Abstract
The primitive of deniable encryption aims to protect the privacy of communicated data in the scenario of coercion by allowing the sender (or receiver or both of them) to open the ciphertext transmitted into a different message. There are two types of deniability, namely, multi-distributional deniability and full deniability, and the later provides better security guarantees than the former one. However, all existing schemes under the framework of full deniability are less efficient. In this paper, we first propose a new public key encryption scheme in which the ciphertexts could be decrypted by the receiver depending on the decision of the sender. Additionally, building on this encryption, we construct a new public-key sender-deniable encryption scheme under the framework of full deniability. Compared with Canetti et al.’s party scheme, the proposed scheme is superior in both efficiency andeniability.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Howlader, J., Roy, S.K., Mal, A.K.: Practical receipt-free sealed-bid auction in the coercive environment. In: Lee, H.-S., Han, D.-G. (eds.) ICISC 2013. LNCS, vol. 8565, pp. 418–434. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12160-4_25
Chen, X., Lee, B., Kim, K.: Receipt-free electronic auction schemes using homomorphic encryption. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 259–273. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24691-6_20
Cramer, R., Gennaro, R., Schoenmakers, B.: A secure and optimally efficient multi-authority election scheme. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 103–118. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_9
Hirt, M., Sako, K.: Efficient receipt-free voting based on homomorphic encryption. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 539–556. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_38
Chi, P., Lei, C.: Audit-free cloud storage via deniable attribute-based encryption. IEEE Trans. Cloud Comput. 6(2), 414–427 (2018)
Canetti, R., Dwork, C., Naor, M., Ostrovsky, R.: Deniable encryption. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 90–104. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052229
Dachman-Soled, D., Liu, F.-H., Zhou, H.-S.: Leakage-resilient circuits revisited – optimal number of computing components without leak-free hardware. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 131–158. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_5
Canetti, R., Feige, U., Goldreich, O., Naor, M.: Adaptively secure multi-party computation. In: Miller, G.L. (ed.) STOC 1996, pp. 639–648. ACM (1996)
Canetti, R., Goldwasser, S., Poburinnaya, O.: Adaptively secure two-party computation from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 557–585. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_22
Garg, S., Polychroniadou, A.: Two-round adaptively secure MPC from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 614–637. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_24
Dachman-Soled, D., Katz, J., Rao, V.: Adaptively secure, universally composable, multiparty computation in constant rounds. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 586–613. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_23
Klonowski, M., Kubiak, P., Kutyłowski, M.: Practical deniable encryption. In: Geffert, V., Karhumäki, J., Bertoni, A., Preneel, B., Návrat, P., Bieliková, M. (eds.) SOFSEM 2008. LNCS, vol. 4910, pp. 599–609. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-77566-9_52
Ibrahim, M.H.: A method for obtaining deniable public-key encryption. I. J. Netw. Secur. 8(1), 1–9 (2009)
O’Neill, A., Peikert, C., Waters, B.: Bi-deniable public-key encryption. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 525–542. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_30
Bendlin, R., Nielsen, J.B., Nordholt, P.S., Orlandi, C.: Lower and upper bounds for deniable public-key encryption. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 125–142. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_7
Dürmuth, M., Freeman, D.M.: Deniable encryption with negligible detection probability: an interactive construction. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 610–626. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_33
Dürmuth, M., Freeman, D.M.: Deniable encryption with negligible detection probability: an interactive construction. IACR Cryptology ePrint Archive 2011, 66 (2011)
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) STOC 2014, pp. 475–484. ACM (2014)
Canetti, R., Park, S., Poburinnaya, O.: Fully bideniable interactive encryption. IACR Cryptology ePrint Archive 2018, 1244 (2018)
Goldreich, O.: Foundations of Cryptography: Basic Tools. 2001. Press Syndicate of the University of Cambridge (2001)
Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_18
Gjøsteen, K.: Homomorphic cryptosystems based on subgroup membership problems. In: Dawson, E., Vaudenay, S. (eds.) Mycrypt 2005. LNCS, vol. 3715, pp. 314–327. Springer, Heidelberg (2005). https://doi.org/10.1007/11554868_22
Nieto, J.M.G., Boyd, C., Dawson, E.: A public key cryptosystem based on a subgroup membership problem. Des. Codes Cryptogr. 36(3), 301–316 (2005)
Armknecht, F., Katzenbeisser, S., Peter, A.: Group homomorphic encryption: characterizations, impossibility results, and applications. Des. Codes Cryptogr. 67(2), 209–232 (2013)
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14
Wei, J., Chen, X., Wang, J., Hu, X., Ma, J.: Forward-secure puncturable identity-based encryption for securing cloud emails. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 134–150. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_7
Barbosa, M., Farshim, P.: On the semantic security of functional encryption schemes. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 143–161. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_10
Pollard, J.M.: Monte Carlo methods for index computation (MODP). Math. Comput. 32(143), 918–924 (1978)
Zhang, Z., Wang, J., Wang, Y., Su, Y., Chen, X.: Towards efficient verifiable forward secure searchable symmetric encryption. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 304–321. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_15
Hanzlik, L., Kutyłowski, M.: Chip authentication for E-passports: PACE with chip authentication mapping v2. In: Bishop, M., Nascimento, A.C.A. (eds.) ISC 2016. LNCS, vol. 9866, pp. 115–129. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45871-7_8
Acknowledgement
This work is supported by the National Key Research and Development Program of China (No. 2018YFB0804105), and the National Cryptography Development Fund (No. MMJJ20180110).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Appendix A. Proof of Theorem 4
Proof
Suppose there exists an adversary \(\mathcal {A}\) who breaks the semantic security of the proposed scheme with a non-negligible advantage \(\varepsilon \), and we can construct an adversary \(\mathcal {B}\) to break the semantic security of the PKE-CD scheme with a non-negligible advantage \(Adv^{\mathcal {B},se}_{\mathrm {PKE-CD}}=\varepsilon \). Let \(\mathrm {\Pi }\)=(KeyGen, Encrypt, Decrypt, Fake) be a PKE-CD scheme, and let \((pk,sk)\leftarrow \mathbf {KeyGen}(1^{\lambda })\). Given as input pk and other public parameters f and n. \(\mathcal {B}\) works as follows.
-
Setup. \(\mathcal {B}\) sets the public key \(PK=(pk,f,n)\) and gives PK to \(\mathcal {A}\).
-
Challenge. \(\mathcal {A}\) submits two different messages \(m_{0},m_{1}\in \mathcal {M}\) to \(\mathcal {B}\), \(\mathcal {B}\) then sends them to the challenger. The challenger flips a coin \(b\in \{0,1\}\), randomly selects a random input \(r\in \varOmega _{1}\), and outputs a challenge ciphertext \(c\leftarrow \mathbf {Encrypt}(pk,m_{b},1,r)\) to \(\mathcal {B}\). Then \(\mathcal {B}\) choose a random \(e\in X_{n}\), for \(1\le i\le n\), \(i\ne f(e)\), randomly selects \(m_{i}\in \mathcal {M}\), \(r_{i}\in \varOmega _{e_{i}}\), it produces ciphertexts \(c_{n},c_{n-1},...,c_{f(e)+1},c_{f(e)-1},...,c_{1}\) by running algorithm Encrypt, and returns \(c=(c_{n},c_{n-1},...,c_{f(e)+1},c,c_{f(e)-1},...,c_{1})\) to \(\mathcal {A}\) as a challenge.
-
Guess. \(\mathcal {A}\) outputs its guess \(b'\in \{0,1\}\), \(\mathcal {B}\) then also outputs \(b'\).
It is easy to see that the adversary \(\mathcal {B}\)’s advantage of breaking PKE-CD scheme’s sematic security is equal to the adversary \(\mathcal {A}\)’s advantage of breaking the sematic security of the proposed scheme, i.e., \(Adv^{\mathcal {B},se}_{\mathbf {PKE-CD}}=\varepsilon \).
Appendix B. Proof of Theorem 5
Proof
Suppose \(\mathrm {\Pi }\) is \(\varepsilon (\lambda )\)-half-deniable, \(X_{n}\) and \(Y_{n}(f)\) are \(\delta (n)\)-close for a random \(f\in \mathcal {F}_{n}\). Given any encrypted and fake messages \(m,m'\in \mathcal {M}\), random inputs \(\mathbb {R}\) and \(\mathbb {R}'\). Let \((PK, SK)\leftarrow \mathbf {Gen}(1^{n})\) where \(PK=(pk,f,n)\), \(c\leftarrow \mathbf {Enc}(PK,m,\mathbb {R})\), \(c'\leftarrow \mathbf {Enc}(PK,m',\mathbb {R}')\), and \(\mathbb {R}''\leftarrow \mathbf {Fake}(PK,m,\mathbb {R},m')\). Next, we define four probability distributions \(\mathcal {R}_{n}^{1}\), \(\mathcal {R}_{n}^{2}\), \(\mathcal {R}_{n}^{3}\) and \(\mathcal {R}_{n}^{4}\) via series of hybrid games which is a common technique in security analysis [29, 30].
-
Game \(G_{1}\): Pick \(e'=(e_{n},e_{n-1},...,e_{1})\in X_{n}\) at random, compute \(k'=f(e')\). Then randomly choose \(m'_{i}\in \mathcal {M}\) for \(1\le i\le n, i\ne k'\), select \(r'_{i}\in \varOmega _{e_{i}}\) for \(1\le i\le n\), and generate \(\mathbb {R}'=(e',m'_{n},...,m'_{k'+1},m'_{k'-1},...,m'_{1},r'_{n},r'_{n-1}, ...,r'_{1})\). Finally, the game outputs the distribution \(\mathcal {R}_{n}^{1}=\{\mathbb {R}'\}\).
-
Game \(G_{2}\): Pick \(e'=(e_{n},e_{n-1},...,e_{1})\) at random from a different distribution \(Y_{n}(f)\), compute \(k'=f(e')\). Then randomly choose \(m'_{i}\) and \(r'_{i}\) as before, produce \(\mathbb {R}'=(e',m'_{n},...,m'_{k'+1},m'_{k'-1},...,m'_{1}, r'_{n},r'_{n-1},...,r'_{1})\). Finally the game outputs the distribution \(\mathcal {R}_{n}^{2}=\{\mathbb {R}'\}\).
-
Game \(G_{3}\): Pick \(e=(e_{n},e_{n-1},...,e_{1})\in X_{n}\) at random, compute \(k=f(e)\), set \(e''=(e_{n},...e_{k+1},0,e_{k-1},...,e_{1})\) and compute \(k''=f(e'')\), randomly choose \(m''_{i}\in \mathcal {M}\) for \(1\le i\le n, i\ne k''\), select \(r''_{i}\in \varOmega _{e_{i}}\) for \(1\le i\le n\), and create \(\mathbb {R}''=(e'',m''_{n},...,m''_{k''+1},m''_{k''-1},...,m''_{1}, r''_{n},r''_{n-1},...,r''_{1})\). Finally the game outputs the distribution \(\mathcal {R}_{n}^{3}=\{\mathbb {R}''\}\).
-
Game \(G_{4}\): Obtain \(e, k, e''\) and \(k''\) as before. For \(i=k\), set \(m_{k}\leftarrow m\), then randomly choose \(r_{k}\in \varOmega _{1}, m_{k}''\in \mathcal {M}\), produce \(r''_{k}\leftarrow \mathbf {Fake}(pk,m_{k},r_{k},m_{k}'')\). For \(i=k''\), randomly select \(r_{k''}\in \varOmega _{1}\). While for \(1\le i\le n\), \(i\ne k, i\ne k''\), randomly choose \(m_{i}\in \mathcal {M}\), \(r_{i}\in \varOmega _{e_{i}}\). Let \(m_{i}''\leftarrow m_{i}\), \(r_{i}''\leftarrow r_{i}\), for \(1\le i\le n, i\ne k\), and generate \(\mathbb {R}''=(e'',m''_{n},...,m''_{k''+1},m''_{k''-1},...,m''_{1}, r''_{n},r''_{n-1},...,r''_{1})\). Finally the game outputs the distribution \(\mathcal {R}_{n}^{4}=\{\mathbb {R}''\}\).
It clear that the Game \(G_{1}\) and Game \(G_{2}\) are indistinguishable except that the bit string \(e'\) comes from different distributions \(X_{n}\) and \(Y_{n}(f)\), therefore, \(\mathcal {R}_{n}^{1}\) and \(\mathcal {R}_{n}^{2}\) are \(\delta (n)\)-close. It follows directly that the output distributions of Game \(G_{2}\) and Game \(G_{3}\) are the same from the definition of \(Y_{n}(f)\). We see that the only difference between Game \(G_{3}\) and Game \(G_{4}\) is the distributions of \(r_{k}''\), according to the half-deniability of \(\mathrm {\Pi }\), we know that \(\mathcal {R}_{n}^{3}\) and \(\mathcal {R}_{n}^{4}\) are \(\varepsilon (\lambda )\)-close. Taken altogether results above, we immediately get \(\mathcal {R}_{n}^{1}\) and \(\mathcal {R}_{n}^{4}\) are \(\varepsilon (\lambda )+\delta (n)\)-close. Next, we consider the random variables \((m',\mathbb {R}', c')\) and \((m',\mathbb {R}'',c)\), it is not hard to see that the random inputs \(\mathbb {R}'\) and \(\mathbb {R}''\) belong to distribution \(\mathcal {R}_{n}^{1}\) and distribution \(\mathcal {R}_{n}^{4}\), respectively. Since \(c'\leftarrow \mathbf {Enc}(PK,m',\mathbb {R}')\), \(c\leftarrow \mathbf {Enc}(PK,m',\mathbb {R}'')\), it immediately follows that the random variables \((m',\mathbb {R}',c')\) and \((m',\mathbb {R}'',c)\) are \(\varepsilon (\lambda )+\delta (n)\)-close. In [6], Canetti et al. omitted the negligible quantity when they estimated their scheme’s deniability, and we also omit the negligible quantity \(\varepsilon (\lambda )\) in our scheme. This completes the proof.
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Cao, Y., Zhang, F., Gao, C., Chen, X. (2020). New Practical Public-Key Deniable Encryption. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds) Information and Communications Security. ICICS 2020. Lecture Notes in Computer Science(), vol 12282. Springer, Cham. https://doi.org/10.1007/978-3-030-61078-4_9
Download citation
DOI: https://doi.org/10.1007/978-3-030-61078-4_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-61077-7
Online ISBN: 978-3-030-61078-4
eBook Packages: Computer ScienceComputer Science (R0)