Compared with witness encryption, offline witness encryption is more extensive in the practical applications because of its high-efficiency by transferring the hard computation work to a setup phase. However, most of the current offline witness encryption schemes only satisfy the selective security, that is, the adversary must commit a pair of challenge messages(m₀,m₁) and an instance x before obtaining the public parameters. Chvojka et al. proposed an offline witness encryption construction that achieves semi-adaptive security by introducing the puncturable encryption. The semi-adaptive security permits the adversary to choose challenge messages adaptively. However, the instance x of the considered NP language that is used to create the challenge ciphertext must be fixed before the adversary gets the public parameters (pp_e,pp_d). Therefore, they leave it as an open problem to construct offline witness encryption schemes with fully adaptive security.
In this paper, we firstly propose an offline witness encryption scheme that achieves the fully adaptive security. The setup algorithm outputs public parameters (pp_e,pp_d), wherepp_eused as encryption key contains two public keys, a common reference, a commitment, and the decryption keypp_dis an obfuscated circuit. This algorithm needs to be only run once, and the parameters can be used for arbitrary many encryptions. The encryption algorithm outputs a Naor-Yung’s ciphertext by using key encapsulation mechanism and non-interactive witness indistinguishable proofs system. We have solved the problem of outputting the challenge plaintext in advance during the proving process of selective security by selecting the encapsulation key in advance. In addition, our scheme can also be turned into a functional offline witness encryption scheme directly to realize the reuse of the decryption key for the function f by embedding f into the decryption key in the key generation phase.