6.2 Building blocks and main theorem stating security
6.2.2 Primitives required for the main construction, and their parameters
We require the primitives listed below. Note that these primitives can be constructed from iO, injective PRFs (which in turn can be constructed from standard OWFs, [SW14]) and injective OWFs (which in turn can be constructed from iO and standard OWFs, [BPW16]); thus it is enough to require iO and OWFs. By starting with subexponentially-secure iO and OWFs, we obtain subexponential security of these primitives. Definitions can be found in section 5.
Notation. We denote the security parameter by $\lambda$. We parametrize sizes in our construction by $\tau(\lambda)$, which is the length of the first message in the protocol (also equal to the size of a tag for the level system, since we use $\mu_1, \mu_2$ as tags), and $T(\lambda)$, which is an upper bound of the level system.
Injective PRFs with sparse image. As shown in [SW14], for any length $l$ there exists a family of PRFs $\{F_k\}_\lambda$ mapping $l$-bit inputs to $(2l+\lambda)$-bit outputs, such that with probability at least $1 - 2^{-\lambda}$ (over the choice of the key) the PRF is injective. Note that a PRF with these parameters has an exponentially sparse image, i.e. a randomly chosen element of the range is in its image with probability $2^{-l-\lambda}$. These PRFs are used in the construction of ACE and relaxed ACE.
Sparse extracting PRF. As shown in [SW14], for any length $l$, as long as the input has entropy at least $l$, where $l \ge \tau/2 + 2\lambda + 2$, there exists a family of extracting PRFs $\{F_k\}_\lambda$ mapping inputs of size at least $l$ to $\tau/2$-bit outputs, which are strong extractors with statistical distance at most $2^{-\lambda}$. A simple reduction shows that applying a length-doubling PRG to the output of such a PRF yields a (computationally) extracting PRF such that a random string is in its image with probability $2^{-\tau/2}$. These PRFs are used to compute the first two messages in the protocol.
ACE. As shown in [CHJV14], for any plaintext length $l$ there exists an ACE with ciphertexts of size $3l + \lambda$ (as long as the injective PRFs used map $l$ bits to $2l + \lambda$ bits). ACE is used as the main encryption scheme (it is used to compute the third message of the protocol).
Relaxed ACE. As we show in appendix C by modifying the construction of [CHJV14], for any plaintext length $l$ and suffix parameter $t$ there exists a relaxed ACE with ciphertexts of size $(l - t + 1)(2l - t + \lambda) + \lambda$ (as long as each injective PRF $F_i$, $i = t, \ldots, l$, maps $i$ bits to $2i + \lambda$ bits). Further, ciphertexts of this ACE are sparse: the fraction of strings of ciphertext length that are valid ciphertexts is at most $2^{-\lambda}$. Relaxed ACE is used as an encryption scheme to generate fake sender and receiver randomness.
Length-doubling PRG. We use a PRG from $\lambda$ to $2\lambda$ bits. It is used in program RFake to randomize the fake randomness of the receiver. (In addition, as part of the construction of a sparse extracting PRF, we also use a PRG from $\tau(\lambda)/2$ to $\tau(\lambda)$ bits.)
Level system. We require a level system for any superpolynomial upper bound $T$ and any sublinear tag size.
Length of variables as a function of the first message size $\tau$ and level upper bound $T$. Below we express the sizes in our construction (which in turn specify the parameters of all primitives) as a function of the first message size $\tau(\lambda)$ and the upper bound of the level system $T(\lambda)$. We require that both $\tau(\lambda)$ and $\log T(\lambda)$ are sublinear in $\lambda$. We assume that the plaintext of the deniable encryption scheme is one bit long. Somewhat abusing notation, in this discussion we denote the size of the ACE ciphertext of an $l$-bit input by $\mathsf{ACE}(l)$; the sizes of levels by $|\ell|$, $|L|$; and the size of the output of a PRG by $|\mathsf{prg}|$.
• $|\mu_1| = \tau$;
• $|\mu_2| = \tau$;
• $|\ell| = |\mathsf{ACE}(|\mu_1| + \log T)| = 3(\tau + \log T) + \lambda = O(\lambda)$;
• $|L| = |\mathsf{ACE}(|\mu_1| + |\mu_2| + \log T)| = 3(2\tau + \log T) + \lambda = O(\lambda)$;
• $|\mu_3| = |\mathsf{ACE}(1 + |\mu_1| + |\mu_2| + |L|)| = 3(1 + 2\tau + 3(2\tau + \log T) + \lambda) + \lambda = 3 + 24\tau + 9\log T + 4\lambda = O(\lambda)$;
• $|s| = \mathsf{relaxedACE}(1 + |\mu_1| + |\mu_2| + |\mu_3| + |\ell|)$ (for suffix parameter $t = |\ell|$), thus the size is equal to $(1 + 2\tau + (3 + 15\tau + 9\log T + 4\lambda) + 1)\,(2(1 + 2\tau + (3 + 15\tau + 9\log T + 4\lambda) + 3(\tau + \log T) + \lambda) - (3(\tau + \log T) + \lambda) + \lambda) + \lambda = (5 + 17\tau + 9\log T + 4\lambda)(8 + 37\tau + 21\log T + 20\lambda) + \lambda = O(\lambda^2)$;
• $|r| = \mathsf{relaxedACE}(1 + |\mu_1| + |\mu_2| + |\mu_3| + |L| + |\mathsf{prg}|)$ (for suffix parameter $t = |\mathsf{prg}|$), thus the size is equal to $((1 + 2\tau + 3 + 24\tau + 9\log T + 4\lambda + 3(2\tau + \log T) + \lambda + 2\lambda) - 2\lambda + 1)\,(2(1 + 2\tau + 3 + 24\tau + 9\log T + 4\lambda + 3(2\tau + \log T) + \lambda + 2\lambda) - 2\lambda + \lambda) + \lambda = (5 + 32\tau + 12\log T + 5\lambda)(8 + 64\tau + 24\log T + 13\lambda) + \lambda = O(\lambda^2)$.
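As an added worked example (not code from the paper): a short Python script that instantiates the ACE and relaxed-ACE ciphertext-size formulas stated earlier in this section, derives every variable length from $\tau$, $\log T$ and $\lambda$ in the same order as the list above, and checks the derived values against the closed forms given for $|\ell|$, $|L|$, $|\mu_3|$ and $|r|$. The parameter choice $\tau = \log T = \lceil\sqrt{\lambda}\rceil$ is a constructed sample satisfying the sublinearity requirement, and all function names are ours.

```python
import math

# Added example (not from the paper). Size bookkeeping for the construction,
# using the two ciphertext-size formulas the section states:
#   ACE(l)           = 3l + lam
#   relaxedACE(l, t) = (l - t + 1)(2l - t + lam) + lam
# All sizes are in bits; tau, logT, lam stand for tau(lambda), log T(lambda), lambda.


def ace_size(l, lam):
    """Ciphertext length of ACE on an l-bit plaintext: 3l + lambda."""
    return 3 * l + lam


def relaxed_ace_size(l, t, lam):
    """Ciphertext length of relaxed ACE on an l-bit plaintext with suffix parameter t."""
    assert 1 <= t <= l, "suffix parameter must satisfy 1 <= t <= l"
    return (l - t + 1) * (2 * l - t + lam) + lam


def construction_sizes(tau, logT, lam, plaintext_bits=1, prg_out=None):
    """Bit-lengths of all variables of the construction for the given tau, log T, lambda.

    plaintext_bits is 1 as in the section; prg_out defaults to the output length
    of the length-doubling PRG, 2*lambda.
    """
    if prg_out is None:
        prg_out = 2 * lam
    sz = {"mu1": tau, "mu2": tau}
    sz["ell"] = ace_size(sz["mu1"] + logT, lam)
    sz["L"] = ace_size(sz["mu1"] + sz["mu2"] + logT, lam)
    sz["mu3"] = ace_size(plaintext_bits + sz["mu1"] + sz["mu2"] + sz["L"], lam)
    sz["prg"] = prg_out
    # fake sender randomness: relaxed ACE with suffix parameter t = |ell|
    sz["s"] = relaxed_ace_size(
        plaintext_bits + sz["mu1"] + sz["mu2"] + sz["mu3"] + sz["ell"], sz["ell"], lam)
    # fake receiver randomness: relaxed ACE with suffix parameter t = |prg|
    sz["r"] = relaxed_ace_size(
        plaintext_bits + sz["mu1"] + sz["mu2"] + sz["mu3"] + sz["L"] + sz["prg"], sz["prg"], lam)
    return sz


def closed_forms(tau, logT, lam):
    """Closed-form expressions the section gives for |ell|, |L|, |mu3| and |r|."""
    return {
        "ell": 3 * (tau + logT) + lam,
        "L": 3 * (2 * tau + logT) + lam,
        "mu3": 3 + 24 * tau + 9 * logT + 4 * lam,
        "r": (5 + 32 * tau + 12 * logT + 5 * lam) * (8 + 64 * tau + 24 * logT + 13 * lam) + lam,
    }


def sublinear_choice(lam):
    """Constructed sample parameters: tau = log T = ceil(sqrt(lambda)), sublinear in lambda."""
    root = math.isqrt(lam - 1) + 1  # ceil(sqrt(lam)) for lam >= 1
    return root, root


def closed_forms_match(tau, logT, lam):
    """True iff the derived sizes agree with the section's closed forms for ell, L, mu3, r."""
    sz = construction_sizes(tau, logT, lam)
    cf = closed_forms(tau, logT, lam)
    return all(sz[k] == cf[k] for k in cf)


if __name__ == "__main__":
    lam = 128
    tau, logT = sublinear_choice(lam)
    for name, bits in construction_sizes(tau, logT, lam).items():
        print(f"|{name}| = {bits} bits")
    print("closed forms for ell, L, mu3, r match:", closed_forms_match(tau, logT, lam))
```

Running it for $\lambda = 128$ gives $\tau = \log T = 12$ and shows the quadratic growth of $|s|$ and $|r|$ relative to the $O(\lambda)$ sizes of $|\ell|$, $|L|$ and $|\mu_3|$.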
Further, since in our construction of deniable encryption we use the first message $\mu_1$ as a tag for the level system, we need a level system for upper bound $T$ and tag size $\tau$.
The size of the programs, and removing layers of iO. Note that the source code in fig. 18 and fig. 19 includes the description of obfuscated programs of the level system. In turn, the source code of the programs of the level system contains ACE keys, which are again obfuscations of other programs. Thus the CRS contains programs with 3 layers of obfuscation.
However, this layering is only for convenience: it enables proving the security of component primitives (e.g., ACE and the level system) separately and then combining them into a bigger proof (e.g., of deniable encryption or the level system). It is possible to prove security of our deniable encryption where the programs of deniable encryption are obfuscated only once. That is, the programs of deniable encryption can use unobfuscated code of the programs of the level system and ACE. However, to show security in this case, one would have to “unroll” all proofs, i.e., substitute the proof of, say, ACE in place of each reduction to the security of ACE in the main proof. Needless to say, writing, and more importantly verifying, such a proof would be very onerous (certainly from the perspective of the authors, who think of themselves as polynomially-bounded Turing machines). Nevertheless, in appendix B we briefly explain why such a proof could be written. Intuitively, this holds for the following reason: say that in the proof of ACE we punctured the PRF and reduced to the security of the obfuscation (of the ACE source code). Then we can do the same reduction in the “unrolled” proof, since that punctured PRF key, which is now part of the source code of a deniable encryption program, is still protected by the obfuscation on top of that program.
We state our theorem with a parameter $\sigma$ representing the size of the source code of the programs of the deniable encryption scheme. As long as our construction uses only one layer of iO, $\sigma = O(\lambda^3)$ (the $\lambda^3$ comes from the fact that all programs of deniable encryption use keys of a relaxed ACE, which have size $O(\lambda^3)$: each key consists of $O(\lambda)$ PRF keys, these keys are punctured in the security proof, and each punctured PRF key has size $O(\lambda^2)$).