Deniable encryption, first introduced by Canetti et al. (CRYPTO 1997), allows equivocation of encrypted communication.
In this work we generalize its study to functional encryption (FE).
Our results are summarized as follows:
We first put forward and motivate the concept of receiver deniable FE, for which we consider two models. In the first model, as previously considered by O'Neill et al. (CRYPTO 2011) in the case of identity-based encryption, a receiver gets assistance from the master authority to generate a fake secret key. In the second model, there are ``normal'' and ``deniable'' secret keys, and a receiver in possession of a deniable secret key can produce a fake but authentic-looking normal key on its own.
In the first model, we show a compiler from any FE scheme for the general circuit functionality to a FE scheme having receiver deniability.
In addition we show an efficient receiver deniable FE scheme for Boolean Formulae from bilinear maps. In the second (multi-distributional) model, we present a specific FE scheme for the general circuit functionality having receiver deniability. To our knowledge, a scheme in the multi-distributional model was not previously known even for the special case of identity-based encryption.
Finally, we construct the first sender (non-multi-distributional) deniable FE scheme
