Fully Bideniable Interactive Encryption

While standard encryption guarantees secrecy of the encrypted plaintext only against an attacker that has no knowledge of the communicating parties’ keys and encryption randomness, deniable encryption [Canetti et al., Crypto ’96] provides the additional guarantee that the plaintext remains secret even in the face of authoritative entities that attempt to coerce (or bribe) the communicating parties into exposing their internal states, including the plaintexts, keys and randomness. To achieve this guarantee, deniable encryption is equipped with a faking algorithm that allows parties to generate fake keys and randomness that make the ciphertext appear consistent with any plaintext of the parties’ choice.

To date, only partial results were known: either deniability against coercing only the sender, or against coercing only the receiver [Sahai-Waters, STOC ’14], or schemes satisfying weaker notions of deniability [O’Neill et al., Crypto ’11]. In this paper we present the first fully bideniable interactive encryption scheme, thus resolving the 20-year-old open problem.

Our scheme also satisfies an additional property, incomparable to standard deniability, called off-the-record deniability, which we introduce in this paper. This property guarantees that, even if the sender claims that one plaintext was used and the receiver claims a different one, the adversary has no way of figuring out who is lying: the sender, the receiver, or both. This is useful when parties don’t have the means to agree on what fake plaintext to claim, or when one party defects against the other.

Our protocol has three messages, which is optimal [Bendlin et al., Asiacrypt ’11], and works in a CRS model. We assume subexponential indistinguishability obfuscation (iO) and one-way functions.

∗ Boston University and Tel Aviv University. Email: canetti@bu.edu
† MIT. Email: sunoo@csail.mit.edu
‡ Boston University. Email: oxanapob@bu.edu

[1] Ran Canetti, et al. Adaptively Secure Two-Party Computation from Indistinguishability Obfuscation, 2015, TCC.

[2] Nir Bitansky, et al. On the Cryptographic Hardness of Finding a Nash Equilibrium, 2015, FOCS.

[3] Dana Dachman-Soled, et al. On the Impossibility of Sender-Deniable Public Key Encryption, 2012, IACR Cryptol. ePrint Arch.

[4] Nir Bitansky, et al. Indistinguishability Obfuscation for RAM Programs and Succinct Randomized Encodings, 2018, SIAM J. Comput.

[5] Rafail Ostrovsky, et al. Deniable Encryption, 1997, IACR Cryptol. ePrint Arch.

[6] Sanjam Garg, et al. Revisiting the Cryptographic Hardness of Finding a Nash Equilibrium, 2016, CRYPTO.

[7] Ran Canetti, et al. Incoercible Multiparty Computation (extended abstract), 1996, IEEE Annual Symposium on Foundations of Computer Science.

[8] Brent Waters, et al. Bi-Deniable Public-Key Encryption, 2011, CRYPTO.

[9] Kai-Min Chung, et al. On Extractability Obfuscation, 2014, IACR Cryptol. ePrint Arch.

[10] Josh Benaloh, et al. Receipt-free secret-ballot elections (extended abstract), 1994, STOC '94.

[11] Claudio Orlandi, et al. Lower and Upper Bounds for Deniable Public-Key Encryption, 2011, ASIACRYPT.

[12] Ran Canetti, et al. Indistinguishability Obfuscation of Iterated Circuits and RAM Programs, 2014, IACR Cryptol. ePrint Arch.

[13] Feng-Hao Liu, et al. Deniable Attribute Based Encryption for Branching Programs from LWE, 2016, TCC.

[14] Silvio Micali, et al. On the Cryptographic Applications of Random Functions, 1984, CRYPTO.

[15] Ran Canetti, et al. Optimal-Rate Non-Committing Encryption, 2017, ASIACRYPT.

[16] Jesper Buus Nielsen, et al. Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-committing Encryption Case, 2002, CRYPTO.

[17] Shafi Goldwasser, et al. The Edited Truth, 2017, TCC.

[18] Rafail Ostrovsky, et al. Incoercible Multi-party Computation and Universally Composable Receipt-Free Voting, 2015, CRYPTO.

[19] Jonathan Katz, et al. Composability and On-Line Deniability of Authentication, 2009, TCC.

[20] Jörn Müller-Quade, et al. Universally Composable Incoercibility, 2009, IACR Cryptol. ePrint Arch.

[21] Brent Waters, et al. How to use indistinguishability obfuscation: deniable encryption, and more, 2014, IACR Cryptol. ePrint Arch.

[22] Moni Naor, et al. Adaptively secure multi-party computation, 1996, STOC '96.

[23] Nir Bitansky, et al. Perfect Structure on the Edge of Chaos - Trapdoor Permutations from Indistinguishability Obfuscation, 2016, TCC.

[24] Angelo De Caro, et al. Deniable Functional Encryption, 2016, Public Key Cryptography.

[25] Tal Malkin, et al. Improved Non-committing Encryption with Applications to Adaptively Secure Protocols, 2009, ASIACRYPT.

[26] Allison Bishop, et al. Indistinguishability Obfuscation for Turing Machines with Unbounded Memory, 2015, IACR Cryptol. ePrint Arch.

[27] Bruce Schneier, et al. Defeating Encrypted and Deniable File Systems: TrueCrypt v5.1a and the Case of the Tattling OS and Applications, 2008, HotSec.