About Anamorphic Cryptography
I recently discovered the excellent work of Giuseppe Persiano, Duong Hieu Phan and Moti Yung about Anamorphic cryptography.
IRL, Anamorphosis is a concept where an image changes depending on the viewer's perspective or POV. Meaning that, in cryptography, we can create ciphertexts that reveal different messages depending on the recipients, even though they use the same encrypted data.
The Idea
In a scenario where you are under the surveillance of a dictator that, because he's a dictator, can and will read all encrypted messages, forbid all trusted encryption schemes and impose you to give him your private keys.
In this senario, traditional encryption methods will fail, and won't help. You'd be required to use tricks and decoys to delay or deceive your opponent. Anamorphic cryptography tries to address this issue by creating two meaningfull cleartexts from one ciphertext, depending on the used secret key.
You have
: a private key given to the dictator
: another private key, now given to your desired recipient
: A decoy message, such as I love the Dictator.
: The actual secret message, such as I hate the Dictator.
You then encrypts the two messages with the public key:
The Dictator will then decrypt with his private key , and reveal the first message:
Your recipient will also decrypt the same ciphertext with his key , and reveal the second message:
This way, the dictator is misled into thinking they have full control, while the actual secret message remains hidden. As far as the dictator knows, he has the ONLY real key needed for the ciphertext.
Implementation
Anamorphic cryptography may and can be implemented with various encryption schemes. You can use RSA-OAEP, Paillier, Goldwasser-Micali, ElGamal, Cramer-Shoup, or Smooth Projective Hash-based systems but, by far, ElGamal method is particularly well-suited for this purpose.
The ElGamal encryption scheme is based on the difficulty of the discrete logarithm problem just like Diffie-Hellman . Here's a quick recap of how it works:
Key Generation:
- Choose a large prime number .
- Choose a base for the discrete logarithm.
- Generate a secret key .
- Compute the public key .
Encryption:
- For a message , generate a random value .
- Compute the ciphertext where:
Decryption:
- To decrypt the ciphertext :
- To decrypt the ciphertext :
ElGamal for Anamorphic Cryptography
We can modify the ElGamal method for anamorphic cryptography where, Alice and Bob needs to correspond, spied by the dictator Eve. Alice creates a secret key and a public key as usual. However, the random value is generated in a specific way to embed a secret message to Bob.
Key Generation
Secret Key Generation:
- Choose a large prime number .
- Choose a base for the discrete logarithm.
- Generate a secret key .
- Compute the public key .
Bob's Key Generation:
- generate a second secret key for Bob.
Encryption
Message Preparation:
- Alice has two messages: (the decoy message for the dictator) and (the secret message for Bob).
Random Value Generation:
- Instead of generating a random , Alice computes as:
- Instead of generating a random , Alice computes as:
Ciphertext Generation:
- Alice can then compute the ciphertext as usual where:
- Alice can then compute the ciphertext as usual where:
Decryption
Eves's Decryption:
- The dictator decrypts the ciphertext using Alice's secret key (She knows it remember, she's a dictator), :
- Eve sees the decoy message .
- The dictator decrypts the ciphertext using Alice's secret key (She knows it remember, she's a dictator), :
Bob's Decryption:
- Bob decrypts the ciphertext using his own secret key :
- Wich simplifies to:
- Bob then solves the discrete logarithm problem to find by searching for the value of that satisfies . Since has a smaller range than , this search is practially feasible.
- Bob decrypts the ciphertext using his own secret key :
In summary, this approach allows Alice to send a secret message to Bob while deceiving the dictator Eve with a decoy message. Some people might not see how nice it is, but I plan to leverage this for a secret path routing system. Hope you found and you'll find it interesting,
See you,
https://eprint.iacr.org/2022/639.pdf
https://asecuritysite.com/principles_pub/ana