Practical Witness Encryption for Algebraic Languages And How to Reply an Unknown Whistleblower

Witness encryption (WE) is a recent powerful encryption paradigm. It greatly extends the scope of encryption as it allows to encrypt a message using the description of a hard problem (a word in some language) and someone who knows a solution to this problem (a witness) is able to decrypt. Recent work thereby focuses on constructing WE for NP-complete languages (and thus obtaining WE for any language in NP). While this is an interesting challenge, it is also the main source for inefficiency and requires non-standard assumptions related to multilinear maps and obfuscation. We ask whether it is possible to come up with practically efficient WE schemes, which are still expressive enough to provide a solution to the following problem. Assume that an anonymous whistleblower, say Edwarda, wants to leak authoritative secrets in a way that the public will be convinced of its authenticity, but she wants to stay anonymous. Therefore, she signs the leaked document using a ring signature. Such a signature hides her identity unconditionally among other carefully selected people in an ad-hoc group and does not require getting their approval or assistance. But now the question arises as how to confidentially reply to such an unknown (anonymous) whistleblower. In this paper we answer this question and introduce practical constructions of WE that are expressive enough to elegantly solve the seeming paradox sketched above. To this end, we restrict the class of supported languages from any NP-language to algebraic languages (defined over bilinear groups). In doing so, we obtain simple generic constructions, which only rely on smooth projective hash functions and can be instantiated from standard assumptions. Based on our generic constructions, we then show how to encrypt a message with respect to a given ring signature. Thereby, we only use information from a given ring signature (specifying an NP-language) such that only the anonymous signer behind the ring signature can decrypt (as only she holds the respective witness). In particular, we provide efficient instantiations for any ring signature scheme obtained from EUF-CMA-secure signature schemes and witness-indistinguishable Groth-Sahai proofs.