Uncoercible Communication, or How to Lie with Impunity - PowerPoint PPT Presentation

About This Presentation
Title:

Uncoercible Communication, or How to Lie with Impunity

Description:

Benaloh & Tuinstra: Parallel Uncoercible Communication Protocol Rivest: Chaffing & Winnowing Encryption-free privacy mechanism via std authentication mechanism ... – PowerPoint PPT presentation

Number of Views:30
Avg rating:3.0/5.0
Slides: 8
Provided by: MatthewK154
Category:

less

Transcript and Presenter's Notes

Title: Uncoercible Communication, or How to Lie with Impunity


1
Uncoercible Communication, or How to Lie with
Impunity
  • Matthew Kerner
  • CSEP 590
  • 3/5/06

2
Problem Statement
  • Alice broadcasts encrypted messages over a public
    channel
  • Eve can see ciphertext and coerces Alice before
    and/or after communication
  • Demands that Alice sends a particular message
  • Demands plaintext receipt to compare with
    ciphertext
  • Encryption is often a committing process
  • How can Alice signal coercion to Bob yet still
    avoid reprisal by Eve?

3
Benaloh Tuinstra Parallel Uncoercible
Communication Protocol
Shared key K (L-bit head) 10110101101001 (N bit
tail)
Alice
Bob
Shared private channel (e.g. synchronized SecurID
units)
L-bit message M 01001101
Shared key K 10110101
Ciphertext C 11111000 101001 (N bit tail of
K)
  • What happens if Eve forces L-bit message
    beforehand?
  • Alice corrupts N-bit tail
  • What happens if Eve specifies ALL bits
    beforehand?
  • Eve must guess N-bit tail correctly (P 2-N)
  • Later, Alice gives Eve receipt with some K
  • All Ks equally plausible!
  • Can correspond to any plaintext free or forced

Check N-bit tail against K
Accept message
Reject message
4
Rivest Chaffing Winnowing
  • Encryption-free privacy mechanism via std
    authentication mechanism (keyed HMAC)

Bob
Alice
Shared session authentication key KAB
101
m-bit Message M
101
101
101
Split into m 1-bit packets
(i, Mi, HMAC(KAB, i Mi))
(1, 1, HMAC(KAB, 1 1))
Check HMACs and throw away unauthenticated
packets
Send in the clear
(1, 0, Random)
Now Alice adds chaff
(2, 0, HMAC(KAB, 2 0))
Bob will throw chaff away (bad MAC)
(2, 1, Random)
Hard for Eve to calculate HMAC without KAB Eve
cannot tell wheat from chaff! Multiple
simultaneous chaff streams with KABi Alice Bob
can claim any KABi is the real one!
(3, 1, HMAC(KAB, 3 1))
(3, 0, Random)
Plausible deniability for precomputed plaintexts
5
Summary Practical Considerations
  • Methods to exploit degrees of freedom in
    key/private randomness to generate multiple
    plausible explanations for communication
  • Choose forged plaintext at time of encryption
  • Choose forged plaintext at time of coercion
  • Some resistant to coercion beforehand
    (uncoercible) and others resistant to coercion
    only afterwards (deniable)
  • Must use the method all the time or an adversary
    may coerce you with a more restricted mechanism
  • Multiple coercion targets must coordinate stories
  • Cleanest option for post-facto coercion just
    delete or forget key randomness

6
Backup
7
Other Methods
  • Clayton Danezis Plausibly Deniable Routing
  • Steganography
  • Steganography is information hiding
  • Example low-order pixel bits in image contain
    string
  • Weak security through obscurity
  • Stronger keyed steganography
  • Example keyed hash selects pixels to encode with
  • Plausible deniability in steganography
  • Rely on security by obscurity claim the cover
    text is the message
  • Parallel steganographic methods claim that one
    of n methods is correct
  • Keyed steganographic methods with multiple keys
    claim that one of n keys is correct
Write a Comment
User Comments (0)
About PowerShow.com