Non-trivial witness encryption and null-io from standard assumptions

A witness encryption (WE) scheme can take any NP statement as a public-key and use it to encrypt a message. If the statement is true then it is possible to decrypt the message given a corresponding witness, but if the statement is false then the message is computationally hidden. Ideally, the encryption procedure should run in polynomial time, but it is also meaningful to define a weaker notion, which we call non-trivially exponentially efficient WE (XWE), where the encryption run-time is only required to be much smaller than the trivial 2 ^m bound for NP relations with witness size m. We show how to construct such XWE schemes for all of NP with encryption run-time 2 ^{m / 2} under the sub-exponential learning with errors (LWE) assumption. For NP relations that can be verified in NC¹ (e.g., SAT) we can also construct such XWE schemes under the sub-exponential Decisional Bilinear Diffie-Hellman (DBDH) assumption. Although we find the result surprising, it follows via a very simple connection to attribute-based encryption. We also show how to upgrade the above results to get non-trivially exponentially efficient indistinguishability obfuscation for null circuits (niO), which guarantees that the obfuscations of any two circuits that always output 0 are indistinguishable. In particular, under the LWE assumptions we get a XniO scheme where the obfuscation time is 2 ^{n / 2} for all circuits with input size n. It is known that in the case of indistinguishability obfuscation (iO) for all circuits, non-trivially efficient XiO schemes imply fully efficient iO schemes (Lin et al., PKC ’16) but it remains as a fascinating open problem whether any such connection exists for WE or niO. Lastly, we explore a potential approach toward constructing fully efficient WE and niO schemes via multi-input ABE.