Lower and Upper Bounds for Deniable Public-Key Encryption

We show that (Receiver/Bi)-Deniable Public-Key Encryption is impossible with negligible detection probability, but that it can be achieved with an inverse poly detection probability.

Peter Sebastian Nordholt

November 09, 2012

Transcript

  1. Lower and Upper Bounds for Deniable Public-Key Encryption

    Rikke Bendlin (1), Jesper Buus Nielsen (1), Peter Sebastian Nordholt (1), Claudio Orlandi (2)
    (1) Aarhus University, Denmark; (2) Bar-Ilan University, Israel
    September 7, 2012
  4. Public-Key Encryption

    Diagram: pk, m = "Want to come to my party?"; $(pk, sk) \leftarrow \mathrm{KeyGen}(1^k)$; $c = \mathrm{Enc}_{pk}(m)$; $m = \mathrm{Dec}_{sk}(c)$; Eve: pk, c.
    Passive Adversary: Eve only listens to communication.
    Security: Eve does not learn anything about m without sk.
  9. Public-Key Encryption

    Diagram: pk, m = "Want to come to my party?"; $(pk, sk) \leftarrow \mathrm{KeyGen}(1^k)$; $c = \mathrm{Enc}_{pk}(m)$; $m = \mathrm{Dec}_{sk}(c)$; Eve: pk, c, sk, $m = \mathrm{Dec}_{sk}(c)$.
    Coercing Adversary: Eve can threaten Bob to give his secret key.
  14. Public-Key Encryption (Receiver-Deniable Encryption)

    Diagram: pk, m = "Want to come to my party?"; $(pk, sk) \leftarrow \mathrm{KeyGen}(1^k)$; $c = \mathrm{Enc}_{pk}(m)$; $m = \mathrm{Dec}_{sk}(c)$; $m'$ = "Cryptography is cool!"; Eve: pk, c, $sk'$, $m' = \mathrm{Dec}_{sk'}(c)$.
    Coercing Adversary: Eve can threaten Bob to give his secret key.
    Security: Eve can not detect that Bob is cheating.
  19. Related Work

    [CDNO97]: sender-deniable public-key encryption and interactive receiver-deniable encryption with inverse-polynomial detection probability.
    [OPW11]: multi-distributional (sender/receiver/bi)-deniable public-key encryption with negligible detection probability.
    [DF11]: interactive sender-deniable encryption with negligible detection probability ... faulty proof.
  22. Our Work

    We looked for deniable public-key encryption with negligible detection probability.
    Receiver/Bi-deniable public-key encryption is impossible with negligible detection probability.
    Constructions of receiver/bi-deniable public-key encryption with inverse-polynomial detection probability.
  23. Overview

    1 Intro
    2 Receiver-Deniable Public-Key Encryption
    3 Negligible Detection Probability
    4 Inverse Polynomial Detection Probability
    5 Last Slide
  26. Receiver-Deniable Public-Key Encryption

    For security parameter $k$. (KeyGen, Enc, Dec, Fake): PPT algorithms.
    $\mathrm{KeyGen}(1^k)$: generates an honest key pair $(pk, sk)$.
    $\mathrm{Enc}_{pk}(m; r)$: encrypts message $m \in \{0, 1\}$ using public key $pk$ and randomness $r$.
    $\mathrm{Dec}_{sk}(c)$: decrypts ciphertext $c$ to a message $m \in \{0, 1\}$.
    $\mathrm{Fake}(sk, c, m')$: generates a fake secret key $sk'$ so that $\mathrm{Dec}_{sk'}(c) = m'$.
    $sk \overset{\mathrm{def}}{=}$ randomness of KeyGen.
    Correctness: $\Pr[\mathrm{Dec}_{sk}(\mathrm{Enc}_{pk}(m)) = m] = 1 - \mathrm{negl}(k)$.
  28. Receiver Deniable Public-Key Encryption Security Games

    For adversary $A = (A_1, A_2)$:
    Honest Game: $(pk, sk) \leftarrow \mathrm{KeyGen}(1^k)$; $(m, m', st) \leftarrow A_1(pk)$; $c \leftarrow \mathrm{Enc}_{pk}(m'; r)$; $b \leftarrow A_2(st, c, sk)$.
    Faking Game: $(pk, sk) \leftarrow \mathrm{KeyGen}(1^k)$; $(m, m', st) \leftarrow A_1(pk)$; $c \leftarrow \mathrm{Enc}_{pk}(m; r)$; $sk' \leftarrow \mathrm{Fake}(sk, c, m')$; $b \leftarrow A_2(st, c, sk')$.
    (KeyGen, Enc, Dec, Fake) is $\varepsilon$-receiver deniable if all PPT $A$ have distinguishing advantage $\mathrm{Adv}_A(k) = \mathrm{negl}(k) + \varepsilon$.
  31. Theorem

    Let $\Pi$ = (KeyGen, Enc, Dec, Fake) be $\varepsilon$-receiver deniable, and $\sigma$ be an upper bound on the length of the secret keys. Then $\varepsilon \ge \frac{1}{2(\sigma + 1)} - \mathrm{negl}(k)$.
    I.e. for $\varepsilon = \mathrm{negl}(k)$, $\sigma$ must be super-polynomial.
  33. Parallel Self-Composition

    For any receiver-deniable $\Pi$ = (KeyGen, Enc, Dec, Fake) and $n = \mathrm{poly}(k)$ define the parallel self-composition $\Pi^n = (\mathrm{KeyGen}^n, \mathrm{Enc}^n, \mathrm{Dec}^n, \mathrm{Fake}^n)$:
    $\mathrm{KeyGen}^n(1^\kappa) = \mathrm{KeyGen}(1^\kappa)$.
    $\mathrm{Enc}^n_{pk}(m_1, \ldots, m_n; r_1, \ldots, r_n) = (\mathrm{Enc}_{pk}(m_1; r_1), \ldots, \mathrm{Enc}_{pk}(m_n; r_n))$.
    $\mathrm{Dec}^n_{sk}(c_1, \ldots, c_n) = (\mathrm{Dec}_{sk}(c_1), \ldots, \mathrm{Dec}_{sk}(c_n))$.
    $\mathrm{Fake}^n(sk, (c_1, \ldots, c_n), (m'_1, \ldots, m'_n)) = sk'$ where $sk_0 = sk$, $sk_1 \leftarrow \mathrm{Fake}(sk_0, c_1, m'_1)$, $sk_2 \leftarrow \mathrm{Fake}(sk_1, c_2, m'_2)$, ..., $sk_n \leftarrow \mathrm{Fake}(sk_{n-1}, c_n, m'_n)$ and $sk_n = sk'$.
  35. Security of Parallel Self-Composition

    Lemma: If $\Pi$ is $\varepsilon$-receiver-deniable, then $\Pi^n$ is $n\varepsilon$-receiver-deniable.
    Proof idea: For any adversary $A = (A_1, A_2)$ against $\Pi^n$ construct adversaries $B_h$ against $\Pi$ for $h = 1, \ldots, n$ so that $\mathrm{Adv}_A(k) = \sum_{h=1}^{n} \mathrm{Adv}_{B_h}$.
    By $\varepsilon$-receiver-deniability of $\Pi$: $\mathrm{Adv}_A(k) = \sum_{h=1}^{n} (\varepsilon + \mathrm{negl}(k)) = n\varepsilon + \mathrm{negl}'(k)$.
  41. Security of Parallel Self-Composition

    $B_h = (B_{h,1}, B_{h,2})$
    $B_{h,1}(pk)$: Output $(st_{B_h}, m_h, m'_h)$ where $st_{B_h} = (st_A, (m_1, \ldots, m_n), (m'_1, \ldots, m'_n)) \leftarrow A_1(pk)$.
    $B_{h,2}(st_{B_h}, c, sk)$: Construct $c_1, \ldots, c_n$ and $sk_h, \ldots, sk_n$ as follows:
    For $i = 1, \ldots, h - 1$, sample $c_i \leftarrow \mathrm{Enc}_{pk}(m'_i)$.
    Let $sk_h = sk$ and $c_h = c$.
    For $i = h + 1, \ldots, n$, sample $c_i \leftarrow \mathrm{Enc}_{pk}(m_i)$ and $sk_i \leftarrow \mathrm{Fake}(sk_{i-1}, c_i, m'_i)$.
    Output $b_h = b \leftarrow A_2(st_A, (c_1, \ldots, c_n), sk_n)$.
  45. Security of Parallel Self-Composition

    Let $b_h$ be the distribution of $b_h$ in the honest game.
    Let $b'_h$ be the distribution of $b_h$ in the faking game.
    By definition $\mathrm{Adv}_{B_h} = |b_h - b'_h|$.
    By construction $\mathrm{Adv}_A(k) = |b_n - b'_1|$.
  48. Security of Parallel Self-Composition

    $B_{h-1}$ in the Honest Game: $sk_h \leftarrow \mathrm{Fake}(sk_{h-1}, c_h, m'_h)$ is computed by $B_{h-1}$. $sk_n$ computed as $sk_i \leftarrow \mathrm{Fake}(sk_{i-1}, c_i, m'_i)$ for $i = h + 1, \ldots, n$.
    For $B_h$ in the Faking Game: $sk_h \leftarrow \mathrm{Fake}(sk_{h-1}, c_h, m'_h)$ is computed by the game (for some honest $sk_{h-1}$). $sk_n$ computed as $sk_i \leftarrow \mathrm{Fake}(sk_{i-1}, c_i, m'_i)$ for $i = h + 1, \ldots, n$.
    I.e. $b_{h-1} = b'_h$.
  49. Security of Parallel Self-Composition

    Thus by triangle inequality:
    $\mathrm{Adv}_A(k) = |b_n - b'_1| = |(b_n - b'_n) + (b_{n-1} - b'_{n-1}) + \ldots + (b_1 - b'_1)| \le \sum_{h=1}^{n} \mathrm{Adv}_{B_h}(k) \le n\varepsilon + \mathrm{negl}'(k)$.
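  53. Communication Protocol

    Assume $\Pi$ = (KeyGen, Enc, Dec, Fake) is $\varepsilon$-receiver-deniable and has messages of length $\ge 1$, so that $\Pi^n = (\mathrm{KeyGen}^n, \mathrm{Enc}^n, \mathrm{Dec}^n, \mathrm{Fake}^n)$ is $n\varepsilon$-receiver-deniable and has messages of length $\ge n$.
    Sender: $m' \leftarrow \{0, 1\}^n$; $(pk, sk) \leftarrow \mathrm{KeyGen}^n(1^k)$; $c \leftarrow \mathrm{Enc}^n_{pk}(0^n; r)$; $sk' \leftarrow \mathrm{Fake}^n(sk, c, m')$.
    Message sent: $(r, sk')$.
    Receiver: $c = \mathrm{Enc}^n_{pk}(0^n; r)$; $m'' = \mathrm{Dec}^n_{sk'}(c)$.
    By $n\varepsilon$-receiver deniability of $\Pi^n$: $\Pr[m' \ne m''] \le n\varepsilon + \mathrm{negl}(k)$.
    Let $r_k$ be the randomness minimizing decryption error.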
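  54. Communication Protocol

    Assume $\Pi$ = (KeyGen, Enc, Dec, Fake) is $\varepsilon$-receiver-deniable and has messages of length $\ge 1$, so that $\Pi^n = (\mathrm{KeyGen}^n, \mathrm{Enc}^n, \mathrm{Dec}^n, \mathrm{Fake}^n)$ is $n\varepsilon$-receiver-deniable and has messages of length $\ge n$.
    Sender: $m' \leftarrow \{0, 1\}^n$; $(pk, sk) \leftarrow \mathrm{KeyGen}^n(1^k)$; $c \leftarrow \mathrm{Enc}^n_{pk}(0^n; r_k)$; $sk' \leftarrow \mathrm{Fake}^n(sk, c, m')$.
    Message sent: $sk'$.
    Receiver: $c = \mathrm{Enc}^n_{pk}(0^n; r_k)$; $m'' = \mathrm{Dec}^n_{sk'}(c)$.
    By $n\varepsilon$-receiver deniability of $\Pi^n$: $\Pr[m' \ne m''] \le n\varepsilon + \mathrm{negl}(k)$.
    Let $r_k$ be the randomness minimizing decryption error.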
  56. Communication Protocol

    We still have $\Pr[m' \ne m''] \le n\varepsilon + \mathrm{negl}(k)$.
    Let $\sigma$ be the length of the longest key of $\Pi^n$ and $n = \sigma + 1$.
    Then, by $|sk'| \le |m'| - 1$, $\Pr[m' = m''] \le \frac{1}{2}$.
    So $\varepsilon \ge \frac{1}{2(\sigma + 1)}$.
  59. Multidistributional Receiver-Deniable Public-Key Encryption

    $(\mathrm{KeyGen}, \mathrm{KeyGen}_F, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Fake})$: PPT algorithms.
    $\mathrm{KeyGen}(1^k)$: generates an honest key pair $(pk, sk)$.
    $\mathrm{KeyGen}_F(1^k)$: generates a fakable key pair $(pk, sk)$.
    $\mathrm{Enc}_{pk}(m; r)$: encrypts message $m \in \{0, 1\}$ using randomness $r$.
    $\mathrm{Dec}_{sk}(c)$: decrypts ciphertext $c$ to a message $m \in \{0, 1\}$.
    $\mathrm{Fake}(sk, c, m')$: For $(pk, sk) \leftarrow \mathrm{KeyGen}_F(1^\kappa)$ and $c \leftarrow \mathrm{Enc}_{pk}(m)$, generates a fake secret key $sk'$ such that $\mathrm{Dec}_{sk'}(c) = m'$.
    Correctness: All schemes $(\mathrm{KeyGen}^*, \mathrm{Enc}, \mathrm{Dec})$ with $\mathrm{KeyGen}^* \in \{\mathrm{KeyGen}, \mathrm{KeyGen}_F\}$ are correct.
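  60. Multidistributional Receiver-Deniable Public-Key Encryption Security Games

    For adversary $A = (A_1, A_2)$:
    Honest Game: $(pk, sk) \leftarrow \mathrm{KeyGen}(1^k)$; $(m, m', st) \leftarrow A_1(pk)$; $c \leftarrow \mathrm{Enc}_{pk}(m'; r)$; $b \leftarrow A_2(st, c, sk)$.
    Faking Game: $(pk, sk) \leftarrow \mathrm{KeyGen}_F(1^k)$; $(m, m', st) \leftarrow A_1(pk)$; $c \leftarrow \mathrm{Enc}_{pk}(m; r)$; $sk' \leftarrow \mathrm{Fake}(sk, c, m')$; $b \leftarrow A_2(st, c, sk')$.
    $(\mathrm{KeyGen}, \mathrm{KeyGen}_F, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Fake})$ is $\varepsilon$-receiver-deniable if all PPT $A$ have distinguishing advantage $\mathrm{Adv}_A(k) = \mathrm{negl}(k) + \varepsilon$.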
  63. Receiver-Deniable Public-Key Encryption

    Let $(\mathrm{KeyGen}, \mathrm{KeyGen}_F, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Fake})$ be multi-distributionally negl-receiver-deniable. $(\mathrm{KeyGen}', \mathrm{Enc}', \mathrm{Dec}')$:
    $\mathrm{KeyGen}'(1^\kappa)$: For $i = 1, \ldots, n$ generate $(pk_i, sk_i)$ using at random either $\mathrm{KeyGen}$ or $\mathrm{KeyGen}_F$. Output $(PK, SK) = ((pk_i)_{i=1}^{n}, (sk_i, a_i)_{i=1}^{n})$.
    $\mathrm{Enc}'_{PK}(b)$: For $i = 1, \ldots, n$, sample $b_i \in_R \{0, 1\}$ so that $b = \bigoplus_{i=1}^{n} b_i$. Let $c_i \leftarrow \mathrm{Enc}_{pk_i}(b_i)$ and output $C = (c_i)_{i=1}^{n}$.
    $\mathrm{Dec}'_{SK}(C)$: Compute all $b_i = \mathrm{Dec}_{sk_i}(c_i)$. Output $b = \bigoplus_{i=1}^{n} b_i$.
  66. Receiver-Deniable Public-Key Encryption

    Fake
    $\mathrm{Fake}'(SK, C, b')$: If $b' = \mathrm{Dec}'_{SK}(C)$ output $SK$. Otherwise pick random index $i$ so that $a_i = 1$, compute $b_i = \mathrm{Dec}_{sk_i}(c_i)$ and let $sk'_i = \mathrm{Fake}(sk_i, c_i, 1 - b_i)$ and $a'_i = 0$. For all $j \ne i$, let $sk'_j = sk_j$ and $a'_j = a_j$. Output $SK' = (sk'_j, a'_j)_{j=1}^{n}$.
    Distinguishing comes down to distinguishing uniformly random $a_1, \ldots, a_n$ from $a'_1, \ldots, a'_n$ where one 1 is flipped to 0.
    Thus $(\mathrm{KeyGen}, \mathrm{KeyGen}_F, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Fake})$ becomes $\frac{1}{\sqrt{n-1}}$-receiver-deniable.
  68. What Do We Know?

    Table columns: Notion, Security, Interaction, Sender, Receiver, Bi
    Single-Dist, Negligible, Interactive: ? ?
    Public-key: ?
    Polynomial, Public-key
    Multi-Dist, Negligible, Public-key
  69. [CDNO97] Ran Canetti, Cynthia Dwork, Moni Naor, and Rafail Ostrovsky. Deniable encryption. In CRYPTO, pages 90-104, 1997.

    [DF11] Markus Dürmuth and David Mandell Freeman. Deniable encryption with negligible detection probability: An interactive construction. In EUROCRYPT, pages 610-626, 2011.
    [OPW11] Adam O'Neill, Chris Peikert, and Brent Waters. Bi-deniable public-key encryption. In CRYPTO, pages 525-542, 2011.
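
The last step of the construction (slide 66) reduces detection to telling uniformly random flags a_1, ..., a_n apart from flags where one 1 has been flipped to 0. The Python below is an added example, not code from the deck or the paper, that computes this statistical distance exactly. It assumes the flags are independent uniform bits, that the flipped index is uniform among the flags set to 1, and that the all-zero vector (nothing left to flip) counts as a visible failure; all function names are hypothetical.

```python
from fractions import Fraction
from itertools import product
from math import comb

FAIL = "no-fakeable-key"  # assumed outcome when every a_i is 0, so nothing can be flipped


def _distance(p, q):
    """Statistical distance between two finite distributions given as dicts."""
    return sum(abs(p.get(x, 0) - q.get(x, 0)) for x in set(p) | set(q)) / 2


def weight_distance(n):
    """Distance between honest and faked flag vectors, computed on Hamming weights."""
    total = 2 ** n
    honest = {w: Fraction(comb(n, w), total) for w in range(n + 1)}
    # A vector of weight w >= 1 ends at weight w - 1 after one 1 is flipped to 0.
    faked = {w - 1: Fraction(comb(n, w), total) for w in range(1, n + 1)}
    faked[FAIL] = Fraction(1, total)
    return _distance(honest, faked)


def exhaustive_distance(n):
    """Same distance over full vectors, by enumerating all 2^n flag settings."""
    total = 2 ** n
    honest, faked = {}, {}
    for a in product((0, 1), repeat=n):
        honest[a] = Fraction(1, total)
        ones = [i for i, bit in enumerate(a) if bit]
        if not ones:
            faked[FAIL] = Fraction(1, total)
            continue
        for i in ones:  # the index is picked uniformly among flags set to 1
            flipped = a[:i] + (0,) + a[i + 1:]
            faked[flipped] = faked.get(flipped, 0) + Fraction(1, total * len(ones))
    return _distance(honest, faked)


def keys_needed(epsilon):
    """Smallest n for which the flag-vector distance is at most epsilon."""
    n = 1
    while weight_distance(n) > epsilon:
        n += 1
    return n


if __name__ == "__main__":
    for n in (4, 16, 64, 256):
        d = weight_distance(n)
        # The last column stays near 0.8, i.e. the distance shrinks like 1/sqrt(n).
        print(n, float(d), float(d) * n ** 0.5)
```

Under these assumptions the distance works out to C(n, ⌊n/2⌋)/2^n, roughly sqrt(2/(πn)), so it is inverse-polynomial in the number of key pairs and never negligible for polynomial n.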