Optimal-Rate Non-Committing Encryption in a CRS Model

Non-committing encryption (NCE) implements secure channels under adaptive corruptions in situations when data erasures are not trustworthy. In this paper we are interested in the rate of NCE, i.e. in how many bits the sender and receiver need to send per plaintext bit. In initial constructions (e.g. Canetti, Feige, Goldreich and Naor, STOC 96) the length of both the receiver message, namely the public key, and the sender message, namely the ciphertext, is m · poly(λ) for an m-bit message, where λ is the security parameter. Subsequent works improve efficiency significantly, achieving rate poly log(λ). We construct the first constant-rate NCE. In fact, our scheme has rate 1+ o(1), which is comparable to the rate of plain semantically secure encryption. Our scheme operates in the common reference string (CRS) model. Our CRS has size poly(m · λ), but it is reusable for an arbitrary polynomial number of m-bit messages. In addition, it is the first NCE protocol with perfect correctness. We assume one way functions and indistinguishability obfuscation for circuits. As an essential step in our construction, we develop a technique for dealing with adversaries that modify the inputs to the protocol adaptively depending on a public key or CRS that contains obfuscated programs, while assuming only standard (polynomial) hardness of the obfuscation mechanism. This technique may well be useful elsewhere. ∗This work was done [in part] while the authors were visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant #CNS-1523467. †Tel-Aviv University and Boston University. [email protected]. Supported in addition by the Check Point Institute for Information Security and NSF Algorithmic Foundations grant 1218461, NSF grant 1421102. ‡Boston University. [email protected]. Supported in addition by the Check Point Institute for Information Security and NSF Algorithmic Foundations grant 1218461, NSF grant 1421102. §SRI, Yale University. [email protected]. Supported by NSF grant 1421102