not very efficient.
Di Raimondo et al. also introduced a weaker notion of partial deniability with respect to one of the participants, which requires the interaction between A and B to be indistinguishable from that between A and B′. They showed that the signature based key exchange protocol SIGMA [18] has this property. In this work, we are only interested in full deniability, which requires simulatability [11]. SIGMA uses signatures and thus is not deniable in our sense (since a simulator cannot forge a signature). Some informal discussions of deniability related to the partial deniability of Di Raimondo et al. appeared earlier in [19]. Another related work is due to Jiang [15], who considered the problem of deniable authentication in the fully concurrent environment (i.e. without a timing assumption). All previous works [11, 12, 16, 20] considered concurrency with an extra assumption on timing. He also formalized the notion of deniable security in the real-ideal model and showed a deniable authenticator theorem, which essentially states that if a protocol is deniably secure in the authenticated-link model, then it can be transformed into one that is deniably secure in the unauthenticated-link model (e.g. the Internet) using a deniable authenticator. He further applied this result to obtain a deniably secure key exchange protocol. However, this protocol has 9 rounds and each party in the protocol has a computation cost of 5 modular exponentiations. In this paper, we are interested in designing more efficient key exchange protocols with deniable security. This paper is organized as follows. In Section 2, we introduce the notations and definitions that will be used in this paper. In Section 3, we introduce the security model of key exchange. In Section 4, we propose our new key exchange protocol. In Section 5, we prove the security properties of our protocol. In Section 6, we compare the efficiency of our protocol with the protocols of [7] and [15]. The last section is a conclusion.

2 Preliminaries

In this section, we provide the notations and definitions that will be used throughout the paper. PPT means probabilistic polynomial time, where the polynomial is stated in terms of a security parameter κ. negl : Z → R+ denotes a negligible function: for any positive polynomial p(n), there exists n_0 > 0 such that negl(n) < 1/p(n) for all n > n_0. For a set S, a ← S means uniformly sampling an element a from S. For an algorithm A with input a, o ← A(a) means running A with input a and internal random bits r ← {0,1}* and finally generating an output o. Therefore o is a random variable that depends on the coin flips r. A||B denotes the concatenation of A and B.

2.1 Trapdoor Permutation

Trapdoor permutations originated in the seminal paper of Diffie and Hellman [8]. A trapdoor permutation is a permutation T such that with knowledge of a trapdoor d it is easy to invert T, while without d it is hard to do so. Formally,

Definition 1. Assume Ω ⊂ {0,1}*. Let I : 1^κ → Dom_1 × Dom_2 be a PPT algorithm, where Dom_1 and Dom_2 are two sets of permutations over Ω. That is, Dom_i (i = 1, 2) consists of permutation functions f : Ω → Ω. Dom_1, sampled by I, is said to be a collection of trapdoor permutations over Ω if for (T, D) ← I(1^κ), the following conditions hold.
- Easy with Trapdoor. Pr[D(y) = x : y = T(x), x ← Ω] = 1, where the probability is taken over the coin flips of I and the randomness of x.
- Hard to Invert. For any PPT algorithm A, Pr[A(y) = x : y = T(x), x ← Ω] = negl(κ), where the probability is taken over the coin flips of I and A and the randomness of x.

The RSA function is a trapdoor permutation, with T(x) = x^e (mod N) and D(x) = x^d (mod N).

3 Security Model

In this section, we introduce the security model of key exchange due to Bellare and Rogaway [1] and then add deniability to this model following the approach of [11]. Consider a set of n parties P_1, ..., P_n. A key exchange protocol Ξ is a two-party protocol that might be executed between a pair P_i and P_j, at the end of which P_i and P_j share a secret key (called a session key). Let I be an initialization function for Ξ. Initially, a trusted third party T executes (I_0, I_1, ..., I_n) ← I(r) for r ← {0,1}^κ. It then provides I_i to P_i as his secret, and makes I_0 public and accessible to all parties. In the case of the RSA initialization function, I_0 = {(e_1, N_1), ..., (e_n, N_n)} and I_i = d_i, where (e_i, N_i) is the encryption exponent and RSA modulus for P_i and d_i is the decryption key w.r.t. (e_i, N_i). Each party P_i is modeled as a probabilistic polynomial time algorithm. Besides the public input I_0 and secret input I_i, P_i has a random tape that serves as the random source when executing Ξ. Each P_i can concurrently execute multiple copies of Ξ with possibly distinct P_j. When P_i jointly executes Ξ with P_j, he runs according to the specification of Ξ. The notation used to describe the adversarial model is introduced as follows.

- Π_i^{l_i}. A party P_i is allowed to start many copies of Ξ (with any, possibly different, parties). Each copy is called an instance and is identified by an id number l_i. l_i is chosen by P_i and is unique within this party. We use Π_i^{l_i} to represent the instance l_i within party P_i. The only purpose of l_i is to differentiate instances within P_i; in particular, l_i is not required to be globally unique.
- Flow_i. The ith message of protocol Ξ.
- sid_i^{l_i}. The session identifier of a particular instance Π_i^{l_i}. Although l_i is used to locally identify Π_i^{l_i}, l_i is independent of the protocol execution. In the security evaluation, we need a session identifier to label an instance such that two instances jointly executing Ξ have an identical session identifier. The specification of sid_i^{l_i} is clear only when the description of Ξ is given.
- pid_i^{l_i}. The party with which Π_i^{l_i} presumably interacts.
- stat_i^{l_i}. The internal state of Π_i^{l_i}. This variable is updated as Π_i^{l_i} executes. The state is defined such that, when Π_i^{l_i} is activated, its response is completely determined by stat_i^{l_i}, the secret input, its unused random tape and the identity P_i.
- sk_i^{l_i}. The session key defined by instance Π_i^{l_i} after the successful execution of Ξ.
- initiator and responder. If an instance Π_i^{l_i} sends out the first message Flow_1, we say P_i acts as an initiator in this instance. Similarly, if Π_i^{l_i} is a receiver of message Flow_1, we say that P_i acts as a responder in this instance.

Partnering. Two instances Π_i^{l_i} and Π_j^{l_j} are said to be partnered if (1) pid_i^{l_i} = P_j and pid_j^{l_j} = P_i; (2) sid_i^{l_i} = sid_j^{l_j}. Intuitively, two instances are partnered if they are jointly executing Ξ.

Adversarial Model. Now we formalize the adversarial behaviors. The adversary is allowed to fully control the external network. He can inject, modify, block and delete messages at will; that is, he launches a man-in-the-middle attack. He can also corrupt some users and obtain their secret keys and the internal states of these users. He is also able to collect some selected session keys. Finally, Ξ is secure if the adversary cannot obtain any information about an established session key unless it is compromised trivially (e.g., through party corruption). To capture these adversarial behaviors, we allow the adversary to access a number of oracles which, upon the attacks mentioned above, respond according to the specification of Ξ. Initially, the trusted third party T initializes the protocol: it takes (I_0, I_1, ..., I_n) ← I(r) for r ← {0,1}*. I_0 is made public to all participants and I_i is the secret key for P_i. The oracles are as follows.
• Send(d, i, l_i, M). When this oracle is called, message M is sent to instance Π_i^{l_i} as Flow_d. By default, when d = 0, this query starts a new instance at P_i as an initiator; when d = 1, this query starts a new instance at P_i as a responder. Upon a Send query, the oracle follows the protocol specification to respond. Finally, an oracle output is generated: either accept, reject, or the outgoing message Flow_{d+1} (if applicable). This oracle call reflects a man-in-the-middle attack.
• Reveal(i, l_i). When this oracle is called, it outputs the session key sk_i^{l_i} of instance Π_i^{l_i} if sk_i^{l_i} is defined; otherwise, it outputs ⊥. This oracle call reflects the session key loss attack.
• Corrupt(i). Upon this query, P_i is corrupted. As a result, the internal states for all instances in P_i as well as his secret key I_i are available to the adversary. In addition, P_i is no longer active and his future actions will be fully taken by the adversary.
• Test(i, l_i). This oracle does not reflect any real concern; it provides a security test. The adversary is allowed to query it once. The queried session must be completed and accepted.

Furthermore, neither this session nor its partnered session (if it exists) may be issued a Reveal query. When this oracle is called, it flips a fair coin b. If b = 1, then sk_i^{l_i} is provided to the adversary; otherwise, a random number rk of the same length is provided. The adversary then tries to output a guess bit b′. He is informed of success if b′ = b, and of failure otherwise. Note that forbidding Reveal queries on the Test session and its partnered session is natural: otherwise, the adversary could always successfully guess b, since two instances that jointly execute Ξ share an identical session key. Having defined the adversary behavior, we now define protocol security. It contains four conditions: correctness, secrecy, authentication and deniability.

Correctness. If two partnered instances Π_i^{l_i} and Π_j^{l_j} successfully complete, then sk_i^{l_i} = sk_j^{l_j}.

Secrecy. Assume A is the adversary. Let the random variable Succ(A) denote the success of A in the Test query. Intuitively, if Ξ is secure, A should not be able to correctly guess b with probability significantly better than 1/2. Formally, we require Pr[Succ(A)] < 1/2 + negl(κ).

Authentication. Essentially, authentication requires that when an instance Π_i^{l_i} successfully completes the execution of Ξ, pid_i^{l_i} indeed attended this execution. Formally, let Π_i^{l_i} be the test session and Non-Auth be the event that either there does not exist a partnered instance for Π_i^{l_i} or its partnered instance is not unique. Then Ξ is said to be authenticated if Pr[Non-Auth(A)] is negligible. Note that in [1], authentication is defined for any Π_i^{l_i} (not just a test session as we define here). These two versions have no essential difference since the security definition requires both secrecy and authentication: if one successfully completed instance does not have a partnered session, then choosing this session as the test session breaks authentication (in our definition). Our choice of this definition is to simplify the proof of authentication.

Deniability. Deniability in [11, 15] essentially states that the adversary's view can be simulated by a simulator using the adversary's knowledge only. In particular, uncorrupted parties' secret inputs should not be available to the adversary. In this way, an adversary can run the simulator's code to simulate his view alone (in particular, without additional interaction with other honest parties) and thus the uncorrupted parties are deniable. In our setting, an adversary's view consists of the public key I_0, his internal coins and the oracles' replies to the adversary's queries (e.g., corruption queries).
The deniability requirement is that the adversary's view when interacting with the oracles implemented according to the real run of protocol Ξ is indistinguishable from his view when interacting with oracles simulated by a polynomial time simulator S that satisfies the following restrictions.
- Initially, T prepares (I_0, I_1, ..., I_n). Then I_0 is provided to S and to an adversary A.
- When A queries the Corrupt(i) oracle, S forwards this query to T, receives the response I_i and passes it to A. S is allowed to issue Corrupt(i) to T if and only if P_i is corrupted by A.
- There is no restriction on the replies of S for the remaining oracles.

Denote the interaction between A and the oracles according to the real run of protocol Ξ by Γ^rea; denote the interaction between A and S by Γ^sim. Use View(A, Γ) to denote the view of A in Γ. Then deniability requires that there exists S such that, for any PPT adversary A and all PPT distinguishers D,

  |Pr[D(View(A, Γ^sim)) = 1] − Pr[D(View(A, Γ^rea)) = 1]| = negl(κ).   (1)

Now we are ready to provide a formal definition of security.

Definition 2. A key exchange protocol Ξ is said to be deniably secure if it has
- Correctness.
- Secrecy. For any PPT adversary A, Pr[Succ(A)] ≤ 1/2 + negl(κ).
- Authentication. For any PPT adversary A, Pr[Non-Auth(A)] = negl(κ).
- Deniability. For any PPT adversary A, there exists a PPT simulator S such that View(A, Γ^rea) and View(A, Γ^sim) are indistinguishable.

3.1 (Public) Random Oracle

A random oracle [2] H : {0,1}* → {0,1}^κ is a random function: (i) it is a function in that the same input gives the same output, and (ii) it is completely random in that for any input x, H(x) is uniformly distributed over {0,1}^κ. An RO can be evaluated as follows. Let L ⊂ {0,1}* × {0,1}^κ, initially L = ∅. Upon an input x ∈ {0,1}*, compute y = H(x) as follows: first check whether there exists y ∈ {0,1}^κ such that (x, y) ∈ L; if not, take y ← {0,1}^κ and add (x, y) to L. In either case, return y as the function value H(x). Our protocol in the next section is proven deniably secure in the public random oracle (pRO) model, where the random oracle is a public random function accessible to the adversary and the simulator by submitting inputs and receiving outputs. The simulator can see the input/output pairs for all random oracle queries. This type of random oracle was introduced in [21] for proving deniable zero knowledge. Recall that deniability means the simulator's code can be run by the adversary himself (thus he can simulate the adversary's view without interaction with the honest parties). In this case, the adversary is the only entity interacting with the public random oracle (the simulator algorithm's queries are forwarded to the public random oracle) and thus he can feed the simulator with oracle inputs/outputs. Thus, a simulation under the public random oracle can indeed be replayed by an adversary. In contrast, in the traditional random oracle model [2], the random oracle evaluation is maintained by the simulator. If the adversary now runs the simulator's code, he is simulating the random oracle (since the simulator is his subroutine). But in the real protocol in the random oracle model, an adversary can only query the random oracle function and get the result. Thus, the simulator's code in the traditional random oracle model cannot be run by an adversary (and so a simulation in this model is not guaranteed to be deniable).

4 Our Protocol

In this section, we introduce our new key exchange protocol. Our construction is proven secure in the public random oracle (pRO) model. Denote our new protocol by pRO-KE; see Figure 1. Let P_1, ..., P_n be n parties. Let T_i be a trapdoor permutation for party P_i and D_i its trapdoor. In the case of RSA initialization, T_i is the encryption exponent and modulus pair (e_i, N_i) and D_i is the decryption exponent and modulus pair (d_i, N_i). The global public information I_0 is defined to be {T_i}_{i=1}^n. D_i is the secret of P_i. Let H : {0,1}* → {0,1}^κ be a hash function. Suppose P_i wishes to establish a session key with P_j. They jointly execute pRO-KE as follows.

1. P_i takes s ← {0,1}^κ, computes and sends P_i, T_j(s), H(s|P_i|P_j) to P_j.
2. Receiving the Flow_1 message (P_i, α, σ), P_j uses his trapdoor D_j to compute s = D_j(α) and verifies whether σ = H(s|P_i|P_j). If the verification fails, he rejects. Otherwise, he takes r ← {0,1}^κ and sends T_i(r), H(s|r|P_i|P_j|0) to P_i.
3. Receiving the Flow_2 message (β, δ_1), P_i uses his trapdoor D_i to compute r = D_i(β) and verifies whether δ_1 = H(s|r|P_i|P_j|0). If the verification fails, he rejects. Otherwise, he defines the session key sk = H(s|r|P_i|P_j|2) and sends H(s|r|P_i|P_j|1) to P_j.
4. Receiving the Flow_3 message δ_2, P_j verifies whether δ_2 = H(s|r|P_i|P_j|1). If not, he rejects. Otherwise, he defines the session key sk = H(s|r|P_i|P_j|2).

Fig. 1. Our Deniable Key Exchange Protocol pRO-KE (the complete details appear in the text). The figure shows the three flows between P_i and P_j:
  P_i: s ← {0,1}^κ
  Flow_1, P_i → P_j: P_i, T_j(s), H(s|P_i|P_j)
  P_j: r ← {0,1}^κ
  Flow_2, P_j → P_i: T_i(r), H(s|r|P_i|P_j|0)
  Flow_3, P_i → P_j: H(s|r|P_i|P_j|1)
  Both parties: sk = H(s|r|P_i|P_j|2)
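The four steps above, run end to end as an added worked example (this is not the authors' code). It instantiates T_i with textbook RSA over constructed toy moduli that are far too small to be secure, draws s and r from Z_N of the peer's modulus in place of {0,1}^κ, and stands in for the random oracle H with SHA-256 over '|'-separated fields; the class names, the run_session helper and the tamper hooks are this example's own. The tamper hooks show the rejection checks of steps 2 and 3 firing when a man-in-the-middle alters α, σ or δ_1.

```python
"""pRO-KE (Section 4) as an added worked example; not the authors' code.

Assumptions not fixed by the paper: T_i is textbook RSA over toy moduli
(constructed, insecure sizes), s and r are sampled from Z_N of the peer's
modulus instead of {0,1}^kappa, and H is SHA-256 over '|'-joined fields.
"""
import hashlib
import secrets


def rsa_keygen(p, q, e):
    """Toy RSA trapdoor permutation: T(x) = x^e mod N, D(y) = y^d mod N."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)


def T(pub, x):
    """Public direction of the permutation (anyone holding I_0 can compute it)."""
    e, n = pub
    return pow(x, e, n)


def D(priv, y):
    """Inverse direction; needs the trapdoor d."""
    d, n = priv
    return pow(y, d, n)


def H(*parts):
    """Stand-in for the random oracle: SHA-256 over the '|'-joined fields."""
    return hashlib.sha256("|".join(str(p) for p in parts).encode()).hexdigest()


# Constructed toy keys. I_0 = {T_i} is public; each D_i stays with its owner.
PUB_I, PRIV_I = rsa_keygen(61, 53, 17)
PUB_J, PRIV_J = rsa_keygen(101, 113, 3)
I0 = {"Pi": PUB_I, "Pj": PUB_J}


class Initiator:
    def __init__(self, me, peer, priv):
        self.me, self.peer, self.priv, self.sk = me, peer, priv, None

    def flow1(self):
        # Step 1: s <- Z_{N_j}; send P_i, T_j(s), H(s|P_i|P_j)
        self.s = secrets.randbelow(I0[self.peer][1])
        return (self.me, T(I0[self.peer], self.s), H(self.s, self.me, self.peer))

    def flow3(self, flow2):
        # Step 3: recover r with D_i, check delta_1, derive sk, send delta_2
        beta, delta1 = flow2
        r = D(self.priv, beta)
        if delta1 != H(self.s, r, self.me, self.peer, 0):
            return None  # reject
        self.sk = H(self.s, r, self.me, self.peer, 2)
        return H(self.s, r, self.me, self.peer, 1)


class Responder:
    def __init__(self, me, priv):
        self.me, self.priv, self.sk = me, priv, None

    def flow2(self, flow1):
        # Step 2: recover s with D_j, check sigma, pick r, send T_i(r), delta_1
        pi, alpha, sigma = flow1
        s = D(self.priv, alpha)
        if sigma != H(s, pi, self.me):
            return None  # reject
        self.peer, self.s = pi, s
        self.r = secrets.randbelow(I0[pi][1])
        return (T(I0[pi], self.r), H(s, self.r, pi, self.me, 0))

    def finish(self, flow3):
        # Step 4: check delta_2 and derive sk
        if flow3 != H(self.s, self.r, self.peer, self.me, 1):
            return False
        self.sk = H(self.s, self.r, self.peer, self.me, 2)
        return True


def run_session(tamper1=None, tamper2=None):
    """Run one session over an in-memory 'network'. The optional hooks let a
    man-in-the-middle rewrite Flow1 or Flow2 in transit. Returns (sk_i, sk_j);
    a party that rejected has sk None."""
    a, b = Initiator("Pi", "Pj", PRIV_I), Responder("Pj", PRIV_J)
    f1 = a.flow1()
    if tamper1:
        f1 = tamper1(f1)
    f2 = b.flow2(f1)
    if f2 is None:
        return None, None
    if tamper2:
        f2 = tamper2(f2)
    f3 = a.flow3(f2)
    if f3 is not None:
        b.finish(f3)
    return a.sk, b.sk


if __name__ == "__main__":
    print(run_session())
```

Because the checks in steps 2 and 3 bind s and r to both identities and to the flow number, any change to α, σ or δ_1 in transit makes the receiving party reject before any key is defined, which is what the tamper hooks exercise.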

5 Security Analysis

In this section, we prove the security of pRO-KE. We define sid_i^{l_i} and sid_j^{l_j} as s|r|P_i|P_j. The correctness property holds trivially since partnered instances Π_i^{l_i} and Π_j^{l_j} have the same view of s|r|P_i|P_j. We thus focus on deniability, secrecy and authentication.

5.1 Deniability

Before proceeding to the formal proof, we outline the main idea. In order for pRO-KE to be deniable, we need to construct a simulator S that answers Send, Reveal, Test and Corrupt queries such that the adversary's view in the simulated game is indistinguishable from that in the real execution, while S does not use any of the uncorrupted secret keys. The only difficult part is to answer Send(t, ∗) queries for t = 1, 2, 3. Our idea is the following. Consider a Send(1, j, l_j, Flow_1) query first. Let Flow_1 = <P_i, T_j(s), σ>. If (s|P_i|P_j) has been queried to the H-oracle, then Flow_1 is consistent only if σ = H(s|P_i|P_j), which can be verified by the simulator since he sees the input/output of all H-queries. If (s|P_i|P_j) was not queried to the H-oracle, then Flow_1 is inconsistent with probability 1 − negl(κ), since H(s|P_i|P_j) is random and unlikely to equal σ. Ignoring this unlikely event, S can answer Send(1, j, l_j, Flow_1) without D_j. Send(2, ∗) can be answered similarly. Send(3, j, l_j, ∗) can occur only if Send(1, j, l_j, ∗) was verified to be consistent, in which case (s, r) is already known to S. Thus, the response can be processed without D_j too. The detailed analysis follows.

Theorem 1. Let H be a public random oracle. Then pRO-KE is deniable.

Proof. For any adversary A, we need to construct a simulator S such that View(A, Γ^rea) and View(A, Γ^sim) are indistinguishable, where View(A, Γ) in a game Γ consists of the random tape of A, I_0 and the oracle replies to the queries issued by A. Let (T_i, D_i) be the permutation/trapdoor pair for P_i, generated by T. T provides {T_i}_{i=1}^n to A and S. Before proceeding, assume the random oracle H is maintained by a third party through a list L as follows. L is initially empty. Upon a query

x, first check if there is a record (x, y) ∈ L. If not, take y ← {0,1}^κ and add (x, y) to L. In either case, reply y as the oracle output for x. By the assumption of the public random oracle, S can see every input/output of an H-query (no matter whether it is issued by A or S). Now we present the code of S. For simplicity, we use P_i to denote the initiator and P_j the responder.

Send oracle. There are a few cases.
- Send(0, i, l_i, M). In this case, since no secret key D_i is required, the simulation is normal and perfect. Define stat_i^{l_i} = s, where s is taken in this oracle simulation (i.e., when preparing Flow_1).
- Send(1, j, l_j, M). In this case, parse M = (P_i, α, σ). Check whether there exists a record (s|P_i|P_j, σ) ∈ L for some s ∈ {0,1}* such that T_j(s) = α. If not, reject; otherwise, take r ← {0,1}^κ and normally prepare Flow_2. Update stat_j^{l_j} = (s, r). The adversary's view in this query differs from the real execution only if there is no record of the form (s|P_i|P_j, σ) ∈ L (s.t. T_j(s) = α) but H(D_j(α)|P_i|P_j) = σ. In this case, the simulation above rejects while the real execution accepts and prepares Flow_2. Denote this event by Bad1. Fortunately, in this case, since (D_j(α)|P_i|P_j) has not been queried to the H-oracle, H(D_j(α)|P_i|P_j) is independent of σ. So Bad1 occurs for this particular instance Π_j^{l_j} with probability ≤ 1/2^κ. Assume the number of Send(1, ∗) queries is bounded by Q'_s. Then Pr[Bad1] ≤ Q'_s/2^κ.
- Send(2, i, l_i, M). In this case, parse M = (β, δ_1). S first checks whether there exists (s|r|P_i|P_j|0, δ_1) ∈ L for some r ∈ {0,1}* such that T_i(r) = β, where s is from stat_i^{l_i}. If not, reject. Otherwise, compute Flow_3 and sk_i^{l_i} normally (i.e., by querying the H-oracle) and update stat_i^{l_i} = (s, r). This simulation differs from a normal simulation only if no record of the form (s|r|P_i|P_j|0, δ_1) is in L (s.t. T_i(r) = β) but H(s|D_i(β)|P_i|P_j|0) = δ_1. Denote this event by Bad2. Let Q''_s be the upper bound on the number of Send(2, ∗) queries. Similar to Bad1, we fortunately have Pr[Bad2] ≤ Q''_s/2^κ.
- Send(3, j, l_j, δ_2). This query occurs only if the Send(1, j, l_j, M) oracle generated Flow_2. Thus stat_j^{l_j} = (s, r) is defined. Use stat_j^{l_j} = (s, r) to verify δ_2 and compute sk_j^{l_j} normally (by querying the H-oracle). It is immediate that this simulation is perfect.

Corrupt(i) oracle. Upon this oracle call, forward it to T. In turn, D_i is provided. S then collects all the internal states in P_i and provides the internal states as well as D_i to A. The view of A in this query is perfectly according to the real execution.

Reveal(t, l_t) oracle. This oracle call occurs only if Π_t^{l_t} has successfully completed (i.e., Send(v, t, l_t, ∗), v = 2 or 3, was processed successfully). In both cases, sk_t^{l_t} is known to S. Thus, the response is perfectly according to the real execution.

Test(i, l_i) oracle. Similar to the Reveal query, this query can be answered according to the real execution.

Based on the simulation of S and the analysis, the adversary's view in the simulation is perfectly distributed as in the real world unless Bad1 ∨ Bad2 occurs. Since Pr[Bad1 ∨ Bad2] ≤ (Q'_s + Q''_s)/2^κ (negligible), the theorem is proved. □

Remark 1. Note that corruption of P_i in the deniability game means that a malicious P_i attempts to make his communicating party (say P_j) undeniable. In this case, allowing the simulator to obtain I_i is to demonstrate that the adversary's view can be simulated using the knowledge of A. In the case of non-adaptive corruption, deniability for pRO-KE can be intuitively seen as follows. Let K_c be the set of corrupted keys. Then deniability requires that the adversary's view can be generated with {T_i} and K_c only. To do this, an algorithm A′ can run the code of A and S with random tapes R_A and R_S respectively. An H-query asked by S (resp. A) is forwarded to the H-oracle as A′'s own query (thus, just like A, A′ only sees the input/output of his own queries) and when the reply is provided, it is forwarded back to S (resp. A). Finally, output the view of A (i.e., R_A and the messages from S to A). Note this view is distributed exactly as View(A, Γ^sim) and thus is indistinguishable from View(A, Γ^rea).
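The Send(1, j, l_j, M) case of the simulator, as an added example (not the authors' code), shows how S decides the consistency of Flow_1 from the public H-transcript L alone, with no D_j, and runs the real responder on the same message for comparison. It assumes the lazily sampled random oracle of Section 3.1 extended with a visible query log (the pRO assumption), a constructed toy RSA permutation for P_j, and the string identities "Pi" and "Pj"; all function names are this example's own. With a consistent Flow_1 both sides accept and recover the same s; with a σ never obtained from H, the simulator rejects, and the real responder rejects too unless Bad1 occurs (probability 2^-κ).

```python
"""Simulator view of Send(1, j, l_j, Flow1) from the proof of Theorem 1,
as an added example (not the authors' code).

Assumptions: H is the lazily sampled table of Section 3.1 with a visible
query log (pRO model); T_j is toy textbook RSA with constructed, insecure
parameters; identities are the strings "Pi" and "Pj".
"""
import secrets

KAPPA = 128  # output length of H in bits


class PublicRandomOracle:
    """H : {0,1}* -> {0,1}^kappa evaluated lazily via a list L. In the pRO
    model every (input, output) pair is visible to the simulator, so we log
    each query in the order it was made."""

    def __init__(self):
        self.L = {}
        self.log = []

    def query(self, x):
        if x not in self.L:  # fresh input: sample y <- {0,1}^kappa
            self.L[x] = secrets.token_bytes(KAPPA // 8).hex()
        self.log.append((x, self.L[x]))
        return self.L[x]


# Constructed toy RSA key for P_j: T_j(x) = x^e mod N is public, D_j needs d.
E_J, N_J = 3, 101 * 113
D_EXP_J = pow(E_J, -1, 100 * 112)


def T_j(x):
    return pow(x, E_J, N_J)


def D_j(y):
    return pow(y, D_EXP_J, N_J)


def real_send1(H, flow1):
    """The real P_j: inverts alpha with the trapdoor and checks sigma."""
    pi, alpha, sigma = flow1
    s = D_j(alpha)
    return ("accept", s) if H.query(f"{s}|{pi}|Pj") == sigma else "reject"


def simulated_send1(H, flow1):
    """The simulator S, which has no trapdoor. It accepts iff some logged
    H-query (s|P_i|P_j) -> sigma exists with T_j(s) = alpha, exactly the
    check of the Send(1, *) case in the proof; otherwise it rejects."""
    pi, alpha, sigma = flow1
    for x, y in H.log:
        fields = x.split("|")
        if (y == sigma and len(fields) == 3 and fields[1:] == [pi, "Pj"]
                and fields[0].isdigit() and T_j(int(fields[0])) == alpha):
            return ("accept", int(fields[0]))
    return "reject"


def adversary_flow1(H, consistent=True):
    """Adversary-built Flow1 = (P_i, T_j(s), sigma). With consistent=True,
    sigma comes from the public H as the protocol requires; with
    consistent=False, sigma is a fresh random string never derived from H,
    so Bad1 would need the real H value to collide with it (prob. 2^-kappa)."""
    s = secrets.randbelow(N_J)
    if consistent:
        sigma = H.query(f"{s}|Pi|Pj")
    else:
        sigma = secrets.token_bytes(KAPPA // 8).hex()
    return ("Pi", T_j(s), sigma), s


def compare_decisions(consistent):
    """Run S first (so P_j's own H-query cannot leak into the log S reads),
    then the real responder, and return both decisions."""
    H = PublicRandomOracle()
    flow1, _ = adversary_flow1(H, consistent)
    return simulated_send1(H, flow1), real_send1(H, flow1)


if __name__ == "__main__":
    print(compare_decisions(True), compare_decisions(False))
```

The order in compare_decisions matters: the real responder's own H-query on (D_j(α)|P_i|P_j) lands in the public log, and a simulator that ran afterwards would see a record it had no right to in Γ^sim, so S must decide from the adversary's queries alone.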

5.2 Secrecy

Now we consider secrecy, that is, that the adversary cannot have a non-negligible advantage in distinguishing an uncompromised session key from a random key. Intuitively, if a test session is not exposed, then, by the difficulty of inverting T, both s and r are unpredictable. Thus, the adversary should not be able to query s|r|P_i|P_j|2, so H(s|r|P_i|P_j|2) remains uniformly random to him. Formally,

Theorem 2. If H is a random oracle and T is a trapdoor permutation, then pRO-KE satisfies the secrecy property.

Proof. Denote by Succ(A, Γ) the success event of A in game Γ. Since Succ(A, Γ) is a part of the view of A in Γ for Γ ∈ {Γ^sim, Γ^rea}, we have a projection f with f(View(A, Γ)) ∈ {Succ(A, Γ), ¬Succ(A, Γ)} such that f(View(A, Γ)) = Succ(A, Γ) if and only if the Succ event occurs in Γ. Let ‖X, Y‖ be the statistical distance between random variables X and Y (i.e., ‖X, Y‖ = Σ_u |Pr[X = u] − Pr[Y = u]|). Then we have (although easy to prove, one can find details in Chapter 2 of [22])

  ‖f(View(A, Γ^rea)), f(View(A, Γ^sim))‖ ≤ ‖View(A, Γ^rea), View(A, Γ^sim)‖,   (2)

which is bounded by (Q'_s + Q''_s)/2^{κ−1}. Thus, Pr[Succ(A, Γ^rea)] ≤ Pr[Succ(A, Γ^sim)] + (Q'_s + Q''_s)/2^κ. To prove the theorem, it suffices to show that Pr[Succ(A, Γ^sim)] = 1/2 + negl(κ). The remaining proof focuses on this. First, if Π_i^{l_i} has set stat_i^{l_i} = (s, r), define sid_i^{l_i} = (s, r, initiator, responder) (e.g., in Figure 1, sid_i^{l_i} = sid_j^{l_j} = (s, r, P_i, P_j)); otherwise, leave sid_i^{l_i} undefined. Suppose A succeeds in the Test(i*, l*) query for some i* ∈ {1, ..., n}, l* ∈ N. W.l.o.g., assume P_{i*} acts as the initiator in Π_{i*}^{l*} and P_{j*} = pid_{i*}^{l*}. For simplicity, we restrict ourselves to the Good setting: throughout the simulation, s in Send(0, ∗) (resp. r in Send(1, ∗)) never repeats. Let the number of Send(0, ∗) queries be bounded by Q'''_s. Then Pr[Good] ≤ (Q'''_s^2 + Q'_s^2)/2^κ (recall that Q'_s is the bound on the number of Send(1, ∗) queries). The remaining analysis is under the Good condition. A Succ(A, Γ^sim) event can be separated into the two cases below.
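The bound (Q'_s + Q''_s)/2^{κ−1} on the right-hand side of (2), and the additive term (Q'_s + Q''_s)/2^κ on the success probability, follow from the deniability proof. The following derivation is added here (it is not in the paper) and assumes only that the real and simulated views can be coupled so that they coincide unless Bad1 ∨ Bad2 occurs, which is what the proof of Theorem 1 establishes. Writing X = View(A, Γ^rea) and Y = View(A, Γ^sim), the events X = u split according to whether the coupling agreed, and the agreeing parts cancel:

$$
\|X, Y\| = \sum_u \bigl|\Pr[X=u] - \Pr[Y=u]\bigr|
= \sum_u \bigl|\Pr[X=u,\ X\neq Y] - \Pr[Y=u,\ X\neq Y]\bigr|
\le 2\Pr[X\neq Y] \le 2\Pr[\mathrm{Bad}_1 \vee \mathrm{Bad}_2] \le \frac{Q'_s+Q''_s}{2^{\kappa-1}} .
$$

Since f(View(A, Γ)) takes only the two values Succ and ¬Succ, the left-hand side of (2) equals 2·|Pr[Succ(A, Γ^rea)] − Pr[Succ(A, Γ^sim)]|, and therefore

$$
\bigl|\Pr[\mathrm{Succ}(A,\Gamma^{rea})] - \Pr[\mathrm{Succ}(A,\Gamma^{sim})]\bigr|
\le \tfrac{1}{2}\,\|X, Y\| \le \frac{Q'_s+Q''_s}{2^{\kappa}} ,
$$

which is the term carried into the bound on Pr[Succ(A, Γ^rea)] above.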

Case 1. Let sid_{i*}^{l*} = (s*, r*, P_{i*}, P_{j*}). A has made an H-query with input (s*|r*|P_{i*}|P_{j*}|v) for some v ∈ {0, 1, 2}. Denote this event by Bad3. Intuitively, Bad3 is undesirable since in this case A knows the test session key and wins the test. However, we show that Pr[Bad3] is negligible. Intuitively, Flow_1 and Flow_2 leak no information about s*. But Bad3 implies that A has knowledge of s*. Since T_{j*}(s*) is generated by Send(0, i*, l*, ∗), A must be able to invert T_{j*}. Formally,

Claim 1. Pr[Bad3] is negligible.

Proof. We construct an adversary I that reduces the Bad3 event to inverting T. We show that if the probability for I to invert T is negligible, then Pr[Bad3] is negligible. Let ν be an upper bound on the number of Send(0, ∗) queries in which the responder id is fixed. Given T and a challenge ciphertext α*, I takes j* ← {1, ..., n} and ℓ ← {1, ..., ν}. Then he tries to simulate Γ^sim with A by playing the roles of S, T and the H-oracle. The details follow, where unmentioned cases are responded to normally.

a. T_{j*} is set to be T. T_j for other j is normally simulated.
b. Whenever an H-oracle call of the form x|∗|P_{j*} or x|∗|∗|P_{j*}|v occurs for x ∈ {0,1}^κ and v ∈ {0, 1, 2}, check whether T_{j*}(x) = α*. If yes, succeed with x; otherwise answer this query normally. Any other H-query is answered normally. Note that since the probability of inverting T is negligible, the succeed event is negligible. For simplicity, assume this succeed event never occurs.
c. When the ℓth Send(0, i*, l*, M) query with a fixed pid_{i*}^{l*} = P_{j*} occurs for some i* and l*, I does the following. He takes σ* ← {0,1}^κ and defines Flow_1 = (α*, σ*). Finally, he uses a variable ans to denote D_{j*}(α*) (which is currently unknown to I) and records (ans|P_{i*}|P_{j*}, σ*) into L. Otherwise, Send(0, ∗) is processed normally. The simulation here is consistent with Γ^sim since item b guarantees that no query (s|P_i|P_{j*}) s.t. T_{j*}(s) = α* was or will be issued to the H-oracle.
d. When a Send(1, j*, l_{j*}, M) query occurs, I does the following. Let M = (P_i, α, σ). The response for the case α ≠ α* is normal as in Γ^sim. Consider the case α = α*. If (ans|P_i|P_{j*}, σ) ∉ L, reject; otherwise, take r ← {0,1}^κ and check if (ans|r|P_i|P_{j*}|0, δ_1) ∈ L for some δ_1. If not, take δ_1 ← {0,1}^κ and add (ans|r|P_i|P_{j*}|0, δ_1) into L. In either case, define sid_{j*}^{l_{j*}} = ans|r|P_i|P_{j*} and let Flow_2 = <T_i(r), δ_1>. Note that if (ans|P_i|P_{j*}, σ) ∉ L, then α* is independent of α and thus the reject decision is wrong with probability 1/2^κ only. Ignoring this event, the simulation here is consistent with Γ^sim since item b guarantees that no query (x|P_i|P_{j*}) or (x|y|P_i|P_{j*}|0) s.t. T_{j*}(x) = α* was or will be issued to the H-oracle.
e. When a Send(2, i, l_i, M) query occurs, I does as follows. Let M = (β, δ_1). If (i, l_i) ≠ (i*, l*), the response is normal as in Γ^sim; in this case, since s in stat_i^{l_i} is known, the simulation is perfectly consistent with Γ^sim. Otherwise, verify whether there exists r ∈ {0,1}^κ s.t. (ans|r|P_{i*}|P_{j*}|0, δ_1) ∈ L and T_{i*}(r) = β. If not, reject (the decision in this case is wrong with probability 1/2^κ; ignore it); otherwise, normally query the H-oracle with ans|r|P_{i*}|P_{j*}|1 and ans|r|P_{i*}|P_{j*}|2 to compute δ_2* and sk_{i*}^{l*}, respectively. Finally define Flow_3 = δ_2* and sid_{i*}^{l*} = ans|r|P_{i*}|P_{j*}. Again the simulation here is consistent with Γ^sim since item b guarantees that no query (x|P_i|P_{j*}|v) for some v ∈ {0, 1, 2} s.t. T_{j*}(x) = α* was or will be issued to the H-oracle.
f. When Send(3, j, l_j, δ_2) is called: if α in Flow_1 is not equal to α*, the response is normal (since (s, r) in stat_j^{l_j} is known in this case); otherwise, check if (ans|P_i|P_{j*}|1, δ_2) ∈ L. If yes, accept and define sk_j^{l_j} by querying ans|P_i|P_{j*}|2 to the H-oracle; otherwise, reject (this decision is wrong with probability 1/2^κ; ignore it). The simulation here is consistent with Γ^sim.
g. When Corrupt(j*) or Corrupt(i*) (for some i* specified in item c) occurs, I aborts with failure. Let l′ be an integer (if it exists) s.t. sid_{j*}^{l′} = sid_{i*}^{l*}. By the Good condition, there is at most one l′. If Reveal(j*, l′) or Reveal(i*, l*) occurs, abort with failure too.

The remaining oracle queries can be answered without D_{j*}(α*) and are normally simulated according to Γ^sim. Note that if (j*, ℓ) is correctly guessed, in the sense that Π_{i*}^{l*} is chosen as the test session, then the adversary's view is consistent with that in Γ^sim (unless succeed in item b occurs, which is negligible). In this case, Pr[Bad3] in Γ^sim is negligibly close to Pr[Bad3] in the simulation of I. However, the latter event implies succeed in item b (negligible). Thus, the former is negligible too. Since (j*, ℓ) is correct with probability 1/(nν), Pr[Bad3] in Γ^sim is negligible. ♣

Case 2.



Let sidli∗ = s∗ |r∗ |Pi∗ |Pj ∗ . A never makes a H-query (s∗ |r∗ |Pi∗ |Pj ∗ |v) for some v ∈ {0, 1, 2}.

Denote the class of $\mathcal{A}$ satisfying the above constraint by $\mathcal{NQ}$. We show that $\mathrm{Succ}(\mathcal{A})$ in this case has probability exactly $1/2$. Actually, if $\mathrm{View}(\mathcal{A}, \Gamma^{sim})_b$ denotes the view of $\mathcal{A}$ when the challenge bit in the Test query is $b$, we show

Claim 2. Let $\mathcal{A} \in \mathcal{NQ}$. Then $\mathrm{View}(\mathcal{A}, \Gamma^{sim})_0$ and $\mathrm{View}(\mathcal{A}, \Gamma^{sim})_1$ are identically distributed.

Proof. Assume $|L|$ is bounded by $L$. Let $\Phi_H = \{Y_1, \cdots, Y_L\}$, where $Y_i = H(x_i)$ is the reply to the $i$th unrecorded $H$-query $x_i$. Thus, $(Y_1, \cdots, Y_L)$ is uniformly distributed over $\{0,1\}^{\kappa L}$. Let $\Phi_0 = \{s_1, \cdots, s_{Q_0}\}$, where $s_i$ is the randomness $s$ in the $i$th $\mathrm{Send}(0, *)$ oracle query. Let $\Phi_1 = \{r_1, \cdots, r_{Q_1}\}$, where $r_i$ is the randomness $r$ in the $i$th $\mathrm{Send}(1, *)$ oracle query. Let $R_{\mathcal{A}}$ be the randomness of $\mathcal{A}$, $R_T$ that of $T$, $rand$ the random key and $b$ the challenge bit for the Test oracle. Then $\mathrm{View}(\mathcal{A}, \Gamma^{sim})$ is deterministic in $(\Phi_H, \Phi_0, \Phi_1, R_{\mathcal{A}}, R_T, rand, b)$. W.l.o.g., assume an initiator instance $\Pi_{i^*}^{l^*}$ is selected as the Test instance and its $sid_{i^*}^{l^*} = s^*|r^*|P_{i^*}|P_{j^*}$. Then $\Phi_H$ can be separated into two parts: (1) $Y^*$ for $H(s^*|r^*|P_{i^*}|P_{j^*}|2)$, and (2) $\Phi_H' := \Phi_H \setminus \{Y^*\}$. Let $\omega$ be the challenge key returned to $\mathcal{A}$ in $\mathrm{Test}(i^*, l^*)$. Then $\omega = Y^*$ for $b = 0$ and $\omega = rand$ for $b = 1$. To prove the claim, it is sufficient to show that there exists a deterministic function $G$ such that $\mathrm{View}(\mathcal{A}, \Gamma^{sim}) = G(R_{\mathcal{A}}, R_T, \Phi_H', \Phi_0, \Phi_1, \omega)$. If this is done, then $\mathrm{View}(\mathcal{A}, \Gamma^{sim})_0 = G(R_{\mathcal{A}}, R_T, \Phi_H', \Phi_0, \Phi_1, Y^*)$ and $\mathrm{View}(\mathcal{A}, \Gamma^{sim})_1 = G(R_{\mathcal{A}}, R_T, \Phi_H', \Phi_0, \Phi_1, rand)$. Since $Y^*$ and $rand$ are both uniformly random over $\{0,1\}^\kappa$, the claim follows.

Note that $\mathrm{View}(\mathcal{A}, \Gamma^{sim})$ consists of $R_{\mathcal{A}}$, $\{T_i\}_{i=1}^n$ and all the oracle replies from the simulator $\mathcal{S}$. Initially, the view consists of $R_{\mathcal{A}}$ and $\{T_i\}$, which is deterministic in $R_{\mathcal{A}}$ and $R_T$. Thus the conclusion holds initially. To prove the claim, it suffices to show that after each oracle query the view of $\mathcal{A}$ remains deterministic in $R_{\mathcal{A}}, R_T, \Phi_H', \Phi_0, \Phi_1, \omega$. The cases are as follows.

- $H$-oracle query with input $x$ by $\mathcal{A}$. Since $\mathcal{A} \in \mathcal{NQ}$, we have $x \ne sid_{i^*}^{l^*}|2$. Thus, $H(x) \in \Phi_H'$.

- $\mathrm{Send}(0, i, l_i, M)$ query. Assume $pid_i^{l_i} = P_j$. Then the oracle reply is $P_i, T_j(s), H(s|P_i|P_j)$ for some $s \in \Phi_0$. Since $(s|P_i|P_j) \ne (s^*|P_{i^*}|P_{j^*}|2)$, it follows that $H(s|P_i|P_j) \in \Phi_H'$.

- $\mathrm{Send}(1, j, l_j, M)$ query. Let $M = (P_i, \alpha, \sigma)$. In $\Gamma^{sim}$, if there does not exist $(s|P_i|P_j, \sigma) \in L$ s.t. $T_j(s) = \alpha$, reject; otherwise, the oracle reply is $(T_i(r), H(s|r|P_i|P_j|0))$. Since $s|P_i|P_j \ne s^*|P_{i^*}|P_{j^*}|2$ for any $s$, the reject/accept verification in this query only depends on $\Phi_H'$. In addition, $r \in \Phi_1$ and $H(s|r|P_i|P_j|0) \in \Phi_H'$ since $(s|r|P_i|P_j|0) \ne (s^*|r^*|P_{i^*}|P_{j^*}|2)$.

- $\mathrm{Send}(2, i, l_i, M)$ query. Let $M = (\beta, \delta_1)$. In $\Gamma^{sim}$, if there does not exist $r$ s.t. $(s|r|P_i|P_j|0, \delta_1) \in L$, reject; otherwise, the reply is $H(s|r|P_i|P_j|1)$, where $s = stat_i^{l_i}$ and $P_j = pid_i^{l_i}$. Since $s|r|P_i|P_j|0 \ne s^*|r^*|P_{i^*}|P_{j^*}|2$, the verification only depends on $\Phi_H'$. Note that $s \in \Phi_0$ and $H(s|r|P_i|P_j|1) \in \Phi_H'$, so the conclusion holds after this query.

- $\mathrm{Send}(3, j, l_j, \delta_2)$ query. Let $sid_j^{l_j} = s|r|P_i|P_j$. The reply is accept if and only if $(s|r|P_i|P_j|1, \delta_2) \in L$. Since $H(s|r|P_i|P_j|1) \in \Phi_H'$, the conclusion is correct after this query.

- $\mathrm{Corrupt}(i)$ query. The reply is $D_i$ and $stat_i^l$ and $sk_i^l$ for all $l$. Note that $i \ne i^*, j^*$ by the Test restriction. $stat_i^l$ only depends on $\Phi_0$ and $\Phi_1$. Each $sk_i^l$ is a random variable of the form $H(*P_i*)$. Since $P_i \notin \{P_{i^*}, P_{j^*}\}$, $sk_i^l \in \Phi_H'$. Thus, the conclusion holds after this query too.

- $\mathrm{Reveal}(i, l_i)$ query. The case $i \notin \{i^*, j^*\}$ is shown as in the Corrupt query. If $i = i^*$ but $\Pi_i^{l_i}$ is a responder, then $sk_i^{l_i}$ has the form $H(*|*|*|P_{i^*}|2) \in \Phi_H'$ (recall $sk_{i^*}^{l^*} = H(s^*|r^*|P_{i^*}|P_{j^*}|2)$). Similarly, the case $i = j^*$ but $\Pi_i^{l_i}$ is an initiator can be shown. If $i = i^*$ but $l_i \ne l^*$, then for $stat_i^{l_i} = (s, r)$, $sk_i^{l_i} = H(s|r|P_i|*|2)$. By the Good condition, $s \ne s^*$. Thus, $H(s|r|P_i|*|2) \in \Phi_H'$ (if defined). If $i = i^*$ and $l_i = l^*$, then this query is not allowed due to the Test constraint. If $i = j^*$ and $P_i$ is a responder, then the query is allowed only if $stat_i^{l_i} \ne (s^*, r^*)$, which implies that $sk_i^{l_i} \in \Phi_H'$ (if defined).

- $\mathrm{Test}(i^*, l^*)$. The answer is $\omega$.

Thus, if the view of $\mathcal{A}$ before a query only depends on $(\Phi_H', \Phi_0, \Phi_1, R_{\mathcal{A}}, R_T, \omega)$, then after this query the view of $\mathcal{A}$ still only depends on these variables. It follows that $\mathrm{View}(\mathcal{A}, \Gamma^{sim})$ only depends on $(\Phi_H', \Phi_0, \Phi_1, R_{\mathcal{A}}, R_T, \omega)$. ♣

Summarizing the above two cases, we have $\Pr[\mathrm{Succ}(\mathcal{A}, \Gamma^{sim})] \le \frac{1}{2} + \Pr[\mathrm{Bad}_3] + \Pr[\mathrm{Good}] < \frac{1}{2} + \mathrm{negl}(\kappa)$. ■

5.3 Authentication

In this section, we consider the authentication of pRO-KE. This is to show that a test session $\Pi_{i^*}^{l^*}$ must have a partnered session in $pid_{i^*}^{l^*}$.

Theorem 3. $\Pr[\mathrm{Non\text{-}Auth}(\mathcal{A})]$ is negligible.

Proof. For any instances $\Pi_i^{l_i}$ and $\Pi_j^{l_j}$ with $pid_i^{l_i} = P_j$ and $pid_j^{l_j} = P_i$, let $sid_i^{l_i} = s|r|P_i|P_j$ and $sid_j^{l_j} = s'|r'|P_i|P_j$. Then $(s, r) = (s', r')$ if and only if $(T_j(s), T_i(r)) = (T_j(s'), T_i(r'))$. Since $(T_j(s), T_i(r))$ and $(T_j(s'), T_i(r'))$ are in the view of $\mathcal{A}$, partnership can be determined from $\mathrm{View}(\mathcal{A})$. Thus, similar to equation (2), we only need to consider Non-Auth in $\Gamma^{sim}$. For a test instance $\Pi_{i^*}^{l^*}$ with $sid_{i^*}^{l^*} = s^*|r^*|P_{i^*}|P_{j^*}$, by the proof of Theorem 2 there are two cases: (1) $\mathcal{A}$ made an $H$-query with $s^*|r^*|P_{i^*}|P_{j^*}|v$ for some $v \in \{0, 1, 2\}$; (2) $\mathcal{A}$ never made such a query. By Claim 1, case (1) occurs with negligible probability. Consider case (2). Assume the simulator never repeats $s^*$ in $\mathrm{Send}(0, *)$. In this case, since there is no partnered instance for $\Pi_{i^*}^{l^*}$, the simulator $\mathcal{S}$ in $\Gamma^{sim}$ never made an $H$-query with $s^*|r^*|P_{i^*}|P_{j^*}|v$ for any $v$. So $L$ does not contain a record of the form $(s^*|r^*|P_{i^*}|P_{j^*}|v, *)$. In particular, the $\delta_1$ received by $\Pi_{i^*}^{l^*}$ (via $\mathrm{Send}(2, i^*, l^*, M)$) is consistent with $H(s^*|r^*|P_{i^*}|P_{j^*}|0)$ with probability $2^{-\kappa}$, which is negligible. Thus, Non-Auth($\mathcal{A}$) in $\Gamma^{sim}$ occurs only with negligible probability. ■

6 Performance

In this section, we discuss the performance of our protocol and compare it with other deniably secure key exchange protocols [7, 15]. We first describe their performance individually.

1. Our pRO-KE protocol has only three rounds and is thus round efficient. If we implement $T$ by RSA, then the computational cost for each party is dominated by only two exponentiations. Our security is based on the public random oracle and the hardness of inverting the trapdoor permutation.

2. Di Raimondo et al. [7] showed that SKEME [17] is deniably secure. SKEME has three rounds, but it requires a public-key cryptosystem with CCA2 security and plaintext-awareness. Instantiated with the Cramer-Shoup cryptosystem [5] (whose plaintext-awareness is shown by Dent [6] under the knowledge of exponent assumption), each party needs 10 modular exponentiations.

3. Jiang [15] recently presented a deniable authenticator theorem which essentially states that when a protocol is deniably secure in the authenticated-link model, a deniable MT-authenticator can transform it into a deniably secure protocol in the unauthenticated-link model. Using this theorem, he obtained a deniably secure key exchange protocol. However, this protocol has 9 rounds. Each party needs to encrypt or decrypt with a semantically secure cryptosystem and a trapdoor permutation. Instantiating the former with the ElGamal cryptosystem and the latter with RSA, each party needs 5 modular exponentiations. The security of his scheme is based on the public random oracle (remark: the public random oracle is called the uncontrollable random oracle in [15]; we change the name only because it sounds better) and the security of these two primitives.

The comparison of these three schemes is summarized in Table 2. Some remarks are needed. The computation cost only counts the dominating operation, as the others are negligible. The assumption column only states the strongest assumption, as it is the one of most interest. The instantiated primitive means that the general primitives mentioned above are instantiated using the most efficient known scheme that appears in the table. The computation cost is calculated based on the instantiated primitives. Note that we only compare these schemes since they are the only known key exchange protocols with full deniability (in the sense of [11], i.e., simulatability of an adversary's view in a fully concurrent environment).

Scheme              Comput. Cost   Round Comp.   Assumption   Instantiated primitives
SKEME [17, 7]       10 exps        3             KEA          Cramer-Shoup [5]
uROE-KE [15]        5 exps         9             pRO          ElGamal and RSA
pRO-KE (this work)  2 exps         3             pRO          RSA

Fig. 2. Compare pRO-KE with other schemes
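The following Python model is an added example and not code from the paper. It reconstructs the three flows exactly as they appear in the Send(0) to Send(3) cases of the proofs above ($Flow_1 = (P_i, T_j(s), H(s|P_i|P_j))$, $Flow_2 = (T_i(r), H(s|r|P_i|P_j|0))$, $Flow_3 = H(s|r|P_i|P_j|1)$, session key $H(s|r|P_i|P_j|2)$), with $T$ instantiated by RSA as in the comparison table, so that each party's cost is one forward evaluation of the peer's permutation plus one inversion of its own. The party names, the tiny Mersenne-prime moduli and truncated SHA-256 as a stand-in for the random oracle $H$ are constructed assumptions for illustration only. Beyond what the text spells out, `forge_transcript` shows the deniability intuition in code: a complete transcript can be produced from the public permutations alone, without either trapdoor, so a transcript is not evidence that the two parties ever talked.

```python
"""Toy model of the three-flow pRO-KE exchange reconstructed from the paper's
proof cases.  Constructed for illustration only: tiny Mersenne-prime RSA moduli
as the trapdoor permutation T, truncated SHA-256 as the random oracle H."""
import hashlib
import secrets

KAPPA = 64  # toy nonce length in bits; s and r must stay below every modulus

def make_toy_rsa(p, q, e=65537):
    """(n, e, d): T(x) = x^e mod n is a public permutation of Z_n, D(y) = y^d mod n
    its trapdoor inverse.  Toy parameters, not a secure key generation."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d

class Party:
    def __init__(self, name, p, q):
        self.name = name.encode()
        self.n, self.e, self.d = make_toy_rsa(p, q)

    def T(self, x):  # public permutation T_i: anyone can evaluate it
        return pow(x, self.e, self.n)

    def D(self, y):  # private inverse D_i: only the holder of d can evaluate it
        return pow(y, self.d, self.n)

def _enc(part):
    return part if isinstance(part, bytes) else part.to_bytes(16, "big")

def H(*parts):
    """Random-oracle stand-in for H(a|b|...|v) (assumption: truncated SHA-256)."""
    return hashlib.sha256(b"|".join(_enc(p) for p in parts)).digest()[:KAPPA // 8]

def flow1(i, j):
    """P_i -> P_j: Flow1 = (P_i, T_j(s), H(s|P_i|P_j)); one exponentiation."""
    s = secrets.randbits(KAPPA)
    return s, (i.name, j.T(s), H(s, i.name, j.name))

def flow2(j, i, msg):
    """P_j recovers s with D_j, checks sigma, answers Flow2 = (T_i(r), H(s|r|P_i|P_j|0)).
    Two exponentiations (D_j and T_i).  Returns None when the check rejects."""
    p_i, alpha, sigma = msg
    s = j.D(alpha)
    if sigma != H(s, p_i, j.name):
        return None
    r = secrets.randbits(KAPPA)
    return (s, r), (i.T(r), H(s, r, p_i, j.name, 0))

def flow3(i, j, s, msg):
    """P_i recovers r with D_i (its second exponentiation), checks delta_1, emits
    Flow3 = H(s|r|P_i|P_j|1) and derives sk = H(s|r|P_i|P_j|2)."""
    beta, delta1 = msg
    r = i.D(beta)
    if delta1 != H(s, r, i.name, j.name, 0):
        return None
    return H(s, r, i.name, j.name, 2), H(s, r, i.name, j.name, 1)

def finish(j, i, s, r, delta2):
    """P_j checks Flow3 and derives the same session key, or rejects."""
    if delta2 != H(s, r, i.name, j.name, 1):
        return None
    return H(s, r, i.name, j.name, 2)

def run_session(i, j, tamper=None):
    """Run one session.  `tamper` (optional) rewrites Flow2 on the wire, modelling
    an active attacker.  Returns (sk_i, sk_j, transcript); a rejected run gives
    (None, None, None)."""
    s, m1 = flow1(i, j)
    res = flow2(j, i, m1)
    if res is None:
        return None, None, None
    (s_j, r), m2 = res
    if tamper is not None:
        m2 = tamper(m2)
    res = flow3(i, j, s, m2)
    if res is None:
        return None, None, None
    sk_i, m3 = res
    sk_j = finish(j, i, s_j, r, m3)
    return sk_i, sk_j, ((s, r), (m1, m2, m3))

def forge_transcript(i, j):
    """Deniability: using only the PUBLIC permutations T_i, T_j and the oracle H,
    anyone can pick s, r and emit a transcript distributed like a real run.
    Neither D_i nor D_j is called, so a transcript proves nothing."""
    s, r = secrets.randbits(KAPPA), secrets.randbits(KAPPA)
    m1 = (i.name, j.T(s), H(s, i.name, j.name))
    m2 = (i.T(r), H(s, r, i.name, j.name, 0))
    m3 = H(s, r, i.name, j.name, 1)
    return (s, r), (m1, m2, m3)

def transcript_consistent(i, j, s, r, transcript):
    """Check a transcript against (s, r) under the public rules; honest and forged
    transcripts pass identically."""
    m1, m2, m3 = transcript
    return (m1 == (i.name, j.T(s), H(s, i.name, j.name))
            and m2 == (i.T(r), H(s, r, i.name, j.name, 0))
            and m3 == H(s, r, i.name, j.name, 1))
```

A session is driven with two `Party` objects, for instance `Party("Alice", 2**31 - 1, 2**61 - 1)` and `Party("Bob", 2**19 - 1, 2**89 - 1)` (toy primes), and `run_session(alice, bob)` returns matching keys; passing `tamper=lambda m: (m[0], bytes(8))` makes the initiator's $\delta_1$ check reject, which is the authentication property of Theorem 3 in miniature, while `forge_transcript` passes `transcript_consistent` just as an honest run does.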

7 Conclusion

In this work, we proposed a new deniably secure key exchange protocol. Our protocol allows two parties to jointly share a secret key while neither of the two can prove to a third party the fact that communication between them happened. A deniably secure key exchange protocol is an important tool for realizing a deniably secure channel. Our protocol is simpler and more efficient than the previous protocols, and it is proven deniably secure under the public random oracle model.

Acknowledgement. S. Jiang has been supported as a postdoctoral fellow by two Informatics Circle of Research Excellence grants on Information Security, and Algorithmic Number Theory and Cryptography.

References

1. M. Bellare and P. Rogaway, Entity Authentication and Key Distribution, CRYPTO 1993, pp. 232-249.
2. M. Bellare and P. Rogaway, Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, ACM CCS'93, pp. 62-73.
3. M. Bellare and A. Palacio, Towards Plaintext-Aware Public-Key Encryption without Random Oracles, ASIACRYPT'04, Springer-Verlag, 2004.
4. R. Canetti and H. Krawczyk, Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels, EUROCRYPT 2001, pp. 453-474.
5. R. Cramer and V. Shoup, A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack, CRYPTO 1998, pp. 13-25.
6. A. Dent, The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model, EUROCRYPT'06.
7. M. Di Raimondo, R. Gennaro and H. Krawczyk, Deniable Authentication and Key Exchange, ACM CCS'06.
8. W. Diffie and M. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, Vol. 22, pp. 644-654, Nov. 1976.
9. Y. Desmedt, Subliminal-Free Authentication and Signature (Extended Abstract), EUROCRYPT 1988, pp. 23-33.
10. D. Dolev, C. Dwork and M. Naor, Non-malleable Cryptography, SIAM J. Comput., 30(2): 391-437 (2000). Earlier version in STOC'91, pp. 542-552, 1991.
11. C. Dwork, M. Naor and A. Sahai, Concurrent Zero-Knowledge, STOC'98, Dallas, Texas, US, pp. 409-418, 1998.
12. C. Dwork and A. Sahai, Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints, CRYPTO'98, pp. 442-457.
13. S. Goldwasser, S. Micali and C. Rackoff, The Knowledge Complexity of Interactive Proof Systems, SIAM J. Comput., 18(1): 186-208 (1989).
14. D. Harkins, C. Kaufman, T. Kivinen, S. Kent and R. Perlman, Design Rationale for IKEv2, Internet Draft, February 2002.
15. S. Jiang, Deniable Authentication on the Internet, INSCRYPT 2007. Available at http://eprint.iacr.org/2007
16. J. Katz, Efficient and Non-malleable Proofs of Plaintext Knowledge and Applications, EUROCRYPT'03, pp. 211-228.
17. H. Krawczyk, SKEME: A Versatile Secure Key Exchange Mechanism for Internet, NDSS'96, pp. 114-127.
18. H. Krawczyk, SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols, CRYPTO 2003, pp. 400-425.
19. W. Mao and K. Paterson, On the Plausible Deniability Feature of Internet Protocols, Manuscript.
20. M. Naor, Deniable Ring Authentication, CRYPTO'02, M. Yung (Ed.), LNCS 2442, Springer-Verlag, pp. 481-498, 2002.
21. R. Pass, On Deniability in the Common Reference String and Random Oracle Model, CRYPTO'03, pp. 316-337, 2003.
22. J. Wullschleger, Oblivious Transfer Amplification, PhD Thesis, ETH, 2006. http://arxiv.org/cs.CR/0608076.
