criptografia_negável-ran_canetti
TRANSCRIPT
7/23/2019 criptografia_negável-ran_canetti
http://slidepdf.com/reader/full/criptografianegavel-rancanetti 1/15
D e n i a b l e E n c r y p t i o n
Ran Canetti Cynthia Dwork: Moni Naor s Rafall Ostrovsky4
i I B M T . J . W a t s o n R e s e a rc h C e n t e r .
c a n e t t i Q w a t s o n . i b m . c o m
2 I B M A l m a d en R e s e a rc h C e n t e r . e m a i / : d w o r k Q a l m a d e n . i b m . c o m
s D e p t . o f C o m p u t e r S c i en c e, t h e W e i z m a n n I n s t it u t e .
ema~l
n a o r Q w i s d o m . w e i z m a n n , a c . il
4 Be l l Com m uni c a t i ons Re s e a r c h , M CC 1C- 365B, M or r i s t ow n , N . J .
ema~l
r a f a i l Q b e l l c o r e . c o m
A b s t r a c t . C o n s id e r a s i tu a t i o n in w h i c h t h e t ra n s m i s s io n o f e n c r y p t e d
m e s s a ge s i s i n t e r c e p t e d by a n a dve r s a r y w ho c a n l a t e r a s k t he s e nde r t o
r e ve a l t he r a ndom c ho ic e s ( a nd a l s o t he s e c r e t ke y , i f one e x i s t s) u s e d in
ge ne r a t i ng t he c i phe r t e x t , t he r e by e xpos i ng t he c l e a r t e x t . A n e nc r yp t i on
s c he m e is de nia ble i f t he s e nde r c a n ge n e r a t e f a ke r a nd om c ho ic e s t ha t
w ill m a ke t he c i phe r t e x t l ook l ike a n e nc z y p t i on o f a d i ~e r e n t c l e a r te x t ,
t hus ke e p i ng t he r e a l c l e a r t e x t p r i va t e . A na l ogous r e qu i r e m e n t s c a n be
f o r m u l a t e d w i t h r e s pe c t t o a t t a c k i ng t he r e c e i ve r a nd w i t h r e s pe c t t o
a t t a c k ing bo t h pa r t ie s .
I n th i s pa pe r w e i n t r oduc e de n i a b l e e nc r yp t i on a nd p r opo s e c ons t r uc t ions
o f s c hem e s w i th po l ynom i a l de n i a b i li t y . I n a dd i t i on t o be i ng i n t e r e s ti ng
by i ts e l f, and having severa l app l i ca t ions , den iab le enc ryp t ion provides a
s im p lif ie d a nd e l e ga n t c ons t r uc t i on o f a d a p t i r e l y s e c u r e m u l t i pa r t y c om -
pu t a t i on .
I n t r o d u c t i o n
T h e t r a d i t io n a l g o a l o f e n c r y p t i o n is t o m a i n t a i n t h e p r i v a c y o f c o m m u n i c a t e d
d a t a a g a i n st p a ss iv e e a v e s d r o p p e r s . T h a t i s, ~ s u m e t h a t A l i c e w a n t s t o c o m -
m u n i c a t e p r iv a t e i n f o r m a t i o n t o B o b o v e r a c h a n n e l w h e r e E v e c a n e av e sd r op .
A l ic e o b t a in s B o b s ( p u bl ic ) e n c r y p t i o n k e y o f a n a s y m m e t r i c e n c r y p t i o n sc h em e
a n d u s es it , t o g e t h e r w i t h l o c al r a n d o m n e s s , t o e n c r y p t h e r m e s sa g e s. N o w o n l y
B o b , w h o p o s se ss es t h e d e c r y p t i o n k e y , s h o u l d b e a b l e t o d e c r y p t . S e m a n t i c se -
c u r i t y [ 1 5 ] c a p t u r e s t h e s e c u r i t y r e q u i r e m e n t s t h a t t h i s s e t t i n g i m p o s e s o n t h e
e n c r y p t i o n fu n c t i o n . B a s ic a ll y , s e m a n t i c s e c u r i t y m e a n s t h a t E v e le a r ns n o t h i n g
f r o m t h e c i p h e r te x t s s h e h e a rs : w h a t e v e r s h e c a n c o m p u t e h a v i n g h e a r d t h e ci-
p h e r t e x t s s h e c a n al so c o m p u t e f r o m s c r a t c h . I t f o l lo w s t h a t A l ic e m u s t u s e l o c a l
r a n d o m n e s s i n o r d e r t o a c h i ev e s e m a n t i c s e c u r i ty .
W h i l e ( p as si ve ) se m a n t i c s e c u r i t y a p p r o p r i a t e l y c a p t u r e s t h e s e c u r it y n e e d e d
a g a i n s t p a s s iv e e a v e s d r o p p e r s , t h e r e a r e s e t t i n g s i n w h i c h i t f al ls s h o r t o f p r o -
v i d i n g t h e d e s ir e d d e g r ee o f p r o t e c t i o n . S u c h s e t t i n g s i n c l u d e p r o t e c t i o n a g a i n s t
* Re s e a r c h on t h i s pa pe r w a s s uppo r t e d by BS F G r a n t 32 - 00032 .
7/23/2019 criptografia_negável-ran_canetti
http://slidepdf.com/reader/full/criptografianegavel-rancanetti 2/15
9
chosen ciphertext attacks (e.g., [17, 18]), non-malleable encryption [8], and pro-
tection against adaptive adversaries [7].
We investigate the additional properties required to protect the privacy of
transmitted data in yet another hostile setting. Assume that the adversary Eve
now has the power to approach Alice (or Bob, or both) af/er the ciphertext
was transmitted, and demand to see all the private information: the cleartext,
the random bits used for encryption and any private keys Alice (or Bob) have.
Once Alice hands over this information, Eve can verify that the cleartext and
randomness provided by Alice indeed mat~.h the transmi tted ciphertext. Can the
privacy of the communicated dat a be still somehow maintained, in face of such
an attack?
We first concentrate on the case where Eve attacks only Alice in the above
way. Certainly, if Alice must hand Eve the real cleartext and random bits then
no protection is possible. Also if Eve approaches Alice before the transmission
and requires Alice to send specific messages there is no way to hide information.
However, in case Eve has no direct physical access to Alice's memory, and Alice
is allowed to hand Eve fake cleartext and random bits, is it possible for Alice
to maintain the privacy of the transmitted data? That is, we ask the following
question. Assume Alice sent a ciphertext e = E(ml , r) , where ml is some mes-
sage, E is the public encryp tion a lgo rithm and r is Alice's local random input.
Can Alice now come up with a fake random input r' that will make e 'look like'
an encryption of a different message m2? We call encryption schemes that have
this property deniable.
The following valid ques tion ma y arise at this point: if Eve has no physical
access to Alice's memory, then why should Alice present Eve with any data
at all? That is, why not have Alice tell Eve: 'Sorry, I erased the cleartext and
the random bits used'. Indeed, if Eve will be willing to accept such an answer,
then deniable encryption is not needed. But there may well exist cases where
being able to provide Eve with convincing fake randomness will be valuable to
Alice. (Presenting convincing da ta is almost always more credible than saying 'I
erased', or 'I forgot'.) In fact, there ma y be cases where Alice is required to record
all her history including the randomness used, and can be punished/prosecuted
if she claims to have destroyed the evidence , i .e. any part of her history.
Furthermore, the mere fact that Alice is able to 'open' any ciphertext in many
ways makes it impossible for Alice to convince Eve in the authenticity of ar~y
opening. This holds even if Alice w i s h e s to present Eve with the real data. In
this sense, the privacy of Alice's data is protected even from the ~ ture be hav ior
of Al ice herse l f.
Standard encryption schemes do not guarantee deniability. Indeed, typically
there do not exisg two different messages that may result in the same ciphertext
(with any random input). In fact, encryption is often conceived of as a c om -
mi t ing process, in the sense that the ciphertext may serve as a commitment to
the cleartext. (This is a common use for encryption schemes, e.g. in [13, 14].)
Deniable encryption radically diverges from this concept.
D~niable encryption may seem impossible at first glance: consider a cipher-
7/23/2019 criptografia_negável-ran_canetti
http://slidepdf.com/reader/full/criptografianegavel-rancanetti 3/15
92
t e x t c s e n t f r o m A l i c e t o B o b . If, u s i n g t w o d i f f e r e n t r a n d o m c h o i c e s , A l i c e c o u l d
h a v e g e n e r a t e d c b o t h a s a n e n c r y p t i o n o f a m e s s a g e m l a n d a s a n e n c r y p t i o n
o f a d i f f e r e n t m e s s a g e , m 2 , t h e n h o w c a n B o b c o r r e c t l y d e c i d e , f r o m c a l on e ,
w h e t h e r A l i c e m e a n t t o s e n d m l o r m 2 ? A m o r e c a r e f u l i n s p e c t i o n s h o w s t h a t
s u c h s c h e m e s c a n i n d e e d b e c o n s t r u c t e d , b a s e d o n t r a p d o o r i n f o r m a t i o n u n a v a il -
a b l e t o E v e .
D e n i a b l e e n c r y p t i o n h a s a p p l i c a t i o n s t o t h e p r e v e n t i o n o f v o t e - b u y i n g i n
e l e c t r o n i c v o t i n g s c h e m e s [4, 1 0, 1 1 , 1 9 ] , s t o r i n g e n c r y p t e d d a t a i n a d e n i a b l e
w a y , a n d u n c o e r c i b l e m u l t i p a r t y c o m p u t a t i o n [ 5 ] ; it a l s o y i e l d s a n a l t e r n at i v e
s o l u t i o n t o t h e a d a p t i v e s e c u r i t y p r o b l e m [ 7 ]. e e l a b o r a t e o n t h e s e a p p l i c a t i on s
i n t h e s e q u e l .
W e c la ss if y d e n i a b l e e n c r y p t i o n s c h e m e s a c c o r d i n g t o w h i c h p a r t i e s m a y b e
c o e r c e d : a s e n d e r - d e n ia b l e s c h e m e i s r e s il i e nt a g a i n s t c o e r c i n g
i . e . ,
e m a n d i n g
t o s e e t h e s e c r e t d a t a ) o f t h e s e n d e r o f t h e c i p h e r t e x t ; r ec e iv e r- d en i ab l e a n d
s e n de r -a n d -r e ce l v er - d en i ab l e s c h e m e s a x e d e f i n e d a n a l o g o u s l y . W e a l s o d i s t i n g ui s h
b e t w e e n s h a r e d - k e y s c h e m e s , i n w h i c h t h e s e n d e r a n d r e c e i v e r i ni ti al ly s h a r e
s o m e i n f o r m a t i o n , a n d p u b l i c - k e y d e n i a b l e e n c r y p t i o n s c h e m e s , i n w h i c h n o p r i o r
c o m m u n i c a t i o n i s a s s u m e d . A n o t h e r i s s u e i s t h e t i m e a t w h i c h t h e c o e r c e d p a r t y
m u s t d e c i d e o n t h e f a k e m e s s a g e : a t t i m e o f a t t a c k ( p r e f e r a b l e ) o r a t t i m e o f
e n c r y p t i o n .
L e t u s i n f o r m a l l y s k e t c h t h e r e q u i r e m e n t s f o r a o n e - r o u n d p u b l i c - k e y , s e n d e r -
d e n i a b l e , b i t - b y - bi t e n c r y p t i o n s c h e m e ( S e c t i o n 2 c o n t a i n s a m o r e g e n e r a l d ef i-
n i ti o n ) . L e t E L b e t h e s e n d e r s e n c r y p t i o n a l g o r i t h m w i t h p u b l i c k e y h . F i r s t, a
d e n i a b l e e n c r y p t i o n s c h e m e s h o u l d b e s e m a n t i c a l l y s e c u r e i n t h e s e n s e o f [ 1 5] .
I n a d d i t i o n w e r e q u i r e t h a t t h e s e n d e r h a v e a ( p u b l i c l y k n o w n ) f a k i n g a l g o r i t h m .
G i v e n a b i t b, a r a n d o m i n p u t r , a n d t h e r e s u l t i n g c i p h e r t e x t c = E ~ ( b , r ) , t h e
f a k i n g a l g o r i t h m g e n e r a t e s a f a k e r a n d o m i n p u t p = r r , c ) t h a t c m a k e s c l o o k
l i ke a n e n c r y p t i o n o f b . T h a t is, g i v e n b , p , c , t h e a d v e r s a r y s h o u l d b e u n a b l e t o
d i s t i n g u i s h b e t w e e n t h e f o l l o w i n g c a s e s :
a ) p i s u n i f o r m l y c h o s en a n d c - E ~ b , p )
b ) c w a s g e n e r a te d a s c : - E ~ b , r ) w h e r e r is i n d e p e n d e n t l y a n d u n i f o r m l y
c hose n , a n d p : r r , c ) .
W e s a y t h a t a s c h e m e is 6 - d e n i a b l e i f t h e a d v e r s a r y c a n d i s t i n g u i s h b e t w e e n c a s es
a ) a n d b ) w i t h p r o b a b i l i t y a t m o s t 6.
W e c o n s t r u c t a s e n d e r - d e n i a b l e p u b l i c - k e y e n c r y p t i o n s c h e m e b a s e d o n a n y
t r a p d o o r p e r m u t a t i o n S e c t i o n 3 ). H o w e v e r , o u r s c h e m e f a ll s s h o r t o f a c h ie v -
i n g t h e d e s i r e d l ev e l o f d e n i a b i l i t y . T h a t i s, w h i l e w e c a n c o n s t r u c t a 6 - d e n i a b le
s c h e m e fo r a r b i t r a r i l y s m a l l 6, t h e l e n g t h o f th e c i p h e r t e x t i s l i n e a r i n 1 / 6 .
C o n s e q u e n t l y , i f w e w a n t 6 t o b e n e g l i g i b l e , w e e n d u p w i t h c i p h e r t e x t s o f
s u p e r - p o l y n o m i a l l e n g th . T h e s e m a n t i c s e c u r i t y o f o u r s c h e m e a g a i n s t p a ss iv e
e a v e s d r o p p e r s h o l d s i n th e u s u a l s e n s e .) W e p r e s e n t e v i d e n c e t h a t c o n s t r u c t i n g
s u b s t a n t i a l l y b e t t e r o n e - r o u n d s c h e m e s r e q u i r e s a d i f f e r e n t a p p r o a c h S e c ti o n 4 ) .
W e a l so c o n si d er a m o r e f le x ib l e n o t i o n o f d e n i a b i l i t y t h a n t h e o n e sk e tc h e d
a b o v e . A n e n c r y p t i o n s c h e m e f o r e n c r y p t i n g a s i n g l e b i t c a n b e g e n e r a l ly v i ew e d
a s d e fi n i n g t w o d i s t r ib u t i o n s o n c i p h e r t e x t s : a d i s t r i b u t i o n T o o f e n c r y p t i o n s o f
7/23/2019 criptografia_negável-ran_canetti
http://slidepdf.com/reader/full/criptografianegavel-rancanetti 4/15
9 3
0 , a n d a d i s t r i b u t i o n 2 1 o f e n c r y p t i o n s o f 1 . H e r e , i n c o n t r a s t , t h e s e n d e r c h o o s e s
t h e c i p h e r t e x t a c c o r d i n g t o o n e
of four
d i s t r i b u t i o n s , T o , T 1 , C o , C 1 . D i s t r i b u t i o n
b is u s e d b y a se n d e r w h o w i s h e s t o s e n d t h e b i n a r y v a l u e b a n d d o e s n o t w i s h t o
h a v e t h e a b i li t y t o o p e n d i s h o n e s t l y w h e n a t t a c k e d . D i s t r i b u t i o n C , is a ls o u s e d
t o s e n d t h e b i t v a l u e b, b u t b y a s e n d e r w h o w i s h e s t o p r e s e r v e b o t h t h e a b i l i t y t o
o p e n h o n e s t l y a n d t h e a b i l i t y t o o p e n d i s h o n e s t l y w h e n a tt a c k e d . (T h i s c h o ic e
c a n b e m a d e a t t i m e o f a t t a c k . ) I n p a r t i c u l a r , i f t h e s e n d e r e n c r y p t s a c c o r d in g t o
d i s t r ib u t i o n C ~ t h e n , w h e n a t t a c k e d , t h e s e n d e r c a n a p p e a r t o h a v e c h o se n e i t h e r
f r o m T o o r T 1. T h i s a l t e r n a t i v e n o t i o n a l l o w s u s t o c o n s t r u c t e f fi ci en t d e n i a b l e
s c h e m e s w i t h n e g l i g i b l e 6 .
S e c t io n 6 s h ow s , v i a s i m p l e c o n s t r u c t i o n s , h o w t o t r a n s f o r m a n y s e n d e r -
d e n i a b l e e n c r y p t i o n s c h e m e i n t o a r e c e i v e r - d e n i a b l e s c h em e , a n d v i ce - ve r sa . W e
a l s o s h o w h o w a s c h e m e r e s i h e n t a g a i n s t c o r r u p t i n g b o t h t h e s e n d e r a n d t h e
r e c e i v e r c a n b e c o n s t r u c t e d b a s e d o n a s c h e m e r e s i l i e n t a g a i n s t c o r r u p t i n g t h e
s e n d e r . T h i s l a s t c o n s t r u c t i o n r e q u i r e s t h e h e l p o f o t h e r p a r t i e s i n a n e t w o r k ,
a n d w o r k s a s l o n g a s a t l e a s t o n e o t h e r p a r t y r e m a i n s u n a t t a c k e d . I n S e c t i o n 5
w e r e v i e w s o m e s h a r e d - k e y d e n i a b l e s c h e m e s .
A P P L I C A T I O N S A N D R E L A T E D W O R K A n a t u r a l a p p l i c a t i o n o f d e n i a b l e e n -
c r y p t i o n i s t o p r e v e n t c o e r c i o n i n e l e c t r o n i c s e c r e t v o t i n g s c h e m e s [ 10 ]: c o e r c e r
m a y o f f e r b r i b e i n e x c h a n g e f o r p r o o f o f a p e r s o n s v o t e , a f t e r h e a r i n g t h e c o r -
r e s p o n d i n g c i p h e r t e x t . T h e c o e r c i o n p r o b l e m i n t h e c o n t e x t o f v o t i n g h a s b e e n
s t u d i e d i n t h e p a s t [ 4 , 1 9 , 1 1 ] . H o w e v e r , t h e s e p r e v i o u s w o r k s a s s u m e t h a t , f o r a
c r u c i a l p a r t o f t h e c o n v e r s a t i o n , t h e c o m m u n i c a t i n g p a r t i e s s h a r e a p h y s i c a l l y s e -
c u r e c h a n n e l ; t h u s , t h e c o e r c e r h e a r s n o c i p h e r t e x t a n d t h e d e n i a b i l i t y r o b l e m
d i s a p p e a r s . 5 D e n i a b l e e n c r y p t i o n s m a y b e i n c o r p o r a t e d i n t h e s e w o r k s t o r e p l a c e
t h e s e p h y s i c a l s e c u r i t y a s s u m p t i o n s . ( O n e s t i l l a s t o m a k e s u r e , a s b e f o r e , t h a t
t h e v o t e r s a r e n o t c o e r c e d p r / o r t o t h e e l e c t i o n s . )
B a s e d o n t h e p u b l i c - k e y , s e n d e r - d e n i a b l e c o n s t r u c t i o n p r e s e n t e d h e r e , [ 5] d e -
s c r i b e a g e n e r a l m u l t i p a r t y p r o t o c o l p e r m i t t i n g a s e t o f p a r t i e s t o c o m p u t e a
c o m m o n f u n c t i o n o f t h e i r i n p u t s w h i l e k e e p i n g t h e i r i n t e r n a l d a t a p r i v a t e e v e n
i n t h e p r e s e n c e o f a c o e r c e r .
F i n a l l y , o u r w o r k o n d e n i a b l e e n c r y p t i o n p r o v i d e s a c o n c e p t u a l l y s i m p l e a n d
e l e g a n t a l t e r n a t i v e s o l u t i o n t o t h e p r o b l e m o f g e n e r a l s e c u r e m u l t i p a r t y c o m -
p u t a t i o n i n t h e p r e s e n c e o f a n
d p t i v e
a d v e r s a r y - o n e t h a t c h o o s e s w h o m t o
c o r r u p t
d u r i n g
t h e c o u r s e o f t h e c o m p u t a t i o n , b a s e d o n t h e i n f o r m a t i o n s e e n a s
t h e e x e c u t i o n u n f o l d s . P r o t o c o l s f o r s e c u r e l y c o m p u t i n g a n y f u n c t i o n i n a m u l -
t i p a r t y s c e n a r i o i n t h e p r e s e n c e o f a n o n - a d a p t i v e a d v e r s a r y w e r e s h o w n i n [ 14 ].
A l m o s t a d e c a d e p a s s e d b e f o r e t h e r e s t r i c t i o n t o n o n - a d a p t i v e a d v e r s a r i e s w a s
l i f te d [ 7 ] . T h e s e p r o t o c o l s a r e b a s e d o n a n o t h e r t y p e o f e n c r y p t i o n p r o t o c o l ,
s In [11] a s ligh t ly d i f fe ren t phy s ica l s ecu r i ty a s su m pt ion i s ma de , nam ely tha t the
random choices used for enc rypt ion a re phys ica l ly unava i l ab le . The resu l t i s the
same: the 'den iab i l i ty problem' d i sappears .
[9 , 3 ] ob ta in so lu t ions for th i s p r ob lem un de r the as sum pt ion tha t the pa r t i e s a re
t rus te d to keep e ras ing pas t in fo rm at ion . Such so lu t ions a re unsa t i s fac tory in a s e t -
t ing where pa r t i e s a ren ' t t rus ted s ince e ras ing cannot be ex te rna l ly ve r i f i ed . Fur the r -
m o r e , t he phys i c al de si gn o f c om pu t e r s y s t e m s m a ke s e r a si ng i n f o r m a t i on d if fic ult
and unrel iable [16] .
7/23/2019 criptografia_negável-ran_canetti
http://slidepdf.com/reader/full/criptografianegavel-rancanetti 5/15
9
c a l l e d non c o m m itt ing e n c r y p t i o n . N o n - c o m m i t t i n g e n c r y p t i o n s h a v e t h e s a m e
f l a vo r a s d e n i a b l e e n c r y p t i o n s , i n t h a t t h e r e e x i s t c i p h e r t e x t s t h a t c a n b e o p e n e d
a s e n c r y p t i o n s o f , s a y , b o t h q a n d 0 . o w e v e r , n o n - c o m m i t t i n g e n c r y p t i o n s a r e
s tr ic tl y w e a k e r t h a n d e n i a b l e o n e s . F o r e x a m p l e , i n n o n - c o m m i t t i n g e n c r y p t i o n s
t h e p a r t i e s z ~ s i n g t h e s c h e m e a r e , i n g e n e r a l ,
n o t
a b l e t o g e n e r a t e c i p h e r t e x t s
t h a t c a n b e o p e n e d b o t h w a y s ; s u c h c i p h e r t e x t s c a n o n l y b e g e n e r a t e d b y a s i m -
u l a t o r ( w h i c h i s a n a r ti f ac t f t h e [7] m o d e l ) . I n c o n t r a s t , i n d e n i a b l e e n c r y p t i o n
e a c h c i p h e r t e x t g e n e r a t e d b y p a r t i e s u s i n g t h e s c h e m e h a s u n i q u e d e c r y p t i o n ,
a n d a t t h e s a m e t i m e c a n b e o p e n e d i n s e v e r a l w a y s f o r a n a d v e r s a r y ( t h u s ,
t h e n o n - c o m m i t t i n g e n c r y p t i o n s c h e m e i n [ 7] i s n o t d e n i a b l e ) . T h e k e y i n si g ht i s
t h a t a n y d e n i a b l e e n c r y p t i o n s c h e m e r e si l i e n t g a i n s t a t t a c k i n g b o t h t h e s e n d e r
a n d t h e r e c e iv e r is n o n - c o m m i t t i n g . I n d e e d , a p p l y i n g t h e t r a n s f o r m a t i o n o f S e c -
t i o n 6 t o t h e b a s i c s c h e m e d e s c r i b e d i n S e c t i o n 3 y i e l d s a c o m p l e t e s o l u t i o n t o
t h e a d a p t i v e s e c u r i t y p r o b l e m . S e e [6] f o r m o r e d e t a i l s .
2 D e f i n i t i o n s
L e t u s f ir st e c al l h e d e f i n i ti o n o f c o m p u t a t i o n a l d i s t a n c e o f d i st r ib u t i on s . e r e
a n d i n t h e s e q u e l a f u n c t i o n 6 : N --* [0, I ] i s n e gl i gi b le f i t a p p r o a c h e s z e r o fa s t er
t h a n a n y p o l y n o m i a l ( w h e n i t s a r g u m e n t a p p r o a c h e s i n f i n i t y ) .
D e f i n i t i o n 1 . L e t . 4 = { A , ~ } , ~ e N a n d B = { B ~ } n e N b e t w o e n s e m b l e s o f p r o b -
a b i l it y d i s t r ib u t i on s , a n d l et 6 : N --* [ 0, 1]. W e s a y t h a t . 4 a n d B a r e 6 ( n ) -
c l o se i f f o r e v e r y p o l y n o m i a l t i m e d i s t i n g u i s h e r D a n d f o r a ll l a r g e e n o u g h n ,
[ P r o b ( D ( A , ~ ) = i ) - P r o b ( D ( B , ~ ) = i ) [ < 6 n ) .
I f 6 ( n ) i s n e g li g i bl e t h e n w e s a y t h a t . 4 a n d B a r e computa t iona l l y i n d i s t i n -
g u i s h a b l e a n d w r i t e , 4 ~ B .
2 . 1 P u b l i c - k e y e n c r y p t l o n
Co n s id e r a sen d e r S an d a r ece iv e r R . t h a t , a
pr ior i
h av e n o sh a red sec r e t i n -
f o r m a t i o n . T h e y en g a g e i n s o m e p r o t o c o l i n o r d e r t o t r a n s m i t a m e s s a g e f r o m
S t o R . ( I f a s ta n d a r d p u b l i c k e y e n c r y p t i o n s c h e m e i s u s e d th e n t h is p r o to -
c o l m a y c o n s is t o f t h e r e c e iv e r s e n d i n g h i s p u b l i c e n c r y p t i o n k e y t o t h e s e n d e r,
w h o r e s p o n d s w i t h t h e e n c r y p t e d m e s s a g e . ) I n t u i t i v e l y , w e d e si re : ( 1 ) t h e r e-
ce iv e r sh o u ld b e ab le to d ec r y p t t h e co r r ec t v a lu e ( ex ce p t , p e rh ap s , w i th neglig i-
b l e p r o b a b i l i t y o f e r ro r ); ( 2) t h e p r o t o c o l s h o u l d b e s e m a n t i c a l l y s e c u re a g a i n s t
e a v e s d r o p p e r s ; a n d ( 3 ) t h e s e n d e r s h o u l d h a v e a f a k i ng algorithm ~b su ch t h a t,
g iv en ( m l , ~ s , c , m 2 ) (wh e re rn l i s t h e t r a n s m i t t ed m essag e , r s i s t h e sen d e r s
r a n d o m i n p u t , c is a t r a n s c r i p t o f t h e c o n v e r s a t i o n b e t w e e n S a n d R f o r t r a n s -
m i t t i n g r r~ t , n d r n 2 is t h e r e q u i r e d f a k e m e s s a g e ) , ~ g e n e r a t e s a f a k e r a n d o m
i n p u t f o r t h e s e n d e r , t h a t m a k e s c l o o k l i k e a c o n v e r s a t i o n f o r t r a n s m i t t i n g r n 2.
7/23/2019 criptografia_negável-ran_canetti
http://slidepdf.com/reader/full/criptografianegavel-rancanetti 6/15
95
M o r e p r ec is e ly , le t M b e t h e s e t o f a l l p o s s i b l e m e s s a g e s t o b e s e n t f r o m S t o
R ( M c a n b e { 0 , 1 } ' f o r s o m e s ) . L e t ~r b e a p r o t o c o l f o r t r a n s m i t t i n g a m e s s a g e
rr~ E M f r o m S t o R . L e t C O M , ( m , r s , rR ) d e n o t e t h e c o m m u n i c a t i o n b e t w e e n
S a n d R f or t r a n s m i t t i n g m , w h e n S h a s r a n d o m i n p u t r s a n d R h a s r a n d o m
i n p u t r R . L e t c o M ~ ( ra ) d e n o t e t h e r a n d o m v a r i a b l e d e s c r ib i n g C O M~ m , r S , r R )
w h e n r s a n d r R a re u n i f o r m l y a n d i n d e p e n d e n t l y c h o s en .
D e f i n i t i o n 2 . A p r o t o c o l ~r w i t h s e n d e r S a n d r ec e iv e r R , a n d w i th s e c u ri ty
pa r ame te r n , i s a 6 ( n ) - sende r - den iab l e enc r yp t ion p r o toco l i f :
C o rre ctn ess : T h e p r o b a b i l i t y t h a t R ' s o u t p u t i s d i ff e re n t t h a n S ' s i n p u t is n e g -
l ig ib l e ( a s a f un c t ion o f n ) .
S ecu rity : F o r a n y m l , m 2 E M w e h a v e c o M ~ ( m l ) ~ c o M , ( m 2 ) .
Deniabil ity: Th ere exis t s an e f f ic ient faking a lgor ithm hav ing the fol lowing pro p-
e r ty w i th r e s p ec t t o a n y m l , r a2 E M . L e t r s , r R b e u n i f o r m l y a n d i n d e p e n -
den t ly chosen r and om inp u t s o f S an d R , r e spec t ive ly , l e t c - co M , ( m 1, r s , r R ) ,
a n d l et ? s = ( m l , r s , c , m 2 ) . T h e n , t h e r a n d o m v a ri ab l es
( m 2 , r s , C O M , ( m r , r s , r R ) ) a n d ( m 2 , r s , c o M ~ ( m 2 , r s , r R ) ) ( 1)
a re 5(n) -c lose .
T h e r ig h t h a n d s id e o f ( 1 ) d e s c r i b e s t h e a d v e r s a r y ' s v i e w o f a n h o n e s t e n c r y p t i o n
of m2 acco r d ing to p r o toc o l 7r. T he l e f t han d s ide o f ( 1 ) de sc ribe s t he adve r sa r y ' s
v i e w w h e n c w a s g e n e r a t e d w h i l e t r a n s m i t t i n g m l , a n d t h e s e n d er fa l se l y c l a im s
t h a t c is a n e n c r y p t i o n o f m 2 . T h e d e f i n i t io n r e q u i re s t h a t t h e a d v e r s a r y c ~ n n o t
d i st in g u i sh b e t w e e n t h e t w o c a s e s w i t h p r o b a b i l i t y m o r e t h a n 6 n) .
R EM A R KS : 1 . W h e n t h e d o m a i n o f m e s s a g e s i s M = { 0 , 1 } t h e d e f in i ti o n m a y
b e s i m p l if ie d . I n t h e s e q u e l w e c o n c e n t r a t e o n s u c h s c h e m e s , e n c r y p t i n g o n e b i t
a t a t ime .
2 . D e f in i ti o n 2 re q u i re s t h e p a r t i e s t o c h o o s e n e w p u b l i c k e y s f o r e a c h m e s s a g e
t r a n s m i t t e d . T h e d e f in i t io n c a n b e m o d i f i e d i n a n a t u r a l w a y t o c a p t u r e sc h e m e s
w h e r e a ' l o n g - l iv e d ' p u b l i c k e y i s u s e d t o e n c r y p t s e v e ra l m e s s a g e s, re q u i ri n g t h e
s e n d e r t o b e a b l e t o ' f a k e ' e a c h m e s s a g e i n d e p e n d e n t l y o f t h e o t h e r m e s s a g e s
e n c r y p t e d w i t h t h e s a m e p u b l i c k e y . T h e s c h e m e d e s c r i b e d i n t h e s e q u e l i n d e e d
e n j o y s t h i s a d d i t i o n a l p r o p e r t y .
3 . S c h e m e s i n w h i c h t h e c o e r c e d p a r t y c h o o s e s t h e f a k e m e s s a g e m 2 a t t i m e o f
enc r yp t ion a r e ca l l ed plan-ahead d e n i a b l e e n c r y p t i o n s c h em e s . S o m e m o d i fi c a -
t i o n s o f t h e c o n s t r u c t i o n s d e s c r i b e d b e l o w y i e l d p l a n - a h e a d d e n i a b l e e n c r y p t i o n
schemes w i th neg l ig ib l e 6 n ) .
Ne xt w e de f ine a s om ew ha t we ake r no t ion o f den iab i li t y , c a l led flexib le den i-
a b i l i t y .
D e f i n i t i o n 3 . A p r o t o c o l ~r w i t h s e n d e r S a n d r e c ei v e r R , b i n a r y P re se rv e p a -
r a m e t e r P , a n d s e c u r i t y p a r a m e t e r n , i s a
6 n ) - f l e x i b l e - s e n d e r - d e n i a b l e e n c r y p t io n
protocol i f :
7/23/2019 criptografia_negável-ran_canetti
http://slidepdf.com/reader/full/criptografianegavel-rancanetti 7/15
9
Correctness
T h e p r o b a b i l i t y t h a t R s o u t p u t i s d i f f er e n t t h a n S s i n p u t i s n e g -
l ig ib le (as a func t ion o f n ) .
Secur i ty
Fo r an y r a t , ra2 E M an d fo r an y P E {T , C } we h av e COM ,~(P , r a l ) ~ ,
C O M . P , r a 2 )
( e n c r y p t io n s o f r a t a n d ra 2 a re i n d i s t i n g u i s h a b l e i n d e p e n d e n t o f P ) .
W eak Oeniabi li ty : There ex is ts an e f fic ien t fak ing a lg or i thm r hav in g the fo l-
l o w in g p r o p e r t y w i t h re s p e c t t o a n y r a t , m 2 E M . L e t r s , r R b e u n i fo r m l y
ch o sen r an d o m in p u t s o f S an d R , r e sp ec t iv e ly , l e t c = COM,~(C, r a t , r s , r a ) ,
a n d l et r s = r r s , c , m 2 ) . T h e n , t h e r a n d o m v a r ia b l e s
(m~, r s , c ) an d ( rn2 , r~ , COM,r(T, ra2 , r~ , r~ ) ) (2 )
a r e 6 (n ) -c l o se , w h e re r ~ , r ~ a r e i n d e p e n d e n t , u n i f o r m l y c h os e n r a n d o m i n-
p u t s o f S an d R , r e sp ec tiv e ly .
T h e l e f t -h a n d s id e o f E q u a t i o n 2 d e s c r i b e s t h e v i e w o f t h e a d v e r s a r y w h e n t h e
s e n d e r, h a v i n g p r es e r v ed t h e a b i l i t y t o o p e n d i s h o n e s t l y w h e n s e n d i n g r a t , o p e n s
w i t h v a l u e ra 2 (w h i c h m i g h t o r m i g h t n o t e q u a l m r ) . T h e r i g h t - h a n d s id e o f
E q u a t i o n 2 d e s c ri b e s t h e a d v e r s a r y s v i e w w h e n t h e s e n d e r , n o t h a v i n g p r es e r v ed
t h e a b i l i t y t o o p e n d i s h o n es t ly , o p e n s a n e n c r y p t i o n o f r a2 .
S c h e m e s r e s i l i e n t a g a i n s t a t t a c k i n g t h e r e c e i v e r , o r s i m u l t a n e o u s a t t a c k o f
b o th th e sen d e r an d th e r ece iv e r, a r e d e f in ed an a lo g o u s ly . Th ey ap p e a r in [6 ].
2 .2 S h a r e d - k e y e n c r y p t i o n
In a sh a r ed -k ey scen a r io , t h e sen d e r an d r ece iv e r sh a r e a r an d o m , sec r e t k ey
a b o u t w h i c h t h e a d v e r s a r y i s a s s u m e d t o h a v e n o a p r i o r i i n fo rm a t io n . Co n -
seq u en t ly , h e re th e p a r t i e s can a l so p r e se n t t h e ad v e r sa ry w i th a fak e sha red
k ey , o n t o p o f p r e s en t in g f a k e r a n d o m i n p u t s . T h i s i s c a p t u r e d a s f ol lo w s . T h e
c o m m u n i c a t i o n b e t w e e n t h e p a r t i e s n o w d e p e n d s a l s o o n a s h a r e d k e y k , a n d i s
d e n o t e d C O M , (m , k , r s , r R ) ( w h e r e r a , r s , r a a r e t h e s a m e a s b e f o re ) . B e lo w w e
def ine sender -den iab i l i ty .
D e f i n i t i o n 4 . A p r o to c o l lr w i t h s e n d e r S a n d r e ce i v er R , an d w i t h s e cu r it y
parameter n , i s a shared-key 6(n) -sender -den lab le encryp t ion p ro toco l i f :
Correctness
T h e p r o b a b i l i t y t h a t R s o u t p u t i s d i f fe r e n t t h a n S s i n p u t i s n e g-
l ig ib le (as a fun c t ion o f n ) .
Security : Fo r an y r a t , m 2 E M an d fo r a sh a r ed -k ey k ch o sen a t r an d o m , we h av e
CO M . rat , k) ~ CO M . ra2, k) .
Deniabi ll ty : Th ere ex is ts an e ff ic ien t fak ing a lg or i th m r hav in g the fo l low-
i n g p r o p e r t y w i t h r e s p e c t t o a n y r n i , ra 2 E M . L e t k , r s ,
r R
b e u n i f o r m l y
c h o s en s h a re d - k e y a n d r a n d o m i n p u t s o f S a n d R , r e s p e c ti v e ly , l e t c -
c o M , ( r a t , k, r s , r R ) , a n d le t ( k , F s ) -- r k , r s , c , r a2 ). T h e n , t h e r a n d o m
v ar i ab le s
(ra2, k, ~s, c) and r a 2 , k , r s , COM~(ra2 , k , r s , r R ) )
are 6 (n) -c lose .
7/23/2019 criptografia_negável-ran_canetti
http://slidepdf.com/reader/full/criptografianegavel-rancanetti 8/15
97
N o t e t h a t D e f i n i t i o n 4 a l s o c o v e r s t h e c a s e w h e r e t h e s a m e k e y i s u s e d t o
e n c r y p t s e v er al m e s s ag e s : l e t m i ( r es p . , r a 2 ) i n t h e d e f i n i t i o n d e n o t e t h e c o n c a t e -
n a t i o n o f a l l r e al ( r e sp . , f a k e) m e s s a g e s . I n S e c t i o n 5 w e m e n t i o n s o m e s h a r e d - k e y
s c h e m e s .
3 Publ ic key Den iable En crypt ion
OVERVIEW W e d e s cr i b e t w o p u b l i c - k e y d e n i a b l e e n c r y p t i o n s c h em e s . T h e f i rs t ,
c a l le d t h e b as ic s c h e m e , is o n l y a p a r t i a l s o l u t i o n t o t h e p r o b l e m . W e u se i t a s a
b u i l d i n g - b l o c k t o c o n s t r u c t o u r m a i n s c h e m e . ( I t c a n a l s o b e u se d to c o n s t r u c t
a n o n - c o m m i t t i n g e n c r y p t i o n s c h e m e , a s d e s c r i b e d i n [6 ].) O u r m a i n s c h e m e ,
c a l le d t h e P a ri ty S c h e m e , is ~ - s e n d e r - d e n i a b l e a c c o r d i n g t o D e f i n i ti o n 2 . R o u g h l y
s p e a k in g , t h i s m e a n s t h a t t h e p r o b a b i l i t y o f su c c es s fu l a t t a c k v a n is h es l in e a rl y i n
t h e s e c u r it y p a r a m e t e r . ( B y a s i m p l e r e n a m i n g o f p a r a m e t e r s t h i s s c h em e c a n b e
r e g a r d e d a s 0 - s e n d e r - d e n i a b l e f o r a n y c > 0 . Y e t , t h e p r o b a b i l i t y o f s u c ce s sf u l
a t t a c k v a n is h es o n l y li n e a r l y i n t h e a m o u n t o f w o rk i n v e s te d in e n c r y p t i o n a n d
d e c r y p t i o n . )
T h e s c h e m e s a re s e n d e r - d e n i a b l e . R e c e i v e r - d e n i a b l e a n d S e n d e r -a n d - re c e iv e r -
d e n i a b l e s ch e m e s c a n b e c o n s t r u c t e d f r o m t h e s e u s i n g t h e t e c h n i q u e s o f S e c t io n 6 .
O u r s c h e m e s e n c r y p t o n e b i t a t a t i m e . H e r e t h e y a r e d es c r ib e d i n t h e s t a n d a r d
t e r m s o f e n c r y p t i o n a n d d e c r y p t i o n a l g o r i t h m s . I n t e r m s o f D e f in i ti o n 2 , t h e
i n t e r a c t i o n c o n s i st s o f t h e r e c e iv e r s e n d i n g t h e p u b l i c e n c r y p t i o n k e y t o t h e
s e n de r, w h o re s p o n d s w i t h t h e e n c r y p t e d m e s s a g e .
T H E B A S IC A PP RO A C H. O u r s c h e m e s a r e b a s e d o n t h e fo l l o w i n g s i m p l e i d e a .
A s s u m e t h a t t h e s e n d e r c a n p i c k a n e l e m e n t i n s o m e d o m a i n ei th e r randomly
o r a c c o r d i n g t o s o m e
pse~dor~ndom
d i s t r i b u t i o n . A s s u m e fu r t h e r t h a t t h e re -
c e iv e r, h a v i n g s o m e se c r et i n f o r m a t i o n , c a n t e l l w h e t h e r t h e e l e m e n t w a s c h o s e n
r a n d o m l y o r p s e u d o r a n d o m l y ; o t h e r p a r t i e s c a n n o t t e l l t h e d i ff er en c e. T h e n , t h e
s e n d e r c a n p r o c e e d a s fo l lo w s : t o e n c r y p t a 1 (r e sp . , 0 ) s e n d a p s e u d o r a n d o m
( re s p ., r a n d o m ) e l e m e n t . T h e r e c e iv e r w i l l b e a b l e t o d e c r y p t c o r r e c tl y ; b u t i f
a pse~dorandom
e l e m e n t e w a s t r a n s m i t t e d , t h e n w h e n a t t a c k e d t h e s e n d e r c a n
c l a i m t h a t e w a s randomly c h o s e n - - a n d t h e a d v e r s a r y w i ll n o t b e a b le to t e ll
t he d i f f e r e nc e .
H e r e t h e s e n d e r c o u l d f a k e i t s m e s s a g e o n l y i n o n e d ir e c t io n ( f r o m 1 t o 0 ).
U s i ng s im p l e t ri ck s o n e c a n c o m e u p w i t h s c h e m e s t h a t a ll o w f a k in g i n b o t h
d i r e ct i o n s . W e n o w d e s c r i b e t h e s c h e m e s i n d e t a i l .
T R A N S L U C E N T S E T S O u r
s c h e m e s a r e b a s e d o n a c o n s t r u c t t h a t c a n b e i n f or -
m a l l y d e s c r i b e d a s f o l l o w s . F o r m a l d e f i n i t io n s c a n b e e x t r a c t e d f r o m t h i s d e s c r ip -
t i o n . )
W e a s s u m e t h a t t h e r e e x i s t s a f a m i l y { 8 ~ } t e N o f s e t s , w h e r e S t C { 0 , 1 } ~,
t o g e t h e r w i t h s ec re t t r a p d o o r i n f o r m a t i o n d r, s u c h t h a t :
1 S t i s sma l l : [ S t [ _( 2 ~ - ~ f o r s om e su f f i c i e n t ly l a r ge k (~).
2 . I t i s e a s y t o g e n e r a t e r a n d o m e l e m e n t s z E ~ q t, e v e n w i t h o u t t h e s e c r e t d ~.
3 . G i v e n z E { 0, 1 } * a n d d t i t i s e a s y t o d e c i d e w h e t h e r z E S~ .
4 . W i t h o u t d r , v a l u e s c h o s e n u n i f o r m l y f r o m 8 ~ a r e i n di s t i n g u i s h a bl e f r o m v a l u e s
c h o s e n u n i f o r m l y f r o m { 0 , i } ~.
7/23/2019 criptografia_negável-ran_canetti
http://slidepdf.com/reader/full/criptografianegavel-rancanetti 9/15
9
W e f ir s t p r e s e n t t w o s i m p l e c o n s t r u c t i o n s o f t r a n s l u c e n t s e ts . B o t h u s e a t r a p -
d o o r p e r m u t a t i o n f : { 0 , 1 } s -- { 0 , 1 } s , a n d i t s h a r d - c o r e p r e d i c a t e / 3 : { 0 , 1 } s -
{ 0 , I } ( s a y , u s e t h e G o l d r e i c h - L e v i n p r e d i c a t e [ 1 2 ] ) .
C o n s t r u c t i o n I : L e t t = s k . R e p r e s e n t e a c h z E { 0 , 1 } ~ a s a v e c t o r z =
z i . . . z ~
w h e r e e a c h
z i
E { 0 , I } ~. T h e n l e t 8 t :
{ z i . . . z ~
E { O , l } S k [ V i =
l . . k , B ( / - t ( z ~ ) ) - - 0 } . H e r e
[S , I ~
2 ( s - t ) ~ - - 2 ' - ~ .
C o n s t r u c t i o n I f: L e t t : s + k . R e p r e s e n t e a c h x E { 0 , I } t
as z - Zo, bt...b~
w h e r e ~ 0 E { 0 , 1 } ' a n d f o r i > _ i e a c h bi E { 0 , I } . T h e n l et S ~ : { z 0 , bt...bt e
{ 0 , I } s + t l i = l . . k , B f - i Z o ) ) = b ~ } . H e r e
l S l
=
2 = 2
I t i s e a s y t o v e r i f y t h a t b o t h c o n s t r u c t i o n s s a t i s f y r e q u i r e m e n t s 1 - 4 . C o n s t r u c t i o n
I I i s m o r e e f f ic ie n t i n t h a t , g i v e n a t r a p d o o r p e r m u t a t i o n o n { 0 , 1 } ~ , t h e l e n g t h
o f z i s o n l y t - - s + k i n s t e a d o f t = s k .
A t h i r d c o n s t r u c t i o n r e l i e s o n t h e l a t t i c e d - b a s e d p u b l i c - k e y c r y p t o s y s t e m
d e s c r i b e d i n [ 2 ] . R o u g h l y s p e a k i n g , t h e s e c r e t i n f o r m a t i o n i s a n n - d i m e n s i o n a l
v e c t o r u o f l e n g t h a t m o s t 1 . L e t / C d e n o t e t h e c u b e 2 l ~ w h e r e U ( ) i s t h e
n - d i m e n s i o n a l u n i t c u b e . T h e v e c t o r u i n d u c e s a c o l l e c t i o n o f ( n - 1 ) - d i m e n s i o n a l
h y p e r p l a n e s a s f o l l o w s : f o r i n t e g e r i t h e i ~ h h y p e r p l a n e i s t h e s e t o f a ll v e c t o r s
v w h o s e i n n e r p r o d u c t w i t h u i s e q u a l t o i . L e t X b e t h e i n t e r s e c t i o n o f t h e
h y p e r p l a n e s w i t h / C . T h e p u b l i c k e y c o n s i s t s o f a c o l l e c t i o n o f m - - n c p o i n t s
v t , . . . , v , ~ , e a c h o f w h i c h i s a s m a l l p e r t u r b a t i o n o f a r a n d o m l y c h o s e n p o i n t
i n X . T h e e n c r y p t i o n p r o c e d u r e m a k e s u s e o f a c e r t a i n p a r a l l e l e p i p e d 7 , c o m -
p u t a b l e f r o m t h e p u b l i c k e y . A n e n c r y p t i o n o f z e r o i s a p o i n t c h o s e n u n i f o r m l y
a t r a n d o m f r o m K N 2 - ~ : r ' ~ . A n e n c r y p t i o n o f o n e i s ~ ' ~ i ~ = t ~ v ~ r o o d ~ P , w h e r e
e a c h 6 ~ E R { 0 , i } . T h u s , e n c r y p t i o n s o f o n e a r e c l o s e t o h y p e r p l a n e s i n X , w h i l e
e n c r y p t i o n s o f z e r o , t y p i c a l l y , a r e n o t . D e c r y p t i o n o f t h e c i p h e r t e x t i s p e r f o r m e d
b y c o m p u t i n g t h e d i s t a n c e o f t h e c i p h e r t e x t f r o m t h e n e a r e s t h y p e r p l a n e i n X :
i f t h e d i s t a n c e i s s u f f i c i e n t l y s m a l l t h e c i p h e r t e x t i s d e c r y p t e d a s o n e ( t h e r e i s
a p o l y n o m i a l p r o b a b i l i t y o f e r r o r ) . T h i s c o n s t r u c t i o n y i e l d s a t r a n s l u c e n t s e t i n
w h i c h t i s t h e l e n g t h o f a c i p h e r t e x t ( t ~ n 2 ) , a n d , o n c e t h e p u b l i c k e y h a s b e e n
c h o s e n , S ~ i s t h e s e t o f e n c r y p t i o n s o f o n e , a n d 7 ~ t i s t h e s e t o f e n c r y p t i o n s o f
z e r o .
T H E B A S I C S C H E M E . T h e p u b l i c e n c r y p t i o n k e y i s a m e t h o d f o r g e n e r a t i n g
u n i f o r m l y a t r a n d o m a m e m b e r o f a t r a n s l u c e n t s e t S ~ C { 0 , I } t. T h e p r i v a t e
d e c r y p t i o n k e y i s t h e c o r r e s p o n d i n g s e c r e t d .
E n c r y p t i o n :
T o e n c r yp t 1, s e n d a r a n d o m e l e m e n t
o f S ~ .
T o e n c r y p t O, s e n d a
r a n d o m e l e m e n t i n
{0 , 1} ~.
D e c r y p t i o n : I f t h e c i p h e r t e x t z
i s i n S ~ t h e n o u t p u t 1 . E l s e o u t p u t O.
O p e n i n g a n e n c r y p t i o n h o n e s t l y : r e v e a / t h e
t r u e r a n d o m
c h o i c e s
used .
O p e n i n g a n e n c r y p t i o n d i s h o n e s t l y : I f t h e e n c r y p t e d b i t i s 1 i .e . t h e c i-
p h e r t e x t z i s a r a n d o m e l e m e n t in S t h e n c l a / r n t h a t z w a s c h o s e n a t r a n d o m
f r o m { 0 1} ~ a n d t h u s z i s a n e n c r y p t i o n o f O. I f t h e e n c r y p t e d b i t i s 0 t h e n I y in g
wi]] b e i n f e a si b l e s i n c e t h e c i p h e r t e x t x i s i n S t o n ] y w i t h n e g l i g ib l e p r o b a b i l i t y
2 - k . A n a l y s i s: C o r r e c t n e s s : A n e n c r y p t i o n o f i i s a l w a y s d e c r y p t e d c o r re c t l y . A n
7/23/2019 criptografia_negável-ran_canetti
http://slidepdf.com/reader/full/criptografianegavel-rancanetti 10/15
99
e n c r y p t i o n o f 0 m a y b e d e c r y p t e d a s 1 w i t h p r o b a b i l i t y 2 - t . S t a n d a r d s e c u r i t y
a g a i n s t e ~ v e s d r o p p e r s i s s t r a i g h t f o r w a r d . D e n i a b i l i t y : t h e f a k i n g a l g o r i t h m ~ a n d
i t s v a l i d i t y r e d e s c r i b e d a b o v e . S i n c e l y i n g i s p o s s i b l e o n l y i n o n e d i r ec t i o n , t h i s
i s o n l y a p a r t i a l s o l u t i o n t o t h e p r o b l e m . N e x t w e d e s c r i b e a s c h e m e w h e r e l y i n g
i s p o s s i b l e i n b o t h d i r e c t io n s .
T H B P A R I T Y S C H E M E . L e t S : C { 0 , i ) : b e a t r a n s l u c e n t s et . W e c al l e l e m e n t s
d r a w n u n i f o r m l y f r o m S ( r es p . , f r o m { 0 , I } ) S - e l e m e n t s ( re sp ., - e l e m e n t s ) .
E n c r y p t l o n : T o e n c r y p t 0
(reap., 1),
c h o o s e a
r a n d o m
e ve n ( r e s p . ,
odd)
n u m b e r
i E 0 , . . . ,
n . Con s t ruc t a c ipher t ex t cons i s t i ng o f i
~q- e l e m e n t s
fol lowed by n - i
~ - e l e m e n t s .
D e e r y p t i o n :
O u t p u t t he p a r i t y o f th e n u m b e r o f
e l e m e n t s
in the received ci-
phe r t e x t
t h a t
be long
t o G
O p e n i n g a n e n c r y p t i o n h o n e s t l y : R e ve M t h e re M
r a n d o m
c h o i c e s u s e d i n
g e n e r a t i n g
t he c iph er t ex t .
pening
a n e n c r y p t i o n d i s h o n e s t l y : L e t i b e t he n u m b e r c ho se n b y t he
s e n d e r .
T h e
s e n d e r c l a i m s t h a t s h e h a s c h o s e n i - 1 r a t h e r t h a n i. (C o n s e -
q u e n t l y ,
t he par i t y o f i f l ips . )
F o r t h / s , s h e
c la ims t ha t t he i t h
e l e m e n t in t h e
c i p h e r t e x t i s a n T ~ - el e m e n t ( w h e r e a s i t w a s c h o s e n a s a n
S- e l e m e n t ) . I f
t h e r e a r e
no ~q - e l e m e n t s
(i.e.,
i = 0 ) t h e n
cheat ing fai l s .
T h e o r e m 5 .
A s s um e t r apdoor pe r m u t a t i ons
e z i s L
Then the Par i t y Scheme i s a
4/n-sender-denz able enc ~yp t ion sch em e.
P r o o f ( S k e t c h ) : T h e p r o b a b i l i ty o f e r r o n e o u s d e c r y p t i o n is a t m o s t n 2 - ~ . S e-
c u r i t y o f t h e P a r i t y S c h e m e a g a i n s t e a v e s d r o p p e r s t h a t s ee o n ly t h e c i p h e r t e x t
is s t r a ig h t f o r w a r d . W e s h o w d e n i a b i l i t y . A s s u m e t h a t n is o d d , a n d l e t c b e a n
e n c r y p t i o n o f 1. L e t i b e t h e n u m b e r c h o s e n f o r g e n e r a t i n g c . T h e n , i w as ch o s e n
a t r a n d o m f r o m 1 , 3 , . .. n . C o n s e q u e n t l y , t h e v a l u e i - 1 is u n i f o r m l y d i s t r i b u t e d
o v e r 0, 2 . . .. , n - 1 . T h u s , w h e n t h e s e n d e r c l a i m s t h a t s h e h a s c h o s e n i - 1 , s h e
d e m o n s t r a t e s t h e c o r r e c t d i s t r i b u t i o n o f i f o r e n c r y p t i n g 0 . T h u s , c h e a t i n g in t h is
d i r e c ti o n is u n d e t e c t a b l e ( a s lo n g a s S - e l e m e n t s c a n n o t b e d i s ti n g u is h e d f r o m
T ~ - e le m e n ts ). A s s u m e n o w t h a t c is a n e n c r y p t i o n o f 0 . T h u s i is c h o s e n u n i -
f o r m l y f r o m 0 , 2 , . .. , n - 1 . N o w , i - 1 i s d i s t r i b u t e d u n i f o r m l y i n - 1 , 1 , 3 , . .. , n - 2
( w h e r e - 1 is i n t e r p r e t e d a s c h e a t i n g i m p o s s i b l e ) . I t is e a s y t o v e r if y t h a t t h e
s t a ti s ti c a l d i s ta n c e b e t w e e n t h e d i s t r i b u t i o n o f i in t h e c a s e o f a n h o n e s t o p e n i n g
( i. e. , u n i f o r m o n 1 , 3 , . .. , n ) a n d t h e d i s t r i b u t i o n o f { i n t h e c a s e o f f a k e o p e n i n g
( i .e . , u n i f o r m o n - 1 , 1 , 3 , . .. , n - 2 ) i s 4 / n . I t f o l l o w s t h a t , a s l o n g a s S - e l e m e n t s
c a n n o t b e d i st in g u i sh e d f r o m k - e l e m e n t s , c h e a t i n g is d et e c ta b l e w i th p r o b a b i l i t y
a t m o s t 4 / n .
[ ]
T h e P a r i t y S c h e m e c a n b e m o d i f i e d t o l e t t h e s e n d e r f i r s t c h o o s e a v e c t o r
v u n i f o r m l y o u t o f a l l v e c t o r s i n { 0 , I ~ ~ w i t h t h e p a r i t y o f t h e b i t t o b e e n -
c r y p t e d . N e x t t h e c i p h e r t e x t is c o n s t r u c t e d b y r e p l a c in g e a ch I e n t r y in v w i t h
a n S - e l e m e n t , a n d r e p l a c i n g e a c h 0 w i t h a n 7 ~ - e l e m e n t . H e r e t h e p r o b a b i l i t y o f
i = 0 ( i . e. , h e p r o b a b i l i t y o f t h e c a s e w h e r e c h e a t i n g i s i m p o s s i b l e ) i s n e g l i -
g ib l e . N o w , h o w e v e r , t h e s t at i s t i c a l d i s t a n c e b e t w e e n i s d i s t r i b u t i o n i n h o n e s t
7/23/2019 criptografia_negável-ran_canetti
http://slidepdf.com/reader/full/criptografianegavel-rancanetti 11/15
1
/ '7- .
and fake openings grows to f2(~/~). A 'hybrid' scheme, omitted from this ab-
stract, achieves both negligible probabil ity o f impossible cheating and probability
O(1/n) of detection.
The unique shortes~ vector prob lem for la ttices is: =Find the shortest non~.ero
vector in an n dimensional lattice L where the shortest vector v is unique in the
sense that any other vector whose length is at most
n l l v l l
is parallel to v. The
unique shortest vector problem is one of the three famous problems listed in [1].
There, a random method is given to generate hard instances of a particular lattice
problem so that if it has a polynomial time solution then all of the three worst-
case problems (including the unique-shortest vector problem) has a solution.
The cryptosystem in [2] outlined above is secure provided the unique shortest
vector problem is hard in the worst case. From th is and the proof of Theorem 5
we have.
T h e o r e m 6 . Assume that the unique shortest vector problem is hard in the worst
case. Then the Parity Scheme is a 4/n-sender-deniable enc~ /ption scheme.
A FLEXIBLY DENIABLE SCHEME. Let To = {7~, 7~}, T1 = C1 = {S, 7~}, and
c 0 = { s , s .
Encryp t lon : To encrypt b without preserving the ability to open dishonestly
(that is, if Preserve = 0), send V 6a Tb. To encrypt b preserving the ability to
open dishonestly
P r e s e r v e
= 1), send V Ea Cb.
Deeryp t ion : Output the parity" of the number of elements in V that belong to
S.
Opening an encryp t ion d rawn f rom Tb: Reread the true random choices
used.
Openin g an encry p t io n d ra wn f rom Co as va lue v: Let b be the number of
elements in the ciphertext drawn from S. if v = 0 then claim that V was chosen
as {TO, T~}. If v = 1 then c/aim that V was chosen as {S, 7~}.
Opening an encry p t io n d raw n f r om Cl as va lue v: If v = 0 then cladm
that V was chosen as {~,T~}. Ifv = 1 then revea2 the read random choices used
in generating V.
Analysis: Security against eavesdroppers seeing only the ciphertext is straightfor-
ward. The probability of erroneous decryption is a t most 2 -~. Weak deniability
with negligible 6(n) is immediate by inspection , assuming polynomial time in-
distinguishabi lity of S and 7~.
4 E f f i c i e n c y V s . D e n i a b i l i t y
In this section we describe an attack suggesting that no one-round scheme of
the type presented above can enjoy negligible6(n). The attack works against all
schemes that we describe as separable (the reason for the name will become clear
shortly). Roughly, in a separable scheme the decryption key is the trapdoor of
some translucent set S C {0, 1}t; a ciphertext consists o f a sequence of elements
yl .... Ym in {0, 1} t. The sender chooses some of the y~'s at random, and the rest
7/23/2019 criptografia_negável-ran_canetti
http://slidepdf.com/reader/full/criptografianegavel-rancanetti 12/15
1 1
a t r a n d o m f r o m S . T h e e n c r y p t e d b i t i s e n c o d e d i n t h e n u m b e r a n d p l a c e m e n t
o f t h e y i s t h a t a r e i n t h e t r a n s l u c e n t s e t 8 . T o f a k e t h e v a l u e o f t h e c l e a r t e x t
t h e s e n d e r c l a i m s t h a t o n e ( o r m o r e ) o f t h e y i s w a s r a n d o m l y c h o s e n , w h e r e a s
t h i s y ~ w a s c h o s e n f r o m S .
F o r a n y s e p a r a b l e s c h e m e , a n d f o r e a c h v a l u e b E { 0, i } , o n e c a n c o m p u t e t h e
e x p e c t e d n u m b e r o f V i S i n 8 i n a n e n c r y p t i o n o f b . D e n o t e t h i s n u m b e r b y E b .
N o w , s i n c e t h e f a k i n g a l g o r i t h m a l w a y s
d e c r e a s e s
t h e n u m b e r o f y i s f o r w h i c h
t h e s e n d e r c l a i m s t o k n o w t h e p r e i m a g e , t h e a d v e r s a r y d e c i d e s t h a t t h e s e n d e r
i s l y i n g i f t h e s e n d e r c l a i m s t o h a v e s e n t b b u t t h e n u m b e r o f y i s w h i c h t h e
s e n d e r c l a i m s t o h a v e c h o s e n f r o m S i s l e s s t h a n E b . I t i s s h o w n b e l o w t h a t t h i s
s t r a t e g y s u c c e e d s w i t h p r o b a b i l i t y a t l e a s t ; 2 ( ~ ) .
A m o r e p r e c i s e ( a n d s o m e w h a t m o r e g e n e r a l ) d e s c r i p t i o n f ol lo w s.
D e f i n i t i o n 7 . A - ~ - s e n d e r - d e n i a b l e p u b l i c k e y e n c r y p t i o n s c h e m e 7r i s m - s e p a r a b l e
i f t h e r e e x i s ts a n e f f ic i e n t, d e t e r m i n i s t i c c l as s if ic a ti o n a l g or it hm C t h a t , o n a n y
i n p u t p ( i n te r p r e te d a s a c l a im e d r a n d o m i n p u t o f t h e se n d e r) , o u t p u t s a n u m b e r
C ( p ) E 1 , . . . , m . F u r t h e r m o r e :
1 . F o r a v a l u e p ( i n t e r p r e t e d a s a r a n d o m i n p u t f o r th e s e n d e r ) , l e t p (b ) b e
t h e r a n d o m v a r i a b l e d e s c r i b i n g r p , e ) , w h e r e r i s t h e se n d e r s f a k i n g
a l g o r i th m , b E { 0 , 1 } , r R i s t h e r e c e i v e r s r a n d o m i n p u t , a n d a n d e -
c o M , ( b , p , r R ) i s t h e r e s u l t i n g c o m m u n i c a t i o n . L e t E C ( b ) (p ) d e n o t e t h e e x -
p e c t e d v a l u e ( o v e r t h e c h o i c e s o f r R ) o f
C p b ) ) .
T h e n f o r a n y v a lu e p s u c h t h a t C p ) > 1 , e i t h e r E C ( ~ _< C p ) - 1 o r
E C 1 ) p ) < _ C p ) - I .
2 . If t h e s e n d e r s r a n d o m i n p u t p s at is fi es
C p )
= i t h e n t h e f a k i n g a l g o r i t h m
fa ils , . e . t o u t p u t s a s p e c i a l s y m b o l d e n o t i n g t h a t n o s u i t a b l e f a k e r a n d o m
i n p u t w a s f o u n d .
C l a i m 8
F o r a n y
m -s e p a ra b l e ~ - -s e n d e r -d e n ia b le p u b l i c k e y e n c r y p t io n s c h e m e w e
h a v e 2 m >
k .
R E M A R K S :
U s i ng t h e t e r m i n o l o g y o f t h e a b o v e i n f o r m a l d e s c r ip t io n o f s e p a ra b l e s c h e m e s ,
t h e c o e r c e r w i l l u s e t h e c l a s s i f ic a t i o n a l g o r i t h m t h a t o u t p u t s t h e n u m b e r o f
y i s w h i c h t h e s e n d e r c l a i m s t o h a v e c h o s e n a s S - e le m e n t s . I t f o ll o w s t h a t
a n y s u c h s c h e m e w i t h o n l y m y i s is m - s e p a r a b l e .
- I n al l t h e n ~ - s e pa r a b le s c h e m e s t h a t w e k n o w o f , t h e l e n g t h o f t h e c i p h e r -
t e x t g r o w s l i n e a rl y w i t h m . T h i s s e e m s t o b e i n h e r e n t i n o u r a p p r o a c h f o r
c o n s t r u c t i n g d e n i a b l e s c h e m e s .
Proo f . C o n s id e r a n m - s e p a r a b l e d e n i a b l e s c h e m e lr w i t h f a k in g a l g o r it h m r W e
s h o w a n M g o r i t h m A t h a t f o r s o m e b E { 0 , 1 } d i s t i n g u i s h e s b e t w e e n
b, r b), C O M ~ ( b , r s , r R ) ) a n d ( b , r s , C O M . ( b, r s , r R ) ) ( 3 )
7/23/2019 criptografia_negável-ran_canetti
http://slidepdf.com/reader/full/criptografianegavel-rancanetti 13/15
1 2
w i t h p r o b a b i l i t y ~ , w h e r e r s , r R a x e r a n d o m i n p u t s fo r t h e s e n d e r a n d t h e
r e c e i v e r r e s p ec t i v e ly , a n d r (b)
= r r s ,
C O M , r ( b , r s , r R ) ) .
L e t C b e t h e c la s si f ic a ti o n a l g o r i t h m . F o r b 6 ( 0 , i } , l et
D C
d e n o t e t h e
d i s t r i b u t i on o f
C ( r s )
w h e r e
r s
i s c h o s e n a t r a n d o m f r o m t h e d o m a i n o f r a n d o m
i n p u t s o f t h e s e n d e r , a n d l et D C (b) d e n o t e t h e d i s t r i b u t i o n o f C ( r ( b) ) w h e n r a
i s c h o s e n a t r a n d o m . L e t E C , E C (b) d e n o t e t h e e x p e c t e d v a l u e s o f D C , D C (b),
r e sp e ct i ve l y. I t f o l l o w s f r o m D e f i n i t i o n 7 t h a t e i t h e r
E C - E C ( ~ > _ 8 9
r
E C
EC Z ) !
L e t S D ( D I , D 2 ) d e n o t e t h e s t a t i s t i c a l d i s t a n c e b e t w e e n t w o d i st r i b ut i o n s
D z , D 2 o v e r 1 , . . . , n , a n d l et E l , E 2 d e n o t e t h e c o r r e s p o n d i n g e x p e c t e d v a l u es .
I t c a n b e v er if ie d t h a t I E I - E 2 1 < r n - S D ( D z , D 2 ) . I n o u r c a s e t h i s i m p l i e s t h a t
e i t he r S D D C , D C ~ > ~ or S D D C , D C X )) > - ~ .
T h e d is ti n g u is h e r A is n o w s t r a i g h t f o r w a r d . A s s u m e t h a t S D D C , D C ~ >
T h e n A d i st ingu i s hes be t w e e n 0 , r s ) , C O M~ 1 , r s , r a ) ) a nd
2~'n
0 , r s , C O M~ 0, r s , r R ) ) a s f o ll ow s . L e t Z C 1 . . . m be t he s e t o f num be r s t ha t ha ve
h i ghe r p r oba b i l i t y unde r
D C ~
t h a n u n d e r
D C .
T he n, given a t r iple t 0 , p , c ) ,
f ir s t c he ck t ha t t he c i phe r t e x t c is c ons i s t e n t w i t h 0 a nd p . N e x t , i f
C p ) = 1
t he n b y D e f i n it ion 7 a bove A c a n d i s t i ngu i s h be t w e e n t he t w o d i s t ri bu t i ons o f 3 ).
O t he r w i s e , s ay t ha t t he t r i p l e t de s c r i be s a n hon e s t e n c r yp t i on o f 0 i ff C p ) E Z .
B y de f in i ti on o f s t a ti s ti c a l d i s ta nc e , A d i s t i ngu i s he s c o r r e c t l y w i t h p r oba b i l i ty
a t l e a s t 1 S ince Z is a subse t o f 1 . . .rn , i t c an be fo un d by sam pl ing . )
~ -
5 S h a r e d - k e y d e n i a b l e e n c r y p t i o n
I n t h i s s e c t i o n w e b r i ef ly r e m a r k o n s o m e s h a r e d - k e y d e n i a b l e s c h e m e s . C l e a x l y ,
a p u b l i c - k e y d e n i a b l e s c h e m e i s a l s o d e n i a b l e i n t h e s h a r e d - k e y s e tt i ng . T h u s t h e
p u b l i c k e y c o n s t r u c t i o n s d e s c r i b e d i n p r e v i o u s s e c t i o n s a p p l y h e r e a s w e l l. Y e t
b e t t e r s h a r e d - k e y d e n i a b l e s c h e m e s m a y b e e a s i e r t o f i n d t h a n p u b l i c - k e y o n e s .
A o n e - t i m e - p a d i s a s h a r e d - k e y d e n i a b l e e n c r y p t i o n s c h e m e : A s s u m e t h a t t h e
s e n d e r a n d t h e r e ce i ve r s h a r e a s u f f i c i e n t l y l o n g r a n d o m s t r i ng , a n d e a c h m e s s a g e
r n i s e n c r y p t e d b y b i t w i s e x o r i n g i t w i t h t h e n e x t u n u s e d [ m [ b i t s o f t h e k e y . L e t
k d e n o t e t h e p a r t o f t h e r a n d o m k e y u s e d t o e n c r y p t r n , a n d l e t c = m @ k d e n o t e
t h e c o r r e s p o n d i n g c i p h e r t e x t . T h e n , i n o r d e r t o c l a i m t h a t c is a n e n c r y p t i o n
o f a m e s s a g e m ~ m , t h e p a r t i e s c l a i m t h a t t h e s h a r e d k e y i s k - c ~ m . I t
i s e a s y t o v e r if y t h a t t h i s t ri v i al s c h e m e s at i s fi es D e f i n i t i o n 4 . H e r e t h e m e s s a g e
m c a n b e c h o s e n a s l a t e a s a t t i m e o f a t t a c k . H o w e v e r , u s i n g a o n e - t i m e p a d i s
g e n e r a l l y i m p r a c t i c a l , s i n c e t h e k e y h a s t o b e a s l o n g a s a ll t h e c o m m u n i c a t i o n
b e t w e e n t h e p ar ti es .
R e c a l l t h a t in p l a n - a h e a d s e n d e r - d e n i a b i l i t y t h e s e n d e r c h o o s e s t h e f a k e m e s -
s a g e ( s )
a t t i m e o f e n c r y p t i o n .
A l t h o u g h r e s t r i c t i v e , t h i s n o t i o n c a n b e u se fu l ,
e .g . f o r m a i n t a i n i n g d e n i a b l e r e c o r d s o f d a t a , s u c h a s a p r i v a t e d i a r y, t h a t m a y
b e p u b l i c l y a c c e s s i bl e b u t i s k e p t p r i v a t e u s i n g a d e n i a b l e e n c r y p t i o n s c h e m e
( a lt e r n a ti v e e x a m p l e s i n c l u d e a p s y c h ia t r i s t s o r l a w y e r s n o t e s . ) T h e r e c o r d s a r e
r T h a t is, S D ( D ~ , D 2 ) = ~ e * . . . . . [ P r o b D , ( i ) = P r o b D ~ ( i ) l .
7/23/2019 criptografia_negável-ran_canetti
http://slidepdf.com/reader/full/criptografianegavel-rancanetti 14/15
1 3
deniable if, when coerced to reveal the cleartext and the secret key used for en-
cryption and decryption, the owner of the record can instead reveal a variety
of fake cleartexts o f her choice.
Plan-ahead shared-key deniability is trivially solved: given l alternative mes-
sages to encrypt, use I different keys, and construct the ciphertext as the con-
catenation of the encryptions of all messages, where the i th message is encrypted
using the ith key. When coerced, the party simply claims that the key he used
is the one that corresponds to the message he wishes to open.
One problem with this simple scheme is tha t the size of the ciphertext grows
linearly in the number of different messages to be encrypted. It is possible (details
omitted for lack of space) to transform any given shared key encryption to a
deniable one, without any increase in the message length, and with a key of
length 1 - } times the length of the message. The shared-key deniable schemes
can also be used to make public-key deniable schemes more efficient by way
of first sending (using public-key deniable scheme) a deniable shared key and
then switching to a private-key (deniable) scheme. We omit the details from this
abstract.
6 Coercing the Sen der vs Coer cing the Receiver
We describe simple constructions t ha t transform sender-deniable schemes into
receiver-deniable schemes and vice-versa. If there are other parties th at can help
in transmitt ing the data, we also construct a sender-and-receiver-deniable scheme
from any sender-deniable scheme. We describe the constructions with respect to
schemes that encrypt only one bit at a time. Generalizing these constructions
to schemes that encrypt arbitrarily long messages is straightforward. These con-
structions apply to both shared-key and public-key settings.
RECBIVBI~ DBNIABILITY FROM SBN DER DB NIAB ILITY.
Assume a sender-deniabl(
encryption scheme .4, and construct the following scheme •. Let b denote the
bit to be transmitted from S to R. First R chooses a random bit r, and invokes
the scheme .4 to send r to S. (That is, with respect to scheme ,4, R is the sender
and S is the receiver.) Next, S sends b ~ r to R, in the clear.
If scheme ,4 is sender-deniable then, when attacked, R can convincingly claim
that the value of r was either 0 or 1, as desired. Consequently R can claim that
the bit b was either 0 or 1, at wish, and scheme B is receiver-deniable.
S E ND E R D E N IA BIL IT Y F RO M RE CE I V E R D E N I A BI L I T Y .
~N'e use the exact same
construction. It is easy to verify that if .4 is receiver-deniable then B is sender-
deniable.
SENDI~P~ AND RECEIVER DENIABILITY.
Assume that S and R can use other
parties I i, ..., I,~ as intermediaries in their communicat ion. The following scheme
is resilient against at tacking the sender, the receiver and some intermediaries, as
long as at least one intermediary remains unattacked.
In order to transmit a bit b to R, S first chooses n bits
b i b n
such that
Gibi -- b. Next, S transmits b~ to each in termediary I~, using a sender-deniable
7/23/2019 criptografia_negável-ran_canetti
http://slidepdf.com/reader/full/criptografianegavel-rancanetti 15/15
104
s c h e m e . N e x t , e a c h I~ t r a n s m i t s b~ t o
R
u s i n g a r e c e i v e r - d e n i a b l e s c h e m e . F i n a l ly
R c o m p u t e s ~ b i
= b
W h e n a n i n t e r m e d i a r y I~ is a t t a c k e d , i t r e v e a l s t h e t r u e v a l u e o f h i. H o w e v er ,
a s l o n g as on e i n t e r m e d i a r y I i r e m a i n s u n a t t a c k e d , b o t h S a n d R c a n c o n v in c -
i n g l y c l a im , w h e n a tt a c k e d , t h a t t h e v a l u e o f b ( a n d c o n s e q u e n t l y t h e v al u e o f
b) i s e i the r 0 or 1 .
N o t e t h a t t h is s c h e m e w o r k s o n l y i f t h e p a r t i e s c a n ' c o o r d i n a t e t h e i r s to r ie s '.
( T h i s i s f u r t h e r t r e a t e d i n [ 5 ] . )
e f e r e n c e s
1 . M . A j ta i, G e n e r a t in g H a r d I n s t a n c e s o f L a t t i c e P r o b l e m s , S T O C ' 9 6
2 . M . A j ta i, C . D w o rk , A P u b l i c - K e y C r y p t o s y s t e m w i t h A v e r a g e - C a s e/ W o r s t -
Case Equiva lence , ST00 97; see a lso Elect ronic
Colloquium on Computational Complexity TR96-Ofi5,
h t t p : / / w w w . e c c c . u n i -
t r i e r . d e / e c c c - l o c a l / L i s t s / T R - 1 9 9 6 . h t m l
3 . D . Be a ve r a nd S . H a b e r , C r yp t og r a ph i c P r o t oc o l s P r ova b l y S e c u r e A ga i n s t
Dynamic Adversa r i e s ,
Eurocr~pt,
1992.
4 . J . Be na l oh a nd D . T un i s t ra , R e c e i p t - F r e e S e c r e t- Ba U o t E le c t ions ,
~fith STOC,
1994, pp. 544-552.
5 . R . Ca ne t t i a nd R . G e nna r o , I nc oe r c i b l e m u l t i pa r t y c om pu t a t i on ,
FOCS'gfi
6 . R . Ca ne t t i , C . D w or k , M . N a o r a nd R . O s t r ovs ky , D e n i a b le E nc r yp t i on , T he o r y
of Cryptology L=brary,
h t t p : / / t h e o r y . l o s .m i t .
edn/~r
1996.
7 . R . Can e t t i , U . Fe ige , O . Goldre ich an d M . Naor , Ad apt ive ly secure com puta -
t ion , 28 th
STOC,
1996.
8 . D . D o le v , C . D w o r k a nd M . N a o r , N o n- m a l l e a b l e c r yp t og r a phy ,
STOC'91
9. P . Feldm an,
Private Communication,
1986.
10. A . H e r z be r g , Rum p- S e s si on p r e s e n t a t i on a t
C R Y P T O
1991.
11. R . G e nna r o , unpub l i s he d m a nus c r i p t .
12. O . G o l d re ic h a nd L . L e v i n , A H a r d - C or e P r e d i c a t e t o a ny O n e - W a y F unct ion ,
~ I s t
STOC
1989, pp. 25 32.
13. O . Goldre ich , S . Mica l i and A . Wigderson , P roofs tha t Y ie ld Noth ing bu t
t he V a l id i ty o f t he A s s e r ti on , a nd a M e t ho do l ogy o f Cr yp t og r a ph i c P r o t oc o l
Design,
27th FOCS,
174-187, 1986.
14 . O . G o l d r e i c h , S . M i c a h a nd A . W i gde r s on , H ow t o P l a y a ny M e n t a l G a m e ,
19th STO0, pp. 218-229, 1987.
15 . S . Goldwasser and S . Mica li , P ro ba bi l i s t i c en c ryp t ion , JOSS, Vol. 28 ,
N o
2,
A pri l 1984 , pp. 270-299.
16. P . G u t m a n , S e c u r e D e l e t ion o f D a t a f r om M a gne t i c a nd S o l id - S t a te M e m or y ,
S i x t h U S E N I X S e c u r i t y S ym pos i um P r oc e e d i ngs , S a n J o s e , Ca l i f o r n i a , J u l y
22-25, 1 996 , pp. 77-89.
17. M . N a o r a nd M . Y ung P u b l i c ke y c r y p t o s ys t e m s p r ova b l y s e c u re a ga in s t c ho -
s e n c i p h e rt e x t a t ta c k s , P r o c . 2 2 n d A C M A n n u a l S y m p o s i u m o n t h e T h e o r y
of Com put ing , 1990 , pp . 427 -437 .
18 . C . Rackof f and D . S imon, No n- in te rac t ive ze ro-kno wledg e pro of of knowledge
a nd c hose n c i phe r t e x t a t t a c k ,
CRYPTO'91,
L N C S 57fi), 991.
19. K . Sako and J . K i l ian , Rec e ip t -F ree M ix -T yp e Vot ing Scheme, Euroc~y pt 1995 ,
pp. 393-403.