Paper 2023/812

How to Use (Plain) Witness Encryption: Registered ABE, Flexible Broadcast, and More

Cody Freitag, Boston University
Brent Waters, UT Austin, NTT Research
David J. Wu, UT Austin
Abstract

Witness encryption is a generalization of public-key encryption where the public key can be any NP statement x and the associated decryption key is any witness w for x. While early constructions of witness encryption relied on multilinear maps and indistinguishability obfuscation (iO), recent works have provided direct constructions of witness encryption that are more efficient than iO (and also seem unlikely to yield iO). Motivated by this progress, we revisit the possibility of using witness encryption to realize advanced cryptographic primitives previously known only in "obfustopia." In this work, we give new constructions of trustless encryption systems from plain witness encryption (in conjunction with the learning-with-errors assumption): (1) flexible broadcast encryption (a broadcast encryption scheme where users choose their own secret keys and users can encrypt to an arbitrary set of public keys); and (2) registered attribute-based encryption (a system where users choose their own keys and then register their public key together with a set of attributes with a deterministic and transparent key curator). Both primitives were previously only known from iO. We also show how to use our techniques to obtain an optimal broadcast encryption scheme in the random oracle model. Underlying our constructions is a novel technique for using witness encryption based on a new primitive which we call function-binding hash functions. Whereas a somewhere statistically binding hash function statistically binds a digest to a few bits of the input, a function-binding hash function statistically binds a digest to the output of a function of the inputs. As we demonstrate in this work, function-binding hash functions provide us new ways to leverage the power of plain witness encryption and use it as the foundation of advanced cryptographic primitives. Finally, we show how to build function-binding hash functions for the class of disjunctions of block functions from leveled homomorphic encryption; this in combination with witness encryption yields our main results.

Note: Added comparison of hash function definitions with concurrent work.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in CRYPTO 2023
Keywords
Witness EncryptionBroadcast EncryptionAttribute-Based Encryption
Contact author(s)
freitag @ bu edu
bwaters @ cs utexas edu
dwu4 @ cs utexas edu
History
2023-07-21: last of 2 revisions
2023-06-02: received
See all versions
Short URL
https://ia.cr/2023/812
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2023/812,
      author = {Cody Freitag and Brent Waters and David J. Wu},
      title = {How to Use (Plain) Witness Encryption: Registered ABE, Flexible Broadcast, and More},
      howpublished = {Cryptology ePrint Archive, Paper 2023/812},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/812}},
      url = {https://eprint.iacr.org/2023/812}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.