bi deniable public key encryption
play

Bi-Deniable Public-Key Encryption Adam ONeill 1 , 2 Chris Peikert 1 - PowerPoint PPT Presentation

May 26, 2023 •127 likes •694 views

Bi-Deniable Public-Key Encryption Adam ONeill 1 , 2 Chris Peikert 1 Brent Waters 2 1 Georgia Tech 2 U Texas, Austin CRYPTO 2011 17 Aug 1 / 13 Deniable Encryption [CDNO97] c = Enc pk (surpriz prty 4 big bro!) (Images courtesy

  1. Bi-Deniable Public-Key Encryption Adam O’Neill 1 , 2 Chris Peikert 1 Brent Waters 2 1 Georgia Tech 2 U Texas, Austin CRYPTO 2011 17 Aug 1 / 13

  2. Deniable Encryption [CDNO’97] c = Enc pk (“surpriz prty 4 big bro!”) (Images courtesy xkcd.org) 2 / 13

  3. Deniable Encryption [CDNO’97] c = Enc pk (“surpriz prty 4 big bro!”) !! (Images courtesy xkcd.org) 2 / 13

  4. Deniable Encryption [CDNO’97] c = DenEnc pk (“surpriz prty 4 big bro!”) What We Want: Bi-Deniability 1 Bob decrypts Alice’s message correctly, but . . . (Images courtesy xkcd.org) 2 / 13

  5. Deniable Encryption [CDNO’97] c = DenEnc pk (“surpriz prty 4 big bro!”) (fake!) (fake!) What We Want: Bi-Deniability 1 Bob decrypts Alice’s message correctly, but . . . (Images courtesy xkcd.org) 2 / 13

  6. Deniable Encryption [CDNO’97] c = Enc pk (“ Dad is so lame!!!! ”) What We Want: Bi-Deniability 1 Bob decrypts Alice’s message correctly, but . . . 2 Fake coins & keys “look as if” another message was encrypted. (Images courtesy xkcd.org) 2 / 13

  7. Deniable Encryption [CDNO’97] c = Enc pk (“ Dad is so lame!!!! ”) What We Want: Bi-Deniability 1 Bob decrypts Alice’s message correctly, but . . . 2 Fake coins & keys “look as if” another message was encrypted. ⋆⋆ Coercion is after the fact (cf. “uncoercible communication” [BT’94]) (Images courtesy xkcd.org) 2 / 13

  8. Applications of Deniability 1 Anti-coercion: journalists, lawyers, whistle-blowers 3 / 13

  9. Applications of Deniability 1 Anti-coercion: journalists, lawyers, whistle-blowers 3 / 13

  10. Applications of Deniability 1 Anti-coercion: journalists, lawyers, whistle-blowers 2 Voting (?): can reveal any candidate, so can’t ‘sell’ vote 3 / 13

  11. Applications of Deniability 1 Anti-coercion: journalists, lawyers, whistle-blowers 2 Voting (?): can reveal any candidate, so can’t ‘sell’ vote 3 Implies selective-opening security [DNRS’99,BHY’09] 3 / 13

  12. Applications of Deniability 1 Anti-coercion: journalists, lawyers, whistle-blowers 2 Voting (?): can reveal any candidate, so can’t ‘sell’ vote 3 Implies selective-opening security [DNRS’99,BHY’09] 4 Implies noncommitting encryption for adaptive corruption [CFGN’96] 3 / 13

  13. Prior Work Theory [CDNO’97] ◮ Sender-deniable public-key encryption ◮ Receiver-deniability with interaction ◮ Bi-deniability via interaction w/ 3rd parties (one must remain uncoerced) 4 / 13

  14. Prior Work Theory [CDNO’97] ◮ Sender-deniable public-key encryption ◮ Receiver-deniability with interaction ◮ Bi-deniability via interaction w/ 3rd parties (one must remain uncoerced) Practice: TrueCrypt, Rubberhose FS, . . . ◮ “Plausible deniability:” move along, no message here. . . Maybe OK for storage , but not so much for communication . 4 / 13

  15. This Work 1 Bi-deniable encryption: sender & receiver are simultaneously coercible, and can reveal any message (chosen at coercion time). 5 / 13

  16. This Work 1 Bi-deniable encryption: sender & receiver are simultaneously coercible, and can reveal any message (chosen at coercion time). Works in “multi-distributional” (flexible) model: DenGen & DenEnc algorithms, equivocated as if Gen & Enc were run. 5 / 13

  17. This Work 1 Bi-deniable encryption: sender & receiver are simultaneously coercible, and can reveal any message (chosen at coercion time). Works in “multi-distributional” (flexible) model: DenGen & DenEnc algorithms, equivocated as if Gen & Enc were run. ⋆ True public-key schemes: non-interactive, no 3rd parties ⋆ One generic construction [DN’00] & one using lattices [GPV’08] ⋆ Both have | keys | > | messages | . . . but this is inherent [Nielsen’02] 5 / 13

  18. This Work 1 Bi-deniable encryption: sender & receiver are simultaneously coercible, and can reveal any message (chosen at coercion time). Works in “multi-distributional” (flexible) model: DenGen & DenEnc algorithms, equivocated as if Gen & Enc were run. ⋆ True public-key schemes: non-interactive, no 3rd parties ⋆ One generic construction [DN’00] & one using lattices [GPV’08] ⋆ Both have | keys | > | messages | . . . but this is inherent [Nielsen’02] 2 “Plan-ahead” bi-deniability with short keys (analogue of “somewhat non-committing” encryption [GWZ’09]) ⋆ Bounded number of alternative messages, decided in advance ⋆ Sender & receiver automatically agree on fake message 5 / 13

  19. This Work 1 Bi-deniable encryption: sender & receiver are simultaneously coercible, and can reveal any message (chosen at coercion time). Works in “multi-distributional” (flexible) model: DenGen & DenEnc algorithms, equivocated as if Gen & Enc were run. ⋆ True public-key schemes: non-interactive, no 3rd parties ⋆ One generic construction [DN’00] & one using lattices [GPV’08] ⋆ Both have | keys | > | messages | . . . but this is inherent [Nielsen’02] 2 “Plan-ahead” bi-deniability with short keys (analogue of “somewhat non-committing” encryption [GWZ’09]) ⋆ Bounded number of alternative messages, decided in advance ⋆ Sender & receiver automatically agree on fake message 3 Analogous solutions in the ID-based setting. 5 / 13

  20. Subsequent Work [DF’11] announced interactive, fully sender-deniable encryption 1 6 / 13

  21. Subsequent Work [DF’11] announced interactive, fully sender-deniable encryption 1 ⋆ Unfortunately, there is a fatal bug in deniability claim (& an attack) ⋆ Obtaining full deniability remains an intriguing open problem! 6 / 13

  22. Subsequent Work [DF’11] announced interactive, fully sender-deniable encryption 1 ⋆ Unfortunately, there is a fatal bug in deniability claim (& an attack) ⋆ Obtaining full deniability remains an intriguing open problem! 2 “Fully receiver-/bi-deniable PKE is impossible” [BNNO’11] ⋆ Formally: σ -bit secret key ⇒ ( 1 /σ ) -distinguishable real vs. fake ⋆ Don’t deny the impossibility — instead, be “flexible.” 6 / 13

  23. “Flexible” Bi-Deniability ◮ ‘Normal’ Gen, Enc, Dec algorithms . . . plus ‘deniable’ DenGen, DenEnc and ‘faking’ RecFake, SendFake. 7 / 13

  24. “Flexible” Bi-Deniability ◮ ‘Normal’ Gen, Enc, Dec algorithms . . . plus ‘deniable’ DenGen, DenEnc and ‘faking’ RecFake, SendFake. ◮ The following are indistinguishable for all bits b , b ′ : ( pk , sk ) ← Gen c ← Enc ( pk , b ; r ) View: ( pk , c , sk , r ) 7 / 13

  25. “Flexible” Bi-Deniability ◮ ‘Normal’ Gen, Enc, Dec algorithms . . . plus ‘deniable’ DenGen, DenEnc and ‘faking’ RecFake, SendFake. ◮ The following are indistinguishable for all bits b , b ′ : ( pk , sk ) ← Gen ( pk , fk ) ← DenGen c ← DenEnc ( pk , b ′ ; r ) c ← Enc ( pk , b ; r ) sk ∗ ← RecFake ( fk , c , b ) r ∗ ← SendFake ( pk , r , b ′ , b ) View: ( pk , c , sk , r ) View: ( pk , c , sk ∗ , r ∗ ) 7 / 13

  26. “Flexible” Bi-Deniability ◮ ‘Normal’ Gen, Enc, Dec algorithms . . . plus ‘deniable’ DenGen, DenEnc and ‘faking’ RecFake, SendFake. ◮ The following are indistinguishable for all bits b , b ′ : ( pk , sk ) ← Gen ( pk , fk ) ← DenGen c ← DenEnc ( pk , b ′ ; r ) c ← Enc ( pk , b ; r ) sk ∗ ← RecFake ( fk , c , b ) r ∗ ← SendFake ( pk , r , b ′ , b ) View: ( pk , c , sk , r ) View: ( pk , c , sk ∗ , r ∗ ) (Even better, RecFake could output fake coins for Gen, instead of sk ∗ .) 7 / 13

  27. “Flexible” Bi-Deniability ◮ ‘Normal’ Gen, Enc, Dec algorithms . . . plus ‘deniable’ DenGen, DenEnc and ‘faking’ RecFake, SendFake. ◮ The following are indistinguishable for all bits b , b ′ : ( pk , sk ) ← Gen ( pk , fk ) ← DenGen c ← DenEnc ( pk , b ′ ; r ) c ← Enc ( pk , b ; r ) sk ∗ ← RecFake ( fk , c , b ) r ∗ ← SendFake ( pk , r , b ′ , b ) View: ( pk , c , sk , r ) View: ( pk , c , sk ∗ , r ∗ ) (Even better, RecFake could output fake coins for Gen, instead of sk ∗ .) ◮ “Full” deniability requires equivocable Gen and Enc algs. 7 / 13

  28. Is (Flexible) Deniability Meaningful? Objection #1 ◮ Everyone knows that the coins & message could be fake. So who do we think we’re fooling? 8 / 13

  29. Is (Flexible) Deniability Meaningful? Objection #1 ◮ Everyone knows that the coins & message could be fake. So who do we think we’re fooling? Answer ◮ ‘Perfectly secret’ communication is inherently deniable. . . . . . but most encryption introduces risk of coercion! 8 / 13

  30. Is (Flexible) Deniability Meaningful? Objection #1 ◮ Everyone knows that the coins & message could be fake. So who do we think we’re fooling? Answer ◮ ‘Perfectly secret’ communication is inherently deniable. . . . . . but most encryption introduces risk of coercion! ◮ Deniable encryption avoids this side-effect risk. 8 / 13

  31. Is (Flexible) Deniability Meaningful? Objection #1 ◮ Everyone knows that the coins & message could be fake. So who do we think we’re fooling? Answer ◮ ‘Perfectly secret’ communication is inherently deniable. . . . . . but most encryption introduces risk of coercion! ◮ Deniable encryption avoids this side-effect risk. The purpose is not to ‘convince’ the coercer, but just to preempt coercion in the first place . 8 / 13

  32. Is (Flexible) Deniability Meaningful? Objection #2 ◮ Wouldn’t the coercer request the coins of DenGen & DenEnc? 9 / 13

Recommend

MOBICEAL: TOWARDS SECURE AND PRACTICAL PLAUSIBLY DENIABLE ENCRYPTION ON MOBILE DEVICES Bing

MOBICEAL: TOWARDS SECURE AND PRACTICAL PLAUSIBLY DENIABLE ENCRYPTION ON MOBILE DEVICES Bing

MOBICEAL: TOWARDS SECURE AND PRACTICAL PLAUSIBLY DENIABLE ENCRYPTION ON MOBILE DEVICES Bing Chang, Fengwei Zhang, Bo Chen, Yingjiu Li, Wen- Tao Zhu, Yangguang Tian, Zhan Wang and Albert Ching OVERVIEW 1. What is Plausibly Deniable Encryption

657 views • 28 slides
DEFY: A Deniable, Encrypted File System for Log Structured Storage WRITTEN BY: PRESENTED BY:

DEFY: A Deniable, Encrypted File System for Log Structured Storage WRITTEN BY: PRESENTED BY:

DEFY: A Deniable, Encrypted File System for Log Structured Storage WRITTEN BY: PRESENTED BY: TIMOTHY PETERS NICHOLAS BURTON MARK GONDREE ZACHARY PETERSON What is encryption? Why hide encryption? Previous Work on the Matter u Anderson and

550 views • 39 slides
Mobiflage: Deniable Storage Encryption for Mobile Devices Adam Skillen and Mohammad Mannan a

Mobiflage: Deniable Storage Encryption for Mobile Devices Adam Skillen and Mohammad Mannan a

Mobiflage: Deniable Storage Encryption for Mobile Devices Adam Skillen and Mohammad Mannan a skil@ciise.concordia.ca Concordia Institute for Information Systems Engineering Concordia University Montr eal, Canada NDSS 2013, San Diego, CA

486 views • 23 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption [DH76,M78,RSA78,GM84] Avoid Prior Secret Exchange PubK SK 2 Functional Encryption [SW05] Functionality: f( , ) MSK Authority Key: y 2 {0,1}* y SK CT: x

945 views • 16 slides
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key PKE scheme Encryption (a.k.a. private-key encryption) a.k.a. asymmetric-key encryption PKE SKE: Syntax Syntax KeyGen outputs KeyGen

366 views • 13 slides
Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption

Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption

Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP RECALL Diffie-Hellman Key-exchange Secure if (g x ,g y ,g xy ) (g x ,g y ,g r ) Random x {0,..,|G|-1} Random y

173 views • 13 slides
Public-Key Cryptography Public-Key Cryptography Lecture 8 Public-Key Encryption Public-Key

Public-Key Cryptography Public-Key Cryptography Lecture 8 Public-Key Encryption Public-Key

Public-Key Cryptography Public-Key Cryptography Lecture 8 Public-Key Encryption Public-Key Cryptography Lecture 8 Public-Key Encryption Diffie-Hellman Key-Exchange PKE scheme PKE scheme SKE: Syntax KeyGen outputs K K Enc: M K R

1.18k views • 104 slides
Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware Encryption S Web Encryption S Email Encryption OpenPGP S S/MIME S S Online Social Network Public Key Encryption S Encryption/Decryption

842 views • 26 slides
Laconic Zero Knowledge to Public Key Cryptography Public Key Cryptography Akshay Degwekar

Laconic Zero Knowledge to Public Key Cryptography Public Key Cryptography Akshay Degwekar

Laconic Zero Knowledge to Public Key Cryptography Public Key Cryptography Akshay Degwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78, Goldwasser-Micali82] pk sk Public Key Encryption Public Key Encryption

296 views • 25 slides
Facade: High-Throughput, Deniable Censorship Circumven<on Using

Facade: High-Throughput, Deniable Censorship Circumven<on Using

Facade: High-Throughput, Deniable Censorship Circumven<on Using Web Search Ben Jones, Sam BurneB, Nick Feamster, Sean Donovan, Sarthak Grover, Sathya

574 views • 19 slides
Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P

Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P

Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P = D(K D ,C) Often, works the other way, too Lecture 4 Page 1 CS 236 Online History of Public Key Cryptography Invented by Diffie and

618 views • 24 slides
Scalable deniable group key establishment Kashi Neupane Rainer

Scalable deniable group key establishment Kashi Neupane Rainer

Scalable deniable group key establishment Kashi Neupane Rainer Steinwandt Adriana Surez Corona FPS 2012, Montreal, 25 October 2012 Outline IntroducDon

497 views • 23 slides
1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

1 Message Encryption- see Table 11.1 in the book Message Encryption if public-key encryption

Message Authentication CPE 542: CRYPTOGRAPHY & NETWORK SECURITY message authentication is concerned with: protecting the integrity of a message Chapter 11 Message Authentication and validating identity of originator Hash

462 views • 6 slides
Lecture 9 Public Key Cryptography: Encryption + Signatures 1 El Gamal PK cryptosystem (83) -

Lecture 9 Public Key Cryptography: Encryption + Signatures 1 El Gamal PK cryptosystem (83) -

Lecture 9 Public Key Cryptography: Encryption + Signatures 1 El Gamal PK cryptosystem (83) - p large prime - b base, primitive element, generator - x private exponent - x y public residue y b p ; mod = P Z * p =

272 views • 25 slides
gone WILD Gregory Neven IBM Zurich Research Laboratory Public-key encryption PKI pk KeyGen

gone WILD Gregory Neven IBM Zurich Research Laboratory Public-key encryption PKI pk KeyGen

Identity-Based Encryption gone WILD Gregory Neven IBM Zurich Research Laboratory Public-key encryption PKI pk KeyGen sk M C M Enc Dec Sender (pk) Receiver (sk) 2 1 Identity-based encryption (IBE) [S84] Goal: Allow to encrypt based

584 views • 10 slides
Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key

Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key

Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security notion: chosen-ciphertext security

1.16k views • 83 slides
The Public Key Muddle How to manage transparent end-to-end encryption in organizations Dr.

The Public Key Muddle How to manage transparent end-to-end encryption in organizations Dr.

The Public Key Muddle How to manage transparent end-to-end encryption in organizations Dr. Gunnar Jacobson CEO Secardeo GmbH Business Communication E-Mail Desktop (e.g. Outlook) Cloud (e.g. Office 365) More than 50% opened on

503 views • 29 slides
DEFY: A Deniable, Encrypted File System for Log-Structured Storage. Timothy M. Peters, Mark A.

DEFY: A Deniable, Encrypted File System for Log-Structured Storage. Timothy M. Peters, Mark A.

DEFY: A Deniable, Encrypted File System for Log-Structured Storage. Timothy M. Peters, Mark A. Gondree, and Zachary N. J. Peterson. In NDSS'15 Presented by Fengwei Zhang Wayne State University CSC 6991 Advanced Computer Security 1

576 views • 21 slides
DEFY: A Deniable, Encrypted File System for Log-Structured Storage. Timothy M. Peters, Mark A.

DEFY: A Deniable, Encrypted File System for Log-Structured Storage. Timothy M. Peters, Mark A.

DEFY: A Deniable, Encrypted File System for Log-Structured Storage. Timothy M. Peters, Mark A. Gondree, and Zachary N. J. Peterson. In NDSS'15 Presented by Fengwei Zhang Wayne State University CSC 6991 Topics in Computer Security 1

695 views • 20 slides
Public Key (RSA) Encryption Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech

Public Key (RSA) Encryption Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech

Overview Needed Theorems RSA Encryption Public Key (RSA) Encryption Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University, College of Engineering and Science Public Key (RSA) Encryption Overview Needed Theorems RSA

1.62k views • 137 slides
Public-Key Encryption: The Auxiliary-Input Setting Zvika Brakerski Gil Segev Microsoft Research

Public-Key Encryption: The Auxiliary-Input Setting Zvika Brakerski Gil Segev Microsoft Research

Better Security for Deterministic Public-Key Encryption: The Auxiliary-Input Setting Zvika Brakerski Gil Segev Microsoft Research Weizmann Institute Silicon Valley Probabilistic Encryption Enc Semantic Security [GM82]: No

341 views • 14 slides
Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California,

Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California,

Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California, Berkeley and Microsoft Research September 3, 2015 Homomorphic Encryption Homomorphic Encryption Consider a public key cryptosystem, and operations

777 views • 35 slides
CoinJoinXT . . . and other techiques for deniable transfers Adam Gibson 03 July 2018 Building

CoinJoinXT . . . and other techiques for deniable transfers Adam Gibson 03 July 2018 Building

CoinJoinXT . . . and other techiques for deniable transfers Adam Gibson 03 July 2018 Building On Bitcoin 2018 1/17 Outline Motivation Intrinsic fungibility and deniability CoinJoinXT Extending CoinJoin across multiple transactions

500 views • 25 slides

More recommend