Abstract
Deniable encryption (Canetti et al., CRYPTO ’97) is an intriguing primitive that provides a security guarantee against coercion by allowing a sender to convincingly open a ciphertext into a fake message. Despite the notable result of Sahai and Waters (STOC ’14) and other efforts to extend its functionality, all existing deniable public key encryption (\(\textsf{DPKE}\)) schemes suffer from intolerable overhead due to their heavy building blocks, e.g., translucent sets or indistinguishability obfuscation. Besides, none of them considers the possible damage from leakage in the real world, which keeps these protocols from practical use.
To fill this gap, in this work we first present a simple and generic approach to sender-\(\textsf{DPKE}\) from ciphertext-simulatable encryption, which can be instantiated with nearly all common \(\textsf{PKE}\) schemes. The core of this design is a newly designed framework for flipping a bit-string that offers inverse polynomial distinguishability. Then we expound, both theoretically and experimentally, on how classic side-channel attacks (timing or simple power attacks) can help the coercer break deniability, along with feasible countermeasures.
Notes
1. Due to the page limit, we omit the graphics for other values of n, which show similar trends to that for \(n=2^{30}\).
References
Agrawal, S., Goldwasser, S., Mossel, S.: Deniable fully homomorphic encryption from learning with errors. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12826, pp. 641–670. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_22
Apon, D., Fan, X., Liu, F.-H.: Deniable attribute based encryption for branching programs from LWE. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 299–329. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_12
Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_15
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory 6(3), 13:1–13:36 (2014). https://doi.org/10.1145/2633600
Canetti, R., Dodis, Y., Halevi, S., Kushilevitz, E., Sahai, A.: Exposure-resilient functions and all-or-nothing transforms. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 453–469. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_33
Canetti, R., Dwork, C., Naor, M., Ostrovsky, R.: Deniable encryption. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 90–104. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052229
Canetti, R., Park, S., Poburinnaya, O.: Fully deniable interactive encryption. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 807–835. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_27
Cao, Y., Zhang, F., Gao, C., Chen, X.: New practical public-key deniable encryption. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds.) ICICS 2020. LNCS, vol. 12282, pp. 147–163. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-61078-4_9
De Caro, A., Iovino, V., O’Neill, A.: Deniable functional encryption. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 196–222. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_8
De Caro, A., Iovino, V., O’Neill, A.: Receiver- and sender-deniable functional encryption. IET Inf. Secur. 12(3), 207–216 (2018). https://doi.org/10.1049/iet-ifs.2017.0040
Chi, P., Lei, C.: Audit-free cloud storage via deniable attribute-based encryption. IEEE Trans. Cloud Comput. 6(2), 414–427 (2018). https://doi.org/10.1109/TCC.2015.2424882
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: A homomorphic LWE based e-voting scheme. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 245–265. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_16
Choi, S.G., Dachman-Soled, D., Malkin, T., Wee, H.: Improved non-committing encryption with applications to adaptively secure protocols. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 287–302. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_17
Coladangelo, A., Goldwasser, S., Vazirani, U.V.: Deniable encryption in a quantum world. In: Leonardi, S., Gupta, A. (eds.) STOC 2022, pp. 1378–1391. ACM (2022). https://doi.org/10.1145/3519935.3520019
Damgård, I., Nielsen, J.B.: Improved non-committing encryption schemes based on a general complexity assumption. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 432–450. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_27
Dent, A.W.: The Cramer-Shoup encryption scheme is plaintext aware in the standard model. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 289–307. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_18
Dodis, Y., Goldwasser, S., Tauman Kalai, Y., Peikert, C., Vaikuntanathan, V.: Public-key encryption schemes with auxiliary inputs. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 361–381. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_22
Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS 2008, pp. 293–302. IEEE Computer Society (2008). https://doi.org/10.1109/FOCS.2008.56
Gao, C., Xie, D., Wei, B.: Deniable encryptions secure against adaptive chosen ciphertext attack. In: Ryan, M.D., Smyth, B., Wang, G. (eds.) ISPEC 2012. LNCS, vol. 7232, pp. 46–62. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29101-2_4
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS 2013, pp. 40–49. IEEE Computer Society (2013). https://doi.org/10.1109/FOCS.2013.13
Garg, S., Polychroniadou, A.: Two-round adaptively secure MPC from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 614–637. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_24
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) STOC 2009, pp. 169–178. ACM (2009). https://doi.org/10.1145/1536414.1536440
Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from well-founded assumptions. In: Khuller, S., Williams, V.V. (eds.) STOC 2021, pp. 60–73. ACM (2021). https://doi.org/10.1145/3406325.3451093
Kaminsky, D., Patterson, M.L., Sassaman, L.: PKI layer cake: new collision attacks against the global X.509 infrastructure. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 289–303. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14577-3_22
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9
Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25
Li, H., Zhang, F., Fan, C.: Deniable searchable symmetric encryption. Inf. Sci. 402, 233–243 (2017). https://doi.org/10.1016/j.ins.2017.03.032
Matsuda, T., Hanaoka, G.: Trading plaintext-awareness for simulatability to achieve chosen ciphertext security. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 3–34. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_1
Messerges, T.S.: Using second-order power analysis to attack DPA resistant software. In: Koç, Ç.K., Paar, C. (eds.) CHES 2000. LNCS, vol. 1965, pp. 238–251. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44499-8_19
Micali, S., Reyzin, L.: Physically observable cryptography. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 278–296. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_16
Michalevsky, Y., Schulman, A., Veerapandian, G.A., Boneh, D., Nakibly, G.: PowerSpy: location tracking using mobile device power analysis. In: Jung, J., Holz, T. (eds.) USENIX Security Symposium 2015, pp. 785–800. USENIX Association (2015). https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/michalevsky
O’Neill, A., Peikert, C., Waters, B.: Bi-deniable public-key encryption. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 525–542. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_30
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) STOC 2014, pp. 475–484. ACM (2014). https://doi.org/10.1145/2591796.2591825
Silverman, J.H., Whyte, W.: Timing attacks on NTRUEncrypt via variation in the number of hash calls. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 208–224. Springer, Heidelberg (2006). https://doi.org/10.1007/11967668_14
Acknowledgments
This work is supported by the National Natural Science Foundation of China (No. 61972429 and No. 62272491) and Guangdong Major Project of Basic and Applied Basic Research (2019B030302008) and the National Key R&D Program of China under Grant (2022YFB2701500).
A Towards Optimal Flipping Sampling
One natural question raised by the above design of \(\textsf{DPKE}\) is whether there are other ways of flipping bits of \(\boldsymbol{s}\) that bring the result closer to U, from which a \(\textsf{DPKE}\) with better deniability could be devised. Below we give a negative answer by showing that flipping one bit is in fact optimal: it is superior to any t-bit flipping (\(t>1\)) and to uniformly random flipping. For simplicity, hereafter we assume \(\left( {\begin{array}{c}n\\ k\end{array}}\right) =0\) for \(k>n\).
Theorem 5
For \(t\in [1,n]\), let \(F_{t}\) be the flipping procedure that first samples \(\boldsymbol{s}\) from \(\mathcal {S}\); if the number of 1s in \(\boldsymbol{s}\) is less than t, it outputs \(\perp \); otherwise it flips t randomly chosen 1-bits of \(\boldsymbol{s}\) to 0. Then \(\textsf{SD}(U,F_t)>\textsf{SD}(U,F)\) for \(t\ge 2\).
Proof
Observe that any \(\boldsymbol{s}\) with k 1-bits output by \(F_t\) must be obtained by flipping t 1-bits of some string \(\boldsymbol{s}'\) from \(\mathcal {S}\) whose number of 1s is \(k+t\). Thus, for a fixed \(\boldsymbol{s}\) there are \(\left( {\begin{array}{c}n-k\\ t\end{array}}\right) \) possible \(\boldsymbol{s}'\). Further, the probability of flipping exactly the corresponding 1-bits of \(\boldsymbol{s}'\) is \(1/\left( {\begin{array}{c}k+t\\ t\end{array}}\right) \). Then \(\forall \boldsymbol{s}\in \mathcal S,F(\boldsymbol{s})=\frac{1}{2^{n}}\cdot \left( {\begin{array}{c}n\\ k\end{array}}\right) \left( {\begin{array}{c}n-k\\ t\end{array}}\right) /\left( {\begin{array}{c}k+t\\ t\end{array}}\right) \), and the distance between R and \(F_t\) is
To prove \(\textsf{SD}(R,F_t)>\textsf{SD}(R,F)\) for \(t\ge 2\), it suffices to argue that \(\textsf{SD}(R,F_1)\) is the minimum of \(\textsf{SD}(R,F_t)\) regarded as a discrete function of t, for which we consider the following two cases:
- For \(1\le t\le m\), Eq. (2) can be simplified into \(\frac{1}{2^{n}}\cdot \sum \limits _{k=\lceil {\frac{n-t}{2}}\rceil }^{\lceil \frac{n+t}{2}\rceil -1}\left( {\begin{array}{c}n\\ k\end{array}}\right) \), which is monotonically increasing in t. So \(t=1\) is the minimum point in this interval.
- For \(m+1\le t\le n\), Eq. (2) can be simplified into
$$\begin{aligned} \frac{1}{2^{n+1}}\cdot \left( \sum \limits _{i=t}^{\lceil {\frac{n+t}{2}}\rceil -1}\left( {\begin{array}{c}n\\ i\end{array}}\right) +\sum \limits _{i=\lceil {\frac{n-t}{2}}\rceil }^{\lceil {\frac{n+t}{2}}\rceil -1}\left( {\begin{array}{c}n\\ i\end{array}}\right) -\sum \limits _{i=0}^{\lceil {\frac{n-t}{2}}\rceil -1}\left( {\begin{array}{c}n\\ i\end{array}}\right) +\sum \limits _{k=0}^{t-1}\left( {\begin{array}{c}n\\ k\end{array}}\right) \right) . \end{aligned}$$
To estimate the scale of the above expression, observe that
$$\left( \sum \limits _{i=t}^{\lceil {\frac{n+t}{2}}\rceil -1}\left( {\begin{array}{c}n\\ i\end{array}}\right) -\sum \limits _{i=0}^{\lceil {\frac{n-t}{2}}\rceil -1}\left( {\begin{array}{c}n\\ i\end{array}}\right) \right) \ge 0,\;\left( \sum \limits _{i=\lceil {\frac{n-t}{2}}\rceil }^{\lceil {\frac{n+t}{2}}\rceil -1}\left( {\begin{array}{c}n\\ i\end{array}}\right) +\sum \limits _{k=0}^{t-1}\left( {\begin{array}{c}n\\ k\end{array}}\right) \right) >2\cdot \left( {\begin{array}{c}n\\ m\end{array}}\right) .$$
Thus we can deduce that \(\textsf{SD}(R,F_t)>\textsf{SD}(R,F)\) also holds in this interval.
Based on the above analysis, it is clear that \(\textsf{SD}(R,F_t)>\textsf{SD}(R,F)\) for \(t\ge 2\). \(\square \)
Theorem 6
Let \(F'\) be the flipping procedure that first samples \(\boldsymbol{s}\) from \(\mathcal {S}\setminus \{0^n\}\) and then flips some randomly chosen 1-bits of \(\boldsymbol{s}\) (but not all of them) to 0. Then \(\textsf{SD}(U,F')>\textsf{SD}(U,F)\).
Proof
Any \(\boldsymbol{s}\) output by \(F'\) must be obtained by flipping j 1-bits of some \(\boldsymbol{s}'\), for \(j\in [1,n-k]\), meaning the number of 1s in \(\boldsymbol{s}'\) is \(k+j\). So the generation of \(\boldsymbol{s}\) can be divided into two steps: 1) choose the indexes of the j 1-bits to fix \(\boldsymbol{s}'\); 2) flip the target indexes of \(\boldsymbol{s}'\). Hence, the total probability of sampling \(\boldsymbol{s}\) is \(\frac{1}{2^{n}}\cdot \sum \limits _{j=1}^{n-k}\left( {\begin{array}{c}n-k\\ j\end{array}}\right) \cdot {2}^{-(k+j)}.\) Then by traversing all the possible \(\boldsymbol{s}\) (\(\left( {\begin{array}{c}n\\ k\end{array}}\right) \) values), we have that
To estimate the relative scale of Eq. (3), we first consider the term inside the absolute value, \(\left| 1-2^{-k}\cdot \sum \limits _{j=1}^{n-k} \left( {\begin{array}{c}n-k\\ j\end{array}}\right) \cdot {2}^{-j}\right| \). Denote the sum of the involved sequence by \(S_m=\sum \limits _{j=0}^{m} \left( {\begin{array}{c}m\\ j\end{array}}\right) \cdot {2}^{-j}\); a simple calculation shows that \(S_{m+1}=\frac{3}{2}S_m\) (a geometric progression), which leads to the simplified expression \(\left| 1-\frac{3^{n-k}}{2^n}+\frac{1}{2^k}\right| \). For large n, e.g., \(n>2^5\), we obtain the following inequality:
which implies that \(\textsf{SD}(R,F')>\textsf{SD}(R,F)\). \(\square \)
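As an added illustration of Theorems 5 and 6 (this script is not part of the paper), the following Python code computes the exact statistical distance of the flipping samplers \(F_t\) and \(F'\) from the uniform distribution U on \(\{0,1\}^n\) for small n by enumerating every string, and checks the result for \(F_t\) against the simplified form of Eq. (2). It assumes \(\mathcal{S}=\{0,1\}^n\), treats \(\perp\) as an extra outcome of mass 0 under U, and fixes one reading of "some bits (not all of 1)" for \(F'\), stated in the code.

```python
from fractions import Fraction
from itertools import combinations
from math import comb

BOT = None  # the ⊥ (abort) outcome of a flipping sampler; U gives it mass 0

def _clear(s, idxs):
    """Flip the 1-bits of s at positions idxs to 0."""
    for i in idxs:
        s &= ~(1 << i)
    return s

def flip_t_dist(n, t):
    """Exact distribution of F_t: draw s' uniformly from {0,1}^n; output ⊥ if it
    has fewer than t ones, else clear t of its 1-bits chosen uniformly at random."""
    dist = {}
    for s in range(1 << n):
        ones = [i for i in range(n) if s >> i & 1]
        outs = [_clear(s, c) for c in combinations(ones, t)] or [BOT]
        for out in outs:
            dist[out] = dist.get(out, 0) + Fraction(1, (1 << n) * len(outs))
    return dist

def random_flip_dist(n):
    """Distribution of F'. Assumption (the appendix text leaves it open): draw s'
    uniformly from {0,1}^n minus 0^n, then clear a uniformly random subset of its
    1-bits other than the full set (the empty subset is allowed)."""
    dist = {}
    for s in range(1, 1 << n):
        ones = [i for i in range(n) if s >> i & 1]
        outs = [_clear(s, c) for r in range(len(ones)) for c in combinations(ones, r)]
        for out in outs:
            dist[out] = dist.get(out, 0) + Fraction(1, ((1 << n) - 1) * len(outs))
    return dist

def sd_from_uniform(n, dist):
    """Statistical distance between dist and the uniform distribution U on {0,1}^n."""
    u = Fraction(1, 1 << n)
    total = sum(abs(u - dist.get(s, 0)) for s in range(1 << n)) + dist.get(BOT, 0)
    return total / 2

def sd_closed_form(n, t):
    """Simplified Eq. (2): (1/2^n) * sum_{k=ceil((n-t)/2)}^{ceil((n+t)/2)-1} C(n,k)."""
    lo, hi = -(-(n - t) // 2), -(-(n + t) // 2) - 1
    return Fraction(sum(comb(n, k) for k in range(lo, hi + 1)), 1 << n)
```

For n = 6 the single-bit flipper F_1 sits at distance 20/64 from U, every F_t with t ≥ 2 is strictly farther, and so is F', matching the two theorems; the exact fractions make the monotonicity in t visible without any approximation.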
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
An, Z., Tian, H., Chen, C., Zhang, F. (2024). Deniable Cryptosystems: Simpler Constructions and Achieving Leakage Resilience. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14344. Springer, Cham. https://doi.org/10.1007/978-3-031-50594-2_2
DOI: https://doi.org/10.1007/978-3-031-50594-2_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-50593-5
Online ISBN: 978-3-031-50594-2