candidate multilinear maps
DESCRIPTION
Candidate Multilinear Maps. Sanjam Garg (IBM) Based on joint works with Craig Gentry (IBM) and Shai Halevi (IBM). Outline. Bilinear Maps: Recall Intuitively: Multilinear Maps Our Results and Applications Definitions of Multi-linear Maps Classical Notion Our Notion Our Construction - PowerPoint PPT PresentationTRANSCRIPT
Candidate Multilinear Maps
Sanjam Garg (IBM)Based on joint works with
Craig Gentry (IBM) and Shai Halevi (IBM)
Outline Bilinear Maps: Recall
Intuitively: Multilinear Maps Our Results and Applications
Definitions of Multi-linear Maps Classical Notion Our Notion
Our Construction Security
Cryptographic Bilinear Maps(Weil and Tate Pairings)Recalling Bilinear Maps and its Applications: Motivating Multilinear Maps
Cryptographic Bilinear Maps Bilinear maps are extremely useful in cryptography
lots of applications [Joux00, BF01]
As the name suggests allow pairing two things together
Bilinear Maps – Definitions Cryptographic bilinear map
Groups and of order with generators and a bilinear map such that
Instantiation: Weil or Tate pairings over elliptic curves.
Given hard to get
DDH is easyGiven
Bilinear Maps: ``Hard” Problem Bilinear Diffie-Hellman: Givenhard to distinguish from Random
Multilinear Maps [BS03] generalize this concept.
Our Multilinear Maps constructions of multi-
linear maps Many exciting application
Candidate approximateConstructions of multi-linear maps
Non-Interactive Key Agreement [DH76]
𝑃 𝐾𝑎 𝑃 𝐾𝑏
Alice Bob
𝐾 𝑎 ,𝑏
Extended to three parties by [Joux00] Mmaps would give solution for more than 3-
parties. [BS03]
Application 1
Non-Interactive Key Agreement [DH76]
Easy Application: Tri-partite key agreement [Joux00]: Alice, Bob, Carol generate and broadcast . They each separately compute the key
More than 3-parties – easy application. [GGH13]
𝑎 𝑏
𝑔1𝑎 𝑔1
𝑏
𝐾=𝑔1𝑎𝑏
Application 1
10
Software Obfuscation
O(P)
P
• Obfuscation aims to make computer programs “unintelligible” while preserving their functionality.
Alice Bob
Application 2
Indistinguishability Obfuscation [BGIRSVY01, GR07, GGHRSW13]
Obfuscator
𝑂 (𝐶 )𝐶
Security : Can’t tell if = or As long as and
Might seem useless: but actually is very useful…
Application 2
Obfuscation + Mmaps Applications Witness Encryption Attribute Based Encryption [GGHSW13] Functional Encryption [GGHRSW13, GJKS13, GGJS13, ABGSZ13,…] Round Optimal Multiparty Secure computation [GGHR14] Deniable Encryption [SW13] Removing random oracles [HSW13a, FHPS13, HSW13b] Broadcast Encryption and Traitor-Tracing [GGHRSW13, BZ13, ABGSZ13] Impossibility results [BCPR13a,BP13,GK13,BCPR13b,KRW13,MO13,…] Functional Witness Encryption [BCP13] Mmaps optimizations and extensions [CLT13,GGH13b,…] Obfuscation optimizations and extensions [BCP13, ABGSZ13, BR13,
BGKPS13, PTS13,…] Pick your favorite primitive in cryptography
Can it be improved?
Outline Bilinear Maps: Recall
And Multilinear maps Our Results and Applications
Definitions of Multi-linear Maps Classical Notion Our Notion
Our Construction Security
Cryptographic Multi-linear MapsDefinitions: Classical notion and our Approximate variant
Multilinear Maps: Classical Notion Cryptographic n-multilinear map (for groups)
Groups of order with generators Family of maps:
, where
.
And at least the ``discrete log” problems in each is ``hard’’. And hopefully the generalization of Bilinear DH
Getting to our Notion
Our visualization
of (traditional)
Bilinear Maps
Step by step I will make changes to get our notion of
Bilinear Maps
At each step provide
Extension to Multi-linear
Maps
Bilinear Maps: Our visualization𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
Bilinear Maps: Our visualization Sampling𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
It was easy to sample uniformly from .
Bilinear Maps: Our visualizationEquality Checking
𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
Trivial to check if two terms are the same.
Bilinear Maps: Our visualizationAddition𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑔13
Bilinear Maps: Our visualizationMultiplication𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
Bilinear Maps: Sets(Our Notion)
𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
Level-0 encodings
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of
”.
Bilinear Maps: Sampling(Our Notion)𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
It was easy to sample uniformly from .
I should be efficient to sample such that for a uIt may not be uniform in or .
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of
”. Sampling: Output for a u
Bilinear Maps: Equality Checking(Our Notion)
𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
It was trivial to check if two terms are the same.
Check if two values come from the same set.
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of
”. Sampling: Output for a random Equality testing(): Output iff such that
Bilinear Maps: Addition(Our Notion)
𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
𝑔13 𝑆1
3
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of
”. Sampling: Output for a random Equality testing(): Output iff such that Addition/Subtraction: There are ops and such
that:
We have and
Bilinear Maps: Multiplication(Our Notion)𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of
”. Sampling: Output for a random Equality testing(): Output iff such that Addition/Subtraction: There are ops and such
that: Multiplication: There is an op such that:
such that We have .
Bilinear Maps: Noisy(Our Notion)
𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
All operations are required to work as long as ``noise’’ level remains small.
Multilinear Maps: Our Notion
Discrete Log: Given level- encoding of , hard to compute level-- encoding of .
n-Multilinear DDH: Given level- encodings of and a level-n encoding T distinguish whether T encodes or not.
Outline Bilinear Maps: Recall
And Multilinear maps Our Results and Applications
Definitions of Multi-linear Maps Classical Notion Our Notion
Our Construction Security
(Kind of like NTRU-Based FHE, but with Equality Testing)
``Noisy” Multilinear Maps
Background We work in polynomial ring
E.g., ( is a power of two)
Such is irreducible over
,
Our Construction We work in polynomial ring
E.g., ( is a power of two) Also use
Public parameters hide a small and a random invertible (large)
Let be the ideal generated by g, also has lattice structure
is required to be Small and invertible in should be a large prime is not too large
The ``scalars” that we encode are cosets of (i.e., elements in the quotient ring )
Our Construction
𝑆01
𝑆02
𝑆0𝑝
𝑆0❑
⋮
𝑆11
𝑆12
𝑆1𝑝
𝑆1❑
⋮
𝑆21
𝑆22
𝑆2𝑝
𝑆2❑
⋮
1+𝐼2+𝐼
𝐼
Small defines a principal ideal over
A random (large)
[ 𝑐𝑧 ]𝑞
𝑐
[ 𝑐𝑧 2 ]𝑞
+ and ×
should have small coefficients
If , are both short then, has the form ,
where is still short and
If , are both short then,has the form ,
where is still short and Multiplication
Addition
Our Construction (in general)
In general, ``level-k encoding” of a coset has the form for a short
Addition: Add encodings as long as ||
Multi-linear: Multiply encodings to get an encoding of the product at level as long as
``Somewhat homomorphic” encoding
Sampling and equality check?
Bilinear Maps: Sampling(Our Notion)𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
It was easy to sample uniformly from .
I should be efficient to sample such that for a uIt may not be uniform in or .
Sampling Sampling: Sample small , but larger than then
encodes a random coset. Why should this work? -- vector with tiny coefficients
Encoding this random coset
Publish an encoding of 1:
Sampling: If (wide enough), then encodes a random coset.
Don’t know how to encode specific elements
Given this short , set is a valid level- encoding of the coset
Translating from level to :
Equality Checking Do encode the same coset?
Suffices to check - encodes . Publish a (level-k) zero-testing param
h is ``somewhat short” (e.g. of size ) To test, if encodes , compute
= = (output yes if )
Equality Checking – Correctness I
Do encode the same coset? Suffices to check - encodes .
Publish a (level-k) zero-testing param
h is ``somewhat short” (e.g. of size ) To test, if encodes , compute
= = (output yes if ) Correctness: if (or, ) Problem: may not be small Solution: is small, is same as in
Equality Checking – Correctness II
Do encode the same coset? Suffices to check - encodes .
Publish a (level-k) zero-testing param
h is ``somewhat short” (e.g. of size ) To test, if encodes , compute
= = (output yes if ) Correctness: if Assume then both and are Hence in Implies divides or .
Re-randomizaton𝑆0
𝑠 𝑆0𝑡 𝑆0
𝑠𝑡 𝑆0𝑟
𝑐𝑠𝑐𝑡𝑐𝑠𝑡𝑐𝑟
And But then
We need to re-randomize the encoding, to break these simple algebraic relations
𝑢𝑠𝑢𝑡𝑢𝑠𝑡𝑢𝑟
𝑆1𝑠𝑡
𝑆1❑
𝑥0𝑥0′ 𝑥0
′ ′⋯⋯⋯
Need to re-randomize
this as well.
This re-randomization gets us statistically close to the actual distribution [AGHS12,AR13].
𝑆10
The Complete Encoding Scheme
Parameters: , , and Encode a random element:
S
Re-randomize u (at level 1):
Zero Test: Map to level(by multiplying by for appropriate j) Check if is small
Re-randomization not needed for applications like
obfuscation.
Variants Asymmetric variants (many zi’s), XDH analog , , Partially symmetric and partially asymmetric
Security: Cryptanalysis
Attacks, , and Goal: To find or Covering the basics (Not ``Trivially’’ broken)
Adversary that only (iteratively) adds, subtracts, multiplies, or divides pairs of elements that it has already computed cannot break the scheme
Similar in spirit to Generic Group model Without the - essentially the NTRU problem
Summary Presented ``noisy” cryptographic multilinear map. Construction is similar to NTRU-based
homomorphic encryption, but with an equality-testing parameter.
Security is based on somewhat stronger computational assumptions than NTRU.
But more cryptanalysis needs to be done!
??Thank You! Questions?