Multilinear Maps From Ideal
Lattices
and Applications
Sanjam
Garg
(UCLA)
Joint work with
Craig Gentry (IBM) and
Shai
Halevi
(IBM)
Outline
Bilinear Maps: Recall and Applications
Motivating Multilinear maps
Our Results
Definitions of Multi

linear Maps
Classical Notion
Our Notion
Our Construction
Security
Cryptographic
Bi
linear
Maps
(Weil and Tate Pairings)
Recalling Bilinear Maps
and its Applications: Motivating
Multilinear Maps
Cryptographic
Bi
linear Maps
Bilinear maps are
extremely
useful in cryptography
lots of applications
As the name suggests allow pairing two things
together
Bi
linear Maps
–
Definitions
Cryptographic bilinear map
Groups
𝐺
1
and
𝐺
2
of order
with
generators
1
,
2
=
1
,
1
and
a bilinear map
∶
𝐺
1
×
𝐺
1
→
𝐺
2
such that
∀
,
∈
,
1
,
1
=
2
Instantiation
:
Weil or Tate pairings
over elliptic
curves.
CDH
is
hard
Given
1
,
1
hard
to get
1
DDH
is easy
Given
1
,
1
,
=
?
1
1
,
1
=
1
,
Bilinear Maps: ``
Hard
” Problems
3

party Decisional
Diffie

Hellman
: Given
1
,
1
,
1
,
1
∈
𝐺
hard to distinguish
1
from
Random
Bilinear
Diffie

Hellman
: Given
1
,
1
,
1
,
1
∈
𝐺
hard to distinguish
1
,
1
=
2
from Random
Non

Interactive Key Agreement
[DH76]
Easy
Application:
Tri

partite
key
agreement [Joux00]:
Alice, Bob, Carol generate
,
,
and broadcast
1
,
1
,
1
.
They each separately compute the key
𝐾
=
1
,
1
What if we have more than
3

parties
?
[BS03]
1
1
𝐾
=
1
Application 1
Prover
Verifier
Non

Interactive Zero Knowledge
[
BMF88
]
Soundness:
Statement is true
Zero

knowledge:
Nothing but truth revealed
Common reference string :
𝐴
&
$%3
(
?
Proof:
Witness
for
statement
being true
Statement :
Application 2
Only know constructions are from
Bilinear Maps[GOS06]
and
Trapdoor permutation[FLS90]
.
What if we had
Bilinear maps
from some other
assumption
?
PKE with Enhanced Capabilities
Identity
Based Encryption
[Sha84]
Boneh
and Franklin using bilinear maps [BF01
]
More general notion
–
Attribute Based Encryption [SW05]
Application 3
10
PK
MSK
“Tel

Aviv University”
“Professor”
“Tel

Aviv University”
“Grad

student”
OR
Chancellor
AND
TAU
Professor
OR
Chancellor
AND
TAU
Professor
SK’
SK
Key Authority
Attribute

Based Encryption
[SW05]
How general can
this policy be?
Bottom line:
Very few
policies such as
formulas
are known to be
realizable.
Application 3
What if we had
multilinear
maps
?
Other Applications
Traitor

Tracing
(with
small
ciphertexts
)[BSW06
]
Efficient Signature Schemes [BLS04]
Efficient Broadcast Encryption
Attribute based signatures
Blind Signatures/Anonymous Credentials
Structure Preserving Signatures
And many more
….
There is a conference on
Pairing based Cryptography
What if we had
multilinear
map? [BS03]
Outline
Bilinear Maps: Recall and Applications
Motivating Multilinear maps
Our Results
Definitions of Multi

linear Maps
Classical Notion
Our Notion
Our Construction
Security
Our Results
constructions
of multi

linear maps
Use
these to get

party
non

interactive
Diffie
Hellman
NIZKs from lattice
assumptions
Attribute based encryption for
general circuits
[
GGH12
,
SW12]
Witness Encryption [GGSW12]
Insufficient for [Rot12] counterexample
Every bit encryption remains secure even when
encryption of the secret key is given out
Candidate
approximate
Constructions
of multi

linear maps
(Public parameters hide secrets)
Encrypter
Witness Encryption
Soundness:
Statement is
false
⟹
Semantic Security
Witness for
statement
.
Statement :
Encrypter
Receiver
Application 4
Outline
Bilinear Maps: Recall and Applications
Motivating Multilinear maps
Our Results
Definitions of Multi

linear Maps
Classical Notion
Our Notion
Our Construction
Security
Cryptographic
Multi

linear
Maps
Definitions: Classical notion and our Approximate variant
Multilinear Maps:
Classical Notion
Cryptographic n

multilinear
map (for groups)
Groups
𝐺
1
,
…
,
𝐺
of order
with generators
1
,
…
,
Family of maps:
,
:
𝐺
×
𝐺
→
𝐺
+
for
+
≤
, where
,
,
=
+
∀
,
∈
.
And at least
the
``discrete
log” problems in
each
𝐺
is ``hard’’.
And hopefully the
generalization of 3

party DH
Getting to our Notion
Our
visualization
of (traditional)
Bilinear Maps
Step by step I will
make changes to
get our notion of
Bilinear Maps
At each step
provide
Extension to
Multi

linear
Maps
Bilinear Maps:
Our visualization
1
2
⋮
𝐺
1
1
1
1
2
⋮
1
𝐺
2
2
1
2
2
⋮
2
Bilinear
Maps:
Our visualization
Sampling
1
2
⋮
𝐺
1
1
1
1
2
⋮
1
𝐺
2
2
1
2
2
⋮
2
It was easy to sample uniformly from
.
Bilinear
Maps:
Our visualization
Equality Checking
1
2
⋮
𝐺
1
1
1
1
2
⋮
1
𝐺
2
2
1
2
2
⋮
2
Trivial to check if two terms are the same.
Bilinear
Maps:
Our visualization
Addition
1
2
⋮
𝐺
1
1
1
1
2
⋮
1
𝐺
2
2
1
2
2
⋮
2
1
3
Bilinear
Maps:
Our visualization
Multiplication
1
2
⋮
𝐺
1
1
1
1
2
⋮
1
𝐺
2
2
1
2
2
⋮
2
Bilinear
Maps:
Sets
(Our Notion)
1
2
⋮
𝐺
1
1
1
1
2
⋮
1
𝐺
2
2
1
2
2
⋮
2
0
1
0
2
0
1
1
1
2
1
2
1
2
2
2
0
1
2
Level

0 encodings
Multilinear Maps: Our Notion
Finite ring
and
sets
∀
∈
:
``level

encodings”
Each set
is partitioned into
for each
∈
: ``level

encodings of
”.
Bilinear
Maps:
Sampling
(Our Notion)
1
2
⋮
𝐺
1
1
1
1
2
⋮
1
𝐺
2
2
1
2
2
⋮
2
0
1
0
2
0
1
1
1
2
1
2
1
2
2
2
0
1
2
It was easy to sample uniformly from
.
I should be efficient to sample
←
0
such that
∈
0
for a
u
niform
.
It
may not be
uniform
in
0
or
0
.
Multilinear Maps: Our Notion
Finite ring
and
sets
∀
∈
:
``level

encodings”
Each set
is partitioned into
for each
∈
: ``level

encodings of
”.
Sampling:
Output
such
that
∈
0
for a u
nifrom
Bilinear
Maps:
Equality Checking
(Our Notion)
1
2
⋮
𝐺
1
1
1
1
2
⋮
1
𝐺
2
2
1
2
2
⋮
2
0
1
0
2
0
1
1
1
2
1
2
1
2
2
2
0
1
2
It was trivial to check if two terms are the same.
Check if two
values come
from the
same set.
Multilinear Maps: Our Notion
Finite ring
and
sets
∀
∈
:
``level

encodings”
Each set
is partitioned into
for each
∈
: ``level

encodings of
”.
Sampling:
Output
such
that
∈
0
for a random
Equality testing(
,
,
)
: Output
1
iff
∃
such that
,
∈
Bilinear
Maps:
Addition
(Our Notion)
1
2
⋮
𝐺
1
1
1
1
2
⋮
1
𝐺
2
2
1
2
2
⋮
2
0
1
0
2
0
1
1
1
2
1
2
1
2
2
2
0
1
2
1
3
1
3
Multilinear Maps: Our Notion
Finite ring
and
sets
∀
∈
:
``level

encodings”
Each set
is partitioned into
for each
∈
: ``level

encodings of
”.
Sampling:
Output
such
that
∈
0
for a random
Equality testing(
,
,
)
: Output
1
iff
∃
such that
,
∈
Addition/Subtraction
: There are ops
+
and
–
such
that:
∀
∈
,
,
∈
,
∈
,
∈
:
We have
+
∈
+
and
−
∈
−
.
Bilinear
Maps:
Multiplication
(Our Notion)
1
2
⋮
𝐺
1
1
1
1
2
⋮
1
𝐺
2
2
1
2
2
⋮
2
0
1
0
2
0
1
1
1
2
1
2
1
2
2
2
0
1
2
Multilinear Maps: Our Notion
Finite ring
and
sets
∀
∈
:
``level

encodings”
Each set
is partitioned into
for each
∈
: ``level

encodings of
”.
Sampling:
Output
such
that
∈
0
for a random
Equality testing(
,
,
)
: Output
1
iff
∃
such that
,
∈
Addition/Subtraction
: There are ops
+
and
–
such
that:
Multiplication:
There is an op
×
such that
:
∀
,
such that
+
≤
,
∀
,
∈
,
∈
,
∈
:
We have
×
∈
+
.
Bilinear
Maps:
Noisy
(Our Notion)
1
2
⋮
𝐺
1
1
1
1
2
⋮
1
𝐺
2
2
1
2
2
⋮
2
0
1
0
2
0
1
1
1
2
1
2
1
2
2
2
0
1
2
All operations
are required
to work as
long as
``noise’’ level
remains small.
Multilinear
Maps: Our Notion
Discrete Log
: Given
level

encoding of
, hard
to compute level

(

1
)
encoding of
.
n

Multilinear
DDH
:
Given level

1
encodings of
1
,
1
,
…
,
𝑛
+
1
and a level

n encoding T distinguish
whether T encodes
1
∙
∙
∙
𝑛
+
1
or not.
Outline
Bilinear Maps: Recall and Applications
Motivating Multilinear maps
Our Results
Definitions of Multi

linear Maps
Classical Notion
Our Notion
Our Construction
Security
(Kind of like NTRU

Based FHE, but with Equality Testing)
``Noisy” Multilinear
Maps
Our Construction
We work in polynomial ring
=
[
]
/
(
)
E.g.,
(
)
=
𝑛
+
1
(
is a power of two)
Also use
=
/
=
[
]
/
(
(
)
,
)
Public parameters hide a small
∈
and a random (
l
arge)
∈
defines a principal ideal
𝐼
=
(
)
over
The ``scalars” that we encode are
cosets
of
𝐼
(i.e., elements in the quotient ring
/
𝐼
)
e
.g., if

/
𝐼

=
is a prime, then we can represent these
cosets
using the integers
1
,
2
…
,
Our Construction
0
1
0
2
0
0
⋮
1
1
1
2
1
1
⋮
2
1
2
2
2
2
⋮
1
+
𝐼
2
+
𝐼
𝐼
=
[
]
/
and
=
/
Small
∈
defines a principal ideal
𝐼
=
(
)
over
A
random (large)
∈
2
+
and
×
should have
small
coefficients
If
∈
+
𝐼
,
∈
+
𝐼
,
are both short then,
+
has the
form
+
,
where
+
is
still short and
+
∈
+
+
𝐼
If
∈
+
𝐼
,
∈
+
𝐼
,
are both short then,
×
has the
form
×
2
,
where
×
is
still short and
×
∈
∙
+
𝐼
Our
Construction
(in general)
In general, ``level

k encoding” of a
coset
+
𝐼
has
the form
for a short
∈
+
𝐼
Addition:
Add encodings
=
as long as

_

≪
Multi

linear
: Multiply encodings
=
to get an encoding of the product at level
as long as
≪
``Somewhat
homomorphic
” encoding
Sampling and equality check?
Sampling
Sampling
:
If
←
𝐷 𝐺
(
𝑛
)
(
wider
than smoothing parameter of
but still smaller than
), then
encodes a random
coset
.
Why should this work?
Recall
𝐼
=

vector with
tiny
coefficients
Encoding this random
coset
Publish an encoding of 1:
=
Sampling
:
If
←
𝐷 𝐺
(
𝑛
)
(
wide
enough), then
encodes a random
coset
.
Don’t know how to encode specific elements
Given this short
, set
=
[
·
]
is a valid level

1
encoding of the
coset
+
𝐼
Translating from level
to
+
1
:
+
1
=
⋅
Equality
Checking
Do
,
’
encode the same
coset
?
Suffices to check

−
′
encodes
0
.
Publish a (level

k
) zero

testing
param
=
ℎ
h
is ``somewhat short” (e.g. of size
)
To test, if
=
[
/
]
encodes
0
, compute
=
·
=
∙
ℎ
𝑔
=
ℎ
𝑔
Which is small if
∈
𝐼
(or,
=
′
)
Re

randomizaton
0
0
0
0
C
ompute
=
And
encode
=
[
]
,
=
[
]
,
=
[
]
But then
=
We need to re

randomize the encoding, to break
these simple algebraic relations
1
1
0
0
′
0
′′
⋯
⋯
⋯
Need to re

randomize
this as well.
This
re

randomization
gets us statistically
close to the
actual
distribution
[
AGHS12].
1
0
The Complete Encoding Scheme
Parameters:
=
,
=
, and
=
ℎ
𝑔
Encode a random element:
S
ample
and
set
=
+
←
𝐷 𝐺
(
)
Re

randomize
u
(at level 1):
′
=
+
Zero Test:
Map to level
(by multiplying by
for appropriate
j
)
Check if
⋅
is small
Variants
Asymmetric variants (many
z
i
’s
), XDH analog
=
,
,
=
,
,
,
=
ℎ
𝑔
Partially symmetric and partially asymmetric
Statistical Zero

test security
Security: Cryptanalysis
Attacks
=
,
=
, and
=
ℎ
𝑔
Goal:
To find
or
Covering
the
basics
(Not ``Trivially’’
broken)
Adversary that only (iteratively) adds, subtracts,
multiplies, or divides pairs of elements that it has
already computed
cannot break the scheme
Similar in spirit to Generic Group model
Without the

essentially the NTRU problem
Attacks
=
,
=
, and
=
ℎ
𝑔
Goal:
To find
or
Algebraic and Lattice Attacks
Averaging attacks
Other attacks for Principal Ideals
Summary
Presented ``noisy” cryptographic
multilinear
map.
Construction is similar to NTRU

based
homomorphic
encryption, but with
an equality

testing
parameter.
Security is based on somewhat stronger
computational assumptions than NTRU.
But
more cryptanalysis
needs to be done!
And
more applications
need to be found!
Thank You! Questions?
Comments 0
Log in to post a comment