multilinear maps from ideal lattices and applications

Multilinear Maps From Ideal Lattices and

ApplicationsSanjam Garg (UCLA)

Joint work with Craig Gentry (IBM) and Shai Halevi (IBM)

Outline Bilinear Maps: Recall and Applications

Motivating Multilinear maps

Our Results Definitions of Multi-linear Maps

Classical Notion Our Notion

Our Construction Security

Cryptographic Bilinear Maps(Weil and Tate Pairings)Recalling Bilinear Maps and its Applications: Motivating Multilinear Maps

Cryptographic Bilinear Maps Bilinear maps are extremely useful in cryptography

lots of applications

As the name suggests allow pairing two things together

Bilinear Maps – Definitions Cryptographic bilinear map

Groups and of order with generators and a bilinear map such that

Instantiation: Weil or Tate pairings over elliptic curves.

Given hard to get

DDH is easyGiven

Bilinear Maps: ``Hard” Problems 3-party Decisional Diffie-Hellman: Given hard to distinguish Bilinear Diffie-Hellman: Givenhard to distinguish from Random

Non-Interactive Key Agreement [DH76]

Easy Application: Tri-partite key agreement [Joux00]: Alice, Bob, Carol generate and broadcast . They each separately compute the key

What if we have more than 3-parties? [BS03]

𝑎 𝑏

𝑔1𝑎 𝑔1

𝑏

𝐾=𝑔1𝑎𝑏

Application 1

Prover Verifier

Non-Interactive Zero Knowledge [BMF88]

Soundness:Statement is true

Zero-knowledge:Nothing but truth revealed

Common reference string :

Proof:

Witness for

statement being true

Statement :

Application 2

Only know constructions are from Bilinear Maps[GOS06] and Trapdoor permutation[FLS90] .

What if we had Bilinear maps from some other assumption?

PKE with Enhanced Capabilities Identity Based Encryption [Sha84] Boneh and Franklin using bilinear maps [BF01]

More general notion – Attribute Based Encryption [SW05]

Application 3

10

PKMSK

“Tel-Aviv University”“Professor”

“Tel-Aviv University”“Grad-student”

OR

Chancellor AND

TAU Professor

OR

ChancellorAND

TAU Professor

SK’SK

Key AuthorityAttribute-Based Encryption [SW05]

How general can this policy be?

Bottom line: Very few policies such as formulas are known to be realizable.

Application 3

What if we had multilinear maps?

Other Applications Traitor-Tracing (with small ciphertexts)[BSW06] Efficient Signature Schemes [BLS04] Efficient Broadcast Encryption Attribute based signatures Blind Signatures/Anonymous Credentials Structure Preserving Signatures And many more…. There is a conference on Pairing based Cryptography What if we had multilinear map? [BS03]

Our Results constructions of multi-

linear maps Use these to get

-party non-interactive Diffie Hellman NIZKs from lattice assumptions Attribute based encryption for general circuits

[GGH12, SW12] Witness Encryption [GGSW12]

Insufficient for [Rot12] counterexample Every bit encryption remains secure even when

encryption of the secret key is given out

Candidate approximateConstructions of multi-linear maps(Public parameters hide secrets)

Encrypter

Witness Encryption

Soundness:Statement is false Semantic Security

𝑐

Witness for statement . Statement :

𝑚 Encrypter Receiver

Application 4

Cryptographic Multi-linear MapsDefinitions: Classical notion and our Approximate variant

Multilinear Maps: Classical Notion Cryptographic n-multilinear map (for groups)

Groups of order with generators Family of maps:

, where

.

And at least the ``discrete log” problems in each is ``hard’’. And hopefully the generalization of 3-party DH

Getting to our Notion

Our visualization

of (traditional)

Bilinear Maps

Step by step I will make changes to get our notion of

Bilinear Maps

At each step provide

Extension to Multi-linear

Maps

Bilinear Maps: Our visualization𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

Bilinear Maps: Our visualization Sampling𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

It was easy to sample uniformly from .

Bilinear Maps: Our visualizationEquality Checking

𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

Trivial to check if two terms are the same.

Bilinear Maps: Our visualizationAddition𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

𝑔13

Bilinear Maps: Our visualizationMultiplication𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

Bilinear Maps: Sets(Our Notion)

𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

𝑆01

𝑆02

𝑆0𝑝

𝑆11

𝑆12

𝑆1𝑝

𝑆21

𝑆22

𝑆2𝑝

𝑆0❑ 𝑆1

❑ 𝑆2❑

Level-0 encodings

Multilinear Maps: Our Notion

Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of

”.

Bilinear Maps: Sampling(Our Notion)𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

𝑆01

𝑆02

𝑆0𝑝

𝑆11

𝑆12

𝑆1𝑝

𝑆21

𝑆22

𝑆2𝑝

𝑆0❑ 𝑆1

❑ 𝑆2❑

It was easy to sample uniformly from .

I should be efficient to sample such that for a uIt may not be uniform in or .



”. Sampling: Output for a u

Bilinear Maps: Equality Checking(Our Notion)

𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

𝑆01

𝑆02

𝑆0𝑝

𝑆11

𝑆12

𝑆1𝑝

𝑆21

𝑆22

𝑆2𝑝

𝑆0❑ 𝑆1

❑ 𝑆2❑

It was trivial to check if two terms are the same.

Check if two values come from the same set.



”. Sampling: Output for a random Equality testing(): Output iff such that

Bilinear Maps: Addition(Our Notion)

𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

𝑆01

𝑆02

𝑆0𝑝

𝑆11

𝑆12

𝑆1𝑝

𝑆21

𝑆22

𝑆2𝑝

𝑆0❑ 𝑆1

❑ 𝑆2❑

𝑔13 𝑆1

3



”. Sampling: Output for a random Equality testing(): Output iff such that Addition/Subtraction: There are ops and such

that:

We have and

Bilinear Maps: Multiplication(Our Notion)𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

𝑆01

𝑆02

𝑆0𝑝

𝑆11

𝑆12

𝑆1𝑝

𝑆21

𝑆22

𝑆2𝑝

𝑆0❑ 𝑆1

❑ 𝑆2❑



”. Sampling: Output for a random Equality testing(): Output iff such that Addition/Subtraction: There are ops and such

that: Multiplication: There is an op such that:

such that We have .

Bilinear Maps: Noisy(Our Notion)

𝑍 𝑝

12⋮𝑝

𝐺1

𝑔11

𝑔12

⋮𝑔1𝑝

𝐺2

𝑔21

𝑔22

⋮𝑔2𝑝

𝑆01

𝑆02

𝑆0𝑝

𝑆11

𝑆12

𝑆1𝑝

𝑆21

𝑆22

𝑆2𝑝

𝑆0❑ 𝑆1

❑ 𝑆2❑

All operations are required to work as long as ``noise’’ level remains small.


Discrete Log: Given level- encoding of , hard to compute level-- encoding of .

n-Multilinear DDH: Given level- encodings of and a level-n encoding T distinguish whether T encodes or not.

(Kind of like NTRU-Based FHE, but with Equality Testing)

``Noisy” Multilinear Maps

Our Construction We work in polynomial ring

E.g., ( is a power of two) Also use

Public parameters hide a small and a random (large)

defines a principal ideal over The ``scalars” that we encode are cosets of

(i.e., elements in the quotient ring ) e.g., if is a prime, then we can represent these cosets using

the integers

Our Construction

𝑆01

𝑆02

𝑆0𝑝

𝑆0❑

⋮

𝑆11

𝑆12

𝑆1𝑝

𝑆1❑

⋮

𝑆21

𝑆22

𝑆2𝑝

𝑆2❑

⋮

1+𝐼2+𝐼

𝐼

Small defines a principal ideal over

A random (large)

[ 𝑐𝑧 ]𝑞

𝑐

[ 𝑐𝑧 2 ]𝑞

+ and ×

should have small coefficients

If , are both short then, has the form ,

where is still short and

If , are both short then,has the form ,

where is still short and Multiplication

Addition

Our Construction (in general)

In general, ``level-k encoding” of a coset has the form for a short

Addition: Add encodings as long as ||

Multi-linear: Multiply encodings to get an encoding of the product at level as long as

``Somewhat homomorphic” encoding

Sampling and equality check?

Sampling Sampling: If (wider than smoothing parameter of

but still smaller than ), then encodes a random coset.

Why should this work? -- vector with tiny coefficients

Encoding this random coset

Publish an encoding of 1:

Sampling: If (wide enough), then encodes a random coset.

Don’t know how to encode specific elements

Given this short , set is a valid level- encoding of the coset

Translating from level to :

Equality Checking Do encode the same coset?

Suffices to check - encodes . Publish a (level-k) zero-testing param

h is ``somewhat short” (e.g. of size ) To test, if encodes , compute = =

Which is small if (or, )

Re-randomizaton𝑆0

𝑠 𝑆0𝑡 𝑆0

𝑠𝑡 𝑆0𝑟

𝑐𝑠𝑐𝑡𝑐𝑠𝑡𝑐𝑟

And But then

We need to re-randomize the encoding, to break these simple algebraic relations

𝑢𝑠𝑢𝑡𝑢𝑠𝑡𝑢𝑟

𝑆1𝑠𝑡

𝑆1❑

𝑥0𝑥0′ 𝑥0

′ ′⋯⋯⋯

Need to re-randomize

this as well.

This re-randomization gets us statistically close to the actual distribution [AGHS12].

𝑆10

The Complete Encoding Scheme

Parameters: , , and Encode a random element:

S

Re-randomize u (at level 1):

Zero Test: Map to level(by multiplying by for appropriate j) Check if is small

Variants Asymmetric variants (many zi’s), XDH analog , , Partially symmetric and partially asymmetric Statistical Zero-test security

Security: Cryptanalysis

Attacks, , and Goal: To find or Covering the basics (Not ``Trivially’’ broken)

Adversary that only (iteratively) adds, subtracts, multiplies, or divides pairs of elements that it has already computed cannot break the scheme

Similar in spirit to Generic Group model Without the - essentially the NTRU problem

Attacks, , and Goal: To find or Algebraic and Lattice Attacks

Averaging attacks Other attacks for Principal Ideals

Summary Presented ``noisy” cryptographic multilinear map. Construction is similar to NTRU-based

homomorphic encryption, but with an equality-testing parameter.

Security is based on somewhat stronger computational assumptions than NTRU.

But more cryptanalysis needs to be done! And more applications need to be found!

??Thank You! Questions?

multilinear maps from ideal lattices and applications

Documents

notion25bilinear maps

visualizationbilinear

notionbilinear maps

bs03outlinebilinear

encodings multilinear

bilinear maps bf01

bilinear mapsgos06

pairing based cryptographywhat