Download - Candidate Multilinear Maps
Candidate Multilinear Maps
Sanjam Garg (IBM)Based on joint works with
Craig Gentry (IBM) and Shai Halevi (IBM)
Outline Bilinear Maps: Recall
Intuitively: Multilinear Maps Our Results and Applications
Definitions of Multi-linear Maps Classical Notion Our Notion
Our Construction Security
Cryptographic Bilinear Maps(Weil and Tate Pairings)Recalling Bilinear Maps and its Applications: Motivating Multilinear Maps
Cryptographic Bilinear Maps Bilinear maps are extremely useful in cryptography
lots of applications [Joux00, BF01]
As the name suggests allow pairing two things together
Bilinear Maps โ Definitions Cryptographic bilinear map
Groups and of order with generators and a bilinear map such that
Instantiation: Weil or Tate pairings over elliptic curves.
Given hard to get
DDH is easyGiven
Bilinear Maps: ``Hardโ Problem Bilinear Diffie-Hellman: Givenhard to distinguish from Random
Multilinear Maps [BS03] generalize this concept.
Our Multilinear Maps constructions of multi-
linear maps Many exciting application
Candidate approximateConstructions of multi-linear maps
Non-Interactive Key Agreement [DH76]
๐ ๐พ๐ ๐ ๐พ๐
Alice Bob
๐พ ๐ ,๐
Extended to three parties by [Joux00] Mmaps would give solution for more than 3-
parties. [BS03]
Application 1
Non-Interactive Key Agreement [DH76]
Easy Application: Tri-partite key agreement [Joux00]: Alice, Bob, Carol generate and broadcast . They each separately compute the key
More than 3-parties โ easy application. [GGH13]
๐ ๐
๐1๐ ๐1
๐
๐พ=๐1๐๐
Application 1
10
Software Obfuscation
O(P)
P
โข Obfuscation aims to make computer programs โunintelligibleโ while preserving their functionality.
Alice Bob
Application 2
Indistinguishability Obfuscation [BGIRSVY01, GR07, GGHRSW13]
Obfuscator
๐ (๐ถ )๐ถ
Security : Canโt tell if = or As long as and
Might seem useless: but actually is very usefulโฆ
Application 2
Obfuscation + Mmaps Applications Witness Encryption Attribute Based Encryption [GGHSW13] Functional Encryption [GGHRSW13, GJKS13, GGJS13, ABGSZ13,โฆ] Round Optimal Multiparty Secure computation [GGHR14] Deniable Encryption [SW13] Removing random oracles [HSW13a, FHPS13, HSW13b] Broadcast Encryption and Traitor-Tracing [GGHRSW13, BZ13, ABGSZ13] Impossibility results [BCPR13a,BP13,GK13,BCPR13b,KRW13,MO13,โฆ] Functional Witness Encryption [BCP13] Mmaps optimizations and extensions [CLT13,GGH13b,โฆ] Obfuscation optimizations and extensions [BCP13, ABGSZ13, BR13,
BGKPS13, PTS13,โฆ] Pick your favorite primitive in cryptography
Can it be improved?
Outline Bilinear Maps: Recall
And Multilinear maps Our Results and Applications
Definitions of Multi-linear Maps Classical Notion Our Notion
Our Construction Security
Cryptographic Multi-linear MapsDefinitions: Classical notion and our Approximate variant
Multilinear Maps: Classical Notion Cryptographic n-multilinear map (for groups)
Groups of order with generators Family of maps:
, where
.
And at least the ``discrete logโ problems in each is ``hardโโ. And hopefully the generalization of Bilinear DH
Getting to our Notion
Our visualization
of (traditional)
Bilinear Maps
Step by step I will make changes to get our notion of
Bilinear Maps
At each step provide
Extension to Multi-linear
Maps
Bilinear Maps: Our visualization๐ ๐
12โฎ๐
๐บ1
๐11
๐12
โฎ๐1๐
๐บ2
๐21
๐22
โฎ๐2๐
Bilinear Maps: Our visualization Sampling๐ ๐
12โฎ๐
๐บ1
๐11
๐12
โฎ๐1๐
๐บ2
๐21
๐22
โฎ๐2๐
It was easy to sample uniformly from .
Bilinear Maps: Our visualizationEquality Checking
๐ ๐
12โฎ๐
๐บ1
๐11
๐12
โฎ๐1๐
๐บ2
๐21
๐22
โฎ๐2๐
Trivial to check if two terms are the same.
Bilinear Maps: Our visualizationAddition๐ ๐
12โฎ๐
๐บ1
๐11
๐12
โฎ๐1๐
๐บ2
๐21
๐22
โฎ๐2๐
๐13
Bilinear Maps: Our visualizationMultiplication๐ ๐
12โฎ๐
๐บ1
๐11
๐12
โฎ๐1๐
๐บ2
๐21
๐22
โฎ๐2๐
Bilinear Maps: Sets(Our Notion)
๐ ๐
12โฎ๐
๐บ1
๐11
๐12
โฎ๐1๐
๐บ2
๐21
๐22
โฎ๐2๐
๐01
๐02
๐0๐
๐11
๐12
๐1๐
๐21
๐22
๐2๐
๐0โ ๐1
โ ๐2โ
Level-0 encodings
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodingsโ Each set is partitioned into for each : ``level- encodings of
โ.
Bilinear Maps: Sampling(Our Notion)๐ ๐
12โฎ๐
๐บ1
๐11
๐12
โฎ๐1๐
๐บ2
๐21
๐22
โฎ๐2๐
๐01
๐02
๐0๐
๐11
๐12
๐1๐
๐21
๐22
๐2๐
๐0โ ๐1
โ ๐2โ
It was easy to sample uniformly from .
I should be efficient to sample such that for a uIt may not be uniform in or .
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodingsโ Each set is partitioned into for each : ``level- encodings of
โ. Sampling: Output for a u
Bilinear Maps: Equality Checking(Our Notion)
๐ ๐
12โฎ๐
๐บ1
๐11
๐12
โฎ๐1๐
๐บ2
๐21
๐22
โฎ๐2๐
๐01
๐02
๐0๐
๐11
๐12
๐1๐
๐21
๐22
๐2๐
๐0โ ๐1
โ ๐2โ
It was trivial to check if two terms are the same.
Check if two values come from the same set.
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodingsโ Each set is partitioned into for each : ``level- encodings of
โ. Sampling: Output for a random Equality testing(): Output iff such that
Bilinear Maps: Addition(Our Notion)
๐ ๐
12โฎ๐
๐บ1
๐11
๐12
โฎ๐1๐
๐บ2
๐21
๐22
โฎ๐2๐
๐01
๐02
๐0๐
๐11
๐12
๐1๐
๐21
๐22
๐2๐
๐0โ ๐1
โ ๐2โ
๐13 ๐1
3
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodingsโ Each set is partitioned into for each : ``level- encodings of
โ. Sampling: Output for a random Equality testing(): Output iff such that Addition/Subtraction: There are ops and such
that:
We have and
Bilinear Maps: Multiplication(Our Notion)๐ ๐
12โฎ๐
๐บ1
๐11
๐12
โฎ๐1๐
๐บ2
๐21
๐22
โฎ๐2๐
๐01
๐02
๐0๐
๐11
๐12
๐1๐
๐21
๐22
๐2๐
๐0โ ๐1
โ ๐2โ
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodingsโ Each set is partitioned into for each : ``level- encodings of
โ. Sampling: Output for a random Equality testing(): Output iff such that Addition/Subtraction: There are ops and such
that: Multiplication: There is an op such that:
such that We have .
Bilinear Maps: Noisy(Our Notion)
๐ ๐
12โฎ๐
๐บ1
๐11
๐12
โฎ๐1๐
๐บ2
๐21
๐22
โฎ๐2๐
๐01
๐02
๐0๐
๐11
๐12
๐1๐
๐21
๐22
๐2๐
๐0โ ๐1
โ ๐2โ
All operations are required to work as long as ``noiseโโ level remains small.
Multilinear Maps: Our Notion
Discrete Log: Given level- encoding of , hard to compute level-- encoding of .
n-Multilinear DDH: Given level- encodings of and a level-n encoding T distinguish whether T encodes or not.
Outline Bilinear Maps: Recall
And Multilinear maps Our Results and Applications
Definitions of Multi-linear Maps Classical Notion Our Notion
Our Construction Security
(Kind of like NTRU-Based FHE, but with Equality Testing)
``Noisyโ Multilinear Maps
Background We work in polynomial ring
E.g., ( is a power of two)
Such is irreducible over
,
Our Construction We work in polynomial ring
E.g., ( is a power of two) Also use
Public parameters hide a small and a random invertible (large)
Let be the ideal generated by g, also has lattice structure
is required to be Small and invertible in should be a large prime is not too large
The ``scalarsโ that we encode are cosets of (i.e., elements in the quotient ring )
Our Construction
๐01
๐02
๐0๐
๐0โ
โฎ
๐11
๐12
๐1๐
๐1โ
โฎ
๐21
๐22
๐2๐
๐2โ
โฎ
1+๐ผ2+๐ผ
๐ผ
Small defines a principal ideal over
A random (large)
[ ๐๐ง ]๐
๐
[ ๐๐ง 2 ]๐
+ and ร
should have small coefficients
If , are both short then, has the form ,
where is still short and
If , are both short then,has the form ,
where is still short and Multiplication
Addition
Our Construction (in general)
In general, ``level-k encodingโ of a coset has the form for a short
Addition: Add encodings as long as ||
Multi-linear: Multiply encodings to get an encoding of the product at level as long as
``Somewhat homomorphicโ encoding
Sampling and equality check?
Bilinear Maps: Sampling(Our Notion)๐ ๐
12โฎ๐
๐บ1
๐11
๐12
โฎ๐1๐
๐บ2
๐21
๐22
โฎ๐2๐
๐01
๐02
๐0๐
๐11
๐12
๐1๐
๐21
๐22
๐2๐
๐0โ ๐1
โ ๐2โ
It was easy to sample uniformly from .
I should be efficient to sample such that for a uIt may not be uniform in or .
Sampling Sampling: Sample small , but larger than then
encodes a random coset. Why should this work? -- vector with tiny coefficients
Encoding this random coset
Publish an encoding of 1:
Sampling: If (wide enough), then encodes a random coset.
Donโt know how to encode specific elements
Given this short , set is a valid level- encoding of the coset
Translating from level to :
Equality Checking Do encode the same coset?
Suffices to check - encodes . Publish a (level-k) zero-testing param
h is ``somewhat shortโ (e.g. of size ) To test, if encodes , compute
= = (output yes if )
Equality Checking โ Correctness I
Do encode the same coset? Suffices to check - encodes .
Publish a (level-k) zero-testing param
h is ``somewhat shortโ (e.g. of size ) To test, if encodes , compute
= = (output yes if ) Correctness: if (or, ) Problem: may not be small Solution: is small, is same as in
Equality Checking โ Correctness II
Do encode the same coset? Suffices to check - encodes .
Publish a (level-k) zero-testing param
h is ``somewhat shortโ (e.g. of size ) To test, if encodes , compute
= = (output yes if ) Correctness: if Assume then both and are Hence in Implies divides or .
Re-randomizaton๐0
๐ ๐0๐ก ๐0
๐ ๐ก ๐0๐
๐๐ ๐๐ก๐๐ ๐ก๐๐
And But then
We need to re-randomize the encoding, to break these simple algebraic relations
๐ข๐ ๐ข๐ก๐ข๐ ๐ก๐ข๐
๐1๐ ๐ก
๐1โ
๐ฅ0๐ฅ0โฒ ๐ฅ0
โฒ โฒโฏโฏโฏ
Need to re-randomize
this as well.
This re-randomization gets us statistically close to the actual distribution [AGHS12,AR13].
๐10
The Complete Encoding Scheme
Parameters: , , and Encode a random element:
S
Re-randomize u (at level 1):
Zero Test: Map to level(by multiplying by for appropriate j) Check if is small
Re-randomization not needed for applications like
obfuscation.
Variants Asymmetric variants (many ziโs), XDH analog , , Partially symmetric and partially asymmetric
Security: Cryptanalysis
Attacks, , and Goal: To find or Covering the basics (Not ``Triviallyโโ broken)
Adversary that only (iteratively) adds, subtracts, multiplies, or divides pairs of elements that it has already computed cannot break the scheme
Similar in spirit to Generic Group model Without the - essentially the NTRU problem
Summary Presented ``noisyโ cryptographic multilinear map. Construction is similar to NTRU-based
homomorphic encryption, but with an equality-testing parameter.
Security is based on somewhat stronger computational assumptions than NTRU.
But more cryptanalysis needs to be done!
??Thank You! Questions?