**Non-Trivial Witness Encryption and Null-iO from Standard Assumptions**

*Zvika Brakerski and Aayush Jain and Ilan Komargodski and Alain Passelegue and Daniel Wichs*

**Abstract: **A witness encryption (WE) scheme can take any NP statement as a public-key and use it to encrypt a message. If the statement is true then it is possible to decrypt the message given a corresponding witness, but if the statement is false then the message is computationally hidden. Ideally, the encryption procedure should run in polynomial time, but it is also meaningful to define a weaker notion, which we call non-trivially exponentially efficient WE (XWE), where the encryption run-time is only required to be much smaller than the trivial $2^{m}$ bound for NP relations with witness size $m$. We show how to construct such XWE schemes for all of NP with encryption run-time $2^{m/2}$ under the sub-exponential learning with errors (LWE) assumption. For NP relations that can be verified in NC1 (e.g., SAT) we can also construct such XWE schemes under the sub-exponential Decisional Bilinear Diffie-Hellman (DBDH) assumption. Although we find the result surprising, it follows via a very simple connection to attribute-based encryption.

We also show how to upgrade the above results to get non-trivially exponentially efficient indistinguishability obfuscation for null circuits (niO), which guarantees that the obfuscations of any two circuits that always output 0 are indistinguishable. In particular, under the LWE assumptions we get a XniO scheme where the obfuscation time is $2^{n/2}$ for all circuits with input size $n$. It is known that in the case of indistinguishability obfuscation (iO) for all circuits, non-trivially efficient XiO schemes imply fully efficient iO schemes (Lin et al., PKC '16) but it remains as a fascinating open problem whether any such connection exists for WE or niO.

Lastly, we explore a potential approach toward constructing fully efficient WE and niO schemes via multi-input ABE.

**Category / Keywords: **foundations / witness encryption, non-trivial efficiency, null-iO

**Date: **received 7 Sep 2017, last revised 26 May 2019

**Contact author: **komargodski at cornell edu

**Available format(s): **PDF | BibTeX Citation

**Version: **20190526:081547 (All versions of this report)

**Short URL: **ia.cr/2017/874

[ Cryptology ePrint archive ]