Implementing Candidate Graded Encoding Schemes from Ideal Lattices
Martin R. Albrecht (1), Catalin Cocis (2), Fabien Laguillaumie (3) and Adeline Langlois (4)
1. Information Security Group, Royal Holloway, University of London
2. Technical University of Cluj-Napoca
3. UCBL Lyon 1 (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL)
4. EPFL, Lausanne, Switzerland and CNRS/IRISA, Rennes, France
December 3, 2015
Adeline Langlois Implementing GGH December 3, 2015 1/ 12
Cryptographic Multilinear Maps
A group of N > 2 parties wants to communicate privately via the cloud. Z_q = Z/qZ with q prime, g a public generator of Z_q^×.
Party 1 chooses x_1 ∈ Z_q, y_1 = g^{x_1}
Party 2 chooses x_2 ∈ Z_q, y_2 = g^{x_2}
Party 3 chooses x_3 ∈ Z_q, y_3 = g^{x_3}
...
Party N chooses x_N ∈ Z_q, y_N = g^{x_N}
Secret key (using e, a "cryptographic multilinear map"):
K = e(g, ..., g)^{x_1 ··· x_N} = e(y_2, y_3, ..., y_N)^{x_1} = e(y_1, y_3, ..., y_N)^{x_2} = ...
- Security: hardness of the Multilinear Decisional DH problem (MDDH): for x_1, ..., x_N, x' ← U(Z_q), distinguish between
  (g^{x_1}, ..., g^{x_N}, e(g, ..., g)^{x_1 ··· x_N}) and (g^{x_1}, ..., g^{x_N}, e(g, ..., g)^{x'}).
Construction?
For N = 3 use a bilinear map e : G_1 × G_2 → G_T with g_1 ∈ G_1, g_2 ∈ G_2, g_T ∈ G_T generators.
- e(·, ·) is bilinear: e(g_1^x, g_2^y) = e(g_1, g_2)^{xy},
- e(·, ·) is non-degenerate: e(g_1, g_2) generates G_T,
- e(·, ·) is efficiently computable and DLOG is hard in all groups.
An ideal construction of a cryptographic multilinear map (extending this to κ elements) does not exist.
Approximation: Graded Encoding Scheme
Think of
- x as a "level-0" encoding of x,
- g^x as a "level-1" encoding of x,
- e(g, g)^{xy} as a "level-2" encoding of xy,
- e(·, ..., ·) as "multiplying" two elements at levels i and j to produce an element at level i + j,
- g^x · g^y as "adding" two elements at the same level.
Cryptographic Multilinear Maps – History
- 2000: 3-party key agreement using pairings [Joux00]
- 2003: (κ + 1)-party key agreement using κ-linear maps [BonehSilverberg 2003]
What happened in the last three years?
- 2012: First plausible realization [GargGentryHalevi 2013]
  - New applications: indistinguishability obfuscation (iO)
  - Attacked by [HuJia 2015]
- 2013: Variant over the integers [CoronLepointTibouchi 2013]
  - Attacked by [CheonHanLeeRyuStehlé 2014]
  - Fixed in [CoronLepointTibouchi 2015]
  - Fix fully broken [CheonLeeRyu 2015] [MinaudFouque 2015]
- 2014: Graph-induced multilinear maps [GentryGorbunovHalevi 2015]
  - Recently attacked by [Coron 2015]
GGH13 graded encoding scheme
- In a bilinear map (g and e public), anyone can "encode": given a secret x, compute g^x; given g^{x_1}, g^{x_2} and a secret x_3, compute e(g^{x_1}, g^{x_2})^{x_3}.
- In graded encoding schemes there are two possible versions:
  - A "secret key" version: only the holder of the secret can encode. Application: indistinguishability obfuscation (iO).
  - A "public key" version: some public elements are published, then anyone can encode. Possible application: multi-party key exchange.
GGH: two versions – "secret key version"
I = (g) prime ideal over R (= Z[x]/(x^n + 1)) with small g (secret), R_Enc = R_q and R_Plain = R/(g), κ is the degree of multilinearity.
- Plaintext: an element e of R/(g).
- Level-1 encoding: [c/z]_q for z ← U(R_q) (secret),
  - where c is a small coset representative of e + (g).
- Level-k encoding: [c/z^k]_q.
- Adding encodings (add): given u_1 = [c_1/z^k]_q and u_2 = [c_2/z^k]_q,
  - u = [u_1 + u_2]_q = [(c_1 + c_2)/z^k]_q is a level-k encoding of [c_1 + c_2]_g.
- Multiplying encodings (mult): given u_1 = [c_1/z^{k_1}]_q and u_2 = [c_2/z^{k_2}]_q,
  - u = [u_1 · u_2]_q = [(c_1 · c_2)/z^{k_1 + k_2}]_q is a level-(k_1 + k_2) encoding of [c_1 · c_2]_g.
- Zero-testing (isZero): public parameter p_zt = [h z^κ / g]_q with "small" h. Given u = [c/z^κ]_q, return 1 if ‖[p_zt · u]_q‖_∞ ≤ q^{3/4}.
  - [p_zt · u]_q = [(h z^κ / g) · (c / z^κ)]_q = [h · c / g]_q, which is small only if c ∈ (g).
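As an added worked example (not code from the slides and not the authors' gghlite-flint implementation), the following Python toy walks through the secret-key operations above: arithmetic in R_q = Z_q[x]/(x^n + 1), a secret z, encode, add, mult, and the zero test with p_zt = [h z^κ / g]_q. Everything beyond the slide is an assumption of the toy: n = 16, q = 2^89 − 1, κ = 3, schoolbook multiplication, inversion in R_q by Gaussian elimination mod q, and a fixed g = 2 + x (its norm is 2^16 + 1 = 65537, a prime, so (g) is a prime ideal with 65537 plaintext classes) in place of a sampled small g.

```python
# Toy secret-key GGH13 graded encoding over R = Z[x]/(x^n + 1), R_q = R/qR.
# Added illustration with toy parameters; not the authors' FLINT implementation.
import random

def centered(x, q):
    """[x]_q: the representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def ring_mul(a, b, q=None):
    """Schoolbook product in Z[x]/(x^n + 1); centered mod q when q is given."""
    n, res = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                res[i + j] += ai * bj
            else:                        # x^n = -1 wraps the high coefficients
                res[i + j - n] -= ai * bj
    return [centered(x, q) for x in res] if q else res

def ring_add(a, b, q):
    return [centered(x + y, q) for x, y in zip(a, b)]

def ring_inv(a, q):
    """a^-1 in R_q: solve a*w = 1 by Gaussian elimination mod the prime q."""
    n = len(a)
    cols = [ring_mul(a, [int(i == j) for i in range(n)], q) for j in range(n)]  # a*x^j
    M = [[cols[j][i] % q for j in range(n)] + [int(i == 0)] for i in range(n)]  # [M | e_0]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            raise ValueError("element is not invertible mod q")
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, q)
        M[c] = [v * inv % q for v in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(vr - f * vc) % q for vr, vc in zip(M[r], M[c])]
    return [centered(M[i][n], q) for i in range(n)]

class ToyGGH:
    """Secret-key version: only the holder of z (and g) can encode; p_zt is public."""
    def __init__(self, n, q, kappa, seed=1):
        self.n, self.q, self.kappa = n, q, kappa
        self.rng = random.Random(seed)
        # Toy assumption: g = 2 + x instead of a sampled small g.  Its norm is
        # N(g) = 2^n + 1 (65537, prime, for n = 16), so (g) is a prime ideal as GGH asks.
        self.g = [2, 1] + [0] * (n - 2)
        g_inv = ring_inv(self.g, q)
        while True:                                # secret uniform z in R_q
            self.z = [self.rng.randrange(q) for _ in range(n)]
            try:
                self.z_inv = ring_inv(self.z, q)
                break
            except ValueError:
                pass
        h = [self.rng.randint(-3, 3) for _ in range(n)]   # "small" h
        z_kappa = [1] + [0] * (n - 1)
        for _ in range(kappa):
            z_kappa = ring_mul(z_kappa, self.z, q)
        self.pzt = ring_mul(ring_mul(h, z_kappa, q), g_inv, q)   # p_zt = [h z^kappa / g]_q

    def small(self):
        return [self.rng.randint(-1, 1) for _ in range(self.n)]

    def encode(self, e, k):
        """Level-k encoding [c / z^k]_q, with c = e + g*r a small representative of e + (g)."""
        u = [ei + gri for ei, gri in zip(e, ring_mul(self.g, self.small()))]
        for _ in range(k):
            u = ring_mul(u, self.z_inv, self.q)
        return u

    def add(self, u1, u2):        # same level: encodes the sum of the plaintexts
        return ring_add(u1, u2, self.q)

    def mult(self, u1, u2):       # levels k1, k2 -> level k1 + k2, encodes the product
        return ring_mul(u1, u2, self.q)

    def is_zero(self, u):
        """Level-kappa zero test: [p_zt * u]_q = [h c / g]_q is small only if c is in (g)."""
        return max(abs(x) for x in ring_mul(self.pzt, u, self.q)) <= self.q ** 0.75

def demo(n=16, q=2**89 - 1, kappa=3, seed=7):
    """Returns (same plaintext, product consistency, different plaintext) zero-test results."""
    S = ToyGGH(n, q, kappa, seed)
    neg = lambda u: [-x for x in u]
    e1, e2, e3 = S.small(), S.small(), S.small()
    # two independent level-kappa encodings of e1 differ by an encoding of zero
    same = S.is_zero(S.add(S.encode(e1, kappa), neg(S.encode(e1, kappa))))
    # a product of three level-1 encodings agrees with a fresh level-3 encoding of e1*e2*e3
    prod = S.mult(S.mult(S.encode(e1, 1), S.encode(e2, 1)), S.encode(e3, 1))
    e123 = ring_mul(ring_mul(e1, e2), e3)
    product = S.is_zero(S.add(prod, neg(S.encode(e123, kappa))))
    # e1 and e1 + 1 differ by 1, which is not in (g): the zero test must fail
    other = [e1[0] + 1] + e1[1:]
    different = S.is_zero(S.add(S.encode(e1, kappa), neg(S.encode(other, kappa))))
    return same, product, different
```

demo() returns (True, True, False): two encodings of one plaintext differ by an encoding of zero, a product of level-1 encodings zero-tests against a fresh level-κ encoding of the product, and encodings of distinct plaintexts do not. The threshold q^{3/4} only separates the two cases because g, h, the plaintexts and the randomizers r are tiny compared with q, which is why the choice of q is the centre of the parameter analysis later in the talk.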
GGH: two versions – "public key version"
I = (g) prime ideal over R (= Z[x]/(x^n + 1)) with small g (secret), R_Enc = R_q and R_Plain = R/(g), κ is the degree of multilinearity.
- Public parameter: y, a level-1 encoding of 1.
- Plaintext: an element e of R/(g).
- Level-1 encoding: [c/z]_q = [e · y]_q for z ← U(R_q) (secret),
  - where c is a small coset representative of e + (g).
- Level-k encoding: [c/z^k]_q = [e · y^k]_q.
To ensure security ⇒ the encodings need to be randomized:
- Public parameters {x_j}_{j ∈ [m_r]}: level-1 encodings of zero.
- Level-1 encoding: [u' + Σ_j ρ_j x_j]_q,
  - where each ρ_j is sampled from a discrete Gaussian over Z,
  - so Σ_j ρ_j x_j is a discrete Gaussian and an encoding of zero.
GGH: two versions
Secret key version (what we implement):
- z secret, used to encode
- no need for re-randomizers
- zero-testing parameter public
- Main application: indistinguishability obfuscation
Public key version (all existing constructions are broken):
- y public, used to encode ⇒ anyone can encode
- needs "re-randomizers": level-i encodings of zero
- zero-testing parameter public
- Used for N-party key exchange
Could this be implemented?
- Original GGH construction: parameters too big, nothing can run in practice.
- GGHLite [LangloisStehléSteinfeld 2014] has nicer parameters but still some issues:
  - (g) needs to be a prime ideal,
  - very large parameters n and q,
  - no discrete Gaussian sampling over arbitrary ideals publicly available.
Our work
First efficient implementation of an improved GGH scheme ("secret key version"), publicly available.
- We show that (g) does not need to be a prime ideal.
- We provide a better analysis of the scheme:
  - reduce the bitsize of q by a factor 4 (and hence the size of n).
- We give a strategy to choose efficient parameters,
  - based on lattice attacks.
In the scheme, all operations are in R = Z[x]/(x^n + 1) or R_q.
- Implementation in C relying on FLINT, with all steps in quasi-linear time.
- Re-implement most of the non-trivial operations:
  - polynomial multiplication in R_q using the NTT,
  - computing norms in R.
- Implement operations not available in FLINT:
  - approximate inverse in K = Q[x]/(x^n + 1),
  - approximate square root in K,
  - sampling from discrete Gaussians on arbitrary ideals (using [GPV08, DDLL13]).
- Implementation ready to be used for implementing iO.
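As an added example (not the authors' FLINT-based code), this Python block shows the negacyclic NTT multiplication in R_q listed above: twist the inputs by powers of a primitive 2n-th root of unity ψ, apply a cyclic NTT, multiply pointwise, apply the inverse NTT and untwist, which gives the product modulo x^n + 1 in O(n log n) instead of O(n^2). It assumes a prime q ≡ 1 (mod 2n) so that such a ψ exists (the check uses q = 12289 with n = 256, and q = 17 for the small cases) and compares the result against a schoolbook product.

```python
# Negacyclic NTT multiplication in R_q = Z_q[x]/(x^n + 1), n a power of two.
# Added illustration of the "polynomial multiplication in R_q using NTT" step;
# not the authors' FLINT code.  Requires a prime q with q = 1 (mod 2n).
import random

def find_psi(n, q):
    """A primitive 2n-th root of unity mod q (its n-th power is -1, a root of x^n + 1)."""
    if (q - 1) % (2 * n):
        raise ValueError("need q = 1 (mod 2n)")
    for g in range(2, q):
        psi = pow(g, (q - 1) // (2 * n), q)
        if pow(psi, n, q) == q - 1:      # psi^n = -1  <=>  psi has order exactly 2n
            return psi
    raise ValueError("no primitive 2n-th root of unity; is q prime?")

def ntt(a, omega, q):
    """Cyclic NTT A_k = sum_i a_i omega^(ik) mod q (recursive Cooley-Tukey, omega of order n)."""
    n = len(a)
    if n == 1:
        return list(a)
    even = ntt(a[0::2], omega * omega % q, q)
    odd = ntt(a[1::2], omega * omega % q, q)
    out, w = [0] * n, 1
    for k in range(n // 2):
        t = w * odd[k] % q
        out[k] = (even[k] + t) % q
        out[k + n // 2] = (even[k] - t) % q     # omega^(n/2) = -1
        w = w * omega % q
    return out

def negacyclic_mul(a, b, q):
    """a*b in Z_q[x]/(x^n + 1): twist by psi^i, cyclic NTT, pointwise product, untwist."""
    n = len(a)
    psi = find_psi(n, q)
    omega, psi_inv, n_inv = psi * psi % q, pow(psi, -1, q), pow(n, -1, q)
    twist = [pow(psi, i, q) for i in range(n)]
    A = ntt([x * t % q for x, t in zip(a, twist)], omega, q)
    B = ntt([x * t % q for x, t in zip(b, twist)], omega, q)
    C = ntt([x * y % q for x, y in zip(A, B)], pow(omega, -1, q), q)
    return [c * n_inv % q * pow(psi_inv, i, q) % q for i, c in enumerate(C)]

def schoolbook_mul(a, b, q):
    """Reference O(n^2) product in Z_q[x]/(x^n + 1)."""
    n = len(a)
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                res[i + j] += ai * bj
            else:                        # x^n = -1
                res[i + j - n] -= ai * bj
    return [x % q for x in res]

def check_against_schoolbook(n=256, q=12289, seed=0):
    """True if the NTT product agrees with the schoolbook product on a random pair."""
    rng = random.Random(seed)
    a = [rng.randrange(q) for _ in range(n)]
    b = [rng.randrange(q) for _ in range(n)]
    return negacyclic_mul(a, b, q) == schoolbook_mul(a, b, q)
```

The twist works because ψ^n = −1: multiplying coefficient i by ψ^i turns the wrap-around sign of x^n + 1 into an ordinary cyclic wrap, so a plain cyclic NTT computes the negacyclic product up to the final ψ^{-i} factor. For the GGH-sized rings on the slides (n up to 2^18, log q in the thousands) this is exactly the step that keeps encode and mult quasi-linear.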
Some concrete results
λ    κ    λ'      n      log q   Setup     Encode   Mult     ‖enc‖
52   6    64.4    2^15   2117    114s      26s      0.05s    8.3MB
52   52   62.7    2^18   19898   26695s    1016s    84.1s    621.8MB
80   6    155.2   2^16   2289    415s      74s      0.13s    17.9MB
80   19   80.4    2^17   7089    1821s     268s     3.07s    110.8MB
80   38   80.3    2^18   14649   20381s    947s     16.21s   457.8MB
- κ is the multilinearity level,
- λ' is the expected security level based on the best known attacks,
- Setup: time for generating a GGH instance,
- Encode: time to reduce an element of Z_p with p = N(I) to a small element of Z[x]/(x^n + 1) modulo (g),
- Mult: the time to multiply κ elements.
Conclusion
Implementing lattice-based schemes (in R = Z[x]/(x^n + 1)): parts of this implementation may be useful on their own and will soon be available independently.
Open problems
Security of graded encoding schemes:
- attacking the "secret key" variant of GGH or CLT,
- constructing a secure variant.
https://bitbucket.org/malb/gghlite-flint
Thank You