Practical Witness Encryption for Algebraic Languages And How to Reply an Unknown Whistleblower

Witness encryption (WE) is a recent and powerful encryption paradigm. It greatly extends the scope of encryption, as it allows one to encrypt a message using the description of a hard problem (a word in some language), and anyone who knows a solution to this problem (a witness) is able to decrypt. Recent work therefore focuses on constructing WE for NP-complete languages (and thus obtaining WE for any language in NP). While this is an interesting challenge, it is also the main source of inefficiency and requires non-standard assumptions related to multilinear maps and obfuscation. We ask whether it is possible to come up with practically efficient WE schemes that are still expressive enough to solve the following problem. Assume that an anonymous whistleblower, say Edwarda, wants to leak authoritative secrets in a way that convinces the public of their authenticity, but she wants to stay anonymous. Therefore, she signs the leaked document using a ring signature. Such a signature hides her identity unconditionally among other carefully selected people in an ad-hoc group and does not require their approval or assistance. But now the question arises as to how one can confidentially reply to such an unknown (anonymous) whistleblower. In this paper we answer this question and introduce practical constructions of WE that are expressive enough to elegantly resolve the seeming paradox sketched above. To this end, we restrict the class of supported languages from arbitrary NP languages to algebraic languages (defined over bilinear groups). In doing so, we obtain simple generic constructions that rely only on smooth projective hash functions and can be instantiated from standard assumptions. Based on our generic constructions, we then show how to encrypt a message with respect to a given ring signature. Thereby, we use only information from the given ring signature (which specifies an NP language) such that only the anonymous signer behind the ring signature can decrypt, as only she holds the respective witness. In particular, we provide efficient instantiations for any ring signature scheme obtained from EUF-CMA-secure signature schemes and witness-indistinguishable Groth-Sahai proofs.
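The generic idea the abstract describes, witness encryption built from a smooth projective hash function (SPHF), carried out on the Diffie-Hellman language L = {(g^r, h^r)} as an added illustration. This is example code written for this page, not the paper's construction or its bilinear-group instantiation; the group parameters P, Q, G, H are constructed toy values that are far too small to be secure.

```python
import hashlib
import secrets

# Toy public parameters (constructed for illustration only, not secure):
# P is a safe prime, Q = (P-1)/2, and G, H generate the order-Q subgroup of Z_P^*.
P = 1019
Q = 509
G = 4
H = pow(G, 7, P)  # second generator; in practice its discrete log w.r.t. G must be unknown

def word_from_witness(r):
    """Word (u, v) = (g^r, h^r) in the DDH language L; the witness is the exponent r."""
    return (pow(G, r, P), pow(H, r, P))

def _kdf(k):
    """Derive a 32-byte one-time pad from a group element (2-byte encoding since P < 2^16)."""
    return hashlib.sha256(k.to_bytes(2, "big")).digest()

def we_encrypt(word, msg):
    """Witness-encrypt msg (at most 32 bytes) to the word (u, v).
    The hashing key (k1, k2) is used once and discarded; the ciphertext carries only the
    projection key hp, so the encryptor does not need (and cannot learn) the witness."""
    if len(msg) > 32:
        raise ValueError("toy scheme pads at most 32 bytes")
    u, v = word
    k1, k2 = secrets.randbelow(Q), secrets.randbelow(Q)
    hp = pow(G, k1, P) * pow(H, k2, P) % P   # projection key: g^k1 * h^k2
    k = pow(u, k1, P) * pow(v, k2, P) % P    # Hash(hk, word): u^k1 * v^k2
    pad = _kdf(k)
    return hp, bytes(a ^ b for a, b in zip(msg, pad))

def we_decrypt(ct, witness):
    """Recompute the pad via ProjHash(hp, word, r) = hp^r = g^(k1 r) * h^(k2 r).
    This equals Hash(hk, word) exactly when word = (g^r, h^r) is in L; for words outside L
    (or a wrong witness) smoothness makes the derived key unrelated, so the output is garbage."""
    hp, c = ct
    k = pow(hp, witness, P)
    pad = _kdf(k)
    return bytes(a ^ b for a, b in zip(c, pad))
```

The same pattern is what lets a reply be addressed to a ring-signature word: whoever holds the witness behind the published word recovers the pad, and nobody else learns anything about the hashing key from hp alone.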
