
The CLT Multilinear Map: From DGHV to Zeroizing
Tancrède Lepoint
School on FHE and MMAPs, Paris, October 14-15, 2015

outline
◮ Introduction & timeline
◮ Syntax of MMAPs
◮ Interlude: HE over Z
◮ The CLT13 Candidate


1. numerical example (18 / 68)
◮ $p = 541$, $q_0 = 809 \Rightarrow x_0 = q_0 \cdot p = 437669$
◮ noise size: $\rho = 4$
Encryption:
◮ $c_1 = 737 \cdot 541 + 2 \cdot 6 + 1 = 398730$
◮ $c_2 = 368 \cdot 541 + 2 \cdot 9 + 0 = 199106$
Addition and Multiplication:
◮ $c_3 = c_1 + c_2 \bmod x_0 = (398730 + 199106) \bmod 437669 = 160167$
◮ $c_4 = c_1 \cdot c_2 \bmod x_0 = (398730 \cdot 199106) \bmod 437669 = 317801$
Decryption:
◮ $c_3 \bmod p = 160167 \bmod 541 = 31 = 2 \cdot 15 + 1 = 2 \cdot 15 + (1 \text{ XOR } 0)$
◮ $c_4 \bmod p = 317801 \bmod 541 = 234 = 2 \cdot 117 + 0 = 2 \cdot 117 + (1 \text{ AND } 0)$

3. semantic security (19 / 68)
Consider $D = \{\, q \cdot p + r : q \leftarrow [0, q_0),\ r \leftarrow [0, 2^\rho) \,\}$.
Security of the scheme is based on:
(Error-Free) Decisional Approximate-GCD: given $x_0 = q_0 \cdot p$ and polynomially many $x_i \in D$, decide whether $z$ is uniformly generated in $[0, x_0)$ or in $D$.
Semantic security of the scheme:
◮ Recall that $c = q \cdot p + 2r + m$
◮ Assume $\gcd(2, q_0) = 1$; then $c = 2 \cdot \big( (q/2 \bmod q_0) \cdot p + r \big) + m \bmod (q_0 \cdot p)$, where the bracketed term is an element of $D$ and hence indistinguishable from uniform mod $x_0$
◮ Therefore a ciphertext of $m$ is indistinguishable from uniform

6. batching (1) (20 / 68)
◮ In one ciphertext, encode $\ell$ plaintexts $u_1, u_2, u_3, \dots, u_\ell$
◮ Addition and Multiplication: in parallel over the $\ell$ slots, $(u_1, \dots, u_\ell) \;+\; (v_1, \dots, v_\ell)$ and $(u_1, \dots, u_\ell) \;\times\; (v_1, \dots, v_\ell)$ give $(w_1, \dots, w_\ell)$ slot by slot
◮ Permutations $\pi$ between the slots (algebraic structure)
◮ Public element $x_0 = q_0 \cdot p$
◮ Ciphertext of $m \in \{0, 1\}$: $c = q \cdot p + 2r + m$
◮ $c \bmod p = 2r + m$, and $c \bmod q_0 = (q \cdot p + 2r + m) \bmod q_0$ with $q$ uniform in $[0, q_0)$
◮ We can write $c = \mathrm{CRT}_{q_0, p}(q', 2r + m)$

12. batching (2): extend using the Chinese Remainder Theorem (21 / 68)
$c = \mathrm{CRT}_{q_0, p}(q', 2r + m)$
◮ Generalization to several slots is easy!
◮ Ciphertext of $\vec m = (m_1, \dots, m_n) \in \{0, 1\}^n$: $c = \mathrm{CRT}_{q_0, p_1, \dots, p_n}(q', 2r_1 + m_1, \dots, 2r_n + m_n)$
◮ Decryption: $m_i = (c \bmod p_i) \bmod 2$
◮ Thanks to the structure of the CRT:
  ◮ Addition: the addition is performed modulo each $p_i$, similarly to DGHV
  ◮ Multiplication: the multiplication is performed modulo each $p_i$, similarly to DGHV
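The single-slot scheme of slide 18 and its batched CRT form of slide 21, as an added worked example (this is not code from the talk or from the DGHV/CLT authors). It reproduces the slide-18 ciphertexts in both forms and then runs a three-slot XOR and AND. The toy moduli (Mersenne primes as slots, a 61-bit prime as $q_0$) and the helper names are my own choices.

```python
import random
from math import prod


def crt(moduli, residues):
    """CRT_{m_1..m_k}(r_1..r_k): the x in [0, prod m_i) with x = r_i mod m_i (pairwise coprime m_i)."""
    x0 = prod(moduli)
    return sum(r * (x0 // m) * pow(x0 // m, -1, m) for m, r in zip(moduli, residues)) % x0


def keygen(primes, q0):
    """Secret: the slot primes p_1..p_n.  Public element: x0 = q0 * p_1 * ... * p_n (slide 21)."""
    return {"p": list(primes), "q0": q0, "x0": q0 * prod(primes)}


def dghv_encrypt(key, m, q, r):
    """Single-slot DGHV exactly as on slide 18: c = q * p + 2 r + m (mod x0)."""
    (p,) = key["p"]
    return (q * p + 2 * r + m) % key["x0"]


def encrypt(key, bits, rho, rng=random, q=None, rs=None):
    """Batched ciphertext c = CRT_{q0, p_1..p_n}(q', 2 r_1 + m_1, ..., 2 r_n + m_n), r_i < 2^rho.
    q' is uniform in [0, q0) and the r_i are fresh noise unless fixed for a worked check."""
    n = len(key["p"])
    q = rng.randrange(key["q0"]) if q is None else q
    rs = [rng.randrange(1 << rho) for _ in range(n)] if rs is None else rs
    return crt([key["q0"]] + key["p"], [q] + [2 * r + m for r, m in zip(rs, bits)])


def decrypt(key, c):
    """m_i = (c mod p_i) mod 2: correct as long as the slot noise 2 r_i + m_i stays below p_i."""
    return [(c % p) % 2 for p in key["p"]]


def add(key, c1, c2):
    """Slot-wise XOR: the sum is taken modulo each p_i because x0 is a multiple of every p_i."""
    return (c1 + c2) % key["x0"]


def mul(key, c1, c2):
    """Slot-wise AND; the noise of each slot squares, so the depth is bounded by log(p_i)/rho."""
    return (c1 * c2) % key["x0"]


def demo():
    # Slide 18 numbers: p = 541, q0 = 809, rho = 4.  The CRT form needs q' = c mod q0,
    # which for c1 = 737 * 541 + 13 = 398730 is 702 and for c2 = 199106 is 92.
    one = keygen([541], 809)
    c1, c2 = dghv_encrypt(one, 1, 737, 6), dghv_encrypt(one, 0, 368, 9)
    same_form = (encrypt(one, [1], 4, q=702, rs=[6]), encrypt(one, [0], 4, q=92, rs=[9]))
    single = (c1, c2, decrypt(one, add(one, c1, c2)), decrypt(one, mul(one, c1, c2)), same_form)
    # Batched: three Mersenne primes as slots (toy sizes), q0 a much larger prime so q >> p.
    key = keygen([2**17 - 1, 2**19 - 1, 2**31 - 1], 2**61 - 1)
    rng = random.Random(1)
    ca, cb = encrypt(key, [1, 0, 1], 4, rng), encrypt(key, [1, 1, 0], 4, rng)
    return single, decrypt(key, add(key, ca, cb)), decrypt(key, mul(key, ca, cb))
```

`demo()` returns the slide-18 values first (both encryption forms agree because $q'$ is just $c \bmod q_0$), then the XOR and AND of the two three-bit vectors; only one level of multiplication is attempted, since with $\rho = 4$ the squared slot noise is already close to $2^{10}$.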

15. security of the batch scheme (22 / 68)
(Error-Free) Decisional Approximate-GCD: given $x_0 = q_0 \cdot p$ and polynomially many $x_i \in D = \{\, q \cdot p + r : q \leftarrow [0, q_0),\ r \leftarrow [0, 2^\rho) \,\}$, decide whether $z$ is uniformly generated in $[0, x_0)$ or in $D$.
Sketch: (Error-Free) $n$-Decisional Approximate-GCD: given $x_0 = q_0 \cdot p_1 \cdots p_n$ and polynomially many $x_i \in D_n = \{\, \mathrm{CRT}_{q_0, p_1, \dots, p_n}(q, r_1, \dots, r_n) : q \leftarrow [0, q_0),\ r_i \leftarrow [0, 2^\rho) \,\}$, decide whether $z$ is uniformly generated in $[0, x_0)$ or in $D_n$.
◮ For $n = 1$, the above problem is the (Error-Free) Decisional Approximate-GCD
◮ Let $\mathcal{A}$ be an adversary having advantage $\epsilon$ against the $n$-slot problem
◮ Denote $D_i$ the distribution of elements of the form $\mathrm{CRT}_{q_0, p_1, \dots, p_n}(q, \ast, \dots, \ast, r_i, \dots, r_n)$, where the $\ast$ slots are uniformly random (so $D_1$ is the real distribution and $D_{n+1}$ is uniform on $[0, x_0)$)
◮ By a hybrid argument, $\exists\, j_0$ s.t. $\mathcal{A}$ has advantage $\geq \epsilon / n$ to distinguish $D_{j_0 - 1}$ and $D_{j_0}$
◮ With probability $1/n$ you place $p$ at position $j_0$ (generate the $n - 1$ other $p_i$'s yourself) and use the challenge $z$ for this slot
Security is based on the same problem as before!

23. advantages of the batch variant (23 / 68)
◮ Parallelization: $(u_1, \dots, u_\ell) + (v_1, \dots, v_\ell)$ and $(u_1, \dots, u_\ell) \times (v_1, \dots, v_\ell)$ give $(w_1, \dots, w_\ell)$ slot by slot
◮ Use the fact that $q \gg p$ to pack elements
◮ (Also asymptotic reduction of overhead per gate with permutations) [CCKLLTY13]
With essentially the same complexity costs and the same security, operations over $\ell \geq 1$ bits!

24. outline (24 / 68)
◮ Introduction & timeline
◮ Syntax of MMAPs
◮ Interlude: HE over Z
◮ The CLT13 Candidate
◮ “Zeroizing”, again and again
◮ Conclusion & open problems

25. from HE to MMAPs (25 / 68)
◮ Large plaintext space
◮ Add the “tags”
  ◮ We will get them via some multiplicative masks
◮ Add a zero-testing procedure
◮ The secret key will be the $p_i$'s and the secret mask: we will mix them together

26. extend to larger plaintext ring (26 / 68)
◮ Ciphertext of $\vec m = (m_1, \dots, m_n) \in \{0, 1\}^n$: $c = \mathrm{CRT}_{q_0, p_1, \dots, p_n}(q', 2r_1 + m_1, \dots, 2r_n + m_n)$
◮ What is the problem? (hint: multiplication)
◮ Ciphertext of $\vec m = (m_1, \dots, m_n) \in \mathbb{Z}_{g_1} \times \cdots \times \mathbb{Z}_{g_n}$: $c = \mathrm{CRT}_{q_0, p_1, \dots, p_n}(q', g_1 \cdot r_1 + m_1, \dots, g_n \cdot r_n + m_n)$

28. tags = levels using a random mask (27 / 68)
◮ Let $z \leftarrow [0, x_0)$ be a random (invertible) multiplicative mask
◮ Encoding of $\vec m \in \mathbb{Z}_{g_1} \times \cdots \times \mathbb{Z}_{g_n}$ at level $j$:
$$[\vec m]_j = c / z^j \bmod x_0 = \frac{\mathrm{CRT}_{q_0, p_1, \dots, p_n}(q', r_1 \cdot g_1 + m_1, \dots, r_n \cdot g_n + m_n)}{z^j} \bmod x_0$$
◮ Operations over $\mathbb{Z}_{x_0}$:
  Addition: $[\vec m]_j + [\vec m']_j \simeq [\vec m + \vec m']_j$
  Multiplication: $[\vec m]_{j_1} \times [\vec m']_{j_2} \simeq [\vec m \cdot \vec m']_{j_1 + j_2}$

31. main ingredient: zero testing (28 / 68)
◮ How to test whether two degree-$\kappa$ encodings are equal? $[\vec m]_\kappa \simeq [\vec \ell]_\kappa$ (i.e. $\vec m = \vec \ell$) $\iff [\vec m - \vec \ell]_\kappa \simeq [\vec 0]_\kappa$
◮ What is an encoding of $\vec 0$ at the top level?
$$[\vec 0]_\kappa = \frac{\mathrm{CRT}_{q_0, p_1, \dots, p_n}(q', r_1 \cdot g_1, \dots, r_n \cdot g_n)}{z^\kappa} \bmod x_0$$
◮ Idea of [GGH13]: multiply by an element which cancels $z^\kappa$ and, when the $r_i$'s are small ($r_i g_i \ll p_i$), yields something small compared to $x_0$.

34. main ingredient: zero testing (ctnd.) (29 / 68)
◮ Let's rewrite $[\vec 0]_\kappa$:
$$[\vec 0]_\kappa = \sum_i g_i r_i \cdot \big( (p_i^\ast)^{-1} / z^\kappa \bmod p_i \big) \cdot p_i^\ast + \Big( \prod_j p_j \Big) \cdot q'' \bmod x_0, \qquad \text{where } p_i^\ast = \prod_{j \neq i} p_j$$
◮ The random value $q''$ makes it difficult to obtain something small... except if we are working modulo $\prod_j p_j$
◮ In the following, $x_0 = \prod_j p_j$, and
$$[\vec m]_j = \frac{\mathrm{CRT}_{p_1, \dots, p_n}(r_1 \cdot g_1 + m_1, \dots, r_n \cdot g_n + m_n)}{z^j} \bmod x_0$$

37. main ingredient: zero testing (ctnd.) (30 / 68)
◮ Now
$$[\vec 0]_\kappa = \sum_i g_i r_i \cdot \big( (p_i^\ast)^{-1} / z^\kappa \bmod p_i \big) \cdot p_i^\ast \bmod x_0, \qquad \text{where } p_i^\ast = \prod_{j \neq i} p_j$$
◮ Multiply by the public element (where $h_i \ll p_i$)
$$p_{zt} = \sum_i h_i \cdot \big( g_i^{-1} z^\kappa \bmod p_i \big) \cdot p_i^\ast \bmod x_0$$
◮ We have (and we prove the equivalence whp when many $p_{zt}$'s are given):
$$\vec m = \vec 0 \;\Rightarrow\; \big| [\vec m]_\kappa \cdot p_{zt} \bmod x_0 \big| = \Big| \sum_i r_i \cdot (h_i p_i^\ast) \Big| \ll x_0$$
(modulo each $p_i$ the factors $z^{-\kappa}$ and $z^\kappa$, $g_i$ and $g_i^{-1}$, $(p_i^\ast)^{-1}$ and $p_i^\ast$ all cancel, leaving $h_i r_i$ in slot $i$, and $h_i r_i p_i^\ast \ll x_0$ because $h_i r_i \ll p_i$)

40. Partial Conclusion (31 / 68)
◮ Second candidate multilinear map
◮ Hardness assumptions:
  ◮ GDDH
  ◮ but also DLIN, SubM, etc.
◮ Composite-order multilinear maps
◮ Used in multiple schemes and obfuscation candidates

41. outline (32 / 68)
◮ Introduction & timeline
◮ Syntax of MMAPs
◮ Interlude: HE over Z
◮ The CLT13 Candidate
◮ “Zeroizing”, again and again
◮ Conclusion & open problems

42. CLT13 properties (33 / 68)
◮ An encoding is related to a numerator $u \sim (e_1, \dots, e_n)$ with $e_i = g_i \cdot r_i + m_i$
◮ Finding the $e_i$'s means breaking the scheme
◮ An encoding of $0$ is $u \sim (g_1 r_1, \dots, g_n r_n)$
◮ Adding / multiplying encodings operates on the numerators over $\mathbb{Z}$ (not modulo $x_0$): $u_1 + u_2 \sim (e^1_i + e^2_i)_i$, $u_1 \cdot u_2 \sim (e^1_i \cdot e^2_i)_i$
◮ Zero-testing a top-level encoding $u \sim (g_1 r_1, \dots, g_n r_n)$ we get $\mathrm{ztst}(u) = \sum_i r_i \cdot (h_i p_i^\ast)$ over $\mathbb{Z}$ (the reduction modulo $x_0$ does nothing)

43. public procedures (34 / 68)
◮ Sample: subset-sum of publicly available random level-$0$ encodings: $\sum_{i \in S} [u_i]_0 = [u]_0$
◮ Encode at level $1$: multiply by a level-$1$ encoding of $\vec 1$: $[u]_0 \cdot [\vec 1]_1 = [u]_1$
◮ reRandomization: add a subset-sum of level-$1$ encodings of $0$ to drown the noise obtained by sampling/encoding: $[u]_1 + \sum_{i \in S} [0_i]_1$

46. public extraction (35 / 68)
◮ Extraction: extract the $\lambda$ most significant bits of
$$\mathrm{ext}([\vec m]_\kappa) = \mathrm{MSB}_\lambda\big( p_{zt} \cdot [\vec m]_\kappa \bmod x_0 \big) = \mathrm{MSB}_\lambda\Big( \sum_{i=1}^n \big( r_i + m_i \cdot g_i^{-1} \bmod p_i \big) \cdot (h_i p_i^\ast) \Big) = \mathrm{MSB}_\lambda\Big( \sum_{i=1}^n \big( m_i \cdot g_i^{-1} \bmod p_i \big) \cdot (h_i p_i^\ast) \Big)$$
(the last equality holds whp: the noise terms $r_i (h_i p_i^\ast)$ are too small to reach the top $\lambda$ bits)
◮ For $\vec m_1 = \vec m_2$ we will have $\mathrm{ext}([\vec m_1]_\kappa) = \mathrm{ext}([\vec m_2]_\kappa)$

47. Diffie-Hellman Key Exchange (36 / 68)
◮ Setup: for $N$ participants, initialization of an $(N - 1)$-multilinear map
◮ Publish: using the public params, sample a level-$0$ encoding $c_i$ and publish $c'_i = \mathrm{reRand}(\mathrm{enc}(c_i, 1))$
◮ KeyGen: compute $\tilde c_i = c_i \cdot \prod_{j \neq i} c'_j$ and get the shared key $s = \mathrm{ext}(\tilde c_i)$
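The material of slides 27 to 36 (level encodings with the mask $z$, the zero-test parameter $p_{zt}$, the public sample/encode/reRand procedures, extraction, and the one-round key exchange) as one added, runnable toy, written for this page and not taken from the talk or from the CLT13 authors' code. Everything about the parameters is my assumption: $x_0 = p_1 p_2 p_3$ with three Mersenne primes as the $p_i$, plaintext slots $\mathbb{Z}_3 \times \mathbb{Z}_5 \times \mathbb{Z}_7$, 8-bit noise, and $h_i$ kept coprime to $g_i$ (with such tiny $g_i$ an $h_i$ divisible by $g_i$ would let a non-zero slot pass the zero test, something real-size parameters avoid by probability). These values are for readability only; they are not secure, and CLT13 is in any case broken by the zeroizing attack that follows.

```python
import random
from math import prod


def crt(moduli, residues):
    """CRT_{p_1..p_n}(e_1..e_n): the x in [0, prod p_i) with x = e_i mod p_i."""
    x0 = prod(moduli)
    return sum(e * (x0 // p) * pow(x0 // p, -1, p) for p, e in zip(moduli, residues)) % x0


def centered(v, x0):
    """Representative of v mod x0 in (-x0/2, x0/2], so 'small' means small in absolute value."""
    v %= x0
    return v - x0 if v > x0 // 2 else v


class CLT13:
    """Toy CLT13 with x0 = p_1 * ... * p_n (the variant of slide 29)."""

    def __init__(self, kappa, primes, gs, rho=8, lam=64, seed=2015):
        self.rng = random.Random(seed)
        self.kappa, self.p, self.g, self.rho, self.lam = kappa, primes, gs, rho, lam
        self.n, self.x0 = len(primes), prod(primes)
        # secret multiplicative mask z (slide 27); x0 is square-free so gcd(z, x0) = 1 suffices
        self.z = self.rng.randrange(1, self.x0)
        while any(self.z % p == 0 for p in primes):
            self.z = self.rng.randrange(1, self.x0)
        # p_zt = sum_i h_i (g_i^{-1} z^kappa mod p_i) p_i^* mod x0 with h_i << p_i (slide 30).
        # Assumption for toy sizes: gcd(h_i, g_i) = 1, see the lead-in.
        hs = [self._coprime_noise(g) for g in gs]
        self.p_zt = sum(h * (pow(g, -1, p) * pow(self.z, kappa, p) % p) * (self.x0 // p)
                        for h, g, p in zip(hs, gs, primes)) % self.x0
        # public parameters used by the slide-34 procedures
        self.pub0 = [self.encode(self.random_plaintext(), 0) for _ in range(8)]
        self.one1 = self.encode([1] * self.n, 1)
        self.zeros1 = [self.encode([0] * self.n, 1) for _ in range(8)]

    def _coprime_noise(self, g):
        h = self.rng.randrange(1, 1 << self.rho)
        while h % g == 0:
            h = self.rng.randrange(1, 1 << self.rho)
        return h

    def random_plaintext(self):
        return [self.rng.randrange(g) for g in self.g]

    def encode(self, m, level):
        """[m]_j = CRT_{p_1..p_n}(g_1 r_1 + m_1, ..., g_n r_n + m_n) / z^j mod x0 (slide 29)."""
        c = crt(self.p, [g * self.rng.randrange(1 << self.rho) + mi for g, mi in zip(self.g, m)])
        return c * pow(self.z, -level, self.x0) % self.x0

    # -- public procedures (slide 34) --
    def sample(self):
        """Level-0 sample: subset-sum of the public level-0 encodings."""
        k = self.rng.randrange(1, len(self.pub0) + 1)
        return sum(self.rng.sample(self.pub0, k)) % self.x0

    def enc1(self, u0):
        """Move to level 1 by multiplying with a level-1 encoding of (1, ..., 1)."""
        return u0 * self.one1 % self.x0

    def rerand(self, u1):
        """Drown the noise: add a subset-sum of level-1 encodings of 0."""
        k = self.rng.randrange(1, len(self.zeros1) + 1)
        return (u1 + sum(self.rng.sample(self.zeros1, k))) % self.x0

    # -- zero test and extraction (slides 30 and 35) --
    def is_zero(self, u):
        """Top-level u encodes 0  <=>  p_zt * u mod x0 = sum_i r_i h_i p_i^* is << x0."""
        w = abs(centered(self.p_zt * u, self.x0))
        return w.bit_length() < self.x0.bit_length() - self.lam

    def ext(self, u):
        """lambda most significant bits of p_zt * u mod x0: equal for equal plaintexts."""
        return (self.p_zt * u % self.x0) >> (self.x0.bit_length() - self.lam)


def key_exchange(mm, n_parties):
    """One-round N-party Diffie-Hellman over an (N-1)-linear map (slide 36).
    Returns the key each party derives; all of them agree."""
    assert mm.kappa == n_parties - 1
    secrets = [mm.sample() for _ in range(n_parties)]            # c_i at level 0
    published = [mm.rerand(mm.enc1(c)) for c in secrets]         # c'_i at level 1
    keys = []
    for i, c in enumerate(secrets):
        t = c
        for j, cp in enumerate(published):
            if j != i:
                t = t * cp % mm.x0                               # one level per factor
        keys.append(mm.ext(t))                                   # level N-1 = kappa
    return keys


def demo():
    # Toy parameters (assumption): three Mersenne primes as p_i, plaintext Z_3 x Z_5 x Z_7.
    mm = CLT13(kappa=2, primes=[2**521 - 1, 2**607 - 1, 2**1279 - 1], gs=[3, 5, 7])
    a, b = mm.random_plaintext(), mm.random_plaintext()
    ab = [(x * y) % g for x, y, g in zip(a, b, mm.g)]
    # slide 27: [a]_1 * [b]_1 encodes a*b at level 2, so the difference zero-tests
    product_ok = mm.is_zero((mm.encode(a, 1) * mm.encode(b, 1) - mm.encode(ab, 2)) % mm.x0)
    return product_ok, mm.is_zero(mm.encode([1, 0, 0], 2)), key_exchange(mm, 3)
```

`demo()` checks the three facts the slides rely on: the product of two level-1 encodings differs from a fresh level-2 encoding of the product plaintext by an encoding of zero (so it passes the zero test), an encoding of a non-zero vector fails it, and three parties running the slide-36 exchange over a 2-linear map extract the same 64-bit key. The zero test uses the centered representative so that a negative $\sum_i r_i h_i p_i^\ast$ (which arises from subtraction) is still recognised as small; extraction uses the plain value in $[0, x_0)$ because honest products keep every numerator non-negative.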

50. main security assumption (37 / 68)
GDDH: given $(\kappa + 1)$ elements $[\vec m_i]_1$ and $[\vec m']_\kappa$, determine whether $\vec m' \simeq \prod_{i=1}^{\kappa+1} \vec m_i$.
◮ At the heart of the multipartite key exchange protocol
◮ Assumed to be hard (but no reduction to Approx.-GCD)
◮ Asymptotic parameters determined from several attacks:
  ◮ orthogonal lattice attack on encodings
  ◮ GCD attack on zero-testing
  ◮ hidden subset sum attack on zero-testing
  ◮ attacks on the inverse zero-testing matrix
  ◮ brute-force on the noises, ...

54. zeroizing attack [CheonHanLeeRyuStehlé'15] (38 / 68)

55. exploiting the linearity of the zero-testing (39 / 68)
◮ $[\vec 0]_\kappa \cdot p_{zt} = \sum_i r_i \cdot (h_i \cdot p_i^\ast) \in \mathbb{Z}$
◮ $[\vec b]_1 \cdot [\vec 0]_{\kappa-2} \cdot [\vec c]_1 \cdot p_{zt} = \sum_i \hat b_i \cdot r_i \cdot \hat c_i \cdot (h_i \cdot p_i^\ast) \in \mathbb{Z}$, where $\hat b_i$ and $\hat c_i$ are the numerators of $[\vec b]_1$ and $[\vec c]_1$, and $g_i r_i$ those of $[\vec 0]_{\kappa-2}$ (the product is a top-level encoding of zero, so the sum is exact over $\mathbb{Z}$)
◮ The value is a bilinear form in the numerators of the two level-$1$ encodings: $(\hat c_1, \dots, \hat c_n) \cdot \mathrm{diag}(r_1, \dots, r_n) \cdot \big( \hat b_1 (h_1 p_1^\ast), \dots, \hat b_n (h_n p_n^\ast) \big)^T$

60. inversion over $\mathbb{Q}$ (40 / 68)
◮ Let's do it with many $[\vec c_k]_1$ and two targets $[\vec b]_1$, $[\vec b']_1$, together with encodings $[\vec 0_j]_{\kappa-2}$ of zero ($n$ of the $[\vec c_k]_1$ and $n$ of the $[\vec 0_j]_{\kappa-2}$, so that the matrices below are square)
◮ $W_{j,k} = [\vec b]_1 \cdot [\vec 0_j]_{\kappa-2} \cdot [\vec c_k]_1 \cdot p_{zt} = \sum_i r_{j,i} \cdot \hat b_i (h_i p_i^\ast) \cdot \hat c_{k,i}$, i.e. $W = R \cdot \mathrm{diag}\big( \hat b_i (h_i p_i^\ast) \big) \cdot \hat C^T$ with $R = (r_{j,i})$ and $\hat C = (\hat c_{k,i})$; likewise $W' = R \cdot \mathrm{diag}\big( \hat b'_i (h_i p_i^\ast) \big) \cdot \hat C^T$ for the second target
◮ Over $\mathbb{Q}$: $W^{-1} \cdot W' = \hat C^{-T} \cdot \mathrm{diag}\big( \hat b_i (h_i p_i^\ast) \big)^{-1} \cdot \mathrm{diag}\big( \hat b'_i (h_i p_i^\ast) \big) \cdot \hat C^T$, so the $r_{j,i}$ and the $(h_i p_i^\ast)$ cancel out
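The two slides above, carried out in code at the numerator level of slide 33 (products of encodings multiply numerators slot-wise over $\mathbb{Z}$, and zero-testing a top-level zero returns $\sum_i r_i (h_i p_i^\ast)$ exactly). This is an added example written for this page, not code from the talk or from the CHLRS authors; the parameters are constructed toy values and the helper names are mine. It builds $W$ and $W'$, inverts $W$ over $\mathbb{Q}$ and forms $W^{-1} W'$. The deck reproduced here stops at that inversion; the block goes one step further, which I state as the standard conclusion of the attack rather than as something on the page: since $W^{-1} W' = \hat C^{-T} \mathrm{diag}(\hat b'_i / \hat b_i) \hat C^T$, the slot ratios $\hat b'_i / \hat b_i$ are its eigenvalues, and the block verifies this exactly through the power sums of the eigenvalues.

```python
from fractions import Fraction
import random

# Constructed toy parameters (assumption, not the talk's): n slots, tiny p_i / g_i / h_i.
rng = random.Random(7)
p = [101, 103, 107, 109]          # the p_i
g = [3, 5, 7, 11]                 # the g_i
n = len(p)
x0 = 1
for pi in p:
    x0 *= pi
pstar = [x0 // pi for pi in p]    # p_i^* = prod_{j != i} p_j
h = [rng.randrange(1, 1 << 8) for _ in range(n)]


def mul(u, v):
    """Multiplying encodings multiplies the numerators slot-wise over Z (slide 33)."""
    return [a * b for a, b in zip(u, v)]


def ztst(u):
    """Zero test of a top-level zero u ~ (g_i r_i): returns sum_i r_i (h_i p_i^*) over Z."""
    assert all(e % gi == 0 for e, gi in zip(u, g)), "not an encoding of zero"
    return sum((e // gi) * hi * ps for e, gi, hi, ps in zip(u, g, h, pstar))


def rand_enc():
    """Numerators g_i r_i + m_i of a random encoding with every slot non-zero."""
    return [gi * rng.randrange(1, 1 << 20) + rng.randrange(1, gi) for gi in g]


def rand_zero():
    """Numerators g_i r_i of a random encoding of zero."""
    return [gi * rng.randrange(1, 1 << 20) for gi in g]


def W(b, zeros, cs):
    """Slide 39 stacked: W[j][k] = ztst([b] [0_j] [c_k]) = sum_i r_{j,i} bhat_i (h_i p_i^*) chat_{k,i},
    i.e. W = R . diag(bhat_i h_i p_i^*) . Chat^T with R = (r_{j,i}) and Chat = (chat_{k,i})."""
    return [[ztst(mul(mul(b, z), c)) for c in cs] for z in zeros]


def inverse(M):
    """Exact inverse over Q (Gauss-Jordan on Fractions); raises if M is singular."""
    k = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(k)]
         for i, row in enumerate(M)]
    for col in range(k):
        piv = next(r for r in range(col, k) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        A[col] = [x / A[col][col] for x in A[col]]
        for r in range(k):
            if r != col and A[r][col] != 0:
                A[r] = [x - A[r][col] * y for x, y in zip(A[r], A[col])]
    return [row[k:] for row in A]


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def power_sums(M, k):
    """tr(M), tr(M^2), ..., tr(M^k): the power sums of M's eigenvalues."""
    out, P = [], M
    for _ in range(k):
        out.append(sum(P[i][i] for i in range(len(M))))
        P = matmul(P, M)
    return out


def attack():
    """Slide 40: invert W_b over Q and multiply by W_b'.  The r_{j,i} and h_i p_i^* factors cancel:
    W_b^{-1} W_b' = Chat^{-T} diag(bhat'_i / bhat_i) Chat^T, so the slot ratios bhat'_i / bhat_i
    are its eigenvalues (the step that follows the slides reproduced above)."""
    b, b2 = rand_enc(), rand_enc()
    zeros = [rand_zero() for _ in range(n)]
    cs = [rand_enc() for _ in range(n)]
    M = matmul(inverse(W(b, zeros, cs)), W(b2, zeros, cs))
    ratios = [Fraction(y, x) for x, y in zip(b, b2)]
    return power_sums(M, n), [sum(r ** k for r in ratios) for k in range(1, n + 1)]
```

`attack()` returns the traces of $M, M^2, \dots, M^n$ for $M = W^{-1} W'$ next to $\sum_i (\hat b'_i / \hat b_i)^k$; the two lists agree exactly, which pins down the multiset of eigenvalues and hence the per-slot ratios, with neither the $r_{j,i}$ nor the $h_i p_i^\ast$ left in the result. Working over $\mathbb{Q}$ with exact fractions is what makes the cancellation visible; the toy $p_i$ are only used to build $p_i^\ast$, since at the numerator level no reduction modulo $x_0$ takes place.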
