The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations. Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.

1

Deniable Messaging Under Strong Surveillance / Förnekelsebar kommunikation under hård övervakning

Johansson, Fredrik January 2018
In today’s society, people are more aware of the need for encryption to keep their private information safe. Therefore chat apps like WhatsApp and Signal are popular since they allow people to talk encrypted over instant messaging. However, normal encryption might not always be enough to keep the data safe. An adversary who can record and keep a transcript of everything a person sends over the Internet could force the person to reveal the key used for encryption and therefore know what they sent. OTPKX is a protocol that prevents this with the help of deniable encryption, by giving a user the ability to create a fake message and key to show to the adversary. This thesis continues the work to create a protocol that gives deniability against an adversary that can record everything, force both sender and receiver to reveal their keys, and also have access to both devices. The protocol proposed in this thesis uses One Time Pad for encryption and for creating fake keys. A user creates both a real message, a fake message, combines them, and sends them to the receiver. Then both users have access to the fake message and can therefore both create the same fake key. The original key used for encryption is then replaced with the fake key and the fake message is stored on the device. No evidence of the real message or key is stored, and the fake data is the same at the sender and receiver. We find that our protocol is Indistinguishability under Chosen-Ciphertext Attack and provides Integrity of Ciphertexts and therefore gives integrity and confidentiality. The protocol also gives users deniability so that they are protected against all attacker models in this thesis. The deniability could fail if an attacker has a keylogger on a user's device or if the attacker has access to a device without the user knowing about it. The proof of concept implementation showed that it is possible to implement the protocol and have the same security and deniability at the cost of some performance. The biggest performance cost was replacing the original key with the fake key, which took most of the time when encrypting and decrypting. The total time for sending a message was around 40ms on a new device and around 620ms on an older device; receiving a message also took around 40ms on a new device and around 780ms on an older device. Normal symmetric encryption takes about 1ms, which is much faster than our implementation. However, in practice we do not believe this increase in time to be noticeable.
/ In today's society, people are more aware of the importance of using encryption to protect their private information. Chat apps such as WhatsApp and Signal have therefore become more popular, since they offer the ability to encrypt every message one sends. However, this is not always enough to protect the data one sends: against an adversary who is able to store every message a user sends and who can force the user to give up the key used for encryption, normal encryption is not always enough. The OTPKX report came up with a protocol that protects the user against such an adversary with the help of deniable encryption, which gives the user the ability to create a fake key so that the adversary sees a fake message. This report builds on the OTPKX protocol to protect users against an adversary who can store every message that is sent, force both sender and receiver to give up the encryption keys, and has access to both parties' devices. The protocol in this report uses OTP for encryption and for creating fake keys. A user creates both a real and a fake message, combines them, and sends the result to the receiver. Both parties then have both the real and the fake message and can therefore create the same fake key to show the adversary. The original encryption key is replaced with the fake one, and the fake message is stored on the devices. From the results we saw that our protocols provide Indistinguishability under Chosen-Ciphertext Attack and Integrity of Ciphertexts, which means that the protocols provide integrity and confidentiality. The protocols protect users against the adversary in the report. A user's deniability can fail if an adversary installs a keylogger on the user's device or if the adversary has access to a user's device without the user knowing about it. The implementation showed that the protocol can be implemented and that it still provides the same security and deniability in practice, at the cost of performance. Replacing the original key with the fake key was the part that took the most time and degraded performance the most. The total time to send a message was about 40ms on a new device and about 620 on an older device. Receiving a message took about 40ms on a new device and about 780ms on an older device. Normal symmetric encryption takes about 1ms, which is much faster than our implementation. In practice, however, we do not consider the increase in time for our implementation to be noticeable.
2

Studies in incoercible and adaptively secure computation

Poburinnaya, Oxana 05 November 2020
Despite being a relatively young field, cryptography taught us how to perform seemingly-impossible tasks, which now became part of our everyday life. One of them is secure multiparty computation (MPC), which allows mutually distrustful parties to jointly perform a computation on their private inputs, so that each party only learns its prescribed output, but nothing else. In this work we deal with two longstanding challenges of MPC: adaptive security and deniability (or, incoercibility). A protocol is said to be adaptively secure if it still guarantees security for the remaining honest parties, even if some parties turn dishonest during the execution of the protocol, or even after the execution. (In contrast, statically secure protocols give security guarantees only when the set of dishonest parties is fixed before the execution starts.) While the adaptive security threat model is often more realistic than the static one, there is a huge gap between the efficiency of statically and adaptively secure protocols: adaptively secure protocols often require more complicated constructions, stronger assumptions, and more rounds of interaction. We improve in efficiency over the state of the art in adaptive security for a number of settings, including the first adaptively secure MPC protocol in a constant number of rounds, under assumptions comparable to those of static protocols (previously known protocols required as many rounds of interaction as the depth of the circuit being computed). The second challenge we deal with is providing resilience in the situation where an external coercer demands that participants disclose their private inputs and all their secret keys - e.g. via threats, bribe, or court order. Deniable (or, incoercible) protocols allow coerced participants to convincingly lie about their inputs and secret keys, thereby still maintaining their privacy.
While the concept was proposed more than twenty years ago, to date secure protocols withstanding coercion of all participants were not known, even for the simple case of encryption. We present the first construction of such an encryption scheme, and then show how to combine it with adaptively secure protocols to obtain the first incoercible MPC which withstands coercion of all parties.
3

Popiratelné šifrování / Deniable encryption

Šebek, Marcel January 2012
In the thesis we study deniable encryption, as proposed by Canetti et al. (CRYPTO 1997). Standard encryption schemes guarantee good security level unless the adversary is able to force the sender and/or receiver to reveal her secret knowledge. Assuming that the adversary knows the true ciphertext, the secret inputs usually commit the sender/receiver to the true plaintext. On the contrary, a deniable scheme is equipped with algorithms that provide alternative secrets which make the adversary believe that a different plaintext was encrypted. We recall the most important results in the area, in particular, the schemes of Canetti et al. (CRYPTO 1997), the scheme of Klonowski et al. (SOFSEM 2008) based on ElGamal encryption, schemes of O'Neill et al. (CRYPTO 2011), and schemes and impossibility result of Bendlin et al. (ASIACRYPT 2011). In addition to presenting known results in a unified environment, we deeply investigate simulatable-encryption based schemes. In particular, we construct a scheme that is bideniable, and both of its induced schemes are receiver-deniable (in the flexible/multi-distributional setting). We also disprove part of the results of Bendlin et al. (ASIACRYPT 2011) by showing that their construction of fully bideniable scheme is wrong. This result is verified using computer simulation....
