**The Edited Truth**

*Shafi Goldwasser and Saleet Klein and Daniel Wichs*

**Abstract: **We introduce two new cryptographic notions in the realm of public and symmetric key encryption.

Encryption with invisible edits is an encryption scheme with two tiers of users: "privileged" and "unprivileged". Privileged users know a key pair $(pk, sk)$ and "unprivileged" users know a key pair $(pk_e, sk_e)$ which is associated with an underlying edit $e$ to be applied to messages encrypted. Each key pair on its own works exactly as in standard public-key encryption, but when an unprivileged user attempts to decrypt a ciphertext generated by a privileged user of an underlying plaintext $m$, it will be decrypted to an edited $m' = Edit(m,e)$. Here, $Edit$ is some supported edit function and $e$ is a description of the particular edit to be applied. For example, we might want the edit to overwrite several sensitive blocks of data, replace all occurrences of one word with a different word, airbrush an encrypted image, etc. A user shouldn't be able to tell whether he's an unprivileged or a privileged user.

An encryption with deniable edits is an encryption scheme which allows a user who owns a ciphertext $c$ encrypting a large corpus of data $m$ under a secret key $sk$, to generate an alternative but legitimate looking secret key $sk_{e,c}$ that decrypts $c$ to an "edited" version of the data $m'=Edit(m,e)$. This generalizes classical receiver deniable encryption, which can be viewed as a special case of deniable edits where the edit function performs a complete replacement of the original data. The new flexibility allows us to design solutions with much smaller key sizes than required in classical receiver deniable encryption, and in particular allows the key size to only scale with the description size of the edit $e$ which can be much smaller than the size of the plaintext data $m$.

We construct encryption schemes with deniable and invisible edits for any polynomial-time computable edit function under minimal assumptions: in the public-key setting we only require the existence of standard public-key encryption and in the symmetric-key setting we only require the existence of one-way functions.

The solutions to both problems use common ideas, however there is a significant conceptual difference between deniable edits and invisible edits. Whereas encryption with deniable edits enables a user to modify the meaning of a single ciphertext in hindsight, the goal of encryption with invisible edits is to enable ongoing modifications of multiple ciphertexts.

**Category / Keywords: **Deniable Encryption, Functional Encryption

**Date: **received 20 Jul 2017, last revised 25 Jul 2017

**Contact author: **saleet at mit edu

**Available format(s): **PDF | BibTeX Citation

**Version: **20170727:181036 (All versions of this report)

**Short URL: **ia.cr/2017/714

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]