Deniable RSA Signature
Authors
Abstract
The 40 thieves realize that the fortune in their cave is vanishing. A rumor says that Ali Baba has been granted access (in the form of a certificate) to the cave, but they need evidence to get justice from the Caliph. On the other hand, Ali Baba wants to be able to access the cave securely without leaking any evidence. A similar scenario holds in the biometric passport application: Ali Baba wants to be able to prove his identity securely but does not want to leak any transferable evidence of, say, his date of birth. In this paper we discuss the notion of offline non-transferable authentication protocol (ONTAP). We review a construction based on the GQ protocol which can accommodate authentication based on any standard RSA certificate. We also discuss the fragility of this deniability property with respect to set-up assumptions. Namely, if tamper resistance exists, any ONTAP protocol in the standard model collapses.

1 Prolog: Supporting Ali Baba’s Crime in a Fair Way

Many centuries after the 1001 nights, Queen Scheherazade revisits her story of Ali Baba [23]. Ali Baba is well known to have been granted access to the cave of the forty thieves. However, any proof of this that could be presented to the Caliph would leave the king no choice but to condemn him for violating the thieves’ property. So far, the thieves have not succeeded in obtaining such evidence. Actually, Ali Baba’s grant to open the cave has the form of an RSA certificate (signed by Scheherazade, the authority in this story) attesting that Ali Baba is authorized to open the cave. As the cave recognizes the queen’s signature, it opens for Ali Baba. However, this certificate could constitute evidence to convict Ali Baba and Scheherazade. Otherwise, the existence of this certificate can simply be denied, and nobody would even risk implicitly accusing the Queen without any evidence.
Since the thieves could mount an active attack (sometimes also called a thief-in-the-middle attack) between the cave and Ali Baba, the access control protocol must be such that, while being secure so that nobody without a valid certificate can open the cave, the thieves have no way to obtain any transferable proof which could convict Ali Baba. Indeed, Ali Baba runs a protocol with the cave, proving possession of the RSA signature, but in a deniable way. In this paper we describe this protocol, which is based on the Guillou-Quisquater (GQ) protocol [14,15].

History of this protocol. This problem appeared with the application of the biometric passport [1]. In this application, the passport holds a signature (by government authorities) attesting the identity of the passport holder. The identity is defined by a facial picture, a name, a date of birth, a passport number, and its expiration date. One problem with this application (called “passive authentication”) is that any passport reader (or any reader getting through the access control protocol) can obtain this signature, which can later be collected or posted for whatever reason. This raises privacy concerns. Some closely related protocols such as [2] were proposed for slightly different applications, based on ElGamal signatures. At Asiacrypt 2005, after [2] was presented, Marc Girault suggested that the GQ protocol [14,15] could be used to prove knowledge of an RSA signature in a zero-knowledge (ZK) way. The basic GQ protocol is not zero-knowledge though (it is only honest-verifier zero-knowledge), so we have to enrich it. The application to the biometric passport was suggested by Monnerat, Vaudenay, and Vuagnoux in [20,28,30]. At ACNS 2009, Monnerat, Pasini, and Vaudenay [17] presented this enriched protocol together with a proof of security. The protocol is called an offline non-transferable authentication protocol (ONTAP). We review this result in this paper.
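The three-move GQ exchange the construction builds on, written out as an added example: this is the basic GQ protocol of [14,15] applied to an RSA signature, not the enriched ONTAP protocol of [17], whose additions are not reproduced here. The toy Mersenne-prime modulus, the SHA-256-mod-n hash, and the names hash_to_zn, gq_commit, gq_challenge, gq_respond, gq_verify, run_honest and simulate are assumptions made for this example. The simulator at the end illustrates the Prolog's requirement: with the challenge fixed in advance, anyone (the cave included) can produce a transcript distributed exactly like a real one, so a recorded transcript is no evidence against Ali Baba.

```python
"""Guillou-Quisquater (GQ) proof of knowledge of an RSA signature, plus the
honest-verifier simulator that shows why a transcript is not transferable
evidence.  Added example, not the ONTAP construction of [17].  The modulus is
a toy built from two Mersenne primes (assumption: sizes chosen for readability,
not security); hash_to_zn is a constructed full-domain-hash stand-in, not any
standardised RSA signature encoding.
"""
import hashlib
import secrets

# Toy RSA key.  2^89-1 and 2^107-1 are Mersenne primes; e = 65537 is coprime to
# (p-1)(q-1) because the order of 2 modulo 65537 is 32 and neither 88 nor 106
# is a multiple of 32.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def hash_to_zn(message: bytes, n: int = N) -> int:
    """Constructed FDH-style encoding: SHA-256 reduced modulo n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes) -> int:
    """Authority (Scheherazade): s = H(m)^d mod n.  Only the holder gets s."""
    return pow(hash_to_zn(message), D, N)


def gq_commit(n: int = N, e: int = E):
    """Prover move 1: pick random r, send T = r^e mod n.  Returns (r, T)."""
    r = secrets.randbelow(n - 2) + 2          # r in [2, n-1]
    return r, pow(r, e, n)


def gq_challenge(e: int = E) -> int:
    """Verifier move 2: challenge c in [0, e-1]; soundness error 1/e per round."""
    return secrets.randbelow(e)


def gq_respond(r: int, s: int, c: int, n: int = N) -> int:
    """Prover move 3: z = r * s^c mod n.  This is the only step needing s."""
    return (r * pow(s, c, n)) % n


def gq_verify(J: int, T: int, c: int, z: int, n: int = N, e: int = E) -> bool:
    """Cave checks z^e == T * J^c mod n, i.e. z = r * s^c for some s with s^e = J."""
    if not (0 < z < n and 0 < T < n and 0 <= c < e):
        return False
    return pow(z, e, n) == (T * pow(J, c, n)) % n


def run_honest(s: int):
    """Full interactive run with a holder who knows s; returns (T, c, z)."""
    r, T = gq_commit()
    c = gq_challenge()
    z = gq_respond(r, s, c)
    return T, c, z


def simulate(message: bytes, c=None):
    """Honest-verifier simulator: with no signature at all, choose z and c
    first and back-compute T = z^e * J^(-c) mod n.  The triple has exactly the
    distribution of an honest transcript, so it proves nothing to a third party."""
    J = hash_to_zn(message)
    if c is None:
        c = gq_challenge()
    z = secrets.randbelow(N - 2) + 2
    J_inv = pow(J, -1, N)       # gcd(J, n) = 1 except with negligible probability
    T = (pow(z, E, N) * pow(J_inv, c, N)) % N
    return T, c, z


if __name__ == "__main__":
    msg = b"Ali Baba may open the cave"   # constructed certificate content
    s = sign(msg)
    J = hash_to_zn(msg)
    assert pow(s, E, N) == J              # ordinary RSA check of the certificate
    print("honest run verifies:   ", gq_verify(J, *run_honest(s)))
    print("simulated run verifies:", gq_verify(J, *simulate(msg)))
```

The simulator only works because the challenge is known before the commitment, i.e. against an honest verifier. A cheating cave that picks c as a function of T forces a simulator to guess c, send T, and rewind the verifier whenever the guess was wrong; that rewinding is the assumption the paper later shows breaks down when the verifier sits in a tamper-proof device. Note also that with e = 65537 one round has soundness error 1/e, whereas a small public exponent such as e = 3 would need the round repeated.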
Our ONTAP protocol involves three participants: the authority (Queen Scheherazade), the holder (Ali Baba), and the server (the cave). The authority is trusted. It holds a secret key for signing, but the other participants hold no secret a priori. However, the protocol must be protected against a cheating prover trying to open the cave and against a cheating verifier trying to collect (offline) transferable evidence from Ali Baba. Non-transferability was introduced in [6,16]. We distinguish here offline evidence (proofs which could be shown at a trial) from online evidence (proofs involving some action by the judge during the protocol), because we do not assume the Caliph to be willing to participate in an online attack. Although weaker than online non-transferability, offline non-transferability is implied by regular zero-knowledge. More precisely, it is implied by deniable zero-knowledge [22]. The advantage is that it can be achieved without deploying a PKI for verifiers. Although our framework could accommodate any type of standard signature, we focus on RSA signatures, which require the GQ protocol. (Signatures based on ElGamal would require the Schnorr protocol [24,25] instead.)

Deniability is a fragile notion. Indeed, we often prove deniability in zero-knowledge protocols by the ability to simulate the transcript by rewinding the verifier. This implicitly assumes that any computing device can be rewound. In practice, there are many hardware systems which are assumed not to be rewindable. Namely, tamper-proof devices are not rewindable. This implies that we could lose deniability by implementing the verifier in such a device, as shown by Mateus and Vaudenay [18,19]. We conclude this paper by telling how Ali Baba was caught in this way.

Related notions. Several notions similar to ONTAP exist, but none of them fully matches our needs. Nontransitive signatures [10,21] and deniable authentication [11] only involve two participants (which would imply that Ali Baba must know the authority’s secret key, which does not fit our application). Invisible signatures (a.k.a. undeniable signatures) [8] also involve two participants and do not always accommodate non-transferability properties, which is one of our main requirements. Designated confirmer signatures [7] involve three participants. These extend invisible signatures by protecting the verifier from signers unwilling to participate in the protocol. A typical protocol would be some unreliable signer delegating to a trusted confirmer the participation in the proof protocol. In our scenario, the signer (Scheherazade) is trusted but the confirmer (Ali Baba) may not be. Universal designated-verifier signatures (UDVS) [27] involve three participants as well, but rely on a PKI for verifiers. In our scenario, we do not want to deploy a new PKI for the cave. A weaker notion is the universal designated verifier signature proof (UDVSP) [2]. The difference with our scenario is that the verifier in the protocol is assumed to be honest. There are also stronger notions such as credential ownership proofs (COP) [26], but they are more involved than our solution and do not always fit standard signatures.

2 Log: Making ONTAP from Standard Signature Schemes

2.1 Zero-Knowledge Proof based on GQ

In the literature, there have been several definitions for Σ-protocols. (See [4,9].) For our purpose, we modify the definition slightly.

Definition 1. Let R be a relation which holds on pairs (x,w) in which x ∈ Dx is called an instance and w ∈ Dw is called a witness. Let κ be a function mapping x to a real number. A Σ-protocol for
Related papers
Fully Deniable Mutual Authentication Protocol Based on RSA Signature
Deniable authentication protocols allow a sender to authenticate a receiver, in a way that the receiver cannot convince a third party that such authentication (or any authentication) ever took place. In this study, we construct a fully deniable mutual authentication protocol based on RSA signature, and then a deniable authenticated key exchange protocol is constructed from the proposed protocol.
Efficient Deniable Authentication for Signatures, Application to Machine-Readable Travel Document
Releasing a classical digital signature faces privacy issues. Indeed, there are cases where the prover needs to authenticate some data without making it possible for any malicious verifier to transfer the proof to anyone else. It is for instance the case for e-passports where the signature from the national authority authenticates personal data. To solve this problem, we can prove knowledge ...
Deniable Authentication with RSA and Multicasting
A deniable authentication scheme using RSA is described and proven secure in the random oracle model. A countermeasure to a well-known attack on efficient deniable authentication to multiple recipients is described and proven secure.
Cryptanalysis of an Efficient Deniable Authentication Protocol Based on Generalized ElGamal Signature Scheme
In 1998, Dwork et al. first proposed deniable authentication protocols as an application of zero-knowledge. Thereafter, there was much research on deniable authentication schemes. In 2004, Shao pointed out that the previous schemes had a common weakness in which any third party can impersonate the intended receiver to verify the signature of the given message, and proposed a new...
A novel deniable authentication protocol using generalized ElGamal signature scheme
A deniable authentication protocol enables a receiver to identify the true source of a given message, but not to prove the identity of the sender to a third party. This property is very useful for providing secure negotiation over the Internet. Consequently, many interactive and non-interactive deniable authentication protocols have been proposed. However, the interactive manner makes deniable ...
ID-Based Deniable Ring Signature With Constant-Size Signature And Its Extention
The ring signature can guarantee the signer’s anonymity. Most proposed ring signature schemes have two problems: One is that the size of ring signature depends linearly on the ring size, and the other is that the signer can shift the blame to victims because of the anonymity. Some authors have studied the constant-size ring signature and deniable ring signature to solve these two problems. This...