A Definitional Framework for Functional Encryption

Matt, Christian; Maurer, Ueli

doi:10.1109/csf.2015.22

Cited by 8 publications

(35 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Relation to functional encryption. Identity-based encryption is known to be a special case of functional encryption [5], which has already been modeled in the constructive cryptography framework [12]. However, the results from that paper cannot directly be applied to the context of non-interactive communication as studied in our paper.…”

Section: Related Workmentioning

confidence: 95%

“…However, the results from that paper cannot directly be applied to the context of non-interactive communication as studied in our paper. One reason is that a different goal was modeled in [12] (namely adding access control to a public repository), where only three parties are considered. More importantly, we analyze security definitions which are specific to IBE, while [12] only considers (simulation based) security definitions for general functional encryption, which are more involved.…”

Section: Related Workmentioning

confidence: 99%

“…One reason is that a different goal was modeled in [12] (namely adding access control to a public repository), where only three parties are considered. More importantly, we analyze security definitions which are specific to IBE, while [12] only considers (simulation based) security definitions for general functional encryption, which are more involved. We note, however, that the same commitment problem arises in the context of functional encryption [5].…”

Section: Related Workmentioning

confidence: 99%

“…Our protocol IBE ro uses the same idea as Nielsen's scheme [18] and essentially corresponds to the transformation from [5,Section 5.3] (see also [12]) applied to an IBE scheme. At a high level, it works as follows: To send a message m for identity id , choose a bit string r (of sufficient length, say λ) uniformly at random, input (r, 1), .…”

Section: Construction Of Delivery Controlled Channelsmentioning

confidence: 99%

See 3 more Smart Citations

Idealizing Identity-Based Encryption

Hofheinz

Matt

Maurer

2015

Advances in Cryptology -- ASIACRYPT 2015

Self Cite

View full text Add to dashboard Cite

We formalize the standard application of identity-based encryption (IBE), namely noninteractive secure communication, as realizing an ideal system which we call delivery controlled channel (DCC). This system allows users to be registered (by a central authority) for an identity and to send messages securely to other users only known by their identity.Quite surprisingly, we show that existing security definitions for IBE are not sufficient to realize DCC. In fact, it is impossible to do so in the standard model. We show, however, how to adjust any IBE scheme that satisfies the standard security definition IND-ID-CPA to achieve this goal in the random oracle model.We also show that the impossibility result can be avoided in the standard model by considering a weaker ideal system that requires all users to be registered in an initial phase before any messages are sent. To achieve this, a weaker security notion, which we introduce and call IND-ID1-CPA, is actually sufficient. This justifies our new security definition and might open the door for more efficient schemes. We further investigate which ideal systems can be realized with schemes satisfying the standard notion and variants of selective security.As a contribution of independent interest, we show how to model features of an ideal system that are potentially available to dishonest parties but not guaranteed, and which such features arise when using IBE.

show abstract

Section: Related Workmentioning

confidence: 95%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Construction Of Delivery Controlled Channelsmentioning

confidence: 99%

See 2 more Smart Citations

Idealizing Identity-Based Encryption

Hofheinz

Matt

Maurer

2015

Advances in Cryptology -- ASIACRYPT 2015

Self Cite

View full text Add to dashboard Cite

show abstract

“…In [30] the authors formally prove security of the proposed protocol, however their proof is in the standalone setting. In a related work, Matt and Maurer [45] show (building on [3]) that composable functional encryption (CFE) is impossible to achieve in the standard model, but achievable in the random oracle model. For another important variant of the primitive, namely, randomized functional encryption, existing constructions [2,34,41], are limited in the sense that they require a new functional key for each invocation of the function, i.e., decryptions with the same functional key always return the same output.…”

Section: Introductionmentioning

confidence: 99%