And the next talk will be "Bi-Deniable Public-Key Encryption" by O'Neill, Peikert and Waters, and Chris Peikert will give the talk.

Thank you. Oh, my time's up already. Oh, I'll fix that. Don't worry. This work is "Bi-Deniable Public-Key Encryption," with Adam O'Neill and Brent Waters.

So many talks start with a story, and this one is no different. Today's story: Alice and Bob are siblings, and one of them is away at school, and they want to plan a party for their big brother for when Alice comes home to school. So they're using public-key encryption to keep their messages safe, because Big Brother is watching them. And so Alice encrypts this message saying "Let's have a surprise party for big brother," and Big Brother sees this traffic go by, but it's encrypted, so he can't tell what the message is. But he's awfully curious about it. So when she comes home, he kind of uses his prerogative as a big brother and twists their arm and says, "Hey, tell me your public, you know, the coins that you used to encrypt this, and hey Bob, tell me the secret key that you used," and the party is now ruined. So that's pretty unfortunate for everybody all around.

So what we would like is something called bi-deniability, and we'd like a property like this: that Alice can send Bob an encrypted ciphertext using some kind of deniable encryption process, and Bob should be able to decrypt Alice's message correctly. But if Bob, or rather Big Brother, comes around and tries to twist their arm, or maybe in advance, anticipating that he might do so, Alice and Bob can prepare some fake encryption coins on the left and a fake secret key on the right, so that when Big Brother does come around and they have to hand these keys and coins over magically.
It looks like an innocuous message that everyone can agree on. Okay, so the fake coins and keys actually make it look as if another message had been encrypted, okay, and encrypted honestly; it's not like there's nothing suspicious about these coins and keys.

Okay, so an important fact, an important thing about the model we're considering, is that the coercion is always after the fact. So Alice and Bob are able to encrypt and decrypt, you know, not subject to any coercion, but then later on they might be coerced to reveal their coins. And this is really kind of a dual concept to something that Benaloh and Tuinstra called uncoercible communication, which would allow Alice, you know, when she's under control of Bob, or Big Brother, to send the message but secretly indicate that, hey, I'm being coerced to send this message, so ignore it. Okay, so we're talking about after-the-fact coercion here today.

So, you know, this is kind of a toy example, but there are a lot of serious examples where deniability might be needed: kind of any kind of anti-coercion scenario. Roger Dingledine's talk gave countless excellent examples of scenarios where people might really need deniability for their own safety or security. So, for example, journalists or whistleblowers, who might want to keep their sources safe, would definitely benefit from deniability. These two fellows know definitely well. Or if you find yourself with a different kind of big brother to deal with, you might need it.

Deniability has often been proposed for voting protocols, and the basic idea is that, well, if you encrypt your vote, but then later on your boss asks you to show how you voted, well, you could reveal any vote. So, you know, there's no way to force you to reveal your vote, or you wouldn't be able to sell your vote. Come back to this question a little bit later.

In terms of theoretical cryptographic concepts.
It's a nice concept because it actually implies a strong notion called selective opening security for encryption, and it also implies something called non-committing encryption, which helps you design adaptively secure protocols. But it's actually strictly stronger than both of these, in particular it's stronger because the ciphertexts that are equivocable actually can be decrypted by real players. They're not just generated by a simulator, so they actually have real content behind them.

Okay, so those are applications. There's been some prior work. This notion was first formalized in this paper, CDNO: Canetti, Dwork, Naor, Ostrovsky, in '97, and they give nice definitions and some feasibility results. They showed that sender-deniable public-key encryption is possible, so it allows you to coerce only the sender but not the receiver. And then they also show that with interaction you can kind of flip the roles of the two players, so you could coerce only the receiver but not the sender. And then they also showed that you could do bi-deniable encryption if you interact with third parties, as long as at least one of those parties remains uncoerced.

Okay, but in practice people have also asked for some kind of deniability property. It usually goes by the name of plausible deniability. So there are programs called TrueCrypt or Rubberhose file system, and they basically allow you to say, if you're coerced to reveal what's on your hard drive or decrypt what's on your hard drive, you can say, well, this part of the hard drive is actually just random noise. I never stored anything here, so there's no message there, move along. Now that might work well for storage within your own computer, but it's arguably not very useful for communication, because if you're sending messages back and forth, it's hard for you to argue, well, there's actually no message here.
I've just been talking to Bob for years. Okay, so anyway, we'd like something more, and we'd like to actually be able to equivocate the message and not just claim that there's no message there at all.

So in this work we make some progress on these problems. We give bi-deniable encryption schemes. This means that you can simultaneously coerce the sender and the receiver, and you can reveal any message that you like, even chosen as late as the time of coercion, or in advance. And this works, importantly, in what's called the multi-distributional or, for my own mouth's sake, what we'll call a flexible deniability model. And what that means is that there are actually alternative deniable key generation and encryption algorithms, which Alice and Bob would run in advance, but then when they get coerced they would actually equivocate and claim to have run the normal, sanctioned encryption and key generation algorithms. So I'll say more about how we formalize this later.

So I want to emphasize these are true public-key schemes. They're non-interactive, in contrast to the previous bi-deniable scheme, and there are no third parties. We actually give two very different styles of schemes.
One is a generic construction. It's based on what's called simulatable encryption, an idea introduced by Damgård and Nielsen, and they introduced it for the purpose of non-committing encryption, and we find it interesting that it's possible to actually build deniable encryption with this basic primitive. And then we have a special, arguably more efficient, or, certainly more efficient and definitely different, construction that uses some peculiar properties of lattice encryption.

Now both of these schemes have key sizes greater than the message size. But if you think about it for a moment, this is inherent, because if you have a fixed ciphertext and you want to be able to open it in 10 different ways, there must be at least 10 different secret keys that you can reveal. So it's inherent, but it's still not very nice, because we'd like to be able to encrypt messages that are longer than the keys. So we give a way to do this with a limited, restricted notion called plan-ahead bi-deniability, and plan-ahead basically means you give up on this ability to reveal any message under coercion; you simply say that in advance I'll choose two, three, some bounded number of messages which I can then later reveal. And now we can do it with short keys and long messages. Interestingly, this is an analog of what's called somewhat non-committing encryption by Garay, Wichs, and Zhou from Crypto '09. And another good benefit of this is that the sender and receiver automatically agree on what is the fake message and what's the real message.
When you have this coercion problem, you have the problem of, well, if you put Alice and Bob in separate rooms and tell them, you know, what was the real message, they might equivocate to different messages, and that would look bad. So the plan-ahead scheme actually, you know, lets them both know what the innocent message is.

And then third, we give some analogous solutions and models in the identity-based setting. And this is kind of an interesting setting that's arguably pretty useful, because it says that in the identity-based setting you aren't the curator or generator of your own secret keys; rather, you go to a public key generator, or an authority, who extracts a secret key for you. So the model is something like, when you go under coercion, you say, well, I have to go to the public key generator to get my secret key, and you can tell the public key generator, hey, please make it decrypt in this way rather than the real message.

There's also been some subsequent work following the first announcement of our results here. So in the past year at Eurocrypt there was a paper on an interactive scheme which gets full sender deniability, so not in the flexible model, but rather in the full deniability model. It uses an interesting primitive called sampleable encryption, which really looks like it solves the problem. But unfortunately, if you look very closely, there turns out to be a fatal bug, and for some reason it doesn't seem to be enough to solve the problem. So full deniability is really a very interesting problem, even just for one side, even with interaction. It's a very neat problem. A second work, which will appear in the upcoming Asiacrypt, by Bendlin et al.: they actually show that fully receiver-deniable encryption is impossible. So formally that statement means if your secret key is only sigma bits long, then there's always a way to distinguish between real messages and faked messages with one over sigma distinguishing advantage. So
basically there's no hope to get full receiver deniability if your scheme is non-interactive. So this actually motivates why we really have to work in this flexible deniability model. And so again, when faced with this impossibility, we don't deny it. We're just going to be flexible about our security notion.

Okay, so this is the model that we ask for, flexible bi-deniability. As usual we have three algorithms, so key generation, encryption and decryption, and these three by themselves form a valid encryption scheme, so the decryption is correct, it's semantically secure, and so forth. And then on top of those three things we have deniable algorithms, so a deniable key generator and a deniable encryption algorithm, and corresponding faking algorithms.

And so here's what we ask for, the deniability experiment, security-wise. So for any two message bits b and b prime, the left experiment is simply: you generate a key, you encrypt a bit b, and then the coercer comes along and says give me your keys and coins, and you hand them over. Okay, so that's what the coercer gets to see. There's actually a lot of redundancy here. It's enough to give the coercer just sk and r, because he can derive pk and c from that, but that's what you get.

And the alternative experiment is what happens when you actually use the deniable algorithms. So now we deniably generate a public key together with something called a faking key, and then we deniably encrypt a message, the message b prime, okay, to get a ciphertext. And then later, when the coercer comes along, we use this faking algorithm together with a faking key to say, you know what, I want ciphertext c to decrypt as a message bit b, and that's going to output some fake secret key here. And the receiver, sorry, the sender, simultaneously runs, he says, here's my original randomness that I used, I'd like this bit b prime that I originally encrypted to appear as if I encrypted a b. And so that's going to output some fake encryption randomness, and as usual the coercer gets to see
all four items. Okay, so we'd like these two experiments to be indistinguishable. Even better, well, instead of a secret key you could actually have the coins for Gen. We'll treat these as if they're equivalent, but in the paper we show that coins can be done. Okay, so, and just to give you an idea, full deniability would say you can't use different algorithms here. You actually have to run Gen and Enc here. And there are still faking algorithms, but they have to take the original coins and the original coins here. So that's what we would ask for.

So it's after lunch. We're all digesting, so I think I'll keep it pretty light, and I won't go into too many technical details, but I'd rather consider, you know, is this definition actually meaningful or useful. And there are kind of two common objections that I've often had raised about deniability in general and the flexible model. And the first objection is, well, you know, everybody knows that you could have run these faking algorithms, so who do you think you're fooling when the coercer comes along?
You're not going to convince them that you really sent this message that you're claiming to have sent. And I say, yeah, you're not. The point is not to convince anybody. I mean, everyone knows they could be faked, and that's the world we live in. So the point is that if you consider, like, perfectly secure communication, talking through a lead pipe where there's no record at all that anything had happened, this is ideally perfectly deniable. You can claim after the fact to have said anything to anybody. But the problem is that encryption itself has the side effect that, usually, it introduces a risk of being coerced. So now there's a record of a ciphertext that you sent, and now you can later be coerced to open it up. Okay, so this is an undesirable side effect, and deniable encryption is attempting to get rid of that side effect. Okay, so you're not going to fool anybody, into convincing the coercer of anything, but actually just to preempt the possibility of coercion in the first place by making it useless.

Okay, the second objection is typically to this flexible model, which is a very natural question, the first one you think of, is, well, there are these alternative deniable generation and encryption algorithms. Why wouldn't the coercer just ask for the coins from those algorithms? And if he did, then, you know, you wouldn't have a way to equivocate your message. And the answer is, yeah, he could ask for those coins. I would recommend as a user that you just really insist: no, I really did run the recommended algorithms, okay, Gen and Enc. The coercer has no evidence. You know, he may have reason to believe that you want to change your message, but he really has no evidence that you ran those alternative algorithms, and had you run these original algorithms, you couldn't give him the coins of the deniable algorithms, okay?
You just computationally wouldn't be able to. So there are kind of two cases here. The first is that the coercer says, you know, I guess I've sent my subpoena, you've submitted, you know, what you claim, and I have to be happy with that. So the coercer goes away and all's well, and we win. The second case is that maybe the coercer says, no, I'm not satisfied. I'm really going to punish you and put you in prison until you give me coins for Gen and Enc. Okay, in that case you're arguably living in kind of an unjust society, because there's no reason to believe that you've run these algorithms, but here you are rotting in jail. So flexible deniability does allow you to cry uncle and say, okay, okay, I admit it. I ran the deniable algorithms, here are the coins, and now you've proved what message was truly sent. The problem is, if you're in this world, deniability is the least of your problems. In fact, full deniability doesn't even save you in that world, because again, just as you could with flexible deniability, anticipating that you might end up rotting in jail until you prove in a valid way what message you've really encrypted, well, you could just use verifiable randomness, like the digits of pi, to encrypt, right? So there's still a way in a fully deniable scheme to prove that you really sent the message. Okay, so arguably it's not a flexible versus full problem there.
So this also calls into question the applicability to voting, because if you really want to sell your vote, you can even do so in a fully deniable scheme just by using digits of pi or some kind of output of a pseudorandom generator, something like that.

Okay, so now I will do some technical things, but still with pictures. So the main tool for deniability from the CDNO paper is something they called translucent sets, which is a really nice idea. The idea is that we have the set U, which is the whole universe, and then inside of it we have a set P which is parameterized by a public key. Okay, so the public key specifies what is this P set, and there's a trapdoor that comes along with this translucent set. So there are a few simple properties. If you have the public key you can sample efficiently from the P set. You can also sample from the U set just by picking k random bits. But a P sample is pseudorandom, so if you pick at random from P, it actually is indistinguishable computationally from if you had picked from the whole set. And so this allows you to fake. Later on, you say you chose a P sample to start with, but then later on you can claim that it was a U sample just by saying, yeah, the P sample, I just picked these k random bits. Okay, so you can fake in one way, from P to U, but not vice versa. And for the receiver, the receiver using the secret key can easily distinguish a P sample from a U sample. So the receiver can tell which set it falls into, and there are many instantiations of this idea, this very basic idea. So let's see how you could do it. How could you use this to get a deniable encryption scheme?
Well, the normal encryption scheme: to encrypt a zero you just take two U samples, and to encrypt a one you take a U sample and then a P sample. Okay, and Bob can tell which of the two samples they are, and so he can distinguish a zero from a one and decrypt. On the deniable side, the deniable encryption algorithm: to encrypt a zero he just takes two P samples instead, and for the one it's the same as before. So let's see what happens. The coercer comes along and Alice can fake. So, you know, if the original message is zero or one, it doesn't matter, you can fake it as a zero or one in either direction just by claiming that P samples were actually U samples. Okay, so you can just check that all possibilities are doable there. But if you coerce Bob, you get a secret key and the true message is revealed. Okay, so we really need to work on the receiver side here.

So one of our contributions, one of the two schemes, is something we call bi-translucent sets, and it's to take care of this receiver problem. So a public key now has many secret keys, and the P tests are slightly different. So, you know, this secret key might call those values P samples, and this one might call those P samples. And so the idea is, if you pick a P sample, then most secret keys will indeed classify it correctly, but given the faking key you can actually generate a secret key that makes the P sample fall outside.
So it forces, it makes it look as if this P sample is actually a U sample. Okay, and so this allows Bob to fake a P as a U, and then using the previous encoding everything works. So the instantiation just uses the fact that in the GPV identity-based encryption you can cause a decryption error, but obliviously, so the user doesn't know it. Just kind of, anyway, seemed like an annoying fact, an annoying property, that we're using for deniability. So I have no time, so, extensions: just like I said, the plan-ahead deniability is something we do, and full deniability is still a really interesting open question. Thanks. I'll take your comments, questions.

Is there any question? Yeah.

Yeah, the faking key you can't reveal. Yeah, that's something you cannot reveal. Yeah, the faking key is very special.

No, yeah, I don't see any reason why it couldn't be, although revealing a faking key already reveals that you've run the deniable generator. So there's already some... The faking key is only output by the deniable generator. Okay, yeah, maybe they handed it... Okay, yeah. Yes.

There actually are a large number of possible faking keys for a given public key. We don't use that property, but it's true.

That's right. Yes. So the question is why not just erase. In fact, it's not very common for you to keep your encryption coins around. So in coercing a sender, you know, "I forgot my coins" definitely could be a credible answer. It's less of a credible answer for the receiver, who typically has to keep a secret key around in order to decrypt things. So that's another reason why we wanted to focus on the receiver side of things, but there's discussion in the paper about erasures and what we think of them.

Okay, let's thank the speaker again. And if there are more questions, I'm sure that Chris will be able to take them offline during the break.
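
The sender-side translucent-set encoding described in the talk (0 as two U samples, 1 as a U then a P sample; deniable 0 as two P samples), as an added Python sketch that is not from the talk or the paper. It assumes a toy RSA trapdoor with a truncated SHA-256 tag marking P membership, and decryption by comparing the two samples' types; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy RSA trapdoor from two Mersenne primes: illustration only,
# far too small to be secure. D is the receiver's secret key.
_P, _Q = 2**127 - 1, 2**89 - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))

def _tag(x):
    # Assumption: truncated SHA-256 stands in for a random oracle.
    return hashlib.sha256(x.to_bytes(32, "big")).digest()[:16]

def sample_p():
    """P sample (x^E mod N, tag(x)); the sender's coins are x."""
    x = secrets.randbelow(N)
    return (pow(x, E, N), _tag(x)), ("P", x)

def sample_u():
    """U sample: a uniformly random element; the coins are the element itself."""
    s = (secrets.randbelow(N), secrets.token_bytes(16))
    return s, ("U", s)

def is_p(sample):
    """Receiver's test: invert with the trapdoor and recheck the tag."""
    y, h = sample
    return _tag(pow(y, D, N)) == h

def _pack(parts):
    return [s for s, _ in parts], [c for _, c in parts]

def encrypt(bit):
    """Normal algorithm: 0 -> (U, U), 1 -> (U, P)."""
    return _pack([sample_u(), sample_p() if bit else sample_u()])

def deniable_encrypt(bit):
    """Deniable algorithm: 0 -> (P, P), 1 -> (U, P)."""
    return _pack([sample_u() if bit else sample_p(), sample_p()])

def decrypt(ct):
    """Assumed decoding: 0 if both samples have the same type, else 1."""
    return int(is_p(ct[0]) != is_p(ct[1]))

def fake_coins(ct, coins, claimed_bit):
    """Sender's faking for deniable_encrypt output: present P samples as U
    samples so the coins look like an honest run of encrypt(claimed_bit)."""
    second = coins[1] if claimed_bit else ("U", ct[1])
    return [("U", ct[0]), second]

def coins_explain(ct, coins, bit):
    """Coercer's check: do these coins reproduce ct under encrypt(bit)?"""
    kinds = ["U", "P" if bit else "U"]
    for sample, (kind, coin), want in zip(ct, coins, kinds):
        if kind != want:
            return False
        redo = coin if kind == "U" else (pow(coin, E, N), _tag(coin))
        if redo != sample:
            return False
    return True
```

Anyone holding `D` can still run `decrypt` and recover the true bit, which is the receiver-side gap the talk's bi-translucent sets are meant to close.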