**Offline Witness Encryption**

*Hamza Abusalah and Georg Fuchsbauer and Krzysztof Pietrzak*

**Abstract: **Witness encryption (WE) was introduced by Garg et al. (STOC'13). A WE scheme is defined for some NP language $L$ and lets a sender encrypt messages relative to instances $x$. A ciphertext for $x$ can be decrypted using $w$ witnessing $x\in L$, but hides the message if $x\notin L$. Garg et al. construct WE from multilinear maps and give another construction (FOCS'13) using indistinguishability obfuscation (iO) for encryption. Due to the reliance on such heavy tools, WE can currently hardly be implemented on powerful hardware and will unlikely be realizable on constrained devices like smart cards any time soon.

We construct a WE scheme where \emph{encryption} is done by simply computing a Naor-Yung ciphertext (two CPA encryptions and a NIZK proof). To achieve this, our scheme has a setup phase, which outputs public parameters containing an obfuscated circuit (only required for decryption), two encryption keys and a common reference string (used for encryption). This setup need only be run once, and the parameters can be used for arbitrary many encryptions. Our scheme can also be turned into a \emph{functional} WE scheme, where a message is encrypted w.r.t. a statement and a function $f$, and decryption with a witness $w$ yields $f(m,w)$.

Our construction is inspired by the functional encryption scheme by Garg et al. and we prove (selective) security assuming iO and statistically simulation-sound NIZK. We give a construction of the latter in bilinear groups and combining it with ElGamal encryption, our ciphertexts are of size $1.3$ kB at a 128-bit security level and can be computed on a smart card.

**Category / Keywords: **Witness Encryption, Indistinguishability Obfuscation, NIZK, Groth-Sahai Proofs.

**Original Publication**** (with minor differences): **ACNS 2016

**Date: **received 30 Aug 2015, last revised 5 Jan 2021

**Contact author: **hamza abusalah at tuwien ac at

**Available format(s): **PDF | BibTeX Citation

**Note: **The definition of SSS NIZK is revised such that it now has perfect soundness.

**Version: **20210105:194301 (All versions of this report)

**Short URL: **ia.cr/2015/838

[ Cryptology ePrint archive ]