The use of the well known provably secure public-key cryptoscheme by Rabin is extended for the case of the deniable encryption. In the proposed new sender-deniable encryption scheme the cryptogram is computed as coefficients of quadratic congruence, the roots of which are two simultaneously encrypted texts. One of the texts is a fake message and the other one is a ciphertext produced by public-...

Deniable encryption (Canetti et al. CRYPTO ’97) is an intriguing primitive that provides a security guarantee against not only eavesdropping attacks as required by semantic security, but also stronger coercion attacks performed after the fact. The concept of deniability has later demonstrated useful and powerful in many other contexts, such as leakage resilience, adaptive security of protocols,...

We revisit the definitions of zero-knowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zero-knowledge definition, they loose some of its spirit. In particular, we show that there exist a specific natural security property that is not captured by these definitions. This is the property...

We show how to implement a deniable encryption method from secret sharing. Unlike the related concept of honey encryption, which employs preprocessing step in symmetric re-shape distribution plaintext towards making real indistinguishable ciphertext for fake message, we can avoid both, computational intractability assumptions and data. This accomplishes deniability against an attacker that forc...

Deniable encryption, first introduced by Canetti et al. (CRYPTO 1997), allows a sender and/or receiver of encrypted communication to produce fake but authentic-looking coins and/or secret keys that “open” the communication to a different message. Here we initiate its study for the more general case of functional encryption (FE), as introduced by Boneh et al. (TCC 2011), wherein a receiver in po...

Consider a situation in which the transmission of encrypted messages is intercepted by an adversary who can later ask the sender to reveal the random choices (and also the secret key, if one exists) used in generating the ciphertext, thereby exposing the cleartext. An encryption scheme is deniable if the sender can generate ‘fake random choices’ that will make the ciphertext ‘look like’ an encr...

The key exchange protocol that establishes initial shared secrets in the handshake of Signal end-to-end encrypted messaging has several important characteristics: (1) it runs asynchronously (without both parties needing to be simultaneously online), (2) provides implicit mutual authentication while retaining deniability (transcripts cannot used prove either party participated protocol), and (3)...

Generally, the goal of identification schemes is to provide security assurance against impersonation attacks. Identification schemes based on zero knowledge protocols have more advantages, for example, deniability, which enables the prover to deny an identification proof so that the verifier couldn’t persuade others that it is indeed the prover who identified itself to him. This kind of identif...

Deniable Storage Encryption for Mobile Devices Adam Skillen Smartphones, and other mobile computing devices, are being widely adopted globally as the de-facto personal computing platform. Given the amount of sensitive information accumulated by these devices, there are serious privacy and security implications for both personal use and enterprise deployment. Confidentiality of data-at-rest can ...