Abstract
Deniable public-key encryption (DPKE) is a cryptographic primitive that allows the sender of an encrypted message to later claim that they sent a different message. DPKE’s threat model assumes powerful adversaries who can coerce users to reveal plaintexts; it is thus reasonable to consider other advanced capabilities, such as being able to subvert algorithms in a so-called Algorithm Substitution Attack (ASA). ASAs have been considered against a number of primitives including digital signatures, symmetric encryption and pseudo-random generators. However, public-key encryption has presented a less fruitful target, as the sender’s only secrets are plaintexts and ASA techniques generally do not provide sufficient bandwidth to leak these.
In this article, we give a formal model of ASAs against DPKE, and argue that subversion attacks against DPKE schemes present an attractive opportunity for an adversary. Our results strengthen the security model for DPKE and highlight the necessity of considering subversion in the design of practical schemes.
An extended version of this article is available at https://pure.royalholloway.ac.uk/portal/files/46742531/main.pdf [3].
The research of Armour was supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/P009301/1).
Notes
1. Here universal means that the ASA applies generically to any encryption scheme, and consistent essentially means that the ASA outputs genuine ciphertexts.
2. Chen et al. [9] overcome these limitations by using non-generic techniques against KEM-DEM constructions to leak underlying plaintexts representing (session) keys.
3. Gunn et al. [11] consider circumventing cryptographic deniability, which is similar in spirit. However, their scenario is quite different: firstly, they consider deniable communication protocols (such as Signal). Secondly, they do not consider subversion attacks – instead, their scenario is logically equivalent to compromising the receiver.
4. See the extended version [3] for a complete discussion of the message sampler.
5. Our informal notions (‘realistic’ and ‘practical’) are easily reformulated in terms of probabilistic polynomial-time (PPT) algorithms. However, given that asymptotic notions don’t reflect practice particularly well, we prefer to use the informal terms.
6. As an interesting aside, the approach for iO deniability schemes is to hide an encoding of the faked ciphertext within randomness; the encryption algorithm first checks whether the randomness encodes a ciphertext c and if so outputs c; if not, it proceeds to encrypt the message. The security follows from the fact that iO obfuscates the inner working of the algorithm so that it appears as a black box. This results in large, structured randomness inputs which would seem to facilitate subversion.
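The dispatch described in note 6, as an added toy model that is not code from the paper or from any iO construction: a small ElGamal instance stands in for the public-key scheme, the "does the randomness encode a ciphertext?" branch is written in the clear (iO would hide it), and the constructed `TAG` marker, parameter sizes and helper names are all assumptions. It shows the sender's faking step, what a coercer can verify, and why the randomness input must be wide enough to carry a whole ciphertext.

```python
import os

# Toy ElGamal over a small Mersenne prime: constructed for illustration,
# not secure parameters. The public key is y = G^x mod P.
P = 2**31 - 1          # prime modulus
G = 7                  # primitive root mod P
RAND_BYTES = 16        # width of the randomness input to enc()
TAG = b"CT:"           # constructed marker carried by an encoded ciphertext

def keygen():
    x = int.from_bytes(os.urandom(8), "big") % (P - 2) + 1
    return x, pow(G, x, P)          # (sk, pk)

def _encode_ct(c):
    # Pack a ciphertext (c1, c2) into the randomness format.
    c1, c2 = c
    return TAG + c1.to_bytes(4, "big") + c2.to_bytes(4, "big")

def _decode_ct(r):
    # Return the encoded ciphertext if r carries one, else None.
    if not r.startswith(TAG):
        return None
    body = r[len(TAG):len(TAG) + 8]
    return int.from_bytes(body[:4], "big"), int.from_bytes(body[4:], "big")

def enc(pk, m, r):
    """Enc(pk, m; r): if r encodes a ciphertext, emit it unchanged;
    otherwise derive the ElGamal exponent from r and encrypt m honestly."""
    assert len(r) == RAND_BYTES
    c = _decode_ct(r)
    if c is not None:
        return c
    k = int.from_bytes(r, "big") % (P - 2) + 1
    return pow(G, k, P), (m * pow(pk, k, P)) % P

def dec(sk, c):
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - sk, P)) % P   # c2 * c1^(-sk)

def fake(c):
    """Sender's faking algorithm: randomness r' that 'explains' c for any message.
    Note the structural cost: r' must be at least as wide as an encoded ciphertext."""
    enc_c = _encode_ct(c)
    assert len(enc_c) <= RAND_BYTES
    return enc_c.ljust(RAND_BYTES, b"\x00")

def coercer_check(pk, m, r, c):
    """What a coercer can verify: does the claimed (m, r) reproduce c?"""
    return enc(pk, m, r) == c
```

Honest randomness is `os.urandom(RAND_BYTES)`; the chance it begins with `TAG` is negligible, which is exactly the gap the iO black box is meant to make invisible.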
References
Agrawal, S., Goldwasser, S., Mossel, S.: Deniable fully homomorphic encryption from learning with errors. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12826, pp. 641–670. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_22
Armour, M., Poettering, B.: Subverting decryption in AEAD. In: Albrecht, M. (ed.) IMACC 2019. LNCS, vol. 11929, pp. 22–41. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35199-1_2
Armour, M., Quaglia, E.A.: Subverting deniability. Royal Holloway University of London repository (2022). https://pure.royalholloway.ac.uk/portal/files/46742531/main.pdf
Bellare, M., Jaeger, J., Kane, D.: Mass-surveillance without the state: Strongly undetectable algorithm-substitution attacks. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015: 22nd Conference on Computer and Communications Security, pp. 1431–1440. ACM Press (2015). https://doi.org/10.1145/2810103.2813681
Berndt, S., Liskiewicz, M.: Algorithm substitution attacks from a steganographic perspective. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017: 24th Conference on Computer and Communications Security, pp. 1649–1660. ACM Press (2017). https://doi.org/10.1145/3133956.3133981
Canetti, R., Dwork, C., Naor, M., Ostrovsky, R.: Deniable encryption. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 90–104. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052229
Canetti, R., Park, S., Poburinnaya, O.: Fully deniable interactive encryption. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 807–835. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_27
Celi, S., Symeonidis, I.: The current state of denial. In: HotPETS (2020)
Chen, R., Huang, X., Yung, M.: Subvert KEM to break DEM: practical algorithm-substitution attacks on public-key encryption. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 98–128. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_4
De Caro, A., Iovino, V., O’Neill, A.: Deniable functional encryption. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 196–222. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_8
Gunn, L.J., Parra, R.V., Asokan, N.: Circumventing cryptographic deniability with remote attestation. Proc. Priv. Enhancing Technol. 2019(3), 350–369 (2019). https://doi.org/10.2478/popets-2019-0051
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th Annual ACM Symposium on Theory of Computing, pp. 475–484. ACM Press (2014). https://doi.org/10.1145/2591796.2591825
Schneier, B., Fredrikson, M., Kohno, T., Ristenpart, T.: Surreptitiously weakening cryptographic systems. Cryptology ePrint Archive, Report 2015/097 (2015). https://eprint.iacr.org/2015/097
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Armour, M., Quaglia, E.A. (2022). Subverting Deniability. In: Ge, C., Guo, F. (eds) Provable and Practical Security. ProvSec 2022. Lecture Notes in Computer Science, vol 13600. Springer, Cham. https://doi.org/10.1007/978-3-031-20917-8_4
DOI: https://doi.org/10.1007/978-3-031-20917-8_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-20916-1
Online ISBN: 978-3-031-20917-8