introduction to cryptographic multilinear maps
DESCRIPTION
Introduction to Cryptographic Multilinear Maps. Sanjam Garg , Craig Gentry, Shai Halevi IBM T.J. Watson Research Center. Multilinear Maps (MMAPs). A technical tool Think “trapdoor-permutations” or “smooth-projective-hashing”, or “randomized-encoding” - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/1.jpg)
Visions of Cryptography, Weizmann Inst.
1
Introduction to
Cryptographic Multilinear Maps
Sanjam Garg, Craig Gentry, Shai HaleviIBM T.J. Watson Research Center
Dec 2013
![Page 2: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/2.jpg)
Visions of Cryptography, Weizmann Inst.
2
Multilinear Maps (MMAPs)A technical tool
◦Think “trapdoor-permutations” or “smooth-projective-hashing”, or “randomized-encoding”
◦More a technique than a single primitive Several different variants, all share the same core
properties but differ in details
Extension of bilinear maps [J00,SOK00,BF01]◦Bilinear maps are extensions of DL-based crypto◦Took the crypto world by storm in 2000, used in
dozens of applications, hundreds of papers◦Applications from IBE to NIZK and more
Dec 2013
![Page 3: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/3.jpg)
Visions of Cryptography, Weizmann Inst.
3
DL/DDH and Bilinear MapsWhy is DDH such a “gold mine”?
◦You can take values and “hide them” in ◦Some tasks are still easy in this
representation Can compute any linear/affine function of the ’s,
and check if
◦Other tasks are seemingly hard E.g., computing/checking quadratic functions
Bilinear maps are similar: we can compute quadratics, while cubics seem hard
Turns out to be even more useful
Dec 2013
![Page 4: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/4.jpg)
Visions of Cryptography, Weizmann Inst.
4
Why Stop at Two?Can we find groups that would let us
compute cubics but not 4th powers?◦Or in general, upto degree but no more?
Cryptographic multilinear maps (MMAPs)
◦Even more useful than bilinear[Boneh-Silverberg’03] explored some
applications of MMAPs◦Also argued that they are unlikely to be
constructed similarly to bilinear maps
Dec 2013
![Page 5: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/5.jpg)
Visions of Cryptography, Weizmann Inst.
5
The [GGH’13] ApproachAn “approximate” cryptographic
MMAPs◦Degree- functions, zero-test are easy◦Some degree- functions seem hard◦Enabling many new applications
Built using “FHE techniques”◦From a variant of the NTRU HE scheme
Another construction in [CLT’13]◦Using a variant of “HE over integers”
instead◦All degree- functions seem hard
Dec 2013
![Page 6: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/6.jpg)
Visions of Cryptography, Weizmann Inst.
6
This TalkAn overview of [GGH’13]
◦Some details◦Which degree- functions are
easy/hard Source- vs. target-group assumptions
Examples of using it:◦-partite key exchange [J00,BS03]◦Witness encryption [GGSW’13]◦Full domain hash [FHPS’13, HSW’13]◦Obfuscation(just a hint)
Dec 2013
![Page 7: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/7.jpg)
Visions of Cryptography, Weizmann Inst.
7
THE [GGH’13] CONSTRUCTION
Dec 2013
![Page 8: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/8.jpg)
Visions of Cryptography, Weizmann Inst.
8
“Somewhat Homomorphic” Encryption (SWHE) vs. MMAPs
MMAPs• “Encoding” Computing low-
deg polynomials of the ’s is easy
Sharp threshold for easy vs. hard
Can test for zero
SWHE• Encrypting Computing low-
deg polynomials of the ’s is easy
? Fuzzy threshold for easy vs. hard?Cannot test anything• But if you have
skey you can recover itself Dec 2013
![Page 9: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/9.jpg)
Visions of Cryptography, Weizmann Inst.
9
Main Ingredient: Testing for ZeroTo be useful, we must be able to test
if two degree- expressions are equal◦Using homomorphism, that’s the same as
testing if a degree- expression equals zeroOur approach: augment a SWHE
scheme with a “handicapped” secret key◦Can test if a ciphertext decrypts to zero,
but cannot decrypt arbitrary cipehrtexts Assuming that the plaintext-space is large
◦Called a “zero-test parameter”
Dec 2013
![Page 10: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/10.jpg)
Visions of Cryptography, Weizmann Inst.
10
A Few Words About LevelsA “level-” ciphertext encrypts a
degree- expression◦Fresh cipehrtexts, =Enc(), are at
level
Contemporary SWHE schemes are “naturally leveled”◦Often a ciphertext in these schemes
would be tagged with its levelDec 2013
![Page 11: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/11.jpg)
Visions of Cryptography, Weizmann Inst.
11
A Few Words About Levels (2)A zero-test parameter that works for
all levels, would give a “black-box field”◦Could be useful, but it’s not MMAPs◦Also we don’t know how to get one
Our zero-test parameter only works for ciphertexts at one particular level ◦The zero-test level is a parameter, equal
to the multi-linearity degree that we want to implement
Dec 2013
![Page 12: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/12.jpg)
Visions of Cryptography, Weizmann Inst.
12
‘s from some large finite field/ring
Our Goal (“approximate MMAPs”)-Graded Encoding SchemeKeyGen(): Generating public parametersEncode: level- encoding of plaintext ’s
◦Plaintext ’s themselves are considered “level-0”
◦Encoding can be randomizedArithmetic: addition & multiplication
Zero-test: does encode 0? ◦Only works for level- encoding
Dec 2013
![Page 13: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/13.jpg)
Visions of Cryptography, Weizmann Inst.
13
Some VariationsCan extract “random canonical
representation”of from any level- encoding of
Can only encode random ’s, not specific onesKeyGen outputs a matching secret key
◦ Secret key may be needed for encodingEncoding can be re-randomizable
◦ Given any level- encoding of , output a random level- encoding of the same
More complicated level structure than just 0,1,2, …◦ E.g., levels are vectors, with partial ordering◦ Yields an extension of “asymmetric maps”Dec 2013
![Page 14: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/14.jpg)
Visions of Cryptography, Weizmann Inst.
14
Overview of [GGH’13]Start from an NTRU-like SWHE
scheme◦Semantic-security under some
“reasonable assumptions”Add zero-test parameter
◦Some things that were hard now become easy
◦Other things are still seemingly hard But hardness assumptions are stronger,
uglier
◦Separating hard from easy is challenging
Dec 2013
![Page 15: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/15.jpg)
Visions of Cryptography, Weizmann Inst.
15
Starting From NTRU-like SWHE
All ops are in some polynomial rings◦,
Secret key is ◦ is short , is random in ◦Plaintext elements are from
An encryption of is ◦ and
To decrypt set
In NTRU
Dec 2013
![Page 16: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/16.jpg)
Visions of Cryptography, Weizmann Inst.
16
Homomorphic NTRULevel- encryption of is
◦ and To decrypt set Can add, multiply ciphertexts in
Because and
Because and
as long as numerator remains
Dec 2013
![Page 17: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/17.jpg)
Visions of Cryptography, Weizmann Inst.
17
The Public KeyLet
To encrypt a small , choose small , set
If is Gaussian with suitable parameter then and is ~uniform mod ◦So we can encrypt random elements◦But not any pre-set element
Dec 2013
![Page 18: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/18.jpg)
Visions of Cryptography, Weizmann Inst.
18
Zero-Test ParameterNeed to publish information to
help recognize elements of the form ◦But not of the form ◦Also not of the form for
First idea: publish ◦, with ◦But ,
and entails wraparound mod So typically
Dec 2013
![Page 19: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/19.jpg)
Visions of Cryptography, Weizmann Inst.
19
Zero-Test Parameter (2)Main problem is that enables
also zero-testing at levels ◦E.g., ,
To counter this, set ◦With ◦Now squaring already yields
wraparoundZero-testing procedure:
◦Check if
Dec 2013
![Page 20: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/20.jpg)
Visions of Cryptography, Weizmann Inst.
20
Correctness of Zero-TestingIf encodes zero at level then
(mod )◦We know that , since all valid
encodings have small numerators◦Hence also
This assumes is small in the field of fractions
◦Since then and so the zero-test pass
Dec 2013
![Page 21: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/21.jpg)
Visions of Cryptography, Weizmann Inst.
21
Correctness of Zero-Testing (2)The converse is a bit more
complicated:Let be such that the two ideals
are co-primeLemma: Let be s.t. and let . If is small enough, , then
◦i.e., for some
Proof: over (since both ) and since co-prime then .
Dec 2013
![Page 22: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/22.jpg)
Visions of Cryptography, Weizmann Inst.
22
Correctness of Zero-Testing (3)Lemma: Let be s.t. and let . If is small enough, , then
Corollary: if is a valid level- encoding ( and it passes zero-test ( is small), so it is an encoding of zero
Dec 2013
![Page 23: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/23.jpg)
Visions of Cryptography, Weizmann Inst.
23
Security of Zero-TestingThis Zero-Test procedure provides
functionality, not security◦Easy to come up with an “invalid
encoding” that passes the zero test.If we need security, publish many
’sfor many different mid-size ’es◦Check for all of them◦Can prove that whp over the ’es,
only valid zero-encodings pass this test. Dec 2013
![Page 24: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/24.jpg)
Visions of Cryptography, Weizmann Inst.
24
What’s HardSome degree- functions seem hard
to compute, or even testMultilinear-DDH (MDDH)For level- encoding of random
elements, ,and another level- encoding ,hard to distinguish from random
Dec 2013
![Page 25: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/25.jpg)
Visions of Cryptography, Weizmann Inst.
25
What’s Not HardOther degree- functions are easy
Multilinear-DDHFor level- encoding of random
elements, ,and another level-1 encoding ,easy to decide if
Dec 2013
![Page 26: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/26.jpg)
Visions of Cryptography, Weizmann Inst.
26
What’s the Difference?A “target group” problem includes some
elements encoded at the highest level ()◦Such problems are seemingly hard in these
encodings
A “source group” problem includes only elements encoded at levels ◦Include things like decision-linear
assumption◦These problems are easy, assuming that we
indeed provide the public-key elements
Dec 2013
![Page 27: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/27.jpg)
Visions of Cryptography, Weizmann Inst.
27
Why the Difference?These encodings are subject to a
“weak discrete-logarithm” attacks. Given:◦Level- encoding of some , and ◦Level- encoding of 0 (e.g., ), with
Can compute “in the clear” ◦I.e., for some
is not small, so you cannot re-encode it at level and break MDDH or similar◦But if you have and , you can check
whether Dec 2013
![Page 28: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/28.jpg)
Visions of Cryptography, Weizmann Inst.
28
Dealing with “Weak DL” AttacksSome applications only rely on “target
group” assumptions◦Those are not affected by the attack
More applications can get by without providing , so attack does not apply
Or use other MMAPs◦[CTL’13] seemingly not susceptible to weak-
DL◦Can perhaps “immunize” [GGH’13] against it
Using GGH-encoded matrices and their eigenvalues
Dec 2013
![Page 29: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/29.jpg)
Visions of Cryptography, Weizmann Inst.
29
Computation ProblemsThe source/target distinction is about
decision problemsComputation problems have their own
issuesRoughly speaking, anything that
requires division is hard◦But division in the ring is easy: from we
can compute ◦ is unlikely to be a valid encoding, can
perhapsbe discarded using the “secure zero-test”
Dec 2013
![Page 30: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/30.jpg)
Visions of Cryptography, Weizmann Inst.
30
APPLICATIONS OF MMAPS
Dec 2013
![Page 31: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/31.jpg)
Visions of Cryptography, Weizmann Inst.
31
Application I:()-partite key exchangePublic parameters include draws small , , publishes the level-
encoding computes level- encoding of product
All parties have level- encodings of the same thing◦ Indistinguishable from encoding of a
random element, under MDDHHow to get a shared secret key out of
it?Dec 2013
![Page 32: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/32.jpg)
Visions of Cryptography, Weizmann Inst.
32
Extracting Canonical RepresentationAll of encode the same thing
is small Roughly use MSBs of as a shared key
Public params also include◦Seed of strong randomness extractor◦Random element
Shared key computed as
◦Whp over , all ’s are equal◦ Indistinguishable to observer from random
bits
Dec 2013
![Page 33: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/33.jpg)
Visions of Cryptography, Weizmann Inst.
33
Application II: Witness Encryption“Encryption without any key”
◦Relative to an arbitrary riddle◦Defined here relative to exact-cover (XC)
Use NP-hardness to get any NP statement
Message encrypted wrt to XC instance◦Encryptor need not know a solution, or
even if a solution existsAnyone with a solution can decryptSemantic-security if no solution exists
Dec 2013
![Page 34: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/34.jpg)
Visions of Cryptography, Weizmann Inst.
34
Recall Exact CoverInstance: A universe and a
collection of subsets A solution: sub-collection of the
’s that forms a partition of , i.e., ◦Subsets are pairwise disjoint, and◦Their union is the entire .
Dec 2013
![Page 35: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/35.jpg)
Visions of Cryptography, Weizmann Inst.
35
The [GGSW13] ConstructionOn an XC instance and
a message ◦Use -linear maps◦Choose random elements ◦For every subset , publish a level-
encoding of ◦Use a level- encoding of to encrypt,
by publishing the ciphertext
Dec 2013
![Page 36: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/36.jpg)
Visions of Cryptography, Weizmann Inst.
36
The [GGSW] Construction (2)If is a solution, then multiplying the
corresponding ’s we get a level- encoding of U, then we can decrypt
Every non-solvable instance defines a computational problem◦Distinguish a level- encoding of from a
level- encoding of randomWe assume all these problems to be
hard◦Is this a reasonable assumption to make?
Dec 2013
![Page 37: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/37.jpg)
Visions of Cryptography, Weizmann Inst.
37
Application III: Full-Domain HashConsider the following hash
function, level--encodings:◦Public version of Naor-Reingold PRF◦Let be random elements, and
publish their level- encoding ,
What can you do with it?
Dec 2013
![Page 38: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/38.jpg)
Visions of Cryptography, Weizmann Inst.
38
BLS-type Signatures [HWS13]Use , publish also
◦ is the secret key
◦Level- encoding of an -productVerify using zero-test:
Can be aggregated, made identity-based
Dec 2013
![Page 39: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/39.jpg)
Visions of Cryptography, Weizmann Inst.
39
“Programmable” Hash Functions [FHPS13]For any fixed “basis” (encoded at
level ), can generate a random as above with a trapdoor s.t.:◦Using we can find for any a
“representation of in this basis”
at level zero, at level
◦Roughly, for all but a random fraction of the ’es, we have
This is useful for “partition-type” proofs of security
Dec 2013
![Page 40: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/40.jpg)
Visions of Cryptography, Weizmann Inst.
40
Obfuscation [GGHRSW13]Goal: take an arbitrary circuit and
“encrypt it”, so that:◦Can still evaluate the result on any input◦But “not much else”
Formulating “not much else” is hard◦ [BGIRSVY01] show that some natural
formulations cannot be met◦Also defined the weaker notion of
“indistinguishability Obfuscation” (iO):◦ If compute the same function, then
Dec 2013
![Page 41: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/41.jpg)
Visions of Cryptography, Weizmann Inst.
41
iO for Begin with a corollary of
Barrington’s theorem, we can recognize via matrix multiplication:◦ represented by a sequence of
matrices of length ◦Input determines a sub-sequence◦ iff their product is the identity
Dec 2013
![Page 42: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/42.jpg)
Visions of Cryptography, Weizmann Inst.
42
Obfuscating Randomize the matrices for
◦How to randomize is the hard part, need to counter several attacks
Provide level- encoding of matrices
To evaluate on ◦Choose a subset and multiply the
encoding◦Use zero-testing to check for identity
Dec 2013
![Page 43: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/43.jpg)
Visions of Cryptography, Weizmann Inst.
43
SecurityMostly heuristic, but supported
by generic-group argumentsEvery pair of circuits defines a
decision problem◦We assume that they are all hard
These are all source-group assumptions◦Since the matrices are encoded at
level ◦But we are not giving , so the weak-
DL attack does not applyDec 2013
![Page 44: Introduction to Cryptographic Multilinear Maps](https://reader036.vdocuments.us/reader036/viewer/2022062422/56812ead550346895d9450b8/html5/thumbnails/44.jpg)
Visions of Cryptography, Weizmann Inst.
44
SummaryCan approximate cryptographic MMAPs
◦Using SWHE with “handicapped secret key”◦Known constructions from NTRU, “integer HE”◦Can we do the same thing from other
schemes?Enabling many new applications
◦But hardness assumptions are strong, “ugly”◦In desperate need of a coherent theory
Practical performance lacking◦Worse than the [Gen09] HE scheme
Dec 2013