Paper 2023/812
How to Use (Plain) Witness Encryption: Registered ABE, Flexible Broadcast, and More
Abstract
Witness encryption is a generalization of public-key encryption where the public key can be any NP statement x and the associated decryption key is any witness w for x. While early constructions of witness encryption relied on multilinear maps and indistinguishability obfuscation (iO), recent works have provided direct constructions of witness encryption that are more efficient than iO (and also seem unlikely to yield iO). Motivated by this progress, we revisit the possibility of using witness encryption to realize advanced cryptographic primitives previously known only in "obfustopia." In this work, we give new constructions of trustless encryption systems from plain witness encryption (in conjunction with the learning-with-errors assumption): (1) flexible broadcast encryption (a broadcast encryption scheme where users choose their own secret keys and users can encrypt to an arbitrary set of public keys); and (2) registered attribute-based encryption (a system where users choose their own keys and then register their public key together with a set of attributes with a deterministic and transparent key curator). Both primitives were previously only known from iO. We also show how to use our techniques to obtain an optimal broadcast encryption scheme in the random oracle model. Underlying our constructions is a novel technique for using witness encryption based on a new primitive which we call function-binding hash functions. Whereas a somewhere statistically binding hash function statistically binds a digest to a few bits of the input, a function-binding hash function statistically binds a digest to the output of a function of the inputs. As we demonstrate in this work, function-binding hash functions provide us new ways to leverage the power of plain witness encryption and use it as the foundation of advanced cryptographic primitives. 
Finally, we show how to build function-binding hash functions for the class of disjunctions of block functions from leveled homomorphic encryption; this in combination with witness encryption yields our main results.
Note: Added comparison of hash function definitions with concurrent work.
Metadata
- Category: Cryptographic protocols
- Publication info: A major revision of an IACR publication in CRYPTO 2023
- Keywords: Witness Encryption, Broadcast Encryption, Attribute-Based Encryption
- Contact author(s): freitag @ bu edu, bwaters @ cs utexas edu, dwu4 @ cs utexas edu
- History:
  - 2023-07-21: last of 2 revisions
  - 2023-06-02: received
- Short URL: https://ia.cr/2023/812
- License: CC BY
BibTeX
@misc{cryptoeprint:2023/812,
  author = {Cody Freitag and Brent Waters and David J. Wu},
  title = {How to Use (Plain) Witness Encryption: Registered {ABE}, Flexible Broadcast, and More},
  howpublished = {Cryptology {ePrint} Archive, Paper 2023/812},
  year = {2023},
  url = {https://eprint.iacr.org/2023/812}
}