Witness Encryption and Null-IO from Evasive LWE

Abstract

Witness encryption (WE) allows us to use an arbitrary NP statement x as a public key to encrypt a message, and the witness w serves as a decryption key. Security ensures that, when the statement x is false, the encrypted message remains computationally hidden. WE appears to be significantly weaker than indistinguishability obfuscation (iO). Indeed, WE is closely related to a highly restricted form of iO that only guarantees security for null circuits (null iO). However, all current approaches towards constructing WE under nice assumptions go through iO. Such constructions are quite complex and are unlikely to lead to practically instantiable schemes. In this work, we revisit a very simple WE and null iO candidate of Chen, Vaikuntanathan and Wee (CRYPTO 2018). We show how to prove its security under a nice and easy-to-state assumption that we refer to as evasive LWE following Wee (EUROCRYPT 2022). Roughly speaking, the evasive LWE assumption says the following: assume we have some joint distributions over matrices \(\textbf{P}\), \(\textbf{S}\) and auxiliary information \(\textsf{aux}\) such that

$$({\textbf{S}\textbf{B}+ \textbf{E}},{\textbf{S}\textbf{P}+ \textbf{E}'}, \textsf{aux}) \approx _c ({\textbf{U}},{\textbf{U}'}, \textsf{aux}),$$

for a uniformly random (and secret) matrix \(\textbf{B}\), where \(\textbf{U}, \textbf{U}'\) are uniformly random matrices, and \(\textbf{E},\textbf{E}'\) are chosen from the LWE error distribution with appropriate parameters. Then it must also be the case that:

$$({\textbf{S}\textbf{B}+ \textbf{E}}, \textbf{B}^{-1}(\textbf{P}),\textsf{aux}) \approx _c (\textbf{U}, \textbf{B}^{-1}(\textbf{P}),\textsf{aux}).$$

Essentially the above says that given \({\textbf{S}\textbf{B}+ \textbf{E}}\), getting the additional component \(\textbf{B}^{-1}(\textbf{P})\) is no more useful than just getting the product \(({\textbf{S}\textbf{B}+ \textbf{E}})\cdot \textbf{B}^{-1}(\textbf{P}) \approx \textbf{S}\textbf{P}+ \textbf{E}'\).

A Comparison with [Tsa22]

An independent work of Tsabary [Tsa22] (also independent of [Wee22]) presents a new witness encryption scheme under a variant of evasive LWE. We describe some high-level differences between the two works:

• Tsabary [Tsa22] presents a new witness encryption scheme that uses read-many branching programs and does not consider null-IO. We prove security of existing candidate WE and null-IO schemes in CVW, where the former uses read-once (matrix) branching programs.

• The formulation of evasive LWE in [Tsa22] allows \((\textbf{P},\textsf{aux})\) to depend on \(\textbf{B}\), whereas ours and that in [Wee22] does not. In particular, our formulation of evasive LWE is more conservative.

• The analysis in [Tsa22] relies on a formulation of evasive LWE with polynomial hardness and oracle access to a possibly exponential number of matrices, whereas we crucially rely on evasive LWE with instances of exponential size \(2^h\) (which in turn requires a careful setting of parameters). In our security reduction, the adversary receives all possible partial evaluated products, whereas the adversary in [Tsa22] only has oracle access to these quantities. Note that in both analysis, the complexity of the adversary could double with each invocation of evasive LWE, so that we would necessarily need to consider adversaries running in time at least \(2^h\), for which there is no real distinction between receiving and oracle access to all possible partial products.