Adaptive Witness Encryption and Asymmetric Password-Based Cryptography

We show by counter-example that the soundness security requirement for witness encryp-tion given by Garg, Gentry, Sahai and Waters (STOC 2013) does not suffice for the securityof their own applications. We introduce adaptively-sound (AS) witness encryption to fill thegap. We then introduce asymmetric password-based encryption (A-PBE). This offers gains overclassical, symmetric password-based encryption in the face of attacks that compromise serversto recover hashed passwords. We distinguish between invasive A-PBE schemes (they introducenew password-based key-derivation functions) and non-invasive ones (they can use existing, de-ployed password-based key-derivation functions). We give simple and efficient invasive A-PBEschemes and use AS-secure witness encryption to give non-invasive A-PBE schemes. 1 Department of Computer Science & Engineering, University of California San Diego, 9500 Gilman Drive, LaJolla, California 92093, USA. Email: [email protected]. URL: http://cseweb.ucsd.edu/~mihir/. Supported inpart by NSF grants CNS-1116800 and CNS-1228890.Department of Computer Science, University of Maryland, College Park, and Department of Computer Science,Georgetown University, 37th and O Streets, NW, Washington, DC 20057, USA. Email: [email protected]. URL:http://csiflabs.cs.ucdavis.edu/~tvhoang/. Supported in part by NSF award CNS-1223623. Part of the workwas done while Hoang was working at UCSD and supported in part by NSF grants CNS-1116800, and CNS-1228890.