Article code: 434020
Journal code: 689670
Publication year: 2014
English article: 18 pages, PDF
Full-text version: free download
English title of the ISI article
Timed encryption with application to deniable key exchange
Persian translation of the title
Timely encryption using an acceptable key converter
Keywords
Public-key encryption, key exchange, excitation
Related topics
Engineering and Basic Sciences, Computer Engineering, Computational Theory and Mathematics
English abstract

In this paper, we propose a new notion of timed encryption, in which the encryption is secure within time t while it is completely insecure after some time T > t. We consider the setting where t and T are both polynomial (in the security parameter). This primitive seems useful in applications where some intermediate data needs to be private temporarily while later it is desired to be public. We propose two schemes for this. One is reasonably efficient in the random oracle model; the other is generic without a random oracle. To demonstrate its usefulness, we use it as a building block to construct a new deniable key exchange (KE) protocol. A deniable KE protocol is a protocol that allows two parties to securely agree on a secret while neither of them can prove to a third party the fact of communication. So an honest party can deny his participation in the communication. Our protocol is adaptively deniable and secret in the concurrent and non-eraser model that admits session state reveal attacks and eavesdropping attacks. Here a session state reveal attack in a non-eraser model means that a user does not erase his intermediate data (e.g., due to a system backup) and, when compromised, will hand it out faithfully to an adversary. An eavesdropping attack allows an adversary to eavesdrop transcripts between honest users, in which he is unaware of the randomness. As emphasized by Di Raimondo et al. [14] and Yao and Zhao [30], an eavesdropping attack is very serious toward breaking the deniability. Our protocol is the first to simultaneously achieve all of the above properties without random oracles. The only price we pay is a timing restriction on the protocol execution. However, this restriction is rather weak and is essentially to require a user to answer an incoming message as soon as possible, which can be satisfied by almost all protocols that are executed online.

Publisher
Database: Elsevier - ScienceDirect
Journal: Theoretical Computer Science - Volume 560, Part 2, 4 December 2014, Pages 172–189