Multilinear Maps From Ideal Lattices and Applications

21 Nov 2013

Sanjam Garg (UCLA)

Joint work with Craig Gentry (IBM) and Shai Halevi (IBM)

Outline


Bilinear Maps: Recall and Applications


Motivating Multilinear maps


Our Results


Definitions of Multi-linear Maps


Classical Notion


Our Notion


Our Construction


Security

Cryptographic Bilinear Maps

(Weil and Tate Pairings)

Recalling Bilinear Maps and its Applications: Motivating Multilinear Maps

Cryptographic Bilinear Maps



Bilinear maps are extremely useful in cryptography

lots of applications

As the name suggests allow pairing two things together

Bilinear Maps


Definitions


Cryptographic bilinear map


Groups
𝐺
1

and
𝐺
2

of order


with
generators

1
,

2
=


1
,

1
and
a bilinear map


𝐺
1
×
𝐺
1


𝐺
2

such that


























,






,


1

,

1

=

2



Instantiation: Weil or Tate pairings over elliptic curves.

CDH is hard

Given

1

,

1

hard
to get

1


DDH is easy

Given

1

,

1

,






=

?


1




1

,

1

=


1
,



Bilinear Maps: ``Hard” Problems

3-party Decisional Diffie-Hellman: Given

1
,

1

,

1

,

1


𝐺

hard to distinguish


1

from

Random



Bilinear Diffie-Hellman: Given





1
,

1

,

1

,

1


𝐺

hard to distinguish




1
,

1

=

2


from Random



Non-Interactive Key Agreement [DH76]

Easy Application: Tri-partite key agreement [Joux00]:


Alice, Bob, Carol generate

,

,


and broadcast

1

,

1

,

1

.


They each separately compute the key
𝐾

=



1
,

1




What if we have more than 3-parties? [BS03]








1



1


𝐾

=


1


Application 1



Prover






Verifier

Non-Interactive Zero Knowledge [BMF88]

Soundness: Statement is true

Zero-knowledge: Nothing but truth revealed


Common reference string :
𝐴
&
$%3
(


?

Proof:


Witness for statement being true


Statement :


Application 2

Only known constructions are from Bilinear Maps [GOS06] and Trapdoor permutation [FLS90].

What if we had Bilinear maps from some other assumption?

PKE with Enhanced Capabilities


Identity Based Encryption [Sha84]

Boneh and Franklin using bilinear maps [BF01]

More general notion

Attribute Based Encryption [SW05]

Application 3

[Figure: a Key Authority with PK and MSK, keys SK and SK’; attribute sets “Tel-Aviv University”, “Professor” and “Tel-Aviv University”, “Grad-student”; a policy built from OR and AND gates over Chancellor, TAU, Professor.]

Attribute-Based Encryption [SW05]

How general can this policy be?

Bottom line: Very few policies such as formulas are known to be realizable.

Application 3

What if we had multilinear maps?

Other Applications


Traitor-Tracing (with small ciphertexts) [BSW06]

Efficient Signature Schemes [BLS04]

Efficient Broadcast Encryption

Attribute based signatures

Blind Signatures/Anonymous Credentials

Structure Preserving Signatures

And many more ….

There is a conference on Pairing based Cryptography

What if we had multilinear map? [BS03]

Outline


Bilinear Maps: Recall and Applications


Motivating Multilinear maps


Our Results


Definitions of Multi-linear Maps


Classical Notion


Our Notion


Our Construction


Security

Our Results



constructions of multi-linear maps

Use these to get

-party non-interactive Diffie Hellman

NIZKs from lattice assumptions

Attribute based encryption for general circuits [GGH12, SW12]

Witness Encryption [GGSW12]

Insufficient for [Rot12] counterexample

Every bit encryption remains secure even when encryption of the secret key is given out

Candidate approximate Constructions of multi-linear maps

(Public parameters hide secrets)




Encrypter

Witness Encryption

Soundness: Statement is false

Semantic Security

Witness for statement .


Statement :






Encrypter




Receiver

Application 4

Outline


Bilinear Maps: Recall and Applications


Motivating Multilinear maps


Our Results


Definitions of Multi-linear Maps


Classical Notion


Our Notion


Our Construction


Security

Cryptographic Multi-linear Maps

Definitions: Classical notion and our Approximate variant

Multilinear Maps: Classical Notion

Cryptographic n-multilinear map (for groups)


Groups
𝐺
1
,

,
𝐺


of order


with generators

1
,

,




Family of maps:









,

:

𝐺

×

𝐺



𝐺

+


for


+





, where









,




,



=


+






,





.



And at least the ``discrete log” problems in each 𝐺 is ``hard’’.

And hopefully the generalization of 3-party DH




Getting to our Notion

Our visualization of (traditional) Bilinear Maps

Step by step I will make changes to get our notion of Bilinear Maps

At each step provide Extension to Multi-linear Maps

Bilinear Maps: Our visualization

[Figure: diagram with rows for 𝐺1 and 𝐺2]

Bilinear Maps: Our visualization
Sampling

[Figure: diagram with rows for 𝐺1 and 𝐺2]

It was easy to sample uniformly from


.

Bilinear Maps: Our visualization
Equality Checking

[Figure: diagram with rows for 𝐺1 and 𝐺2]

Trivial to check if two terms are the same.

Bilinear Maps: Our visualization
Addition

[Figure: diagram with rows for 𝐺1 and 𝐺2]

Bilinear Maps: Our visualization
Multiplication

[Figure: diagram with rows for 𝐺1 and 𝐺2]

Bilinear Maps: Sets (Our Notion)

[Figure: diagram of 𝐺1 and 𝐺2 with the corresponding sets of encodings; one row is labelled "Level-0 encodings"]

Multilinear Maps: Our Notion


Finite ring


and
sets








:

``level
-


encodings”


Each set




is partitioned into




for each




: ``level
-


encodings of

”.

Bilinear Maps: Sampling (Our Notion)

[Figure: diagram of 𝐺1 and 𝐺2 with the corresponding sets of encodings]

It was easy to sample uniformly from


.

It should be efficient to sample



0

such that



0


for a uniform


.

It may not be uniform in

0

or

0

.

Multilinear Maps: Our Notion


Finite ring


and
sets








:

``level
-


encodings”


Each set




is partitioned into




for each




: ``level
-


encodings of

”.


Sampling:
Output


such

that




0


for a uniform




Bilinear Maps: Equality Checking (Our Notion)

[Figure: diagram of 𝐺1 and 𝐺2 with the corresponding sets of encodings]

It was trivial to check if two terms are the same.

Check if two values come from the same set.

Multilinear Maps: Our Notion


Finite ring


and
sets








:

``level
-


encodings”


Each set




is partitioned into




for each




: ``level
-


encodings of

”.


Sampling:
Output


such

that




0


for a random



Equality testing(

,

,

)
: Output
1

iff




such that

,






Bilinear Maps: Addition (Our Notion)

[Figure: diagram of 𝐺1 and 𝐺2 with the corresponding sets of encodings]

Multilinear Maps: Our Notion


Finite ring


and
sets








:

``level
-


encodings”


Each set




is partitioned into




for each




: ``level
-


encodings of

”.


Sampling:
Output


such

that




0


for a random



Equality testing(

,

,

)
: Output
1

iff




such that

,







Addition/Subtraction
: There are ops
+

and


such
that:







,

,




,





,





:



We have

+





+

and









.


Bilinear Maps: Multiplication (Our Notion)

[Figure: diagram of 𝐺1 and 𝐺2 with the corresponding sets of encodings]

Multilinear Maps: Our Notion


Finite ring


and
sets








:

``level
-


encodings”


Each set




is partitioned into




for each




: ``level
-


encodings of

”.


Sampling:
Output


such

that




0


for a random



Equality testing(

,

,

)
: Output
1

iff




such that

,







Addition/Subtraction
: There are ops
+

and


such
that:


Multiplication:
There is an op
×

such that
:




,


such that

+





,


,




,





,





:



We have

×




+


.


Bilinear Maps: Noisy (Our Notion)

[Figure: diagram of 𝐺1 and 𝐺2 with the corresponding sets of encodings]

All operations are required to work as long as ``noise’’ level remains small.

Multilinear Maps: Our Notion


Discrete Log
: Given
level
-


encoding of

, hard
to compute level
-
(

-
1
)

encoding of

.



n
-
Multilinear

DDH
:
Given level
-
1

encodings of
1
,

1
,

,

𝑛
+
1

and a level
-
n encoding T distinguish
whether T encodes

1




𝑛
+
1

or not.



Outline


Bilinear Maps: Recall and Applications


Motivating Multilinear maps


Our Results


Definitions of Multi-linear Maps


Classical Notion


Our Notion


Our Construction


Security

(Kind of like NTRU-Based FHE, but with Equality Testing)

``Noisy” Multilinear Maps

Our Construction


We work in polynomial ring

=

[

]
/

(

)


E.g.,

(

)
=

𝑛
+
1

(


is a power of two)


Also use


=


/


=

[

]
/
(

(

)
,

)


Public parameters hide a small






and a random (large)









defines a principal ideal
𝐼
=
(

)

over



The ``scalars” that we encode are
cosets

of
𝐼

(i.e., elements in the quotient ring

/
𝐼
)


e
.g., if
|

/
𝐼
|
=


is a prime, then we can represent these
cosets

using the integers
1
,
2

,


Our Construction




[Figure: grid of encoding sets at levels 0, 1 and 2, with the cosets 1 + 𝐼, 2 + 𝐼, … and 𝐼]



=

[

]
/





and



=


/



Small






defines a principal ideal
𝐼
=
(

)

over











A random (large)
















2


+

and

×



should have
small
coefficients

If





+
𝐼
,





+
𝐼
,
are both short then,




+



has the
form

+



,


where

+


is
still short and

+




+

+
𝐼

If





+
𝐼
,





+
𝐼
,
are both short then,



×



has the
form

×


2

,


where

×


is
still short and

×






+
𝐼

Our Construction (in general)


In general, ``level
-
k encoding” of a
coset


+
𝐼

has
the form




for a short



+
𝐼


Addition: Add encodings


=







as long as
|


_



|




Multi-linear: Multiply encodings


=









to get an encoding of the product at level







as long as








``Somewhat homomorphic” encoding

Sampling and equality check?


Sampling



Sampling
:
If


𝐷 𝐺 
(

𝑛
)

(
wider
than smoothing parameter of


but still smaller than

), then


encodes a random
coset
.


Why should this work?


Recall

𝐼

=



--

vector with tiny coefficients

Encoding this random coset


Publish an encoding of 1:



=







Sampling
:
If


𝐷 𝐺 
(

𝑛
)

(
wide
enough), then


encodes a random
coset
.


Don’t know how to encode specific elements



Given this short

, set

=
[

·

]





is a valid level
-
1

encoding of the
coset


+
𝐼


Translating from level


to

+
1
:


+
1
=






Equality Checking


Do

,
’

encode the same
coset
?


Suffices to check
-






encodes
0
.


Publish a (level-k) zero-testing param




=









h

is ``somewhat short” (e.g. of size

)


To test, if

=
[

/



]


encodes
0
, compute




=

·




=







𝑔

=


𝑔



Which is small if



𝐼

(or,


=




)

Re-randomization

Compute



=






And
encode



=
[



]

,


=
[



]

,


=
[



]



But then


=







We need to re-randomize the encoding, to break these simple algebraic relations

Need to re-randomize this as well.

This re-randomization gets us statistically close to the actual distribution [AGHS12].

The Complete Encoding Scheme


Parameters:


















=




,


=





, and


=



𝑔



Encode a random element:


Sample



and

set



=


+












𝐷 𝐺 


(

)


Re-randomize u (at level 1):




=

+









Zero Test:


Map to level



(by multiplying by



for appropriate
j
)


Check if






is small
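
The mechanics of the scheme above in miniature, as an added example (not code from the talk or its authors): a deliberately insecure toy over the integers instead of the polynomial ring, running the multi-party non-interactive key agreement the talk motivates and using the zero test for equality checking. All constants and the names `Q`, `G`, `Z`, `H`, `Y`, `X`, `P_ZT` are assumptions chosen for illustration.

```python
# Toy, INSECURE sketch: plain integers stand in for the polynomial ring,
# and every constant below is an assumed illustration value.
import secrets

Q = (1 << 127) - 1      # prime modulus q
G = 101                 # secret short g; the ideal is I = g*Z
KAPPA = 3               # top level; KAPPA + 1 parties can share a key
H = 1 << 20             # "somewhat short" h, coprime to g
Z = secrets.randbelow(Q - 2) + 2                    # secret random large z
Y = (1 + 3 * G) * pow(Z, -1, Q) % Q                 # public level-1 encoding of 1
X = 5 * G * pow(Z, -1, Q) % Q                       # public level-1 encoding of 0
P_ZT = H * pow(Z, KAPPA, Q) * pow(G, -1, Q) % Q     # public zero-test parameter

def centered(x):
    """Representative of x mod Q in (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def publish(secret):
    """Level-1 encoding of secret + I, re-randomized: [secret*y + r*x]_q."""
    return (secret * Y + secrets.randbits(8) * X) % Q

def party_key(secret, others_public):
    """Own level-0 secret times KAPPA public level-1 encodings -> level KAPPA."""
    acc = secret
    for u in others_public:
        acc = acc * u % Q
    return acc

def is_zero(u):
    """[p_zt * u]_q is small when u's numerator lies in I, large otherwise."""
    return abs(centered(P_ZT * u)) < (1 << 95)      # threshold about q^(3/4)

def same_coset(u, v):
    """Equality check: u and v encode the same coset iff u - v encodes 0."""
    return is_zero(u - v)

def demo(level0_secrets=(5, 17, 23, 42)):
    """Four parties; returns (all keys agree, a wrong secret is rejected)."""
    pub = [publish(s) for s in level0_secrets]
    keys = [party_key(s, pub[:i] + pub[i + 1:])
            for i, s in enumerate(level0_secrets)]
    agree = all(same_coset(keys[0], k) for k in keys[1:])
    wrong = party_key(level0_secrets[0] + 1, pub[1:])
    return agree, not same_coset(keys[0], wrong)
```

Each party ends up with a different level-3 encoding of the same coset because of the re-randomization, which is why agreement has to be checked through the zero test rather than by comparing values directly.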

Variants


Asymmetric variants (many z_i’s), XDH analog





=






,


,

=


,





,

,



=





𝑔



Partially symmetric and partially asymmetric


Statistical Zero-test security

Security: Cryptanalysis

Attacks
















=




,


=





, and


=



𝑔



Goal:
To find



or



Covering the basics (Not ``Trivially’’ broken)

Adversary that only (iteratively) adds, subtracts, multiplies, or divides pairs of elements that it has already computed cannot break the scheme

Similar in spirit to Generic Group model

Without the


-

essentially the NTRU problem



Attacks
















=




,


=





, and


=



𝑔



Goal:
To find



or



Algebraic and Lattice Attacks


Averaging attacks


Other attacks for Principal Ideals



Summary


Presented ``noisy” cryptographic multilinear map.

Construction is similar to NTRU-based homomorphic encryption, but with an equality-testing parameter.

Security is based on somewhat stronger computational assumptions than NTRU.

But more cryptanalysis needs to be done!

And more applications need to be found!


Thank You! Questions?