The Kernel Matrix Diffie-Hellman Assumption

Size: px

Start display at page:

Download "The Kernel Matrix Diffie-Hellman Assumption"

Randolph Morris
5 years ago
Views:

1 The Kernel Matrix Diffie-Hellman Assumption Carla Ràfols 1, Paz Morillo 2 and Jorge L. Villar 2 1 Universitat Pompeu Fabra (UPF) Spain 2 Universitat Politècnica de Catalunya (UPC) Spain Matemática Aplicada a la Criptografía Asiacrypt 2016, Hanoi, 8 Dec 2016

2 Outline 1 Introduction 2 The Kernel Matrix Diffie-Hellman Assumption 3 Hardness of the KerDH Assumption 4 The Case l > k + 1

3 Additive (Implicit) Notation Given a group G of prime order q and a generator g G: g x [x] g [1] 1 [0] g x g y [x][y] = [x + y] (g x ) y [x] y = [xy] (g x 1,..., g xn ) [x 1,..., x n ] g x 11 g x 1m x 11 x 1m.... g x n1 g xnm x n1 x nm Given a (symmetric) bilinear map e : G G G T : e(g x, g y ) = g xy T e([x], [y]) = [xy] T

4 Subspace Membership Problems For a (k, l)-collection of vector subspaces of dimension k, S = {S i } i I, of the vector space Z l q, where 0 < k < l Definition (Subspace Membership Problem) Given G and g, tell apart D real = ([S], [z]) for random S S and z S D random = ([S], [z]) for random S S and z Z l q

5 Subspace Membership Problems For a (k, l)-collection of vector subspaces of dimension k, S = {S i } i I, of the vector space Z l q, where 0 < k < l Definition (Subspace Membership Problem) Given G and g, tell apart D real = ([S], [z]) for random S S and z S D random = ([S], [z]) for random S S and z Z l q Typically, S = Span A, where A Z l k q and rank A = k.

6 Subspace Membership Problems DDH: A(a) = z = ( ) 1 (w) = a ( ) 1 a ( w aw ) a Z q vs. z = ( z1 z 2 ) a Lin: A(a 1, a 2 ) = 0 a 2 a 1, a 2 Z q 1 1 a 1 0 ( ) a 1 w 1 z = 0 a 2 w1 = a w 2 w 2 vs. z = w 1 + w 2 z 1 z 2 z 3

7 Subspace Membership Problems DDH: A(a) = z = ( ) 1 (w) = a ( ) 1 a ( w aw ) a Z q vs. z = ( z1 z 2 ) a Lin: A(a 1, a 2 ) = 0 a 2 a 1, a 2 Z q 1 1 a 1 0 ( ) a 1 w 1 z = 0 a 2 w1 = a w 2 w 2 vs. z = w 1 + w 2 Matrix distributions z 1 z 2 z 3

8 Matrix Distributions Given 1 k < l, Definition (Polynomial Matrix Distribution) A Dl,k f, where A Zl k q, rank A = k and A is sampled according to A = f (a 1,..., a d ), where a 1,..., a d Z q and f is a polynomial map of constant degree.

9 Matrix Distributions Given 1 k < l, Definition (Polynomial Matrix Distribution) A Dl,k f, where A Zl k q, rank A = k and A is sampled according to A = f (a 1,..., a d ), where a 1,..., a d Z q and f is a polynomial map of constant degree. We also tolerate Pr(rank A < k) negl. We focus on the case l = k + 1, and deg f = 1

10 Matrix Distributions Given 1 k < l, Definition (Polynomial Matrix Distribution) A Dl,k f, where A Zl k q, rank A = k and A is sampled according to A = f (a 1,..., a d ), where a 1,..., a d Z q and f is a polynomial map of constant degree. We also tolerate Pr(rank A < k) negl. We focus on the case l = k + 1, and deg f = 1 E.g. A(a) = ( ) 1 a a 1 0 A(a 1, a 2 ) = 0 a 2 1 1

11 Matrix Decision Diffie-Hellman (MDDH) Problems Definition (Dl,k A -MDDH Problem [EHKRV13]) Tell apart the two probability distributions D real = (G, q, g, [A(t)], [A(t)w]), t Z d q, w Z k q D random = (G, q, g, [A(t)], [z]), t Z d q, z Z l q The Dl,k A -MDDH Assumption states that the above problem is hard, w.r.t. and instance generator (q, G, g) I

12 Matrix Decision Diffie-Hellman (MDDH) Problems Definition (Dl,k A -MDDH Problem [EHKRV13]) Tell apart the two probability distributions D real = (G, q, g, [A(t)], [A(t)w]), t Z d q, w Z k q D random = (G, q, g, [A(t)], [z]), t Z d q, z Z l q The Dl,k A -MDDH Assumption states that the above problem is hard, w.r.t. and instance generator (q, G, g) I Generic hardness depends on the degree and irreducibility of the determinant polynomial d(t, z) = det(a(t) z)

13 Known Instances t t 1,1 t 1,k. A k-unif = t A k-lin = t k+1,1 t k+1,k 0 0 t k t t.. 2. A k-casc = tk t t... A k-scasc = t 0 0 1

14 Applications Some known applications: Public key encryption Hash Proof systems Pseudorandom functions Non-interactive Zero-Knowledge proofs (Groth-Sahai) Efficient Proofs for CRS-Dependent Languages Key idea: Most constructions based on DDH or 2-Lin are actually valid for any MDDH problem We can obtain more compact instances more secure instances (secure even when an efficient multilinear map is available)

15 Outline 1 Introduction 2 The Kernel Matrix Diffie-Hellman Assumption 3 Hardness of the KerDH Assumption 4 The Case l > k + 1

16 Flexible Computational Matrix Problems Decision problems: natural model for indistinguishability adversarial capabilities (IND-CPA, pseudorandomness,... ).

17 Flexible Computational Matrix Problems Decision problems: natural model for indistinguishability adversarial capabilities (IND-CPA, pseudorandomness,... ). (Flexible) computational problems: Capture forgery adversarial capabilities. E.g. breaking unforgeability of a digital signature soundness of a ZK argument binding property of a commitment...

18 Flexible Computational Matrix Problems Decision problems: natural model for indistinguishability adversarial capabilities (IND-CPA, pseudorandomness,... ). (Flexible) computational problems: Capture forgery adversarial capabilities. E.g. breaking unforgeability of a digital signature soundness of a ZK argument binding property of a commitment... We unify some existing flexible computational problems in the literature in a single framework.

19 The Kernel Matrix Diffie-Hellman Assumption For a (r, l)-collection of vector subspaces of dimension r, S = {S i } i I, of the vector space Z l q, where 0 < r < l Definition (Subspace Sampling Problem) Given G, g and [S], find [x] where x is a nonzero vector in S Typically S = ker A, where A Z l k q, rank A = k and r = l k.

20 The Kernel Matrix Diffie-Hellman Assumption For a (r, l)-collection of vector subspaces of dimension r, S = {S i } i I, of the vector space Z l q, where 0 < r < l Definition (Subspace Sampling Problem) Given G, g and [S], find [x] where x is a nonzero vector in S Typically S = ker A, where A Z l k q, rank A = k and r = l k. Definition (Dl,k A -KerMDH Problem) Given [A], where A D l,k find a nonzero vector [x] such that x A = 0. The Dl,k A -KerDH Assumption states that the above problem is hard, w.r.t. and instance generator (q, G, g) I

21 KerMDH Examples DDH Kernel: A(a) = ( ) 1 a a Z q Given [A], find [x 1, x 2 ] [0] such that ( ) ( ) 1 x1 x 2 = x a 1 + ax 2 = 0 a Lin Kernel: A(a 1, a 2 ) = 0 a a 1, a 2 Z q Given [A], find [x 1, x 2, x 3 ] [0] such that ( ) a 1 0 x1 x 2 x 3 0 a 2 = ( ) a 1 x 1 + x 3 a 2 x 2 + x 3 = 0 1 1

22 KerMDH Examples DDH Kernel: A(a) = ( ) 1 a a Z q Given [A], find [x 1, x 2 ] [0] such that ( ) ( ) 1 x1 x 2 = x a 1 + ax 2 = 0 a Lin Kernel: A(a 1, a 2 ) = 0 a Just Take [x 1, x 2 ] = [ a, 1]! a 1, a 2 Z q Given [A], find [x 1, x 2, x 3 ] [0] such that ( ) a 1 0 x1 x 2 x 3 0 a 2 = ( ) a 1 x 1 + x 3 a 2 x 2 + x 3 = 0 1 1

23 KerMDH Examples DDH Kernel: A(a) = ( ) 1 a a Z q Given [A], find [x 1, x 2 ] [0] such that ( ) ( ) 1 x1 x 2 = x a 1 + ax 2 = 0 a Lin Kernel: A(a 1, a 2 ) = 0 a Just Take [x 1, x 2 ] = [ a, 1]! a 1, a 2 Z q Given [A], find [x 1, x 2, x 3 ] [0] such that ( ) a 1 0 x1 x 2 x 3 0 a 2 = ( ) a 1 x 1 + x 3 a 2 x 2 + x 3 = [x 1, x 2, x 3 ] = [ a 2 λ, a 1 λ, a 1 a 2 λ] for some λ. Hard to compute from [a 1 ], [a 2 ]!

24 More Examples Lemma (KerMDH vs. MDDH) In pairing groups, D A l,k -MDDH DA l,k -KerDH D real : x Aw = 0 x (Aw) = 0 e([x ], [Aw]) = [0] T D random : z Z l q x z 0 e([x ], [Aw]) [0] T w.o.p.

25 More Examples Lemma (KerMDH vs. MDDH) In pairing groups, D A l,k -MDDH DA l,k -KerDH D real : x Aw = 0 x (Aw) = 0 e([x ], [Aw]) = [0] T D random : z Z l q x z 0 e([x ], [Aw]) [0] T w.o.p. All hard MDDH instances define hard KerMDH instances: k-unif, k-lin, k-casc, k-scasc,...

26 The KerMDH Family KerMDH integrates some previously known assumptions: Find-Rep [Brands93] Simultaneous Double Pairing [AFGHO10] Triple Pairing [Groth10] Simultaneous Pairing [GL07] 1-Flexible Diffie-Hellman [LV08] 1-Flexible Square Diffie-Hellman [LPV05]

27 The KerMDH Family KerMDH integrates some previously known assumptions: Find-Rep [Brands93] Simultaneous Double Pairing [AFGHO10] Triple Pairing [Groth10] Simultaneous Pairing [GL07] 1-Flexible Diffie-Hellman [LV08] 1-Flexible Square Diffie-Hellman [LPV05] Applications: Homomorphic Signatures [LPJY13] Quasi-Adaptive NIZK [KW15] Trapdoor Commitments to Group Elements Structure Preserving Signatures [KPW15],...

28 The power of KerMDH Designated-verifier proof of membership: Given [x] and [M], prove that x = Mw for some w. Designated verifier keys: Secret K, public [M K ]. Proof: [π] such that π = x K. ([π ] = [w M K ] fulfils the equation)

29 The power of KerMDH Designated-verifier proof of membership: Given [x] and [M], prove that x = Mw for some w. Designated verifier keys: Secret K, public [M K ]. Proof: [π] such that π = x K. ([π ] = [w M K ] fulfils the equation) Using D l,k -KerDH, Publicly verifiable proof: Public parameters: [M], [M K ], [A], [KA], A D l,k. Proof: [π] such that e([π ], [A]) = e([x ], [KA]). π A = x KA (π x K )A = 0 π = x K or D l,k -KerDH is easy.

30 Outline 1 Introduction 2 The Kernel Matrix Diffie-Hellman Assumption 3 Hardness of the KerDH Assumption 4 The Case l > k + 1

31 Hardness of KerDH Hard instances: D l,k hard for k > 1, implies that D l,k -KerDH is hard in the generic k-linear group model

32 Hardness of KerDH Hard instances: D l,k hard for k > 1, implies that D l,k -KerDH is hard in the generic k-linear group model Algebraic Reductions: If B = LAR then D B l,k -KerDH DA l,k -KerDH

33 Hardness of KerDH Hard instances: D l,k hard for k > 1, implies that D l,k -KerDH is hard in the generic k-linear group model Algebraic Reductions: If B = LAR then D B l,k -KerDH DA l,k -KerDH Increasing Hardness: For the typical families of hard D l,k of increasing size D A k+1 -KerDH DA k -KerDH D A k+1 -KerDH DA k -KerDH

34 Hardness of KerDH Hard instances: D l,k hard for k > 1, implies that D l,k -KerDH is hard in the generic k-linear group model Algebraic Reductions: If B = LAR then D B l,k -KerDH DA l,k -KerDH Increasing Hardness: For the typical families of hard D l,k of increasing size D A k+1 -KerDH DA k -KerDH D A k+1 -KerDH DA k -KerDH Explicit Reductions

35 Hardness of KerDH Hard instances: D l,k hard for k > 1, implies that D l,k -KerDH is hard in the generic k-linear group model Algebraic Reductions: If B = LAR then D B l,k -KerDH DA l,k -KerDH Increasing Hardness: For the typical families of hard D l,k of increasing size D A k+1 -KerDH DA k -KerDH D A k+1 -KerDH DA k -KerDH Black-Box Separation Explicit Reductions

36 Families with Increasing Hardness [EHKRV13] D 1 -MDDH D 2 -MDDH D 3 -MDDH D 4 -MDDH / / / / D 2 -KerDH D 3 -KerDH D 4 -KerDH / / / [This work] Valid for all families: k-unif, k-lin, k-casc, k-scasc.

37 Black-Box Separations BB P 1 P 2 means that a reduction R solves P 1 using any possible oracle solving P 2.

38 Black-Box Separations BB P 1 P 2 means that a reduction R solves P 1 using any possible oracle solving P 2. Black-box reductions between flexible problems are hard to find (or they are very natural) (R must work for all possible solutions of P 2.)

39 Black-Box Separations BB P 1 P 2 means that a reduction R solves P 1 using any possible oracle solving P 2. Black-box reductions between flexible problems are hard to find (or they are very natural) (R must work for all possible solutions of P 2.) Black-box separation means that every BB reduction fails for some oracle for P 2.

40 Black-Box Separations BB P 1 P 2 means that a reduction R solves P 1 using any possible oracle solving P 2. Black-box reductions between flexible problems are hard to find (or they are very natural) (R must work for all possible solutions of P 2.) Black-box separation means that every BB reduction fails for some oracle for P 2. We impose some extra requirements to R: It is generic (it works on the generic k-linear group model), It makes a constant number of calls Q to the P 2 oracle.

41 BB Separation: Reduction Splitting D l,k -KerDH R D l, k-kerdh for k > k $ [A] R 0 s R 1 [v] = [u + η(w)] O Q 1 queries [w] [ker Ã ] [Ã] O last query

42 BB Separation: Reduction Splitting D l,k -KerDH R D l, k-kerdh for k > k $ [A] R 0 s R 1 [v] = [u + η(w)] O Q 1 queries [w] [ker Ã ] [Ã] O last query Generic model: η is linear and it only depends on $. dim Im(η) < k

43 BB Separation: Query Supression Definition (k-elusiveness) A (r, l)-collection of vector subspaces S is k-elusive if given any k-vector subspace F, Pr[S F {0} : S S] negl

44 BB Separation: Query Supression Definition (k-elusiveness) A (r, l)-collection of vector subspaces S is k-elusive if given any k-vector subspace F, Pr[S F {0} : S S] negl Lemma For any hard matrix distribution D l,k, the collection of subspaces {ker A } A Dl,k is k-elusive.

45 BB Separation: Query Supression Definition (k-elusiveness) A (r, l)-collection of vector subspaces S is k-elusive if given any k-vector subspace F, Pr[S F {0} : S S] negl Lemma For any hard matrix distribution D l,k, the collection of subspaces {ker A } A Dl,k is k-elusive. We prove the last oracle call does not help the reduction. By induction, if R exists then D l,k -KerDH can be solved directly (e.g. Q = 0). Larger Kernel Problems are strictly harder!

46 Outline 1 Introduction 2 The Kernel Matrix Diffie-Hellman Assumption 3 Hardness of the KerDH Assumption 4 The Case l > k + 1

47 A New Matrix Distribution With l > k + 1 (k, d)-circ: A compact hard matrix distribution with l > k + 1 t 1 0. t 1. t d... A (k, d)-circ = 1 t d t td 0 1

48 A New Matrix Distribution With l > k + 1 (k, d)-circ: A compact hard matrix distribution with l > k + 1 t 1 0. t 1. t d... A (k, d)-circ = 1 t d t td 0 1 Optimal representation size for hard (k + d) k polynomial matrix distributions of degree 1 Application: Compact public key structure preserving commitments to vectors (see paper)

49 Generic Hardness of (k, d)-circ A(t) has a constant nonzero k-minor (The easy case of the Determinant Criterion for l > k + 1 in [Herold2014])

50 Generic Hardness of (k, d)-circ A(t) has a constant nonzero k-minor (The easy case of the Determinant Criterion for l > k + 1 in [Herold2014]) The principal ideal (d) used in the case l = k + 1 is replaced by the ideal I generated by all the (k + 1)-minors of (A(t) z).

51 Generic Hardness of (k, d)-circ A(t) has a constant nonzero k-minor (The easy case of the Determinant Criterion for l > k + 1 in [Herold2014]) The principal ideal (d) used in the case l = k + 1 is replaced by the ideal I generated by all the (k + 1)-minors of (A(t) z). Only polynomials p in I can be used successfully by a solver of (k, d)-circ-mddh.

52 Generic Hardness of (k, d)-circ A(t) has a constant nonzero k-minor (The easy case of the Determinant Criterion for l > k + 1 in [Herold2014]) The principal ideal (d) used in the case l = k + 1 is replaced by the ideal I generated by all the (k + 1)-minors of (A(t) z). Only polynomials p in I can be used successfully by a solver of (k, d)-circ-mddh. We prove that the set of (k + 1)-minors of (A(t) z) for (k, d)-circ is a Gröbner basis of I, and all minors have total degree k + 1. Then, no nonzero polynomial of degree k exist in I.

53 Optimal Compactness of (k, d)-circ Theorem Any hard polynomial matrix distribution Dl,k A least l k parameters. of degree 1, has at

54 Optimal Compactness of (k, d)-circ Theorem Any hard polynomial matrix distribution Dl,k A least l k parameters. of degree 1, has at If d < l k: apply gaussian row elimination with scalar coefficients to the matrix A(t) Dl,k f to put at least l (d + 1) k zeros in the first column. There exists an invertible matrix L GL l (Z q ) such that LA(t) has an identically zero k-minor. LA(t) defines an easy MDDH problem. Therefore, D l,k -MDDH is also easy.

55 The Kernel Matrix Diffie-Hellman Assumption Carla Ràfols 1, Paz Morillo 2 and Jorge L. Villar 2 1 Universitat Pompeu Fabra (UPF) Spain 2 Universitat Politècnica de Catalunya (UPC) Spain Matemática Aplicada a la Criptografía Asiacrypt 2016, Hanoi, 8 Dec 2016 The End!

Disjunctions for Hash Proof Systems: New Constructions and Applications

Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by