Uncoercible Communication, or How to Lie with Impunity

Matthew Kerner
CSEP 590
3/5/06

Problem Statement
  • Alice broadcasts encrypted messages over a public channel
  • Eve can see ciphertext and coerces Alice before and/or after communication
    • Demands that Alice sends a particular message
    • Demands plaintext & receipt to compare with ciphertext
  • Encryption is often a “committing” process
  • How can Alice signal coercion to Bob yet still avoid reprisal by Eve?
Benaloh & Tuinstra: Parallel Uncoercible Communication Protocol

  • Alice and Bob: shared private channel (e.g. synchronized SecurID units)
  • Shared key K: (L-bit head) 10110101…101001 (N-bit tail)
  • Alice:
    • L-bit message M: 01001101…
    • Shared key K: 10110101…
    • Ciphertext C: 11111000… || 101001 (N-bit tail of K)
  • Bob:
    • Check N-bit tail against K
    • Accept message or reject message
  • What happens if Eve forces L-bit message beforehand?
    • Alice corrupts N-bit tail
  • What happens if Eve specifies ALL bits beforehand?
    • Eve must guess N-bit tail correctly (P = 2^-N)
  • Later, Alice gives Eve “receipt” with some K
    • All Ks equally plausible!
    • Can correspond to any plaintext – free or forced

Rivest: Chaffing & Winnowing
  • Encryption-free privacy mechanism via standard authentication mechanism (keyed HMAC)
  • Alice and Bob: shared session authentication key KAB
  • m-bit message M: 101…
  • Split into m 1-bit packets: (i, Mi, HMAC(KAB, i || Mi))
    • (1, 1, HMAC(KAB, 1 || 1))
    • (2, 0, HMAC(KAB, 2 || 0))
    • (3, 1, HMAC(KAB, 3 || 1))
  • Send in the clear
  • Now Alice adds “chaff”
    • (1, 0, Random)
    • (2, 1, Random)
    • (3, 0, Random)
  • Bob: check HMACs and throw away unauthenticated packets
    • Bob will throw chaff away (bad MAC)
  • Hard for Eve to calculate HMAC without KAB
  • Eve cannot tell wheat from chaff!
  • Multiple simultaneous chaff streams with KABi
    • Alice & Bob can claim any KABi is the real one!
  • Plausible deniability for precomputed plaintexts
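
The chaffing and winnowing exchange on this slide, including the multiple-key variant, as an added example (not code from the original presentation). HMAC-SHA256, the 4-byte serial number encoding, the function names and the decoy bit string are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAC_LEN = 32  # HMAC-SHA256 output size; the hash choice is an assumption


def mac(key, i, bit):
    """HMAC(K, i || Mi) over a 4-byte serial number and a one-byte bit value."""
    return hmac.new(key, i.to_bytes(4, "big") + bytes([bit]), hashlib.sha256).digest()


def chaff(streams):
    """Merge equal-length bit streams (dict: key -> list of bits) into packets.

    For every serial number and every stream, both bit values are sent: the
    stream's true bit carries a valid MAC (wheat), the other a random tag (chaff).
    """
    lengths = {len(bits) for bits in streams.values()}
    if len(lengths) != 1:
        raise ValueError("all streams must have the same length")
    packets = []
    for i in range(1, lengths.pop() + 1):
        slot = []
        for key, bits in streams.items():
            for b in (0, 1):
                tag = mac(key, i, b) if bits[i - 1] == b else secrets.token_bytes(MAC_LEN)
                slot.append((i, b, tag))
        # Shuffle within the slot so packet order does not reveal the stream.
        secrets.SystemRandom().shuffle(slot)
        packets.extend(slot)
    return packets


def winnow(key, packets):
    """Keep only packets whose MAC verifies under key; return bits in serial order."""
    wheat = {}
    for i, b, tag in packets:
        if hmac.compare_digest(tag, mac(key, i, b)):
            wheat[i] = b
    return [wheat[i] for i in sorted(wheat)]


# Constructed sample: the slide's message bits 101 plus a constructed decoy stream.
K_REAL, K_DECOY = secrets.token_bytes(32), secrets.token_bytes(32)
PACKETS = chaff({K_REAL: [1, 0, 1], K_DECOY: [0, 1, 1]})
```

Every serial number carries the same number of 0 and 1 packets per stream, so the packet list alone does not indicate which key recovers the real message.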

Summary & Practical Considerations
  • Methods to exploit degrees of freedom in key/private randomness to generate multiple plausible explanations for communication
    • Choose forged plaintext at time of encryption
    • Choose forged plaintext at time of coercion
    • Some resistant to coercion beforehand (uncoercible) and others resistant to coercion only afterwards (deniable)
  • Must use the method all the time or an adversary may coerce you with a more restricted mechanism
  • Multiple coercion targets must coordinate stories
  • Cleanest option for post-facto coercion: just delete or forget key & randomness
Other Methods
  • Clayton & Danezis: Plausibly Deniable Routing
  • Steganography
    • Steganography is information hiding
      • Example: low-order pixel bits in image contain string
    • Weak: security through obscurity
    • Stronger: “keyed” steganography
      • Example: keyed hash selects pixels to encode with
    • Plausible deniability in steganography
      • Rely on security by obscurity: claim the cover text is the message
      • Parallel steganographic methods: claim that one of n methods is correct
      • Keyed steganographic methods with multiple keys: claim that one of n keys is correct