Deniable Encryption

6 Coercing the Sender vs. Coercing the Receiver

We describe simple constructions that transform sender-deniable schemes into receiver-deniable schemes and vice versa. If there are other parties that can help in transmitting the data, we also construct a sender-and-receiver-deniable scheme from any sender-deniable scheme. We describe the constructions with respect to schemes that encrypt only one bit at a time; generalizing them to schemes that encrypt arbitrarily long messages is straightforward. These constructions apply to both shared-key and public-key settings.

Receiver-deniability from Sender-deniability. Assume a sender-deniable encryption scheme A, and construct the following scheme B. Let b denote the bit to be transmitted from S to R. First R chooses a random bit r and invokes scheme A to send r to S. (That is, with respect to scheme A, R is the sender and S is the receiver.) Next, S sends $b \oplus r$ to R, in the clear. If scheme A is sender-deniable then, when attacked, R can convincingly claim that the value of r was either 0 or 1, as desired. Consequently R can claim that the bit b was either 0 or 1, at will, and scheme B is receiver-deniable.

Sender-deniability from Receiver-deniability. We use the exact same construction. It is easy to verify that if A is receiver-deniable then B is sender-deniable.

Sender-and-receiver-deniability. Assume that S and R can use other parties $I_1, \ldots, I_n$ as intermediaries in their communication. The following scheme is resilient against attacking the sender, the receiver and some intermediaries, as long as at least one intermediary remains unattacked. In order to transmit a bit b to R, S first chooses n bits $b_1, \ldots, b_n$ such that $\bigoplus_i b_i = b$. Next, S transmits $b_i$ to each intermediary $I_i$, using a sender-deniable scheme. Next, each $I_i$ transmits $b_i$ to R using a receiver-deniable scheme. Finally R computes $\bigoplus_i b_i = b$. When an intermediary $I_i$ is attacked, it reveals the true value of $b_i$. However, as long as one intermediary $I_j$ remains unattacked, both S and R can convincingly claim, when attacked, that the value of $b_j$ (and consequently the value of b) is either 0 or 1. Note that this scheme works only if the parties can `coordinate their stories', in the sense of Remark 2 to Definition 10. In particular, the sender and receiver must know, when attacked, which intermediaries are being attacked.[4]

Footnote 4: In general, when both the sender and the receiver are attacked they are faced with a `coordination problem': to be consistent, they both should claim the same (fake or true) value for the cleartext. We believe that this `coordination' issue should be treated separately. This problem is extensively treated in [5].

References

[1] M. Ajtai, Generating Hard Instances of Lattice Problems, STOC'96.
[2] M. Ajtai and C. Dwork, A Public-Key Cryptosystem with Average-Case/Worst-Case Equivalence, STOC'97; see also Electronic Colloquium on Computational Complexity TR96-065, http://www.eccc.uni-trier.de/eccc-local/Lists/TR-1996.html
[3] D. Beaver and S. Haber, Cryptographic Protocols Provably Secure Against Dynamic Adversaries, Eurocrypt 1992.
[4] J. Benaloh and D. Tuinstra, Receipt-Free Secret-Ballot Elections, 26th STOC, 1994, pp. 544-552.
[5] R. Canetti and R. Gennaro, Incoercible Multiparty Computation, FOCS'96.
[6] R. Canetti, C. Dwork, M. Naor and R. Ostrovsky, Deniable Encryption, Theory of Cryptology Library, http://theory.lcs.mit.edu/~tcryptol, 1996.
[7] R. Canetti, U. Feige, O. Goldreich and M. Naor, Adaptively Secure Computation, 28th STOC, 1996.
[8] D. Dolev, C. Dwork and M. Naor, Non-malleable Cryptography, STOC'91.
[9] P. Feldman, Private Communication, 1986.
[10] A. Herzberg, Rump-Session presentation at CRYPTO 1991.
[11] R. Gennaro, unpublished manuscript.
[12] O. Goldreich and L. Levin, A Hard-Core Predicate to any One-Way Function, 21st STOC, 1989, pp. 25-32.
[13] O. Goldreich, S. Micali and A. Wigderson, Proofs that Yield Nothing but the Validity of the Assertion, and a Methodology of Cryptographic Protocol Design, 27th FOCS, 1986, pp. 174-187.
[14] O. Goldreich, S. Micali and A. Wigderson, How to Play any Mental Game, 19th STOC, 1987, pp. 218-229.
[15] S. Goldwasser and S. Micali, Probabilistic Encryption, JCSS, Vol. 28, No. 2, April 1984, pp. 270-299.
[16] P. Gutmann, Secure Deletion of Data from Magnetic and Solid-State Memory, Sixth USENIX Security Symposium Proceedings, San Jose, California, July 22-25, 1996, pp. 77-89.
[17] M. Naor and M. Yung, Public Key Cryptosystems Provably Secure Against Chosen Ciphertext Attacks, Proc. 22nd ACM Annual Symposium on the Theory of Computing, 1990, pp. 427-437.
[18] C. Rackoff and D. Simon, Non-interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack, CRYPTO'91 (LNCS 576), 1991.
[19] K. Sako and J. Kilian, Receipt-Free Mix-Type Voting Scheme, Eurocrypt 1995, pp. 393-403.

A An Alternative Non-Committing Encryption Scheme

Recently, general multiparty protocols secure against an adaptive adversary that corrupts parties based on past information were constructed [7]. At the heart of this construction is another type of encryption protocol, called non-committing encryption. As in the case of deniable encryption, non-committing encryption is concerned with foiling an adversary that registers the ciphertext and later asks the sender and receiver to reveal their secret keys and random choices. Non-committing encryption offers a considerably weaker solution to this problem than deniable encryption (although non-committing encryption suffices for proving adaptive security). Very roughly, a non-committing encryption scheme consists of the usual key-generation, encryption, and decryption algorithms that ensure correctness and semantic security, with the following extra property: there exists a simulator that simulates the process of encryption and decryption in a deniable way. That is, the simulator first generates dummy ciphertexts that are indistinguishable, in the eyes of the adversary, from authentic ciphertexts. Next, when the adversary asks to see the internal data of the sender and the receiver, the simulator is able to choose an arbitrary cleartext and then present the adversary with data that is consistent with the chosen cleartext.

Note that in a non-committing scheme only the simulator can generate `dummy ciphertexts' that can be `opened' as encryptions of more than one value. The sender and receiver are unable to do so. Furthermore, the dummy ciphertexts of a non-committing scheme need not have a meaningful decryption, whereas in deniable encryption each ciphertext has a unique, meaningful decryption and at the same time can be opened in several ways for an adversary. In particular, the non-committing scheme described in [7] is not deniable.

Any public-key $\delta(n)$-sender-and-receiver-deniable encryption scheme according to Definition 10 is non-committing if $\delta(n)$ is negligible. However, we do not know if such a deniable scheme exists. (In this paper we only describe $\frac{1}{n^c}$-sender-and-receiver-deniable schemes, where c is a constant.) It turns out, however, that the basic scheme described in Section 3, after being transformed into a sender-and-receiver-deniable scheme using the technique of Section 6, is a valid non-committing encryption scheme. In particular, this scheme is much simpler to present and prove than the [7] scheme. Call this scheme the transformed basic scheme.

To show that the transformed basic scheme is non-committing, we have to describe the simulator. We use the fact that, in the basic scheme, cheating is undetectable in one direction (except with negligible probability). That is, the sender can encrypt 1 and later claim that the encrypted bit was 0. The dummy ciphertexts generated by the simulator will all be legal encryptions of 1. When, in a simulated execution, the sender and receiver are asked to demonstrate their internal data, they can show that the encrypted bit was either 0 or 1, as desired.

B Definitions 9 and 10

Definition 9. A protocol $\pi$ with sender S and receiver R, and with security parameter n, is a $\delta(n)$-receiver-deniable encryption protocol if it satisfies Definition 2, with the exception that the Deniability property is replaced as follows.

Deniability: There exists an efficient faking algorithm $\phi$ having the following property with respect to any $m_1, m_2 \in M$. Let $r_S, r_R$ be uniformly chosen random inputs of S and R, respectively, let $c = \mathrm{com}_\pi(m_1, r_S, r_R)$, and let $\tilde{r}_R = \phi(m_1, r_R, c, m_2)$. Then the random variables $(m_2, \tilde{r}_R, c)$ and $(m_2, r_R, \mathrm{com}_\pi(m_2, r_S, r_R))$ are $\delta(n)$-close.

Definition 10. A protocol $\pi$ with sender S and receiver R, and with security parameter n, is a $\delta(n)$-sender-and-receiver-deniable encryption protocol if it satisfies Definition 2, with the exception that the Deniability property is replaced as follows.

Deniability: There exist two efficient faking algorithms $\phi_S$ and $\phi_R$ having the following property with respect to any $m_1, m_2 \in M$. Let $r_S, r_R$ be uniformly chosen random inputs of S and R, respectively, let $c = \mathrm{com}_\pi(m_1, r_S, r_R)$, let $\tilde{r}_S = \phi_S(m_1, r_S, c, m_2)$, and let $\tilde{r}_R = \phi_R(m_1, r_R, c, m_2)$. Then the random variables $(m_2, \tilde{r}_S, \tilde{r}_R, c)$ and $(m_2, r_S, r_R, \mathrm{com}_\pi(m_2, r_S, r_R))$ are $\delta(n)$-close.

Remarks:

1. Note that the requirement from a sender-and-receiver-deniable encryption protocol is stronger than requiring that the protocol be both sender-deniable and receiver-deniable.

2. Definition 10 does not address the following issue. In order for the sender and the receiver to convince an adversary that attacks both, the parties need to have `consistent stories'. That is, they both should claim the same (fake or true) value for the cleartext. We believe that this `coordination' issue should be treated separately. (Indeed, it is extensively treated in [5].) Note that this issue does not appear when only the sender or only the receiver are attacked.
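The following Python is an added illustration, not code from the paper: it models the XOR constructions of Section 6 (the $b \oplus r$ trick and the intermediary scheme) together with the coercion scenario of Remark 2 and footnote 4. Deniability of the per-hop schemes is abstracted away: an attacked intermediary's share is fixed to its true value, an unattacked one's can be claimed freely; the function names and the `adversary_accepts` consistency check are this example's own assumptions.

```python
"""Toy model (constructed here, not from the paper) of the Section 6
transformations.  Shares are single bits; "attacked" is the set of
intermediary indices whose true share the coercer already knows."""
import secrets


def xor_all(bits) -> int:
    """R's reconstruction step: b = XOR of all b_i."""
    acc = 0
    for x in bits:
        acc ^= x
    return acc


def share_bit(b: int, n: int) -> list[int]:
    """S's first step: choose n random bits b_1..b_n whose XOR is b."""
    shares = [secrets.randbits(1) for _ in range(n - 1)]
    shares.append(b ^ xor_all(shares))   # last share fixes the XOR to b
    return shares


def fake_receiver_randomness(public_p: int, claimed_b: int) -> int:
    """Receiver-deniability from sender-deniability: p = b XOR r was sent
    in the clear, so claiming bit claimed_b means claiming r = p XOR claimed_b."""
    return public_p ^ claimed_b


def fake_opening(true_shares, attacked, claimed_b, j):
    """Story S and R tell when coerced: true shares for every intermediary
    except the agreed unattacked I_j, whose share is chosen so that the
    vector XORs to claimed_b.  Impossible if I_j itself was attacked."""
    if j in attacked:
        raise ValueError("I_j is attacked; its share is already revealed")
    opening = list(true_shares)
    others = xor_all(s for i, s in enumerate(opening) if i != j)
    opening[j] = claimed_b ^ others
    return opening


def adversary_accepts(sender_open, receiver_open, true_shares, attacked, claimed_b):
    """Coercer's check: the two stories must agree with each other, with
    every share revealed by an attacked intermediary, and with claimed_b.
    Uncoordinated stories (different j or different claimed bit) fail here."""
    if sender_open != receiver_open:
        return False
    if any(sender_open[i] != true_shares[i] for i in attacked):
        return False
    return xor_all(sender_open) == claimed_b
```

With shares [1, 0, 1, 1] (true bit 1) and intermediaries 0 and 2 attacked, S and R who both fake index 1 and claim 0 present [1, 1, 1, 1] and are accepted; if S fakes index 1 while R fakes index 3, both openings are individually valid but the coercer sees two different stories.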
