
14 November 2022 - Matteo Campanelli





How to Play with Witness Encryption without the Theoretical Hassle



Witness encryption (WE) allows one to encrypt a message to a statement for some NP language, such that any user holding a witness for it can decrypt the ciphertext. If we could construct this primitive, we would be able to do without certificate authorities and could also use it as an extremely versatile building block in other cryptographic applications.

Unfortunately, from a theoretical standpoint, it is still unclear whether we will be able to instantiate a general-purpose witness encryption scheme from reliable assumptions anytime soon.

In this talk we tackle the questions:

What are other weak-but-useful variants of WE that we can actually construct? And what efficiency properties would we require from them?

We discuss some recent works in this direction and their applications, in particular on forms of non-interactive (and reusable) MPC (Ben and Lin, TCC20), where parties can securely compute a function by broadcasting a single message, assuming only an encoding of their input exists on a bulletin board.

This talk is partly a presentation of the recent work



Matteo Campanelli is a research scientist at Protocol Labs. His main focus is on efficient zero-knowledge proof systems. He had previously been a post-doctoral researcher at Aarhus University (2020-2021) and at the IMDEA Software Institute in Madrid (2018-2020). He studied for his doctorate at the City University of New York (CUNY) where he worked with Rosario Gennaro.