An Efficient Receiver Deniable Encryption Scheme and Its Applications

JOURNAL OF NETWORKS, VOL. 5, NO. 6, JUNE 2010


Bo Meng
School of Computer, South-Center University for Nationalities, Wuhan, China
E-mail: [email protected]

JiangQing Wang
School of Computer, South-Center University for Nationalities, Wuhan, China
E-mail: [email protected]

Abstract—Deniable encryption is an important cryptographic primitive, essential in all cryptographic protocols where a coercive adversary comes to play with high potential. Deniable encryption plays a key role in internet/electronic voting, electronic bidding, electronic auctions and secure multiparty computation. In this study a practical and efficient receiver deniable encryption scheme based on the BCP commitment scheme and the idea of Klonowski et al. is proposed. The proposed scheme is a one-move scheme without any pre-encryption information required to be sent between the sender and the receiver prior to encryption. Moreover, the overhead is low in terms of the size of the ciphertext. At the same time we compare the typical deniable encryption schemes with our proposed scheme. Finally, applying the proposed deniable encryption, we originally give a coercion-resistant internet voting model without physical assumptions. We also compare the typical internet voting protocols with our proposed model.

Index Terms—deniable encryption, BCP commitment scheme, internet voting, protocol security

I. INTRODUCTION

The traditional encryption scheme protects the privacy of information against attacks and unauthorized access by a passive adversary. In some scenarios a coercive adversary accesses the ciphertext and forces the sender/receiver to present information including his random number, the key or the plaintext used in encryption or decryption. With traditional encryption, the sender and receiver cannot cheat and disclose an incorrect plaintext, owing to the fact that a fake key would produce senseless information. So the coercer can verify the validity of the opened message. Deniable encryption can be used against revealing information, in that the owner of the information may decrypt it in an alternative way to a different plaintext. Namely, if this user opens all his inputs, including the claimed encrypted message, to a coercer, the coercer fails to prove the validity or invalidity of the opened message. For receiver deniable encryption the sender produces a ciphertext $C$ that looks like an encryption of a true message $m_{true}$ and like an encryption of a fake message $m_{fake}$. The receiver is able to decrypt $C$ either

Corresponding author: Bo Meng, School of Computer, South-Center University for Nationalities, Wuhan, China, 430074

© 2010 ACADEMY PUBLISHER doi:10.4304/jnw.5.6.683-690

to $m_{true}$ or to $m_{fake}$ for a coercer, which, when verified, produces the same ciphertext $C$.

The notion of deniable encryption was introduced by Canetti et al. in 1996 [1]. Deniable encryption is an important cryptographic primitive, essential in all cryptographic protocols where a coercive adversary comes to play with high potential. Deniable encryption can be used to develop receipt-freeness and coercion-resistance in internet/electronic voting protocols, and in electronic bidding, electronic auctions and secure multiparty computation.

Deniable encryption may be classified according to which party may be coerced: sender-deniable schemes, receiver-deniable schemes and sender-and-receiver-deniable schemes. A sender-deniable encryption scheme is resilient against coercing the sender. The definitions for receiver-deniable and sender-receiver-deniable follow analogously. When the sender and the receiver initially share a common secret key, this is referred to as shared-key deniable encryption. In deniable public-key encryption, no pre-shared information and no communications are assumed prior to the encryption process. This follows from the assumptions of standard public-key encryption schemes.

In the last several decades people have focused on developing more practical and efficient deniable encryption schemes. Canetti et al. [2] propose a public-key deniable encryption, which includes basic and parity deniable schemes, and a shared-key deniable encryption, which includes one-time-pad and plan-ahead shared-key deniable schemes. Assange and Weinmann [3] propose a deniable encryption file system called Rubberhose file system. But their deniable encryption cannot be used in network communication. Rjašková [4] proposes a sender-deniable public-key encryption based on the RSA cryptosystem. The deniable encryption is very inefficient. Sending 1 bit through the deniable encryption means sending 105 bits through the public channel. Klonowski et al. [5] expand the schemes of [2] and propose a receiver deniable encryption scheme based on the ElGamal cryptosystem and apply it to implement a covert channel. But their deniable scheme is not used in large scale networks. Ibrahim [6] devises a sender-deniable public-key encryption based on quadratic residuosity of a composite modulus and shows how to devise a sender-deniable public-key encryption from any trapdoor permutation. His scheme is impractical. In his later work [8] he also proposes a receiver-deniable public-key encryption scheme based on mediated RSA PKI and oblivious


transfer protocol. But deniability in the scheme is worth discussing.

All of the above schemes are either inefficient, or implemented with physical assumptions, or not suitable for large scale networks. Motivated by this, we propose an efficient deniable encryption scheme based on the idea of Klonowski et al. [5] and the BCP commitment scheme and cryptosystem [9]. The contributions of this paper are as follows:

• An efficient receiver-deniable encryption scheme is proposed. Our proposed scheme enjoys the following properties: it is a one-move scheme without any pre-encryption information required to be sent between the sender and the receiver prior to encryption; no pre-shared secret information is required between the sender and the receiver; it achieves a deniability equivalent to the factorization of a large two-prime modulus; the overhead in terms of the size of the ciphertext is low.

• A secure internet voting model based on the proposed deniable scheme is originally developed. The internet voting model has the following properties: the model is coercion-resistant; coercion-resistance is implemented without physical assumptions.

The rest of this paper is organized as follows: Section II presents the related work in the field. Section III describes the related cryptographic primitives including the ElGamal cryptosystem, the BCP cryptosystem and the BCP commitment scheme. Section IV describes the proposed efficient receiver deniable encryption scheme. Section V gives an application to internet voting. Finally, the conclusions are given in Section VI.

II. RELATED WORK

In 1996 Canetti et al. [1] introduced the notion of deniable encryption. They also propose a deniable encryption scheme in which the sender is able to use deniable encryption to encrypt a bit $b$ in such a way that the resulting ciphertext can be interpreted as either $b$ or $1 - b$ to a coercer. In their later work [2] they classify deniable encryption into three kinds of schemes according to which parties may be coerced: sender-deniable schemes, receiver-deniable schemes and sender-and-receiver-deniable schemes. At the same time they also proposed a public-key deniable encryption, which includes basic and parity deniable schemes, and a shared-key deniable encryption, which includes one-time-pad and plan-ahead shared-key deniable schemes. They also showed that it is possible by simple tricks to transform any sender-deniable encryption scheme into a receiver-deniable encryption scheme and vice versa. Also, they showed that, with the help of other parties of which at least one remains un-attacked, it is


possible to transform a sender-deniable encryption scheme into a sender-receiver-deniable encryption scheme.

Assange and Weinmann [3] propose a deniable encryption file system called Rubberhose file system, a deniable encryption package that lets a person who does not want to disclose the plaintext data corresponding to their encrypted data show that there is more than one interpretation of the latter. But their deniable encryption cannot be used in network communication.

Rjašková [4] proposes a sender-deniable public-key encryption based on the RSA cryptosystem, in which the message is encrypted bit by bit. The sender encrypts the message using the public key of the receiver and he can later fake his random choices. The deniable encryption is very inefficient. Sending 1 bit through the deniable encryption proposed by Rjašková means sending 105 bits through the public channel.

Klonowski et al. [5] expand the schemes of [2] and propose a receiver deniable encryption scheme based on the ElGamal cryptosystem and apply it to implement a covert channel. However, according to our analysis, we find that the receiver deniable scheme is not receiver-deniable. Because the sender, receiver and coercer know the deniable encryption scheme, the coercer can force the receiver to reveal the secret key $s$; then the coercer can compute $k = HASH(s \,\|\, m_f)$ and get $m = \beta \cdot g^{-k}$. So the coercer can learn the illegal message $m$. According to the definition of receiver deniable encryption, the scheme proposed by Klonowski et al. is not a receiver deniable encryption scheme. In order to address the problem, one method is to use the parity deniable encryption scheme proposed by Canetti et al. Why can the coercer learn the illegal message $m$? The reasons are that the coercer knows the deniable encryption scheme, according to Kerckhoffs' principle, and the secret information $x$ and $s$.

Suppose the deniable encryption scheme does not fix which of the two messages is illegal, and instead which message is the illegal message is decided in each run, based on the choice of the sender or the receiver, using the parity deniable encryption scheme. The new deniable encryption scheme is then a sender-receiver deniable encryption. The parity scheme is executed first, then the deniable encryption is run. The parity scheme tells the receiver which message is the illegal message, the first one or the second, so the receiver knows which message is the illegal message. If the coercer knows the messages $m_f$ and $m$, he can find which message is illegal, so the receiver can tell the coercer that either one of the two messages $m_f$ and $m$ is illegal, thus making the deniable encryption receiver deniable. Owing to the parity deniable encryption scheme, the encryption is a receiver deniable encryption.

Canetti and Gennaro [7] apply the public-key, sender-deniable encryption scheme to propose a secure multiparty computation which permits a set of parties to compute a common function of their inputs while keeping their internal data private even in the presence of a coercer, and which can be used to provide the receipt-freeness of an electronic voting protocol.


Ibrahim [6] devises a sender-deniable public-key encryption based on quadratic residuosity of a composite modulus and shows how to devise a sender-deniable public-key encryption from any trapdoor permutation. He supposes that $s$ is generated and used on the fly to reach a QNR value in $J_N^+$. He supposes that the program does not store $s$ anywhere on the system since it is not part of the encryption pattern. At the same time, when the schemes are transformed to be receiver-deniable using the tricks of [2], the schemes are no longer one-move schemes. His scheme is impractical. In his later work [8] he also proposes a receiver-deniable public-key encryption scheme based on mediated RSA PKI and an oblivious transfer protocol. But deniability in the scheme is worth discussing.

All of the above schemes are either inefficient, or implemented with physical assumptions, or not suitable for large scale networks.

III. CRYPTOGRAPHIC PRIMITIVES

In this section we introduce the cryptographic primitives which are used to develop our proposed efficient receiver deniable encryption scheme. These cryptographic primitives include the ElGamal cryptosystem, the BCP cryptosystem and the BCP commitment scheme.

A. ElGamal cryptosystem

The ElGamal cryptosystem, invented by Taher ElGamal and introduced in [10, 11], is a public key cryptosystem based on the discrete logarithm problem.

• ElGamal public and private key generation

Let $p$ be a large prime, and $g$ be a generator of the multiplicative group $Z_p^*$ of the integers modulo $p$. The private key $x$ is a random integer with $x \in \{1, \ldots, p-2\}$. Let $y = g^x \bmod p$. The public key for the ElGamal cryptosystem is the triplet $(p, g, y)$. The private key is $x$. Owing to the discrete logarithm problem, releasing $y = g^x \bmod p$ does not reveal $x$.

• ElGamal encryption

Bob obtains Alice's public key $(p, g, y)$. Bob wants to encrypt a message $m \in \{0, \ldots, p\}$ for Alice. He should do the following:

1. Select a random integer $r$ $(0 \le r \le p-2)$.
2. Compute $\alpha = g^r \bmod p$, $\beta = m y^r \bmod p$.
3. Send the ciphertext $C = (\alpha, \beta)$ to Alice.

• ElGamal decryption

To recover the plaintext $m$ from $C = (\alpha, \beta)$, Alice should compute $m = \beta / \alpha^x \bmod p$. The correctness of the ElGamal encryption scheme is easy to verify. Indeed, we have:

$$m = \beta / \alpha^x \bmod p = m y^r (\alpha^x)^{-1} \bmod p = m g^{xr} (g^{rx})^{-1} \bmod p = m$$


B. BCP cryptosystem

The BCP cryptosystem, introduced by Bresson, Catalano, and Pointcheval in [9], is a public key cryptosystem. It is a variant of the Cramer-Shoup scheme whose main feature is to offer two different decryption procedures, based on two different trapdoors. The BCP cryptosystem can be seen as an additively homomorphic variant of the well-known ElGamal cryptosystem. Let $h$ and $g$ be two elements of maximal order in $G$. If $h$ is computed as $g^x$, where $x \in_R [1, \lambda(N^2)]$, then $x$ is coprime with $ord(G)$ with high probability, and thus $h$ is of maximal order. The message space here is $Z_N$.

• BCP public and private key generation

Choose a random element $\alpha \in Z^*_{N^2}$ and a random value $a \in [1, ord(G)]$, and set $g = \alpha^2 \bmod N^2$ and $h = g^a \bmod N^2$. The public key is given by the triplet $(N, g, h)$ while the corresponding secret key is $a$.

• BCP encryption

Bob obtains Alice's public key $(N, g, h)$. Bob wants to encrypt a message $m \in Z_N$ for Alice. He should do the following: a random pad $r$ is chosen uniformly at random in $Z_{N^2}$, and the ciphertext $(A, B)$ is computed as

$$A = g^r \bmod N^2, \quad B = h^r (1 + mN) \bmod N^2$$

Bob then sends the ciphertext $(A, B)$ to Alice.

• BCP decryption

To recover the plaintext $m$ from $(A, B)$, Alice can compute:

First Decryption Procedure - Knowing $a$, Alice can compute $m$ as follows:

$$m = \frac{B/(A^a) - 1 \bmod N^2}{N}$$

Alternate Decryption Procedure - If the factorization of the modulus is provided, Alice can compute $a \bmod N$ and $r \bmod N$. Let $ar \bmod ord(G) = \gamma_1 + \gamma_2 N$; thus $\gamma_1 = ar \bmod N$ is efficiently computable. Alice can compute $m$ as follows:

$$m = \frac{D - 1 \bmod N^2}{N} \cdot \pi \pmod N$$

where $\pi$ is the inverse of $\lambda(N)$ in $Z^*_N$.

C. BCP Commitment Scheme

A trapdoor commitment scheme is a function associated with a pair of matching public and private keys. The main property we want from such a function is collision-resistance: unless one knows the trapdoor, it is infeasible to find two inputs that map to the same value. On the other hand, knowledge of the trapdoor suffices to find collisions easily. The BCP commitment scheme [9] is based on the BCP cryptosystem. A trapdoor commitment scheme consists of a key generation algorithm, a commitment function, and a collision-finding function.


• Key Generation

The key generation algorithm, on input a security parameter $l$, produces a modulus $N$ that is the product of two safe primes of size $l/2$, together with a square $h$ of maximal order in $G$. The public key is given by $N$ and $h$. The private key is the factorization $(p, q)$ of the modulus.

• Committing a Message

To commit to a message $m \in Z_N$, the sender chooses a random number $r \in_R Z_{N\lambda(N)/2}$, sets

$$B = C(r, m) = h^r (1 + mN) \bmod N^2,$$

and sends $(B, r, m)$ to the receiver.

• Collision-finding function

Given a commitment $B = C(r, m) \in G$ together with the corresponding $(r, m)$, and knowing the factorization of the modulus, one can find collisions for any message $m'$ as follows:

$$r' = r + (m - m')\, d\lambda(N) \bmod N\lambda(N)/2$$

Thus the receiver can get $B = C(r, m) = C(r', m') \in G$.

IV. THE PROPOSED PRACTICAL EFFICIENT RECEIVER DENIABLE ENCRYPTION SCHEME

A. Assumptions and Model

We define a receiver-deniable encryption scheme as a scheme by which the receiver is able to lie about the decrypted message to a coercer and hence escape coercion. On one hand, the receiver is able to decrypt the correct message; on the other hand, all the information held by the receiver, when opened to a coercer, does not allow this coercer to verify the encrypted message, or the coercer cannot find that the message is a fake message. Consequently, approaching the receiver becomes useless from the very beginning. The participants in our scheme are the sender, the receiver and the coercive adversary. As usual, the sender is assumed to be beyond the reach of any coercer while the receiver is possibly coerced. The coercer has the power to approach the receiver, coercing him to reveal the decrypted message, the decryption key and all the parameters he used during decryption. In our proposed receiver deniable encryption scheme, we assume that the coercer has the ability to eavesdrop on the communication channels.

B. The idea of the proposed deniable encryption scheme

In our proposed scheme the sender and the receiver have private and public keys based on the BCP cryptosystem. The sender has the public and private keys $(N, g, h)$, $a$. The public and private keys of the receiver are $(N, g, h)$, $(p, q)$. The receiver also has private and public keys $a$, $y = g^a \bmod p$ based on the ElGamal cryptosystem. First, the sender chooses a random number $r_2$, generates the message $m$, and computes $B = C(r, m) = C(r_2, m)$, which is a part of


ciphertext in the BCP cryptosystem and is created with the sender's private key of the BCP cryptosystem. At the same time the sender generates $r_1$ according to the fake message $m'$. After that the sender sends $B = C(r, m) = C(r_2, m)$ and $(\partial, \wp)$, generated with the idea of [5], to the receiver. $(\partial, \wp)$ is the ciphertext of $r_1$ and $r_2$. When the receiver receives $B = C(r, m) = C(r_2, m)$, he can recover $m$ with the private key $(p, q)$ based on the BCP decryption algorithm. At the same time he can get the random number $r_1$ from $(\partial, \wp)$ and the fake message $m'$ with $B = C(r, m) = C(r_1, m')$. So the receiver can escape the coercion by giving the coercer $(r_1, m')$. The coercer cannot find that the message $m'$ is a fake message.

C. The proposed deniable encryption scheme

The proposed deniable encryption scheme consists of preliminaries, encryption, decryption and dishonest opening phases. In the preliminaries phase the sender and receiver generate their public/private keys based on the BCP cryptosystem. At the same time the receiver generates his public/private keys based on the ElGamal cryptosystem. In the encryption phase the sender produces the ciphertext $(\partial, \wp)$ using the idea of Klonowski et al. [5] and the commitment $B = C(r, m)$ based on the BCP commitment scheme. In the decryption phase the receiver decrypts $B = C(r, m)$ with his private key based on the BCP cryptosystem and gets the message $m$. In the dishonest opening phase the receiver decrypts $(\partial, \wp)$ with his private key based on the ElGamal cryptosystem and gets the random numbers $r_1, r_2$. Then he uses $m$ and $r_2$ to generate $m'$, which satisfies $B = C(r, m) = C(r_2, m) = C(r_1, m')$. Finally he provides $m'$ and $r_1$ to the coercer and escapes the coercion, owing to the fact that the coercer cannot find that $m'$ is a fake message.

• Preliminaries

The receiver chooses a random element $\alpha \in Z^*_{N^2}$, sets $g = \alpha^2 \bmod N^2$, and publishes $(N, g)$. Then the sender gets $(N, g)$, chooses a random number $a \in [1, ord(G)]$, computes $h = g^a \bmod N^2$ and publishes $(g)$. The public key of the receiver is given by the triplet $(N, g, h)$, while the corresponding private key is $(p, q)$. At the same time the sender can generate his public key $(N, g, h)$ and private key $a$ based on the BCP cryptosystem. Finally he creates his private key $a$ and public key $y = g^a \bmod p$ according to the ElGamal cryptosystem. Because everyone can know the public key $(N, g, h)$ of the sender, the receiver can get the sender's private key $a$ owing to the knowledge of $h = g^a \bmod N^2$ and $N = p \times q$. Note that $a$ is the private key of the sender based on both the ElGamal cryptosystem and the BCP cryptosystem. Figure 1 describes the preliminaries.

Figure 1. Preliminaries

• Encryption

The sender chooses a random number $r_2 \in g$; after that the sender generates the message $m \in Z_N$, which will be sent to the receiver in the deniable encryption scheme. The sender computes $B = C(r, m) = C(r_2, m) = h^{r_2}(1 + mN) \bmod N^2$ based on the BCP commitment scheme. Generating the fake message $m'$, he can find $r_1 = r_2 + (m - m')\, d\lambda(N) \bmod N\lambda(N)/2$, which makes $B = C(r_2, m) = C(r_1, m')$. Then he computes

$$\left(\partial = g^{hash(r_2)} \cdot r_1,\ \wp = y^{hash(r_2)} \cdot r_1^a \cdot r_2\right)$$

using the ElGamal cryptosystem. $(\partial, \wp)$ is the ciphertext of $r_2$. Finally he sends $(\partial, \wp)$ and $B = C(r, m)$ to the receiver. Figure 2 describes the procedure of encryption.

Figure 2. Procedure of encryption

• Decryption

The receiver uses the private key $(p, q)$ to recover

$$m = \frac{D - 1 \bmod N^2}{N} \cdot \pi \pmod N$$

based on the BCP cryptosystem. Figure 3 describes the procedure of decryption.

Figure 3. Procedure of decryption

• Dishonest Opening

Figure 4. Procedure of dishonest opening

The receiver uses the private key $a$ to recover the plaintext $r_2$ with

$$r_2 = \wp \cdot \partial^{-a} = (y^k \cdot r_1^x) \cdot r_2\, (g^k \cdot r_1)^{-a},$$

then he can compute $hash(r_2)$ and get $r_1 = \partial \cdot g^{-hash(r_2)}$. The receiver computes $A_1 = g^{r_1} \bmod N^2$ and $A_2 = g^{r_2} \bmod N^2$ based on the BCP cryptosystem, then he recovers

$$m_1 = \frac{B/(A_1^a) - 1 \bmod N^2}{N} \quad \text{and} \quad m_2 = \frac{B/(A_2^a) - 1 \bmod N^2}{N}$$

with the BCP decryption algorithm. If $m = m_1$ then $r = r_1$. If $m = m_2$ then $r = r_2$. According to the encryption algorithm, let $r = r_2$; at the same time, the receiver knows $m$, so he can get

$$m' = \frac{C(r, m)/h^{r} - 1 \bmod N^2}{N},$$

which makes $B = C(r, m) = C(r_1, m')$. Thus if the receiver is coerced he can provide the fake message $m'$ to the coercer. The coercer cannot verify the fake message. Figure 4 describes the procedure of dishonest opening.

V. ANALYSIS

In this section we discuss the security and receiver deniability of the proposed deniable encryption scheme.

A. Security

In the proposed receiver deniable encryption scheme the message $m$ is encrypted with the receiver's public key based on the BCP cryptosystem. Without the private key of the receiver, nobody besides the sender can open the ciphertext, owing to the security of the BCP cryptosystem.

B. Receiver deniability

In the proposed receiver deniable encryption scheme the sender is assumed to be beyond the reach of any coercer while the receiver is possibly coerced. The coercer has the power to approach the receiver, coercing him to reveal the decrypted message, the decryption key and all the parameters he used during decryption. In our proposed receiver deniable encryption scheme, we also assume that the coercer has the ability to eavesdrop on the communication channels. Hence the coercer can get

$$\left(\partial = g^{hash(r_2)} \cdot r_1,\ \wp = y^{hash(r_2)} \cdot r_1^a \cdot r_2\right) \quad \text{and} \quad B = C(r, m) = C(r_2, m) = h^{r_2}(1 + mN) \bmod N^2$$

by eavesdropping on the communication channels. At the same time the coercer can force the receiver to expose his private key $(p, q)$ and $a$. In order to escape the coercion the receiver must generate a fake message $m'$. With $m'$, the coercer can get $B = C(r', m') = C(r, m) = C(r_2, m) = h^{r'}(1 + m'N) \bmod N^2$, $r' \in \{r_1, r_2\}$. Given $r' = r_1$, according to the proposed deniable encryption scheme, the receiver can get

$$m' = \frac{C(r, m)/h^{r'} - 1 \bmod N^2}{N}.$$

Finally the receiver can claim $m'$ is sent by the sender. The coercer cannot find the truth. Hence the proposed deniable encryption scheme is receiver deniable.

V. THE COERCION-RESISTANT INTERNET VOTING MODEL WITHOUT PHYSICAL ASSUMPTIONS

In this section we apply the proposed deniable scheme to develop a coercion-resistant internet voting model without physical assumptions.

With the progress of society and the development of democracy, the need for voting is more and more intense. Owing to the development of the internet, many transactions are processed through the internet. Voters can express their opinions through an internet voting system. The internet voting protocol is the base of the internet voting system. Internet voting protocols can be categorized by the technologies they use into three classes: homomorphic cryptosystem, blind signature, and mix net-based protocols. A secure and practical internet voting protocol should have the following properties:

• Basic properties: privacy, completeness, soundness, unreusability, fairness, eligibility, and invariableness.
• Expanded properties: universal verifiability, receipt-freeness [12, 13], coercion-resistance [14].

A lot of protocols use ad hoc physical assumptions or a trusted third party to accomplish receipt-freeness. Papers [14, 15, 16, 17] are better in the implementation of the expanded properties. They do not use strong physical assumptions. They mainly apply a deniable authentication protocol, plaintext equivalence test, secure multi-party computation, and designated verifier proof to accomplish coercion-resistance. In this part we propose a new internet voting model that applies the proposed receiver deniable encryption scheme to implement coercion-resistance. At the same time a mix net [18] is also used.

A. The proposed internet voting model

In order to express the idea clearly and simplify the model we suppose there is only one authority. The proposed internet voting model includes four phases: preparation phase, registration phase, voting phase and tallying phase. $c_j$ is the credential of voter $V_j$ produced by $A$ for $V_j$. $(\partial_1, \wp) \,\|\, C(r, c_j)$ are generated according to the proposed receiver deniable encryption scheme. Figure 5 describes the idea of the proposed internet voting model.

Figure 5. Idea of the proposed internet voting model

• Preparation phase

The authority and voters generate their public/private ElGamal keys. The private keys of voters and authorities are secret. At the same time they generate the public and private keys according to the proposed receiver deniable encryption scheme. Authorities generate the ballot $B_t$ and send $B_t$ and its digital signature to the bulletin board, denoted by BB.

• Registration phase

Voter $V_j$ first registers with authority $A$. Then $A$ generates $(\partial_1, \wp) \,\|\, C(r, c_j)$. $V_j$ receives $(\partial_1, \wp) \,\|\, C(r, c_j)$ and verifies it through the proposed receiver deniable encryption scheme. If it is true, voter $V_j$ goes to vote. Figure 6 describes the registration phase.

Figure 6. Registration phase

• Voting phase

First, voter $V_j$ chooses his favorite ballot and generates $E_V(B_{jt})$. Then he sends $E_V(c_j)$, $E_V(B_{jt})$ randomly to BB. Figure 7 describes the voting phase.

Figure 7. Voting phase

• Tallying phase

According to the rules, the authorities tally the ballots and publish the results. The tallying algorithm can be found in [16].

B. Analysis of coercion-resistance

The proposed internet voting protocol accomplishes coercion-resistance through confidentiality of the voter credential and the proposed receiver deniable encryption scheme. According to the proposed receiver deniable encryption scheme the voter can generate a fake $c_j'$. With $m'$, the coercer/vote buyer can get $B = C(r', c_j') = C(r, c_j)$. The voter can claim $c_j'$ is sent by the authority. So the voter cannot produce the receipt. The vote buyers do not give the money to the voter. Hence the protocol is receipt-free. At the same time the coercer also cannot find the truth. According to the definition the protocol is coercion-resistant.

VI. CONCLUSION

In this study we propose a practical and efficient receiver deniable encryption scheme based on the BCP commitment scheme and the idea of Klonowski et al. [5]. The proposed scheme is a one-move scheme without any pre-encryption information required to be sent between the sender and the receiver prior to encryption. Moreover, the overhead is low in terms of the size of the ciphertext. At the same time we compare the typical deniable encryption schemes [2, 5, 6, 8] with our proposed scheme. The result can be found in TABLE I. Finally, to the best of our knowledge, we originally give an internet voting model with coercion-resistance without physical assumptions based on our proposed deniable encryption scheme. We also compare the typical internet voting protocols [14, 15, 16, 17] with our proposed model. The result can be found in TABLE II. In the future we will work on giving a formal model of the deniable encryption scheme based on the universal composability framework to analyze deniability.
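The equivocation the scheme relies on, $B = C(r_2, m) = C(r_1, m')$, built from the BCP commitment of Section III.C and the dishonest opening of Section IV and run with toy parameters. This is an added example, not code from the paper: the function names, the safe primes 23 and 59 and the messages are constructed, and because the paper does not define $d$, it is taken here as the inverse modulo $N$ of $(h^{\lambda(N)} - 1 \bmod N^2)/N$, which gives $h^{d\lambda(N)} = 1 + N \bmod N^2$. The ElGamal transport $(\partial, \wp)$ of $r_1, r_2$ is left out.

```python
import math
import secrets


def keygen(p, q):
    """Toy BCP commitment keys from safe primes p = 2p'+1, q = 2q'+1."""
    N = p * q
    N2 = N * N
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lambda(N) = 2p'q'
    order = N * lam // 2                               # ord(G) = N*lambda(N)/2
    # Prime factors of ord(G); the order test below assumes they are distinct.
    factors = (p, q, (p - 1) // 2, (q - 1) // 2)
    alpha = 2
    while True:  # search for a square h of maximal order in G
        h = pow(alpha, 2, N2)
        if math.gcd(alpha, N) == 1 and all(
            pow(h, order // f, N2) != 1 for f in factors
        ):
            break
        alpha += 1
    # ASSUMPTION (the paper leaves d undefined): h^lambda(N) = 1 + c*N mod N^2,
    # so d = c^-1 mod N yields h^(d*lambda(N)) = 1 + N mod N^2.
    c = (pow(h, lam, N2) - 1) // N
    d = pow(c, -1, N)
    pk = {"N": N, "N2": N2, "h": h, "order": order}
    sk = {"lam": lam, "d": d}
    return pk, sk


def commit(pk, r, m):
    """C(r, m) = h^r (1 + mN) mod N^2."""
    return pow(pk["h"], r, pk["N2"]) * (1 + (m % pk["N"]) * pk["N"]) % pk["N2"]


def collide(pk, sk, r, m, m_fake):
    """r' = r + (m - m') d lambda(N) mod N lambda(N)/2; needs the trapdoor."""
    return (r + (m - m_fake) * sk["d"] * sk["lam"]) % pk["order"]


def open_with(pk, B, r):
    """Message that B opens to under randomness r: (B / h^r - 1 mod N^2) / N."""
    u = B * pow(pk["h"], -r, pk["N2"]) % pk["N2"]
    if (u - 1) % pk["N"]:
        raise ValueError("r is not a valid opening of B")
    return (u - 1) // pk["N"]


def coercer_accepts(pk, B, r, m):
    """Check a coercer can run on a claimed opening: recompute the commitment."""
    return commit(pk, r, m) == B


def demo():
    pk, sk = keygen(23, 59)          # constructed toy safe primes
    m, m_fake = 42, 7                # constructed true and fake messages in Z_N
    r2 = secrets.randbelow(pk["order"] - 1) + 1
    B = commit(pk, r2, m)            # commitment sent to the receiver
    r1 = collide(pk, sk, r2, m, m_fake)
    return pk, B, (r2, m), (r1, m_fake)


if __name__ == "__main__":
    pk, B, true_opening, fake_opening = demo()
    print("true opening accepted:", coercer_accepts(pk, B, *true_opening))
    print("fake opening accepted:", coercer_accepts(pk, B, *fake_opening))
    print("m' recovered from r1:", open_with(pk, B, fake_opening[0]))
```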

TABLE I. COMPARISON OF [2, 5, 6, 8] AND THE PROPOSED SCHEME. THE MARK "⊕" REPRESENTS THE DENIABLE ENCRYPTION SCHEME HAS THE PROPERTY OR USE THE TECHNOLOGY. THE MARK ":" REPRESENTS THE DENIABLE ENCRYPTION SCHEME HAS THE PROPERTY WITH SOME CONDITIONS.

Columns: [2], [5], [6], [8], our. Row labels: Core technologies, ElGamal cryptosystem, BCP cryptosystem, Trapdoor permutation, Goldreich-Levin predicate, Quadratic residuosity, Mediated RSA, Oblivious transfer, BCP commitment scheme, Deniability, Receiver, Sender, Property, Efficiency.

TABLE II. COMPARISON OF [14, 15, 16, 17] AND THE PROPOSED MODEL. THE MARK "⊕" REPRESENTS THE VOTING PROTOCOL HAS THE PROPERTY OR USE THE TECHNOLOGY. THE MARK ":" REPRESENTS THE VOTING PROTOCOL HAS THE PROPERTY WITH SOME CONDITIONS.

Columns: [14], [15], [16], [17], our. Row labels: Core technologies, Deniable authentication protocol, Plaintext equivalence test, Designated verifier proof, Proof protocol that two ciphertexts are encryption of the same plaintext, Deniable encryption, Physical assumptions, Property, Coercion-resistance.

REFERENCES

[1] R. Canetti, C. Dwork, M. Naor, and R. Ostrovsky, “Deniable encryption,” (preliminary version), May 10, 1996.
[2] R. Canetti, C. Dwork, M. Naor, and R. Ostrovsky, “Deniable encryption,” Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology, pp. 90-104, Springer-Verlag, London, 1997.
[3] J. Assange, R. Weinmann, “Rubberhose filesystem,” http://iq.org/~proff/rubberhose.org/, 1997.
[4] Z. Rjašková, “Electronic Voting Schemes,” Master thesis, Department of Computer Science, Faculty of Mathematics, Physics and Informatics, Comenius University, Bratislava, April 2002.
[5] M. Klonowski, P. Kubiak, and M. Kutyłowski, “Practical Deniable Encryption,” SOFSEM 2008: Theory and Practice of Computer Science, 34th Conference on Current Trends in Theory and Practice of Computer Science, Nový Smokovec, Slovakia, January 19-25, 2008, pp. 599-609.
[6] M. H. Ibrahim, “A Method for Obtaining Deniable Public-Key Encryption,” International Journal of Network Security, Vol. 8, No. 1, pp. 1–9, Jan. 2009.
[7] R. Canetti, R. Gennaro, “Incoercible multiparty computation,” In Proceedings of the 37th Annual Symposium on Foundations of Computer Science (October 14-16, 1996), FOCS, IEEE Computer Society, Washington, DC, 504.
[8] M. H. Ibrahim, “Receiver-deniable Public-Key Encryption,” International Journal of Network Security, Vol. 8, No. 2, pp. 159-165, Mar. 2009.
[9] E. Bresson, D. Catalano, and D. Pointcheval, “A simple public key cryptosystem with a double trapdoor decryption mechanism and its applications,” In: Laih CS, ed. Asiacrypt 2003. LNCS 2894, Berlin: Springer-Verlag, 2003, 37-54.
[10] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985).
[11] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Trans. Inf. Theory 31(4), 469–472 (1985).
[12] J. Benaloh, D. Tuinstra, “Receipt-free secret-ballot elections,” Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, Montréal, Québec, Canada, May 1994. ACM, New York, NY, USA.
[13] T. Okamoto, “Receipt-free electronic voting schemes for large scale elections,” Proceedings of Security Protocols Workshop, Springer-Verlag, LNCS 1361, 1997: 25–35.
[14] A. Juels, M. Jakobsson, “Coercion-resistant electronic elections,” 2002. http://www.voteauction.net/VOTEAUCTION/165.pdf
[15] A. Acquisti, “Receipt-Free Homomorphic Elections and Write-in Voter Verified Ballots,” Technical Report 2004/105, International Association for Cryptologic Research, May 2, 2004, and Carnegie Mellon Institute for Software Research International, CMU-ISRI-04-116, 2004. http://www.heinz.cmu.edu/~acquisti/papers/acquistielectronic_voting.pdf
[16] B. Meng, “An Internet Voting Protocol with Receipt-free and Coercion-resistant,” IEEE 7th International Conference on Computer and Information Technology, University of Aizu, Fukushima, Japan, 16-19 October, 2007. IEEE CS.
[17] B. Meng, “A Secure Internet Voting Protocol Based on Non-interactive Deniable Authentication Protocol and Proof Protocol that Two Ciphertexts are Encryption of the Same Plaintext,” Journal of Networks, 2009, 4(5): 370-377.
[18] D. L. Chaum, “Untraceable electronic mail, return addresses, and digital pseudonyms,” Communications of the ACM, 24(2), 1981: 84–88.

Bo Meng was born in 1974 in the People’s Republic of China. He received his M.S. degree in computer science and technology and his Ph.D. degree in traffic information engineering and control from Wuhan University of Technology, Wuhan, People’s Republic of China, in 2000 and 2003, respectively. From 2004 to 2006, he worked at Wuhan University, People’s Republic of China, as a postdoctoral researcher in information security. Currently he is an Associate Professor in the School of Computer, South-Center University for Nationalities, People’s Republic of China. He has authored/coauthored over 40 papers in international/national journals and conferences. His current research interests include electronic commerce, internet voting, and protocol security.

JiangQing Wang was born in 1964 in the People’s Republic of China. She received her M.S. degree and Ph.D. degree in computer science and technology from Wuhan University, Wuhan, People’s Republic of China, in 1989 and 2007, respectively. From 2000 to 2001, she was a visiting scholar at Chonbuk National University, South Korea. From 2006 to 2007, she held a visiting scholar position at the University of Wisconsin in the USA. Currently she is a professor and dean of the School of Computer, South-Center University for Nationalities, People’s Republic of China. She has authored/coauthored over 50 papers in international/national journals and conferences. Her current research interests include protocol security and artificial intelligence. She has overall charge of a National Natural Science Funds of China project.