Multilinear Maps From Ideal Lattices
Sanjam Garg (IBM) Joint work with Craig Gentry (IBM) and Shai Halevi (IBM)
Outline:
Motivating Multilinear maps
Classical Notion
Our Notion
Security
Recalling Bilinear Maps and Their Applications: Motivating Multilinear Maps
Bilinear maps are extremely useful in cryptography, with lots of applications.
As the name suggests, they allow pairing two things together.
Cryptographic bilinear map
Groups $G_1$ and $G_2$ of order $p$ with generators $g_1$, $g_2 = e(g_1, g_1)$ and a bilinear map $e : G_1 \times G_1 \to G_2$ such that $\forall a, b \in \mathbb{Z}_p$, $e(g_1^a, g_1^b) = g_2^{ab}$.
Instantiation: Weil or Tate pairings over elliptic curves.
CDH is hard: given $g_1^a, g_1^b$, it is hard to get $g_1^{ab}$.
DDH is easy: given $g_1^a, g_1^b, T$, decide $T \stackrel{?}{=} g_1^{ab}$ by checking $e(g_1^a, g_1^b) = e(g_1, T)$.
Given $g_1^a, g_1^b, g_1^c \in G_1$, it is hard to distinguish $e(g_1, g_1)^{abc} = g_2^{abc}$ from random.
Easy Application: Tri-partite key agreement [Joux00]:
Alice, Bob, Carol generate $a, b, c$ and broadcast $g_1^a, g_1^b, g_1^c$.
They each separately compute the key $K = e(g_1, g_1)^{abc}$.
What if we have more than 3 parties? [BS03]
Application 1
Candidate approximate constructions of multilinear maps
Lots of Applications: Witness Encryption, Indistinguishability Obfuscation
Application 2
Encrypter, Receiver [TW87, Rudich89, IOS97, IS91, KMV07, CS02, CCKV08, GOVW12 …]
Witness for statement $x$.
Soundness: Statement is false ⟹ Semantic Security
Application 3
Obfuscator [Barak et al…]
Security: Can't tell if $C = C_1$ or $C_2$, as long as $\forall x\; C_1(x) = C_2(x)$ and $|C_1| = |C_2|$.
Definitions: Classical notion and our Approximate variant
Cryptographic n-multilinear map (for groups)
Groups $G_1, \dots, G_n$ of order $p$ with generators $g_1, \dots, g_n$.
Family of maps $e_{i,k} : G_i \times G_k \to G_{i+k}$ for $i + k \le n$, where $e_{i,k}(g_i^a, g_k^b) = g_{i+k}^{ab}$ $\forall a, b \in \mathbb{Z}_p$.
And at least the "discrete log" problem in each $G_i$ is "hard".
And hopefully the generalization of Bilinear DH.
Our visualization
Bilinear Maps: step by step I will make changes to get our notion of bilinear maps. At each step I provide the extension to multilinear maps.
(Our Notion)
[Figure: sets $S_0$, $S_1$, $S_2$, each split into classes $1, 2, \dots, p$; $S_0$ holds the level-0 encodings.]
Finite ring $R$ and sets $S_i$, $\forall i \in [n]$: "level-$i$ encodings". Each set $S_i$ is partitioned into $S_i^{(a)}$ for each $a \in R$: "level-$i$ encodings of $a$".
It should be efficient to sample $\alpha \leftarrow S_0$ such that $\alpha \in S_0^{(a)}$ for a uniform $a$. It may not be uniform in $S_0$ or $S_0^{(a)}$.
Sampling: Output $\alpha$ such that $\alpha \in S_0^{(a)}$ for a uniform $a$.
Check if two values come from the same set.
Equality testing($\alpha, \beta, i$): Output 1 iff $\exists a$ such that $\alpha, \beta \in S_i^{(a)}$.
$\forall i \in [n]$, $a, b \in R$, $\alpha \in S_i^{(a)}$, $\beta \in S_i^{(b)}$: we have $\alpha + \beta \in S_i^{(a+b)}$ and $\alpha - \beta \in S_i^{(a-b)}$.
$\forall i, k$ such that $i + k \le n$, $\forall a, b \in R$, $\alpha \in S_i^{(a)}$, $\beta \in S_k^{(b)}$: we have $\alpha \times \beta \in S_{i+k}^{(ab)}$.
All operations are required to work as long as the "noise" level remains small.
n-Multilinear DDH: Given level-1 encodings of $1, a_1, \dots, a_{n+1}$ and a level-$n$ encoding $T$, distinguish whether $T$ encodes $a_1 \cdots a_{n+1}$ or not.
(Kind of like NTRU-Based FHE, but with Equality Testing)
We work in the polynomial ring $R = \mathbb{Z}[x]/f(x)$, e.g., $f(x) = x^n + 1$ ($n$ is a power of two). Also use $R_q = R/qR = \mathbb{Z}[x]/(f(x), q)$.
Public parameters hide a small $g \in R_q$ and a random (large) $z \in R_q$.
$g$ defines a principal ideal $I = \langle g \rangle$ over $R$. The "scalars" that we encode are cosets of $I$ (i.e., elements in the quotient ring $R/I$),
e.g., if $|R/I| = p$ is a prime, then we can represent these cosets using the integers $1, 2, \dots, p$.
[Figure: $S_0$, $S_1$, $S_2$, each split into classes for the cosets $1 + I$, $2 + I$, …, $I$.]
Elements of the three sets have the forms $c$, $[c/z]_q$ and $[c/z^2]_q$, with $+$ and $\times$ acting on them; $c$ should have small coefficients.
If $c \in s + I$, $d \in t + I$ are both short, then $[c/z + d/z]_q$ has the form $[(c + d)/z]_q$, where $c + d$ is still short and $c + d \in s + t + I$.
If $c \in s + I$, $d \in t + I$ are both short, then $[c/z \times d/z]_q$ has the form $[(c \times d)/z^2]_q$, where $c \times d$ is still short and $c \times d \in s \cdot t + I$.
In general, a "level-$k$ encoding" of a coset $s + I$ has the form $[c/z^k]_q$ for a short $c \in s + I$.
Addition: Add encodings $u_i = [c_i/z^j]_q$, as long as $|\sum_i c_i| \ll q$.
Multi-linear: Multiply encodings $u_i = [c_i/z^{j_i}]_q$ to get an encoding of the product at level $\sum_i j_i$, as long as $|\prod_i c_i| \ll q$.
"Somewhat homomorphic" encoding
Sampling: If $c \leftarrow \mathrm{DiscreteGaussian}(\mathbb{Z}^n)$ (wider than the smoothing parameter [MR05] of $\langle g \rangle$ but still smaller than $q$), then $c$ encodes a random coset.
Why should this work? Recall $I = \langle g \rangle$, with $g$ a vector with tiny coefficients.
Publish an encoding of 1: $y = [a/z]_q$.
Don't know how to encode specific elements.
Given this short $c$, set $u = [c \cdot y]_q$.
$u$ is a valid level-1 encoding of the coset $c + I$.
Translating from level $i$ to $i + 1$: $u_{i+1} = [u_i \cdot y]_q$.
$\left[\frac{c}{z^k} \cdot \left[\frac{h z^k}{g}\right]_q\right]_q$
[Figure: classes $S_0^{(s)}$, $S_0^{(t)}$, $S_0^{(st)}$, $S_0^{(r)}$.]
Compute $c_{st} = c_s c_t$ and encode $u_s = [c_s y]_q$, $u_t = [c_t y]_q$, $u_{st} = [c_{st} y]_q$.
But then $u_{st} = u_s u_t / y$.
We need to re-randomize the encoding, to break these simple algebraic relations.
[Figure: classes $S_0^{(s)}$, $S_0^{(t)}$, $S_0^{(st)}$, $S_0^{(r)}$ and $S_1^{(st)}$.]
Need to re-randomize this as well.
This re-randomization gets us statistically close to the actual distribution [AGHS12].
Parameters: $y = [a/z]_q$, $\{x_i = [b_i/z]_q\}_i$, and $v_k = [h z^k/g]_q$.
Encode a random element:
Sample $c$ and set $u = [c\,y + \sum_i \rho_i x_i]_q$, $\rho_i \leftarrow$ DiscreteGaussians($\mathbb{Z}$).
Re-randomize $u$ (at level 1):
$u' = [u + \sum_i \rho_i x_i]_q$
Zero Test:
Map to level $k$ (by multiplying by $y^j$ for appropriate $j$). Check if $[u \cdot v_k]_q$ is small.
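The encoding, multiplication and zero-test steps above, as an added toy example (not code from the slides or from the authors). It takes the degenerate case $n = 1$, so $R = \mathbb{Z}$ and $I = g\mathbb{Z}$, leaves out the re-randomization terms, and uses constructed parameters (`Q`, `G`, `H`, the seed and the $2^{390}$ threshold are assumptions); it has no security value.

```python
import random

# Toy parameters (constructed). n = 1, so R = Z, R_q = Z_q and I = gZ.
Q = 2**521 - 1                      # modulus q (a Mersenne prime)
G = 101                             # small secret g; scalars live in Z/gZ
rng = random.Random(2013)           # fixed seed so runs are reproducible
Z = rng.randrange(2, Q)             # random large secret z
H = G * rng.getrandbits(250) + 1    # "not small" h, chosen coprime to g
A = 1 + G * rng.randrange(1, 8)     # short element of the coset 1 + I
Y = A * pow(Z, -1, Q) % Q           # public level-1 encoding of 1: y = [a/z]_q

def sample():
    """Level-0 encoding: a short c, which encodes the coset c + I."""
    return rng.randrange(1, 2**12)

def encode(c, level=1):
    """Lift a short c to the given level: u = [c * y^level]_q."""
    return c * pow(Y, level, Q) % Q

def add(u1, u2):
    """Add two encodings of the same level; the level is unchanged."""
    return (u1 + u2) % Q

def mul(u1, u2):
    """Multiply two encodings; their levels add up."""
    return u1 * u2 % Q

def is_zero(u, level):
    """Zero test with v_k = [h z^k / g]_q: the product is small iff u encodes 0."""
    v = H * pow(Z, level, Q) * pow(G, -1, Q) % Q
    w = u * v % Q
    w = w - Q if w > Q // 2 else w          # centred representative
    return abs(w) < 2**390                  # roughly q^(3/4)

def equal(u1, u2, level):
    """Equality test: do u1 and u2 encode the same coset at this level?"""
    return is_zero((u1 - u2) % Q, level)
```

Without the $\sum_i \rho_i x_i$ term, the relation $u_{st} = u_s u_t / y$ from the slides holds exactly here: `encode(s * t) == mul(encode(s), encode(t)) * pow(Y, -1, Q) % Q`.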
𝑏𝑗 𝑨𝑗 𝑟
𝑐𝑗,𝑘 𝑨𝑗 𝑟 𝑗,𝑘
ℎ 𝑗 𝑨𝑗 𝑟
$y_0 = [a_0/z]_q, \dots, y_k = [a_k/z]_q$ and $v_k = [h z^k/g]_q$
Goal: Distinguish $[\prod_i a_i / z^k]_q$ from $[r/z^k]_q$
Easy
$\{x_i = [b_i/z]_q\}_i$
General computation and not just multilinear
Difficult
𝑧0 =
𝑏0 𝑨1 𝑟
, … 𝑧𝑙 =
𝑏𝑙 𝑨𝑙 𝑟
and 𝑤𝑙 =
ℎ 𝑨𝑗 𝑟
$y = [a/z]_q$, $\{x_i = [b_i/z]_q\}_i$, and $v_k = [h z^k/g]_q$
Goal: To find $z$ or $g$
Covering the basics (not "trivially" broken): an adversary that only (iteratively) adds, subtracts, multiplies, or divides pairs of elements that it has already computed cannot break the scheme.
Similar in spirit to the Generic Group model.
Can easily find the ideals for $h$, $\langle h \cdot g \rangle$ and $\langle g \rangle$.
Cannot hope to hide $I = \langle g \rangle$ itself.
But not small. This is the basis for conjectured hardness.
Presented a "noisy" cryptographic multilinear map. Construction is similar to NTRU-based homomorphic encryption, but with an equality-testing parameter. Security is based on somewhat stronger computational assumptions than NTRU. But more cryptanalysis needs to be done!