Deniable Ring Authentication
Digital Signatures enable authenticating messages in a way that disallows
repudiation. While non-repudiation is essential in some applications, it
might be undesirable in others. Two related notions of authentication are:
(Dwork, Naor and Sahai STOC'98, see
) and Ring Signatures
(Rivest, Shamir and Tauman ASIACRYPT'2001).
In this work we show how to combine these notions and achieve Deniable Ring
Authentication: it is possible to convince a verifier that a member of an
ad hoc subset of participants (a ring) is authenticating a message m without
revealing which one (source hiding), and the verifier V cannot convince a
third party that message m was indeed authenticated -- there is no `paper
trail' of the conversation, other than what could be produced by V alone,
as in zero-knowledge.
We provide an efficient protocol for deniable ring authentication based on
any strong encryption scheme. That is once an entity has published a public-key
of such a system it can be drafted to any such ring. There is no need for
any other cryptographic primitive. The scheme can be extended to yield threshold
authentication as well.
, gzipped Postscript
. Also see Open Day 2005 talk: Cryptography and Complexity at the Weizmann Institute ,
Related On-Line Papers:
- Danny Dolev, Cynthia Dwork and Moni Naor, Non-Malleable
Cryptography, Siam J. on Computing 30(2), 2000, pp. 391-437.
- Cynthia Dwork, Moni Naor and Amit Sahai, Concurrent
Zero-Knowledge or The Timing Model for Designing Concurrent Protocols,
Proc. 29th ACM Symp. on Theory of Computing, 1998.