Upload
kalani
View
41
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Multilinear Maps From Ideal Lattices and Applications. Sanjam Garg (UCLA) Joint work with Craig Gentry (IBM) and Shai Halevi (IBM). Outline. Bilinear Maps: Recall and Applications Motivating Multilinear maps Our Results Definitions of Multi-linear Maps Classical Notion Our Notion - PowerPoint PPT Presentation
Citation preview
Multilinear Maps From Ideal Lattices and
ApplicationsSanjam Garg (UCLA)
Joint work with Craig Gentry (IBM) and Shai Halevi (IBM)
Outline Bilinear Maps: Recall and Applications
Motivating Multilinear maps
Our Results Definitions of Multi-linear Maps
Classical Notion Our Notion
Our Construction Security
Cryptographic Bilinear Maps(Weil and Tate Pairings)Recalling Bilinear Maps and its Applications: Motivating Multilinear Maps
Cryptographic Bilinear Maps Bilinear maps are extremely useful in cryptography
lots of applications
As the name suggests allow pairing two things together
Bilinear Maps – Definitions Cryptographic bilinear map
Groups and of order with generators and a bilinear map such that
Instantiation: Weil or Tate pairings over elliptic curves.
Given hard to get
DDH is easyGiven
Bilinear Maps: ``Hard” Problems 3-party Decisional Diffie-Hellman: Given hard to distinguish Bilinear Diffie-Hellman: Givenhard to distinguish from Random
Non-Interactive Key Agreement [DH76]
Easy Application: Tri-partite key agreement [Joux00]: Alice, Bob, Carol generate and broadcast . They each separately compute the key
What if we have more than 3-parties? [BS03]
𝑎 𝑏
𝑔1𝑎 𝑔1
𝑏
𝐾=𝑔1𝑎𝑏
Application 1
Prover Verifier
Non-Interactive Zero Knowledge [BMF88]
Soundness:Statement is true
Zero-knowledge:Nothing but truth revealed
Common reference string :
Proof:
Witness for
statement being true
Statement :
Application 2
Only know constructions are from Bilinear Maps[GOS06] and Trapdoor permutation[FLS90] .
What if we had Bilinear maps from some other assumption?
PKE with Enhanced Capabilities Identity Based Encryption [Sha84] Boneh and Franklin using bilinear maps [BF01]
More general notion – Attribute Based Encryption [SW05]
Application 3
10
PKMSK
“Tel-Aviv University”“Professor”
“Tel-Aviv University”“Grad-student”
OR
Chancellor AND
TAU Professor
OR
ChancellorAND
TAU Professor
SK’SK
Key AuthorityAttribute-Based Encryption [SW05]
How general can this policy be?
Bottom line: Very few policies such as formulas are known to be realizable.
Application 3
What if we had multilinear maps?
Other Applications Traitor-Tracing (with small ciphertexts)[BSW06] Efficient Signature Schemes [BLS04] Efficient Broadcast Encryption Attribute based signatures Blind Signatures/Anonymous Credentials Structure Preserving Signatures And many more…. There is a conference on Pairing based Cryptography What if we had multilinear map? [BS03]
Outline Bilinear Maps: Recall and Applications
Motivating Multilinear maps
Our Results Definitions of Multi-linear Maps
Classical Notion Our Notion
Our Construction Security
Our Results constructions of multi-
linear maps Use these to get
-party non-interactive Diffie Hellman NIZKs from lattice assumptions Attribute based encryption for general circuits
[GGH12, SW12] Witness Encryption [GGSW12]
Insufficient for [Rot12] counterexample Every bit encryption remains secure even when
encryption of the secret key is given out
Candidate approximateConstructions of multi-linear maps(Public parameters hide secrets)
Encrypter
Witness Encryption
Soundness:Statement is false Semantic Security
𝑐
Witness for statement . Statement :
𝑚 Encrypter Receiver
Application 4
Outline Bilinear Maps: Recall and Applications
Motivating Multilinear maps
Our Results Definitions of Multi-linear Maps
Classical Notion Our Notion
Our Construction Security
Cryptographic Multi-linear MapsDefinitions: Classical notion and our Approximate variant
Multilinear Maps: Classical Notion Cryptographic n-multilinear map (for groups)
Groups of order with generators Family of maps:
, where
.
And at least the ``discrete log” problems in each is ``hard’’. And hopefully the generalization of 3-party DH
Getting to our Notion
Our visualization
of (traditional)
Bilinear Maps
Step by step I will make changes to get our notion of
Bilinear Maps
At each step provide
Extension to Multi-linear
Maps
Bilinear Maps: Our visualization𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
Bilinear Maps: Our visualization Sampling𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
It was easy to sample uniformly from .
Bilinear Maps: Our visualizationEquality Checking
𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
Trivial to check if two terms are the same.
Bilinear Maps: Our visualizationAddition𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑔13
Bilinear Maps: Our visualizationMultiplication𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
Bilinear Maps: Sets(Our Notion)
𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
Level-0 encodings
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of
”.
Bilinear Maps: Sampling(Our Notion)𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
It was easy to sample uniformly from .
I should be efficient to sample such that for a uIt may not be uniform in or .
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of
”. Sampling: Output for a u
Bilinear Maps: Equality Checking(Our Notion)
𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
It was trivial to check if two terms are the same.
Check if two values come from the same set.
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of
”. Sampling: Output for a random Equality testing(): Output iff such that
Bilinear Maps: Addition(Our Notion)
𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
𝑔13 𝑆1
3
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of
”. Sampling: Output for a random Equality testing(): Output iff such that Addition/Subtraction: There are ops and such
that:
We have and
Bilinear Maps: Multiplication(Our Notion)𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
Multilinear Maps: Our Notion
Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of
”. Sampling: Output for a random Equality testing(): Output iff such that Addition/Subtraction: There are ops and such
that: Multiplication: There is an op such that:
such that We have .
Bilinear Maps: Noisy(Our Notion)
𝑍 𝑝
12⋮𝑝
𝐺1
𝑔11
𝑔12
⋮𝑔1𝑝
𝐺2
𝑔21
𝑔22
⋮𝑔2𝑝
𝑆01
𝑆02
𝑆0𝑝
𝑆11
𝑆12
𝑆1𝑝
𝑆21
𝑆22
𝑆2𝑝
𝑆0❑ 𝑆1
❑ 𝑆2❑
All operations are required to work as long as ``noise’’ level remains small.
Multilinear Maps: Our Notion
Discrete Log: Given level- encoding of , hard to compute level-- encoding of .
n-Multilinear DDH: Given level- encodings of and a level-n encoding T distinguish whether T encodes or not.
Outline Bilinear Maps: Recall and Applications
Motivating Multilinear maps
Our Results Definitions of Multi-linear Maps
Classical Notion Our Notion
Our Construction Security
(Kind of like NTRU-Based FHE, but with Equality Testing)
``Noisy” Multilinear Maps
Our Construction We work in polynomial ring
E.g., ( is a power of two) Also use
Public parameters hide a small and a random (large)
defines a principal ideal over The ``scalars” that we encode are cosets of
(i.e., elements in the quotient ring ) e.g., if is a prime, then we can represent these cosets using
the integers
Our Construction
𝑆01
𝑆02
𝑆0𝑝
𝑆0❑
⋮
𝑆11
𝑆12
𝑆1𝑝
𝑆1❑
⋮
𝑆21
𝑆22
𝑆2𝑝
𝑆2❑
⋮
1+𝐼2+𝐼
𝐼
Small defines a principal ideal over
A random (large)
[ 𝑐𝑧 ]𝑞
𝑐
[ 𝑐𝑧 2 ]𝑞
+ and ×
should have small coefficients
If , are both short then, has the form ,
where is still short and
If , are both short then,has the form ,
where is still short and Multiplication
Addition
Our Construction (in general)
In general, ``level-k encoding” of a coset has the form for a short
Addition: Add encodings as long as ||
Multi-linear: Multiply encodings to get an encoding of the product at level as long as
``Somewhat homomorphic” encoding
Sampling and equality check?
Sampling Sampling: If (wider than smoothing parameter of
but still smaller than ), then encodes a random coset.
Why should this work? -- vector with tiny coefficients
Encoding this random coset
Publish an encoding of 1:
Sampling: If (wide enough), then encodes a random coset.
Don’t know how to encode specific elements
Given this short , set is a valid level- encoding of the coset
Translating from level to :
Equality Checking Do encode the same coset?
Suffices to check - encodes . Publish a (level-k) zero-testing param
h is ``somewhat short” (e.g. of size ) To test, if encodes , compute = =
Which is small if (or, )
Re-randomizaton𝑆0
𝑠 𝑆0𝑡 𝑆0
𝑠𝑡 𝑆0𝑟
𝑐𝑠𝑐𝑡𝑐𝑠𝑡𝑐𝑟
And But then
We need to re-randomize the encoding, to break these simple algebraic relations
𝑢𝑠𝑢𝑡𝑢𝑠𝑡𝑢𝑟
𝑆1𝑠𝑡
𝑆1❑
𝑥0𝑥0′ 𝑥0
′ ′⋯⋯⋯
Need to re-randomize
this as well.
This re-randomization gets us statistically close to the actual distribution [AGHS12].
𝑆10
The Complete Encoding Scheme
Parameters: , , and Encode a random element:
S
Re-randomize u (at level 1):
Zero Test: Map to level(by multiplying by for appropriate j) Check if is small
Variants Asymmetric variants (many zi’s), XDH analog , , Partially symmetric and partially asymmetric Statistical Zero-test security
Security: Cryptanalysis
Attacks, , and Goal: To find or Covering the basics (Not ``Trivially’’ broken)
Adversary that only (iteratively) adds, subtracts, multiplies, or divides pairs of elements that it has already computed cannot break the scheme
Similar in spirit to Generic Group model Without the - essentially the NTRU problem
Attacks, , and Goal: To find or Algebraic and Lattice Attacks
Averaging attacks Other attacks for Principal Ideals
Summary Presented ``noisy” cryptographic multilinear map. Construction is similar to NTRU-based
homomorphic encryption, but with an equality-testing parameter.
Security is based on somewhat stronger computational assumptions than NTRU.
But more cryptanalysis needs to be done! And more applications need to be found!
??Thank You! Questions?