Plausible deniability seems like the ultimate get-out-of-jail-free card. But how can we make it work when it comes to digital information sent in a public network. Deniable encryption, defined by Canetti et al (Crypto 1997), suggests a method to achieve deniability by the sender of encrypted messages to overcome this problem. The idea is especially interesting in the context of electronic elections to eliminate the threat of vote buying after a vote has been cast.

I will present two new works on the subject.

1. With Agarwal and S. Mossel (Crypto21) we define and construct sender Deniable Fully Homomorphic Encryption with compact ciphertexts based on the Learning With Errors (LWE) polynomial hardness assumption. Deniable FHE enables storing encrypted data in the cloud to be processed securely without decryption, maintaining deniability of the encrypted data.
2. With Coladangelo and Vazirani (STOC22), we show a sender deniable encryption scheme where the encryption scheme is a quantum algorithm but the ciphertext is classical which is secure under the LWE polynomial hardness assumption. This scheme achieves for the first time simultaneously compactness, negligible deniability and polynomial encryption timeunder LWE. Furthermore, it is possible to extend the scheme so that coercion in an election cannot take place when the coercer is able to dictate all inputs to the deniable encryption algorithm even prior to encryption.

Traditional blockchains use consensus to sequence and execute transactions. More recent blockchain proposals use broadcast, a weaker, more scalable and lower latency primitive. However, the latter is limited in terms of expressiveness, and system maintenance operations require or at least are simpler given the stronger guarantees provided by consensus. In this talk I will present both paradigms, and describe how we combine them in a single system to get both low-latency for important categories of transactions, as well as the full expressiveness of consensus in general. Safety and liveness become tricky, since the two paradigms have to be combined in a consistent way, and further the broadcast based paths need to provide robust guarantees upon reconfiguration, which relies on consensus. The schemes presented for the first time form the basis of a production system, and I will discuss challenges of defining protocols for production.