______PROCEEDING OF THE 20TH CONFERENCE OF FRUCT ASSOCIATION

Deniable Encryption Protocols Based on Probabilistic Public-Key Encryption

1LNROD\Moldovyan1,$QGUH\Berezin2, $QDWRO\Kornienko3,$OH[DQGHUMoldovyan1 1SaintPetersburgInstituteforInformaticsandAutomationofRussianAcademyofSciences 2SaintPetersburgElectrotechnicalUniversity”LETI” 3PetersburgStateTransportUniversity St.Petersburg,RussianFederation [email protected],[email protected],{kaa.pgups,maa1305}@yandex.ru

Abstract—The paper proposes a new method for designing where P is a public key. At time of the coercive attack the deniable encryption protocols characterized in using RSA-like sender of the message can open a fake message m with another probabilistic public-key encryption algorithms. Sender-, receiver-, random value r =r such that c = EP (m, r ). The fake random and bi-deniable protocols are described. To provide bi-deniability value r can be computed with some faking algorithm FP , in the case of attacks perfored by an active coercer stage of entity parametrized with the public-key value P. The algorithm FP authentication is used in one of described protocols. is considered as a part of the DE scheme. Its input is the pair (c, m), i.e. r = FP (c, m). The fake message can be I. INTRODUCTION selected arbitrary at time when the sender and/or the receiver The regular encryption schemes provide very high security of the ciphertext are coerced. Examples of such design of against known-plaintext and chosen text attacks, therefore they the DE protocols are presented in papers [12], [13]. In that are widely used to protect information sent via telecommuni- protocols the secret message is encrypted consecutively bit by cation channels from unauthorized access. However, in real bit. Besides, each bit is sent in form of large pseudo-random world sometimes an adversary (coercer) has power to force a number having size more than 1000 bits. user to open encryption keys. Such attacks are called coercive. To provide security against such attacks it was introduced Present paper proposes a novel design of flexible public- notion of deniable encryption (DE) [1]. The DE schemes key DE protocols in which the message is transformed as a sin- are classified according to which party of the communication gle data block that provides significantly higher performance. session may be coerced: sender-deniable, receiver-deniable, Besides, the proposed protocols provide simple and very sender- and receive-deniable (bi-deniable) schemes in which fast procedure (performing only one modulo multiplication coercer attacks the sender, the receiver, and the both parties, operation) for computing the fake random input (which plays correspondingly. There are also considered shared-key DE pro- role of the local encryption key) connected with the fake tocols [2] and public key ones [2], [3]. Practical applications message. The main feature of the proposed design is com- of the DE protocols relate to prevention of the vote buying in bining probabilist public-key encryption with the commutative the internet-voting systems [4], [5], to providing secure multi- encryption, the last being implemented without exchanging party computations [6], and to providing information secrecy encryption keys (called local keys). The random values are with practical methods of the public-key deniable encryption generated independently of the secret and fake messages, [7], [8], [9], [10]. therefore they are not saved in computer memory. The role Resistance of the DE protocols to coercive attacks is of the random values used while performing the public-key provided due to potential possibility to decrypt the ciphertext encryption consists only in randomizing the ciphertexts. Due to c in different ways. The receiver can open the secret message such destination of the random values and due to lack of their t, but when being coerced he opens the fake message m. connection with messages (secret and fake ones) it is supposed It should be mentioned the issue about time at which the that at time of coercive attack the coercer demands opening attacked parties have to decide on the fake message. In the the source message, the secret and private keys, including the plan-ahead DE protocols the fake message is selected at local keys, but not values of the randomization parameter of time of encryption. There are known practical public-key DE the probabilistic public-key encryption algorithm. schemes [11] and shared-key DE ones [2] in which the fake message is fixed and selected before or during the encryption The paper organized as follows. Section 2 describes the process. From theoretic point of view the flexible DE protocols commutative encryption algorithm and RSA-like public-key represent significant interest, in which the fake massage can encryption algorithms used in the proposed DE protocols. be selected arbitrary at time of the coercive attack. Section 3 describes the sender-deniable, receiver-deniable, and Possibility of the alternative decryption in the flexible sender&receiver-deniable protocols in which the fake message public-key DE protocols is connected with using a random is selected at time of attack. Section 4 describes a bi-deniable value r when encrypting the secret message t. The public-key plan-ahead DE protocol. Section 5 presents discussion. Section encryption can be represented with the formula c = EP (t, r), 6 concludes the paper.

ISSN 2305-7254 ______PROCEEDING OF THE 20TH CONFERENCE OF FRUCT ASSOCIATION

II. ENCRYPTION ALGORITHMS USED IN FRAME OF THE The RSA cryptoscheme [15] is used for performing the public PROPOSED DE PROTOCOLS encryption with Bob’s public key (nB,eB) that is generated simultaneously with his private key dB as follows. Bob selects A. Commutative encryption two strong [16] primes p and q having large size (for example, If some encryption function E satisfies the following 1024 bits). Then it is computed the value nB = pq and selected condition a random number eB (of comparatively small size,for example, EK [EQ(M)] = EQ[EK (M)], 32 bits) that is relatively prime to Euler phi function values φ(nB)=(p−1)(q−1) and φ(π)=π−1. The private key dB is where K and Q are encryption keys and M is some plaintext, −1 calculated as number dB = eB mod (p − 1)(q − 1)(π − 1). then it is called a commutative encryption function. Commu- Probabilistic public-key encryption of some message M (such tative encryption is used in Shamir’s no key protocol (also that M

If the used encryption function E is secure to the know 1) To send the secret message M, where M

−1 eB C3 =((C2K mod nB)||ρ) mod nBπ = B. RSA-like public encryption algorithm eB =((MQ mod nB)||ρ) mod nBπ} To perform probabilistic public-key encryption we will use a modification of the RSA algorithm [15] in which it is and sends the value C3 to Bob. specified a prime π =2μ+1, where μ is equal to the following Bob decrypts the ciphertext C3 :(MQ mod 128-bit prime number d nB)||ρ =(C3) B mod nBπ and discloses the secret −1 338507469684516321177847385852415861521. message M as follows: M =(MQ mod nB)Q mod nB.

------285 ------______PROCEEDING OF THE 20TH CONFERENCE OF FRUCT ASSOCIATION

1) To send the secret message M, where M

K ←$ ZnA Fig. 1. Flexible sender-side deniable public-key encryption protocol gcd(K, nA)=1 C1 = MK mod nA

The protocol resists the sender-side coercive attack at C1 which it is supposed that some coercer intercepts the cipher- Q ←$ Z texts C1,C2, and C3 sent during the communication session nA and after termination of the protocol he forces Alice to open gcd(Q, nA)=1 the secret message and her local key. When being coerced C2 = C1Q mod nA Alice chooses some fake message M such that M

------286 ------______PROCEEDING OF THE 20TH CONFERENCE OF FRUCT ASSOCIATION

nA for which the following inequality holds M K Q mod Alice Bob nB = MKQ mod nB. However for the coercer it is compu- tationally infeasible to disclose Bob’s lie because of the prob- K ←$ ZnB abilistic encryption performed at step 2. Indeed, the ciphertext gcd(K, nB )=1 C2 depends on the random value ρ, therefore to demonstrate C = MK mod nB M K Q nB MKQ nB inequality mod = mod one should eB 128 ∗ C1 =(C||ρ) mod nB π to compute 2 different values C2 =((M K Q mod eB nB)||ρ) mod nBπ to show that for all possible values of C1 ∗ the parameter ρ it always holds the inequality C2 = C2. dB C||ρ = C1 mod nB π Thus, the described protocol in receiver-deniable one and Q ←$ Zn its resistance to coercive attack has the same order as compu- B n . gcd(Q, nB )=1 tational difficulty of the problem of factoring modulus A C2 = CQ mod nB C C ||ρ eA C. Sender&receiver-side public key DE protocol 2 =(( 2) ) mod nAπ In the proposed sender-side and receiver-side public-key C DE protocol there are used public keys of both the sender 2 and the receiver (fig. 3), i.e. Alice’s public key (nA,eA) and C2||ρ =(MKQ mod nB )|| Bob’s public key (nB,eB) that satisfy the condition nA >nB. ||ρ C dA n π The proposed DE scheme represents a three-pass protocol =( 2) mod A −1 described as follows. C3 = C2K mod nB = = MQ mod nB 1) To send the secret message M, where M

eB eB mod nB π C1 =(C||ρ) mod nBπ =((MK mod nB)||ρ) mod nBπ. C3 Then she sends the ciphertext C1 to Bob. (MQ mod nB ) ||ρ = 2) Using his private key dB Bob decrypts the ciphertext C1: dB dB =(C3) mod nB π C||ρ = C1 mod nBπ, generates a random value Q

Then he sends the value C2 to Alice. flexible DE protocols [17], [18] that provide possibility to 3) Alice decrypts the ciphertext C2 : C2||ρ =(MKQ mod dA select arbitrary fake messages. Bi-deniability in the sense of nB)||ρ =(C2) mod nAπ, where dA is Alice’s private key. resistance to attack at which sender and receiver are coerced Then she computes the ciphertext simultaneously is provided with the plan-ahead public-key DE −1 C3 = C2K mod nB = MQ mod nB protocols described in papers [11], [3]. and To provide resistance to the attack in which sender and eB receiver are coerced simultaneously as well as to active coer- C3 =(C )||ρ) mod nBπ = 3 cive attacks we propose the plan-ahead public-key DE scheme MQ n ||ρ eB n π (( mod B) ) mod B described in next section. and sends the last value to Bob.

Bob decrypts the ciphertext C3 : IV. PLAN-AHEAD PUBLIC-KEY DE PROTOCOL dB (MQ mod nB) ||ρ =(C3) mod nBπ and discloses the −1 Suppose Alice and Bob are users of the RSA cryptosystem; secret message M as follows: M =(MQ mod nB)Q mod the pair of numbers (nA,eA) is Alices public key; dA is her nB. private key; (nB,eB) is Bobs public key; dB is his private key. This protocol combines the protocols from Subsections 3.1 Besides, Alices and Bobs public keys are such that the numbers and 3.2 and it is easy to see that the last protocol resists the PA =2nA +1 and PB =2nB +1 are primes and order of sender-side and the receiver-side coercive attacks. However the number 7 is equal to 2nA or nA modulo PA and is equal one should indicate that it does not resist attack at which to 2nB or nB modulo PB. Earlier primes with such structure Alice and Bob are coerced simultaneously since in this case were used in papers [19], [20]. To provide secure transmission they have to select the same fake message, otherwise their lie of the secret message from Alice to Bob they can use the DE will be evident to the coercer. This is a common problem for protocol that includes the following steps (see fig. 4 in which

------287 ------______PROCEEDING OF THE 20TH CONFERENCE OF FRUCT ASSOCIATION

the steps of generation and verification of digital signatures Alice Bob are omitted): 512 kA ←$ {0, 1} 1) Alice selects a 512-bit random value kA and computes R kA P k A =7 mod B RA =7A mod PB and sends the value RA to Bob as her R random choice. A k 512 2) Bob selects a 512-bit random number B, calculates the kB ←$ {0, 1} R kB P S value B =7 mod B and his signature B to the sum kB RB =7 mod PB (RA + RB mod nB): RB dB SB =(RA + RB) mod nB. Z RkA P Then he transmits the values RB and SB to Alice. A = B mod B V = TZA mod nB , 3) Alice verifies validity of Bobs signature to the value eB C1 =(M + V ) mod nB (RA+RB mod nB). If the signature SB is false she terminates C V eB n the protocol. If the signature SB is valid, she computes her 2 = mod B S R R n signature A to the value ( A + B mod B): C1,C2

dA SA =(RA + RB) mod nA. kB ZB = RA mod PB Then Alice select a fake message M, calculates the values dB V = C2 mod nB Z RkA P ,V TZ n , −1 A = B mod B = A mod B T = VZB mod nB eB eB C1 =(M + V ) mod nB,C2 = V mod nB.

Then Alice sends the ciphertext (C1,C2) and signature SA to Fig. 4. Flexible receiver-side deniable public-key encryption protocol Bob.

4) Bob verifies validity of Alices signature to the value features flexibility of the DE protocols has been provided (RA +RB mod nB). If the signature SA is false he terminates S together with the super-polynomial security against sender-side the protocol. If the signature A is valid, he computes the and receiver-side coercive attacks. Comparing the proposed DE values protocols with the flexible DE scheme from papers [12], [21], kB dB ZB = RA mod PB; V = C2 mod nB. [22] one can conclude that the first are more practical. Then Bob computes the value The protocols from Section 3 do not resist simultaneous coercion of the both parties of the communication session, i.e. T VZ−1 n = B mod B the protocol from Subsection 3.3 is not fully bi-deniable. To that is equal to T , i.e. he discloses the secret message T sent provide full bi-deniability in the DE protocol from Section by Alice. 4 it is used selection of the fake message at moment of performing the protocol. To provide resistance to active attacks This protocol performs correctly. Correctness proof is as of the potential coercer that protocol includes operations of follows:  the mutual entity authentication. If a party of the protocol is kB kAkB unable to confirm its validity the other party terminated the ZB ≡ RA ≡ 7 mod PB ⇒ ZB ZA ⇒ k1 kB kA = process of performing the protocol. At steps 2 and 3 Alice ZA ≡ RB ≡ 7 mod PB −1 −1 verifies validity of Bob and at steps 3 and 4 Bob verifies T ≡ VZB ≡ VZA ≡ validity of Alice. Actually, the active coercer is detected before −1 ≡ TZAZA ≡ T mod nB performing procedures connected directly with the deniable ⇒ T ≡ T. encryption. Thus, security of the proposed protocol against active V. D ISCUSSION attacks is provided due to performing the authentication stage. Alice sends the ciphertext to Bob only after his proving ability A particular design feature of the protocols described in to sign correctly the value RA + RB mod nB that depends on Section 3 is using commutative encryption function, like in Alices random choice RA. Correspondingly, Bob decrypts the the well known three-pass no-key protocols. Like in the lasts, ciphertext only after Alices proving her authenticity with her in the proposed DE protocols the commutative encryption valid signature to the value RA + RB mod nB that depends is performed with local keys selected by each party of the on Bobs random choice RB. communication session independently. The local keys play the role of input randomness of the DE scheme which should Besides serving as random requests, the values RA and RB be computed to provide relation of the selected fake message are used by Alice and Bob to perform a hidden public key with the ciphertexts send during the communication session. agreement procedure that allows them to compute the single- Other significant feature of the proposed three-pass public-key use shared key Z, the last being applied to encrypt the secret DE protocols is performing probabilistic public-key encryption message T. Actually, the values RA and RB are computation- providing randomization of the ciphertexts that restricts signif- ally indistinguishable from uniformly random ones, therefore icantly possibilities of the coercer. Due to these two design attacker is unable to show that these values play the role of the

------288 ------______PROCEEDING OF THE 20TH CONFERENCE OF FRUCT ASSOCIATION

single-use public keys computed depending on some single- of exchanging the single-use public keys. The lasts are used use private keys kA and kB, correspondingly. The masked to mask the ciphertext containing the secrete message. single-use public keys RA and RB are used for computing the single-use shared key Z = ZA = ZB. In its turn the single-use REFERENCES shared key Z is applied to compute some pseudo-random value V TZ n T [1] R. Canetti, C. Dwork, M. Naor, and R. Ostrovsky, “Deniable encryp- = mod B that contains the secret message and is tion”, in Proc. Adv. in Cryptol.–CRYPTO’97, vol. 1294, 1997, pp. 90- used for randomizing the encryption of the fake message M. 104. At time of bi-side simultaneous coercive attack Alice and [2] A.A. Moldovyan, N.A. Moldovyan, D.N. Moldovyan, V.A. Shcherba- cov, “Stream Deiable-Encryption Algorithm Satisfying Criterion of Bob have possibility to declare plausible about their using the the Computational Indistinguishability from Probabilistic Ciphering”, following probabilistic public-key encryption algorithm: Comput. Sci. J. of Moldova, vol. 24, no. 1, 2016, pp. 68-82. W [3] N.A. Moldovyan, A.A. Moldovyan, V.A. Shcherbacov, “Generating Cu- 1) Generate a random number , bic Equations as a Method for Public Encryption”, Buletinul Academiei 2) Encrypt the message M as fallows: de Stiinte a Republicii Moldova. Matematica, vol. 79, no. 3, 2015, pp. e 60-71. C1 =(M + W ) 2 mod n2, [4] B. Meng, “A secure internet voting protocol based on non-interactive e2 deniable authentication protocol and proof protocol that two ciphertexts 3) Encrypt the value W as fallows: C2 = W mod n2. are encryption of the same plaintext”, J. of Netw., vol. 5, 2009, pp. 370- It can be potentially selected the value W such that W = V, 377. therefore the associated probabilistic encryption algorithm can [5] B. Meng, J. Wang, “An efficient receiver deniable encryption scheme potentially generate the ciphertext produced by the public-key and its applications“, J. of Netw., vol. 6, 2010, pp. 683-690. DE protocol. [6] Y. Ishai, E. Kushilevitz, R. Ostrovsky, M. Prabhakaran, A. Sa- hai, “Efficient non-interactive secure computation”, Adv. in Cryptol.– At time of coercive attack Bob opens to coercer both the EUROCRYPT 2011, vol. 6632, 2011, pp. 406-425. message M and his private key dB. However the coercer [7] A. ONeill, C. Peikert, B. Waters, “Bi-deniable public-key encryption”, can open only the randomization parameter V that connects in Adv. in Cryptol.–CRYPTO 2011,, vol. 6841, 2011 pp. 525-542. [8] B. Meng, J. Wang, “A receiver deniable encryption scheme”, in Int. plausible the fake message M and the ciphertext (C1,C2). Symp. on Inf. Proc. (ISIP09), 2009, pp. 254-257. For an arbitrary plaintext T there exists a single-use key Z V T Z n . [9] M. Klonowski, P. Kubiak, and M. Kutylowski, “Practical deniable such that = mod B To disclose the secret message encryption”, in SOFSEM 2008: Theory and Pract. of Comput. Sci., coercer need to know at least one of the values kA and kB, i.e. 2008, pp. 599-609. he should compute the discrete logarithm log7 R1 mod PB or [10] M.H. Ibrahim, “Receiver-deniable public-key encryption”, Int. J. of log7 RB mod PB. It is supposed Alice and Bob generate their Netw. Secur., vol. 2, 2009, pp. 159-165. public keys so that the primes PA and PB have sufficiently [11] A.A. Moldovyan, N.A. Moldovyan “Practical Method for Bi-Deniable large size: more than 1024 bits (2500 bits) in the case of Public-Key Encryption”, Quasigroups and related systems, vol. 22, providing 80-bit (128-bit) resistance to simultaneous bi-side 2014, p. 277-282. coercive attack. One soul note that the number PB −1 contains [12] M.T. Barakat, “A New Sender-Side Public-Key Deniable Encryption p q Scheme with Fast Decryption”, KSII T Internet Info, vol. 8, no. 9, 2014, large prime factors (numbers and ), and number 7 has a pp. 3231-3249. large order ω (ω ≥ pBqB) for arbitrary values pB and qB ω [13] M.H. Ibrahim, “A method for obtaining deniable public-key encryp- with probability very close to 1. Due to large value , the tion”, Int. J. of Netw. Secur., vol.1, 2009, pp. 1-9. discrete logarithm problem is computationally difficult and it [14] A. J. Menezes, P. C. Van Oorschot, S. A. Vanstone, Handbook of applied is supposed the coercer is not able to find discrete logarithms cryptography, CRC press, 1996. modulo PB. [15] R.L. Rivest, A. Shamir, L.M. Adleman, “A Method for Obtaining Digital Signatures and Public Key Cryptosystems”, Comm. of the ACM, vol. 21, 1978, pp. 120-126. VI. CONCLUSION [16] J. Gordon, “Strong primes are easy to find’, in Proc. Adv. in Cryptol.– There have been proposed flexible sender-side, receiver- EUROCRYPT 84, 1984. pp. 216-223. side, and sender&receiver-side DE protocols that are very [17] D. Dachman-Soled “On minimal assumptions for sender-deniable public attractive from practical point of view due to their pro- key encryption”, LNCS, vol. 8383, 2014, pp. 574-591. viding super-polynomial resistance to coercive attacks and [18] D. Dachman-Soled “On the impossibility of sender-deniable public key encryption”, IACR Cryptol. ePrint Archive, 2012:727, 2012. comparatively high performance. The proposed design can be [19] N.A. Moldovyan, “An approach to shorten digital signature length’, potentially extended on the case of combining the commutative Comput. Sci. J. of Moldova, vol. 14, no. 3(42), 2006,pp.390-396. functions with probabilistic public-key encryption based on [20] A.A. Moldovyan , N.A. Moldovyan, V.A. Shcherbacov, “Short signa- computational difficulty of the discrete logarithm problem on tures from difficulty of the factoring problem’, Buletinul Academiei de an elliptic curve. This case will give potentially exponential Stiinte a Republicii Moldova. Matematica, no. 2(72)-3(73), 2013, pp. resistance to coercive attack. Besides, this research direction 27-36. can give DE protocols more suitable for using standard public- [21] A. Sahai, B. Waters, “How to use indistinguishability obfuscation: De- key infrastructure, like plan-ahead public-key DE protocol niable encryption and more”, IACR Cryptol. ePrint Archive, 2013:454, 2013. introduced in paper [23]. [22] D. Markus, D.M. Freeman, “Deniable encryption with negligible detec- It has been also proposed fully bi-deniable public encryp- tion probability: An interactive construction”, in Proc. Adv. in Cryptol.– tion protocol with plan-ahead fake message, which is secure EUROCRYPT 2011, 2011, vol. 6632, pp. 610-626. against active attacks. The last DE scheme includes steps [23] N.A. Moldovyan, A.N. Berezin, A.A. Kornienko, A.A. Moldovyan, “Bi- deniable public-encryption protocols based on standard PKI”, in Proc. of the entity mutual authentication in frame of which the 18th FRUCT ISPIT Conf., April 2016, pp. 212-219. parties of the protocol they hide execution of the procedure

------289 ------