On Minimal Assumptions for Sender-Deniable Public Key Encryption
Dana Dachman-Soled
University of Maryland

Deniable Public Key Encryption [Canetti, Dwork, Naor, Ostrovsky, 97]

[Diagram: Sender and Receiver exchange $pk$ and $c = \mathsf{Enc}_{pk}(m; r)$; the Receiver holds $sk$ and outputs $\mathsf{Dec}_{sk}(c) = m$.]

For any $m'$ in the message space, can produce a fake opening $(r', sk')$ explaining the transcript as an encryption of $m'$.

Sender-Deniable Public Key Encryption [Canetti, Dwork, Naor, Ostrovsky, 97]

[Diagram: same exchange as above.]

For any $m'$ in the message space, can produce a fake opening $r'$ explaining the transcript as an encryption of $m'$.

Analogous definition for Receiver-Deniable Public Key Encryption.

Applications:
• After the fact incoercibility
• Adaptive security

What is known?
• Receiver-Deniable PKE and thus Deniable PKE is impossible [Bendlin, Nielsen, Nordholt, Orlandi, 11].
• Sender-Deniable encryption with weak security from standard assumptions [Canetti, Dwork, Naor, Ostrovsky, 97].
• Bi-Deniable encryption in the multi-distributional model constructed by [O'Neill, Peikert, Waters, 11].
• [Sahai, Waters 14] achieve Sender-Deniable public key encryption from indistinguishability obfuscation (IO).
  – Non-black box use of underlying primitives.
  – Requires strong assumptions (FHE + multilinear maps).

Our Goal
• Understand minimal assumptions necessary for sender-deniable public key encryption.
• Necessity of non-black-box techniques.

Is there a black-box construction of sender-deniable public key encryption from simulatable public key encryption?

Underlying primitive we consider: Simulatable Public Key Encryption

Algorithms $(\mathsf{oGen}, \mathsf{rGen})$, $(\mathsf{oEnc}, \mathsf{rEnc})$

"Oblivious":
$(r_G, pk)$ s.t. $\mathsf{oGen}(r_G) = pk$
$(pk, r_E, c)$ s.t. $\mathsf{oEnc}(pk, r_E) = c$

$\approx$

$(r'_G, pk)$ s.t. $\mathsf{Gen}(r_G) = pk$, $r'_G = \mathsf{rGen}(pk)$
$(pk, r'_E, c)$ s.t. $\mathsf{Enc}(pk, r_E) = c$, $r'_E = \mathsf{rEnc}(pk, c)$

Why this primitive?
Simulatable PKE is sufficient for related primitives:
• Bi-deniable encryption in the multi-distributional model [OPW11]
• 1/poly-secure sender-deniable encryption [CDNO97]
• Non-committing encryption [CFGN96].

Intuition: Can generate a public key/ciphertext honestly and claim that it was generated obliviously.

Weak Sender-Deniable PKE from Simulatable PKE

Simplification of [CDNO97] construction:

[Diagram: a row of $k$ ciphertexts, each either $\mathsf{Enc}(0^n)$ or Obliv.]

• To encrypt a 0, set odd number of ciphertexts to oblivious.
• To encrypt a 1, set an even number of ciphertexts to oblivious.
• To deny, lie and say that an honestly generated ciphertext was generated obliviously.

Problem: Cannot lie and claim that an obliviously generated ciphertext was generated non-obliviously.

Only achieves O(k) security, where k is the number of queries made by encryption.

Polynomial security: Real and Fake openings can be distinguished with 1/poly advantage.
Super-polynomial security: Real and Fake openings can only be distinguished with negligible advantage.

Our Results

Theorem: There is no black-box construction of sender-deniable public key encryption with super-polynomial security from simulatable public key encryption.

More specifically: Every black-box construction of a sender-deniable PKE scheme from simulatable PKE which makes $q$ queries to the simulatable PKE cannot achieve security better than $O(q^4)$.

Nearly tight with [CDNO97] construction.

Some Proof Intuition

Oracle separation: Oracle relative to which Simulatable PKE exists, Sender-Deniable PKE does not exist.

Our oracle:
• $G: \{0,1\}^n \to \{0,1\}^{3n}$ takes inputs $sk$ and outputs $pk$.
• $F: \{0,1\}^{4n} \to \{0,1\}^{12n}$ takes inputs $(pk, x)$ and outputs $y$.
• $F^{-1}: \{0,1\}^{13n} \to \{0,1\}^n$ takes inputs $(sk, y)$ and returns $x$ if $G(sk) = pk$ and $F(pk, x) = y$, and $\bot$ otherwise.

Important: random string is unlikely to be in the range of $G$ or $F(pk, \cdot)$.

Simulatable PKE relative to oracle:
• First $n$ bits of input x is plaintext.
• Public keys and ciphertexts are indistinguishable from random strings:
  $\mathsf{oGen}(r_G)$, $\mathsf{oEnc}(r_E)$ output $r_G$, $r_E$.
  $\mathsf{rGen}(pk)$, $\mathsf{rEnc}(pk, c)$ output $pk$ and $c$ itself.

Some Proof Intuition

Impossibility of Sender-Deniable Encryption: In a super-polynomially-secure scheme, should be able to run deny an unbounded polynomial $p$ number of times and have that:
• $(r_0, c = \mathsf{Enc}_{pk}(b; r_0))$ original randomness
• $(r_1 = \mathsf{Deny}_{pk}(r_0, 1 - b), c)$ looks fresh
• $(r_2 = \mathsf{Deny}_{pk}(r_1, b), c)$ looks fresh
...
• $(r_p = \mathsf{Deny}_{pk}(r_{p-1}, 1 - b), c)$ looks fresh

In the oracle case: We consider sequences of Sender views $\mathsf{view}_{S_0}, \mathsf{view}_{S_1}, \ldots, \mathsf{view}_{S_p}$. Each view contains the input bit, random tape, oracle queries + responses.

Some Proof Intuition
• Correctness of encryption guarantees:
  – If Sender's view is an encryption of a bit b, then Receiver's view sampled conditioned on Sender's view, $\mathsf{view}_R \mid \mathsf{view}_S$, will be a decryption of the same bit b w.h.p.
  – Using [Impagliazzo, Rudich, 89]-type techniques:
    • $S$ can use Eve algorithm to find set $Q$ of likely intersection queries between $S$, $R$ given $S$'s view.
    • $Q$ is the set of likely intersection queries between $S$ and $R$: $\mathsf{view}_R \mid \mathsf{view}_S, Q \;\approx\; \mathsf{view}_R \mid pk, c, Q$
  – Note that $(pk, c)$ are fixed.
  – The only way to change the distribution of $\mathsf{view}_R \mid \mathsf{view}_S, Q$ is to change the set $Q$.
  – Distribution must change in each iteration.

A First Attempt
• Consider the set $Q_0$ generated by $S$ from its real $\mathsf{view}_{S_0}$.
• Let $Q_i$ be the set corresponding to fake $\mathsf{view}_{S_i}$.
• "Claim": $Q_i \subseteq Q_0$
• Therefore, in order to change distribution over Receiver's view, queries must be removed each time.
• There are at most poly number of queries in real $Q_0$ so deny can be run at most a polynomial number of times before it fails. So cannot get super-polynomial security.
• "Claim": Intuitively, this is what happens in [CDNO97] construction.

Problem
• "Claim" is false! It is possible that $Q_i \setminus Q_0 \neq \emptyset$.
• Toy Example: 12n encryptions
  To encrypt a 0: [Diagram: a row of ciphertexts, all $E(pk, 0^n)$.]
  To encrypt a 1: Compute $c^* = F(pk, m^*)$; Say $c^* = 01\ldots10$, length $12n$ bits. [Diagram: row $E(pk, 0^n)$, Obliv, ..., Obliv, $E(pk, 0^n)$.]
  Decrypt: Decrypt 12n ciphertexts. If they all output $0^n$, output 0. Otherwise, compute $c^*$ and decrypt to get $m^*$. Output 1.
  Note: In 0 case, intersection queries will consist of encryptions of $0^n$. In 1 case, intersection queries will contain $m^*$.

Problem
• "Claim" is false! It is possible that $Q_i \setminus Q_0 \neq \emptyset$.
• Toy Example: Can claim an encryption of 0 is an encryption of 1: In the process will add an arbitrary query to set of intersection queries.
  [Diagram: the all-$E(pk, 0^n)$ row reopened as $E(pk, 0^n)$, Obliv, ..., Obliv, $E(pk, 0^n)$.]
  Compute $c^* = F(pk, m^*)$; Say $c^* = 01\ldots10$.
  Note: Intersection queries now include $m^*$.

Some Proof Intuition
• Main technical part of proof is to deal with the case that $Q_i \setminus Q_0 \neq \emptyset$.
• Use an information compression argument to show that w.h.p. over choice of oracle, we cannot have a sequence of openings with too many new queries.

Some Proof Intuition
• Since Eve makes a polynomial number of queries: Can encode a sequence of openings with a short string. So total possible number of encodings is small.
  – Intuition: To encode a query $q \in Q_i$, use its index in the Eve algorithm.
• For a fixed encoding, probability randomly chosen oracle is consistent with the encoded sequence of openings is small.
  – Follows from property of oracle that a random string is unlikely to be in image of $F(pk, \cdot)$.
• Since number of encodings is small, prob. a randomly chosen oracle is consistent with any sequence is small.

Open Problems
• Extend impossibility result to trapdoor permutations.
• Extend impossibility results to multiple round encryption schemes.
• Construct sender-deniable public key encryption without relying on IO?

Thank you!
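
The weak parity construction from the "Weak Sender-Deniable PKE from Simulatable PKE" slide, run over a lazily sampled stand-in for the oracle $(G, F, F^{-1})$, as an added example that is not code from the talk. All names, the byte-sized parameter `N`, the layout of `x`, and passing `n_obliv` explicitly (the scheme would sample it) are assumptions of this sketch.

```python
import secrets
N = 16  # toy length unit in bytes (assumption; the slides count bits)

class Oracle:
    """Lazily sampled (G, F, F^-1) with the slides' input/output lengths."""
    def __init__(self):
        self.g, self.f = {}, {}
    def G(self, sk):                       # n -> 3n
        return self.g.setdefault(sk, secrets.token_bytes(3 * N))
    def F(self, pk, x):                    # 3n + n -> 12n
        return self.f.setdefault((pk, x), secrets.token_bytes(12 * N))
    def F_inv(self, sk, y):                # x with F(G(sk), x) = y, else None (bottom)
        pk = self.G(sk)
        return next((x for (p, x), out in self.f.items() if p == pk and out == y), None)

def encrypt(o, pk, bit, k, n_obliv):
    """Slide convention: an odd number of oblivious slots encodes 0, an even number 1."""
    if not 0 <= n_obliv <= k or n_obliv % 2 != 1 - bit:
        raise ValueError("oblivious-slot count does not encode this bit")
    obliv = set(secrets.SystemRandom().sample(range(k), n_obliv))
    cts, opening = [], []
    for i in range(k):
        # honest slot: F(pk, zero plaintext || coins), a toy layout; oblivious slot: random string
        x = None if i in obliv else bytes(N // 2) + secrets.token_bytes(N // 2)
        cts.append(secrets.token_bytes(12 * N) if x is None else o.F(pk, x))
        opening.append(("obliv", cts[-1]) if x is None else ("enc", x))
    return cts, opening

def decrypt(o, sk, cts):
    n_obliv = sum(o.F_inv(sk, c) is None for c in cts)   # bottom marks an oblivious slot
    return 1 - n_obliv % 2

def explains(o, pk, cts, opening):
    """Bit an opening explains, or None if it does not reproduce the transcript."""
    ok = all((v if kind == "obliv" else o.F(pk, v)) == c for c, (kind, v) in zip(cts, opening))
    return 1 - sum(kind == "obliv" for kind, _ in opening) % 2 if ok else None

def deny(cts, opening):
    """Claim one honest slot was oblivious; None once no honest slot is left."""
    for i, (kind, _) in enumerate(opening):
        if kind == "enc":
            return opening[:i] + [("obliv", cts[i])] + opening[i + 1:]
    return None

def deny_chain(cts, opening):
    steps = 0                              # successive denials until deny fails
    while (opening := deny(cts, opening)) is not None:
        steps += 1
    return steps
```

Each denial removes one honest slot from the opening, so `deny_chain` stops after `k - n_obliv` steps, which is the behaviour the "A First Attempt" slide attributes to the [CDNO97] construction.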