Deniable Cryptosystems: Simpler Constructions and Achieving Leakage Resilience

Abstract

Deniable encryption (Canetti et al. in CRYPTO ’97) is an intriguing primitive, which provides security guarantee against coercion by allowing a sender to convincingly open the ciphertext into a fake message. Despite the notable result by Sahai and Waters in STOC ’14 and other efforts in functionality extension, all the deniable public key encryption (\(\textsf{DPKE}\)) schemes suffer from intolerable overhead due to the heavy building blocks, e.g., translucent sets or indistinguishability obfuscation. Besides, none of them considers the possible damage from leakage in the real world, obstructing these protocols from practical use.

To fill the gap, in this work we first present a simple and generic approach of sender-\(\textsf{DPKE}\) from ciphertext-simulatable encryption, which can be instantiated with nearly all the common \(\textsf{PKE}\) schemes. The core of this design is a newly-designed framework for flipping a bit-string that offers inverse polynomial distinguishability. Then we theoretically and experimentally expound on how classic side-channel attacks (timing or simple power attacks), can help the coercer break deniability, along with feasible countermeasures.

A Towards Optimal Flipping Sampling

One natural question raised from the above design of \(\textsf{DPKE}\) is: are there any other ways of flipping bits of \(\boldsymbol{s}\) that result in a closer distance from U, leveraging which we can devise a \(\textsf{DPKE}\) with better deniability? Below we give the negative answer by showing that flipping one bit is actually the optimal way, by proving that it is superior to any t-bit flipping (\(t>1\)) or uniformly random flipping. For simplicity, hereafter we assume \(\left( {\begin{array}{c}n\\ k\end{array}}\right) =0\) for \(k>n\).

Theorem 5

For \(t\in [1,n]\), let \(F_{t}\) be the flipping case where it first samples \(\boldsymbol{s}\) from \(\mathcal {S}\), if the count of 1 in \(\boldsymbol{s}\) is less than t, outputs \(\perp \); else randomly flips t bits in \(\boldsymbol{s}\) from 1 to 0. It holds \(\textsf{SD}(U,F_t)>\textsf{SD}(U,F)\) for \(t\ge 2\).

Proof

Observe that \(\boldsymbol{s}\) must be obtained by flipping t bit 1 of some string \(\boldsymbol{s}'\) from \(\mathcal {S}\) whose count of bit 1 is \(k+t\). Thus, there are \(\left( {\begin{array}{c}n-k\\ t\end{array}}\right) \) possible \(\boldsymbol{s}'\) when fixing \(\boldsymbol{s}\). Further, the probability of exactly flipping the corresponding 1 of \(\boldsymbol{s}'\) is \(1/\left( {\begin{array}{c}k+t\\ t\end{array}}\right) \). Then \(\forall \boldsymbol{s}\in \mathcal S,F(\boldsymbol{s})=\frac{1}{2^{n}}\cdot \left( {\begin{array}{c}n\\ k\end{array}}\right) \left( {\begin{array}{c}n-k\\ t\end{array}}\right) /\left( {\begin{array}{c}k+t\\ t\end{array}}\right) \), and the distance between R and \(F_t\) is

$$\begin{aligned} \begin{aligned} \textsf{SD}(R,F_t)&=\frac{1}{2}\cdot \sum \limits _{k=0}^{n}\left| \frac{1}{2^{n}} \left( {\begin{array}{c}n\\ k\end{array}}\right) \left( 1-\frac{\left( {\begin{array}{c}n-k\\ t\end{array}}\right) }{\left( {\begin{array}{c}k+t\\ t\end{array}}\right) } \right) \right| +\frac{1}{2}\cdot F_t(\perp )\\ &=\frac{1}{2^{n+1}}\cdot \left( \sum \limits _{k=0}^{n} \left| \left( {\begin{array}{c}n\\ k\end{array}}\right) -\left( {\begin{array}{c}n\\ k+t\end{array}}\right) \right| +\sum \limits _{k=0}^{t-1}\left( {\begin{array}{c}n\\ k\end{array}}\right) \right) . \end{aligned} \end{aligned}$$

(2)

To prove \(\textsf{SD}(R,F_t)>\textsf{SD}(R,F)\) for \(t\ge 2\), it suffices to argue that \(\textsf{SD}(R,F_1)\) is the minimum value regarding \(\textsf{SD}(R,F_t)\) as a discrete function of t, for which we consider the following two cases:

• For \(1\le t\le m\), Eq. (2) can be simplified into \(\frac{1}{2^{n}}\cdot \sum \limits _{k=\lceil {\frac{n-t}{2}}\rceil }^{\lceil \frac{n+t}{2}\rceil -1}\left( {\begin{array}{c}n\\ k\end{array}}\right) \), being monotonically increasing on t. So \(t=1\) is the minimum point in this interval.

• For \(m+1\le t\le n\), Eq. (2) can be simplified into

  $$\begin{aligned} \frac{1}{2^{n+1}}\cdot \left( \sum \limits _{i=t}^{\lceil {\frac{n+t}{2}}\rceil -1}\left( {\begin{array}{c}n\\ i\end{array}}\right) +\sum \limits _{i=\lceil {\frac{n-t}{2}}\rceil }^{\lceil {\frac{n+t}{2}}\rceil -1}\left( {\begin{array}{c}n\\ i\end{array}}\right) -\sum \limits _{i=0}^{\lceil {\frac{n-t}{2}}\rceil -1}\left( {\begin{array}{c}n\\ i\end{array}}\right) +\sum \limits _{k=0}^{t-1}\left( {\begin{array}{c}n\\ k\end{array}}\right) \right) . \end{aligned}$$

  To estimate the scale of the above equation, observe that

  $$\left( \sum \limits _{i=t}^{\lceil {\frac{n+t}{2}}\rceil -1}\left( {\begin{array}{c}n\\ i\end{array}}\right) -\sum \limits _{i=0}^{\lceil {\frac{n-t}{2}}\rceil -1}\left( {\begin{array}{c}n\\ i\end{array}}\right) \right) \ge 0,\;\left( \sum \limits _{i=\lceil {\frac{n-t}{2}}\rceil }^{\lceil {\frac{n+t}{2}}\rceil -1}\left( {\begin{array}{c}n\\ i\end{array}}\right) +\sum \limits _{k=0}^{t-1}\left( {\begin{array}{c}n\\ k\end{array}}\right) \right) >2\cdot \left( {\begin{array}{c}n\\ m\end{array}}\right) .$$

  Thus we can deduce that \(\textsf{SD}(R,F_t)>\textsf{SD}(R,F)\) also holds in this interval.

Based on the above analysis, it is clear that \(\textsf{SD}(R,F_t)>\textsf{SD}(R,F)\) for \(t\ge 2\).   \(\square \)

Theorem 6

Let \(F'\) be the flipping case where it first samples \(\boldsymbol{s}\) from \(\mathcal {S}\setminus \{0^n\}\) and then randomly flips some bits of \(\boldsymbol{s}\) (not all of 1) from 1 to 0, it holds \(\textsf{SD}(U,F')>\textsf{SD}(U,F)\).

Proof

Any \(\boldsymbol{s}\) from \(F'\) must be obtained by flipping j bits 1 of some \(\boldsymbol{s}'\) for \(j\in [1,n-k]\), meaning the count of 1 of \(\boldsymbol{s}'\) is \(k+j\). So the generation of \(\boldsymbol{s}\) can be divided into two steps: 1) choose the indexes of i bits 1 to fix \(\boldsymbol{s}'\); 2) flip the target indexes of \(\boldsymbol{s}'\). Hence, the total possible way of sampling \(\boldsymbol{s}\) is \(\frac{1}{2^{n}}\cdot \sum \limits _{j=1}^{n-k}\left( {\begin{array}{c}n-k\\ j\end{array}}\right) \cdot {2}^{-(k+j)}.\) Then by traversing all the possible \(\boldsymbol{s}\) (\(\left( {\begin{array}{c}n\\ k\end{array}}\right) \) values), we have that

$$\begin{aligned} \begin{aligned} \textsf{SD}(R,F')&=\frac{1}{2}\cdot \sum \limits _{k=0}^{n}\left| \frac{1}{2^{n}}\left( {\begin{array}{c}n\\ k\end{array}}\right) \left( 1-\sum \limits _{j=1}^{n-k} \left( {\begin{array}{c}n-k\\ j\end{array}}\right) \cdot {2}^{-(k+j)}\right) \right| \\ &=\frac{1}{2^{n+1}}\cdot \sum \limits _{k=0}^{n}\left( {\begin{array}{c}n\\ k\end{array}}\right) \left| 1-2^{-k}\cdot \sum \limits _{j=1}^{n-k} \left( {\begin{array}{c}n-k\\ j\end{array}}\right) \cdot {2}^{-j}\right| .\\ \end{aligned} \end{aligned}$$

(3)

To estimate the relative scale of Eq. (3), we first consider the item of the absolute value \(\left| 1-2^{-k}\cdot \sum \limits _{j=1}^{n-k} \left( {\begin{array}{c}n-k\\ j\end{array}}\right) \cdot {2}^{-j}\right| \). Denote the sum of the involved sequence as \(S_m=\sum \limits _{j=0}^{m} \left( {\begin{array}{c}m\\ j\end{array}}\right) \cdot {2}^{-j}\), a simple calculation shows that \(S_{m+1}=\frac{3}{2}S_m\) (geometric progression), further arriving at the simplified expression \(\left| 1-\frac{3^{n-k}}{2^n}+\frac{1}{2^k}\right| \). For large n, e.g., \(n>2^5\), we obtain the following inequality:

$$\begin{aligned} \sum \limits _{k=0}^{n}\left( {\begin{array}{c}n\\ k\end{array}}\right) \left| 1-\frac{3^{n-k}}{2^n}+\frac{1}{2^k}\right| >\sum \limits _{k=0}^{n}\left( {\begin{array}{c}n\\ k\end{array}}\right) \left| 1-\frac{n-k}{k+1}\right| , \end{aligned}$$

which implies that \(\textsf{SD}(R,F')>\textsf{SD}(R,F)\).   \(\square \)