TCS+ Talk

Abstract:  While standard encryption guarantees secrecy of the encrypted plaintext only against an attacker that has no knowledge of the communicating parties' keys and randomness of encryption, deniable encryption [Canetti et al., Crypto'96] provides the additional guarantee that the plaintext remains secret even in face of entities that attempt to coerce (or bribe) the communicating parties to expose their internal states, including the plaintexts, keys and randomness. To achieve this guarantee, deniable encryption  equips the parties with faking algorithms which allow them to generate fake keys and randomness that make the ciphertext appear consistent with any plaintext of the parties' choice.   To date, however, only partial results were known: Either deniability against coercing only the sender, or against coercing only the receiver [Sahai-Waters, STOC '14] or schemes satisfying weaker notions of deniability [O'Neil et al., Crypto '11].

In this paper we present the first fully bideniable interactive encryption scheme, thus resolving the 20-years-old open problem. Our scheme also provides an additional and new guarantee: Even if the sender claims that one plaintext was used and the receiver claims a different one, the adversary has no way of figuring out who is lying - the sender, the receiver, or both. This property, which we call off-the-record deniability, is useful when the parties don't have means to agree on what fake plaintext to claim, or when one party defects against the other. Our protocol has three messages, which is optimal [Bendlin et al., Asiacrypt'11], and needs a globally available reference string. We assume subexponential indistinguishability obfuscation (IO) and one-way functions.

Joint work with  Sunoo Park and Oxana Poburinnaya.