A Survey of Computational Assumptions on Bilinear and Multilinear Maps Allison Bishop IEX and Columbia University
Group Basics There are two kinds of people in this world. Those who like additive group notation, and those who like multiplicative group notation. inefficient: discrete log?? efficient: group operation identity test
Bilinear Groups efficient:
When Faced with a New Group Assumption: Is it secret? Is it safe? Is it useful? Is it needed?
Kinds of Assumptions Generic group models q-type assumptions static assumptions Variants: Symmetric/Asymetric Composite Order/ Prime Order Linear/ Bilinear/ MultiLinear
Kinds of Proof Techniques Brute Force Cancelation Encoding Dual System Deja Q basic generic group arguments BB IBE G06, W 05 W09, LW10, LOSTW10, CM14, W16
Billinear Diffie-Hellman Assumption Symmetric group: Given: Distinguish:
SXDH Assumption Asymmetric group: Given: Distinguish:
A Basic q-type Assumption Symmetric group: Given: Distinguish:
A Driving Example: IBE Decryption:
Arguing Generic Security Look at exponents you are given in G: Look at the blinding factor: All you can do is take linear combinations of degree at most 2
Proof Challenges Beyond Generic Security Hard Problem Simulator Attacker Simulator must balance two competing goals: answer attacker queries leverage attacker success
Arguing Selective Security - Embed the challenge as a function of known ID* Given: Distinguish: Choose then Simulator can produce key for any ID not equal to ID*!
How to Leverage a q-type Assumption [example from W05] What if we don t want to fix ID* ahead of time? Can t make Keys the simulator can make To partition small PP with parameter q: Use a q-size assumption!
Simulation Techniques Deja Q [CM13,W16] q-type Dual pairing vector spaces [OT08,OT09,] Composite Order Subgroup Decision SXDH/DLIN *These arrows are partial and not transitive!
Composite Order Bilinear Groups How the pairing operates: a c d E b f ab df
Subgroup Decision Assumptions in Composite Order Bilinear Groups Example: Given Distinguish from
Subgroup Decision in a Multilinear Group? Here s what it might look like in a 3-linear group: Given Distinguish from
Deja Q Basic Example r 1 a r 1 a r 1 a r 1 a 2 r 1 a 3 Subgroup decision r 1 a 2 r 1 a 2 r 1 a 3 r 1 a 3 r 1 a q r 1 a q r 1 a q
Deja Q Basic Example Mod p Mod q r 1 a r 1 a r 1 a 2 r 1 a 2 r 1 a 3 r 1 a 3 Chinese Remainder Theorem Mod p Mod q r 1 a t 1 b r 1 a 2 t 1 b 2 r 1 a 3 t 1 b 3 r 1 a q r 1 a q r 1 a q t 1 b q
Deja Q Basic Example Mod p Mod q Mod p Mod q r 1 a t 1 b 1 r 1 a 2 t 1 b 1 2 r 1 a 3 t 1 b 1 3 Subgroup Decision + Chinese Remainder Theorem r 1 a t 1 b 1 + t 2 b 2 r 1 a 2 t 1 b 12 + t 2 b 2 2 r 1 a 3 t 1 b 1 3 + t 2 b 2 3 r 1 a q t 1 b 1 q r 1 a q t 1 b 1 q + t 2 b 2 q
Deja Q Basic Example r 1 a Mod p Mod q t 1 b 1 + t 2 b 2 + + t q b q Subgroup Decision + Chinese Remainder Theorem Subgroup Decision + Chinese Remainder Theorem r 1 a 2 t 1 b 12 + t 2 b 2 2 + + t q b q 2 r 1 a 3 t 1 b 1 3 + t 2 b 2 3 + + t q b q 3 r 1 a q t 1 b 1 q + t 2 b 2 q + + t q b q q
Deja Q Basic Example b 1 b q b 1 q b q q t 1 t q = Uniformly random Mod q Full rank
Deja Q Basic Example r 1 a Mod p Mod q t 1 b 1 + t 2 b 2 + + t q b q z 1 r 1 a 2 t 1 b 12 + t 2 b 2 2 + + t q b q 2 r 1 a 3 t 1 b 1 3 + t 2 b 2 3 + + t q b q 3 Identically Distributed to z 2 z 3 z 3 r 1 a q t 1 b 1 q + t 2 b 2 q + + t q b q q z q
Dual Pairing Vector Spaces b 2 b 1 Emulates some features of composite order, asymmetric group: E r s t z rs tz
Emulating Subgroup Decision using SXDH Asymmetric group: Given: Distinguish:
Dual System Using Subgroup Assumptions for Functional Encryption [W09 + too many to cite*] Most Basic Template: PP: CT: SK: Unconstrained by PP! SF CT: SF SK:
Using Subgroup Assumptions for Obfuscation [GBSW 15] Reduction will isolate each input. Main idea: Have poly many parallel obfuscations, C 0 C 0 C 1 each responsible for a bucket of inputs Hybrid Type 1: Allocate/Transfer inputs among different buckets, but programs do not change at all. Assumption used here. Hybrid Type 2: When one bucket only has a single isolated input, then apply Kilian and change the program. Information-theoretic / No Assumption needed.
Ok, So what are these buckets really like? Matrix Branching Programs Simple example: [Barrington, Want implement: GGHRSW] F(x Oblivious 1 x 2 ) = XOR( Matrix x 1, xbranching 2 ) Program for F: n-bit input x=x 1 x 2 x n (e.g. n=3 here) 2k invertible matrices over Z N æ 1 0 ö æ M Evaluation 1,0 = ç on x: M 1,1 = ç è 0 1 ø è ì ï Õ = í M i,x(i mod n) 0 1 1 0 I if F(x) = 0 æ i=1...k 1 0 ö B if æ îï F(x) 0 =1 1 ö M Where 2,0 = ç B is fixed matrix M 2,1 = I ç over Z è 0 1 ø è 1 0 N ø ö ø M 1, 0 M 1, 1 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 æ 0 1 ö B = ç è 1 0 ø [Barrington]: All log-depth (NC 1 ) circuits have poly-size Matrix Branching Programs M k, 0 M k, 1
Kilian Simulation Towards Obfuscation Oblivious Matrix Branching Program for F: n-bit input x=x 1 x 2 x n 2k invertible matrices over Z N Evaluation on x: ì ï Õ M i,x(i mod n) = í îï i=1...k (e.g. n=3 here) I if F(x) = 0 B if F(x) =1 Where B is fixed matrix I over Z N Kilian Randomization: Chose R 1,, R k-1 random over Z N Kilian shows that for each x, can statistically simulate M x matrices knowing only product. ~ ~ ~ M 1, 0 M 1, 1 ~ ~ M 2, 0 M 2, 1 ~ ~ M 3, 0 M 3, 1 ~ ~ M 4, 0 M 4, 1 ~ ~ M k, 0 M k, 1
Hybrids Intuition C 0 C 0 C 0 ~ M 1, 1 ~ M 1, 0 ~ M 1, 1 ~ ~ M 2, 0 M 2, 1 ~ ~ M 2, 0 M 2, 1 ~ M 2, 0 ~ ~ M 3, 0 M 3, 1 ~ ~ M 3, 0 M 3, 1 ~ M 3, 0 ~ ~ M 4, 0 M 4, 1 ~ ~ M 4, 0 M 4, 1 ~ M 4, 1 ~ ~ M k, 0 M k, 1 ~ ~ M k, 0 M k, 1 ~ M k, 0