函数加密体制（一） (13-7)

Defining security of abstract functional encryption turns out to be highly non-trivial We begin with a natural indistinguishability game-based definition (based on a defini- tion of secure predicate encryption from |BW07.KSW081). Unfortunately, we show that this simple definition is inadeguate for certain functionalities since trivially inse- cure constructions may satisfy it.

Given the inadequacy of game-based definitions we move to simulation-based def- initions in the spirit of the original notion of semantic security of Goldwasser and Micali [GM84].The goal is to capture the notion that the adversary learns nothing about the plaintext other than functions F(k，·) of the plaintext for which he has a secret key. Somewhat surprisingly, we show a connection to non-committing encryp- tion [CFGN96，Nie02] which proves that our definition cannot be satisfied for the same reason that non-interactive non-committing encryption is impossible. However, we show that our definition can be satisfied in the random oracle model,and we ex- hibit constructions for interesting functionalities that can be shown to be secure.(Inde- pendently, O'Neill[ON10]also observed a gap between simulation and game-based definitions and a connection to non-committing encryption.)

数学联邦政治世界观提示您：看后求收藏（同人小说网http://tongren.me），接着再看更方便。