multilinear maps from ideal lattices and applications
![Page 1: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/1.jpg)
Multilinear Maps From Ideal Lattices and Applications
Sanjam Garg (UCLA)
Joint work with Craig Gentry (IBM) and Shai Halevi (IBM)
![Page 2: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/2.jpg)
Outline
Bilinear Maps: Recall and Applications
  Motivating Multilinear maps
Our Results
Definitions of Multi-linear Maps
  Classical Notion
  Our Notion
Our Construction
Security
![Page 3: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/3.jpg)
Cryptographic Bilinear Maps (Weil and Tate Pairings)
Recalling Bilinear Maps and its Applications: Motivating Multilinear Maps
![Page 4: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/4.jpg)
Cryptographic Bilinear Maps
Bilinear maps are extremely useful in cryptography: lots of applications
As the name suggests, they allow pairing two things together
![Page 5: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/5.jpg)
Bilinear Maps – Definitions
Cryptographic bilinear map
Groups and of order with generators and a bilinear map such that
Instantiation: Weil or Tate pairings over elliptic curves.
Given hard to get
DDH is easy
Given
![Page 6: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/6.jpg)
Bilinear Maps: “Hard” Problems
3-party Decisional Diffie-Hellman: Given hard to distinguish
Bilinear Diffie-Hellman: Given hard to distinguish from Random
![Page 7: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/7.jpg)
Application 1: Non-Interactive Key Agreement [DH76]
[Figure: two parties hold $a$ and $b$, exchange $g_1^a$ and $g_1^b$, and derive the key $K = g_1^{ab}$.]
Easy Application: Tri-partite key agreement [Joux00]: Alice, Bob, Carol generate and broadcast . They each separately compute the key
What if we have more than 3 parties? [BS03]
![Page 8: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/8.jpg)
Application 2: Non-Interactive Zero Knowledge [BMF88]
[Figure: a prover, holding a witness for the statement being true, sends a proof to a verifier; both see the statement and the common reference string.]
Soundness: Statement is true
Zero-knowledge: Nothing but truth revealed
Only known constructions are from Bilinear Maps [GOS06] and Trapdoor permutation [FLS90].
What if we had Bilinear maps from some other assumption?
![Page 9: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/9.jpg)
Application 3: PKE with Enhanced Capabilities
Identity Based Encryption [Sha84]
Boneh and Franklin using bilinear maps [BF01]
More general notion – Attribute Based Encryption [SW05]
![Page 10: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/10.jpg)
Application 3: Attribute-Based Encryption [SW05]
[Figure: a key authority holding PK and MSK issues the secret keys SK and SK'; the attribute sets shown are (“Tel-Aviv University”, “Professor”) and (“Tel-Aviv University”, “Grad-student”), and the policy shown is Chancellor OR (TAU AND Professor).]
How general can this policy be?
Bottom line: Very few policies such as formulas are known to be realizable.
What if we had multilinear maps?
![Page 11: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/11.jpg)
Other Applications
Traitor-Tracing (with small ciphertexts) [BSW06]
Efficient Signature Schemes [BLS04]
Efficient Broadcast Encryption
Attribute based signatures
Blind Signatures/Anonymous Credentials
Structure Preserving Signatures
And many more…
There is a conference on Pairing based Cryptography
What if we had multilinear map? [BS03]
![Page 12: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/12.jpg)
![Page 13: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/13.jpg)
Our Results
constructions of multi-linear maps
Use these to get
-party non-interactive Diffie Hellman
NIZKs from lattice assumptions
Attribute based encryption for general circuits [GGH12, SW12]
Witness Encryption [GGSW12]
Insufficient for
[Rot12] counterexample
Every bit encryption remains secure even when encryption of the secret key is given out
Candidate approximate constructions of multi-linear maps (Public parameters hide secrets)
![Page 14: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/14.jpg)
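Application 4: Witness Encryption
[Figure: an encrypter encrypts a message $m$ under a statement and sends the ciphertext $c$ to a receiver, who holds a witness for the statement.]
Soundness: Statement is false Semantic Security
Witness for statement . Statement :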
![Page 15: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/15.jpg)
![Page 16: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/16.jpg)
Cryptographic Multi-linear Maps
Definitions: Classical notion and our Approximate variant
![Page 17: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/17.jpg)
Multilinear Maps: Classical Notion
Cryptographic n-multilinear map (for groups)
Groups of order with generators
Family of maps:
, where
.
And at least the “discrete log” problems in each is “hard”.
And hopefully the generalization of 3-party DH
![Page 18: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/18.jpg)
Getting to our Notion
Our visualization of (traditional) Bilinear Maps
Step by step I will make changes to get our notion of Bilinear Maps
At each step provide Extension to Multi-linear Maps
![Page 19: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/19.jpg)
Bilinear Maps: Our visualization
[Figure: three columns, $Z_p = \{1, 2, \dots, p\}$, $G_1 = \{g_1^1, g_1^2, \dots, g_1^p\}$ and $G_2 = \{g_2^1, g_2^2, \dots, g_2^p\}$.]
![Page 20: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/20.jpg)
Bilinear Maps: Our visualization
Sampling
[Figure: the $Z_p$, $G_1$ and $G_2$ columns.]
It was easy to sample uniformly from .
![Page 21: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/21.jpg)
Bilinear Maps: Our visualization
Equality Checking
[Figure: the $Z_p$, $G_1$ and $G_2$ columns.]
Trivial to check if two terms are the same.
![Page 22: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/22.jpg)
Bilinear Maps: Our visualization
Addition
[Figure: the $Z_p$, $G_1$ and $G_2$ columns, with $g_1^3$ highlighted.]
![Page 23: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/23.jpg)
Bilinear Maps: Our visualization
Multiplication
[Figure: the $Z_p$, $G_1$ and $G_2$ columns.]
![Page 24: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/24.jpg)
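Bilinear Maps: Sets (Our Notion)
[Figure: the $Z_p$, $G_1$ and $G_2$ columns alongside the sets $S_0^{1}, S_0^{2}, \dots, S_0^{p}$, $S_1^{1}, S_1^{2}, \dots, S_1^{p}$ and $S_2^{1}, S_2^{2}, \dots, S_2^{p}$, which make up $S_0$, $S_1$ and $S_2$. Label: Level-0 encodings.]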
![Page 25: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/25.jpg)
Multilinear Maps: Our Notion
Finite ring and sets “level- encodings”
Each set is partitioned into for each : “level- encodings of ”.
![Page 26: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/26.jpg)
Bilinear Maps: Sampling (Our Notion)
[Figure: the $Z_p$, $G_1$ and $G_2$ columns alongside the sets $S_0^{1}, \dots, S_0^{p}$, $S_1^{1}, \dots, S_1^{p}$ and $S_2^{1}, \dots, S_2^{p}$, which make up $S_0$, $S_1$ and $S_2$.]
It was easy to sample uniformly from .
It should be efficient to sample such that for a u
It may not be uniform in or .
![Page 27: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/27.jpg)
Multilinear Maps: Our Notion
Finite ring and sets “level- encodings”
Each set is partitioned into for each : “level- encodings of ”.
Sampling: Output for a u
![Page 28: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/28.jpg)
Bilinear Maps: Equality Checking (Our Notion)
[Figure: the $Z_p$, $G_1$ and $G_2$ columns alongside the sets $S_0^{1}, \dots, S_0^{p}$, $S_1^{1}, \dots, S_1^{p}$ and $S_2^{1}, \dots, S_2^{p}$, which make up $S_0$, $S_1$ and $S_2$.]
It was trivial to check if two terms are the same.
Check if two values come from the same set.
![Page 29: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/29.jpg)
Multilinear Maps: Our Notion
Finite ring and sets “level- encodings”
Each set is partitioned into for each : “level- encodings of ”.
Sampling: Output for a random
Equality testing(): Output iff such that
![Page 30: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/30.jpg)
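Bilinear Maps: Addition (Our Notion)
[Figure: the $Z_p$, $G_1$ and $G_2$ columns alongside the sets $S_0^{1}, \dots, S_0^{p}$, $S_1^{1}, \dots, S_1^{p}$ and $S_2^{1}, \dots, S_2^{p}$, which make up $S_0$, $S_1$ and $S_2$; $g_1^3$ and $S_1^{3}$ are highlighted.]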
![Page 31: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/31.jpg)
Multilinear Maps: Our Notion
Finite ring and sets “level- encodings”
Each set is partitioned into for each : “level- encodings of ”.
Sampling: Output for a random
Equality testing(): Output iff such that
Addition/Subtraction: There are ops and such that:
We have and
![Page 32: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/32.jpg)
Bilinear Maps: Multiplication (Our Notion)
[Figure: the $Z_p$, $G_1$ and $G_2$ columns alongside the sets $S_0^{1}, \dots, S_0^{p}$, $S_1^{1}, \dots, S_1^{p}$ and $S_2^{1}, \dots, S_2^{p}$, which make up $S_0$, $S_1$ and $S_2$.]
![Page 33: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/33.jpg)
Multilinear Maps: Our Notion
Finite ring and sets “level- encodings”
Each set is partitioned into for each : “level- encodings of ”.
Sampling: Output for a random
Equality testing(): Output iff such that
Addition/Subtraction: There are ops and such that:
Multiplication: There is an op such that:
such that We have .
![Page 34: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/34.jpg)
Bilinear Maps: Noisy (Our Notion)
[Figure: the $Z_p$, $G_1$ and $G_2$ columns alongside the sets $S_0^{1}, \dots, S_0^{p}$, $S_1^{1}, \dots, S_1^{p}$ and $S_2^{1}, \dots, S_2^{p}$, which make up $S_0$, $S_1$ and $S_2$.]
All operations are required to work as long as ``noise’’ level remains small.
![Page 35: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/35.jpg)
Multilinear Maps: Our Notion
Discrete Log: Given level- encoding of , hard to compute level-- encoding of .
n-Multilinear DDH: Given level- encodings of and a level-n encoding T distinguish whether T encodes or not.
![Page 36: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/36.jpg)
![Page 37: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/37.jpg)
“Noisy” Multilinear Maps
(Kind of like NTRU-Based FHE, but with Equality Testing)
![Page 38: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/38.jpg)
Our Construction
We work in polynomial ring
E.g., ( is a power of two)
Also use
Public parameters hide a small and a random (large)
defines a principal ideal over
The “scalars” that we encode are cosets of (i.e., elements in the quotient ring )
e.g., if is a prime, then we can represent these cosets using the integers
![Page 39: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/39.jpg)
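Our Construction
[Figure: the level-0 sets $S_0^{1}, S_0^{2}, \dots, S_0^{p}$ are the cosets $1 + I$, $2 + I$, …, $I$; an element $c$ of a level-0 set is shown with $[c/z]_q$ in the level-1 sets $S_1^{1}, \dots, S_1^{p}$ and $[c/z^2]_q$ in the level-2 sets $S_2^{1}, \dots, S_2^{p}$.]
Small defines a principal ideal over
A random (large)
+ and ×
should have small coefficients
If , are both short then, has the form , where is still short and
If , are both short then, has the form , where is still short and
Multiplication
Addition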
![Page 40: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/40.jpg)
Our Construction (in general)
In general, ``level-k encoding” of a coset has the form for a short
Addition: Add encodings as long as ||
Multi-linear: Multiply encodings to get an encoding of the product at level as long as
``Somewhat homomorphic” encoding
Sampling and equality check?
![Page 41: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/41.jpg)
Sampling
Sampling: If (wider than smoothing parameter of but still smaller than ), then encodes a random coset.
Why should this work? -- vector with tiny coefficients
![Page 42: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/42.jpg)
Encoding this random coset
Publish an encoding of 1:
Sampling: If (wide enough), then encodes a random coset.
Don’t know how to encode specific elements
Given this short , set is a valid level- encoding of the coset
Translating from level to :
![Page 43: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/43.jpg)
Equality Checking
Do encode the same coset?
Suffices to check - encodes .
Publish a (level-k) zero-testing param
h is “somewhat short” (e.g. of size )
To test, if encodes , compute = =
Which is small if (or, )
![Page 44: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/44.jpg)
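Re-randomization
[Figure: level-0 sets $S_0^{s}$, $S_0^{t}$, $S_0^{st}$, $S_0^{r}$ containing $c_s$, $c_t$, $c_{st}$, $c_r$; level-1 encodings $u_s$, $u_t$, $u_{st}$, $u_r$; the set $S_1^{st}$ within $S_1$; and elements $x_0, x_0', x_0'', \dots$ of $S_1^{0}$.]
And But then
We need to re-randomize the encoding, to break these simple algebraic relations
Need to re-randomize this as well.
This re-randomization gets us statistically close to the actual distribution [AGHS12].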
![Page 45: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/45.jpg)
The Complete Encoding Scheme
Parameters: , , and
Encode a random element:
S
Re-randomize u (at level 1):
Zero Test: Map to level (by multiplying by for appropriate j)
Check if is small
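The steps on this slide, as an added toy example that is not from the talk or from the authors' code: it swaps the polynomial ring for the plain integers (so it has no security at all) and runs a 4-party key agreement through encode, re-randomize and zero-test. The parameter sizes and all function names are assumptions chosen so the noise bounds hold, and taking the key from the high-order bits of the zero-test value follows the published construction rather than anything shown on these slides.

```python
import secrets

Q = 2**1279 - 1   # modulus q (a Mersenne prime, so every z below is invertible)
G = 65537         # small secret g; scalars are cosets of gZ (toy ring R = Z)
KAPPA = 3         # top level: KAPPA + 1 = 4 parties can agree on a key

def setup():
    """Return the public parameters; z and h never leave this function."""
    z = secrets.randbelow(Q - 2) + 2
    z_inv = pow(z, -1, Q)
    h = secrets.randbits(640) | 1                 # "somewhat short": about sqrt(q)
    while h % G == 0:                             # h must not be a multiple of g
        h = secrets.randbits(640) | 1
    y = (1 + G * (secrets.randbits(16) | 1)) * z_inv % Q       # level-1 encoding of 1
    xs = [G * (secrets.randbits(16) | 1) * z_inv % Q for _ in range(2)]  # encodings of 0
    p_zt = h * pow(z, KAPPA, Q) * pow(G, -1, Q) % Q            # [h * z^KAPPA / g]_q
    return {"y": y, "xs": xs, "p_zt": p_zt}

def sample(pp):
    """Short level-0 secret d and its re-randomised level-1 encoding."""
    d = secrets.randbits(32)                      # wider than g, so d mod g is spread out
    u = d * pp["y"] + sum(secrets.randbits(32) * x for x in pp["xs"])
    return d, u % Q

def derive(my_d, others_u):
    """Multiply one's own level-0 secret into the other parties' encodings."""
    v = my_d
    for u in others_u:
        v = v * u % Q
    return v                                      # level-KAPPA encoding of the product

def is_zero(pp, u):
    """While noise stays small, [p_zt * u]_q < about q^(3/4) iff u encodes zero."""
    w = pp["p_zt"] * u % Q
    return min(w, Q - w) < (1 << 959)

def extract(pp, u, bits=64):
    """High-order bits of [p_zt * u]_q; the encoding noise only reaches low bits."""
    return (pp["p_zt"] * u % Q) >> (Q.bit_length() - bits)

def key_agreement():
    pp = setup()
    parties = [sample(pp) for _ in range(KAPPA + 1)]
    encs = [derive(d, [u for j, (_, u) in enumerate(parties) if j != i])
            for i, (d, _) in enumerate(parties)]
    return pp, encs, [extract(pp, v) for v in encs]

if __name__ == "__main__":
    pp, encs, keys = key_agreement()
    print("all parties derive the same key:", len(set(keys)) == 1)
    print("their encodings differ by an encoding of zero:",
          is_zero(pp, (encs[0] - encs[1]) % Q))
    print("an encoding of 1 is not zero:", not is_zero(pp, pow(pp["y"], KAPPA, Q)))
```

Because the toy's scalars live in Z/gZ with g = 65537, the extracted key can take only about 2^16 distinct values; the point is the level and noise bookkeeping, not key strength.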
![Page 46: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/46.jpg)
Variants
Asymmetric variants (many zi’s), XDH analog , ,
Partially symmetric and partially asymmetric
Statistical Zero-test security
![Page 47: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/47.jpg)
Security: Cryptanalysis
![Page 48: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/48.jpg)
Attacks
, , and
Goal: To find or
Covering the basics (Not “Trivially” broken)
Adversary that only (iteratively) adds, subtracts, multiplies, or divides pairs of elements that it has already computed cannot break the scheme
Similar in spirit to Generic Group model
Without the - essentially the NTRU problem
![Page 49: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/49.jpg)
Attacks
, , and
Goal: To find or
Algebraic and Lattice Attacks
Averaging attacks
Other attacks for Principal Ideals
![Page 50: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/50.jpg)
Summary
Presented “noisy” cryptographic multilinear map.
Construction is similar to NTRU-based homomorphic encryption, but with an equality-testing parameter.
Security is based on somewhat stronger computational assumptions than NTRU.
But more cryptanalysis needs to be done!
And more applications need to be found!
![Page 51: Multilinear Maps From Ideal Lattices and Applications](https://reader036.vdocuments.site/reader036/viewer/2022062812/5681637f550346895dd4602f/html5/thumbnails/51.jpg)
Thank You! Questions?