Strictly stronger than [[Non-Committing Encryption]]?
Yes—if secure with both sender and receiver opening! From "Deniable Encryption", Canetti, Dwork, Naor, Ostrovsky, CRYPTO'97:
> However, non-committing encryptions are strictly weaker than deniable ones. For example, in non-committing encryptions the parties using the scheme are, in general, not able to generate ciphertexts that can be opened both ways; such ciphertexts can only be generated by a simulator (which is an artifact of the [7]model). In contrast, in deniable encryption each ciphertext generated by parties using the scheme has unique decryption, and at the same time can be opened in several ways for an adversary (thus, the non-committing encryption scheme in [7] is not deniable). *The key insight is that any deniable encryption scheme resilient against attacking both the sender and the receiver is non-committing.*
If so, by Jesper's result, constructing deniable encryption requires programming [[Random Oracle Model]] ... and yet the deniability functionality should be granted the end user somehow.
My intuition tells me that these should be unachievable for arbitrary-length messages, since [[Non-Committing Encryption]] is without programming [[Random Oracle Model]], and an end-user can't program random oracles. Yet Canetti et al. write (Sect. 6):
Generalizing these constructions to schemes that encrypt arbitrarily long messages is straightforward.
... I am confused. They *are* non-interactive, right? (Maybe it's just ignorance: this paper predates Jesper's result by 5 years after all.)
Kanskje the "straightforward" generalization to arbitrarily long messages innebærer nøkkelstørrelser som øker lineært med antall bits (igjen). (Svar: når de transformerer fra sender opening til receiver opening så gjør de samtidig protokollen *interaktiv*.)
Se også [[Quantum-enabled deniable encryption]]: Deniable Encryption in a Quantum World, av Coladangelo, Goldwasser (!) og Umesh Vazirani (!) https://arxiv.org/pdf/2112.14988.pdf
Se deres related works for en veldig god oversikt over situasjonen klassisk. Som jeg skrev til Joseph:
"In summary, there is no contradiction because _either_ only sender opening is considered (for which NCE is achievable in the standard model), _or else_ the protocol is made to be interactive."
Also very interesting to note that assuming quantum communication, achieving (perfect-secrecy) public-key deniable encryption is trivial: simply use QKD to share keys for one-time padding, and you're done!
Se også [[Tanker om transformasjoner]].
#### Partly-deniable encryption
Gammel paragrafskisse fra [[SoK - Public Key Encryption with Openings]]:
> As with NCE, we can weaken the requirements so that a given ciphertext no longer has
to decrypt to *any* message, but for instance to only two
predetermined messages under two different keys. Then, one can
construct non-interactive schemes with limited
deniability functionality; in fact, several common
blockciphers, including AES-GCM, come with such deniability-like
properties~\cite{C:GruLuRis17}, and prior works have rather focused
on how to rid these schemes of deniability, and thus achieve fully
*committing* authenticated encryption~\cite{C:GruLuRis17,C:DGRW18}.
#### Connection to [[Indistinguishability Obfuscation]]
Fra [Quanta-artikkel](https://www.quantamagazine.org/computer-scientists-achieve-crown-jewel-of-cryptography-20201110/):
> While the protocol is far from ready to be deployed in real-world applications, from a theoretical standpoint it provides an instant way to build an array of cryptographic tools that were previously out of reach. For instance, it enables the creation of “deniable” encryption, in which you can plausibly convince an attacker that you sent an entirely different message from the one you really sent, and “functional” encryption, in which you can give chosen users different levels of access to perform computations using your data.