Abstract
An anamorphic encryption scheme allows two parties who share a so-called double key to embed covert messages in ciphertexts of an established PKE scheme. This protects against a dictator that can force the receiver to reveal the secret keys for the PKE scheme, but who is oblivious about the existence of the double key. We identify two limitations of the original model by Persiano, Phan, and Yung (EUROCRYPT 2022). First, in their definition a double key can only be generated once, together with a key-pair. This has the drawback that a receiver who wants to use the anamorphic mode after a dictator comes to power, needs to deploy a new key-pair, a potentially suspicious act. Second, a receiver cannot distinguish whether or not a ciphertext contains a covert message.
In this work we propose a new model that overcomes these limitations. First, we allow to associate multiple double keys to a key-pair, after its deployment. This also enables deniability in case the double key only depends on the public key. Second, we propose a natural robustness notion, which guarantees that anamorphically decrypting a regularly encrypted message results in a special symbol indicating that no covert message is contained, which also eliminates certain attacks.
Finally, to instantiate our new, stronger definition of anamorphic encryption, we provide generic and concrete constructions. Concretely, we show that ElGamal and Cramer-Shoup satisfy a new condition, selective randomness recoverability, which enables robust anamorphic extensions, and we also provide a robust anamorphic extension for RSA-OAEP.
F. Banfi and G. Rito—Work done while the author was at ETH Zurich.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
The original work considers a further case, the anamorphic with normal encryption or aneAME, but in our model, since the anamorphic key generation algorithm does not output a key-pair, this case is equivalent to our third case, and hence irrelevant.
- 2.
We use the term distinguisher rather than adversary because the latter is more general, but our notions are all real-or-ideal.
- 3.
- 4.
In case of pre-computation, this is true also for the space complexity of \(\textsf{aDec}\).
- 5.
In practice, the ciphertext might be a bit string, in which case we would instead have \(c=\alpha ( pk ,m,r)\Vert \beta (r)\). Moreover, note that order does not matter, so we could also have \(c=(\beta (r),\alpha ( pk ,m,r))\).
- 6.
Recall that, even if we did not explicitate it here, we assume that \(\textsf{pp}\) can be obtained from both \( sk \) and \( pk \).
References
Abdalla, M., Bellare, M., Neven, G.: Robust encryption. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 480–497. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_28
Abelson, H., et al.: The risks of key recovery, key escrow, and trusted third-party encryption (1997)
Abelson, H., et al.: Keys under doormats: mandating insecurity by requiring government access to all data and communications. (July 6) 2015. Google Scholar Google Scholar Digital Library Digital Library (2015)
Banfi, F., Gegier, K., Hirt, M., Maurer, U., Rito, G.: Anamorphic encryption, revisited. Cryptology ePrint Arch. Report 2023/249 (2023), https://eprint.iacr.org/2023/249
Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_33
Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: 38th FOCS, pp. 394–403. IEEE Computer Society Press. (1997) https://doi.org/10.1109/SFCS.1997.646128
Bellare, M., Kilian, J., Rogaway, P.: The security of cipher block chaining. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 341–358. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_32
Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_1
Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053428
Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_25
Blaze, M.: Protocol failure in the escrowed encryption standard. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S. (eds.) ACM CCS 94, pp. 59–67. ACM Press. (1994) https://doi.org/10.1145/191177.191193
Canetti, R., Dwork, C., Naor, M., Ostrovsky, R.: Deniable encryption. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 90–104. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052229
Checkoway, S., et al.: On the practical exploitability of dual EC in TLS implementations. In: Fu, K., Jung, J. (eds.) USENIX Security 2014, pp. 319–335. USENIX Association (2014)
Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055717
Dakoff, H.S.: The clipper chip proposal: deciphering the unfounded fears that are wrongfully derailing its implementation. J. Marshall L. Rev. UIC Law Review 29(2), 475 8 (1996)
ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985). https://doi.org/10.1109/TIT.1985.1057074
Frankel, Y., Yung, M.: Escrow encryption systems visited: attacks, analysis and designs. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 222–235. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_18
Golle, P., Jakobsson, M., Juels, A., Syverson, P.: Universal re-encryption for mixnets. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 163–178. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24660-2_14
Green, M., Kaptchuk, G., Van Laer, G.: Abuse resistant law enforcement access systems. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12698, pp. 553–583. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77883-5_19
Horel, T., Park, S., Richelson, S., Vaikuntanathan, V.: How to subvert backdoored encryption: security against adversaries that decrypt all ciphertexts. In: Blum, A. (ed.) ITCS 2019, vol. 124, pp. 42:1–42:20. LIPIcs (2019) https://doi.org/10.4230/LIPIcs.ITCS.2019.42
Kohlweiss, M., Maurer, U., Onete, C., Tackmann, B., Venturi, D.: Anonymity-preserving public-key encryption: a constructive approach. In: De Cristofaro, E., Wright, M. (eds.) PETS 2013. LNCS, vol. 7981, pp. 19–39. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39077-7_2
Kutylowski, M., Persiano, G., Phan, D.H., Yung, M., Zawada, M.: The self-anti-censorship nature of encryption: on the prevalence of anamorphic cryptography. PoPETs 2023(4), 170–183 (2023)https://doi.org/10.56553/popets-2023-0104
Kutylowski, M., Persiano, G., Phan, D.H., Yung, M., Zawada, M.: Anamorphic signatures: secrecy from a dictator who only permits authentication! In: CRYPTO 2023, Part II, pp. 759–790. LNCS, Springer, Heidelberg (2023).https://doi.org/10.1007/978-3-031-38545-2_25
Li, C.K., Wong, D.S.: Signcryption from randomness recoverable public key encryption. Inf. Sci. 180(4), 549–559 (2010)
Micali, S.: Fair public-key cryptosystems. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 113–138. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_9
Persiano, G., Phan, D.H., Yung, M.: Anamorphic encryption: private communication against a dictator. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part II. LNCS, vol. 13276, pp. 34–63. Springer, Heidelberg (2022)https://doi.org/10.1007/978-3-031-07085-3_2
Rivest, R.L., et al.: Chaffing and winnowing: confidentiality without encryption. CryptoBytes (RSA laboratories) 4(1), 12–17 (1998)
Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Cliptography: clipping the power of kleptographic attacks. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 34–64. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_2
Russell, A., Tang, Q., Yung, M., Zhou, H.S.: Generic semantic security against a kleptographic adversary. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 907–922. ACM Press (2017)https://doi.org/10.1145/3133956.3133993
Simmons, G.J.: The prisoners problem and the subliminal channel. In: Chaum, D. (ed.) CRYPTO’83, pp. 51–67. Plenum Press, New York, USA (1983)
von Ahn, L., Hopper, N.J.: Public-key steganography. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 323–341. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_20
Wang, Y., Chen, R., Huang, X., Yung, M.: Sender-anamorphic encryption reformulated: achieving robust and generic constructions. In: Guo, J., Steinfeld, R. (eds.) Advances in Cryptology – ASIACRYPT 2023, pp. 135–167. Springer Nature Singapore, Singapore (2023)https://doi.org/10.1007/978-981-99-8736-8_5
Young, A., Yung, M.: The dark side of “black-box’’ cryptography or: should we trust capstone? In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_8
Young, A., Yung, M.: The prevalence of kleptographic attacks on discrete-log based cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 264–276. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052241
Young, A., Yung, M.: Auto-recoverable auto-certifiable cryptosystems. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 17–31. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054114
Young, A., Yung, M.: Kleptography from standard assumptions and applications. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 271–290. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15317-4_18
Young, A.L., Yung, M.: Semantically secure anonymity: foundations of re-encryption. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 255–273. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_14
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 International Association for Cryptologic Research
About this paper
Cite this paper
Banfi, F., Gegier, K., Hirt, M., Maurer, U., Rito, G. (2024). Anamorphic Encryption, Revisited. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14652. Springer, Cham. https://doi.org/10.1007/978-3-031-58723-8_1
Download citation
DOI: https://doi.org/10.1007/978-3-031-58723-8_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58722-1
Online ISBN: 978-3-031-58723-8
eBook Packages: Computer ScienceComputer Science (R0)