We present two new approaches to the problem of deniable authentication. The novelty of our schemes is that they do not require the use of CCA-secure encryption (all previous known solutions did), thus showing a different generic approach to the problem of deniable authentication. These new approaches are practically relevant as they lead to more efficient protocols.
In the process we point out a subtle definitional issue for deniability. In particular we propose the notion of "forward deniability", which requires that the authentications remain deniable even if the Sender wants to later prove that she authenticated a message. We show that a simulation-based definition of deniability, where the simulation can be computationally indistinguishable from the real protocol does not imply forward deniability. Thus for deniability one needs to restrict the simulation to be perfect (or statistically close). Our new protocols satisfy this stricter requirement.
Category / Keywords: cryptographic protocols / Authentication, Deniability, Zero-Knowledge, Concurrency Publication Info: proceedings of ACM CCS 2005 Date: received 19 Feb 2005, last revised 31 May 2006 Contact author: diraimondo at dmi unict it Available format(s): PDF | BibTeX Citation Note: updated full version Version: 20060531:142114 (All versions of this report) Short URL: ia.cr/2005/046 Discussion forum: Show discussion | Start new discussion