Yale University Department of Computer Science Deniable Anonymous Group Authentication

In some situations, users need to authenticate as distinct members of some welldefined group, without revealing their individual identities: to validate and corroborate a leak, for example, or to count participants in a closed anonymous forum. Current group authentication techniques offering this capability, however, may de-anonymize users if an attacker later compromises their private keys. Addressing this under-explored risk, we present deniable anonymous group authentication (DAGA), the first anonymous authentication protocol offering proportionality, forward anonymity, and deniability in combination. To offer these properties, DAGA leverages a federation of collectively (but not individually) trusted servers. These servers collectively generate tags during authentication, which ensure client distinctness and proportionality, while cryptographically scrubbing information that could later de-anonymize clients. After an authentication round, clients and (honest) servers securely erase their ephemeral secrets, protecting clients from later de-anonymization even if an attacker eventually compromises all long-term client and server keys. A proof-of-concept prototype validates DAGA’s practicality, authenticating a client into a 32-member group in one second, or into a 2048-member group in two minutes.