Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Transcription

1 Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014

2 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications, but not an application in itself More a technique than a single primitive Several different variants, all share the same core properties but differ in details Extension of bilinear maps [J00,SOK00,BF01] Bilinear maps are extensions of DL-based crypto

3 Starting Point: DL-based Crypto The DDH assumption is a gold mine -- Boneh 98 Why is it so useful? Can hide values a i in g a i Some tasks are still easy in this representation Compute any linear/affine function of the a i s Check if a i = 0 Other tasks are seemingly hard E.g., computing/checking quadratic functions (CDH/DDH)

4 Starting Point: DL-based Crypto To use DH, design applications where: legitimate parties only compute linear functions adversary needs to compute/check quadratics Some examples: DH key-exchange, ElGamal Encryption, Cramer-Shoup CCA-Secure Encryption, Naor-Reingold PRF, Efficient ZKPs,

5 Beyond DDH: Bilinear Maps In bilinear-map groups you can compute quadratic functions in the exponent But computing/checking cubics is hard Now the legitimate parties can do a lot more Leads to new capabilities Identity-based encryption (IBE) Predicate encryption (for simple predicates) Efficient non-interactive zero-knowledge proofs

6 Why Stop at Two? Can we find groups that would let us compute cubics but not 4th powers? Or in general, upto degree k but no more? Cryptographic multilinear maps (MMAPs) Even more useful than bilinear [BS 03] explored applications of MMAPs Also argued that they are unlikely to be constructed similarly to bilinear maps

7 The [GGH 13] Approach Construct MMAPs from HE techniques By modifying the an existing HE scheme Recall somewhat homomorphic enc.(swhe) Public-key encryption with usual (KeyGen,Enc,Dec) An additional procedure c Eval pk (P, c) P is a low-degree polynomial If c = (c 1,, c t ) encrypts a = (a 1,, a t ), then c encrypts a = P(a 1,, a t ) This looks a little like what we want

8 MMAPs vs. SWHE MMAPs Encoding e a = g a Computing low-deg polynomials of the e a s is easy Sharp threshold for easy vs. hard Can test for zero SWHE Encrypting c a = E(a) Computing low-deg polynomials of the c a s is easy? Fuzzy threshold for easy vs. hard? Cannot test anything But if you have skey you can recover a itself

9 Main Ingredient: Testing for Zero To be useful, must be able to test if two degree-k expressions are equal Using homomorphism, that s the same as testing if a degree-k expression equals zero Our approach: augment a SWHE scheme with a handicapped secret key Can test if a ciphertext decrypts to zero, but cannot decrypt arbitrary cipehrtexts Assuming that the plaintext-space is large Called a zero-test parameter

10 Goal: Graded Encoding Schemes Encoding values a in levels Level-0: analogous to plaintext a Level-1: analogous to g a Level-i: product of i level-1 encodings Can test for encoding of zero at level k

11 Graded Encoding Schemes Instance generation: pp, sp IGEN(1 λ, 1 k ) Plaintext space implicit in pp, Isomorphic to some Z p Secret-key encoding: e a SEnc(sp, a, i) e a is a level-i encoding of a SEnc is randomized Addition and multiplication e a+b e a e b, lvl e a+b = max lvl e a, lvl e b e a b e a e b, lvl e a b = lvl e a + lvl e b Zero-test: ztst e a = Yes/No, lvl e a = k

12 Bird-Eye View of [GGH 13] Start from the NTRU HE scheme NTRU ciphertexts naturally come in levels Modify NTRU to obscure the plaintext space Needed for security when publishing the handicapped secret key Publish a shifted level-k secret key Can identify level-k encryption of zero, not decrypt Another scheme along similar lines in [CLT 13]

13 Starting From NTRU Encryption All ops are in some polynomial rings R = Z[X]/F(X), R q = R/qR Secret key is z R q Plaintext elements from (e.g.) R 3 = R/3R Encryption of a R 3 is c a = a+3r c a z q = a (mod 3) For level-i ctxt, c a z i q z = a (mod 3) q R q, s.t.

14 Obscuring the Plaintext Space All ops are in some polynomial rings R = Z[X]/F(X), R q = R/qR Secret key is z R q Plaintext elements from R g = R/gR g R is a small, secret element Encryption of a R g is c a = a+gr c a z q = a (mod g) For level-i ctxt, c a z i q z = a (mod g) q R q, s.t.

15 Encoding and Homomorphism A level-i encoding of a is e = a /z i q such that a = a(mod g) and a q (say < q 1/8 ) Homomorphism is obvious c a ± c b q = a+b+gr z i all at the same level c a c b q = a b+gr z i+j lvl(c a b )=lvl(c a )+lvl(c b ) q = c a±b q = c a b As long as no wraparound in the numerator

16 Zero-Test Parameter Publish information to recognize a level-k encoding of zero, e = gr/z k q For small r But not nonzero encodings gr+a z i q Also not encodings e at levels > k

17 Zero-Test Parameter 1st idea: set p zt = z k /g q If e z k q = g r then e p zt q = r is small If e z k q = g r + a then e p zt q = r + a g q is big Because of the term a/g q

18 Zero-Test Parameter 1st idea: set p zt = z k /g q 2 Problem: p zt q enables tests at levels > k If e z 2k 1 = g r, q and e 0 z q = g r then p 2 zt e 0 e q = r r is small 2 p zt q enables zero-testing at level 2k 1

19 Zero-Test Parameter (2) Instead, set p zt = h z k /g q With h q Squaring p zt already yields a wraparound Zero-testing procedure: Check if p zt e q < q 3/4

20 Correctness of Zero-Testing If e z k q = rg then p zt e = hr (mod q) rg < q 1/8, since e is a valid encoding Hence also r < q 1/8+ε This assumes g 1 is small in the field of fractions Since h < q 1/2+ε then hr < q 3/4 e hz k g q = hr and hr < q 3/4, so the zero-test pass

21 Correctness of Zero-Testing (2) The converse is a bit more complicated: Let g, h be such that the two ideals gr, hr are co-prime Lemma: For a s.t. ah < q/2, let w = ah/g q. If w is small enough so that wg < q/2, then a gr i.e., a = gr for some r Proof: wg = ah over R (since both < q/2) and since h, g co-prime then g a.

22 Correctness of Zero-Testing (3) Lemma: For a s.t. ah < q/2, let w = ah/g q. If w is small enough so that wg < q/2, then a gr i.e., a = gr for some r Corollary: if a/z k is a valid level-k encoding ( ah < q/2) and it passes zero-test ( w is small), so it is an encoding of zero

23 Zero-Testing Invalid Encodings Easy to come up with an invalid encoding that passes the zero test. If we need security against malicious encodings, publish many p zt s For many different mid-size h es Check p zt e q < q 3/4 for all of them Can prove that whp over the h es, only valid zero-encodings pass this test.

24 Extracting Unique Representation e a, e a are two level-k encoding of same a We know that p zt e a e a q q 3/4 This means that p zt e a q p zt e a q Unless there is a wraparound, which is unlikely So MSB( p zt e a q ) = MSB( p zt e a q) Define Ext e a = MSB( p zt e a q ) For level-k encodings we get Ext e = Ext e iff e, e encode the same element Can be used to extract a shared key

25 Hardness Assumptions An über-assumption for graded-encodings: For a collection of encodings e 1,, e t (at any level) e i is an encoding of some plaintext a i and polynomial P(x 1,, x t ) of degree > k Computation: Hard to compute a level-k encoding of P(a 1,, a t ) when the a i are uniform Decision: Hard to distinguish if the a i are uniform, or chosen as a random root of P An even more general assumption in [PST 14] Dubbed Semantically-Secure Graded Encodings

26 Weak-DL Attacks in [GGH 13] über-assumption does not hold if application provides level-1 encodings of zero, one Given: Level-i encoding of 1 Level-i encoding of some a, and Many Level-j encoding of 0, with i + j k Can compute in the clear a a + gr I.e., a = a + gr for some r a is large, a q (so not a level-0 encoding) But enough to violate über-assumption

27 Dealing with Weak DL Attacks Many applications do not need low-level encodings of 0,1 Other applications only need to assume security of level-k encodings If i + j k, the attack does not apply Or use other MMAPs [CTL 13] seemingly not susceptible to weak-dl Can perhaps immunize [GGH 13] against it Using GGH-encoded matrices and their eigenvalues

28 A Few Words About Performance Currently mostly a plausibility argument Somewhat practical multilinearity for a small constant Best reported implementation in [CLT 13] 6-linear scheme with pp size ~ 2.5 GB, operations in less than one minute Quite aggressive choice of the security parameter Main road-block: obscured plaintext space Rules out all the optimizations that we have for FHE Leaves us with something similar to Gentry s original 2009 scheme

29 Some Variants Public encoding: (a, e a ) PEnc(pp) a is uniform, e a is a level-1 encoding of a Re-randomize: e a ReRand(pp, e a ) e a, e a encode the same element Distribution of e a depends on a, but not on e a To do either, provide in the public parameters level-1 encodings of zero, one Susceptible to weak-dl attack

30 More Variants An asymmetric variant Instead of levels 1,2,, k, encodings associated with subsets of k = {1,2,, k} Can only multiply encodings relative to disjoint subsets Zero-test for encodings relative to k itself

31 Summary MMAPs are similar to DL-based crypto Can compute polynomials in the exponent Polynomials of degree up to k But not degree k + 1 or more One difference: need sk to exponentiate Or use one of the variants

32 Backup Slides

33 Weak DL attack (1) Suppose we have many level-1 encodings of 0, e i = g r i z q, i = 1,, t, and an encoding of 1, d = f 1 z q, f 1 = 1(mod g) For every i let h i = e i d k 1 p zt q = hr i f 1 k 1 No mod-q in the last equality If the r i s are co-prime, can use GCD to get (a basis for) the ideal (hf 1 k 1 )

34 Weak DL attack (2) Replace d by d = d + c 1 = f 1 z q With f 1 = f 1 + gr 1 Repeat the above to get (a basis for) the ideal (hf 1 k 1 ) If f 1, f 1 are co-prime, can use GCD again to get (a basis for) the ideal (h) Hence also a basis for the inverse (h 1 )

35 Weak DL attack (3) By multiplying two encodings of zero by p zt and d k 2, we can get (a basis for) the ideals (hgf 1 k 2 ) and (hgf 1 k 2 ) Then using GCD also (hg) From (hg) and (h 1 ) we can get (g)

36 Weak DL attack (4) For an encoding e = a z t q, we want to recover some a = a (mod g ) Compute α = e d k t 1 e 1 p zt q = a f 1 k t 1 r 1 h β = d k 1 e 1 p zt q = f 1 k 1 r 1 h Knowing g, set a = αβ 1 (mod (g)) Correctness follows since f 1 = 1 (mod g )