Skip to main content
SpringerLink
Log in

Practical witness encryption for algebraic languages or how to encrypt under Groth–Sahai proofs

  • Published:
Designs, Codes and Cryptography Aims and scope Submit manuscript

Abstract

Witness encryption (\(\mathsf{WE}\)) is a recent powerful encryption paradigm, which allows to encrypt a message using the description of a hard problem (a word in an \({\mathbf{NP}}\)-language) and someone who knows a solution to this problem (a witness) is able to efficiently decrypt the ciphertext. Recent work thereby focuses on constructing \(\mathsf{WE}\) for \({\mathbf{NP}}\) complete languages (and thus \({\mathbf{NP}}\)). While this rich expressiveness allows flexibility w.r.t. applications, it makes existing instantiations impractical. Thus, it is interesting to study practical variants of \(\mathsf{WE}\) schemes for subsets of \({\mathbf{NP}}\) that are still expressive enough for many cryptographic applications. We show that such \(\mathsf{WE}\) schemes can be generically constructed from smooth projective hash functions (\(\mathsf {SPHF}\)s). In terms of concrete instantiations of \(\mathsf {SPHF}\)s (and thus \(\mathsf{WE}\)), we target languages of statements proven in the popular Groth–Sahai (\(\mathsf {GS}\)) non-interactive witness-indistinguishable/zero-knowledge proof framework. This allows us to provide a novel way to encrypt. In particular, encryption is with respect to a \(\mathsf {GS}\) proof and efficient decryption can only be done by the respective prover. The so obtained constructions are entirely practical. To illustrate our techniques, we apply them in context of privacy-preserving exchange of information.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Scheme 1
Scheme 2
Scheme 3
Scheme 4

Similar content being viewed by others

Notes

  1. Even if such special-purpose obfuscation exists, this does not rule out that extractable \(\mathsf{WE}\) for a sufficiently large interesting subset of \({\mathbf{NP}}\) exists.

  2. We mention this direction for completeness and stress that we are only interested in non-interactive \(\mathsf{WE}\) schemes.

  3. Our approach is also easily portable to the SXDH setting (and thus relying on DDH instead of DLIN).

  4. Similar to [1] we additionally partition the language \(L_{\mathsf {pp}}\) with respect to some auxiliary information \(\mathsf {aux}\in \mathsf{A}\), where \(\mathsf A\) is determined by \(\mathsf {pp}\). Note that without this partitioning, words \(x \in L_{\mathsf {pp}}\) additionally contain \(\mathsf {aux}\), i.e., so that \(x = (\mathsf {aux}, x')\).

References

  1. Abdalla M., Chevalier C., Pointcheval D.: Smooth projective hashing for conditionally extractable commitments. In: Advances in Cryptology—CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16–20, 2009. Proceedings, pp. 671–689 (2009).

  2. Abdalla M., Benhamouda F., Pointcheval D.: Disjunctions for hash proof systems: new constructions and applications. In: Advances in Cryptology—EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26–30, 2015, Proceedings, Part II, pp. 69–100 (2015). https://doi.org/10.1007/978-3-662-46803-6_3.

    Google Scholar 

  3. Abusalah H., Fuchsbauer G., Pietrzak K.: Offline witness encryption. In: Applied Cryptography and Network Security—14th International Conference, ACNS 2016, Guildford, UK, June 19–22, 2016. Proceedings, pp. 285–303 (2016). https://doi.org/10.1007/978-3-319-39555-5_16.

    Google Scholar 

  4. Akinyele J.A., Garman C., Hohenberger S.: Automating fast and secure translations from type-I to type-III pairing schemes. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12–6, 2015, pp. 1370–1381 (2015)

  5. Bellare M., Hoang V.T.: Adaptive witness encryption and asymmetric password-based cryptography. IACR Cryptol. ePrint Arch. 2013, 704 (2013).

    MATH  Google Scholar 

  6. Bellare M., Fuchsbauer G.: Policy-based signatures. In: Public-Key Cryptography—PKC 2014—17th International Conference on Practice and Theory in Public-Key Cryptography, Buenos Aires, Argentina, March 26–28, 2014, Proceedings, pp. 520–537 (2014). https://doi.org/10.1007/978-3-642-54631-0_30.

    Chapter  Google Scholar 

  7. Bellare M., Hoang V.T.: Adaptive witness encryption and asymmetric password-based cryptography. In: Public-Key Cryptography—PKC 2015—18th IACR International Conference on Practice and Theory in Public-Key Cryptography, Gaithersburg, MD, USA, March 30–April 1, 2015, Proceedings, pp. 308–331 (2015).

  8. Benhamouda F., Blazy O., Chevalier C., Pointcheval D., Vergnaud D.: Efficient UC-secure authenticated key-exchange for algebraic languages. In: PKC. LNCS, vol. 7778, pp. 272–291. Springer (2013).

  9. Benhamouda F., Blazy O., Chevalier C., Pointcheval D., Vergnaud D.: New techniques for SPHFs and efficient one-round PAKE protocols. In: Advances in Cryptology—CRYPTO 2013—33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18–22, 2013, Proceedings, Part I, pp. 449–475 (2013).

  10. Blazy O., Chevalier C.: Structure-preserving smooth projective hashing. In: Advances in Cryptology—ASIACRYPT 2016—22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part II, pp. 339–369 (2016). https://doi.org/10.1007/978-3-662-53890-6_12.

    Chapter  Google Scholar 

  11. Boneh D., Franklin M.K.: Identity-based encryption from the weil pairing. In: Advances in Cryptology—CRYPTO 2001, 21st Annual International Cryptology Conference, pp. 213–229 (2001).

    Chapter  Google Scholar 

  12. Boneh D., Boyen X., Shacham H.: Short group signatures. In: Advances in Cryptology—CRYPTO 2004, 24th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 15–19, 2004, Proceedings, pp. 41–55 (2004).

  13. Canetti R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, 14–17 October 2001, Las Vegas, NV, USA, pp. 136–145 (2001).

  14. Chen Y., Zhang Z.: Publicly evaluable pseudorandom functions and their applications. In: Security and Cryptography for Networks—9th International Conference, SCN 2014, Amalfi, Italy, September 3–5, 2014, Proceedings, pp. 115–134 (2014). https://doi.org/10.1007/978-3-319-10879-7_8.

    Google Scholar 

  15. Chevalier C., Fouque P., Pointcheval D., Zimmer S.: Optimal randomness extraction from a Diffie-Hellman element. In: Advances in Cryptology—EUROCRYPT 2009, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, April 26–30, 2009, Proceedings, pp. 572–589 (2009).

  16. Cramer R., Shoup V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Advances in Cryptology—CRYPTO ’98, 18th Annual International Cryptology Conference, Santa Barbara, California, USA, August 23–27, 1998, Proceedings, pp. 13–25 (1998).

  17. Cramer R., Shoup V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Advances in Cryptology—EUROCRYPT 2002, International Conference on the Theory and Applications of Cryptographic Techniques, Amsterdam, The Netherlands, April 28–May 2, 2002, Proceedings, pp. 45–64 (2002).

  18. Crescenzo G.D., Ostrovsky R., Rajagopalan S.: Conditional oblivious transfer and timed-release encryption. In: Advances in Cryptology—EUROCRYPT ’99, International Conference on the Theory and Application of Cryptographic Techniques, Prague, Czech Republic, May 2–6, 1999, Proceeding, pp. 74–89 (1999).

  19. Escala A., Herold G., Kiltz E., Ràfols C., Villar J.L.: An algebraic framework for Diffie-Hellman assumptions. In: Advances in Cryptology—CRYPTO 2013—33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18–22, 2013, Proceedings, Part II, pp. 129–147 (2013). https://doi.org/10.1007/978-3-642-40084-1_8.

    Chapter  Google Scholar 

  20. Faonio A., Nielsen J.B., Venturi D.: Predictable arguments of knowledge. In: Public-Key Cryptography—PKC 2017—20th IACR International Conference on Practice and Theory in Public-Key Cryptography, Amsterdam, The Netherlands, March 28–31, 2017, Proceedings, Part I, pp. 121–150 (2017). https://doi.org/10.1007/978-3-662-54365-8_6.

    Google Scholar 

  21. Garg S., Gentry C., Halevi S., Raykova M., Sahai A., Waters B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, 26–29 October, 2013, Berkeley, CA, USA, pp. 40–49 (2013).

  22. Garg S., Gentry C., Sahai A., Waters B.: Witness encryption and its applications. In: Symposium on Theory of Computing Conference, STOC’13, Palo Alto, CA, USA, June 1–4, 2013, pp. 467–476 (2013).

  23. Garg S., Gentry C., Halevi S., Wichs D.: On the implausibility of differing-inputs obfuscation and extractable witness encryption with auxiliary input. In: Advances in Cryptology—CRYPTO 2014—34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 2014, Proceedings, Part I, pp. 518–535 (2014).

  24. Gennaro R., Lindell Y.: A framework for password-based authenticated key exchange 1. ACM Trans. Inf. Syst. Secur. 9(2), 181–234 (2006). https://doi.org/10.1145/1151414.1151418.

    Article  Google Scholar 

  25. Gentry C., Lewko A.B., Waters B.: Witness encryption from instance independent assumptions. In: Advances in Cryptology—CRYPTO 2014—34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 2014, Proceedings, Part I, pp. 426–443 (2014).

  26. Goldwasser S., Micali S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984).

    Article  MathSciNet  Google Scholar 

  27. Goldwasser S., Kalai Y.T., Popa R.A., Vaikuntanathan V., Zeldovich N.: How to run turing machines on encrypted data. In: Advances in Cryptology—CRYPTO 2013—33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18–22, 2013. Proceedings, Part II, pp. 536–553 (2013).

  28. Groth J., Sahai A.: Efficient non-interactive proof systems for bilinear groups. Cryptology ePrint Arch., Report 2007/155 (2007).

  29. Groth J., Sahai A.: Efficient non-interactive proof systems for bilinear groups. In: Advances in Cryptology—EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 415–432 (2008).

  30. Håstad J., Impagliazzo R., Levin L.A., Luby M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999).

    Article  MathSciNet  Google Scholar 

  31. Jager T.: How to build time-lock encryption. IACR Cryptol. ePrint Arch. 2015, 478 (2015).

    Google Scholar 

  32. Jarecki S.: Practical covert authentication. In: Public-Key Cryptography—PKC 2014—17th International Conference on Practice and Theory in Public-Key Cryptography, Buenos Aires, Argentina, March 26–28, 2014, Proceedings, pp. 611–629 (2014).

  33. Jarecki S., Liu X.: Private mutual authentication and conditional oblivious transfer. In: Advances in Cryptology—CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16–20, 2009, Proceedings, pp. 90–107 (2009).

  34. Katz J., Lindell Y.: Introduction to modern cryptography. Chapman and Hall/CRC Press, Boca Raton (2007).

    Book  Google Scholar 

  35. Katz J., Vaikuntanathan V.: Round-optimal password-based authenticated key exchange. In: Theory of Cryptography—8th Theory of Cryptography Conference, TCC 2011, Providence, RI, USA, March 28–30, 2011, Proceedings, pp. 293–310 (2011).

  36. Kiayias A., Tsiounis Y., Yung M.: Group encryption. In: Advances in Cryptology—ASIACRYPT 2007, 13th International Conference on the Theory and Application of Cryptology and Information Security, pp. 181–199 (2007).

  37. Kiltz E., Pietrzak K., Stam M., Yung M.: A new randomness extraction paradigm for hybrid encryption. In: Advances in Cryptology—EUROCRYPT 2009, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 590–609 (2009).

    Chapter  Google Scholar 

  38. Kurosawa K., Desmedt Y.: A new paradigm of hybrid encryption scheme. In: Advances in Cryptology—CRYPTO 2004, 24th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15–19, 2004, Proceedings, pp. 426–442 (2004).

  39. Liu J., Kakvi S.A., Warinschi B.: Extractable witness encryption and timed-release encryption from bitcoin. IACR Cryptol. ePrint Arch. 482, 2016 (2015).

    Google Scholar 

  40. Rivest R.L., Shamir A., Wagner D.A.: Time-Lock Puzzles and Timed-Release Crypto. Technical Report. Massachusetts Institute of Technology, Cambridge (1996).

    Google Scholar 

  41. Sahai A., Waters B.: Fuzzy identity-based encryption. In: Advances in Cryptology—EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 457–473 (2005).

    Google Scholar 

  42. Wee H.: Efficient chosen-ciphertext security via extractable hash proofs. In: Advances in Cryptology—CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15–19, 2010, Proceedings, pp. 314–332 (2010).

  43. Zhandry, M.: How to avoid obfuscation using witness PRFs. In: Theory of Cryptography—13th International Conference, TCC 2016-A, LNCS, vol. 9563, pp. 421–448. Springer (2016). https://doi.org/10.1007/978-3-662-49099-0_16.

    Google Scholar 

Download references

Acknowledgements

The authors have been supported by EU H2020 Project Prismacloud, Grant Agreement No. 644962. We thank various anonymous referees for their valuable comments.

Author information

Authors and Affiliations

  1. IAIK, Graz University of Technology, Graz, Austria

    David Derler

  2. AIT Austrian Institute of Technology, Vienna, Austria

    Daniel Slamanig

Authors
  1. David Derler
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Daniel Slamanig
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Daniel Slamanig.

Additional information

Communicated by M. Albrecht.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Derler, D., Slamanig, D. Practical witness encryption for algebraic languages or how to encrypt under Groth–Sahai proofs. Des. Codes Cryptogr. 86, 2525–2547 (2018). https://doi.org/10.1007/s10623-018-0460-y

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10623-018-0460-y

Keywords

Mathematics Subject Classification

Search

Navigation