Uncoercible Communication, or How to Lie with Impunity

1
Uncoercible Communication, or How to Lie with
Impunity
  • Matthew Kerner
  • CSEP 590
  • 3/5/06

2
Problem Statement
  • Alice broadcasts encrypted messages over a public
    channel
  • Eve can see ciphertext and coerces Alice before
    and/or after communication
  • Demands that Alice sends a particular message
  • Demands plaintext receipt to compare with
    ciphertext
  • Encryption is often a committing process
  • How can Alice signal coercion to Bob yet still
    avoid reprisal by Eve?

3
Benaloh & Tuinstra: Parallel Uncoercible
Communication Protocol
  • Alice and Bob share a private channel (e.g.
    synchronized SecurID units)
  • Shared key K: (L-bit head) 10110101101001 (N-bit
    tail)
  • L-bit message M: 01001101
  • Shared key K: 10110101
  • Ciphertext C: 11111000 101001 (N-bit tail of K)
  • Bob: check N-bit tail against K, then accept
    message or reject message
  • What happens if Eve forces L-bit message
    beforehand?
  • Alice corrupts N-bit tail
  • What happens if Eve specifies ALL bits
    beforehand?
  • Eve must guess N-bit tail correctly (P = 2^-N)
  • Later, Alice gives Eve receipt with some K
  • All Ks equally plausible!
  • Can correspond to any plaintext, free or forced

4
Rivest: Chaffing & Winnowing
  • Encryption-free privacy mechanism via std
    authentication mechanism (keyed HMAC)
  • Alice and Bob share a session authentication
    key KAB
  • m-bit message M: 101
  • Alice splits M into m 1-bit packets
    (i, Mi, HMAC(KAB, i Mi)) and sends them in the
    clear
  • Wheat: (1, 1, HMAC(KAB, 1 1)),
    (2, 0, HMAC(KAB, 2 0)), (3, 1, HMAC(KAB, 3 1))
  • Now Alice adds chaff: (1, 0, Random),
    (2, 1, Random), (3, 0, Random)
  • Bob checks HMACs and throws away unauthenticated
    packets
  • Bob will throw chaff away (bad MAC)
  • Hard for Eve to calculate HMAC without KAB: Eve
    cannot tell wheat from chaff!
  • Multiple simultaneous chaff streams with KABi:
    Alice & Bob can claim any KABi is the real one!
  • Plausible deniability for precomputed plaintexts

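Added example (not part of the original slides): slide 4's chaffing and winnowing in Python, with two simultaneous streams so that winnowing with either key yields a complete message. The SHA-256 HMAC, the 4-byte sequence-number encoding and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # SHA-256 digest size; chaff tags must have the same length

def tag(key, i, bit):
    # HMAC over sequence number and bit. The fixed-width encoding is an
    # assumption; the slide only writes HMAC(KAB, i Mi).
    msg = i.to_bytes(4, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()

def chaff_and_send(streams):
    """streams maps each key to its message bits (equal lengths).
    For every position, key and bit value emit one packet: a real HMAC if
    that key's message has that bit there (wheat), else a random tag (chaff)."""
    lengths = {len(bits) for bits in streams.values()}
    if len(lengths) != 1:
        raise ValueError("all streams must carry the same number of bits")
    packets = []
    for i in range(1, lengths.pop() + 1):
        for key, bits in streams.items():
            for bit in (0, 1):
                wheat = bits[i - 1] == bit
                mac = tag(key, i, bit) if wheat else secrets.token_bytes(TAG_LEN)
                packets.append((i, bit, mac))
    secrets.SystemRandom().shuffle(packets)  # order must not reveal the stream
    return packets

def winnow(key, packets):
    """Bob's side: keep packets whose HMAC verifies, ordered by position."""
    wheat = {}
    for i, bit, mac in packets:
        if hmac.compare_digest(mac, tag(key, i, bit)):
            if wheat.get(i, bit) != bit:
                raise ValueError(f"conflicting authenticated bits at {i}")
            wheat[i] = bit
    return [wheat[i] for i in sorted(wheat)]

def demo():
    # Constructed sample: the slide's message 101 plus a decoy message 011.
    k_real, k_decoy = secrets.token_bytes(32), secrets.token_bytes(32)
    packets = chaff_and_send({k_real: [1, 0, 1], k_decoy: [0, 1, 1]})
    return winnow(k_real, packets), winnow(k_decoy, packets)
```

Every position carries the same number of packets for bit 0 and bit 1, and a key that matches no stream winnows to an empty message.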
5
Summary & Practical Considerations
  • Methods to exploit degrees of freedom in
    key/private randomness to generate multiple
    plausible explanations for communication
  • Choose forged plaintext at time of encryption
  • Choose forged plaintext at time of coercion
  • Some resistant to coercion beforehand
    (uncoercible) and others resistant to coercion
    only afterwards (deniable)
  • Must use the method all the time or an adversary
    may coerce you with a more restricted mechanism
  • Multiple coercion targets must coordinate stories
  • Cleanest option for post-facto coercion: just
    delete or forget key randomness

6
Backup
7
Other Methods
  • Clayton & Danezis: Plausibly Deniable Routing
  • Steganography
  • Steganography is information hiding
  • Example: low-order pixel bits in image contain
    string
  • Weak: security through obscurity
  • Stronger: keyed steganography
  • Example: keyed hash selects pixels to encode with
  • Plausible deniability in steganography
  • Rely on security by obscurity: claim the cover
    text is the message
  • Parallel steganographic methods: claim that one
    of n methods is correct
  • Keyed steganographic methods with multiple keys:
    claim that one of n keys is correct