Semi-Adaptively Secure Offline Witness Encryption from Puncturable Witness PRF

Abstract

In this work, we introduce the notion of puncturable witness pseudorandom function (pWPRF) which is a stronger variant of WPRF proposed by Zhandry, TCC 2016. The punctured technique is similar to what we have seen for puncturable PRFs and is capable of extending the applications of WPRF. Specifically, we construct a semi-adaptively secure offline witness encryption (OWE) scheme using a pWPRF, an indistinguishability obfuscation (\(i\mathcal {O}\)) and a symmetric-key encryption (SKE), which enables us to encrypt messages along with NP statements. We show that replacing \(i\mathcal {O}\) with extractability obfuscation, the OWE turns out to be an extractable offline witness encryption scheme. To gain finer control over data, we further demonstrate how to convert our OWEs into offline functional witness encryption (OFWE) and extractable OFWE. All of our OWEs and OFWEs produce an optimal size ciphertext, in particular, encryption of a message is as small as the size of the message plus the security parameter multiplied with a constant, which is optimal for any public-key encryption scheme. On the other hand, in any previous OWE, the size of a ciphertext increases polynomially with the size of messages. Finally, we show that the WPRF of Pal et al. (ACISP 2019) can be extended to a pWPRF and an extractable pWPRF.

A Formal Proof of Theorem 3

Proof

We prove the security using two games. We start with Game 0 which is the standard selective security experiment as in Definition 6. Let \(\mathsf {G_i}\) be the event \(b = b^{\prime }\) in each Game i.

: Game 1 is exactly same as the Game 0 except we replace the circuit \(C[\textsf {K}]\) with a new circuit \(C[\textsf {fk}_{x^*}, x^*]\) defined in Fig. 10, where \(\textsf {fk}_{x^*} \leftarrow \textsf {pPRF.PuncKey}(\textsf {K}, x^*)\). We show that the two circuits \(C[\textsf {K}]\) and \(C[\textsf {fk}_{x^*}, x^*]\) are functionally equivalent. For any arbitrary input \((\bar{x}, \bar{w})\) to the circuits, we see that if \(\bar{x} \ne x^*\), then both the circuits return the same value as \(\textsf {pPRF.Eval}(\textsf {K}, \bar{x}) = \textsf {pPRF.PuncEval}(\textsf {fk}_{x^*}, \bar{x})\). Otherwise, if \(\bar{x} = x^*\) then the circuit \(C[\textsf {K}]\) returns \(\perp \), because \(x^* \not \in L\) implies that \(R(\bar{x}, \bar{w}) = 0\) for all \(\bar{w} \in \mathcal {W}\), and the circuit \(C[\textsf {fk}_{x^*}, x^*]\) returns \(\perp \) because of the check in line 2 (Fig. 10). Thus, the indistinguishability property of \(i\mathcal {O}\) (Definition 12) guarantees that

$$|\text {Pr}[\mathsf {G}_0] - \text {Pr}[\mathsf {G}_1]| = \mathsf {Adv}_{\mathcal {D}}^{i\mathcal {O}}(\lambda )$$

where \(\mathcal {D}\) is a PPT distinguisher for \(i\mathcal {O}\).

Fig. 10.

Game 1

Suppose, the advantage of \(\mathcal {A}\) in Game 1 is non-negligible. Then we construct an adversary \(\mathcal {B}\) against the security of pPRF (Definition 2) with the same advantage as follow.

:

1. 1.

   send \(x^*\) to its challenger

2. 2.

   The pPRF-challenger does the following:

   1. (a)

      generate K \(\leftarrow \) pPRF.Gen(\(1^{\lambda }\))

   2. (b)

      compute \(\textsf {fk}_{x^*} \leftarrow \textsf {pPRF.PuncKey}(\textsf {K}, x^*)\)

   3. (c)

      set \(y_0 \leftarrow \textsf {pPRF.Eval}(\textsf {K}, x^*)\) and \(y_1 \leftarrow \mathcal {Y}\)

   4. (d)

      pick \(b \leftarrow \{0, 1\}\)

   5. (e)

      return (\(\textsf {fk}_{x^*}, y_{b}\)) to \(\mathcal {B}\)

3. 3.

   compute \(\widetilde{C} \leftarrow i\mathcal {O}(1^{\lambda }, C[\textsf {fk}_{x^*}, x^*])\) and set \(\mathsf {ek} = \widetilde{C}\)

4. 4.

   get \(b^{\prime } \leftarrow \mathcal {A}(\textsf {ek}, \textsf {fk}_{x^*}, y_b)\)

5. 5.

   return 1 if \(b = b^{\prime }\)

Note that \(\mathcal {B}\) perfectly simulates Game 1 for \(\mathcal {A}\). If \(\mathcal {A}\) can guess the bit b in Game 1 with a non-negligible advantage, then \(\mathcal {B}\) breaks the security of pPRF with the same advantage. From the security of pPRF, we have

$$|\text {Pr}[\mathsf {G}_1] - \frac{1}{2}| = \mathsf {Adv}_{\mathcal {B}}^{\textsf {pPRF}}(\lambda )$$

Finally, combining all the probabilities we conclude the proof.