1 / 7

Uncoercible Communication, or How to Lie with Impunity

Uncoercible Communication, or How to Lie with Impunity. Matthew Kerner CSEP 590 3/5/06. Problem Statement. Alice broadcasts encrypted messages over a public channel Eve can see ciphertext and coerces Alice before and/or after communication Demands that Alice sends a particular message

eliza
Download Presentation

Uncoercible Communication, or How to Lie with Impunity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Uncoercible Communication, or How to Lie with Impunity Matthew Kerner CSEP 590 3/5/06

  2. Problem Statement • Alice broadcasts encrypted messages over a public channel • Eve can see ciphertext and coerces Alice before and/or after communication • Demands that Alice sends a particular message • Demands plaintext & receipt to compare with ciphertext • Encryption is often a “committing” process • How can Alice signal coercion to Bob yet still avoid reprisal by Eve?

  3. Benaloh & Tuinstra: Parallel Uncoercible Communication Protocol Shared key K: (L-bit head) 10110101…101001 (N bit tail) Alice Bob Shared private channel (e.g. synchronized SecurID units) L-bit message M: 01001101… Shared key K: 10110101… Ciphertext C: 11111000… || 101001 (N bit tail of K) • What happens if Eve forces L-bit message beforehand? • Alice corrupts N-bit tail • What happens if Eve specifies ALL bits beforehand? • Eve must guess N-bit tail correctly (P = 2-N) • Later, Alice gives Eve “receipt” with some K • All Ks equally plausible! • Can correspond to any plaintext – free or forced Check N-bit tail against K Accept message Reject message

  4. Rivest: Chaffing & Winnowing • Encryption-free privacy mechanism via std authentication mechanism (keyed HMAC) Bob Alice Shared session authentication key KAB 101… m-bit Message M: 101… 101… 101… Split into m 1-bit packets: (i, Mi, HMAC(KAB, i || Mi)) (1, 1, HMAC(KAB, 1 || 1)) Check HMACs and throw away unauthenticated packets Send in the clear (1, 0, Random) Now Alice adds “chaff” (2, 0, HMAC(KAB, 2 || 0)) Bob will throw chaff away (bad MAC) (2, 1, Random) Hard for Eve to calculate HMAC without KAB Eve cannot tell wheat from chaff! Multiple simultaneous chaff streams with KABi Alice & Bob can claim any KABi is the real one! (3, 1, HMAC(KAB, 3 || 1)) (3, 0, Random) Plausible deniability for precomputed plaintexts

  5. Summary & Practical Considerations • Methods to exploit degrees of freedom in key/private randomness to generate multiple plausible explanations for communication • Choose forged plaintext at time of encryption • Choose forged plaintext at time of coercion • Some resistant to coercion beforehand (uncoercible) and others resistant to coercion only afterwards (deniable) • Must use the method all the time or an adversary may coerce you with a more restricted mechanism • Multiple coercion targets must coordinate stories • Cleanest option for post-facto coercion: just delete or forget key & randomness

  6. Backup

  7. Other Methods • Clayton & Danezis: Plausibly Deniable Routing • Steganography • Steganography is information hiding • Example: low-order pixel bits in image contain string • Weak: security through obscurity • Stronger: “keyed” steganography • Example: keyed hash selects pixels to encode with • Plausible deniability in steganography • Rely on security by obscurity: claim the cover text is the message • Parallel steganographic methods: claim that one of n methods is correct • Keyed steganographic methods with multiple keys: claim that one of n keys is correct

More Related