New Practical Public-Key Deniable Encryption

Abstract

The primitive of deniable encryption aims to protect the privacy of communicated data in the scenario of coercion by allowing the sender (or receiver or both of them) to open the ciphertext transmitted into a different message. There are two types of deniability, namely, multi-distributional deniability and full deniability, and the later provides better security guarantees than the former one. However, all existing schemes under the framework of full deniability are less efficient. In this paper, we first propose a new public key encryption scheme in which the ciphertexts could be decrypted by the receiver depending on the decision of the sender. Additionally, building on this encryption, we construct a new public-key sender-deniable encryption scheme under the framework of full deniability. Compared with Canetti et al.’s party scheme, the proposed scheme is superior in both efficiency andeniability.

Appendices

Appendix A. Proof of Theorem 4

Proof

Suppose there exists an adversary \(\mathcal {A}\) who breaks the semantic security of the proposed scheme with a non-negligible advantage \(\varepsilon \), and we can construct an adversary \(\mathcal {B}\) to break the semantic security of the PKE-CD scheme with a non-negligible advantage \(Adv^{\mathcal {B},se}_{\mathrm {PKE-CD}}=\varepsilon \). Let \(\mathrm {\Pi }\)=(KeyGen, Encrypt, Decrypt, Fake) be a PKE-CD scheme, and let \((pk,sk)\leftarrow \mathbf {KeyGen}(1^{\lambda })\). Given as input pk and other public parameters f and n. \(\mathcal {B}\) works as follows.

• Setup. \(\mathcal {B}\) sets the public key \(PK=(pk,f,n)\) and gives PK to \(\mathcal {A}\).

• Challenge. \(\mathcal {A}\) submits two different messages \(m_{0},m_{1}\in \mathcal {M}\) to \(\mathcal {B}\), \(\mathcal {B}\) then sends them to the challenger. The challenger flips a coin \(b\in \{0,1\}\), randomly selects a random input \(r\in \varOmega _{1}\), and outputs a challenge ciphertext \(c\leftarrow \mathbf {Encrypt}(pk,m_{b},1,r)\) to \(\mathcal {B}\). Then \(\mathcal {B}\) choose a random \(e\in X_{n}\), for \(1\le i\le n\), \(i\ne f(e)\), randomly selects \(m_{i}\in \mathcal {M}\), \(r_{i}\in \varOmega _{e_{i}}\), it produces ciphertexts \(c_{n},c_{n-1},...,c_{f(e)+1},c_{f(e)-1},...,c_{1}\) by running algorithm Encrypt, and returns \(c=(c_{n},c_{n-1},...,c_{f(e)+1},c,c_{f(e)-1},...,c_{1})\) to \(\mathcal {A}\) as a challenge.

• Guess. \(\mathcal {A}\) outputs its guess \(b'\in \{0,1\}\), \(\mathcal {B}\) then also outputs \(b'\).

It is easy to see that the adversary \(\mathcal {B}\)’s advantage of breaking PKE-CD scheme’s sematic security is equal to the adversary \(\mathcal {A}\)’s advantage of breaking the sematic security of the proposed scheme, i.e., \(Adv^{\mathcal {B},se}_{\mathbf {PKE-CD}}=\varepsilon \).

Appendix B. Proof of Theorem 5

Proof

Suppose \(\mathrm {\Pi }\) is \(\varepsilon (\lambda )\)-half-deniable, \(X_{n}\) and \(Y_{n}(f)\) are \(\delta (n)\)-close for a random \(f\in \mathcal {F}_{n}\). Given any encrypted and fake messages \(m,m'\in \mathcal {M}\), random inputs \(\mathbb {R}\) and \(\mathbb {R}'\). Let \((PK, SK)\leftarrow \mathbf {Gen}(1^{n})\) where \(PK=(pk,f,n)\), \(c\leftarrow \mathbf {Enc}(PK,m,\mathbb {R})\), \(c'\leftarrow \mathbf {Enc}(PK,m',\mathbb {R}')\), and \(\mathbb {R}''\leftarrow \mathbf {Fake}(PK,m,\mathbb {R},m')\). Next, we define four probability distributions \(\mathcal {R}_{n}^{1}\), \(\mathcal {R}_{n}^{2}\), \(\mathcal {R}_{n}^{3}\) and \(\mathcal {R}_{n}^{4}\) via series of hybrid games which is a common technique in security analysis [29, 30].

• Game \(G_{1}\): Pick \(e'=(e_{n},e_{n-1},...,e_{1})\in X_{n}\) at random, compute \(k'=f(e')\). Then randomly choose \(m'_{i}\in \mathcal {M}\) for \(1\le i\le n, i\ne k'\), select \(r'_{i}\in \varOmega _{e_{i}}\) for \(1\le i\le n\), and generate \(\mathbb {R}'=(e',m'_{n},...,m'_{k'+1},m'_{k'-1},...,m'_{1},r'_{n},r'_{n-1}, ...,r'_{1})\). Finally, the game outputs the distribution \(\mathcal {R}_{n}^{1}=\{\mathbb {R}'\}\).

• Game \(G_{2}\): Pick \(e'=(e_{n},e_{n-1},...,e_{1})\) at random from a different distribution \(Y_{n}(f)\), compute \(k'=f(e')\). Then randomly choose \(m'_{i}\) and \(r'_{i}\) as before, produce \(\mathbb {R}'=(e',m'_{n},...,m'_{k'+1},m'_{k'-1},...,m'_{1}, r'_{n},r'_{n-1},...,r'_{1})\). Finally the game outputs the distribution \(\mathcal {R}_{n}^{2}=\{\mathbb {R}'\}\).

• Game \(G_{3}\): Pick \(e=(e_{n},e_{n-1},...,e_{1})\in X_{n}\) at random, compute \(k=f(e)\), set \(e''=(e_{n},...e_{k+1},0,e_{k-1},...,e_{1})\) and compute \(k''=f(e'')\), randomly choose \(m''_{i}\in \mathcal {M}\) for \(1\le i\le n, i\ne k''\), select \(r''_{i}\in \varOmega _{e_{i}}\) for \(1\le i\le n\), and create \(\mathbb {R}''=(e'',m''_{n},...,m''_{k''+1},m''_{k''-1},...,m''_{1}, r''_{n},r''_{n-1},...,r''_{1})\). Finally the game outputs the distribution \(\mathcal {R}_{n}^{3}=\{\mathbb {R}''\}\).

• Game \(G_{4}\): Obtain \(e, k, e''\) and \(k''\) as before. For \(i=k\), set \(m_{k}\leftarrow m\), then randomly choose \(r_{k}\in \varOmega _{1}, m_{k}''\in \mathcal {M}\), produce \(r''_{k}\leftarrow \mathbf {Fake}(pk,m_{k},r_{k},m_{k}'')\). For \(i=k''\), randomly select \(r_{k''}\in \varOmega _{1}\). While for \(1\le i\le n\), \(i\ne k, i\ne k''\), randomly choose \(m_{i}\in \mathcal {M}\), \(r_{i}\in \varOmega _{e_{i}}\). Let \(m_{i}''\leftarrow m_{i}\), \(r_{i}''\leftarrow r_{i}\), for \(1\le i\le n, i\ne k\), and generate \(\mathbb {R}''=(e'',m''_{n},...,m''_{k''+1},m''_{k''-1},...,m''_{1}, r''_{n},r''_{n-1},...,r''_{1})\). Finally the game outputs the distribution \(\mathcal {R}_{n}^{4}=\{\mathbb {R}''\}\).

It clear that the Game \(G_{1}\) and Game \(G_{2}\) are indistinguishable except that the bit string \(e'\) comes from different distributions \(X_{n}\) and \(Y_{n}(f)\), therefore, \(\mathcal {R}_{n}^{1}\) and \(\mathcal {R}_{n}^{2}\) are \(\delta (n)\)-close. It follows directly that the output distributions of Game \(G_{2}\) and Game \(G_{3}\) are the same from the definition of \(Y_{n}(f)\). We see that the only difference between Game \(G_{3}\) and Game \(G_{4}\) is the distributions of \(r_{k}''\), according to the half-deniability of \(\mathrm {\Pi }\), we know that \(\mathcal {R}_{n}^{3}\) and \(\mathcal {R}_{n}^{4}\) are \(\varepsilon (\lambda )\)-close. Taken altogether results above, we immediately get \(\mathcal {R}_{n}^{1}\) and \(\mathcal {R}_{n}^{4}\) are \(\varepsilon (\lambda )+\delta (n)\)-close. Next, we consider the random variables \((m',\mathbb {R}', c')\) and \((m',\mathbb {R}'',c)\), it is not hard to see that the random inputs \(\mathbb {R}'\) and \(\mathbb {R}''\) belong to distribution \(\mathcal {R}_{n}^{1}\) and distribution \(\mathcal {R}_{n}^{4}\), respectively. Since \(c'\leftarrow \mathbf {Enc}(PK,m',\mathbb {R}')\), \(c\leftarrow \mathbf {Enc}(PK,m',\mathbb {R}'')\), it immediately follows that the random variables \((m',\mathbb {R}',c')\) and \((m',\mathbb {R}'',c)\) are \(\varepsilon (\lambda )+\delta (n)\)-close. In [6], Canetti et al. omitted the negligible quantity when they estimated their scheme’s deniability, and we also omit the negligible quantity \(\varepsilon (\lambda )\) in our scheme. This completes the proof.