530 likes | 847 Vues
Candidate Multilinear Maps. Sanjam Garg (IBM) Based on joint works with Craig Gentry (IBM) and Shai Halevi (IBM). Outline. Bilinear Maps: Recall Intuitively: Multilinear Maps Our Results and Applications Definitions of Multi-linear Maps Classical Notion Our Notion Our Construction
E N D
Candidate Multilinear Maps Sanjam Garg(IBM) Based on joint works with Craig Gentry (IBM) and Shai Halevi (IBM)
Outline • Bilinear Maps: Recall • Intuitively: Multilinear Maps • Our Results and Applications • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security
Cryptographic Bilinear Maps(Weil and Tate Pairings) Recalling Bilinear Mapsand its Applications: Motivating Multilinear Maps
Cryptographic Bilinear Maps • Bilinear maps are extremely useful in cryptography • lots of applications [Joux00, BF01] • As the name suggests allow pairing two things together
Bilinear Maps – Definitions • Cryptographic bilinear map • Groups and of order with generators and a bilinear map such that • Instantiation: Weil or Tate pairings over elliptic curves. DDH is easy Given Given hard to get
Bilinear Maps: ``Hard” Problem • Bilinear Diffie-Hellman: Given hard to distinguish from Random Multilinear Maps [BS03] generalize this concept.
Our Multilinear Maps Candidate approximate Constructions of multi-linear maps • constructionsof multi-linear maps • Many exciting application
Application 1 Non-Interactive Key Agreement [DH76] • Extended to three parties by [Joux00] • Mmaps would give solution for more than 3-parties.[BS03] Alice Bob
Application 1 Non-Interactive Key Agreement [DH76] • Easy Application: Tri-partite key agreement [Joux00]: • Alice, Bob, Carol generate and broadcast . • They each separately compute the key • More than 3-parties– easy application. [GGH13]
Application 2 Software Obfuscation • Obfuscation aims to make computer programs “unintelligible” while preserving their functionality. O(P) P Bob Alice
Application 2 Indistinguishability Obfuscation [BGIRSVY01, GR07, GGHRSW13] Obfuscator Security : Can’t tell if = or As long as and Might seem useless: but actually is very useful…
Obfuscation + Mmaps Applications • Witness Encryption • Attribute Based Encryption [GGHSW13] • Functional Encryption [GGHRSW13, GJKS13, GGJS13,ABGSZ13,…] • Round Optimal Multiparty Secure computation [GGHR14] • Deniable Encryption [SW13] • Removing random oracles[HSW13a, FHPS13, HSW13b] • Broadcast Encryption and Traitor-Tracing [GGHRSW13, BZ13, ABGSZ13] • Impossibility results [BCPR13a,BP13,GK13,BCPR13b,KRW13,MO13,…] • Functional Witness Encryption [BCP13] • Mmaps optimizations and extensions [CLT13,GGH13b,…] • Obfuscation optimizations and extensions [BCP13, ABGSZ13, BR13, BGKPS13, PTS13,…] • Pick your favorite primitive incryptography • Can it be improved?
Outline • Bilinear Maps: Recall • And Multilinear maps • Our Results and Applications • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security
Cryptographic Multi-linear Maps Definitions: Classical notion and our Approximate variant
Multilinear Maps: Classical Notion • Cryptographic n-multilinear map (for groups) • Groups of order with generators • Family of maps: , where • . • And at least the ``discrete log” problems in each is ``hard’’. • And hopefully the generalization of Bilinear DH
Bilinear Maps: Our visualization Sampling It was easy to sample uniformly from .
Bilinear Maps: Our visualizationEquality Checking Trivial to check if two terms are the same.
Bilinear Maps: Sets(Our Notion) Level-0 encodings
Multilinear Maps: Our Notion Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of ”.
Bilinear Maps: Sampling(Our Notion) I should be efficient to sample such that for a uIt may not be uniform in or . It was easy to sample uniformly from .
Multilinear Maps: Our Notion Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of ”. Sampling: Output for a u
Bilinear Maps: Equality Checking(Our Notion) Check if two values come from the same set. It was trivial to check if two terms are the same.
Multilinear Maps: Our Notion Finite ring and sets ``level- encodings” Each set is partitioned into for each : ``level- encodings of ”. Sampling: Output for a random Equality testing(): Output iffsuch that
Multilinear Maps: Our Notion • Finite ring and sets ``level- encodings” • Each set is partitioned into for each : ``level- encodings of ”. • Sampling: Output for a random • Equality testing(): Output iffsuch that • Addition/Subtraction: There are ops and such that: • We have and
Multilinear Maps: Our Notion • Finite ring and sets ``level- encodings” • Each set is partitioned into for each : ``level- encodings of ”. • Sampling: Output for a random • Equality testing(): Output iffsuch that • Addition/Subtraction: There are ops and such that: • Multiplication: There is an op such that: • such that • We have .
Bilinear Maps: Noisy(Our Notion) All operations are required to work as long as ``noise’’ level remains small.
Multilinear Maps: Our Notion Discrete Log: Given level- encoding of , hard to compute level-- encoding of . n-Multilinear DDH: Given level- encodings of and a level-n encoding T distinguish whether T encodes or not.
Outline • Bilinear Maps: Recall • And Multilinear maps • Our Results and Applications • Definitions of Multi-linear Maps • Classical Notion • Our Notion • Our Construction • Security
``Noisy” Multilinear Maps (Kind of like NTRU-Based FHE, but with Equality Testing)
Background • We work in polynomial ring • E.g., ( is a power of two) • Such is irreducible over • ,
Our Construction • The ``scalars” that we encode are cosets of (i.e., elements in the quotient ring ) • We work in polynomial ring • E.g., ( is a power of two) • Also use • Public parameters hide • a small • and a random invertible (large) • Let be the ideal generated by g, • also has lattice structure • is required to be • Small and invertible in • should be a large prime • is not too large
Our Construction If , are both short then,has the form , where is still short and If , are both short then,has the form , where is still short and Multiplication Addition should have small coefficients • Smalldefines a principal ideal over • A random (large)
Our Construction (in general) Sampling and equality check? • In general, ``level-k encoding” of a cosethas the form for a short • Addition: Add encodings • as long as || • Multi-linear: Multiply encodings • to get an encoding of the product at level • as long as • ``Somewhat homomorphic” encoding
Bilinear Maps: Sampling(Our Notion) I should be efficient to sample such that for a uIt may not be uniform in or . It was easy to sample uniformly from .
Sampling • Sampling: Sample small , but larger than then encodes a random coset. • Why should this work? • -- vector with tiny coefficients
Encoding this random coset • Publish an encoding of 1: • Sampling: If (wide enough), then encodes a random coset. • Don’t know how to encode specific elements • Given this short , set • is a valid level- encoding of the coset • Translating from level to :
Equality Checking • Do encode the same coset? • Suffices to check -encodes . • Publish a (level-k) zero-testing param • h is ``somewhat short” (e.g. of size ) • To test, if encodes , compute • = = (output yes if )
EqualityChecking – Correctness I • Do encode the same coset? • Suffices to check -encodes . • Publish a (level-k) zero-testing param • h is ``somewhat short” (e.g. of size ) • To test, if encodes , compute • = = (output yes if ) • Correctness: if (or, ) • Problem: may not be small • Solution: is small, is same as in
EqualityChecking – Correctness II • Do encode the same coset? • Suffices to check -encodes . • Publish a (level-k) zero-testing param • h is ``somewhat short” (e.g. of size ) • To test, if encodes , compute • = = (output yes if ) • Correctness: if • Assume then both and are • Hence in Implies divides or .
Re-randomizaton This re-randomization gets us statistically close to the actual distribution [AGHS12,AR13]. Need to re-randomize this as well. • And • But then • We need to re-randomize the encoding, to break these simple algebraic relations
The Complete Encoding Scheme Re-randomization not needed for applications like obfuscation. • Parameters: , , and • Encode a random element: • S • Re-randomize u (at level 1): • Zero Test: • Map to level(by multiplying by for appropriate j) • Check if is small
Variants Asymmetric variants (many zi’s), XDH analog , , Partially symmetric and partially asymmetric
Attacks , , and • Goal: To find or • Covering the basics (Not ``Trivially’’ broken) • Adversary that only (iteratively) adds, subtracts, multiplies, or divides pairs of elements that it has already computedcannot break the scheme • Similar in spirit to Generic Group model • Without the - essentially the NTRU problem