2015-05-17 102K 102 0 0

##### Description

1 No1 May 2009 668 SenderSide Public Key Deniable Encryption Scheme Jaydeep Howlader and Deepa Naik 1 National Institute of Technology Information Technology Department India Durgapur Email jaydeephowladrenitdgpacin 2 National Institute of Technolo ID: 68415

**Embed code:**

## Download this pdf

DownloadNote - The PPT/PDF document "SHORT PAPER International Journal of Rec..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

## Presentations text content in SHORT PAPER International Journal of Recent Trends in

Page 1

SHORT PAPER International Journal of Recent Trends in Engineering, Vol. 1, ,No.1 , May 2009 668 Sender-Side Public Key Deniable Encryption Scheme Jaydeep Howlader and Deepa Naik 1 National Institute of Technology, Information Technology Department, India, Durgapur Email: jaydeep.howladre@nitdgp.ac.in 2 National Institute of Technology, India, Durgapur Email: deepasavant@rediffmail.com Abstract Consider a situation in which the transmission of encrypted message is intercepted by an adversary who can later ask the sender to reveal the random choices (and also the secrete key, if one exists) used in generating the cipher text, thereby exposing the plai ntext. An encryption scheme is deniable if the sender can generate `fake random choice` that will make the cipher text `look like` an encryption of a different plaintext, thus keeping the real plaintext private. Analogous requirements can be fo rmulated with respect to attacking the receiver and with respect to attacking both parties. In this paper we propose a scheme for the sender side deniable encryption. Index Terms —deniable encryption, public key encryption, quadratic residue, probabilistic encryption I. NTRODUCTION The traditional goal of encryption is to maintain the privacy of communicated data against passive eavesdroppers. That is, assume that Alice wants to communicate private informati on to Bob over a channel where Eve can eavesdrop. A lice obtain Bob's (public) encryption key of an asymme tric encryption scheme and uses it, together with local randomness, to encrypt her messages. Now only Bob, wh o possesses the decryption key, should be able to decrypt. The above encryption scheme maintains the semantic security [1]. We investigate the additional properties required to protect the privacy of transmitting data in yet another hostile setting. Assume that the adversary Eve has the power to approach Alice (or Bob, or both) after the ciphertext was transmitted, and demands to see all the private information: the plai ntext, the random bits used for encryption and keys that Alice (or Bob) has. Once Alice hands over this information, Eve can verify that the plaintext and randomness provided by Alice indeed matche with the transmitted ciphertext. Can the privacy of the communicated data be still somehow maintained, in case of such an attack? We refer Alice as sender, Bob as receiver and Eve as coercer. In this paper we concentrate on the case where coercer attacks only on the sender in the above way. Certainly, if sender must have to handover real cleartext and random bits to the coercer then no protection is possible. Also if coercer approaches to the sender before the transmission and orders the sender to send specific message, there is no way to hide information. However, coercer has no direct phys ical access to the sender's physical memory, and sender is allowed to handed over some fake plaintext and fake randomness to the coercer, instate of the true plaintext and the randomness , such that th e encryption of the true message looks like , the encryption of the fake message. This encryption scheme is called deniable encryption [2]. It is obvious that the coercer has no physical access to the sender 's physical memory, then why should sender present any data at all or sender may say “sorry, I have erased all the plaintext and the randomness bits that I have us ed”. If coercer accepts such an answer, then deniability is straight forward. In fact, there are many cases where se nder is required to record all her history including the randomness, and can be punished or prosecuted if he claims to have destroyed the “evidence” by the coercer. This usually happens in the electronic voting protocols [3] and electronic auction mechanism [4], [5]. Standard encryption schemes do not guarantee deniability. There don`t exist two different messages that may result in the same ciphertext (with any random input). In fact, encryption is often considered of as a committing process, in the se nse that the ciphertext may serve as a commitment to the plaintext. Deniable encryption scheme can be classified on the basis of which party may be coerced: a sender-deniable scheme is resilient against coercing of the sender to produce his secret information. Receiver-de niable is analogous to the sender-deniability. In this paper we propose a sender- deniable public-key encryption scheme based on the probabilistic encryption [1]. The scheme describes a method of encryption single bit information. We also present the notion of secrecy and the bandwidth overhead. A similar type of deniability is also present in the authentication called deniable authentication. Mario Di and Raimondo Rosario Gennaro in [6] presented some techniques for deniable authentication. Ibrahim in his [7] presented a technique for receiver-deniability. The paper is organized as follows: the section 2 describes the preliminaries and the foundation of the scheme. In section 3 we present the encryption and decryption technique. Section 4 presents an informal analysis of the proposed scheme. We conclude our work in the section 5. An sort example and explanation is presented in the Appendix I 2009 ACADEMY PUBLISHER

Page 2

SHORT PAPER International Journal of Recent Trends in Engineering, Vol. 1, No.1 , May 2009 669 II. RELIMINARIES In a standard encryption scheme the confidentiality of the data is ensured by protecting the privacy of the sender and receiver against passive eav esdroppers, but it fails to provide protection against coercers. A coercer is an adversary, who has the power to approach the sender or the receiver to order them to reveal all the random inputs and stored keys used for encryption. The coercer usually captures the transmitted messages (ciphers) and commands the sender to disclose the randomness, key along with the plaintext used in the encryption (in an asymmetric key encryption scheme), or he can command the receiver to disclose the se cret key used for decryption along with the shares secret with the sender. Since the standard encryption schemes (RSA, ElGammal, DES) are one-way and one-to-one mapping from the message space to the cipher space , all the ciphers are committed, the sender cannot lie about his true plaintext and the random input. Such commitments allow coerciveness. The deniable encryption scheme allows a party to produce a fake massage and a random input such that the encryption of looks like the encryption of the true message and a random input , that is, . The deniable encr yption provides a mechanism to escape coercion . If the coercer commands the sender to open the plaintext, sender has the option to open the true plaintext with the random input or he can open the fake message with the random input with equally likely. The coercer has no way to identify whether sender is true or lie. However, the receiver is able to decrypt the cipher correctly. The above notion of deniability is called sender side deniability. A. Properties of Sender-S ide Deniable Encryption Protocol A public-key encryption protocol is a sender-side deniable encryption if. Correctness The probability of the receiver's decryption differs from the sender's original message is negligible. Security For any two message pair and the communications for transmitting m are computationally indistinguishable from the communications for transmitting . We denote the indistinguishably as: ) Deniability Given a message , a random input and a communication protocol , where the cipher is derived as then there exists a fake algorithm that takes the input parameters as the true message , the true random input and any fake message and produces a fake random , that is, such that: ) The deniability provides a mechanism to derive a pair such that, the encryptio n of message with the random input according the communication protocol is indistinguishable from the encryption of the message with random input . Thus the coercion can be overcome by hiding the true message and disclosing the fake massage with the random input . B. Quadratic Residue The deniable encryption scheme proposed in this paper is based on the quadratic residue of a composite , which is a product of two distinct primes. An integer is a quadratic residue modulo n, if there exists some such . We denote . Otherwise a is quadratic nonresidue modulo n and denoted as . Let be odd number, the Jacobi symbol is defined as: For n is a product of two large primes, given an element , then it is a hard problem to decide whether . Whereas, if , then it is sure that . If and the two prime factors of are known then, given any , and , it is easy to determine whether . In that case if both and . On the other hand, if both and , then . Let be an odd composite number is the set of all pseudosquares and defied . is the set of all quadratic nonresidues and defined as . Let n is a product of two distinct primes. Then half of the elements in are quadratic residues and other half are quadratic nonresidues. That is, if then the probability of is . III. ENDER IDE ENIABLE NCRYPTION CHEME In this section we are going to propose a sender side deniable encryption scheme. The scheme realizes the receiver's public key is , a product of two prime numbers and the private key is such that . The encryption scheme is used to encrypt a single bit . Our scheme is based on probabilistic encryption method [1]. The encryption of a single bit is done as follows: Encryption: Sender selects a bit stream of bits and performs the operation The bit is recursively with bits , where denotes the bit of the bit stream . 2009 ACADEMY PUBLISHER

Page 3

SHORT PAPER International Journal of Recent Trends in Engineering, Vol. 1, No.1 , May 2009 670 Decryption The receiver decrypts the bit as: To decrypt , the receiver should know beforehand. The deniability is realized on the deniability of . In this scheme we device a technique to negotiate between the sender and receiver withou t any ambiguity, but the coercer can be bluffed by the sender with false . Let is a binary stream of bits. For each bit the sender does the following: Method I: If the bit is 1, that is, Sender selects number of elements , for 0 and computes . Method II: If the bit is 0, that is, Sender selects number of elements , for 0. So the representation of is: each block of elements are selected either by Method I r Method II . The sender knows which method is used for the selection. So sender knows how to interpret into . The sender performers the encryption as: Sender computes Sender derives the bit stream as follows: if all if all Sender computes for . The encryption is . Sender sends to the receiver. The receiver decrypts the bit as: Receiver receives Receiver interprets to as follows: if there exists some if all Receiver computes . IV. ECURITY AND ERFORMANCE In this section we present the correctness and deniability property of our scheme. Correctness: We claim that the receiver interprets correctly. Receiver interprets the block of elements either as bit 0 or bit 1. If the block of elements are selected by Method I then all the elements are from . Whereas, if the block of elements are selected by Method II then the probability of being all elements are from is . So the probability of being at least one element in is . Deniability: In case of coercion the sender dishonestly disclose to th e coercer. As all elements are from and coercer does not know the prime factors of , he cannot interpret . He has to belief on the sender. The sender is able to convince the coercer that a bit , whereas the truth is . To do this, the sender would say that all for are random selection from , that is, using Method II . However, sender cannot opens a bit , whereas the truth . So, in case of coercion the sender would flip some odd numbers of ‘1’ bits to ‘0 bits by dishonestly opening . The example in the Appendix I explains the scheme. V. ONCLUSION Our proposed scheme for sender deniable encryption is the weakest notion of semantic security. The scheme is based on probabilistic encryption model. The scheme enjoys the following properties: No pre-shared secret in formation is required between the sender and receiver. The encryption and decryption enjoys the notion of public-key mechanism. The probability of erroneous deciphering is . So, with t > 10 the probability of error is less than 0:00097 The bandwidth (ciphertext length) is of the order of . No extra computation is required for dishonest opening of in presence of coercion. The scheme proposed a technique for one bit of deniable encryption. However, this scheme can be extended for multiple bit deniable encryptions. PPENDIX I Let , and . We assume that is an eight bit binary stream. We also consider that a block of four elements repr esents one bit. Therefore, is a sequence of numbers from the set . Let . To represent in the form of , sender perform the following: Sender encrypts th e bit as , where 2009 ACADEMY PUBLISHER

Page 4

SHORT PAPER International Journal of Recent Trends in Engineering, Vol. 1, No.1 , May 2009 671 and is: , Sender sends to the receiver . Receiver interpreters as follows: So, receiver correctly interprets and decrypts the bit as . However, the sender may open dishonestly to the coercer by saying as: So, coercer interprets and decrypts as . Sender has flipped odd number of ‘1’ to ‘0’ and able to make a bluff on the bit . REFERENCES [1] S. Goldwasser and S. Micali: Probabilistic Encryption. Journal of Computer and System Sciences , vol 28, pp-270-299, 1984. [2] Ran Canetti, Cynthia Dwork , Moni Naor and Rafail Ostrovsky: Deniable Encryption , In Crypto 97, pp-90.104 1997, [3] Josh Benaloh and Dwight Tuinstra: Receipt-Free Secret-Ballot Elections. In 26 th STOC, pp 544-552, 1994 [4] Masayuki Abe and Koutarou Suzuki: Receipt-Free Sealed-Bid Auction In ISC 02, LNCS 2433, pp 191-199, 2002 [5] Xiaofeng Chen, Byoungcheon Lee and Kwangjo Kim: Receipt- Free Electronic Auction Schemes Using Homomorphic Encryption In ICISC03, LNCS 2971, pp 259-273, 2004 [6] Mario Di and Raimondo Rosario Gennaro: New Approaches for Deniable Authentication. In EUROCRYPT 99 , pp 112.121, 2005 [7] M. H. Ibrahim: Receiver-Deniable Public-Key Encryption. Trans. On International Journal of Network Security (IJNS) , to appear. 2009 ACADEMY PUBLISHER