Mult ltilinear Maps From Id Ideal Lattic ices Sanjam Garg (IBM) - PowerPoint PPT Presentation

Mult ltilinear Maps From Id Ideal Lattic ices Sanjam Garg (IBM) Joint work with Craig Gentry (IBM) and Shai Halevi (IBM)

Outline  Bilinear Maps: Recall and Applications  Motivating Multilinear maps  Our Results  Definitions of Multi-linear Maps  Classical Notion  Our Notion  Our Construction  Security

Cry ryptographic Bi Bilinear Maps (Weil and Tate Pairings) Recalling Bilinear Maps and its Applications: Motivating Multilinear Maps

Cry ryptographic Bi Bilinear Maps  Bilinear maps are extremely useful in cryptography  lots of applications  As the name suggests allow pairing two things together

Bi Bilinear Maps – Definitions  Cryptographic bilinear map  Groups 𝐻 1 and 𝐻 2 of order 𝑞 with generators 𝑕 1 , 𝑕 2 = 𝑓 𝑕 1 , 𝑕 1 and a bilinear map 𝑓 ∶ 𝐻 1 × 𝐻 1 → 𝐻 2 such that 𝑐 = 𝑕 2 𝑏 , 𝑕 1 𝑏𝑐 ∀ 𝑏, 𝑐 ∈ 𝑎 𝑞 , 𝑓 𝑕 1  Instantiation: Weil or Tate pairings over elliptic curves. DDH is easy 𝑏 , 𝑕 1 𝑐 , 𝑈 Given 𝑕 1 CDH is hard ? 𝑏 , 𝑕 1 𝑐 hard 𝑏𝑐 Given 𝑕 1 𝑈 = 𝑕 1 𝑐 = 𝑓 𝑕 1 , 𝑈 𝑏𝑐 𝑏 , 𝑕 1 to get 𝑕 1 𝑓 𝑕 1

Bilinear Maps: `` ``Hard ” Problem  Bilinear Diffie-Hellman: Given 𝑑 ∈ 𝐻 1 hard to distinguish 𝑏 , 𝑕 1 𝑐 , 𝑕 1 𝑕 1 , 𝑕 1 𝑏𝑐𝑑 from Random 𝑏𝑐𝑑 = 𝑕 2 𝑓 𝑕 1 , 𝑕 1

Application 1 Non-Interactive Key Agreement [DH76] Non 𝑏 𝑕 1 𝑐 𝑕 1 𝑏 𝑐 𝑏𝑐 𝐿 = 𝑕 1  Easy Application: Tri-partite key agreement [Joux00]: 𝑏 , 𝑕 1 𝑐 , 𝑕 1 𝑑 .  Alice, Bob, Carol generate 𝑏, 𝑐, 𝑑 and broadcast 𝑕 1  They each separately compute the key 𝐿 = 𝑓 𝑕 1 , 𝑕 1 𝑏𝑐𝑑  What if we have more than 3-parties? [BS03]

Outline  Bilinear Maps: Recall and Applications  Motivating Multilinear maps  Our Results  Definitions of Multi-linear Maps  Classical Notion  Our Notion  Our Construction  Security

Our Results  Candidate approximate constructions of multi- linear maps  Lots of Applications:-  Witness Encryption  Indistinguishability Obfuscation

Application 2 Wit itness Encry ryption [G [GGSW13] [TW87, Rudich89, IOS97, IS91, KMV07, CS02, CCKV08, GOVW12 …] Witness for statement Statement : 𝑦 𝑦 . 𝑑 𝑛 Encrypter Encrypter Receiver Soundness: Statement is false ⟹ Semantic Security

Application 3 In Indistinguishability Obfuscation [G [GGHRSW13] [Barak et al…] 𝑃(𝐷) 𝐷 Obfuscator Security : Can’t tell if 𝐷 = 𝐷 1 or 𝐷 2 As long as ∀𝑦 𝐷 1 𝑦 = 𝐷 2 𝑦 and 𝐷 1 = 𝐷 2

Outline  Bilinear Maps: Recall and Applications  Motivating Multilinear maps  Our Results  Definitions of Multi-linear Maps  Classical Notion  Our Notion  Our Construction  Security

Cry ryptographic Multi-linear Maps Definitions: Classical notion and our Approximate variant

Multilinear Maps: Classical Notion  Cryptographic n-multilinear map (for groups)  Groups 𝐻 1 , … , 𝐻 𝑜 of order 𝑞 with generators 𝑕 1 , … , 𝑕 𝑜  Family of maps: 𝑓 𝑗,𝑙 : 𝐻 𝑗 × 𝐻 𝑙 → 𝐻 𝑗+𝑙 for 𝑗 + 𝑙 ≤ 𝑜 , where 𝑐 = 𝑕 𝑗+𝑙 𝑏 , 𝑕 𝑙 𝑏𝑐  𝑓 𝑗,𝑙 𝑕 𝑗 ∀𝑏, 𝑐 ∈ 𝑎 𝑞 .  And at least the ``discrete log” problems in each 𝐻 𝑗 is ``hard’’.  And hopefully the generalization of Bilinear DH

Getting to our Notion At each step Our Step by step I will provide visualization make changes to Extension to of (traditional) get our notion of Multi-linear Bilinear Maps Bilinear Maps Maps

Bilinear Maps: Our visualization 𝐻 1 𝐻 2 𝑎 𝑞 1 1 1 𝑕 1 𝑕 2 2 2 2 𝑕 1 𝑕 2 ⋮ ⋮ ⋮ 𝑞 𝑞 𝑞 𝑕 1 𝑕 2

Bilinear Maps: Our visualization Sampling 𝐻 1 𝐻 2 𝑎 𝑞 1 1 1 𝑕 1 𝑕 2 2 2 2 𝑕 1 𝑕 2 ⋮ ⋮ ⋮ 𝑞 𝑞 𝑞 𝑕 1 𝑕 2 It was easy to sample uniformly from 𝑎 𝑞 .

Bilinear Maps: Our visualization Equality Checking 𝐻 1 𝐻 2 𝑎 𝑞 1 1 1 𝑕 1 𝑕 2 2 2 2 𝑕 1 𝑕 2 ⋮ ⋮ ⋮ 𝑞 𝑞 𝑞 𝑕 1 𝑕 2 Trivial to check if two terms are the same.

Bilinear Maps: Our visualization Addition 𝐻 1 𝐻 2 𝑎 𝑞 1 1 1 𝑕 1 𝑕 2 2 2 2 𝑕 1 𝑕 2 ⋮ ⋮ ⋮ 𝑞 𝑞 𝑞 𝑕 1 𝑕 2 3 𝑕 1

Bilinear Maps: Our visualization Multiplication 𝐻 1 𝐻 2 𝑎 𝑞 1 1 1 𝑕 1 𝑕 2 2 2 2 𝑕 1 𝑕 2 ⋮ ⋮ ⋮ 𝑞 𝑞 𝑞 𝑕 1 𝑕 2

Bilinear Maps: Sets (Our Notion) 𝐻 1 𝐻 2 𝑎 𝑞 1 1 1 1 1 𝑕 1 1 𝑕 2 𝑇 0 𝑇 2 𝑇 1 2 2 2 2 𝑕 1 𝑕 2 2 2 𝑇 0 𝑇 2 𝑇 1 ⋮ ⋮ ⋮ 𝑞 𝑞 𝑞 𝑕 1 𝑕 2 𝑞 𝑞 𝑞 𝑇 0 𝑇 2 𝑇 1 𝑇 0 𝑇 2 𝑇 1 Level-0 encodings

Multilinear Maps: Our Notion  Finite ring 𝑆 and sets 𝑇 𝑗 ∀𝑗 ∈ 𝑜 : ``level- 𝑗 encodings” 𝑏 for each 𝑏 ∈ 𝑆 : ``level- 𝑗  Each set 𝑇 𝑗 is partitioned into 𝑇 𝑗 encodings of 𝑏 ”.

Bilinear Maps: Sampling (Our Notion) I should be efficient to sample 𝛽 ← 𝑇 0 such that 𝛽 ∈ 𝑏 for a u niform 𝑏. It may not be uniform in 𝑇 0 or 𝑇 0 𝑏 . 𝑇 0 𝐻 1 𝐻 2 𝑎 𝑞 1 1 1 1 1 𝑕 1 1 𝑕 2 𝑇 0 𝑇 2 𝑇 1 2 2 2 2 𝑕 1 𝑕 2 2 2 𝑇 0 𝑇 2 𝑇 1 ⋮ ⋮ ⋮ 𝑞 𝑞 𝑞 𝑕 1 𝑕 2 𝑞 𝑞 𝑞 𝑇 0 𝑇 2 𝑇 1 𝑇 0 𝑇 2 𝑇 1 It was easy to sample uniformly from 𝑎 𝑞 .

Multilinear Maps: Our Notion  Finite ring 𝑆 and sets 𝑇 𝑗 ∀𝑗 ∈ 𝑜 : ``level- 𝑗 encodings” 𝑏 for each 𝑏 ∈ 𝑆 : ``level- 𝑗  Each set 𝑇 𝑗 is partitioned into 𝑇 𝑗 encodings of 𝑏 ”. 𝑏 for a u nifrom 𝑏  Sampling: Output 𝛽 such that 𝛽 ∈ 𝑇 0

Bilinear Maps: Equality Checking (Our Notion) 𝐻 1 𝐻 2 𝑎 𝑞 Check if two values come 1 1 1 1 1 𝑕 1 1 𝑕 2 𝑇 0 𝑇 2 𝑇 1 from the 2 2 2 2 𝑕 1 𝑕 2 same set. 2 2 𝑇 0 𝑇 2 𝑇 1 ⋮ ⋮ ⋮ 𝑞 𝑞 𝑞 𝑕 1 𝑕 2 𝑞 𝑞 𝑞 𝑇 0 𝑇 2 𝑇 1 𝑇 0 𝑇 2 𝑇 1 It was trivial to check if two terms are the same.

Multilinear Maps: Our Notion  Finite ring 𝑆 and sets 𝑇 𝑗 ∀𝑗 ∈ 𝑜 : ``level- 𝑗 encodings” 𝑏 for each 𝑏 ∈ 𝑆 : ``level- 𝑗  Each set 𝑇 𝑗 is partitioned into 𝑇 𝑗 encodings of 𝑏 ”. 𝑏 for a random 𝑏  Sampling: Output 𝛽 such that 𝛽 ∈ 𝑇 0  Equality testing( 𝛽, 𝛾, 𝑗 ): Output 1 iff ∃𝑏 such that 𝛽, 𝛾 ∈ 𝑏 𝑇 𝑗

Bilinear Maps: Addition (Our Notion) 𝐻 1 𝐻 2 𝑎 𝑞 1 1 1 1 1 𝑕 1 1 𝑕 2 𝑇 0 𝑇 2 𝑇 1 2 2 2 2 𝑕 1 𝑕 2 2 2 𝑇 0 𝑇 2 𝑇 1 ⋮ ⋮ ⋮ 𝑞 𝑞 𝑞 𝑕 1 𝑕 2 𝑞 𝑞 𝑞 𝑇 0 𝑇 2 𝑇 1 𝑇 0 𝑇 2 𝑇 1 3 3 𝑕 1 𝑇 1

Multilinear Maps: Our Notion  Finite ring 𝑆 and sets 𝑇 𝑗 ∀𝑗 ∈ 𝑜 : ``level- 𝑗 encodings” 𝑏 for each 𝑏 ∈ 𝑆 : ``level- 𝑗  Each set 𝑇 𝑗 is partitioned into 𝑇 𝑗 encodings of 𝑏 ”. 𝑏 for a random 𝑏  Sampling: Output 𝛽 such that 𝛽 ∈ 𝑇 0  Equality testing( 𝛽, 𝛾, 𝑗 ): Output 1 iff ∃𝑏 such that 𝛽, 𝛾 ∈ 𝑏 𝑇 𝑗  Addition/Subtraction: There are ops + and – such that: 𝑏 , 𝛾 ∈ 𝑇 𝑗 𝑐 :  ∀𝑗 ∈ 𝑜 , 𝑏, 𝑐 ∈ 𝑆, 𝛽 ∈ 𝑇 𝑗 𝑏+𝑐 and 𝛽 − 𝛾 ∈ 𝑇 𝑗 𝑏−𝑐 .  We have 𝛽 + 𝛾 ∈ 𝑇 𝑗

Bilinear Maps: Multiplication (Our Notion) 𝐻 1 𝐻 2 𝑎 𝑞 1 1 1 1 1 𝑕 1 1 𝑕 2 𝑇 0 𝑇 2 𝑇 1 2 2 2 2 𝑕 1 𝑕 2 2 2 𝑇 0 𝑇 2 𝑇 1 ⋮ ⋮ ⋮ 𝑞 𝑞 𝑞 𝑕 1 𝑕 2 𝑞 𝑞 𝑞 𝑇 0 𝑇 2 𝑇 1 𝑇 0 𝑇 2 𝑇 1

Multilinear Maps: Our Notion  Finite ring 𝑆 and sets 𝑇 𝑗 ∀𝑗 ∈ 𝑜 : ``level- 𝑗 encodings” 𝑏 for each 𝑏 ∈ 𝑆 : ``level- 𝑗  Each set 𝑇 𝑗 is partitioned into 𝑇 𝑗 encodings of 𝑏 ”. 𝑏 for a random 𝑏  Sampling: Output 𝛽 such that 𝛽 ∈ 𝑇 0  Equality testing( 𝛽, 𝛾, 𝑗 ): Output 1 iff ∃𝑏 such that 𝛽, 𝛾 ∈ 𝑏 𝑇 𝑗  Addition/Subtraction: There are ops + and – such that:  Multiplication: There is an op × such that: 𝑏 , 𝛾 ∈ 𝑇 𝑙 𝑐 :  ∀𝑗, 𝑙 such that 𝑗 + 𝑙 ≤ 𝑜, ∀𝑏, 𝑐 ∈ 𝑆, 𝛽 ∈ 𝑇 𝑗 𝑏𝑐 .  We have 𝛽 × 𝛾 ∈ 𝑇 𝑗+𝑙

Bilinear Maps: Noisy (Our Notion) All operations 𝐻 1 𝐻 2 𝑎 𝑞 are required 1 1 to work as 1 1 1 𝑕 1 1 𝑕 2 𝑇 0 𝑇 2 𝑇 1 long as 2 2 2 2 𝑕 1 𝑕 2 2 2 𝑇 0 𝑇 2 𝑇 1 ``noise’’ level ⋮ ⋮ ⋮ remains small. 𝑞 𝑞 𝑞 𝑕 1 𝑕 2 𝑞 𝑞 𝑞 𝑇 0 𝑇 2 𝑇 1 𝑇 0 𝑇 2 𝑇 1

Multilinear Maps: Our Notion  Discrete Log : Given level- 𝑘 encoding of 𝑏 , hard to compute level- (𝑘 - 1) encoding of 𝑏 .  n-Multilinear DDH: Given level- 1 encodings of 1, 𝑏 1 , … , 𝑏 𝑜+1 and a level-n encoding T distinguish whether T encodes 𝑏 1 ∙∙∙ 𝑏 𝑜+1 or not.