Candidate Multilinear Maps. Sanjam Garg (IBM) Based on joint works with Craig Gentry (IBM) and Shai Halevi (IBM). Outline. Bilinear Maps: Recall Intuitively: Multilinear Maps Our Results and Applications Definitions of Multi-linear Maps Classical Notion Our Notion Our Construction
Candidate Multilinear Maps Sanjam Garg (IBM) Based on joint works with Craig Gentry (IBM) and Shai Halevi (IBM)
Outline • Bilinear Maps: Recall • Intuitively: Multilinear Maps • Our Results and Applications • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security
Cryptographic Bilinear Maps (Weil and Tate Pairings) Recalling Bilinear Maps and their Applications: Motivating Multilinear Maps
Cryptographic Bilinear Maps • Bilinear maps are extremely useful in cryptography • Lots of applications [Joux00, BF01] • As the name suggests, they allow pairing two things together
Bilinear Maps – Definitions • Cryptographic bilinear map • Groups and of order with generators and a bilinear map such that • Instantiation: Weil or Tate pairings over elliptic curves. DDH is easy Given Given hard to get
Bilinear Maps: “Hard” Problem • Bilinear Diffie-Hellman: Given hard to distinguish from Random • Multilinear Maps [BS03] generalize this concept.
Our Multilinear Maps • Candidate approximate constructions of multi-linear maps • Many exciting applications
Application 1 Non-Interactive Key Agreement [DH76] • Extended to three parties by [Joux00] • Mmaps would give a solution for more than 3 parties [BS03]. [Figure: Alice, Bob]
Application 1 Non-Interactive Key Agreement [DH76] • Easy Application: Tri-partite key agreement [Joux00]: • Alice, Bob, Carol generate and broadcast . • They each separately compute the key • More than 3 parties: easy application [GGH13]
Application 2 Software Obfuscation • Obfuscation aims to make computer programs “unintelligible” while preserving their functionality. [Figure: Alice, Bob, program P, obfuscated program O(P)]
Application 2 Indistinguishability Obfuscation [BGIRSVY01, GR07, GGHRSW13] Obfuscator Security: Can’t tell if = or As long as and Might seem useless: but actually is very useful…
Obfuscation + Mmaps Applications • Witness Encryption • Attribute Based Encryption [GGHSW13] • Functional Encryption [GGHRSW13, GJKS13, GGJS13, ABGSZ13, …] • Round Optimal Multiparty Secure computation [GGHR14] • Deniable Encryption [SW13] • Removing random oracles [HSW13a, FHPS13, HSW13b] • Broadcast Encryption and Traitor-Tracing [GGHRSW13, BZ13, ABGSZ13] • Impossibility results [BCPR13a, BP13, GK13, BCPR13b, KRW13, MO13, …] • Functional Witness Encryption [BCP13] • Mmaps optimizations and extensions [CLT13, GGH13b, …] • Obfuscation optimizations and extensions [BCP13, ABGSZ13, BR13, BGKPS13, PTS13, …] • Pick your favorite primitive in cryptography • Can it be improved?
Outline • Bilinear Maps: Recall • And Multilinear maps • Our Results and Applications • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security
Cryptographic Multi-linear Maps Definitions: Classical notion and our Approximate variant
Multilinear Maps: Classical Notion • Cryptographic n-multilinear map (for groups) • Groups of order with generators • Family of maps: , where • . • And at least the “discrete log” problems in each is “hard”. • And hopefully the generalization of Bilinear DH
Bilinear Maps: Our visualization Sampling It was easy to sample uniformly from .
Bilinear Maps: Our visualization Equality Checking Trivial to check if two terms are the same.
Bilinear Maps: Sets(Our Notion) Level-0 encodings
Multilinear Maps: Our Notion Finite ring and sets “level- encodings” Each set is partitioned into for each : “level- encodings of ”.
Bilinear Maps: Sampling (Our Notion) It should be efficient to sample such that for a u It may not be uniform in or . It was easy to sample uniformly from .
Multilinear Maps: Our Notion Finite ring and sets “level- encodings” Each set is partitioned into for each : “level- encodings of ”. Sampling: Output for a u
Bilinear Maps: Equality Checking (Our Notion) Check if two values come from the same set. It was trivial to check if two terms are the same.
Multilinear Maps: Our Notion Finite ring and sets “level- encodings” Each set is partitioned into for each : “level- encodings of ”. Sampling: Output for a random Equality testing(): Output iff such that
Multilinear Maps: Our Notion • Finite ring and sets “level- encodings” • Each set is partitioned into for each : “level- encodings of ”. • Sampling: Output for a random • Equality testing(): Output iff such that • Addition/Subtraction: There are ops and such that: • We have and
Multilinear Maps: Our Notion • Finite ring and sets “level- encodings” • Each set is partitioned into for each : “level- encodings of ”. • Sampling: Output for a random • Equality testing(): Output iff such that • Addition/Subtraction: There are ops and such that: • Multiplication: There is an op such that: • such that • We have .
Bilinear Maps: Noisy (Our Notion) All operations are required to work as long as “noise” level remains small.
Multilinear Maps: Our Notion • Discrete Log: Given level- encoding of , hard to compute level-- encoding of . • n-Multilinear DDH: Given level- encodings of and a level-n encoding T, distinguish whether T encodes or not.
Outline • Bilinear Maps: Recall • And Multilinear maps • Our Results and Applications • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security
“Noisy” Multilinear Maps (Kind of like NTRU-Based FHE, but with Equality Testing)
Background • We work in polynomial ring • E.g., ( is a power of two) • Such is irreducible over • ,
Our Construction • The “scalars” that we encode are cosets of (i.e., elements in the quotient ring ) • We work in polynomial ring • E.g., ( is a power of two) • Also use • Public parameters hide • a small • and a random invertible (large) • Let be the ideal generated by g, • also has lattice structure • is required to be • Small and invertible in • should be a large prime • is not too large
Our Construction If , are both short then has the form , where is still short and If , are both short then has the form , where is still short and Multiplication Addition should have small coefficients • Small defines a principal ideal over • A random (large)
Our Construction (in general) Sampling and equality check? • In general, “level-k encoding” of a coset has the form for a short • Addition: Add encodings • as long as || • Multi-linear: Multiply encodings • to get an encoding of the product at level • as long as • “Somewhat homomorphic” encoding
Bilinear Maps: Sampling (Our Notion) It should be efficient to sample such that for a u It may not be uniform in or . It was easy to sample uniformly from .
Sampling • Sampling: Sample small , but larger than then encodes a random coset. • Why should this work? • -- vector with tiny coefficients
Encoding this random coset • Publish an encoding of 1: • Sampling: If (wide enough), then encodes a random coset. • Don’t know how to encode specific elements • Given this short , set • is a valid level- encoding of the coset • Translating from level to :
Equality Checking • Do encode the same coset? • Suffices to check -encodes . • Publish a (level-k) zero-testing param • h is “somewhat short” (e.g. of size ) • To test, if encodes , compute • = = (output yes if )
Equality Checking – Correctness I • Do encode the same coset? • Suffices to check -encodes . • Publish a (level-k) zero-testing param • h is “somewhat short” (e.g. of size ) • To test, if encodes , compute • = = (output yes if ) • Correctness: if (or, ) • Problem: may not be small • Solution: is small, is same as in
Equality Checking – Correctness II • Do encode the same coset? • Suffices to check -encodes . • Publish a (level-k) zero-testing param • h is “somewhat short” (e.g. of size ) • To test, if encodes , compute • = = (output yes if ) • Correctness: if • Assume then both and are • Hence in Implies divides or .
Re-randomization This re-randomization gets us statistically close to the actual distribution [AGHS12,AR13]. Need to re-randomize this as well. • And • But then • We need to re-randomize the encoding, to break these simple algebraic relations
The Complete Encoding Scheme Re-randomization not needed for applications like obfuscation. • Parameters: , , and • Encode a random element: • S • Re-randomize u (at level 1): • Zero Test: • Map to level (by multiplying by for appropriate j) • Check if is small
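A toy instance of the scheme summarized above, added here as an illustration and not taken from the talk or the authors' code: it replaces the polynomial ring by plain integers (dimension 1), so it is insecure and only shows the noise and zero-test arithmetic, using the multi-party key agreement product as input. The values of q and g, the noise ranges and all function names are assumptions; the shapes of the encodings of 1 and 0 and of the zero-test parameter follow the published GGH13 description.

```python
import secrets

Q = 2**521 - 1   # toy modulus q (a Mersenne prime); constructed value
G = 1009         # toy short prime g; the encoded scalars are cosets in Z/gZ
KAPPA = 3        # multilinearity level; key agreement then has KAPPA + 1 parties

def setup():
    """Return public (y, x, p_zt); z, h and the noise terms stay hidden."""
    z = secrets.randbelow(Q - 1) + 1
    z_inv = pow(z, -1, Q)
    y = (1 + G * (1 + secrets.randbelow(16))) * z_inv % Q  # level-1 encoding of 1
    x = G * (1 + secrets.randbelow(16)) * z_inv % Q        # level-1 encoding of 0
    h = 0
    while h % G == 0:              # h is about sqrt(q) and not a multiple of g
        h = secrets.randbits(260) | (1 << 259)
    p_zt = h * pow(z, KAPPA, Q) * pow(G, -1, Q) % Q        # [h * z^kappa / g]_q
    return y, x, p_zt

def encode(a, y, x):
    """Level-1 encoding of coset a + gZ, re-randomized with encodings of 0."""
    return (a * y + secrets.randbelow(1 << 12) * x) % Q

def is_zero(u, p_zt):
    """Zero test at level KAPPA: is the centered value of p_zt*u mod q small?"""
    w = p_zt * u % Q
    if w > Q // 2:
        w -= Q
    return abs(w) < (1 << 390)     # roughly q^(3/4)

def party_value(i, a_i, published):
    """Party i multiplies its level-0 secret by the others' level-1 encodings."""
    v = a_i
    for j, u in enumerate(published):
        if j != i:
            v = v * u % Q
    return v

def run(secret_values):
    """Return (all parties agree, a wrong secret is accepted)."""
    assert len(secret_values) == KAPPA + 1
    y, x, p_zt = setup()
    published = [encode(a, y, x) for a in secret_values]
    vals = [party_value(i, a, published) for i, a in enumerate(secret_values)]
    agree = all(is_zero(vals[0] - v, p_zt) for v in vals[1:])
    wrong = party_value(0, secret_values[0] + 1, published)
    return agree, is_zero(wrong - vals[1], p_zt)

if __name__ == "__main__":
    print(run([1201, 1307, 1409, 1511]))   # constructed small secrets
```

Because of the re-randomization term, the parties' level-κ values generally differ as integers mod q even though they encode the same coset, which is why agreement is checked through the zero test on their difference rather than by direct comparison.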
Variants Asymmetric variants (many zi’s), XDH analog , , Partially symmetric and partially asymmetric
Attacks , , and • Goal: To find or • Covering the basics (Not “Trivially” broken) • Adversary that only (iteratively) adds, subtracts, multiplies, or divides pairs of elements that it has already computed cannot break the scheme • Similar in spirit to Generic Group model • Without the - essentially the NTRU problem