Multilinear maps via secret ring

Transcription

1 Multilinear maps via secret rin Chunshen Gu School of Computer Enineerin, Jiansu University of Technoloy, China Abstract. Gar, Gentry and Halevi (GGH13) described the first candidate multilinear maps usin ideal lattices. However, Hu and Jia recently presented an efficient attack on the GGH13 map, which breaks the multipartite key exchane (MPKE) and witness encryption (WE) based on GGH13. In this work, we describe a new variant of GGH13 usin secret rin, which preserves the oriin functionality of GGH13. The security of our variant depends upon the followin new hardness problem. Given the determinant of the circular matrix of some element in a secret rin, the problem is to find this secret rin and reconstruct this element. Keywords: Multilinear maps, ideal lattices, multipartite key exchane, witness encryption, zeroizin attack 1 Introduction Gar, Gentry, and Halevi (GGH13) described the first candidate construction of multilinear maps from ideal lattices 16. Followin the framework of GGH13, Coron, Lepoint, and Tibouchi (CLT13) presented another candidate over the inteers usin Chinese remainder theorem 11. Gentry, Gorbunov and Halevi (GGH15) 19 constructed a raph-induced multilinear maps from lattices. To improve efficiency, Lanlois, Stehlé, and Steinfeld 34 also proposed a variant GGHLite of GGH13. While cryptoraphic multilinear maps have found extensive applications, includin witness encryption 23, eneral proram obfuscation 18,38, function encryption 18, and other applications 3,17,5,18, all known constructions of multilinear maps exist security problems 7,21,28,2,1,9,10. For the GGH13 map, Hu and Jia 28 recently described an efficient attack, which breaks the GGH13-based applications on multipartite key exchane (MPKE) and witness encryption (WE) based on the hardness of 3-exact cover problem. Cheon and Lee 8 proposed an attack for the GGH13 map by computin a basis of secret ideal lattice. To fix the GGH13 map, Gentry, Halevi and Lepoint 26 first described a variant of the GGH13 scheme 16, in which the linear zero-testin procedure from 16 is replaced by a uadratic (or hiherderee) procedure. However, Brakerski et al. 2 have showed that this variant of the GGH13 map fails to thwart zeroizin attacks. Then, Halevi 27 described a variant of GGH13 based on raph-induced constraints. But, Coron et al 9 proved that this variant is also insecure.

2 2 Chunshen Gu On the other hand, Gu (Gu map-1) 24 constructed a new multilinear map without encodins of zero, which is a variant of GGH13. Since no encodins of zero are iven in the public parameters, MPKE based on Gu map-1 30 successfully avoids the attack in 28. However, Gu map-1 cannot be used for the instance of witness encryption based on the hardness of 3-exact cover problem 29. This is because there is no randomizer in Gu map-1. But the instance of WE based on the hardness of 3-exact cover problem is a stron application of multilinear map. To support witness encryption, Gu (Gu map-2) 25 also suested another variant of GGH13 with encodins of zero by introducin random matrices. For the CLT13 map, Cheon, Han, Lee, Ryu, and Stehlé 7 broke CLT13 usin zeroizin attack introduced by Gar, Gentry, and Halevi. To fix the CLT13 scheme, Gar, Gentry, Halevi and Zhandry 20, and Boneh, Wu and Zimmerman 4 suested two candidate fixes of multilinear maps over the inteers. However, Coron, Lepoint, and Tibouchi showed that two candidate fixes of CLT13 can also be defeated usin extensions of the Cheon et al. s Attack 7. By modifyin zerotestin parameter, Coron, Lepoint and Tibouchi 13 proposed a new variant of CLT13. Unfortunately, this new version CLT15 is also broken by Cheon, Lee, and Ryu 10, and Minaud and Fouue 35. For the GGH15 map, Coron et al 9 recently 9 described an efficient attack of GGH15 by extendin the Cheon et al. s attack 7, which breaks the GGH15- based MPKE by eneratin an euivalent user private key. Althouh Gu map-2 has included encodins of zero, it uses the public rin R = Zx/ x n + 1. In fact, all computations in Gu map-2 are operated over Z, and no loner use R. In particular, The disclosure of this rin R may have security weaknesses. In this work, we will focus on the GGH13 variant based on secret rins. Concurrently, Halevi 27 have observed that this kind of secret rin may improve the security of the scheme. However, Halevi wrote in 27 It is not clear if there are very many different rins that have such nice eometry, and in particular it is not clear if hidin the rin is really possible. Note that nice eometry means to be able to encode arbitrary cosets as small matrices. Therefore, it can be said that this paper continues the work of 25 and 27. On one hand, we describe a new variant of the scheme in 25 by usin secret rins. On the other hand, we also partially answer the problems presented by Halevi in Our results The GGH13 map. The GGH13 map works in a polynomial rin R = Zx/ x n + 1, where n is a positive inteer. A random lare inteer, a secret short rin element R, and a secret random invertible element z R = R/R are chosen durin eneratin the public parameters of the GGH13 construction. A plaintext element e in R/R is encoded at level-k as c/z k, where c is a small element in the coset e I = e+r for some r R. Encodins at the same level can be added and subtracted as lon as the numerator of the sum of the encodins

3 Multilinear maps via secret rin 3 is not reduced modulo. Similarly, encodins at levels i, j can be multiplied so lon as the numerator of the product of the encodins is not reduced modulo. A zero-testin parameter p zt = hz κ / is presented to test for zero at a level-κ encodin. Given a level-κ encodin u = c/z κ, one computes v = u p zt and checks if the norm of v is smaller than to determine whether u is zero or not. Our construction. The basic idea of our construction is to use some secret rin R = Zx/ f with monic irreducible polynomial f, and transform GGH13 over R into its matrix version. Concretely speakin, our construction works in a polynomial rin R = Zx/ f, where f = x n + n/2 f ix i such that f i i=0 are small inteers. Similar to GGH13, we can enerate the public parameter as follows: First, we enerate the level-1 encodins y i = ai+ei z of some non-zero elements e i R and transform them into its matrix form Y i = TRot(y i )T 1 over Z n n, where T Z n n, and Rot(y i ) is a matrix whose j-th column is the vector of the coefficients of x j 1 y i mod f. Then, we enerate the zero-testin parameters correspondin to y i in matrix form P zt,i = TRot( zκ (b i+e i) )S, where T, S Z n n. Next, we enerate a list of level-1 encodins x i = ci z of 0 and transform them into its matrix form X i = TRot(x i )T 1 over Z n n. Finally, we sample another two matrics T 1 D Z k 1,σ, S n 1 D Z n k 2,σ with k 1, k 2 n, and set T = T 1 T 1, S = S 1 S 1. It is not difficult to verify that this construction supports addition and multiplication operations of encodins as lon as encodins in the operation satisfies the level constraints correspondin to operations. Moreover, iven a level-κ encodin U, we can compute V = T UP zt S and checks if the norm of V is smaller than to determine if U encodes zero, where P zt = d ip zt,i with i d i Z. Therefore, we have obtained a new variant of GGH13. To improve the efficiency of our scheme, we can replace Z in R with R θ = Zθ/ θ λ + 1, and set λ as the security parameter. In this case, we can take a constant n and a monic irreducible polynomial f with coefficients f i R θ such that f i O(λ). Furthermore, our construction supports all applications usin GGH13 as public tools of encodin since it includes encodins of zero in the public parameters. As a conseuence, our scheme can adaptively support the GGH13-based MPKE and WE that have been broken by Hu and Jia in Oranization We briefly recall some backround in Section 2. We describe our construction usin secret rin in Section 3. We describe new hardness assumption and analyze the security of our scheme in Section 4. We present MPKE and WE based on our construction in Section 5. Finally we draw some conclusions in Section 6.

4 4 Chunshen Gu 2 Preliminarie 2.1 Notations We denote Z, Q, R the rin of inteers, the field of rational numbers, and the field of real numbers. We take n as a positive inteer, and let n be the set {1, 2,..., n}. We use the absolute minimum residual system of modulo, namely a ( /2, /2. We denote vectors by lowercase bold letters, and matrices by uppercase bold letters, such as a, A. We write I as the identity matrix. We denote by a j the j-th element of a, and A i,j the element of the i-th row and j-th colomn of A. Notation a (resp. a ) denotes the Euclidean norm (resp. the infinity norm) of a. 2.2 Alebra We denote by Zx and Qx the sets of polynomials with inteer and rational coefficients respectively. A polynomial is monic if the coefficient of its hihest deree is one. A polynomial is irreducible if it cannot be represented as a product of lower deree polynomials. Let f Zx be a monic irreducible polynomial with deree n. Let R be the polynomial rin Zx/ f, and R = R/R. For a R, a denotes each coefficient a i ( /2, /2 of a. For simplicity, we identify deree-(n 1) polynomials with the correspondin n-dimensional vectors whose coordinates are correspondin to the coefficients of the polynomial. For example, we define the p-norm a p of a polynomial a Zx as the norm of the correspondin vector. When there is no ambiuity, we sometimes abuse a R and its correspondin vector a. In this paper, we need some definitions and lemma introduced by Lyubashevsky and Micciancio 33. Lemma 2.1 (Lemma 3.2, 33). Every ideal I of Zx/ f, where f is a monic, irreducible polynomial of deree n, is isomorphic to a full-rank lattice in Z n. We first recall the definition of the expansion factor of polynomials 33. Definition 2.2. Let f Zx be a monic irreducible polynomial of deree n. The expansion factor of f is defined as φ f = a max a Zx,de(a) 2(de(f) 1) mod f a. Lemma 2.3 (Theorem 3.5, 33). Given a monic polynomial f Zx: (1) If f = x n n/2 + f i x i, then φ f ( 2f 1 ) 3. i=0 (2) If f = x n + n 1 f i x i, then φ f ( 2f 1 ) n 1. i=0

5 Multilinear maps via secret rin Lattices An n-dimensional full-rank lattice L R n is the set of all inteer linear combinations n x ib i of n linearly independent vectors b i R n. If we arrane the vectors b i as the columns of matrix B R n n, then L = {Bx : x Z n }. We say that B spans L if B is a basis for L. Given a basis B of L, we define P (B) = {Bx x R n and x i 1/2, 1/2)} as the parallelization correspondin to B. Let det(b) denote the determinant of B. Given R, let I = be the principal ideal in R enerated by. We denote the Z-basis of I by Rot() = ( mod f, x mod f,..., x n 1 mod f). Namely, the i-th column of Rot() is the vector of the coefficients of x i 1 mod f. Given c R n, σ > 0, the Gaussian distribution of a lattice L is defined as D L,σ,c = ρ σ,c (x)/ρ σ,c (L) for x L, where ρ σ,c (x) = exp( π x c 2 /σ 2 ), ρ σ,c (L) = x L ρ σ,c(x). As shorthand, we will write D L,σ instead of D L,σ,0. We denote a Gaussian sample as x D L,σ (or d D I,σ ) over the lattice L (or I). Definition 2.4 (Smoothin parameter 36). For an n-dimensional lattice L, and positive real ɛ > 0, the smoothin parameter η ɛ (L) is defined to be the smallest s such that ρ 1/s (L \{0}) ɛ. Lemma 2.5 (Lemma ). For any n-dimensional lattice L and a neliible function ɛ(n), η ɛ (L) ω(lo n) λ n (L), where ω(lo n) is any superloarithmic function. Lemma 2.6 (Lemma ). For any n-dimensional lattice L, vector c R n, and reals 0 < ɛ < 1, s η ɛ (L), we have Pr { x c > s n} 1 + ɛ x D L,s,c 1 ɛ 2 n. 2.4 Multilinear Maps Definition 2.7 (Multilinear Map 3). For κ + 1 cyclic roups G 1,..., G κ, G T of the same order, a κ-multilinear map e : G 1... G κ G T has the followin properties: (1) Elements { j G j } j=1,...,κ, index j κ, and inteer a Z hold that e( 1,..., a j,..., κ ) = a e( 1,..., κ ) (2) Map e is non-deenerate in the followin sense: if elements { j G j } j=1,...,κ are enerators of their respective roups, then e( 1,..., κ ) is a enerator of G T. Definition 2.8 ( κ-graded Encodin System 16). A κ-raded encodin system over R is a set system of S = {S (a) j R : a R, j κ} with the followin properties: (1) For every index j κ, the sets S = {S (a) j R : a R} are disjoint. (2) Binary operations + and exist, such that every a 1, a 2, every index j κ, and every u 1 S (a1) j and u 2 S (a2) j hold that u 1 + u 2 S (a1+a2) j and

6 6 Chunshen Gu u 1 u 2 S (a1 a2) j, where a 1 + a 2 and a 1 a 2 are the addition and subtraction operations in R respectively. (3) Binary operation exists, such that every a 1, a 2, every index j 1, j 2 κ with j 1 +j 2 κ, and every u 1 S (a1) j 1 and u 2 S (a2) j 2 hold that u 1 u 2 S (a1 a2) j 1+j 2, where a 1 a 2 is the multiplication operation in R and j 1 + j 2 is the inteer addition. 3 Multilinear map via secret rin Settin the parameters. Let λ be the security parameter, κ the multilinearity level, n the dimension of elements of R. Concrete parameters are set as σ = λ, α = λ 2, n = λ 2, τ = 2n, β =, 2 12κ+1 λ 64κ+124, k 1, k 2 n such that k 1 k 2 < n. 3.1 Construction Instance eneration Par InstGen(1 λ, 1 κ ): (1) Choose a prime 2 16κλ n O(κ). (2) Choose a monic irreducible polynomial f(x) Zx such that f = x n + n/2 f ix i with f i < σ. Let R = Zx/ f, R = R/R, and K = Qx/ f. i=0 (3) Sample D R,σ so that is a prime element in R and 1 n, and a random element z R so that z 1 R. (4) Sample T, S Z n n so that T 1, S 1 Z n n. (5) Sample T 1 D Z k 1,σ, S n 1 D Z n k 2,σ, and set T = T 1 T 1, S = S 1 S 1. (6) For i τ, (6.1) sample elements a i, e i, c i D R,α, b i D R,β ; (6.2) set Y i = TRot( ai+ei z )T 1, X i = TRot( ci z )T 1 ; (6.3) set P zt,i = TRot( zκ (b i+e i) )S. (7) Output the public parameters Par = {, {Y i, X i, P zt,i } i τ, T, S }. Generatin level-t encodin U Enc(Par, t, d, r): Given d D Z τ,α and r D Z τ,α, enerate a level-t encodin τ U = d i (Y i ) t + τ r i (X i ) t. Addin encodins U Add(Par, t, U i,, U k ): k Given k level-t encodins U i, i k, their sum U = U i encodin. Multiplyin encodins U Mul(Par, 1, U 1,, U k ): k Given k level-1 encodins U i, i k, their product U = level-k encodin. Zero testin IsZero(Par, U, d): is a level-t U i is a

7 Given a level-κ encodin U = TRot( r+e z κ (1) we compute P zt = τ d ip zt,i, V = (2) we check whether V is short. That is, IsZero(Par, U, d) = Multilinear maps via secret rin 7 )T 1 and a vector d D Z τ,α, T U P zt S ; { 1, if V < 3/4 ; 0, otherwise. Extraction sk Ext(Par, U, d): Given a level-κ encodin U and a vector d D Z τ,α, (1) we compute P zt = τ d ip zt,i, V = T U P zt S ; (2) we collect (lo )/4 λ most-sinificant bits of each element of the k 1 k 2 - matrix V. That is, Ext(Par, U, d) = MSB(V). Remark 3.1. (1) Note that the above construction is similar to that in 25. The main difference is that this scheme uses some secret rin R = Zx/ f, whereas the scheme in 25 uses the public rin R = Zx/ x n + 1. As a result, this difference can lead to sinificant differences in their security. Concrete details are analyzed later. (2) It is easy to transform the above symmetric construction into an asymmetric variant by usin different elements z j and random matrices T j. 3.2 Correctness To prove the correctness, we first describe two simple lemmas. Lemma 3.2. If a, b R, then Rot(a)Rot(b) = Rot(ab mod f). Proof. We only need to show that the first column of Rot(a)Rot(b) is eual to the vector correspondin to the polynomial ab mod f. It is easy to verify that the first column of Rot(a)Rot(b) is correspondin to n 1 i=0 b i (ax i mod f) = (a n 1 i=0 b ix i ) mod f = ab mod f. Lemma 3.3. If a, b R, then Rot(a)Rot(b) = Rot(ab mod f). Proof. The proof is completely similar to that of Lemma 3.2. Lemma 3.4. The alorithm InstGen(1 λ, 1 κ ) runs in PPT. Proof. A prime element R can be enerated in PPT accordin to Landau s prime number theorem (Theorem 5.17, 15). It is easy to verify that all other operations can run in PPT. Lemma 3.5. The encodin U Enc(Par, t, d, r) is a level-t encodin.

8 8 Chunshen Gu Proof. By Y t i = T Rot( ai+ei z ) t T 1 and X t i = have τ U = d i Y t i + τ r i X t i = ( τ T Rot d ia i + τ r ic i + τ = T Rot ( a + e) T 1 z t z t T Rot( ci z )t T 1, we d ie t i ) T 1 where a i = ((a i + e i ) t e t i )/, c i = (c i) t /, a = τ d i a i + τ r ic i, and e = τ d i e t i. Lemma 3.6. U = Add(Par, t, U i,, U k ) is a level-t encodin. Proof. Given level-t encodins U i, i k. Let U i = T Rot ( r ) i +e i z T 1. t Then k U = U i = T Rot ( r + e) T 1 z t, where r = k r i and e = k e i. Lemma 3.7. U Mul(Par, 1, U 1,, U k ) is a level-k encodin. Proof. Given level-1 encodins U i, i k, let U i = T Rot ( r ) i +e i z T ) 1. Then, by Lemma 3.3 we have U = T Rot ( r + e) T 1 z k, where e = k e i, r = ( k (r i + e i ) e)/. Lemma 3.8. IsZero(Par, U, d) correctly determines whether U is a level-κ encodin of zero or not. Proof. By Lemma 2.3 and f = x n + n/2 f ix i, we have i=0 φ f = 2f 3 1 = (nσ) 3 = λ 9. Given P zt,i = TRot( zκ (b i+e i) )S and d D Z τ,α, we have P zt = τ d ip zt,i = TRot ( z κ (h + c) ) S, where h = τ d ib i, and c = τ d ie i. By b i D R,β, e i D R,α, and d D Z τ,α, we obtain h = τ d ib i τ d i b i 2n 2 αβ 2λ 7, c = τ d ie i τ d i e i 2n 2 α 2 2λ 8, h + c 2φ f h λ 9 2λ 7 nσ 2λ 18.

9 Without loss of enerality, we let U = Multilinear maps via secret rin 9 κ encodin. Accordin to U j = Enc(Par, 1, d j, r j ), we have τ U j = d j,i Y i + τ r j,i X i = j=1 U j T Rot (a (j) + e (j) z where a (j) = τ d j,ia i + τ r j,ic i, e (j) = τ d j,ie i. Similarly, by a i, e i, c i D R,α, and d j D Zτ,α, we have since U is a level-κ a (j) = τ d j,ia i + τ r j,ic i 2τ d j,i a i 4n 2 α 2. e (j) = τ d j,ie i τ d j,i e i 2n 2 α 2. So, we et κ j=1 ( ) κ a(j) + e (j) φ κ 1 f ( ) a (j) + e (j) j=1 φ κ 1 ( f max 2 a ) κ (j) φ f j κ φ κ 1 ( f 2 4n 2 α 2 nσ ) κ φ f φ 2κ 1 ( f 8n 2.5 α 2 σ ) κ 8 κ λ 16κ 4. ) T 1, We now analyze the encodin U encodes 0 or non-zero, respectively. For simplicity, we let U = T Rot ( a + e) T 1, where e = κ e (j), and a = κ ( ) a(j) + e (j) e. j=1 j=1 If U is a level-κ encodin of zero (i.e. e = 0), then, V = T U P zt S = T TRot( a z κ )T 1 T Rot ( z κ (h + c) ) S S = T 1 Rot ( a(h + c) ) S 1 z κ Since T 1 = S 1 n nσ λ 4, we obtain T 1 Rot ( a(h + c) ) S 1 T 1 Rot ( a(h + c) ) S 1 λ 8 a(h + c) λ 8 a h + c φ f λ 8 8 κ λ 16κ 4 2λ 18 λ 9 < 3/4

10 10 Chunshen Gu Thus, V is not reduced modulo. That is, V = V. If U is a level-κ encodin of non-zero, i.e. e 0 mod. Thus, V = T U P zt S = T 1 Rot( a + e z κ ) Rot ( z κ (h + c) ) S1 = T 1 Rot ( (a + e)(h + c) ) S1 = T 1 Rot ( a(h + c) ) S 1 + T 1 Rot ( e(h + c) ) S1 By Lemma 4 in 16, we have T 1 Rot ( e(h + c) ) S1. Aain usin T 1 Rot ( a(h + c) ) S 1 3/4, we have V. Lemma 3.9 Suppose that two level-κ encodins U 1, U 2 encode same plaintext, then Ext(Par, U 1, d) = Ext(Par, U 2, d). Proof. Assume that U i = T Rot( ui+e z )T 1 i 2. So, we have, κ V i = T U i P zt S = T 1 Rot( u i + e z κ ) Rot ( z κ (h + c) ) S1 = T 1 Rot ( (u i + e)(h + c) ) S1 = T 1 Rot ( u i (h + c) ) S 1 + T 1 Rot ( e(h + c) ) S1 For our parameters settin, T 1 Rot ( u i (h + c) ) S 1 3/4. When e 0 mod, by Lemma 4 in 16, we have T 1 Rot ( e(h + c) ) S1. Thus, Ext(Par, U 1, d) = Ext(Par, U 2, d) with overwhelmin probability. 3.3 Variant To improve the efficiency of our construction, we use polynomial rin instead of inteer rin. Concretely speakin, we let R θ = Zθ/ θ λ + 1, and R = R θ x/f, R = R/R. In this case, we can set n as a constant and f = x n + n 1 f i x i with coefficients f i R θ such that f i O(λ). It is easy to verify that this variant of our construction is still correct. i=0

11 Multilinear maps via secret rin 11 4 Security 4.1 Hardness assumption Consider the followin security experiment: (1) Par InstGen(1 λ, 1 κ ) (2) For j = 0 to κ: Sample d j D Z τ,α, r j D Z τ,α; τ Generate level-1 encodin U j = d j,iy i + τ k (3) Set U = U j and P zt = τ d 0,iP zt,i. j=1 (4) Set V c = V d = T U P zt S. (5) Sample s D Z τ,α, and set P zt,r = τ s ip zt,i. (6) Set V r = T U P zt,r S. j=1 r j,ix i Definition 4.1. (ext-gcdh/ext-gddh). Accordin to the security experiment, the ext-gcdh and ext-gddh are defined as follows: Level-κ extraction CDH (ext-gcdh): Given {Par, U 0,, U κ }, output a level-κ extraction encodin W Z k1 k2 such that Vc W 3/4. Level-κ extraction DDH (ext-gddh): Given {Par, U 0,, U κ, V}, distinuish between D ext GDDH = {Par, U 0,, U κ, V d }, D ext RAND = {Par, U 0,, U κ, V r } Cryptanalysis In this section, we first enerate easily computable uantities in our construction, then analyze possible attacks usin these uantities Easily computable uantities. Since T, S Z n n, we must compute V = T U P zt S to eliminate T, S, where U is a level-κ encodin, P zt = τ d ip zt,i with d Z τ. For simplicity, we write P zt = τ d ip zt,i = TRot ( z κ (h + c) ) S where h 1 = h + c. = TRot ( z κ h 1 ) S,

12 12 Chunshen Gu Let inteer t > 0, U i,j,t = X t iy κ t j be a level-κ encodin of zero. So, we have V i,j,t = T U i,j,t P zt S = T 1 Rot(c i ) t Rot(y j ) κ t Rot ( h 1 ) S1 = T 1 Rot ( c t i t 1 y κ t ) j h 1 S1 = T 1 Rot ( c t i t 1 y κ t j h 1 ) S1, where y j = a j + e j. The final euality is to use the fact that V i,j,t are not reduced modulo Attacks on secret rin Usin different level-κ encodins U i,j,t, we can enerate a list of V i,j,t that are not reduced modulo. Furthermore, we can keep some encodin in U i,j,t unchaned, and chane other encodins to produce (n n)-dimensional matrices in combination. In this way, we can compute the determinants of Rot(c i ), Rot(), Rot(y j ), Rot(h 1 ) by applyin GCD alorithm. 1. Attack of known rin We choose cyclotomic rins as known rins. Let f = x n + 1 be the public polynomial that is used to enerated the rin R, where n is power of 2. Let p = det(rot()). Since p is a prime, GCD(f, ) = x µ mod p. Usin the uantum alorithm 6, we may recover short enerator of. Without loss of enerality, let V i = T 1 Rot(r i )S 1 be a list of (n n)- dimensional matrices enerated by the public parameters. Assume that we obtain r i by the uantum alorithm 6, then we can compute V 1 V 1 2 = T 1 Rot(r 1 /r 2 )T 1 1. Since we have obtained r 1 /r 2, we can compute T 1 and S 1. As a conseuence, we can further find other secret parameters in our construction. Therefore, there may be security weaknesses in the constructions on public rins. Note that in fact, the uantum alorithm in 6 can only recover short enerator of r i, cannot uarantee this short enerator must be r i. In this case, the above attack may not be successful. 2. Attack of secret rin If we keep f secret and choose f = x n + n/2 f ix i with f i < σ, as far as i=0 we know, our construction did not find security weaknesses. Accordin to Landau s prime number theorem (Theorem 5.17, 15), the number of the irreducible polynomials f that satisfy constraints is exponential in n. For any irreducible polynomial f = x n + n/2 f ix i Zx, if there exists linear i=0 factor x µ in f over modulo p, then (p, µ) can enerate a principal ideal that has small enerator. However, iven p = det(rot()), we do not know how to effectively find or f. We conjecture that this problem is difficult.

13 Multilinear maps via secret rin Lattice reduction attack Given V i = T 1 Rot(r i )S 1, we can find T 1, S 1 by lattice reduction alorithms 14,32, and further obtain Rot(r i ) and f. However, when n is lare enouh, all known lattice reduction alorithms run in exponential time in λ Hu-Jia Attack. In this section, we show that the Hu-Jia attack 28 does not work for our construction. 1. Hu-Jia Attack Hu-Jia attack includes three steps. That is, Step 1 enerates an euivalent level-0 encodin for a level-1 encodin; Step 2 computes an euivalent level-0 encodin for the product of several level-0 encodins; Step 3 obtains the shared secret key of an euivalent product level-0 encodin by the modified encodin/decodin. The concrete details are as follows: Step 1: Generate an euivalent level-0 encodin for a level-1 encodin (1) Let par be the public parameters of the GGH13 map, i.e. par = {, y = 1 + a z, x 1 = c 1 z, x 2 = c 2 z We enerate special decodins {y (1), x (i), i = 1, 2}, where y (1) = p zt y κ 1 x 1 = h(1 + a)κ 1 c 1,, p zt = hz κ x (i) = p zt y κ 2 x i x 1 = h(1 + a)κ 2 (c i )c 1, i = 1, 2, }. where y (1), x (i) are not reduced modulo. (2) Given a level-1 encodin u, we have u = dy + r 1 x 1 + r 2 x 2, where d is secret level-0 encodin, and r 1, r 2 random noise elements. Compute special decodin v = p zt uy κ 2 x 1 = dy (1) + r 1 x (1) + r 2 x (2). Since v is not reduced modulo, we compute v mod y (1) = r 1 x (1) mod y (1) + r 2 x (2) mod y (1). (3) Given v mod y (1) and {x (1) mod y (1), x (2) mod y (1) }, we et v = v mod y (1) x (1), x (2) such that (v v ) mod y (1) = 0. Let v = r 1x (1) + r 2x (2). (4) Compute d (0) = (v v )/y (1) over K = RX/ x n + 1 such that the uotient d (0) R. By arranin, we obtain d (0) = v v y (1) = d + (r 1 r 1)c 1 + (r 1 r 2)c r

14 14 Chunshen Gu Aain since and 1 + r are co-prime, we et d d (0). Thus, d (0) is an euivalent level-0 encodin of d. Althouh d (0) is not small, Hu and Jia 28 controlled the size of d (0) by usin x (i). Step 2: Compute an euivalent product of several level-0 encodins Let d (k) be the level-0 encodin included by level-1 encodin u k, d (k,0) an e- uivalent encodin of d (k). Then κ+1 d (k,0) is an euivalent secret of κ+1 d (k) k=1 k=1 such that κ+1 d (k,0) κ+1 d (k). k=1 k=1 Step 3: Find the shared secret key of an euivalent product level-0 encodin Let η = κ+1 d (k,0). We compute η = y (1) η mod x (1), and η = yx 1 η. k=1 2. Non-applicabiltiy of Hu-Jia Attack (1) Let Par be the public parameters of our construction, i.e. Par = {, {Y i, X i, P zt,i } i τ, T, S } For convenience, we let P zt = TRot ( z κ h 1 ) S, y i = a i + e i, x j = c j. Similarly, we enerate special decodins S = {{Y (i) } i τ, {X (j) } j τ } as follows: Y (i) = T (Y κ 2 1 Y i X 1 ) P zt S = T 1Rot(y κ 2 1 y i c 1 h 1 )S 1, X (j) = T (Y κ 2 1 X j X 1 ) P zt S = T 1Rot(y κ 2 1 x j c 1 h 1 )S 1, where Y (i), X (j) are not reduced modulo. (2) Given a level-1 encodin U = τ d i Y i + τ r j X j, we compute j=1 special decodin V = T (UY κ 2 1 X 1 ) P zt S = τ d i Y (i) + τ j=1 r j X (j). Since V is not reduced modulo and V Z k1 k2, V belons to the space spanned by k = k 1 k 2 elements in S. On the one hand, we cannot efficiently find k elements in S such that V = τ1 d i t Y (it) + k τ 1 r j t X t=1 t=1 (jt), and d it, r jt are small inteers. In fact, there sometimes does not exist k elements in S satisfyin to the condition that d it, r jt are small inteers. On the other hand, we cannot efficiently solve V = τ 1 d i t Y (it) + t=1 k τ1 r j t X (jt) such that d it, r jt are small inteers if we choose k = 2τ t=1 elements in S to uarantee that there are small inteers d it, r jt. The inteers d it, r jt, are reuired to be small since V i = T 1 Rot(r i )S 1 cannot be directly multiplied to derive the product of some euivalent secret keys as that in 28. We need to use d it, r jt to enerate the zero-testin parameter P zt correspondin to the level-1 encodin U. In short, we cannot find an euivalent level-0 encodin encoded by U. Thus, the Hu-Jia attack is prevented in our construction.

15 Multilinear maps via secret rin 15 5 Applications In this section, we describe two applications usin our construction, the MPKE protocol and the instance of witness encryption. 5.1 MPKE protocol The MPKE protocol consists of Setup, Publish, and KeyGen as follows: Setup(1 λ, 1 N ): Output Par InstGen(1 λ, 1 κ ) as the public parameters. Publish(Par, j): The j-th party samples d j D Zτ,α, r j D Zτ,α, publishes the public key τ U j = and remains d j as the secret key. (d j,i Y i ) + τ (r j,i X i ) KenGen(Par, j, d j, {U k } k j ): The j-th party computes C j = U k, P zt = τ k j d j,ip zt,i, and extracts the common secret key sk j = Ext(Par, C j, d j ) = MSB ( T C j P zt S ). Theorem 5.1. Suppose the ext-gcdh/ext-gddh defined in Section 4.1 is hard, then our construction is one round multipartite Diffie-Hellman key exchane protocol. 5.2 Witness Encryption Construction Gar, Gentry, Sahai, and Waters 23 constructed an instance of witness encryption based on the NP-complete 3-exact cover problem and the GGH map. However, Hu and Jia 28 have broken the GGH-based WE. In this section, we present a new construction of WE based our new multilinear map. 3-Exact Cover Problem 22. Given a collection Set of subsets T 1, T 2,, T π of K = {1, 2,, K} such that K = 3ξ and T i = 3, find a 3-exact cover of K. For an instance of witness encryption, the public key is a collection Set and the public parameters Par in our construction, the secret key is a hidden 3-exact cover of K. Encrypt(1 λ, Par, M): (1) For k K, sample d k D Zτ,α, r k D Zτ,α and enerate level-1 τ ( ) encodins U k = dk,i Y i + r k,i X i. K (2) Compute U = and sk = Ext(Par, U, {1, 0,, 0}), and k=1 U k encrypt a messae M into ciphertext C. (3) For each subset T j = {j 1, j 2, j 3 }, sample r Tj D Zτ,α, and enerate a level-3 encodin U Tj = U j1 U j2 U j3 + τ. r T j,ix 3 i (4) Output the ciphertext C and all level-3 encodins E = (U Tj, T j Set). Decrypt(C, E, W ):

16 16 Chunshen Gu (1) Given C, E and a witness set W, compute U = Tj W U T j. (2) Generate sk = Ext(Par, U, {1, 0,, 0}), and decrypt C to a messae M. Similar to 23, the security of our construction depends on the hardness assumption of the Decision Graded Encodin No-Exact-Cover. Theorem 5.2. Suppose that the Decision Graded Encodin No-Exact-Cover is hard. Then our construction is a witness encryption scheme Hu-Jia Attacks. (1) The Hu-Jia attack 28 is prevented in our new construction. One cannot obtain an euivalent secret key accordin to the analysis in As a result, one cannot et an euivalent secret key usin a combined 3-exact cover. (2) The Hu-Jia attack 29 is thwarted in our new construction. Since Gu map uses hidden randomizers, in some sense one merely can enerate a deterministically level-3 encodin. As a result, one can compute U Tt = U Tj U Tk (U Tl ) 1 if T t = T j T k T l. Thus, one can enerate a combined 3-exact cover, and correctly compute a secret level-k encodin. However, since U Tj = U j1 U j2 U j3 + τ r T j,ix 3 i is a level-3 encodin in our new construction, one cannot obtain U Tt = U Tj U Tk (U Tl ) 1 when T t = T j T k T l. This is because our construction contains the level-1 encodins X i of zero. 6 Conclusions In this paper, we describe a new variant of GGH13 via secret rin, which supports all applications for public tools of encodin in GGH13, such MPKE and WE. However, the security of our construction depends upon new hardness assumption, which cannot be reduced to classical hardness problem, such as LWE or SVP. Acknowledments. This work was supported in part by the Natural Science Foundation of China under Grant References 1. M. Albrecht, S. Bai, and L. Ducas. A subfield lattice attack on overstretched NTRU assumptions Cryptanalysis of some FHE and Graded Encodin Schemes. CRYPTO 2016, LNCS 9814, pp Z. Brakerskiy, C. Gentry, S. Halevi, T. Lepoint, A. Sahai, M. Tibouchi. Cryptanalysis of the Quadratic Zero-Testin of GGH.

17 Multilinear maps via secret rin D. Boneh and A. Silverber. Applications of multilinear forms to cryptoraphy. Contemporary Mathematics, 324:71-90, D. Boneh, D. J. Wu, and J. Zimmerman. Immunizin multilinear maps aainst zeroizin attacks D. Boneh and M. Zhandry. Multiparty key exchane, efficient traitor tracin, and more from indistinuishability obfuscation. CRYPTO 2014, LNCS 8616, pp R. Cramer, L. Ducas, C. Peikert, and O. Reev. Recoverin Short Generators of Principal Ideals in Cyclotomic Rins, EUROCRYPT 2016, LNCS 9666, pp J. H. Cheon, K. Han, C. Lee, H. Ryu, D. Stehle. Cryptanalysis of the Multilinear Map over the Inteers J. H. Cheon, C. Lee. Cryptanalysis of the multilinear map on the ideal lattices J. S. Coron, M. S. Lee, T. Lepoint, and M. Tibouchi. Cryptanalysis of GGH15 Multilinear Maps. CRYPTO 2016, LNCS 9815, pp J. H. Cheon, C. Lee, H. Ryu. Cryptanalysis of the New CLT Multilinear Maps J. S. Coron, T. Lepoint, and M. Tibouchi. Practical multilinear maps over the inteers. CRYPTO 2013, LNCS 8042, pp J. S. Coron, T. Lepoint, and M. Tibouchi. Cryptanalysis of two candidate fixes of multilinear maps over the inteers J. S. Coron, T. Lepoint, and M. Tibouchi. New Multilinear Maps over the Inteers Y. Chen and P. Q. Nuyen. BKZ 2.0 Better Lattice Security Estimates, ASI- ACRYPT 2011, LNCS 7073, pp S. Gar. Candidate Multilinear Maps PhD thesis. University of California, Los Aneles, S. Gar, C. Gentry, and S. Halevi. Candidate multilinear maps from ideal lattices. EUROCRYPT 2013, LNCS 7881, pp S. Gar, C. Gentry, S. Halevi, M. Raykova, A. Sahai, and B. Waters. Candidate indistinuishability obfuscation and functional encryption for all circuits. FOCS 2013, pp S. Gar, C. Gentry, S. Halevi, A. Sahai, and B. Waters. Attribute-based encryption for circuits from multilinear maps, CRYPTO (2) 2013, LNCS 8043, C. Gentry, S. Gorbunov, and S. Halevi. Graph-induced multilinear maps from lattices. TCC 2015, Part II, LNCS 9015, pp S. Gar, C. Gentry, S. Halevi, and M. Zhandry. Fully secure functional encryption without obfuscation C. Gentry, S. Halevi, H. K. Majiy, A. Sahaiz. Zeroizin without zeroes: Cryptanalyzin multilinear maps without encodins of zero O. Goldreich. Computational Complexity: a Conceptual Perspective. Cambride University Press, New York, NY, USA, 1 edition, S. Gar, C. Gentry, A. Sahai, and B. Waters. Witness encryption and its applications. STOC 2013, pp Chunshen Gu. Multilinear Maps Usin Ideal Lattices without Encodins of Zero Chunshen Gu. An Improved Multilinear Map and its Applications. International Journal of Information Technoloy and Web Enineerin, 2015, 10(3), pp S. Halevi. The state of cryptoraphic multilinear maps, Invited Talk of CRYPTO 2015.

18 18 Chunshen Gu 27. S. Halevi. Graded Encodin, Variations on a Scheme, Yupu Hu and Huiwen Jia. Cryptanalysis of GGH Map Yupu Hu and Huiwen Jia. A Comment on Gu Map Yupu Hu and Huiwen Jia. An Optimization of Gu Map J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: a rin based public key cryptosystem. ANTS 1998, LNCS 1423, pp H.W. Lenstra, A.K. Lenstra and L. Lovasz. Factorin polynomials with rational coefficients. Mathematische Annalen, 1982, 261(4): V. Lyubashevsky, D. Micciancio. Generalized Compact Knapsacks Are Collision Resistant, ICALP 2006: Automata, Lanuaes and Prorammin, LNCS 4052, pp The full version of this extended abstract appears in ECCC TR A. Lanlois, D. Stehl, and R. Steinfeld, GGHLite: More Efficient Multilinear Maps from Ideal Lattices, EUROCRYPT 2014, LNCS 8441, 2014, pp B. Minaud and P. Fouue. Cryptanalysis of the New Multilinear Map Over the inteers, Micciancio D and Reev O. Worst-case to averae-case reductions based on Gaussian measures. SIAM Journal on Computin, 2007, 37(1): D. Stehlé and R. Steinfeld. Makin NTRU as secure as worst-case problems over ideal lattices, EUROCRYPT 2011, LNCS 6632, pp J. Zimmerman. How to obfuscate prorams directly. EUROCRYPT 2015, Part II, LNCS 9057, pp