Lower and Upper Bounds for Deniable Public-Key Encryption

Lower and Upper Bounds for Deniable Public-Key Encryption Rikke Bendlin1
Jesper Buus Nielsen1 Peter Sebastian Nordholt1 Claudio Orlandi2 1 Aarhus University, Denmark 2 Bar-Ilan University, Israel September 7, 2012 交互计算 CTIC 1 / 74

交互计算 CTIC Public-Key Encryption 2 / 74

交互计算 CTIC Public-Key Encryption m = "Want to come to
my party?" m 3 / 74

交互计算 CTIC Public-Key Encryption m = "Want to come to
my party?" m m Passive Adversary: Eve only listens to communication. 4 / 74

交互计算 CTIC Public-Key Encryption pk, m = "Want to come
to my party?" ( pk, sk) ← KeyGen(1 k) pk Passive Adversary: Eve only listens to communication. 5 / 74

to my party?" ( pk, sk) ← KeyGen(1 k) m = Dec sk( c) pk , c c = Enc pk( m) Passive Adversary: Eve only listens to communication. Security: Eve does not learn anything about m without sk. 6 / 74

to my party?" ( pk, sk) ← KeyGen(1 k) m = Dec sk( c) pk , c c = Enc pk( m) Coercing Adversary: Eve can threaten Bob to give his secret key. 7 / 74

to my party?" ( pk, sk) ← KeyGen(1 k) m = Dec sk( c) pk , c c = Enc pk( m) ! Coercing Adversary: Eve can threaten Bob to give his secret key. 8 / 74

to my party?" ( pk, sk) ← KeyGen(1 k) m = Dec sk( c) pk , c c = Enc pk( m) ! sk Coercing Adversary: Eve can threaten Bob to give his secret key. 9 / 74

to my party?" ( pk, sk) ← KeyGen(1 k) m = Dec sk( c) pk , c , sk c = Enc pk( m) Coercing Adversary: Eve can threaten Bob to give his secret key. 10 / 74

to my party?" ( pk, sk) ← KeyGen(1 k) m = Dec sk( c) pk , c , sk m = Dec sk( c) c = Enc pk( m) Coercing Adversary: Eve can threaten Bob to give his secret key. 11 / 74

交互计算 CTIC Public-Key Encryption (Receiver-Deniable Encryption) pk, m = "Want
to come to my party?" ( pk, sk) ← KeyGen(1 k) m = Dec sk( c) pk , c c = Enc pk( m) Coercing Adversary: Eve can threaten Bob to give his secret key. 12 / 74

to come to my party?" ( pk, sk) ← KeyGen(1 k) m = Dec sk( c) pk , c c = Enc pk( m) Coercing Adversary: Eve can threaten Bob to give his secret key. 13 / 74

to come to my party?" ( pk, sk) ← KeyGen(1 k) m = Dec sk( c) pk , c c = Enc pk( m) ! Coercing Adversary: Eve can threaten Bob to give his secret key. 14 / 74

to come to my party?" ( pk, sk) ← KeyGen(1 k) m = Dec sk( c) m = Cryptography is cool! pk , c , sk c = Enc pk( m) ! sk Coercing Adversary: Eve can threaten Bob to give his secret key. 15 / 74

to come to my party?" ( pk, sk) ← KeyGen(1 k) m = Dec sk( c) m = Cryptography is cool! pk , c , sk m = Dec sk ( c) c = Enc pk( m) Coercing Adversary: Eve can threaten Bob to give his secret key. Security: Eve can not detect that Bob is cheating. 16 / 74

交互计算 CTIC Related Work [CDNO97]: sender-deniable public-key encryption and interactive
receiver-deniable encryption with inverse-polynomial detection probability. 17 / 74

receiver-deniable encryption with inverse-polynomial detection probability. [OPW11]: multi-distributional (sender/reciever/bi)-deniable public-key encryption with negligible detection probability. 18 / 74

receiver-deniable encryption with inverse-polynomial detection probability. [OPW11]: multi-distributional (sender/reciever/bi)-deniable public-key encryption with negligible detection probability. [DF11]: interactive sender-deniable encryption with negligible detection probability ... 19 / 74

receiver-deniable encryption with inverse-polynomial detection probability. [OPW11]: multi-distributional (sender/reciever/bi)-deniable public-key encryption with negligible detection probability. [DF11]: interactive sender-deniable encryption with negligible detection probability ... 20 / 74

receiver-deniable encryption with inverse-polynomial detection probability. [OPW11]: multi-distributional (sender/reciever/bi)-deniable public-key encryption with negligible detection probability. [DF11]: interactive sender-deniable encryption with negligible detection probability ... faulty proof . 21 / 74

交互计算 CTIC Our Work We looked for deniable public-key encryption
with negligible detection probability. 22 / 74

with negligible detection probability. Receiver/Bi-deniable public-key encryption is impossible with negligible detection probability. 23 / 74

with negligible detection probability. Receiver/Bi-deniable public-key encryption is impossible with negligible detection probability. Constructions of receiver/bi-deniable public-key encryption with inverse-polynomial detection probability. 24 / 74

交互计算 CTIC Overview 1 Intro 2 Receiver-Deniable Public-Key Encryption 3
Negligible Detection Probability 4 Inverse Polynomial Detection Probability 5 Last Slide 25 / 74

交互计算 CTIC Receiver-Deniable Public-Key Encryption For security parameter k. 26
/ 74

交互计算 CTIC Receiver-Deniable Public-Key Encryption For security parameter k. (KeyGen,
Enc, Dec, Fake): PPT algorithms KeyGen(1k): generates a honest key-pair, (pk, sk). Encpk(m; r): encrypts message m ∈ {0, 1} using public-key pk and randomness r. Decsk(c): decrypts ciphertext c to a message m ∈ {0, 1} . Fake(sk, c, m ): generates a fake secret key sk so that Decsk (c) = m . 27 / 74

Enc, Dec, Fake): PPT algorithms KeyGen(1k): generates a honest key-pair, (pk, sk). Encpk(m; r): encrypts message m ∈ {0, 1} using public-key pk and randomness r. Decsk(c): decrypts ciphertext c to a message m ∈ {0, 1} . Fake(sk, c, m ): generates a fake secret key sk so that Decsk (c) = m . sk def = randomness of KeyGen 28 / 74

Enc, Dec, Fake): PPT algorithms KeyGen(1k): generates a honest key-pair, (pk, sk). Encpk(m; r): encrypts message m ∈ {0, 1} using public-key pk and randomness r. Decsk(c): decrypts ciphertext c to a message m ∈ {0, 1} . Fake(sk, c, m ): generates a fake secret key sk so that Decsk (c) = m . sk def = randomness of KeyGen Correctness: Pr Decsk(Encpk(m)) = m = 1 − negl(k). 29 / 74

交互计算 CTIC Receiver Deniable Public-Key Encryption Security Games For adversary
A = (A 1 , A 2 ) Honest Game Faking Game (pk, sk) ← KeyGen(1k) (pk, sk) ← KeyGen(1k) (m, m , st) ← A 1 (pk) (m, m , st) ← A 1 (pk) c ← Encpk(m ; r) c ← Encpk(m; r) sk ← Fake(sk, c, m ) b ← A 2 (st, c, sk) b ← A 2 (st, c, sk ) 30 / 74

交互计算 CTIC Receiver Deniable Public-Key Encryption Security Games For adversary
A = (A 1 , A 2 ) Honest Game Faking Game (pk, sk) ← KeyGen(1k) (pk, sk) ← KeyGen(1k) (m, m , st) ← A 1 (pk) (m, m , st) ← A 1 (pk) c ← Encpk(m ; r) c ← Encpk(m; r) sk ← Fake(sk, c, m ) b ← A 2 (st, c, sk) b ← A 2 (st, c, sk ) (KeyGen, Enc, Dec, Fake) is ε-receiver deniable if all PPT A have distingiushing advantage AdvA(k) = negl(k) + ε. 31 / 74

交互计算 CTIC Theorem Let Π = (KeyGen, Enc, Dec, Fake)
be ε-receiver deniable, and σ be an upper bound on the length of the secret keys. Then ε ≥ 1 2(σ + 1) − negl(k). 33 / 74

交互计算 CTIC Theorem Let Π = (KeyGen, Enc, Dec, Fake)
be ε-receiver deniable, and σ be an upper bound on the length of the secret keys. Then ε ≥ 1 2(σ + 1) − negl(k). I.e. for ε = negl(k) σ must be super-polynomial. 34 / 74

交互计算 CTIC Parallel Self-Composition For any receiver-deniable Π = (KeyGen,
Enc, Dec, Fake) and n = poly(k) dene the parallel self-composition 35 / 74

交互计算 CTIC Parallel Self-Composition For any receiver-deniable Π = (KeyGen,
Enc, Dec, Fake) and n = poly(k) dene the parallel self-composition Πn = (KeyGenn, Encn, Decn, Faken ) KeyGenn(1κ) = KeyGen(1κ). Encn pk(m 1 , . . . , mn; r 1 , . . . , rn) = (Encpk(m 1 ; r 1 ), . . . , Encpk(mn; rn)) Decn sk(c 1 , . . . , cn) = (Decsk(c 1 ), . . . , Decsk(cn)). Faken (sk, (c 1 , . . . , cn), (m 1 , . . . , mn)) = sk where sk 0 = sk, sk 1 ← Fake(sk 0 , c 1 , m 1 ), sk 2 ← Fake(sk 1 , c 2 , m 2 ), . . . , skn ← Fake(skn−1 , cn, mn) and skn = sk . 36 / 74

交互计算 CTIC Security of Parallel Self-Composition Lemma If Π is
ε-receiver-deniable, then Πn is nε-receiver-deniable. 37 / 74

交互计算 CTIC Security of Parallel Self-Composition Lemma If Π is
ε-receiver-deniable, then Πn is nε-receiver-deniable. Proof idea: For any adversary A = (A 1 , A 2 ) against Πn construct adversaries Bh against Π for h = 1, . . . , n so that AdvA(k) = Σn h=1 AdvBh By ε-receiver-deniability of Π AdvA(k) = Σn h=1 (ε + negl(k)) = nε + negl (k). 38 / 74

交互计算 CTIC Security of Parallel Self-Composition Bh = (Bh,1 ,
Bh,2 ) Bh,1 (pk): Output (stBh, mh, mh) where: stBh = (stA, ((m 1 , . . . , mn), (m 1 , . . . , mn)) ← A 1 (pk) 39 / 74

Bh,2 ) Bh,1 (pk): Output (stBh, mh, mh) where: stBh = (stA, ((m 1 , . . . , mn), (m 1 , . . . , mn)) ← A 1 (pk) Bh,2 (stBh, c, sk): Construct c 1 , . . . , cn and skh, . . . , skn as follows: 40 / 74

Bh,2 ) Bh,1 (pk): Output (stBh, mh, mh) where: stBh = (stA, ((m 1 , . . . , mn), (m 1 , . . . , mn)) ← A 1 (pk) Bh,2 (stBh, c, sk): Construct c 1 , . . . , cn and skh, . . . , skn as follows: For i = 1, . . . , h − 1 and sample ci ← Encpk(mi). 41 / 74

Bh,2 ) Bh,1 (pk): Output (stBh, mh, mh) where: stBh = (stA, ((m 1 , . . . , mn), (m 1 , . . . , mn)) ← A 1 (pk) Bh,2 (stBh, c, sk): Construct c 1 , . . . , cn and skh, . . . , skn as follows: For i = 1, . . . , h − 1 and sample ci ← Encpk(mi). Let skh = sk and ch = c. 42 / 74

Bh,2 ) Bh,1 (pk): Output (stBh, mh, mh) where: stBh = (stA, ((m 1 , . . . , mn), (m 1 , . . . , mn)) ← A 1 (pk) Bh,2 (stBh, c, sk): Construct c 1 , . . . , cn and skh, . . . , skn as follows: For i = 1, . . . , h − 1 and sample ci ← Encpk(mi). Let skh = sk and ch = c. For i = h + 1, . . . , n, sample ci ← Encpk(mi) and ski ← Fake(ski−1 , ci, mi). 43 / 74

Bh,2 ) Bh,1 (pk): Output (stBh, mh, mh) where: stBh = (stA, ((m 1 , . . . , mn), (m 1 , . . . , mn)) ← A 1 (pk) Bh,2 (stBh, c, sk): Construct c 1 , . . . , cn and skh, . . . , skn as follows: For i = 1, . . . , h − 1 and sample ci ← Encpk(mi). Let skh = sk and ch = c. For i = h + 1, . . . , n, sample ci ← Encpk(mi) and ski ← Fake(ski−1 , ci, mi). Output bh = b ← A 2 (stA, (c 1 , . . . , cn), skn). 44 / 74

交互计算 CTIC Security of Parallel Self-Composition Let bh be the
distribution of bh in the honest game. 45 / 74

distribution of bh in the honest game. Let bh be the distribution of bh in the faking game. 46 / 74

distribution of bh in the honest game. Let bh be the distribution of bh in the faking game. By denition AdvBh = |bh − bh| 47 / 74

distribution of bh in the honest game. Let bh be the distribution of bh in the faking game. By denition AdvBh = |bh − bh| By construction AdvA(k) = |bn − b 1 |. 48 / 74

交互计算 CTIC Security of Parallel Self-Composition Bh−1 in the Honest
Game skh ← Fake(skh−1 , ch, mh) is computed by Bh−1 . skn computed as ski ← Fake(ski−1 , ci, mi) for i = h + 1, . . . , n. 49 / 74

Game skh ← Fake(skh−1 , ch, mh) is computed by Bh−1 . skn computed as ski ← Fake(ski−1 , ci, mi) for i = h + 1, . . . , n. For Bh in the Faking Game skh ← Fake(skh−1 , ch, mh) is computed by the game (for some honest skh−1 ). skn computed as ski ← Fake(ski−1 , ci, mi) for i = h + 1, . . . , n. 50 / 74

Game skh ← Fake(skh−1 , ch, mh) is computed by Bh−1 . skn computed as ski ← Fake(ski−1 , ci, mi) for i = h + 1, . . . , n. For Bh in the Faking Game skh ← Fake(skh−1 , ch, mh) is computed by the game (for some honest skh−1 ). skn computed as ski ← Fake(ski−1 , ci, mi) for i = h + 1, . . . , n. I.e. bh−1 = bh. 51 / 74

交互计算 CTIC Security of Parallel Self-Composition Thus by triangle inequality.
52 / 74

交互计算 CTIC Security of Parallel Self-Composition Thus by triangle inequality.
AdvA(k) = |bn − b 1 | = |(bn − bn) + (bn−1 − bn−1 ) + . . . + (b 1 − b 1 )| ≤ Σn h=1 AdvBh(k) ≤ nε + negl (k). 53 / 74

交互计算 CTIC Communication Protocol Assume Π = (KeyGen, Enc, Dec,
Fake) is ε-reciever-deniable and has messages of length ≥ 1. So that Πn = (KeyGenn, Encn, Decn, Faken ) is nε-reciever-deniable and has messages of length ≥ n. 54 / 74

Fake) is ε-reciever-deniable and has messages of length ≥ 1. So that Πn = (KeyGenn, Encn, Decn, Faken ) is nε-reciever-deniable and has messages of length ≥ n. m ← {0, 1} n ( pk, sk) ← KeyGenn(1 k) c ← Encn pk(0 n; r) sk ← Faken( sk, c, m ) c = Encn pk(0 n; r) m = Decn sk ( c) ( r, sk ) 55 / 74

Fake) is ε-reciever-deniable and has messages of length ≥ 1. So that Πn = (KeyGenn, Encn, Decn, Faken ) is nε-reciever-deniable and has messages of length ≥ n. m ← {0, 1} n ( pk, sk) ← KeyGenn(1 k) c ← Encn pk(0 n; r) sk ← Faken( sk, c, m ) c = Encn pk(0 n; r) m = Decn sk ( c) ( r, sk ) By nε-receiver deniability of Πn Pr [m = m ] ≤ nε + negl(k) 56 / 74

Fake) is ε-reciever-deniable and has messages of length ≥ 1. So that Πn = (KeyGenn, Encn, Decn, Faken ) is nε-reciever-deniable and has messages of length ≥ n. m ← {0, 1} n ( pk, sk) ← KeyGenn(1 k) c ← Encn pk(0 n; r) sk ← Faken( sk, c, m ) c = Encn pk(0 n; r) m = Decn sk ( c) ( r, sk ) By nε-receiver deniability of Πn Pr [m = m ] ≤ nε + negl(k) Let rk be the randomness minimizing decryption error. 57 / 74

Fake) is ε-reciever-deniable and has messages of length ≥ 1. So that Πn = (KeyGenn, Encn, Decn, Faken ) is nε-reciever-deniable and has messages of length ≥ n. m ← {0, 1} n ( pk, sk) ← KeyGenn(1 k) c ← Encn pk(0 n; r k) sk ← Faken( sk, c, m ) c = Encn pk(0 n, r k) m = Decn sk ( c) sk By nε-receiver deniability of Πn Pr [m = m ] ≤ nε + negl(k) Let rk be the randomness minimizing decryption error. 58 / 74

交互计算 CTIC Communication Protocol We still have Pr m =
m ≤ nε + negl(k) 59 / 74

m ≤ nε + negl(k) Let σ be the length of the longest key of Πn and n = σ + 1. Then, by |sk | ≤ |m | − 1, Pr m = m ≤ 1 2 60 / 74

m ≤ nε + negl(k) Let σ be the length of the longest key of Πn and n = σ + 1. Then, by |sk | ≤ |m | − 1, Pr m = m ≤ 1 2 So ε ≥ 1 2(σ + 1) 61 / 74

交互计算 CTIC Multidistributional Receiver-Deniable Public-Key Encryption (KeyGen, KeyGen F ,
Enc, Dec, Fake): PPT algorithms KeyGen(1k): generates a honest key-pair, (pk, sk). KeyGen F (1k) : generates a fakable key-pair (pk, sk). Encpk(m; r): encrypts message m ∈ {0, 1} using randomness r. Decsk(c): decrypts ciphertext c to a message m ∈ {0, 1} . Fake(sk, c, m ): For (pk, sk) ← KeyGen F (1κ) and c ← Encpk(m), generates a fake secret key sk such that Decsk (c) = m . 63 / 74

交互计算 CTIC Multidistributional Receiver-Deniable Public-Key Encryption (KeyGen, KeyGen F ,
Enc, Dec, Fake): PPT algorithms KeyGen(1k): generates a honest key-pair, (pk, sk). KeyGen F (1k) : generates a fakable key-pair (pk, sk). Encpk(m; r): encrypts message m ∈ {0, 1} using randomness r. Decsk(c): decrypts ciphertext c to a message m ∈ {0, 1} . Fake(sk, c, m ): For (pk, sk) ← KeyGen F (1κ) and c ← Encpk(m), generates a fake secret key sk such that Decsk (c) = m . Correctness: All schemes (KeyGen∗, Enc, Dec) with KeyGen ∗ ∈ {KeyGen, KeyGen∗} are correct. 64 / 74

交互计算 CTIC Multidistributional Receiver-Deniable Public-Key Encryption Security Games For adversary
A = (A 1 , A 2 ) Honest Game Faking Game (pk, sk) ← KeyGen(1k) (pk, sk) ← KeyGen F (1k) (m, m , st) ← A 1 (pk) (m, m , st) ← A 1 (pk) c ← Encpk(m ; r) c ← Encpk(m; r) sk ← Fake(sk, c, m ) b ← A 2 (st, c, sk) b ← A 2 (st, c, sk ) (KeyGen, KeyGen F , Enc, Dec, Fake) is ε-receiver-deniable if all PPT A have distingiushing advantage AdvA(k) = negl(k) + ε. 65 / 74

交互计算 CTIC Receiver-Deniable Public-Key Encryption Let (KeyGen, KeyGen F ,
Enc, Dec, Fake) be multi-distributionally negl-receiver-deniable (KeyGen , Enc , Dec ) KeyGen (1κ): For i = 1, . . . , n generate (pki, ski) using at random either KeyGen or KeyGen F . Output (PK , SK ) = ((pki)n i=1 , (ski, ai)n i=1 ). 66 / 74

Enc, Dec, Fake) be multi-distributionally negl-receiver-deniable (KeyGen , Enc , Dec ) KeyGen (1κ): For i = 1, . . . , n generate (pki, ski) using at random either KeyGen or KeyGen F . Output (PK , SK ) = ((pki)n i=1 , (ski, ai)n i=1 ). EncPK(b): For i = 1, . . . , n, sample bi ∈ R {0, 1} so that b = ⊕ n i bi. Let ci ← Encpki (bi) and output C = (ci)n i=1 . 67 / 74

Enc, Dec, Fake) be multi-distributionally negl-receiver-deniable (KeyGen , Enc , Dec ) KeyGen (1κ): For i = 1, . . . , n generate (pki, ski) using at random either KeyGen or KeyGen F . Output (PK , SK ) = ((pki)n i=1 , (ski, ai)n i=1 ). EncPK(b): For i = 1, . . . , n, sample bi ∈ R {0, 1} so that b = ⊕ n i bi. Let ci ← Encpki (bi) and output C = (ci)n i=1 . DecSK(C ): Compute all bi = Decski (ci). Output b = n i=1 bi. 68 / 74

交互计算 CTIC Receiver-Deniable Public-Key Encryption Fake Fake (SK , C
, b ): If b = DecSK(C ) output SK . Otherwise pick random index i so that ai = 1, compute bi = Decski (ci) and let ski = Fake(ski, ci, 1 − bi) and ai = 0. For all j = i, let skj = skj and aj = aj. Output SK = (skj, aj)n j=1 . 69 / 74

, b ): If b = DecSK(C ) output SK . Otherwise pick random index i so that ai = 1, compute bi = Decski (ci) and let ski = Fake(ski, ci, 1 − bi) and ai = 0. For all j = i, let skj = skj and aj = aj. Output SK = (skj, aj)n j=1 . Distinguishing comes down to distinguishing uniformly random a 1 , . . . , an from a 1 , . . . , an where one 1 is ipped to 0. 70 / 74

, b ): If b = DecSK(C ) output SK . Otherwise pick random index i so that ai = 1, compute bi = Decski (ci) and let ski = Fake(ski, ci, 1 − bi) and ai = 0. For all j = i, let skj = skj and aj = aj. Output SK = (skj, aj)n j=1 . Distinguishing comes down to distinguishing uniformly random a 1 , . . . , an from a 1 , . . . , an where one 1 is ipped to 0. Thus (KeyGen, KeyGen F , Enc, Dec, Fake) becomes 1 √n−1 -receiver-deniable. 71 / 74

交互计算 CTIC What Do We Know? Notion Security Interaction Sender
Receiver Bi Single-Dist Negligible Interactive ? ? Public-key ? Polynomial Public-key Multi-Dist Negligible Public-key 73 / 74

交互计算 CTIC Ran Canetti, Cynthia Dwork, Moni Naor, and Rafail
Ostrovsky. Deniable encryption. In CRYPTO, pages 90104, 1997. Markus Dürmuth and David Mandell Freeman. Deniable encryption with negligible detection probability: An interactive construction. In EUROCRYPT, pages 610626, 2011. Adam O'Neill, Chris Peikert, and Brent Waters. Bi-deniable public-key encryption. In CRYPTO, pages 525542, 2011. 74 / 74

Lower and Upper Bounds for Deniable Public-Key Encryption

Lower and Upper Bounds for Deniable Public-Key Encryption

Other Decks in Science

Featured

Transcript