International Association
for Cryptologic Research

Witness encryption was proposed by Garg, Gentry, Sahai, and Waters as

a means to encrypt to an instance, x, of an NP language and produce

a ciphertext. In such a system, any decryptor that knows of a witness w that

x is in the language can decrypt the ciphertext and learn the

message. In addition to proposing the concept, their work provided a candidate for a witness encryption scheme built using multilinear encodings. However, one

significant limitation of the work is that the candidate had no proof

of security (other than essentially assuming the scheme secure).

In this work we provide a proof framework for proving witness

encryption schemes secure under instance independent assumptions. At the

highest level we introduce the abstraction of positional witness

encryption which allows a proof reduction of a witness encryption

scheme via a sequence of 2^n hybrid experiments where n is the

witness length of the NP-statement. Each hybrid step proceeds by

looking at a single witness candidate and using the fact that it does not

satisfy the NP-relation to move the proof forward.

We show that this isolation strategy enables one to create a

witness encryption system that is provably secure from assumptions that

are (maximally) independent of any particular encryption instance.

We demonstrate the viability of our approach by implementing this strategy using

level n-linear encodings where n is the witness length. Our

complexity assumption has approximately n group elements,

but does not otherwise depend on the NP-instance x.