In this work we construct \emph{bi-deniable} public-key cryptosystems, in which both the sender and receiver can simultaneously equivocate; we stress that the schemes are noninteractive and involve no third parties. One of our systems is based generically on ``simulatable encryption'' as defined by Damgård and Nielsen (CRYPTO 2000), while the other is lattice-based and builds upon the results of Gentry, Peikert and Vaikuntanathan (STOC 2008) with techniques that may be of independent interest. Both schemes work in the so-called ``multi-distributional'' model, in which the parties run alternative key-generation and encryption algorithms for equivocable communication, but claim under coercion to have run the prescribed algorithms. Although multi-distributional deniability has not attracted much attention, we argue that it is meaningful and useful because it provides credible coercion resistance in certain settings, and suffices for all of the related properties mentioned above.
Category / Keywords: public-key cryptography / Deniable encryption, noncommitting encryption, simulatable encryption, lattice cryptography Publication Info: Full version of paper appearing in CRYPTO 2011 Date: received 30 Jun 2011, last revised 15 Sep 2011 Contact author: cpeikert at cc gatech edu Available format(s): PDF | BibTeX Citation Note: Included missing section on bi-deniability in the identity-based setting. Version: 20110915:124106 (All versions of this report) Short URL: ia.cr/2011/352 Discussion forum: Show discussion | Start new discussion