A Comment on Gu Map-1

Similar documents
Cryptanalysis of GGH15 Multilinear Maps

Open problems in lattice-based cryptography

Extractable Witness Encryption and Timed-Release Encryption from Bitcoin

Practical Fully Homomorphic Encryption without Noise Reduction

Ideal Lattices and NTRU

Some security bounds for the DGHV scheme

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Multikey Homomorphic Encryption from NTRU

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Cryptology. Scribe: Fabrice Mouhartem M2IF

Fully Homomorphic Encryption and Bootstrapping

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

Differing-Inputs Obfuscation and Applications

Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000

Function-Hiding Inner Product Encryption

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Quantum-resistant cryptography

Non-Interactive Secure Multiparty Computation

Fully Homomorphic Encryption - Part II

GGHLite: More Efficient Multilinear Maps from Ideal Lattices

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Efficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption

Classical hardness of the Learning with Errors problem

Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds

Cryptanalysis of branching program obfuscators

Constructing Witness PRF and Offline Witness Encryption Without Multilinear Maps

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts

6.892 Computing on Encrypted Data October 28, Lecture 7

Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions

4-3 A Survey on Oblivious Transfer Protocols

Gentry s SWHE Scheme

Multi-key fully homomorphic encryption report

On Kilian s Randomization of Multilinear Map Encodings

Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings

Evaluation of Homomorphic Primitives for Computations on Encrypted Data for CPS systems

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

Verifiable Delegation of Polynomials

The Impossibility of Obfuscation with Auxiliary Input or a Universal Simulator

Bootstrapping Obfuscators via Fast Pseudorandom Functions

Partially homomorphic encryption schemes over finite fields

An Efficient Broadcast Attack against NTRU

CPSC 467b: Cryptography and Computer Security

Offline Witness Encryption

Lattice-Based Non-Interactive Arugment Systems

A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code

From Minicrypt to Obfustopia via Private-Key Functional Encryption

Lattice Cryptography

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

A new attack on RSA with a composed decryption exponent

Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption

Computers and Mathematics with Applications

A Full Homomorphic Message Authenticator with Improved Efficiency

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Classical hardness of Learning with Errors

1 Number Theory Basics

Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Private Puncturable PRFs from Standard Lattice Assumptions

Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13

Solving LWE with BKW

Chosen-Ciphertext Secure RSA-type Cryptosystems

An improved compression technique for signatures based on learning with errors

An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

f (x) f (x) easy easy

Lecture 2: Program Obfuscation - II April 1, 2009

On the Implausibility of Differing-Inputs Obfuscation and Extractable Witness Encryption with Auxiliary Input

Masao KASAHARA. Graduate School of Osaka Gakuin University

Multilinear maps via secret ring

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

Faster Fully Homomorphic Encryption

Adaptively Secure Constrained Pseudorandom Functions

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

A Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System

Zero-Knowledge Proofs with Witness Elimination

Secure and Practical Identity-Based Encryption

Obfuscation without Multilinear Maps

CIS 551 / TCOM 401 Computer and Network Security

Fang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University

Polynomial Functional Encryption Scheme with Linear Ciphertext Size

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low Level Encoding of Zero

Chosen-Ciphertext Attacks on Optimized NTRU

An improved compression technique for signatures based on learning with errors

Riding on Asymmetry: Efficient ABE for Branching Programs

Revisiting Lattice Attacks on overstretched NTRU parameters

A New Functional Encryption for Multidimensional Range Query

Multilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015

An Unconditionally Secure Protocol for Multi-Party Set Intersection

A simple lattice based PKE scheme

AES side channel attacks protection using random isomorphisms

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA

Recent Advances in Identity-based Encryption Pairing-free Constructions

An Overview of Homomorphic Encryption

Transcription:

A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices for constructing the trapdoors, while the novelty is that no encodings of zero are given. In this short paper we show that Gu map-1 cannot be used for the instance of witness encryption (WE) based on the hardness of 3-exact cover problem. That is, if Gu map-1 is used for such instance, we can break it by soving a combined 3-exact cover problem. The reason is just that no encodings of zero are given. Keywords: Multilinear maps, GGH map, Gu map-1, Multi-party key exchange (MPKE), Witness encryption (WE), Lattice based cryptography. 1 Introduction: Background and Our Comment Multilinear map is a novel primitive. It is the solution of a long-standing open problem 1, and has many novel cryptographic applications, such as multi-party key exchange (MPKE) 2, witness encryption (WE) 3 9, obfuscation 7 10, and so on. It also has several advantages in traditional cryptographic area 3, such as IBE, ABE, broadcasting Encryption, and so on. The first and the major candidate of multilinear map is GGH map 2, 11. We presented efficient attack on GGH map for given encodings of zero 12, therefore we broke GGH multiparty key exchange (MPKE) and GGH instance of witness encryption (WE) based on the hardness of 3-exact cover problem. Gu map-1 13 is a modified version of GGH map. It uses same ideal lattices for constructing the trapdoors, while the novelty is that no encodings of zero are given. This novelty makes it successfully form MPKE scheme, and avoid our attack. In this short paper we show that Gu map-1 cannot be used for the instance of witness encryption (WE) based on the hardness of 3-exact cover problem. That is, if Gu map-1 is used for such instance, we can break it by solving a combined 3-exact cover problem. The reason is just that no encodings of zero are given. In other words, the reason is that there is no randomizer. The instance of WE based on the hardness of 3-exact cover problem is a strong application of multilinear map, and it has strong reuirement. The work was supported in part by Natural Science Foundation of China under Grant 60833008

2 Yupu Hu and Huiwen Jia 2 Gu Map-1 2.1 Setting Parameters We define the integers by Z. We specify that n-dimensional vectors of Z n are row vectors. We consider the 2n th cyclotomic polynomial ring R = ZX/(X n + 1), and identify an element u R with the coefficient vector of the degree-(n 1) integer polynomial that represents u. In this way, R is identified with the integer lattice Z n. We also consider the ring R = R/R = Z X/(X n + 1) for a (large enough) integer. Obviously, addition in these rings is done component-wise in their coefficients, and multiplication is polynomial multiplication modulo the ring polynomial X n +1. For u R, we denote Rot(u) = u 0 u 1 u n 1 u n 1 u 0 u n 2....... u 1 u 2 u 0 Z n n. Because Gu map-1 scheme uses the GGH construction 2, 11 as the basic component, parameter setting is set as that of GGH to conveniently describe and compare. Let λ be the security parameter, K the multilinearity level, n the dimension of elements of R. Concrete parameters are set as σ = λn, σ = λn 1.5, σ = 2 λ, 2 8Kλ n O(K), n Õ(Kλ2 ), τ = O(n 2 ). 2.2 Instance Generation (1) Choose a prime 2 8Kλ n O(K). (2) Choose an element g D Zn,σ in R so that g 1 n 2. In other words, g is very small. (3) Choose elements a i, e i D Zn,σ, b i D Zn,, i = 1,, τ in R. In other words, a i, e i are very small, while b i is somewhat small. (4) Choose a random element z R. In other words, z R is never small. (5) Choose two matrices T, S D Z n n,σ. In other words, T and S are very small. (6) Set Y i = T Rot ( a ig+e i z ) T, P zt,i = T Rot ( z K (b i g+e i ) g ) S, i = 1,, τ. (7) Output the public parameters {, {Y i, P zt,i }, i = 1,, τ}. (8) Generating level-1 encodings. A user generates his secret d D Z n,σ in R, then publishes U = i=1 d iy i = T Rot ( τ i=1 di(aig+ei) ) z T. U is level-1 encoding of the secret d. (9) Generating level-k decoding factors. After the user generating his secret d, he secretly computes V = i=1 d ip zt,i = T Rot ( z K τ i=1 d i(b i g+e i )) g S. V is level-k decoding factor of the secret d. 2.3 An Application: Multi-party Key Exchange (MPKE) Suppose that K+1 users want to generate a common shared key by public discussion. To do so, each user k generates his secret d k D Zτ,σ in R, publishes level- 1 encoding U k = i=1 d k,iy i = T Rot ( τ i=1 d k,i(a i g+e i )) z T, and secretly

A Comment on Gu Map-1 3 computes level-k decoding factor V k = i=1 d k,ip zt,i = T Rot ( z K τ k = 1,, K + 1. Then each user k can compute common shared key, which is high-order bits of V k j k U j. i=1 d k,i(b i g+e i ) g ) S, 3 Another Application: the Instance of Witness Encryption (WE) Based on the Hardness of 3-Exact Cover Problem 3.1 3-Exact Cover Problem Let K be a multiple of 3. A subset of {1,, K} including 3 elements is called a piece. K/3 pieces without intersection are called a 3-exact cover of {1,, K}. 3-exact cover problem is, for given O(K 2 ) pieces, to find a 3-exact cover of {1,, K}. 3.2 Gu Instance of WE Based on the Hardness of 3-Exact Cover Problem Let K be a multiple of 3. The public key includes the public parameters {, {Y i, P zt,i }, i = 1,, τ} and a group of O(K 2 ) pieces, while the secret key is EC, a 3-exact cover of {1,, K} hidden into this group. Encryption (1) The encrypter generates the d k D Zτ,σ in R. Then he computes level- 1 encoding of d k : U k i=1 d k,iy i = T Rot ( τ i=1 d k,i(a i g+e i )) z T, k = 1,, K + 1. Then he can compute encryption key, which is high-order bits K of k=1 U kp zt,1. (2) The encrypter uses this encryption key and any encryption algorithm, to encrypt his plaintext M into ciphertext C. (3) The encrypter hides encryption key into pieces. For each piece {i 1, i 2, i 3 }, he computes level-3 encoding of {d i1, d i2, d i3 }, which we denote U {i1,i 2,i 3 }. (4) The encrypter publishes all level-3 encodings. Therefore the final ciphertext is C and all U {i1,i 2,i 3 }. Decryption The decrypter is anyone who knows the hidden 3-exact cover of {1,, K}, EC. On receiving C and all U {i1,i 2,i 3}, he computes {i1,i2,i3} EC U {i 1,i 2,i 3}P zt,1. Then encryption key is its high-order bits, and he can decrypt C into the plaintext M.

4 Yupu Hu and Huiwen Jia 3.3 A Note For GGH map, U {i1,i 2,i 3} = U i1 U i2 U i3 +e {i1,i 2,i 3}, where e {i 1,i 2,i 3} is a radomizer, which is an encoding of zero. However, for Gu map-1 we cannot obtain such radomizer, so that we can only have U {i1,i 2,i 3 } = U i1 U i2 U i3. 4 Breaking the Instance by Solving a Combined 3-Exact Cover Problem Suppose {i 1, i 2, i 3 } is not from the group of O(K 2 ) public pieces. If {i 1, i 2, i 3 } = {j 1, j 2, j 3 } {k 1, k 2, k 3 } {l 1, l 2, l 3 }, where {j 1, j 2, j 3 }, {k 1, k 2, k 3 } and {l 1, l 2, l 3 } are from the group of O(K 2 ) public pieces, we call {i 1, i 2, i 3 } a combined piece. In this case we can compute U {i1,i 2,i 3 } = (U j1 U j2 U j3 )(U k1 U k2 U k3 )(U l1 U l2 U l3 ) 1. If {i 1, i 2, i 3 } = {j 1, j 2, j 3 } {k 1, k 2, k 3 } {l 1, l 2, l 3 } where {j 1, j 2, j 3 }, {k 1, k 2, k 3 } and {l 1, l 2, l 3 } are combined pieces, we call {i 1, i 2, i 3 } a second order combined pieces. In this case we can also compute U {i1,i 2,i 3 }. According such procedure, we can compute U {i1,i 2,i 3 } for any subset {i 1, i 2, i 3 }. We can randomly construct a 3-exact cover, EC, which is composed of pieces and combined pieces and second order combined pieces an so on. So that encryption key is high order bits of {i1,i2,i3} EC U {i 1,i 2,i 3}P zt,1. 5 Our Comment It may be argued that Gu map-1 uses hidden randomizers. But we hope that, for 1 l K, a level-l encoding of {d 1,, d l } is the sum of a randomizer and the product of level-1 encodings of d 1,, d l. This is a necessary condition of several important applications of multilinear map. However Gu map-1 does not satisfy this condition. Besides, Gu map-2 14 does not either. References 1. Boneh, D., Silverberg, A.: Applications of Multilinear Forms to Cryptography. Contemporary Mathematics. 324, 71 90 (2003) 2. Garg, S., Gentry, C., Halevi, S.: Candidate Multilinear Maps from Ideal Lattices. In: Johansson, T., Nguyen, P.Q. (ed.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 181 184. Springer, Heidelberg (2013) 3. Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness Encryption and its Applications. In: STOC (2013) 4. Gentry, C., Lewko, A., Waters, B.: Witness Encryption from Instance Independent Assumptions. In: Garay, J.A., Gennaro, R. (ed.) CRYPTO 2014. LNCS, vol. 8616, pp. 426 443. Springer, Heidelberg (2014)

A Comment on Gu Map-1 5 5. Arita, S., Handa, S.: Two Applications of Multilinear Maps: Group Key Exchange and Witness Encryption. In: Proceedings of the 2nd ACM workshop on ASIA public-key cryptography(asiapkc 14). ACM, New York, NY, USA, pp. 13 22 (2014) 6. Bellare, M., Hoang V.T.: Adaptive Witness Encryption and Asymmetric Password- Based Cryptography. Cryptology eprint Archive, Report 2013/704 (2013) 7. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate Indistinguishability Obfuscation and Functional Encryption for all Circuits. In: FOCS (2013) 8. Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: How to Run Turing Machines on Encrypted Data. In: Canetti, R., Garay, J.A. (ed.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 536 553. Springer, Heidelberg (2013) 9. Garg, S., Gentry, C., Halevi, S., Wichs, D.: On the Implausibility of Differing- Inputs Obfuscation and Extractable Witness Encryption with Auxiliary Input. In: Garay, J.A., Gennaro, R. (ed.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 518 535. Springer, Heidelberg (2014) 10. Boyle, E., Chung, K.-M., Pass, R.: On Extractability (a.k.a. Differing-Input) Obfuscation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 52 73. Springer, Heidelberg (2014) 11. Langlois, A., Stehlé, D., Steinfeld, R.: GGHLiteMore Efficient Multilinear Maps from Ideal Lattices. In: Nguyen, P.Q., Oswald, E. (ed.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 239 256. Springer, Heidelberg (2014) 12. Hu, Y., Jia, H.: Cryptanalysis of GGH Map. Cryptology eprint Archive, Report 2015/301 (2015) 13. Gu, C.: Multilinear Maps Using Ideal Lattices without Encodings of Zero. Cryptology eprint Archive, Report 2015/023 (2015) 14. Gu, C.: Ideal Multilinear Maps Based on Ideal Lattices. Cryptology eprint Archive, Report 2015/269 (2015)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback