1 Introduction

In the last few years, much research in cryptography has focused on exploring powerful new cryptographic primitives such as witness encryption (WE) [7] and indistinguishability obfuscation (iO) [1, 6]. Although we have candidate constructions of these primitives, they rely on a new class of assumptions over multilinear maps (MMAPs) [5] whose computational hardness is poorly understood, so that we lack a high degree of confidence in their security. The grand challenge is to construct WE and iO under standard and well established hardness assumptions, such as the learning with errors (LWE) assumption [16]. In this work we show that this is possible for a non-trivial relaxation of these primitives. But first, let us review what these primitives are.

Witness Encryption. Witness encryption (WE), introduced by Garg et al. [7], allows us to use an arbitrary \({{\textsf {NP}}}\) statement x as a public key to encrypt a message. If x is a true statement then any user who knows the corresponding witness w for x will be able to decrypt the message, but if x is a false statement then the encrypted message is computationally hidden. For example, we could encrypt a bitcoin reward under the \({{\textsf {NP}}}\) statement that corresponds to the Riemann hypothesis being true and having a proof of some polynomially bounded size. If anyone comes up with such a proof for the Riemann hypothesis, then they can use that as the witness to decrypt the ciphertext and recover the bitcoin reward.

Indistinguishability Obfuscation (for Null Circuits). The goal of obfuscation [1] is to convert a program/circuit C into a functionally equivalent program/circuit in a way that hides all aspects of the internal implementation of C, but still allows one to evaluate it on arbitrary inputs. Ideally, seeing an obfuscated version of C would reveal nothing more than what one could learn via black-box access to the functionality that C implements. Unfortunately, this strong definition of obfuscation, called virtual black box (VBB), is known to be unachievable in general for all programs [1]. A weaker variant called indistinguishability obfuscation (iO) [1, 6] only insists that if two equal size circuits \(C,C'\) are functionally equivalent, meaning that \(C(x) = C'(x)\) for all inputs x, then their obfuscations should be indistinguishable. A huge body of recent works starting with [17] shows how to use iO to construct a plethora of advanced cryptographic primitives for which no constructions were previously known. An even weaker variant called null iO (niO, see [11, 19]) only insists that the obfuscations of C and \(C'\) are indistinguishable if the two circuits are both null circuits, meaning that \(C(x) = C'(x) = 0\) for all inputs x. Although security is only defined for null circuits, we still require the niO obfuscator to work correctly and preserve the functionality of all circuits, including ones that are not null.

It is obvious that iO implies niO and relatively easy to see that niO implies WE. In particular, to encrypt a message b under an \({{\textsf {NP}}}\) statement x we can use an niO scheme to obfuscate the circuit \(C[x,b]\) that outputs b given a valid witness w for x as input and otherwise outputs 0; to argue security we rely on the fact that when x is not in the language then this is a null circuit. The works of [11, 19] show that, under the Learning-With-Errors (LWE) assumption, witness encryption (WE) also implies null iO (niO). It remains a major open problem whether niO implies full iO.

Non-trivially Exponentially-Efficient Schemes. In the standard definition of witness encryption, the encryption procedure is required to run in polynomial time. Indeed, otherwise there would be a trivial perfectly secure witness encryption scheme where the encryption procedure simply checks whether the statement x is true (by trying every possible witness) and if so it outputs the message in the clear and otherwise it outputs a dummy value as the ciphertext. For \({{\textsf {NP}}}\) relations where the witness is of size m, the run-time of the trivial encryption procedure is \(\widetilde{O}(2^m)\). Similarly, there are trivial perfectly secure iO and niO schemes where, for circuits with input size n, the obfuscation procedure runs in \(\widetilde{O}(2^n)\) time and outputs the entire truth table of the circuit. Such schemes are trivially exponentially efficient.

We define the notion of non-trivially exponentially efficient WE (XWE) as a relaxation of WE where we require that for \({{\textsf {NP}}}\) relations with witness length m, the encryption run-time is \(\widetilde{O}(2^{\gamma m})\) for some constant \(\gamma < 1\). Similarly, we define non-trivially exponentially efficient niO (XniO) analogously by requiring that for circuits with input size n the obfuscator run-time is \(\widetilde{O}(2^{\gamma n})\) for some constant \(\gamma < 1\). We call \(\gamma \) the compression factor. The above notions are analogous to the notion of non-trivially exponentially efficient iO (XiO) defined by Lin et al. [15], which requires that the size of the obfuscated program is \(\widetilde{O}(2^{\gamma n})\). In [15] it was shown that XiO implies fully efficient iO under the sub-exponential LWE assumption. Unfortunately, we do not have any such connections showing that XWE implies WE or that XniO implies niO, and it remains an open problem to explore whether any such connections hold. Nevertheless, we believe that XWE and XniO are interesting relaxations of WE and niO and are worthy of study.

Our Results. We show how to construct XWE and XniO with compression factor \(\gamma = \frac{1}{2}\) under the sub-exponential LWE assumption. For \({{\textsf {NP}}}\) relations that can be verified in \({{\textsf {NC}}^1}\) (e.g., SAT) we also get XWE with compression factor \(\gamma = \frac{1}{2}\) under the Decisional Bilinear Diffie-Hellman (DBDH) assumption. Our constructions turn out to be extremely simple applications of attribute based encryption (ABE) [3, 4, 9, 18].

Improving on our result and pushing the compression factor further below \(\frac{1}{2}\) remains an open problem. Note that XWE and XniO with a sufficiently small compression factor \(O(\log m/m)\) are equivalent to the standard notions of WE and niO respectively. Currently even achieving a compression factor of \(\frac{1}{3}\) would be significant progress. Our only result in this direction is a scheme under the sub-exponential LWE assumption which achieves ciphertext length as short as \(\widetilde{O}(2^{m/3})\), but at the cost of increasing the encryption complexity to \(\widetilde{O}(2^{2 m/3})\). We also suggest an approach for getting smaller compression factors and ultimately fully efficient WE and niO schemes via multi-input ABE. Unfortunately, we currently do not have any instantiation of this primitive under standard assumptions.

Our Techniques: From ABE to XWE. An (unbounded collusion) ABE scheme allows us to create ciphertexts \(c = \mathsf {Enc}(\alpha ,b)\) encrypting a message b with respect to an attribute \(\alpha \). Furthermore, we can release secret keys \(\mathsf {sk}_f\) that are tied to some functions f. If \(f(\alpha )=1\) then the secret key \(\mathsf {sk}_f\) can correctly decrypt c and recover b. However, given only secret keys \(\mathsf {sk}_{f_1},\ldots ,\mathsf {sk}_{f_p}\) for functions such that \(f_1(\alpha )= \cdots = f_p(\alpha ) = 0\), the ciphertext c cannot be decrypted and the message b remains hidden. We can use ABE to construct an XWE scheme for any \({{\textsf {NP}}}\) language having witness size m where the running time of the encryption procedure is \(\widetilde{O}(2^{m/2})\). To create a WE encryption of a message b under a statement x, we create \(2^{m/2}\) secret keys \(\mathsf {sk}_{f_{w_1}}\) for all choices of \(w_1 \in \{0,1\} ^{m/2}\) and we create \(2^{m/2}\) ciphertexts \(c_{w_2} = \mathsf {Enc}(w_2,b)\) for all choices of \(w_2 \in \{0,1\} ^{m/2}\), where we define the function \(f_{w_1}(w_2) = 1\) if and only if \(w=w_1w_2\) is a valid witness for the statement x. Given a witness \(w = w_1w_2\) we can recover b by decrypting the ciphertext \(c_{w_2}\) with the secret key \(\mathsf {sk}_{f_{w_1}}\). However, if x is a false statement, then every \(f_{w_1}\) evaluates to 0 on every \(w_2\), and we can rely on sub-exponential ABE security to argue that the bit b is computationally hidden. This gives us an XWE scheme with compression \(\gamma = \frac{1}{2}\) by instantiating the ABE with known constructions based on LWE and DBDH. An analogous idea was used by Bitansky et al. [2] to go from symmetric-key functional encryption to XiO, but we currently do not have any constructions of the former primitive under any standard assumptions.

It turns out that the transformation from WE to niO from [11, 19] also transforms XWE to XniO while preserving the compression factor and therefore, under the sub-exponential LWE assumption, the above technique also gives us XniO schemes with compression \(\gamma = \frac{1}{2}\). Alternately, if we apply the above technique but start with a predicate encryption (PE) [10] instead of ABE then the above transformation gives an XWE scheme where the ciphertext also hides the statement x (as long as it is a false statement) which is equivalent to XniO.

We show that the above technique can also be extended to get more general tradeoffs between encryption time, ciphertext size and decryption time in XWE. For example, under the sub-exponential LWE assumption, we can decrease the ciphertext size to \(\widetilde{O}(2^{m/3})\) at the cost of increasing the encryption time to \(\widetilde{O}(2^{2m/3})\).

In Appendix A, we also show that the above technique can be extended to getting a better compression factor by relying on multi-input ABE. In particular, if we had a k-input ABE scheme we would get an XWE scheme with compression factor \(1/(k+1)\) for languages with instances of size n and witnesses of size \(k\cdot \log n\).

Paper Organization. The rest of the paper is organized as follows: In Sect. 2, we recall basic cryptographic notions involved in this work. Our transform from ABE to non-trivially exponentially efficient witness encryption is then described in Sect. 3. The latter section also contains instantiations under standard assumptions and our extension to non-trivially exponentially efficient null-iO. Finally, Section A details our generalized transform from multi-input ABE. Definitions of null-iO and multi-input ABE are provided in the relevant sections.

2 Preliminaries

In this section we present the notation and basic definitions that are used in this work. For a distribution X we denote by \(x \leftarrow X\) the process of sampling a value x from the distribution X. Similarly, for a set \(\mathcal {X}\) we denote by \(x \leftarrow \mathcal {X}\) the process of sampling a value x from the uniform distribution over \(\mathcal {X}\). For a randomized function f and an input \(x\in \mathcal {X}\), we denote by \(y\leftarrow f(x)\) the process of sampling a value y from the distribution f(x). For an integer \(n \in \mathbb {N}\) we denote by [n] the set \(\{1,\ldots , n\}\). A function \({\mathsf {neg}}:\mathbb {N}\rightarrow \mathbb {R}\) is negligible if for every constant \(c > 0\) there exists an integer \(N_c\) such that \({\mathsf {neg}}(\lambda ) < \lambda ^{-c}\) for all \(\lambda > N_c\). Throughout this paper we denote by \(\lambda \) the security parameter.

Two sequences of random variables \(X = \{ X_\lambda \}_{\lambda \in \mathbb {N}}\) and \(Y = \{Y_\lambda \}_{\lambda \in \mathbb {N}}\) are \((t,\epsilon )\)-computationally indistinguishable for \(t=t(\lambda )\) and \(\epsilon =\epsilon (\lambda )\), denoted by \(X \approx _{t,\epsilon } Y\), if for any probabilistic distinguisher D that runs in time \(t=t(\lambda )\), it holds that \(\left| \Pr [D(1^{\lambda }, X_\lambda ) = 1] - \Pr [D(1^{\lambda },Y_\lambda ) = 1] \right| \le \epsilon (\lambda )\) for all sufficiently large \(\lambda \in \mathbb {N}\). We say that X, Y are sub-exponentially indistinguishable if they are \((t,\epsilon )\)-computationally indistinguishable with \(t(\lambda ) = 2^{\lambda ^\delta }\) and \(\epsilon (\lambda ) = 2^{-\lambda ^\delta }\) for some \(\delta >0\).

2.1 Attribute-Based Encryption

We provide a definition of (key-policy, unbounded collusion) attribute-based encryption (ABE). We focus on the private-key variant which suffices for our purposes. An ABE scheme is a standard (private-key) encryption scheme for bits augmented with an additional key-generation procedure for an ensemble of Boolean function families \(\mathcal {F}= \{\mathcal {F}_{\lambda }\}_{\lambda \in \mathbb {N}}\) each mapping \(\mathcal {X}=\{\mathcal {X}_{\lambda }\}_{\lambda \in \mathbb {N}}\) to \(\{ 0,1 \}\), where \(\mathcal {X}\) is some sequence of finite sets. Such a scheme is described by four procedures \((\mathsf {Setup}, \mathsf {KG}, \mathsf {Enc}, \mathsf {Dec})\) with the following syntax:

  1. \(\mathsf {Setup}(1^\lambda )\) gets as input a security parameter and outputs a master secret key \(\mathsf {msk}\).

  2. \(\mathsf {KG}(\mathsf {msk}, f)\) gets as input a master secret key \(\mathsf {msk}\) and a function \(f\in \mathcal {F}_\lambda \) and outputs a key \(\mathsf {sk}_f\).

  3. \(\mathsf {Enc}(\mathsf {msk}, \alpha , b)\) gets as input a master secret key \(\mathsf {msk}\), an attribute \(\alpha \in \mathcal {X}_\lambda \) and a message \(b\in \{ 0,1 \}\), and outputs a ciphertext \(\mathsf {ct}_{\alpha ,b}\). We assume, without loss of generality, that \(\mathsf {ct}_{\alpha ,b}\) contains \(\alpha \) in the clear.

  4. \(\mathsf {Dec}(\mathsf {sk}_f, \mathsf {ct}_{\alpha ,b})\) gets as input a key for the function f and a ciphertext of \((\alpha , b)\) and outputs a message \(b'\).

The correctness and security of such a scheme are provided in the next definition.

Definition 1

A tuple of four procedures \((\mathsf {Setup}, \mathsf {KG}, \mathsf {Enc}, \mathsf {Dec})\) is said to be a \((t,\epsilon )\)-selectively-secure unbounded collusion ABE scheme if

  1. Correctness: For every \(\lambda \in \mathbb {N}\), \(b\in \{ 0,1 \}\), \(\alpha \in \mathcal {X}\), \(f \in \mathcal {F}\), it holds that if \(f(\alpha ) = 1\), then

    $$\begin{aligned} \Pr [ \mathsf {Dec}(\mathsf {KG}(\mathsf {msk}, f), \mathsf {Enc}(\mathsf {msk}, \alpha , b)) = b ] = 1 \end{aligned}$$

    where the probability is over the choice of \(\mathsf {msk}\leftarrow \mathsf {Setup}(1^\lambda )\) and over the internal randomness of \(\mathsf {KG}\) and \(\mathsf {Enc}\).

  2. Security: For every polynomial \(p=p(\lambda )\), every (selectively chosen) \(f_1,\dots ,f_{p} \in \mathcal {F}\), and every \(\alpha _1,\dots ,\alpha _{p} \in \mathcal {X}\), it holds that if \(f_i(\alpha _j) = 0\) for all \(i,j\in [p]\), then

    $$\begin{aligned} \{\mathsf {KG}(\mathsf {msk}, f_i), \mathsf {Enc}(\mathsf {msk}, \alpha _j, 0)\}_{i,j \in [p]}\approx _{t,\epsilon } \{\mathsf {KG}(\mathsf {msk}, f_i), \mathsf {Enc}(\mathsf {msk}, \alpha _j, 1)\}_{i,j \in [p]}, \end{aligned}$$

    where the randomness is over the choice of \(\mathsf {msk}\leftarrow \mathsf {Setup}(1^\lambda )\) and the internal randomness of \(\mathsf {KG}\) and \(\mathsf {Enc}\).

Known Instantiations. There are several known constructions of ABE schemes based on different assumptions and offering various notions of efficiency. Three of the most well-known schemes are those of Goyal et al. [12], of Gorbunov et al. [9], and of Boneh et al. [3]. The work of Goyal et al. gives a construction of an ABE scheme for all \({{\textsf {NC}}^1}\) circuits based on the existence of a bilinear map where the decisional bilinear Diffie-Hellman problem is hard.

Theorem 1

([12]). Assuming a group with a bilinear map in which the decisional bilinear Diffie-Hellman problem is sub-exponentially hard, there exists a sub-exponentially-secure ABE scheme for all NC\(^1\) circuits.

The works of Gorbunov et al. and of Boneh et al. achieved an ABE scheme for all a-priori depth-bounded polynomial-size circuits based on the sub-exponential hardness of the learning with errors assumption (LWE). In both of these ABE schemes the key generation algorithm runs in time \(|f|\cdot \mathsf {poly}(\lambda ,d)\) on input a function f of depth d. We call this property time-efficient key generation. The scheme by Boneh et al. has an additional unique property that we will use: the size of an ABE functional key is independent of the size of the function and only depends on its depth. Specifically, given a function \(f\in \mathcal {F}\), the size of a functional key for it is \(\mathsf {poly}(d,\lambda )\) for some fixed polynomial function \(\mathsf {poly}\). We henceforth call this property short functional keys. Note that in order to decrypt, the description of f needs to be provided in addition to the key \(\mathsf {sk}_f\).

Theorem 2

([3]). Assuming the sub-exponential hardness of LWE, there exists a sub-exponentially-secure ABE scheme with time-efficient key generation and short functional keys.

2.2 Witness Encryption for \({{\textsf {NP}}}\)

Definition 2

(Witness encryption [7]). A witness encryption scheme for an NP relation \(R \subseteq \left\{ \{0,1\}^n \times \{0,1\}^{m(n)}\right\} _{n \in \mathbb {N}}\) with induced language L has the following syntax:

  • \(\mathsf {Enc}(1^\lambda , x, b)\): Takes as input a security parameter \(1^\lambda \), a string \(x\in \{ 0,1 \}^n\) and a bit \(b\in \{ 0,1 \}\), and outputs a ciphertext \(\mathsf {ct}_{x,b}\).

  • \(\mathsf {Dec}(\mathsf {ct}, w)\): Takes as input a ciphertext \(\mathsf {ct}_{x,b}\) and a string \(w\in \{ 0,1 \}^{m}\), and outputs a bit \(b'\) or the symbol \(\bot \).

These algorithms satisfy the following two conditions:

  1. Correctness: For any security parameter \(\lambda \), any \(b\in \{ 0,1 \}\) and any \(x\in L\) with witness w, it holds that

    $$\begin{aligned} \Pr [\mathsf {Dec}(\mathsf {Enc}(1^\lambda , x, b), w) = b] = 1, \end{aligned}$$

    where the probability is over the internal randomness of the encryption procedure.

  2. Security: A witness encryption scheme is \((t,\epsilon )\)-secure if for every ensemble \(x =\{x_\lambda \}\) of false statements \(x_\lambda \notin L\) it holds that

    $$\begin{aligned} \mathsf {Enc}(1^\lambda , x_\lambda , 0) \approx _{t,\epsilon } \mathsf {Enc}(1^\lambda , x_\lambda , 1) \end{aligned}$$

    where the randomness is over the internal randomness of the encryption procedure.

3 Non-trivial Witness Encryption and ABE

In this section we show that any attribute-based encryption scheme directly implies a non-trivially exponentially-efficient witness encryption scheme (XWE). This gives us a construction of the latter under the DBDH or LWE assumptions. Lastly, we recall the notion of null-iO, define non-trivially exponentially-efficient null-iO (XniO) and construct it based on the previously built XWE.

3.1 Non-trivially Exponentially-Efficient Witness Encryption

Our notion of exponentially-efficient witness encryption (XWE) allows the encryptor to have running time almost as large as the brute-force algorithm that solves the instance. This is analogous to the notion of XiO introduced by Lin et al. [15] which requires the size of an obfuscation to be slightly smaller than the truth-table of the function. See comparison below.

Definition 3

A witness encryption scheme for a relation \(R \subseteq \{\{0,1\}^n \times \{0,1\}^{m(n)}\}_{n \in \mathbb {N}}\) with induced language L is said to be \(\gamma \)-exponentially-efficient if for any \(\lambda ,n \in \mathbb {N}\) with \(m=m(n)\) and every instance \(x \in \{ 0,1 \}^n\) and \(b\in \{ 0,1 \}\), the run-time of \(\mathsf {Enc}(1^\lambda , x,b)\) is at most \(2^{\gamma m}\cdot \mathsf {poly}(\lambda , n)\).

Comparison with XiO and SXiO. The notion of XiO, introduced by Lin et al. [15], requires an obfuscator to output a circuit of size \(2^{\gamma n}\cdot \mathsf {poly}(\lambda , |C|) \) given a circuit C that accepts n bits as input. This notion has been proven to be very useful in constructions of iO when combined with LWE. SXiO is a strengthening of XiO in which not only the size of the obfuscated circuit but also the running time of the obfuscator is required to be non-trivial, i.e., bounded by \(2^{\gamma n}\cdot \mathsf {poly}(\lambda , |C|)\).

Our notion of XWE only concerns the time it takes to encrypt a bit (which gives an upper bound on the size of the ciphertext). The reason we bound the running time rather than only the ciphertext size is that an encryptor can always brute-force all possible witnesses and try each one to decide whether the instance is in the language or not. If so, it can output the message in the clear, and if not it can output some fixed value; this trivial scheme has ciphertexts of constant size but runs in time \(2^m\) (recall that in WE correctness holds only for instances that are in the language while security is required only for instances that are not in the language).

3.2 From ABE to Non-trivial Witness Encryption

We observe a connection between ABE schemes and exponentially-efficient WE schemes. This is similar to the observation of [2] in the context of functional encryption and exponentially-efficient iO. However, in our case we will be able to instantiate our ABE scheme based on somewhat standard assumptions.

Theorem 3

Let \(R \subseteq \left\{ \{0,1\}^n \times \{0,1\}^{m(n)}\right\} _{n \in \mathbb {N}}\) be an NP relation with induced language L. Assume the existence of a sub-exponentially-secure ABE scheme for all circuits. Then, there exists a polynomial \(\mathsf {poly}\) and a witness encryption scheme for R with the following properties. For any \(\lambda ,n \in \mathbb {N}\) with \(m = m(n)\) and every instance \(x \in \{ 0,1 \}^n\) and \(b\in \{ 0,1 \}\):

  1. The run-time of the encryption procedure \(\mathsf {Enc}(1^\lambda , x,b)\) is at most \(2^{m/2}\cdot \mathsf {poly}(\lambda , n, m)\).

  2. The ciphertext size is at most \(2^{m/2}\cdot \mathsf {poly}(\lambda , n, m)\).

  3. The decryption time is at most \(2^{m/2}\cdot \mathsf {poly}(\lambda , n, m)\). In particular, it is \(\mathsf {poly}(\lambda ,n, m)\) in the RAM model.

Proof

Assume that we have an ABE scheme \(\mathsf {ABE}= (\mathsf {ABE.Setup}, \mathsf {ABE.KG}, \mathsf {ABE.Enc}, \mathsf {ABE.Dec})\) for all circuits. The ABE scheme is sub-exponentially secure, so there is a constant \(\tau >0\) such that, when instantiated with security parameter \(\lambda \), no adversary that runs in time \(2^{\lambda ^\tau }\) can break it. We construct a witness encryption scheme \(\mathsf {WE}=(\mathsf {WE.Enc},\mathsf {WE.Dec})\).

Denote by \(V^{(L)}\) the verification procedure of the \({{\textsf {NP}}}\) language L. This procedure gets as input x and a possible witness w split into two parts \(w_1\) and \(w_2\), and it outputs a bit that specifies whether w is a valid witness attesting to the fact that \(x\in L\). Given an instance \(x\in \{ 0,1 \}^{n}\) and a message \(b\in \{ 0,1 \}\), the witness encryption \(\mathsf {WE.Enc}(1^\lambda , x,b)\) is computed as follows:

  1. Sample a master secret key for the ABE scheme \(\mathsf {msk}\leftarrow \mathsf {ABE.Setup}(1^{\tilde{\lambda }})\), where \(\tilde{\lambda }= \max \{\lambda ,m^{2/\tau }\}\).

  2. For every \(w_1\in \{ 0,1 \}^{m/2}\), use the ABE scheme to generate a key for the function \(V^{(L)}_{x,w_1}(w_2) = V^{(L)}(x, w_1w_2)\):

    $$\begin{aligned} \mathsf {sk}_{f,w_1} \leftarrow \mathsf {ABE.KG}(\mathsf {msk}, V^{(L)}_{x,w_1}). \end{aligned}$$

  3. For every \(w_2\in \{ 0,1 \}^{m/2}\), use the ABE scheme to encrypt b under attribute \(w_2\):

    $$\begin{aligned} \mathsf {ct}_{w_2,b} \leftarrow \mathsf {ABE.Enc}(\mathsf {msk}, w_2, b). \end{aligned}$$

  4. Output \(\{\mathsf {sk}_{f,w_1}\}_{w_1\in \{ 0,1 \}^{m/2}}\) and \(\{\mathsf {ct}_{w_2,b}\}_{w_2\in \{ 0,1 \}^{m/2}}\).

To decrypt \(\mathsf {WE.Dec}(\mathsf {ct}, w)\), where

$$\begin{aligned} \mathsf {ct}= (\{\mathsf {sk}_{f,w_1}\}_{w_1\in \{ 0,1 \}^{m/2}},\{\mathsf {ct}_{w_2,b}\}_{w_2\in \{ 0,1 \}^{m/2}}) \end{aligned}$$

and \(w = w_1w_2\in \{ 0,1 \}^{m}\), we execute the decryption procedure of the ABE scheme as follows:

$$\begin{aligned} \mathsf {ABE.Dec}(\mathsf {sk}_{f,w_1}, \mathsf {ct}_{w_2,b}). \end{aligned}$$

Correctness immediately follows from the correctness of the underlying ABE scheme: given a witness \(w = w_1 w_2\) with \(V^{(L)}(x,w) = 1\), the key \(\mathsf {sk}_{f,w_1}\) is for a function that evaluates to 1 on the attribute \(w_2\), so \(\mathsf {ABE.Dec}\) recovers b. Security also follows from the security of the latter. Namely, if \(x \notin L\), then for any \(w_1 w_2 \in \{0,1\}^{m}\), we have \(V^{(L)}(x,w_1 w_2) = 0\). Let \(\mathsf {ct}\) denote an encryption of 0 for a statement \(x \notin L\), that is:

$$\begin{aligned} \mathsf {ct}= \mathsf {WE.Enc}(1^\lambda ,x,0) = (\{\mathsf {sk}_{f,w_1}\}_{w_1\in \{ 0,1 \}^{m/2}},\{\mathsf {ct}_{w_2,0}\}_{w_2\in \{ 0,1 \}^{m/2}}). \end{aligned}$$

For security, first observe that we instantiated our ABE scheme with security parameter \(\tilde{\lambda }= \max \{\lambda , m^{2/\tau }\}\). This means that the ABE scheme is secure against adversaries that run in time \(\max \{2^{\lambda ^\tau }, 2^{m^{2}}\}\). In particular, it is secure against all adversaries running in time \(\mathsf {poly}(2^m)\), which is the size of our ciphertext (see below), so the guarantee of Definition 1 can be invoked for the \(p = 2^{m/2}\) keys and \(2^{m/2}\) ciphertexts released here, all of which can be generated well within that time budget. Moreover, since for every \(w_1,w_2 \in \{ 0,1 \}^{m/2}\) we have \(V^{(L)}_{x,w_1}(w_2) = V^{(L)}(x,w_1 w_2) = 0\), every released key rejects every released attribute, which is exactly the hypothesis of the security condition in Definition 1. Hence, assuming the security of \(\mathsf {ABE}\), the joint distribution \((\{\mathsf {sk}_{f,w_1}\}_{w_1}, \{\mathsf {ct}_{w_2,0}\}_{w_2})\) is indistinguishable from \((\{\mathsf {sk}_{f,w_1}\}_{w_1}, \{\mathsf {ct}_{w_2,1}\}_{w_2})\), i.e., \(\mathsf {WE.Enc}(1^\lambda ,x,0) \approx _{t,\epsilon } \mathsf {WE.Enc}(1^\lambda ,x,1)\), and security follows.

Let us analyze the complexity of the scheme and in particular the running time of the encryption procedure. When encrypting a message b under instance x our scheme generates and outputs \(2^{m/2}\) functional keys (for a function whose complexity is at most the complexity of \(V^{(L)}\)) and \(2^{m/2}\) ciphertexts of the underlying ABE scheme. This takes time at most

$$\begin{aligned} 2^{m/2} \cdot \mathsf {poly}(\lambda , n,m) \end{aligned}$$

for some fixed polynomial \(\mathsf {poly}\) which depends on the complexity of encryption of the underlying ABE scheme and the complexity of \(V^{(L)}\). The same bound holds for the ciphertext size. Decryption upon witness \(w=w_1w_2\) requires reading the functional key and ciphertext and a single invocation of the decryption procedure of the underlying ABE scheme on the key for the function \(f(w_1,\cdot )=V_{x,w_1}^{(L)}(\cdot )\) and the ciphertext that corresponds to \(w_2\).

3.3 Instantiations

We instantiate Theorem 3 using the known attribute-based encryption schemes mentioned in Sect. 2.1. The first construction, that of Goyal et al. [12], which works only for \({{\textsf {NC}}^1}\) circuits and is based on the decisional bilinear Diffie-Hellman assumption, leads to non-trivially exponentially-efficient witness encryption for any \({{\textsf {NP}}}\) relation with verification in \({{\textsf {NC}}^1}\). One can also obtain a similar corollary based on the LWE-based constructions of Gorbunov et al. [9] and of Boneh et al. [3] and get a construction that works for all languages with a polynomial-size circuit verifier, i.e., for any \({{\textsf {NP}}}\) relation.

Corollary 1

Let \(R \subseteq \left\{ \{0,1\}^n \times \{0,1\}^{m(n)}\right\} _{n \in \mathbb {N}}\) be an NP relation with induced language L. Assume the sub-exponential security of the learning with errors assumption. Then, there exists a polynomial \(\mathsf {poly}\) and a sub-exponentially-secure witness encryption scheme \(\mathsf {WE}=(\mathsf {WE.Enc},\mathsf {WE.Dec})\) for R with the following properties:

  1. The time it takes to encrypt a bit is at most \(2^{m/2} \cdot \mathsf {poly}(\lambda ,n,m)\).

  2. The ciphertext size is at most \(2^{m/2} \cdot \mathsf {poly}(\lambda , n, m) \).

  3. The decryption time is at most \(2^{m/2} \cdot \mathsf {poly}(\lambda , n, m)\).

Moreover, assuming also that the verification for L is in NC\(^1\), the same is true assuming the sub-exponential security of the decisional bilinear Diffie-Hellman assumption.

A Variant Based on ABE with Short Functional Keys. Below we provide a variant of Theorem 3 in which we take advantage of an ABE scheme that has the particular notion of succinctness we referred to as short functional keys. This property is satisfied by the LWE-based scheme of Boneh et al. [3].

Theorem 4

Let \(R \subseteq \left\{ \{0,1\}^n \times \{0,1\}^{m(n)}\right\} _{n \in \mathbb {N}}\) be an NP relation with induced language L. Assume an attribute-based encryption scheme for all circuits with time-efficient key generation and short functional keys. Let \(m_1(n),m_2(n),m_3(n) \ge 0\) be polynomials such that \(m_1 + m_2 + m_3 = m\). Then, there exists a sub-exponentially-secure witness encryption scheme with the following properties:

  1. The time it takes to encrypt a bit is at most \( 2^{\max \{m_1+m_3,m_2\}} \cdot \mathsf {poly}(\lambda ,n,m)\).

  2. The ciphertext size is at most \(2^{\max \{m_1,m_2\}} \cdot \mathsf {poly}(\lambda ,n,m)\).

  3. The decryption time is at most \(2^{\max \{m_1,m_2,m_3\}} \cdot \mathsf {poly}(\lambda , n, m)\).

Proof

Assume that we have an ABE scheme \(\mathsf {ABE}= (\mathsf {ABE.Setup}, \mathsf {ABE.KG}, \mathsf {ABE.Enc}, \mathsf {ABE.Dec})\) with time-efficient key generation and short functional keys. The ABE scheme is secure against adversaries running in time \(2^{\lambda ^\tau }\) for a constant \(\tau >0\). We construct a witness encryption scheme \(\mathsf {WE}=(\mathsf {WE.Enc},\mathsf {WE.Dec})\).

Given an instance \(x\in \{ 0,1 \}^n\) and a message \(b\in \{ 0,1 \}\), the witness encryption \(\mathsf {WE.Enc}(1^\lambda , x,b)\) is done as follows:

  1. Sample a master secret key for the ABE scheme \(\mathsf {msk}\leftarrow \mathsf {ABE.Setup}(1^{\tilde{\lambda }})\), where \(\tilde{\lambda }= \max \{\lambda ,m^{2/\tau }\}\).

  2. For every \(w_1\in \{ 0,1 \}^{m_1}\), use the ABE scheme to generate a key for the function \(V^{(L)}_{x,w_1}(w_2) = \bigvee _{w_3\in \{ 0,1 \}^{m_3}} V^{(L)}(x,w_1 w_2 w_3)\):

    $$\begin{aligned} \mathsf {sk}_{f,w_1} \leftarrow \mathsf {ABE.KG}(\mathsf {msk}, V^{(L)}_{x,w_1}). \end{aligned}$$

  3. For every \(w_2\in \{ 0,1 \}^{m_2}\), use the ABE scheme to encrypt b under attribute \(w_2\):

    $$\begin{aligned} \mathsf {ct}_{w_2,b} \leftarrow \mathsf {ABE.Enc}(\mathsf {msk}, w_2, b). \end{aligned}$$

  4. Output \(\{\mathsf {sk}_{f,w_1}\}_{w_1\in \{ 0,1 \}^{m_1}}\) and \(\{\mathsf {ct}_{w_2,b}\}_{w_2\in \{ 0,1 \}^{m_2}}\).

Correctness is immediate and security follows as in the proof of Theorem 3, since for \(x\notin L\), there are no \(w_1\) and \(w_2\) for which \(V^{(L)}_{x,w_1}(w_2)\) evaluates to 1. Thus, we can directly reduce security of our construction to the security of the underlying ABE scheme.

Given \(x\in \{ 0,1 \}^{n}\) and \(b\in \{ 0,1 \}\), the time it takes to compute \(\mathsf {Enc}(1^\lambda , x,b)\) is at most

$$\begin{aligned} 2^{m_1} \cdot (|V^{(L)}_{x,w_1}|\cdot \mathsf {poly}(\lambda , d)) + 2^{m_2} \cdot \mathsf {poly}(\lambda , n, m), \end{aligned}$$

where d is the depth of the circuit \(V^{(L)}_{x,w_1}\) (recall that the LWE-based ABE scheme has time-efficient key generation; see Theorem 2). Notice that d is bounded by the depth of \(V^{(L)}\) plus the depth \(m_3\) of the OR tree over the \(2^{m_3}\) choices of \(w_3\), which is at most some polynomial in n and m. Furthermore, notice that \(|V^{(L)}_{x,w_1}|\), the size of \(V^{(L)}_{x,w_1}\), is at most \(2^{m_3}\) times some polynomial in n and m (one copy of \(V^{(L)}\) per choice of \(w_3\), plus the OR gates). Overall, we get that the time it takes to generate a ciphertext is at most

$$\begin{aligned} 2^{\max \{m_1+m_3,m_2\}} \cdot \mathsf {poly}(\lambda ,n,m). \end{aligned}$$

The ciphertext is shorter than the encryption time would suggest because the size of a key does not depend on the size of the function but only on its depth (which is \(\mathsf {poly}(n,m)\)). This means that the ciphertext size is

$$\begin{aligned} (2^{m_1} + 2^{m_2}) \cdot \mathsf {poly}(\lambda ,n,m) = 2^{\max \{m_1,m_2\}} \cdot \mathsf {poly}(\lambda ,n,m). \end{aligned}$$

For decryption, one needs to read the whole ciphertext and perform a single decryption operation of the underlying ABE scheme. However, notice that the size of the function is \(2^{m_3} \cdot \mathsf {poly}(\lambda ,n,m)\) which means that time to decrypt is at most:

$$\begin{aligned} 2^{\max \{m_1,m_2,m_3\}} \cdot \mathsf {poly}(\lambda , n, m). \end{aligned}$$

Note that for decryption, the description of the function must be known. This can be done by providing a (single) generic description of

$$\begin{aligned} V_{x,\cdot }(w_2) = \bigvee _{w_3\in \{ 0,1 \}^{m_3}} V^{(L)}(x, \cdot || w_2 || w_3) \end{aligned}$$

as a public parameter.
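As an added illustration (not code from the paper), the following Python toy models the witness split \(w = w_1 \Vert w_2 \Vert w_3\) of the construction above: one key per \(w_1\) whose function folds in the disjunction over \(w_3\), one ciphertext per \(w_2\), and decryption by a single ABE decryption selected by the witness. The ABE is replaced by an insecure dictionary stand-in that only models the "decrypts iff \(f(\text{attr})=1\)" interface and counts operations; the subset-sum relation, the instance values, and the names `ToyABE`, `xwe_enc`, `xwe_dec` and `run_demo` are all constructed here and are not part of the paper.

```python
from itertools import product
from typing import Callable, Dict, Tuple

Bits = Tuple[int, ...]


def all_strings(k: int):
    """Enumerate {0,1}^k as tuples of ints."""
    return [tuple(b) for b in product((0, 1), repeat=k)]


class ToyABE:
    """INSECURE stand-in for the ABE (assumption: it hides nothing).

    It models only the interface: a key for function f decrypts a ciphertext
    with attribute a iff f(a) == 1. It counts operations so the
    2^{m1} / 2^{m2} / 2^{m3} cost split of the construction can be read off.
    """

    def __init__(self) -> None:
        self.ops = {"keygen": 0, "enc": 0, "dec": 0, "V_evals": 0}

    def keygen(self, f: Callable[[Bits], int]) -> Callable[[Bits], int]:
        self.ops["keygen"] += 1
        return f  # a real scheme returns sk_f; in the toy the key *is* f

    def enc(self, attr: Bits, msg: int) -> Tuple[Bits, int]:
        self.ops["enc"] += 1
        return (attr, msg)  # a real scheme hides msg; the toy does not

    def dec(self, sk_f: Callable[[Bits], int], ct: Tuple[Bits, int]):
        self.ops["dec"] += 1
        attr, msg = ct
        return msg if sk_f(attr) == 1 else None


def xwe_enc(abe: ToyABE, V, x, m1: int, m2: int, m3: int, b: int):
    """Encrypt bit b under NP statement x; witnesses are w = w1 || w2 || w3."""
    keys: Dict[Bits, Callable[[Bits], int]] = {}
    for w1 in all_strings(m1):  # 2^{m1} ABE key generations
        def f(w2: Bits, w1: Bits = w1) -> int:
            # f_{w1}(w2) = OR_{w3} V(x, w1||w2||w3): the 2^{m3}-size
            # disjunction lives in the key's function, not in the ciphertext.
            outs = [V(x, w1 + w2 + w3) for w3 in all_strings(m3)]
            abe.ops["V_evals"] += len(outs)
            return int(any(outs))
        keys[w1] = abe.keygen(f)
    cts = {w2: abe.enc(w2, b) for w2 in all_strings(m2)}  # 2^{m2} ABE encryptions
    return keys, cts


def xwe_dec(abe: ToyABE, ct, w: Bits, m1: int, m2: int):
    """Decrypt with witness w: one ABE decryption with sk_{f,w1} and ct_{w2,b}.

    w3 is never used explicitly; the key's function searches over it.
    """
    keys, cts = ct
    w1, w2 = w[:m1], w[m1:m1 + m2]
    return abe.dec(keys[w1], cts[w2])


def subset_sum_V(x, w: Bits) -> bool:
    """Verifier for a constructed subset-sum relation: x = (weights, target)."""
    weights, target = x
    return sum(a for a, bit in zip(weights, w) if bit) == target


def run_demo():
    """Constructed instance with m = 6 and m1 = m2 = m3 = 2 (not from the paper)."""
    abe = ToyABE()
    x_true = ((3, 5, 7, 11, 13, 17), 31)  # 3+11+17 = 7+11+13 = 31: two witnesses
    ct = xwe_enc(abe, subset_sum_V, x_true, 2, 2, 2, 1)
    counts_after_enc = dict(abe.ops)  # 4 keys, 4 ciphertexts, no V evaluated yet
    good = xwe_dec(abe, ct, (1, 0, 0, 1, 0, 1), 2, 2)  # valid witness -> 1
    bad = xwe_dec(abe, ct, (0, 0, 0, 0, 0, 0), 2, 2)   # not a witness -> None

    # x not in L: no (w1, w2) makes f_{w1}(w2) = 1, so nothing ever decrypts,
    # which is exactly what the reduction to ABE security relies on.
    abe2 = ToyABE()
    x_false = ((3, 5, 7, 11, 13, 17), 2)  # no subset sums to 2
    ct2 = xwe_enc(abe2, subset_sum_V, x_false, 2, 2, 2, 1)
    leaks = any(xwe_dec(abe2, ct2, w, 2, 2) == 1 for w in all_strings(6))
    return counts_after_enc, good, bad, leaks
```

Each `xwe_dec` call triggers exactly \(2^{m_3}\) evaluations of the verifier inside the selected key's function, while encryption performs \(2^{m_1}\) key generations and \(2^{m_2}\) encryptions, matching the cost split in the analysis above.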

We then obtain the following corollary using the construction by Boneh et al. [3] in Theorem 4 with \(m_1 = m_2 = m_3 = m/3\).

Corollary 2

Let \(R \subseteq \left\{ \{0,1\}^n \times \{0,1\}^{m(n)}\right\} _{n \in \mathbb {N}}\) be an NP relation with induced language L. Assuming the sub-exponential hardness of the learning with errors problem, there exists a sub-exponentially-secure witness encryption scheme \(\mathsf {WE}=(\mathsf {WE.Enc},\mathsf {WE.Dec})\) for R with the following properties:

  1.

    The time it takes to encrypt a bit is at most \( 2^{2m/3} \cdot \mathsf {poly}(\lambda ,n,m)\).

  2.

    The ciphertext size is at most \(2^{m/3} \cdot \mathsf {poly}(\lambda ,n,m)\).

  3.

    The decryption time is at most \(2^{m/3} \cdot \mathsf {poly}(\lambda , n, m)\).

3.4 A Similar Transformation for Null-iO

A similar result, i.e., a non-trivially exponentially-efficient construction based on the LWE assumption, can be obtained for a weakening of iO called null-iO (niO, see [11, 19]). An niO is an obfuscation scheme which takes as input an arbitrary circuit and outputs a functionally equivalent one but security only guarantees that we cannot distinguish the obfuscations of any two circuits \(C,C'\) of the same size such that \(C(x) = C'(x) = 0\) for all inputs x.

Definition 4

(Null-iO). A null-iO (niO) obfuscation scheme is an efficient compiler \({\mathcal {O}}\) for circuits that satisfies the following properties:

  1.

    Correctness: For any security parameter \(\lambda \) and all circuits \(C:\{0,1\}^n\rightarrow \{0,1\}\):

    $$\begin{aligned} \Pr [\forall x \in \{0,1\}^n : C(x)=\tilde{C}(x)| \tilde{C}\leftarrow {\mathcal {O}}(1^{\lambda },C) ] = 1, \end{aligned}$$

    where the probability is taken over the randomness of \({\mathcal {O}}\).

  2.

    Security: Let \(C=\{C_{\lambda }\}\), \(C'=\{C'_{\lambda } \}\) be two ensembles of circuits with equal input length \(n(\lambda )\) and circuit size, which satisfy \(C_{\lambda }(x)=C'_{\lambda }(x)=0\) for all \(x \in \{0,1\}^{n(\lambda )}\). Then, we have that:

    $$\begin{aligned} {\mathcal {O}}(1^{\lambda },C_{\lambda }) \approx _{t,\epsilon } {\mathcal {O}}(1^{\lambda },C'_{\lambda }). \end{aligned}$$

It is natural to define the exponentially-efficient version of niO such that the running time of the obfuscator (and thus the size of the obfuscated circuit as well) is smaller than \(2^n\).

Definition 5

(XniO). A null-iO is said to be \(\gamma \)-exponentially-efficient (XniO) if for any security parameter \(\lambda \in \mathbb {N}\) and every circuit C with n input bits, the running time of the obfuscation \({\mathcal {O}}(1^\lambda , C)\) is at most \(2^{ \gamma n}\cdot \mathsf {poly}(|C|)\).

In a recent work, Wichs and Zirdelis [19] showed that assuming LWE one can generically translate any witness encryption scheme into a niO. Thus, using our Theorem 1 (instantiated with LWE) together with their transformation, we get a 1/2-XniO (for all polynomial-size circuits) assuming sub-exponentially-secure LWE. Using our Corollary 2 together with their transformation, we get an XniO whose obfuscation time is \(2^{2n/3}\) and whose obfuscated circuit has size \(2^{n/3}\) (both up to polynomial factors), assuming sub-exponentially-secure LWE.

Remark 1

A different way to get the same result is to directly construct an XniO based on any predicate encryption scheme [10], similarly to our construction of an XWE based on any ABE scheme.