Receiver-and sender-deniable functional encryption

Deniable encryption, first introduced by Canetti et al. 1997, allows equivocation of encrypted communication. In this work, the authors generalise its study to functional encryption (FE). The authors' results are summarised as follows: They first put forward and motivate the concept of receiver-deniable FE, for which they consider two models. In the first model, as previously considered by O'Neill et al. 2011 in the case of identity-based encryption, a receiver gets assistance from the master authority to generate a fake secret key. In the second model, there are normal' and deniable' secret keys, and a receiver in possession of a deniable secret key can produce a fake but authentic-looking normal key on its own. In the first model, they show a compiler from any FE scheme for circuits to a FE scheme having receiver deniability. In addition, they show an efficient receiver-deniable FE scheme for Boolean formulae from bilinear maps. In the second (multi-distributional) model, they present a specific FE scheme for circuits having receiver deniability. To the authors' knowledge, a scheme in the multi-distributional model was not previously known even for the special case of identity-based encryption. Finally, they construct the first sender (non-multi-distributional) deniable FE scheme