TY - GEN
T1 - Composability and on-line deniability of authentication
AU - Dodis, Yevgeniy
AU - Katz, Jonathan
AU - Smith, Adam
AU - Walfish, Shabsi
PY - 2009
Y1 - 2009
N2 - Protocols for deniable authentication achieve seemingly paradoxical guarantees: upon completion of the protocol the receiver is convinced that the sender authenticated the message, but neither party can convince anyone else that the other party took part in the protocol. We introduce and study on-line deniability, where deniability should hold even when one of the parties colludes with a third party during execution of the protocol. This turns out to generalize several realistic scenarios that are outside the scope of previous models. We show that a protocol achieves our definition of on-line deniability if and only if it realizes the message authentication functionality in the generalized universal composability framework; any protocol satisfying our definition thus automatically inherits strong composability guarantees. Unfortunately, we show that our definition is impossible to realize in the PKI model if adaptive corruptions are allowed (even if secure erasure is assumed). On the other hand, we show feasibility with respect to static corruptions (giving the first separation in terms of feasibility between the static and adaptive setting), and show how to realize a relaxation termed deniability with incriminating abort under adaptive corruptions.
AB - Protocols for deniable authentication achieve seemingly paradoxical guarantees: upon completion of the protocol the receiver is convinced that the sender authenticated the message, but neither party can convince anyone else that the other party took part in the protocol. We introduce and study on-line deniability, where deniability should hold even when one of the parties colludes with a third party during execution of the protocol. This turns out to generalize several realistic scenarios that are outside the scope of previous models. We show that a protocol achieves our definition of on-line deniability if and only if it realizes the message authentication functionality in the generalized universal composability framework; any protocol satisfying our definition thus automatically inherits strong composability guarantees. Unfortunately, we show that our definition is impossible to realize in the PKI model if adaptive corruptions are allowed (even if secure erasure is assumed). On the other hand, we show feasibility with respect to static corruptions (giving the first separation in terms of feasibility between the static and adaptive setting), and show how to realize a relaxation termed deniability with incriminating abort under adaptive corruptions.
UR - http://www.scopus.com/inward/record.url?scp=70350639645&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=70350639645&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-00457-5_10
DO - 10.1007/978-3-642-00457-5_10
M3 - Conference contribution
AN - SCOPUS:70350639645
SN - 3642004563
SN - 9783642004568
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 146
EP - 162
BT - Theory of Cryptography - 6th Theory of Cryptography Conference, TCC 2009, Proceedings
T2 - 6th Theory of Cryptography Conference, TCC 2009
Y2 - 15 March 2009 through 17 March 2009
ER -