Multilinear maps from lattices: Constructions, attacks, and applications (PowerPoint PPT presentation)



SLIDE 1

Multilinear maps from lattices

Constructions, attacks, and applications

Yilei Chen (Visa Research)

Crypto Innovation School Shanghai 2019

SLIDE 2

What are multilinear maps?

SLIDE 4

Cool. So what are the multilinear maps in cryptography?

SLIDES 5-7

Multilinear maps in Cryptography

> Discrete-log problem [Diffie, Hellman 76]: given g, g^s mod q, finding s is hard.

> Bilinear maps from the Weil pairing over elliptic-curve groups: g^{s1}, g^{s2} → g^{s1 s2}.
  [Miller 86] How to compute the Weil pairing; [Sakai, Ohgishi, Kasahara 00] Identity-based key exchange; [Joux 00] Three-party non-interactive key exchange; [Boneh, Franklin 02] Identity-based key exchange.

> Multilinear maps: motivated in [Boneh, Silverberg 03] with the potential applications of constructing unique signatures, broadcast encryption, etc.: g^{s1}, g^{s2}, g^{s3}, … → g^{∏s}.

SLIDES 8-10

Multilinear maps in Cryptography

Where to find multilinear maps: g^{s1}, g^{s2}, g^{s3}, … → g^{∏s}?

“If an n-multilinear map is computable, it is reasonable to expect it to come from geometry, as is the case for Weil and Tate pairings when n = 2.” – Boneh, Silverberg, 2003

*New: Trilinear maps from abelian varieties [Huang 2018]; requires further investigation.

SLIDE 11

What are multilinear maps? Why from lattices?

SLIDES 12-14

Multilinear maps since 2013

> Multilinear maps: motivated in [Boneh, Silverberg 2003]: g, g^{s1}, g^{s2}, g^{s3}, … → g^{∏s}

Garg, Gentry, Halevi [GGH 13] propose a candidate by modifying the NTRU-based FHE. Think of it as homomorphic encryption + public zero-test, i.e. being able to distinguish g^0 from g^{non-zero}.

Coron, Lepoint, Tibouchi [CLT 13]: modifying the FHE based on approximate GCD.

Gentry, Gorbunov, Halevi [GGH 15]: from a non-standard use of the GSW FHE.

SLIDES 15-16

Multilinear maps: applications and security

Multilinear maps give:
  • Indistinguishability obfuscation [Garg, Gentry, Halevi, Raykova, Sahai, Waters 13]
  • Lockable obfuscation (Compute-then-Compare obf.)
  • Private constrained PRFs
  • Multiparty key agreement
  • Witness encryption
  • Deniable encryption
  • Broadcast encryption

SLIDES 17-18

Indistinguishability obfuscation

Defined by [Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan, Yang 01]: to the adversary, iO[F0] ≈ iO[F1] if F0 and F1 have identical functionality.

Candidate constructions: [Garg, Gentry, Halevi, Raykova, Sahai, Waters 13], [Barak, Garg, Kalai, Paneth, Sahai 14], [Brakerski, Rothblum 14], [Zimmerman 15], [Applebaum, Brakerski 15], [Ananth, Jain 15], [Bitansky, Vaikuntanathan 15], [Gentry, Gorbunov, Halevi 15], [Lin 16], …

Cryptanalyses: [Cheon, Han, Lee, Ryu, Stehle 15], [Coron et al. 15], [Hu, Jia 16], [Miles, Sahai, Zhandry 16], [Chen, Gentry, Halevi 17], [Coron, Lee, Lepoint, Tibouchi 17], [Chen, Vaikuntanathan, Wee 18], …

SLIDES 19-20

Multilinear maps: applications and security

Multilinear maps give:
  • Indistinguishability obfuscation
  • Lockable obfuscation (Comp
ute-then-Compare obf.)
  • Private constrained PRFs
  • Multiparty key agreement
  • Witness encryption
  • Deniable encryption
  • Broadcast encryption

Legend of the diagram: Reduction from LWE; Candidates exist; Broken.

SLIDE 21

Plan of today:

  • 1. Introduction
  • 2. The GGH15 construction: functionality and security overview
  • 3. Applications

Open problems will be mentioned throughout the talk. Bonus: interesting missing topics in the previous talks.

SLIDES 22-24

Recall Learning with Errors [Regev 05]

A ∈ Z_q^{n×m} (m > n log q). Figure: Y = s × A + E mod q, with s the secret (small), A the public matrix (uniform), E the noise/error (small) and Y unspecified.

Search LWE: given A, Y = SA + E, find S.
Decisional LWE: given A, distinguish Y from random.

Entries of S from the error distribution: as hard as normal LWE [Applebaum, Cash, Peikert, Sahai 09].

SLIDES 25-28

GGH15 in a nutshell

> Multilinear maps: motivated in [Boneh, Silverberg 2003]: g, g^{s1}, g^{s2}, g^{s3}, … → g^{∏s}
> (Ring)LWE analogy: A, S1A+E1, …, SkA+Ek → (∏S)A+E mod q

How to put them together? Idea: use lattice trapdoor sampling to chain them together.

GGH15: “the blockchain in multilinear maps” (also appears as “cascaded LWE” in [Koppula-Waters 16], [Alamati-Peikert 16]).

SLIDES 29-30

Recall lattice trapdoor [Ajtai 99], [Alwen, Peikert 09], [Micciancio, Peikert 12]

The trapdoor for A can be used to solve SIS and LWE: given an image Y, find a short vector D s.t. A × D = Y mod q.

SLIDES 31-32

Lattice trapdoor [Ajtai 99]

A × T = 0 mod q, where T is short and full rank over Z.

Example of solving LWE given T: given A, y = sA + E mod q, compute yT mod q = (sA + E)T = ET, and note that ET is small. Then E can be obtained by multiplying by T^{-1} on the right.

SLIDE 33

(Bonus) Trapdoor from [Micciancio, Peikert 12]

Let k = log_b q. The gadget (“power-of-b”) matrix G ∈ Z_q^{n×nk} is

  G = I_n ⊗ (1, b, …, b^{k-1}) =
      [ 1, b, …, b^{k-1}                     ]
      [                    …                 ]
      [                    1, b, …, b^{k-1}  ]

The kernel lattice of G has an easily computable short basis. Solving SIS for the public matrix G is easy.

SLIDE 34

(Bonus) Trapdoor from [Micciancio, Peikert 12]

Let k = log_b q. We have G ∈ Z_q^{n×nk} and A ∈ Z_q^{n×m}.

Trapdoor for A: A × [R; I] = G mod q, where A = [A’ | G – A’R].

SLIDES 35-37

Preimage sampling [GPV 08]

For random images, there is a way to sample the preimage without revealing the trapdoor.

Real:      given A and U, sample D with the trapdoor of A s.t. A × D = U mod q.
Simulated: sample a short D first and set U := A × D mod q.

Real ≈ Simulated (statistically).

SLIDES 38-43

GGH15 in a nutshell

> (Ring)LWE analogy: A, S1A+E1, …, SkA+Ek → (∏S)A+E mod q

> GGH15 (also appears as “cascaded LWE” in [Koppula-Waters 16], [Alamati-Peikert 16]):

  A0 D1 = S1A1+E1,  A1 D2 = S2A2+E2  mod q

  Di is sampled using the trapdoor of Ai-1. Publish A0, D1, D2 as the encodings of S1, S2.

Zoom in on the most important relation of this talk: Ai-1 × Di = Si × Ai + E mod q, where Di is sampled using the trapdoor of Ai-1 (“S is the eigenvalue of D”).

Functionality: Eval = A0 D1 D2 = (S1A1+E1)D2 = S1S2A2 + S1E2 + E1D2 mod q, where S1E2 + E1D2 is small.

SLIDES 44-50

A toy example of GGH15 eval

Encodings: A0 and Di,b for i = 1..4, b ∈ {0, 1}, with Ai-1 × Di,b = Si,b × Ai + E mod q.

Eval(0110) = A0 D1,0 D2,1 D3,1 D4,0
           = (s1,0 A1 + E1,0) D2,1 D3,1 D4,0
           = s1,0 A1 D2,1 D3,1 D4,0 + “small”
           = s1,0 (s2,1 A2 + E2,1) D3,1 D4,0 + “small”
           = s1,0 s2,1 A2 D3,1 D4,0 + “still small”
           = s1,0 s2,1 s3,1 A3 D4,0 + “still smallish”
           = s1,0 s2,1 s3,1 s4,0 A4 + “small”
SLIDES 51-52

Functionality and Security

A0, S1A1+E1, …, SkAk+Ek → (∏S)Ak+E mod q

Functionality: evaluate and test whether ∏S is zero or not. (Designing GGH15 applications: put structures in Si,b.)

Security (intuitively): hides Si,b for all i, b.
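The chain of slides 33-52 as an added example that is not the talk's or GGH15's own code: a gadget trapdoor of the shape A = [A' | G − A'R] with T = [R; I] (slide 34), preimages computed as D = T·G^{-1}(Y) instead of GPV sampling, the relation A_{i-1} D_i = S_i A_i + E_i, and the public zero-test on A0 D1 D2. The dimensions (n = 2, k = 20, q = 2^20), the error distribution and the secret matrices are toy assumptions, and the deterministic preimage leaks the trapdoor, so this shows functionality only.

```python
import random

# Added example, not code from the talk or from GGH15: a toy GGH15 chain on a
# Micciancio-Peikert style gadget trapdoor A = [A' | G - A'R], T = [R; I].
# Preimages are the deterministic D = T * G^{-1}(Y) instead of GPV samples, so
# the chain shows the relation A_{i-1} D_i = S_i A_i + E_i and the zero-test,
# not a secure instantiation.  All dimensions are toy values (assumptions).

N, K = 2, 20              # N rows per A_i; base-2 gadget with K digits per row
Q = 1 << K                # modulus q = 2^K, large compared with the noise
MP = 2                    # columns of the uniform block A'
M = MP + N * K            # width of every A_i and of every (square) D_i
BOUND = Q // 64           # zero-test threshold, well above the accumulated noise

def matmul(X, Y, q=None):
    """Integer matrix product X*Y, reduced mod q when q is given."""
    out = [[sum(x * Y[t][j] for t, x in enumerate(row)) for j in range(len(Y[0]))]
           for row in X]
    return [[v % q for v in r] for r in out] if q else out

def matadd(X, Y, q):
    return [[(a + b) % q for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]

def centered(v):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v

def noise_norm(X, Y):
    """max |centered(X - Y)|: how far X is from Y modulo q."""
    return max(abs(centered(a - b)) for rx, ry in zip(X, Y) for a, b in zip(rx, ry))

def gadget():
    """Power-of-2 matrix G = I_N (x) (1, 2, ..., 2^(K-1)), shape N x N*K."""
    return [[(1 << j) if r == i else 0 for r in range(N) for j in range(K)]
            for i in range(N)]

def gadget_inverse(Y):
    """Bit-decompose Y (entries in [0, q)) into X in {0,1}^(N*K x w) with G X = Y."""
    return [[(Y[r][c] >> j) & 1 for c in range(len(Y[0]))]
            for r in range(N) for j in range(K)]

def trapdoor_gen(rng):
    """A = [A' | G - A'R] mod q with the short trapdoor T = [R; I]: A T = G mod q."""
    Ap = [[rng.randrange(Q) for _ in range(MP)] for _ in range(N)]
    R = [[rng.choice((-1, 0, 1)) for _ in range(N * K)] for _ in range(MP)]
    ApR, G = matmul(Ap, R), gadget()
    A = [Ap[i] + [(G[i][j] - ApR[i][j]) % Q for j in range(N * K)] for i in range(N)]
    T = R + [[int(i == j) for j in range(N * K)] for i in range(N * K)]
    return A, T

def preimage(T, Y):
    """Short D with A D = Y mod q, computed from the trapdoor T of A alone."""
    return matmul(T, gadget_inverse(Y))

def small(rng, rows, cols):
    """Constructed error matrix with entries in {-1, 0, 1}."""
    return [[rng.choice((-1, 0, 1)) for _ in range(cols)] for _ in range(rows)]

def ggh15_encode(seed, secrets):
    """Encode S_1..S_k: A_{i-1} D_i = S_i A_i + E_i mod q, D_i via the trapdoor of A_{i-1}.
    Returns the public A_i, their trapdoors (kept secret) and the encodings D_i."""
    rng = random.Random(seed)
    As, Ts = zip(*[trapdoor_gen(rng) for _ in range(len(secrets) + 1)])
    Ds = []
    for i, S in enumerate(secrets):
        Y = matadd(matmul(S, As[i + 1], Q), small(rng, N, M), Q)
        Ds.append(preimage(Ts[i], Y))
    return list(As), list(Ts), Ds

def ggh15_eval(A0, Ds):
    """A0 D_1 ... D_k mod q, which equals (S_1 ... S_k) A_k + small."""
    acc = A0
    for D in Ds:
        acc = matmul(acc, D, Q)
    return acc

def zero_test(Y):
    """Public zero-test: the product of the secrets is zero iff the eval is small."""
    return all(abs(centered(v)) <= BOUND for row in Y for v in row)

if __name__ == "__main__":
    S1, S2 = [[1, 1], [0, 1]], [[1, 0], [1, 1]]       # constructed small secrets
    As, Ts, Ds = ggh15_encode(2019, [S1, S2])
    out = ggh15_eval(As[0], Ds)
    print("noise of A0 D1 D2 vs S1 S2 A2:", noise_norm(out, matmul(matmul(S1, S2), As[2], Q)))
    print("zero-test with S1 S2 != 0:", zero_test(out))
    As, Ts, Ds = ggh15_encode(2019, [S1, [[0, 0], [0, 0]]])
    print("zero-test with S2 = 0:    ", zero_test(ggh15_eval(As[0], Ds)))
```

The noise of A0 D1 D2 relative to S1 S2 A2 is S1 E2 + E1 D2, which stays far below q/2 here, so the zero-test separates a zero product from a non-zero one.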

SLIDES 53-60

Functionality & Security: toy examples

Two levels, with encodings A0; D1,1, D1,0; D2,1, D2,0 such that

  A0 D1,b = S1,b A1 + E,   A1 D2,b = S2,b A2 + E   mod q,

so Eval(x) = A0 D1,x1 D2,x2 = (∏S) A2 + E. The structures placed in the S matrices realize F(00) = 0, F(01) = 1, F(10) = 1, F(11) = 1.

Claim: this construction hides all the structures in the S matrices.

Proof idea:
> Recall decisional LWE: (A, S × A + E) ≈ computational (A, U).
> Permutation-LWE: split A into blocks A(1), A(2), A(3). Then (A, S × A + E) ≈ computational (A, U) also when S applies s to the blocks of A in permuted order, i.e. for S = P ⊗ s with P a permutation matrix.
> Step 1 (Permutation LWE): replace the last-level images S2,b A2 + E by uniform U2,1, U2,0.
> Step 2 (turn off the trapdoor using GPV): sample the short D2,b first and set U2,b := A1 D2,b.
> Repeat for level 1: replace S1,b A1 + E by uniform U1,1, U1,0 (Permutation LWE), then turn off the trapdoor of A0 using GPV.

SLIDE 61

Ok, looks simple. Are there insecure examples?

SLIDES 62-64

Insecurity example

For example, let S2 = 0 in A0 D1 = S1A1+E1, A1 D2 = S2A2+E2 mod q, so that A1 D2 = E2 mod q.

D2 becomes a “weak trapdoor” of A1, then S1 is in danger.

Eval = A0 D1 D2 = (S1A1+E1)D2 = S1E2 + E1D2 mod q. Recover S1E2 + E1D2 over the integers; can do many things.

SLIDE 65

Plan of today:

  • 1. Introduction
  • 2. The GGH15 construction: functionality and security overview
  • 3. Applications

Open problems will be mentioned throughout the talk.

SLIDE 66

Multilinear maps give:
  • Indistinguishability obfuscation
  • Lockable obfuscation (Compute-then-Compare obf.)
  • Private constrained PRFs [Canetti, Chen 17]
  • Multiparty key agreement
  • Witness encryption [Chen, Vaikuntanathan, Wee 18]
  • Deniable encryption
  • Broadcast encryption

Legend of the diagram: Reduction from LWE; Candidates exist; Broken.

SLIDE 67

What are private constrained PRFs?

SLIDES 68-70

Private constrained Pseudorandom Function in 3 slides

PRF vs. a truly random function: the adversary has oracle access to either the left or the right.

Private key owner: holds the original key and a privately modified key. The adversary gets either the original key or the modified one.
SLIDE 71

What are private constrained PRFs? Fine, so why are they useful?

SLIDE 72

Reminiscent of obfuscation ... Hide the program in the constraint.

SLIDE 73

Theorem [Canetti Chen 17]: Two-key PCPRF (for a circuit class C) implies obfuscation (for C).

Construction: Obf = (K[C], K[Original]). Eval(x): check consistency, Eval(K[C], x) =? Eval(K[Original], x).

SLIDE 74

Jumping ahead: if you publish two constrained keys, there is an attack … In the rest of the talk, we will focus on 1-key secure PCPRFs.

SLIDE 75

1-key PCPRF => Reusable Garbled Circuits (figure: “decrypt and eval”)

SLIDE 76

Theorem [Canetti Chen 17]: 1-key PCPRF implies 1-key private-key functional encryption (reusable garbled circuits).

Construction: from a normal encryption scheme Sym and a PCPRF F.
  Enc(m; r): ct = Enc_{Sym.K}(m; r); tag = F[K](ct)
  FSK[Sym.K, F.K, C]: constrained key for the “decrypt and eval” functionality C(Dec_{Sym.K}(·))
  Eval: compute F[C(Dec_{Sym.K}(·))](ct) and compare with tag

SLIDE 77

Applications of PCPRFs: *Obfuscation; Reusable garbled circuits; Privately-detectable watermarking; Maybe more …

SLIDE 78

What are private constrained PRFs? Why are they useful? How to construct them?

SLIDE 79

Step 1: We need a PRF. Step 2: Add a constraint privately.

SLIDE 80

[Banerjee, Peikert, Rosen ’12] Subset-product & rounding

Key: s1,1, s1,0, s2,1, s2,0, …, sn,1, sn,0 (the si,b are LWE secrets from low-norm distributions) and the public matrix A.
Eval: F(x) = { ∏ si,xi A }2 mod q

SLIDE 81

Rounding {t}p: Zq → Zp. Compute t·p/q, then round to the nearest integer. In this talk, p = 2, q/p > exp(L), q/p ∼ super-polynomial.

(Figure: the amount of noise is small relative to q.)

SLIDES 82-87

[Banerjee, Peikert, Rosen 12] Proof of pseudorandomness

F(x) = { ∏ si,xi A }2 mod q, where A is public (uniform) and the Si,xi are secret (small).

Main observation: after rounding, one can inject noise without changing the functionality w.h.p.

F(0110) = { s1,0 s2,1 s3,1 s4,0 A }2
        ≈s { s1,0 s2,1 s3,1 (s4,0 A + E4,0) }2
        ≈c { s1,0 s2,1 s3,1 Y***0 }2
        ≈s { s1,0 s2,1 (s3,1 Y***0 + E3,1) }2
        ≈c { s1,0 s2,1 Y**10 }2
        ≈ … ≈ { Y0110 }2
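The rounding PRF of slides 80-87 and the noise-injection observation behind its proof, as an added example that is not the paper's or the talk's code: small 2×2 matrix secrets s_{i,b}, F(x) = { ∏ s_{i,x_i} A }_2, and a second evaluation with an error E injected under the last level, which rounds to the same output except with small probability. The parameters n = 2, m = 8, q = 2^30, the input length and the secret distribution are toy assumptions.

```python
import random

# Added example, not code from the talk: the [Banerjee, Peikert, Rosen 12]
# subset-product-and-rounding PRF F(x) = { prod_i s_{i,x_i} A }_2 with small
# 2x2 matrix secrets, and the "main observation" behind its proof: an error E
# injected under the product at some level vanishes under rounding w.h.p.
# n, m, q, the input length and the secret distribution are toy assumptions.

N, M, L = 2, 8, 4          # secret dimension, width of A, input length
Q, P = 1 << 30, 2          # modulus and rounding modulus (p = 2 as in the talk)

def matmul(X, Y, q=None):
    out = [[sum(x * Y[t][j] for t, x in enumerate(row)) for j in range(len(Y[0]))]
           for row in X]
    return [[v % q for v in r] for r in out] if q else out

def round_to_p(t):
    """{t}_p : Z_q -> Z_p, i.e. t * p / q rounded to the nearest integer, mod p."""
    return ((t * P + Q // 2) // Q) % P

def keygen(seed):
    """Public A in Z_q^{N x M}; secrets s_{i,b} with entries in {0, 1} (low norm)."""
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    s = [[[[rng.randrange(2) for _ in range(N)] for _ in range(N)] for b in range(2)]
         for i in range(L)]
    return A, s

def subset_product(s, x):
    """prod_i s_{i, x_i} over the integers (entries stay tiny)."""
    acc = [[int(i == j) for j in range(N)] for i in range(N)]
    for i, bit in enumerate(x):
        acc = matmul(acc, s[i][bit])
    return acc

def prf(key, x):
    """F(x) = { prod_i s_{i,x_i} A }_2, returned as an N x M bit matrix."""
    A, s = key
    Y = matmul(subset_product(s, x), A, Q)
    return [[round_to_p(v) for v in row] for row in Y]

def prf_with_injected_noise(key, x, seed):
    """Evaluate with s_L A replaced by s_L A + E (E in {-1,0,1}^{N x M}):
    { s_1..s_{L-1} (s_L A + E) }_2, which equals prf(key, x) unless some entry
    of the unrounded value sits within |s_1..s_{L-1} E| of a rounding boundary."""
    A, s = key
    rng = random.Random(seed)
    E = [[rng.choice((-1, 0, 1)) for _ in range(M)] for _ in range(N)]
    last = matmul(s[L - 1][x[L - 1]], A, Q)
    noisy = [[(a + e) % Q for a, e in zip(ra, re)] for ra, re in zip(last, E)]
    Y = matmul(subset_product(s, x[:-1]), noisy, Q)
    return [[round_to_p(v) for v in row] for row in Y]

def all_inputs():
    """All 2^L inputs as bit tuples, most significant bit first."""
    return [tuple((k >> (L - 1 - i)) & 1 for i in range(L)) for k in range(1 << L)]

if __name__ == "__main__":
    key = keygen(2019)
    for x in all_inputs():
        same = prf(key, x) == prf_with_injected_noise(key, x, seed=sum(x))
        print("".join(map(str, x)), prf(key, x)[0], "noise vanished:", same)
```

With q/p this large the injected error moves each unrounded entry by at most a few units, so it crosses a rounding boundary only with probability on the order of noise/q.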

SLIDES 88-89

[Banerjee, Peikert, Rosen ’12] Subset-product & rounding

Key: s1,1, s1,0, s2,1, s2,0, …, sn,1, sn,0 and the public matrix A. Eval: F(x) = { ∏ si,xi A }2 mod q

Exercise: show that taking the matrix subset-product without rounding does not give a PRF.

Open problem: prove or disprove that when q is a polynomial, the construction is a PRF.

SLIDE 90

Key: s1,1, s1,0, s2,1, s2,0, …, sn,1, sn,0 and the public matrix A. Eval: F(x) = { ∏ si,xi A }2 mod q

What we need in addition to build a Private Constrained PRF:
+ Embed structures in the secret terms to perform the functionality (Barrington’s theorem)
+ A proper public mode of the function (GGH15 encoding)

SLIDE 91

Imagine the GGH15 encoding of the PRF: publish A0 and the Di,b, and evaluate A0 ∏ Di,xi = (∏ Si,xi) A4 + “small” (figure with four levels, D1,b … D4,b and S1,b … S4,b).

SLIDE 92

Barrington’s theorem (used to embed a circuit into the key)

SLIDES 93-97

(Bonus) Barrington 1986: log-depth boolean circuits can be recognized by subset products of permutation matrices of width 5.

Example: how to represent an AND gate. Four steps read input wire 1, input wire 2, input wire 1, input wire 2; on bit 0 a step contributes I, on bit 1 it contributes P, Q, P^{-1}, Q^{-1} respectively.

  0 and 0: I I I I = I
  0 and 1: I Q I Q^{-1} = I
  1 and 0: P I P^{-1} I = I
  1 and 1: P Q P^{-1} Q^{-1} = C ≠ I

SLIDE 98

Representation of the constraint predicate: branching program

  Steps:   1      2      3      …   L
  Input:   z(1)   z(2)   z(3)   …   z(L)
  Bit 1:   B1,1   B2,1   B3,1   …   BL,1
  Bit 0:   B1,0   B2,0   B3,0   …   BL,0

Eval: ∏ Bi,x_z(i) = I or C

SLIDE 99

Representation of secrets (to be encoded by GGH15): we set the secrets like Bi,b ⊗ si,b.

E.g. I ⊗ s is the block matrix with s on the diagonal, and P ⊗ s is the block matrix with the s blocks placed according to the permutation P (figure: the 5×5 block layouts of I ⊗ s and P ⊗ s; the S1,b … S4,b are then encoded with A0 … A4).

SLIDE 100

PCPRF for NC1 constraints (permutation branching programs)

SLIDES 101-102

PCPRFs for Branching programs from GGH15

Master public key: A0 … AL (L = #steps in BP)
Master secret key: trapdoors of A1 … AL, s1,0, s1,1, …, sL,0, sL,1
Constrained key gen: let Si,b := Bi,b ⊗ si,b, sample GGH15 encodings Di,b for Si,b
Constrained key: A0, D1,0, D1,1, …, DL,0, DL,1 (in the figure each step is labelled with the input index z(i) it reads, e.g. 1 2 1 2)
Eval: F(x) = { A0 ∏ Di,x_z(i) }2, then pick the first row

Functionality check:
When C(x) = 1: F(x) = { A0 ∏ Di,x_z(i) }2 = { (I ⊗ ∏ si,x_z(i)) AL + small noise }2 ≈s { (I ⊗ ∏ si,x_z(i)) AL }2
When C(x) = 0: F(x) = { A0 ∏ Di,x_z(i) }2 = { (C ⊗ ∏ si,x_z(i)) AL + small noise }2 ≈s { (C ⊗ ∏ si,x_z(i)) AL }2
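The Barrington AND gadget of slides 93-97, the branching-program evaluation rule of slide 98 and the secret embedding S_{i,b} = B_{i,b} ⊗ s_{i,b} of slides 99 and 102, as an added example that is not the talk's code: P and Q are one pair of 5-cycles with P Q P^{-1} Q^{-1} ≠ I (an assumption), the toy secrets are constructed 2×2 matrices, and the lattice part (A_i, D_{i,b}) is omitted. The check shows that the product of the embedded secrets equals (I or C) ⊗ ∏ s, which is the structure the functionality check on slide 102 relies on.

```python
# Added example (not the talk's code): Barrington's width-5 AND gadget as a
# permutation branching program, the evaluation rule prod_i B_{i, x_z(i)},
# and the secret embedding S_{i,b} = B_{i,b} (x) s_{i,b} that the PCPRF
# encodes with GGH15.  P and Q below are one valid pair of 5-cycles (an
# assumption); everything is integer matrix arithmetic, no lattice part.

def matmul(X, Y):
    return [[sum(x * Y[t][j] for t, x in enumerate(row)) for j in range(len(Y[0]))]
            for row in X]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def perm_matrix(p):
    """Permutation matrix with M e_j = e_{p[j]}, so M_p M_q = M_{p o q}."""
    return [[int(p[j] == i) for j in range(len(p))] for i in range(len(p))]

def inverse(P):
    """A permutation matrix is orthogonal: its inverse is its transpose."""
    return [list(col) for col in zip(*P)]

def kron(X, Y):
    """Kronecker product X (x) Y.  Mixed product: (B (x) s)(B' (x) s') = BB' (x) ss'."""
    return [[x * y for x in rx for y in ry] for rx in X for ry in Y]

P = perm_matrix([1, 2, 3, 4, 0])   # 5-cycle 0->1->2->3->4->0
Q = perm_matrix([2, 4, 1, 0, 3])   # 5-cycle 0->2->1->4->3->0, does not commute with P
I5 = identity(5)
COMMUTATOR = matmul(matmul(P, Q), matmul(inverse(P), inverse(Q)))   # C = P Q P^-1 Q^-1 != I

# Branching program for AND(x1, x2): one (z(i), B_{i,0}, B_{i,1}) per step.
# Step i reads input bit x[z(i)] and contributes B_{i,0} = I on 0, B_{i,1} on 1,
# so the product is I unless both bits are 1, when it is the commutator C.
AND_PROGRAM = [
    (0, I5, P),            # step 1 reads wire 1
    (1, I5, Q),            # step 2 reads wire 2
    (0, I5, inverse(P)),   # step 3 reads wire 1
    (1, I5, inverse(Q)),   # step 4 reads wire 2
]

# Constructed toy secrets s_{i,b} (2x2, small entries), one pair per step.
SECRETS = [
    ([[1, 1], [0, 1]], [[2, 0], [1, 1]]),
    ([[1, 0], [1, 1]], [[1, 2], [0, 1]]),
    ([[2, 1], [1, 0]], [[1, 0], [2, 1]]),
    ([[1, 1], [1, 0]], [[0, 1], [1, 2]]),
]

def eval_bp(program, x):
    """prod_i B_{i, x_{z(i)}} for any program of (z, B0, B1) steps (slide 98)."""
    acc = identity(len(program[0][1]))
    for z, B0, B1 in program:
        acc = matmul(acc, B1 if x[z] else B0)
    return acc

def embed_secrets(program, secrets):
    """S_{i,b} = B_{i,b} (x) s_{i,b}: the matrices GGH15 would encode (slide 99)."""
    return [(z, kron(B0, s0), kron(B1, s1))
            for (z, B0, B1), (s0, s1) in zip(program, secrets)]

def secret_only(program, secrets):
    """The same program with B_{i,b} dropped, to compute prod_i s_{i, x_{z(i)}}."""
    return [(z, s0, s1) for (z, _, _), (s0, s1) in zip(program, secrets)]

def and_gate(x):
    """Decode the permutation product: 1 iff the product is the commutator."""
    return int(eval_bp(AND_PROGRAM, x) == COMMUTATOR)

def embedded_matches_structure(x):
    """Check prod_i S_{i,x} == (prod_i B_{i,x}) (x) (prod_i s_{i,x}) for input x,
    i.e. the evaluation carries I (x) prod s or C (x) prod s as on slide 102."""
    lhs = eval_bp(embed_secrets(AND_PROGRAM, SECRETS), x)
    rhs = kron(eval_bp(AND_PROGRAM, x), eval_bp(secret_only(AND_PROGRAM, SECRETS), x))
    return lhs == rhs

if __name__ == "__main__":
    for x in ((0, 0), (0, 1), (1, 0), (1, 1)):
        print(x, "AND =", and_gate(x), "structure preserved:", embedded_matches_structure(x))
```

The talk's example predicate "C(x) = 0 iff x1 = x2 = 1" is the complement of and_gate: the program yields C exactly on the input that the constraint rejects.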

SLIDES 103-110

PCPRFs for Branching programs from GGH15

How to show that the branching program is hidden by the GGH15 encoding? The si,xi are secret; Ai and Di,xi are public.

Example: C(x) = 0 iff x1 = x2 = 1; query x = 11.
  Real:      Eval(11) = { I ⊗ (s1,1 s2,1 s3,1 s4,1) A4 }2
  Simulator: { Uniform }2

Eval(11) = { I ⊗ (s1,1 s2,1 s3,1 s4,1) A4 }2
  ≈s { (Q ⊗ (s1,1 s2,1 s3,1)) ((Q^{-1} ⊗ s4,1) A4 + E4,1) }2
       [re-express, using the last-level images Y4,1 = (Q^{-1} ⊗ s4,1) A4 + E4,1 and Y4,0 = (I ⊗ s4,0) A4 + E4,0]
  ≈c { (Q ⊗ (s1,1 s2,1 s3,1)) A3 D4,1 }2
       [Perm-LWE replaces Y4,1, Y4,0 by uniform U4,1, U4,0, giving { (Q ⊗ (s1,1 s2,1 s3,1)) U4,1 }2; then GPV turns off the trapdoor of A3 and U4,1 = A3 D4,1]
  ≈s { (QP ⊗ (s1,1 s2,1)) ((P^{-1} ⊗ s3,1) A3 + E3,1) D4,1 }2
       [re-express, using Y3,1 = (P^{-1} ⊗ s3,1) A3 + E3,1 and Y3,0 = (I ⊗ s3,0) A3 + E3,0]
  ≈c { (QP ⊗ (s1,1 s2,1)) A2 D3,1 D4,1 }2
       [Perm-LWE, then GPV for the trapdoor of A2]
  ≈c … ≈c { C^{-1} A0 ∏ Di,x_z(i) }2

SLIDE 111

Takeaway from the PCPRF construction: it is safe to use GGH15 to encode permutation matrices and make it useful.

SLIDE 112

Genealogy of lattice-based PRFs

[BPR12] -- the first lattice-based PRF
[BLMR13] -- key homomorphic
*[BP14] -- better key homomorphic, embeds a tree
*[BFPPS15] -- [BP14] is puncturable
*[BV15] -- embeds a circuit, constrained for P
*[BKM17] -- punctures privately, built from [BV15]
[CC17] -- constrained privately for NC1, influenced by GGH15 mmaps
*[BTVW17] -- constrained privately for all P, built from [BV15]
*[PS18] -- constrained and program privately for all P, built from [BV15]
[CVW18] -- constrained privately for BP, influenced by GGH15 mmaps

* uses the gadget matrix G, adapted from the lattice-based FHE, ABE, PE

Question: Is there a transformation between Dual-Regev-based homomorphic schemes and GGH15-based ones?

SLIDE 113

Multilinear maps: applications with reductions from LWE

GGH15 multilinear maps give:
  • Lockable obfuscation (Compute-then-Compare obf.)
  • Private constrained PRFs
  • Traitor tracing
  • *Hash functions for Fiat-Shamir (exercise)

SLIDE 114

Open problem: use the PCPRF construction as a hash function; prove more properties. (Figure: the GGH15 evaluation A0 ∏ Di,xi = (∏ Si,xi) A4 + “small”.)

SLIDE 115

Application 1: Private constrained PRF from GGH15 encoding

  • 1. PRF from lattices
  • 2. Constrained PRF
  • 3. Private constrained PRF with a reduction from LWE

Mainly based on [Canetti, Chen 17]

Application 2: Witness encryption

  • 1. A candidate construction (without reduction from anything)
  • 2. The proof techniques we developed.

Mainly based on [Chen, Vaikuntanathan, Wee 18]

SLIDE 116

WitnessEnc(x, m) → CT, with x = instance, m = message. Decryption(CT, w), with w = witness.
Functionality: if x is SAT, the witness can be used to decrypt the message.
Security: if x is UNSAT, the message is hidden.

WitnessEnc(x = “GapSVP is in BQP”, msg = 100 Bitcoins)

SLIDE 117

Do we have secure witness encryption?

> Current status of witness encryption: there are several candidates (more-or-less based on multilinear maps); none of them are based on established cryptographic assumptions.

> [Garg et al. 13] candidate witness encryption based on GGH13, broken by [Hu, Jia 16].
> [Gentry, Lewko, Waters 14] from the multilinear subgroup decision assumption (which is open).

SLIDE 118

When witness encryption meets multilinear maps ...

[Gentry, Lewko, Waters 14]: witness encryption from the “mmaps subgroup decision assumption”.

SLIDE 119

[Gentry, Lewko, Waters 14] gives a simple encoding of CNF.

Example: encoding a point function C(x) = 0 iff x = 100 (figure: diagonal matrices for steps 1, 2, 3 with one S block per slot).

In general: any CNF => diagonal-matrix read-once branching programs.

SLIDE 120

A strawman implementation of GLW14 in GGH15 ([Gentry, Lewko, Waters 14] gives a simple encoding of CNF).

A0 D1,0 = S1,0A1+E1,0, …, Ah-1 Dh,0 = Sh,0Ah+Eh,0 mod q
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q

Each secret is Mh,1 ⊗ S’h,1, where Mh,1 is diagonal with the CNF slots followed by a msg slot. The CNF slots are all on the diagonal.

SLIDE 121

So far: a witness encryption with special structure that uses GGH15 + diagonal / low-rank matrix branching programs.

Q: Can we show anything secure for low-rank BP + GGH15? A: Yes! … in some limited cases.

SLIDE 122

A0 D1,0 = S1,0A1+E1,0, …, Ah-1 Dh,0 = Sh,0Ah+Eh,0 mod q
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q

As secure as LWE when there is one “slot” that is always random in all the matrices: each Si,1 (S1,1 … Sh,1) consists of an “anything” part plus the “always random” slot.

slide-123
SLIDE 123

123

Where can the special type of BP be useful?

A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q

Anything

S11

Anything

The “always random” slot

Sh1

slide-124
SLIDE 124

124

Where can the special type of BP be useful?

We don’t know how to build a witness encryption or iO from this type of BP :(

A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q

Anything

S11

Anything

The “always random” slot

Sh1

slide-125
SLIDE 125

125

Where can the special type of BP be useful?

We don’t know how to build a witness encryption or iO from this type of BP :( We can simplify the private constrained PRF, Lockable obfuscation :) E.g. Instantiate the private puncturable PRF from [Boneh, Lewi, Wu 17] described under the multilinear subgroup decision assumption:

slide-126
SLIDE 126

126

Where can the special type of BP be useful?

We don’t know how to build a witness encryption or iO from this type of BP :(
We can simplify the private constrained PRF, Lockable obfuscation :)
E.g. Instantiate the private puncturable PRF from [ Boneh, Lewi, Wu 17 ] described under the multilinear subgroup decision assumption:

A0 D1,0 = S1,0 A1 + E1,0, …, Ah-1 Dh,0 = Sh,0 Ah + Eh,0 mod q
A0 D1,1 = S1,1 A1 + E1,1, …, Ah-1 Dh,1 = Sh,1 Ah + Eh,1 mod q

[Figure: each Si,b now carries two distinguished diagonal slots: S11, …, Sh1, the “always random” slot, and s, the “puncturable” slot]

slide-127
SLIDE 127

127

Open problem: prove or disprove that the structures are hidden when the evaluation is big for ALL inputs => witness encryption

[Figure: the diagonal-matrix branching program from slide 119 again, diagonal entries S or 1, slots labelled 1 2 3]

slide-128
SLIDE 128

128

How to prove security for GGH15 + low-rank BPs?

Semantic security:

A0 D1,0 = S1,0 A1 + E1,0, …, Ah-1 Dh,0 = Sh,0 Ah + Eh,0 mod q
A0 D1,1 = S1,1 A1 + E1,1, …, Ah-1 Dh,1 = Sh,1 Ah + Eh,1 mod q

≈ computational

the same system with the encodings replaced by U1,0, U1,1, …, Uh,0, Uh,1

“A” matrices: using trapdoors; not using trapdoors

slide-129
SLIDE 129

129

For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)

A0 D1,1 = S1,1 A1 + E1,1, …, Ah-1 Dh,1 = Sh,1 Ah + Eh,1 mod q

[Figure: the last equation with the A matrices split into two row blocks:
[ Ah-1(1) ; Ah-1(2) ] x Dh,1 = S x [ Ah(1) ; Ah(2) ] + E = [ Yh-1(1) ; Yh-1(2) ]]

slide-130
SLIDE 130

130

For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)

A0 D1,1 = S1,1 A1 + E1,1, …, Ah-1 Dh,1 = Sh,1 Ah + Eh,1 mod q

[Figure: [ Ah-1(1) ; Ah-1(2) ] x Dh,1 = S x [ Ah(1) ; Ah(2) ] + E = [ Yh-1(1) ; Yh-1(2) ]]

Observation: Yh-1(1) is not random. The problem: How to close the trapdoor of Ah-1?

slide-131
SLIDE 131

131

Lattice trapdoor Lemma 1:

[ A(1) ; A(2) ] x D = [ Z ; U ]

Z is arbitrary, U is uniform, a trapdoor is used

slide-132
SLIDE 132

132

Lattice trapdoor Lemma 1:

[ A(1) ; A(2) ] x D = [ Z ; U ]   (Z is arbitrary, U is uniform, a trapdoor is used)

≈ statistical

[ A(1) ; A(2) ] x D = [ Z ; U ]   after closing the trapdoor of A(2)

slide-133
SLIDE 133

133

For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)

A0 D1,1 = S1,1 A1 + E1,1, …, Ah-1 Dh,1 = Sh,1 Ah + Eh,1 mod q

[Figure: [ Ah-1(1) ; Ah-1(2) ] x Dh,1 = S x [ Ah(1) ; Ah(2) ] + E = [ Yh-1(1) ; Yh-1(2) ]]

Use Lemma 1 + use S as public matrix: can close the lower trapdoor all the way back

slide-134
SLIDE 134

134

For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)

A0 D1,1 = S1,1 A1 + E1,1, …, Ah-1 Dh,1 = Sh,1 Ah + Eh,1 mod q

[Figure: [ Ah-1(1) ; Ah-1(2) ] x Dh,1 = S x [ Ah(1) ; Ah(2) ] + E = [ Yh-1(1) ; Yh-1(2) ], with the lower block Ah-1(2) now trapdoor-free]

Use Lemma 1 + use S as public matrix: can close the lower trapdoor all the way back

slide-135
SLIDE 135

135

For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)

A0 D1,1 = S1,1 A1 + E1,1, …, Ah-1 Dh,1 = Sh,1 Ah + Eh,1 mod q …

[Figure: the first level in the same split form:
[ A0(1) ; A0(2) ] x D1,1 = S x [ A1(1) ; A1(2) ] + E = [ Y1(1) ; Y1(2) ]]

Use Lemma 1 + use S as public matrix: can close the lower trapdoor all the way back

slide-136
SLIDE 136

136

For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)

A0 D1,1 = S1,1 A1 + E1,1, …, Ah-1 Dh,1 = Sh,1 Ah + Eh,1 mod q

[Figure: [ A0(1) ; A0(2) ] x D1,1 = S x [ A1(1) ; A1(2) ] + E = [ Y1(1) ; Y1(2) ]]

Use Lemma 1 + use S as public matrix: can close the lower trapdoor all the way back
Problem: Now how to deal with the upper matrices?

slide-137
SLIDE 137

137

For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)

A0 D1,1 = S1,1 A1 + E1,1, …, Ah-1 Dh,1 = Sh,1 Ah + Eh,1 mod q

[Figure: [ A0(1) ; A0(2) ] x D1,1 = S x [ A1(1) ; A1(2) ] + E = [ Y1(1) ; Y1(2) ]]

Use Lemma 1 + use S as public matrix: can close the lower trapdoor all the way back
Problem: Now how to deal with the upper matrices?
Solution: In the real construction, give out A0(1) + A0(2).

slide-138
SLIDE 138

138

Lattice trapdoor Lemma 2:

A x D = Z + E

For any Z, for a uniformly random A, D is the preimage of Z+E.

slide-139
SLIDE 139

139

Lattice trapdoor Lemma 2:

A x D = Z + E

For any Z, for a uniformly random A, D is the preimage of Z+E. If A & Z+E are hidden,

[Figure: the same equation, with the note “You cannot see A & Z+E”]

slide-140
SLIDE 140

140

Lattice trapdoor Lemma 2:

A x D = Z + E

For any Z, for a uniformly random A, D is the preimage of Z+E. If A & Z+E are hidden, then D is indistinguishable from random Gaussian.

[Figure: D as the preimage of Z+E under A  ≈ computational  D sampled as a random Gaussian, with the note “You cannot see A & Z+E”]

slide-141
SLIDE 141

141

For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)

A0 D1,1 = S1,1 A1 + E1,1, …, Ah-1 Dh,1 = Sh,1 Ah + Eh,1 mod q

[Figure: [ A0(1) ; A0(2) ] x D1,1 = S x [ A1(1) ; A1(2) ] + E = [ Y1(1) ; Y1(2) ]]

Use Lemma 1 + use S as public matrix: can close the lower trapdoor all the way back
Problem: Now how to deal with the upper matrices?
Solution: In the real construction, give out A0(1) + A0(2), + Lemma 2

slide-142
SLIDE 142

142

For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)

A0 D1,1 = S1,1 A1 + E1,1, …, Ah-1 Dh,1 = Sh,1 Ah + Eh,1 mod q

[Figure: [ A0(1) ; A0(2) ] x D1,1 = S x [ A1(1) ; A1(2) ] + E = [ Y1(1) ; Y1(2) ]]

Use Lemma 1 + use S as public matrix: can close the lower trapdoor all the way back
Problem: Now how to deal with the upper matrices?
Solution: In the real construction, give out A0(1) + A0(2), + Lemma 2

slide-143
SLIDE 143

143

Replay: the proof for GGH15 + low-rank BP

A0 D1,1 = S1,1 A1 + E1,1, …, Ah-1 Dh,1 = Sh,1 Ah + Eh,1 mod q …

[Figure: [ A0(1) ; A0(2) ] x D1,1 = S x [ A1(1) ; A1(2) ] + E = [ Y1(1) ; Y1(2) ]]

First use the lower level random matrices to come left (need new lemma 1)

slide-144
SLIDE 144

144

Replay: the proof for GGH15 + low-rank BP

A0 D1,1 = S1,1 A1 + E1,1, …, Ah-1 Dh,1 = Sh,1 Ah + Eh,1 mod q

[Figure: [ A0(1) ; A0(2) ] x D1,1 = S x [ A1(1) ; A1(2) ] + E = [ Y1(1) ; Y1(2) ]]

First use the lower level random matrices to come left (need new lemma 1)
Then use the upper level “hidden A at the left” to go right (need new lemma 2)

slide-145
SLIDE 145

145

Summary

[Figure: map of applications of multilinear maps, colour-coded by status (reduction from LWE; candidates exist; broken): Indistinguishability obfuscation, Lockable obfuscation (Compute-then-Compare obf.), Private constrained PRFs [ Canetti, Chen 17 ], Multiparty key agreement, Witness encryption [ Chen, Vaikuntanathan, Wee 18 ], Deniable encryption, Broadcast encryption]

slide-146
SLIDE 146

146

Future directions

> Identifying more safe/insecure modes for GGH15, GGH13, CLT13; analysis with new concrete assumptions/conjectured hard problems.

> One concrete direction: Build applications from multilinear maps with “slots” => instantiate using GGH15 with diagonal matrices, and see if there is a chance of proving security from LWE.

slide-147
SLIDE 147

THANKS FOR YOUR TIME

THE END

147

Crypto Innovation School Shanghai 2019