Paper 2023/249

Anamorphic Encryption, Revisited

Fabio Banfi, ETH Zurich
Konstantin Gegier, ETH Zurich
Martin Hirt, ETH Zurich
Ueli Maurer, ETH Zurich

Anamorphic Encryption, recently introduced by Persiano, Phan, and Yung (EUROCRYPT 2022) is a new cryptographic paradigm challenging the conventional notion of an adversary. In particular they consider the receiver-anamorphic setting, where a dictator is able to obtain the receiver's secret key of a well-established public-key encryption (PKE) scheme, and they ask the question whether the sender can still embed covert messages in a way which the dictator is completely oblivious to, if sender and receiver share an anamorphic key. In this work, we identify two definitional limitations of Persiano et al.'s original model. First, they require anamorphic keys and key-pairs to be generated together, so a first modification we propose is to decouple the two processes. We allow for the extension of a regular PKE scheme to an anamorphic one to be possible on the fly, even after the public key of the regular scheme is already in use. Second, in their model the receiver cannot distinguish whether or not a ciphertext contains a covert message, so we propose a natural robustness notion which states that when anamorphically decrypting a regularly encrypted message, the receiver explicitly sees that no covert message is contained. This also eliminates certain attacks possible for the original definition. Regarding new constructions, we first propose a generic anamorphic extension that achieves robustness for any PKE scheme, but requires synchronization of sender and receiver. We then define a natural property of a PKE scheme, selective randomness recoverability, which allows for a robust anamorphic extension even for unsynchronized parties. We show that the well-established schemes of ElGamal and Cramer-Shoup satisfy this condition. Finally, we propose a generic transformation of any non-robust anamorphic extension into a robust one, and apply it to a synchronized anamorphic extension for RSA-OAEP.

Available format(s)
Public-key cryptography
Publication info
anamorphic encryptiondictator modelrobustnessselective randomness recoverability
Contact author(s)
fabio banfi @ inf ethz ch
konstantin gegier @ inf ethz ch
hirt @ inf ethz ch
maurer @ inf ethz ch
2023-02-22: approved
2023-02-21: received
See all versions
Short URL
Creative Commons Attribution


      author = {Fabio Banfi and Konstantin Gegier and Martin Hirt and Ueli Maurer},
      title = {Anamorphic Encryption, Revisited},
      howpublished = {Cryptology ePrint Archive, Paper 2023/249},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.