criptografia_negável-ran_canetti

7/23/2019 criptografia_negável-ran_canetti

http://slidepdf.com/reader/full/criptografianegavel-rancanetti 1/15

D e n i a b l e E n c r y p t i o n

Ran Canetti Cynthia Dwork: Moni Naor s Rafall Ostrovsky4

i I B M T . J . W a t s o n R e s e a rc h C e n t e r .

email

c a n e t t i Q w a t s o n . i b m . c o m

2 I B M A l m a d en R e s e a rc h C e n t e r . e m a i / : d w o r k Q a l m a d e n . i b m . c o m

s D e p t . o f C o m p u t e r S c i en c e, t h e W e i z m a n n I n s t it u t e .

ema~l

n a o r Q w i s d o m . w e i z m a n n , a c . il

4 Be l l Com m uni c a t i ons Re s e a r c h , M CC 1C- 365B, M or r i s t ow n , N . J .

ema~l

r a f a i l Q b e l l c o r e . c o m

A b s t r a c t . C o n s id e r a s i tu a t i o n in w h i c h t h e t ra n s m i s s io n o f e n c r y p t e d

m e s s a ge s i s i n t e r c e p t e d by a n a dve r s a r y w ho c a n l a t e r a s k t he s e nde r t o

r e ve a l t he r a ndom c ho ic e s ( a nd a l s o t he s e c r e t ke y , i f one e x i s t s) u s e d in

ge ne r a t i ng t he c i phe r t e x t , t he r e by e xpos i ng t he c l e a r t e x t . A n e nc r yp t i on

s c he m e is de nia ble i f t he s e nde r c a n ge n e r a t e f a ke r a nd om c ho ic e s t ha t

w ill m a ke t he c i phe r t e x t l ook l ike a n e nc z y p t i on o f a d i ~e r e n t c l e a r te x t ,

t hus ke e p i ng t he r e a l c l e a r t e x t p r i va t e . A na l ogous r e qu i r e m e n t s c a n be

f o r m u l a t e d w i t h r e s pe c t t o a t t a c k i ng t he r e c e i ve r a nd w i t h r e s pe c t t o

a t t a c k ing bo t h pa r t ie s .

I n th i s pa pe r w e i n t r oduc e de n i a b l e e nc r yp t i on a nd p r opo s e c ons t r uc t ions

o f s c hem e s w i th po l ynom i a l de n i a b i li t y . I n a dd i t i on t o be i ng i n t e r e s ti ng

by i ts e l f, and having severa l app l i ca t ions , den iab le enc ryp t ion provides a

s im p lif ie d a nd e l e ga n t c ons t r uc t i on o f a d a p t i r e l y s e c u r e m u l t i pa r t y c om -

pu t a t i on .

I n t r o d u c t i o n

T h e t r a d i t io n a l g o a l o f e n c r y p t i o n is t o m a i n t a i n t h e p r i v a c y o f c o m m u n i c a t e d

d a t a a g a i n st p a ss iv e e a v e s d r o p p e r s . T h a t i s, ~ s u m e t h a t A l i c e w a n t s t o c o m -

m u n i c a t e p r iv a t e i n f o r m a t i o n t o B o b o v e r a c h a n n e l w h e r e E v e c a n e av e sd r op .

A l ic e o b t a in s B o b s ( p u bl ic ) e n c r y p t i o n k e y o f a n a s y m m e t r i c e n c r y p t i o n sc h em e

a n d u s es it , t o g e t h e r w i t h l o c al r a n d o m n e s s , t o e n c r y p t h e r m e s sa g e s. N o w o n l y

B o b , w h o p o s se ss es t h e d e c r y p t i o n k e y , s h o u l d b e a b l e t o d e c r y p t . S e m a n t i c se -

c u r i t y [ 1 5 ] c a p t u r e s t h e s e c u r i t y r e q u i r e m e n t s t h a t t h i s s e t t i n g i m p o s e s o n t h e

e n c r y p t i o n fu n c t i o n . B a s ic a ll y , s e m a n t i c s e c u r i t y m e a n s t h a t E v e le a r ns n o t h i n g

f r o m t h e c i p h e r te x t s s h e h e a rs : w h a t e v e r s h e c a n c o m p u t e h a v i n g h e a r d t h e ci-

p h e r t e x t s s h e c a n al so c o m p u t e f r o m s c r a t c h . I t f o l lo w s t h a t A l ic e m u s t u s e l o c a l

r a n d o m n e s s i n o r d e r t o a c h i ev e s e m a n t i c s e c u r i ty .

W h i l e ( p as si ve ) se m a n t i c s e c u r i t y a p p r o p r i a t e l y c a p t u r e s t h e s e c u r it y n e e d e d

a g a i n s t p a s s iv e e a v e s d r o p p e r s , t h e r e a r e s e t t i n g s i n w h i c h i t f al ls s h o r t o f p r o -

v i d i n g t h e d e s ir e d d e g r ee o f p r o t e c t i o n . S u c h s e t t i n g s i n c l u d e p r o t e c t i o n a g a i n s t

* Re s e a r c h on t h i s pa pe r w a s s uppo r t e d by BS F G r a n t 32 - 00032 .



9

chosen ciphertext attacks (e.g., [17, 18]), non-malleable encryption [8], and pro-

tection against adaptive adversaries [7].

We investigate the additional properties required to protect the privacy of

transmitted data in yet another hostile setting. Assume that the adversary Eve

now has the power to approach Alice (or Bob, or both) af/er the ciphertext

was transmitted, and demand to see all the private information: the cleartext,

the random bits used for encryption and any private keys Alice (or Bob) have.

Once Alice hands over this information, Eve can verify that the cleartext and

randomness provided by Alice indeed mat~.h the transmi tted ciphertext. Can the

privacy of the communicated dat a be still somehow maintained, in face of such

an attack?

We first concentrate on the case where Eve attacks only Alice in the above

way. Certainly, if Alice must hand Eve the real cleartext and random bits then

no protection is possible. Also if Eve approaches Alice before the transmission

and requires Alice to send specific messages there is no way to hide information.

However, in case Eve has no direct physical access to Alice's memory, and Alice

is allowed to hand Eve fake cleartext and random bits, is it possible for Alice

to maintain the privacy of the transmitted data? That is, we ask the following

question. Assume Alice sent a ciphertext e = E(ml , r) , where ml is some mes-

sage, E is the public encryp tion a lgo rithm and r is Alice's local random input.

Can Alice now come up with a fake random input r' that will make e 'look like'

an encryption of a different message m2? We call encryption schemes that have

this property deniable.

The following valid ques tion ma y arise at this point: if Eve has no physical

access to Alice's memory, then why should Alice present Eve with any data

at all? That is, why not have Alice tell Eve: 'Sorry, I erased the cleartext and

the random bits used'. Indeed, if Eve will be willing to accept such an answer,

then deniable encryption is not needed. But there may well exist cases where

being able to provide Eve with convincing fake randomness will be valuable to

Alice. (Presenting convincing da ta is almost always more credible than saying 'I

erased', or 'I forgot'.) In fact, there ma y be cases where Alice is required to record

all her history including the randomness used, and can be punished/prosecuted

if she claims to have destroyed the evidence , i .e. any part of her history.

Furthermore, the mere fact that Alice is able to 'open' any ciphertext in many

ways makes it impossible for Alice to convince Eve in the authenticity of ar~y

opening. This holds even if Alice w i s h e s to present Eve with the real data. In

this sense, the privacy of Alice's data is protected even from the ~ ture be hav ior

of Al ice herse l f.

Standard encryption schemes do not guarantee deniability. Indeed, typically

there do not exisg two different messages that may result in the same ciphertext

(with any random input). In fact, encryption is often conceived of as a c om -

mi t ing process, in the sense that the ciphertext may serve as a commitment to

the cleartext. (This is a common use for encryption schemes, e.g. in [13, 14].)

Deniable encryption radically diverges from this concept.

D~niable encryption may seem impossible at first glance: consider a cipher-



92

t e x t c s e n t f r o m A l i c e t o B o b . If, u s i n g t w o d i f f e r e n t r a n d o m c h o i c e s , A l i c e c o u l d

h a v e g e n e r a t e d c b o t h a s a n e n c r y p t i o n o f a m e s s a g e m l a n d a s a n e n c r y p t i o n

o f a d i f f e r e n t m e s s a g e , m 2 , t h e n h o w c a n B o b c o r r e c t l y d e c i d e , f r o m c a l on e ,

w h e t h e r A l i c e m e a n t t o s e n d m l o r m 2 ? A m o r e c a r e f u l i n s p e c t i o n s h o w s t h a t

s u c h s c h e m e s c a n i n d e e d b e c o n s t r u c t e d , b a s e d o n t r a p d o o r i n f o r m a t i o n u n a v a il -

a b l e t o E v e .

D e n i a b l e e n c r y p t i o n h a s a p p l i c a t i o n s t o t h e p r e v e n t i o n o f v o t e - b u y i n g i n

e l e c t r o n i c v o t i n g s c h e m e s [4, 1 0, 1 1 , 1 9 ] , s t o r i n g e n c r y p t e d d a t a i n a d e n i a b l e

w a y , a n d u n c o e r c i b l e m u l t i p a r t y c o m p u t a t i o n [ 5 ] ; it a l s o y i e l d s a n a l t e r n at i v e

s o l u t i o n t o t h e a d a p t i v e s e c u r i t y p r o b l e m [ 7 ]. e e l a b o r a t e o n t h e s e a p p l i c a t i on s

i n t h e s e q u e l .

W e c la ss if y d e n i a b l e e n c r y p t i o n s c h e m e s a c c o r d i n g t o w h i c h p a r t i e s m a y b e

c o e r c e d : a s e n d e r - d e n ia b l e s c h e m e i s r e s il i e nt a g a i n s t c o e r c i n g

i . e . ,

e m a n d i n g

t o s e e t h e s e c r e t d a t a ) o f t h e s e n d e r o f t h e c i p h e r t e x t ; r ec e iv e r- d en i ab l e a n d

s e n de r -a n d -r e ce l v er - d en i ab l e s c h e m e s a x e d e f i n e d a n a l o g o u s l y . W e a l s o d i s t i n g ui s h

b e t w e e n s h a r e d - k e y s c h e m e s , i n w h i c h t h e s e n d e r a n d r e c e i v e r i ni ti al ly s h a r e

s o m e i n f o r m a t i o n , a n d p u b l i c - k e y d e n i a b l e e n c r y p t i o n s c h e m e s , i n w h i c h n o p r i o r

c o m m u n i c a t i o n i s a s s u m e d . A n o t h e r i s s u e i s t h e t i m e a t w h i c h t h e c o e r c e d p a r t y

m u s t d e c i d e o n t h e f a k e m e s s a g e : a t t i m e o f a t t a c k ( p r e f e r a b l e ) o r a t t i m e o f

e n c r y p t i o n .

L e t u s i n f o r m a l l y s k e t c h t h e r e q u i r e m e n t s f o r a o n e - r o u n d p u b l i c - k e y , s e n d e r -

d e n i a b l e , b i t - b y - bi t e n c r y p t i o n s c h e m e ( S e c t i o n 2 c o n t a i n s a m o r e g e n e r a l d ef i-

n i ti o n ) . L e t E L b e t h e s e n d e r s e n c r y p t i o n a l g o r i t h m w i t h p u b l i c k e y h . F i r s t, a

d e n i a b l e e n c r y p t i o n s c h e m e s h o u l d b e s e m a n t i c a l l y s e c u r e i n t h e s e n s e o f [ 1 5] .

I n a d d i t i o n w e r e q u i r e t h a t t h e s e n d e r h a v e a ( p u b l i c l y k n o w n ) f a k i n g a l g o r i t h m .

G i v e n a b i t b, a r a n d o m i n p u t r , a n d t h e r e s u l t i n g c i p h e r t e x t c = E ~ ( b , r ) , t h e

f a k i n g a l g o r i t h m g e n e r a t e s a f a k e r a n d o m i n p u t p = r r , c ) t h a t c m a k e s c l o o k

l i ke a n e n c r y p t i o n o f b . T h a t is, g i v e n b , p , c , t h e a d v e r s a r y s h o u l d b e u n a b l e t o

d i s t i n g u i s h b e t w e e n t h e f o l l o w i n g c a s e s :

a ) p i s u n i f o r m l y c h o s en a n d c - E ~ b , p )

b ) c w a s g e n e r a te d a s c : - E ~ b , r ) w h e r e r is i n d e p e n d e n t l y a n d u n i f o r m l y

c hose n , a n d p : r r , c ) .

W e s a y t h a t a s c h e m e is 6 - d e n i a b l e i f t h e a d v e r s a r y c a n d i s t i n g u i s h b e t w e e n c a s es

a ) a n d b ) w i t h p r o b a b i l i t y a t m o s t 6.

W e c o n s t r u c t a s e n d e r - d e n i a b l e p u b l i c - k e y e n c r y p t i o n s c h e m e b a s e d o n a n y

t r a p d o o r p e r m u t a t i o n S e c t i o n 3 ). H o w e v e r , o u r s c h e m e f a ll s s h o r t o f a c h ie v -

i n g t h e d e s i r e d l ev e l o f d e n i a b i l i t y . T h a t i s, w h i l e w e c a n c o n s t r u c t a 6 - d e n i a b le

s c h e m e fo r a r b i t r a r i l y s m a l l 6, t h e l e n g t h o f th e c i p h e r t e x t i s l i n e a r i n 1 / 6 .

C o n s e q u e n t l y , i f w e w a n t 6 t o b e n e g l i g i b l e , w e e n d u p w i t h c i p h e r t e x t s o f

s u p e r - p o l y n o m i a l l e n g th . T h e s e m a n t i c s e c u r i t y o f o u r s c h e m e a g a i n s t p a ss iv e

e a v e s d r o p p e r s h o l d s i n th e u s u a l s e n s e .) W e p r e s e n t e v i d e n c e t h a t c o n s t r u c t i n g

s u b s t a n t i a l l y b e t t e r o n e - r o u n d s c h e m e s r e q u i r e s a d i f f e r e n t a p p r o a c h S e c ti o n 4 ) .

W e a l so c o n si d er a m o r e f le x ib l e n o t i o n o f d e n i a b i l i t y t h a n t h e o n e sk e tc h e d

a b o v e . A n e n c r y p t i o n s c h e m e f o r e n c r y p t i n g a s i n g l e b i t c a n b e g e n e r a l ly v i ew e d

a s d e fi n i n g t w o d i s t r ib u t i o n s o n c i p h e r t e x t s : a d i s t r i b u t i o n T o o f e n c r y p t i o n s o f



9 3

0 , a n d a d i s t r i b u t i o n 2 1 o f e n c r y p t i o n s o f 1 . H e r e , i n c o n t r a s t , t h e s e n d e r c h o o s e s

t h e c i p h e r t e x t a c c o r d i n g t o o n e

of four

d i s t r i b u t i o n s , T o , T 1 , C o , C 1 . D i s t r i b u t i o n

b is u s e d b y a se n d e r w h o w i s h e s t o s e n d t h e b i n a r y v a l u e b a n d d o e s n o t w i s h t o

h a v e t h e a b i li t y t o o p e n d i s h o n e s t l y w h e n a t t a c k e d . D i s t r i b u t i o n C , is a ls o u s e d

t o s e n d t h e b i t v a l u e b, b u t b y a s e n d e r w h o w i s h e s t o p r e s e r v e b o t h t h e a b i l i t y t o

o p e n h o n e s t l y a n d t h e a b i l i t y t o o p e n d i s h o n e s t l y w h e n a tt a c k e d . (T h i s c h o ic e

c a n b e m a d e a t t i m e o f a t t a c k . ) I n p a r t i c u l a r , i f t h e s e n d e r e n c r y p t s a c c o r d in g t o

d i s t r ib u t i o n C ~ t h e n , w h e n a t t a c k e d , t h e s e n d e r c a n a p p e a r t o h a v e c h o se n e i t h e r

f r o m T o o r T 1. T h i s a l t e r n a t i v e n o t i o n a l l o w s u s t o c o n s t r u c t e f fi ci en t d e n i a b l e

s c h e m e s w i t h n e g l i g i b l e 6 .

S e c t io n 6 s h ow s , v i a s i m p l e c o n s t r u c t i o n s , h o w t o t r a n s f o r m a n y s e n d e r -

d e n i a b l e e n c r y p t i o n s c h e m e i n t o a r e c e i v e r - d e n i a b l e s c h em e , a n d v i ce - ve r sa . W e

a l s o s h o w h o w a s c h e m e r e s i h e n t a g a i n s t c o r r u p t i n g b o t h t h e s e n d e r a n d t h e

r e c e i v e r c a n b e c o n s t r u c t e d b a s e d o n a s c h e m e r e s i l i e n t a g a i n s t c o r r u p t i n g t h e

s e n d e r . T h i s l a s t c o n s t r u c t i o n r e q u i r e s t h e h e l p o f o t h e r p a r t i e s i n a n e t w o r k ,

a n d w o r k s a s l o n g a s a t l e a s t o n e o t h e r p a r t y r e m a i n s u n a t t a c k e d . I n S e c t i o n 5

w e r e v i e w s o m e s h a r e d - k e y d e n i a b l e s c h e m e s .

A P P L I C A T I O N S A N D R E L A T E D W O R K A n a t u r a l a p p l i c a t i o n o f d e n i a b l e e n -

c r y p t i o n i s t o p r e v e n t c o e r c i o n i n e l e c t r o n i c s e c r e t v o t i n g s c h e m e s [ 10 ]: c o e r c e r

m a y o f f e r b r i b e i n e x c h a n g e f o r p r o o f o f a p e r s o n s v o t e , a f t e r h e a r i n g t h e c o r -

r e s p o n d i n g c i p h e r t e x t . T h e c o e r c i o n p r o b l e m i n t h e c o n t e x t o f v o t i n g h a s b e e n

s t u d i e d i n t h e p a s t [ 4 , 1 9 , 1 1 ] . H o w e v e r , t h e s e p r e v i o u s w o r k s a s s u m e t h a t , f o r a

c r u c i a l p a r t o f t h e c o n v e r s a t i o n , t h e c o m m u n i c a t i n g p a r t i e s s h a r e a p h y s i c a l l y s e -

c u r e c h a n n e l ; t h u s , t h e c o e r c e r h e a r s n o c i p h e r t e x t a n d t h e d e n i a b i l i t y r o b l e m

d i s a p p e a r s . 5 D e n i a b l e e n c r y p t i o n s m a y b e i n c o r p o r a t e d i n t h e s e w o r k s t o r e p l a c e

t h e s e p h y s i c a l s e c u r i t y a s s u m p t i o n s . ( O n e s t i l l a s t o m a k e s u r e , a s b e f o r e , t h a t

t h e v o t e r s a r e n o t c o e r c e d p r / o r t o t h e e l e c t i o n s . )

B a s e d o n t h e p u b l i c - k e y , s e n d e r - d e n i a b l e c o n s t r u c t i o n p r e s e n t e d h e r e , [ 5] d e -

s c r i b e a g e n e r a l m u l t i p a r t y p r o t o c o l p e r m i t t i n g a s e t o f p a r t i e s t o c o m p u t e a

c o m m o n f u n c t i o n o f t h e i r i n p u t s w h i l e k e e p i n g t h e i r i n t e r n a l d a t a p r i v a t e e v e n

i n t h e p r e s e n c e o f a c o e r c e r .

F i n a l l y , o u r w o r k o n d e n i a b l e e n c r y p t i o n p r o v i d e s a c o n c e p t u a l l y s i m p l e a n d

e l e g a n t a l t e r n a t i v e s o l u t i o n t o t h e p r o b l e m o f g e n e r a l s e c u r e m u l t i p a r t y c o m -

p u t a t i o n i n t h e p r e s e n c e o f a n

d p t i v e

a d v e r s a r y - o n e t h a t c h o o s e s w h o m t o

c o r r u p t

d u r i n g

t h e c o u r s e o f t h e c o m p u t a t i o n , b a s e d o n t h e i n f o r m a t i o n s e e n a s

t h e e x e c u t i o n u n f o l d s . P r o t o c o l s f o r s e c u r e l y c o m p u t i n g a n y f u n c t i o n i n a m u l -

t i p a r t y s c e n a r i o i n t h e p r e s e n c e o f a n o n - a d a p t i v e a d v e r s a r y w e r e s h o w n i n [ 14 ].

A l m o s t a d e c a d e p a s s e d b e f o r e t h e r e s t r i c t i o n t o n o n - a d a p t i v e a d v e r s a r i e s w a s

l i f te d [ 7 ] . T h e s e p r o t o c o l s a r e b a s e d o n a n o t h e r t y p e o f e n c r y p t i o n p r o t o c o l ,

s In [11] a s ligh t ly d i f fe ren t phy s ica l s ecu r i ty a s su m pt ion i s ma de , nam ely tha t the

random choices used for enc rypt ion a re phys ica l ly unava i l ab le . The resu l t i s the

same: the 'den iab i l i ty problem' d i sappears .

[9 , 3 ] ob ta in so lu t ions for th i s p r ob lem un de r the as sum pt ion tha t the pa r t i e s a re

t rus te d to keep e ras ing pas t in fo rm at ion . Such so lu t ions a re unsa t i s fac tory in a s e t -

t ing where pa r t i e s a ren ' t t rus ted s ince e ras ing cannot be ex te rna l ly ve r i f i ed . Fur the r -

m o r e , t he phys i c al de si gn o f c om pu t e r s y s t e m s m a ke s e r a si ng i n f o r m a t i on d if fic ult

and unrel iable [16] .



9

c a l l e d non c o m m itt ing e n c r y p t i o n . N o n - c o m m i t t i n g e n c r y p t i o n s h a v e t h e s a m e

f l a vo r a s d e n i a b l e e n c r y p t i o n s , i n t h a t t h e r e e x i s t c i p h e r t e x t s t h a t c a n b e o p e n e d

a s e n c r y p t i o n s o f , s a y , b o t h q a n d 0 . o w e v e r , n o n - c o m m i t t i n g e n c r y p t i o n s a r e

s tr ic tl y w e a k e r t h a n d e n i a b l e o n e s . F o r e x a m p l e , i n n o n - c o m m i t t i n g e n c r y p t i o n s

t h e p a r t i e s z ~ s i n g t h e s c h e m e a r e , i n g e n e r a l ,

n o t

a b l e t o g e n e r a t e c i p h e r t e x t s

t h a t c a n b e o p e n e d b o t h w a y s ; s u c h c i p h e r t e x t s c a n o n l y b e g e n e r a t e d b y a s i m -

u l a t o r ( w h i c h i s a n a r ti f ac t f t h e [7] m o d e l ) . I n c o n t r a s t , i n d e n i a b l e e n c r y p t i o n

e a c h c i p h e r t e x t g e n e r a t e d b y p a r t i e s u s i n g t h e s c h e m e h a s u n i q u e d e c r y p t i o n ,

a n d a t t h e s a m e t i m e c a n b e o p e n e d i n s e v e r a l w a y s f o r a n a d v e r s a r y ( t h u s ,

t h e n o n - c o m m i t t i n g e n c r y p t i o n s c h e m e i n [ 7] i s n o t d e n i a b l e ) . T h e k e y i n si g ht i s

t h a t a n y d e n i a b l e e n c r y p t i o n s c h e m e r e si l i e n t g a i n s t a t t a c k i n g b o t h t h e s e n d e r

a n d t h e r e c e iv e r is n o n - c o m m i t t i n g . I n d e e d , a p p l y i n g t h e t r a n s f o r m a t i o n o f S e c -

t i o n 6 t o t h e b a s i c s c h e m e d e s c r i b e d i n S e c t i o n 3 y i e l d s a c o m p l e t e s o l u t i o n t o

t h e a d a p t i v e s e c u r i t y p r o b l e m . S e e [6] f o r m o r e d e t a i l s .

2 D e f i n i t i o n s

L e t u s f ir st e c al l h e d e f i n i ti o n o f c o m p u t a t i o n a l d i s t a n c e o f d i st r ib u t i on s . e r e

a n d i n t h e s e q u e l a f u n c t i o n 6 : N --* [0, I ] i s n e gl i gi b le f i t a p p r o a c h e s z e r o fa s t er

t h a n a n y p o l y n o m i a l ( w h e n i t s a r g u m e n t a p p r o a c h e s i n f i n i t y ) .

D e f i n i t i o n 1 . L e t . 4 = { A , ~ } , ~ e N a n d B = { B ~ } n e N b e t w o e n s e m b l e s o f p r o b -

a b i l it y d i s t r ib u t i on s , a n d l et 6 : N --* [ 0, 1]. W e s a y t h a t . 4 a n d B a r e 6 ( n ) -

c l o se i f f o r e v e r y p o l y n o m i a l t i m e d i s t i n g u i s h e r D a n d f o r a ll l a r g e e n o u g h n ,

[ P r o b ( D ( A , ~ ) = i ) - P r o b ( D ( B , ~ ) = i ) [ < 6 n ) .

I f 6 ( n ) i s n e g li g i bl e t h e n w e s a y t h a t . 4 a n d B a r e computa t iona l l y i n d i s t i n -

g u i s h a b l e a n d w r i t e , 4 ~ B .

2 . 1 P u b l i c - k e y e n c r y p t l o n

Co n s id e r a sen d e r S an d a r ece iv e r R . t h a t , a

pr ior i

h av e n o sh a red sec r e t i n -

f o r m a t i o n . T h e y en g a g e i n s o m e p r o t o c o l i n o r d e r t o t r a n s m i t a m e s s a g e f r o m

S t o R . ( I f a s ta n d a r d p u b l i c k e y e n c r y p t i o n s c h e m e i s u s e d th e n t h is p r o to -

c o l m a y c o n s is t o f t h e r e c e iv e r s e n d i n g h i s p u b l i c e n c r y p t i o n k e y t o t h e s e n d e r,

w h o r e s p o n d s w i t h t h e e n c r y p t e d m e s s a g e . ) I n t u i t i v e l y , w e d e si re : ( 1 ) t h e r e-

ce iv e r sh o u ld b e ab le to d ec r y p t t h e co r r ec t v a lu e ( ex ce p t , p e rh ap s , w i th neglig i-

b l e p r o b a b i l i t y o f e r ro r ); ( 2) t h e p r o t o c o l s h o u l d b e s e m a n t i c a l l y s e c u re a g a i n s t

e a v e s d r o p p e r s ; a n d ( 3 ) t h e s e n d e r s h o u l d h a v e a f a k i ng algorithm ~b su ch t h a t,

g iv en ( m l , ~ s , c , m 2 ) (wh e re rn l i s t h e t r a n s m i t t ed m essag e , r s i s t h e sen d e r s

r a n d o m i n p u t , c is a t r a n s c r i p t o f t h e c o n v e r s a t i o n b e t w e e n S a n d R f o r t r a n s -

m i t t i n g r r~ t , n d r n 2 is t h e r e q u i r e d f a k e m e s s a g e ) , ~ g e n e r a t e s a f a k e r a n d o m

i n p u t f o r t h e s e n d e r , t h a t m a k e s c l o o k l i k e a c o n v e r s a t i o n f o r t r a n s m i t t i n g r n 2.



95

M o r e p r ec is e ly , le t M b e t h e s e t o f a l l p o s s i b l e m e s s a g e s t o b e s e n t f r o m S t o

R ( M c a n b e { 0 , 1 } ' f o r s o m e s ) . L e t ~r b e a p r o t o c o l f o r t r a n s m i t t i n g a m e s s a g e

rr~ E M f r o m S t o R . L e t C O M , ( m , r s , rR ) d e n o t e t h e c o m m u n i c a t i o n b e t w e e n

S a n d R f or t r a n s m i t t i n g m , w h e n S h a s r a n d o m i n p u t r s a n d R h a s r a n d o m

i n p u t r R . L e t c o M ~ ( ra ) d e n o t e t h e r a n d o m v a r i a b l e d e s c r ib i n g C O M~ m , r S , r R )

w h e n r s a n d r R a re u n i f o r m l y a n d i n d e p e n d e n t l y c h o s en .

D e f i n i t i o n 2 . A p r o t o c o l ~r w i t h s e n d e r S a n d r ec e iv e r R , a n d w i th s e c u ri ty

pa r ame te r n , i s a 6 ( n ) - sende r - den iab l e enc r yp t ion p r o toco l i f :

C o rre ctn ess : T h e p r o b a b i l i t y t h a t R ' s o u t p u t i s d i ff e re n t t h a n S ' s i n p u t is n e g -

l ig ib l e ( a s a f un c t ion o f n ) .

S ecu rity : F o r a n y m l , m 2 E M w e h a v e c o M ~ ( m l ) ~ c o M , ( m 2 ) .

Deniabil ity: Th ere exis t s an e f f ic ient faking a lgor ithm hav ing the fol lowing pro p-

e r ty w i th r e s p ec t t o a n y m l , r a2 E M . L e t r s , r R b e u n i f o r m l y a n d i n d e p e n -

den t ly chosen r and om inp u t s o f S an d R , r e spec t ive ly , l e t c - co M , ( m 1, r s , r R ) ,

a n d l et ? s = ( m l , r s , c , m 2 ) . T h e n , t h e r a n d o m v a ri ab l es

( m 2 , r s , C O M , ( m r , r s , r R ) ) a n d ( m 2 , r s , c o M ~ ( m 2 , r s , r R ) ) ( 1)

a re 5(n) -c lose .

T h e r ig h t h a n d s id e o f ( 1 ) d e s c r i b e s t h e a d v e r s a r y ' s v i e w o f a n h o n e s t e n c r y p t i o n

of m2 acco r d ing to p r o toc o l 7r. T he l e f t han d s ide o f ( 1 ) de sc ribe s t he adve r sa r y ' s

v i e w w h e n c w a s g e n e r a t e d w h i l e t r a n s m i t t i n g m l , a n d t h e s e n d er fa l se l y c l a im s

t h a t c is a n e n c r y p t i o n o f m 2 . T h e d e f i n i t io n r e q u i re s t h a t t h e a d v e r s a r y c ~ n n o t

d i st in g u i sh b e t w e e n t h e t w o c a s e s w i t h p r o b a b i l i t y m o r e t h a n 6 n) .

R EM A R KS : 1 . W h e n t h e d o m a i n o f m e s s a g e s i s M = { 0 , 1 } t h e d e f in i ti o n m a y

b e s i m p l if ie d . I n t h e s e q u e l w e c o n c e n t r a t e o n s u c h s c h e m e s , e n c r y p t i n g o n e b i t

a t a t ime .

2 . D e f in i ti o n 2 re q u i re s t h e p a r t i e s t o c h o o s e n e w p u b l i c k e y s f o r e a c h m e s s a g e

t r a n s m i t t e d . T h e d e f in i t io n c a n b e m o d i f i e d i n a n a t u r a l w a y t o c a p t u r e sc h e m e s

w h e r e a ' l o n g - l iv e d ' p u b l i c k e y i s u s e d t o e n c r y p t s e v e ra l m e s s a g e s, re q u i ri n g t h e

s e n d e r t o b e a b l e t o ' f a k e ' e a c h m e s s a g e i n d e p e n d e n t l y o f t h e o t h e r m e s s a g e s

e n c r y p t e d w i t h t h e s a m e p u b l i c k e y . T h e s c h e m e d e s c r i b e d i n t h e s e q u e l i n d e e d

e n j o y s t h i s a d d i t i o n a l p r o p e r t y .

3 . S c h e m e s i n w h i c h t h e c o e r c e d p a r t y c h o o s e s t h e f a k e m e s s a g e m 2 a t t i m e o f

enc r yp t ion a r e ca l l ed plan-ahead d e n i a b l e e n c r y p t i o n s c h em e s . S o m e m o d i fi c a -

t i o n s o f t h e c o n s t r u c t i o n s d e s c r i b e d b e l o w y i e l d p l a n - a h e a d d e n i a b l e e n c r y p t i o n

schemes w i th neg l ig ib l e 6 n ) .

Ne xt w e de f ine a s om ew ha t we ake r no t ion o f den iab i li t y , c a l led flexib le den i-

a b i l i t y .

D e f i n i t i o n 3 . A p r o t o c o l ~r w i t h s e n d e r S a n d r e c ei v e r R , b i n a r y P re se rv e p a -

r a m e t e r P , a n d s e c u r i t y p a r a m e t e r n , i s a

6 n ) - f l e x i b l e - s e n d e r - d e n i a b l e e n c r y p t io n

protocol i f :



9

Correctness

T h e p r o b a b i l i t y t h a t R s o u t p u t i s d i f f er e n t t h a n S s i n p u t i s n e g -

l ig ib le (as a func t ion o f n ) .

Secur i ty

Fo r an y r a t , ra2 E M an d fo r an y P E {T , C } we h av e COM ,~(P , r a l ) ~ ,

C O M . P , r a 2 )

( e n c r y p t io n s o f r a t a n d ra 2 a re i n d i s t i n g u i s h a b l e i n d e p e n d e n t o f P ) .

W eak Oeniabi li ty : There ex is ts an e f fic ien t fak ing a lg or i thm r hav in g the fo l-

l o w in g p r o p e r t y w i t h re s p e c t t o a n y r a t , m 2 E M . L e t r s , r R b e u n i fo r m l y

ch o sen r an d o m in p u t s o f S an d R , r e sp ec t iv e ly , l e t c = COM,~(C, r a t , r s , r a ) ,

a n d l et r s = r r s , c , m 2 ) . T h e n , t h e r a n d o m v a r ia b l e s

(m~, r s , c ) an d ( rn2 , r~ , COM,r(T, ra2 , r~ , r~ ) ) (2 )

a r e 6 (n ) -c l o se , w h e re r ~ , r ~ a r e i n d e p e n d e n t , u n i f o r m l y c h os e n r a n d o m i n-

p u t s o f S an d R , r e sp ec tiv e ly .

T h e l e f t -h a n d s id e o f E q u a t i o n 2 d e s c r i b e s t h e v i e w o f t h e a d v e r s a r y w h e n t h e

s e n d e r, h a v i n g p r es e r v ed t h e a b i l i t y t o o p e n d i s h o n e s t l y w h e n s e n d i n g r a t , o p e n s

w i t h v a l u e ra 2 (w h i c h m i g h t o r m i g h t n o t e q u a l m r ) . T h e r i g h t - h a n d s id e o f

E q u a t i o n 2 d e s c ri b e s t h e a d v e r s a r y s v i e w w h e n t h e s e n d e r , n o t h a v i n g p r es e r v ed

t h e a b i l i t y t o o p e n d i s h o n es t ly , o p e n s a n e n c r y p t i o n o f r a2 .

S c h e m e s r e s i l i e n t a g a i n s t a t t a c k i n g t h e r e c e i v e r , o r s i m u l t a n e o u s a t t a c k o f

b o th th e sen d e r an d th e r ece iv e r, a r e d e f in ed an a lo g o u s ly . Th ey ap p e a r in [6 ].

2 .2 S h a r e d - k e y e n c r y p t i o n

In a sh a r ed -k ey scen a r io , t h e sen d e r an d r ece iv e r sh a r e a r an d o m , sec r e t k ey

a b o u t w h i c h t h e a d v e r s a r y i s a s s u m e d t o h a v e n o a p r i o r i i n fo rm a t io n . Co n -

seq u en t ly , h e re th e p a r t i e s can a l so p r e se n t t h e ad v e r sa ry w i th a fak e sha red

k ey , o n t o p o f p r e s en t in g f a k e r a n d o m i n p u t s . T h i s i s c a p t u r e d a s f ol lo w s . T h e

c o m m u n i c a t i o n b e t w e e n t h e p a r t i e s n o w d e p e n d s a l s o o n a s h a r e d k e y k , a n d i s

d e n o t e d C O M , (m , k , r s , r R ) ( w h e r e r a , r s , r a a r e t h e s a m e a s b e f o re ) . B e lo w w e

def ine sender -den iab i l i ty .

D e f i n i t i o n 4 . A p r o to c o l lr w i t h s e n d e r S a n d r e ce i v er R , an d w i t h s e cu r it y

parameter n , i s a shared-key 6(n) -sender -den lab le encryp t ion p ro toco l i f :

Correctness

T h e p r o b a b i l i t y t h a t R s o u t p u t i s d i f fe r e n t t h a n S s i n p u t i s n e g-

l ig ib le (as a fun c t ion o f n ) .

Security : Fo r an y r a t , m 2 E M an d fo r a sh a r ed -k ey k ch o sen a t r an d o m , we h av e

CO M . rat , k) ~ CO M . ra2, k) .

Deniabi ll ty : Th ere ex is ts an e ff ic ien t fak ing a lg or i th m r hav in g the fo l low-

i n g p r o p e r t y w i t h r e s p e c t t o a n y r n i , ra 2 E M . L e t k , r s ,

r R

b e u n i f o r m l y

c h o s en s h a re d - k e y a n d r a n d o m i n p u t s o f S a n d R , r e s p e c ti v e ly , l e t c -

c o M , ( r a t , k, r s , r R ) , a n d le t ( k , F s ) -- r k , r s , c , r a2 ). T h e n , t h e r a n d o m

v ar i ab le s

(ra2, k, ~s, c) and r a 2 , k , r s , COM~(ra2 , k , r s , r R ) )

are 6 (n) -c lose .



97

N o t e t h a t D e f i n i t i o n 4 a l s o c o v e r s t h e c a s e w h e r e t h e s a m e k e y i s u s e d t o

e n c r y p t s e v er al m e s s ag e s : l e t m i ( r es p . , r a 2 ) i n t h e d e f i n i t i o n d e n o t e t h e c o n c a t e -

n a t i o n o f a l l r e al ( r e sp . , f a k e) m e s s a g e s . I n S e c t i o n 5 w e m e n t i o n s o m e s h a r e d - k e y

s c h e m e s .

3 Publ ic key Den iable En crypt ion

OVERVIEW W e d e s cr i b e t w o p u b l i c - k e y d e n i a b l e e n c r y p t i o n s c h em e s . T h e f i rs t ,

c a l le d t h e b as ic s c h e m e , is o n l y a p a r t i a l s o l u t i o n t o t h e p r o b l e m . W e u se i t a s a

b u i l d i n g - b l o c k t o c o n s t r u c t o u r m a i n s c h e m e . ( I t c a n a l s o b e u se d to c o n s t r u c t

a n o n - c o m m i t t i n g e n c r y p t i o n s c h e m e , a s d e s c r i b e d i n [6 ].) O u r m a i n s c h e m e ,

c a l le d t h e P a ri ty S c h e m e , is ~ - s e n d e r - d e n i a b l e a c c o r d i n g t o D e f i n i ti o n 2 . R o u g h l y

s p e a k in g , t h i s m e a n s t h a t t h e p r o b a b i l i t y o f su c c es s fu l a t t a c k v a n is h es l in e a rl y i n

t h e s e c u r it y p a r a m e t e r . ( B y a s i m p l e r e n a m i n g o f p a r a m e t e r s t h i s s c h em e c a n b e

r e g a r d e d a s 0 - s e n d e r - d e n i a b l e f o r a n y c > 0 . Y e t , t h e p r o b a b i l i t y o f s u c ce s sf u l

a t t a c k v a n is h es o n l y li n e a r l y i n t h e a m o u n t o f w o rk i n v e s te d in e n c r y p t i o n a n d

d e c r y p t i o n . )

T h e s c h e m e s a re s e n d e r - d e n i a b l e . R e c e i v e r - d e n i a b l e a n d S e n d e r -a n d - re c e iv e r -

d e n i a b l e s ch e m e s c a n b e c o n s t r u c t e d f r o m t h e s e u s i n g t h e t e c h n i q u e s o f S e c t io n 6 .

O u r s c h e m e s e n c r y p t o n e b i t a t a t i m e . H e r e t h e y a r e d es c r ib e d i n t h e s t a n d a r d

t e r m s o f e n c r y p t i o n a n d d e c r y p t i o n a l g o r i t h m s . I n t e r m s o f D e f in i ti o n 2 , t h e

i n t e r a c t i o n c o n s i st s o f t h e r e c e iv e r s e n d i n g t h e p u b l i c e n c r y p t i o n k e y t o t h e

s e n de r, w h o re s p o n d s w i t h t h e e n c r y p t e d m e s s a g e .

T H E B A S IC A PP RO A C H. O u r s c h e m e s a r e b a s e d o n t h e fo l l o w i n g s i m p l e i d e a .

A s s u m e t h a t t h e s e n d e r c a n p i c k a n e l e m e n t i n s o m e d o m a i n ei th e r randomly

o r a c c o r d i n g t o s o m e

pse~dor~ndom

d i s t r i b u t i o n . A s s u m e fu r t h e r t h a t t h e re -

c e iv e r, h a v i n g s o m e se c r et i n f o r m a t i o n , c a n t e l l w h e t h e r t h e e l e m e n t w a s c h o s e n

r a n d o m l y o r p s e u d o r a n d o m l y ; o t h e r p a r t i e s c a n n o t t e l l t h e d i ff er en c e. T h e n , t h e

s e n d e r c a n p r o c e e d a s fo l lo w s : t o e n c r y p t a 1 (r e sp . , 0 ) s e n d a p s e u d o r a n d o m

( re s p ., r a n d o m ) e l e m e n t . T h e r e c e iv e r w i l l b e a b l e t o d e c r y p t c o r r e c tl y ; b u t i f

a pse~dorandom

e l e m e n t e w a s t r a n s m i t t e d , t h e n w h e n a t t a c k e d t h e s e n d e r c a n

c l a i m t h a t e w a s randomly c h o s e n - - a n d t h e a d v e r s a r y w i ll n o t b e a b le to t e ll

t he d i f f e r e nc e .

H e r e t h e s e n d e r c o u l d f a k e i t s m e s s a g e o n l y i n o n e d ir e c t io n ( f r o m 1 t o 0 ).

U s i ng s im p l e t ri ck s o n e c a n c o m e u p w i t h s c h e m e s t h a t a ll o w f a k in g i n b o t h

d i r e ct i o n s . W e n o w d e s c r i b e t h e s c h e m e s i n d e t a i l .

T R A N S L U C E N T S E T S O u r

s c h e m e s a r e b a s e d o n a c o n s t r u c t t h a t c a n b e i n f or -

m a l l y d e s c r i b e d a s f o l l o w s . F o r m a l d e f i n i t io n s c a n b e e x t r a c t e d f r o m t h i s d e s c r ip -

t i o n . )

W e a s s u m e t h a t t h e r e e x i s t s a f a m i l y { 8 ~ } t e N o f s e t s , w h e r e S t C { 0 , 1 } ~,

t o g e t h e r w i t h s ec re t t r a p d o o r i n f o r m a t i o n d r, s u c h t h a t :

1 S t i s sma l l : [ S t [ _( 2 ~ - ~ f o r s om e su f f i c i e n t ly l a r ge k (~).

2 . I t i s e a s y t o g e n e r a t e r a n d o m e l e m e n t s z E ~ q t, e v e n w i t h o u t t h e s e c r e t d ~.

3 . G i v e n z E { 0, 1 } * a n d d t i t i s e a s y t o d e c i d e w h e t h e r z E S~ .

4 . W i t h o u t d r , v a l u e s c h o s e n u n i f o r m l y f r o m 8 ~ a r e i n di s t i n g u i s h a bl e f r o m v a l u e s

c h o s e n u n i f o r m l y f r o m { 0 , i } ~.



9

W e f ir s t p r e s e n t t w o s i m p l e c o n s t r u c t i o n s o f t r a n s l u c e n t s e ts . B o t h u s e a t r a p -

d o o r p e r m u t a t i o n f : { 0 , 1 } s -- { 0 , 1 } s , a n d i t s h a r d - c o r e p r e d i c a t e / 3 : { 0 , 1 } s -

{ 0 , I } ( s a y , u s e t h e G o l d r e i c h - L e v i n p r e d i c a t e [ 1 2 ] ) .

C o n s t r u c t i o n I : L e t t = s k . R e p r e s e n t e a c h z E { 0 , 1 } ~ a s a v e c t o r z =

z i . . . z ~

w h e r e e a c h

z i

E { 0 , I } ~. T h e n l e t 8 t :

{ z i . . . z ~

E { O , l } S k [ V i =

l . . k , B ( / - t ( z ~ ) ) - - 0 } . H e r e

[S , I ~

2 ( s - t ) ~ - - 2 ' - ~ .

C o n s t r u c t i o n I f: L e t t : s + k . R e p r e s e n t e a c h x E { 0 , I } t

as z - Zo, bt...b~

w h e r e ~ 0 E { 0 , 1 } ' a n d f o r i > _ i e a c h bi E { 0 , I } . T h e n l et S ~ : { z 0 , bt...bt e

{ 0 , I } s + t l i = l . . k , B f - i Z o ) ) = b ~ } . H e r e

l S l

=

2 = 2

I t i s e a s y t o v e r i f y t h a t b o t h c o n s t r u c t i o n s s a t i s f y r e q u i r e m e n t s 1 - 4 . C o n s t r u c t i o n

I I i s m o r e e f f ic ie n t i n t h a t , g i v e n a t r a p d o o r p e r m u t a t i o n o n { 0 , 1 } ~ , t h e l e n g t h

o f z i s o n l y t - - s + k i n s t e a d o f t = s k .

A t h i r d c o n s t r u c t i o n r e l i e s o n t h e l a t t i c e d - b a s e d p u b l i c - k e y c r y p t o s y s t e m

d e s c r i b e d i n [ 2 ] . R o u g h l y s p e a k i n g , t h e s e c r e t i n f o r m a t i o n i s a n n - d i m e n s i o n a l

v e c t o r u o f l e n g t h a t m o s t 1 . L e t / C d e n o t e t h e c u b e 2 l ~ w h e r e U ( ) i s t h e

n - d i m e n s i o n a l u n i t c u b e . T h e v e c t o r u i n d u c e s a c o l l e c t i o n o f ( n - 1 ) - d i m e n s i o n a l

h y p e r p l a n e s a s f o l l o w s : f o r i n t e g e r i t h e i ~ h h y p e r p l a n e i s t h e s e t o f a ll v e c t o r s

v w h o s e i n n e r p r o d u c t w i t h u i s e q u a l t o i . L e t X b e t h e i n t e r s e c t i o n o f t h e

h y p e r p l a n e s w i t h / C . T h e p u b l i c k e y c o n s i s t s o f a c o l l e c t i o n o f m - - n c p o i n t s

v t , . . . , v , ~ , e a c h o f w h i c h i s a s m a l l p e r t u r b a t i o n o f a r a n d o m l y c h o s e n p o i n t

i n X . T h e e n c r y p t i o n p r o c e d u r e m a k e s u s e o f a c e r t a i n p a r a l l e l e p i p e d 7 , c o m -

p u t a b l e f r o m t h e p u b l i c k e y . A n e n c r y p t i o n o f z e r o i s a p o i n t c h o s e n u n i f o r m l y

a t r a n d o m f r o m K N 2 - ~ : r ' ~ . A n e n c r y p t i o n o f o n e i s ~ ' ~ i ~ = t ~ v ~ r o o d ~ P , w h e r e

e a c h 6 ~ E R { 0 , i } . T h u s , e n c r y p t i o n s o f o n e a r e c l o s e t o h y p e r p l a n e s i n X , w h i l e

e n c r y p t i o n s o f z e r o , t y p i c a l l y , a r e n o t . D e c r y p t i o n o f t h e c i p h e r t e x t i s p e r f o r m e d

b y c o m p u t i n g t h e d i s t a n c e o f t h e c i p h e r t e x t f r o m t h e n e a r e s t h y p e r p l a n e i n X :

i f t h e d i s t a n c e i s s u f f i c i e n t l y s m a l l t h e c i p h e r t e x t i s d e c r y p t e d a s o n e ( t h e r e i s

a p o l y n o m i a l p r o b a b i l i t y o f e r r o r ) . T h i s c o n s t r u c t i o n y i e l d s a t r a n s l u c e n t s e t i n

w h i c h t i s t h e l e n g t h o f a c i p h e r t e x t ( t ~ n 2 ) , a n d , o n c e t h e p u b l i c k e y h a s b e e n

c h o s e n , S ~ i s t h e s e t o f e n c r y p t i o n s o f o n e , a n d 7 ~ t i s t h e s e t o f e n c r y p t i o n s o f

z e r o .

T H E B A S I C S C H E M E . T h e p u b l i c e n c r y p t i o n k e y i s a m e t h o d f o r g e n e r a t i n g

u n i f o r m l y a t r a n d o m a m e m b e r o f a t r a n s l u c e n t s e t S ~ C { 0 , I } t. T h e p r i v a t e

d e c r y p t i o n k e y i s t h e c o r r e s p o n d i n g s e c r e t d .

E n c r y p t i o n :

T o e n c r yp t 1, s e n d a r a n d o m e l e m e n t

o f S ~ .

T o e n c r y p t O, s e n d a

r a n d o m e l e m e n t i n

{0 , 1} ~.

D e c r y p t i o n : I f t h e c i p h e r t e x t z

i s i n S ~ t h e n o u t p u t 1 . E l s e o u t p u t O.

O p e n i n g a n e n c r y p t i o n h o n e s t l y : r e v e a / t h e

t r u e r a n d o m

c h o i c e s

used .

O p e n i n g a n e n c r y p t i o n d i s h o n e s t l y : I f t h e e n c r y p t e d b i t i s 1 i .e . t h e c i-

p h e r t e x t z i s a r a n d o m e l e m e n t in S t h e n c l a / r n t h a t z w a s c h o s e n a t r a n d o m

f r o m { 0 1} ~ a n d t h u s z i s a n e n c r y p t i o n o f O. I f t h e e n c r y p t e d b i t i s 0 t h e n I y in g

wi]] b e i n f e a si b l e s i n c e t h e c i p h e r t e x t x i s i n S t o n ] y w i t h n e g l i g ib l e p r o b a b i l i t y

2 - k . A n a l y s i s: C o r r e c t n e s s : A n e n c r y p t i o n o f i i s a l w a y s d e c r y p t e d c o r re c t l y . A n



99

e n c r y p t i o n o f 0 m a y b e d e c r y p t e d a s 1 w i t h p r o b a b i l i t y 2 - t . S t a n d a r d s e c u r i t y

a g a i n s t e ~ v e s d r o p p e r s i s s t r a i g h t f o r w a r d . D e n i a b i l i t y : t h e f a k i n g a l g o r i t h m ~ a n d

i t s v a l i d i t y r e d e s c r i b e d a b o v e . S i n c e l y i n g i s p o s s i b l e o n l y i n o n e d i r ec t i o n , t h i s

i s o n l y a p a r t i a l s o l u t i o n t o t h e p r o b l e m . N e x t w e d e s c r i b e a s c h e m e w h e r e l y i n g

i s p o s s i b l e i n b o t h d i r e c t io n s .

T H B P A R I T Y S C H E M E . L e t S : C { 0 , i ) : b e a t r a n s l u c e n t s et . W e c al l e l e m e n t s

d r a w n u n i f o r m l y f r o m S ( r es p . , f r o m { 0 , I } ) S - e l e m e n t s ( re sp ., - e l e m e n t s ) .

E n c r y p t l o n : T o e n c r y p t 0

(reap., 1),

c h o o s e a

r a n d o m

e ve n ( r e s p . ,

odd)

n u m b e r

i E 0 , . . . ,

n . Con s t ruc t a c ipher t ex t cons i s t i ng o f i

~q- e l e m e n t s

fol lowed by n - i

~ - e l e m e n t s .

D e e r y p t i o n :

O u t p u t t he p a r i t y o f th e n u m b e r o f

e l e m e n t s

in the received ci-

phe r t e x t

t h a t

be long

t o G

O p e n i n g a n e n c r y p t i o n h o n e s t l y : R e ve M t h e re M

r a n d o m

c h o i c e s u s e d i n

g e n e r a t i n g

t he c iph er t ex t .

pening

a n e n c r y p t i o n d i s h o n e s t l y : L e t i b e t he n u m b e r c ho se n b y t he

s e n d e r .

T h e

s e n d e r c l a i m s t h a t s h e h a s c h o s e n i - 1 r a t h e r t h a n i. (C o n s e -

q u e n t l y ,

t he par i t y o f i f l ips . )

F o r t h / s , s h e

c la ims t ha t t he i t h

e l e m e n t in t h e

c i p h e r t e x t i s a n T ~ - el e m e n t ( w h e r e a s i t w a s c h o s e n a s a n

S- e l e m e n t ) . I f

t h e r e a r e

no ~q - e l e m e n t s

(i.e.,

i = 0 ) t h e n

cheat ing fai l s .

T h e o r e m 5 .

A s s um e t r apdoor pe r m u t a t i ons

e z i s L

Then the Par i t y Scheme i s a

4/n-sender-denz able enc ~yp t ion sch em e.

P r o o f ( S k e t c h ) : T h e p r o b a b i l i ty o f e r r o n e o u s d e c r y p t i o n is a t m o s t n 2 - ~ . S e-

c u r i t y o f t h e P a r i t y S c h e m e a g a i n s t e a v e s d r o p p e r s t h a t s ee o n ly t h e c i p h e r t e x t

is s t r a ig h t f o r w a r d . W e s h o w d e n i a b i l i t y . A s s u m e t h a t n is o d d , a n d l e t c b e a n

e n c r y p t i o n o f 1. L e t i b e t h e n u m b e r c h o s e n f o r g e n e r a t i n g c . T h e n , i w as ch o s e n

a t r a n d o m f r o m 1 , 3 , . .. n . C o n s e q u e n t l y , t h e v a l u e i - 1 is u n i f o r m l y d i s t r i b u t e d

o v e r 0, 2 . . .. , n - 1 . T h u s , w h e n t h e s e n d e r c l a i m s t h a t s h e h a s c h o s e n i - 1 , s h e

d e m o n s t r a t e s t h e c o r r e c t d i s t r i b u t i o n o f i f o r e n c r y p t i n g 0 . T h u s , c h e a t i n g in t h is

d i r e c ti o n is u n d e t e c t a b l e ( a s lo n g a s S - e l e m e n t s c a n n o t b e d i s ti n g u is h e d f r o m

T ~ - e le m e n ts ). A s s u m e n o w t h a t c is a n e n c r y p t i o n o f 0 . T h u s i is c h o s e n u n i -

f o r m l y f r o m 0 , 2 , . .. , n - 1 . N o w , i - 1 i s d i s t r i b u t e d u n i f o r m l y i n - 1 , 1 , 3 , . .. , n - 2

( w h e r e - 1 is i n t e r p r e t e d a s c h e a t i n g i m p o s s i b l e ) . I t is e a s y t o v e r if y t h a t t h e

s t a ti s ti c a l d i s ta n c e b e t w e e n t h e d i s t r i b u t i o n o f i in t h e c a s e o f a n h o n e s t o p e n i n g

( i. e. , u n i f o r m o n 1 , 3 , . .. , n ) a n d t h e d i s t r i b u t i o n o f { i n t h e c a s e o f f a k e o p e n i n g

( i .e . , u n i f o r m o n - 1 , 1 , 3 , . .. , n - 2 ) i s 4 / n . I t f o l l o w s t h a t , a s l o n g a s S - e l e m e n t s

c a n n o t b e d i st in g u i sh e d f r o m k - e l e m e n t s , c h e a t i n g is d et e c ta b l e w i th p r o b a b i l i t y

a t m o s t 4 / n .

[ ]

T h e P a r i t y S c h e m e c a n b e m o d i f i e d t o l e t t h e s e n d e r f i r s t c h o o s e a v e c t o r

v u n i f o r m l y o u t o f a l l v e c t o r s i n { 0 , I ~ ~ w i t h t h e p a r i t y o f t h e b i t t o b e e n -

c r y p t e d . N e x t t h e c i p h e r t e x t is c o n s t r u c t e d b y r e p l a c in g e a ch I e n t r y in v w i t h

a n S - e l e m e n t , a n d r e p l a c i n g e a c h 0 w i t h a n 7 ~ - e l e m e n t . H e r e t h e p r o b a b i l i t y o f

i = 0 ( i . e. , h e p r o b a b i l i t y o f t h e c a s e w h e r e c h e a t i n g i s i m p o s s i b l e ) i s n e g l i -

g ib l e . N o w , h o w e v e r , t h e s t at i s t i c a l d i s t a n c e b e t w e e n i s d i s t r i b u t i o n i n h o n e s t



1

/ '7- .

and fake openings grows to f2(~/~). A 'hybrid' scheme, omitted from this ab-

stract, achieves both negligible probabil ity o f impossible cheating and probability

O(1/n) of detection.

The unique shortes~ vector prob lem for la ttices is: =Find the shortest non~.ero

vector in an n dimensional lattice L where the shortest vector v is unique in the

sense that any other vector whose length is at most

n l l v l l

is parallel to v. The

unique shortest vector problem is one of the three famous problems listed in [1].

There, a random method is given to generate hard instances of a particular lattice

problem so that if it has a polynomial time solution then all of the three worst-

case problems (including the unique-shortest vector problem) has a solution.

The cryptosystem in [2] outlined above is secure provided the unique shortest

vector problem is hard in the worst case. From th is and the proof of Theorem 5

we have.

T h e o r e m 6 . Assume that the unique shortest vector problem is hard in the worst

case. Then the Parity Scheme is a 4/n-sender-deniable enc~ /ption scheme.

A FLEXIBLY DENIABLE SCHEME. Let To = {7~, 7~}, T1 = C1 = {S, 7~}, and

c 0 = { s , s .

Encryp t lon : To encrypt b without preserving the ability to open dishonestly

(that is, if Preserve = 0), send V 6a Tb. To encrypt b preserving the ability to

open dishonestly

P r e s e r v e

= 1), send V Ea Cb.

Deeryp t ion : Output the parity" of the number of elements in V that belong to

S.

Opening an encryp t ion d rawn f rom Tb: Reread the true random choices

used.

Openin g an encry p t io n d ra wn f rom Co as va lue v: Let b be the number of

elements in the ciphertext drawn from S. if v = 0 then claim that V was chosen

as {TO, T~}. If v = 1 then c/aim that V was chosen as {S, 7~}.

Opening an encry p t io n d raw n f r om Cl as va lue v: If v = 0 then cladm

that V was chosen as {~,T~}. Ifv = 1 then revea2 the read random choices used

in generating V.

Analysis: Security against eavesdroppers seeing only the ciphertext is straightfor-

ward. The probability of erroneous decryption is a t most 2 -~. Weak deniability

with negligible 6(n) is immediate by inspection , assuming polynomial time in-

distinguishabi lity of S and 7~.

4 E f f i c i e n c y V s . D e n i a b i l i t y

In this section we describe an attack suggesting that no one-round scheme of

the type presented above can enjoy negligible6(n). The attack works against all

schemes that we describe as separable (the reason for the name will become clear

shortly). Roughly, in a separable scheme the decryption key is the trapdoor of

some translucent set S C {0, 1}t; a ciphertext consists o f a sequence of elements

yl .... Ym in {0, 1} t. The sender chooses some of the y~'s at random, and the rest



1 1

a t r a n d o m f r o m S . T h e e n c r y p t e d b i t i s e n c o d e d i n t h e n u m b e r a n d p l a c e m e n t

o f t h e y i s t h a t a r e i n t h e t r a n s l u c e n t s e t 8 . T o f a k e t h e v a l u e o f t h e c l e a r t e x t

t h e s e n d e r c l a i m s t h a t o n e ( o r m o r e ) o f t h e y i s w a s r a n d o m l y c h o s e n , w h e r e a s

t h i s y ~ w a s c h o s e n f r o m S .

F o r a n y s e p a r a b l e s c h e m e , a n d f o r e a c h v a l u e b E { 0, i } , o n e c a n c o m p u t e t h e

e x p e c t e d n u m b e r o f V i S i n 8 i n a n e n c r y p t i o n o f b . D e n o t e t h i s n u m b e r b y E b .

N o w , s i n c e t h e f a k i n g a l g o r i t h m a l w a y s

d e c r e a s e s

t h e n u m b e r o f y i s f o r w h i c h

t h e s e n d e r c l a i m s t o k n o w t h e p r e i m a g e , t h e a d v e r s a r y d e c i d e s t h a t t h e s e n d e r

i s l y i n g i f t h e s e n d e r c l a i m s t o h a v e s e n t b b u t t h e n u m b e r o f y i s w h i c h t h e

s e n d e r c l a i m s t o h a v e c h o s e n f r o m S i s l e s s t h a n E b . I t i s s h o w n b e l o w t h a t t h i s

s t r a t e g y s u c c e e d s w i t h p r o b a b i l i t y a t l e a s t ; 2 ( ~ ) .

A m o r e p r e c i s e ( a n d s o m e w h a t m o r e g e n e r a l ) d e s c r i p t i o n f ol lo w s.

D e f i n i t i o n 7 . A - ~ - s e n d e r - d e n i a b l e p u b l i c k e y e n c r y p t i o n s c h e m e 7r i s m - s e p a r a b l e

i f t h e r e e x i s ts a n e f f ic i e n t, d e t e r m i n i s t i c c l as s if ic a ti o n a l g or it hm C t h a t , o n a n y

i n p u t p ( i n te r p r e te d a s a c l a im e d r a n d o m i n p u t o f t h e se n d e r) , o u t p u t s a n u m b e r

C ( p ) E 1 , . . . , m . F u r t h e r m o r e :

1 . F o r a v a l u e p ( i n t e r p r e t e d a s a r a n d o m i n p u t f o r th e s e n d e r ) , l e t p (b ) b e

t h e r a n d o m v a r i a b l e d e s c r i b i n g r p , e ) , w h e r e r i s t h e se n d e r s f a k i n g

a l g o r i th m , b E { 0 , 1 } , r R i s t h e r e c e i v e r s r a n d o m i n p u t , a n d a n d e -

c o M , ( b , p , r R ) i s t h e r e s u l t i n g c o m m u n i c a t i o n . L e t E C ( b ) (p ) d e n o t e t h e e x -

p e c t e d v a l u e ( o v e r t h e c h o i c e s o f r R ) o f

C p b ) ) .

T h e n f o r a n y v a lu e p s u c h t h a t C p ) > 1 , e i t h e r E C ( ~ _< C p ) - 1 o r

E C 1 ) p ) < _ C p ) - I .

2 . If t h e s e n d e r s r a n d o m i n p u t p s at is fi es

C p )

= i t h e n t h e f a k i n g a l g o r i t h m

fa ils , . e . t o u t p u t s a s p e c i a l s y m b o l d e n o t i n g t h a t n o s u i t a b l e f a k e r a n d o m

i n p u t w a s f o u n d .

C l a i m 8

F o r a n y

m -s e p a ra b l e ~ - -s e n d e r -d e n ia b le p u b l i c k e y e n c r y p t io n s c h e m e w e

h a v e 2 m >

k .

R E M A R K S :

U s i ng t h e t e r m i n o l o g y o f t h e a b o v e i n f o r m a l d e s c r ip t io n o f s e p a ra b l e s c h e m e s ,

t h e c o e r c e r w i l l u s e t h e c l a s s i f ic a t i o n a l g o r i t h m t h a t o u t p u t s t h e n u m b e r o f

y i s w h i c h t h e s e n d e r c l a i m s t o h a v e c h o s e n a s S - e le m e n t s . I t f o ll o w s t h a t

a n y s u c h s c h e m e w i t h o n l y m y i s is m - s e p a r a b l e .

- I n al l t h e n ~ - s e pa r a b le s c h e m e s t h a t w e k n o w o f , t h e l e n g t h o f t h e c i p h e r -

t e x t g r o w s l i n e a rl y w i t h m . T h i s s e e m s t o b e i n h e r e n t i n o u r a p p r o a c h f o r

c o n s t r u c t i n g d e n i a b l e s c h e m e s .

Proo f . C o n s id e r a n m - s e p a r a b l e d e n i a b l e s c h e m e lr w i t h f a k in g a l g o r it h m r W e

s h o w a n M g o r i t h m A t h a t f o r s o m e b E { 0 , 1 } d i s t i n g u i s h e s b e t w e e n

b, r b), C O M ~ ( b , r s , r R ) ) a n d ( b , r s , C O M . ( b, r s , r R ) ) ( 3 )



1 2

w i t h p r o b a b i l i t y ~ , w h e r e r s , r R a x e r a n d o m i n p u t s fo r t h e s e n d e r a n d t h e

r e c e i v e r r e s p ec t i v e ly , a n d r (b)

= r r s ,

C O M , r ( b , r s , r R ) ) .

L e t C b e t h e c la s si f ic a ti o n a l g o r i t h m . F o r b 6 ( 0 , i } , l et

D C

d e n o t e t h e

d i s t r i b u t i on o f

C ( r s )

w h e r e

r s

i s c h o s e n a t r a n d o m f r o m t h e d o m a i n o f r a n d o m

i n p u t s o f t h e s e n d e r , a n d l et D C (b) d e n o t e t h e d i s t r i b u t i o n o f C ( r ( b) ) w h e n r a

i s c h o s e n a t r a n d o m . L e t E C , E C (b) d e n o t e t h e e x p e c t e d v a l u e s o f D C , D C (b),

r e sp e ct i ve l y. I t f o l l o w s f r o m D e f i n i t i o n 7 t h a t e i t h e r

E C - E C ( ~ > _ 8 9

r

E C

EC Z ) !

L e t S D ( D I , D 2 ) d e n o t e t h e s t a t i s t i c a l d i s t a n c e b e t w e e n t w o d i st r i b ut i o n s

D z , D 2 o v e r 1 , . . . , n , a n d l et E l , E 2 d e n o t e t h e c o r r e s p o n d i n g e x p e c t e d v a l u es .

I t c a n b e v er if ie d t h a t I E I - E 2 1 < r n - S D ( D z , D 2 ) . I n o u r c a s e t h i s i m p l i e s t h a t

e i t he r S D D C , D C ~ > ~ or S D D C , D C X )) > - ~ .

T h e d is ti n g u is h e r A is n o w s t r a i g h t f o r w a r d . A s s u m e t h a t S D D C , D C ~ >

T h e n A d i st ingu i s hes be t w e e n 0 , r s ) , C O M~ 1 , r s , r a ) ) a nd

2~'n

0 , r s , C O M~ 0, r s , r R ) ) a s f o ll ow s . L e t Z C 1 . . . m be t he s e t o f num be r s t ha t ha ve

h i ghe r p r oba b i l i t y unde r

D C ~

t h a n u n d e r

D C .

T he n, given a t r iple t 0 , p , c ) ,

f ir s t c he ck t ha t t he c i phe r t e x t c is c ons i s t e n t w i t h 0 a nd p . N e x t , i f

C p ) = 1

t he n b y D e f i n it ion 7 a bove A c a n d i s t i ngu i s h be t w e e n t he t w o d i s t ri bu t i ons o f 3 ).

O t he r w i s e , s ay t ha t t he t r i p l e t de s c r i be s a n hon e s t e n c r yp t i on o f 0 i ff C p ) E Z .

B y de f in i ti on o f s t a ti s ti c a l d i s ta nc e , A d i s t i ngu i s he s c o r r e c t l y w i t h p r oba b i l i ty

a t l e a s t 1 S ince Z is a subse t o f 1 . . .rn , i t c an be fo un d by sam pl ing . )

~ -

5 S h a r e d - k e y d e n i a b l e e n c r y p t i o n

I n t h i s s e c t i o n w e b r i ef ly r e m a r k o n s o m e s h a r e d - k e y d e n i a b l e s c h e m e s . C l e a x l y ,

a p u b l i c - k e y d e n i a b l e s c h e m e i s a l s o d e n i a b l e i n t h e s h a r e d - k e y s e tt i ng . T h u s t h e

p u b l i c k e y c o n s t r u c t i o n s d e s c r i b e d i n p r e v i o u s s e c t i o n s a p p l y h e r e a s w e l l. Y e t

b e t t e r s h a r e d - k e y d e n i a b l e s c h e m e s m a y b e e a s i e r t o f i n d t h a n p u b l i c - k e y o n e s .

A o n e - t i m e - p a d i s a s h a r e d - k e y d e n i a b l e e n c r y p t i o n s c h e m e : A s s u m e t h a t t h e

s e n d e r a n d t h e r e ce i ve r s h a r e a s u f f i c i e n t l y l o n g r a n d o m s t r i ng , a n d e a c h m e s s a g e

r n i s e n c r y p t e d b y b i t w i s e x o r i n g i t w i t h t h e n e x t u n u s e d [ m [ b i t s o f t h e k e y . L e t

k d e n o t e t h e p a r t o f t h e r a n d o m k e y u s e d t o e n c r y p t r n , a n d l e t c = m @ k d e n o t e

t h e c o r r e s p o n d i n g c i p h e r t e x t . T h e n , i n o r d e r t o c l a i m t h a t c is a n e n c r y p t i o n

o f a m e s s a g e m ~ m , t h e p a r t i e s c l a i m t h a t t h e s h a r e d k e y i s k - c ~ m . I t

i s e a s y t o v e r if y t h a t t h i s t ri v i al s c h e m e s at i s fi es D e f i n i t i o n 4 . H e r e t h e m e s s a g e

m c a n b e c h o s e n a s l a t e a s a t t i m e o f a t t a c k . H o w e v e r , u s i n g a o n e - t i m e p a d i s

g e n e r a l l y i m p r a c t i c a l , s i n c e t h e k e y h a s t o b e a s l o n g a s a ll t h e c o m m u n i c a t i o n

b e t w e e n t h e p ar ti es .

R e c a l l t h a t in p l a n - a h e a d s e n d e r - d e n i a b i l i t y t h e s e n d e r c h o o s e s t h e f a k e m e s -

s a g e ( s )

a t t i m e o f e n c r y p t i o n .

A l t h o u g h r e s t r i c t i v e , t h i s n o t i o n c a n b e u se fu l ,

e .g . f o r m a i n t a i n i n g d e n i a b l e r e c o r d s o f d a t a , s u c h a s a p r i v a t e d i a r y, t h a t m a y

b e p u b l i c l y a c c e s s i bl e b u t i s k e p t p r i v a t e u s i n g a d e n i a b l e e n c r y p t i o n s c h e m e

( a lt e r n a ti v e e x a m p l e s i n c l u d e a p s y c h ia t r i s t s o r l a w y e r s n o t e s . ) T h e r e c o r d s a r e

r T h a t is, S D ( D ~ , D 2 ) = ~ e * . . . . . [ P r o b D , ( i ) = P r o b D ~ ( i ) l .



1 3

deniable if, when coerced to reveal the cleartext and the secret key used for en-

cryption and decryption, the owner of the record can instead reveal a variety

of fake cleartexts o f her choice.

Plan-ahead shared-key deniability is trivially solved: given l alternative mes-

sages to encrypt, use I different keys, and construct the ciphertext as the con-

catenation of the encryptions of all messages, where the i th message is encrypted

using the ith key. When coerced, the party simply claims that the key he used

is the one that corresponds to the message he wishes to open.

One problem with this simple scheme is tha t the size of the ciphertext grows

linearly in the number of different messages to be encrypted. It is possible (details

omitted for lack of space) to transform any given shared key encryption to a

deniable one, without any increase in the message length, and with a key of

length 1 - } times the length of the message. The shared-key deniable schemes

can also be used to make public-key deniable schemes more efficient by way

of first sending (using public-key deniable scheme) a deniable shared key and

then switching to a private-key (deniable) scheme. We omit the details from this

abstract.

6 Coercing the Sen der vs Coer cing the Receiver

We describe simple constructions t ha t transform sender-deniable schemes into

receiver-deniable schemes and vice-versa. If there are other parties th at can help

in transmitt ing the data, we also construct a sender-and-receiver-deniable scheme

from any sender-deniable scheme. We describe the constructions with respect to

schemes that encrypt only one bit at a time. Generalizing these constructions

to schemes that encrypt arbitrarily long messages is straightforward. These con-

structions apply to both shared-key and public-key settings.

RECBIVBI~ DBNIABILITY FROM SBN DER DB NIAB ILITY.

Assume a sender-deniabl(

encryption scheme .4, and construct the following scheme •. Let b denote the

bit to be transmitted from S to R. First R chooses a random bit r, and invokes

the scheme .4 to send r to S. (That is, with respect to scheme ,4, R is the sender

and S is the receiver.) Next, S sends b ~ r to R, in the clear.

If scheme ,4 is sender-deniable then, when attacked, R can convincingly claim

that the value of r was either 0 or 1, as desired. Consequently R can claim that

the bit b was either 0 or 1, at wish, and scheme B is receiver-deniable.

S E ND E R D E N IA BIL IT Y F RO M RE CE I V E R D E N I A BI L I T Y .

~N'e use the exact same

construction. It is easy to verify that if .4 is receiver-deniable then B is sender-

deniable.

SENDI~P~ AND RECEIVER DENIABILITY.

Assume that S and R can use other

parties I i, ..., I,~ as intermediaries in their communicat ion. The following scheme

is resilient against at tacking the sender, the receiver and some intermediaries, as

long as at least one intermediary remains unattacked.

In order to transmit a bit b to R, S first chooses n bits

b i b n

such that

Gibi -- b. Next, S transmits b~ to each in termediary I~, using a sender-deniable



104

s c h e m e . N e x t , e a c h I~ t r a n s m i t s b~ t o

R

u s i n g a r e c e i v e r - d e n i a b l e s c h e m e . F i n a l ly

R c o m p u t e s ~ b i

= b

W h e n a n i n t e r m e d i a r y I~ is a t t a c k e d , i t r e v e a l s t h e t r u e v a l u e o f h i. H o w e v er ,

a s l o n g as on e i n t e r m e d i a r y I i r e m a i n s u n a t t a c k e d , b o t h S a n d R c a n c o n v in c -

i n g l y c l a im , w h e n a tt a c k e d , t h a t t h e v a l u e o f b ( a n d c o n s e q u e n t l y t h e v al u e o f

b) i s e i the r 0 or 1 .

N o t e t h a t t h is s c h e m e w o r k s o n l y i f t h e p a r t i e s c a n ' c o o r d i n a t e t h e i r s to r ie s '.

( T h i s i s f u r t h e r t r e a t e d i n [ 5 ] . )

e f e r e n c e s

1 . M . A j ta i, G e n e r a t in g H a r d I n s t a n c e s o f L a t t i c e P r o b l e m s , S T O C ' 9 6

2 . M . A j ta i, C . D w o rk , A P u b l i c - K e y C r y p t o s y s t e m w i t h A v e r a g e - C a s e/ W o r s t -

Case Equiva lence , ST00 97; see a lso Elect ronic

Colloquium on Computational Complexity TR96-Ofi5,

h t t p : / / w w w . e c c c . u n i -

t r i e r . d e / e c c c - l o c a l / L i s t s / T R - 1 9 9 6 . h t m l

3 . D . Be a ve r a nd S . H a b e r , C r yp t og r a ph i c P r o t oc o l s P r ova b l y S e c u r e A ga i n s t

Dynamic Adversa r i e s ,

Eurocr~pt,

1992.

4 . J . Be na l oh a nd D . T un i s t ra , R e c e i p t - F r e e S e c r e t- Ba U o t E le c t ions ,

~fith STOC,

1994, pp. 544-552.

5 . R . Ca ne t t i a nd R . G e nna r o , I nc oe r c i b l e m u l t i pa r t y c om pu t a t i on ,

FOCS'gfi

6 . R . Ca ne t t i , C . D w or k , M . N a o r a nd R . O s t r ovs ky , D e n i a b le E nc r yp t i on , T he o r y

of Cryptology L=brary,

h t t p : / / t h e o r y . l o s .m i t .

edn/~r

1996.

7 . R . Can e t t i , U . Fe ige , O . Goldre ich an d M . Naor , Ad apt ive ly secure com puta -

t ion , 28 th

STOC,

1996.

8 . D . D o le v , C . D w o r k a nd M . N a o r , N o n- m a l l e a b l e c r yp t og r a phy ,

STOC'91

9. P . Feldm an,

Private Communication,

1986.

10. A . H e r z be r g , Rum p- S e s si on p r e s e n t a t i on a t

C R Y P T O

1991.

11. R . G e nna r o , unpub l i s he d m a nus c r i p t .

12. O . G o l d re ic h a nd L . L e v i n , A H a r d - C or e P r e d i c a t e t o a ny O n e - W a y F unct ion ,

~ I s t

STOC

1989, pp. 25 32.

13. O . Goldre ich , S . Mica l i and A . Wigderson , P roofs tha t Y ie ld Noth ing bu t

t he V a l id i ty o f t he A s s e r ti on , a nd a M e t ho do l ogy o f Cr yp t og r a ph i c P r o t oc o l

Design,

27th FOCS,

174-187, 1986.

14 . O . G o l d r e i c h , S . M i c a h a nd A . W i gde r s on , H ow t o P l a y a ny M e n t a l G a m e ,

19th STO0, pp. 218-229, 1987.

15 . S . Goldwasser and S . Mica li , P ro ba bi l i s t i c en c ryp t ion , JOSS, Vol. 28 ,

N o

2,

A pri l 1984 , pp. 270-299.

16. P . G u t m a n , S e c u r e D e l e t ion o f D a t a f r om M a gne t i c a nd S o l id - S t a te M e m or y ,

S i x t h U S E N I X S e c u r i t y S ym pos i um P r oc e e d i ngs , S a n J o s e , Ca l i f o r n i a , J u l y

22-25, 1 996 , pp. 77-89.

17. M . N a o r a nd M . Y ung P u b l i c ke y c r y p t o s ys t e m s p r ova b l y s e c u re a ga in s t c ho -

s e n c i p h e rt e x t a t ta c k s , P r o c . 2 2 n d A C M A n n u a l S y m p o s i u m o n t h e T h e o r y

of Com put ing , 1990 , pp . 427 -437 .

18 . C . Rackof f and D . S imon, No n- in te rac t ive ze ro-kno wledg e pro of of knowledge

a nd c hose n c i phe r t e x t a t t a c k ,

CRYPTO'91,

L N C S 57fi), 991.

19. K . Sako and J . K i l ian , Rec e ip t -F ree M ix -T yp e Vot ing Scheme, Euroc~y pt 1995 ,

pp. 393-403.

criptografia_negável-ran_canetti

Documents