Cryptography for Those Assumed Guilty Until Proven Innocent
The presumption of innocence is a crucial and prevailing legal principle in free societies. This principle has informed and influenced the privacy and security needs of users in these societies, and has shaped much of security research, from high-level systems down to the underlying threat models and fundamental security definitions and formalisms.
However, many users worldwide live under oppressive regimes and do not enjoy this principle. These users have different security needs and operate under a different threat model. As a result, they require alternative systems and definitions.
Active Projects
End-to-end encrypted messaging systems like Signal and WhatsApp are popular and widely used. They ensure that conversation content remains private and secure even in the presence of powerful adversaries. Because of their popularity, the mere fact that a user sent an encrypted message does not indicate that the user is engaged in any sensitive or nefarious behavior: in a free society, this fact by itself does not provide "probable cause" for intruding on the conversation, e.g., confiscating the user's phone to view the conversation. However, oppressive regimes operate under a different rationale, where the threshold for intrusion is much lower and users are often presumed guilty unless proven innocent. For example, user phones may be regularly searched at checkpoints, because of baseless rumors, or for arbitrary reasons.
We believe that users in such scenarios need different security properties. They need to be able to deny having sent any particular sensitive message even if their phones and keys are compromised, for example, using deniable encryption, so as to avoid being demonstrably guilty. At the same time, that ability to deny must be hidden from adversaries ("denying the deniability") in order to be able to prove their innocence, even when adversaries have access to users' phones and their communication transcript.
We are building a messaging protocol and system that provides users under oppressive regimes with these exact guarantees, essentially allowing users of this protocol to blend in, undetected, with users of standard messaging applications.
Future Ideas
We observe that standard textbook cryptographic security definitions are often geared towards the security needs and requirements of users in free countries, and reflect the legal and political modus operandi of those countries. While those needs are indeed very valuable, we observe that users operating under different legal, political, or societal regimes often have different needs that at times go unmet. We are interested in formally defining these security properties using the tools of cryptography, e.g., as security games, and in investigating how they can be realized in various settings. Central to our view is the notion of "forging innocence" even with respect to strong adversaries that, e.g., have adaptive access to user devices.