Functional EncryptionFunctional encryption (FE) enables fine-grained access control of sensitive data. In an FE scheme, decryption keys are associated with functions. Decrypting an encryption of a message m using a secret key associated with a function f yields the function evaluation f(x), and nothing more about x. In this line of work, we explore the connections between different flavors of functional encryption and give new candidate constructions of functional encryption. A major theme of my recent work is on removing trust from advanced encryption schemes (i.e., realizing functional encryption without a central key-issuing authority). Registered ABE and Adaptively-Secure Broadcast Encryption from Succinct LWEJeffrey Champion, Yao-Ching Hsieh, and David J. Wu Abstract:
Registered attribute-based encryption (ABE) is a generalization of public-key encryption that enables fine-grained access control to encrypted data (like standard ABE), but without needing a central trusted authority. In a key-policy registered ABE scheme, users choose their own public and private keys and then register their public keys together with a decryption policy with an (untrusted) key curator. The key curator aggregates all of the individual public keys into a short master public key which serves as the public key for an ABE scheme. Currently, we can build registered ABE for restricted policies (e.g., Boolean formulas) from pairing-based assumptions and for general policies using witness encryption or indistinguishability obfuscation. In this work, we construct a key-policy registered ABE for general policies (specifically, bounded-depth Boolean circuits) from the \( \ell \)-succinct learning with errors (LWE) assumption in the random oracle model. The ciphertext size in our registered ABE scheme is \( \mathsf{poly}(\lambda, d) \), where \( \lambda \) is a security parameter and \( d \) is the depth of the circuit that computes the policy circuit \( C \). Notably, this is independent of the length of the attribute \( \mathbf{x} \) and is optimal up to the \( \mathsf{poly}(d) \) factor. Previously, the only lattice-based instantiation of registered ABE uses witness encryption, which relies on private-coin evasive LWE, a stronger assumption than \( \ell \)-succinct LWE. Moreover, the ciphertext size in previous registered ABE schemes that support general policies (i.e., from obfuscation or witness encryption) scales with \( \mathsf{poly}(\lambda, |\mathbf{x}|, |C|) \). The ciphertext size in our scheme depends only on the depth of the circuit (and not the length of the attribute or the size of the policy). This enables new applications to identity-based distributed broadcast encryption. Our techniques are also useful for constructing adaptively-secure (distributed) broadcast encryption, and we give the first scheme from the \( \ell \)-succinct LWE assumption in the random oracle model. Previously, the only lattice-based broadcast encryption scheme with adaptive security relied on witness encryption in the random oracle model. All other lattice-based broadcast encryption schemes only achieved selective security. Resources:
BibTeX:
@misc{CHW25, author = {Jeffrey Champion and Yao-Ching Hsieh and David J. Wu}, title = {Registered {ABE} and Adaptively-Secure Broadcast Encryption from Succinct {LWE}}, misc = {Full version available at \url{https://eprint.iacr.org/2025/044}}, year = {2025} } Distributed Broadcast Encryption from LatticesJeffrey Champion and David J. Wu Abstract:
A broadcast encryption scheme allows a user to encrypt a message to \( N \) recipients with a ciphertext whose size scales sublinearly with \( N \). While broadcast encryption enables succinct encrypted broadcasts, it also introduces a strong trust assumption and a single point of failure; namely, there is a central authority who generates the decryption keys for all users in the system. Distributed broadcast encryption offers an appealing alternative where there is a one-time (trusted) setup process that generates a set of public parameters. Thereafter, users can independently generate their own public keys and post them to a public-key directory. Moreover, anyone can broadcast an encrypted message to any subset of user public keys with a ciphertext whose size scales sublinearly with the size of the broadcast set. Unlike traditional broadcast encryption, there are no long-term secrets in distributed broadcast encryption and users can join the system at any time (by posting their public key to the public-key directory). Previously, distributed broadcast encryption schemes were known from standard pairing-based assumptions or from powerful tools like indistinguishability obfuscation or witness encryption. In this work, we provide the first distributed broadcast encryption scheme from a falsifiable lattice assumption. Specifically, we rely on the \( \ell \)-succinct learning with errors (LWE) assumption introduced by Wee (CRYPTO 2024). Previously, the only lattice-based candidate for distributed broadcast encryption goes through general-purpose witness encryption, which in turn is only known from the private-coin evasive LWE assumption, a strong and non-falsifiable lattice assumption. Along the way, we also describe a more direct construction of broadcast encryption from lattices that does not rely on any homomorphic evaluation machinery. Resources:
BibTeX:
@inproceedings{CW24, author = {Jeffrey Champion and David J. Wu}, title = {Distributed Broadcast Encryption from Lattices}, booktitle = {{TCC}}, year = {2024} } Reducing the CRS Size in Registered ABE SystemsRachit Garg, George Lu, Brent Waters, and David J. Wu Abstract:
Attribute-based encryption (ABE) is a generalization of public-key encryption that enables fine-grained access control to encrypted data. In (ciphertext-policy) ABE, a central trusted authority issues decryption keys for attributes \( x \) to users. In turn, ciphertexts are associated with a decryption policy \( \mathcal{P} \). Decryption succeeds and recovers the encrypted message whenever \( \mathcal{P}(x) = 1 \). Recently, Hohenberger, Lu, Waters, and Wu (Eurocrypt 2023) introduced the notion of registered ABE, which is an ABE scheme without a trusted central authority. Instead, users generate their own public/secret keys (just like in public-key encryption) and then register their keys (and attributes) with a key curator. The key curator is a transparent and untrusted entity. Currently, the best pairing-based registered ABE schemes support monotone Boolean formulas and an a priori bounded number of users \( L \). A major limitation of existing schemes is that they require a (structured) common reference string (CRS) of size \( L^2 \cdot |\mathcal{U}| \) where \( |\mathcal{U}| \) is the size of the attribute universe. In other words, the size of the CRS scales quadratically with the number of users and multiplicatively with the size of the attribute universe. The large CRS makes these schemes expensive in practice and limited to a small number of users and a small universe of attributes. In this work, we give two ways to reduce the CRS size in pairing-based registered ABE schemes. First, we introduce a combinatoric technique based on progression-free sets that enables registered ABE for the same class of policies but with a CRS whose size is sub-quadratic in the number of users. Asymptotically, we obtain a scheme where the CRS size is nearly linear in the number of users \( L \) (i.e., \( L^{1 + o(1)} \)). If we take a more concrete-efficiency-oriented focus, we can instantiate our framework to obtain a construction with a CRS of size \( L^{\log_2 3} \approx L^{1.6} \). For instance, in a scheme for 100,000 users, our approach reduces the CRS by a factor of over \( 115\times \) compared to previous approaches (and without incurring any overhead in encryption/decryption time). Our second approach for reducing the CRS size is to rely on a partitioning-based argument when arguing security of the registered ABE scheme. Previous approaches took a dual-system approach. Using a partitioning-based argument yields a registered ABE scheme where the size of the CRS is independent of the size of the attribute universe. The cost is the resulting scheme satisfies a weaker notion of static security. Our techniques for reducing the CRS size can be combined, and taken together, we obtain a pairing-based registered ABE scheme that supports monotone Boolean formulas with a CRS size of \( L^{1 + o(1)} \). Notably, this is the first pairing-based registered ABE scheme that does not require imposing a bound on the size of the attribute universe during setup time. As an additional application, we also show how to apply our techniques based on progression-free sets to the batch argument (BARG) for \( \mathsf{NP} \) scheme of Waters and Wu (Crypto 2022) to obtain a scheme with a nearly-linear CRS without needing to rely on non-black-box bootstrapping techniques. Resources:
BibTeX:
@inproceedings{GLWW24, author = {Rachit Garg and George Lu and Brent Waters and David J. Wu}, title = {Reducing the {CRS} Size in Registered {ABE} Systems}, booktitle = {{CRYPTO}}, year = {2024} } Realizing Flexible Broadcast Encryption: How to Broadcast to a Public-Key DirectoryRachit Garg, George Lu, Brent Waters, and David J. Wu Abstract:
Suppose a user wants to broadcast an encrypted message to \( K \) recipients. With public-key encryption, the sender would construct \( K \) different ciphertexts, one for each recipient. The size of the broadcasted message then scales linearly with \( K \). A natural question is whether the sender can encrypt the message with a ciphertext whose size scales sublinearly with the number of recipients. Broadcast encryption offers one solution to this problem, but at the cost of introducing a central trusted party who issues keys to different users (and correspondingly, has the ability to decrypt all ciphertexts). Recently, several works have introduced notions like distributed broadcast encryption and flexible broadcast encryption, which combine the decentralized, trustless model of traditional public-key encryption with the efficiency guarantees of broadcast encryption. In the specific case of a flexible broadcast encryption scheme, users generate their own public/private keys and can then post their public key in any public-key directory. Subsequently, a user can encrypt to an arbitrary set of user public keys with a ciphertext whose size scales polylogarithmically with the number of public keys in the broadcast set. A distributed broadcast encryption scheme is a more restrictive primitive where each public key is also associated with an index, and one can only encrypt to a set of public keys corresponding to different indices. In this work, we introduce a generic compiler that takes any distributed broadcast encryption scheme and produces a flexible broadcast encryption scheme. Moreover, whereas existing concretely-efficient constructions of distributed broadcast encryption have public keys whose size scales with the maximum number of users in the system, our resulting flexible broadcast encryption scheme has the appealing property that the size of each public key scales with the size of the maximum broadcast set. We provide an implementation of the flexible broadcast encryption scheme obtained by applying our compiler to the distributed broadcast encryption scheme of Kolonelos, Malavolta, and Wee (ASIACRYPT 2023). With our scheme, a sender can encrypt a 128-bit symmetric key to a set of over 1000 recipients (from a directory with a million users) with a 2 KB ciphertext. This is 16\( \times \) smaller than separately encrypting to each user using standard ElGamal encryption. The cost is that the user public keys in flexible broadcast encryption are much larger (50 KB) compared to standard ElGamal public keys (32 bytes). Compared to the similarly-instantiated distributed broadcast encryption scheme, we achieve a 32\( \times \) reduction in the user's public key size (50 KB vs. 1.6 MB) without changing the ciphertext size. Thus, flexible broadcast encryption provides an efficient way to encrypt messages to large groups of users at the cost of larger individual public keys (relative to vanilla public-key encryption). Resources:
BibTeX:
@inproceedings{GLWW23, author = {Rachit Garg and George Lu and Brent Waters and David J. Wu}, title = {Realizing Flexible Broadcast Encryption: How to Broadcast to a Public-Key Directory}, booktitle = {ACM Conference on Computer and Communications Security ({ACM} {CCS})}, year = {2023} } How to Use (Plain) Witness Encryption: Registered ABE, Flexible Broadcast, and MoreCody Freitag, Brent Waters, and David J. Wu Abstract:
Witness encryption is a generalization of public-key encryption where the public key can be any \( \mathsf{NP} \) statement \( x \) and the associated decryption key is any witness \( w \) for \( x \). While early constructions of witness encryption relied on multilinear maps and indistinguishability obfuscation (\( i\mathcal{O} \)), recent works have provided direct constructions of witness encryption that are more efficient than \( i\mathcal{O} \) (and also seem unlikely to yield \( i\mathcal{O} \)). Motivated by this progress, we revisit the possibility of using witness encryption to realize advanced cryptographic primitives previously known only in “obfustopia.” In this work, we give new constructions of trustless encryption systems from plain witness encryption (in conjunction with the learning-with-errors assumption): (1) flexible broadcast encryption (a broadcast encryption scheme where users choose their own secret keys and users can encrypt to an arbitrary set of public keys); and (2) registered attribute-based encryption (a system where users choose their own keys and then register their public key together with a set of attributes with a deterministic and transparent key curator). Both primitives were previously only known from \( i\mathcal{O} \). We also show how to use our techniques to obtain an optimal broadcast encryption scheme in the random oracle model. Underlying our constructions is a novel technique for using witness encryption based on a new primitive which we call function-binding hash functions. Whereas a somewhere statistically binding hash function statistically binds a digest to a few bits of the input, a function-binding hash function statistically binds a digest to the output of a function of the inputs. As we demonstrate in this work, function-binding hash functions provide us new ways to leverage the power of plain witness encryption and use it as the foundation of advanced cryptographic primitives. Finally, we show how to build function-binding hash functions for the class of disjunctions of block functions from leveled homomorphic encryption; this in combination with witness encryption yields our main results. Resources:
BibTeX:
@inproceedings{FWW23, author = {Cody Freitag and Brent Waters and David J. Wu}, title = {How to Use (Plain) Witness Encryption: Registered {ABE}, Flexible Broadcast, and More}, booktitle = {{CRYPTO}}, year = {2023} } Registered Attribute-Based EncryptionSusan Hohenberger, George Lu, Brent Waters, and David J. Wu Abstract:
Attribute-based encryption (ABE) generalizes public-key encryption and enables fine-grained control to encrypted data. However, ABE upends the traditional trust model of public-key encryption by requiring a single trusted authority to issue decryption keys. If an adversary compromises the central authority and exfiltrates its secret key, then the adversary can decrypt every ciphertext in the system. This work introduces registered ABE, a primitive that allows users to generate secret keys on their own and then register the associated public key with a “key curator” along with their attributes. The key curator aggregates the public keys from the different users into a single compact master public key. To decrypt, users occasionally need to obtain helper decryption keys from the key curator which they combine with their own secret keys. We require that the size of the aggregated public key, the helper decryption keys, the ciphertexts, as well as the encryption/decryption times to be polylogarithmic in the number of registered users. Moreover, the key curator is entirely transparent and maintains no secrets. Registered ABE generalizes the notion of registration-based encryption (RBE) introduced by Garg et al. (TCC 2018), who focused on the simpler setting of identity-based encryption. We construct a registered ABE scheme that supports an a priori bounded number of users and policies that can be described by a linear secret sharing scheme (e.g., monotone Boolean formulas) from assumptions on composite-order pairing groups. Our approach deviates sharply from previous techniques for constructing RBE and only makes black-box use of cryptography. All existing RBE constructions (a weaker notion than registered ABE) rely on heavy non-black-box techniques. The encryption and decryption costs of our construction are comparable to those of vanilla pairing-based ABE. Two limitations of our scheme are that it requires a structured reference string whose size scales quadratically with the number of users (and linearly with the size of the attribute universe) and the running time of registration scales linearly with the number of users. Finally, as a feasibility result, we construct a registered ABE scheme that supports general policies and an arbitrary number of users from indistinguishability obfuscation and somewhere statistically binding hash functions. Resources:
BibTeX:
@inproceedings{HLWW23, author = {Susan Hohenberger and George Lu and Brent Waters and David J. Wu}, title = {Registered Attribute-Based Encryption}, booktitle = {{EUROCRYPT}}, year = {2023} } Multi-Authority ABE from Lattices without Random OraclesBrent Waters, Hoeteck Wee, and David J. Wu Abstract:
Attribute-based encryption (ABE) extends public-key encryption to enable fine-grained control to encrypted data. However, this comes at the cost of needing a central trusted authority to issue decryption keys. A multi-authority ABE (MA-ABE) scheme decentralizes ABE and allows anyone to serve as an authority. Existing constructions of MA-ABE only achieve security in the random oracle model. In this work, we develop new techniques for constructing MA-ABE for the class of subset policies (which captures policies such as conjunctions and DNF formulas) whose security can be based in the plain model without random oracles. We achieve this by relying on the recently-proposed “evasive” learning with errors (LWE) assumption by Wee (EUROCRYPT 2022) and Tsabury (CRYPTO 2022). Along the way, we also provide a modular view of the MA-ABE scheme for DNF formulas by Datta et al. (EUROCRYPT 2021) in the random oracle model. We formalize this via a general version of a related-trapdoor LWE assumption by Brakerski and Vaikuntanathan (ITCS 2022), which can in turn be reduced to the plain LWE assumption. As a corollary, we also obtain an MA-ABE scheme for subset policies from plain LWE with a polynomial modulus-to-noise ratio in the random oracle model. This improves upon the Datta et al. construction which relied on LWE with a sub-exponential modulus-to-noise ratio. Moreover, we are optimistic that the generalized related-trapdoor LWE assumption will also be useful for analyzing the security of other lattice-based constructions. Resources:
BibTeX:
@inproceedings{WWW22, author = {Brent Waters and Hoeteck Wee and David J. Wu}, title = {Multi-Authority {ABE} from Lattices without Random Oracles}, booktitle = {{TCC}}, year = {2022} } Function-Hiding Inner Product Encryption is PracticalSam Kim, Kevin Lewi, Avradip Mandal, Hart Montgomery, Arnab Roy, and David J. Wu Abstract:
In a functional encryption scheme, secret keys are associated with functions and ciphertexts are associated with messages. Given a secret key for a function f and a ciphertext for a message x, a decryptor learns f(x) and nothing else about x. Inner product encryption is a special case of functional encryption where both secret keys and ciphertexts are associated with vectors. The combination of a secret key for a vector x and a ciphertext for a vector y reveal ⟨x,y⟩ and nothing more about y. An inner product encryption scheme is function-hiding if the keys and ciphertexts reveal no additional information about both x and y beyond their inner product. In the last few years, there has been a flurry of works on the construction of function-hiding inner product encryption, starting with the work of Bishop, Jain, and Kowalczyk (Asiacrypt 2015) to the more recent work of Tomida, Abe, and Okamoto (ISC 2016). In this work, we focus on the practical applications of this primitive. First, we show that the parameter sizes and the run-time complexity of the state-of-the-art construction can be further reduced by another factor of 2, though we compromise by proving security in the generic group model. We then show that function privacy enables a number of applications in biometric authentication, nearest-neighbor search on encrypted data, and single-key two-input functional encryption for functions over small message spaces. Finally, we evaluate the practicality of our encryption scheme by implementing our function-hiding inner product encryption scheme. Using our construction, encryption and decryption operations for vectors of length 50 complete in a tenth of a second in a standard desktop environment. Resources:
BibTeX:
@inproceedings{KLMMRW18, author = {Sam Kim and Kevin Lewi and Avradip Mandal and Hart Montgomery and Arnab Roy and David J. Wu}, title = {Function-Hiding Inner Product Encryption is Practical}, booktitle = {{SCN}}, year = {2018} } Access Control Encryption for General Policies from Standard AssumptionsSam Kim and David J. Wu Abstract:
Functional encryption enables fine-grained access to encrypted data. In many scenarios, however, it is important to control not only what users are allowed to read (as provided by traditional functional encryption), but also what users are allowed to send. Recently, Damgård et al. (TCC 2016) introduced a new cryptographic framework called access control encryption (ACE) for restricting information flow within a system in terms of both what users can read as well as what users can write. While a number of access control encryption schemes exist, they either rely on strong assumptions such as indistinguishability obfuscation or are restricted to simple families of access control policies. In this work, we give the first ACE scheme for arbitrary policies from standard assumptions. Our construction is generic and can be built from the combination of a digital signature scheme, a predicate encryption scheme, and a (single-key) functional encryption scheme that supports randomized functionalities. All of these primitives can be instantiated from standard assumptions in the plain model, and so, we obtain the first ACE scheme capable of supporting general policies from standard assumptions. One possible instantiation of our construction relies upon standard number-theoretic assumptions (namely, the DDH and RSA assumptions) and standard lattice assumptions (namely, LWE). Finally, we conclude by introducing several extensions to the ACE framework to support dynamic and more fine-grained access control policies. Resources:
BibTeX:
@inproceedings{KW17b, author = {Sam Kim and David J. Wu}, title = {Access Control Encryption for General Policies from Standard Assumptions}, booktitle = {{ASIACRYPT}}, year = {2017} } Functional Encryption: Deterministic to Randomized Functions from Simple AssumptionsShashank Agrawal and David J. Wu Abstract:
Functional encryption (FE) enables fine-grained control of sensitive data by allowing users to only compute certain functions for which they have a key. The vast majority of work in FE has focused on deterministic functions, but for several applications such as privacy-aware auditing, differentially-private data release, proxy re-encryption, and more, the functionality of interest is more naturally captured by a randomized function. Recently, Goyal et al. (TCC 2015) initiated a formal study of FE for randomized functionalities with security against malicious encrypters, and gave a selectively secure construction from indistinguishability obfuscation. To date, this is the only construction of FE for randomized functionalities in the public-key setting. This stands in stark contrast to FE for deterministic functions which has been realized from a variety of assumptions. Our key contribution in this work is a generic transformation that converts any general-purpose, public-key FE scheme for deterministic functionalities into one that supports randomized functionalities. Our transformation uses the underlying FE scheme in a black-box way and can be instantiated using very standard number-theoretic assumptions (for instance, the DDH and RSA assumptions suffice). When applied to existing FE constructions, we obtain several adaptively-secure, public-key functional encryption schemes for randomized functionalities with security against malicious encrypters from many different assumptions such as concrete assumptions on multilinear maps, indistinguishability obfuscation, and in the bounded-collusion setting, the existence of public-key encryption, together with standard number-theoretic assumptions. Additionally, we introduce a new, stronger definition for malicious security as the existing one falls short of capturing an important class of correlation attacks. In realizing this definition, our compiler combines ideas from disparate domains like related-key security for pseudorandom functions and deterministic encryption in a novel way. We believe that our techniques could be useful in expanding the scope of new variants of functional encryption (e.g., multi-input, hierarchical, and others) to support randomized functionalities. Resources:
BibTeX:
@inproceedings{AW17, author = {Shashank Agrawal and David J. Wu}, title = {Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions}, booktitle = {{EUROCRYPT}}, year = {2017} } |