1 / 51

Multilinear Maps From Ideal Lattices and Applications

Multilinear Maps From Ideal Lattices and Applications. Sanjam Garg (UCLA) Joint work with Craig Gentry (IBM) and Shai Halevi (IBM). Outline. Bilinear Maps: Recall and Applications Motivating Multilinear maps Our Results Definitions of Multi-linear Maps Classical Notion Our Notion

kalani
Download Presentation

Multilinear Maps From Ideal Lattices and Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Multilinear Maps From Ideal Latticesand Applications SanjamGarg(UCLA) Joint work with Craig Gentry (IBM) and ShaiHalevi (IBM)

  2. Outline • Bilinear Maps: Recall and Applications • Motivating Multilinear maps • Our Results • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security

  3. Cryptographic Bilinear Maps(Weil and Tate Pairings) Recalling Bilinear Mapsand its Applications: Motivating Multilinear Maps

  4. Cryptographic Bilinear Maps • Bilinear maps are extremely useful in cryptography • lots of applications • As the name suggests allow pairing two things together

  5. Bilinear Maps – Definitions • Cryptographic bilinear map • Groups and of order with generators and a bilinear map such that • Instantiation: Weil or Tate pairings over elliptic curves. DDH is easy Given Given hard to get

  6. Bilinear Maps: ``Hard” Problems • 3-party Decisional Diffie-Hellman: Given hard to distinguish • Bilinear Diffie-Hellman: Given hard to distinguish from Random

  7. Application 1 Non-Interactive Key Agreement [DH76] • Easy Application: Tri-partite key agreement [Joux00]: • Alice, Bob, Carol generate and broadcast . • They each separately compute the key • What if we have more than 3-parties? [BS03]

  8. Application 2 Non-Interactive Zero Knowledge [BMF88] Witness for statement being true Common reference string : Statement : Proof: What if we had Bilinear maps from some other assumption? Prover Verifier Soundness: Statement is true Zero-knowledge: Nothing but truth revealed Only know constructions are from Bilinear Maps[GOS06] and Trapdoor permutation[FLS90] .

  9. Application 3 PKE with Enhanced Capabilities • Identity Based Encryption [Sha84] • Bonehand Franklin using bilinear maps [BF01] • More general notion – • Attribute Based Encryption [SW05]

  10. OR OR SK SK’ AND AND Chancellor Chancellor TAU Professor TAU Professor Application 3 Attribute-Based Encryption [SW05] What if we had multilinear maps?   MSK   PK   Key Authority   How general can this policy be? “Tel-Aviv University” “Professor” “Tel-Aviv University” “Grad-student” Bottom line: Very few policies such as formulas are known to be realizable.

  11. Other Applications • Traitor-Tracing (with small ciphertexts)[BSW06] • Efficient Signature Schemes [BLS04] • Efficient Broadcast Encryption • Attribute based signatures • Blind Signatures/Anonymous Credentials • Structure Preserving Signatures • And many more…. • There is a conference on Pairing based Cryptography • What if we had multilinear map? [BS03]

  12. Outline • Bilinear Maps: Recall and Applications • Motivating Multilinear maps • Our Results • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security

  13. Our Results Candidate approximate Constructions of multi-linear maps • constructionsof multi-linear maps • Usethese to get • -party non-interactive Diffie Hellman • NIZKs from lattice assumptions • Attribute based encryption for general circuits[GGH12, SW12] • Witness Encryption [GGSW12] • Insufficient for [Rot12] counterexample • Every bit encryption remains secure even when encryption of the secret key is given out (Public parameters hide secrets)

  14. Application 4 Witness Encryption Witness for statement . Statement : Encrypter Encrypter Receiver Soundness: Statement is false Semantic Security

  15. Outline • Bilinear Maps: Recall and Applications • Motivating Multilinear maps • Our Results • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security

  16. Cryptographic Multi-linear Maps Definitions: Classical notion and our Approximate variant

  17. Multilinear Maps: Classical Notion • Cryptographic n-multilinear map (for groups) • Groups of order with generators • Family of maps: , where • . • And at least the ``discrete log” problems in each is ``hard’’. • And hopefully the generalization of 3-party DH

  18. Getting to our Notion

  19. Bilinear Maps: Our visualization

  20. Bilinear Maps: Our visualization Sampling It was easy to sample uniformly from .

  21. Bilinear Maps: Our visualizationEquality Checking Trivial to check if two terms are the same.

  22. Bilinear Maps: Our visualizationAddition

  23. Bilinear Maps: Our visualizationMultiplication

  24. Bilinear Maps: Sets(Our Notion) Level-0 encodings

  25. Multilinear Maps: Our Notion Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of ”.

  26. Bilinear Maps: Sampling(Our Notion) I should be efficient to sample such that for a uIt may not be uniform in or . It was easy to sample uniformly from .

  27. Multilinear Maps: Our Notion Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of ”. Sampling: Output for a u

  28. Bilinear Maps: Equality Checking(Our Notion) Check if two values come from the same set. It was trivial to check if two terms are the same.

  29. Multilinear Maps: Our Notion Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of ”. Sampling: Output for a random Equality testing(): Output iffsuch that

  30. Bilinear Maps: Addition(Our Notion)

  31. Multilinear Maps: Our Notion • Finite ring and sets ``level- encodings” • Each set is partitioned into for each : ``level- encodings of ”. • Sampling: Output for a random • Equality testing(): Output iffsuch that • Addition/Subtraction: There are ops and such that: • We have and

  32. Bilinear Maps: Multiplication(Our Notion)

  33. Multilinear Maps: Our Notion • Finite ring and sets ``level- encodings” • Each set is partitioned into for each : ``level- encodings of ”. • Sampling: Output for a random • Equality testing(): Output iffsuch that • Addition/Subtraction: There are ops and such that: • Multiplication: There is an op such that: • such that • We have .

  34. Bilinear Maps: Noisy(Our Notion) All operations are required to work as long as ``noise’’ level remains small.

  35. Multilinear Maps: Our Notion Discrete Log: Given level- encoding of , hard to compute level-- encoding of . n-Multilinear DDH: Given level- encodings of and a level-n encoding T distinguish whether T encodes or not.

  36. Outline • Bilinear Maps: Recall and Applications • Motivating Multilinear maps • Our Results • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security

  37. ``Noisy” Multilinear Maps (Kind of like NTRU-Based FHE, but with Equality Testing)

  38. Our Construction • We work in polynomial ring • E.g., ( is a power of two) • Also use • Public parameters hide a smalland a random (large) • defines a principal ideal over • The ``scalars” that we encode are cosets of (i.e., elements in the quotient ring ) • e.g., if is a prime, then we can represent these cosets using the integers

  39. Our Construction If , are both short then,has the form , where is still short and If , are both short then,has the form , where is still short and Multiplication Addition should have small coefficients • Smalldefines a principal ideal over • A random (large)

  40. Our Construction (in general) Sampling and equality check? • In general, ``level-k encoding” of a cosethas the form for a short • Addition: Add encodings • as long as || • Multi-linear: Multiply encodings • to get an encoding of the product at level • as long as • ``Somewhat homomorphic” encoding

  41. Sampling • Sampling: If (wider than smoothing parameter of but still smaller than ), then encodes a random coset. • Why should this work? • -- vector with tiny coefficients

  42. Encoding this random coset • Publish an encoding of 1: • Sampling: If (wide enough), then encodes a random coset. • Don’t know how to encode specific elements • Given this short , set • is a valid level- encoding of the coset • Translating from level to :

  43. Equality Checking • Do encode the same coset? • Suffices to check -encodes . • Publish a (level-k) zero-testing param • h is ``somewhat short” (e.g. of size ) • To test, if encodes , compute • = = • Which is small if (or, )

  44. Re-randomizaton This re-randomization gets us statistically close to the actual distribution [AGHS12]. Need to re-randomize this as well. • And • But then • We need to re-randomize the encoding, to break these simple algebraic relations

  45. The Complete Encoding Scheme • Parameters: , , and • Encode a random element: • S • Re-randomize u (at level 1): • Zero Test: • Map to level(by multiplying by for appropriate j) • Check if is small

  46. Variants Asymmetric variants (many zi’s), XDH analog , , Partially symmetric and partially asymmetric Statistical Zero-test security

  47. Security: Cryptanalysis

  48. Attacks , , and • Goal: To find or • Covering the basics (Not ``Trivially’’ broken) • Adversary that only (iteratively) adds, subtracts, multiplies, or divides pairs of elements that it has already computedcannot break the scheme • Similar in spirit to Generic Group model • Without the - essentially the NTRU problem

  49. Attacks But more cryptanalysis needs to be done! , , and • Goal: To find or • Algebraic and Lattice Attacks • Averaging attacks • Other attacks for Principal Ideals

  50. Summary Presented ``noisy” cryptographic multilinear map. Construction is similar to NTRU-based homomorphic encryption, but with an equality-testing parameter. Security is based on somewhat stronger computational assumptions than NTRU. But more cryptanalysis needs to be done! And more applications need to be found!

More Related