Receiver-deniable Public-Key Encryption

Abstract

Incoercible (or deniable) encryption is an important notion that allows a user (a sender and/or a receiver) to escape a coercion attempted by a coercive adversary. Such an adversary approaches the coerced user after transmission forcing him to reveal all his random inputs used during encryption or decryption. Since traditional encryption schemes commits the user to his random inputs, the user is forced to reveal the true values of all his random inputs (including the encrypted/decrypted messages and the encryption/decryption keys) which are verifiable by this coercer using the intercepted ciphertext. In this scenario, a coercer may force the user to perform actions against his wish. An appealing property in the mediated RSA PKI introduced in [2] is that, the user has no in- formation, neither about his full private (decryption) key, nor the factorization of the RSA public modulus, which represents an excellent step toward achieving incoercibility in public key encryption, since, a coercer cannot ask the user to reveal such unknown information. In this pa- per we present a scheme for receiver-deniable public-key encryption, by which, the receiver is able to lie about the decrypted message to a coercer and hence, escape a coercion. On one hand, the receiver is able to decrypt for the correct message, on the other hand, all the information held by the receiver, when opened to a coercer, do not allow this coercer to verify the encrypted message and consequently, approaching this user becomes useless from the very beginning.