Dwork-Naor ZAP and Its Application in Deniable Authentication, Revisited

Shaoquan Jiang
School of Computer Science and Engineering, University of Electronic Science and Technology of China
Email: [email protected]

Abstract. A zap is a two-round public coin witness indistinguishable proof system, where the first round is a random string from the verifier to the prover. This notion was proposed by Dwork and Naor. They constructed a zap for NP from any non-interactive zero-knowledge (NIZK) proof, and this zap has many applications in the literature. In this note, we start with a more explicit proof of their soundness through enumeration. Based on this proof viewpoint, we further show that if the NIZK used in their zap has adaptive soundness, then the zap soundness error can be reduced by a factor of 2^|x|, where |x| is the length of the NP-statement and is fixed before the protocol starts (but x itself can be chosen adaptively). Our improved bound is optimal in the sense that for any NP-language L, there exists a NIZK that asymptotically achieves this bound. Finally, we investigate their deniable authentication protocol from this zap. We show that this protocol in fact can be simplified without a zap.

1 Introduction

A zap is a two-round public coin witness-indistinguishable protocol, in which the first round message is a random string from the verifier to the prover. It was initiated by Dwork and Naor [4, 5], who constructed a zap based on any non-interactive zero-knowledge (NIZK) protocol. Dwork and Naor also showed that zaps can be used to construct adaptive non-interactive zero-knowledge protocols, where the prover can choose the theorem to prove after the common random string is fixed. Zaps are also used by them to construct verifiable pseudorandom generators, oblivious transfer, concurrent zero-knowledge and deniable authentication. The Dwork-Naor ZAP has had a very important impact on other research topics. Specifically, [2] used this protocol to construct efficient ring signatures; Barak et al. [1] used it to show the existence of a resettably-sound proof that is resettable witness indistinguishable; Pass [10] used it to prove the existence of a two-round interactive argument with certain properties.

1.1 Contribution

In this paper, we start with a more explicit proof for the soundness of the Dwork-Naor zap by enumerating bad randomness. Based on this proof viewpoint, we further show that if the NIZK in their zap has adaptive soundness, then the probability bound for the soundness error can be reduced by a factor of 2^|x|, where |x| is the length of the theorem to be proven. We show that the reduced bound is optimal in the sense that for any 0 < ϵ < 1, there exists a NIZK with adaptive soundness error ϵ such that the zap from it has a soundness error asymptotically achieving this bound. One might wish to use a NIZK with perfect soundness (i.e., ϵ = 0) in this protocol. However, we show that such a NIZK in the common random string model (as required in their zap) does not exist for a language outside BPP. We stress that this impossibility result does not contradict the existence of NIZK in the common reference string model in the literature: the random string model requires that the shared string is a uniformly random string, while a common reference string is not necessarily random. Finally, we investigate their application of zaps to deniable authentication. We find that their protocol can be significantly improved without a zap. A sender in our protocol only has a cost of one encryption, one timed commitment and one adaptively sound NIZK proof, while a receiver only has a cost of one decryption and one verification of an adaptively sound NIZK proof. Zhao [12] also considered an improvement on the Dwork-Naor authentication protocol. His main contribution is to remove the dependency of the first round message on the message to be authenticated. Compared with the original protocol, his protocol still needs two zaps, two encryptions and two timed commitments and hence is less efficient than ours.

Notations. For a set S, x ← S samples x from S uniformly at random; A ∘ B means A concatenated with B. We use negl : N → R to denote a negligible function: for any polynomial p(x), lim_{n→∞} negl(n)p(n) = 0. Algorithm A (e.g., encryption or commitment) with input m and randomness r is written as A(m; r). When r is unspecified, we simply write A(m). x ← A(m) denotes the random output of A with input m and unspecified randomness.

2 Definitions

A zap is a special two-round public coin witness-indistinguishable proof system and is formally defined as follows. The following definition follows [5].

Definition 1. A zap is a 2-round protocol for proving membership of x ∈ L, where L is an NP language. The first round message ρ is from the verifier to the prover and the second round message π is from the prover to the verifier, satisfying the following.
- Public Coins. ρ has a length of a fixed polynomial k(|x|), where |x| is fixed before the protocol starts but x itself can be chosen by the prover after receiving ρ. The verifier's final decision is deterministic in x, ρ and π.
- Completeness. Given ρ, x and its witness w, the prover, following the protocol, can generate a proof π that will always be accepted by the verifier. This is called perfect completeness and can be relaxed by allowing a negligible probability of failure.
- Soundness. Over the distribution of ρ, the probability of the existence of (x′, π) such that x′ ∉ L and that the verifier accepts (x′, ρ, π), is negligible.
- Indistinguishability. Let w and w′ be two witnesses for x ∈ L. Then, given ρ, the distribution of (ρ, x, π) when the prover has input (x, w) and the distribution of (ρ, x, π) when the prover has input (x, w′) are indistinguishable, even if the distinguisher is given w′ and w.

The following is the definition of a non-interactive zero-knowledge protocol in the common random string model, where the public string shared between the prover and the verifier is uniformly random. We follow [5]. This is the single-theorem version of NIZK and it suffices for our purpose in this work. One can consult [6] for the multi-theorem case. The common random string model is different from the common reference string model [7]. In particular, Groth [7] showed that NIZK with perfect soundness exists in the latter setting, while we show that it does not exist in the common random string model. In this paper, without special mention, by NIZK we always mean NIZK in the common random string model.

Definition 2. A pair of probabilistic polynomial time machines (P, V) with a common random string σ is a non-interactive zero-knowledge (NIZK) proof system for an NP-language L if the following holds.
- Completeness. For any x ∈ L with witness w, P, with input (x, w, σ), produces a proof π that will be accepted by V except with negligible probability, where the probability is over the choice of σ and the coins of P.
- Soundness. For any x ∉ L, the probability that there exists π ∈ {0,1}^* such that V accepts (σ, x, π) is negligible, where the probability is over the choice of σ.
- Zero-knowledge. For any x ∈ L with witness w, there exists a probabilistic polynomial time machine Sim (called the simulator) that takes x as input and produces (σ, π) such that (σ, π) is indistinguishable from that produced in the real execution between (P, V). Here the distinguisher is given (σ, π, x, w) and the probability is over the choice of σ and the coins of Sim and P.

For soundness, if we allow the instance x to be chosen after σ is fixed, the NIZK is said to have adaptive soundness. In other words, a NIZK is adaptively sound if, over the choice of σ, the probability of the existence of (π, x) with x ∉ L such that the verifier accepts (σ, x, π) is negligible.

Adaptive Zero Knowledge. Adaptive zero knowledge requires that the following two adversary views are indistinguishable, where A is any non-uniform probabilistic polynomial time adversary.
• Take common random string σ ← {0,1}^ℓ; (x, w) ← A(σ) s.t. w is a witness for x ∈ L; compute proof π from (x, w, σ). The adversary view is (σ, π, r), where r is the random tape of A.
• Simulator SIM simulates a common random string σ with a trapdoor τ; then, A(σ) outputs x; SIM simulates a proof π from x and trapdoor τ. The adversary view is (σ, π, r), where r is again the random tape of A.

Our adaptive zero knowledge definition follows Sahai [11] with a slight but equivalent change. In his definition, the adversary consists of two parts, A_1 and A_2, corresponding to A and the distinguisher in the above definition. He lets A_1 forward state information to A_2 (instead of the random tape r and σ in our definition). These two definitions are equivalent since τ is determined by (r, σ) and one can also define τ = (r, σ). We prefer this change since it seems more convenient for our security proof later.

The following is the definition of the language class BPP and can be found in almost every complexity book. It essentially means that a language can be decided by a probabilistic polynomial time machine with good probability.

Definition 3. A language L is in BPP if there exists a probabilistic polynomial time Turing machine D satisfying the following two conditions.
- For any x ∈ L, Pr[D(x) = "accept"] > 2/3;
- For any x ∉ L, Pr[D(x) = "accept"] < 1/3.

It is known that a NIZK proof system exists with some adaptive soundness error δ < 1. For arbitrarily small ϵ, one can use parallel repetitions of this NIZK to obtain a new proof which has a soundness error of no more than ϵ, where it should be noted that in each repetition the common random string σ_i must be taken independently. This is clear by a hybrid argument.

Fact 1. For any ϵ > 0, there exists a NIZK with adaptive soundness error ϵ.

However, we show that a perfectly sound NIZK for a non-trivial language does not exist, where the soundness of this NIZK may or may not be adaptive.

Lemma 1. If there exists a NIZK proof system in the common random string model with (adaptive) perfect soundness for a language L, then L ∈ BPP.

Proof. It suffices to consider the non-adaptive case only. Assume ⟨P, V⟩ is a NIZK proof system for L. Then, for any x ∈ L, there exists a simulator SIM outputting a string (x, σ, π) that is indistinguishable from the real transcript (note the definition allows the distinguisher to get the witness of x, and the indistinguishability of course also holds when the witness is not given). Now a decider D for L is as follows. Upon input x, D runs SIM to obtain (x, σ, π). It accepts if (x, σ, π) is accepted by the algorithm V; it rejects otherwise. If x ∈ L, by the zero knowledge property, algorithm V will reject the simulated (x, σ, π) with probability at most ϵ_c + negl(n), where ϵ_c is the completeness error probability and is negligible. If x ∉ L, then V will reject; otherwise, a cheating prover P* with positive soundness error can be designed as follows. Given x and common random string σ, P* runs SIM(x) to generate a transcript (x, σ′, π′) and sends (x, σ, π′) to V. If σ = σ′, then by assumption, V will accept with probability ϵ > 0. Since SIM(x) is independent of σ, Pr[σ = σ′] = 2^{−|σ|}. Hence, P* convinces V for x ∉ L with probability ϵ · 2^{−|σ|} > 0, contradicting the perfect soundness of NIZK. Hence, when x ∉ L, D always rejects x. □

Remark. In this paper, NIZK is defined in the common random string model, instead of the common reference string model. In the latter case, the proof in the

above lemma does not work since it is possible that Pr[σ = σ′] = 0, i.e., SIM never generates a valid reference string. Hence, (x, σ, π′) sent by P* for x ∉ L could never be accepted, so we cannot reach a contradiction to the perfect soundness of NIZK. In fact, Groth [7] constructed a NIZK with perfect soundness in the common reference string model.

Timed Commitment. A timed commitment is essentially a special commitment whose security holds only within a fixed period of time; beyond that, one might be able to open it with a moderate amount of work. Boneh and Naor [3] proposed this notion and provided an efficient construction. Formally, a (T, t, ϵ)-timed commitment consists of three phases, where S is the committer and R is the receiver.

Commit phase: To commit to a string w ∈ {0,1}^n, S and R execute a protocol and the final output of R is a commitment α for w.

Open phase: In the open phase, S sends the string w to R. They then execute a protocol, at the end of which R obtains a proof that w is the committed value.

Forced open phase: If S refuses to execute the open phase, there exists an algorithm F-Open that takes α and outputs w, where w is the value committed in α. The runtime of F-Open is bounded by T.

Definition 4. A timed commitment is secure with parameters (T, t, ϵ) if it satisfies:

Completeness: When R accepts in the commit phase, then α is a commitment for some w ∈ {0,1}^n and F-Open(α) will result in the same w.

Binding: In the open phase, S cannot convince R that α is a commitment of w′ ≠ w. This holds even if S has infinite power.

Soundness: In the forced open phase, F-Open(α) outputs w in time T.

Privacy: For any adversary A of time t < T, the following holds:

|Pr[A(tr, w) = 1] − Pr[A(tr, w′) = 1]| ≤ ϵ,   (1)

where the probability is over the coins of S and R in the commit phase and tr is the transcript of that phase.

Deniable Authentication. Deniable authentication essentially means that one can authentically send a message to a receiver while, on the other hand, he can later deny the fact of the communication. Public-key deniable authentication considers the setting where the sender has a public key and private key pair while the receiver does not have a secret key. Following the formulation in [5] (seemingly weaker than [8]), it should satisfy the following.

Completeness. For any message m, if both a sender S and a receiver R follow the protocol specification without an attacker involved, then R accepts.

Soundness. It is unforgeable against a concurrent chosen-message attack: an adversary A plays the role of a receiver and adaptively and concurrently schedules S to authenticate a sequence of messages m_1, m_2, .... A is successful if he can authenticate a new message m ≠ m_i to a receiver R. Soundness requires that any probabilistic polynomial time adversary A can succeed with at most negligible probability.

Deniability. This property essentially means that the sender's action can be simulated without his private key. More formally, for any adversarial receiver A, there exists a simulator that, given the public key, simulates an authentication transcript that is indistinguishable from the real one.

3 Dwork-Naor ZAP from NIZK

In this section, we review the Dwork-Naor NIZK-based ZAP. Let x ∈ L be an NP-statement to be proved to the verifier. |x| is fixed before the protocol starts but x can be chosen adaptively by the prover. Let w be the witness of x. Use π ← D(x, w, σ) to denote the distribution of the NIZK proof with input x, auxiliary input w and common random string σ. Assume σ has a length ℓ = ℓ(n, |x|), where n is a security parameter. The ZAP protocol is as follows.

First Round (P ←− V): Verifier V takes B_i ← {0,1}^ℓ, i = 1, ..., m, and sends them to P.

Second Round (P −→ V): Prover P takes C ← {0,1}^ℓ and computes σ_j = B_j ⊕ C (i.e., bit-wise exclusive-OR). Then, he computes π_j ← D(x, w, σ_j) for j = 1, ..., m and sends x, C, {π_j}_{j=1}^m to V.

Final Check (V): For j = 1, ..., m, V computes σ_j = B_j ⊕ C and checks whether (π_j, x, σ_j) is accepted by the NIZK verifier. If all are valid, accept the zap; otherwise, reject.

4 Soundness

In [5], the above protocol is proven to be sound and witness-indistinguishable and hence it is a secure zap. We show that if the NIZK used here has adaptive soundness, then their soundness error bound can be significantly improved. Toward this, we first provide a more explicit proof of their original soundness (i.e., when the NIZK is not necessarily adaptively sound). Our new proof uses the enumeration of bad common random strings for the NIZK instances and seems clearer to verify and follow than the original one, which studied probabilistic independence between different NIZK instances. Based on our proof viewpoint, we improve the soundness bound for the adaptively sound NIZK case by a factor of 2^|x|. We also show that this improved bound is optimal.

Theorem 1. If the NIZK has a soundness error ϵ, then the Dwork-Naor zap has a soundness error of 2^{ℓ+|x|} ϵ^m.

Proof. The NIZK has a soundness error ϵ. Let A_x be the set of common random strings σ in the NIZK such that there exists π such that (σ, x, π) convinces V. Then, |A_x| · 2^{−ℓ} ≤ ϵ, since σ has a uniform distribution over {0,1}^ℓ. Use C_ρ to denote the C taken by the prover of the zap when the first message is ρ = B_1 ··· B_m.

In the zap, the verifier accepts if and only if all π_j are consistent. Hence, to construct a consistent proof for some x ∉ L with x ∈ {0,1}^|x| (a prover can choose this 'some x' after receiving ρ), it must hold that B_j ⊕ C_ρ ∈ A_x for all j. We now count the number of such ρ (called bad ρ). Fix x first. For fixed B_1, there are |A_x| possible choices for C such that B_1 ⊕ C ∈ A_x. For each such fixed C and i > 1, there are |A_x| possible B_i such that B_i ⊕ C ∈ A_x. So in total there are at most 2^ℓ · |A_x| · |A_x|^{m−1} = 2^ℓ · |A_x|^m possible choices of bad ρ for fixed x. Hence, the soundness error can occur for this x with probability bounded by

$$2^{-m\ell}\sum_{\text{bad } \rho} 1 \le 2^{-m\ell} \cdot 2^{\ell} \cdot |A_x|^m \le 2^{\ell}\cdot\epsilon^m.$$

There are in total 2^|x| choices of x. The soundness error for the zap is thus bounded by 2^{ℓ+|x|} ϵ^m. □

In the above proof, we saw that the adaptive soundness of the zap is obtained by adding together the soundness error of every x ∉ L. Conceivably, if the NIZK has adaptive soundness, this addition is not necessary since it is already handled by the adaptive soundness of the NIZK. In the following, we carefully implement this intuition and show that the factor 2^|x| can be dropped.

Theorem 2. If the NIZK has an adaptive soundness error ϵ, then the Dwork-Naor zap has a soundness error of at most 2^ℓ ϵ^m. This bound is optimal in the sense that there exists a NIZK with soundness error ϵ such that the zap has a soundness error of at least 2^ℓ ϵ^m − o(2^ℓ ϵ^m). In addition, if 2^ℓ ϵ^m < 1, there must exist a ρ* = B_1^* ··· B_m^* ∈ {0,1}^{mℓ} for the first round message such that the zap has perfect soundness.

Proof. For σ ∈ {0,1}^ℓ, let S_σ be the set of x ∉ L such that, when the common random string in the NIZK is σ, ∃π s.t. (x, σ, π) convinces the verifier. Let A = {σ | S_σ ≠ ∅}. Therefore, when σ ∉ A, the soundness error will never occur; when σ ∈ A, a cheating prover can search for x ∉ L and a proof π such that (σ, x, π) convinces the verifier. Hence, the adaptive soundness error of the NIZK is |A| · 2^{−ℓ}. Now we consider the soundness of the zap. When the first message is B_1, ..., B_m and the prover takes C, there exist x′ ∉ L and (π_1, ..., π_m) that convince the verifier only if S_{B_1⊕C} ∩ ··· ∩ S_{B_m⊕C} ≠ ∅ (to guarantee all proofs use a common 'bad' x). Therefore, the soundness error of the zap is

$$
\begin{aligned}
&\left|\{(B_1,\dots,B_m) \mid \exists C \text{ s.t. } \textstyle\bigcap_{i=1}^m S_{B_i\oplus C} \ne \emptyset\}\right| \cdot 2^{-m\ell}\\
&\le \left|\{(B_1,\dots,B_m) \mid \exists C \text{ s.t. } S_{B_i\oplus C} \ne \emptyset,\ i=1,\dots,m\}\right| \cdot 2^{-m\ell}\\
&= \left|\{(B_1,\dots,B_m) \mid \exists C \text{ s.t. } B_i\oplus C \in A,\ i=1,\dots,m\}\right| \cdot 2^{-m\ell}\\
&\le 2^{\ell}\cdot |A|^m \cdot 2^{-m\ell} \le 2^{\ell}\cdot \epsilon^m.
\end{aligned}
$$

This completes the proof of the bound. To construct a protocol approximately achieving this bound, we first construct a NIZK Γ_1 for L from a known NIZK Γ_2, where the latter has a small (to be specified later) exact soundness error ϵ_2. Let ϵ = ϵ_2 + N/2^ℓ + δ′/2^ℓ for some N ∈ N and 0 ≤ δ′ < 1. Γ_1 only modifies the verifier as follows. When the common random string σ, read as an integer, satisfies σ < N, the verifier directly accepts; otherwise, it proceeds as in Γ_2 normally. As before, define S′_σ in Γ_2 to be the set of x ∉ L that have a convincing proof. In Γ_1, we have that S_σ = {0,1}^|x| \ L for σ < N and S_σ = S′_σ for σ ≥ N. Hence, as long as L ∩ {0,1}^|x| ≠ {0,1}^|x|, Γ_1 has an exact soundness error ϵ_1 = N/2^ℓ + δ for some δ ≤ ϵ_2. Hence, ϵ_1 ≤ ϵ. Applying Γ_1 in the zap, we have

$$
\begin{aligned}
&\left|\{(B_1,\dots,B_m) \mid \exists C \text{ s.t. } \textstyle\bigcap_{i=1}^m S_{B_i\oplus C} \ne \emptyset\}\right| \cdot 2^{-m\ell}\\
&\ge \left|\{(B_1,\dots,B_m) \mid \exists C \text{ s.t. } B_i\oplus C < N,\ i=1,\dots,m\}\right| \cdot 2^{-m\ell}\\
&= 2^{\ell}\cdot N^m \cdot 2^{-m\ell} = 2^{\ell}(\epsilon-\epsilon_2^*)^m, \quad \text{where } \epsilon_2^* = \epsilon_2 + \delta'/2^{\ell}\\
&\ge 2^{\ell}\epsilon^m - 2^{\ell}\, m\,\epsilon^{m-1}\epsilon_2^*, \quad \text{since } \binom{m}{i}\epsilon^{m-i}(\epsilon_2^*)^i \ge \binom{m}{i+1}\epsilon^{m-i-1}(\epsilon_2^*)^{i+1} \text{ for all } i \text{ if } \epsilon \ge m\epsilon_2^*,
\end{aligned}
$$

which is 2^ℓ ϵ^m − o(2^ℓ ϵ^m) as long as ϵ_2 = o(ϵ), which can be satisfied since a NIZK with arbitrarily small soundness error exists by Fact 1.

The soundness error of the zap is the number of bad tuples (B_1, ..., B_m) (i.e., tuples for which a cheating prover can find x ∉ L with a consistent proof π), divided by 2^{mℓ}. The soundness error is bounded by 2^ℓ ϵ^m. So if 2^ℓ ϵ^m < 1, there must exist (B_1^*, ..., B_m^*) such that for all x there is no soundness error. That is, it admits perfect soundness. □

Note that in the above proof, we construct Γ_1 from Γ_2 with small soundness error ϵ_2. As seen in Lemma 1, we cannot hope to construct Γ_1 using a perfectly sound Γ_2, since a perfectly sound NIZK does not exist for L outside BPP.
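The counting argument behind Theorems 1 and 2 can be checked exhaustively at toy size. The following Python script is an added example, not code from the paper: it builds the Γ_1-style NIZK verifier from the proof of Theorem 2 (common random strings below N accept unconditionally; the toy "proof" π is the statement itself, so it is not zero-knowledge and only models soundness), computes S_σ and A by enumeration, counts the bad first-round messages ρ = (B_1, ..., B_m) for which some C gives a common bad x in every S_{B_i⊕C}, and compares the resulting fraction with 2^ℓ ϵ^m. The values of ℓ, m, |x|, L and N are constructed toy parameters.

```python
from itertools import product

# Constructed toy parameters (the paper's are security-parameter sized; these are
# tiny so that exhaustive enumeration over all rho and C is feasible).
ELL = 4            # length ell of each NIZK common random string sigma
M = 3              # number m of NIZK instances inside one zap
XLEN = 3           # |x|, fixed before the protocol starts
L = {0, 2, 4, 6}   # toy language: even 3-bit statements
N = 2              # Gamma_1 parameter: sigma < N makes the verifier accept


def toy_nizk_verify(sigma, x, pi):
    """Gamma_1-style NIZK verifier (Theorem 2 proof): strings below N accept
    unconditionally; otherwise the toy proof must equal a statement in L.
    Assumption: this toy has no zero-knowledge, it only models soundness."""
    if sigma < N:
        return True
    return x in L and pi == x


def zap_verify(rho, x, C, pis):
    """Dwork-Naor final check: sigma_j = B_j xor C, every (pi_j, x, sigma_j) must pass."""
    return all(toy_nizk_verify(B ^ C, x, pi) for B, pi in zip(rho, pis))


def bad_statements(sigma):
    """S_sigma: statements x not in L that have some accepting proof under sigma."""
    return {x for x in range(2 ** XLEN)
            if x not in L
            and any(toy_nizk_verify(sigma, x, pi) for pi in range(2 ** XLEN))}


def bad_statement_table():
    """S_sigma for every sigma in {0,1}^ell."""
    return {s: bad_statements(s) for s in range(2 ** ELL)}


def adaptive_soundness_error():
    """|A| * 2^-ell with A = {sigma : S_sigma nonempty}, as in the proof."""
    A = {s for s, S in bad_statement_table().items() if S}
    return len(A) / 2 ** ELL


def find_cheat(rho, S=None):
    """Return (C, x) letting a cheating prover finish the zap on first message rho,
    i.e. x lies in every S_{B_i xor C}; None if rho is perfectly sound."""
    S = S if S is not None else bad_statement_table()
    for C in range(2 ** ELL):
        common = set.intersection(*(S[B ^ C] for B in rho))
        if common:
            return C, min(common)
    return None


def count_bad_rho():
    """Enumerate all rho = (B_1..B_m); return (bad count, total, first sound rho)."""
    S = bad_statement_table()
    bad, total, sound_rho = 0, 0, None
    for rho in product(range(2 ** ELL), repeat=M):
        total += 1
        if find_cheat(rho, S) is not None:
            bad += 1
        elif sound_rho is None:
            sound_rho = rho
    return bad, total, sound_rho


def theorem2_bound(eps):
    """2^ell * eps^m, the zap soundness bound for an adaptively sound NIZK."""
    return 2 ** ELL * eps ** M


if __name__ == "__main__":
    eps = adaptive_soundness_error()
    bad, total, sound = count_bad_rho()
    print(f"NIZK adaptive soundness error eps = {eps}")
    print(f"zap bad-rho fraction = {bad}/{total} = {bad / total}")
    print(f"Theorem 2 bound 2^ell * eps^m = {theorem2_bound(eps)}")
    print(f"a first-round message with perfect soundness: {sound}")
    C, x = find_cheat((0, 0, 1))
    print(f"rho=(0,0,1) is bad: C={C}, x={x} not in L, zap accepts:",
          zap_verify((0, 0, 1), x, C, (x,) * M))
```

Because two different C can map the same A^m tuple onto the same ρ, the enumerated bad fraction sits strictly below 2^ℓ ϵ^m here, consistent with the "at most" in the proof of Theorem 1.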

5 Improving Dwork-Naor's ZAP-based Timed Deniable Authentication

Based on ZAP, Dwork and Naor present a timed deniable authentication protocol. Their idea is to let a receiver encrypt a random number r together with a message m, compute two timed commitments on two random numbers ρ_1, ρ_2 and attach a zap proving that one of the two timed commitments is valid. The sender replies with an encryption η of r and an encryption δ of a random number s, together with a zap proving that either η is an encryption of r or δ is an encryption of s = ρ_1 or ρ_2. Authentication is guaranteed since normally the sender does not know ρ_1, ρ_2 and has to compute η by first decrypting r. This protocol invokes each of CCA2 encryption, timed commitment and zap proof twice and hence is not efficient. In the following, we show that this protocol can be naturally improved using only one encryption, one timed commitment and one adaptively sound NIZK. Our construction does not require the common reference string for the NIZK to be random. It is very simple and intuitive.

Let E be a public key of an encryption scheme with private key D and ρ be a common random string for a non-interactive zero knowledge protocol P. (E, ρ) is set as the public key. T is a timed commitment scheme. Let m be the message that the sender S wishes to authenticate to the receiver R. Our idea is to let R encrypt a random number r together with m, compute a timed commitment of r and generate a NIZK proof that the encryption and commitment are done properly. The sender S will reply with r decrypted using his private key. R will accept r only if it is received within a reasonable period of time ϕ_1 (e.g., 1 minute) from his sending out the previous message. Intuitively, authentication is guaranteed since no one can decrypt the ciphertext without the private key or decommit r in time ϕ_1 (T will have this assumption); the protocol is also deniable since anyone can obtain r using forced decommitment in some moderately longer time T (e.g., 1 day). The decryption and decommitment are consistent by the soundness of the NIZK. This protocol is formally described as follows, and we denote it by t-Auth.

– R takes r ← {0,1}^ℓ and s_1, s_2 ← {0,1}^*. He computes α = E(m ∘ r; s_1) and β = T(r; s_2) and uses ρ as the common random string to compute a non-interactive zero-knowledge proof π = P(ρ, m, α, β; r, s_1, s_2) that α and β have the said format. R sends (α, β, m, π) to S.
– Receiving (α, β, m, π), S computes m′ ∘ r′ = D(α), and checks if m′ = m and π is valid. If yes, he sends r′ to R. Otherwise, he rejects.
– Receiving r′, R checks if it arrived in a timely fashion (see below) and if r′ = r. If yes, accept; reject otherwise.

Time Constraint. S's second round message r′ must arrive at R within time ϕ_1 from the time the latter sends out the first round message to S. Let ϕ_2 be the upper bound on the time to compute α and π. ϕ_1 is defined such that ϕ_1 + ϕ_2 < t, where t is the time bound below which the timed commitment is secure.

Remark. Although a time constraint is used in the protocol (in the same way as in the Dwork-Naor protocol), this time constraint only requires the sender to send back r as soon as possible (i.e., within time ϕ_1). Hence, it does not artificially cause a communication delay. But we have to set ϕ_1 properly. If it is too small, a normal network delay might unexpectedly cause the receiver to reject.
In the following, we show that the t-Auth protocol is a deniable authentication protocol.

Theorem 3. Suppose P is an adaptive non-interactive zero-knowledge proof with negligible soundness error and perfect completeness, (E, D) is a CCA2 secure public key encryption and T is a secure timed commitment (as in Definition 4). Then, t-Auth is a deniable authentication protocol.

Proof. Completeness. When S and R follow the protocol without an attacker, S will accept R's first round message, due to the perfect completeness of the NIZK. In addition, r′ produced by S equals r taken by R, due to the completeness of (E, D). The completeness of t-Auth follows.

Soundness. We need to show that any probabilistic polynomial time adversary A, after interacting with the sender S to receive authenticated messages m_1, m_2, ..., cannot authenticate a new message m ≠ m_i to a receiver R. A can concurrently schedule the message events to both S and R. We use the sequence-of-games strategy. Denote the success of A in authenticating such an m by Succ and assume it has probability p_s. Denote the real game with A by Γ_0. We modify Γ_0 to Γ_1 with the only change: ρ is simulated and π* in the session of receiving m by R is simulated too (using a trapdoor τ of ρ). By reducing to the adaptive zero knowledge property of the NIZK, we have that Pr[Succ(A, Γ_1)] > p_s − ϵ_4 (since the adversary views in Γ_1 and Γ_0 have a gap of at most ϵ_4 and Succ is implied by the adversary view), where ϵ_4 is the distinguishing gap for the simulated zero knowledge proof. Then, we modify Γ_1 to Γ_2 with the only change: in the session to receive m, R generates α = E(m ∘ r′) for r′ ← {0,1}^ℓ (instead of the r committed in β). By reducing to the CCA2 security of E, we will show that Pr[Succ(A, Γ_2)] ≥ p_s − ϵ_4 − ϵ_3, where ϵ_3 is the advantage in breaking E (note that for simplicity we do not mention the attack time, but it can be easily calculated from the reduction below). Given E, an attacker D generates ρ together with its trapdoor τ and then simulates S and R normally, except that (1) when R (simulated by D) is asked to receive an 'authenticated' m which S never sent, he computes r_0, r_1 ← {0,1}^ℓ and uses (m ∘ r_0, m ∘ r_1) as his plaintext challenge pair. He will receive α* = E(m ∘ r_b) for some b ← {0,1}. He then computes β* = T(r_0) and simulates π* using τ. (2) Whenever S (simulated by D) is authenticating m_i and needs to decrypt α using D, D asks his decryption oracle to compute it unless α = α*. In that case, he directly rejects (this decision is correct as by assumption S never authenticates the m encrypted in α*). Finally, when A replies r* = r_{b′} in the session of authenticating m, D outputs b′ directly; otherwise, D outputs b′ = 1. Note that when b = 0, the simulated game is Γ_1; when b = 1, the simulated game is Γ_2. Hence,

ϵ_3 ≥ |Pr[D(E(m ∘ r_0)) = 0] − Pr[D(E(m ∘ r_1)) = 0]| = |Pr[Succ*(A, Γ_1)] − Pr[Succ*(A, Γ_2)]|,

where Pr[Succ*(A, Γ)] is the probability that A successfully outputs the r_0 committed in β*. Note that in Γ_1, the r encoded in β* and α* is identical (it is r_0 in the reduction). Therefore, Succ(A, Γ_1) = Succ*(A, Γ_1). Next, we show that Pr[Succ*(A, Γ_2)] ≤ ϵ_2, where ϵ_2 is the success probability of an adversary of time t in breaking T (see Definition 4). This is done by reducing to the privacy of T. To see this, notice that the time for R to receive the second round message r* = r_0 must be within ϕ_1 from the time of R's sending the first round message, and that the time to prepare α* and π* is at most ϕ_2, where ϕ_1 + ϕ_2 < t. Hence, we have that p_s − ϵ_4 − ϵ_3 ≤ ϵ_2. That is, p_s ≤ ϵ_4 + ϵ_3 + ϵ_2.

Deniability. In order to prove that the protocol is deniable, we need to construct a simulator SIM that simulates the protocol execution with A without using D, such that the view of A is indistinguishable from that in the real world. Initially, SIM and A receive (E, ρ). Then, to authenticate any message m, SIM simulates S with A as follows.

⋆ When S receives (α, β, π), it verifies whether π is consistent with (m, α, β). If not, reject; otherwise, he pauses A and computes the r in β using F-Open, after which he resumes A and sends out r.

Reviewing the above simulation, the view of A in the simulation differs from the real execution only when (α, β) is not consistent with m, r but π verifies successfully. However, this occurs only if the soundness of the NIZK is broken, which has a probability of at most ϵ_2. □

Remark. Our protocol requires that an adversary should not be able to construct (α, β) with an inconsistent r. This is guaranteed by the adaptive soundness of the NIZK. A careful reader might notice that in our authentication proof, Γ_2 computes (α*, β*) with an inconsistent r but a simulated proof π* in the challenge session. This requires that, given such information, an adversary should not be able to construct an (α, β) with an inconsistent r but a consistent proof. It seems that only a one-time simulation-sound NIZK [9] can guarantee this. However, in our protocol, such a strong condition is not used. We only use a NIZK with adaptive soundness. The idea is that the real game (and Γ_1) does not allow an adversary to construct such a consistent proof of a false statement, simply due to the soundness of the NIZK. Γ_2 and Γ_1 have a negligible gap on such events, due to a reduction to the CCA2 security of (E, D).

Acknowledgements. This work is supported by the National Science Foundation of China (No. 60973161) and UESTC Young Faculty Plans.

References

1. Boaz Barak, Oded Goldreich, Shafi Goldwasser, Yehuda Lindell: Resettably-Sound Zero-Knowledge and its Applications. In Proceedings of the 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, 14-17 October 2001, Las Vegas, Nevada, USA. IEEE Computer Society, pages 116-125, 2001.
2. Adam Bender, Jonathan Katz and Ruggero Morselli: Ring Signatures: Stronger Definitions, and Constructions without Random Oracles. J. Cryptology 22(1): 114-138 (2009).
3. Dan Boneh and Moni Naor: Timed Commitments and Applications. Advances in Cryptology - CRYPTO 2000, Mihir Bellare (Ed.), LNCS 1880, Springer-Verlag, pages 236-254, 2000.
4. Cynthia Dwork and Moni Naor: Zaps and Their Applications. In Proceedings of the 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, 12-14 November 2000, Redondo Beach, California, USA. IEEE Computer Society, pages 283-293, 2000.
5. Cynthia Dwork and Moni Naor: Zaps and Their Applications. SIAM Journal on Computing 36(6), pages 1513-1543, 2007.
6. Oded Goldreich: Foundations of Cryptography: Basic Tools. Cambridge University Press, 2001.
7. Jens Groth: Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures. Advances in Cryptology - ASIACRYPT 2006, Xuejia Lai, Kefei Chen (Eds.), LNCS 4284, Springer-Verlag, pages 444-459, 2006.
8. Shaoquan Jiang: Deniable Authentication on the Internet. Information Security and Cryptology, the Third SKLOIS Conference, INSCRYPT 2007, Dingyi Pei, Moti Yung, Dongdai Lin, Chuankun Wu (Eds.), LNCS 4990, Springer-Verlag, pages 298-312, 2008.
9. Y. Lindell: A Simpler Construction of CCA2-Secure Public-Key Encryption Under General Assumptions. Journal of Cryptology, 19(3):359-377, 2006.
10. Rafael Pass: Simulation in Quasi-Polynomial Time, and Its Application to Protocol Composition. Advances in Cryptology - EUROCRYPT 2003, Eli Biham (Ed.), LNCS 2656, Springer-Verlag, pages 160-176, 2003.
11. Amit Sahai: Non-malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security. In Proceedings of the 40th Annual Symposium on Foundations of Computer Science, FOCS'99, 17-18 October 1999, New York, NY, USA. IEEE Computer Society, pages 243-353, 1999.
12. Yunlei Zhao: A note on the Dwork-Naor timed deniable authentication. Information Processing Letters, 100(2006), pages 1-7, 2006.
