# Candidate Multilinear Maps - PowerPoint PPT Presentation

Candidate Multilinear Maps

1 / 52
Presentation Description

## Candidate Multilinear Maps

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
##### Presentation Transcript

1. Candidate Multilinear Maps Sanjam Garg(IBM) Based on joint works with Craig Gentry (IBM) and Shai Halevi (IBM)

2. Outline • Bilinear Maps: Recall • Intuitively: Multilinear Maps • Our Results and Applications • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security

3. Cryptographic Bilinear Maps(Weil and Tate Pairings) Recalling Bilinear Mapsand its Applications: Motivating Multilinear Maps

4. Cryptographic Bilinear Maps • Bilinear maps are extremely useful in cryptography • lots of applications [Joux00, BF01] • As the name suggests allow pairing two things together

5. Bilinear Maps – Definitions • Cryptographic bilinear map • Groups and of order with generators and a bilinear map such that • Instantiation: Weil or Tate pairings over elliptic curves. DDH is easy Given Given hard to get

6. Bilinear Maps: ``Hard” Problem • Bilinear Diffie-Hellman: Given hard to distinguish from Random Multilinear Maps [BS03] generalize this concept.

7. Our Multilinear Maps Candidate approximate Constructions of multi-linear maps • constructionsof multi-linear maps • Many exciting application

8. Application 1 Non-Interactive Key Agreement [DH76] • Extended to three parties by [Joux00] • Mmaps would give solution for more than 3-parties.[BS03] Alice Bob

9. Application 1 Non-Interactive Key Agreement [DH76] • Easy Application: Tri-partite key agreement [Joux00]: • Alice, Bob, Carol generate and broadcast . • They each separately compute the key • More than 3-parties– easy application. [GGH13]

10. Application 2 Software Obfuscation • Obfuscation aims to make computer programs “unintelligible” while preserving their functionality. O(P) P Bob Alice

11. Application 2 Indistinguishability Obfuscation [BGIRSVY01, GR07, GGHRSW13] Obfuscator Security : Can’t tell if = or As long as and Might seem useless: but actually is very useful…

12. Obfuscation + Mmaps Applications • Witness Encryption • Attribute Based Encryption [GGHSW13] • Functional Encryption [GGHRSW13, GJKS13, GGJS13,ABGSZ13,…] • Round Optimal Multiparty Secure computation [GGHR14] • Deniable Encryption [SW13] • Removing random oracles[HSW13a, FHPS13, HSW13b] • Broadcast Encryption and Traitor-Tracing [GGHRSW13, BZ13, ABGSZ13] • Impossibility results [BCPR13a,BP13,GK13,BCPR13b,KRW13,MO13,…] • Functional Witness Encryption [BCP13] • Mmaps optimizations and extensions [CLT13,GGH13b,…] • Obfuscation optimizations and extensions [BCP13, ABGSZ13, BR13, BGKPS13, PTS13,…] • Pick your favorite primitive incryptography • Can it be improved?

13. Outline • Bilinear Maps: Recall • And Multilinear maps • Our Results and Applications • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security

14. Cryptographic Multi-linear Maps Definitions: Classical notion and our Approximate variant

15. Multilinear Maps: Classical Notion • Cryptographic n-multilinear map (for groups) • Groups of order with generators • Family of maps: , where • . • And at least the ``discrete log” problems in each is ``hard’’. • And hopefully the generalization of Bilinear DH

16. Getting to our Notion

17. Bilinear Maps: Our visualization

18. Bilinear Maps: Our visualization Sampling It was easy to sample uniformly from .

19. Bilinear Maps: Our visualizationEquality Checking Trivial to check if two terms are the same.

21. Bilinear Maps: Our visualizationMultiplication

22. Bilinear Maps: Sets(Our Notion) Level-0 encodings

23. Multilinear Maps: Our Notion Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of ”.

24. Bilinear Maps: Sampling(Our Notion) I should be efficient to sample such that for a uIt may not be uniform in or . It was easy to sample uniformly from .

25. Multilinear Maps: Our Notion Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of ”. Sampling: Output for a u

26. Bilinear Maps: Equality Checking(Our Notion) Check if two values come from the same set. It was trivial to check if two terms are the same.

27. Multilinear Maps: Our Notion Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of ”. Sampling: Output for a random Equality testing(): Output iffsuch that

29. Multilinear Maps: Our Notion • Finite ring and sets ``level- encodings” • Each set is partitioned into for each : ``level- encodings of ”. • Sampling: Output for a random • Equality testing(): Output iffsuch that • Addition/Subtraction: There are ops and such that: • We have and

30. Bilinear Maps: Multiplication(Our Notion)

31. Multilinear Maps: Our Notion • Finite ring and sets ``level- encodings” • Each set is partitioned into for each : ``level- encodings of ”. • Sampling: Output for a random • Equality testing(): Output iffsuch that • Addition/Subtraction: There are ops and such that: • Multiplication: There is an op such that: • such that • We have .

32. Bilinear Maps: Noisy(Our Notion) All operations are required to work as long as ``noise’’ level remains small.

33. Multilinear Maps: Our Notion Discrete Log: Given level- encoding of , hard to compute level-- encoding of . n-Multilinear DDH: Given level- encodings of and a level-n encoding T distinguish whether T encodes or not.

34. Outline • Bilinear Maps: Recall • And Multilinear maps • Our Results and Applications • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security

35. ``Noisy” Multilinear Maps (Kind of like NTRU-Based FHE, but with Equality Testing)

36. Background • We work in polynomial ring • E.g., ( is a power of two) • Such is irreducible over • ,

37. Our Construction • The ``scalars” that we encode are cosets of (i.e., elements in the quotient ring ) • We work in polynomial ring • E.g., ( is a power of two) • Also use • Public parameters hide • a small • and a random invertible (large) • Let be the ideal generated by g, • also has lattice structure • is required to be • Small and invertible in • should be a large prime • is not too large

38. Our Construction If , are both short then,has the form , where is still short and If , are both short then,has the form , where is still short and Multiplication Addition should have small coefficients • Smalldefines a principal ideal over • A random (large)

39. Our Construction (in general) Sampling and equality check? • In general, ``level-k encoding” of a cosethas the form for a short • Addition: Add encodings • as long as || • Multi-linear: Multiply encodings • to get an encoding of the product at level • as long as • ``Somewhat homomorphic” encoding

40. Bilinear Maps: Sampling(Our Notion) I should be efficient to sample such that for a uIt may not be uniform in or . It was easy to sample uniformly from .

41. Sampling • Sampling: Sample small , but larger than then encodes a random coset. • Why should this work? • -- vector with tiny coefficients

42. Encoding this random coset • Publish an encoding of 1: • Sampling: If (wide enough), then encodes a random coset. • Don’t know how to encode specific elements • Given this short , set • is a valid level- encoding of the coset • Translating from level to :

43. Equality Checking • Do encode the same coset? • Suffices to check -encodes . • Publish a (level-k) zero-testing param • h is ``somewhat short” (e.g. of size ) • To test, if encodes , compute • = = (output yes if )

44. EqualityChecking – Correctness I • Do encode the same coset? • Suffices to check -encodes . • Publish a (level-k) zero-testing param • h is ``somewhat short” (e.g. of size ) • To test, if encodes , compute • = = (output yes if ) • Correctness: if (or, ) • Problem: may not be small • Solution: is small, is same as in

45. EqualityChecking – Correctness II • Do encode the same coset? • Suffices to check -encodes . • Publish a (level-k) zero-testing param • h is ``somewhat short” (e.g. of size ) • To test, if encodes , compute • = = (output yes if ) • Correctness: if • Assume then both and are • Hence in Implies divides or .

46. Re-randomizaton This re-randomization gets us statistically close to the actual distribution [AGHS12,AR13]. Need to re-randomize this as well. • And • But then • We need to re-randomize the encoding, to break these simple algebraic relations

47. The Complete Encoding Scheme Re-randomization not needed for applications like obfuscation. • Parameters: , , and • Encode a random element: • S • Re-randomize u (at level 1): • Zero Test: • Map to level(by multiplying by for appropriate j) • Check if is small

48. Variants Asymmetric variants (many zi’s), XDH analog , , Partially symmetric and partially asymmetric

49. Security: Cryptanalysis

50. Attacks , , and • Goal: To find or • Covering the basics (Not ``Trivially’’ broken) • Adversary that only (iteratively) adds, subtracts, multiplies, or divides pairs of elements that it has already computedcannot break the scheme • Similar in spirit to Generic Group model • Without the - essentially the NTRU problem