Non-interactive Deniable Ring Authentication

Abstract

In this paper, we propose a new primitive called non interactive deniable ring authentication: it is possible to convince a verifier that a member of an ad hoc collection of participants is authenticating a message m without revealing which one and the verifier V cannot convince any third party that the message m was indeed authenticated in a non-interactive way. Unlike the deniable ring authentication proposed in [19], we require this primitive to be non-interactive. Having this restriction, the primitive can be used in practice without having to use the anonymous routing channel (eg. MIX-nets) introduced in [19]. In this paper, we provide the formal definition of non-interactive deniable ring authentication schemes together with a generic construction of such schemes from any ring signature schemes. The generic construction can be used to convert any existing ring signature schemes, for example [20, 1], to non-interactive deniable ring authentication schemes. We also present an extension of this idea to allow a non-interactive deniable ring to threshold ring authentication. In this scenario, the signature can convince a group of verifiers, but the verifiers cannot convince any other third party about this fact, because any collusion of t verifiers can always generate a valid message-signature pair. We also present a generic construction of this scheme. A special case of this scenario is a deniable ring-to-ring authentication scheme, where the collaboration of all verifiers is required to generate a valid message-signature pair. © Springer-Verlag 2004.