The CLT Multilinear Map: From DGHV to Zeroizing. Tancrède Lepoint. PowerPoint PPT Presentation

The CLT Multilinear Map: From DGHV to Zeroizing. Tancrède Lepoint. Paris, October 14-15, 2015, School on FHE and MMAPs. Outline: Introduction & timeline; Syntax of MMAPs; Interlude: HE over Z; The CLT13 Candidate


slide-1
SLIDE 1

The CLT Multilinear Map

From DGHV to Zeroizing

Tancrède Lepoint

Paris - October 14-15, 2015 — School on FHE and MMAPs

slide-2
SLIDE 2
Outline

◮ Introduction & timeline ◮ Syntax of MMAPs ◮ Interlude: HE over Z ◮ The CLT13 Candidate ◮ “Zeroizing”, again and again ◮ Conclusion & open problems

2 / 68

slide-4
SLIDE 4

compute on hidden data in a non-interactive way

(figure: $m \;\to\; [m] \;\xrightarrow{\;f\;}\; [f(m)]$)

data is hidden by encoding it (for multilinear maps, a test will be possible on $[f(m)]$)

3 / 68

slide-5
SLIDE 5

example: discrete logarithm

◮ $m$ is encoded as $[m] = g^m$ (in some group $G$)
◮ Recovering $m$ from $[m]$ is hard (discrete log)
◮ Computing linear functions is easy: $\prod_i [m_i]^{u_i} = [\sum_i u_i m_i]$
◮ Can check whether $m = 0$
◮ Computing other functions seems hard
  ◮ $[m_1], [m_2] \to [m_1 \cdot m_2]$ (Diffie-Hellman)
  ◮ Even testing an alleged solution is hard: $[m_1 \cdot m_2] \approx_c u$ (Decisional DH)

4 / 68

slide-7
SLIDE 7

“DDH assumption is a gold mine” [Boneh98]

DLog cryptography has many applications

(e.g. CCA-secure PKE, commitments, zero-knowledge proofs, etc.)

(figure: Diffie-Hellman key exchange) Alice picks $a \leftarrow \$$ and sends $[a] = g^a$; Bob picks $b \leftarrow \$$ and sends $[b] = g^b$; from $[a], [b]$ both compute $K = [b]^a = [a]^b = g^{ab}$

5 / 68

slide-8
SLIDE 8

beyond DDH: bilinear maps

◮ m

is encoded as

[m]1 = gm (in group G1)

◮ map

e([m1]1, [m2]1) = [m1 · m2]2 (in group G2)

◮ in bilinear-map group, computing quadratic functions in the

exponent is easy

◮ but computing/checking cubics seems hard

◮ Many new applications

◮ 3-partite DH Key Exchange ◮ Efficient NIZK proofs ◮ ABE/functional encryption for simple func. ◮ Broadcast Encryption, Traitor Tracing, . . . 6 / 68

slide-9
SLIDE 9

can we go beyond 2-linear maps?

7 / 68

slide-14
SLIDE 14

can we go beyond 2-linear maps?

(figure: many encodings $[c_0], \dots, [c_{25}]$ combined with exponents $a_0, a_1, \dots$ by a multilinear map)

It would be useful... [BS03] . . . but seems hard to get from the realm of algebraic geometry

7 / 68

slide-15
SLIDE 15

MMAPs are similar to Somewhat HE

MMAPs:
◮ Encoding $m$ into $[m] = g^m$
◮ Computing low-degree polynomials of the $[m]$’s is easy
◮ Can test for zero but cannot recover $m$

SWHE:
◮ Encrypting $m$ into $c_m = E(m)$
◮ Computing low-degree polynomials of the $c_m$’s is easy
◮ Cannot test anything (except with the secret key)

8 / 68

slide-16
SLIDE 16

main ingredient: testing for zero

◮ To be useful, MMAPs should have the ability to test whether two degree-$\kappa$ expressions are equal
◮ Same as testing whether a degree-$\kappa$ expression is 0
◮ Current solutions: take a SWHE scheme and publish a “handicapped” version of the SK
  ◮ called zero-test parameter
  ◮ can identify encodings of 0, but cannot decrypt (large plaintext space)

9 / 68

slide-17
SLIDE 17

timeline: the hype cycle of MMAPs

10 / 68

slide-24
SLIDE 24

timeline

◮ first candidate construction [GGH13]
◮ second candidate construction [CLT13]
◮ weak DL [GGH13]
◮ break of CLT [CHLRS15]
◮ tentative fixes for CLT [BWZ14, GGHZ14]
◮ break of previous fixes and extensions [CGHLMMRST15]
◮ break of (G)DDH in GGH [HJ15]
◮ New CLT [CLT15]
◮ Quadratic Zero-Test for GGH [GHL15]
◮ break of quadratic GGH [BGHLST15]
◮ break of CLT15 [MF15, CHL15]
(figure: these events plotted as visibility against time)

10 / 68

slide-25
SLIDE 25
Outline

◮ Introduction & timeline ◮ Syntax of MMAPs ◮ Interlude: HE over Z ◮ The CLT13 Candidate ◮ “Zeroizing”, again and again ◮ Conclusion & open problems

11 / 68

slide-26
SLIDE 26

syntax of MMAPs

◮ All constructions expose somewhat different interfaces.
◮ Syntax proposed by [Hal15] in three parts
  ◮ Initialization: generation of public/secret parameters; also defines the “plaintext space” and the “encoding space”
  ◮ Encoding: use the secret parameters to encode plaintexts
  ◮ Operations: use the public parameters to add, multiply and test for 0 (with restrictions)

12 / 68

slide-28
SLIDE 28

restricting operations with tags

◮ Each encoding has a tag
◮ Add elements with the same tag
◮ Multiply elements with compatible tags; the resulting tag follows a simple rule
◮ Zero-test only an encoding at a distinguished tag (top-level)

Examples:
◮ $T = \{1, 2, \dots, \kappa\}$, addition of tags during multiplication, test at level $\kappa$
◮ DAG [GGH15, Hal15]

13 / 68

slide-30
SLIDE 30

security of MMAPs

◮ DL security: hard to recover $m$ from $[m]_i$
◮ hard to distinguish zeros at levels $i \neq \kappa$ (except by lifting them up to level $\kappa$)
◮ generalized DDH: hard to identify relations for incompatible tags
◮ etc.

Attacks on MMAPs often do not apply to obfuscation because everything is glued there: only “allowed operations” can be performed meaningfully → see Amit’s talks

14 / 68

slide-31
SLIDE 31
Outline

◮ Introduction & timeline ◮ Syntax of MMAPs ◮ Interlude: HE over Z ◮ The CLT13 Candidate ◮ “Zeroizing”, again and again ◮ Conclusion & open problems

15 / 68

slide-34
SLIDE 34

simple SHE: DGHV scheme [vDGHV10]

◮ Public error-free element: $x_0 = q_0 \cdot p$
◮ Secret key $sk = p$
◮ Ciphertext for $m \in \{0, 1\}$: $c = q \cdot p + 2 \cdot r + m$, where $q$ is a large random and $r$ a small random
◮ Decryption of $c$: $m = (c \bmod p) \bmod 2$

16 / 68

slide-36
SLIDE 36

homomorphic properties

◮ How to Add and Multiply Encrypted Bits:
◮ Adding/multiplying two near-multiples of $p$ gives a near-multiple of $p$
◮ $c_1 = q_1 \cdot p + 2 \cdot r_1 + m_1$, $\quad c_2 = q_2 \cdot p + 2 \cdot r_2 + m_2$
◮ $c_1 + c_2 = p \cdot (q_1 + q_2) + 2 \cdot (r_1 + r_2) + m_1 + m_2$, and $(m_1 + m_2) \bmod 2 = m_1 \oplus m_2$
◮ $c_1 \cdot c_2 = p \cdot (c_2 q_1 + c_1 q_2 - p\, q_1 q_2) + 2 \cdot (2 r_1 r_2 + r_2 m_1 + r_1 m_2) + m_1 \cdot m_2$, and $(m_1 \cdot m_2) \bmod 2 = m_1 \wedge m_2$
◮ (figure: the noise $2r + m$ adds up under $+$ and multiplies under $\times$)

Correctness for multiplicative depth $L$ (the noise bit-size roughly doubles at each multiplication): $\log_2 p = \eta \approx 2^L \cdot (\rho + 1)$

17 / 68

slide-40
SLIDE 40

numerical example

◮ $p = 541$, $q_0 = 809 \Rightarrow x_0 = 437669$
◮ noise size: $\rho = 4$

Encryption:
◮ $c_1 = 737 \cdot 541 + 2 \cdot 6 + 1 = 398730$
◮ $c_2 = 368 \cdot 541 + 2 \cdot 9 + 0 = 199106$

Addition and Multiplication:
◮ $c_3 = c_1 + c_2 \bmod x_0 = (398730 + 199106) \bmod 437669 = 160167$
◮ $c_4 = c_1 \cdot c_2 \bmod x_0 = (398730 \cdot 199106) \bmod 437669 = 317801$

Decryption:
◮ $c_3 \bmod p = 160167 \bmod 541 = 31 = 2 \cdot 15 + 1 = 2 \cdot 15 + (1 \text{ XOR } 0)$
◮ $c_4 \bmod p = 317801 \bmod 541 = 234 = 2 \cdot 117 + 0 = 2 \cdot 117 + (1 \text{ AND } 0)$

18 / 68

slide-43
SLIDE 43

semantic security

Consider $D = \{q \cdot p + r : q \leftarrow [0, q_0),\ r \leftarrow [0, 2^\rho)\}$

Security of the scheme based on:

(Error-Free) Decisional Approximate-GCD: Given $x_0 = q_0 \cdot p$ and polynomially many $x_i \in D$, decide whether $z$ is uniformly generated in $[0, x_0)$ or in $D$

Semantic security of the scheme:
◮ Recall that $c = q \cdot p + 2r + m$
◮ Assume $\gcd(2, q_0) = 1$; then $c = 2 \cdot \big((q/2 \bmod q_0) \cdot p + r\big) + m \bmod (q_0 \cdot p)$, where $(q/2 \bmod q_0) \cdot p + r \in D$ is indistinguishable from uniform mod $x_0$ (and multiplying by 2, invertible mod $x_0$ as $q_0$ and $p$ are odd, then adding $m$ keeps it uniform)
◮ Therefore the ciphertext of $m$ is indistinguishable from uniform

19 / 68

slide-49
SLIDE 49

batching (1)

◮ In one ciphertext, encode $\ell$ plaintexts
◮ Addition and Multiplication: in parallel over the $\ell$ slots
◮ Permutations between the slots (algebraic structure)

(figure: slot-wise operations $(u_1, u_2, u_3, \dots, u_\ell) \;+/\times\; (v_1, v_2, v_3, \dots, v_\ell) = (w_1, w_2, w_3, \dots, w_\ell)$, and a permutation $\pi$ of the slots)

◮ Public element $x_0 = q_0 \cdot p$
◮ Ciphertext of $m \in \{0, 1\}$: $c = q \cdot p + 2r + m$
◮ $c \bmod p = 2r + m$; $\quad c \bmod q_0 = (q \cdot p + 2r + m) \bmod q_0$ with $q$ uniform in $[0, q_0)$
◮ We can write $c = \mathrm{CRT}_{q_0, p}(q', 2r + m)$

20 / 68

slide-52
SLIDE 52

batching (2): extend using the Chinese Remainder Theorem

$c = \mathrm{CRT}_{q_0, p}(q', 2r + m)$

◮ Generalization to several slots is easy!
◮ Ciphertext of $m = (m_1, \dots, m_n) \in \{0, 1\}^n$: $c = \mathrm{CRT}_{q_0, p_1, \dots, p_n}(q', 2r_1 + m_1, \dots, 2r_n + m_n)$
◮ Decryption: $m_i = (c \bmod p_i) \bmod 2$
◮ Thanks to the structure of the CRT:
  ◮ Addition: the addition is performed modulo each $p_i$ similarly to DGHV
  ◮ Multiplication: the multiplication is performed modulo each $p_i$ similarly to DGHV

21 / 68
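The DGHV scheme of slides 32-40 and its CRT batch variant of slides 44-52, as an added worked example (not code from the slides). It reproduces the slide's numbers ($p = 541$, $q_0 = 809$, $\rho = 4$) by pinning $q$ and $r$, and then runs the batch variant with constructed toy moduli (three Mersenne primes $2^{17}-1$, $2^{19}-1$, $2^{31}-1$ and $q_0 = 10^9 + 7$, all chosen here, not on the slides) so that two levels of multiplication stay within the noise budget the slide's rule $\eta \approx 2^L(\rho + 1)$ predicts.

```python
"""Toy DGHV over the integers with the slide's numbers (p = 541, q0 = 809,
rho = 4) and the CRT batch variant.  Toy parameters: real instances use a
p of thousands of bits and a far larger q0."""
import math
import random


def crt(residues, moduli):
    """Chinese remaindering: the x in [0, prod(moduli)) with x = a_i mod p_i."""
    x0 = math.prod(moduli)
    x = 0
    for a, p in zip(residues, moduli):
        p_star = x0 // p                       # product of the other moduli
        x += a * p_star * pow(p_star, -1, p)   # p_star^-1 mod p exists: coprime moduli
    return x % x0


def multiplicative_depth(p, rho):
    """Largest L with 2^L (rho + 1) <= log2 p: the slide's rule
    eta ~ 2^L (rho + 1) read as a conservative design check."""
    eta, depth = math.log2(p), 0
    while 2 ** (depth + 1) * (rho + 1) <= eta:
        depth += 1
    return depth


class DGHV:
    """Single-slot symmetric DGHV: sk = p, public error-free x0 = q0 * p."""

    def __init__(self, p, q0, rho, seed=0):
        self.p, self.q0, self.rho, self.x0 = p, q0, rho, q0 * p
        self.rng = random.Random(seed)

    def encrypt(self, m, q=None, r=None):
        """c = q*p + 2r + m; q and r may be pinned to reproduce the slide."""
        q = self.rng.randrange(self.q0) if q is None else q
        r = self.rng.randrange(2 ** self.rho) if r is None else r
        return (q * self.p + 2 * r + m) % self.x0

    def add(self, c1, c2):
        return (c1 + c2) % self.x0            # reduction mod x0 keeps sizes bounded

    def mul(self, c1, c2):
        return (c1 * c2) % self.x0

    def decrypt(self, c):
        return (c % self.p) % 2               # correct while the noise 2r + m < p


class BatchDGHV:
    """n slots: c = CRT_{q0, p_1..p_n}(q', 2 r_1 + m_1, ..., 2 r_n + m_n)."""

    def __init__(self, moduli, q0, rho, seed=0):
        self.p, self.q0, self.rho = list(moduli), q0, rho
        self.x0 = q0 * math.prod(moduli)
        self.rng = random.Random(seed)

    def encrypt(self, bits):
        residues = [self.rng.randrange(self.q0)]          # the q' slot
        residues += [2 * self.rng.randrange(2 ** self.rho) + m for m in bits]
        return crt(residues, [self.q0] + self.p)

    def add(self, c1, c2):
        return (c1 + c2) % self.x0

    def mul(self, c1, c2):
        return (c1 * c2) % self.x0

    def decrypt(self, c):
        return [(c % p) % 2 for p in self.p]  # slot i is read modulo p_i


def slide_example():
    """The worked numbers of the slide."""
    s = DGHV(p=541, q0=809, rho=4)
    c1 = s.encrypt(1, q=737, r=6)              # 398730
    c2 = s.encrypt(0, q=368, r=9)              # 199106
    c3, c4 = s.add(c1, c2), s.mul(c1, c2)
    return {"c1": c1, "c2": c2, "c3": c3, "c4": c4,
            "noise3": c3 % s.p, "noise4": c4 % s.p,
            "xor": s.decrypt(c3), "and": s.decrypt(c4)}


def batch_example():
    """Three slots over constructed toy moduli (Mersenne primes), rho = 3."""
    s = BatchDGHV([2 ** 17 - 1, 2 ** 19 - 1, 2 ** 31 - 1], q0=10 ** 9 + 7, rho=3)
    ca, cb, cc = s.encrypt([1, 0, 1]), s.encrypt([1, 1, 0]), s.encrypt([1, 1, 1])
    return {"xor": s.decrypt(s.add(ca, cb)),                 # [0, 1, 1]
            "and": s.decrypt(s.mul(ca, cb)),                 # [1, 0, 0]
            "and3": s.decrypt(s.mul(s.mul(ca, cb), cc))}     # [1, 0, 0]


if __name__ == "__main__":
    print(slide_example())
    print(batch_example(), multiplicative_depth(2 ** 17 - 1, 3))
```

With $\rho = 3$ a fresh slot residue is at most 15, so two multiplications leave at most $15^3 = 3375 \ll 2^{17}$ in the smallest slot; `multiplicative_depth(2**17 - 1, 3)` returns 2, while for the slide's $p = 541$, $\rho = 4$ the rule returns 0, which is why the slide's single multiplication only works because its particular noises are far below the worst case.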

slide-60
SLIDE 60

security of the batch scheme

(Error-Free) Decisional Approximate-GCD: Given $x_0 = q_0 \cdot p$ and polynomially many $x_i \in D = \{q \cdot p + r : q \leftarrow [0, q_0),\ r \leftarrow [0, 2^\rho)\}$, decide whether $z$ is uniformly generated in $[0, x_0)$ or in $D$

Sketch: (Error-Free) $\ell$-Decisional Approximate-GCD: Given $x_0 = q_0 \cdot p_1 \cdots p_n$ and polynomially many $x_i \in D_n = \{\mathrm{CRT}_{q_0, p_1, \dots, p_n}(q, r_1, \dots, r_n) : q \leftarrow [0, q_0),\ r_i \leftarrow [0, 2^\rho)\}$, decide whether $z$ is uniformly generated in $[0, x_0)$ or in $D_n$
◮ For $n = 1$, the above problem is the (Error-Free) Decisional Approximate-GCD
◮ Let $\mathcal{A}$ be an adversary having advantage $\epsilon$ to solve this latter problem
◮ Denote $D_i$ the distribution of elements of the form $\mathrm{CRT}_{q_0, p_1, \dots, p_n}(q, *, \dots, *, r_{i+1}, \dots, r_n)$, the first $i$ slots uniformly random and the remaining slots small noises as in $D_n$ (for $i = n$ the element is uniform in $[0, x_0)$)
◮ $\exists j_0$ s.t. $\mathcal{A}$ has advantage $\geq \epsilon/n$ to distinguish $D_{j_0 - 1}$ and $D_{j_0}$
◮ With probability $1/n$, you can place $p$ at position $j_0$ (generate the $n - 1$ other $p_i$’s yourself), and you use the challenge $z$ for this slot

Security based on same problem as before!

22 / 68

slide-61
SLIDE 61

advantages of the batch variant

◮ Parallelization: slot-wise $(u_1, \dots, u_\ell) \;+/\times\; (v_1, \dots, v_\ell) = (w_1, \dots, w_\ell)$
◮ Use the fact that $q \gg p$ to pack elements
◮ (Also asymptotic reduction of overhead per gate with permutations) [CCKLLTY13]

With essentially the same complexity costs and the same security, operations over $\ell \geq 1$ bits!

23 / 68

slide-62
SLIDE 62
Outline

◮ Introduction & timeline ◮ Syntax of MMAPs ◮ Interlude: HE over Z ◮ The CLT13 Candidate ◮ “Zeroizing”, again and again ◮ Conclusion & open problems

24 / 68

slide-63
SLIDE 63

from HE to MMAPs

◮ Large plaintext space
◮ Add the “tags”: we will get them via some multiplicative masks
◮ Add a zero-testing procedure: the secret key will be the $p_i$’s and the secret mask, and we will mix them together

25 / 68

slide-65
SLIDE 65

extend to larger plaintext ring

◮ Ciphertext of $m = (m_1, \dots, m_n) \in \{0, 1\}^n$: $c = \mathrm{CRT}_{q_0, p_1, \dots, p_n}(q', 2r_1 + m_1, \dots, 2r_n + m_n)$
◮ what is the problem? (hint: multiplication)
◮ Ciphertext of $m = (m_1, \dots, m_n) \in \mathbb{Z}_{g_1} \times \cdots \times \mathbb{Z}_{g_n}$: $c = \mathrm{CRT}_{q_0, p_1, \dots, p_n}(q', g_1 \cdot r_1 + m_1, \dots, g_n \cdot r_n + m_n)$

26 / 68

slide-68
SLIDE 68

tags=levels using a random mask

◮ Let $z \leftarrow [0, x_0)$ be a random (invertible) multiplicative mask
◮ Encoding of $m \in \mathbb{Z}_{g_1} \times \cdots \times \mathbb{Z}_{g_n}$ at level $j$: $[m]_j = c / z^j \bmod x_0 = \dfrac{\mathrm{CRT}_{q_0, p_1, \dots, p_n}(q', r_1 \cdot g_1 + m_1, \dots, r_n \cdot g_n + m_n)}{z^j} \bmod x_0$
◮ Operations over $\mathbb{Z}_{x_0}$:
  ◮ Addition: $[m]_j + [m']_j \simeq [m + m']_j$
  ◮ Multiplication: $[m]_{j_1} \times [m']_{j_2} \simeq [m \cdot m']_{j_1 + j_2}$

27 / 68

slide-71
SLIDE 71

main ingredient: zero testing

◮ How to test whether two degree-$\kappa$ encodings are equal? $[m]_\kappa \simeq [\ell]_\kappa$ (i.e. $m = \ell$) $\iff$ $[m - \ell]_\kappa \simeq [0]_\kappa$
◮ What is an encoding of $m = 0$ at the top level? $[0]_\kappa = \dfrac{\mathrm{CRT}_{q_0, p_1, \dots, p_n}(q', r_1 \cdot g_1, \dots, r_n \cdot g_n)}{z^\kappa} \bmod x_0$
◮ Idea of [GGH13]: multiply by an element which will cancel $z^\kappa$ and, when the $r_i$’s are small ($r_i g_i \ll p_i$), yield something small compared to $x_0$.

28 / 68

slide-74
SLIDE 74

main ingredient: zero testing (ctnd.)

◮ let’s rewrite $[0]_\kappa$: $[0]_\kappa = \sum_i g_i r_i \cdot \big((p_i^*)^{-1} / z^\kappa \bmod p_i\big) \cdot p_i^* + \big(\prod_j p_j\big) \cdot q'' \bmod x_0$, where $p_i^* = \prod_{j \neq i} p_j$
◮ The random value $q''$ makes it difficult to obtain something small... except if we are working modulo $\prod_j p_j$
◮ In the following $x_0 = \prod_j p_j$, and $[m]_j = \dfrac{\mathrm{CRT}_{p_1, \dots, p_n}(r_1 \cdot g_1 + m_1, \dots, r_n \cdot g_n + m_n)}{z^j} \bmod x_0$

29 / 68

slide-77
SLIDE 77

main ingredient: zero testing (ctnd.)

◮ now $[0]_\kappa = \sum_i g_i r_i \cdot \big((p_i^*)^{-1} / z^\kappa \bmod p_i\big) \cdot p_i^* \bmod x_0$, where $p_i^* = \prod_{j \neq i} p_j$
◮ Multiply by the public element (where $h_i \ll p_i$): $p_{zt} = \sum_i h_i \cdot \big(g_i^{-1} z^\kappa \bmod p_i\big) \cdot p_i^* \bmod x_0$
◮ We have (we prove the equivalence whp when many $p_{zt}$’s are given): $m = 0 \Rightarrow \big|[m]_\kappa \cdot p_{zt} \bmod x_0\big| = \Big|\sum_i r_i \cdot (h_i p_i^*)\Big| \ll x_0$

30 / 68
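Why the zero-test identity holds, as an added derivation (not on the slide) that uses only the definitions above: reduce $[0]_\kappa \cdot p_{zt}$ modulo one prime $p_j$. Every term of $p_{zt}$ with $i \neq j$ contains $p_i^*$, a multiple of $p_j$, so only the $j$-th term survives and

$$[0]_\kappa \cdot p_{zt} \equiv \big(g_j r_j z^{-\kappa}\big)\big(h_j g_j^{-1} z^{\kappa} p_j^*\big) \equiv r_j h_j p_j^* \pmod{p_j}.$$

The integer $\sum_i r_i h_i p_i^*$ has the same residue $r_j h_j p_j^*$ modulo every $p_j$, hence by the CRT

$$[0]_\kappa \cdot p_{zt} \equiv \sum_i r_i h_i p_i^* \pmod{x_0},$$

and since $\big|\sum_i r_i h_i p_i^*\big| \le \sum_i |r_i h_i| \cdot x_0 / p_i \ll x_0 / 2$, the centered residue modulo $x_0$ is that integer itself. A slot with $m_j \neq 0$ instead contributes $\big(m_j g_j^{-1} \bmod p_j\big) h_j p_j^*$, which is of the order of $x_0$, so the residue is no longer small.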

slide-78
SLIDE 78

Partial Conclusion

◮ Second candidate multilinear map ◮ Hardness assumptions:

◮ GDDH ◮ but also DLIN, SubM, etc.

◮ Composite-order multilinear maps ◮ Used in multiple schemes and obfuscation candidates

31 / 68

slide-79
SLIDE 79
Outline

◮ Introduction & timeline ◮ Syntax of MMAPs ◮ Interlude: HE over Z ◮ The CLT13 Candidate ◮ “Zeroizing”, again and again ◮ Conclusion & open problems

32 / 68

slide-80
SLIDE 80

CLT13 properties

◮ Encoding is related to a numerator $u \sim (e_1, \dots, e_n)$
  ◮ $e_i = g_i \cdot r_i + m_i$
  ◮ Finding the $e_i$’s means breaking the scheme
  ◮ An encoding of 0 is $u \sim (g_1 r_1, \dots, g_n r_n)$
◮ Adding / multiplying encodings operates on the numerators over $\mathbb{Z}$ (not modulo $x_0$): $u_1 + u_2 \sim (e_{1i} + e_{2i})_i$, $\quad u_1 \cdot u_2 \sim (e_{1i} \cdot e_{2i})_i$
◮ Zero-testing top-level encodings $u \sim (g_1 r_1, \dots, g_n r_n)$ we get $\mathrm{ztst}(u) = \sum_i r_i \cdot (h_i p_i^*)$ over $\mathbb{Z}$ (no mod $q$)

33 / 68

slide-83
SLIDE 83

public procedures

◮ Sample: subset-sum of publicly available random level-0 encodings: $\sum_{i \in S} [u_i]_0 = [u]_0$
◮ Encode at level 1: multiply by a level-1 encoding of 1: $[u]_0 \cdot [1]_1 = [u]_1$
◮ reRandomization: add a subset-sum of level-1 encodings of 0 to drown the noise obtained by sampling/encoding: $[u]_1 + \sum_{i \in S} [0_i]_1$

34 / 68

slide-84
SLIDE 84

public extraction

◮ Extraction: extract the $\lambda$ most significant bits of $p_{zt} \cdot [m]_\kappa \bmod x_0$:
  $\mathrm{ext}([m]_\kappa) = \mathrm{MSB}_\lambda\big(p_{zt} \cdot [m]_\kappa \bmod x_0\big) = \mathrm{MSB}_\lambda\Big(\sum_{i=1}^n \big(r_i + m_i \cdot g_i^{-1} \bmod p_i\big) \cdot (h_i p_i^*)\Big) = \mathrm{MSB}_\lambda\Big(\sum_{i=1}^n \big(m_i \cdot g_i^{-1} \bmod p_i\big) \cdot (h_i p_i^*)\Big)$
◮ for $m_1 = m_2$, we will have $\mathrm{ext}([m_1]_\kappa) == \mathrm{ext}([m_2]_\kappa)$

35 / 68

slide-87
SLIDE 87

Diffie-Hellman Key Exchange

◮ Setup: For $N$ participants, initialization of an $(N - 1)$-multilinear map
◮ Publish: Use the public params, sample a level-0 encoding $c_i$, and publish $c'_i = \mathrm{reRand}(\mathrm{enc}(c_i, 1))$
◮ KeyGen: Compute $\tilde{c}_i = c_i \cdot \prod_{j \neq i} c'_j$, and get the shared key $s = \mathrm{ext}(\tilde{c}_i)$

36 / 68

slide-91
SLIDE 91

main security assumption

GDDH: Given $(\kappa + 1)$ elements $[m_i]_1$ and $[m']_\kappa$, determine whether $m' \simeq \prod_{i=1}^{\kappa+1} m_i$.

◮ At the heart of the multipartite key exchange protocol
◮ Assumed to be hard (but no reduction to Approx.-GCD)
◮ Asymptotic parameters determined from several attacks:
  ◮ orthogonal lattice attack on encodings
  ◮ GCD attack on zero-testing
  ◮ hidden subset sum attack on zero-testing
  ◮ attacks on the inverse zero-testing matrix
  ◮ brute-force on the noises, . . .

37 / 68

slide-92
SLIDE 92

zeroizing attack [CheonHanLeeRyuStehlé’15]

38 / 68

slide-97
SLIDE 97

exploiting the linearity of the zero-testing

$[0]_\kappa \cdot p_{zt} = \sum_i r_i \cdot (h_i \cdot p_i^*) \in \mathbb{Z}$

$[0]_{\kappa-2} \cdot [b]_1 \cdot [c]_1 \cdot p_{zt} = \sum_i r_i \cdot \hat{b}_i \cdot \hat{c}_i \cdot (h_i \cdot p_i^*) \in \mathbb{Z}$, where $\hat{b}_i$, $\hat{c}_i$ are the CRT components (numerators) of $[b]_1$, $[c]_1$

(figure: the same sum as a row vector times a diagonal matrix times a column vector)
$= (r_1, \dots, r_n) \cdot \mathrm{diag}\big(\hat{b}_i \cdot (h_i \cdot p_i^*)\big) \cdot (\hat{c}_1, \dots, \hat{c}_n)^T$

39 / 68

slide-101
SLIDE 101

inversion over $\mathbb{Q}$

◮ Let’s do it with many $[0]_{\kappa-2}$, $[c]_1$ and two targets $[b]_1$, $[b']_1$:
  $W_b = R \cdot \mathrm{diag}\big(\hat{b}_i \cdot (h_i \cdot p_i^*)\big) \cdot C$ and $W_{b'} = R \cdot \mathrm{diag}\big(\hat{b}'_i \cdot (h_i \cdot p_i^*)\big) \cdot C$, with the rows of $R = (r_{j,i})$ coming from the zeros and the columns of $C = (\hat{c}_{i,k})$ from the $[c_k]_1$’s
◮ $W_b \times W_{b'}^{-1} = R \cdot \mathrm{diag}\big(\hat{b}_i \cdot (h_i \cdot p_i^*)\big) \cdot C \cdot C^{-1} \cdot \mathrm{diag}\big(\hat{b}'_i \cdot (h_i \cdot p_i^*)\big)^{-1} \cdot R^{-1} = R \cdot \mathrm{diag}\big(\hat{b}_i / \hat{b}'_i\big) \cdot R^{-1}$

40 / 68

slide-105
SLIDE 105

finishing up the attack

◮ Compute the eigenvalues $\beta_i / \beta'_i = \hat{b}_i / \hat{b}'_i$ over $\mathbb{Q}$
◮ We have that $p_i \mid \big(\beta'_i \cdot [b]_1 - \beta_i \cdot [b']_1\big)$
◮ Compute $p_i = \gcd\big(\beta'_i \cdot [b]_1 - \beta_i \cdot [b']_1,\ x_0\big)$

Recovering the secret $p_i$’s is fatal: one can then recover all the parameters!

41 / 68
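The CLT13 encoding, zero-test and extraction of slides 66-84, the key exchange of slide 87, and the zeroizing attack of slides 93-105, as one added worked example in Python (not code from the slides or from the CLT authors). Everything here is a constructed toy: the secret primes are the Mersenne primes $2^{89}-1$ and $2^{107}-1$ (real parameters are thousands of bits), the plaintext moduli are $g = (17, 19)$, $\kappa = 3$, and the secret-key encoder stands in for the public sampling and rerandomization of slide 83 (the attacker's zeros, $[c_k]_1$ and targets are therefore produced by the same toy encoder, playing the role of public parameters). With $n = 2$ the eigenvalues of $W_b W_{b'}^{-1}$ come from the quadratic formula over $\mathbb{Q}$; the real attack factors the characteristic polynomial.

```python
"""Toy CLT13 over the integers: encoding, zero-test, extraction, the
multipartite key exchange, and the CHLRS15 zeroizing attack that recovers
the secret p_i.  Added example; not code from the slides or the CLT authors.
Constructed toy parameters: two Mersenne primes stand in for the secret
primes (real parameters use thousands of bits), n = 2 keeps the eigenvalue
step a quadratic, and encodings come from the secret-key encoder where the
real scheme uses public sampling and rerandomization."""
import math
import random
from fractions import Fraction

PRIMES = [2 ** 89 - 1, 2 ** 107 - 1]   # secret p_1, p_2 (Mersenne primes), x0 = p_1 p_2
G = [17, 19]                            # plaintext moduli: message space Z_17 x Z_19
KAPPA = 3                               # multilinearity level
RHO = 8                                 # bit-size of the noises r_i and of the h_i


def crt(residues, moduli):
    """x in [0, prod(moduli)) with x = residues[i] mod moduli[i]."""
    x0 = math.prod(moduli)
    return sum(a * (x0 // p) * pow(x0 // p, -1, p) for a, p in zip(residues, moduli)) % x0


class ToyCLT:
    def __init__(self, seed=7):
        self.rng = random.Random(seed)
        self.p, self.g, self.n = PRIMES, G, len(PRIMES)
        self.x0 = math.prod(PRIMES)
        self.z = self.rng.randrange(2, self.x0)           # multiplicative mask, invertible
        while math.gcd(self.z, self.x0) != 1:
            self.z = self.rng.randrange(2, self.x0)
        self.h = [self.rng.randrange(1, 2 ** RHO) for _ in range(self.n)]
        # zero-test parameter p_zt = sum_i h_i (z^kappa g_i^-1 mod p_i) p_i^*  mod x0
        self.pzt = sum(h * (pow(self.z, KAPPA, p) * pow(g, -1, p) % p) * (self.x0 // p)
                       for h, g, p in zip(self.h, self.g, self.p)) % self.x0

    def encode(self, m, level):
        """[m]_level = CRT_{p_1..p_n}(g_1 r_1 + m_1, ..., g_n r_n + m_n) / z^level mod x0."""
        e = [g * self.rng.randrange(1, 2 ** RHO) + mi % g for mi, g in zip(m, self.g)]
        return crt(e, self.p) * pow(self.z, -level, self.x0) % self.x0

    def centered(self, v):
        v %= self.x0
        return v - self.x0 if v > self.x0 // 2 else v

    def zero_test(self, c):
        """Top-level zero: c * p_zt mod x0 = sum_i r_i h_i p_i^*, tiny next to x0."""
        return abs(self.centered(c * self.pzt)) < self.x0 >> 32

    def extract(self, c, lam=16):
        """MSB_lam(p_zt * c mod x0): the noise term only touches the low bits."""
        return (c * self.pzt % self.x0) >> (self.x0.bit_length() - lam)


def key_exchange(clt, parties=KAPPA + 1):
    """Each party keeps a level-0 encoding c_i of its secret m_i and publishes a
    level-1 encoding c'_i of the same m_i (fresh noise stands in for reRand);
    its key is ext(c_i * prod_{j != i} c'_j), a level-kappa encoding of prod m_j."""
    secrets = [[clt.rng.randrange(g) for g in clt.g] for _ in range(parties)]
    c0 = [clt.encode(m, 0) for m in secrets]
    c1 = [clt.encode(m, 1) for m in secrets]
    keys = []
    for i in range(parties):
        shared = c0[i]
        for j in range(parties):
            if j != i:
                shared = shared * c1[j] % clt.x0
        keys.append(clt.extract(shared))
    return keys


def zeroizing_attack(clt):
    """CHLRS15 with n zeros at level kappa-2, n level-1 c_k and targets b, b'.
    W_b[j][k] = [0_j] [b] [c_k] p_zt = sum_i r_ji * bhat_i h_i p_i^* * chat_ki over Z,
    so W_b = R D_b C and W_b W_b'^-1 = R diag(bhat_i / bhat'_i) R^-1."""
    n = clt.n
    rand = lambda: [clt.rng.randrange(g) for g in clt.g]
    zeros = [clt.encode([0] * n, KAPPA - 2) for _ in range(n)]
    cs = [clt.encode(rand(), 1) for _ in range(n)]
    b, b2 = clt.encode(rand(), 1), clt.encode(rand(), 1)
    W = [[clt.centered(z * b * c * clt.pzt) for c in cs] for z in zeros]
    W2 = [[clt.centered(z * b2 * c * clt.pzt) for c in cs] for z in zeros]
    assert n == 2, "toy: 2x2 eigenvalues via the quadratic formula"
    det2 = Fraction(W2[0][0] * W2[1][1] - W2[0][1] * W2[1][0])
    inv2 = [[W2[1][1] / det2, -W2[0][1] / det2], [-W2[1][0] / det2, W2[0][0] / det2]]
    M = [[sum(W[i][k] * inv2[k][j] for k in range(2)) for j in range(2)] for i in range(2)]
    tr, det = M[0][0] + M[1][1], M[0][0] * M[1][1] - M[0][1] * M[1][0]
    disc = tr * tr - 4 * det        # (lambda_1 - lambda_2)^2: a rational square
    root = Fraction(math.isqrt(disc.numerator), math.isqrt(disc.denominator))
    recovered = set()
    for lam in ((tr + root) / 2, (tr - root) / 2):
        beta, beta2 = lam.numerator, lam.denominator      # beta_i / beta'_i in lowest terms
        p = math.gcd(beta2 * b - beta * b2, clt.x0)       # p_i divides this combination
        if 1 < p < clt.x0:
            recovered.add(p)
    return recovered


if __name__ == "__main__":
    clt = ToyCLT()
    print(clt.zero_test(clt.encode([0, 0], KAPPA)), clt.zero_test(clt.encode([1, 0], KAPPA)))
    print(key_exchange(clt))
    print(zeroizing_attack(clt) == set(PRIMES))
```

The attacker in `zeroizing_attack` touches only what the key exchange makes public: encodings of zero (the rerandomization set of slide 83), level-1 encodings, and $p_{zt}$; the secret $z$, $g_i$ and $p_i$ are never read. The entries of $W_b$ are exact integers because each is below $x_0/2$, which is precisely the property the zero-test needs and the attack exploits.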

slide-106
SLIDE 106

consequence: broken key-exchange

◮ The Diffie-Hellman key exchange uses many $[0]$’s for rerandomization!
  ◮ sample random level-0
  ◮ lift them to level-1
  ◮ rerandomize them at level 1
◮ On the other hand, we do not need rerandomization in (most) obfuscation schemes, which saves us!
◮ Some assumptions used to prove some iO constructions do not hold

42 / 68

slide-110
SLIDE 110

an attempted fix (#1) [BWZ14]

◮ Let’s never reveal encodings of 0!
◮ tags = formal variables $X$, $Y$, top-level $Y \cdot X^\kappa$
◮ A level-$j$ encoding of $m$ will be $x_L = [m_1, \dots, m_n, \alpha, \beta_L]_{X^j}$, $\quad x_R = [\mu_1, \dots, \mu_n, \alpha, \beta_R]_{X^j}$
◮ Additional encodings at a special level $Y$: $t_L = [1, \dots, 1, 1, 0]_Y$, $\quad t_R = [0, \dots, 0, 1, 0]_Y$
◮ New zero-test: $w = p_{zt} \cdot (x_L \cdot t_L - x_R \cdot t_R)$

43 / 68

slide-111
SLIDE 111-113

attack! [CGHLMMRST15]

◮ High-level idea: still a $2(n+2)$ linear form in the CRT components of the CLT encodings $x_L$ and $x_R$.
◮ Compute
  $p_{zt} \cdot \big( [\vec 0, \alpha, \beta_L] \cdot [\vec b, \alpha', \beta'_L] \cdot [\vec c, \alpha'', \beta''_L] \cdot t_L \;-\; [\vec 0, \alpha, \beta_R] \cdot [\vec 0, \alpha', \beta'_R] \cdot [\vec 0, \alpha'', \beta''_R] \cdot t_R \big)$
◮ Still
  $\tilde A \cdot \mathrm{diag}\big(\hat b_1 \cdot (h_1 \cdot \rho_1),\ \hat b_2 \cdot (h_2 \cdot \rho_2),\ \ldots,\ \hat b_{n+2} \cdot (h_{n+2} \cdot \rho_{n+2})\big) \cdot \tilde C$

44 / 68

slide-114
SLIDE 114-116

an attempted fix (#2): matrix CLT [GGHZ14]

◮ Encoding = matrix
◮ Secret parameters: $z$, $g_i$ and random $P \in \mathbb{Z}_{x_0}^{\ell \times \ell}$ for $\ell = 2\ell' + 1$, vectors
  $s = ([\$], \ldots, [\$], [0], \ldots, [0], [\$]) \cdot P^{-1}$,
  $t = P \cdot ([0], \ldots, [0], [\$], \ldots, [\$], [\$])^T \cdot p_{zt}$
◮ To encode $\vec m$, define
  $[[\vec m]] = P \cdot \begin{pmatrix} [\$] & [0] & \cdots & [0] \\ [0] & [\$] & & [0] \\ & & \ddots & \\ [0] & [0] & \cdots & [\vec m] \end{pmatrix} \cdot P^{-1} \bmod x_0$

45 / 68

slide-117
SLIDE 117

matrix CLT zero-testing

◮ To zero-test an encoding $[[\vec m]]$, compute $w = s \cdot [[\vec m]] \cdot t$:
  $w = s \cdot P \cdot \begin{pmatrix} [\$] & [0] & \cdots & [0] \\ [0] & [\$] & & [0] \\ & & \ddots & \\ [0] & [0] & \cdots & [\vec m] \end{pmatrix} \cdot P^{-1} \cdot t = ([0] + [\$] \cdot [\vec m]) \cdot p_{zt} \bmod x_0$
◮ $|w| \ll x_0 \iff \vec m = 0$

46 / 68

slide-118
SLIDE 118-120

attack! [CGHLMMRST15]

◮ Compute $w = s \cdot [[\vec 0]] \cdot [[\vec b]] \cdot [[\vec c]] \cdot t \bmod x_0$
◮ Let's rewrite $w = \tilde a \cdot B \cdot \tilde c^T \bmod x_0$
◮ $B$ is not diagonal as before... but we can extend it into a block-diagonal matrix $\tilde B$, with $n$ sub-matrices $B \bmod p_i$ on the diagonal

47 / 68

slide-121
SLIDE 121-123

attack! [CGHLMMRST15]

◮ Same attack as before yields $A \cdot \tilde B \cdot C$
◮ Inversion in $\mathbb{Q}$ to obtain $A \cdot \tilde B_1 \cdot \tilde B_2^{-1} \cdot A^{-1}$
◮ Instead of computing eigenvalues, use the characteristic polynomial.

48 / 68

slide-124
SLIDE 124

the moral so far

◮ Previous fixes preserve a linear zero-testing function
◮ Extensions of Cheon et al. attack [CHLRS15] by Coron et al. [CGHLMMRST15] capture these fixes, and many other settings
  ◮ General attack framework described
  ◮ Use of Cayley-Hamilton theorem instead of eigenvalues
◮ Essentially, the form of the encodings should not be a problem: the zero-testing is the problem
◮ Can we make the zero-testing non-linear?

49 / 68

slide-125
SLIDE 125-126

an attempted fix (#3) [CLT15]

◮ A CLT13 encoding has the form
  $[\vec m]_j = \dfrac{\mathrm{CRT}_{p_i}(r_1 g_1 + m_1, \ldots, r_n g_n + m_n)}{z^j} \bmod x_0 = \mathrm{CRT}_{p_i}\big((r_1 g_1 + m_1)/z^j, \ldots, (r_n g_n + m_n)/z^j\big) + a' \cdot x_0 = \sum_i (r_i + m_i \cdot g_i^{-1}) \cdot u_i + a \cdot x_0$
◮ Can we use the element $a$, non-linear in the $r_i$'s, in the zero-testing?
◮ Define another modulus $N > x_0$, and do the zero-testing modulo $N$

50 / 68
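As an added toy example (mine, not from the slides or the CLT13/CLT15 papers), here is a CLT13-style encoding over the integers with constructed, deliberately tiny and insecure parameters; it checks that $[\vec m]_\kappa \cdot p_{zt} \bmod x_0$ is a linear form in the CRT components $(r_i + m_i g_i^{-1} \bmod p_i)$, exactly the structure that makes the zero-test the weak point, while the $a \cdot x_0$ part disappears. The parameter values, helper names and $\kappa = 2$ are assumptions.

```python
"""Toy CLT13-style encodings over Z (constructed, insecure parameters). Shows that the
zero-test value is a linear form in the CRT components, with the a*x0 part killed mod x0."""
from math import prod

# Constructed secret parameters: n = 3 primes p_i, small g_i, level mask z,
# zero-test multipliers h_i. Real CLT13 uses n ~ 10^4 primes of ~2000 bits.
P = [2147483647, 1000000007, 998244353]
G = [251, 241, 239]
H = [5, 7, 11]
Z = 1234567891
KAPPA = 2                          # multilinearity level
X0 = prod(P)
PSTAR = [X0 // p for p in P]       # p_i^* = x0 / p_i

def crt(residues):
    """CRT_{p_i}(a_1, ..., a_n): the integer in [0, x0) with residue a_i mod p_i."""
    return sum(a * pow(ps, -1, p) * ps for a, p, ps in zip(residues, P, PSTAR)) % X0

def encode(m, r, level=1):
    """[m]_level = CRT_{p_i}(r_i g_i + m_i) / z^level mod x0."""
    return crt([ri * gi + mi for ri, gi, mi in zip(r, G, m)]) * pow(Z, -level, X0) % X0

def pzt():
    """p_zt = sum_i h_i (z^kappa g_i^{-1} mod p_i) p_i^* mod x0."""
    return sum(h * (pow(Z, KAPPA, p) * pow(g, -1, p) % p) * ps
               for h, g, p, ps in zip(H, G, P, PSTAR)) % X0

def centered(v, mod):
    """Representative of v mod `mod` in (-mod/2, mod/2]."""
    v %= mod
    return v - mod if v > mod // 2 else v

def zero_test(c):
    """Return (omega, is_zero): omega = c * p_zt mod x0 is tiny iff c encodes 0."""
    omega = centered(c * pzt(), X0)
    return omega, abs(omega).bit_length() + 8 < X0.bit_length()

def crt_linear_form(c):
    """Same omega written as sum_i k_i * p_i^*, where k_i = h_i * (r_i + m_i g_i^{-1} mod p_i)
    depends on c only through its i-th CRT component c mod p_i (what zeroizing exploits)."""
    coeffs = [h * (c * pow(Z, KAPPA, p) * pow(g, -1, p) % p) for h, g, p in zip(H, G, P)]
    return centered(sum(k * ps for k, ps in zip(coeffs, PSTAR)), X0)

def demo():
    """Multiply two level-1 encodings to reach level kappa = 2 and zero-test them."""
    zero = encode([0, 0, 0], [3, 5, 7]) * encode([0, 0, 0], [2, 4, 6]) % X0
    nonzero = encode([1, 0, 0], [3, 5, 7]) * encode([1, 0, 0], [2, 4, 6]) % X0
    return zero_test(zero), zero_test(nonzero)
```

For the zero encoding the coefficients are just $h_i r_i r'_i g_i$, so `omega` equals $7530\,p_1^* + 33740\,p_2^* + 110418\,p_3^*$, far below $x_0$; one non-zero slot makes the corresponding coefficient a large pseudo-random residue and `omega` of the size of $x_0$.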

slide-127
SLIDE 127-129

CLT15 zero-testing

◮ We want to generate a new zero-test value $\alpha_{zt}$ such that
  $|[\vec m]_\kappa \cdot \alpha_{zt} \bmod N| \ll N \iff \vec m = 0$
◮ In particular, we have
  $[\vec m]_\kappa \cdot \alpha_{zt} \bmod N = \sum_i (m_i g_i^{-1} + r_i \bmod p_i) \cdot (u_i \cdot \alpha_{zt}) + a \cdot x_0 \cdot \alpha_{zt} \bmod N$
◮ so we want $|\alpha_{zt} \cdot u_i \bmod N| \ll N$ and $|\alpha_{zt} \cdot x_0 \bmod N| \ll N$

51 / 68

slide-130
SLIDE 130-132

how to generate αzt?

◮ Given $N$, the generation of $\alpha_{zt} \in \mathbb{Z}_N$ such that for all $i$, $|u_i \alpha_{zt} \bmod N|$ and $|x_0 \alpha_{zt} \bmod N|$ are small is not obvious.
◮ The problem amounts to finding a relatively short vector in a lattice
  $\begin{pmatrix} 1 & u_1 & \cdots & u_n & x_0 \\ & N & & & \\ & & \ddots & & \\ & & & N & \\ & & & & N \end{pmatrix}$
◮ Use LLL? (we can tolerate an exponential approx. factor over SVP), but typically $n \geq 10^5$

52 / 68

slide-133
SLIDE 133-135

generate αzt using the ui's

◮ Remember that $N \gg x_0$ and $u_i = (g_i\, p_i^{*\,-1} z^k \bmod p_i)\, p_i^*$ in
  $[\vec m]_\kappa \cdot \alpha_{zt} \bmod N = \sum_i (m_i g_i^{-1} + r_i \bmod p_i) \cdot (u_i \cdot \alpha_{zt}) + a \cdot x_0 \cdot \alpha_{zt} \bmod N$
◮ First note that $p_j^{-1} u_i \bmod N$ is small for all $i \neq j$
◮ Only $p_j^{-1} u_j \bmod N$ is not a priori small
◮ Let us find $\alpha_j$ such that $\alpha_j \cdot p_j^{-1} u_j \bmod N$ is small
◮ As before it amounts to finding a short vector in (for a suitable $B$)
  $\begin{pmatrix} \lceil N/B \rceil & p_j^{-1} u_j \\ & N \end{pmatrix}$
◮ we obtain $(\alpha_j \cdot \lceil N/B \rceil,\ \beta_j)$

53 / 68

slide-136
SLIDE 136-137

generate αzt using the ui's

◮ New zero-testing element: $\alpha_{zt} = \sum_j h_j \cdot \alpha_j \cdot p_j^{-1} \bmod N$
◮ When applied on an encoding $[\vec m]_k$:
  $[\vec m]_k \cdot \alpha_{zt} \bmod N = \sum_i (m_i g_i^{-1} + r_i \bmod p_i) \cdot \Big(h_i \beta_i + \sum_{j \neq i} h_j \alpha_j \cdot u_i / p_j\Big) + a \cdot x_0 \cdot \alpha_{zt} \bmod N$

54 / 68

slide-138
SLIDE 138

caveats

◮ $x_0$ can no longer be public
  ◮ Recovering $x_0$ allows one to apply Cheon et al. attack!
◮ Each level includes a ladder of encodings (solution of [DGHV10])
  ◮ encodings $X_i^{(j)} = (\mathrm{CRT}_{p_i}(r_i g_i)/z^j \bmod x_0) + q_i \cdot x_0$ with $q_i \leftarrow [0, 2^i)$ for $i = 1, \ldots, \log(x_0)$
  ◮ do the operation over $\mathbb{Z}$, and remove $X_i^{(j)}$ for decreasing $i$'s

55 / 68

slide-139
SLIDE 139-143

the ladder

[figure: the ladder of encodings $X_i^{(j)}$, removed for decreasing $i$ until the value is smaller than $x_0$]

56 / 68

slide-144
SLIDE 144

attempt of Cheon et al. attack

◮ Consider $u = [\vec a_i]_1 \cdot [\vec b]_1 \cdot [\vec c_j]_1$
◮ Apply the ladder to reduce its size to the size of $x_0$: $u' = u + \sum_m s_m X_m^{(\kappa)}$
◮ Write $u'$ over $\mathbb{Z}$:
  $u' = \sum_k \Big( a_{ik} \cdot b_k \cdot c_{jk} + \sum_m s_m \cdot r_{X,m,\kappa} \Big) \cdot u_k - a \cdot x_0$
◮ All $s_m$'s and $a$ come up in the way of Cheon et al. attack

57 / 68

slide-145
SLIDE 145

attack! [MF15,CHL15]

◮ Two very nice ideas:
  1. define the extraction over $\mathbb{Z}$ to forget about the $s_m$'s
  2. apply Cheon et al. attack with one more dimension
◮ Recall that $\mathrm{ext}([\vec m]_\kappa) = \mathrm{MSB}_\lambda(\alpha_{zt} \cdot [\vec m]_\kappa \bmod N)$
◮ Define $\varphi([\vec m]_\kappa) = \alpha_{zt} \cdot [\vec m]_\kappa \bmod N$

58 / 68

slide-146
SLIDE 146-148

attack! [MF15,CHL15]

◮ $\varphi$ is a multiplication, therefore linear
◮ The smallest element in the ladder can be extracted over $\mathbb{Z}$: $\varphi(X_0^{(\kappa)})$
◮ The next element can be reduced by the first, and then extracted over $\mathbb{Z}$:
  $\varphi(X_1^{(\kappa)}) = \varphi(X_1^{(\kappa)} \bmod X_0^{(\kappa)}) + k \cdot \varphi(X_0^{(\kappa)})$

59 / 68

slide-149
SLIDE 149-151

attack! [MF15,CHL15]

◮ By repeating this, you can extract any encoding, and in particular $[\vec 0]_1 \cdot [\vec b]_1 \cdot [\vec c_j]_1$
◮ As before let us do it, but this time over $\mathbb{Z}$ via $\varphi$:
  $\varphi([\vec 0]_1 \cdot [\vec b]_1 \cdot [\vec c_j]_1) = \sum_k (a_{ik} \cdot b_k \cdot c_{jk}) \cdot u_k - a' \cdot x_0 \cdot \alpha_{zt}$
◮ This time $a'$ is much bigger than it was before
  ◮ but modulo $v_0 = \alpha_{zt} \cdot x_0$ this is the same linearity as the previous zero-testing

60 / 68

slide-152
SLIDE 152-154

attack! [MF15,CHL15]

◮ Similarly to last time, compute a determinant, but this time with $n+1$ $[\vec 0]_1$'s and $n+1$ $[\vec c_j]_1$ instead of $n$
  ◮ It will be full rank over $\mathbb{Z}$ whp
  ◮ but modulo $v_0 = \alpha_{zt} \cdot x_0$ it will be a rank-$n$ matrix!!
◮ Compute the determinant over $\mathbb{Z}$: it will be a multiple of $v_0$
  ◮ Repeat this and take the GCD to recover $v_0$
◮ Then you can recover $x_0$
  ◮ and you can apply the classical Cheon et al. attack

61 / 68

slide-155
SLIDE 155

outline

◮ Introduction & timeline
◮ Syntax of MMAPs
◮ Interlude: HE over Z
◮ The CLT13 Candidate
◮ "Zeroizing", again and again
◮ Conclusion & open problems

62 / 68

slide-156
SLIDE 156

conclusion: security landscape

◮ Zeroizing attacks are devastating for general-purpose multilinear maps [GGH13,CLT13]
  ◮ Break many assumptions and schemes
  ◮ But not all (e.g. obfuscation is currently unaffected!)
◮ All attempts made public at strengthening these schemes are broken!
  ◮ including the attempts at making "zero-testing" less linear [CLT15,GHL15]
◮ Similar situation for [GGH15]
◮ Break & Repair mode
◮ LOTS of room for more cryptanalysis and more theory

63 / 68

slide-157
SLIDE 157

state-of-the-art of today afaik

◮ GGH13: weak distributions, 0 × 0
  ◮ all fixes broken [GGHZ14,GHL15,Hal15,≥ 5 unpublished attempts]
  ◮ see Damien Stehlé's talk
  ◮ Gu's MMAP(s) [Gu15]: completely broken [PS15]
◮ CLT13: "too many" encodings of 0
  ◮ early fixes broken [GGHZ14,BWZ14]
  ◮ new CLT [CLT15] completely broken by [MF15,CHL15] (two weeks ago on Eprint): thus weaker than [CLT13]
◮ GGH15: some "low-level" encodings of 0

64 / 68

slide-158
SLIDE 158-159

open problems

Everything.

65 / 68

slide-160
SLIDE 160-161

future(?) timeline

[figure: hype-cycle curve (visibility vs. time), stages 4 "slope of enlightenment" and 5 "plateau of productivity"]

66 / 68

slide-162
SLIDE 162

“This is going to be a bumpy ride”

Shai Halevi

67 / 68

slide-163
SLIDE 163

Questions?

https://www.cryptoexperts.com/tlepoint

68 / 68