Multi-Designated Receiver Signed Public Key Encryption

Maurer, Ueli; Portmann, Christopher; Rito, Guilherme

doi:10.1007/978-3-031-07085-3_22

Cited by 4 publications

(28 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…MDRS-PKE schemes. When translating desirable properties of such group messaging protocols into suitable cryptographic primitives (with associated properties), we end up with "Multi-Designated Receiver Signed Public Key Encryption" (MDRS-PKE, [17]). Informally, these protocols function like signed versions of broadcast encryption schemes with additional integrity properties (that guarantee, e.g., that all receivers receive the same message).…”

mentioning

confidence: 99%

“…Fortunately, [17] show how to construct MDRS-PKE schemes from a combination of suitable variants of signature and broadcast encryption schemes. Specifically, they require the following:…”

mentioning

confidence: 99%

“…State-of-the-art MDVS constructions [6] exist from algebraic assumptions (like the combination of Diffie-Hellman and Paillier-like assumptions), and also from generic primitives (like the combination of noninteractive key exchange (NIKE), non-interactive zero-knowledge (NIZK), and a few other standard primitives). -A type of broadcast encryption scheme called "Public-Key Encryption for Broadcast" (PKEBC [17]) that essentially has all the properties of an MDRS-PKE scheme except for authenticity. PKEBC schemes can be instantiated from a combination of public-key encryption, NIZKs, and commitments.…”

mentioning

confidence: 99%

“…In summary, we do have tools that give meaningful security and privacy guarantees for group messaging even in face of corruptions. The current state of the art [6,17] leaves a few questions unanswered, however:…”

mentioning

confidence: 99%

“…Limited deniability guarantees. The deniability (technically: OTR) guarantees given by the combination of [6,17] are limited to the case where the secret keys of honest senders remain secret. In particular, simulated ciphertexts are only proven to look plausible when the corresponding sender key is unknown.…”

mentioning

confidence: 99%

See 4 more Smart Citations

Deniable Authentication When Signing Keys Leak

Chakraborty

Hofheinz

Maurer

et al. 2023

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Deniable Authentication is a highly desirable property for secure messaging protocols: it allows a sender Alice to authentically transmit messages to a designated receiver Bob in such a way that only Bob gets convinced that Alice indeed sent these messages. In particular, it guarantees that even if Bob tries to convince a (non-designated) party Judy that Alice sent some message, and even if Bob gives Judy his own secret key, Judy will not be convinced: as far as Judy knows, Bob could be making it all up! In this paper we study Deniable Authentication in the setting where Judy can additionally obtain Alice's secret key. Informally, we want that knowledge of Alice's secret key does not help Judy in learning whether Alice sent any messages, even if Bob does not have Alice's secret key and even if Bob cooperates with Judy by giving her his own secret key. This stronger flavor of Deniable Authentication was not considered before and is particularly relevant for Off-The-Record Group Messaging as it gives users stronger deniability guarantees. Our main contribution is a scalable "MDRS-PKE" (Multi-Designated Receiver Signed Public Key Encryption) scheme-a technical formalization of Deniable Authentication that is particularly useful for secure messaging for its confidentiality guarantees-that provides this stronger deniability guarantee. At its core lie new MDVS (Multi-Designated Verifier Signature) and PKEBC (Public Key Encryption for Broadcast) scheme constructions: our MDVS is not only secure with respect to the new deniability notions, but it is also the first to be tightly secure under standard assumptions; our PKEBC-which is also of independent interest-is the first with ciphertext sizes and encryption and decryption times that grow only linearly in the number of receivers. This is a significant improvement upon the construction given by Maurer et al. (EUROCRYPT '22), where ciphertext sizes and encryption and decryption times are quadratic in the number of receivers.Motivation. More than 3 billion people currently use messaging apps. 3 Naturally, there is a demand for secure messaging which guarantees, e.g., the secrecy ⋆ All of the work was done while author was at ETH Zurich.

show abstract

mentioning

confidence: 99%

“…Fortunately, [17] show how to construct MDRS-PKE schemes from a combination of suitable variants of signature and broadcast encryption schemes. Specifically, they require the following:…”

mentioning

confidence: 99%

mentioning

confidence: 99%

mentioning

confidence: 99%

mentioning

confidence: 99%

See 3 more Smart Citations