multilinear maps from ideal lattices and applications
DESCRIPTION
Multilinear Maps From Ideal Lattices and Applications. Sanjam Garg (UCLA) Joint work with Craig Gentry (IBM) and Shai Halevi (IBM). Outline. Bilinear Maps: Recall and Applications Motivating Multilinear maps Our Results Definitions of Multi-linear Maps Classical Notion Our Notion - PowerPoint PPT PresentationTRANSCRIPT
Multilinear Maps From Ideal Lattices and
ApplicationsSanjam Garg (UCLA)
Joint work with Craig Gentry (IBM) and Shai Halevi (IBM)
Outline Bilinear Maps: Recall and Applications
Motivating Multilinear maps
Our Results Definitions of Multi-linear Maps
Classical Notion Our Notion
Our Construction Security
Cryptographic Bilinear Maps(Weil and Tate Pairings)Recalling Bilinear Maps and its Applications: Motivating Multilinear Maps
Cryptographic Bilinear Maps Bilinear maps are extremely useful in cryptography
lots of applications
As the name suggests allow pairing two things together
Bilinear Maps – Definitions Cryptographic bilinear map
Groups and of order with generators and a bilinear map such that
Instantiation: Weil or Tate pairings over elliptic curves.
Given hard to get
DDH is easyGiven
Bilinear Maps: ``Hard” Problems 3-party Decisional Diffie-Hellman: Given hard to distinguish Bilinear Diffie-Hellman: Givenhard to distinguish from Random
Non-Interactive Key Agreement [DH76]
Easy Application: Tri-partite key agreement [Joux00]: Alice, Bob, Carol generate and broadcast . They each separately compute the key
What if we have more than 3-parties? [BS03]
𝑎 𝑏
𝑔1𝑎 𝑔1
𝑏
𝐾=𝑔1𝑎𝑏
Application 1
Prover Verifier
Non-Interactive Zero Knowledge [BMF88]
Soundness:Statement is true
Zero-knowledge:Nothing but truth revealed
Common reference string :
Proof:
Witness for
statement being true
Statement :
Application 2
Only know constructions are from Bilinear Maps[GOS06] and Trapdoor permutation[FLS90] .
What if we had Bilinear maps from some other assumption?
PKE with Enhanced Capabilities Identity Based Encryption [Sha84] Boneh and Franklin using bilinear maps [BF01]
More general notion – Attribute Based Encryption [SW05]
Application 3
10
PKMSK
“Tel-Aviv University”“Professor”
“Tel-Aviv University”“Grad-student”
OR
Chancellor AND
TAU Professor
OR
ChancellorAND
TAU Professor
SK’SK
Key AuthorityAttribute-Based Encryption [SW05]
How general can this policy be?
Bottom line: Very few policies such as formulas are known to be realizable.
Application 3
What if we had multilinear maps?
Other Applications Traitor-Tracing (with small ciphertexts)[BSW06] Efficient Signature Schemes [BLS04] Efficient Broadcast Encryption Attribute based signatures Blind Signatures/Anonymous Credentials Structure Preserving Signatures And many more…. There is a conference on Pairing based Cryptography What if we had multilinear map? [BS03]
Outline Bilinear Maps: Recall and Applications
Motivating Multilinear maps
Our Results Definitions of Multi-linear Maps
Classical Notion Our Notion
Our Construction Security
Our Results constructions of multi-
linear maps Use these to get
-party non-interactive Diffie Hellman NIZKs from lattice assumptions Attribute based encryption for general circuits
[GGH12, SW12] Witness Encryption [GGSW12]
Insufficient for [Rot12] counterexample Every bit encryption remains secure even when
encryption of the secret key is given out
Candidate approximateConstructions of multi-linear maps(Public parameters hide secrets)
Encrypter
Witness Encryption
Soundness:Statement is false Semantic Security
𝑐
Witness for statement . Statement :
𝑚 Encrypter Receiver
Application 4
Outline Bilinear Maps: Recall and Applications
Motivating Multilinear maps
Our Results Definitions of Multi-linear Maps
Classical Notion Our Notion
Our Construction Security
Cryptographic Multi-linear MapsDefinitions: Classical notion and our Approximate variant
Multilinear Maps: Classical Notion Cryptographic n-multilinear map (for groups)
Groups of order with generators Family of maps:
, where
.
And at least the ``discrete log” problems in each is ``hard’’. And hopefully the generalization of 3-party DH
Getting to our Notion
Our visualization
of (traditional)
Bilinear Maps
Step by step I will make changes to get our notion of
Bilinear Maps
At each step provide
Extension to Multi-linear
Maps
Bilinear Maps: Our visualization𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
Bilinear Maps: Our visualization Sampling𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
It was easy to sample uniformly from .
Bilinear Maps: Our visualizationEquality Checking
𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
Trivial to check if two terms are the same.
Bilinear Maps: Our visualizationAddition𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑔13
Bilinear Maps: Our visualizationMultiplication𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
Bilinear Maps: Sets(Our Notion)
𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
Level-0 encodings
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of
”.
Bilinear Maps: Sampling(Our Notion)𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
It was easy to sample uniformly from .
I should be efficient to sample such that for a uIt may not be uniform in or .
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of
”. Sampling: Output for a u
Bilinear Maps: Equality Checking(Our Notion)
𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
It was trivial to check if two terms are the same.
Check if two values come from the same set.
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of
”. Sampling: Output for a random Equality testing(): Output iff such that
Bilinear Maps: Addition(Our Notion)
𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
𝑔13 𝑆1
3
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of
”. Sampling: Output for a random Equality testing(): Output iff such that Addition/Subtraction: There are ops and such
that:
We have and
Bilinear Maps: Multiplication(Our Notion)𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of
”. Sampling: Output for a random Equality testing(): Output iff such that Addition/Subtraction: There are ops and such
that: Multiplication: There is an op such that:
such that We have .
Bilinear Maps: Noisy(Our Notion)
𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
All operations are required to work as long as ``noise’’ level remains small.
Multilinear Maps: Our Notion
Discrete Log: Given level- encoding of , hard to compute level-- encoding of .
n-Multilinear DDH: Given level- encodings of and a level-n encoding T distinguish whether T encodes or not.
Outline Bilinear Maps: Recall and Applications
Motivating Multilinear maps
Our Results Definitions of Multi-linear Maps
Classical Notion Our Notion
Our Construction Security
(Kind of like NTRU-Based FHE, but with Equality Testing)
``Noisy” Multilinear Maps
Our Construction We work in polynomial ring
E.g., ( is a power of two) Also use
Public parameters hide a small and a random (large)
defines a principal ideal over The ``scalars” that we encode are cosets of
(i.e., elements in the quotient ring ) e.g., if is a prime, then we can represent these cosets using
the integers
Our Construction
𝑆01
𝑆02
𝑆0𝑝
𝑆0❑
⋮
𝑆11
𝑆12
𝑆1𝑝
𝑆1❑
⋮
𝑆21
𝑆22
𝑆2𝑝
𝑆2❑
⋮
1+𝐼2+𝐼
𝐼
Small defines a principal ideal over
A random (large)
[ 𝑐𝑧 ]𝑞
𝑐
[ 𝑐𝑧 2 ]𝑞
+ and ×
should have small coefficients
If , are both short then, has the form ,
where is still short and
If , are both short then,has the form ,
where is still short and Multiplication
Addition
Our Construction (in general)
In general, ``level-k encoding” of a coset has the form for a short
Addition: Add encodings as long as ||
Multi-linear: Multiply encodings to get an encoding of the product at level as long as
``Somewhat homomorphic” encoding
Sampling and equality check?
Sampling Sampling: If (wider than smoothing parameter of
but still smaller than ), then encodes a random coset.
Why should this work? -- vector with tiny coefficients
Encoding this random coset
Publish an encoding of 1:
Sampling: If (wide enough), then encodes a random coset.
Don’t know how to encode specific elements
Given this short , set is a valid level- encoding of the coset
Translating from level to :
Equality Checking Do encode the same coset?
Suffices to check - encodes . Publish a (level-k) zero-testing param
h is ``somewhat short” (e.g. of size ) To test, if encodes , compute = =
Which is small if (or, )
Re-randomizaton𝑆0
𝑠 𝑆0𝑡 𝑆0
𝑠𝑡 𝑆0𝑟
𝑐𝑠𝑐𝑡𝑐𝑠𝑡𝑐𝑟
And But then
We need to re-randomize the encoding, to break these simple algebraic relations
𝑢𝑠𝑢𝑡𝑢𝑠𝑡𝑢𝑟
𝑆1𝑠𝑡
𝑆1❑
𝑥0𝑥0′ 𝑥0
′ ′⋯⋯⋯
Need to re-randomize
this as well.
This re-randomization gets us statistically close to the actual distribution [AGHS12].
𝑆10
The Complete Encoding Scheme
Parameters: , , and Encode a random element:
S
Re-randomize u (at level 1):
Zero Test: Map to level(by multiplying by for appropriate j) Check if is small
Variants Asymmetric variants (many zi’s), XDH analog , , Partially symmetric and partially asymmetric Statistical Zero-test security
Security: Cryptanalysis
Attacks, , and Goal: To find or Covering the basics (Not ``Trivially’’ broken)
Adversary that only (iteratively) adds, subtracts, multiplies, or divides pairs of elements that it has already computed cannot break the scheme
Similar in spirit to Generic Group model Without the - essentially the NTRU problem
Attacks, , and Goal: To find or Algebraic and Lattice Attacks
Averaging attacks Other attacks for Principal Ideals
Summary Presented ``noisy” cryptographic multilinear map. Construction is similar to NTRU-based
homomorphic encryption, but with an equality-testing parameter.
Security is based on somewhat stronger computational assumptions than NTRU.
But more cryptanalysis needs to be done! And more applications need to be found!
??Thank You! Questions?