Fully Bideniable Interactive Encryption

That's some dedication from Ran Canetti. The abstract gives the two bits of information, but it never connects them explicitly (writing is very formal): he was the author of the original paper that presented the problem in '96, and now he finally managed to find a valid solution for it, 22 years later. Well, I only understand the basics of crypto, but props to the man.

&gt; deniable encryption [Canetti et al., Crypto’96] provides the additional guarantee that the plaintext remains secret even in face of authoritative entities that attempt to coerce (or bribe) communicating parties to expose their internal states, including the plaintexts, keys and randomness. To achieve this guarantee, deniable encryption is equipped with a faking algorithm which allows parties to generate fake keys and randomness that make the ciphertext appear consistent with any plaintext of the parties’ choice.<p>Does the faking algorithm for the scheme proposed in the paper require any of the private information as input? In other words: given a ciphertext only, can I come up with keys and randomness to provide an arbitrary plaintext?<p>OTP for example does have this property, I can just simply XOR the plaintext I want to have with the ciphertext and claim that this is the key.<p>Edit: this question is relevant as if the private information is needed, it might limit your options once you do give them fake stuff. If some party can prove that the fake plaintext&#x2F;key pair you gave them is indeed fake, then you should be able to walk back on your claims and say that you never had the plaintext or forgot the password or whatever.

I wrote a program, stes[1], back in 2000 which did something similar (but less complex): it created a ciphertext C which could be decrypted to different plaintexts dependent on key, so K1 produces P1, K2 produces P2, etc, and there was no way of proving there were or weren&#x27;t any more keys.<p>[1] see <a href="https:&#x2F;&#x2F;github.com&#x2F;cabalamat&#x2F;stes&#x2F;blob&#x2F;master&#x2F;SPECIFICATION" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;cabalamat&#x2F;stes&#x2F;blob&#x2F;master&#x2F;SPECIFICATION</a>

I must read too much about politics, I took the title as a dig against former VP Biden, rather than &quot;bi-deniable&quot;. :-)

I see potential for application in Australia, given the new &quot;mandatory backdoor&quot; thing they&#x27;ve got going. Just claim you&#x27;ve made a back door for the government, then use a scheme like this and provide them only bogus keys.

Awesome maths.<p>A practical problem I see is that even if everyone used this everywhere, an attacker has no reason to believe any forceably decrypted plaintext.<p>The disclosing party would have had to beforehand craft a fake plaintext that was credible enough to trick an alerted attacker based on its contents alone.

If an adversary demands the key to decrypt a given ciphertext, what stops the sender or receiver from claiming that it was encrypted by a onetime pad (i.e., a bitwise exclusive-or with the encryption key) and then furnishing the &quot;key&quot; that &quot;decrypts&quot; it to some unrelated plaintext of his choice? Not to diminish the authors&#x27; work, but if this is the problem of deniable encryption, I don&#x27;t get why it isn&#x27;t trivial. Any advice?

Remembered me of the fun &quot;Angecryption&quot;, where you can decrypt the ciphertext with AES or decrypt it with DES and get different plaintexts depending on the scheme: <a href="https:&#x2F;&#x2F;github.com&#x2F;indrora&#x2F;corkami&#x2F;blob&#x2F;master&#x2F;src&#x2F;angecryption&#x2F;slides&#x2F;AngeCryption.pdf" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;indrora&#x2F;corkami&#x2F;blob&#x2F;master&#x2F;src&#x2F;angecrypt...</a>

From the paper:<p>&gt; To address this issue, Canetti et al. introduced the notion of deniable encryption, in which a party may send a ciphertext c which is an encryption of message m, and later, for any plaintext m2!=m, the party can reveal fake keys and randomness with respect to which c appears to be an encryption of m2<p>This is only really possible if your key is as big as m2, which in practise for many applications it would not be.

What does Bidenable mean? Google thinks I&#x27;m asking about Joe Biden, and that just makes me think there&#x27;s an XKCD connection in there somewhere that would be super hilarious if we could just find it.