Post on 31-Dec-2015
description
Visions of Cryptography, Weizmann Inst.
1
Introduction to
Cryptographic Multilinear Maps
Sanjam Garg, Craig Gentry, Shai HaleviIBM T.J. Watson Research Center
Dec 2013
Visions of Cryptography, Weizmann Inst.
2
Multilinear Maps (MMAPs)A technical tool
◦Think “trapdoor-permutations” or “smooth-projective-hashing”, or “randomized-encoding”
◦More a technique than a single primitive Several different variants, all share the same core
properties but differ in details
Extension of bilinear maps [J00,SOK00,BF01]◦Bilinear maps are extensions of DL-based crypto◦Took the crypto world by storm in 2000, used in
dozens of applications, hundreds of papers◦Applications from IBE to NIZK and more
Dec 2013
Visions of Cryptography, Weizmann Inst.
3
DL/DDH and Bilinear MapsWhy is DDH such a “gold mine”?
◦You can take values and “hide them” in ◦Some tasks are still easy in this
representation Can compute any linear/affine function of the ’s,
and check if
◦Other tasks are seemingly hard E.g., computing/checking quadratic functions
Bilinear maps are similar: we can compute quadratics, while cubics seem hard
Turns out to be even more useful
Dec 2013
Visions of Cryptography, Weizmann Inst.
4
Why Stop at Two?Can we find groups that would let us
compute cubics but not 4th powers?◦Or in general, upto degree but no more?
Cryptographic multilinear maps (MMAPs)
◦Even more useful than bilinear[Boneh-Silverberg’03] explored some
applications of MMAPs◦Also argued that they are unlikely to be
constructed similarly to bilinear maps
Dec 2013
Visions of Cryptography, Weizmann Inst.
5
The [GGH’13] ApproachAn “approximate” cryptographic
MMAPs◦Degree- functions, zero-test are easy◦Some degree- functions seem hard◦Enabling many new applications
Built using “FHE techniques”◦From a variant of the NTRU HE scheme
Another construction in [CLT’13]◦Using a variant of “HE over integers”
instead◦All degree- functions seem hard
Dec 2013
Visions of Cryptography, Weizmann Inst.
6
This TalkAn overview of [GGH’13]
◦Some details◦Which degree- functions are
easy/hard Source- vs. target-group assumptions
Examples of using it:◦-partite key exchange [J00,BS03]◦Witness encryption [GGSW’13]◦Full domain hash [FHPS’13, HSW’13]◦Obfuscation(just a hint)
Dec 2013
Visions of Cryptography, Weizmann Inst.
7
THE [GGH’13] CONSTRUCTION
Dec 2013
Visions of Cryptography, Weizmann Inst.
8
“Somewhat Homomorphic” Encryption (SWHE) vs. MMAPs
MMAPs• “Encoding” Computing low-
deg polynomials of the ’s is easy
Sharp threshold for easy vs. hard
Can test for zero
SWHE• Encrypting Computing low-
deg polynomials of the ’s is easy
? Fuzzy threshold for easy vs. hard?Cannot test anything• But if you have
skey you can recover itself Dec 2013
Visions of Cryptography, Weizmann Inst.
9
Main Ingredient: Testing for ZeroTo be useful, we must be able to test
if two degree- expressions are equal◦Using homomorphism, that’s the same as
testing if a degree- expression equals zeroOur approach: augment a SWHE
scheme with a “handicapped” secret key◦Can test if a ciphertext decrypts to zero,
but cannot decrypt arbitrary cipehrtexts Assuming that the plaintext-space is large
◦Called a “zero-test parameter”
Dec 2013
Visions of Cryptography, Weizmann Inst.
10
A Few Words About LevelsA “level-” ciphertext encrypts a
degree- expression◦Fresh cipehrtexts, =Enc(), are at
level
Contemporary SWHE schemes are “naturally leveled”◦Often a ciphertext in these schemes
would be tagged with its levelDec 2013
Visions of Cryptography, Weizmann Inst.
11
A Few Words About Levels (2)A zero-test parameter that works for
all levels, would give a “black-box field”◦Could be useful, but it’s not MMAPs◦Also we don’t know how to get one
Our zero-test parameter only works for ciphertexts at one particular level ◦The zero-test level is a parameter, equal
to the multi-linearity degree that we want to implement
Dec 2013
Visions of Cryptography, Weizmann Inst.
12
‘s from some large finite field/ring
Our Goal (“approximate MMAPs”)-Graded Encoding SchemeKeyGen(): Generating public parametersEncode: level- encoding of plaintext ’s
◦Plaintext ’s themselves are considered “level-0”
◦Encoding can be randomizedArithmetic: addition & multiplication
Zero-test: does encode 0? ◦Only works for level- encoding
Dec 2013
Visions of Cryptography, Weizmann Inst.
13
Some VariationsCan extract “random canonical
representation”of from any level- encoding of
Can only encode random ’s, not specific onesKeyGen outputs a matching secret key
◦ Secret key may be needed for encodingEncoding can be re-randomizable
◦ Given any level- encoding of , output a random level- encoding of the same
More complicated level structure than just 0,1,2, …◦ E.g., levels are vectors, with partial ordering◦ Yields an extension of “asymmetric maps”Dec 2013
Visions of Cryptography, Weizmann Inst.
14
Overview of [GGH’13]Start from an NTRU-like SWHE
scheme◦Semantic-security under some
“reasonable assumptions”Add zero-test parameter
◦Some things that were hard now become easy
◦Other things are still seemingly hard But hardness assumptions are stronger,
uglier
◦Separating hard from easy is challenging
Dec 2013
Visions of Cryptography, Weizmann Inst.
15
Starting From NTRU-like SWHE
All ops are in some polynomial rings◦,
Secret key is ◦ is short , is random in ◦Plaintext elements are from
An encryption of is ◦ and
To decrypt set
In NTRU
Dec 2013
Visions of Cryptography, Weizmann Inst.
16
Homomorphic NTRULevel- encryption of is
◦ and To decrypt set Can add, multiply ciphertexts in
Because and
Because and
as long as numerator remains
Dec 2013
Visions of Cryptography, Weizmann Inst.
17
The Public KeyLet
To encrypt a small , choose small , set
If is Gaussian with suitable parameter then and is ~uniform mod ◦So we can encrypt random elements◦But not any pre-set element
Dec 2013
Visions of Cryptography, Weizmann Inst.
18
Zero-Test ParameterNeed to publish information to
help recognize elements of the form ◦But not of the form ◦Also not of the form for
First idea: publish ◦, with ◦But ,
and entails wraparound mod So typically
Dec 2013
Visions of Cryptography, Weizmann Inst.
19
Zero-Test Parameter (2)Main problem is that enables
also zero-testing at levels ◦E.g., ,
To counter this, set ◦With ◦Now squaring already yields
wraparoundZero-testing procedure:
◦Check if
Dec 2013
Visions of Cryptography, Weizmann Inst.
20
Correctness of Zero-TestingIf encodes zero at level then
(mod )◦We know that , since all valid
encodings have small numerators◦Hence also
This assumes is small in the field of fractions
◦Since then and so the zero-test pass
Dec 2013
Visions of Cryptography, Weizmann Inst.
21
Correctness of Zero-Testing (2)The converse is a bit more
complicated:Let be such that the two ideals
are co-primeLemma: Let be s.t. and let . If is small enough, , then
◦i.e., for some
Proof: over (since both ) and since co-prime then .
Dec 2013
Visions of Cryptography, Weizmann Inst.
22
Correctness of Zero-Testing (3)Lemma: Let be s.t. and let . If is small enough, , then
Corollary: if is a valid level- encoding ( and it passes zero-test ( is small), so it is an encoding of zero
Dec 2013
Visions of Cryptography, Weizmann Inst.
23
Security of Zero-TestingThis Zero-Test procedure provides
functionality, not security◦Easy to come up with an “invalid
encoding” that passes the zero test.If we need security, publish many
’sfor many different mid-size ’es◦Check for all of them◦Can prove that whp over the ’es,
only valid zero-encodings pass this test. Dec 2013
Visions of Cryptography, Weizmann Inst.
24
What’s HardSome degree- functions seem hard
to compute, or even testMultilinear-DDH (MDDH)For level- encoding of random
elements, ,and another level- encoding ,hard to distinguish from random
Dec 2013
Visions of Cryptography, Weizmann Inst.
25
What’s Not HardOther degree- functions are easy
Multilinear-DDHFor level- encoding of random
elements, ,and another level-1 encoding ,easy to decide if
Dec 2013
Visions of Cryptography, Weizmann Inst.
26
What’s the Difference?A “target group” problem includes some
elements encoded at the highest level ()◦Such problems are seemingly hard in these
encodings
A “source group” problem includes only elements encoded at levels ◦Include things like decision-linear
assumption◦These problems are easy, assuming that we
indeed provide the public-key elements
Dec 2013
Visions of Cryptography, Weizmann Inst.
27
Why the Difference?These encodings are subject to a
“weak discrete-logarithm” attacks. Given:◦Level- encoding of some , and ◦Level- encoding of 0 (e.g., ), with
Can compute “in the clear” ◦I.e., for some
is not small, so you cannot re-encode it at level and break MDDH or similar◦But if you have and , you can check
whether Dec 2013
Visions of Cryptography, Weizmann Inst.
28
Dealing with “Weak DL” AttacksSome applications only rely on “target
group” assumptions◦Those are not affected by the attack
More applications can get by without providing , so attack does not apply
Or use other MMAPs◦[CTL’13] seemingly not susceptible to weak-
DL◦Can perhaps “immunize” [GGH’13] against it
Using GGH-encoded matrices and their eigenvalues
Dec 2013
Visions of Cryptography, Weizmann Inst.
29
Computation ProblemsThe source/target distinction is about
decision problemsComputation problems have their own
issuesRoughly speaking, anything that
requires division is hard◦But division in the ring is easy: from we
can compute ◦ is unlikely to be a valid encoding, can
perhapsbe discarded using the “secure zero-test”
Dec 2013
Visions of Cryptography, Weizmann Inst.
30
APPLICATIONS OF MMAPS
Dec 2013
Visions of Cryptography, Weizmann Inst.
31
Application I:()-partite key exchangePublic parameters include draws small , , publishes the level-
encoding computes level- encoding of product
All parties have level- encodings of the same thing◦ Indistinguishable from encoding of a
random element, under MDDHHow to get a shared secret key out of
it?Dec 2013
Visions of Cryptography, Weizmann Inst.
32
Extracting Canonical RepresentationAll of encode the same thing
is small Roughly use MSBs of as a shared key
Public params also include◦Seed of strong randomness extractor◦Random element
Shared key computed as
◦Whp over , all ’s are equal◦ Indistinguishable to observer from random
bits
Dec 2013
Visions of Cryptography, Weizmann Inst.
33
Application II: Witness Encryption“Encryption without any key”
◦Relative to an arbitrary riddle◦Defined here relative to exact-cover (XC)
Use NP-hardness to get any NP statement
Message encrypted wrt to XC instance◦Encryptor need not know a solution, or
even if a solution existsAnyone with a solution can decryptSemantic-security if no solution exists
Dec 2013
Visions of Cryptography, Weizmann Inst.
34
Recall Exact CoverInstance: A universe and a
collection of subsets A solution: sub-collection of the
’s that forms a partition of , i.e., ◦Subsets are pairwise disjoint, and◦Their union is the entire .
Dec 2013
Visions of Cryptography, Weizmann Inst.
35
The [GGSW13] ConstructionOn an XC instance and
a message ◦Use -linear maps◦Choose random elements ◦For every subset , publish a level-
encoding of ◦Use a level- encoding of to encrypt,
by publishing the ciphertext
Dec 2013
Visions of Cryptography, Weizmann Inst.
36
The [GGSW] Construction (2)If is a solution, then multiplying the
corresponding ’s we get a level- encoding of U, then we can decrypt
Every non-solvable instance defines a computational problem◦Distinguish a level- encoding of from a
level- encoding of randomWe assume all these problems to be
hard◦Is this a reasonable assumption to make?
Dec 2013
Visions of Cryptography, Weizmann Inst.
37
Application III: Full-Domain HashConsider the following hash
function, level--encodings:◦Public version of Naor-Reingold PRF◦Let be random elements, and
publish their level- encoding ,
What can you do with it?
Dec 2013
Visions of Cryptography, Weizmann Inst.
38
BLS-type Signatures [HWS13]Use , publish also
◦ is the secret key
◦Level- encoding of an -productVerify using zero-test:
Can be aggregated, made identity-based
Dec 2013
Visions of Cryptography, Weizmann Inst.
39
“Programmable” Hash Functions [FHPS13]For any fixed “basis” (encoded at
level ), can generate a random as above with a trapdoor s.t.:◦Using we can find for any a
“representation of in this basis”
at level zero, at level
◦Roughly, for all but a random fraction of the ’es, we have
This is useful for “partition-type” proofs of security
Dec 2013
Visions of Cryptography, Weizmann Inst.
40
Obfuscation [GGHRSW13]Goal: take an arbitrary circuit and
“encrypt it”, so that:◦Can still evaluate the result on any input◦But “not much else”
Formulating “not much else” is hard◦ [BGIRSVY01] show that some natural
formulations cannot be met◦Also defined the weaker notion of
“indistinguishability Obfuscation” (iO):◦ If compute the same function, then
Dec 2013
Visions of Cryptography, Weizmann Inst.
41
iO for Begin with a corollary of
Barrington’s theorem, we can recognize via matrix multiplication:◦ represented by a sequence of
matrices of length ◦Input determines a sub-sequence◦ iff their product is the identity
Dec 2013
Visions of Cryptography, Weizmann Inst.
42
Obfuscating Randomize the matrices for
◦How to randomize is the hard part, need to counter several attacks
Provide level- encoding of matrices
To evaluate on ◦Choose a subset and multiply the
encoding◦Use zero-testing to check for identity
Dec 2013
Visions of Cryptography, Weizmann Inst.
43
SecurityMostly heuristic, but supported
by generic-group argumentsEvery pair of circuits defines a
decision problem◦We assume that they are all hard
These are all source-group assumptions◦Since the matrices are encoded at
level ◦But we are not giving , so the weak-
DL attack does not applyDec 2013
Visions of Cryptography, Weizmann Inst.
44
SummaryCan approximate cryptographic MMAPs
◦Using SWHE with “handicapped secret key”◦Known constructions from NTRU, “integer HE”◦Can we do the same thing from other
schemes?Enabling many new applications
◦But hardness assumptions are strong, “ugly”◦In desperate need of a coherent theory
Practical performance lacking◦Worse than the [Gen09] HE scheme
Dec 2013