2009 International Conference on Advances in Recent Technologies in Communication and Computing
Sender-Side Public Key Deniable Encryption Scheme

Jaydeep Howlader, National Institute of Technology, Durgapur, India
Saikat Basu, National Institute of Technology, Durgapur, India

978-0-7695-3845-7/09 $26.00 $25.00 © 2009 IEEE DOI 10.1109/ARTCom.2009.107

Abstract—Consider a situation in which the transmission of an encrypted message is intercepted by an adversary who can later ask the sender to reveal the random choices (and also the secret key, if one exists) used in generating the ciphertext, thereby exposing the plaintext. An encryption scheme is deniable if the sender can generate a 'fake random choice' that will make the ciphertext 'look like' an encryption of a different plaintext, thus keeping the real plaintext private. Analogous requirements can be formulated with respect to attacking the receiver and with respect to attacking both parties. In this paper we propose a scheme for sender-side deniable encryption.

Keywords-deniable encryption, probabilistic encryption, quadratic residue modulo prime

I. INTRODUCTION

The traditional goal of encryption is to maintain the privacy of communicated data against passive eavesdroppers. Assume that Alice wants to communicate private information to Bob over a channel where Eve can eavesdrop. Alice obtains Bob's (public) encryption key of an asymmetric encryption scheme and uses it, together with local randomness, to encrypt her messages. Now only Bob, who possesses the decryption key, should be able to decrypt. The above encryption scheme maintains semantic security [1].

Assume that the adversary Eve has the power to approach Alice (or Bob, or both) after the ciphertext was transmitted, and demands to see all the private information: the plaintext and the random bits used for encryption. Once Alice hands over this information, Eve can verify the ciphertext, i.e., whether it was the encryption of the plaintext along with the randomness provided by Alice. Can the privacy of the communicated data still somehow be maintained in case of such an attack?

We refer to Alice as the sender, Bob as the receiver and Eve as the coercer. This paper deals with sender-side coercion. That is, the coercer asks the sender to reveal the plaintext and the secret information used for encryption. Certainly, the sender cannot keep the information secret, as he has to hand over the real cleartext and secret to the coercer. Similarly, if the coercer approaches the sender before the transmission and orders the sender to send a specific message, there is no way to disobey the coercer's order. However, the coercer does not have direct access to the sender's physical memory. So the sender may disclose some fake plaintext $m_f$ and fake randomness $r_f$ instead of the true plaintext $m$ and the randomness $r$, such that the encryption of the true message $E(m, r)$ looks like the encryption of the fake plaintext $E(m_f, r_f)$. This encryption scheme is called deniable encryption [2].

Since the coercer has no physical access to the sender's physical memory, why should the sender present any data at all? The sender may say "sorry, I have erased all the plaintext and the randomness bits that I have used". If the coercer accepts such an answer, then deniability is straightforward. In fact, there may be cases where the sender has to record all the history including the randomness, and can be punished/prosecuted by the coercer if he claims to have destroyed the evidence. This usually happens in electronic voting protocols [4] and electronic auction mechanisms [5], [6].

Standard encryption schemes do not guarantee deniability. There do not exist two different messages that may result in the same ciphertext (with any random input). In fact, encryption is often conceived of as a committing process, in the sense that the ciphertext may serve as a commitment to the plaintext.

Deniable encryption schemes can be classified into categories based on which party is coerced: a sender-side deniable scheme is resilient against coercion of the sender to produce his secret information. A receiver-side deniable scheme is analogous, but in this case the coercion is on the receiver.

This paper presents a scheme for sender-side deniable encryption based on public-key and probabilistic encryption [1] mechanisms. First, we present a scheme for single-bit deniable encryption; subsequently we extend the scheme to multi-bit deniable encryption. Finally, we present a scheme where the sender can produce a fake message $m_f$ that belongs to a valid set of messages. In fact, every communication has a particular context, and the messages that are exchanged between two parties belong to a subset of the possible message set. So, in case of coercion, the sender cannot produce an arbitrary random string as a fake message to the coercer. He has to derive the fake message $m_f$ from the message set that satisfies the context of the communication.

For example, consider an electronic voting scenario. There are three nominations A, B and C. The voter has to mark any one of them. So the valid messages are $\{MARK_A, MARK_B, MARK_C\}$. Let I be a voter and E be a coercer (an agent of candidate A). If the voter I votes for candidate C, encrypts his vote and transmits the vote over a public channel to the counting server, the coercer, who eavesdrops on the channel, captures the encrypted vote. Now the coercer E asks the voter I to disclose the original vote and the secret keys used for encryption. Even if the sender uses a deniable encryption, he cannot produce an arbitrary message as a fake message. He has to show that $m_f \in \{MARK_A, MARK_B, MARK_C\}$. In this case, his fake message should be $MARK_A$.

The deniable encryption scheme was first studied by R. Canetti et al. in [2]. In that paper the authors presented the notion of deniability and the basic mechanism to implement deniable encryption. They defined a Translucent Set and used a trapdoor function to achieve deniable encryption. In [3] Canetti and Gennaro presented a general multiparty computation with a set of players to compute a common function of their inputs to overcome the coercion. In their scheme, deniability was realized as a non-committing message. M. H. Ibrahim in [9] presented a method for sender-side deniable encryption based on public-key and uncertainty of the Jacobi Symbol. Ibrahim's scheme was not able to derive a fake message $m_f$ that belongs to a valid message set. In this paper, we present a sender-side deniable encryption scheme based on public-key and uncertainty of the Jacobi Symbol that allows the sender to present a fake message $m_f$ from a valid message set. A similar type of deniability is also present in authentication, called deniable authentication. Di and Gennaro in [7] presented some techniques for deniable authentication.

The paper is organized as follows: section 2 describes the preliminaries and the foundation of the scheme. In section 3 we present the encryption and decryption technique. Section 4 presents an informal analysis of the proposed scheme. We conclude our work in section 5.

II. PRELIMINARIES

In a standard encryption scheme the confidentiality of the data is ensured by protecting the privacy of the sender and receiver against passive eavesdroppers, but it fails to provide protection against coercers. A coercer is an adversary who has the power to approach the sender or the receiver to reveal all the random inputs and stored keys used for encryption. The coercer usually captures the transmitted messages (ciphers) and commands the sender to disclose the randomness and key along with the plaintext used in the encryption (in an asymmetric key encryption scheme), or he can command the receiver to disclose the secret key used for decryption along with the secret shared with the sender. Since the standard encryption schemes (RSA, ElGamal, DES) are one-way and one-to-one mappings from the message space to the cipher space, all the ciphers are committed; the sender cannot lie about his true plaintext and the random input. Such commitments allow coerciveness.

The deniable encryption scheme allows a party to produce a fake message $m_f$ and a random input $r_f$ such that the encryption $E(m_f, r_f)$ looks like the encryption of the true message $m$ and a random input $r$, that is, $E(m_f, r_f) = E(m, r)$. Deniable encryption provides a mechanism to escape coercion. If the coercer commands the sender to open the plaintext, the sender has the option to open the true plaintext $m$ with the random input $r$, or he can open the fake message $m_f$ with the random input $r_f$, with equal likeliness. The coercer has no way to identify whether the sender is telling the truth or lying. However, the receiver is able to decrypt the cipher correctly. The above notion of deniability is called sender-side deniability.

A. Properties of Sender-Side Deniable Encryption Protocol

A public-key encryption protocol $\pi$ is a sender-side deniable encryption if:

Correctness: The probability of the receiver's decryption differing from the sender's original message is negligible.

Security: For any two messages $(m, m_f)$ the communications for transmitting $m$ are computationally indistinguishable from the communications for transmitting $m_f$. We denote the indistinguishability as:

$$COM_\pi(m) \approx COM_\pi(m_f)$$

Deniability: Given a message $m$, a random input $r$ and a communication protocol $COM_\pi$, then the cipher $c = COM_\pi(m, r)$, and there exists a fake algorithm $\phi$ that takes as input parameters the true message $m$, the true random input $r$ and any fake message $m_f \in M$ and produces a fake random input $r_f = \phi(m, r, m_f)$ such that:

$$COM_\pi(m, r) \approx COM_\pi(m_f, r_f)$$

The deniability provides a mechanism to derive a pair $(m_f, r_f)$ such that the encryption of message $m$ with the random input $r$ according to the communication protocol $\pi$ is indistinguishable from the encryption of the message $m_f$ with random input $r_f$. Thus the coercion can be overcome by hiding the true message $m$ and disclosing the fake message $m_f$ with the random input $r_f$.
B. Quadratic Residue

The deniable encryption scheme proposed in this paper is based on the quadratic residue of a composite $n$, which is a product of two distinct primes. An integer $a \in Z_n^*$ is a quadratic residue modulo $n$ if there exists some $x \in Z_n^*$ such that $a \equiv x^2 \bmod n$. We denote this as $a \in Q_n$. Otherwise $a$ is a quadratic nonresidue modulo $n$, denoted as $a \in \bar{Q}_n$.

Let $n \ge 3$ be an odd number. The Jacobi symbol $\left(\frac{a}{n}\right)$ is defined as:

$$\left(\frac{a}{n}\right) = \begin{cases} -1 & a \in \bar{Q}_n \\ 1 & a \in Q_n \text{ with probability } \alpha < 1 \\ 0 & \gcd(a, n) > 1 \end{cases}$$

For $n$ being a product of two large primes, given an element $a \in Z_n^*$, if $\left(\frac{a}{n}\right) = 1$, it is hard to decide whether $a \in Q_n$. Whereas, if $\left(\frac{a}{n}\right) = -1$, then it is sure that $a \in \bar{Q}_n$.

If $n = p \times q$ and the two prime factors of $n$ are known then, given any $a \in Z_n^*$, if $\left(\frac{a}{n}\right) = 1$, it is easy to determine whether $a \in Q_n$. In that case $a \in Q_n$ if both $\left(\frac{a}{p}\right) = 1$ and $\left(\frac{a}{q}\right) = 1$. On the other hand, if both $\left(\frac{a}{p}\right) = -1$ and $\left(\frac{a}{q}\right) = -1$, then $a \in \bar{Q}_n$.

Let $n \ge 3$ be an odd composite number. $J_n^+$ is the set of all pseudosquares, defined as $J_n^+ = \{a \in Z_n^* \mid \left(\frac{a}{n}\right) = 1\}$. $J_n^-$ is the set of all quadratic nonresidues, defined as $J_n^- = \{a \in Z_n^* \mid \left(\frac{a}{n}\right) = -1\}$. Let $n$ be a product of two distinct primes. Then half of the elements in $J_n^+$ are quadratic residues and the other half are quadratic nonresidues. That is, if $a \in J_n^+$, then the probability of $a \in Q_n$ is $\frac{1}{2}$.
III. SENDER SIDE DENIABLE ENCRYPTION SCHEME

In this section we propose the sender-side deniable encryption scheme for a single-bit and subsequently a multi-bit message. In the scheme, the receiver's public key is $n$, a product of two prime numbers, and the private key is $(p, q)$ such that $n = p \times q$. First, we present the deniable encryption scheme for a 1-bit message. Then we extend the scheme to multi-bit messages. A single-bit message is very common in voting protocols, where the message set is {TRUE, FALSE} or equivalently {1, 0}. Let the bit to be communicated be $b_t$, called the true bit. Our scheme is based on the probabilistic encryption method [1].

A. Single Bit Deniable-Encryption Scheme

The encryption of a single bit $b_t$ is done as follows:

Encryption: Sender selects a bit stream $y$ of $k$ bits and performs the operation

$$b = b_t \oplus b_i^y \quad \text{for } 0 \le i \le k-1$$

The bit $b_t$ is recursively XORed with the $k$ bits $b_0^y, b_1^y, \ldots, b_{k-1}^y$, where $b_i^y$ denotes the $i$th bit of the bit stream $y$.

Decryption: The receiver decrypts the bit $b$ as:

$$b_t = b \oplus b_i^y \quad \text{for } 0 \le i \le k-1$$

To decrypt $b$, the receiver should know $y$ beforehand. The deniability is realized on the deniability of $y$. In this scheme we devise a technique to negotiate $y$ between the sender and receiver without any ambiguity, but the coercer can be bluffed by the sender with a false $y$.

1) How to Communicate $y$: Let $y$ be a binary stream of $k$ bits. For each bit $b_i^y$, $0 \le i \le k-1$, the sender does the following:

Method I: If the $i$th bit is 1 (i.e., $b_i^y = 1$), sender selects $t$ elements $x_j \in Z_n^*$, for $0 \le j \le t-1$, and computes $a_j \equiv x_j^2 \bmod n$.

Method II: If the $i$th bit is 0 (i.e., $b_i^y = 0$), sender selects $t$ elements such that $a_j \in J_n^+$, for $0 \le j \le t-1$.

So the representation of $y$ is

$$A_{(i,j)} = \begin{bmatrix} a_{(0,0)} & a_{(0,1)} & \cdots & a_{(0,t-1)} \\ a_{(1,0)} & a_{(1,1)} & \cdots & a_{(1,t-1)} \\ \vdots & \vdots & & \vdots \\ a_{(k-1,0)} & a_{(k-1,1)} & \cdots & a_{(k-1,t-1)} \end{bmatrix}$$

Each block of $t$ elements (in one row) is selected either by Method I or Method II. The sender knows which method is used for the selection. So the sender knows how to interpret $A_{(i,j)}$ into $y$. The sender performs the encryption as:

2) Deniable-Encryption:
i. Sender computes $A_{(i,j)}$.
ii. Sender derives the bit stream $y$ as follows:

$$b_i^y = \begin{cases} 0 & \text{if all } a_{(i,j)} \in J_n^+,\ 0 \le j \le t-1 \\ 1 & \text{if all } a_{(i,j)} \equiv x_{(i,j)}^2 \bmod n,\ 0 \le j \le t-1 \end{cases}$$

iii. Sender computes $b = b_t \oplus b_i^y$ for $0 \le i \le k-1$.
iv. The encryption is $(b, A_{(i,j)})$. Sender sends $(b, A_{(i,j)})$ to the receiver.

The receiver decrypts the bit as:

3) Correct Decryption:
i. Receiver receives $(b, A_{(i,j)})$.
ii. Receiver interprets $A_{(i,j)}$ to $y$ as follows:

$$b_i^y = \begin{cases} 0 & \text{if } \exists \text{ some } a_{(i,j)} \in \bar{Q}_n,\ 0 \le j \le t-1 \\ 1 & \text{if } \forall\, a_{(i,j)} \in Q_n,\ 0 \le j \le t-1 \end{cases}$$

iii. Receiver computes $b_t = b \oplus b_i^y$. The decryption of $b$ is $b_t$.

4) Deniability in Presence of Coercer: If there is a sender-side coercion, the sender opens $A_{(i,j)}$ dishonestly to the coercer. As all elements $a_{(i,j)} \in A_{(i,j)}$ are from $J_n^+$ and the coercer does not know the prime factors of $n$, he cannot interpret $A_{(i,j)}$. He has to believe the sender. The sender is able to convince the coercer that a bit $b_i^y = 0$, whereas the truth is $b_i^y = 1$. To do this, the sender would say that all $a_{(i,j)}$ for $0 \le j \le t-1$ are a random selection from $J_n^+$, that is, randomly selected using Method II, whereas the elements were selected using Method I. However, the sender cannot open a bit as $b_i^y = 1$ when the truth is $b_i^y = 0$. So, in case of coercion the sender would flip some odd number of 1's to 0's by dishonestly opening $A_{(i,j)}$.

B. Multi-bit Deniable Encryption

In the single-bit deniable encryption scheme, we found that a random bit stream $y$ is constructed and used for one-time padding with the true bit $b_t$ to form the cipher. The cipher contains the encrypted bit and the representation of $y$ in the form of $A_{(i,j)}$, such that any party other than the receiver extracts no information about $y$. The scheme is visualized as:
Single-bit Encryption is an XOR of the true bit with a horizontal bit vector:

$$b = b_t \oplus [\, b_i^y \ldots b_1^y \; b_0^y \,]$$

where $b_t$ is the true bit and $[\, b_i^y \ldots b_1^y \; b_0^y \,]$ represents the bit vector corresponding to $y$.

Single-bit Decryption is an XOR of the encrypted bit with a horizontal bit vector:

$$b_t = b \oplus [\, b_i^y \ldots b_1^y \; b_0^y \,]$$

where $b$ is the received encrypted bit and $[\, b_i^y \ldots b_1^y \; b_0^y \,]$ is the bit vector corresponding to $y$ that is correctly interpreted from $A_{(i,j)}$ by the receiver.

In this section we extend the single-bit deniable encryption scheme to a multi-bit deniable encryption scheme. Let $m$ be the $k$-bit message to be communicated. The bit representation of $m$ is $[\, b_{k-1}^m \ldots b_1^m, b_0^m \,]$. To encrypt the message $m$, the sender constructs a bit stream $y$ of $k$ bits. The encryption operation is the bit-wise XOR of $b_i^m$ and $b_i^y$.

1) Multi-bit Deniable Encryption:
i. Sender constructs the bit stream $y$ using Method I and Method II.
ii. Sender encrypts the message $m$ to $c$ as:

$$c = \begin{bmatrix} b_{k-1}^c \\ \vdots \\ b_1^c \\ b_0^c \end{bmatrix} = \begin{bmatrix} b_{k-1}^m \\ \vdots \\ b_1^m \\ b_0^m \end{bmatrix} \oplus \begin{bmatrix} b_{k-1}^y \\ \vdots \\ b_1^y \\ b_0^y \end{bmatrix}$$

iii. Sender sends $(c, A_{(i,j)})$ to the receiver. The matrix $A$ should have $k$ rows.

2) Multi-bit Correct Decryption:
i. Receiver receives $(c, A_{(i,j)})$.
ii. Receiver reconstructs the string $y$ from $A_{(i,j)}$.
iii. Receiver decrypts the cipher $c$ as:

$$m = \begin{bmatrix} b_{k-1}^m \\ \vdots \\ b_1^m \\ b_0^m \end{bmatrix} = \begin{bmatrix} b_{k-1}^c \\ \vdots \\ b_1^c \\ b_0^c \end{bmatrix} \oplus \begin{bmatrix} b_{k-1}^y \\ \vdots \\ b_1^y \\ b_0^y \end{bmatrix}$$

3) Multi-bit Deniability in Presence of Coercer: In case of sender-side coercion, the sender would dishonestly open $A_{(i,j)}$ such that he can flip some bits $b_i^y = 1$ to 0. So the coercer is bluffed by the sender with a different bit stream $\bar{y}$ and a fake message $m_f$. The fake message $m_f$ is constructed as $m_f = c \oplus \bar{y}$. Sender produces $m_f$ and $\bar{y}$ to the coercer.

C. Deniability with Valid Message

Sometimes it is required that the sender communicates the true message $m$ and, if he has been coerced, is able to produce a fake message $m_f$ to the coercer. That is, the fake message is not a random string but a fixed message that belongs to a valid message set. This type of deniability is very common in voting protocols. Formally, we define the deniability with valid message as: Let $m, m_f \in M_V$, a set of valid messages. The sender uses a deniable encryption $E(\cdot, \cdot)$ to communicate the message $m$ to the receiver as $(c, A_{(i,j)}) = E(m, y)$ and is able to produce a different bit stream $\bar{y}$ to the coercer such that $E(m_f, \bar{y})$ looks like $(c, A_{(i,j)})$.

1) Valid Message Deniable Encryption: Sender wants to communicate message $m$ to the receiver and, if he has been coerced, he would be able to produce $m_f$ before the coercer. Sender does the following:
i. Sender computes $m_d = m \oplus m_f$. The bit vector $m_d$ represents the bit difference between $m$ and $m_f$. That is,

$$b_i^{m_d} = \begin{cases} 1 & \text{if } m \text{ and } m_f \text{ differ in the } i\text{th bit position} \\ 0 & \text{if } m \text{ and } m_f \text{ are the same in the } i\text{th bit position} \end{cases}$$

ii. Sender selects a random bit stream $y$ as long as the message $m$. Sender computes $\tilde{y} = y \vee m_d$ ($\vee$ is the logical OR operation).
iii. Sender computes $A_{(i,j)}$ that represents the bit vector $\tilde{y}$ and computes the cipher $c$ as:

$$c = \begin{bmatrix} b_{k-1}^m \\ \vdots \\ b_1^m \\ b_0^m \end{bmatrix} \oplus \begin{bmatrix} b_{k-1}^{\tilde{y}} \\ \vdots \\ b_1^{\tilde{y}} \\ b_0^{\tilde{y}} \end{bmatrix}$$

iv. Sender sends $(c, A_{(i,j)})$ to the receiver.

2) Valid Message Correct Decryption:
i. Receiver receives $(c, A_{(i,j)})$.
ii. Receiver reconstructs the bit vector $\tilde{y}$ from $(c, A_{(i,j)})$.
iii. Receiver decrypts the cipher as:

$$m = \begin{bmatrix} b_{k-1}^c \\ \vdots \\ b_1^c \\ b_0^c \end{bmatrix} \oplus \begin{bmatrix} b_{k-1}^{\tilde{y}} \\ \vdots \\ b_1^{\tilde{y}} \\ b_0^{\tilde{y}} \end{bmatrix}$$

3) Valid Message Deniability in Presence of Coercer: If the sender is coerced, he would open $A_{(i,j)}$ dishonestly such that the encryption of $m_f$ results in $c$. Sender does the following:
i. Sender can't flip the 0 bits of $\tilde{y}$. So, if $b_i^{\tilde{y}} = 0$, sender opens it as 0.
ii. Sender would flip some of the 1 bits of $\tilde{y}$. Sender opens the $i$th bit of $\tilde{y} = 1$ as:

$$b_i^{\tilde{y}} = \begin{cases} 0 & \text{if } b_i^{\tilde{y}} = 1 \text{ and } b_i^{m_d} = 1 \\ 1 & \text{if } b_i^{\tilde{y}} = 1 \text{ and } b_i^{m_d} = 0 \end{cases}$$

That is, sender would flip the bit $b_i^{\tilde{y}} = 1$ to 0 where the $i$th bits of $m$ and $m_f$ are different.
iii. Sender opens a different bit stream $\hat{y} = \tilde{y} \wedge \overline{m_d}$ and presents $m_f$ to the coercer ($\wedge$ is the logical AND operation).
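The valid-message scheme above, run end to end as an added Python example (not code from the paper): Method I / Method II encoding of the pad, decoding with p and q, and the coerced opening ŷ = ỹ ∧ ¬m_d. The toy primes, the 8-bit ballot encodings, the function names and the coercer's check (square roots demanded for rows opened as 1, Jacobi symbol +1 for rows opened as 0) are assumptions made for the illustration.

```python
import math
import random

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n >= 3 (the Legendre symbol when n is prime)."""
    a %= n
    sign = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                sign = -sign
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            sign = -sign
        a %= n
    return sign if n == 1 else 0

def encode_pad(pad, n, t, rng):
    """Sender: one row of t elements per pad bit. Returns (A, roots)."""
    A, roots = [], []
    for bit in pad:
        row, xs = [], []
        while len(row) < t:
            x = rng.randrange(2, n)
            if math.gcd(x, n) != 1:
                continue
            if bit:                      # Method I: a = x^2 mod n, so a is in Q_n
                row.append(x * x % n)
                xs.append(x)
            elif jacobi(x, n) == 1:      # Method II: random element of J_n^+
                row.append(x)
        A.append(row)
        roots.append(xs if bit else None)
    return A, roots

def decode_pad(A, p, q):
    """Receiver: a row is 1 only if every element is a square mod p and mod q."""
    return [int(all(jacobi(a, p) == 1 and jacobi(a, q) == 1 for a in row))
            for row in A]

def xor(u, v):
    return [a ^ b for a, b in zip(u, v)]

def coercer_accepts(A, n, opened_pad, opened_roots):
    """Assumed check: 1-rows need square roots, 0-rows only need Jacobi symbol +1."""
    for row, bit, xs in zip(A, opened_pad, opened_roots):
        if bit and (xs is None or [x * x % n for x in xs] != row):
            return False
        if not bit and any(jacobi(a, n) != 1 for a in row):
            return False
    return True

def run_valid_message_demo(m, m_f, y, p, q, t=40, seed=2009):
    rng = random.Random(seed)  # seeded so the demo repeats; real use needs a CSPRNG
    n = p * q
    m_d = xor(m, m_f)                                # bits where m and m_f differ
    y_tilde = [a | b for a, b in zip(y, m_d)]        # y~ = y OR m_d
    A, roots = encode_pad(y_tilde, n, t, rng)
    c = xor(m, y_tilde)                              # sent together with A
    # Coerced opening: y^ = y~ AND NOT m_d, so only 1 -> 0 flips are claimed
    y_hat = [a & (1 - b) for a, b in zip(y_tilde, m_d)]
    opened_roots = [xs if bit else None for xs, bit in zip(roots, y_hat)]
    return {
        "decrypted": xor(c, decode_pad(A, p, q)),
        "opened_message": xor(c, y_hat),
        "coercer_accepts": coercer_accepts(A, n, y_hat, opened_roots),
        # Method II rows have no square roots, so opening every row as 1 must fail
        "zero_to_one_flip_accepted": coercer_accepts(A, n, [1] * len(y_hat), roots),
    }

# Constructed sample: 8-bit ballot encodings and toy primes (far too small for real use)
MARK_A = [0, 1, 0, 0, 0, 0, 0, 1]
MARK_C = [0, 1, 0, 0, 0, 0, 1, 1]
RESULT = run_valid_message_demo(MARK_C, MARK_A, [1, 0, 1, 1, 0, 0, 0, 1], 10007, 10009)
```

With t = 40 a Method II row is misread as 1 by the receiver with probability 2^-40, which is the (1/2)^t decoding error the paper analyses in Section IV.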
4) Justification: The encryption of the message $m$ is done by taking the bit-wise XOR with a random bit vector $\tilde{y}$ that contains the bit-difference of $m$ and $m_f$. The cipher is $c = m \oplus (y \vee m_d)$. Here we show that the encryption of $m_f$ and $\hat{y}$ results in the same cipher $c$.

$$\begin{aligned} m_f \oplus \hat{y} &= m_f \oplus ((y \vee m_d) \wedge \overline{m_d}) \\ &= m \oplus m_d \oplus (y \wedge \overline{m_d}) \\ &= m \oplus ((\overline{m_d} \wedge y) \vee (m_d \wedge \bar{y}) \vee m_d) \\ &= m \oplus ((\overline{m_d} \wedge y) \vee m_d) \\ &= m \oplus (m_d \vee y) \\ &= c \end{aligned}$$

IV. SECURITY AND PERFORMANCE

In this section we present the correctness and deniability properties of our scheme.

Correctness: The sender transmits the cipher $(c, A_{(i,j)})$ to the receiver. To decrypt the cipher the receiver has to decode $A_{(i,j)}$ to a bit stream $y = b_{k-1}^y \ldots b_1^y \, b_0^y$. The decoding is as follows:

$$b_i^y = \begin{cases} 1 & \text{if } \forall\, a_{(i,j)} \in Q_n, \text{ for } 0 \le j \le t-1 \\ 0 & \text{if } \exists\, a_{(i,j)} \in \bar{Q}_n, \text{ for } 0 \le j \le t-1 \end{cases}$$

The 1 bits are correctly decoded, as the sender uses Method I for encoding a 1 bit. But the 0 bits may be decoded wrongly with probability $(\frac{1}{2})^t$. The sender uses Method II for encoding a 0 bit. That is, a set of $t$ elements $a_{(i,j)} \in J_n^+$ is randomly selected for encoding a 0 bit. The probability that all the elements $a_{(i,j)} \in J_n^+$ are in $Q_n$ is $(\frac{1}{2})^t$. Therefore, a set of $t$ elements randomly selected by the sender using Method II would be interpreted as 1 by the receiver with probability $(\frac{1}{2})^t$. The correctness of decryption is measured with the probability $1 - (\frac{1}{2})^t$.

Security: The encryption and decryption function is simple one-time padding. The padding stream is encoded and transmitted with the cipher. The decoding of the padding string is a trap-door function that requires the two prime factors of a composite number $n$. The secret key of the receiver is $p$ and $q$, the prime factors of the public key $n$, so the receiver can decode the padding string correctly with negligible error probability. The coercer cannot factor $n$ and is unable to decode the padding stream. He has to believe the version produced by the sender.

Deniability: The deniability of the schemes presented here is based on dishonest opening of $A_{(i,j)}$. As all elements $a_{(i,j)} \in A_{(i,j)}$ are from $J_n^+$, the coercer cannot make out any information about the padding stream. Moreover, the coercer cannot factor $n$, hence cannot compute whether $a_{(i,j)} \in Q_n$ or not. So the sender can open $A_{(i,j)}$ dishonestly and produce some different message $m_f$ to the coercer.

In case of deniability with valid message, the random stream $y$ selected for padding should be sufficiently different from $m_d$. If $y = m_d$, then the encryption of $m$ would be $c = m \oplus (y \vee m_d) = m \oplus y = m_f$, that is, the fake message $m_f$. Whereas, if $y$ and $m_d$ differ in every bit position, then the encryption of $m$ would be $c = m \oplus (y \vee m_d) = m \oplus [1] = \bar{m}$. Therefore, we select the random stream $y$ such that it is sufficiently different from $m_d$ and $\overline{m_d}$. To apply the deniability with valid message, we use a set of limited valid messages $M_V$ where the messages $m \in M_V$ are sufficiently long and the $m_d$ for any two messages $m_1$ and $m_2$ is uniformly distributed.

V. CONCLUSION

Our proposed scheme for sender deniable encryption is the weakest notion of semantic security. The scheme is based on the probabilistic encryption model. The scheme enjoys the following properties:
• No pre-shared secret information is required between the sender and receiver.
• The encryption and decryption enjoy the notion of public-key mechanism.
• The probability of erroneous deciphering is $(1/2)^t$.
• The bandwidth (ciphertext length) is of the order of $O(k \times t \times \log_2 n)$ for a $k$-bit message.
• No extra computation is required for dishonest opening of $y$ in presence of coercion.
The scheme of deniability with valid message is applicable to voting and auction protocols.
REFERENCES

[1] S. Goldwasser and S. Micali: Probabilistic Encryption. Journal of Computer and System Sciences, vol. 28, pp. 270-299, 1984.
[2] Ran Canetti, Cynthia Dwork, Moni Naor and Rafail Ostrovsky: Deniable Encryption. In Crypto 97, pp. 90-104, 1997.
[3] Ran Canetti and Rosario Gennaro: Incoercible Multiparty Computation (extended abstract). In 37th IEEE Symp. on Foundation of Computer Science, pp. 504-513, 1996.
[4] Josh Benaloh and Dwight Tuinstra: Receipt-Free Secret-Ballot Elections. In 26th STOC, pp. 544-552, 1994.
[5] Masayuki Abe and Koutarou Suzuki: Receipt-Free Sealed-Bid Auction. In ISC 02, LNCS 2433, pp. 191-199, 2002.
[6] Xiaofeng Chen, Byoungcheon Lee and Kwangjo Kim: Receipt-Free Electronic Auction Schemes Using Homomorphic Encryption. In ICISC 03, LNCS 2971, pp. 259-273, 2004.
[7] Mario Di and Raimondo Rosario Gennaro: New Approaches for Deniable Authentication. In EUROCRYPT 99, pp. 112-121, 2005.
[8] M. H. Ibrahim: Receiver-Deniable Public-Key Encryption. Trans. on International Journal of Network Security (IJNS), (to appear).
[9] M. H. Ibrahim: A Method for Obtaining Deniable Public-Key Encryption. Trans. on International Journal of Network Security (IJNS), vol. 8, no. 1, pp. 1-9, Jan 2009.