candidate multilinear maps
DESCRIPTION
Candidate Multilinear Maps. Sanjam Garg (IBM). Based on joint works with Craig Gentry (IBM) and Shai Halevi (IBM). Outline. Bilinear Maps: Recall Intuitively: Multilinear Maps Our Results and Applications Definitions of Multi-linear Maps Classical Notion Our Notion Our Construction
TRANSCRIPT
![Page 1: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/1.jpg)
Candidate Multilinear Maps
Sanjam Garg (IBM)
Based on joint works with Craig Gentry (IBM) and Shai Halevi (IBM)
![Page 2: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/2.jpg)
Outline
• Bilinear Maps: Recall
• Intuitively: Multilinear Maps
• Our Results and Applications
• Definitions of Multi-linear Maps
• Classical Notion
• Our Notion
• Our Construction
• Security
![Page 3: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/3.jpg)
Cryptographic Bilinear Maps (Weil and Tate Pairings)
Recalling Bilinear Maps and its Applications: Motivating Multilinear Maps
![Page 4: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/4.jpg)
Cryptographic Bilinear Maps
• Bilinear maps are extremely useful in cryptography
• Lots of applications [Joux00, BF01]
• As the name suggests, they allow pairing two things together
![Page 5: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/5.jpg)
Bilinear Maps – Definitions
Cryptographic bilinear map
Groups and of order with generators and a bilinear map such that
Instantiation: Weil or Tate pairings over elliptic curves.
Given hard to get
DDH is easy
Given
![Page 6: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/6.jpg)
Bilinear Maps: “Hard” Problem
Bilinear Diffie-Hellman: Given hard to distinguish from Random
Multilinear Maps [BS03] generalize this concept.
![Page 7: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/7.jpg)
Our Multilinear Maps
Candidate approximate constructions of multi-linear maps
Many exciting applications
![Page 8: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/8.jpg)
Non-Interactive Key Agreement [DH76]
[Figure: Alice and Bob with public keys $PK_a$ and $PK_b$ and shared key $K_{a,b}$.]
Extended to three parties by [Joux00]
Mmaps would give solution for more than 3-parties. [BS03]
Application 1
![Page 9: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/9.jpg)
Non-Interactive Key Agreement [DH76]
Easy Application: Tri-partite key agreement [Joux00]: Alice, Bob, Carol generate and broadcast . They each separately compute the key
More than 3-parties – easy application. [GGH13]
[Figure: Alice holds $a$ and Bob holds $b$; they exchange $g_1^a$ and $g_1^b$ and share the key $K = g_1^{ab}$.]
Application 1
![Page 10: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/10.jpg)
Software Obfuscation
• Obfuscation aims to make computer programs “unintelligible” while preserving their functionality.
[Figure: Alice and Bob, with a program P and its obfuscation O(P).]
Application 2
![Page 11: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/11.jpg)
Indistinguishability Obfuscation [BGIRSVY01, GR07, GGHRSW13]
[Figure: an Obfuscator box with $C$ and $O(C)$.]
Security : Can’t tell if = or As long as and
Might seem useless: but actually is very useful…
Application 2
![Page 12: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/12.jpg)
Obfuscation + Mmaps Applications
• Witness Encryption
• Attribute Based Encryption [GGHSW13]
• Functional Encryption [GGHRSW13, GJKS13, GGJS13, ABGSZ13,…]
• Round Optimal Multiparty Secure computation [GGHR14]
• Deniable Encryption [SW13]
• Removing random oracles [HSW13a, FHPS13, HSW13b]
• Broadcast Encryption and Traitor-Tracing [GGHRSW13, BZ13, ABGSZ13]
• Impossibility results [BCPR13a,BP13,GK13,BCPR13b,KRW13,MO13,…]
• Functional Witness Encryption [BCP13]
• Mmaps optimizations and extensions [CLT13,GGH13b,…]
• Obfuscation optimizations and extensions [BCP13, ABGSZ13, BR13, BGKPS13, PTS13,…]
Pick your favorite primitive in cryptography
Can it be improved?
![Page 13: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/13.jpg)
Outline
• Bilinear Maps: Recall
• And Multilinear maps
• Our Results and Applications
• Definitions of Multi-linear Maps
• Classical Notion
• Our Notion
• Our Construction
• Security
![Page 14: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/14.jpg)
Cryptographic Multi-linear Maps
Definitions: Classical notion and our Approximate variant
![Page 15: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/15.jpg)
Multilinear Maps: Classical Notion
Cryptographic n-multilinear map (for groups)
Groups of order with generators
Family of maps:
, where
.
And at least the “discrete log” problems in each is “hard”.
And hopefully the generalization of Bilinear DH
![Page 16: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/16.jpg)
Getting to our Notion
Our visualization of (traditional) Bilinear Maps
Step by step I will make changes to get our notion of Bilinear Maps
At each step provide Extension to Multi-linear Maps
![Page 17: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/17.jpg)
Bilinear Maps: Our visualization
[Figure: three columns. $Z_p$: $1, 2, \ldots, p$. $G_1$: $g_1^1, g_1^2, \ldots, g_1^p$. $G_2$: $g_2^1, g_2^2, \ldots, g_2^p$.]
![Page 18: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/18.jpg)
Bilinear Maps: Our visualization. Sampling
[Figure: three columns. $Z_p$: $1, 2, \ldots, p$. $G_1$: $g_1^1, g_1^2, \ldots, g_1^p$. $G_2$: $g_2^1, g_2^2, \ldots, g_2^p$.]
It was easy to sample uniformly from .
![Page 19: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/19.jpg)
Bilinear Maps: Our visualization. Equality Checking
[Figure: three columns. $Z_p$: $1, 2, \ldots, p$. $G_1$: $g_1^1, g_1^2, \ldots, g_1^p$. $G_2$: $g_2^1, g_2^2, \ldots, g_2^p$.]
Trivial to check if two terms are the same.
![Page 20: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/20.jpg)
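Bilinear Maps: Our visualization. Addition
[Figure: three columns. $Z_p$: $1, 2, \ldots, p$. $G_1$: $g_1^1, g_1^2, \ldots, g_1^p$. $G_2$: $g_2^1, g_2^2, \ldots, g_2^p$. The element $g_1^3$ is marked.]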
![Page 21: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/21.jpg)
Bilinear Maps: Our visualization. Multiplication
[Figure: three columns. $Z_p$: $1, 2, \ldots, p$. $G_1$: $g_1^1, g_1^2, \ldots, g_1^p$. $G_2$: $g_2^1, g_2^2, \ldots, g_2^p$.]
![Page 22: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/22.jpg)
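Bilinear Maps: Sets (Our Notion)
[Figure: the columns $Z_p$ ($1, 2, \ldots, p$), $G_1$ ($g_1^1, \ldots, g_1^p$) and $G_2$ ($g_2^1, \ldots, g_2^p$), drawn with the sets $S_0$, $S_1$, $S_2$ and their parts $S_i^{1}, S_i^{2}, \ldots, S_i^{p}$ for $i = 0, 1, 2$. Label: Level-0 encodings.]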
![Page 23: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/23.jpg)
Multilinear Maps: Our Notion
Finite ring and sets “level- encodings”
Each set is partitioned into for each : “level- encodings of ”.
![Page 24: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/24.jpg)
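Bilinear Maps: Sampling (Our Notion)
[Figure: the columns $Z_p$ ($1, 2, \ldots, p$), $G_1$ ($g_1^1, \ldots, g_1^p$) and $G_2$ ($g_2^1, \ldots, g_2^p$), drawn with the sets $S_0$, $S_1$, $S_2$ and their parts $S_i^{1}, S_i^{2}, \ldots, S_i^{p}$ for $i = 0, 1, 2$.]
It was easy to sample uniformly from .
It should be efficient to sample such that for a u
It may not be uniform in or .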
![Page 25: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/25.jpg)
Multilinear Maps: Our Notion
Finite ring and sets “level- encodings”
Each set is partitioned into for each : “level- encodings of ”.
Sampling: Output for a u
![Page 26: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/26.jpg)
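Bilinear Maps: Equality Checking (Our Notion)
[Figure: the columns $Z_p$ ($1, 2, \ldots, p$), $G_1$ ($g_1^1, \ldots, g_1^p$) and $G_2$ ($g_2^1, \ldots, g_2^p$), drawn with the sets $S_0$, $S_1$, $S_2$ and their parts $S_i^{1}, S_i^{2}, \ldots, S_i^{p}$ for $i = 0, 1, 2$.]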
It was trivial to check if two terms are the same.
Check if two values come from the same set.
![Page 27: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/27.jpg)
Multilinear Maps: Our Notion
Finite ring and sets “level- encodings”
Each set is partitioned into for each : “level- encodings of ”.
Sampling: Output for a random
Equality testing(): Output iff such that
![Page 28: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/28.jpg)
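Bilinear Maps: Addition (Our Notion)
[Figure: the columns $Z_p$ ($1, 2, \ldots, p$), $G_1$ ($g_1^1, \ldots, g_1^p$) and $G_2$ ($g_2^1, \ldots, g_2^p$), drawn with the sets $S_0$, $S_1$, $S_2$ and their parts $S_i^{1}, S_i^{2}, \ldots, S_i^{p}$ for $i = 0, 1, 2$. The element $g_1^3$ and the set $S_1^{3}$ are marked.]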
![Page 29: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/29.jpg)
Multilinear Maps: Our Notion
Finite ring and sets “level- encodings”
Each set is partitioned into for each : “level- encodings of ”.
Sampling: Output for a random
Equality testing(): Output iff such that
Addition/Subtraction: There are ops and such that:
We have and
![Page 30: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/30.jpg)
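Bilinear Maps: Multiplication (Our Notion)
[Figure: the columns $Z_p$ ($1, 2, \ldots, p$), $G_1$ ($g_1^1, \ldots, g_1^p$) and $G_2$ ($g_2^1, \ldots, g_2^p$), drawn with the sets $S_0$, $S_1$, $S_2$ and their parts $S_i^{1}, S_i^{2}, \ldots, S_i^{p}$ for $i = 0, 1, 2$.]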
![Page 31: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/31.jpg)
Multilinear Maps: Our Notion
Finite ring and sets “level- encodings”
Each set is partitioned into for each : “level- encodings of ”.
Sampling: Output for a random
Equality testing(): Output iff such that
Addition/Subtraction: There are ops and such that:
Multiplication: There is an op such that:
such that We have .
![Page 32: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/32.jpg)
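Bilinear Maps: Noisy (Our Notion)
[Figure: the columns $Z_p$ ($1, 2, \ldots, p$), $G_1$ ($g_1^1, \ldots, g_1^p$) and $G_2$ ($g_2^1, \ldots, g_2^p$), drawn with the sets $S_0$, $S_1$, $S_2$ and their parts $S_i^{1}, S_i^{2}, \ldots, S_i^{p}$ for $i = 0, 1, 2$.]
All operations are required to work as long as “noise” level remains small.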
![Page 33: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/33.jpg)
Multilinear Maps: Our Notion
Discrete Log: Given level- encoding of , hard to compute level-- encoding of .
n-Multilinear DDH: Given level- encodings of and a level-n encoding T distinguish whether T encodes or not.
![Page 34: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/34.jpg)
Outline
• Bilinear Maps: Recall
• And Multilinear maps
• Our Results and Applications
• Definitions of Multi-linear Maps
• Classical Notion
• Our Notion
• Our Construction
• Security
![Page 35: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/35.jpg)
“Noisy” Multilinear Maps
(Kind of like NTRU-Based FHE, but with Equality Testing)
![Page 36: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/36.jpg)
Background We work in polynomial ring
E.g., ( is a power of two)
Such is irreducible over
,
![Page 37: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/37.jpg)
Our Construction We work in polynomial ring
E.g., ( is a power of two) Also use
Public parameters hide a small and a random invertible (large)
Let be the ideal generated by g, also has lattice structure
is required to be Small and invertible in should be a large prime is not too large
The “scalars” that we encode are cosets of (i.e., elements in the quotient ring )
![Page 38: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/38.jpg)
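Our Construction
[Figure: the level sets $S_0$, $S_1$, $S_2$, each drawn with parts $S_i^{1}, S_i^{2}, \ldots, S_i^{p}$. Level 0 is labelled with the cosets $1+I$, $2+I$, ..., $I$; an element $c$ at level 0 is shown as $[c/z]_q$ at level 1 and $[c/z^2]_q$ at level 2; the operations shown are + and ×.]
Small defines a principal ideal over
A random (large)
should have small coefficients
If , are both short then, has the form ,
where is still short and
If , are both short then, has the form ,
where is still short and
Multiplication
Addition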
![Page 39: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/39.jpg)
Our Construction (in general)
In general, “level-k encoding” of a coset has the form for a short
Addition: Add encodings as long as ||
Multi-linear: Multiply encodings to get an encoding of the product at level as long as
“Somewhat homomorphic” encoding
Sampling and equality check?
![Page 40: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/40.jpg)
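Bilinear Maps: Sampling (Our Notion)
[Figure: the columns $Z_p$ ($1, 2, \ldots, p$), $G_1$ ($g_1^1, \ldots, g_1^p$) and $G_2$ ($g_2^1, \ldots, g_2^p$), drawn with the sets $S_0$, $S_1$, $S_2$ and their parts $S_i^{1}, S_i^{2}, \ldots, S_i^{p}$ for $i = 0, 1, 2$.]
It was easy to sample uniformly from .
It should be efficient to sample such that for a u
It may not be uniform in or .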
![Page 41: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/41.jpg)
Sampling
Sampling: Sample small , but larger than then encodes a random coset.
Why should this work?
-- vector with tiny coefficients
![Page 42: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/42.jpg)
Encoding this random coset
Publish an encoding of 1:
Sampling: If (wide enough), then encodes a random coset.
Don’t know how to encode specific elements
Given this short , set is a valid level- encoding of the coset
Translating from level to :
![Page 43: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/43.jpg)
Equality Checking
Do encode the same coset?
Suffices to check - encodes .
Publish a (level-k) zero-testing param
h is “somewhat short” (e.g. of size )
To test, if encodes , compute
= = (output yes if )
![Page 44: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/44.jpg)
Equality Checking – Correctness I
Do encode the same coset?
Suffices to check - encodes .
Publish a (level-k) zero-testing param
h is “somewhat short” (e.g. of size )
To test, if encodes , compute
= = (output yes if )
Correctness: if (or, )
Problem: may not be small
Solution: is small, is same as in
![Page 45: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/45.jpg)
Equality Checking – Correctness II
Do encode the same coset?
Suffices to check - encodes .
Publish a (level-k) zero-testing param
h is “somewhat short” (e.g. of size )
To test, if encodes , compute
= = (output yes if )
Correctness: if
Assume then both and are
Hence in
Implies divides or .
![Page 46: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/46.jpg)
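Re-randomization
[Figure: elements $c_s$, $c_t$, $c_{st}$, $c_r$ in the level-0 sets $S_0^{s}$, $S_0^{t}$, $S_0^{st}$, $S_0^{r}$, and $u_s$, $u_t$, $u_{st}$, $u_r$ in $S_1$ (with $S_1^{st}$ marked); elements $x_0, x_0', x_0'', \ldots$ in the set $S_1^{0}$.]
And But then
We need to re-randomize the encoding, to break these simple algebraic relations
Need to re-randomize this as well.
This re-randomization gets us statistically close to the actual distribution [AGHS12,AR13].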
![Page 47: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/47.jpg)
The Complete Encoding Scheme
Parameters: , , and
Encode a random element:
S
Re-randomize u (at level 1):
Zero Test: Map to level (by multiplying by for appropriate j)
Check if is small
Re-randomization not needed for applications like obfuscation.
![Page 48: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/48.jpg)
Variants
Asymmetric variants (many zi’s), XDH analog , ,
Partially symmetric and partially asymmetric
![Page 49: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/49.jpg)
Security: Cryptanalysis
![Page 50: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/50.jpg)
Attacks
, , and
Goal: To find or
Covering the basics (Not “Trivially” broken)
Adversary that only (iteratively) adds, subtracts, multiplies, or divides pairs of elements that it has already computed cannot break the scheme
Similar in spirit to Generic Group model
Without the - essentially the NTRU problem
![Page 51: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/51.jpg)
Summary
Presented “noisy” cryptographic multilinear map.
Construction is similar to NTRU-based homomorphic encryption, but with an equality-testing parameter.
Security is based on somewhat stronger computational assumptions than NTRU.
But more cryptanalysis needs to be done!
![Page 52: Candidate Multilinear Maps](https://reader035.vdocuments.site/reader035/viewer/2022062520/568162ba550346895dd3454c/html5/thumbnails/52.jpg)
Thank You! Questions?