Deniable Functional Encryption

Deniable encryption, first introduced by Canetti et al. [14], allows a sender and/or receiver of encrypted communication to produce fake but authentic-looking coins and/or secret keys that "open" the communication to a different message. Here we initiate its study for the more general case of functional encryption (FE), as introduced by Boneh et al. [12], wherein a receiver in possession of a key k can compute from any encryption of a message x the value F(k, x) according to the scheme's functionality F. Our results are summarized as follows:
We put forth and motivate the concept of deniable FE, for which we consider two models. In the first model, as previously considered by O'Neill et al. [31] in the case of identity-based encryption, a receiver gets assistance from the master authority to generate a fake secret key. In the second model, there are "normal" and "deniable" secret keys, and a receiver in possession of a deniable secret key can produce a fake but authentic-looking normal key on its own. This parallels the "multi-distributional" model of deniability previously considered for public-key encryption.
In the first model, we show that any FE scheme for the general circuit functionality (as several recent candidate constructions achieve) can be converted into an FE scheme having receiver deniability, without introducing any additional assumptions. In addition, we show an efficient receiver-deniable FE for Boolean formulae from bilinear maps.
In the second, multi-distributional model, we show a specific FE scheme for the general circuit functionality having receiver deniability. This result additionally assumes differing-inputs obfuscation and relies on a new technique we call delayed trapdoor circuits. To our knowledge, a scheme in the multi-distributional model was not previously known even in the simpler case of identity-based encryption.
Finally, we show that receiver deniability for FE implies some form of simulation security, further motivating study of the latter and implying optimality of our results.

[1] Qiang Tang, et al. On the Power of Public-key Functional Encryption with Function Privacy, 2015, IACR Cryptol. ePrint Arch.

[2] Moni Naor, et al. Public-key cryptosystems provably secure against chosen ciphertext attacks, 1990, STOC '90.

[3] Vincenzo Iovino, et al. Simulation-Based Secure Functional Encryption in the Random Oracle Model, 2015, LATINCRYPT.

[4] Brent Waters, et al. A Punctured Programming Approach to Adaptively Secure Functional Encryption, 2015, CRYPTO.

[5] Manuel Barbosa, et al. On the Semantic Security of Functional Encryption Schemes, 2013, Public Key Cryptography.

[6] Brent Waters, et al. Bi-Deniable Public-Key Encryption, 2011, CRYPTO.

[7] Claudio Orlandi, et al. Lower and Upper Bounds for Deniable Public-Key Encryption, 2011, ASIACRYPT.

[8] Brent Waters, et al. Attribute-Based Encryption for Circuits from Multilinear Maps, 2012, CRYPTO.

[9] Dan Boneh, et al. Function-Private Identity-Based Encryption: Hiding the Function in Functional Encryption, 2013, CRYPTO.

[10] Rafail Ostrovsky, et al. Deniable Encryption, 1997, IACR Cryptol. ePrint Arch.

[11] Kai-Min Chung, et al. On Extractability Obfuscation, 2014, IACR Cryptol. ePrint Arch.

[12] Craig Gentry, et al. Fully Secure Functional Encryption without Obfuscation, 2014, IACR Cryptol. ePrint Arch.

[13] Jonathan Katz, et al. Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products, 2008, Journal of Cryptology.

[14] Amit Sahai, et al. On the (im)possibility of obfuscating programs, 2001, JACM.

[15] Dan Boneh, et al. Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles, 2004, IACR Cryptol. ePrint Arch.

[16] Mark Zhandry, et al. Differing-Inputs Obfuscation and Applications, 2013, IACR Cryptol. ePrint Arch.

[17] Omer Paneth, et al. On the Achievability of Simulation-Based Security for Functional Encryption, 2013, CRYPTO.

[18] Ivan Damgård, et al. Improved Non-committing Encryption Schemes Based on a General Complexity Assumption, 2000, Annual International Cryptology Conference.

[19] Vinod Vaikuntanathan, et al. Functional Encryption with Bounded Collusions via Multi-party Computation, 2012, CRYPTO.

[20] Moni Naor, et al. Magic functions, 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[21] Tatsuaki Okamoto, et al. Adaptively Attribute-Hiding (Hierarchical) Inner Product Encryption, 2012, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.

[22] Brent Waters, et al. Functional Encryption: Definitions and Challenges, 2011, TCC.

[23] Craig Gentry, et al. Fully Secure Attribute Based Encryption from Multilinear Maps, 2014, IACR Cryptol. ePrint Arch.

[24] Elaine Shi, et al. Predicate Privacy in Encryption Systems, 2009, IACR Cryptol. ePrint Arch.

[25] Vincenzo Iovino, et al. Predicate Encryption with Partial Public Keys, 2010, CANS.

[26] Feng-Hao Liu, et al. Bi-Deniable Inner Product Encryption from LWE, 2015, IACR Cryptol. ePrint Arch.

[27] Mihir Bellare, et al. Possibility and Impossibility Results for Encryption and Commitment Secure under Selective Opening, 2009, EUROCRYPT.

[28] Brent Waters, et al. How to use indistinguishability obfuscation: deniable encryption, and more, 2014, IACR Cryptol. ePrint Arch.

[29] Moni Naor, et al. Adaptively secure multi-party computation, 1996, STOC '96.

[30] Adam O'Neill, et al. Definitional Issues in Functional Encryption, 2010, IACR Cryptol. ePrint Arch.

[31] Silvio Micali, et al. Probabilistic Encryption, 1984, J. Comput. Syst. Sci.

[32] Vinod Vaikuntanathan, et al. Functional Encryption: New Perspectives and Lower Bounds, 2013, IACR Cryptol. ePrint Arch.

[33] Vinod Vaikuntanathan, et al. Attribute-based encryption for circuits, 2013, STOC '13.

[34] Mihir Bellare, et al. Semantically-Secure Functional Encryption: Possibility Results, Impossibility Results and the Quest for a General Definition, 2013, CANS.