
Multilinear Maps in Cryptography

Travis Scholl November 20, 2018

Abstract. Multilinear maps are a hot new topic in cryptography because they offer a significant number of applications. The main open problem in this area is constructing a secure and efficiently computable multilinear map. In this talk, we introduce cryptographic multilinear maps, go through several applications, and then discuss some possible obstructions to constructing one. The main reference for this talk is the paper "Applications of Multilinear Forms to Cryptography" by Dan Boneh and Alice Silverberg.

Contents

1 Introduction

2 Applications
  2.1 Key Escrow
  2.2 n + 1 Key Exchange
  2.3 n-bit Unique Signature Scheme
  2.4 ID Based Encryption
  2.5 Broadcast Encryption
  2.6 Indistinguishability Obfuscation

3 Results
  3.1 Weil Pairing
  3.2 Negative Results
    3.2.1 Tensor Products
    3.2.2 Galois Equivariance

1 Introduction

We will introduce the idea of a cryptographic multilinear map. Let $G_1, G_2$ denote cyclic groups with prime order $\ell$. Let

$$e : G_1 \times \cdots \times G_1 \to G_2$$

be a non-degenerate multilinear map. Here non-degenerate means that if $g$ is a generator for $G_1$, then $e(g, \ldots, g)$ is a generator for $G_2$, and multilinear means that
$$e(g_1^{a_1}, \ldots, g_n^{a_n}) = e(g_1, \ldots, g_n)^{a_1 \cdots a_n}.$$

Definition 1. We say $e$ is a cryptographic multilinear map if the following hold:

1. We can efficiently compute products and inverses in $G_1$ and $G_2$.

2. We can efficiently compute the map $e$.

3. The DLP in $G_1$ is difficult.

Remark 2. We will avoid most subtleties about how elements are actually written, since they have to be represented by bit strings.

Remark 3. In order for the DLP to be hard in $G_1$, it must necessarily be hard in $G_2$, since we can always map the problem to $G_2$ via $e$:

$$e(g, \ldots, g, g^a) = e(g, \ldots, g)^a.$$

Open Problem 4. Construct a cryptographic multilinear map with n > 2.

2 Applications

We will now look at some applications of multilinear maps. Fix a public generator $g$ for $G_1$. Recall the standard Diffie-Hellman key exchange:

                     Alice                   Bob
    Choose a secret  $a \in \mathbb{Z}$      $b \in \mathbb{Z}$
    Publish          $g^a$                   $g^b$
    Compute          $(g^b)^a = g^{ab}$      $(g^a)^b = g^{ab}$

The security of this protocol is based on the Diffie-Hellman problem: given $g^a$, find $a$.

2.1 Key Escrow

Idea: The government wants to read everyone's messages.

                     Alice                   Bob                     Government
    Choose a secret  $a \in \mathbb{Z}$      $b \in \mathbb{Z}$      $c \in \mathbb{Z}$
    Publish          $g^a$                   $g^b$                   $g^c$
    Compute          $e(g^c, g^b)^a$         $e(g^c, g^a)^b$         $e(g^a, g^b)^c$

The shared key is $e(g, g)^{abc}$. The security of this protocol is based on the multilinear Diffie-Hellman problem: given $g^a, g^b, g^c$, find $e(g, g)^{abc}$.

2.2 n + 1 Key Exchange

Idea: $n + 1$ Alices want to come up with a shared key.

Remark 5. A tripartite key exchange using the Weil pairing was first given by [Jou04].

                     Alice$_i$
    Choose a secret  $a_i \in \mathbb{Z}$
    Publish          $g^{a_i}$
    Compute          $e(g^{a_1}, \ldots, \widehat{g^{a_i}}, \ldots, g^{a_{n+1}})^{a_i}$   (her own $g^{a_i}$ omitted from the arguments)

The shared key is $e(g, \ldots, g)^{a_1 \cdots a_{n+1}}$. The security of this protocol is based on the multilinear Diffie-Hellman problem: given $g^{a_1}, \ldots, g^{a_{n+1}}$, find $e(g, \ldots, g)^{a_1 \cdots a_{n+1}}$.
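The following is an added example (not from the talk notes or from [BS03]) that runs the $n + 1$ party exchange above, of which the key escrow protocol of 2.1 is the case $n = 2$. Since no cryptographic multilinear map is known for $n > 2$ (Open Problem 4), the map is a toy: a group element $g^a$ is represented by its exponent $a \bmod \ell$, so $e$ is just a product of exponents. The exponent is in plain view, so the DLP is trivial and the code demonstrates only the protocol mechanics and the multilinearity identity. The modulus ELL, the function names and the party secrets are all constructed for this example.

```python
import secrets

ELL = 1_000_003  # prime order of G1 and G2 (constructed toy parameter)

# Toy stand-in for a cryptographic n-linear map (an assumption of this example).
# A group element g^a is written as its exponent a mod ELL, so "multiplying" in G1 or
# G2 is adding exponents, raising to a power is multiplying the exponent, and
#   e(g^{a_1}, ..., g^{a_n}) = e(g, ..., g)^{a_1 ... a_n}
# is a product of exponents. Everything is visible, so the DLP in G1 is trivial:
# this shows mechanics only, not security (Open Problem 4 is exactly what is missing).
G = 1  # the public generator g, i.e. exponent 1


def group_pow(elem, k):
    """elem^k in G1 or G2 (exponent representation)."""
    return elem * k % ELL


def multilinear_e(*elems):
    """The n-linear map e : G1^n -> G2, with n = number of arguments."""
    out = 1
    for a in elems:
        out = out * a % ELL
    return out


def n_plus_1_key_exchange(secret_exponents):
    """Section 2.2 with n + 1 = len(secret_exponents) parties and an n-linear map.

    Returns the key each party derives; the protocol is correct when all of them
    agree. Section 2.1 (key escrow) is the case of three parties, the third one
    being the government.
    """
    published = [group_pow(G, a) for a in secret_exponents]  # party i publishes g^{a_i}
    keys = []
    for i, a_i in enumerate(secret_exponents):
        others = published[:i] + published[i + 1:]            # everyone else's g^{a_j}
        keys.append(group_pow(multilinear_e(*others), a_i))   # e(g^{a_1}, ..., g^{a_{n+1}})^{a_i}
    return keys


def fresh_secret():
    """A random nonzero exponent, standing in for 'choose a secret a in Z'."""
    return 1 + secrets.randbelow(ELL - 1)


if __name__ == "__main__":
    # Four parties need a trilinear map; all four must end up with the same key.
    keys = n_plus_1_key_exchange([fresh_secret() for _ in range(4)])
    print("all four parties agree:", len(set(keys)) == 1)
    # The multilinearity identity from the Introduction, checked directly.
    a, b, c = fresh_secret(), fresh_secret(), fresh_secret()
    lhs = multilinear_e(group_pow(G, a), group_pow(G, b), group_pow(G, c))
    rhs = group_pow(multilinear_e(G, G, G), a * b * c)
    print("e(g^a, g^b, g^c) == e(g, g, g)^(abc):", lhs == rhs)
```

Replacing the toy representation with a real cryptographic $n$-linear map would leave the protocol code unchanged: only `group_pow` and `multilinear_e` depend on how elements are represented.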

2.3 n-bit Unique Signature Scheme

Idea: We want to sign $n$-bit messages $M = m_1 \cdots m_n \in \{0, 1\}^n$. To sign $M$ we do the following:

1. Pick random $a_1, \ldots, a_n, b_1, \ldots, b_n \in \mathbb{Z}$.

2. Publish $V = (g^{a_1}, \ldots, g^{a_n}, g^{b_1}, \ldots, g^{b_n})$.

3. The signature is $S = g^{c_1 \cdots c_n}$ where
$$c_i = \begin{cases} a_i & \text{if } m_i = 1, \\ b_i & \text{if } m_i = 0. \end{cases}$$

4. To verify a signature $S$, compare $e(g^{c_1}, \ldots, g^{c_n})$ and $e(g, \ldots, g, S)$.

Remark 6. The signature is very short: it is a single group element. However, the public verifying key has size $2n \cdot \mathrm{poly}(\log \ell)$. The proof of security uses the generalized multilinear Diffie-Hellman problem: given access to $g^{\prod_{i \in I} c_i}$ for any proper subset $I \subsetneq \{1, \ldots, n\}$, find $g^{c_1 \cdots c_n}$. For more details, see the references in [BS03]. This scheme also has a nice uniqueness property.

Lemma 7. For a fixed message $M$ and public key $V$, there is a unique signature $S$ that works.

Proof. $e(g, \ldots, g, g^a) = e(g, \ldots, g)^a$, so we must have $a \equiv c_1 \cdots c_n \pmod{\ell}$.
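An added example (not from the talk notes or from [BS03]) of steps 1 to 4 above, together with an exhaustive check of Lemma 7. The multilinear map is the same toy exponent representation as before, with a deliberately small constructed prime `ELL` so that every group element can be tried as a candidate signature; the verifier uses only the public key $V$. All names and parameters are constructed for this example.

```python
import secrets

ELL = 1009  # small prime group order so Lemma 7 can be checked exhaustively (toy parameter)
G = 1       # generator g as exponent 1; elements are exponents mod ELL (toy map, insecure)


def group_pow(elem, k):
    """elem^k in G1 or G2 (toy exponent representation)."""
    return elem * k % ELL


def multilinear_e(*elems):
    """e(g^{a_1}, ..., g^{a_n}) = e(g, ..., g)^{a_1 ... a_n} (toy exponent representation)."""
    out = 1
    for a in elems:
        out = out * a % ELL
    return out


def keygen(n):
    """Steps 1 and 2: secret a_i, b_i and public V = (g^{a_1},...,g^{a_n}, g^{b_1},...,g^{b_n})."""
    a = [1 + secrets.randbelow(ELL - 1) for _ in range(n)]
    b = [1 + secrets.randbelow(ELL - 1) for _ in range(n)]
    V = ([group_pow(G, x) for x in a], [group_pow(G, x) for x in b])
    return (a, b), V


def select(ones, zeros, bits):
    """c_i = a_i if m_i = 1 else b_i; works on the exponents or on the encodings g^{c_i}."""
    return [ones[i] if m == 1 else zeros[i] for i, m in enumerate(bits)]


def sign(sk, bits):
    """Step 3: S = g^{c_1 ... c_n}, which needs the secret a_i, b_i."""
    a, b = sk
    exponent = 1
    for c in select(a, b, bits):
        exponent = exponent * c % ELL
    return group_pow(G, exponent)


def verify(V, bits, S):
    """Step 4: e(g^{c_1}, ..., g^{c_n}) == e(g, ..., g, S), computable from V alone."""
    ga, gb = V
    n = len(bits)
    return multilinear_e(*select(ga, gb, bits)) == multilinear_e(*([G] * (n - 1)), S)


def count_valid_signatures(V, bits):
    """Lemma 7: how many group elements verify for (V, M). Expect exactly one."""
    return sum(verify(V, bits, S) for S in range(ELL))


if __name__ == "__main__":
    sk, V = keygen(8)
    message = [1, 0, 1, 1, 0, 0, 1, 0]
    S = sign(sk, message)
    print("valid:", verify(V, message, S))
    print("valid for a flipped message:", verify(V, message[:-1] + [1], S))
    print("number of elements that verify:", count_valid_signatures(V, message))
```

Note that `verify` needs an $n$-linear map for $n$-bit messages, which is why the public key has $2n$ group elements: for each bit position both $g^{a_i}$ and $g^{b_i}$ must be available to the verifier.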

2.4 ID Based Encryption

Idea: Alice should be able to send Bob an encrypted message using nothing but his public ID. This system requires a trusted third party to give out keys.

Setup: The government chooses $c \in \mathbb{Z}$ and publishes $g^c$. They also publish a hash $H : \{\text{IDs}\} \to G_1$. A user's public key is $H(\mathrm{ID})$ and their private key is $H(\mathrm{ID})^c$. A user can only get their private key by authenticating with the government.

For Alice to send a message to Bob, she:

1. Computes the hash of Bob's ID: $h_B$.

2. Picks random $r \in \mathbb{Z}$.

3. Encrypts her message with $e(h_B, g^c)^r$.

4. Sends the encrypted message and $g^r$.

For Bob to read the message, he:

1. Authenticates with the government to get his secret key $h_B^c$.

2. Decrypts the message with $e(h_B^c, g^r)$.

Remark 8. This system also has escrow because the government can compute $e(h_B, g^r)^c$. The security of this system is again based on the multilinear Diffie-Hellman problem.
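An added example (not from the talk notes, [BS03] or [BF01]) of the setup, Alice's four steps, Bob's two steps and the escrow of Remark 8. Only a bilinear map is needed, again in the toy exponent representation. The hash $H$ to $G_1$ is modelled by SHA-256 reduced to a nonzero exponent, and the $G_2$ element is turned into a keystream by hashing it; both are assumptions of this example, as are the names and parameters.

```python
import hashlib
import secrets

ELL = 1_000_003  # prime order of G1 and G2 (constructed toy parameter)
G = 1            # elements are exponents mod ELL (toy bilinear map: mechanics only)


def group_pow(elem, k):
    return elem * k % ELL


def bilinear_e(x, y):
    """e(g^x, g^y) = e(g, g)^{xy}; n = 2 is all this scheme needs."""
    return x * y % ELL


def hash_to_group(identity):
    """H : {IDs} -> G1, modelled as SHA-256 reduced to a nonzero exponent (assumption)."""
    digest = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (ELL - 1)


def setup():
    """The government picks the master secret c and publishes g^c."""
    c = 1 + secrets.randbelow(ELL - 1)
    return c, group_pow(G, c)


def extract(c, identity):
    """Private key H(ID)^c, handed out only after the user authenticates."""
    return group_pow(hash_to_group(identity), c)


def keystream(key_in_g2, length):
    """Derive bytes from the G2 element for the symmetric step (SHA-256 counter mode, assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(f"{key_in_g2}:{counter}".encode()).digest()
        counter += 1
    return out[:length]


def encrypt(gc, identity, message, r=None):
    """Alice's steps 1-4: session key e(h_B, g^c)^r; returns (ciphertext, g^r)."""
    if r is None:
        r = 1 + secrets.randbelow(ELL - 1)
    h_b = hash_to_group(identity)
    k = group_pow(bilinear_e(h_b, gc), r)
    ct = bytes(m ^ s for m, s in zip(message, keystream(k, len(message))))
    return ct, group_pow(G, r)


def decrypt(private_key, ct, gr):
    """Bob's step 2: e(h_B^c, g^r) equals Alice's key by bilinearity."""
    k = bilinear_e(private_key, gr)
    return bytes(x ^ s for x, s in zip(ct, keystream(k, len(ct))))


def escrow_decrypt(c, identity, ct, gr):
    """Remark 8: the government computes e(h_B, g^r)^c without Bob's private key."""
    k = group_pow(bilinear_e(hash_to_group(identity), gr), c)
    return bytes(x ^ s for x, s in zip(ct, keystream(k, len(ct))))


if __name__ == "__main__":
    c, gc = setup()
    ct, gr = encrypt(gc, "bob@example.test", b"meet at noon")
    print("Bob reads:      ", decrypt(extract(c, "bob@example.test"), ct, gr))
    print("Government reads:", escrow_decrypt(c, "bob@example.test", ct, gr))
    print("Wrong key reads: ", decrypt(extract(c, "eve@example.test"), ct, gr))
```

The three derivations of the session key are the three ways of grouping the exponents $h_B$, $c$ and $r$: Alice knows $r$, Bob knows $h_B^c$, and the government knows $c$.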

2.5 Broadcast Encryption

Idea: Alice wants to send a message to a certain subset of Bobs $B_1, \ldots, B_n$. For example, Alice may be starting a cable company and wants only Bobs who pay to receive channels.

Setup: Alice chooses a secret $a \in \mathbb{Z}$ and some random $g_1, \ldots, g_n \in G_1$. Then Alice gives $B_i$ the key $h_i = g_i^a$. Now to send to a subset $S \subseteq \{B_1, \ldots, B_n\}$, she encrypts it with $K = e(x_1, \ldots, x_n)^a$ where
$$x_i = \begin{cases} g_i & \text{if } B_i \in S, \\ g & \text{if } B_i \notin S. \end{cases}$$

For decryption, Bob $i$ computes $K = e(x_1, \ldots, x_{i-1}, h_i, x_{i+1}, \ldots, x_n)$. The security of this protocol is again based on the generalized multilinear Diffie-Hellman problem.

Remark 9. The key size here is independent of $n$. However, everyone involved needs to know the set $S$, which is of size $n$. The security of this system relies on the difficulty of the inverse multilinear Diffie-Hellman problem: given $g^a$, find $e(g, \ldots, g)^{1/a}$.

2.6 Indistinguishability Obfuscation

Idea: We want an obfuscator $\mathcal{O}$ which takes a program $P$ to a functionally equivalent program $\mathcal{O}(P)$ such that if $P_1$ and $P_2$ are functionally equivalent programs, then it is computationally infeasible to distinguish $\mathcal{O}(P_1)$ from $\mathcal{O}(P_2)$. There are reasons people want to do this: https://simons.berkeley.edu/talks/craig-gentry-2015-05-20a [GGH+16].

It turns out most programs (e.g. circuits) can be modeled by "oblivious matrix products". We can think of a program $P$ as a set of matrices $M_i^{(b)}$ with $1 \le i \le k$ and $b \in \{0, 1\}$. Then for any $k$ bits $x = x_1 \cdots x_k$,
$$P(x) = 0 \iff M_1^{(x_1)} \cdots M_k^{(x_k)} = I.$$
We can obfuscate the matrices by encoding the entries by $\alpha \mapsto g^\alpha$. Now we can still evaluate the product using multilinear maps. For example, we can test if $x^2 + x + 1 = 0$ without knowing $x$ as follows. First suppose we know $g^x$, then compute
$$e(g^x, g^x)\, e(g^x, g)\, e(g, g) = e(g, g)^{x^2 + x + 1}.$$
The left side is $1$ if and only if $x^2 + x + 1 = 0$. Generalizing this extensively, we can obfuscate matrix multiplication.

Remark 10. It's actually much more complicated and I don't fully understand how this all works together.
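An added example (not from the talk notes or from [GGH+16]) of the two computations just described: the root test for $x^2 + x + 1$ from $g^x$ alone, and deciding $M_1^{(x_1)} \cdots M_k^{(x_k)} = I$ from the encodings $g^\alpha$ of the entries using a $k$-linear map. Each entry of the product is a sum of $k$-fold products of entries; every such product is one evaluation of $e$, and the sum becomes a product in $G_2$. The map is again the toy exponent representation, so nothing is actually hidden; the point is that the evaluator only ever calls $e$ and the $G_2$ group operation. The constructed prime `ELL = 103` is chosen so that $x^2 + x + 1$ has a root (56); the two-matrix program, which outputs 0 exactly when $x_1 = x_2$, is also constructed.

```python
import itertools

ELL = 103  # prime group order, chosen so x^2 + x + 1 has a root mod ELL (toy parameter)
G = 1      # generator g; elements are exponents mod ELL (toy map: nothing is hidden)
G2_ONE = 0  # identity of G2 in the exponent representation


def group_pow(elem, k):
    return elem * k % ELL


def g2_mul(u, v):
    """Multiplication in G2 adds exponents."""
    return (u + v) % ELL


def multilinear_e(*elems):
    """e(g^{a_1}, ..., g^{a_k}) = e(g, ..., g)^{a_1 ... a_k} (toy exponent representation)."""
    out = 1
    for a in elems:
        out = out * a % ELL
    return out


def is_root_of_x2_x_1(gx):
    """Test x^2 + x + 1 = 0 from g^x: e(g^x, g^x) e(g^x, g) e(g, g) = e(g, g)^{x^2 + x + 1}."""
    acc = g2_mul(g2_mul(multilinear_e(gx, gx), multilinear_e(gx, G)), multilinear_e(G, G))
    return acc == G2_ONE


def encode(M):
    """alpha -> g^alpha, entrywise."""
    return [[group_pow(G, alpha) for alpha in row] for row in M]


def encoded_product_is_identity(enc):
    """Decide M_1 ... M_k = I given only the encoded matrices, with a k-linear map.

    Entry (r, c) of the product is the sum over index paths j_1, ..., j_{k-1} of
    M_1[r][j_1] M_2[j_1][j_2] ... M_k[j_{k-1}][c]; each term is one e(...) call and the
    sum is a product in G2, which is then compared with the encoding of I's entry.
    """
    k, d = len(enc), len(enc[0])
    e_ggg = multilinear_e(*[G] * k)  # e(g, ..., g): the G2 encoding of the entry 1
    for r in range(d):
        for c in range(d):
            acc = G2_ONE
            for path in itertools.product(range(d), repeat=k - 1):
                idx = (r,) + path + (c,)
                term = multilinear_e(*[enc[i][idx[i]][idx[i + 1]] for i in range(k)])
                acc = g2_mul(acc, term)
            if acc != (e_ggg if r == c else G2_ONE):
                return False
    return True


# Constructed branching program with k = 2 and 2x2 matrices: M_1^(0) = M_2^(0) = I,
# M_1^(1) = A, M_2^(1) = A^{-1}, so M_1^(x1) M_2^(x2) = I exactly when x1 == x2.
IDENT = [[1, 0], [0, 1]]
A_MAT = [[1, 1], [0, 1]]
A_INV = [[1, ELL - 1], [0, 1]]
PROGRAM = [{0: encode(IDENT), 1: encode(A_MAT)}, {0: encode(IDENT), 1: encode(A_INV)}]


def evaluate(program, bits):
    """P(x) = 0, i.e. True, iff the selected encoded matrices multiply to I."""
    return encoded_product_is_identity([program[i][b] for i, b in enumerate(bits)])


if __name__ == "__main__":
    for x in itertools.product((0, 1), repeat=2):
        print(x, "->", "P(x) = 0" if evaluate(PROGRAM, x) else "P(x) = 1")
    print("56 is a root of x^2 + x + 1 mod 103:", is_root_of_x2_x_1(group_pow(G, 56)))
```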

3 Results

3.1 Weil Pairing

We can construct a cryptographic bilinear map using the Weil pairing on an elliptic curve. Let $E/\mathbb{F}_p$ be an elliptic curve. Recall that $E[\ell] := E(\overline{\mathbb{F}}_p)[\ell] \cong \mathbb{Z}/\ell\mathbb{Z} \times \mathbb{Z}/\ell\mathbb{Z}$.

Definition 11. The Weil pairing is a non-degenerate alternating bilinear map
$$e : E[\ell] \times E[\ell] \to \mu_\ell(\overline{\mathbb{F}}_p).$$

Remark 12. Up to scaling, there is only one non-degenerate alternating bilinear form on $E[\ell]^2$, namely the determinant.

Definition 13. The Weil pairing is the pairing on $E[\ell]$ given by
$$e(P, Q) = \frac{f_P(Q)}{f_Q(P)},$$
where $f_P$ is a function on $E$ such that $\operatorname{div} f_P = \ell[P] - \ell[O]$, and $f_Q$ is similar.

Remark 14. In order to fit into our framework, we actually need to modify $e$, because otherwise $e(P, P) = 1$. We do this by defining $\hat{e}(P, Q) = e(P, \varphi(Q))$ where $\varphi \in \operatorname{End} E$ is such that $\varphi(P)$ and $P$ are $\mathbb{Z}/\ell\mathbb{Z}$-independent. This may mean that $\varphi$ is not defined over $\mathbb{F}_p$.

Remark 15. There is an efficient algorithm to evaluate the Weil pairing due to Victor Miller.

Definition 16. The smallest $k$ such that $\mu_\ell(\overline{\mathbb{F}}_p) \subseteq \mathbb{F}_{p^k}$ is called the embedding degree of $\ell$. It is equivalently the multiplicative order of $p \bmod \ell$. It is important for pairing based crypto to find curves where the embedding degree is not too large. For a random curve, it is on the order of $\ell$ (most elements of $\mathbb{Z}/\ell\mathbb{Z}$ have large order).

Example 17. Suppose $E/\mathbb{F}_p$ is supersingular and $p$ is large. Then $\#E(\mathbb{F}_p) = p + 1 \mid p^2 - 1 = \#\mathbb{F}_{p^2}^\times$. Therefore the embedding degree of any $\ell$ is $2$. If the embedding degree is small enough and $p$ is large enough, then this gives us a cryptographic bilinear map.
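An added example (not from the talk notes or from [BS03]) that computes the Weil pairing of Definition 13 with Miller's algorithm (Remark 15) on the supersingular curve $y^2 = x^3 + x$ over $\mathbb{F}_p$ with $p \equiv 3 \pmod 4$, the situation of Example 17: $\#E(\mathbb{F}_p) = p + 1$, the embedding degree is $2$, and $\mathbb{F}_{p^2} = \mathbb{F}_p[i]/(i^2 + 1)$. The distortion map $\varphi(x, y) = (-x, iy)$ is the endomorphism of Remark 14 (it is not defined over $\mathbb{F}_p$), giving $\hat{e}(P, Q) = e(P, \varphi(Q))$. The toy parameters $p = 11$, $\ell = 3$ and the base point $(5, 3)$ of order $3$ are constructed so that every value can be checked by hand; the sign $(-1)^\ell$ in `weil` is Miller's normalisation of the quotient $f_P(Q)/f_Q(P)$. The final Frobenius check is the $g = 1$ instance of the Galois equivariance discussed in Section 3.2.2.

```python
P_MOD = 11   # prime p with p ≡ 3 (mod 4); #E(F_p) = p + 1 = 12 for y^2 = x^3 + x (constructed)
ELL = 3      # prime l dividing p + 1 (constructed)


def embedding_degree(p, ell):
    """Definition 16: the multiplicative order of p modulo ell."""
    k, x = 1, p % ell
    while x != 1:
        k, x = k + 1, x * p % ell
    return k


class Fp2:
    """F_{p^2} = F_p[i]/(i^2 + 1); valid since p ≡ 3 (mod 4) makes -1 a non-square."""
    def __init__(self, a, b=0):
        self.a, self.b = a % P_MOD, b % P_MOD
    def __add__(self, o): return Fp2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fp2(self.a - o.a, self.b - o.b)
    def __neg__(self): return Fp2(-self.a, -self.b)
    def __mul__(self, o): return Fp2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)
    def __eq__(self, o): return self.a == o.a and self.b == o.b
    def inv(self):
        norm = (self.a * self.a + self.b * self.b) % P_MOD  # (a + bi)(a - bi)
        if norm == 0:
            raise ZeroDivisionError("Miller function evaluated at one of its zeros or poles")
        n = pow(norm, -1, P_MOD)
        return Fp2(self.a * n, -self.b * n)
    def __truediv__(self, o): return self * o.inv()
    def __pow__(self, e):
        r, base = Fp2(1), self
        while e:
            if e & 1: r = r * base
            base, e = base * base, e >> 1
        return r
    def __repr__(self): return f"({self.a} + {self.b}i)"


ONE, I = Fp2(1), Fp2(0, 1)
A = Fp2(1)   # curve y^2 = x^3 + A x; affine points are (x, y) pairs of Fp2, O is None


def slope(P, Q):
    """Slope of the chord through P and Q, or of the tangent when P == Q."""
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        return (Fp2(3) * x1 * x1 + A) / (Fp2(2) * y1)
    return (y2 - y1) / (x2 - x1)


def add(P, Q):
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0] and P[1] == -Q[1]: return None  # P + Q = O
    lam = slope(P, Q)
    x3 = lam * lam - P[0] - Q[0]
    return (x3, lam * (P[0] - x3) - P[1])


def smul(k, P):
    """k * P by double-and-add."""
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1": R = add(R, P)
    return R


def phi(P):
    """Distortion map (x, y) -> (-x, i y): phi(P) and P are l-independent for P in E(F_p)."""
    return (-P[0], I * P[1])


def frobenius(P):
    """The p-th power Frobenius, applied coordinatewise."""
    return (P[0] ** P_MOD, P[1] ** P_MOD)


def line_eval(T, U, Q):
    """Value at Q of l_{T,U} / v_{T+U}, the function with divisor [T] + [U] - [T+U] - [O]."""
    xq, yq = Q
    if T[0] == U[0] and T[1] == -U[1]:
        return xq - T[0]  # T + U = O: only the vertical line through T
    lam = slope(T, U)
    x3 = lam * lam - T[0] - U[0]
    return (yq - T[1] - lam * (xq - T[0])) / (xq - x3)


def miller(P, Q, n):
    """Miller's algorithm: f_{n,P}(Q), where div f_{n,P} = n[P] - [nP] - (n - 1)[O]."""
    f, T = ONE, P
    for bit in bin(n)[3:]:
        f, T = f * f * line_eval(T, T, Q), add(T, T)
        if bit == "1":
            f, T = f * line_eval(T, P, Q), add(T, P)
    return f


def weil(P, Q):
    """Definition 13, e(P, Q) = f_P(Q) / f_Q(P), with Miller's sign normalisation (-1)^l."""
    sign = Fp2(-1) if ELL % 2 else ONE
    return sign * miller(P, Q, ELL) / miller(Q, P, ELL)


def weil_hat(P, Q):
    """Remark 14: e^(P, Q) = e(P, phi(Q)), non-trivial even when Q is a multiple of P."""
    return weil(P, phi(Q))


P0 = (Fp2(5), Fp2(3))  # constructed base point of order 3 on y^2 = x^3 + x over F_11

if __name__ == "__main__":
    z = weil_hat(P0, P0)
    print("embedding degree of l = 3 for p = 11:", embedding_degree(P_MOD, ELL))
    print("e^(P, P) =", z, " e^(P, P)^l =", z ** ELL)
    print("bilinear:", weil_hat(smul(2, P0), P0) == z ** 2)
    print("Galois equivariant:", weil(frobenius(P0), frobenius(phi(P0))) == z ** P_MOD)
```

Evaluating `weil(P0, P0)` directly fails inside `Fp2.inv`, because the Miller function of $P$ is evaluated at its own zero; this is the concrete reason Remark 14 composes with $\varphi$ rather than pairing a point with itself.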

3.2 Negative Results

3.2.1 Tensor Products

One way to build a multilinear map is to take tensor powers of the Weil pairing. Recall that $\mathbb{Z}/a\mathbb{Z} \otimes \mathbb{Z}/b\mathbb{Z} \cong \mathbb{Z}/\gcd(a, b)\mathbb{Z}$, given by $m \otimes n \mapsto mn$, so we have a map
$$(G_1 \times G_1)^k \to G_2^{\otimes k} \cong G_2$$
by sending $(g_1, h_1, \ldots, g_k, h_k) \mapsto e(g_1, h_1) \otimes \cdots \otimes e(g_k, h_k)$. This may seem great, but look at what the isomorphism $G_2^{\otimes k} \to G_2$ is in multiplicative notation:
$$(g^{a_1}, \ldots, g^{a_k}) \mapsto g^{a_1 \cdots a_k},$$
which is exactly the multilinear Diffie-Hellman problem. So we need this isomorphism to be difficult to compute.

3.2.2 Galois Equivariance

Most natural multilinear maps coming from geometry are Galois equivariant. Let $A/\mathbb{F}_q$ be an abelian variety of dimension $g$. Then $A[\ell]$ is a $\mathbb{Z}/\ell\mathbb{Z}$-vector space of dimension $2g$. There is one non-degenerate alternating form $f$ (determined up to scaling) on $A[\ell]$, the determinant. Fix a basis $P_1, \ldots, P_{2g}$ for $A[\ell]$ and let $\zeta = f(P_1, \ldots, P_{2g})$. If $Q_i = \sum_j a_{i,j} P_j$ then
$$f(Q_1, \ldots, Q_{2g}) = \zeta^{\det(a_{i,j})}.$$

Let $\sigma$ denote the $q$th power Frobenius in $\operatorname{Gal}(\overline{\mathbb{F}}_q/\mathbb{F}_q)$. So $f$ is Galois equivariant if and only if
$$f(\sigma(P_1), \ldots, \sigma(P_{2g})) = \sigma(\zeta) = \zeta^q.$$

Recall that the characteristic polynomial of the Frobenius acting on $A[\ell]$ is a Weil polynomial with constant term $q^g$ (this is a corollary of the Weil conjectures, proven by Deligne). So the left side is $\zeta^{(q^g)}$. The right hand side is $\zeta^q$. Assuming $\ell \nmid q$, this shows that $f$ is Galois equivariant if and only if $\ell \mid q^{g-1} - 1$.

Notice that the right hand side is independent of $\ell$; in particular, this shows that if $g > 1$, then there is no "compatible system" of $f$ that is Galois equivariant.

References

[BF01] Dan Boneh and Matt Franklin. Identity-based encryption from the Weil pairing. In Advances in cryptology—CRYPTO 2001 (Santa Barbara, CA), volume 2139 of Lecture Notes in Comput. Sci., pages 213–229. Springer, Berlin, 2001.

[BS03] Dan Boneh and Alice Silverberg. Applications of multilinear forms to cryptography. In Topics in algebraic and noncommutative geometry (Luminy/Annapolis, MD, 2001), volume 324 of Contemp. Math., pages 71–90. Amer. Math. Soc., Providence, RI, 2003.

[GGH+16] Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai, and Brent Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM J. Comput., 45(3):882–929, 2016.

[Jou04] Antoine Joux. A one round protocol for tripartite Diffie-Hellman. J. Cryptology, 17(4):263–276, 2004.
