So I've recently become acquainted with deniable encryption and I got to thinking, wouldn't a way to do this involve using a group that can be decomposed into direct summands which already have well-established cryptosystems using a one-way projection map.
A one-way projection map is:
- Easy to compute with a trapdoor
- Hard to compute without this trapdoor
- Idempotent, repeated applications lead to no change.
So, $G$ is taken to be direct sum of two groups $G_1$ and $G_2$, which means that it comes equipped with non-unique projection maps which map surjectively from $G$ to $G_x$ (a special tough-to-compute one can be chosen).
The idea is then that cryptosystems can considered on the two groups independently because of these projection map. A general message exchange then looks like the following:
- Bob securely sends Alice $G=G_1\oplus G_2$ and $Enc_{pub}^1$ and $Enc_{pub}^2$.
- Alice encrypts $m_1$ and $m_2$ to $Enc_{pub}^1(m_1)\oplus Enc_{pub}^2(m_2)=c$
- Bob can then use $m_1=Denc_1(c_1) = Denc_1\circ\pi_1(c)$
- Or Bob can use $m_2=Denc_2(c_2) = Denc_2\circ\pi_2(c)$
Where $\pi_1$ and $\pi_2$ are projection maps to $G_1$ and $G_2$ respectively and the encrypting function on the original groups are $Enc_{pub}^x:G_x\to G_x$. Only Bob has access to $Denc_i$ and $\pi_i$.
The "under coercion" scenario is then that the appropriate decryption projection map can be surrendered and allow the cryptographer to escape having actually revealed the more valuable message.
Could this setup be considered "deniable"?
