Presentation is loading. Please wait.

Presentation is loading. Please wait.

On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland.

Published byBuck Sutton Modified over 9 years ago

Similar presentations

Presentation on theme: "On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland."— Presentation transcript:

1 On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland

2 Deniable Public Key Encryption [Canetti, Dwork, Naor, Ostrovsky, 97] SenderReceiver

3 Sender-Deniable Public Key Encryption [Canetti, Dwork, Naor, Ostrovsky, 97] SenderReceiver Receiver Analogous definition for Receiver-Deniable Public Key Encryption Applications: incoercibility After the fact incoercibility Adaptive Adaptive security

4 What is known? Receiver-Deniable PKE and thus Deniable PKE is impossible [Bendlin, Nielsen, Nordholt, Orlandi, 11]. Sender-Deniable encryption with weak security from standard assumptions [Canetti, Dwork, Naor, Ostrovsky, 97]. Bi-Deniable encryption in the multi-distributional model constructed by [O’Neill, Peikert, Waters, 11] [Sahai, Waters 14] achieve Sender-Deniable public key encryption from indistinguishability obfuscation (IO). – Non-black box use of underlying primitives. – Requires strong assumptions (FHE + multilinear maps).

5 Our Goal Understand minimal assumptions necessary for sender-deniable public key encryption. Necessity of non-black-box techniques. sender- deniable public key encryption simulatable public key encryption Is there a black-box construction of sender- deniable public key encryption from simulatable public key encryption?

6 Underlying primitive we consider Simulatable Public Key Encryption honestly obliviously Intuition: Can generate a public key/ciphertext honestly and claim that it was generated obliviously. “Oblivious” Why this primitive? Simulatable PKE is sufficient for related primitives: Bi-deniable encryption in the multi-distributional model [OPW11] 1/poly-secure sender-deniable encryption [CDNO97] Non-committing encryption [CFGN96].

7 Weak Sender-Deniable PKEfrom Simulatable PKE Simplification of [CDNO97] construction: Problem: Cannot lie and claim that an obliviously generated ciphertext was generated non-obliviously. Only achieves O(k) security, where k is the number of queries made by encryption. Polynomial security: Real and Fake openings can be distinguished with 1/poly advantage Super-polynomial security: Real and Fake openings can only be distinguished with negligible advantage Obliv... k ciphertexts Obliv. Obliv To encrypt a 0, set odd number of ciphertexts to oblivious. To encrypt a 1, set an even number of ciphertexts to oblivious. To deny, lie and say that an honestly generated ciphertext was generated obliviously.

8 Our Results Theorem: There is no black-box construction of sender-deniable public key encryption with super-polynomial security from simulatable public key encryption.

9 Some Proof Intuition Oracle separation: Oracle relative to which Simulatable PKE exists, Sender-Deniable PKE does not exist. Our oracle:

10 Some Proof Intuition

11

12 A First Attempt

13 Problem To encrypt a 0: 12n encryptions Obliv

14 Problem Can claim an encryption of 0 is an encryption of 1: In the process will add an arbitrary query to set of intersection queries. Obliv

15 Some Proof Intuition

16

17 Open Problems Extend impossibility result to trapdoor permutations. Extend impossibility results to multiple round encryption schemes. Construct sender-deniable public key encryption without relying on IO?

18 Thank you!

Download ppt "On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland."

Similar presentations

Quantum Software Copy-Protection Scott Aaronson (MIT) |

Quantum Software Copy-Protection Scott Aaronson (MIT) |
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme Dana Dachman-Soled University of Maryland.

A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme Dana Dachman-Soled University of Maryland.
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.

Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.

1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.
REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)

REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Muthuramakrishnan Venkitasubramaniam WORKSHOP: THEORY AND PRACTICE OF SECURE MULTIPARTY COMPUTATION Adaptive UC from New Notions of Non-Malleability Adaptive.

Muthuramakrishnan Venkitasubramaniam WORKSHOP: THEORY AND PRACTICE OF SECURE MULTIPARTY COMPUTATION Adaptive UC from New Notions of Non-Malleability Adaptive.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
How to Use Indistinguishability Obfuscation

How to Use Indistinguishability Obfuscation
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen.

Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.

Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
Nir Bitansky and Omer Paneth. Interactive Proofs.

Nir Bitansky and Omer Paneth. Interactive Proofs.
On the Practical Security of Inner Product Functional Encryption Shashank Agrawal (UIUC), Shweta Agrawal (IIT Delhi), Saikrishna Badrinarayanan (UCLA),

On the Practical Security of Inner Product Functional Encryption Shashank Agrawal (UIUC), Shweta Agrawal (IIT Delhi), Saikrishna Badrinarayanan (UCLA),

Similar presentations

Ads by Google