GGHLite: More Efficient Multilinear Maps from Ideal Lattices

Size: px

Start display at page:

Download "GGHLite: More Efficient Multilinear Maps from Ideal Lattices"

Jason Parks
5 years ago
Views:

1 GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois, Damien Stehlé and Ron Steinfeld Aric Team, LIP, ENS de Lyon May, 4 Adeline Langlois GGHLite May, 4 / 9

2 Our main result Decrease size of public parameters from O(λ 5 log λ) to O(λ log λ) Lower size of parameters and finer security analysis A more efficient cryptographic multilinear maps, obtained by formalizing, simplifying and improving the re-randomization process in the GGH construction. For each encoding Garg, Gentry and Halevi 3 Adeline Langlois GGHLite May, 4 / 9

3 Outline Introduction Cryptographic multilinear maps Graded encoding scheme GGH Preliminaries The GGH scheme Hardness assumption: GDDH Our contributions: GGHLite Improving the re-randomization Reduction from cgcdh to GCDH New LHL over rings Parameters and applications Adeline Langlois GGHLite May, 4 3/ 9

4 Plan Introduction Cryptographic multilinear maps Graded encoding scheme GGH Preliminaries The GGH scheme Hardness assumption: GDDH Our contributions: GGHLite Improving the re-randomization Reduction from cgcdh to GCDH New LHL over rings Parameters and applications Adeline Langlois GGHLite May, 4 4/ 9

5 Diffie-Hellman Key Exchange (976) Choose x U(Z q ) y = g x y = g x Choose x U(Z q ) Alice Bob Agreed secret key: K = g xx = y x = y x Security: Decisional Diffie-Hellman problem, DDH: For x, x, x 3 U(Z q), distinguish between (g x, g x, g x x ) and (g x, g x, g x 3 ). Adeline Langlois GGHLite May, 4 5/ 9

6 Cryptographic Multilinear Maps st Century variant Group of N > parties want to communicate privately via cloud. Choose x Z q Choose x 3 Z q y = g x Choose x Z q y = g x y 3 = g x 3 y N = g x N Choose x N Z q Secret key K = e(g,..., g) x x N = e(y, y 3,..., y N ) x. Security: Hardness of Multilinear Decisional DH problem, MDDH: For x,..., x N, x U(Z q), distinguish between (g x,..., g x N, e(g,..., g) x x N ) and (g x,..., g x N, e(g,..., g) x ). Adeline Langlois GGHLite May, 4 6/ 9

7 Cryptographic Multilinear Maps History : Applications for elliptic curves pairings ( = ): : 3-party non-interactive key agreement [Joux], -: Identity-Based Encryption (IBE) [SakaiOhgishiKasahara,BonehFranklin], -3: lots of others. : Applications for -linear maps [BonehSilverberg3] ( + )-party non-interactive key agreement, and others... [GargGentryHalevi3] First plausible realization for >, via ideal lattices, Applications: -3: Functional Encryption for arbitrary functions, 3: Program obfuscation notions for arbitrary functions. 3: Variant over the integers [CoronLepointTibouchi3] 4: GGHLite More efficient variant of GGH (this talk). Adeline Langlois GGHLite May, 4 7/ 9

8 -Graded encoding scheme A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding level- level- level- Adeline Langlois GGHLite May, 4 8/ 9

9 -Graded encoding scheme A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding level- encode at level- level- level- Adeline Langlois GGHLite May, 4 8/ 9

10 -Graded encoding scheme A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding level- encode at level- level- level- Adeline Langlois GGHLite May, 4 8/ 9

11 -Graded encoding scheme A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding level- level- encode at any level level- Adeline Langlois GGHLite May, 4 8/ 9

12 -Graded encoding scheme A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding Addition S (α+α) i level- + S (α +α ) level- level- Adeline Langlois GGHLite May, 4 8/ 9

13 -Graded encoding scheme A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding Multiplication S (α α) i +i level- level- S (α α) with i + i level- Adeline Langlois GGHLite May, 4 8/ 9

14 -Graded encoding scheme A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding Multiplication S (α α) i +i level- level- S (α α) 3 with i + i level- Adeline Langlois GGHLite May, 4 8/ 9

15 -Graded encoding scheme key exchange A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding S (α) level- S (α) level- S (α) α = α i level- S (α) S (α) (using extraction) Adeline Langlois GGHLite May, 4 8/ 9

16 Plan Introduction Cryptographic multilinear maps Graded encoding scheme GGH Preliminaries The GGH scheme Hardness assumption: GDDH Our contributions: GGHLite Improving the re-randomization Reduction from cgcdh to GCDH New LHL over rings Parameters and applications Adeline Langlois GGHLite May, 4 9/ 9

17 Notations Polynomial Ring: R = Z[x]/ x n + for n power of, R is isomorphic to the ring of integers of K = Q[e iπ/n ]: K Q[x]/ x n +, O K Z[x]/ x n +. Rich algebraic structure (great for design and proofs). Let q and Z q = Z/qZ. We let R Enc = Z q [x]/ x n +, Arithmetic in R q costs Õ(n log q). Rq is isomorphic to O K /(q). Adeline Langlois GGHLite May, 4 / 9

18 Lattices b b Lattice { i n x ib i : x i Z}, for some lin. indep. b i R n. Adeline Langlois GGHLite May, 4 / 9

19 Lattices λ λ Minimum: λ (Λ) = min( b : b Λ \ ) γ-svp Find b Λ with: < b γ λ (Λ). Lattice { i n x ib i : x i Z}, for some lin. indep. b i R n. No known sub-exp. algorithm for γ = poly(n), Not even quantumly, Seems harder than Int-Fac and DLog. Adeline Langlois GGHLite May, 4 / 9

20 Discrete Gaussian on lattices For a n-dimensional lattice Λ, a non-singular matrix S R n n : x Λ : D Λ,S,c [x] exp ( π S (x c) ). Example: if Λ = Z and S = s Adeline Langlois GGHLite May, 4 / 9

21 Discrete Gaussian on lattices For a n-dimensional lattice Λ, a non-singular matrix S Rn n : x Λ : DΛ,S,c [x] exp πks (x c)k. I small size (depending on S), I sum is still Gaussian. Adeline Langlois GGHLite May, 4 / 9

22 GGH: High Level Description g principal ideal over R(= Z[x]/ x n + ) with small g (secret), R Enc = R q R Plain = R/ g Plaintext: e element of R/ g, Level- encoding: [c/z] q for z U(R q) (secret). where c is a small coset representative of e + g, Level-k encoding: [c/z k ] q Adeline Langlois GGHLite May, 4 3/ 9

23 GGH: High Level Description g principal ideal over R(= Z[x]/ x n + ) with small g (secret), R Enc = R q R Plain = R/ g Plaintext: e element of R/ g, Level- encoding: [c/z] q for z U(R q) (secret). where c is a small coset representative of e + g, Level-k encoding: [c/z k ] q Adding add: Given level-k u = [c /z k ] q and u = [c /z k ] q: Return u = [u + u ] q, a level-k encoding of [c + c ] g. u = [u + u ] q = [(c + c )/z k ] q Multiplying mult: Given level-k encoding u = [c /z k ] q, level-k encoding u = [c /z k ] q: Return u = [u u ] q, a level-(k + k ) encoding of [c c ] g. u = [u u ] q = [(c c )/z k +k ] q Adeline Langlois GGHLite May, 4 3/ 9

24 GGH: High Level Description g principal ideal over R(= Z[x]/ x n + ) with small g (secret), R Enc = R q R Plain = R/ g Public parameter: y level- encoding of, Plaintext: e element of R/ g, Level- encoding: [c/z] q = [e y] q for z U(R q) (secret). where c is a small coset representative of e + g, Level-k encoding: [c/z k ] q = [e y k ] q Adeline Langlois GGHLite May, 4 3/ 9

25 GGH: randomization To ensure security need randomization of the Public parameters {x j } j [mr] level- of zero. Plaintext: e element of R/ g, Level- encoding: [u + j ρ jx j ] q = [(c + gr)/z] q, where ρ j is sampled from a discrete Gaussian over Z, q c + gr. Encoding of zero Adeline Langlois GGHLite May, 4 4/ 9

26 GGH: randomization To ensure security need randomization of the Public parameters {x j } j [mr] level- of zero. Plaintext: e element of R/ g, Level- encoding: [u + j ρ jx j ] q = [(c + gr)/z] q, where ρ j is sampled from a discrete Gaussian over Z, q c + gr. Encoding of zero Discrete Gaussian over Z Adeline Langlois GGHLite May, 4 4/ 9

27 GGH Instance generation InstGen( λ, ): Sample g D R,σ. Sample z U(R q). Sample a level- encoding of : set y = [a z ] q with a D + g,σ. For i, sample m r level-i of : (x (i) j ) j m r. Return public parameters par = (n, q, y, {x (i) j } j m r,i ). Level-k encoding enc k (par, e): Given e R/ g : Encode e at level k: Compute u = [e y k ] q (u = [c /z k ] q). Re-randomize: Sample ρ j χ k for j m r and return [ u = u + [ ] m r j= ρ j x(k) j = c + ] j ρ j b (k) j q z k q Extraction at level Adeline Langlois GGHLite May, 4 5/ 9

28 Which security? Ext Graded Decisional Diffie-Hellman Ext-GDDH: Given + level- encoding u i of plaintexts e i, distinguish between the extraction of a level- encoding of the product of the e i and the extraction of level- encoding of a random element. To ensure security need randomization of the Without re-randomization, e can be efficiently recovered from u = [e y] q and y (by computing [u y ] q ). Re-randomization can prevent this attack. With which parameters? This work: understand the security of the re-randomization and propose efficient GGH variant achieving this security. Adeline Langlois GGHLite May, 4 6/ 9

29 Plan Introduction Cryptographic multilinear maps Graded encoding scheme GGH Preliminaries The GGH scheme Hardness assumption: GDDH Our contributions: GGHLite Improving the re-randomization Reduction from cgcdh to GCDH New LHL over rings Parameters and applications Adeline Langlois GGHLite May, 4 7/ 9

30 GGHLite: Our contribution We improve encoding re-randomization in GGH m r level- of : {x j } j mr, To randomize u = [e y] q, output u = [u + j ρ jx j ] q, Randomizers ρ j s are sampled from D Z,σ j ρ jx j Gaussian. Adeline Langlois GGHLite May, 4 8/ 9

31 GGHLite: Our contribution We improve encoding re-randomization in GGH m r level- of : {x j } j mr, To randomize u = [e y] q, output u = [u + j ρ jx j ] q, Randomizers ρ j s are sampled from D Z,σ j ρ jx j Gaussian. Question : What does it mean to prevent correlation attack? Question : How large σ should be? Question : Why are the ρ j integers? Adeline Langlois GGHLite May, 4 8/ 9

32 GGHLite: Formalizing Re-randomization Security Informal requirement: Prevent correlation of statistical properties of re-randomized encoding with encoded element. Formal requirement: Breaking Ext-GCDH problem is as hard as breaking canonical Ext-GCDH problem. We define: GCDH: B has columns the b j s canonical GCDH: Given u i = [(c i + m r j= ρ j,i b j )z ] q Given u i = [ c i z ] q = [ c i z ] q = Enc (e i ) with c i D g +ei,σ B T, compute the extraction of a level encoding of the product c c +. c i D g +ei,σ B T,c i small centre c i. c i D g +ei,σ B T, zero centre. Adeline Langlois GGHLite May, 4 9/ 9

33 GGHLite: First Main Ingredient Question : How large σ should be? In GGH: Exponential drowning suffices: σ / c λ, Makes distribution of u (almost) independent of u, But incurs severe efficiency penalty. Need q λ, Security deteriorates exponentially with log q, Need quadratic dimension: n λ. GGHLite first ingredient: We show that polynomial drowning is sufficient for security, our analysis only seems to apply to computational GDH problem. We use Rényi Divergence in place of Statistical Distance in analysing re-randomized distribution vs. canonical one. Adeline Langlois GGHLite May, 4 / 9

34 GGHLite Re-randomization Security: First Ingredient Distribution of c i (with u i = [c i /z] q ): Ext-GCDH D D g +ei,σ B T,c i small centre c i. can-ext-gcdh D D g +ei,σ B T, zero centre. GGH strong requirement based on statistical distance (SD): (D, D ) def = x D (x) D (x), Adversary A Ext-GCDH with success ε A canext-gcdh with success ε ε ε (D, D ), To handle ε = λ, need (D, D ) < λ. Consequently, need σ = c i Ω(λ) (exponential drowning). Adeline Langlois GGHLite May, 4 / 9

35 GGHLite Re-randomization Security: First Ingredient Distribution of c i (with u i = [c i /z] q ): Ext-GCDH D D g +ei,σ B T,c i small centre c i. can-ext-gcdh D D g +ei,σ B T, zero centre. GGHLite weak requirement based on Rényi divergence (RD): R(D D ) def = x D (x) D (x), Adversary A Ext-GCDH with success ε A canext-gcdh with success ε ε ε R(D D ), Useful even if ε < R(D, D ) use R(D D ) poly(λ). For R(D D ) poly(λ), can use σ = O( ). c i log λ Adeline Langlois GGHLite May, 4 / 9

36 First Result about Re-Randomization Question : What does it mean to prevent this attack? Question : How large σ should be? canonical Ext-GCDH, Reduction from canonical Ext-GCDH to Ext-GCDH using Rényi divergence, No more exponential drowning, Value of σ : from Õ(n5.5 ) to Õ(λ λn 4.5 ). Adeline Langlois GGHLite May, 4 / 9

37 First Result about Re-Randomization Question : What does it mean to prevent this attack? Question : How large σ should be? canonical Ext-GCDH, Reduction from canonical Ext-GCDH to Ext-GCDH using Rényi divergence, No more exponential drowning, Value of σ : from Õ(n5.5 ) to Õ(λ λn 4.5 ). Question : Why are the ρ j integers? Adeline Langlois GGHLite May, 4 / 9

38 GGHLite: Second Main Ingredient Question : Why are the ρ j integers? In GGH construction: Needs m r = Ω(n log n) of, Uses rational integer Gaussian randomizers (ρ j Z), Uses a discrete Gaussian Leftover Hash Lemma (LHL) to show j m r ρ j b j distribution is close to a discrete Gaussian on g. GGHLite second ingredient: m r = of are sufficient Uses Gaussian randomizers over full ring (ρ j R), New algebraic variant of discrete Gaussian LHL over R: j m r ρ j b j distribution is close to a discrete Gaussian on g. Adeline Langlois GGHLite May, 4 3/ 9

39 GGHLite Re-randomization Security: Second Ingredient Distribution of c i (with u i = [c i /z] q ): D in Ext-GCDH problem: D g +ei,σ B T,c small centre c i i. [(c i + ρ b + ρ b )/z] q with ρ i D R,σ. How do we show ρ b + ρ b D g,σ B T,? (B = g [t, t ] R ) Step : Show T R = [t, t ] R = R, except for proba C <. Probability that two random algebraic integers are co-prime, Step : Study the orthogonal module lattice A T = {v R : T v = }. Bound the minima λ n(a T ) of the lattice, Apply known results [AGHS] on smoothing of Gaussians modulo a lattice. Adeline Langlois GGHLite May, 4 4/ 9

40 Second Result about Re-Randomization Question : What does it mean to prevent this attack? Question : How large σ should be? canonical Ext-GCDH, Reduction from canonical Ext-GCDH to Ext-GCDH using Rényi divergence, No more exponential drowning, Value of σ : from Õ(λ n 4.5 (λ + log )) to Õ(n4.5 log ). Question : Why are the ρ j integers? New algebraic variant of discrete Gaussian LHL over R, Number of re-randomizers: from Ω(n log n) to. Adeline Langlois GGHLite May, 4 5/ 9

41 GGHLite: Asymptotic Parameters For level: Parameter GGHLite GGH m r Ω(n log n) σ Õ(n 5.5 ) Õ( λ λn 4.5 ) q Õ((n.5 ) 8 ) Õ(( λ λ.5 n 8.5 ) 8 ) n O(λ log λ) O(λ ) enc O( λ log λ) O( λ 3 ) par O( 3 λ log λ) O( 4 λ 5 log λ) Adeline Langlois GGHLite May, 4 6/ 9

42 Adapting Applications of GGH to GGHLite Applications often need semantic security: no partial information on key leaks. GGH security analysis: Extraction Graded DDH problem Given u = Enc (c ),..., u N = Enc (c N ), Distinguish between the distributions where c is uniform in R/ g. v D = Ext(Enc N (c c N )) and v R = Ext(Enc N (c c c N )). GGHLite security analysis only to Extraction Graded Computational DH problem (Ext-GCDH). Adeline Langlois GGHLite May, 4 7/ 9

43 Adapting Applications of GGH to GGHLite Question: How to adapt GGH applications to rely on Ext-GCDH rather than GDDH? Answer: Replace K = ext(v) in original protocol by K = H(ext(v)) in modified protocol, where H( ) is a cryptographic hash function. If H( ) is modelled as a Random Oracle Model, then security of modified protocol relies on Ext-GCDH our GGHLite analysis applies. Adeline Langlois GGHLite May, 4 8/ 9

44 Conclusion GGHLite: a more efficient variant of GGH graded encoding scheme. Open Problems: Can our Rényi divergence analysis be applied to the Decision Graded Diffie Hellman problem? Understand the complexity of canonical Ext-GCDH problem provable relation to standard lattice problems? Understand relation between GGH/GGHLite and more recent Jigsaw puzzle variants (obfuscation). Concrete computational / space efficiency of GGHLite based on best known attacks? Adeline Langlois GGHLite May, 4 9/ 9

GGHLite: More Efficient Multilinear Maps from Ideal Lattices

GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois 1, Damien Stehlé 1, Ron Steinfeld 2 1 ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENS de Lyon, INRIA, UCBL), 46 Allée d Italie,