Cryptanalysis on the Multilinear Map over the Integers and its Related Problems ∗ Jung Hee Cheon, Kyoohyung Han, Changmin Lee, Hansol Ryu Seoul National University (SNU), South Korea fjhcheon, satanigh, cocomi11,
[email protected] Damien Stehl´e ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, INRIA, UCBL), France
[email protected] Abstract The CRT-ACD problem is to find the primes p1; : : : ; pn given polynomially many in- stances of CRT(p1;:::;pn)(r1; : : : ; rn) for small integers r1; : : : ; rn. The CRT-ACD problem is regarded as a hard problem, but its hardness is not proven yet. In this paper, we analyze the CRT-ACD problem when given one more input CRT(p1;:::;pn)(x0=p1; : : : ; x0=pn) for n Q x0 = pi and propose a polynomial-time algorithm for this problem by using products i=1 of the instances and auxiliary input. This algorithm yields a polynomial-time cryptanalysis of the (approximate) multilinear map of Coron, Lepoint and Tibouchi (CLT): We show that by multiplying encodings of zero with zero-testing parameters properly in the CLT scheme, one can obtain a required input of our algorithm: products of CRT-ACD instances and auxiliary input. This leads to a total break: all the quantities that were supposed to be kept secret can be recovered in an efficient and public manner. We also introduce polynomial-time algorithms for the Subgroup Membership, Deci- sion Linear, and Graded External Diffie-Hellman problems, which are used as the base problems of several cryptographic schemes constructed on multilinear maps. Keywords: Multilinear maps, Graded encoding schemes, Decision linear problem, Sub- group membership problem, Graded external Diffie-Hellman problem.