Download - Candidate Multilinear Maps

Candidate Multilinear Maps

Sanjam Garg (IBM)Based on joint works with

Craig Gentry (IBM) and Shai Halevi (IBM)

Outline Bilinear Maps: Recall

Intuitively: Multilinear Maps Our Results and Applications

Definitions of Multi-linear Maps Classical Notion Our Notion

Our Construction Security

Cryptographic Bilinear Maps(Weil and Tate Pairings)Recalling Bilinear Maps and its Applications: Motivating Multilinear Maps

Cryptographic Bilinear Maps Bilinear maps are extremely useful in cryptography

lots of applications [Joux00, BF01]

As the name suggests allow pairing two things together

Bilinear Maps – Definitions Cryptographic bilinear map

Groups and of order with generators and a bilinear map such that

Instantiation: Weil or Tate pairings over elliptic curves.

Given hard to get

DDH is easyGiven

Bilinear Maps: ``Hard” Problem Bilinear Diffie-Hellman: Givenhard to distinguish from Random

Multilinear Maps [BS03] generalize this concept.

Our Multilinear Maps constructions of multi-

linear maps Many exciting application

Candidate approximateConstructions of multi-linear maps

Non-Interactive Key Agreement [DH76]

𝑃 𝐾𝑎 𝑃 𝐾𝑏

Alice Bob

𝐾 𝑎 ,𝑏

Extended to three parties by [Joux00] Mmaps would give solution for more than 3-

parties. [BS03]

Application 1

Non-Interactive Key Agreement [DH76]

Easy Application: Tri-partite key agreement [Joux00]: Alice, Bob, Carol generate and broadcast . They each separately compute the key

More than 3-parties – easy application. [GGH13]

𝑎 𝑏

𝑔1𝑎 𝑔1

𝑏

𝐾=𝑔1𝑎𝑏

Application 1

10

Software Obfuscation

O(P)

P

• Obfuscation aims to make computer programs “unintelligible” while preserving their functionality.

Alice Bob

Application 2

Indistinguishability Obfuscation [BGIRSVY01, GR07, GGHRSW13]

Obfuscator

𝑂 (𝐶 )𝐶

Security : Can’t tell if = or As long as and

Might seem useless: but actually is very useful…

Application 2

Obfuscation + Mmaps Applications Witness Encryption Attribute Based Encryption [GGHSW13] Functional Encryption [GGHRSW13, GJKS13, GGJS13, ABGSZ13,…] Round Optimal Multiparty Secure computation [GGHR14] Deniable Encryption [SW13] Removing random oracles [HSW13a, FHPS13, HSW13b] Broadcast Encryption and Traitor-Tracing [GGHRSW13, BZ13, ABGSZ13] Impossibility results [BCPR13a,BP13,GK13,BCPR13b,KRW13,MO13,…] Functional Witness Encryption [BCP13] Mmaps optimizations and extensions [CLT13,GGH13b,…] Obfuscation optimizations and extensions [BCP13, ABGSZ13, BR13,

BGKPS13, PTS13,…] Pick your favorite primitive in cryptography

Can it be improved?


And Multilinear maps Our Results and Applications



Cryptographic Multi-linear MapsDefinitions: Classical notion and our Approximate variant

Multilinear Maps: Classical Notion Cryptographic n-multilinear map (for groups)

Groups of order with generators Family of maps:

, where

.

And at least the ``discrete log” problems in each is ``hard’’. And hopefully the generalization of Bilinear DH

Getting to our Notion

Our visualization

of (traditional)

Bilinear Maps

Step by step I will make changes to get our notion of

Bilinear Maps

At each step provide

Extension to Multi-linear

Maps

Bilinear Maps: Our visualization𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

Bilinear Maps: Our visualization Sampling𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

It was easy to sample uniformly from .

Bilinear Maps: Our visualizationEquality Checking

𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

Trivial to check if two terms are the same.

Bilinear Maps: Our visualizationAddition𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

𝑔13

Bilinear Maps: Our visualizationMultiplication𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

Bilinear Maps: Sets(Our Notion)

𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

𝑆01

𝑆02

𝑆0𝑝

𝑆11

𝑆12

𝑆1𝑝

𝑆21

𝑆22

𝑆2𝑝

𝑆0❑ 𝑆1

❑ 𝑆2❑

Level-0 encodings

Multilinear Maps: Our Notion

Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of

”.

Bilinear Maps: Sampling(Our Notion)𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

𝑆01

𝑆02

𝑆0𝑝

𝑆11

𝑆12

𝑆1𝑝

𝑆21

𝑆22

𝑆2𝑝

𝑆0❑ 𝑆1

❑ 𝑆2❑


I should be efficient to sample such that for a uIt may not be uniform in or .



”. Sampling: Output for a u

Bilinear Maps: Equality Checking(Our Notion)

𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

𝑆01

𝑆02

𝑆0𝑝

𝑆11

𝑆12

𝑆1𝑝

𝑆21

𝑆22

𝑆2𝑝

𝑆0❑ 𝑆1

❑ 𝑆2❑

It was trivial to check if two terms are the same.

Check if two values come from the same set.



”. Sampling: Output for a random Equality testing(): Output iff such that

Bilinear Maps: Addition(Our Notion)

𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

𝑆01

𝑆02

𝑆0𝑝

𝑆11

𝑆12

𝑆1𝑝

𝑆21

𝑆22

𝑆2𝑝

𝑆0❑ 𝑆1

❑ 𝑆2❑

𝑔13 𝑆1

3



”. Sampling: Output for a random Equality testing(): Output iff such that Addition/Subtraction: There are ops and such

that:

We have and

Bilinear Maps: Multiplication(Our Notion)𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

𝑆01

𝑆02

𝑆0𝑝

𝑆11

𝑆12

𝑆1𝑝

𝑆21

𝑆22

𝑆2𝑝

𝑆0❑ 𝑆1

❑ 𝑆2❑



”. Sampling: Output for a random Equality testing(): Output iff such that Addition/Subtraction: There are ops and such

that: Multiplication: There is an op such that:

such that We have .

Bilinear Maps: Noisy(Our Notion)

𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

𝑆01

𝑆02

𝑆0𝑝

𝑆11

𝑆12

𝑆1𝑝

𝑆21

𝑆22

𝑆2𝑝

𝑆0❑ 𝑆1

❑ 𝑆2❑

All operations are required to work as long as ``noise’’ level remains small.


Discrete Log: Given level- encoding of , hard to compute level-- encoding of .

n-Multilinear DDH: Given level- encodings of and a level-n encoding T distinguish whether T encodes or not.


And Multilinear maps Our Results and Applications



(Kind of like NTRU-Based FHE, but with Equality Testing)

``Noisy” Multilinear Maps

Background We work in polynomial ring

E.g., ( is a power of two)

Such is irreducible over

,

Our Construction We work in polynomial ring

E.g., ( is a power of two) Also use

Public parameters hide a small and a random invertible (large)

Let be the ideal generated by g, also has lattice structure

is required to be Small and invertible in should be a large prime is not too large

The ``scalars” that we encode are cosets of (i.e., elements in the quotient ring )

Our Construction

𝑆01

𝑆02

𝑆0𝑝

𝑆0❑

⋮

𝑆11

𝑆12

𝑆1𝑝

𝑆1❑

⋮

𝑆21

𝑆22

𝑆2𝑝

𝑆2❑

⋮

1+𝐼2+𝐼

𝐼

Small defines a principal ideal over

A random (large)

[ 𝑐𝑧 ]𝑞

𝑐

[ 𝑐𝑧 2 ]𝑞

+ and ×

should have small coefficients

If , are both short then, has the form ,

where is still short and

If , are both short then,has the form ,

where is still short and Multiplication

Addition

Our Construction (in general)

In general, ``level-k encoding” of a coset has the form for a short

Addition: Add encodings as long as ||

Multi-linear: Multiply encodings to get an encoding of the product at level as long as

``Somewhat homomorphic” encoding

Sampling and equality check?

Bilinear Maps: Sampling(Our Notion)𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

𝑆01

𝑆02

𝑆0𝑝

𝑆11

𝑆12

𝑆1𝑝

𝑆21

𝑆22

𝑆2𝑝

𝑆0❑ 𝑆1

❑ 𝑆2❑


I should be efficient to sample such that for a uIt may not be uniform in or .

Sampling Sampling: Sample small , but larger than then

encodes a random coset. Why should this work? -- vector with tiny coefficients

Encoding this random coset

Publish an encoding of 1:

Sampling: If (wide enough), then encodes a random coset.

Don’t know how to encode specific elements

Given this short , set is a valid level- encoding of the coset

Translating from level to :

Equality Checking Do encode the same coset?

Suffices to check - encodes . Publish a (level-k) zero-testing param

h is ``somewhat short” (e.g. of size ) To test, if encodes , compute

= = (output yes if )

Equality Checking – Correctness I

Do encode the same coset? Suffices to check - encodes .

Publish a (level-k) zero-testing param


= = (output yes if ) Correctness: if (or, ) Problem: may not be small Solution: is small, is same as in

Equality Checking – Correctness II

Do encode the same coset? Suffices to check - encodes .

Publish a (level-k) zero-testing param


= = (output yes if ) Correctness: if Assume then both and are Hence in Implies divides or .

Re-randomizaton𝑆0

𝑠 𝑆0𝑡 𝑆0

𝑠𝑡 𝑆0𝑟

𝑐𝑠𝑐𝑡𝑐𝑠𝑡𝑐𝑟

And But then

We need to re-randomize the encoding, to break these simple algebraic relations

𝑢𝑠𝑢𝑡𝑢𝑠𝑡𝑢𝑟

𝑆1𝑠𝑡

𝑆1❑

𝑥0𝑥0′ 𝑥0

′ ′⋯⋯⋯

Need to re-randomize

this as well.

This re-randomization gets us statistically close to the actual distribution [AGHS12,AR13].

𝑆10

The Complete Encoding Scheme

Parameters: , , and Encode a random element:

S

Re-randomize u (at level 1):

Zero Test: Map to level(by multiplying by for appropriate j) Check if is small

Re-randomization not needed for applications like

obfuscation.

Variants Asymmetric variants (many zi’s), XDH analog , , Partially symmetric and partially asymmetric

Security: Cryptanalysis

Attacks, , and Goal: To find or Covering the basics (Not ``Trivially’’ broken)

Adversary that only (iteratively) adds, subtracts, multiplies, or divides pairs of elements that it has already computed cannot break the scheme

Similar in spirit to Generic Group model Without the - essentially the NTRU problem

Summary Presented ``noisy” cryptographic multilinear map. Construction is similar to NTRU-based

homomorphic encryption, but with an equality-testing parameter.

Security is based on somewhat stronger computational assumptions than NTRU.

But more cryptanalysis needs to be done!

??Thank You! Questions?

Download - Candidate Multilinear Maps

Top Related