Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like...
Transcript of Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like...
![Page 1: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/1.jpg)
Functional Encryption: Deterministic to Randomized Functions from
Simple Assumptions
Shashank Agrawal and David J. Wu
![Page 2: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/2.jpg)
Public-Key Functional Encryption [BSW11, O’N10]
Keys are associated with deterministic functions 𝑓
𝑚 Decrypt(sk𝑓 , ct𝑚) 𝑓(𝑚)
𝑥
𝑓(𝑥)
sk𝑓
sk𝑓
![Page 3: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/3.jpg)
Public-Key Functional Encryption [BSW11, O’N10]
• Setup 1𝜆 : Outputs (msk,mpk)
• KeyGen(msk, 𝑓): Outputs decryption key sk𝑓
• Encrypt mpk,𝑚 : Outputs ciphertext ct𝑚
• Decrypt(sk𝑓, ct𝑚): Outputs 𝑓 𝑚
![Page 4: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/4.jpg)
Public-Key Functional Encryption [BSW11, O’N10]
• Setup 1𝜆 : Outputs (msk,mpk)
• KeyGen(msk, 𝑓): Outputs decryption key sk𝑓
• Encrypt mpk,𝑚 : Outputs ciphertext ct𝑚
• Decrypt(sk𝑓, ct𝑚): Outputs 𝑓 𝑚
Deterministicfunction 𝑓
![Page 5: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/5.jpg)
Functional Encryption for Randomized Functionalities (rFE) [GJKS15]
But what if 𝑓 is randomized?
Many interesting functions are randomized
𝑥
𝑓(𝑥 ; 𝑟)
𝑟
![Page 6: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/6.jpg)
Application 1: Proxy Re-Encryption
Alice Alice
personal email
work email
Secretary
Mail server has functional key to re-encrypt message under
secretary’s public key
![Page 7: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/7.jpg)
Application 2: Auditing an Encrypted Database
Encrypted database of records
𝑟1 𝑟2 𝑟3 𝑟4 𝑟5 𝑟6
Sample a random subset to audit
𝑟2 𝑟6
![Page 8: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/8.jpg)
Does Public-Key rFE Exist?
iOGeneral-
Purpose rFE
[GJKS15]
(selectively secure)
![Page 9: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/9.jpg)
Public-Key Functional Encryption [BSW11, O’N10]
PKE / LWEBounded-
Collusion FE
Multilinear Maps / iO
General-Purpose FE
[SS10, GVW12, GKPVZ13, …]
[GGHRSW13, Wat15, GGHZ16, …]
Can be instantiated from a wide range of assumptions
![Page 10: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/10.jpg)
The Landscape of (Public-Key) Functional Encryption
PKE / LWEBounded-
Collusion FE
Multilinear Maps / iO
General-Purpose FE
Generally adaptively secure
iOGeneral-
Purpose rFE
Selectively secure
Deterministic functionalities Randomized functionalities[SS10, GVW12, …]
[GGHRSW13, GGHZ16, … ]
[GJKS15]
![Page 11: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/11.jpg)
PKE / LWE
Multilinear Maps / iO
General-Purpose rFE
The Landscape of (Public-Key) Functional Encryption
Does extending FE to support randomized functionalities require
much stronger tools?
![Page 12: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/12.jpg)
Our Main Result
General-purpose FE for deterministic
functionalities
Number Theory
(e.g., DDH, RSA)
General-purpose FE for randomized functionalities
Implication: randomized FE is not much more difficult to construct than standard FE.
![Page 13: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/13.jpg)
Defining rFE
![Page 14: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/14.jpg)
Correctness for FE
Deterministic functions
𝑚 Decrypt(sk𝑓 , ct𝑚) 𝑓(𝑚)sk𝑓
![Page 15: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/15.jpg)
Correctness for rFE [GJKS15]
Randomized functions
𝑚 Decrypt(sk𝑓 , ct𝑚) 𝑓(𝑚; 𝑟)sk𝑓
𝑚′ Decrypt(sk𝑓 , ct𝑚′) 𝑓(𝑚′; 𝑟′)sk𝑓
Same function key
Different ciphertexts
Independent draws from output distribution
![Page 16: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/16.jpg)
Correctness for rFE [GJKS15]
Randomized functionalities
𝑚 Decrypt(sk𝑓 , ct𝑚) 𝑓(𝑚; 𝑟)sk𝑓
𝑚 Decrypt(sk𝑓′ , ct𝑚) 𝑓′(𝑚; 𝑟′)sk𝑓′
Different function keys
Same ciphertexts
Independent draws from output distribution
![Page 17: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/17.jpg)
Simulation-Based Security (Informally)
Real World: honestly generated ciphertexts
and secret keys
Ideal World: simulated ciphertexts
and secret keys
𝑚
sk𝑓𝑓
𝑓(𝑚)
𝑚
msk
𝑓
𝑚
sk𝑓
![Page 18: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/18.jpg)
Simulation-Based Security (Informally)
Real World: honestly generated ciphertexts
and secret keys
Ideal World: simulated ciphertexts
and secret keys
𝑚
sk𝑓𝑓
𝑓(𝑚)
𝑚
msk
𝑓
𝑚
sk𝑓
Simulator only sees 𝑓 𝑚
![Page 19: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/19.jpg)
Encrypted database of records
𝑟1 𝑟2 𝑟3 𝑟4 𝑟5 𝑟6
Sample a random subset to audit
𝑟2 𝑟6
What if encrypter (bank)
is adversarial?
The Case for Malicious Encrypters [GJKS15]
![Page 20: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/20.jpg)
Randomized functionalities
𝑚 Decrypt(sk𝑓 , ct𝑚) 𝑓(𝑚; 𝑟)sk𝑓
𝑚′ Decrypt(sk𝑓 , ct𝑚′) 𝑓(𝑚′; 𝑟)sk𝑓
Dishonest encrypters can construct “bad” ciphertexts such
that decryption produces correlated outputs
The Case for Malicious Encrypters [GJKS15]
![Page 21: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/21.jpg)
Randomized functionalities
𝑚 Decrypt(sk𝑓 , ct𝑚) 𝑓(𝑚; 𝑟)sk𝑓
𝑚′ Decrypt(sk𝑓 , ct𝑚′) 𝑓(𝑚′; 𝑟)sk𝑓
Formally captured by giving adversary access to a decryption oracle (like in the CCA-security
game). [See paper for details.]
The Case for Malicious Encrypters [GJKS15]
![Page 22: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/22.jpg)
Our Generic Transformation
![Page 23: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/23.jpg)
Starting Point: Derandomization
𝑥
𝑓 𝑥; PRF 𝑘, 𝑥
𝑘
Starting point: construct “derandomizedfunction” where randomness for 𝑓
derived from outputs of a PRF
Randomized functionality
Derandomized functionality
𝑥
𝑓(𝑥 ; 𝑟)
𝑟
![Page 24: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/24.jpg)
Starting Point: Derandomization
𝑥
𝑓 𝑥; PRF 𝑘, 𝑥
𝑘
Randomized functionality
Derandomized functionality
𝑥
𝑓(𝑥 ; 𝑟)
𝑟
Randomized function 𝑓Derandomized function 𝑔𝑘:
𝑔𝑘 𝑥 = 𝑓 𝑥, PRF 𝑘, 𝑥
![Page 25: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/25.jpg)
Starting Point: Derandomization
𝑥
𝑓 𝑥; PRF 𝑘, 𝑥
𝑘
Randomized functionality
Derandomized functionality
𝑥
𝑓(𝑥 ; 𝑟)
𝑟
Randomized function 𝑓Derandomized function 𝑔𝑘:
𝑔𝑘 𝑥 = 𝑓 𝑥, PRF 𝑘, 𝑥
PRF key embedded inside 𝑔𝑘
![Page 26: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/26.jpg)
Starting Point: Derandomization
sk𝑔𝑘
rFE. KeyGen(msk, 𝑓)
FE. KeyGen(msk, 𝑔𝑘)
But in public-key setting, keys do not hide the
function!𝑘 R𝒦
𝑔𝑘 𝑥 = 𝑓 𝑥, PRF 𝑘, 𝑥
![Page 27: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/27.jpg)
Starting Point: Derandomization
sk𝑔𝑘
rFE. KeyGen(msk, 𝑓)
FE. KeyGen(msk, 𝑔𝑘)
Given sk𝑔𝑘, adversary can
learn the PRF key 𝑘𝑘 R𝒦
𝑔𝑘 𝑥 = 𝑓 𝑥, PRF 𝑘, 𝑥
![Page 28: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/28.jpg)
How to Hide the Key?
Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext
PRF key 𝑘
𝑘1 𝑘2Key share in ciphertext
Secret-share the PRF key
Key share in function key
![Page 29: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/29.jpg)
How to Hide the Key?
Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext
rFE. Encrypt(mpk,𝑚)
FE. Encrypt mpk, 𝑚, 𝑘1
𝑘1 R𝒦
(𝑚, 𝑘1)
![Page 30: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/30.jpg)
How to Hide the Key?
Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext
rFE. KeyGen(msk, 𝑓)
FE. KeyGen msk, 𝑔𝑘2
𝑘2 R𝒦
sk𝑔𝑘2
𝑔𝑘2 𝑚, 𝑘1 = 𝑓(𝑚 ; PRF(𝑘1 ⋄ 𝑘2, 𝑚)
Some operation to combine shares of key
![Page 31: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/31.jpg)
How to Hide the Key?
Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext
rFE. KeyGen(msk, 𝑓)
FE. KeyGen msk, 𝑔𝑘2
𝑘2 R𝒦
sk𝑔𝑘2
𝑔𝑘2 𝑚, 𝑘1 = 𝑓(𝑚 ; PRF(𝑘1 ⋄ 𝑘2, 𝑚)
Encrypter controls 𝑘1so we need related-
key security
![Page 32: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/32.jpg)
Security Against Dishonest Encrypters
Encrypter has a lot of flexibility in constructing ciphertexts:
rFE. Encrypt(mpk,𝑚)
FE. Encrypt mpk, 𝑚, 𝑘1
𝑘1 R𝒦
(𝑚, 𝑘1)
Encrypter can choose the key-
share
Encrypter can choose the randomness
Cannot influence output distribution due to RKA-security
Potentially problematic
![Page 33: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/33.jpg)
Security Against Dishonest Encrypters
Encrypter has a lot of flexibility in constructing ciphertexts:
FE. Encrypt mpk, 𝑚, 𝑘1
(𝑚, 𝑘1) (𝑚, 𝑘1)
Two distinct FE ciphertexts encrypting the same message
Run encryption algorithm twice with different randomness
![Page 34: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/34.jpg)
Security Against Dishonest Encrypters
Encrypter has a lot of flexibility in constructing ciphertexts:
(𝑚, 𝑘1)
(𝑚, 𝑘1)
Reality: Decryption always produces same output
Desired: Two different ciphertexts, so should produces independent outputs
Encrypter has too much freedom in constructing ciphertexts
![Page 35: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/35.jpg)
Applying Deterministic Encryption
Key observation: honestly generated ciphertexts have high entropy
(𝑚, 𝑘1)
Derive encryption randomness from 𝑘1 and
include a NIZK argument that ciphertext is well-formed
Should be random PRF key – high entropy!
![Page 36: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/36.jpg)
Putting the Pieces Together
rFE. Encrypt(mpk,𝑚)
FE. Encrypt mpk, 𝑚, 𝑘1 ; ℎ(𝑘1)
𝑘1 R𝒦
𝜋
NIZK argument of knowledge of (𝑚, 𝑘1)
that explains ciphertext
Randomness for FE encryption derived from deterministic function on 𝑘1 (e.g., a PRG) [See paper for full details.]
![Page 37: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/37.jpg)
Putting the Pieces Together
rFE. Encrypt(mpk,𝑚)
FE. Encrypt mpk, 𝑚, 𝑘1 ; ℎ(𝑘1)
𝑘1 R𝒦
𝜋
Ciphertext is a deterministic function of 𝑚, 𝑘1 so for any distinct pairs (𝑚, 𝑘1), (𝑚
′, 𝑘1′ ), outputs of PRF
uniform and independently distributed by RKA-security
[See paper for full details.]
![Page 38: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/38.jpg)
Our Transformation in a Nutshell
Simulation-secure FE
DDH + RSA
NIZK arguments
RKA-secure PRF
deterministic encryption
Simulation-secure rFE
Security properties of underlying FE scheme is preserved (e.g., adaptive
security)
![Page 39: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/39.jpg)
The State of (Public-Key) Functional Encryption
PKE / LWEBounded-
Collusion FE
Multilinear Maps / iO
General-Purpose FE
Generally adaptively secure
iOGeneral-
Purpose rFE
Selectively secure
Deterministic functionalities Randomized functionalities[SS10, GVW12, …]
[GGHRSW13, GGHZ16, … ]
[GJKS15]
![Page 40: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/40.jpg)
The State of (Public-Key) Functional Encryption
PKE / LWEBounded-
Collusion FE
Multilinear Maps / iO
General-Purpose FE
[SS10, GVW12, …]
[GGHRSW13, GGHZ16, … ]
Bounded-Collusion rFE
General-Purpose rFE
Number-theoretic assumptions
Adaptively secure against malicious
encrypters!
This work
![Page 41: Functional Encryption: Deterministic to Randomized …adversary access to a decryption oracle (like in the CCA-security game). [See paper for details.] The Case for Malicious Encrypters](https://reader035.fdocuments.us/reader035/viewer/2022071102/5fdb4421c6a6566bed3e72c1/html5/thumbnails/41.jpg)
Open Questions
• More direct / efficient constructions of rFE for simpler classes of functionalities (e.g., sampling random entries from a vector)?
• Generic construction of rFE from FE without making additional assumptions?
• Generic transformation for indistinguishability-based notions of security?
Thank you!http://eprint.iacr.org/2016/482