# Multilinear Maps From Ideal Lattices and Applications

21 Nov 2013

Sanjam Garg (UCLA)

Joint work with Craig Gentry (IBM) and Shai Halevi (IBM)

Outline

Bilinear Maps: Recall and Applications

Motivating Multilinear maps

Our Results

Definitions of Multi-linear Maps

Classical Notion

Our Notion

Our Construction

Security

Cryptographic Bilinear Maps

(Weil and Tate Pairings)

Recalling Bilinear Maps and its Applications: Motivating Multilinear Maps

Cryptographic Bilinear Maps

Bilinear maps are extremely useful in cryptography

lots of applications

As the name suggests, they allow pairing two things together

Bilinear Maps

Definitions

Cryptographic bilinear map

Groups
𝐺
1

and
𝐺
2

of order

with
generators

1
,

2
=


1
,

1
and
a bilinear map


𝐺
1
×
𝐺
1

𝐺
2

such that


,


,


1

,

1

=

2


Instantiation: Weil or Tate pairings over elliptic curves.

CDH is hard

Given

1

,

1

hard
to get

1


DDH is easy

Given

1

,

1

,




=

?


1




1

,

1

=


1
,


Bilinear Maps: ``Hard” Problems

3-party Decisional Diffie-Hellman: Given

1
,

1

,

1

,

1


𝐺

hard to distinguish


1

from

Random

Bilinear Diffie-Hellman: Given


1
,

1

,

1

,

1


𝐺

hard to distinguish



1
,

1

=

2


from Random

Non-Interactive Key Agreement [DH76]

Easy Application: Tri-partite key agreement [Joux00]:

Alice, Bob, Carol generate

,

,



1

,

1

,

1

.

They each separately compute the key
𝐾

=



1
,

1



What if we have more than 3-parties? [BS03]






1


1


𝐾

=


1


Application 1

Prover

Verifier

Non-Interactive Zero Knowledge [BMF88]

Soundness: Statement is true

Zero-knowledge: Nothing but truth revealed

Common reference string : 𝐴&\$%3(

?

Proof:

Witness for statement being true

Statement :


Application 2

Only known constructions are from Bilinear Maps [GOS06] and Trapdoor permutation [FLS90].

Bilinear maps from some other assumption?

PKE with Enhanced Capabilities

Identity Based Encryption [Sha84]

Boneh and Franklin using bilinear maps [BF01]

More general notion

Attribute Based Encryption [SW05]

Application 3

[Figure: attribute-based encryption diagram with labels PK, MSK, SK, SK’, Key Authority, “Tel-Aviv University”, “Professor”, -student”, and a policy tree over OR, AND, Chancellor, TAU, Professor]

Attribute-Based Encryption [SW05]

How general can this policy be?

Bottom line: Very few policies such as formulas are known to be realizable.

multilinear maps?

Other Applications

Traitor-Tracing (with small ciphertexts) [BSW06]

Efficient Signature Schemes [BLS04]

Attribute based signatures

Blind Signatures/Anonymous Credentials

Structure Preserving Signatures

And many more ….

There is a conference on Pairing based Cryptography

multilinear map? [BS03]


Our Results

constructions of multi-linear maps

Use these to get

-party non-interactive Diffie Hellman

NIZKs from lattice assumptions

Attribute based encryption for general circuits [GGH12, SW12]

Witness Encryption [GGSW12]

Insufficient for [Rot12] counterexample

Every bit encryption remains secure even when encryption of the secret key is given out

Candidate approximate Constructions of multi-linear maps

(Public parameters hide secrets)

Encrypter

Witness Encryption

Soundness: Statement is false

Semantic Security

Witness for statement.

Statement :


Encrypter

Application 4


Cryptographic Multi-linear Maps

Definitions: Classical notion and our Approximate variant

Multilinear Maps: Classical Notion

Cryptographic n-multilinear map (for groups)

Groups
𝐺
1
,

,
𝐺


of order

with generators

1
,

,



Family of maps:



,

:

𝐺

×

𝐺


𝐺

+


for

+



, where



,



,



=


+




,


.

And at least the ``discrete log” problems in each 𝐺 is ``hard’’.

And hopefully the generalization of 3-party DH

Getting to our Notion

Our visualization

Bilinear Maps

Step by step I will make changes to get our notion of Bilinear Maps

At each step provide Extension to Multi-linear Maps

Bilinear Maps: Our visualization

[Figure: visualization of the elements of 𝐺1 and 𝐺2]

Bilinear Maps: Our visualization

Sampling

[Figure: visualization of the elements of 𝐺1 and 𝐺2]

It was easy to sample uniformly from

.

Bilinear Maps: Our visualization

Equality Checking

[Figure: visualization of the elements of 𝐺1 and 𝐺2]

Trivial to check if two terms are the same.

Bilinear Maps: Our visualization

[Figure: visualization of the elements of 𝐺1 and 𝐺2]

Bilinear Maps: Our visualization

Multiplication

[Figure: visualization of the elements of 𝐺1 and 𝐺2]

Bilinear Maps: Sets (Our Notion)

[Figure: visualization of 𝐺1 and 𝐺2 alongside the corresponding sets of encodings, with the label “Level-0 encodings”]

Multilinear Maps: Our Notion

Finite ring

and
sets



:

``level
-

encodings”

Each set



is partitioned into


for each


: ``level
-

encodings of

”.

Bilinear Maps: Sampling (Our Notion)

[Figure: visualization of 𝐺1 and 𝐺2 alongside the corresponding sets of encodings]

It was easy to sample uniformly from

.

It should be efficient to sample


0

such that


0

for a uniform


.

It may not be uniform in

0

or

0

.

Multilinear Maps: Our Notion


Sampling:
Output

such

that


0

for a uniform



Bilinear Maps: Equality Checking (Our Notion)

[Figure: visualization of 𝐺1 and 𝐺2 alongside the corresponding sets of encodings]

It was trivial to check if two terms are the same.

Check if two values come from the same set.

Multilinear Maps: Our Notion


Sampling:
Output

such

that


0

for a random


Equality testing(

,

,

)
: Output
1

iff



such that

,




Bilinear Maps: (Our Notion)

[Figure: visualization of 𝐺1 and 𝐺2 alongside the corresponding sets of encodings]

Multilinear Maps: Our Notion





: There are ops
+

and

such
that:


,

,


,



,





:

We have

+




+

and






.

Bilinear Maps: Multiplication (Our Notion)

[Figure: visualization of 𝐺1 and 𝐺2 alongside the corresponding sets of encodings]

Multilinear Maps: Our Notion





: There are ops
+

and

such
that:

Multiplication: There is an op × such that:

,


such that

+



,


,


,



,





:

We have

×




+


.

Bilinear Maps: Noisy (Our Notion)

[Figure: visualization of 𝐺1 and 𝐺2 alongside the corresponding sets of encodings]

All operations are required to work as long as ``noise’’ level remains small.

Multilinear Maps: Our Notion

Discrete Log
: Given
level
-


encoding of

, hard
to compute level
-
(

-
1
)

encoding of

.

n-Multilinear DDH: Given level-1 encodings of
1
,

1
,

,

𝑛
+
1

and a level-n encoding T distinguish whether T encodes

1


𝑛
+
1

or not.


(Kind of like NTRU-Based FHE, but with Equality Testing)

``Noisy” Multilinear Maps

Our Construction

We work in polynomial ring

=

[

]
/

(

)

E.g.,

(

)
=

𝑛
+
1

(


is a power of two)

Also use


=

/


=

[

]
/
(

(

)
,

)

Public parameters hide a small





and a random (large)





defines a principal ideal
𝐼
=
(

)

over

The ``scalars” that we encode are cosets of 𝐼

(i.e., elements in the quotient ring

/
𝐼
)

e.g., if
|

/
𝐼
|
=

is a prime, then we can represent these cosets using the integers
1
,
2

,

Our Construction


[Figure: the sets of encodings at each level, with the cosets 1 + 𝐼, 2 + 𝐼 and 𝐼]

=

[

]
/



and


=

/


Small





defines a principal ideal
𝐼
=
(

)

over

A random (large)











2


+

and

×



should have small coefficients

If



+
𝐼
,



+
𝐼
,
are both short then,



+



has the form

+



,

where

+


is still short and

+



+

+
𝐼

If



+
𝐼
,



+
𝐼
,
are both short then,



×



has the form

×


2

,

where

×


is still short and

×





+
𝐼

Our Construction (in general)

In general, ``level-k encoding” of a coset


+
𝐼

has the form




for a short



+
𝐼



=






as long as
|


_

|



Multi-linear: Multiply encodings


=







to get an encoding of the product at level



as long as





``Somewhat homomorphic” encoding

Sampling and equality check?

Sampling

Sampling: If


𝐷 𝐺 
(

𝑛
)

(wider than smoothing parameter of


but still smaller than

), then


encodes a random coset.

Why should this work?

Recall

𝐼

=



--

vector with tiny coefficients

Encoding this random coset

Publish an encoding of 1:

=




Sampling: If


𝐷 𝐺 
(

𝑛
)

(wide enough), then


encodes a random coset.

Don’t know how to encode specific elements

Given this short

, set

=
[

·

]




is a valid level-1 encoding of the coset


+
𝐼

Translating from level

to

+
1
:


+
1
=




Equality Checking

Do

,
’

encode the same coset?

Suffices to check
-






encodes 0.

Publish a (level-k) zero-testing param



=






h

is ``somewhat short” (e.g. of size

)

To test, if

=
[

/


]


encodes 0, compute


=

·




=






𝑔

=


𝑔


Which is small if


𝐼

(or,


=




)

Re-randomization


0



0



0



0














Compute



=





And encode



=
[



]

,


=
[



]

,


=
[



]


But then


=





We need to re-randomize the encoding, to break these simple algebraic relations














1



1


0


0


0
′′

Need to re-randomize this as well.

This re-randomization gets us statistically close to the actual distribution [AGHS12].


1
0

The Complete Encoding Scheme

Parameters:

=



,


=





, and


=



𝑔


Encode a random element:

Sample



and set


=


+









𝐷 𝐺 


(

)

Re-randomize u (at level 1):



=

+







Zero Test:

Map to level



(by multiplying by



for appropriate j)

Check if






is small
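A toy integer analogue of the encoding scheme summarized above, added here as an illustration and not code from the talk or its authors. It replaces the polynomial ring with the integers; the symbol names in the comments follow the usual notation for this construction and, like every parameter value, the function names and the zero-test threshold, are assumptions where the slide formulas did not survive. Key extraction is left out, so the demo only checks that four parties end up holding level-3 encodings of the same coset.

```python
import random

# Toy analogue over the integers (R = Z rather than a polynomial ring).
# All values are constructed for illustration and give no security.
rng = random.Random(2013)            # fixed seed: reproducible run
Q = 2**521 - 1                       # modulus q (prime, so g and z are invertible)
KAPPA = 3                            # level at which the zero test applies
G = 101                              # secret small g; cosets of I = (g) are Z/gZ
Z = rng.randrange(2, Q)              # secret random (large) z
H = rng.randrange(2**259, 2**260)    # "somewhat short" h, about sqrt(q)
while H % G == 0:                    # h must not be a multiple of g
    H += 1

def inv(a):
    return pow(a, -1, Q)

# Public parameters: an encoding of 1, an encoding of 0, the zero-test parameter.
Y = (1 + G * rng.randint(1, 4)) * inv(Z) % Q   # y = [a/z]_q, a in 1 + I
X = G * rng.randint(1, 4) * inv(Z) % Q         # x = [b/z]_q, b in I
P_ZT = H * pow(Z, KAPPA, Q) * inv(G) % Q       # p_zt = [h z^kappa / g]_q
THRESHOLD = 1 << 390                           # about q^(3/4)

def sample():
    """Short level-0 d plus its re-randomized level-1 encoding, built from Y and X only."""
    d = rng.randrange(1, G)
    return d, (d * Y + rng.randint(-4, 4) * X) % Q

def is_zero(u):
    """[p_zt * u]_q = [h c / g]_q is small exactly when the numerator c lies in I."""
    w = P_ZT * u % Q
    return min(w, Q - w) < THRESHOLD

def same_coset(u, v):
    return is_zero((u - v) % Q)

def shared_encoding(my_d, others_u):
    """Own level-0 secret times the other parties' level-1 values: a level-kappa encoding."""
    k = my_d
    for u in others_u:
        k = k * u % Q
    return k

def key_agreement_demo():
    parties = [sample() for _ in range(KAPPA + 1)]   # (secret d_i, public u_i)
    pub = [u for _, u in parties]
    keys = [shared_encoding(d, pub[:i] + pub[i + 1:]) for i, (d, _) in enumerate(parties)]
    outsider = shared_encoding(parties[0][0] + 1, pub[1:])   # wrong secret
    return all(same_coset(keys[0], k) for k in keys[1:]), same_coset(keys[0], outsider)
```

The four values in `keys` are computed from different noisy numerators, which is why the comparison goes through the zero test rather than plain equality.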

Variants

Asymmetric variants (many z_i’s), XDH analog

=




,


,

=


,





,

,



=



𝑔


Partially symmetric and partially asymmetric

Statistical Zero-test security

Security: Cryptanalysis

Attacks

=



,


=





, and


=



𝑔


Goal: To find

or


Covering the basics (Not ``Trivially’’ broken)

multiplies, or divides pairs of elements that it has

cannot break the scheme

Similar in spirit to Generic Group model

Without the


-

essentially the NTRU problem

Attacks



Algebraic and Lattice Attacks

Averaging attacks

Other attacks for Principal Ideals

Summary

Presented ``noisy” cryptographic multilinear map.

Construction is similar to NTRU-based homomorphic encryption, but with an equality-testing parameter.

Security is based on somewhat stronger computational assumptions than NTRU.

But more cryptanalysis needs to be done!

And more applications need to be found!

Thank You! Questions?