Abstract
A witness encryption (WE) scheme can take any \({{\textsf {NP}}}\) statement as a public-key and use it to encrypt a message. If the statement is true then it is possible to decrypt the message given a corresponding witness, but if the statement is false then the message is computationally hidden. Ideally, the encryption procedure should run in polynomial time, but it is also meaningful to define a weaker notion, which we call non-trivially exponentially efficient WE (XWE), where the encryption run-time is only required to be much smaller than the trivial \(2^{m}\) bound for \({{\textsf {NP}}}\) relations with witness size m. We show how to construct such XWE schemes for all of \({{\textsf {NP}}}\) with encryption run-time \(2^{m/2}\) under the sub-exponential learning with errors (LWE) assumption. For \({{\textsf {NP}}}\) relations that can be verified in \({{\textsf {NC}}^1}\) (e.g., SAT) we can also construct such XWE schemes under the sub-exponential Decisional Bilinear Diffie-Hellman (DBDH) assumption. Although we find the result surprising, it follows via a very simple connection to attribute-based encryption.
We also show how to upgrade the above results to get non-trivially exponentially efficient indistinguishability obfuscation for null circuits (niO), which guarantees that the obfuscations of any two circuits that always output 0 are indistinguishable. In particular, under the LWE assumptions we get a XniO scheme where the obfuscation time is \(2^{n/2}\) for all circuits with input size n. It is known that in the case of indistinguishability obfuscation (iO) for all circuits, non-trivially efficient XiO schemes imply fully efficient iO schemes (Lin et al., PKC ’16) but it remains as a fascinating open problem whether any such connection exists for WE or niO.
Lastly, we explore a potential approach toward constructing fully efficient WE and niO schemes via multi-input ABE.
Z. Brakerski—Supported by the Israel Science Foundation (Grant No. 468/14), Binational Science Foundation (Grants No. 2016726, 2014276), and by the European Union Horizon 2020 Research and Innovation Program via ERC Project REACT (Grant 756482) and via Project PROMETHEUS (Grant 780701).
A. Jain and A. Passelègue—Research supported in part from a DARPA/ARL SAFEWARE award, NSF Frontier Award 1413955, NSF grants 1619348, 1228984, 1136174, and 1065276, BSF grant 2012378, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant. This material is based upon work supported by the Defense Advanced Research Projects Agency through the ARL under Contract W911NF-15-C-0205. The views expressed are those of the authors and do not reflect the official policy or position of the Department of Defense, the National Science Foundation, or the U.S. Government.
I. Komargodski—Supported in part by a Packard Foundation Fellowship and by an AFOSR grant FA9550-15-1-0262. Most of this work was done at the Weizmann Institute of Science, supported by a grant from the Israel Science Foundation (no. 950/16) and by a Levzion Fellowship.
D. Wichs—Research supported by NSF grants CNS-1314722, CNS-1413964, CNS-1750795.
1 Introduction
In the last few years, much research in cryptography has focused on exploring powerful new cryptographic primitives such as witness encryption (WE) [7] and indistinguishability obfuscation (iO) [1, 6]. Although we have candidate constructions of these primitives, they rely on a new class of assumptions over multilinear maps (MMAPs) [5] whose computational hardness properties are poorly understood and we lack a high degree of confidence in their security. The grand challenge is to construct WE and iO under standard and well established hardness assumptions, such as the learning with errors (LWE) assumption [16]. In this work we show that this is possible for a non-trivial relaxation of these primitives. But first, let us review what these primitives are.
Witness Encryption. Witness encryption (WE), introduced by Garg et al. [7], allows us to use an arbitrary \({{\textsf {NP}}}\) statement x as a public key to encrypt a message. If x is a true statement then any user who knows the corresponding witness w for x will be able to decrypt the message, but if x is a false statement then the encrypted message is computationally hidden. For example, we could encrypt a bitcoin reward under the \({{\textsf {NP}}}\) statement that corresponds to the Riemann hypothesis being true and having a proof of some polynomially bounded size. If anyone comes up with such a proof for the Riemann hypothesis, then they can use that as the witness to decrypt the ciphertext and recover the bitcoin reward.
Indistinguishability Obfuscation (for Null Circuits). The goal of obfuscation [1] is to convert a program/circuit C into a functionally equivalent program/circuit in a way that hides all aspects of the internal implementation of C, but still allows to evaluate it on arbitrary inputs. Ideally, seeing an obfuscated version of C would reveal nothing more than what one could learn via black-box access to the functionality that C implements. Unfortunately, this strong definition of obfuscation, called virtual black box (VBB) is known to be unachievable in general for all programs [1]. A weaker variant called indistinguishability obfuscation (iO) [1, 6] only insists that if two equal size circuits \(C,C'\) are functionally equivalent, meaning that \(C(x) = C'(x)\) for all inputs x, then their obfuscations should be indistinguishable. A huge body of recent works starting with [17] shows how to use iO to construct a plethora of advanced cryptographic primitives for which no constructions were previously known. An even weaker variant called null iO (niO, see [11, 19]) only insists that the obfuscations of C and \(C'\) are indistinguishable if the two circuits are both null circuits meaning that \(C(x) = C'(x) = 0\) for all inputs x. Although security is only defined for null circuits, we still require the niO obfuscator to work correctly and preserve the functionality of all circuits, including ones that are not null.
It is obvious that iO implies niO and relatively easy to see that niO implies WE. In particular, to encrypt a message b under an \({{\textsf {NP}}}\) statement x we can use an niO scheme to obfuscate the circuit C[x, b] that outputs b given a valid witness w for x as an input and otherwise outputs 0; to argue security we rely on the fact that when x is not in the language then this is a null circuit. The works of [11, 19] show that, under the Learning-With-Errors (LWE) assumption, witness encryption (WE) also implies null iO (niO). It remains as a major open problem whether niO implies full iO.
Non-trivially Exponentially-Efficient Schemes. In the standard definition of witness encryption, the encryption procedure is required to run in polynomial time. Indeed, otherwise there would be a trivial perfectly secure witness encryption scheme where the encryption procedure simply checks whether the statement x is true (by trying every possible witness) and if so it outputs the message in the clear and otherwise it outputs a dummy value as the ciphertext. For \({{\textsf {NP}}}\) relations where the witness is of size m, the run-time of the trivial encryption procedure is \(\widetilde{O}(2^m)\). Similarly, there are trivial perfectly secure iO and niO schemes where, for circuits with input size n, the obfuscation procedure runs in \(\widetilde{O}(2^n)\) time and outputs the entire truth table of the circuit. Such schemes are trivially exponentially efficient.
We define the notion of non-trivially exponentially efficient WE (XWE) as a relaxation of WE where we require that for \({{\textsf {NP}}}\) relations with witness length m, the encryption run-time is \(\widetilde{O}(2^{\gamma m})\) for some constant \(\gamma < 1\). Similarly, we define non-trivially exponentially efficient niO (XniO) analogously by requiring that for circuits with input size n the obfuscator run-time is \(\widetilde{O}(2^{\gamma n})\) for some constant \(\gamma < 1\). We call \(\gamma \) the compression factor. The above notions are analogous to the notion of non-trivially exponentially efficient iO (XiO) defined by Lin et al. [15], which requires that the size of the obfuscated program is \(\widetilde{O}(2^{\gamma n})\).Footnote 1 In [15] it was shown that XiO implies fully efficient iO under the sub-exponential LWE assumptions. Unfortunately, we do not have any such connections showing that XWE implies WE or that XniO implies niO and it remains as an open problem to explore whether any such connections hold. Nevertheless, we believe that XWE and XniO are interesting relaxations of WE and niO and are worthy of study.
Our Results. We show how to construct XWE and XniO with compression factor \(\gamma = \frac{1}{2}\) under the sub-exponential LWE assumption. For \({{\textsf {NP}}}\) relations that can be verified in \({{\textsf {NC}}^1}\) (e.g., SAT) we also get XWE with compression factor \(\gamma = \frac{1}{2}\) under the Decisional Bilinear Diffie-Hellman (DBDH) assumption. Our constructions turn out to be extremely simple applications of attribute based encryption (ABE) [3, 4, 9, 18].
Improving on our result and pushing the compression factor further below \(\frac{1}{2}\) remains an open problem. Note that XWE and XniO with a sufficiently small compression factor \(O(\log m/m)\) is equivalent to the standard notions of WE and niO respectively. Currently even achieving a compression factor of \(\frac{1}{3}\) would be significant progress. Our only result in this direction is a scheme under the sub-exponential LWE assumption which achieves ciphertext length as short as \(\widetilde{O}(2^{m/3})\), but at the cost of increasing the encryption complexity to \(\widetilde{O}(2^{2 m/3})\). We also suggest an approach for getting smaller compression factors and ultimately fully efficient WE and niO schemes via multi-input ABE. Unfortunately, we currently do not have any instantiation of this primitive under standard assumptions.
Our Techniques: From ABE to XWE. An (unbounded collusion) ABE scheme allows us to create ciphertexts \(c = \mathsf {Enc}(\alpha ,b)\) encrypting a message b with respect to an attribute \(\alpha \). Furthermore, we can release secret keys \(\mathsf {sk}_f\) that are tied to some functions f. If \(f(\alpha )=1\) then the secret key \(\mathsf {sk}_f\) can correctly decrypt c and recover b. However, given only secret keys \(\mathsf {sk}_{f_1},\ldots ,\mathsf {sk}_{f_p}\) for functions such that \(f_1(\alpha )= \cdots = f_p(\alpha ) = 0\), the ciphertext c cannot be decrypted and the message b remains hidden. We can use ABE to construct an XWE scheme for any \({{\textsf {NP}}}\) language having witness size m where the running time of the encryption procedure is \(\widetilde{O}(2^{m/2})\). To create a WE encryption of a message b under a statement x, we create \(2^{m/2}\) secret keys \(\mathsf {sk}_{f_{w_1}}\) for all choices of \(w_1 \in \{0,1\} ^{m/2}\) and we create \(2^{m/2}\) ciphertexts \(c_{w_2} = \mathsf {Enc}(w_2,b)\) for all choices of \(w_2 \in \{0,1\} ^{m/2}\), where we define the function \(f_{w_1}(w_2) = 1\) if \(w=w_1w_2\) is a valid witness for the statement x. Given a witness \(w = w_1w_2\) we can recover b by decrypting the ciphertext \(c_{w_2}\) with the secret key \(\mathsf {sk}_{f_{w_1}}\).Footnote 2 However, if x is a false statement, we can rely on sub-exponential ABE security to argue that the bit b is computationally hidden. This gives us an XWE scheme with compression \(\gamma = \frac{1}{2}\) by instantiating the ABE with known constructions based on LWE and DBDH. An analogous idea was used by Bitansky et al. [2] to go from symmetric-key functional encryption to XiO, but we currently do not have any constructions of the former primitive under any standard assumptions.
It turns out that the transformation from WE to niO from [11, 19] also transforms XWE to XniO while preserving the compression factor and therefore, under the sub-exponential LWE assumption, the above technique also gives us XniO schemes with compression \(\gamma = \frac{1}{2}\). Alternately, if we apply the above technique but start with a predicate encryption (PE) [10] instead of ABE then the above transformation gives an XWE scheme where the ciphertext also hides the statement x (as long as it is a false statement) which is equivalent to XniO.
We show that the above technique can also be extended to get more general tradeoffs between encryption time, ciphertext size and decryption time in XWE. For example, under the sub-exponential LWE assumption, we can decrease the ciphertext size to \(\widetilde{O}(2^{m/3})\) at the cost of increasing the encryption time to \(\widetilde{O}(2^{2m/3})\).
In Appendix A, we also show that the above technique can be extended to getting a better compression factor by relying on multi-input ABE. In particular, if we had a k-input ABE scheme we would get an XWE scheme with compression factor \(1/(k+1)\) for languages with instances of size n and witnesses of size \(k\cdot \log n\).
Paper Organization. The rest of the paper is organized as follows: In Sect. 2, we recall basic cryptographic notions involved in this work. Our transform from ABE to non-trivially exponentially efficient witness encryption is then described in Sect. 3. The latter section also contains instantiations under standard assumptions and our extension to non-trivially exponentially efficient null-iO. Finally, Section A details our generalized transform from multi-input ABE. Definitions of null-iO and multi-input ABE are provided in the relevant sections.
2 Preliminaries
In this section we present the notation and basic definitions that are used in this work. For a distribution X we denote by \(x \leftarrow X\) the process of sampling a value x from the distribution X. Similarly, for a set \(\mathcal {X}\) we denote by \(x \leftarrow \mathcal {X}\) the process of sampling a value x from the uniform distribution over \(\mathcal {X}\). For a randomized function f and an input \(x\in \mathcal {X}\), we denote by \(y\leftarrow f(x)\) the process of sampling a value y from the distribution f(x). For an integer \(n \in \mathbb {N}\) we denote by [n] the set \(\{1,\ldots , n\}\). A function \({\mathsf {neg}}:\mathbb {N}\rightarrow \mathbb {R}\) is negligible if for every constant \(c > 0\) there exists an integer \(N_c\) such that \({\mathsf {neg}}(\lambda ) < \lambda ^{-c}\) for all \(\lambda > N_c\). Throughout this paper we denote by \(\lambda \) the security parameter.
Two sequences of random variables \(X = \{ X_\lambda \}_{\lambda \in \mathbb {N}}\) and \(Y = \{Y_\lambda \}_{\lambda \in \mathbb {N}}\) are \((t,\epsilon )\) -computationally indistinguishable for \(t=t(\lambda )\) and \(\epsilon =\epsilon (\lambda )\), denoted by \(X \approx _{t,\epsilon } Y\), if for any probabilistic distinguisher D that runs in time \(t=t(\lambda )\), it holds that \(\left| \Pr [D(1^{\lambda }, X_\lambda ) = 1] - \Pr [D(1^{\lambda },Y_\lambda ) = 1] \right| \le \epsilon (\lambda )\) for all sufficiently large \(\lambda \in \mathbb {N}\). We say that X, Y are sub-exponentially indistinguishable if they are \((t,\epsilon )\)-computationally indistinguishable with \(t(\lambda ) = 2^{\lambda ^\delta }\) and \(\epsilon (\lambda ) = 2^{-\lambda ^\delta }\) for some \(\delta >0\).
2.1 Attribute-Based Encryption
We provide a definition of (key-policy, unbounded collusion) attribute-based encryption (ABE). We focus on the private-key variant which suffices for our purposes. An ABE scheme is a standard (private-key) encryption scheme for bits augmented with an additional key-generation procedure for an ensemble of Boolean function families \(\mathcal {F}= \{\mathcal {F}_{\lambda }\}_{\lambda \in \mathbb {N}}\) each mapping \(\mathcal {X}=\{\mathcal {X}_{\lambda }\}_{\lambda \in \mathbb {N}}\) to \(\{ 0,1 \}\), where \(\mathcal {X}\) is some sequence of finite sets. Such a scheme is described by four procedures \((\mathsf {Setup}, \mathsf {KG}, \mathsf {Enc}, \mathsf {Dec})\) with the following syntax:
1. \(\mathsf {Setup}(1^\lambda )\) gets as input a security parameter and outputs a master secret key \(\mathsf {msk}\).
2. \(\mathsf {KG}(\mathsf {msk}, f)\) gets as input a master secret key \(\mathsf {msk}\) and a function \(f\in \mathcal {F}_\lambda \) and outputs a key \(\mathsf {sk}_f\).
3. \(\mathsf {Enc}(\mathsf {msk}, \alpha , b)\) gets as input a master secret key \(\mathsf {msk}\), an attribute \(\alpha \in \mathcal {X}_\lambda \) and a message \(b\in \{ 0,1 \}\), and outputs a ciphertext \(\mathsf {ct}_{\alpha ,b}\). We assume, without loss of generality, that \(\mathsf {ct}_{\alpha ,b}\) contains \(\alpha \) in the clear.
4. \(\mathsf {Dec}(\mathsf {sk}_f, \mathsf {ct}_{\alpha ,b})\) gets as input a key for the function f and a ciphertext of \((\alpha , b)\) and outputs a message \(b'\).
The correctness and security of such a scheme are provided in the next definition.
Definition 1
A tuple of four procedures \((\mathsf {Setup}, \mathsf {KG}, \mathsf {Enc}, \mathsf {Dec})\) is said to be a \((t,\epsilon )\)-selectively-secure unbounded collusion ABE scheme if
1. Correctness: For every \(\lambda \in \mathbb {N}\), \(b\in \{ 0,1 \}\), \(\alpha \in \mathcal {X}\), \(f \in \mathcal {F}\), it holds that if \(f(\alpha ) = 1\), then
$$\begin{aligned} \Pr [ \mathsf {Dec}(\mathsf {KG}(\mathsf {msk}, f), \mathsf {Enc}(\mathsf {msk}, \alpha , b)) = b ] = 1 \end{aligned}$$
where the probability is over the choice of \(\mathsf {msk}\leftarrow \mathsf {Setup}(1^\lambda )\) and over the internal randomness of \(\mathsf {KG}\) and \(\mathsf {Enc}\).
2. Security: For every polynomial \(p=p(\lambda )\), every (selectively chosen) \(f_1,\dots ,f_{p} \in \mathcal {F}\), and every \(\alpha _1,\dots ,\alpha _{p} \in \mathcal {X}\), it holds that if \(f_i(\alpha _j) = 0\) for all \(i,j\in [p]\), then
$$\begin{aligned} \{\mathsf {KG}(\mathsf {msk}, f_i), \mathsf {Enc}(\mathsf {msk}, \alpha _j, 0)\}_{i,j \in [p]}\approx _{t,\epsilon } \{\mathsf {KG}(\mathsf {msk}, f_i), \mathsf {Enc}(\mathsf {msk}, \alpha _j, 1)\}_{i,j \in [p]}, \end{aligned}$$
where the randomness is over the choice of \(\mathsf {msk}\leftarrow \mathsf {Setup}(1^\lambda )\) and the internal randomness of \(\mathsf {KG}\) and \(\mathsf {Enc}\).
Known Instantiations. There are several known constructions of ABE schemes based on different assumptions and offering various notions of efficiency. Three of the most well-known schemes are those of Goyal et al. [12], of Gorbunov et al. [9], and of Boneh et al. [3]. The work of Goyal et al. gives a construction of an ABE scheme for all \({{\textsf {NC}}^1}\) circuits based on the existence of a bilinear map where the decisional bilinear Diffie-Hellman problem is hard.
Theorem 1
([12]). Assuming a group with a bilinear map in which the decisional bilinear Diffie-Hellman problem is sub-exponentially hard, there exists a sub-exponentially-secure ABE scheme for all NC\(^1\) circuits.
The works of Gorbunov et al. and of Boneh et al. achieved an ABE scheme for all a-priori depth-bounded polynomial-size circuits based on the sub-exponential hardness of the learning with errors assumption (LWE). Both of these ABE schemes satisfy that the key generation algorithm runs in time \(|f|\cdot \mathsf {poly}(\lambda ,d)\) on input a function f of depth d. We call this property time-efficient key generation. The scheme by Boneh et al. has an additional unique property that we will use: The size of an ABE functional key is independent of the size of the function and only depends on its depth. Specifically, given a function \(f\in \mathcal {F}\), the size of a functional key for it is \(\mathsf {poly}(d,\lambda )\) for some fixed polynomial function \(\mathsf {poly}\). We henceforth call this property short functional keys. Note that in order to decrypt, the description of f needs to be provided in addition to the key \(\mathsf {sk}_f\).
Theorem 2
([3]). Assuming the sub-exponential hardness of LWE, there exists a sub-exponentially-secure ABE scheme with time-efficient key generation and short functional keys.
2.2 Witness Encryption for \({{\textsf {NP}}}\)
Definition 2
(Witness encryption [7]). A witness encryption scheme for an NP relation \(R \subseteq \left\{ \{0,1\}^n \times \{0,1\}^{m(n)}\right\} _{n \in \mathbb {N}}\) with induced language L has the following syntax:
- \(\mathsf {Enc}(1^\lambda , x, b)\): Takes as input a security parameter \(1^\lambda \), a string \(x\in \{ 0,1 \}^n\) and a bit \(b\in \{ 0,1 \}\), and outputs a ciphertext \(\mathsf {ct}_{x,b}\).
- \(\mathsf {Dec}(\mathsf {ct}, w)\): Takes as input a ciphertext \(\mathsf {ct}_{x,b}\) and a string \(w\in \{ 0,1 \}^{m}\), and outputs a bit \(b'\) or the symbol \(\bot \).
These algorithms satisfy the following two conditions:
1. Correctness: For any security parameter \(\lambda \), any \(b\in \{ 0,1 \}\) and any \(x\in L\) with witness w, it holds that
$$\begin{aligned} \Pr [\mathsf {Dec}(\mathsf {Enc}(1^\lambda , x, b), w) = b] = 1, \end{aligned}$$
where the probability is over the internal randomness of the encryption procedure.
2. Security: A witness encryption scheme is \((t,\epsilon )\)-secure if for every ensemble \(x =\{x_\lambda \}\) of false statements \(x_\lambda \notin L\) it holds that
$$\begin{aligned} \mathsf {Enc}(1^\lambda , x_\lambda , 0) \approx _{t,\epsilon } \mathsf {Enc}(1^\lambda , x_\lambda , 1) \end{aligned}$$
where the randomness is over the internal randomness of the encryption procedure.
3 Non-trivial Witness Encryption and ABE
In this section we show that any attribute encryption scheme directly implies a non-trivially exponentially-efficient witness encryption scheme (XWE). This gives us a construction of the latter under the DBDH or LWE assumptions. Lastly, we recall the notion of null-iO, define non-trivially exponentially-efficient null-iO (XniO) and construct it based on previously built XWE.
3.1 Non-trivially Exponentially-Efficient Witness Encryption
Our notion of exponentially-efficient witness encryption (XWE) allows the encryptor to have running time almost as large as the brute-force algorithm that solves the instance. This is analogous to the notion of XiO introduced by Lin et al. [15] which requires the size of an obfuscation to be slightly smaller than the truth-table of the function. See comparison below.
Definition 3
A witness encryption scheme for a relation \(R \subseteq \{\{0,1\}^n \times \{0,1\}^{m(n)}\}_{n \in \mathbb {N}}\) with induced language L is said to be \(\gamma \)-exponentially-efficient if for any \(\lambda ,n \in \mathbb {N}\) with \(m=m(n)\) and every instance \(x \in \{ 0,1 \}^n\) and \(b\in \{ 0,1 \}\), the run-time of \(\mathsf {Enc}(1^\lambda , x,b)\) is at most \(2^{\gamma m}\cdot \mathsf {poly}(\lambda , n)\).
Comparison with XiO and SXiO. The notion of XiO, introduced by Lin et al. [15], requires an obfuscator to output a circuit of size \(2^{\gamma n}\cdot \mathsf {poly}(\lambda , |C|) \) given a circuit C that accepts n bits as input. This notion has been proven to be very useful in constructions of iO when combined with LWE. SXiO is a strengthening of XiO in which we require not only the obfuscated circuit to be of non-trivial size, but also the running time of the obfuscator.
Our notion of XWE only concerns the time it takes to encrypt a bit (which gives an upper bound on the size of the obfuscation). The reason is that an encryptor can always brute-force all possible witnesses and try each one to decide whether the instance is in the language or not. If so, it can output the message in the clear, and if not it can output some fixed output (recall that in WE correctness holds only for instances that are in the language while security is required only for instances that are not in the language).
3.2 From ABE to Non-trivial Witness Encryption
We observe a connection between ABE schemes and exponentially-efficient WE schemes. This is similar to the observation of [2] in the context of functional encryption and exponentially-efficient iO. However, in our case we will be able to instantiate our ABE scheme based on somewhat standard assumptions.
Theorem 3
Let \(R \subseteq \left\{ \{0,1\}^n \times \{0,1\}^{m(n)}\right\} _{n \in \mathbb {N}}\) be an NP relation with induced language L. Assume the existence of a sub-exponentially-secure ABE scheme for all circuits. Then, there exists a polynomial \(\mathsf {poly}\) and a witness encryption scheme for R with the following properties. For any \(\lambda ,n \in \mathbb {N}\) with \(m = m(n)\) and every instance \(x \in \{ 0,1 \}^n\) and \(b\in \{ 0,1 \}\):
1. The run-time of the encryption procedure \(\mathsf {Enc}(1^\lambda , x,b)\) is at most \(2^{m/2}\cdot \mathsf {poly}(\lambda , n, m)\).
2. The ciphertext size is at most \(2^{m/2}\cdot \mathsf {poly}(\lambda , n, m)\).
3. The decryption time is at most \(2^{m/2}\cdot \mathsf {poly}(\lambda , n, m)\). In particular, it is \(\mathsf {poly}(\lambda ,n, m)\) in the RAM model.Footnote 3
Proof
Assume that we have an ABE scheme \(\mathsf {ABE}= (\mathsf {ABE.Setup}, \mathsf {ABE.KG}, \mathsf {ABE.Enc}, \mathsf {ABE.Dec})\) for all circuits. The ABE scheme is sub-exponentially-hard so when instantiated with security parameter \(\lambda \), no adversary that runs in time \(2^{\lambda ^\tau }\) can break it for a constant \(\tau >0\). We construct a witness encryption scheme \(\mathsf {WE}=(\mathsf {WE.Enc},\mathsf {WE.Dec})\).
Denote by \(V^{(L)}\) the verification procedure of the \({{\textsf {NP}}}\) language L. This procedure gets as input x and a possible witness w split into two parts \(w_1\) and \(w_2\), and it outputs a bit that specifies whether w is a valid witness attesting to the fact that \(x\in L\). Given an instance \(x\in \{ 0,1 \}^{n}\) and a message \(b\in \{ 0,1 \}\), the witness encryption \(\mathsf {WE.Enc}(1^\lambda , x,b)\) is computed as follows:
1. Sample a master secret key for the ABE scheme \(\mathsf {msk}\leftarrow \mathsf {ABE.Setup}(1^{\tilde{\lambda }})\), where \(\tilde{\lambda }= \max \{\lambda ,m^{2/\tau }\}\).
2. For every \(w_1\in \{ 0,1 \}^{m/2}\), use the ABE scheme to generate a key for the function \(V^{(L)}_{x,w_1}(w_2) = V^{(L)}(x, w_1w_2)\):
$$\begin{aligned} \mathsf {sk}_{f,w_1} \leftarrow \mathsf {ABE.KG}(\mathsf {msk}, V^{(L)}_{x,w_1}). \end{aligned}$$
3. For every \(w_2\in \{ 0,1 \}^{m/2}\), use the ABE scheme to encrypt b under attribute \(w_2\):
$$\begin{aligned} \mathsf {ct}_{w_2,b} \leftarrow \mathsf {ABE.Enc}(\mathsf {msk}, w_2, b). \end{aligned}$$
4. Output \(\{\mathsf {sk}_{f,w_1}\}_{w_1\in \{ 0,1 \}^{m/2}}\) and \(\{\mathsf {ct}_{w_2,b}\}_{w_2\in \{ 0,1 \}^{m/2}}\).
To decrypt \(\mathsf {WE.Dec}(\mathsf {ct}, w)\), where
and \(w = w_1w_2\in \{ 0,1 \}^{m}\), we execute the decryption procedure of the ABE scheme as follows:
Correctness immediately follows from the correctness of the underlying ABE scheme. Security also easily follows from the security of the latter. Namely, if \(x \notin L\), then for any \(w_1 w_2 \in \{0,1\}^{m}\), we have \(V^{(L)}(x,w_1 w_2) = 0\). Let \(\mathsf {ct}\) denote an encryption of 0 for a statement \(x \notin L\), that is:
For security, first observe that we instantiated our ABE scheme with security parameter \(\tilde{\lambda }= \max \{\lambda , m^{2/\tau }\}\). This means that our scheme is secure against adversaries that run in time \(\max \{2^{\lambda ^\tau }, 2^{m^{2}}\}\). In particular, it is secure for all adversaries running in time \(\mathsf {poly}(2^m)\) which is the size of our ciphertext (see below). Moreover, since for any \(w_1,w_2 \in \{ 0,1 \}^{m/2}\), we have \(V^{(L)}(x,w_1 w_2) = 0\), it is clear that, assuming the security of \(\mathsf {ABE}\), \(\mathsf {ct}_{w_2,0} \approx _{c} \mathsf {ct}_{w_2,1}\), and security follows.
Let us analyze the complexity of the scheme and in particular the running time of the encryption procedure. When encrypting a message b under instance x our scheme generates and outputs \(2^{m/2}\) functional keys (for a function whose complexity is at most the complexity of \(V^{(L)}\)) and \(2^{m/2}\) ciphertexts of the underlying ABE scheme. This takes time at most
for some fixed polynomial \(\mathsf {poly}\) which depends on the complexity of encryption of the underlying ABE scheme and the complexity of \(V^{(L)}\). The same bound holds for the ciphertext size. Decryption upon witness \(w=w_1w_2\) requires reading the functional key and ciphertext and a single invocation of the decryption procedure of the underlying ABE scheme on the key for the function \(f(w_1,\cdot )=V_{x,w_1}^{(L)}(\cdot )\) and the ciphertext that corresponds to \(w_2\).
3.3 Instantiations
We instantiate Theorem 3 using known attribute-based encryption schemes mentioned in Sect. 2.1. The first construction of Goyal et al. [12] which works only for \({{\textsf {NC}}^1}\) circuits and is based on the decisional bilinear Diffie-Hellman assumption leads to non-trivially exponentially-efficient witness encryption for any \({{\textsf {NP}}}\) relation with verification in \({{\textsf {NC}}^1}\). One can also instantiate a similar corollary based on the LWE-based constructions of Gorbunov et al. [9] and of Boneh et al. [3] and get a construction that works for all languages with a polynomial-size circuit verifier, so for any \({{\textsf {NP}}}\) relation.
Corollary 1
Let \(R \subseteq \left\{ \{0,1\}^n \times \{0,1\}^{m(n)}\right\} _{n \in \mathbb {N}}\) be an NP relation with induced language L. Assume the sub-exponential security of the learning with errors assumption. Then, there exists a polynomial \(\mathsf {poly}\) and a sub-exponentially-secure witness encryption scheme \(\mathsf {WE}=(\mathsf {WE.Enc},\mathsf {WE.Dec})\) for R with the following properties:
1. The time it takes to encrypt a bit is at most \(2^{m/2} \cdot \mathsf {poly}(\lambda ,n,m)\).
2. The ciphertext size is at most \(2^{m/2} \cdot \mathsf {poly}(\lambda , n, m) \).
3. The decryption time is at most \(2^{m/2} \cdot \mathsf {poly}(\lambda , n, m)\).
Moreover, assuming also that the verification for L is in NC\(^1\), the same is true assuming the sub-exponential security of the decisional bilinear Diffie-Hellman assumption.
A Variant Based on ABE with Short Functional Keys. Below we provide a variant of Theorem 3 in which we take advantage of an ABE scheme that has a particular notion of succinctness we referred to as short functional keys (Footnote 4). This property is satisfied by the LWE-based scheme by Boneh et al.
Theorem 4
Let \(R \subseteq \left\{ \{0,1\}^n \times \{0,1\}^{m(n)}\right\} _{n \in \mathbb {N}}\) be an NP relation with induced language L. Assume an attribute-based encryption scheme for all circuits with time-efficient key generation and short functional keys. Let \(m_1(n),m_2(n),m_3(n) \ge 0\) be polynomials such that \(m_1 + m_2 + m_3 = m\). Then, there exists a sub-exponentially-secure witness encryption scheme with the following properties:
1. The time it takes to encrypt a bit is at most \( 2^{\max \{m_1+m_3,m_2\}} \cdot \mathsf {poly}(\lambda ,n,m)\).
2. The ciphertext size is at most \(2^{\max \{m_1,m_2\}} \cdot \mathsf {poly}(\lambda ,n,m)\).
3. The decryption time is at most \(2^{\max \{m_1,m_2,m_3\}} \cdot \mathsf {poly}(\lambda , n, m)\).
Proof
Assume that we have an ABE scheme \(\mathsf {ABE}= (\mathsf {ABE.Setup}, \mathsf {ABE.KG}, \mathsf {ABE.Enc}, \mathsf {ABE.Dec})\) with time-efficient key generation and short functional keys. The ABE scheme is secure against adversaries running in time \(2^{\lambda ^\tau }\) for a constant \(\tau >0\). We construct a witness encryption scheme \(\mathsf {WE}=(\mathsf {WE.Enc},\mathsf {WE.Dec})\).
Given an instance \(x\in \{ 0,1 \}^n\) and a message \(b\in \{ 0,1 \}\), the witness encryption \(\mathsf {WE.Enc}(1^\lambda , x,b)\) is done as follows:
1. Sample a master secret key for the ABE scheme \(\mathsf {msk}\leftarrow \mathsf {ABE.Setup}(1^{\tilde{\lambda }})\), where \(\tilde{\lambda }= \max \{\lambda ,m^{2/\tau }\}\).
2. For every \(w_1\in \{ 0,1 \}^{m_1}\), use the ABE scheme to generate a key for the function \(V^{(L)}_{x,w_1}(w_2) = \bigvee _{w_3\in \{ 0,1 \}^{m_3}} V^{(L)}(x,w_1 w_2 w_3)\):
$$\begin{aligned} \mathsf {sk}_{f,w_1} \leftarrow \mathsf {ABE.KG}(\mathsf {msk}, V^{(L)}_{x,w_1}). \end{aligned}$$
3. For every \(w_2\in \{ 0,1 \}^{m_2}\), use the ABE scheme to encrypt b under attribute \(w_2\):
$$\begin{aligned} \mathsf {ct}_{w_2,b} \leftarrow \mathsf {ABE.Enc}(\mathsf {msk}, w_2, b). \end{aligned}$$
4. Output \(\{\mathsf {sk}_{f,w_1}\}_{w_1\in \{ 0,1 \}^{m_1}}\) and \(\{\mathsf {ct}_{w_2,b}\}_{w_2\in \{ 0,1 \}^{m_2}}\).
Correctness is immediate and security follows as in the proof of Theorem 3, since for \(x\notin L\), there are no \(w_1\) and \(w_2\) for which \(V^{(L)}_{x,w_1}(w_2)\) evaluates to 1. Thus, we can directly reduce security of our construction to the security of the underlying ABE scheme.
Given \(x\in \{ 0,1 \}^{n}\) and \(b\in \{ 0,1 \}\), the time it takes to compute \(\mathsf {WE.Enc}(1^\lambda , x,b)\) is at most
where d is the depth of the circuit \(V^{(L)}_{x,w_1}\) (recall that the LWE-based ABE scheme has time-efficient key generation; see Theorem 2). Notice that d is bounded by the depth of \(V^{(L)}\) which is at most some polynomial in n and m. Furthermore, notice that \(|V^{(L)}_{x,w_1}|\), the size of \(V^{(L)}_{x,w_1}\), is at most \(2^{m_3}\) times some polynomial in n and m. Overall, we get that the time it takes to generate a ciphertext is at most
The size of a ciphertext is shorter because the size of a key does not depend on the size of the function but only on its depth (which is \(\mathsf {poly}(n,m)\)). This means that the ciphertext size is
For decryption, one needs to read the whole ciphertext and perform a single decryption operation of the underlying ABE scheme. However, notice that the size of the function is \(2^{m_3} \cdot \mathsf {poly}(\lambda ,n,m)\), which means that the time to decrypt is at most:
Note that for decryption, the description of the function must be known. This can be done by providing a (single) generic description of
as a public parameter.
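The Theorem 4 transformation, as an added example that is not part of the paper: a Python model of \(\mathsf {WE.Enc}\) and \(\mathsf {WE.Dec}\) on a constructed toy SAT relation, with a functionality-only ABE stand-in (keys and ciphertexts held in the clear, so it has no security at all) in place of the LWE-based scheme, so that the \(2^{m_1}\) keys, \(2^{m_2}\) ciphertexts and \(2^{m_3}\)-sized predicates can be counted directly. All class, function and instance names below are mine, not the paper's.

```python
from itertools import product
from typing import Callable, List, Optional, Tuple

# Added example, not the paper's code. A functionality-only ABE stand-in (no
# hiding at all) is used to exhibit the structure and cost accounting of the
# Theorem 4 transformation; every instance below is constructed for the demo.
Bits = Tuple[int, ...]
Formula = List[List[Tuple[int, bool]]]  # CNF: clauses of (variable, polarity)

def all_bits(k: int):
    """Enumerate {0,1}^k as tuples; there are 2^k of them."""
    return product((0, 1), repeat=k)

def verify_sat(x: Formula, w: Bits) -> int:
    """V^{(L)}(x, w) for the toy SAT relation: 1 iff w satisfies every clause."""
    return int(all(any(w[v] == int(pos) for v, pos in clause) for clause in x))

class ToyABE:
    """Single-input ABE stand-in: keys are the predicate itself, ciphertexts
    hold (attribute, message) in the clear. Functionality only, zero security."""
    def setup(self) -> object:
        return object()  # placeholder msk, never used by the stand-in
    def keygen(self, msk, f: Callable[[Bits], int]):
        return f
    def enc(self, msk, attr: Bits, b: int):
        return (attr, b)
    def dec(self, sk, ct) -> Optional[int]:
        attr, b = ct
        return b if sk(attr) == 1 else None

def restricted_verifier(x: Formula, w1: Bits, m3: int) -> Callable[[Bits], int]:
    """V^{(L)}_{x,w1}(w2) = OR over w3 in {0,1}^{m3} of V^{(L)}(x, w1 w2 w3).
    Its size is 2^{m3} verifier copies: the 2^{m3} term in the Theorem 4 costs."""
    return lambda w2: int(any(verify_sat(x, w1 + w2 + w3) for w3 in all_bits(m3)))

def we_enc(abe: ToyABE, x: Formula, b: int, m1: int, m2: int, m3: int):
    """WE.Enc(1^lambda, x, b): 2^{m1} functional keys and 2^{m2} ciphertexts."""
    msk = abe.setup()
    keys = {w1: abe.keygen(msk, restricted_verifier(x, w1, m3)) for w1 in all_bits(m1)}
    cts = {w2: abe.enc(msk, w2, b) for w2 in all_bits(m2)}
    return keys, cts

def we_dec(abe: ToyABE, we_ct, w: Bits, m1: int, m2: int) -> Optional[int]:
    """WE.Dec: read key sk_{f,w1} and ciphertext ct_{w2} selected by the witness
    prefix w1 w2 (one key and one ciphertext in the RAM model, Footnote 2); the
    suffix w3 is never needed because the key's predicate searches over it."""
    keys, cts = we_ct
    return abe.dec(keys[w[:m1]], cts[w[m1:m1 + m2]])

def accepting_pairs(x: Formula, m1: int, m2: int, m3: int) -> List[Tuple[Bits, Bits]]:
    """(w1, w2) pairs with V^{(L)}_{x,w1}(w2) = 1. Empty iff x is not in L, which
    is the premise of the security reduction to the ABE scheme."""
    return [(w1, w2) for w1 in all_bits(m1) for w2 in all_bits(m2)
            if restricted_verifier(x, w1, m3)(w2) == 1]

# Constructed instances over m = 3 variables, split as m1 = m2 = m3 = 1.
X_SAT: Formula = [[(0, True), (1, True)], [(1, False), (2, True)], [(0, False), (2, False)]]
X_UNSAT: Formula = [[(0, True)], [(0, False)]]  # v0 AND NOT v0, no witness exists

if __name__ == "__main__":
    abe = ToyABE()
    ct = we_enc(abe, X_SAT, 1, 1, 1, 1)
    print(len(ct[0]), len(ct[1]), we_dec(abe, ct, (0, 1, 1), 1, 1), accepting_pairs(X_UNSAT, 1, 1, 1))
```

Note that a witness whose w3 suffix is wrong still decrypts, because the key's predicate ranges over all of \(\{0,1\}^{m_3}\); only the prefix \(w_1 w_2\) has to be correct.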
We then obtain the following corollary using the construction by Boneh et al. [3] in Theorem 4 with \(m_1 = m_2 = m_3 = m/3\).
Corollary 2
Let \(R \subseteq \left\{ \{0,1\}^n \times \{0,1\}^{m(n)}\right\} _{n \in \mathbb {N}}\) be an NP relation with induced language L. Assuming the sub-exponential hardness of the learning with errors problem, there exists a sub-exponentially-secure witness encryption scheme \(\mathsf {WE}=(\mathsf {WE.Enc},\mathsf {WE.Dec})\) for R with the following properties:
1. The time it takes to encrypt a bit is at most \( 2^{2m/3} \cdot \mathsf {poly}(\lambda ,n,m)\).
2. The ciphertext size is at most \(2^{m/3} \cdot \mathsf {poly}(\lambda ,n,m)\).
3. The decryption time is at most \(2^{m/3} \cdot \mathsf {poly}(\lambda , n, m)\).
3.4 A Similar Transformation for Null-iO
A similar result, i.e., a non-trivially exponentially-efficient construction based on the LWE assumption, can be obtained for a weakening of iO called null-iO (niO, see [11, 19]). An niO is an obfuscation scheme which takes as input an arbitrary circuit and outputs a functionally equivalent one, but security only guarantees that we cannot distinguish the obfuscations of any two circuits \(C,C'\) of the same size such that \(C(x) = C'(x) = 0\) for all inputs x.
Definition 4
(Null-iO). A null-iO (niO) obfuscation scheme is an efficient compiler \({\mathcal {O}}\) for circuits that satisfies the following properties:
1. Correctness: For any security parameter \(\lambda \) and all circuits \(C:\{0,1\}^n\rightarrow \{0,1\}\):
$$\begin{aligned} \Pr [\forall x \in \{0,1\}^n : C(x)=\tilde{C}(x)| \tilde{C}\leftarrow {\mathcal {O}}(1^{\lambda },C) ] = 1, \end{aligned}$$
where the probability is taken over the randomness of \({\mathcal {O}}\).
2. Security: Let \(C=\{C_{\lambda }\}\), \(C'=\{C'_{\lambda } \}\) be two ensembles of circuits with equal input length \(n(\lambda )\) and circuit size, which satisfy \(C_{\lambda }(x)=C'_{\lambda }(x)=0\) for all \(x \in \{0,1\}^{n(\lambda )}\). Then, we have that:
$$\begin{aligned} {\mathcal {O}}(1^{\lambda },C_{\lambda }) \approx _{t,\epsilon } {\mathcal {O}}(1^{\lambda },C'_{\lambda }). \end{aligned}$$
It is natural to define the exponentially-efficient version of niO such that the running time of the obfuscator (and thus the size of the obfuscated circuit as well) is smaller than \(2^n\).
Definition 5
(XniO). A null-iO is said to be \(\gamma \)-exponentially-efficient (XniO) if for any security parameter \(\lambda \in \mathbb {N}\) and every circuit C, the running time of the obfuscation \({\mathcal {O}}(1^\lambda , C)\) is at most \(2^{ \gamma n}\cdot \mathsf {poly}(|C|)\).
In a recent work, Wichs and Zirdelis [19] showed that assuming LWE one can generically translate any witness encryption scheme into a niO. Thus, using our Theorem 1 (instantiated with LWE) together with their transformation, we get a 1/2-XniO (for all polynomial-size circuits) assuming sub-exponentially-secure LWE. Using our Corollary 2 together with their transformation, we get an XniO whose running time is \(2^{2n/3}\) and such that the size of the obfuscated circuit is \(2^{n/3}\), assuming sub-exponentially-secure LWE.
Remark 1
A different way to get the same result is to directly construct an XniO based on any predicate encryption scheme [10], similarly to our construction of an XWE based on any ABE scheme.
Notes
- 1.
One difference is that XiO only restricts the size of the obfuscated programs but not the run-time of the obfuscation procedure, while XWE and XniO also restrict the run-time of the encryption and obfuscation procedures (which then implicitly restricts the size of the ciphertexts and obfuscated programs). This is important since, without restricting the run-time, trivial WE and niO constructions can achieve short ciphertext and obfuscated program sizes.
- 2.
Notice that in the RAM model, decryption is very efficient as it requires accessing only one key and one ciphertext.
- 3.
The property that in the RAM model our decryption is very efficient is common to all of our results. We only state it here and avoid repeating it in the other results.
- 4.
Recall that a scheme with short functional keys has the property that the size of a functional key for a function of size s and depth d is \(\mathsf {poly}(d,\lambda )\) for some fixed polynomial function \(\mathsf {poly}\).
References
1. Barak, B., et al.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012). Preliminary version appeared in CRYPTO 2001
2. Bitansky, N., Nishimaki, R., Passelègue, A., Wichs, D.: From cryptomania to obfustopia through secret-key functional encryption. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 391–418. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_15
3. Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30
4. Boneh, D., Sahai, A., Waters, B.: Functional encryption: a new vision for public-key cryptography. Commun. ACM 55(11), 56–64 (2012). https://doi.org/10.1145/2366316.2366333
5. Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_1
6. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual Symposium on Foundations of Computer Science, FOCS 2013, pp. 40–49. IEEE Computer Society Press (2013)
7. Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: Symposium on Theory of Computing Conference, STOC 2013, pp. 467–476. ACM (2013)
8. Goldwasser, S., et al.: Multi-input functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_32
9. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: Symposium on Theory of Computing Conference, STOC 2013, Palo Alto, CA, USA, 1–4 June 2013, pp. 545–554. ACM (2013)
10. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_25
11. Goyal, R., Koppula, V., Waters, B.: Lockable obfuscation. In: 58th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2017, pp. 612–621. IEEE Computer Society (2017)
12. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 89–98. ACM (2006)
13. Komargodski, I., Naor, M., Yogev, E.: Secret-sharing for NP. J. Cryptol. 30(2), 444–469 (2017)
14. Komargodski, I., Segev, G.: From minicrypt to obfustopia via private-key functional encryption. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 122–151. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_5
15. Lin, H., Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation with non-trivial efficiency. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9615, pp. 447–462. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49387-8_17
16. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th Annual ACM Symposium on Theory of Computing, STOC 2005, pp. 84–93. ACM Press (2005)
17. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th Annual ACM Symposium on Theory of Computing, STOC 2014, pp. 475–484. ACM Press (2014)
18. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
19. Wichs, D., Zirdelis, G.: Obfuscating compute-and-compare programs under LWE. In: 58th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2017, pp. 600–611. IEEE Computer Society (2017)
Acknowledgements
We thank Nir Bitansky for many initial discussions on the topics of this work. We thank Antigoni Polychroniadou and Hoeteck Wee for their helpful comments on a previous version of our work. We also thank the anonymous reviewers for their remarks.
A Multi-input ABE and Non-trivial Witness Encryption
In this section, we introduce the notion of multi-input attribute-based encryption and show that, in the most general setting, it implies witness encryption for \({{\textsf {NP}}}\).
Recall that in a standard ABE scheme, one can encrypt a message b relative to some attribute \(\alpha \) to get \(\mathsf {ct}_{\alpha ,b}\) and independently generate keys for Boolean functions f to get \(\mathsf {sk}_f\). Together, \(\mathsf {ct}_{\alpha ,b}\) and \(\mathsf {sk}_f\) can be used to recover b if \(f(\alpha ) = 1\), and otherwise b should remain computationally hidden. We extend this notion to the multi-input setting. Here f takes as input a sequence of attributes \(\alpha _1,\dots ,\alpha _k\) for \(k \ge 1\), and the encryption functionality takes an additional parameter \(i\in [k]\) (it ignores b for \(i\ne 1\)). Given ciphertexts \(\mathsf {ct}_{\alpha _1,b},\mathsf {ct}_{\alpha _2,\cdot },\dots ,\mathsf {ct}_{\alpha _k,\cdot }\) and a key \(\mathsf {sk}_f\) for such a function, one is able to recover b if \(f(\alpha _1,\dots ,\alpha _k)=1\), while it should remain hidden if \(f(\alpha _1,\dots ,\alpha _k)=0\). Details follow.
A k-input ABE scheme is parametrized over an attribute space \(\mathcal {X}=\{\mathcal {X}_{\lambda }\}_{\lambda \in \mathbb {N}}\) and a function space \(\{\mathcal {F}_{\lambda }\}_{\lambda \in \mathbb {N}}\), where each function in \(\mathcal {F}_{\lambda }\) maps \((\mathcal {X}_{\lambda })^k\) to \(\{ 0,1 \}\). Such a scheme is described by four procedures \((\mathsf {Setup}, \mathsf {KG}, \mathsf {Enc}, \mathsf {Dec})\) with the following syntax:
1. \(\mathsf {Setup}(1^\lambda )\) gets as input a security parameter and outputs a master secret key \(\mathsf {msk}\).
2. \(\mathsf {KG}(\mathsf {msk}, f)\) gets as input a master secret key \(\mathsf {msk}\) and a function \(f\in \mathcal {F}_\lambda \) and outputs a key \(\mathsf {sk}_f\).
3. \(\mathsf {Enc}(\mathsf {msk}, \alpha , b,i)\) gets as input a master secret key \(\mathsf {msk}\), an attribute \(\alpha \in \mathcal {X}_\lambda \), a message \(b\in \{ 0,1 \}\) and an index \(i\in [k]\), and outputs a ciphertext \(\mathsf {ct}_{\alpha ,b,i}\).
4. \(\mathsf {Dec}(\mathsf {sk}_f, \mathsf {ct}_{\alpha _1,b_1,1},\dots ,\mathsf {ct}_{\alpha _k,b_k,k})\) gets as input a key for the function f and a sequence of ciphertexts of \((\alpha _1, b_1),\dots ,(\alpha _k, b_k)\) and outputs a string \(b'\).
The correctness and security of such a scheme are provided in the next definition.
Definition 6
A tuple of four procedures \((\mathsf {Setup}, \mathsf {KG}, \mathsf {Enc}, \mathsf {Dec})\) is a k-input \((t,\epsilon )\)-secure ABE scheme if
1. Correctness: For every \(\lambda \in \mathbb {N}\), \(b_1,\dots ,b_k\in \{ 0,1 \}\), \(\alpha _1,\dots ,\alpha _k\in \mathcal {X}\), \(f \in \mathcal {F}\), it holds that if \(f(\alpha _1,\dots ,\alpha _k) = 1\), then
$$\begin{aligned} \Pr [ \mathsf {Dec}(\mathsf {KG}(\mathsf {msk}, f), \mathsf {Enc}(\mathsf {msk}, \alpha _1, b_1, 1), \dots , \mathsf {Enc}(\mathsf {msk}, \alpha _k, b_k, k) ) = b_1 ] = 1 \end{aligned}$$
where the probability is over the choice of \(\mathsf {msk}\leftarrow \mathsf {Setup}(1^\lambda )\) and over the internal randomness of \(\mathsf {KG}\) and \(\mathsf {Enc}\). Note that only messages encrypted at index 1 can be recovered; thus every message encrypted at a different index could be set to \(\perp \) in our definition, at the cost of a slightly more complex syntax.
2. Security: For every polynomial \(p = p(\lambda )\), every \(\vec {\alpha }_1,\dots ,\vec {\alpha }_p\), where \(\vec {\alpha }_i = (\alpha ^{(i)}_1,\dots ,\alpha ^{(i)}_k)\in \mathcal {X}^k\) for \(i\in [p]\), and every \(f_1,\dots ,f_p \in \mathcal {F}\), it holds that if \(f_i(\alpha ^{(i_1)}_1,\dots ,\alpha ^{(i_k)}_k) = 0\) for every \(i,i_1,\ldots ,i_k\in [p]\), then
$$\begin{aligned}&\left\{ \mathsf {KG}(\mathsf {msk}, f_i)\right\} _{i\in [p]}, \left\{ \mathsf {Enc}(\mathsf {msk}, \alpha _j^{(i)}, 0, j)\right\} _{i\in [p],j \in [k]} \approx _{t,\epsilon } \\&\left\{ \mathsf {KG}(\mathsf {msk}, f_i)\right\} _{i\in [p]}, \left\{ \mathsf {Enc}(\mathsf {msk}, \alpha _j^{(i)}, 1, j)\right\} _{i\in [p],j \in [k]}, \end{aligned}$$
where the randomness is over the choice of \(\mathsf {msk}\leftarrow \mathsf {Setup}(1^\lambda )\) and the internal randomness of \(\mathsf {KG}\) and \(\mathsf {Enc}\).
In the next lemma we show that a general-purpose \(\mathsf {poly}\)-input ABE scheme implies a witness encryption scheme. This is similar to an analogous statement in the functional encryption literature which says that a general purpose multi-input functional encryption scheme implies indistinguishability obfuscation for all circuits [8].
Lemma 1
Let \(L \in \) NP be a language where instances are of size \(n=n(\lambda )\) and witnesses are of size \(m=m(\lambda )\). An m-input ABE scheme for all polynomial-size circuits implies a witness encryption scheme for L.
Proof
Let \(\mathsf {MIABE} = (\mathsf {Setup}, \mathsf {KG}, \mathsf {Enc}, \mathsf {Dec})\) be the m-input ABE scheme. Denote by \(V^{(L)}\) the verification procedure of the \({{\textsf {NP}}}\) language L. This procedure gets as input x and a possible witness w split into m bits \(w_1,\dots ,w_{m}\), and it outputs a bit that specifies whether w is a valid witness attesting to the fact that \(x\in L\). Given an instance \(x\in \{ 0,1 \}^{n}\) and a message \(b\in \{ 0,1 \}\), the witness encryption \(\mathsf {Enc}(1^\lambda , x,b)\) is computed as follows:
1. Sample a master secret key for the multi-input ABE scheme \(\mathsf {msk}\leftarrow \mathsf {Setup}(1^{\lambda })\).
2. Use the ABE scheme to generate a key for the function \(V^{(L)}_x(w_1,\dots ,w_{m}) = V^{(L)}(x,w_1\dots w_{m})\):
$$\begin{aligned} \mathsf {sk}_f \leftarrow \mathsf {KG}(\mathsf {msk}, V^{(L)}_x). \end{aligned}$$
3. For \(\ell \in \{ 0,1 \}\) and \(i \in [m]\), use the ABE scheme to encrypt b under attribute \(\ell \) for the index i:
$$\begin{aligned} \mathsf {ct}_{\ell ,b,i} \leftarrow \mathsf {Enc}(\mathsf {msk}, \ell , b, i). \end{aligned}$$
4. Output \(\mathsf {sk}_f\), \(\{\mathsf {ct}_{\ell ,b,i}\}_{\ell \in \{ 0,1 \}, i\in [m]}\).
To decrypt a ciphertext \(\mathsf {ct}= (\mathsf {sk}_f, \{\mathsf {ct}_{\ell ,b,i}\}_{\ell \in \{ 0,1 \}, i\in [m]})\) with respect to a witness \(w = w_1\dots w_{m} \in \{ 0,1 \}^{m} \), we execute the decryption procedure of the ABE scheme as follows:
The correctness and security of the witness encryption scheme follow immediately from the correctness and security of the underlying multi-input ABE scheme. Correctness holds since, given a valid witness w for which \(V^{(L)}(x,w)=1\), the ABE decryption procedure will output b. Security holds since for any \(x\notin L\) there is no witness for which \(V^{(L)}\) accepts x, and thus \(V^{(L)}_x\) is always 0, which means that no combination of ciphertexts will lead to a successful decryption. The latter, by the security of the underlying ABE scheme, implies that b is computationally hidden.
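The Lemma 1 transformation, as an added example that is not part of the paper: a Python model of the multi-input construction on a constructed toy SAT relation, with a functionality-only k-input ABE stand-in (keys and ciphertexts held in the clear, so it has no security at all) following the syntax of Definition 6. It makes visible that the WE ciphertext consists of a single functional key plus 2m ABE ciphertexts, and that decryption selects \(\mathsf {ct}_{w_i,\cdot ,i}\) for each witness bit. All class, function and instance names below are mine, not the paper's.

```python
from itertools import product
from typing import Callable, List, Optional, Sequence, Tuple

# Added example, not the paper's code. A functionality-only m-input ABE stand-in
# (no hiding at all) exhibits the Lemma 1 transformation: one functional key
# plus 2m ciphertexts give witness encryption, with no 2^{m} term anywhere.
Bits = Tuple[int, ...]
Formula = List[List[Tuple[int, bool]]]  # CNF: clauses of (variable, polarity)

def verify_sat(x: Formula, w: Sequence[int]) -> int:
    """V^{(L)}(x, w) for the toy SAT relation: 1 iff w satisfies every clause."""
    return int(all(any(w[v] == int(pos) for v, pos in clause) for clause in x))

class ToyMIABE:
    """k-input ABE stand-in following the syntax of Definition 6: Enc takes an
    index i in [k]; Dec releases the index-1 message iff f(alpha_1..alpha_k) = 1.
    Keys and ciphertexts are in the clear, so this has zero security."""
    def __init__(self, k: int):
        self.k = k
    def setup(self) -> object:
        return object()  # placeholder msk, unused by the stand-in
    def keygen(self, msk, f: Callable[..., int]):
        return f
    def enc(self, msk, attr: int, b: int, i: int):
        assert 1 <= i <= self.k
        return (attr, b if i == 1 else None, i)  # b is ignored for i != 1
    def dec(self, sk, cts: Sequence[Tuple[int, Optional[int], int]]) -> Optional[int]:
        # Exactly one ciphertext per index, in order 1..k.
        if [ct[2] for ct in cts] != list(range(1, self.k + 1)):
            return None
        attrs = tuple(ct[0] for ct in cts)
        return cts[0][1] if sk(*attrs) == 1 else None

def we_enc(abe: ToyMIABE, x: Formula, b: int, m: int):
    """WE.Enc(1^lambda, x, b): one key for V^{(L)}_x(w_1..w_m) = V^{(L)}(x, w_1...w_m)
    and ciphertexts ct_{l,b,i} for every bit value l and index i (2m in total)."""
    msk = abe.setup()
    sk_f = abe.keygen(msk, lambda *ws: verify_sat(x, ws))
    cts = {(l, i): abe.enc(msk, l, b, i) for l in (0, 1) for i in range(1, m + 1)}
    return sk_f, cts

def we_dec(abe: ToyMIABE, we_ct, w: Bits) -> Optional[int]:
    """WE.Dec: select ct_{w_i,.,i} for each witness bit and run one ABE decryption."""
    sk_f, cts = we_ct
    return abe.dec(sk_f, [cts[(w_i, i + 1)] for i, w_i in enumerate(w)])

def no_witness_decrypts(abe: ToyMIABE, x: Formula, m: int) -> bool:
    """Brute-force check of the security premise for x not in L: V^{(L)}_x is
    identically 0, so no choice of ciphertexts yields a successful decryption."""
    we_ct = we_enc(abe, x, 1, m)
    return all(we_dec(abe, we_ct, w) is None for w in product((0, 1), repeat=m))

# Constructed instances over m = 3 variables.
M = 3
X_SAT: Formula = [[(0, True), (1, True)], [(1, False), (2, True)], [(0, False), (2, False)]]
X_UNSAT: Formula = [[(0, True)], [(0, False)]]  # v0 AND NOT v0, no witness exists

if __name__ == "__main__":
    abe = ToyMIABE(M)
    ct = we_enc(abe, X_SAT, 1, M)
    print(len(ct[1]), we_dec(abe, ct, (0, 1, 1)), we_dec(abe, ct, (0, 1, 0)))
```

Unlike the Theorem 4 construction, every witness bit is consumed here, so an assignment that fails a clause decrypts to nothing even when a nearby assignment would satisfy the formula.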
Using Fewer-Input ABE. Variants of the above theorem can be obtained in case we only have an ABE scheme that supports fewer inputs. Specifically, similarly to the refinement of [2] of the result of [8] mentioned above (see [14, Lemma 4.2] for the precise statement), one can show that a k-input ABE scheme for \(k=k(\lambda )\) implies a witness encryption scheme for languages with instances of size \(n=n(\lambda )\) and witnesses of size \(k\cdot \log n\). This means that a k-input ABE scheme for any \(k=\omega (1)\) is interesting, as it could lead to non-trivial constructions of secret sharing schemes for all \({{\textsf {NP}}}\) based on somewhat weaker assumptions than currently known [13].
Copyright information
© 2018 Springer Nature Switzerland AG
Cite this paper
Brakerski, Z., Jain, A., Komargodski, I., Passelègue, A., Wichs, D. (2018). Non-trivial Witness Encryption and Null-iO from Standard Assumptions. In: Catalano, D., De Prisco, R. (eds) Security and Cryptography for Networks. SCN 2018. Lecture Notes in Computer Science, vol 11035. Springer, Cham. https://doi.org/10.1007/978-3-319-98113-0_23
DOI: https://doi.org/10.1007/978-3-319-98113-0_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-98112-3
Online ISBN: 978-3-319-98113-0