Introduction to Cryptographic Multilinear Maps

Visions of Cryptography, Weizmann Inst.

1

Introduction to

Cryptographic Multilinear Maps

Sanjam Garg, Craig Gentry, Shai HaleviIBM T.J. Watson Research Center

Dec 2013


2

Multilinear Maps (MMAPs)A technical tool

◦Think “trapdoor-permutations” or “smooth-projective-hashing”, or “randomized-encoding”

◦More a technique than a single primitive Several different variants, all share the same core

properties but differ in details

Extension of bilinear maps [J00,SOK00,BF01]◦Bilinear maps are extensions of DL-based crypto◦Took the crypto world by storm in 2000, used in

dozens of applications, hundreds of papers◦Applications from IBE to NIZK and more

Dec 2013


3

DL/DDH and Bilinear MapsWhy is DDH such a “gold mine”?

◦You can take values and “hide them” in ◦Some tasks are still easy in this

representation Can compute any linear/affine function of the ’s,

and check if

◦Other tasks are seemingly hard E.g., computing/checking quadratic functions

Bilinear maps are similar: we can compute quadratics, while cubics seem hard

Turns out to be even more useful

Dec 2013


4

Why Stop at Two?Can we find groups that would let us

compute cubics but not 4th powers?◦Or in general, upto degree but no more?

Cryptographic multilinear maps (MMAPs)

◦Even more useful than bilinear[Boneh-Silverberg’03] explored some

applications of MMAPs◦Also argued that they are unlikely to be

constructed similarly to bilinear maps

Dec 2013


5

The [GGH’13] ApproachAn “approximate” cryptographic

MMAPs◦Degree- functions, zero-test are easy◦Some degree- functions seem hard◦Enabling many new applications

Built using “FHE techniques”◦From a variant of the NTRU HE scheme

Another construction in [CLT’13]◦Using a variant of “HE over integers”

instead◦All degree- functions seem hard

Dec 2013


6

This TalkAn overview of [GGH’13]

◦Some details◦Which degree- functions are

easy/hard Source- vs. target-group assumptions

Examples of using it:◦-partite key exchange [J00,BS03]◦Witness encryption [GGSW’13]◦Full domain hash [FHPS’13, HSW’13]◦Obfuscation(just a hint)

Dec 2013


7

THE [GGH’13] CONSTRUCTION

Dec 2013


8

“Somewhat Homomorphic” Encryption (SWHE) vs. MMAPs

MMAPs• “Encoding” Computing low-

deg polynomials of the ’s is easy

Sharp threshold for easy vs. hard

Can test for zero

SWHE• Encrypting Computing low-

deg polynomials of the ’s is easy

? Fuzzy threshold for easy vs. hard?Cannot test anything• But if you have

skey you can recover itself Dec 2013


9

Main Ingredient: Testing for ZeroTo be useful, we must be able to test

if two degree- expressions are equal◦Using homomorphism, that’s the same as

testing if a degree- expression equals zeroOur approach: augment a SWHE

scheme with a “handicapped” secret key◦Can test if a ciphertext decrypts to zero,

but cannot decrypt arbitrary cipehrtexts Assuming that the plaintext-space is large

◦Called a “zero-test parameter”

Dec 2013


10

A Few Words About LevelsA “level-” ciphertext encrypts a

degree- expression◦Fresh cipehrtexts, =Enc(), are at

level

Contemporary SWHE schemes are “naturally leveled”◦Often a ciphertext in these schemes

would be tagged with its levelDec 2013


11

A Few Words About Levels (2)A zero-test parameter that works for

all levels, would give a “black-box field”◦Could be useful, but it’s not MMAPs◦Also we don’t know how to get one

Our zero-test parameter only works for ciphertexts at one particular level ◦The zero-test level is a parameter, equal

to the multi-linearity degree that we want to implement

Dec 2013


12

‘s from some large finite field/ring

Our Goal (“approximate MMAPs”)-Graded Encoding SchemeKeyGen(): Generating public parametersEncode: level- encoding of plaintext ’s

◦Plaintext ’s themselves are considered “level-0”

◦Encoding can be randomizedArithmetic: addition & multiplication

Zero-test: does encode 0? ◦Only works for level- encoding

Dec 2013


13

Some VariationsCan extract “random canonical

representation”of from any level- encoding of

Can only encode random ’s, not specific onesKeyGen outputs a matching secret key

◦ Secret key may be needed for encodingEncoding can be re-randomizable

◦ Given any level- encoding of , output a random level- encoding of the same

More complicated level structure than just 0,1,2, …◦ E.g., levels are vectors, with partial ordering◦ Yields an extension of “asymmetric maps”Dec 2013


14

Overview of [GGH’13]Start from an NTRU-like SWHE

scheme◦Semantic-security under some

“reasonable assumptions”Add zero-test parameter

◦Some things that were hard now become easy

◦Other things are still seemingly hard But hardness assumptions are stronger,

uglier

◦Separating hard from easy is challenging

Dec 2013


15

Starting From NTRU-like SWHE

All ops are in some polynomial rings◦,

Secret key is ◦ is short , is random in ◦Plaintext elements are from

An encryption of is ◦ and

To decrypt set

In NTRU

Dec 2013


16

Homomorphic NTRULevel- encryption of is

◦ and To decrypt set Can add, multiply ciphertexts in

Because and

Because and

as long as numerator remains

Dec 2013


17

The Public KeyLet

To encrypt a small , choose small , set

If is Gaussian with suitable parameter then and is ~uniform mod ◦So we can encrypt random elements◦But not any pre-set element

Dec 2013


18

Zero-Test ParameterNeed to publish information to

help recognize elements of the form ◦But not of the form ◦Also not of the form for

First idea: publish ◦, with ◦But ,

and entails wraparound mod So typically

Dec 2013


19

Zero-Test Parameter (2)Main problem is that enables

also zero-testing at levels ◦E.g., ,

To counter this, set ◦With ◦Now squaring already yields

wraparoundZero-testing procedure:

◦Check if

Dec 2013


20

Correctness of Zero-TestingIf encodes zero at level then

(mod )◦We know that , since all valid

encodings have small numerators◦Hence also

This assumes is small in the field of fractions

◦Since then and so the zero-test pass

Dec 2013


21

Correctness of Zero-Testing (2)The converse is a bit more

complicated:Let be such that the two ideals

are co-primeLemma: Let be s.t. and let . If is small enough, , then

◦i.e., for some

Proof: over (since both ) and since co-prime then .

Dec 2013


22

Correctness of Zero-Testing (3)Lemma: Let be s.t. and let . If is small enough, , then

Corollary: if is a valid level- encoding ( and it passes zero-test ( is small), so it is an encoding of zero

Dec 2013


23

Security of Zero-TestingThis Zero-Test procedure provides

functionality, not security◦Easy to come up with an “invalid

encoding” that passes the zero test.If we need security, publish many

’sfor many different mid-size ’es◦Check for all of them◦Can prove that whp over the ’es,

only valid zero-encodings pass this test. Dec 2013


24

What’s HardSome degree- functions seem hard

to compute, or even testMultilinear-DDH (MDDH)For level- encoding of random

elements, ,and another level- encoding ,hard to distinguish from random

Dec 2013


25

What’s Not HardOther degree- functions are easy

Multilinear-DDHFor level- encoding of random

elements, ,and another level-1 encoding ,easy to decide if

Dec 2013


26

What’s the Difference?A “target group” problem includes some

elements encoded at the highest level ()◦Such problems are seemingly hard in these

encodings

A “source group” problem includes only elements encoded at levels ◦Include things like decision-linear

assumption◦These problems are easy, assuming that we

indeed provide the public-key elements

Dec 2013


27

Why the Difference?These encodings are subject to a

“weak discrete-logarithm” attacks. Given:◦Level- encoding of some , and ◦Level- encoding of 0 (e.g., ), with

Can compute “in the clear” ◦I.e., for some

is not small, so you cannot re-encode it at level and break MDDH or similar◦But if you have and , you can check

whether Dec 2013


28

Dealing with “Weak DL” AttacksSome applications only rely on “target

group” assumptions◦Those are not affected by the attack

More applications can get by without providing , so attack does not apply

Or use other MMAPs◦[CTL’13] seemingly not susceptible to weak-

DL◦Can perhaps “immunize” [GGH’13] against it

Using GGH-encoded matrices and their eigenvalues

Dec 2013


29

Computation ProblemsThe source/target distinction is about

decision problemsComputation problems have their own

issuesRoughly speaking, anything that

requires division is hard◦But division in the ring is easy: from we

can compute ◦ is unlikely to be a valid encoding, can

perhapsbe discarded using the “secure zero-test”

Dec 2013


30

APPLICATIONS OF MMAPS

Dec 2013


31

Application I:()-partite key exchangePublic parameters include draws small , , publishes the level-

encoding computes level- encoding of product

All parties have level- encodings of the same thing◦ Indistinguishable from encoding of a

random element, under MDDHHow to get a shared secret key out of

it?Dec 2013


32

Extracting Canonical RepresentationAll of encode the same thing

is small Roughly use MSBs of as a shared key

Public params also include◦Seed of strong randomness extractor◦Random element

Shared key computed as

◦Whp over , all ’s are equal◦ Indistinguishable to observer from random

bits

Dec 2013


33

Application II: Witness Encryption“Encryption without any key”

◦Relative to an arbitrary riddle◦Defined here relative to exact-cover (XC)

Use NP-hardness to get any NP statement

Message encrypted wrt to XC instance◦Encryptor need not know a solution, or

even if a solution existsAnyone with a solution can decryptSemantic-security if no solution exists

Dec 2013


34

Recall Exact CoverInstance: A universe and a

collection of subsets A solution: sub-collection of the

’s that forms a partition of , i.e., ◦Subsets are pairwise disjoint, and◦Their union is the entire .

Dec 2013


35

The [GGSW13] ConstructionOn an XC instance and

a message ◦Use -linear maps◦Choose random elements ◦For every subset , publish a level-

encoding of ◦Use a level- encoding of to encrypt,

by publishing the ciphertext

Dec 2013


36

The [GGSW] Construction (2)If is a solution, then multiplying the

corresponding ’s we get a level- encoding of U, then we can decrypt

Every non-solvable instance defines a computational problem◦Distinguish a level- encoding of from a

level- encoding of randomWe assume all these problems to be

hard◦Is this a reasonable assumption to make?

Dec 2013


37

Application III: Full-Domain HashConsider the following hash

function, level--encodings:◦Public version of Naor-Reingold PRF◦Let be random elements, and

publish their level- encoding ,

What can you do with it?

Dec 2013


38

BLS-type Signatures [HWS13]Use , publish also

◦ is the secret key

◦Level- encoding of an -productVerify using zero-test:

Can be aggregated, made identity-based

Dec 2013


39

“Programmable” Hash Functions [FHPS13]For any fixed “basis” (encoded at

level ), can generate a random as above with a trapdoor s.t.:◦Using we can find for any a

“representation of in this basis”

at level zero, at level

◦Roughly, for all but a random fraction of the ’es, we have

This is useful for “partition-type” proofs of security

Dec 2013


40

Obfuscation [GGHRSW13]Goal: take an arbitrary circuit and

“encrypt it”, so that:◦Can still evaluate the result on any input◦But “not much else”

Formulating “not much else” is hard◦ [BGIRSVY01] show that some natural

formulations cannot be met◦Also defined the weaker notion of

“indistinguishability Obfuscation” (iO):◦ If compute the same function, then

Dec 2013


41

iO for Begin with a corollary of

Barrington’s theorem, we can recognize via matrix multiplication:◦ represented by a sequence of

matrices of length ◦Input determines a sub-sequence◦ iff their product is the identity

Dec 2013


42

Obfuscating Randomize the matrices for

◦How to randomize is the hard part, need to counter several attacks

Provide level- encoding of matrices

To evaluate on ◦Choose a subset and multiply the

encoding◦Use zero-testing to check for identity

Dec 2013


43

SecurityMostly heuristic, but supported

by generic-group argumentsEvery pair of circuits defines a

decision problem◦We assume that they are all hard

These are all source-group assumptions◦Since the matrices are encoded at

level ◦But we are not giving , so the weak-

DL attack does not applyDec 2013


44

SummaryCan approximate cryptographic MMAPs

◦Using SWHE with “handicapped secret key”◦Known constructions from NTRU, “integer HE”◦Can we do the same thing from other

schemes?Enabling many new applications

◦But hardness assumptions are strong, “ugly”◦In desperate need of a coherent theory

Practical performance lacking◦Worse than the [Gen09] HE scheme

Dec 2013

Introduction to Cryptographic Multilinear Maps

Documents

Transcript of Introduction to Cryptographic Multilinear Maps