Uncoercible Communication and Deniable Encryption, or How to Lie With Impunity
Abstract
Use of some cryptographic protocols implies a commitment to the data operated on by those protocols. For example, a digital signature may ensure the property of nonrepudiation: the signer would be unable to claim that the signed document is a forgery. Similarly, encrypting data can form a kind of commitment to the data: the decryption process reveals the committed plaintext.
In some scenarios, commitment to a plaintext may be undesirable. For example, in an election setting, we would like to prevent voters from being able to generate proof of their votes, ensuring that they cannot be coerced into voting a certain way, or rewarded for doing so. A secret agent may wish to be able to communicate with her sponsoring organization freely even if a coercive adversary is applying pressure to have her send a particular message. A corporate employee may wish to act as a whistle-blower without fear of management reprisal for having disclosed sensitive information.
A variety of techniques have been developed in recent years to provide various cryptographic services, including privacy, without implying a commitment to the plaintext, even under coercive circumstances. We examine a variety of techniques in this vein. But first, we should establish some informal definitions.
Coercion occurs when one party forces another, through physical threats, monetary or other rewards, legal action, or other pressure, to follow certain behavior. Coercion can occur before, during or after a transaction of interest. Multiple parties involved in a transaction may be coerced, by the same or different adversaries, and each may be asked to follow different behavior.
Uncoercible protocols specify a faking algorithm which the coerced party may follow under coercion, which makes it impossible for her to prove to the adversary that she has followed the coercive instructions, or equivalently, to provide the coercer with a forged receipt indicating compliance which is indistinguishable from an actual non-forged receipt. Since uncoercible protocols make it impossible to prove something to the adversary, the coerced party has several options.
Similar resources
A Method for Obtaining Deniable Public-Key Encryption
Deniable encryption is an important notion that allows a user (a sender and/or a receiver) to escape a coercion attempted by a coercive adversary. Such an adversary approaches the coerced user after transmission, forcing him to reveal all his random inputs used during encryption or decryption. Since traditional encryption schemes commit the user to his random inputs, the user is forced to revea...
Lower and Upper Bounds for Deniable Public-Key Encryption
A deniable cryptosystem allows a sender and a receiver to communicate over an insecure channel in such a way that the communication is still secure even if the adversary can threaten the parties into revealing their internal states after the execution of the protocol. This is done by allowing the parties to change their internal state to make it look like a given ciphertext decrypts to a messag...
Deniable Encryption
Consider a situation in which the transmission of encrypted messages is intercepted by an adversary who can later ask the sender to reveal the random choices (and also the secret key, if one exists) used in generating the ciphertext, thereby exposing the cleartext. An encryption scheme is deniable if the sender can generate ‘fake random choices’ that will make the ciphertext ‘look like’ an encr...
Stream Deniable-Encryption Algorithms
A method for stream deniable encryption of a secret message is proposed, which is computationally indistinguishable from the probabilistic encryption of some fake message. The method uses generation of two key streams with some secure block cipher. One of the key streams is generated depending on the secret key and the other one is generated depending on the fake key. The key streams are mixed wi...
A New Sender-Side Public-Key Deniable Encryption Scheme with Fast Decryption
Deniable encryption, introduced in 1997 by Canetti, Dwork, Naor, and Ostrovsky, guarantees that the sender or the receiver of a secret message is able to “fake” the message encrypted in a specific ciphertext in the presence of a coercing adversary, without the adversary detecting that he was not given the real message. Sender side deniable encryption scheme is considered to be one of the classi...