Deniable Encryption
Ran Canetti, Cynthia Dwork, Moni Naor, Rafi Ostrovsky
Abstract: Consider a situation in which the transmission of an encrypted message can be intercepted by an authority, and subsequently (say, in response to court order) the sender can be coerced to reveal the keys and random choices used in generating the ciphertext, thereby revealing the message sent. An encryption scheme is deniable if the sender can generate ``plausible'' keys and random choices that will satisfy the authority and at the same time keep the past communication private. Analogous requirements can be formulated with respect to coercion of the receiver and with respect to coercion of both parties. Deniable encryption is a strong primitive. In particular, it yields the first solution to the problem of incoercible (``receipt-free'') voting requiring no physical security assumptions. Deniable encryption also provides a simple and elegant implementation of adaptively secure multiparty computation. In this paper we define and construct various types of deniable encryption schemes.
Keywords: Encryption, Public key, Private key, Coercion, Voting.
comment: received May 10th, 1996. Revised June 11th, 1997 (with new abstract).
contact author: canetti@theory.lcs.mit.edu
Fetch PostScript file of the revised paper.
Fetch PostScript file of the original paper.