Cryptosystems have been developed over the years under the typical prevalent setting which assumes that the receiver’s key is kept secure from the adversary, and that the choice of the message to be sent is freely performed by the sender and is kept secure from the adversary as well. Under these fundamental and basic operational assumptions, modern Cryptography has flourished over the last half a century or so, with amazing achievements: New systems (including public-key Cryptography), beautiful and useful models (including security definitions such as semantic security), and new primitives (such as zero-knowledge proofs) have been developed. Furthermore, these fundamental achievements have been translated into actual working systems, and span many of the daily human activities over the Internet.
However, in recent years, there is an overgrowing pressure from many governments to allow the government itself access to keys and messages of encryption systems (under various names: escrow encryption, emergency access, communication decency acts, etc.). Numerous non-direct arguments against such policies have been raised, such as "the bad guys can utilize other encryption system" so all other cryptosystems have to be declared illegal, or that "allowing the government access is an ill-advised policy since it creates a natural weak systems security point, which may attract others (to masquerade as the government)." It has remained a fundamental open issue, though, to show directly that the above mentioned efforts by a government (called here “a dictator” for brevity) which mandate breaking of the basic operational assumption (and disallowing other cryptosystems), is, in fact, a futile exercise. This is a direct technical point which needs to be made and has not been made to date.
In this work, as a technical demonstration of the futility of the dictator’s demands, we invent the notion of “Anamorphic Encryption” which shows that even if the dictator gets the keys and the messages used in the system (before anything is sent) and no other system is allowed, there is a covert way within the context of well established public-key cryptosystems for an entity to immediately (with no latency) send piggybacked secure messages which are, in spite of the stringent dictator conditions, hidden from the dictator itself! We feel that this may be an important direct technical argument against the nature of governments’ attempts to police the use of strong cryptographic systems, and we hope to stimulate further works in this direction.
I want to share an interesting cryptography paper which introduces “anamorphic encryption”, where the ciphertext encrypts two messages. One is a message to reveal to a dictator, who wants the secret key and message to control the narrative. Behind it lies a hidden message, guarded behind a “double key”, which is to communicate messages of intent secretly.
It’s kind of like having a duress key to reveal, but instead you can send real messages with the real key.
For instance, an investigative journalist could encrypt a fake message “Everyone is content in our utopia” as a smokescreen to show to the dictator, while true messages like “Minorities are forced into labor camps” can be hidden in the anamorphically encrypted ciphertexts to notify the outside free press.
The authors argue that cryptosystems already in use supports the anamorphic mode, where you encrypt a normal-looking ciphertext which contains the hidden message.
Given that it has been 3 years since this paper, I think there would have been some applications of this technology. Do you guys know of any?
the way it works is that the veracrypt container basically contains 2 encrypted partitions. if it can’t decrypt the first one with the password, it will try the second one, but always pretend to try both so that the time it takes to unlock it does not give it away. by writing to either, you risk overwriting data in the other one (except that you can input both the hidden and main partition passwords and it will make sure to keep the hidden partition unaffected), but otherwise both partitions are fully functional
But if two different messages are encrypted with the same key, doesn’t it by nature produce two different ‘plaintext’ ciphertext? Unless the real secret is much smaller than the decoy message as in the example of the ww2 artist
plaintext is the unencrypted form of data. encryption produces ciphertext. encrypting the same data with the same key twice results in the same ciphertext, unless additional steps were taken to insert additional data that does not match (like a nonce) to the plaintext
I recall truecrypt having this as a file system feature where you could decrypt two different filesystems on the same volume.
One password would show you files you didn’t care much about if anyone got them, the other password would show you the actually important files.
This way there was always a realistic method to say “this is it”
deleted by creator
Isn’t there some information theory that says you can’t have two pieces of unique information inside one ?
the way it works is that the veracrypt container basically contains 2 encrypted partitions. if it can’t decrypt the first one with the password, it will try the second one, but always pretend to try both so that the time it takes to unlock it does not give it away. by writing to either, you risk overwriting data in the other one (except that you can input both the hidden and main partition passwords and it will make sure to keep the hidden partition unaffected), but otherwise both partitions are fully functional
But if two different messages are encrypted with the same key, doesn’t it by nature produce two different
‘plaintext’ciphertext? Unless the real secret is much smaller than the decoy message as in the example of the ww2 artistplaintext is the unencrypted form of data. encryption produces ciphertext. encrypting the same data with the same key twice results in the same ciphertext, unless additional steps were taken to insert additional data that does not match (like a nonce) to the plaintext
Sorry. Got the terms mixed up. Ciphertext is it. Thanks