more efficient cryptographic multilinear maps from ideal
play

More Efficient Cryptographic Multilinear Maps from Ideal Lattices - PowerPoint PPT Presentation

Apr 30, 2023 •296 likes •706 views

Introduction GGH Construction GGHLite Conclusions More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School of IT Monash University, Australia (Based on joint work with A. Langlois and D. Stehl e, ENS

  1. Introduction GGH Construction GGHLite Conclusions More Efficient Cryptographic Multilinear Maps from Ideal Lattices Ron Steinfeld Clayton School of IT Monash University, Australia (Based on joint work with A. Langlois and D. Stehl´ e, ENS Lyon, France) Monash Discrete Math Group, March 2014 Ron Steinfeld More Efficient Cryptographic Multilinear Maps from Ideal Lattices Mar 2014 1/28

  2. Introduction GGH Construction GGHLite Conclusions Outline of the talk 1- Introduction Background: Cryptographic Multilinear Maps and Applications Background: Ideal Lattices 2- Review of GGH construction of approx. multilinear maps 3- GGHLite: Our more efficient construction Main ingredients Construction Asymptotic efficiency Using GGHLite in applications 4- Concluding Remarks Ron Steinfeld More Efficient Cryptographic Multilinear Maps from Ideal Lattices Mar 2014 2/28

  3. Introduction GGH Construction GGHLite Conclusions Background: Cryptographic Multilinear Maps Non-interactive Key Exchange (NIKE): Alice and Bob want to communicate privately over public channel Marvin can see everything sent over the public channel Non-interactive setup Solution: Diffie-Hellman Key Exchange (1976) Publish a cyclic group G (generator g , order q ) where Discrete Log (DL) problem is hard. Alice chooses random x 1 ∈ Z q , publishes y 1 = g x 1 . Bob chooses random x 2 ∈ Z q , publishes y 2 = g x 2 . Correctness: Both Alice and Bob compute agreed secret key K = g x 1 x 2 = y x 2 1 = y x 1 2 . Security: Eavesdropper Marvin has to solve the Computational Diffie-Hellman problem (CDH), CDH : Given g , g x 1 , g x 2 , compute g x 1 x 2 . Ron Steinfeld More Efficient Cryptographic Multilinear Maps from Ideal Lattices Mar 2014 3/28

  4. Introduction GGH Construction GGHLite Conclusions Background: Cryptographic Multilinear Maps Non-interactive Key Exchange (NIKE): Alice and Bob want to communicate privately over public channel Marvin can see everything sent over the public channel Non-interactive setup Solution: Diffie-Hellman Key Exchange (1976) Publish a cyclic group G (generator g , order q ) where Discrete Log (DL) problem is hard. Alice chooses random x 1 ∈ Z q , publishes y 1 = g x 1 . Bob chooses random x 2 ∈ Z q , publishes y 2 = g x 2 . Correctness: Both Alice and Bob compute agreed secret key K = g x 1 x 2 = y x 2 1 = y x 1 2 . Security: Eavesdropper Marvin has to solve the Computational Diffie-Hellman problem (CDH), CDH : Given g , g x 1 , g x 2 , compute g x 1 x 2 . Ron Steinfeld More Efficient Cryptographic Multilinear Maps from Ideal Lattices Mar 2014 3/28

  5. Introduction GGH Construction GGHLite Conclusions Background: Cryptographic Multilinear Maps 21st Century variant (privacy for Facebook): Group of N > 2 parties want to communicate privately via ‘cloud’. Solution[J00,BS02]: Use a group where DL is hard and there is an efficient ( N − 1)-linear map e : G N − 1 → G T : e ( g x 1 , g x 2 , . . . , g x N − 1 ) = e ( g , . . . , g ) x 1 ··· x N − 1 ∀ x 1 , . . . , x N − 1 ∈ Z q . N-party Non-Interactive Key Exchange Publish cyclic groups G , G T (generators g , g T , order q ) where Discrete Log (DL) problem is hard, with an efficient ( N − 1)-linear map e . For i = 1 , . . . , N , party P i chooses x i ∈ Z q , publishes y i = g x i . Correctness: All parties can compute agreed secret key K = e ( g , . . . , g ) x 1 ··· x N = e ( y 2 , y 3 , . . . , y N ) x 1 . Security: Hardness of Multilinear CDH problem (MCDH), MCDH : Given g , g x 1 , . . . , g x N , compute e ( g , . . . , g ) x 1 ··· x N . Ron Steinfeld More Efficient Cryptographic Multilinear Maps from Ideal Lattices Mar 2014 4/28

  6. Introduction GGH Construction GGHLite Conclusions Background: Cryptographic Multilinear Maps 21st Century variant (privacy for Facebook): Group of N > 2 parties want to communicate privately via ‘cloud’. Solution[J00,BS02]: Use a group where DL is hard and there is an efficient ( N − 1)-linear map e : G N − 1 → G T : e ( g x 1 , g x 2 , . . . , g x N − 1 ) = e ( g , . . . , g ) x 1 ··· x N − 1 ∀ x 1 , . . . , x N − 1 ∈ Z q . N-party Non-Interactive Key Exchange Publish cyclic groups G , G T (generators g , g T , order q ) where Discrete Log (DL) problem is hard, with an efficient ( N − 1)-linear map e . For i = 1 , . . . , N , party P i chooses x i ∈ Z q , publishes y i = g x i . Correctness: All parties can compute agreed secret key K = e ( g , . . . , g ) x 1 ··· x N = e ( y 2 , y 3 , . . . , y N ) x 1 . Security: Hardness of Multilinear CDH problem (MCDH), MCDH : Given g , g x 1 , . . . , g x N , compute e ( g , . . . , g ) x 1 ··· x N . Ron Steinfeld More Efficient Cryptographic Multilinear Maps from Ideal Lattices Mar 2014 4/28

  7. Introduction GGH Construction GGHLite Conclusions Background: Cryptographic Multilinear Maps 21st Century variant (privacy for Facebook): Group of N > 2 parties want to communicate privately via ‘cloud’. Solution[J00,BS02]: Use a group where DL is hard and there is an efficient ( N − 1)-linear map e : G N − 1 → G T : e ( g x 1 , g x 2 , . . . , g x N − 1 ) = e ( g , . . . , g ) x 1 ··· x N − 1 ∀ x 1 , . . . , x N − 1 ∈ Z q . N-party Non-Interactive Key Exchange Publish cyclic groups G , G T (generators g , g T , order q ) where Discrete Log (DL) problem is hard, with an efficient ( N − 1)-linear map e . For i = 1 , . . . , N , party P i chooses x i ∈ Z q , publishes y i = g x i . Correctness: All parties can compute agreed secret key K = e ( g , . . . , g ) x 1 ··· x N = e ( y 2 , y 3 , . . . , y N ) x 1 . Security: Hardness of Multilinear CDH problem (MCDH), MCDH : Given g , g x 1 , . . . , g x N , compute e ( g , . . . , g ) x 1 ··· x N . Ron Steinfeld More Efficient Cryptographic Multilinear Maps from Ideal Lattices Mar 2014 4/28

  8. Introduction GGH Construction GGHLite Conclusions Background: Cryptographic Multilinear Maps – History 2000: Bilinear ( k = 2) via Weil pairings on algebraic curves, applications: 2000: 3-party non-interactive key agreement [J00] 2000-2001: Identity-Based Encryption (IBE) [SK00,BF01] 2001: Short signatures [BS01] 2000-2013: lots of others 2002: Applications for k -linear maps [BS02] ( k + 1)-party non-interactive key agreement Efficient Broadcast Encryption and others... 2012: First plausible realization for k > 2, via ideal lattices [GGH12], applications: 2012-2013: Functional Encryption for arbitrary functions 2013: Program obfuscation notions for arbitrary functions 2014: GGHLite – More efficient variant of GGH construction (this talk) Ron Steinfeld More Efficient Cryptographic Multilinear Maps from Ideal Lattices Mar 2014 5/28

  9. Introduction GGH Construction GGHLite Conclusions Approx. Multilin. Maps: GGH ‘Graded Encoding Scheme’ GGH realization: not quite a k -linear map, but essentially the same Technically, a k -graded encoding scheme: Replace groups Z q , G by Rings R g , R q and some public parameters par . Replace ‘Encode x ∈ Z q as g x ∈ G ’ by ‘Encode x ∈ R g as Enc 1 ( par , x ; ρ ) ∈ R q ’ – randomized ‘level 1 encoding’ of ‘level 0’ element x using randomness ρ . Replace e ( g x 1 1 , . . . , g x k k ) = e ( g 1 , . . . , g k ) x 1 ··· x k by Homomorphic up to ‘level k ’: Enc 1 ( par , x 1 ; ρ 1 ) · · · Enc 1 ( par , x k ; ρ k ) = Enc k ( par , x 1 · · · x k ; ρ ) and x · Enc k ( par , z ; ρ ) = Enc k ( par , x · z ; ρ ′ ) , for any x ∈ R g . Randomness-independent extraction at level k – Ext( par , Enc k ( par , x ; ρ )) = r ( x ) ∈ { 0 , 1 } n is independent of randomness ρ , and uniformly random for x ← ֓ U ( R g ). Ron Steinfeld More Efficient Cryptographic Multilinear Maps from Ideal Lattices Mar 2014 6/28

  10. Introduction GGH Construction GGHLite Conclusions Multilinear Maps: GGH ‘Graded Encoding Scheme’ N-party NIKE from N − 1-Graded Encoding Scheme: Publish rings R g , R q and pub. params. par of N − 1-Graded Encoding Scheme. For i = 1 , . . . , N , party P i chooses x i ∈ R g , publishes y i = Enc 1 ( par , x i ; ρ i ). Correctness: All parties can compute agreed secret key K = Ext( par , Enc N − 1 ( par , x 1 · · · x N ; ρ )) = Ext( par , x 1 · y 2 · y 3 · · · y N ) Security: To compute K , eavesdropper Marvin has to solve the Extraction Graded Computational Diffie-Hellman problem – Ext-GCDH : Given par , y 1 = Enc 1 ( par , x 1 ; ρ 1 ), . . . , y N = Enc 1 ( par , x N ; ρ N ), compute Ext( par , Enc N − 1 ( par , x 1 · · · x N ; ρ )). Ron Steinfeld More Efficient Cryptographic Multilinear Maps from Ideal Lattices Mar 2014 7/28

  11. Introduction GGH Construction GGHLite Conclusions Polynomial Rings Take φ ∈ Z [ x ] monic of degree n . � � R φ := Z [ x ] / ( φ ) , + , × . Interesting φ ’s: φ = x n − 1 → R − , φ = x n + 1 → R + . For n a power of 2, the ring R + is isomorphic to the ring of integers of K = Q [e i π/ n ]: Q [ x ] / ( x n + 1) K ≃ Z [ x ] / ( x n + 1) . O K ≃ ⇒ Rich algebraic structure (great for design and proofs). Ron Steinfeld More Efficient Cryptographic Multilinear Maps from Ideal Lattices Mar 2014 8/28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa

Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa

Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa Research) Crypto Innovation School Shanghai 2019 1 What are multilinear maps? 2 3 Cool. So what are the multilinear maps in cryptography? 4

2.17k views • 147 slides
Mult ltilinear Maps From Id Ideal Lattic ices Sanjam Garg (IBM) Joint work with Craig Gentry

Mult ltilinear Maps From Id Ideal Lattic ices Sanjam Garg (IBM) Joint work with Craig Gentry

Mult ltilinear Maps From Id Ideal Lattic ices Sanjam Garg (IBM) Joint work with Craig Gentry (IBM) and Shai Halevi (IBM) Outline Bilinear Maps: Recall and Applications Motivating Multilinear maps Our Results Definitions of

694 views • 52 slides
Multilinear Maps over the Integers From Design to Security Tancrde Lepoint CryptoExperts The

Multilinear Maps over the Integers From Design to Security Tancrde Lepoint CryptoExperts The

Multilinear Maps over the Integers From Design to Security Tancrde Lepoint CryptoExperts The Mathematics of Modern Cryptography Workshop, July 10th 2015 Timeline: The Hype Cycle of Multilinear Maps 2 / 30 visibility Timeline time 2 / 30

1.61k views • 112 slides
Obfuscation and Weak Multilinear Maps Mark Zhandry Princeton

Obfuscation and Weak Multilinear Maps Mark Zhandry Princeton

Obfuscation and Weak Multilinear Maps Mark Zhandry Princeton University Joint work with Saikrishna Badrinarayanan , Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai,

762 views • 49 slides
Private Outsourcing of Polynomial Evaluation and Matrix Multiplication using Multilinear Maps

Private Outsourcing of Polynomial Evaluation and Matrix Multiplication using Multilinear Maps

Private Outsourcing of Polynomial Evaluation and Matrix Multiplication using Multilinear Maps Liang Feng Zhang, Reihaneh Safavi-Naini Institute for Security, Privacy and Information Assurance Department of Computer Science University of

197 views • 19 slides
A Survey of Computational Assumptions on Bilinear and Multilinear Maps Allison Bishop IEX and

A Survey of Computational Assumptions on Bilinear and Multilinear Maps Allison Bishop IEX and

A Survey of Computational Assumptions on Bilinear and Multilinear Maps Allison Bishop IEX and Columbia University Group Basics There are two kinds of people in this world. Those who like additive group notation, and those who like

657 views • 31 slides
Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (iO) from

Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (iO) from

Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (iO) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai Constructions of iO All current constructions of iO are based on multilinear maps [GGHRSW13,

649 views • 39 slides
Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher

Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher

Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher Three Ways to Argue for Cryptographic Security Cryptanalysis

933 views • 75 slides
Cryptanalysis of the New CLT Multilinear Map over the Integers May 11, 2016 Cheon, Fouque, Lee,

Cryptanalysis of the New CLT Multilinear Map over the Integers May 11, 2016 Cheon, Fouque, Lee,

Cryptanalysis of the New CLT Multilinear Map over the Integers May 11, 2016 Cheon, Fouque, Lee, Minuad, Ryu Cryptanlysis of CLT15 Maps May 11, 2016 1 / 26 Jung Hee Cheon 1 , Pierre-Alain Fouque 2 , 3 , Changmin Lee 1 , Brice Minaud 2 , Hansol

456 views • 28 slides
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First

Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First

Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things Efficient algorithms Suitable elliptic curves We have got both! (Maybe not quite

509 views • 47 slides
Quasiconformal distortion of projective maps and discrete conformal maps with Stefan Born and

Quasiconformal distortion of projective maps and discrete conformal maps with Stefan Born and

Quasiconformal distortion of projective maps and discrete conformal maps with Stefan Born and Ulrike B ucking arXiv:1505.01341 Bobenko, Pinkall, S Discrete conformal maps and ideal hyperbolic polyhedra Geom. Topol. 19-4 (2015), 2155-2215 S,

877 views • 51 slides
Kernel K -Means Low Rank Approximation for Spectral Clustering and Diffusion Maps IDEAL 2014

Kernel K -Means Low Rank Approximation for Spectral Clustering and Diffusion Maps IDEAL 2014

Kernel K -Means Low Rank Approximation for Spectral Clustering and Diffusion Maps IDEAL 2014 Salamanca Spain Carlos M. Ala z Angela Fern andez Yvonne Gala Jos e R. Dorronsoro Departamento de Ingenier a Inform atica

309 views • 20 slides
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity .

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity .

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity . Arnab Roy 1 and Tyge Tiessen 1 ) Technical University of Denmark 1 Royal Holloway, University of London 2 TU Graz 3 1 (joint work with Martin Albrecht

275 views • 26 slides
Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15 000 Messages Graham Steel joint work with R. Bardou, R. Focardi, Y. Kawamoto, L. Simionato, J.-K. Tsay CRYPTO August 2012 BLUF (Bottom Line Up

602 views • 19 slides
Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15 000 Messages Graham Steel joint work with R. Bardou, R. Focardi, Y. Kawamoto, L. Simionato, J. Kai-Tsay CRYPTO August 2012 BLUF (Bottom Line Up

584 views • 42 slides
Convolutional Feature Maps Elements of efficient (and accurate) CNN-based object detection

Convolutional Feature Maps Elements of efficient (and accurate) CNN-based object detection

Convolutional Feature Maps Elements of efficient (and accurate) CNN-based object detection Kaiming He Microsoft Research Asia (MSRA) Overview of this section Quick introduction to convolutional feature maps Intuitions: into the black

786 views • 41 slides
SFB 1102: Information Density and Linguistic Encoding The Empirical Basis of Slavic The Empirical

SFB 1102: Information Density and Linguistic Encoding The Empirical Basis of Slavic The Empirical

SFB 1102: Information Density and Linguistic Encoding The Empirical Basis of Slavic The Empirical Basis of Slavic Intercomprehension Intercomprehension Tania Avgustinova, Andrea Fischer, Klara Jagrova, Dietrich Klakow, Roland Marti, Irina Stenger

470 views • 26 slides
Similarity encoding for learning on dirty categorical variables Ga el Varoquaux

Similarity encoding for learning on dirty categorical variables Ga el Varoquaux

Similarity encoding for learning on dirty categorical variables Ga el Varoquaux Scikit-learn project lead Agenda today Bring to light a problem Show that statistical-learning can solve it Machine learning Let X R n p G

1.4k views • 45 slides
t ttst t

t ttst t

t ttst t tr s rts s Ptr

1.04k views • 64 slides
Statistical Model Checking for Markov Decision Processes David Henriques Joint work with Jo

Statistical Model Checking for Markov Decision Processes David Henriques Joint work with Jo

Statistical Model Checking for Markov Decision Processes David Henriques Joint work with Jo ao Martins, Paolo Zuliani, Andr e Platzer and Edmund M. Clarke QEST, September 18 th , 2012 David Henriques (CMU) SMC for MDPs QEST12 1 / 37

1.55k views • 117 slides
Deterministic Hashing to Elliptic and Hyperelliptic Curves Mehdi Tibouchi LORIA, 2010-11-08

Deterministic Hashing to Elliptic and Hyperelliptic Curves Mehdi Tibouchi LORIA, 2010-11-08

Introduction Problems Outlook and Conclusion Deterministic Hashing to Elliptic and Hyperelliptic Curves Mehdi Tibouchi LORIA, 2010-11-08 Introduction Problems Outlook and Conclusion Outline Introduction Elliptic curves Hashing to

337 views • 30 slides
The Theory of Statistical Comparison in Quantum Information and Foundations Francesco Buscemi *

The Theory of Statistical Comparison in Quantum Information and Foundations Francesco Buscemi *

The Theory of Statistical Comparison in Quantum Information and Foundations Francesco Buscemi * Modern Topics in Quantum Information: Quantum Foundations and Quantum Information . International Institute of Physics (Natal, Brazil), 31 July 2018

412 views • 37 slides
CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local Differential Privacy in Practice (Module 1) Graham Cormode, Somesh Jha, Tejas Kulkarni, Ninghui Li, Divesh Srivastava, and Tianhao Wang Differential

819 views • 38 slides
CS 403X Mobile and Ubiquitous Computing Lecture 3: Introduction to Android Programming Emmanuel

CS 403X Mobile and Ubiquitous Computing Lecture 3: Introduction to Android Programming Emmanuel

CS 403X Mobile and Ubiquitous Computing Lecture 3: Introduction to Android Programming Emmanuel Agu Android UI Tour Home Screen First screen, includes favorites tray (e.g phone, mail, messaging, web, etc) All Apps Screen Accessed by

663 views • 42 slides

More recommend