Revisiting Deniability in Quantum Key Exchange via Covert Communication and Entanglement Distillation
We revisit the notion of deniability in quantum key exchange (QKE), a topic
that remains largely unexplored. In the only work on this subject by Donald
Beaver, it is argued that QKE is not necessarily deniable due to an
eavesdropping attack that limits key equivocation. We provide more insight into
the nature of this attack and how it extends to other constructions such as QKE
obtained from uncloneable encryption. We then adopt the framework for quantum
authenticated key exchange, developed by Mosca et al., and extend it to
introduce the notion of coercer-deniable QKE, formalized in terms of the
indistinguishability of real and fake coercer views. Next, we apply results
from a recent work by Arrazola and Scarani on covert quantum communication to
establish a connection between covert QKE and deniability. We propose DC-QKE, a
simple deniable covert QKE protocol, and prove its deniability via a reduction
to the security of covert QKE. Finally, we consider how entanglement
distillation can be used to enable information-theoretically deniable protocols
for QKE and tasks beyond key exchange.
Comment: 16 pages, published in the proceedings of NordSec 201
Bi-Deniable Public-Key Encryption
In CRYPTO 1997, Canetti et al. put forward the intriguing notion of
deniable encryption, which (informally) allows a sender and/or
receiver, having already performed some encrypted communication, to
produce 'fake' (but legitimate-looking) random coins that open the
ciphertext to another message. Deniability is a powerful notion for
both practice and theory: apart from its inherent utility for
resisting coercion, a deniable scheme is also noncommitting (a useful
property in constructing adaptively secure protocols) and secure under
selective-opening attacks on whichever parties can equivocate. To
date, however, known constructions have achieved only limited forms of
deniability, requiring at least one party to withhold its randomness,
and in some cases using an interactive protocol or external parties.
In this work we construct \emph{bi-deniable} public-key cryptosystems,
in which both the sender and receiver can simultaneously equivocate;
we stress that the schemes are noninteractive and involve no third
parties. One of our systems is based generically on "simulatable
encryption" as defined by Damgård and Nielsen (CRYPTO 2000),
while the other is lattice-based and builds upon the results of
Gentry, Peikert and Vaikuntanathan (STOC 2008) with techniques that
may be of independent interest. Both schemes work in the so-called
"multi-distributional" model, in which the parties run alternative
key-generation and encryption algorithms for equivocable
communication, but claim under coercion to have run the prescribed
algorithms. Although multi-distributional deniability has not
attracted much attention, we argue that it is meaningful and useful
because it provides credible coercion resistance in certain settings,
and suffices for all of the related properties mentioned above.
Lower and Upper Bounds for Deniable Public-Key Encryption
A deniable cryptosystem allows a sender and a receiver to
communicate over an insecure channel in such a way that the
communication is still secure even if the adversary can threaten the
parties into revealing their internal states after the execution of
the protocol. This is done by allowing the parties to change their
internal state to make it look like a given ciphertext decrypts to a
message different from what it really decrypts to. Deniable
encryption was in this way introduced to allow denying a message
exchange and hence combat coercion.
Depending on which parties can be coerced, the security level, the
flavor and the number of rounds of the cryptosystem, it is possible
to define a number of notions of deniable encryption.
In this paper we prove that there does not exist any non-interactive
receiver-deniable cryptosystem with better than polynomial
security. This also shows that it is impossible to construct a
non-interactive bi-deniable public-key encryption scheme with better
than polynomial security. Specifically, we give an explicit bound
relating the security of the scheme to how efficient the scheme is
in terms of key size. Our impossibility result establishes a lower
bound on the security.
As a final contribution we give constructions of deniable public-key
encryption schemes which establish upper bounds on the security in
terms of key length. There is a gap between our lower and upper
bounds, which leaves the interesting open problem of finding the
tight bounds.
Online Deniability for Multiparty Protocols with Applications to Externally Anonymous Authentication
In the problem of anonymous authentication (Boneh et al. CCS 1999), a sender wishes to authenticate a message to a given recipient in a way that preserves anonymity: the recipient does not know the identity of the sender and is only assured that the sender belongs to some authorized set. Although solutions for the problem exist (for example, by using ring signatures, e.g. Naor, Crypto 2002), they provide no security when the anonymity set is a singleton. This work is motivated by the question of whether there is any type of anonymity possible in this scenario. It turns out that we can still protect the identity of all senders (authorized or not) if we shift our concern from preventing the identity information from being revealed to the recipient to preventing it from being revealed to an external entity, other than the recipient. We define a natural functionality which provides such guarantees and we denote it by F_{eaa} for externally anonymous authenticated channel.
We argue that any realization of F_{eaa} must be deniable in the sense of Dodis et al. TCC 2009. To prove the deniability of similar primitives, previous work defined ad hoc notions of deniability for each task, and then each notion was shown equivalent to realizing the primitive in the Generalized Universal Composability framework (GUC, Canetti et al. TCC 2007). Instead, we put forward the question of whether deniability can be defined independently from any particular task. We answer this question in the affirmative, providing a natural extension of the definition of Dodis et al. for arbitrary multiparty protocols. Furthermore, we show that a protocol satisfies this definition if and only if it realizes the ideal functionality F_{eaa} in the GUC framework. This result enables us to prove that most GUC functionalities we are aware of (and their realizations) are deniable.
We conclude by applying our results to the construction of a deniable protocol that realizes F_{eaa}.
Deniable Key Exchanges for Secure Messaging
Despite our increasing reliance on digital communication, much of our online discourse lacks any security or privacy protections. Almost no email messages sent today provide end-to-end security, despite privacy-enhancing technologies being available for decades. Recent revelations by Edward Snowden of government surveillance have highlighted this disconnect between the importance of our digital communications and the lack of available secure messaging tools. In response to increased public awareness and demand, the market has recently been flooded with new applications claiming to provide security and privacy guarantees. Unfortunately, the urgency with which these tools are being developed and marketed has led to inferior or insecure products, grandiose claims of unobtainable features, and widespread confusion about which schemes can be trusted.
Meanwhile, there remains disagreement in the academic community over the definitions and desirability of secure messaging features. This incoherent vision is due in part to the lack of a broad perspective of the literature. One of the most contested properties is deniability—the plausible assertion that a user did not send a message or participate in a conversation. There are several subtly different definitions of deniability in the literature, and no available secure messaging scheme meets all definitions simultaneously. Deniable authenticated key exchanges (DAKEs), the primary cryptographic tool responsible for deniability in a secure messaging scheme, are also often unsuitable for use in emerging applications such as smartphone communications due to unreasonable resource or network requirements.
In this thesis, we provide a guide for a practitioner seeking to implement deniable secure messaging systems. We examine dozens of existing secure messaging protocols, both proposed and implemented, and find that they achieve mixed results in terms of security. This systematization of knowledge serves as a resource for understanding the current state-of-the-art approaches. We survey formalizations of deniability in the secure messaging context, as well as the properties of existing DAKEs. We construct several new practical DAKEs with the intention of providing deniability in modern secure messaging environments. Notably, we introduce Spawn, the first non-interactive DAKE that offers forward secrecy and achieves deniability against both offline and online judges; Spawn can be used to improve the deniability properties of the popular TextSecure secure messaging application. We prove the security of our new constructions in the generalized universal composability (GUC) framework. To demonstrate the practicality of our protocols, we develop and compare open-source instantiations that remain secure without random oracles.
Deniable encryption protocols based on probabilistic public-key encryption
The paper proposes a new method for designing deniable encryption protocols characterized by the use of RSA-like probabilistic public-key encryption algorithms. Sender-, receiver-, and bi-deniable protocols are described. To provide bi-deniability in the case of attacks performed by an active coercer, a stage of entity authentication is used in one of the described protocols.
Deniable encryption, authentication, and key exchange
We present some foundational ideas related to deniable encryption, message authentication, and key exchange in classical cryptography. We give detailed proofs of results that were previously only sketched in the literature. In some cases, we reach the same conclusions as in previous papers; in other cases, the focus on rigorous proofs leads us to different formulations of the results.