Documente Academic
Documente Profesional
Documente Cultură
Public-key Deniability
31
bit [6, 16, 13], or allow several message bits per ciphertext, but the from random data [26]. Since TrueCrypt always fills the unallo-
ciphertext size is still exponential in the number of message bits cated space with random data, the existence of the hidden volume
transmitted [13]. Since our goal is to seek a practical solution, we can be denied. Czeskis et al. examine in [8] the efficacy with which
concentrate on plan-ahead deniability. In particular, we are con- TrueCrypt v5.1a provides deniability. They found that Microsoft
cerned with practical applications of deniable encryption and con- Windows and several common applications and utilities compro-
sider the following scenario as our target functionality: an adver- mise the deniability of TrueCrypt hidden volumes. As an example,
sary obtains access to a laptop computer, the owner of which keeps Windows keeps track of the serial number of each volume it mounts
the stored data encrypted. Some of the encrypted data is shared, and also creates a link to recently opened documents. Both these
using a cloud service, with one or more collaborating users; file features clearly compromise the deniability of a hidden volume. As
updates are exchanged over the Internet. The adversary, who may with other deniable file system implementations, we assume that
have intercepted the updates, may have injected new files and may the OS and application are aware of such property of the file sys-
have reconstructed multiple snapshots of the encrypted data, forces tem and avoid to keep track of the content of the deniable files. This
the owner to decrypt the content of the hard drive by revealing any assumption allows us to consider the security of our proposal alone,
key material and necessary auxiliary information. alleviating the need to examine the whole system. From a practi-
The original formulation of deniable encryption assumes that an cal point of view, however, we show that our deniable filesystem is
adversary captures only communication traffic. We, however, view immune to some of the attacks illustrated by Czeskis et al., while
as one of the most prominent uses of deniable encryption the case the impact of the remaining threats can be mitigated as discussed
where encrypted contents are stored on a laptop or a desktop com- in section 4.
puter and on a remote server as well, and the adversary forces the Assange and Weinmann introduced a deniable file system called
owner of the machine to unlock its encrypted contents. This means Rubberhose [23], which transparently encrypts data on a storage
that the only information that can stay hidden is a small secret, such device and allows users to hide that encrypted data. Rubberhose
as a decryption key, that the owner of the machine can hide from needs a dedicated hard disk and creates several partitions, encrypted
the coercer. Note that existing deniable encryption schemes do not with a different passphrase, in which blocks are not contiguous, but
necessarily work in this context since extra information must be scattered in a pseudorandom manner across the drive.
stored in order to be able to open a ciphertext to a fake value. Once Anderson et al. [1] proposed two deniable file systems schemes,
this additional information is provided to the coercer, he can use it which they call steganographic file systems (stegfs). The first ini-
to uncover the original message. We would like the owner to have tializes the disk with a large number of cover files which contain
the ability to open the data in two different ways through a usable random data. Deniable files are stored as the XOR of subsets of
mechanism, e.g., by entering a password that will unlock the key the cover files, which are identified by a secret key. The main dis-
material and decrypt the data. advantage of this file system is the high overhead associated with
Considering that certain encryption algorithms are well-known, each read and write operation. With their second scheme, the disk
widely accepted and used in practice, it would be desirable to use is filled with random data and the deniable files are written at ran-
such algorithms, if possible, instead of custom-built schemes to dom positions; the likelihood of overwriting hidden data increases
achieve wider adoption of deniable encryption. Since the conven- with the amount of information stored on the disk. The schemes
tional encryption schemes are not deniable, the existing deniable of Anderson et al. are vulnerable against an adversary who can ob-
encryption schemes normally do not use standard tools. One of tain multiple different copies of the encrypted content of the disk
our goal, however, is to explore what deniability properties can be (snapshots) over a period of time.
achieved with conventional encryption schemes. In order to avoid the problem of data collisions in the scheme
Contributions: First, we construct a sender-deniable plan-ahead of Anderson et al., Pang et al. [20] proposed the use of a bitmap
public key encryption scheme using RSA-OAEP [3] and the to track block allocation. Dummy data are added when the disk is
Damgård-Jurik generalization [9] of Paillier’s encryption scheme formatted to provide deniability. Since dummy data cannot be re-
[19] as building blocks. Then we extend it to provide allocated without formatting the disk, an adversary who can access
non-interactive sender-and-receiver deniable plan-ahead public-key multiple snapshots of the disk can easily break the deniability of
encryption. Finally, we show how to efficiently construct a public- the scheme. This problem was addressed by Zhou et al. [31]. Their
key deniable encryption scheme using any IND-CPA encryption solution requires the use of a trusted agent to manage the dummy
scheme as a black box. Our constructions have a high throughput data. To perform this task, the trusted agent needs to know the
(i.e., linear in the size of the ciphertext) for messages that can be de- password used to protect the deniable files.
niably communicated. An essential component of this work is the Unfortunately, none of the available deniable file systems pro-
design and implementation of DenFS, a distributed file system that vide a solution for the scenario proposed earlier in this section,
allows a group of collaborators seeking deniability to view, edit, where an adversary obtains access to a laptop and also records com-
and exchange documents as if they were working on a standard file munication. In particular, none of the existing schemes can be ap-
system. Finally, in the appendix we give extensions to our work plied to the cloud environment. In this scenario we further assume
that allow us to increase the bandwidth of the deniable channel and that a malicious cloud provider has complete control over the user’s
provide other efficiency improvements. data. Moreover, all these file systems require users to share a se-
cret key, which may not be always possible and severely limits the
Deniability in practice. TrueCrypt [25] is a widely used disk en-
flexibility of the file system, as discussed in section 4.
cryption tool that provides deniability in the form of a deniable
file system. TrueCrypt refers to a deniable file system as a hidden
volume, which is created inside a non-deniable encrypted disk im-
age, using the space marked as not allocated by the file system. To
mount the hidden volume, a user must first provide the password
to decrypt the non-deniable file system and then provide a second
password to decrypt and mount the hidden volume. If the second
password is not known, the unallocated space is indistinguishable
32
2. BACKGROUND AND DEFINITIONS phertext always encodes a fake message and can additionally con-
In this section we first review related work and then proceed with tain a real hidden message. Furthermore, the assumption that the
defining the model. Canetti et al. [6] introduced the notion of deni- sender and the receiver share a secret appears powerful, and we
able encryption and gave several constructions for sender-deniable investigate what can be achieved without this assumption.
encryption. In particular, their work shows that public-key sender- The original definitions of deniable encryption in [6] are stated
deniable ad-hoc encryption can be built from translucent sets and in terms of computational indistinguishability of views associated
trapdoor permutation, where each ciphertext encodes a single bit. with real and fake messages. In particular, after encryption of real
It also reports that a shared-key sender-deniable plan-ahead en- message m is transmitted, the so-called faking algorithm allows it
cryption can be constructed by either concatenating encryptions of to be opened to reveal a fake message mf . The security require-
several messages under different keys (and thus increasing the ci- ment is such that, given any messages m1 and m2 , the encryption
phertext size) or sharing a key proportional in size to the message of m1 is computationally indistinguishable from the encryption of
length. Additionally, [6] shows that sender-deniable encryption m2 . Additionally, the deniability property requires that the view of
can be converted to receiver-deniable encryption (or vice versa) us- the adversary, that includes communication of the ciphertext c cor-
ing an extra round of communication; namely, the receiver uses a responding to the encryption of m, the random choices calculated
sender-deniable scheme to transmit encryption of a random bit r to by the faking algorithm and the opening to mf of the ciphertext,
the sender, and the sender transmit b ⊕ r to the receiver in the clear, is indistinguishable from communication of encryption of mf , its
where bit b is the actual message to be transmitted. This interactive opening and the random choices used to encrypt it. Sender (re-
solution, however, is not applicable to the scenario of encrypted ceiver) deniability means that the sender (resp., receiver) reveals
storage considered in this work. her random choices/keys upon coercion. The definition of a (plan-
Ibrahim [13] gives ad-hoc sender-deniable public-key encryption ahead) deniable public-key encryption is strictly stronger than the
schemes based on the hardness of the quadratic residuosity problem standard definition of CPA-security, i.e., deniability also implies
for N , which is a product of two large primes. The first scheme CPA-security.
allows transmission of one bit per ciphertext. The second scheme In this work, we define deniable encryption as the ability to hide
can transmit more than one message bits per ciphertext, but only the presence of the real message: the adversary’s view when trans-
a small number of such bits (ciphertext size is exponential in the mitting a fake message with a hidden real message should be indis-
message length). tinguishable from the case when no hidden message is included.
In [14] Ibrahim gives an ad-hoc receiver-deniable public-key D EFINITION 1. A (plan-ahead) deniable public-key encryption
scheme, which has higher bandwidth than other ad-hoc deniable scheme consists of the following four efficient algorithms:
schemes. The scheme is based on RSA and 1-out-of-n oblivious
transfer, and permits transmission of messages of log N − δ bits • Setup : a probabilistic algorithm that, on input a security
long with ciphertexts of size 2 log N , where N is the RSA modu- parameter 1κ , outputs (pk, sk) ∈ Kpub × Kpri . The private
+ −
lus and δ is a randomizing string (e.g., 128 bits long). This solution, key space Kpri consists of two partitions, Kpri and Kpri
however, requires usage of mediated RSA, where a user does not • Enc : a probabilistic algorithm that, on input pk and mes-
have full knowledge of her secret key, i.e., each private key is split sages mf and m, outputs a ciphertext C(mf ; m). We explic-
between the owner of the key and a third party. This means that itly denote by r the random choices made by this algorithm.
such a solution has a limited applicability and will not work in our • Dec : a deterministic algorithm that, on input (pk, sk) and
setting. Additionally, this solution relies on trusted hardware. ciphertext C, outputs message mf encoded in the ciphertext.
+
A recent work of Klonowski et al. [16] extends the ad-hoc sender- Dec also outputs m iff sk ∈ Kpri
deniable public-key scheme of Canetti et al. through a nested con- • Open : a deterministic algorithm that on input a ciphertext
struction. The authors also show how hidden messages can be C and public key pk, outputs private information P I that
transmitted using standard ElGamal encryption, which achieves the opens the encryption to message mf .
functionality of plan-ahead receiver-deniable encryption. In partic- In the above, what the opening algorithm outputs depends on what
ular, the sender and receiver share a secret S, and the sender also party is coerced into opening the encryption. If it is the sender, P I
has access to the receiver’s private key (associated with the public can consist of random choices r used in ciphertext generation. For
key the encryption scheme uses). This allows a ciphertext to en- this reason Enc stores all its random choices in a system-wide table
code, besides a fake message, an additional secret message of the accessible by Open. If the receiver is opening the ciphertext, P I
same size. In fact, this provides a broad-band subliminal channel if can consist of the private key sk. Finally, if both of them are to
the receiver is willing to trust the sender with her private key. Meng open the ciphertext, the information P I available to the adversary
and Wang [17] extent the idea of Klonowski et al. [16] providing will consist of the union of the sender’s and receiver’s information.
a receiver deniable encryption scheme based on BCP commitment When Open is invoked by the sender, we denote it by OpenS , and
scheme of Bresson et al. [5]. Their scheme does not require sender when it is invoked by the receiver, it is denoted by OpenR .
and receiver to exchange any pre-encryption information. Let D = (Setup, Enc, Dec, OpenS , OpenR ) be a deniable
To summarize, existing public-key constructions are either flex- public-key encryption scheme, where (pk, sk) ← Setup(1κ ). The
ible, but inefficient or are able to communicate several secret bits security properties required by D are inspired by the security def-
and use standard tools, but require the recipient to give up its pri- inition in [6], adapted to our setting. However, instead of using
vate key. Furthermore, all suitable solutions are sender-deniable definitions based on computational indistinguishability of the view
and therefore are not applicable to the problem of deniable stor- of the adversary, we provide a rigorous definition of (public-key)
age. The motivation of this work thus comes from a usability per- deniability in terms of interactive experiments.
spective: can we design an efficient solution that does not require When discussing sender deniability, we assume that a coercer
revealing the private key of the receiver? Can we achieve receiver- can guess who the intended recipient of the transmission is (e.g., if
deniability without using mediated settings? the message is communicated via email, recipient identity can be
Following Klonowski et al., we investigate communication of deduced from the transmission). Thus, the sender has to use the
hidden messages by means of an additional channel. That is, a ci- true recipient’s public key during the opening phase.
33
We define the security requirement of a (plan-ahead) deniable Enc(mf , m, pk) :
public-key encryption scheme by adapting the standard definition 1. Compute C(mf ; m).
of IND-CPA to our setup. Let E = (Gen, E, D) denote a public- 2. Store the tuple (mf , m, C(mf ; m), r) in T , where r denotes
key encryption scheme where Gen, E and D are polynomial-time the set of the random choices used during the encryption.
algorithms defined in the standard way (in particular, Gen and E 3. Output C(mf ; m).
are probabilistic algorithms while D is deterministic). Given a pub-
OpenS (C, pk) :
lic key pk generated by Gen, we will denote by Mpk and Cpk the
message and ciphertext spaces defined by pk. In addition, for sim- 1. If C is in T return the tuple (mf , m, C, r).
plicity and without loss of generality, we assume that messages in 2. If C is the challenge ciphertext, return the random choices
Mpk and ciphertexts in Cpk , respectively, have all the same size. derived from r to open C as an encryption of (mf ; −), re-
We next state the properties of an encryption scheme we rely on. gardless of whether C = C(mf ; m) or C = C(mf ; −).
Consider the IND-CPA experiment defined as follows: 3. Otherwise return ⊥.
Experiment IND-CPAA,E (κ) Note that we allow the adversary to open any ciphertext including
the challenge ciphertext (produced on a message of its choice).
1. Run (pk, sk) ← Gen(1κ ).
A more detailed explanation of this definition is in order. The
2. Adversary A is given pk and eventually outputs two mes-
adversary A is given access to an opening oracle and an encryption
sages m0 , m1 ∈ Mpk of its choice.
oracle under the public key pk. Note that even though the definition
3. A random bit b is drawn and the encryption Epk (mb ) is re-
is for public-key encryption schemes we still provide access to an
turned to A.
encryption oracle to model the ability of the coercer to choose ar-
4. A outputs bit b0 , and the experiment outputs 1 iff b = b0 .
bitrary messages (mf , m), have them encrypted by the sender, and
D EFINITION 2 (IND-CPA SECURITY ). An encryption scheme have the sender reveal the random choices used in the encryption.
E = (Gen, E, D) has indistinguishable encryptions under chosen D EFINITION 4. A public-key encryption scheme D is sender-
plaintext attack if there exists a negligible function negl such that deniable if there exists a negligible function negl such that for any
for any probabilistic polynomial time A, Pr[IND-CPAA,E (κ) = probabilistic polynomial time (PPT) A, Pr[SDenA,D (κ) = 1] ≤
1] ≤ 1/2 + negl(κ). 1/2 + negl(κ).
Recall that in a plan-ahead deniable encryption scheme D a cipher- The experiment for receiver-deniability of a deniable encryption
text can encrypt a fake and a real messages or just the fake message. scheme D = (Setup, Enc, Dec, OpenR ) is defined as follows:
Let C(mf ; m) denote a ciphertext that encrypts both of them, and
Experiment RDenA,D (κ)
C(mf ; −) denote a ciphertext that encrypts only mf . The above
IND-CPA experiment for D will then mean that in step 2 A out- 1. Run (pk, sk) ← Setup(1κ ).
puts two pairs of messages (mf,0 , m0 ), (mf,1 , m1 ) ∈ Mpk and 2. A is given pk and oracle access to OpenR (·, pk) and even-
obtains Enc(mf,b , mb , pk) = C(mf,b ; mb ) in step 3. Note that tually outputs a message pair (mf , m), with |mf | = |m|.
R
one of messages m0 and m1 or both of them can be −. 3. A random bit b ← {0, 1} is drawn; if b = 0, A is given
We also provide the definition of sampleable ciphertext space, C(mf ; m), and if b = 1, A is given C(mf ; −).
which will be used to construct our schemes: 4. Adversary A continues to have access to OpenR (·, pk).
5. A outputs bit b0 , and the experiment outputs 1 iff b = b0 .
D EFINITION 3 (S AMPLEABLE ). An encryption scheme E =
(Gen, E, D) has sampleable ciphertext space if there exists a poly- By allowing the adversary to have oracle access to OpenR , we
nomial time (in κ) algorithm such that, on input pk (produced by make it very powerful. In particular, for existing receiver-
Gen(1κ )), can choose an element of Cpk with the same distribution deniable constructions, calling OpenR once will give the adversary
the algorithm Epk (·) produces on a fixed message m. access to the private decryption key sk. In practice, once a receiver
is coerced and reveals the private key, the key pair should no longer
Note that when the encryption scheme E is IND-CPA-secure, the be used and a new key will be generated. We, however, grant the
above definition will imply that the distribution of ciphertexts adversary this level of power to show that, even after revealing the
Epk (m) is computationally indistinguishable from the distribution private key, the real message m remains hidden.
of ciphertexts Epk (m0 ) for m 6= m0 . Then we can sample the
D EFINITION 5. A public-key encryption scheme D is receiver-
ciphertext space by creating Epk (m), and the view will be indis-
deniable if there exists a negligible function negl such that for any
tinguishable from the distribution of encryptions of other messages.
PPT A, Pr[RDenA,D (κ) = 1] ≤ 1/2 + negl(κ).
Unlike prior literature, we specify deniability using interactive
experiments to more precisely capture the adversary’s abilities. We Additionally, we say that a public-key encryption scheme D is
define the experiment for sender-deniability of deniable encryption sender-and-receiver deniable if it satisfies the requirements for both
scheme D = (Setup, Enc, Dec, OpenS ) as follows: sender deniability and receiver deniability.
Experiment SDenA,D (κ) We emphasize that, in this paper, we are not considering adver-
saries with access to a decryption oracle.
1. Set a system-wide table T initially empty.
2. Run (pk, sk) ← Setup(1κ ).
3. Adversary A is given pk and oracle access to OpenS (·, pk) 3. DENIABLE ENCRYPTION
and to Enc(·, ·, pk). Eventually A outputs a message pair FROM STANDARD TOOLS
(mf , m), with |mf | = |m|.
R
4. A random bit b ← {0, 1} is drawn; if b = 0, A is given 3.1 A Sender-deniable Solution
C(mf ; m), and if b = 1, A is given C(mf ; −). First we propose an efficient sender-deniable encryption scheme,
5. A continues to have access to OpenS (·, pk) and Enc(·, ·, pk). then we extend it to provide sender-and-receiver deniability. We de-
6. A outputs bit b0 , and the experiment outputs 1 iff b = b0 . note with Ē(N, e, m) and D̄(N, d, c) the encryption of message m
34
using RSA-OAEP [3] with public key (N, e) and the decryption of Experiment 1 In this experiment we modify the way the chal-
the ciphertext c with the private key (N, d), i.e., Ē(N, e, m) = lenger constructs the challenge ciphertext. In particular, sit con-
(OAEP(m))e mod N and D̄(N, d, c) = OAEP−1 (cd mod N ). structs the challenge ciphertext as C = ((1 + N )mf ) · (r)N mod
RSA-OAEP is IND-CCA-secure (and therefore it is also IND-CPA- N s+1 where r ← Z∗N . The adversary can only distinguish Experi-
secure). When the OAEP padding is removed, the result is either ment 1 from Experiment 0 with negligible probability, since in the
the plaintext m if the ciphertext is valid or ⊥ otherwise. We base random oracle model the ciphertexts of RSA-OAEP are distributed
our solution on an efficient generalization of Paillier’s probabilistic as random elements in Z∗N for a PPT adversary. Therefore there
public key system [19] introduced by Damgård-Jurik in [9]. exists a negligible function negl0 such that
Setup: On input a security parameter 1κ , choose an RSA modulus |Pr[win0 ] − Pr[win1 ]| ≤ negl0 (κ)
N = pq of length κ bits, with p ≡ q ≡ 3 (mod 4) and gcd(p −
1, q − 1) = 2. Set λ = (p − 1)(q − 1)/2, i.e., λ is the least Experiment 2 In this experiment we further modify the way the
common multiple of p − 1 and q − 1. Then choose a value e such challenger constructs the ciphertext. Here the challenge ciphertext
that gcd(e, λ) = 1 and calculate d such that e · d ≡ 1 mod λ. The C is chosen as the encryption of a random element in Mpk . Since
public key is pk = (N, e) and the secret key is sk = (λ, d, p, q). the scheme of Damgård-Jurik is IND-CPA-secure, A has only neg-
Enc: Given a public key pk = (N, e), the sender forms a ciphertext ligible advantage in noticing that it is playing Experiment 2. There-
as follows, depending on whether deniability is used or not: To fore we have that
deniably transmit a message m along with an innocent-looking fake
|Pr[win1 ] − Pr[win2 ]| ≤ negl1 (κ)
message mf < N s , the sender computes
s for some negligible function negl1 . Combining the probabilities in
Enc(pk, mf , m) = ((1 + N )mf ) · (Ē(N, e, m))N mod N s+1 all Experiments, we have that
To transmit a message mf without the ability to deny it, the sender Pr[IND-CPAA,D (κ) = 1] = Pr[win2 ] + negl(κ)
picks a random r from Z∗N and forms the encryption as
s for some negligible function negl. To conclude the proof, we show
Enc(pk, mf , −) = ((1 + N )mf ) · rN mod N s+1 that the probability Pr[win2 ] is exactly 1/2. This is because the
Dec: Given a ciphertext c, the recipient with the public key pk = challenge ciphertext in Experiment 2 is chosen independently from
(N, e) and the private key sk = (λ, d, p, q) proceeds as follows: bit b, therefore A can only guess b with probability 1/2. For this
0 reason the advantage of A into breaking the sender-deniable scheme
1. Calculate v = cλ mod N s+1 , i.e., (1+N )mf λ mod N s+1 . must be negligible.
2. Use the technique described in [9] to compute mf λ mod N s
from v and multiply it by λ−1 mod N s to obtain mf . Deniability We show that there is no adversary with non-negligible
3. Using p and q, calculate d0 such that d0 · N s ≡s 1 mod λ. advantage in breaking the sender-deniability of our scheme through
4. Compute c0 = c mod N . If c = (1+N )a ·bN mod N s+1 , a sequence of experiments.
s s
then c mod N = (1 + N )a · bN mod N = bN mod N . Experiment 0 This experiment is the standard SDen experiment,
0
5. Compute m0 = D̄(N, d, c0d mod N ). If m0 6=⊥, set m = i.e., adversary A receives a public key pk = (N, e) and answers to
0
m , else set m = −. its Enc and OpenS queries, and then outputs a message (mf , m).
6. Return (mf , m). The challenger picks a random bit b and sends the challenge cipher-
text either as C(mf , m) if b = 0 or C(mf , −) if b = 1 to A. A
OpenS : Suppose a coercer obtains a ciphertext c generated by eventually outputs its choice for b0 . By definition we have that
the sender and requests its opening. Given the public key pk =
(N, e), the sender reveals mf . If the ciphertext was encrypted as Pr[win0 ] = Pr[SDenA,D (κ) = 1]
Enc(pk, mf , −) then the sender outputs r as the random choices.
Analogously, if the ciphertext was obtained as Enc(pk, mf , m) Experiment 1 In this experiment we modify the way the chal-
then the sender simply outputs Ē(N, e, m) mod N as the random lenger constructs the challenge ciphertext. In particular, sit con-
choices. structs the challenge ciphertext as c = ((1 + N )mf ) · (r)N mod
N s+1 where r ← Z∗N . The adversary can only distinguish Ex-
T HEOREM 1. Assuming that both the scheme of Damgård-Jurik periment 1 from Experiment 0 with negligible probability, since in
and RSA-OAEP are IND-CPA-secure encryption schemes, the the random oracle model the ciphertexts of RSA-OAEP are dis-
scheme above is sender-deniable. tributed as random elements in Z∗N for a PPT adversary. Note that
P ROOF. In order to prove that our scheme is sender-deniable, the challenger can still respond to the Enc and Open queries prop-
we need to show that an adversary A which separately plays the erly. Therefore there exists a negligible function negl0 such that
IND-CPA experiment (for the security property) and the sender
|Pr[win0 ] − Pr[win1 ]| ≤ negl0 (κ)
deniability experiment (for the deniability property) can have only
negligible advantage in having any of the experiments to output 1, Combining the probabilities in Experiments 0 and 1, we have that
i.e. it has a negligible advantage in wining any of the experiments.
Pr[SDenA,D (κ) = 1] = Pr[win1 ] + negl(κ)
Security We show that there is no adversary with non-negligible
advantage in breaking the IND-CPA security of our scheme through for some negligible function negl. To conclude the proof, we show
a sequence of experiments. that the probability Pr[win1 ] is exactly 1/2. This is because the
Experiment 0 This experiment is the standard IND-CPA experi- challenge ciphertext in Experiment 1 is constructed independently
ment, i.e., the adversary A receives a public key pk = (N, e) and from the bit b, so A can only guess b with probability 1/2. For
outputs two messages (m0,f , m0 ) and (m1,f , m1 ). The challenger this reason the advantage of A into breaking the sender-deniable
picks a random bit b and sends the encryption of (mb,f , mb ) to A. scheme must be negligible.
A eventually outputs a bit b0 . By definition we have that
Note that by fixing the value e for all keys (e.g., e = 3) we can
Pr[win0 ] = Pr[IND-CPAA,D (κ) = 1] remove e from the public key and set pk = (N ), i.e., a standard
35
public key for the scheme of Damgård-Jurik [9]. In this case the co- co-domain of the function red(·), set m = red−1 (m0 ), oth-
ercer has no way to distinguish our deniable scheme from the stan- erwise set m = −.
dard non-deniable scheme of Damgård-Jurik and the claim made 4. Return (m0 , m00 , m).
by the sender that an observed ciphertext is the sole encryption of OpenS : Suppose a coercer obtains a ciphertext (c1 , c2 ) generated
mf is hard to contradict. by the sender and requests its opening. The sender exposes mes-
This scheme does not provide receiver deniability. Upon coer- sages m0f and m00f . Then it reveals the associated random choices
cion, the receiver would have to surrender the factorization of N , by claiming that c̄1 and c̄2 are random values uniformly chosen
which allows the coercer to decrypt the deniable message m. Re- from QR(N ).
ceiver deniability can be obtained using the technique described by
OpenR : Suppose a coercer obtains a ciphertext (c1 , c2 ) generated
Canetti et al. in [6]; however, this would make the scheme inter-
by the sender. Given the public key pk = (N, g, h) and the private
active. To achieve receiver deniability, we construct another non-
key sk = (λ, x), the receiver opens its private key as sk = (λ, ⊥)
interactive encryption scheme which is detailed next.
such that λ matches N . Basically the receiver claims that it does
3.2 Sender-and-receiver Deniability not have knowledge of a value x such that the h = g x .
The idea behind this scheme is to use two ciphertexts of the Note that OpenR reveals the factorization of N to the adversary.
scheme of Damgård-Jurik to transport an ElGamal encryption. Even T HEOREM 2. Assuming that the scheme of Damgård-Jurik is
if the receiver surrenders the factorization of N , the coercer still an IND-CPA-secure encryption scheme and ElGamal over QR(N )
needs another secret value to decrypt the ElGamal encryption. In is an IND-CPA-secure encryption scheme given the factorization of
order to achieve receiver deniability, the receiver should claim that N , our scheme is sender-deniable.
it does not know such secret information. To achieve this result,
we use a well known generalization of ElGamal based on quadratic P ROOF. In order to prove that our scheme is sender-deniable,
residues modulo a composite (see, e.g., [15]). For simplicity, we we need to show that an adversary A which separately plays the
will also employ a public redundancy function red(·) in conjunc- IND-CPA experiment (for the security property) and the sender
tion with the ElGamal encryption. Such function maps elements deniability experiment (for the deniability property) can win any
from a generic message space to a redundancy space which is a of them with only negligible advantage.
subset of QR(N ) (the set of quadratic residues modulo N ). Both Security We show that there is no adversary with non-negligible
red(·) and red−1 (·) are efficiently computable. Moreover, a ran- advantage in breaking the IND-CPA security of our sender-and-
dom quadratic residue is in the redundancy space with negligible receiver deniable scheme through a sequence of experiments.
probability. In this way it is trivial for a receiver which knows how Experiment 0 This experiment is the standard IND-CPA exper-
to decrypt the ElGamal ciphertext to distinguish the encryption of iment, i.e., the adversary A receives a public key pk = (N, g, h)
(m0f , m00f , m) from the encryption of (m0f , m00f , −). and outputs two messages (m00,f , m000,f , m0 ) and (m01,f , m01,f , m1 ).
Setup: On input a security parameter 1κ , choose an RSA modulus The challenger picks a random bit and sends the challenge cipher-
N = pq of length κ where p and q are safe primes, i.e., p = 2p0 +1 text corresponding to the encryption of (m0b,f , m00b,f , mb ) to A. A
and q = 2q 0 + 1 for primes p0 , q 0 . Let λ = 2p0 q 0 and g be a random eventually outputs a bit b0 . By definition we have that
R
generator of QR(N ). Either choose x ← Zp0 q0 and set h = g x or Pr[win0 ] = Pr[IND-CPAA,D (κ) = 1]
R
set h ← QR(N ). The public key is pk = (N, g, h); the secret
key is either sk = (λ, x) or sk = (λ, ⊥) depending on how h was Experiment 1 In this experiment we modify the way the chal-
chosen. lenger constructs the challenge ciphertext. In particular, it con-
The public key pk is disseminated. If such keys get registered or structs the challenge ciphertext as
certified, the certifying authority will request a proof of knowledge 0 s 00 s
C = (((1+N )mf )·(r1 )N , ((1+N )mf )·(r2 )N ) (mod N s+1 )
of the private key corresponding to λ, but not to x.
R where both r1 and r2 are random elements from QR(N ). The ad-
Enc: Given a public key pk = (N, g, h) and a value r ← ZN 2 , the versary can only distinguish Experiment 1 from Experiment 0 with
sender forms a ciphertext as follows, depending on whether denia- negligible probability, since the elements r1 and r2 are distributed
bility is used or not: To deniably transmit a message m along with properly for any PPT adversary. Therefore there exists a negligible
two innocent-looking fake messages m0f , m00f , the sender computes function negl0 such that
Enc(pk, m0f , m00f , m) = (c1 , c2 ) =
m0f s 00 s |Pr[win0 ] − Pr[win1 ]| ≤ negl0 (κ)
((1 + N ) (c̄1 )N , (1 + N )mf (c̄2 )N ) (mod N s+1 )
where c̄1 = g r mod N and c̄2 = red(m)·hr mod N . To transmit Experiment 2 In this experiment we further modify the way the
two messages m0f , m00f without the ability to deny them, the sender challenger constructs the ciphertext. Here the challenge ciphertext
chooses two random values r1 , r2 from QR(N ) and sets c̄1 = r1 is constructed as C = (c1 , c2 ) where c1 and c2 are chosen as the
and c̄2 = r2 in the equation above. encryption of two random element in Mpk . Since the scheme of
Damgård-Jurik is IND-CPA-secure, A has only negligible advan-
Dec: Given a ciphertext (c1 , c2 ), the recipient with the public key
tage in noticing that it is playing Experiment 2. Thus, we have that
pk = (N, g, h) and a private key sk = (λ, x) proceeds as follows:
0 |Pr[win1 ] − Pr[win2 ]| ≤ negl1 (κ)
1. Calculate v = cλ1 mod N s+1 = (1 + N )mf λ mod N s+1
and use the technique described in [9] to compute m0f λ mod for some negligible function negl1 . Combining the probabilities in
N s . The message m0f is calculated by multiplying the result all Experiments, we have that
by λ−1 .
Pr[IND-CPAA,D (κ) = 1] = Pr[win2 ] + negl(κ)
2. Proceed analogously to calculate m00f .
3. If sk = (λ, x), compute m0 = (c2 mod N ) · (c1 mod for some negligible function negl. To conclude the proof, we show
N )−x mod N . If m0 is in the redundancy space, i.e., the that the probability Pr[win2 ] is exactly 1/2. This is because the
36
challenge ciphertext in Experiment 2 is chosen independently from to respond to OpenR (C, pk) queries with (λ, ⊥). Eventually A
bit b, therefore A can only guess b with probability 1/2. For this outputs b0 , and B outputs the same guess to the challenger.
reason the advantage of A into breaking the sender-deniable scheme It is not hard to see that Pr[IND-CPAB,ElGamal (κ) = 1] =
must be negligible. Pr[RDenA,d (κ) = 1]. That is, if b = 0, B receives the encryp-
Deniability We show that there is no adversary with non-negligible tion of m and A receives the encryption of (m0f , m00f , m), in which
advantage in breaking the sender-deniability of our scheme through case B answers the challenge correctly if and only if A answers its
a sequence of experiments. challenge correctly. If b = 1, B receives the encryption of R and
A receives the encryption of (m0f , m00f , R), which is interpreted as
Experiment 0 This experiment is the standard SDen experiment, (m0f , m00f , −) since R is a random message. Therefore B guesses
i.e., A receives a public key pk = (N, g, h) and answers to its correctly if and only if A guesses correctly. Since B cannot guess
Enc and OpenS queries according to the experiment. A outputs correctly non-negligibly more than half of the times, δ ≤ negl(κ)
a triplet (m00,f , m000,f , m0 ) in Mpk . The challenger picks a ran- for some negligible function negl. A cannot detect the simulation
dom bit b and sends to A the challenge ciphertext corresponding to for the same reasons as in theorem 2.
the encryption of (m0b,f , m00b,f , m) if b = 0 and (m0b,f , m00b,f , −)
otherwise. A eventually outputs a bit b0 . By definition we have that 3.3 Deniability from any Semantically Secure
Pr[win0 ] = Pr[SDenA,D (κ) = 1] Encryption Scheme
In this section we show that any IND-CPA-secure encryption
Experiment 1 In this experiment we modify the way the chal- scheme can be used to construct a sender-and-receiver deniable
lenger constructs the challenge ciphertext. In particular, it con- scheme. The main idea behind this solution is simple: a receiver’s
structs the challenge ciphertext as public key consists of two parts, where the first part is a public
0 s 00 s key and the second part could be another public key or a randomly
C = (((1+N )mf )·(r1 )N , ((1+N )mf )·(r2 )N ) (mod N s+1 )
chosen string. To achieve deniability, the second half of the key is
where both r1 and r2 are random elements from QR(N ). The ad- claimed to be random. Let E = (Gen, E, D) denote a IND-CPA-
versary can only distinguish Experiment 1 from Experiment 0 with secure encryption scheme. Let us also denote the domain of all
negligible probability, since the elements r1 and r2 are distributed possible public keys output by Gen(1κ ) as PK(κ). The redun-
properly for any PPT adversary. Note that the challenger can still dancy function red(·) now maps elements from a generic message
respond to the Enc and Open queries properly. Therefore there space to a subset of the message space of E.
exists a negligible function negl0 such that Setup: On input a security parameter 1κ , a user generates a key pair
|Pr[win0 ] − Pr[win1 ]| ≤ negl0 (κ) (pk1 , sk1 ) ← Gen(1κ ) and also either generates a second key pair
(pk2 , sk2 ) ← Gen(1κ ) or chooses a random value from PK(κ).
Combining the probabilities in Experiments 0 and 1, we have that The public key of the user is then pk = (k1 , k2 ), where k1 = pk1
and k2 is either pk2 or the random value. The user’s corresponding
Pr[SDenA,D (κ) = 1] = Pr[win1 ] + negl(κ)
private key is sk = (s1 , s2 ), where s1 = sk1 and s2 is either sk2
for some negligible function negl. To conclude the proof, we show or the empty string ⊥. As in the previous scheme, the public key
that the probability Pr[win1 ] is exactly 1/2. This is because the pk = (k1 , k2 ) is disseminated and, upon request, only a proof of
challenge ciphertext in Experiment 1 is constructed independently knowledge of the private key corresponding to k1 is provided.
from messages b, so A can only guess b with probability 1/2. For Enc: Given a public key pk = (k1 , k2 ), the sender forms a ci-
this reason the advantage of A into breaking the sender-deniable phertext as follows, depending on whether deniability is used or
scheme must be negligible. not. To deniably transmit a message m along with an innocent fake
message mf , the sender forms the encryption as
T HEOREM 3. Assuming that the scheme of Damgård-Jurik is
an IND-CPA-secure encryption scheme and ElGamal over QR(N ) Enc(pk, mf , m) = (c1 , c2 ) = (Ek1 (mf ), Ek2 (red(m))).
is an IND-CPA-secure encryption scheme given the factorization of
To transmit a message m without the ability to deny it, the sender
N , our scheme is receiver-deniable.
forms the encryption using R chosen according to the distribution
P ROOF. Since we already proved that the security property holds defined by Enc(pk; ·) on Ck2 as
for our scheme, in order to prove that it is receiver-deniable, we
Enc(pk; m) = (c1 , c2 ) = (Ek1 (m), R),
need to show that an adversary A can win the RDen experiment
only with negligible advantage. To prove it, we show that if ad-
Dec: Given a ciphertext (c1 , c2 ), the recipient with the public key
versary A wins the receiver deniability experiment with probabil-
pk = (k1 , k2 ) and private key sk = (s1 , s2 ) proceeds as follows:
ity non-negligible larger than 1/2, then we can build an efficient
algorithm B that wins in the IND-CPA experiment against ElGa- 1. Set m1 = Ds1 (c1 ).
mal over QR(N ) with non-negligible advantage. B engages in 6 ⊥, compute m2 = Ds2 (c2 ).
2. If s2 =
the IND-CPA experiment with the challenger, obtains the public 3. If m2 is in the redundancy space then return (m1 , red−1 (m2 )),
key pk = (g, N = pq, p, q, h = g x ) and sets pk = (N, g, h), otherwise return (m1 , −).
λ = (p − 1)(q − 1)/2. Then B uses pk to setup the receiver denia- OpenS : Suppose a coercer obtains a ciphertext (c1 , c2 ) generated
bility experiment for A. B responds to OpenR queries from A with by the sender and requests its opening. Given public key pk =
sk = (λ, ⊥). A eventually outputs its choice for (m0f , m00f , m). (k1 , k2 ), the sender opens the random choices made in generating
B outputs m0 , m1 to the challenger where m0 = red(m), and c1 . The sender also claims that c2 was chosen from Ck2 according
m1 = R is a random message from the message space such that to the distribution defined by Enc(pk; ·). Thus, the actual message
|R| = |red(m)|. The challenger picks a random bit b and returns the sender claims to have sent is (m1 , −).
(c̄1 , c̄2 ) = ElGamalpk (mb ). B builds the challenge ciphertext for OpenR : Suppose a coercer obtains a ciphertext (c1 , c2 ) that the
0 s 00 s
A as C = ((1 + N )mf (c̄1 )N , (1 + N )mf (c̄2 )N ). B continues recipient received. Given the recipient’s public key pk = (k1 , k2 ),
37
the recipient opens its private key as sk = (s1 , ⊥) such that s1
matches k1 . In other words, the recipient claims that the second )*#+,-."*/
part of the public key was chosen at random from PK(κ). 0(#+,-."*&(*12*(&
32%(&4,45(6&
T HEOREM 4. Assuming that E = (Gen, E, D) is an IND-CPA- 9(*37&
#$%%4&
3+"*5:
secure encryption scheme with security parameter κ, the scheme (*0& 7,*#&
above is sender-deniable. !"#$%& 4(+82#(&
#$#'(&
38
Table 1: Sequential Output on a 3GB Dataset Table 3: Small Files Sequential Performance – 512K Files
Per byte Block Rewrite Create Read Delete
K/sec % CPU K/sec % CPU K/sec % CPU files/s CPU files/s CPU files/s CPU
Ext3 31657 39% 34455 5% 14432 2% Ext3 45643 65% 551512 99% 1227 1%
DenFS 22579 37% 34056 5% 14442 3% DenFS 5459 76% 22212 85% 17059 15%
Table 2: Sequential and Random Input on a 3GB Dataset Table 4: Small Files Random Performance – 512K Files
Create Read Delete
Seq. per byte Seq. per block Random seeks
files/s CPU files/s CPU files/s CPU
K/sec % CPU K/sec % CPU K/sec % CPU
Ext3 19388 27% 502471 99% 561 0%
Ext3 35108 40% 53882 3% 4137 6%
DenFS 4902 67% 25766 84% 22280 22%
DenFS 35447 52% 51758 2% 143.2 0%
39
temporary folder for efficiency reasons. Note that when writing a '%"
78-9+"2*++,":/012;"
new file, the size of the file is not necessarily know so it is impossi- '$"
ble to predict the offset for the encryption of the deniable data. The <+=,"2*++,":/012;"
'#"
)*++,"-."/012"
temporary file contains the encryption of the deniable part of the '!"
document. The session keys are chosen and stored similarly to the &"
non-deniable case. Every write operation on the front-end trans- %"
lates in a write operation in the temporary deniable file. When the
$"
document is closed, a file from the non-deniable pool is encrypted
#"
and stored in the non-deniable part of the document. The file is
also removed from the non-deniable pool. The encryption of the !"
'" #" $" &" '%" (#" %$" '#&"
deniable content is stored after the encryption of the file from the 3-4+"2-5+"-."60"
non-deniable pool. When a stat request is made to the file system,
the attributes of the file in the backend are reported, except from
Figure 2: Read and write speed for small files.
the file size, which is read from the appropriate field. Hard links
are not supported in the current implementation.
("!'%
:;/2%</;=033;/%6/0129%
("#)%
4.3 Performance Evaluation
We performed a combination of synthetic and real-world bench- $"'+%
:;/2%</;=033;/%67/8509%
marks to verify the performance impact of DenFS over a regu- $"'#%
lar non-encrypted file system (Ext3 in our tests). We used Bon- ?@5)%
#"&$% A0>B-%
nie++ [4], a file system benchmark tool, and the OpenOffice pro- -./01234005%6/0129%
#"&'%
ductivity suite to evaluate the performance of our prototype. Bon-
nie++ performs sequential and random input/output tests. We mea- !"!*%
-./01234005%67/8509%
!"#$%
sured sequential output performance writing a single character at a
time, a whole block and rewriting one block at a time for 3GB of ,% &% $% )% !%
-0=;>23%
#% '% (% *%
40
6. REFERENCES [20] H. Pang, K. Tan, and X. Zhou. StegFS: A Steganographic
File System. In International Conference on Data
[1] R. Anderson, R. Needham, and A. Shamir. The Engineering (ICDE’03), page 657, 2003.
Steganographic File System. In International Workshop on [21] S. Pearson. Taking Account of Privacy when Designing
Information Hiding, pages 73–82, 1998. Cloud Computing Services. In ICSE Workshop on Software
[2] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Engineering Challenges of Cloud Computing (CLOUD ’09),
Katzand, A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, pages 44–52, 2009.
I. Stoica, and M. Zaharia. Above the Clouds: A Berkeley [22] Amazon S3 http://aws.amazon.com/s3/.
View of Cloud Computing. Technical Report
[23] Rubberhose Project
UCB/EECS-2009-28, EECS Department, University of
http://iq.org/˜proff/rubberhose.org/.
California, Berkeley, Feb 2009.
[24] Dropbox http://www.dropbox.com/.
[3] Mihir Bellare and Phillip Rogaway. Optimal Asymmetric
[25] Truecrypt http://www.truecrypt.org/.
Encryption. In EUROCRYPT, pages 92–111, 1994.
[26] TrueCrypt Hidden Volumes
[4] Bonnie++: a free and open source filesystem benchmark.
http://www.truecrypt.org/hiddenvolume.
http://www.coker.com.au/bonnie++/.
[27] The OpenSSL Project website
[5] E. Bresson, D. Catalano, and D. Pointcheval. A Simple
http://www.openssl.org/.
Public-Key Cryptosystem with a Double Trapdoor
Decryption Mechanism and Its Applications. In Advances in [28] M. Vouk. Cloud Computing: Issues, Research and
Cryptology - ASIACRYPT’03, pages 37–54, 2003. Implementations. In International Conference on
Information Technology Interfaces (ITI’08), pages 31–40,
[6] R. Canetti, C. Dwork, M. Naor, and R. Ostrovsky. Deniable
2008.
Encryption. In Adnvances in Cryptology – CRYPTO’97,
volume 1294 of LNCS, pages 90–104, 1997. [29] Wired: “Spam Suspect Uses Google Docs; FBI Happy”
http://www.wired.com/threatlevel/2010/
[7] R. Canetti, S. Halevi, and J. Katz. A Forward-Secure
04/cloud-warrant/.
Public-Key Encryption Scheme. Journal of Cryptology,
20(3):265–294, 2007. [30] D. Yao, N. Fazio, Y. Dodis, and A. Lysyanskaya. ID-based
Encryption for Complex Hierarchies with Applications to
[8] A. Czeskis, D. J. St. Hilaire, K. Koscher, S. D. Gribble,
Forward Security and Broadcast Encryption. In ACM
T. Kohno, and B. Schneier. Defeating Encrypted and
Conference on Computer and Communications Security
Deniable File Systems: TrueCrypt v5.1a and the Case of the
(CCS’04), pages 354–363, 2004.
Tattling OS and Applications. In USENIX Workshop on Hot
Topics in Security (HotSec’08), 2008. [31] X. Zhou, H. Pang, and K. Tan. Hiding Data Accesses in
Steganographic File System. In International Conference on
[9] I. Damgard and M. Jurik. A Generalisation, a Simplification
Data Engineering (ICDE’04), page 572, 2004.
and some Applications of Paillier’s Probabilistic Public-Key
System. In Public Key Cryptography (PKC’01), pages
119–136, 2001.
APPENDIX
[10] Filesystem in Userspace.
http://fuse.sourceforge.net/. A. SECURITY PROOFS
[11] C. Gentry and A. Silverberg. Hierarchical ID-based
cryptography. In ASIACRYPT’02, pages 548–566, 2002. P ROOF OF T HEOREM 4. In order to prove that our scheme is
[12] J. Horwitz and B. Lynn. Toward Hierarchical Identity-Based deniable, we need to show that an adversary A which separately
Encryption. In Advances in Cryptology – EUROCRYPT’02, plays the IND-CPA experiment (for the security property) and the
pages 466–481, 2002. sender deniability experiment (for the deniability property) can have
[13] M. Ibrahim. A Method for Obtaining Deniable Public-key only negligible advantage in winning any of the experiments. First
Encryption. International Journal of Network Security, we show that there is no adversary with non-negligible advantage in
8(1):1–9, 2009. breaking the IND-CPA security of our scheme through a sequence
[14] M. Ibrahim. Receiver-deniable Public-key Encryption. of experiments.
International Journal of Network Security, 8(2):159–165, Experiment 0 This experiment is the standard IND-CPA exper-
2009. iment, i.e., the adversary A receives a public key pk and outputs
[15] A. Kiayias and M. Yung. Efficient Secure Group Signatures two messages (m0,f , m0 ) and (m1,f , m1 ). The challenger picks
with Dynamic Joins and Keeping Anonymity Against Group a random bit b and sends the encryption of (mb,f , mb ) to A. A
Managers. In Progress in Cryptology – Mycrypt’05, pages eventually outputs a bit b0 . By definition we have that Pr[win0 ] =
151–170, 2005. Pr[IND-CPAA,E (κ) = 1].
[16] M. Klonowski, P. Kubiak, and M. Kutylowski. Practical Experiment 1 In this experiment we modify the way the chal-
Deniable Encryption. In SPFSEM’08, volume 4910 of lenger constructs the challenge ciphertext. In particular, now it
LNCS, pages 599–609, 2008. constructs the challenge ciphertext as C = (c1 , c2 ) where c1 and
[17] B. Meng and J. Wang. A Receiver Deniable Encryption c2 are the encryption of two random messages from Mpk . The ad-
Scheme. In International Symposium on Information versary can only distinguish Experiment 1 from Experiment 0 with
Processing (ISIP’09), 2009. negligible probability, since E is IND-CPA-secure. Therefore there
[18] N. Mirzaei. Cloud Computing. Technical report, Indiana exists a negligible function negl0 such that |Pr[win0 ]−Pr[win1 ]| ≤
University, 2008. negl0 (κ). Combining the probabilities from Experiments 0 and 1,
[19] P. Paillier. Public-key Cryptosystems Based on Composite we have that Pr[IND-CPAA,E (κ) = 1] = Pr[win1 ] + negl(κ) for
Degree Residuosity Classes. In Advances in Cryptology – some negligible function negl. Note that the probability Pr[win1 ]
EUROCRYPT’99, pages 223–238, 1999. is exactly 1/2 because the challenge ciphertext in Experiment 1 is
41
chosen independently from bit b, therefore A can only guess b with B. RESILIENCE TO PHISHING ATTACKS
probability 1/2, therefore the advantage of A must be negligible. In order to obtain receiver-deniability, our sender-and-receiver
To prove the deniability property we show that if adversary A deniable schemes require the receiver to conceal the existence of
wins the sender deniability experiment with probability non- the second private key (if present), so that it does not have to reveal
negligibly larger than 1/2 then we can build an efficient algorithm it to the coercer. In practice, it may be possible for an adversary
B that wins in the IND-CPA experiment for E with non-negligible to obtain information about the existence of such secret key. A
advantage. Let Pr[SDenA,E (κ) = 1] − 1/2 = δ. B engages coercer can send to the receiver a deniable message which asks to
in the IND-CPA experiment with a challenger, obtains the pub- perform a specific action that the coercer will be able to notice, such
lic key pk and uses it to setup the sender deniability experiment as opening a maliciously crafted web page. Even if we assume that
for A by constructing pk = (k1 , k2 ) where k1 is generated using the receiver can avoid any action that the adversary might notice,
Gen(1κ ) and k2 = pk (i.e., B sends also k2 to A without knowing the coercer may obtain the same result by exploiting a vulnerabil-
the corresponding private key). B responds to the Enc(mi , mj , pk) ity in the receiver’s client. As far as we can ascertain, this type of
queries with C(mi ; mj ). Let (ri , rj ) be the randomness used by phishing attack has not been considered before in the deniability
B to respond to the Enc query. A eventually outputs its choice literature. Phishing attacks have obvious bearing in the cloud stor-
for the pair (mf , m). B outputs m0 , m1 to the challenger where age setting: a malicious cloud provider is in a favorable position to
m0 = m, and m1 = R is a random message from the message perform this kind of attack, since it could determine the existence
space such that |R| = |m|. The challenger picks a random bit b and of a private key by adding a (public-key) encrypted file to the cloud
returns c̄ = Epk (mb ). B builds the challenge ciphertext for A as storage and observing the resulting behavior of the targeted user.
C = (c1 ; c̄), where c1 = Ek2 (mf ). Let r be the randomness used As a trivial solution to this problem, instead of using the same
by B to encrypt c1 . B responds to OpenS (C, pk) queries with r if key pair for all encryptions the receiver generates several indepen-
C = C, with (ri , rj ) if C = C(mi , mj ), and with ⊥ otherwise. dent key pairs so that each message is encrypted using a different
Eventually A outputs b0 , and B outputs the same guess to the chal- and independent public key. Even if the coercer establishes the ex-
lenger. Clearly Pr[IND-CPAB,E (κ) = 1] = Pr[SDenA,E (κ) = istence of a specific private key, it does not learn any information
1]. That is, if b = 0, B receives the encryption of m and A re- about any other. Unfortunately, this trivial solution has a very high
ceives the encryption of (mf , m), in which case B answers the cost in terms of key distribution and imposes a limit on the number
challenge correctly if and only if A answers its challenge correctly. of messages which can be sent to a receiver.
If b = 1, B receives the encryption of R and A receives the en- Forward-secure schemes may seem to provide a more efficient
cryption of (mf , R), which is interpreted as (mf , −) since R is a solution. A forward-secure public key encryption scheme [7] pro-
random message. Therefore B guesses correctly if and only if A tects secret keys from exposure by evolving them at regular inter-
guesses correctly. Since B cannot guess correctly non-negligibly vals. When a key evolves into a new key, the old secret key is
more than half of the times, δ ≤ negl(κ) for some negligible func- deleted and cannot be reconstructed, and therefore cannot be pro-
tion negl. vided to the coercer. Unfortunately, the existence of a private key at
a specific time interval implies the existence of private keys corre-
P ROOF OF T HEOREM 5. For the security property see proof of sponding to all previous time intervals, making this solution invalid.
theorem 4. For the deniability problem, given an IND-CPA-secure A better solution is constructed using an identity-based encryp-
scheme E = (Gen, E, D), we show that if adversary A wins in tion scheme (IBE) to “compress” the public keys into a single value.
the receiver deniability experiment with probability non-negligibly Roughly, the receiver acts as the IBE trusted authority (PKG) itself,
larger than 1/2, then we can build an efficient algorithm B that divides the time in intervals, and generates an IBE key under his
wins in the IND-CPA experiment with non-negligible advantage. identity for a random subset of all intervals; then the recipient is
Let Pr[RDenA,E (κ) = 1]−1/2 = δ. B engages in the IND-CPA supposed to delete any master secrets of the PKG. The sender en-
experiment with a challenger, obtains the public key pk and uses it crypts messages for the receiver with a key valid at a specific time.
to setup the receiver deniability experiment for A by constructing If the coercer establishes the existence of the private key for a time
pk = (k1 , k2 ) where k1 is generated using Gen(1κ ) and k2 = pk interval, only the messages encrypted in that interval are compro-
Let s1 be the private key associated with k1 . B responds to any mised. The problem with this approach is that the secret key must
OpenR (C, pk) query with sk = (s1 , ⊥), regardless of whether consist of large number of values. To avoid this, the receiver can
C encrypts one messages or two. A eventually outputs its choice claim to delete the master secret keys of the IBE trusted authority
for the pair (mf , m). B outputs m0 , m1 to the challenger where but keep a copy instead deniably encrypted locally, so that new IBE
m0 = m, and m1 = R is a random message from the message keys can be generated when needed.
space such that |R| = |m|. The challenger picks a random bit b A more elegant solution can be built using a forward secure hi-
and returns c̄ = Epk (mb ). B constructs the challenge ciphertext erarchical identity-based encryption scheme (FS-HIBE) [30]. A
for A as C = (c1 ; c̄), where c1 = Ek1 (mf ). Eventually A hierarchical IBE (HIBE) [11, 12] allows a PKG to delegate the gen-
outputs b0 , and B outputs the same guess to the challenger. eration of private keys to lower-level PKGs. A FS-HIBE scheme
Clearly Pr[IND-CPAB,E (κ) = 1] = Pr[RDenA,E (κ) = 1]. allows each user in the hierarchy to refresh its private key period-
Indeed, if b = 1, B receives the encryption of R and A receives the ically while keeping the public key the same. Using a FS-HIBE
encryption C(mf ; R), which is interpreted as C(mf ; −) since R scheme, each user can construct a single path Username → Year
is a random message. Thus B answers the challenge correctly if → Month → Week and have some secret key to evolve while others
and only if A answers its challenge correctly. get deleted. As with the previous solution, the exposure of a secret
If b = 0, B receives the encryption of mf and A receives the en- key compromises only the messages encrypted in one time interval.
cryption of (mf , m). OpenR (C, pk) returns sk = (s1 , ⊥) which The existence of more efficient solutions is still an open prob-
exposes mf . Thus even in this case B guesses correctly if and lem. We do not investigate this further at this time and we point out
only if A guesses correctly. Since B cannot guess correctly non- that phishing attacks are relevant in this context and they seemingly
negligibly more than half of the times, δ ≤ negl(κ) for some neg- affect any plan-ahead public-key (i.e., non-interactive) deniable en-
ligible function negl. cryption scheme.
42