Suppose Alice sends a message to Bob in an informal chat conversation. If a typical encryption scheme as the ElGamal public key encryption scheme or Rijndael/AES is used, an authority can ask Alice to reveal what she sent Bob. Indeed, in the case of ElGamal, when Alice sends \((C_1,C_2)=(g^r,my^r)\) and is forced to reveal her randomness r used, anybody can obtain m. So, one can view the ciphertext as some commitment to the message. In the case of AES, when Alice is forced to reveal the key she shares with Bob, the authority again can obtain the message. (Using zero-knowledge, Alice is not required to reveal the key.)
The goal of deniable encryption [1] is that Alice can send a private message to Bob, without having the ciphertext result in a commitment. This can be viewed as allowing her to deny having sent a particular message. A scheme satisfying this condition is called a sender-deniable encryption scheme.
There is a similar concern from Bob's viewpoint. Can Bob be forced to open...
References
Canetti, R., C. Dwork, M. Naor, and R. Ostrovsky (1997). “Deniable encryption.” Advances in Cryptology—CRYPTO'97, Proceedings Santa Barbara, CA, USA, August 17–21 (Lecture Notes in Computer Science vol. 1294), ed. B.S. Kaliski, Springer-Verlag, Berlin, 90–104.
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 International Federation for Information Processing
About this entry
Cite this entry
Desmedt, Y. (2005). Deniable encryption. In: van Tilborg, H.C.A. (eds) Encyclopedia of Cryptography and Security. Springer, Boston, MA . https://doi.org/10.1007/0-387-23483-7_101
Download citation
DOI: https://doi.org/10.1007/0-387-23483-7_101
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-23473-1
Online ISBN: 978-0-387-23483-0
eBook Packages: Computer ScienceReference Module Computer Science and Engineering