A Survey of Computational Assumptions on Bilinear and Multilinear - PowerPoint PPT Presentation

A Survey of Computational Assumptions on Bilinear and Multilinear Maps Allison Bishop IEX and Columbia University

Group Basics “There are two kinds of people in this world. Those who like additive group notation, and those who like multiplicative group notation .” inefficient: ? discrete log efficient: ? group operation identity test

Bilinear Groups efficient:

When Faced with a New Group Assumption: Is it secret? Is it safe? Is it useful? Is it needed?

Kinds of Assumptions • Generic group models • q-type assumptions • static assumptions Variants: Symmetric/Asymetric Composite Order/ Prime Order Linear/ Bilinear/ MultiLinear

Kinds of Proof Techniques • Brute Force basic generic group arguments • Cancelation BB IBE • Encoding G06 , W’05 … W09, LW10, LOSTW10,… • Dual System CM14, W16 • Deja Q • …

Billinear Diffie-Hellman Assumption Symmetric group: Given: Distinguish:

SXDH Assumption Asymmetric group: Given: Distinguish:

A Basic q-type Assumption Symmetric group: Given: Distinguish:

A Driving Example: IBE Decryption:

Arguing Generic Security Look at the blinding factor: Look at exponents you are given in G: All you can do is take linear combinations of degree at most 2

Proof Challenges Beyond Generic Security Hard Problem  Attacker Simulator Simulator must balance two competing goals: answer leverage attacker attacker queries success

Arguing Selective Security - Embed the challenge as a function of known ID* Given: Distinguish: Choose then Simulator can produce key for any ID not equal to ID*!

How to Leverage a q-Type Assumption [example from W05] What if we don’t want to fix ID* ahead of time? Can’t make To partition small PP with parameter q: Keys the simulator can make Use a q-size assumption!

Simulation Techniques Deja Q [CM13,W16] q-type Composite Order Dual pairing vector spaces Subgroup Decision [OT08,OT09,…] SXDH/DLIN *These arrows are partial and not transitive!

Composite Order Bilinear Groups How the pairing operates: a c d E b f ab df

Subgroup Decision Assumptions in Composite Order Bilinear Groups Example: Given Distinguish from

Subgroup Decision in a Multilinear Group? Here’s what it might look like in a 3 -linear group: Given Distinguish from

Deja Q – Basic Example r 1 a r 1 a r 1 a r 1 a 2 r 1 a 2 r 1 a 2 Subgroup decision r 1 a 3 r 1 a 3 r 1 a 3 … … r 1 a q r 1 a q r 1 a q

Deja Q – Basic Example Mod p Mod q Mod p Mod q r 1 a r 1 a r 1 a t 1 b Chinese r 1 a 2 r 1 a 2 r 1 a 2 t 1 b 2 Remainder Theorem r 1 a 3 r 1 a 3 r 1 a 3 t 1 b 3 … … r 1 a q r 1 a q r 1 a q t 1 b q

Deja Q – Basic Example Mod p Mod q Mod p Mod q r 1 a t 1 b 1 r 1 a t 1 b 1 + t 2 b 2 Subgroup 2 + t 2 b 2 r 1 a 2 2 t 1 b 1 r 1 a 2 2 t 1 b 1 Decision + Chinese r 1 a 3 3 t 1 b 1 r 1 a 3 3 + t 2 b 2 3 t 1 b 1 Remainder Theorem … … r 1 a q q t 1 b 1 r 1 a q q + t 2 b 2 q t 1 b 1

Deja Q – Basic Example Mod q Mod p r 1 a t 1 b 1 + t 2 b 2 + … + t q b q Subgroup 2 + t 2 b 2 r 1 a 2 2 + … + t q b q 2 Subgroup t 1 b 1 Decision + Decision + Chinese Chinese r 1 a 3 3 + t 2 b 2 3 + … + t q b q 3 t 1 b 1 Remainder Remainder Theorem Theorem … … r 1 a q q + t 2 b 2 q + … + t q b q q t 1 b 1

Deja Q – Basic Example 𝑐 1 ⋯ 𝑐 𝑟 𝑢 1 = ⋮ ⋱ ⋮ ⋮ Uniformly random Mod q 𝑟 𝑟 𝑐 1 ⋯ 𝑐 𝑟 𝑢 𝑟 Full rank

Deja Q – Basic Example Mod q Mod p r 1 a t 1 b 1 + t 2 b 2 + … + t q b q z 1 2 + t 2 b 2 r 1 a 2 t 1 b 1 2 + … + t q b q 2 z 2 Identically Distributed to r 1 a 3 3 + t 2 b 2 3 + … + t q b q 3 z 3 t 1 b 1 z 3 … … r 1 a q q + t 2 b 2 q + … + t q b q q z q t 1 b 1

Dual Pairing Vector Spaces 𝑐 2 𝑐 1 Emulates some features of composite order, asymmetric group: r t E s z rs tz

Emulating Subgroup Decision using SXDH Asymmetric group: Given: Distinguish:

Dual System – Using Subgroup Assumptions for Functional Encryption [W09 + too many to cite*] Most Basic Template: PP: CT: Unconstrained by PP! SK: SF CT: SF SK:

Using Subgroup Assumptions for Obfuscation [GBSW 15] • Reduction will isolate each input. • Main idea: • Have poly many “parallel” obfuscations, C 0 C 0 C 1 each responsible for a bucket of inputs • Hybrid Type 1: Allocate/Transfer inputs among different buckets, but programs do not change at all. Assumption used here. • Hybrid Type 2: When one bucket only has a single isolated input, then apply Kilian and change the program. Information-theoretic / No Assumption needed.

Ok, So what are these buckets really like? Matrix Branching Programs Simple example: [Barrington, GGHRSW] Want to implement: • Oblivious Matrix Branching Program for F: F(x 1 x 2 ) = XOR( x 1 , x 2 ) M 1, 0 M 1, 1 • n-bit input x=x 1 x 2 … x n (e.g. n=3 here) æ ö æ ö • 2k invertible matrices over Z N 0 1 1 0 M 1,1 = M 1,0 = ç ÷ ç ÷ • Evaluation on x: M 2, 0 M 2, 1 è ø è ø 0 1 1 0 ì I if F ( x ) = 0 ï Õ = í M i , x ( i mod n ) M 3, 0 M 3, 1 æ ö æ ö B if F ( x ) = 1 ï î 0 1 1 0 i = 1... k M 2,1 = M 2,0 = ç ÷ ç ÷ • Where B is fixed matrix ≠ I over Z N è ø è ø 0 1 1 0 M 4, 0 M 4, 1 æ ö 0 1 … … B = ç ÷ è ø 1 0 [ Barrington ] : All log-depth (NC 1 ) circuits M k, 0 M k, 1 have poly-size Matrix Branching Programs

Kilian Simulation Towards Obfuscation • Oblivious Matrix Branching Program for F: ~ ~ M 1, 0 M 1, 1 • n-bit input x=x 1 x 2 … x n (e.g. n=3 here) • 2k invertible matrices over Z N ~ ~ • Evaluation on x: M 2, 0 M 2, 1 ì I if F ( x ) = 0 ï Õ ~ ~ = í M i , x ( i mod n ) M 3, 0 M 3, 1 B if F ( x ) = 1 ï î i = 1... k • Where B is fixed matrix ≠ I over Z N ~ ~ M 4, 0 M 4, 1 • Kilian Randomization: • Chose R 1 , …, R k-1 random over Z N … … • Kilian shows that for each x, can statistically ~ ~ M k, 0 M k, 1 simulate M x matrices knowing only product. ~

Hybrids Intuition C 0 C 0 C 0 ~ ~ ~ M 1, 1 M 1, 0 M 1, 1 ~ ~ ~ ~ ~ M 2, 0 M 2, 1 M 2, 0 M 2, 1 M 2, 0 ~ ~ ~ ~ ~ M 3, 0 M 3, 1 M 3, 0 M 3, 1 M 3, 0 … ~ ~ ~ ~ ~ M 4, 0 M 4, 1 M 4, 0 M 4, 1 M 4, 1 … … … … … ~ ~ ~ ~ ~ M k, 0 M k, 1 M k, 0 M k, 1 M k, 0