Noë Flatreaud

About Anamorphic Cryptography

I recently discovered the excellent work of Giuseppe Persiano, Duong Hieu Phan and Moti Yung about Anamorphic cryptography.

IRL, Anamorphosis is a concept where an image changes depending on the viewer's perspective or POV. Meaning that, in cryptography, we can create ciphertexts that reveal different messages depending on the recipients, even though they use the same encrypted data.

The Idea

In a scenario where you are under the surveillance of a dictator that, because he's a dictator, can and will read all encrypted messages, forbid all trusted encryption schemes and impose you to give him your private keys.

In this senario, traditional encryption methods will fail, and won't help. You'd be required to use tricks and decoys to delay or deceive your opponent. Anamorphic cryptography tries to address this issue by creating two meaningfull cleartexts from one ciphertext, depending on the used secret key.

You have

You then encrypts the two messages with the public key:

C=Enc(pk,msg0,msg1)

The Dictator will then decrypt with his private key sk0 , and reveal the first message:

Dec(sk0,C)m0

Your recipient will also decrypt the same ciphertext with his key sk1, and reveal the second message:

Dec(sk1,C)m1

This way, the dictator is misled into thinking they have full control, while the actual secret message remains hidden. As far as the dictator knows, he has the ONLY real key needed for the ciphertext.

Implementation

Anamorphic cryptography may and can be implemented with various encryption schemes. You can use RSA-OAEP, Paillier, Goldwasser-Micali, ElGamal, Cramer-Shoup, or Smooth Projective Hash-based systems but, by far, ElGamal method is particularly well-suited for this purpose.

The ElGamal encryption scheme is based on the difficulty of the discrete logarithm problem just like Diffie-Hellman . Here's a quick recap of how it works:

  1. Key Generation:

    • Choose a large prime number p.
    • Choose a base g for the discrete logarithm.
    • Generate a secret key sk.
    • Compute the public key pk=gskmodp.
  2. Encryption:

    • For a message m, generate a random value r.
    • Compute the ciphertext (c1,c2) where:
      c1=m·pkrmodp
      c2=grmodp
  3. Decryption:

    • To decrypt the ciphertext (c1,c2):
      m=c1·c2skmodp

ElGamal for Anamorphic Cryptography

We can modify the ElGamal method for anamorphic cryptography where, Alice and Bob needs to correspond, spied by the dictator Eve. Alice creates a secret key ska and a public key pk as usual. However, the random value r is generated in a specific way to embed a secret message hm to Bob.

Key Generation

  1. Secret Key Generation:

    • Choose a large prime number p.
    • Choose a base g for the discrete logarithm.
    • Generate a secret key ska.
    • Compute the public key pk=gskamodp.
  2. Bob's Key Generation:

    • generate a second secret key skb for Bob.

Encryption

  1. Message Preparation:

    • Alice has two messages: m (the decoy message for the dictator) and hm (the secret message for Bob).
  2. Random Value Generation:

    • Instead of generating a random r, Alice computes r as:
      r=(hm+skb)modp
  3. Ciphertext Generation:

    • Alice can then compute the ciphertext as usual (c1,c2) where:
      c1=m·pkrmodp
      c2=grmodp

Decryption

  1. Eves's Decryption:

    • The dictator decrypts the ciphertext (c1,c2) using Alice's secret key (She knows it remember, she's a dictator), ska:
      m=c1·c2skmodp
    • Eve sees the decoy message m.
  2. Bob's Decryption:

    • Bob decrypts the ciphertext (c1,c2) using his own secret key skb:
      val=c2·gskbmodp
    • Wich simplifies to:
      val=gr·gskbmodp=g(hm+skb)skbmodp=ghmmodp
    • Bob then solves the discrete logarithm problem to find hm by searching for the value of hm that satisfies ghmmodp=val. Since hm has a smaller range than p, this search is practially feasible.

In summary, this approach allows Alice to send a secret message to Bob while deceiving the dictator Eve with a decoy message. Some people might not see how nice it is, but I plan to leverage this for a secret path routing system. Hope you found and you'll find it interesting,

See you,

https://eprint.iacr.org/2022/639.pdf
https://asecuritysite.com/principles_pub/ana

#anamorphic #cryptography #infosec