Multilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015

Size: px

Start display at page:

Download "Multilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015"

Gervase Mills
5 years ago
Views:

1 Multilinear Maps over the Integers From Design to Security Tancrède Lepoint CryptoExperts The Mathematics of Modern Cryptography Workshop, July 10th 2015

2 2 / 30 Timeline: The Hype Cycle of Multilinear Maps

3 Timeline visibility time 2 / 30

4 Timeline visibility time 2 / 30 1 technology trigger

5 Timeline visibility time second candidate construction [CLT13] 2 / 30 first candidate construction [GGH13]

6 Timeline visibility time 2 peak of inflated expectations second candidate construction [CLT13] 2 / 30 first candidate construction [GGH13]

7 Timeline visibility time io second candidate construction [CLT13] 2 / 30 first candidate construction [GGH13]

8 Timeline visibility time 3 trough of disillusionment second candidate construction [CLT13] 2 / 30 first candidate construction [GGH13]

9 Timeline visibility time break of (G)DDH in GGH [HJ15] break of previous fixes and extensions [CGHLMMRST15] tentatives fixes for CLT [BWZ14,GGHZ14] break of CLT [CHLRS15] weak DL [GGH13] second candidate construction [CLT13] 2 / 30 first candidate construction [GGH13]

10 Today visibility time 3 / 30

11 Today visibility time slope of enlightenment 4 3 / 30

12 Today visibility time Graph induced [GGH15] New multilinear maps over integers [CLT15] 3 / 30

13 The CLT Scheme Multilinear maps over the integers [CoronL.Tibouchi 13 15] 4 / 30

14 The CLT Scheme Multilinear maps over the integers [CoronL.Tibouchi 13 15] Second candidate construction 4 / 30

15 The CLT Scheme Multilinear maps over the integers [CoronL.Tibouchi 13 15] Second candidate construction Composite-order maps (different from [GGH13,GGH15]) 4 / 30

16 The CLT Scheme Multilinear maps over the integers [CoronL.Tibouchi 13 15] Second candidate construction Composite-order maps (different from [GGH13,GGH15]) Follow [GGH13] recipe Level by multiplicative mask Zero-testing by multiplication and shortness 4 / 30

17 The CLT Scheme Multilinear maps over the integers [CoronL.Tibouchi 13 15] Second candidate construction Composite-order maps (different from [GGH13,GGH15]) Follow [GGH13] recipe Level by multiplicative mask Zero-testing by multiplication and shortness Similar to FHE schemes based on Approximate-GCD 4 / 30

[GGH13,GGH15]) Follow [GGH13] recipe Level by multiplicative mask Zero-testing by

18 The CLT Scheme Multilinear maps over the integers [CoronL.Tibouchi 13 15] Second candidate construction Composite-order maps (different from [GGH13,GGH15]) Follow [GGH13] recipe Level by multiplicative mask Zero-testing by multiplication and shortness Similar to FHE schemes based on Approximate-GCD Useful for many applications... 4 / 30

19 SWHE vs. MMAPs Computation over encrypted data We want to compute homomorphically over encrypted data... but we do not want the same information from the result than with HE 5 / 30

20 SWHE vs. MMAPs Computation over encrypted data We want to compute homomorphically over encrypted data encode a into [a] encrypt a into [a] = Enc(a)... but we do not want the same information from the result than with HE 5 / 30

21 SWHE vs. MMAPs Computation over encrypted data We want to compute homomorphically over encrypted data encode a into [a] encrypt a into [a] = Enc(a) in both cases, computing low-degree polys of [a i ] s is possible, up to a degree k... but we do not want the same information from the result than with HE 5 / 30

22 SWHE vs. MMAPs Computation over encrypted data We want to compute homomorphically over encrypted data encode a into [a] encrypt a into [a] = Enc(a) in both cases, computing low-degree polys of [a i ] s is possible, up to a degree k... but we do not want the same information from the result than with HE MMAPS can test if it is zero, at level k (and hard to compute at degree > k) 5 / 30

23 SWHE vs. MMAPs Computation over encrypted data We want to compute homomorphically over encrypted data encode a into [a] encrypt a into [a] = Enc(a) in both cases, computing low-degree polys of [a i ] s is possible, up to a degree k... but we do not want the same information from the result than with HE MMAPS can test if it is zero, at level k (and hard to compute at degree > k) 5 / 30 SHWE no information on a from the result, except with secret key

24 6 / 30 Starting from Homomorphic Encryption SWHE over the integers [DGHV10,CMNT11,CNT12,CCKLLMTY13,CLT14]

25 Starting from Homomorphic Encryption SWHE over the integers [DGHV10,CMNT11,CNT12,CCKLLMTY13,CLT14] Secret key prime p 6 / 30

26 Starting from Homomorphic Encryption SWHE over the integers [DGHV10,CMNT11,CNT12,CCKLLMTY13,CLT14] Secret key prime p Public key x 0 = q 0 p for very large (hard to factor) q 0 6 / 30

27 Starting from Homomorphic Encryption SWHE over the integers [DGHV10,CMNT11,CNT12,CCKLLMTY13,CLT14] Secret key prime p Public key x 0 = q 0 p for very large (hard to factor) q 0 Ciphertext of m c = q p + g r + m for q [0, q 0 ) and r χ small 6 / 30

28 Starting from Homomorphic Encryption SWHE over the integers [DGHV10,CMNT11,CNT12,CCKLLMTY13,CLT14] Secret key prime p Public key x 0 = q 0 p for very large (hard to factor) q 0 Ciphertext of m c = CRT q0,p( q, g r + m ) for q [0, q 0 ) and r χ small 6 / 30

29 Starting from Homomorphic Encryption SWHE over the integers [DGHV10,CMNT11,CNT12,CCKLLMTY13,CLT14] Secret key primes p 1,..., p n Public key x 0 = q 0 p 1 p n for very large (hard to factor) q 0 Ciphertext of m c = CRT q0,p 1,...,p n ( q, g 1 r 1 + m 1,..., g n r n + m n ) for q [0, q 0 ) and r 1,..., r n χ small 6 / 30

30 Starting from Homomorphic Encryption SWHE over the integers [DGHV10,CMNT11,CNT12,CCKLLMTY13,CLT14] Secret key primes p 1,..., p n Public key x 0 = q 0 p 1 p n for very large (hard to factor) q 0 Ciphertext of m c = CRT q0,p 1,...,p n ( q, g 1 r 1 + m 1,..., g n r n + m n ) for q [0, q 0 ) and r 1,..., r n χ small + 6 / 30

31 Adding Sharp Levels Using multiplicative mask [GGH13,CLT13] 7 / 30

32 Adding Sharp Levels Using multiplicative mask [GGH13,CLT13] Let z [0, x 0 ) be a random (invertible) multiplicative mask 7 / 30

33 Adding Sharp Levels Using multiplicative mask [GGH13,CLT13] Let z [0, x 0 ) be a random (invertible) multiplicative mask Encoding of m Z g1 Z gn at level j: [ m] j = c/z j mod x 0 = CRT q,p 1,...,p n (q, r 1 g 1 + m 1,..., r n g n + m n ) z j mod x 0 7 / 30

34 Adding Sharp Levels Using multiplicative mask [GGH13,CLT13] Let z [0, x 0 ) be a random (invertible) multiplicative mask Encoding of m Z g1 Z gn at level j: [ m] j = c/z j mod x 0 = CRT q,p 1,...,p n (q, r 1 g 1 + m 1,..., r n g n + m n ) z j mod x 0 7 / 30 Operations over Z x0 : Addition [ m] j + [ m ] j [ m + m ] j Multiplication [ m] j1 [ m ] j2 [ m m ] j1 +j 2

35 Main Ingredient: Testing for Zero Using the shortness of the noise [GGH13,CLT13] 8 / 30

36 Main Ingredient: Testing for Zero Using the shortness of the noise [GGH13,CLT13] How to test whether two degree-k encodings are equal? [ m] k [ l] k (i.e. m = l) [ m l] k [ 0] k 8 / 30

37 Main Ingredient: Testing for Zero Using the shortness of the noise [GGH13,CLT13] How to test whether two degree-k encodings are equal? [ m] k [ l] k (i.e. m = l) [ m l] k [ 0] k What is an encoding of m = 0? [ 0] k = CRT q,p 1,...,p n (q, r 1 g 1,..., r n g n ) z k mod x 0 8 / 30

38 Main Ingredient: Testing for Zero Using the shortness of the noise [GGH13,CLT13] How to test whether two degree-k encodings are equal? [ m] k [ l] k (i.e. m = l) [ m l] k [ 0] k What is an encoding of m = 0? [ 0] k = CRT q,p 1,...,p n (q, r 1 g 1,..., r n g n ) z k mod x 0 8 / 30 Idea of [GGH13]: multiply by an element which will cancel z k and when the r i s are small (r i g i p i ), yield something small compared to x 0.

39 9 / 30 Simplifications for Zero-Testing

40 Simplifications for Zero-Testing [ 0] k = i g i r i (p i 1 /z k mod p i ) p i + ( p j ) q mod x 0 where p i = j i p j 9 / 30

41 Simplifications for Zero-Testing [ 0] k = i g i r i (p i 1 /z k mod p i ) p i + ( p j ) q mod x 0 where p i = j i p j The random value q makes difficult to obtain something small... except if we are working modulo p j 9 / 30

42 Simplifications for Zero-Testing [ 0] k = i g i r i (p i 1 /z k mod p i ) p i + ( p j ) q mod x 0 where p i = j i p j The random value q makes difficult to obtain something small... except if we are working modulo p j 9 / 30 In the following x 0 = p j, and [ m] j = c/z j mod x 0 = CRT p 1,...,p n (r 1 g 1 + m 1,..., r n g n + m n ) z j mod x 0

43 Zero-Testing Procedure Multiply by the public element (where h i p i ) p zt = i h i (g 1 i z k mod p i ) p i mod x 0 10 / 30

44 Zero-Testing Procedure Multiply by the public element (where h i p i ) p zt = i h i (g 1 i z k mod p i ) p i mod x 0 [ m] k = c/z k mod x 0 = CRT p 1,...,p n (r 1 g 1 + m 1,..., r n g n + m n ) z k mod x 0 therefore [ m] k p zt = i (r i + m i g 1 i ) h i p i mod x 0 10 / 30

45 Zero-Testing Procedure Multiply by the public element (where h i p i ) p zt = i h i (g 1 i z k mod p i ) p i mod x 0 [ m] k = c/z k mod x 0 = CRT p 1,...,p n (r 1 g 1 + m 1,..., r n g n + m n ) z k mod x 0 therefore [ m] k p zt = i (r i + m i g 1 i ) h i p i mod x 0 We have (we prove equivalence whp when many p zt s are given) m = 0 [ m] k p zt mod x 0 x 0 10 / 30

46 11 / 30 Hardness Assumptions

47 Hardness Assumptions GDDH: Given (k + 1) elements [ m i ] 1 whether m k+1 i=1 m i. and [ m ] k, determine 11 / 30

48 Hardness Assumptions GDDH: Given (k + 1) elements [ m i ] 1 whether m k+1 i=1 m i. and [ m ] k, determine At the heart of the multipartite key echange protocol 11 / 30

49 Hardness Assumptions GDDH: Given (k + 1) elements [ m i ] 1 whether m k+1 i=1 m i. and [ m ] k, determine At the heart of the multipartite key echange protocol Assumed to be hard (no reduction to Approx.-GCD) 11 / 30

50 Hardness Assumptions GDDH: Given (k + 1) elements [ m i ] 1 whether m k+1 i=1 m i. and [ m ] k, determine At the heart of the multipartite key echange protocol Assumed to be hard (no reduction to Approx.-GCD) Asymptotic parameters obtained from numerous attacks orthogonal lattice attack on encodings GCD attack on zero-testing hidden subset sum attack on zero-testing attacks on the inverse zero-testing matrix brute-force on the noises, / 30

51 But... Zeroizing Attack Eurocrypt 2015 best paper [CHLRS15] 12 / 30

52 13 / 30 The Zeroizing Attack on CLT13 Exploiting the (bi)linearity of the zero-testing procedure

53 The Zeroizing Attack on CLT13 Exploiting the (bi)linearity of the zero-testing procedure [ 0] k p zt = i r i (h i p i ) Z 13 / 30

54 The Zeroizing Attack on CLT13 Exploiting the (bi)linearity of the zero-testing procedure [ 0] k 2 [ b] 1 [ c] 1 p zt = i r i ˆb i ĉ i (h i p i ) Z 13 / 30

55 The Zeroizing Attack on CLT13 Exploiting the (bi)linearity of the zero-testing procedure [ 0] k 2 [ b] 1 [ c] 1 p zt = i r i ˆb i ĉ i (h i p i ) Z r i ˆb i (h i p i ) ĉ i 13 / 30

56 The Zeroizing Attack on CLT13 Exploiting the (bi)linearity of the zero-testing procedure [ 0] k 2 [ b] 1 [ c] 1 p zt = i r i ˆb i ĉ i (h i p i ) Z r i ˆbi (h i p i ) ĉ i 13 / 30

57 The Zeroizing Attack on CLT13 Inversion over Q Let s do it with many [ 0] k 2, [ c] 1 and two targets [ b] 1, [ b ] 1 14 / 30

58 The Zeroizing Attack on CLT13 Inversion over Q Let s do it with many [ 0] k 2, [ c] 1 and two targets [ b] 1, [ b ] 1 r i ˆbi (h i p i ) ĉ i r i ˆb i (h i p i ) ĉ i 14 / 30

59 The Zeroizing Attack on CLT13 Inversion over Q Let s do it with many [ 0] k 2, [ c] 1 and two targets [ b] 1, [ b ] 1 r i ˆbi (h i p i ) ĉ i (ĉ i ) 1 1 ˆb i (h i p i ) (r 1 i ) 14 / 30

60 The Zeroizing Attack on CLT13 Inversion over Q Let s do it with many [ 0] k 2, [ c] 1 and two targets [ b] 1, [ b ] 1 r i ˆbi (h i p i ) ĉ i (ĉ i ) 1 1 ˆb i (h i p i ) (r 1 i ) = r i ˆbi /ˆb i (r i ) 1 14 / 30

61 The Zeroizing Attack on CLT13 Computing eigenvalues Consider the target encodings [ b] 1 = CRT pi (ˆb i )/z, [ b ] 1 = CRT pi (ˆb i)/z r i ˆb i /ˆb i (r i ) 1 15 / 30

62 The Zeroizing Attack on CLT13 Computing eigenvalues Consider the target encodings [ b] 1 = CRT pi (ˆb i )/z, [ b ] 1 = CRT pi (ˆb i)/z r i ˆb i /ˆb i (r i ) 1 Compute the eigenvalues β i /β i = ˆb i /ˆb i 15 / 30

63 The Zeroizing Attack on CLT13 Computing eigenvalues Consider the target encodings [ b] 1 = CRT pi (ˆb i )/z, [ b ] 1 = CRT pi (ˆb i)/z r i ˆb i /ˆb i (r i ) 1 Compute the eigenvalues β i /β i = ˆb i /ˆb i We have that p i (β i [ b] 1 β i [ b ] 1 ) 15 / 30

64 The Zeroizing Attack on CLT13 Computing eigenvalues Consider the target encodings [ b] 1 = CRT pi (ˆb i )/z, [ b ] 1 = CRT pi (ˆb i)/z r i ˆb i /ˆb i (r i ) 1 15 / 30 Compute the eigenvalues β i /β i = ˆb i /ˆb i We have that p i (β i [ b] 1 β i [ b ] 1 ) Compute p i = gcd(β i [ b] 1 β i [ b ] 1, x 0 )

65 16 / 30 Generalizing the Zeroizing Attack on CLT13 Zeroizing without low-level zeroes [CGHLMMRST15]

66 Generalizing the Zeroizing Attack on CLT13 Zeroizing without low-level zeroes [CGHLMMRST15] Breaks early tentative fixes [BWZ14,GGHZ14] using zero-testing as a black-box 16 / 30

67 Generalizing the Zeroizing Attack on CLT13 Zeroizing without low-level zeroes [CGHLMMRST15] Breaks early tentative fixes [BWZ14,GGHZ14] using zero-testing as a black-box Don t need [ 0] k 2 [ b] 1 [ c] 1 but [ a] k 2 [ b] 1 [ c] 1 [ 0] k 16 / 30

68 Generalizing the Zeroizing Attack on CLT13 Zeroizing without low-level zeroes [CGHLMMRST15] Breaks early tentative fixes [BWZ14,GGHZ14] using zero-testing as a black-box Don t need [ 0] k 2 [ b] 1 [ c] 1 but [ a] k 2 [ b] 1 [ c] 1 [ 0] k Can be diagonal per block. Instead of computing eigenvalues use characteristic polynomial. r i ˆbi (h i p i ) ĉ i 16 / 30

69 Thwarting Cheon et al. Attack? Can we remove this linearity? [CLT15] 17 / 30

70 Thwarting Cheon et al. Attack? Can we remove this linearity? [CLT15] The encodings look like DGHV ciphertexts 17 / 30

71 Thwarting Cheon et al. Attack? Can we remove this linearity? [CLT15] The encodings look like DGHV ciphertexts Even without the randomness q, their form should not be an issue 17 / 30

72 Thwarting Cheon et al. Attack? Can we remove this linearity? [CLT15] The encodings look like DGHV ciphertexts Even without the randomness q, their form should not be an issue In [CoronL.Tibouchi15], we revisit the zero-testing procedure itself 17 / 30

73 Thwarting Cheon et al. Attack? Can we remove this linearity? [CLT15] The encodings look like DGHV ciphertexts Even without the randomness q, their form should not be an issue In [CoronL.Tibouchi15], we revisit the zero-testing procedure itself In a nutshell: the zero-testing is done modulo a new prime modulus N; x 0 is no longer public. 17 / 30

74 18 / 30 Inherent randomness in current encodings

75 Inherent randomness in current encodings Current form of encodings [ m] k = CRT pi (m i + g i r i )/z k mod x 0 18 / 30

76 Inherent randomness in current encodings Current form of encodings [ m] k = CRT pi (m i + g i r i )/z k mod x 0 [ m] k = i (m i g 1 i + r i mod p i ) u i + a x 0 over Z with u i = (g i p i 1 z k mod p i )p i. 18 / 30

77 Inherent randomness in current encodings Current form of encodings [ m] k = CRT pi (m i + g i r i )/z k mod x 0 [ m] k = i (m i g 1 i + r i mod p i ) u i + a x 0 over Z with u i = (g i p i 1 z k mod p i )p i. 18 / 30 The element a is highly non-linear in the r i s The element a is different from the random q we had before when adapting DGHV ( m = 0 a is small)

78 New Zero-Test Parameter Pick a random, large prime N x 0. We want to generate a new zero-test value α zt such that [ m] k α zt mod N N m = 0 19 / 30

79 New Zero-Test Parameter Pick a random, large prime N x 0. We want to generate a new zero-test value α zt such that In particular, we have [ m] k α zt mod N = i [ m] k α zt mod N N m = 0 (m i g 1 i + r i mod p i ) (u i α zt ) + a x 0 α zt mod N 19 / 30

80 New Zero-Test Parameter Pick a random, large prime N x 0. We want to generate a new zero-test value α zt such that In particular, we have [ m] k α zt mod N = i [ m] k α zt mod N N m = 0 (m i g 1 i + r i mod p i ) (u i α zt ) + a x 0 α zt mod N 19 / 30 so we want α zt u i mod N N and α zt x 0 mod N N

81 How To Generate α zt? Given N, the generation of α zt Z N such that for all i, u i α zt mod N and x 0 α zt mod N are small is not obvious. 20 / 30

82 How To Generate α zt? Given N, the generation of α zt Z N such that for all i, u i α zt mod N and x 0 α zt mod N are small is not obvious. The problem amounts to finding a relatively short vector in a lattice 1 u 1 u n x 0 N... N N 20 / 30

83 How To Generate α zt? Given N, the generation of α zt Z N such that for all i, u i α zt mod N and x 0 α zt mod N are small is not obvious. The problem amounts to finding a relatively short vector in a lattice 1 u 1 u n x 0 N... N N Use LLL? (we can tolerate an exponential approx. factor over SVP), but typically n / 30

84 21 / 30 How To Generate α zt? Using the structure of the u i s

85 How To Generate α zt? Using the structure of the u i s Remember that N x 0 and u i = (g i p i 1 z k mod p i )p i 21 / 30

86 How To Generate α zt? Using the structure of the u i s Remember that N x 0 and u i = (g i p i 1 z k mod p i )p i First note that p 1 j u i mod N is small for all i j 21 / 30

87 How To Generate α zt? Using the structure of the u i s Remember that N x 0 and u i = (g i p i 1 z k mod p i )p i First note that p 1 j u i mod N is small for all i j Only p 1 j u j mod N is not a priori small 21 / 30

88 How To Generate α zt? Using the structure of the u i s Remember that N x 0 and u i = (g i p i 1 z k mod p i )p i First note that p 1 j u i mod N is small for all i j Only p 1 j u j mod N is not a priori small Let us find α j such that α j p 1 j u j mod N is small As before it amounts to finding a short vector in ( ) N/B p 1 j u j N 21 / 30

89 How To Generate α zt? Using the structure of the u i s ( N/B p 1 j N u j ) 22 / 30

90 How To Generate α zt? Using the structure of the u i s ( N/B p 1 j N We chose B such that LLL finds a short vector u j (α j N/B, β j ) where α j p j and β j = α j p 1 j u j mod N N/ p j. ) 22 / 30

91 How To Generate α zt? Using the structure of the u i s ( N/B p 1 j N We chose B such that LLL finds a short vector u j (α j N/B, β j ) where α j p j and β j = α j p 1 j u j mod N N/ p j. New zero-testing element: ) α zt = j h j α j p 1 j mod N 22 / 30

92 How To Generate α zt? Using the structure of the u i s New zero-testing element (sizes to keep in mind N x 0 p j, α j p j ): α zt = j h j α j p 1 j mod N When applied on an encoding [ m] k : [ m] k α zt mod N = i (m i g 1 i + r i mod p i ) (u i α zt ) + a x 0 α zt mod N 23 / 30

93 How To Generate α zt? Using the structure of the u i s New zero-testing element (sizes to keep in mind N x 0 p j, α j p j ): α zt = j h j α j p 1 j mod N When applied on an encoding [ m] k : [ m] k α zt mod N = i (m i g 1 i + r i mod p i ) (h i β i + j i h j α j u i /p j ) + a x 0 α zt mod N 23 / 30

94 24 / 30 An Important Caveat Cannot work directly modulo x 0

95 An Important Caveat Cannot work directly modulo x 0 x 0 cannot be made public, contrary to [CLT13] 24 / 30

96 An Important Caveat Cannot work directly modulo x 0 x 0 cannot be made public, contrary to [CLT13] However, define v 0 = x 0 α zt mod N, and ([ 0] k α zt mod N) mod v 0 = ( i r i (h i β i + j i h j α j u i /p j ) + a v 0 Z) mod v 0 = i r i (h i β i + j i h j α j u i /p j ) mod v 0 24 / 30

97 An Important Caveat Cannot work directly modulo x 0 x 0 cannot be made public, contrary to [CLT13] However, define v 0 = x 0 α zt mod N, and ([ 0] k α zt mod N) mod v 0 = ( i r i (h i β i + j i h j α j u i /p j ) + a v 0 Z) mod v 0 = i r i (h i β i + j i h j α j u i /p j ) mod v 0 We can apply Cheon et al. attack modulo v 0 24 / 30

98 25 / 30 An Important Caveat A Ladder of encodings

99 An Important Caveat A Ladder of encodings Making x 0 secret is somewhat inconvenient: when we add or multiply encodings, we cannot reduce them modulo x 0 anymore to keep them of the same size 25 / 30

100 An Important Caveat A Ladder of encodings Making x 0 secret is somewhat inconvenient: when we add or multiply encodings, we cannot reduce them modulo x 0 anymore to keep them of the same size Solution (taken from [DGHV10]): publish a ladder of encodings of 0 of increasing size 25 / 30 encodings X (j) i = (CRT pi (r i g i )/z j mod x 0 ) + q i x 0 with q i [0, 2 i ) for i = 1,..., log(x 0 ) do the operation over Z, and remove X (j) i for decreasing i s

101 26 / 30 Concrete Attempt

102 Concrete Attempt Consider u = [ 0] k 2 [ b] 1 [ c] 1 26 / 30

103 Concrete Attempt Consider u = [ 0] k 2 [ b] 1 [ c] 1 Apply the ladder to reduce its size to the size of x 0 : u = u + s i X (k) i 26 / 30

104 Concrete Attempt Consider u = [ 0] k 2 [ b] 1 [ c] 1 Apply the ladder to reduce its size to the size of x 0 : u = u + s i X (k) i Write u over Z: u = i (r i ˆb i ĉ i + s i r X,i,k ) u i a x 0 26 / 30

105 Concrete Attempt Consider u = [ 0] k 2 [ b] 1 [ c] 1 Apply the ladder to reduce its size to the size of x 0 : u = u + s i X (k) i Write u over Z: u = i (r i ˆb i ĉ i + s i r X,i,k ) u i a x 0 All s i s and a come up in the way of Cheon et al. attack 26 / 30

106 27 / 30 Proof-of-concept Implementation Instantiation λ κ n η ρ γ = n η pp size Small MB Medium MB Large GB Extra GB Setup Publish KeyGen 5.9 s 0.10 s 0.17 s 36 s 0.33 s 1.06 s 583 s 2.05 s 6.17 s 4528 s 7.8 s 23.9 s

107 28 / 30 Conclusion

108 Conclusion The CLT scheme has many interesting features: composite order maps, assumed hardness of GDDH but also of DLIN & SubM 28 / 30

109 Conclusion The CLT scheme has many interesting features: composite order maps, assumed hardness of GDDH but also of DLIN & SubM Concrete targets to attack in practice if desired Same efficiency as original CLT13 28 / 30

110 Conclusion The CLT scheme has many interesting features: composite order maps, assumed hardness of GDDH but also of DLIN & SubM Concrete targets to attack in practice if desired Same efficiency as original CLT13 Open problems for CLT15: Analyze the reparation Improve the efficiency Adapt the technique to [GGH13]? 28 / 30

111 29 / 30 Thank You Questions & Discussion

112 Discussion 1. Design public encoding space / inversion 2. Attacks 3. Assumptions what sort of assumptions can be made? base multilinear maps on well-known problems 4. Applications something that look different from obfuscation what can you do with a small number of levels? relation between 2-multilinear maps / pairings in applications 30 / 30

On Kilian s Randomization of Multilinear Map Encodings

On Kilian s Randomization of Multilinear Map Encodings Jean-Sébastien Coron and Hilder V. L. Pereira University of Luxembourg November 20, 2018 Abstract. Indistinguishability obfuscation constructions