Professional Documents
Culture Documents
5 3 Deniable Functional Encryption
5 3 Deniable Functional Encryption
5 3 Deniable Functional Encryption
1
IBM Research, Zurich
2
University of Luxembourg
3
Georgetown University, USA
PKC 2016
Academia Sinica, Taipei, TAIWAN March 6-9, 2016
Deniable Encryption (explained to kids)
Grrr… IIsam
Ohhh… there a manwill
so sorry, in the
you ever How can you doubt my fidelity?!
middle?!?
forgive me? I intercepted this
We is
This will
my see tonight…
SK, see with your own
encrypted msg, show me what
eyes…
is inside!
See
See
Your you
husband’s
you tonight.
suit is
tonight.
ready. The
Adam
Adam
Laundress
= Setup(1λ)
(during the night…)
Functional Encryption
PK MSK
Token(f)=KeyGen(MSK,f) f
Enc(msg)
{
If From=‘’Adam’’ return Priority,
f(msg)= If From=‘’Bob’’ return Discard,
Else ….
Motivating Deniability for FE: Secure Routing
Encrypted package goes from
Alice to Adam
5
Our Results
Receiver-deniable FE for general functions BB from any FE
Efficient constructions
Receiver-deniable FE
Receiver Deniability Games: RealRecDenExp FakeRecDenExp
RealRecDenExp and K1(f, Ct*, x*): K2(f, Ct*, x*):
FakeRecDenExp Sk f= KeyGen(Msk, f); Sk f= RecFake(Msk, Ct,* x*);
Output: Skf Output: Skf
AdvO1,O2,K Challenger
PK
Ct = Enc(PK, x; r);
Msk
(x*,y*) Skf = RecFake(Msk,Ct,y);
O (f,x,y):
1
Ct = Enc(PK,x;r);
O2(f,x,y):
Ct = Enc(PK, y; r);
f(y) = Dec(Ct,Sk f);
Sk = KeyGen(Msk,
f f); Skf = RecFake(Msk, f, Ct, x);
Ct = Enc(PK,x’;
Real: Ct* = Enc(x*;r)
Output:r);
(Ct,Sk )f Output: (Ct, Skf)
Decryption Decryption
f(m) f(m)
DIJOPP13’s transform (simplified)
IND-secure scheme:
Ciphertext Token
msg f
SIM-secure scheme:
Ciphertext Token
[msg , flag , encryption key] [f, encrypted output]
Normal mode [msg,0,$] [f,$]
Trapdoor mode [0n,1,key] [f , Enckey(f(msg))]
Trapdoor circuit for RecDen (simplified)
Circuit Trap[C,t,z,t’,z’](x’):
(x,s) x’;
If F(s,t)=z return 1;
Else if F(s,t’)=z’ return 0; Target Ciphertext
Else return C(x); Ct*=Enc(x,s)
Other Ciphertexts
Decryption
Decryption
1 if Fs(t)=z
C(x) 0 if Fs(t’)=z’
MultiDistRecDen (General Idea)
Token=(Trap2Tok, TCt), where Trap2Tok is a Token for
a trapdoor circuit for a 2-FE
Decrypt(Trap2Tok, Ct*,TCt)=C(y)
MultiDistRecDen Construction (simplified)
c=Ct Normal
cCt Trapdoor mode
mode
Tok(C)=(Trap2Tok[t],
Tok(C)=(Trap2Tok[t],TCt=Enc(z,
TCt=Enc(z,Ct, x’))
c, x’)) Ct =Enc(x)
C(x’)
C(x)
Trapdoor circuit for MultiDistRecDen
Negative implications and Optimality of our results
Vincenzo thanks FNR (Luxembourg) to fund his research and Gabriele Lenzini for the drawings in the 3 rd slide