Presentation Description

234 Views

Download Presentation
## Candidate Multilinear Maps

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**Candidate Multilinear Maps**Sanjam Garg(IBM) Based on joint works with Craig Gentry (IBM) and Shai Halevi (IBM)**Outline**• Bilinear Maps: Recall • Intuitively: Multilinear Maps • Our Results and Applications • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security**Cryptographic Bilinear Maps(Weil and Tate Pairings)**Recalling Bilinear Mapsand its Applications: Motivating Multilinear Maps**Cryptographic Bilinear Maps**• Bilinear maps are extremely useful in cryptography • lots of applications [Joux00, BF01] • As the name suggests allow pairing two things together**Bilinear Maps – Definitions**• Cryptographic bilinear map • Groups and of order with generators and a bilinear map such that • Instantiation: Weil or Tate pairings over elliptic curves. DDH is easy Given Given hard to get**Bilinear Maps: ``Hard” Problem**• Bilinear Diffie-Hellman: Given hard to distinguish from Random Multilinear Maps [BS03] generalize this concept.**Our Multilinear Maps**Candidate approximate Constructions of multi-linear maps • constructionsof multi-linear maps • Many exciting application**Application 1**Non-Interactive Key Agreement [DH76] • Extended to three parties by [Joux00] • Mmaps would give solution for more than 3-parties.[BS03] Alice Bob**Application 1**Non-Interactive Key Agreement [DH76] • Easy Application: Tri-partite key agreement [Joux00]: • Alice, Bob, Carol generate and broadcast . • They each separately compute the key • More than 3-parties– easy application. [GGH13]**Application 2**Software Obfuscation • Obfuscation aims to make computer programs “unintelligible” while preserving their functionality. O(P) P Bob Alice**Application 2**Indistinguishability Obfuscation [BGIRSVY01, GR07, GGHRSW13] Obfuscator Security : Can’t tell if = or As long as and Might seem useless: but actually is very useful…**Obfuscation + Mmaps Applications**• Witness Encryption • Attribute Based Encryption [GGHSW13] • Functional Encryption [GGHRSW13, GJKS13, GGJS13,ABGSZ13,…] • Round Optimal Multiparty Secure computation [GGHR14] • Deniable Encryption [SW13] • Removing random oracles[HSW13a, FHPS13, HSW13b] • Broadcast Encryption and Traitor-Tracing [GGHRSW13, BZ13, ABGSZ13] • Impossibility results [BCPR13a,BP13,GK13,BCPR13b,KRW13,MO13,…] • Functional Witness Encryption [BCP13] • Mmaps optimizations and extensions [CLT13,GGH13b,…] • Obfuscation optimizations and extensions [BCP13, ABGSZ13, BR13, BGKPS13, PTS13,…] • Pick your favorite primitive incryptography • Can it be improved?**Outline**• Bilinear Maps: Recall • And Multilinear maps • Our Results and Applications • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security**Cryptographic Multi-linear Maps**Definitions: Classical notion and our Approximate variant**Multilinear Maps: Classical Notion**• Cryptographic n-multilinear map (for groups) • Groups of order with generators • Family of maps: , where • . • And at least the ``discrete log” problems in each is ``hard’’. • And hopefully the generalization of Bilinear DH**Bilinear Maps: Our visualization Sampling**It was easy to sample uniformly from .**Bilinear Maps: Our visualizationEquality Checking**Trivial to check if two terms are the same.**Bilinear Maps: Sets(Our Notion)**Level-0 encodings**Multilinear Maps: Our Notion**Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of ”.**Bilinear Maps: Sampling(Our Notion)**I should be efficient to sample such that for a uIt may not be uniform in or . It was easy to sample uniformly from .**Multilinear Maps: Our Notion**Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of ”. Sampling: Output for a u**Bilinear Maps: Equality Checking(Our Notion)**Check if two values come from the same set. It was trivial to check if two terms are the same.**Multilinear Maps: Our Notion**Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of ”. Sampling: Output for a random Equality testing(): Output iffsuch that**Multilinear Maps: Our Notion**• Finite ring and sets ``level- encodings” • Each set is partitioned into for each : ``level- encodings of ”. • Sampling: Output for a random • Equality testing(): Output iffsuch that • Addition/Subtraction: There are ops and such that: • We have and**Multilinear Maps: Our Notion**• Finite ring and sets ``level- encodings” • Each set is partitioned into for each : ``level- encodings of ”. • Sampling: Output for a random • Equality testing(): Output iffsuch that • Addition/Subtraction: There are ops and such that: • Multiplication: There is an op such that: • such that • We have .**Bilinear Maps: Noisy(Our Notion)**All operations are required to work as long as ``noise’’ level remains small.**Multilinear Maps: Our Notion**Discrete Log: Given level- encoding of , hard to compute level-- encoding of . n-Multilinear DDH: Given level- encodings of and a level-n encoding T distinguish whether T encodes or not.**Outline**• Bilinear Maps: Recall • And Multilinear maps • Our Results and Applications • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security**``Noisy” Multilinear Maps**(Kind of like NTRU-Based FHE, but with Equality Testing)**Background**• We work in polynomial ring • E.g., ( is a power of two) • Such is irreducible over • ,**Our Construction**• The ``scalars” that we encode are cosets of (i.e., elements in the quotient ring ) • We work in polynomial ring • E.g., ( is a power of two) • Also use • Public parameters hide • a small • and a random invertible (large) • Let be the ideal generated by g, • also has lattice structure • is required to be • Small and invertible in • should be a large prime • is not too large**Our Construction**If , are both short then,has the form , where is still short and If , are both short then,has the form , where is still short and Multiplication Addition should have small coefficients • Smalldefines a principal ideal over • A random (large)**Our Construction (in general)**Sampling and equality check? • In general, ``level-k encoding” of a cosethas the form for a short • Addition: Add encodings • as long as || • Multi-linear: Multiply encodings • to get an encoding of the product at level • as long as • ``Somewhat homomorphic” encoding**Bilinear Maps: Sampling(Our Notion)**I should be efficient to sample such that for a uIt may not be uniform in or . It was easy to sample uniformly from .**Sampling**• Sampling: Sample small , but larger than then encodes a random coset. • Why should this work? • -- vector with tiny coefficients**Encoding this random coset**• Publish an encoding of 1: • Sampling: If (wide enough), then encodes a random coset. • Don’t know how to encode specific elements • Given this short , set • is a valid level- encoding of the coset • Translating from level to :**Equality Checking**• Do encode the same coset? • Suffices to check -encodes . • Publish a (level-k) zero-testing param • h is ``somewhat short” (e.g. of size ) • To test, if encodes , compute • = = (output yes if )**EqualityChecking – Correctness I**• Do encode the same coset? • Suffices to check -encodes . • Publish a (level-k) zero-testing param • h is ``somewhat short” (e.g. of size ) • To test, if encodes , compute • = = (output yes if ) • Correctness: if (or, ) • Problem: may not be small • Solution: is small, is same as in**EqualityChecking – Correctness II**• Do encode the same coset? • Suffices to check -encodes . • Publish a (level-k) zero-testing param • h is ``somewhat short” (e.g. of size ) • To test, if encodes , compute • = = (output yes if ) • Correctness: if • Assume then both and are • Hence in Implies divides or .**Re-randomizaton**This re-randomization gets us statistically close to the actual distribution [AGHS12,AR13]. Need to re-randomize this as well. • And • But then • We need to re-randomize the encoding, to break these simple algebraic relations**The Complete Encoding Scheme**Re-randomization not needed for applications like obfuscation. • Parameters: , , and • Encode a random element: • S • Re-randomize u (at level 1): • Zero Test: • Map to level(by multiplying by for appropriate j) • Check if is small**Variants**Asymmetric variants (many zi’s), XDH analog , , Partially symmetric and partially asymmetric**Attacks**, , and • Goal: To find or • Covering the basics (Not ``Trivially’’ broken) • Adversary that only (iteratively) adds, subtracts, multiplies, or divides pairs of elements that it has already computedcannot break the scheme • Similar in spirit to Generic Group model • Without the - essentially the NTRU problem