• PDF / 340,016 Bytes
• 11 Pages / 430 x 660 pts Page_size
• 17 Downloads / 197 Views

DOWNLOAD

REPORT

stract. A party using encrypted communication or storing data in an encrypted form might be forced to show the corresponding plaintext. It may happen for law enforcement reasons as well as for evil purposes. Deniable encryption scheme introduced by Canetti et al. shows that cryptography can be used against revealing information: the owner of the data may decrypt it in an alternative way to a harmless plaintext. Moreover, it is impossible to check if there is another hidden plaintext. The scheme of Canetti is inefficient in the sense that it is a special purpose scheme and using it indicates that there is some hidden message inside. We show that deniable encryption can be implemented in a different way so that it does not point to exploiting deniable encryption. Moreover, it is quite straightforward, so it can be used for both good and evil purposes. Apart from that we show that even the special purpose original scheme can be extended to allow, in some circumstances, any “depth” of deniability. Keywords: deniable encryption.

1

Introduction

Regular encryption schemes are aimed at hiding contents of encrypted data. Many of them meet very high security against an adversary that is given a ciphertext and would like to learn the corresponding plaintext. However, in the real world situation might be more complex. After gaining access to encrypted data, an adversary can demand presenting decryption keys or the corresponding plaintext (in the latter case the adversary may demand a proof that the plaintext is the right one). This may happen due to law enforcement procedures as well as a part of a criminal action. In many countries citizens are obliged by law to reveal these data on demand of appropriate authorities. One cannot simply refuse claiming that the decryption keys are lost or forgotten – in such a case the person might be considered as guilty by default. For most encryption schemes (ElGamal, RSA, DES . . . ), neither a receiver (we call him Bob), nor the sender (Alice) of encrypted data can cheat and disclose an incorrect plaintext. An incorrect decryption key would give senseless data. 

The paper is partially supported by EU within the 6th Framework Programme under contract 001907 (DELIS).

V. Geffert et al. (Eds.): SOFSEM 2008, LNCS 4910, pp. 599–609, 2008. c Springer-Verlag Berlin Heidelberg 2008 

600

M. Klonowski, P. Kubiak, and M. Kutyłowski

The main step for solving the problems mentioned is the idea of deniable encryption proposed in [3]. In this scheme, the sender can reveal fake parameters like random strings and private keys that yield a plaintext mf , instead of the original plaintext m. More precisely, if a ciphertext c = E(m, r) of message m is composed with parameter r (which is the key and, may be, some additional parameters), then the goal is to present rf and mf = m, such that c = E(mf , rf ). Moreover, mf should be a reasonable plaintext, in order to convince the adversary. The protocol for finding such mf and rf is called a faking algorithm, while the whole cryptosystem is named deniable enc

Recommend Documents

New Practical Public-Key Deniable Encryption

172 86 30MB

Heterogeneous Deniable Authenticated Encryption Protocol

185 52 57MB

Practical Packing Method in Somewhat Homomorphic Encryption

226 73 266KB

Encryption

152 32 2MB

ENCRYPTION

177 31 525KB

Subvert KEM to Break DEM: Practical Algorithm-Substitution Attacks on Public-Key Encryption

149 70 24MB

Practical Cryptanalysis of a Public-Key Encryption Scheme Based on New Multivariate Quadratic Assumptions

169 41 330KB

Group Encryption

161 27 489KB

Homomorphic Encryption

162 42 14MB

Multimedia Encryption

161 60 27MB

Asymmetric Encryption

178 50 5MB

Encryption, Biometric

159 49 2MB