Multilinear maps from lattices Constructions, attacks, and applications
Yilei Chen (Visa Research)
Crypto Innovation School Shanghai
2019 1 What are multilinear maps?
2 3 Cool. So what are the multilinear maps in cryptography?
4 > Discrete-log problem [ Diffie, Hellman 76 ] Multilinear maps in Cryptography Given g, gS mod q, finding s is hard
5 > Discrete-log problem [ Diffie, Hellman 76 ] Multilinear maps in Cryptography Given g, gS mod q, finding s is hard
> Bilinear maps from Weil pairing over elliptic curve groups [ Miller 86 ] How to compute Weil pairing [ Sakai, Ohgishi, Kasahara 00 ] Identity-based key-exchange [ Joux 00 ] Three-party non-interactive key exchange [ Boneh, Franklin 02 ] Identity-base key exchange gS1, gS2 → gS1S2
6 > Discrete-log problem [ Diffie, Hellman 76 ] Multilinear maps in Cryptography Given g, gS mod q, finding s is hard
> Bilinear maps from Weil pairing over elliptic curve groups [ Miller 86 ] How to compute Weil pairing [ Sakai, Ohgishi, Kasahara 00 ] Identity-based key-exchange [ Joux 00 ] Three-party non-interactive key exchange [ Boneh, Franklin 02 ] Identity-base key exchange gS1, gS2 → gS1S2
> Multilinear maps: motivated in [ Boneh, Silverberg 03 ] with the potential applications of constructing unique signature, broadcast encryption, etc. gS1, gS2, gS3, ... → g∏S 7 Multilinear maps in Cryptography Where to find multilinear maps.
gS1, gS2, gS3, ... → g∏S
8 Multilinear maps in Cryptography Where to find multilinear maps.
gS1, gS2, gS3, ... → g∏S
“If an n-multilinear map is computable, it is reasonable to expect it to come from geometry, as is the case for Weil and Tate pairings when n = 2.”
– Boneh, Silverberg, 2003
9 Multilinear maps in Cryptography Where to find multilinear maps.
gS1, gS2, gS3, ... → g∏S
“If an n-multilinear map is computable, it is reasonable to expect it to come from geometry, as is the case for Weil and Tate pairings when n = 2.”
– Boneh, Silverberg, 2003
*New: Trilinear maps from abelian varieties [ Huang 2018 ], requires further investigation.
10 What are multilinear maps? Why from lattices?
11 Multilinear maps > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] since 2013 g, gS1, gS2, gS3, ... → g∏S
Garg, Gentry, Halevi [ GGH 13 ] propose a candidate by modifying the NTRU-based FHE
12 Multilinear maps > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] since 2013 g, gS1, gS2, gS3, ... → g∏S
Garg, Gentry, Halevi [ GGH 13 ] propose a candidate by modifying the NTRU-based FHE
Think of as homomorphic encryption + public zero-test i.e. being able to distinguish g0 versus gnon-zero
13 Multilinear maps > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] since 2013 g, gS1, gS2, gS3, ... → g∏S
Garg, Gentry, Halevi [ GGH 13 ] propose a candidate by modifying the NTRU-based FHE
Think of as homomorphic encryption + public zero-test i.e. being able to distinguish g0 versus gnon-zero
Coron, Lepoint, Tibouchi [ CLT 13 ]: modifying the FHE based on approximate gcd
Gentry, Gorbunov, Halevi [ GGH 15 ]: from non-standard use of the GSW FHE
14 Multilinear maps: Private constrained PRFs applications and security
Witness encryption Multiparty key agreement
Multilinear maps Indistinguishability obfuscation
Lockable obfuscation Deniable encryption (Compute-then-Compare obf.) Broadcast encryption
15 Multilinear maps: applications and security
Multilinear maps Indistinguishability obfuscation
[Garg, Gentry, Halevi, Raykova, Sahai, Waters 13]
16 Indistinguishability obfuscation
Defined by [ Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan, Yang 01 ]
iO[ F0 ] ≈ iO[ F1 ]
if F0 and F1 have identical functionality
adv
17 Indistinguishability obfuscation
Defined by [ Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan, Yang 01 ]
iO[ F0 ] ≈ iO[ F1 ]
if F0 and F1 have identical functionality
Candidate constructions: [Garg, Gentry, Halevi, Raykova, Sahai, Waters 13], [Barak, Garg, Kalai, Paneth, Sahai 14], [Brakerski, Rothblum 14], [ Zimmerman 15], [Applebaum, Brakerski 15], [Ananth, Jain 15], [Bitansky, Vaikuntanathan ‘15], [Gentry, Gorbunov, Halevi 15], [Lin 16], …
Cryptanalyses: [Cheon, Han, Lee, Ryu, Stehle 15], [Coron et al. 15], [Hu, Jia 16], [Miles, Sahai, Zhandry 16], [Chen, Gentry, Halevi 17], [Coron, Lee, Lepoint, Tibouchi 17], [Chen, Vaikuntanathan, Wee 18], ... 18 Multilinear maps: Private constrained PRFs applications and security
Witness encryption Multiparty key agreement
Multilinear maps Indistinguishability obfuscation
Lockable obfuscation Deniable encryption (Compute-then-Compare obf.) Broadcast encryption
19 Multilinear maps: Private constrained PRFs applications and security
Witness encryption Multiparty key agreement
Multilinear maps Indistinguishability obfuscation
Lockable obfuscation (Compute-then-Compare obf.)
Reduction from LWE; Candidates exists; Broken 20 Plan of today:
1. Introduction 2. The GGH15 construction: functionality and security overview 3. Applications Open problems will be mentioned throughout the talk Bonus: interesting missing topics in the previous talks
21 Recall Learning with Errors Uniform Small Unspecified [ Regev 05 ]
A Y = s x A + E mod q Secret Public matrix noise/error
�×� � ∈ �� (m > n log q) Search LWE: Given �, � = �� + �, find S.
Decisional LWE: Given A, distinguish Y from random. 22 Recall Learning with Errors Uniform Small Unspecified [ Regev 05 ] A Y = s x A + E mod q Secret Public matrix noise/error
�×� � ∈ �� (m > n log q) Search LWE: Given �, � = �� + �, find S.
Decisional LWE: Given A, distinguish Y from random. 23 Recall Learning with Errors Uniform Small Unspecified [ Regev 05 ] A Y = s x A + E mod q Secret Public matrix noise/error
Entries of S from the error distribution As hard as normal LWE [ Applebaum, Cash, Peikert, Sahai 09 ]
24 GGH15 > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] in a nutshell g, gS1, gS2, gS3, ... → g∏S
> (Ring)LWE analogy:
A, S1A+E1,..., SkA+Ek → ∏SA+E mod q
25 GGH15 > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] in a nutshell g, gS1, gS2, gS3, ... → g∏S
> (Ring)LWE analogy:
A, S1A+E1,..., SkA+Ek → ∏SA+E mod q
How to put them together?
26 GGH15 > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] in a nutshell g, gS1, gS2, gS3, ... → g∏S
> (Ring)LWE analogy:
A, S1A+E1,..., SkA+Ek → ∏SA+E mod q
Idea: using lattice trapdoor sampling to chain them together
27 GGH15 > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] in a nutshell g, gS1, gS2, gS3, ... → g∏S
> (Ring)LWE analogy:
A, S1A+E1,..., SkA+Ek → ∏SA+E mod q
Idea: using lattice trapdoor sampling to chain them together
GGH15: “the blockchain in multilinear maps”
(also appear as “cascaded LWE” in [ Koppula-Waters 16], [ Alamati-Peikert 16]) 28 Recall lattice trapdoor A The trapdoor for [ Ajtai 99 ], [ Alwen, Peikert 09 ], [ Micciancio, Peikert 12 ] can be used to solve SIS and LWE.
29 Recall lattice trapdoor A The trapdoor for [ Ajtai 99 ], [ Alwen, Peikert 09 ], [ Micciancio, Peikert 12 ] can be used to solve SIS and LWE.
Given an image Y , find a short vector D s.t.
A x D = Y mod q
30 Lattice trapdoor T is short and full rank in Z [Ajtai 99]
A x T = 0 mod q
31 Lattice trapdoor T is short and full rank in Z [Ajtai 99]
A x T = 0 mod q
Example of solving LWE given T: Given A, y = sA+E mod q Compute yT mod q = (sA+E)T = ET, note that ET is small. Then E can be obtained by multiplying ��� on the right. 32 (Bonus) Trapdoor from [Micciancio, Peikert 12]
�×�� Let � = log� �. � ∈ �
1, b, … bk-1 k-1 Gadget = … … = �� ⊗ 1, b, … b G 1, b, … bk-1
“Power-of-b” matrix
The kernel-lattice of G has an easily computable short basis. Solving SIS for the public matrix G is easy. (Bonus) Trapdoor from [Micciancio, Peikert 12] R A __ = G mod q I Trapdoor for A where A = [ A’ | G – A’R ]
�×�� �×�(���) Let � = log� �. We have � ∈ � , � ∈ � For random images, there is a way to sample Preimage sampling the preimage without revealing the trapdoor. [GPV 08]
35 For random images, there is a way to sample Preimage sampling the preimage without revealing the trapdoor. [GPV 08]
Real: A U D s.t. A x D = U mod q
36 For random images, there is a way to sample Preimage sampling the preimage without revealing the trapdoor. [GPV 08]
Real: A U D s.t. A x D = U mod q
≈ statistical
Simulated: A D U s.t. A x D = U mod q
37 > (Ring)LWE analogy: GGH15 in a nutshell A, S1A+E1,..., SkA+Ek → ∏SA+E mod q
> GGH15: (also appear as “cascaded LWE” in [ Koppula-Waters 16], [ Alamati-Peikert 16])
A0 D1 = S1A1+E1, A1 D2 = S2A2+E2 mod q
38 > (Ring)LWE analogy: GGH15 in a nutshell A, S1A+E1,..., SkA+Ek → ∏SA+E mod q
> GGH15: (also appear as “cascaded LWE” in [ Koppula-Waters 16], [ Alamati-Peikert 16])
A0 D1 = S1A1+E1, A1 D2 = S2A2+E2 mod q
Di is sampled using the trapdoor of Ai-1
39 > (Ring)LWE analogy: GGH15 in a nutshell A, S1A+E1,..., SkA+Ek → ∏SA+E mod q
> GGH15: (also appear as “cascaded LWE” in [ Koppula-Waters 16], [ Alamati-Peikert 16])
A0 D1 = S1A1+E1, A1 D2 = S2A2+E2 mod q
Di is sampled using the trapdoor of Ai-1
= mod q A0 D1 S1A1+E1
A1 D2 = S 2 A 2 +E 2 mod q 40 Zoom in the most S is the eigenvalue of D important relation of this talk
D x Ai-1 i = Si Ai + E mod q
Di is sampled using the trapdoor of Ai-1
41 > (Ring)LWE analogy: GGH15 in a nutshell A, S1A+E1,..., SkA+Ek → ∏SA+E mod q
> GGH15: (also appear as “cascaded LWE” in [ Koppula-Waters 16], [ Alamati-Peikert 16])
A0 D1 = S1A1+E1, A1 D2 = S2A2+E2 mod q
Di is sampled using the trapdoor of Ai-1
Publish A0 , D1 , D2 as the encodings of S1 , S2
42 > (Ring)LWE analogy: GGH15 in a nutshell A, S1A+E1,..., SkA+Ek → ∏SA+E mod q
> GGH15: (also appear as “cascaded LWE” in [ Koppula-Waters 16], [ Alamati-Peikert 16])
A0 D1 = S1A1+E1, A1 D2 = S2A2+E2 mod q
Di is sampled using the trapdoor of Ai-1
Publish A0 , D1 , D2 as the encodings of S1 , S2
Eval = A0 D1 D2 = (S1A1+E1)D2 = S1S2A2 + S1E2 + E1D2 mod q
functionality small 43 A toy example of GGH15 eval D1,1 D2,1 D3,1 D4,1 A0 D1,0 D2,0 D3,0 D4,0
Eval(0110)
= A0D1,0D2,1D3,1D4,0
D x Ai-1 i, b = Si, b Ai + E mod q
44 A toy example of GGH15 eval D D D S1,1 + E1,1 2,1 3,1 4,1 A1 ( S1,0 + E1,0 ) D2,0 D3,0 D4,0
Eval(0110)
= A0D1,0D2,1D3,1D4,0
= (s1,0A1+E1,0)D2,1D3,1D4,0
D x Ai-1 i, b = Si, b Ai + E mod q
45 D D D S1,1 2,1 3,1 4,1 A1 S1,0 D2,0 D3,0 D4,0
Eval(0110) + “small”
= A0D1,0D2,1D3,1D4,0
= (s1,0A1+E1,0)D2,1D3,1D4,0
= s1,0A1D2,1D3,1D4,0 + “small” A toy example of GGH15 eval
46 D D S1,1 S2,1 + E2,1 3,1 4,1 A2 S1,0 ( S2,0 + E2,0 ) D3,0 D4,0
Eval(0110) + “small”
= A0D1,0D2,1D3,1D4,0
= (s1,0A1+E1,0)D2,1D3,1D4,0
= s1,0A1D2,1D3,1D4,0 + “small” = s1,0(s2,1A2+E2,1)D3,1D4,0 + “small” A toy example of GGH15 eval
47 S1,1 S2,1 D3,1 D4,1 A2 S1,0 S2,0 D3,0 D4,0
Eval(0110) + “still small”
= A0D1,0D2,1D3,1D4,0
= (s1,0A1+E1,0)D2,1D3,1D4,0
= s1,0A1D2,1D3,1D4,0 + “small” = s1,0(s2,1A2+E2,1)D3,1D4,0 + “small” A toy example = s1,0s2,1A2D3,1D4,0 + “still small” of GGH15 eval
48 S1,1 S2,1 S3,1 S4,1 A4 S1,0 S2,0 S3,0 S4,0
+ “still small” Eval(0110)
= A0D1,0D2,1D3,1D4,0
= (s1,0A1+E1,0)D2,1D3,1D4,0
= s1,0A1D2,1D3,1D4,0 + “small” = s1,0(s2,1A2+E2,1)D3,1D4,0 + “small” A toy example = s1,0s2,1A2D3,1D4,0 + “still small” of GGH15 eval = s1,0s2,1s3,1A3D4,0 + “still smallish”
= s1,0s2,1s3,1s4,0A4 + “small” 49 S1,1 S2,1 S3,1 S4,1 A4 S1,0 S2,0 S3,0 S4,0 + “small”
Evaluate
D1,1 D2,1 D3,1 D4,1 A A toy example 0 of GGH15 eval D1,0 D2,0 D3,0 D4,0 50 D1,1 D2,1 D3,1 D4,1 Functionality A0 D1,0 D2,0 D3,0 D4,0
A0, S1A1+E1,..., SkAk+Ek → ∏SAk+E mod q
Functionality: evaluate and test whether ∏S is zero or not. (Designing GGH15 applications: put structures in Si, b)
51 D1,1 D2,1 D3,1 D4,1 Functionality A0 and Security D1,0 D2,0 D3,0 D4,0
A0, S1A1+E1,..., SkAk+Ek → ∏SAk+E mod q
Functionality: evaluate and test whether ∏S is zero or not. (Designing GGH15 applications: put structures in Si, b)
Security (intuitively): hides Si, b for all i, b 52 S Functionality & Security D = A +E A0 1,1 S 1 toy examples
A S 0 D1,0 = A1 +E
∏SA +E 2 S A1 D = A2 F(00) = 0 2,1 S +E F(01) = 1 F(10) = 1 A1 D = A2 +E F(11) = 1 2,0 S 53 S Functionality & Security D = A +E A0 1,1 S 1 toy examples
S A0 = A +E D1,0 S 1
S A D A2 1 2,1 = S +E Claim: this construction hides all the structures in the S matrices. S A = A2 1 D2,0 S +E
54 Recall decisional LWE A , S x A + E
≈ computational A , U Permutation - LWE: A(1) S A(1) + E A(2) S x A(2) , A(3) S A(3) ≈ computational A(1) A(2) , U A(3) 55 S Functionality & Security D = A +E A0 1,1 S 1 toy examples
S A0 = A +E D1,0 S 1
S A D A2 1 2,1 = S +E Claim: this construction hides all the structures in the S matrices. S A = A2 1 D2,0 S +E
56 S Functionality & Security D = A +E A0 1,1 S 1 toy examples
S A0 = A +E D1,0 S 1
A1 D2,1 = U2,1
= A1 D2,0 U2,0 Permutation LWE 57 S Functionality & Security D = A +E A0 1,1 S 1 toy examples
S A0 = A +E D1,0 S 1
A1 D2,1 = U2,1
= Turn off the trapdoor A1 D2,0 U2,0 using GPV 58 Functionality & Security D = U A0 1,1 1,1 toy examples
A 0 D1,0 = U1,0
A1 D2,1 = U2,1
= A1 D2,0 U2,0 Permutation LWE 59 Functionality & Security D = U A0 1,1 1,1 toy examples
A 0 D1,0 = U1,0
A1 D2,1 = U2,1
= Turn off the trapdoor A1 D2,0 U2,0 using GPV 60 Ok, looks simple. Are there insecure examples?
61 For example, let S2 = 0 in Insecurity A0 D1 = S1A1+E1, A1 D2 = S2A2+E2 mod q example
= mod q A0 D1 S1A1+E1
A1 D2 = E 2 mod q 62 For example, let S2 = 0 in Insecurity A0 D1 = S1A1+E1, A1 D2 = S2A2+E2 mod q example
D2 becomes a “weak trapdoor” of A1, then S1 is in danger
= mod q A0 D1 S1A1+E1
A1 D2 = E 2 mod q 63 For example, let S2 = 0 in Insecurity A0 D1 = S1A1+E1, A1 D2 = S2A2+E2 mod q example
D2 becomes a “weak trapdoor” of A1, then S1 is in danger
Eval = A0 D1 D2 = (S1A1+E1)D2 = S1E2 + E1D2 mod q
Recover S1E2 + E1D2 over integers, can do many things.
= mod q A0 D1 S1A1+E1
A1 D2 = E 2 mod q 64 Plan of today:
1. Introduction 2. The GGH15 construction: functionality and security overview 3. Applications Open problems will be mentioned throughout the talk
65 Private constrained PRFs [ Canetti, Chen 17 ]
Witness encryption [ Chen, Vaikuntanathan, Wee 18 ] Multiparty key agreement
Multilinear maps Indistinguishability obfuscation
Lockable obfuscation Deniable encryption (Compute-then-Compare obf.) Broadcast encryption
Reduction from LWE; Candidates exists; Broken 66 What are private constrained PRFs?
67 Private constrained Pseudorandom Function in 3 slides
68 Private constrained Pseudorandom Function in 3 slides
PRF A truly random function
adv
With oracle access to either left or right 69 Private constrained Pseudorandom Function in 3 slides
original key Privately modified key
adv
either the original key or the modified one Private key owner
70 What are private constrained PRFs? Fine, so why is it useful?
71 Hide the program in the constraint
Reminiscent of obfuscation ... Theorem [ Canetti Chen 17 ]: Two-key PCPRF (for a circuit class C) implies obfuscation (for C)
Construction:
Obf = ( K[C], K[Original] )
Obfuscation Eval(x): check consistency Eval( K[C], x) =? Eval( K[Original], x) C
Z 73 Jumping ahead, if you publish two constrained keys, there is an attack …
In the rest of the talk, we will focus on:
1-key secure PCPRFs.
74 Decrypt and eval
1-key PCPRF => Reusable Garbled Circuits Theorem [ Canetti Chen 17 ] 1-key PCPRF implies 1-key private-key functional encryption (reusable garbled circuits).
Construction: from normal encryption Sym and PCPRF F
Enc(m;r): ct = EncSym.K(m;r); tag = F[K](ct) FSK[Sym.K, F.K, C]: constrained key for the “decryption and eval” functionality C(DecSym.K( . ))
Eval: compute F[C(DecSym.K( . ))](ct), and compare with tag Applications of PCPRFs: *Obfuscation Reusable garbled circuits Privately-detectable watermarking Maybe more …
77 What are private constrained PRFs? Why is it useful? How to construct?
78 Step 1: We need a PRF. Step 2: Add a constraint privately.
79 [ Banerjee, Peikert, Rosen ’12 ] Subset-product & rounding
s1,1 s2,1 ... sn,1 Key: A mod q s1,0 s2,0 ... sn,0
Eval: F(x) = { ∏si,xi A }2
si,b are LWE secrets from low-norm distributions
80 Rounding: {t}p: Zq -> Zp
Compute t*p/q, then round to the nearest integer
In this talk, p=2, q/p>exp(L), q/p ∼ super-polynomial
q
Amount of noise 81 [ Banerjee, Peikert, Rosen 12 ] Proof of pseudorandomness Uniform Small Unspecified
A is public, Si,xi are secret
S1,1 S2,1 S3,1 S4,1 A mod q S1,0 S2,0 S3,0 S4,0
F(x) = { ∏si,xi A }2
Main observation: After rounding, can inject noises without changing functionality whp.
82 [ Banerjee, Peikert, Rosen 12 ] Proof of pseudorandomness Uniform Small Unspecified
A is public, Si,xi are secret
S1,1 S2,1 S3,1 S4,1 A mod q S1,0 S2,0 S3,0 S4,0
F(0110) F(x) = { ∏si,xi A }2 = { s1,0s2,1s3,1s4,0 A }2
83 [ Banerjee, Peikert, Rosen 12 ] Proof of pseudorandomness Uniform Small Unspecified
A is public, Si,xi are secret
S1,1 S2,1 S3,1 S4,1 A mod q S1,0 S2,0 S3,0 S4,0
F(0110) F(x) = { ∏si,xi A }2 = { s1,0s2,1s3,1s4,0 A }2 ≈s { s1,0s2,1s3,1(s4,0 A+E4,0) }2
84 [ Banerjee, Peikert, Rosen 12 ] Proof of pseudorandomness Uniform Small Unspecified
A is public, Si,xi are secret
S1,1 S2,1 S3,1 S4,1 A mod q S1,0 S2,0 S3,0 S4,0
F(0110) F(x) = { ∏si,xi A }2 = { s1,0s2,1s3,1s4,0 A }2 ≈s { s1,0s2,1s3,1(s4,0 A+E4,0) }2 ≈c { s1,0s2,1s3,1Y***0 }2
85 [ Banerjee, Peikert, Rosen 12 ] Proof of pseudorandomness Uniform Small Unspecified
A is public, Si,xi are secret
S1,1 S2,1 S3,1 S4,1 A mod q S1,0 S2,0 S3,0 S4,0
F(0110) F(x) = { ∏si,xi A }2 = { s1,0s2,1s3,1s4,0 A }2 ≈s { s1,0s2,1s3,1(s4,0 A+E4,0) }2 ≈c { s1,0s2,1s3,1Y***0 }2 ≈s { s1,0s2,1(s3,1Y***0+E3,1) }2
86 [ Banerjee, Peikert, Rosen 12 ] Proof of pseudorandomness Uniform Small Unspecified
A is public, Si,xi are secret
S1,1 S2,1 S3,1 S4,1 A mod q S1,0 S2,0 S3,0 S4,0
F(0110) F(x) = { ∏si,xi A }2 = { s1,0s2,1s3,1s4,0 A }2 ≈s { s1,0s2,1s3,1(s4,0 A+E4,0) }2 ≈c { s1,0s2,1s3,1Y***0 }2 ≈s { s1,0s2,1(s3,1Y***0+E3,1) }2 ≈c { s1,0s2,1Y**10 }2
≈ … ≈ { Y0110 }2 87 [ Banerjee, Peikert, Rosen ’12 ] Subset-product & rounding
s1,1 s2,1 ... sn,1 Key: A mod q s1,0 s2,0 ... sn,0
Eval: F(x) = { ∏si,xi A }2
Exercise: show that taking matrix subset-product without rounding does not give a PRF.
88 [ Banerjee, Peikert, Rosen ’12 ] Subset-product & rounding
s1,1 s2,1 ... sn,1 Key: A mod q s1,0 s2,0 ... sn,0
Eval: F(x) = { ∏si,xi A }2
Open problem: prove or disprove that when q is a polynomial, the construction is a PRF.
89 s1,1 s2,1 ... sn,1 Key: A mod q s1,0 s2,0 ... sn,0
Eval: F(x) = { ∏si,xi A }2
What we need in addition to build a Private Constrained PRF:
+ Embed structures in the secret terms to perform functionality (Barrington’s theorem) + A proper public mode of the function (GGH15 encoding)
90 Imagine the GGH15 S1,1 S2,1 S3,1 S4,1 encoding of the PRF A4 S1,0 S2,0 S3,0 S4,0 + “small”
Evaluate
D1,1 D2,1 D3,1 D4,1 A0 D1,0 D2,0 D3,0 D4,0 91 Barrington’s theorem (used to embed a circuit into the key)
92 93 (Bonus) Barrington 1986: log-depth boolean circuits can be recognized by subset products of permutation matrices of width 5. Example: how to represent an AND gate
1 P Q P-1 Q-1
0 I I I I
Input wire 1 Input wire 2 Input wire 1 Input wire 2 94 (Bonus) Barrington 1986: log-depth boolean circuits can be recognized by subset products of permutation matrices of width 5. Example: how to represent an AND gate 0 and 0
1
0 I I I I
Input wire 1 Input wire 2 Input wire 1 Input wire 2 95 (Bonus) Barrington 1986: log-depth boolean circuits can be recognized by subset products of permutation matrices of width 5. Example: how to represent an AND gate 0 and 1
1 Q Q-1
0 I I
Input wire 1 Input wire 2 Input wire 1 Input wire 2 96 (Bonus) Barrington 1986: log-depth boolean circuits can be recognized by subset products of permutation matrices of width 5. Example: how to represent an AND gate 1 and 0
1 P P-1
0 I I
Input wire 1 Input wire 2 Input wire 1 Input wire 2 97 (Bonus) Barrington 1986: log-depth boolean circuits can be recognized by subset products of permutation matrices of width 5. Example: how to represent an AND gate 1 and 1 PQP-1Q-1 = C ≠ I
1 P Q P-1 Q-1
0
Input wire 1 Input wire 2 Input wire 1 Input wire 2 Representation of the constraint predicate: branching program
1 B1,1 B2,1 B3,1 ... BL,1
0 B1,0 B2,0 B3,0 ... BL,0 Steps 1 2 3 ... L Eval: ∏Bz(i),x_z(i) = I or C Input z(1) z(2) z(3) ... z(L)
98 We set the secrets like:
S S1,1 S2,1 S3,1 S4,1 S A4 S S S S S 1,0 2,0 3,0 4,0 S S
Representation of secrets (to be encoded by GGH15): Bi,b⊗si,b
S S S S e.g. I ⊗ s = S P ⊗ s = S S S 99 S S PCPRF for NC1 constraints (permutation branching programs)
100 PCPRFs for Branching programs from GGH15
Master public key: A0 … AL (L = #steps in BP)
Master secret key: trapdoors of A1 … AL, s1,0 , s1,1, ..., sL,0, sL,1
Constrained key gen: let Si,b:=Bi,b⊗si,b, sample GGH15 encodings for Si,b
Eval: F(x) = { A0 ∏Di,x_z(i) }2 , then pick the first row S A(1) S x A(2) +E S A(3) Constrained key:
D1,1 D2,1 D3,1 D4,1
A’0
D1,0 D2,0 D3,0 D4,0
1 2 1 2 101 PCPRFs for Branching programs from GGH15
Master public key: A0 … AL (L = #steps in BP)
Master secret key: trapdoors of A1 … AL, s1,0 , s1,1, ..., sL,0, sL,1
Constrained key gen: let Si,b:=Bi,b⊗si,b, sample GGH15 encodings for Si,b
Eval: F(x) = { A0 ∏Di,x_z(i) }2 , then pick the first row Functionality check: When C(x)=1: F(x) = { A0 ∏Di,x_z(i) }2 = { ( I⊗∏si,x_z(i) ) AL + small noise }2 ≈s{ ( I⊗∏si,x_z(i) ) AL }2 When C(x)=0: F(x) = { A0 ∏Di,x_z(i) }2 = { ( C⊗∏si,x_z(i) ) AL + small noise }2
≈s{ ( C⊗∏si,x_z(i) ) AL }2 102 PCPRFs for Branching programs from GGH15 Uniform Small Unspecified Example: C(x)=0 iff x1=x2=1 query x=11 si,xi are secret, Ai , Di,xi are public
D1,1 D2,1 D3,1 D4,1 { I⊗(s1,1s2,1s3,1s4,1 )A4 }2 A0
D1,0 D2,0 D3,0 D4,0 Real
How to show that the branching program is hidden by GGH15 encoding?
103 PCPRFs for Branching programs from GGH15 Uniform Small Unspecified Example: C(x)=0 iff x1=x2=1 query x=11 si,xi are secret, Ai , Di,xi are public
D1,1 D2,1 D3,1 D4,1 { I⊗(s1,1s2,1s3,1s4,1 )A4 }2 A0
D1,0 D2,0 D3,0 D4,0 Real
D1,1 D2,1 D3,1 D4,1 A0 { Uniform }2 D D D D 1,0 2,0 3,0 4,0 Simulator
104 PCPRFs for Branching programs from GGH15 Uniform Small Unspecified Example: C(x)=0 iff x1=x2=1 query x=11 si,xi are secret, Ai , Di,xi are public
D1,1 D2,1 D3,1 D4,1
A0 A1 A2 A3 A4 Real D1,0 D2,0 D3,0 D4,0
Eval(11) = { I⊗(s1,1s2,1s3,1s4,1 )A4 }2
105 PCPRFs for Branching programs from GGH15 Uniform Small Unspecified Example: C(x)=0 iff x1=x2=1 query x=11 si,xi are secret, Ai , Di,xi are public
-1 D1,1 D2,1 D3,1 D4,1 Y4,1= (Q ⊗s4,1)A4+E4,1
A0 A1 A2 A3 A4
D1,0 D2,0 D3,0 D4,0 Y4,0= (I⊗s4,0)A4+E4,0
Eval(11) = { I⊗(s1,1s2,1s3,1s4,1 )A4 }2 -1 ≈s { (Q⊗(s1,1s2,1s3,1))((Q ⊗s4,1)A4+E4,1 ) }2
106 re-express PCPRFs for Branching programs from GGH15 Uniform Small Unspecified Example: C(x)=0 iff x1=x2=1 query x=11 si,xi are secret, Ai , Di,xi are public
D1,1 D2,1 D3,1 D4,1 U4,1
A0 A1 A2 A3 A4
D1,0 D2,0 D3,0 D4,0 U4,0
Eval(11) = { I⊗(s1,1s2,1s3,1s4,1 )A4 }2
≈s { (Q⊗(s1,1s2,1s3,1))U4,1 }2
107 Perm-LWE PCPRFs for Branching programs from GGH15 Uniform Small Unspecified Example: C(x)=0 iff x1=x2=1 query x=11 si,xi are secret, Ai , Di,xi are public
D1,1 D2,1 D3,1 D4,1
A0 A1 A2 A3 A4
D1,0 D2,0 D3,0 D4,0
Eval(11) = { I⊗(s1,1s2,1s3,1s4,1 )A4 }2 -1 ≈s { (Q⊗(s1,1s2,1s3,1))((Q ⊗s4,1)A4+E4,1 ) }2
≈c { (Q⊗(s1,1s2,1s3,1))A3D4,1 }2
108 GPV PCPRFs for Branching programs from GGH15 Uniform Small Unspecified Example: C(x)=0 iff x1=x2=1 query x=11 si,xi are secret, Ai , Di,xi are public
Y = (P-1⊗s )A +E D1,1 D2,1 D3,1 3,1 3,1 3 3,1 D4,1
A0 A1 A2 A3 A4
D1,0 D2,0 D3,0 D4,0 Y3,0= (I⊗s3,0)A3+E3,0 Eval(11) = { I⊗(s1,1s2,1s3,1s4,1 )A4 }2 -1 ≈s { (Q⊗(s1,1s2,1s3,1))((Q ⊗s4,1)A4+E4,1 ) }2
≈c { (Q⊗(s1,1s2,1s3,1))A3D4,1 }2 -1 ≈s { (QP⊗(s1,1s2,1))((P ⊗s3,1)A3+E3,1 )D4,1 }2
109 re-express PCPRFs for Branching programs from GGH15 Uniform Small Unspecified Example: C(x)=0 iff x1=x2=1 query x=11 si,xi are secret, Ai , Di,xi are public
D1,1 D2,1 D3,1 D4,1
A0 A1 A2 A3 A4
D1,0 D2,0 D3,0 D4,0
Eval(11) = { I⊗(s1,1s2,1s3,1s4,1 )A4 }2 -1 ≈s { (Q⊗(s1,1s2,1s3,1))((Q ⊗s4,1)A4+E4,1 ) }2
≈c { (Q⊗(s1,1s2,1s3,1))A3D4,1 }2 -1 ≈s { (QP⊗(s1,1s2,1))((P ⊗s3,1)A3+E3,1 )D4,1 }2
≈c { (QP⊗(s1,1s2,1))A2D3,1D4,1 }2 -1 ≈c … ≈c { C A0∏Dz(x),x_z(x)}2 110 Takeaway from the PCPRF construction:
It is safe to use GGH15 to encode permutation matrices and make it useful. S A(1) S x A(2) S A(3)
D1,1 D2,1 D3,1 D4,1
A’0
D1,0 D2,0 D3,0 D4,0
1 2 1 2 111 Genealogy of Lattices-based PRFs [BPR12] -- the first lattice-based PRF [BLMR13] -- key homomorphic *[BP14] -- better key homomorphic, embed a tree *[BFPPS15] -- [BP14] is puncturable *[BV15] -- embed a circuit, constrained for P *[BKM17] -- puncture privately, built from [BV15] [CC17] -- constrained privately for NC1, influenced by GGH15 mmaps *[BTVW17] -- constrained privately for all P, built from [BV15] *[PS18] -- constrained and program privately for all P, built from [BV15] [CVW18] -- constrained privately for BP, influenced by GGH15 mmaps
* uses gadget matrix G, adapted from the lattices-based FHE, ABE, PE
Question: Is there a transformation between Dual-Regev-based homomorphic schemes and GGH15-based ones? 112 Multilinear maps: Private constrained PRFs applications with reductions from LWE
*Hash functions for Fiat-Shamir (exercise) GGH15 Multilinear maps
Traitor tracing Lockable obfuscation (Compute-then-Compare obf.)
113 Open problem: use the S1,1 S2,1 S3,1 S4,1 PCPRF construction as A4 a hash function: prove S1,0 S2,0 S3,0 S4,0 more properties. + “small”
Evaluate
D1,1 D2,1 D3,1 D4,1 A0 D1,0 D2,0 D3,0 D4,0 114 Application 1: Private constrained PRF from GGH15 encoding 1. PRF from lattices 2. Constrained PRF 3. Private constrained PRF with a reduction from LWE Mainly based on [ Canetti, Chen 17 ]
Application 2: Witness encryption 1. A candidate construction (without reduction from anything) 2. The proof techniques we developed. Mainly based on [ Chen, Vaikuntanathan, Wee 18 ]
115 WitnessEnc( x, m ) -> CT, x = instance, m = message Decryption( CT, w ), w = witness Functionality: if x = SAT -----> can use the witness to decrypt the msg. Security: if x = UNSAT ------> msg is hidden.
WitnessEnc( x = “GapSVP is in BQP”, msg = 100 Bitcoins)
116 > Current status of witness encryption: there are several candidates (more-or-less based on multilinear maps); none of them are based on established cryptographic assumptions.
> [Garg et al. 13] candidate witness encryption based on GGH13.
> Broken by [Hu, Jia 16]
> [Gentry, Lewko, Waters 14 ] from multilinear subgroup decision assumption (which is open)
Do we have secure Witness encryption?
117 When witness encryption meets multilinear maps ...
[ Gentry, Lewko, Waters 14 ] witness encryption from “mmaps subgroup decision assumption”
118 [ Gentry, Lewko, Waters 14 ] gives a simple encoding of CNF. Example: encoding a point function C(x) = 0 iff x = 100
0 S S 1 S S S S S S
S S S
0 S 0 S
S S 0
1 2 3 In general: Any CNF => diagonal matrix read-once branching programs 119 [ Gentry, Lewko, Waters 14 ] gives a simple encoding of CNF. A strawman implementation of GLW14 in GGH15
A0 D1,0 = S1,0A1+E1,0, …, Ah-1 Dh,0 = Sh,0Ah+Eh,0 mod q
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q
S’
0 The CNF slots are all on the diagonal Mh,1 Ⓧ S’h,1 = …
S’
CNF slots msg 120 So far: A witness encryption with special structure that uses GGH15 + diagonal / low-rank matrix branching program.
Q: Can we show anything secure for low-rank BP + GGH15?
A: Yes! … In some limited cases
121 As secure as LWE: When there is one “slot” that is always random in all the matrices.
A0 D1,0 = S1,0A1+E1,0, …, Ah-1 Dh,0 = Sh,0Ah+Eh,0 mod q
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q
Anything Anything
S11 Sh1
The “always random” slot 122 Where can the special type of BP be useful?
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q
Anything Anything
S11 Sh1
The “always random” slot 123 Where can the special type of BP be useful? We don’t know how to build a witness encryption or iO from this type of BP :(
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q
Anything Anything
S11 Sh1
The “always random” slot 124 Where can the special type of BP be useful? We don’t know how to build a witness encryption or iO from this type of BP :( We can simplify the private constrained PRF, Lockable obfuscation :)
E.g. Instantiate the private puncturable PRF from [Boneh, Lewi, Wu 17] described under the multilinear subgroup decision assumption:
125 Where can the special type of BP be useful? We don’t know how to build a witness encryption or iO from this type of BP :( We can simplify the private constrained PRF, Lockable obfuscation :)
E.g. Instantiate the private puncturable PRF from [Boneh, Lewi, Wu 17] described under the multilinear subgroup decision assumption:
A0 D1,0 = S1,0A1+E1,0, …, Ah-1 Dh,0 = Sh,0Ah+Eh,0 mod q
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q
s The “puncturable” slot s
S11 Sh1 The “always random” slot 126 0 S S 1 S S 0 S S S
S 0 S
0 S S S
S S 0
1 2 3 Open problem: prove or disprove that the structures are hidden when the evaluation is big for ALL inputs => witness encryption 127 How to prove security for GGH15 + low-rank BPs? Semantic security:
A0 D1,0 = S1,0A1+E1,0, …, Ah-1 Dh,0 = Sh,0Ah+Eh,0 mod q
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q ≈ computational
A0 D1,0 = S1,0UA1,01+E1,0, …, Ah-1 Dh,0 = Sh,0UAhh,0+Eh,0 mod q A D = S A +E , …, A D = S A +E mod q 0 1,1 1,1U1,11 1,1 h-1 h,1 h,1Uhh,1 h,1
“A” matrices: using trapdoors; not using trapdoors 128 For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q
Ah-1(1) Yh-1(1) 0 Ah(1) x D = = +E Ah-1(2) h,1 Yh-1(2) S Ah(2)
129 For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q
Ah-1(1) Yh-1(1) 0 Ah(1) x D = = +E Ah-1(2) h,1 Yh-1(2) S Ah(2)
Observation: Yh-1(1) is not random The problem: How to close the trapdoor of Ah-1 ?
130 Lattice trapdoor Lemma 1:
Z is arbitrary A(1) Z x = U is uniform A(2) D U A trapdoor is used
131 Lattice trapdoor Lemma 1:
Z is arbitrary A(1) Z x = U is uniform A(2) D U A trapdoor is used
A(1) Z ≈ statistical x = A(2) D U close the trapdoor of A(2) 132 For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q
Ah-1(1) Yh-1(1) 0 Ah(1) x D = = +E Ah-1(2) h,1 Yh-1(2) S Ah(2)
Use Lemma 1 + use S as public matrix: can close the lower trapdoor all the way back
133 For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q
Ah-1(1) Yh-1(1) 0 Ah(1) x D = = +E Ah-1(2) h,1 Yh-1(2) S Ah(2)
Use Lemma 1 + use S as public matrix: can close the lower trapdoor all the way back
134 For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q …
A0(1) Y1(1) 0 A1(1) x D = = +E A0(2) 1,1 Y1(2) S A1(2)
Use Lemma 1 + use S as public matrix: can close the lower trapdoor all the way back
135 For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q …
A0(1) Y1(1) 0 A1(1) x D = = +E A0(2) 1,1 Y1(2) S A1(2)
Use Lemma 1 + use S as public matrix: can close the lower trapdoor all the way back Problem: Now how to deal with the upper matrices?
136 For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q …
x = = +E A0(1) D Y1(1) 0 A1(1) A0(2) 1,1 Y1(2) S A1(2)
Use Lemma 1 + use S as public matrix: can close the lower trapdoor all the way back Problem: Now how to deal with the upper matrices?
Solution: In the real construction, give out A0(1) + A0(2). 137 Lattice trapdoor Lemma 2:
A D = Z +E
For any Z, for a uniformly random A, D is the preimage of Z+E.
138 Lattice trapdoor Lemma 2:
You cannot A D = Z +E see A & Z+E
For any Z, for a uniformly random A, D is the preimage of Z+E.
If A & Z+ E is hidden, 139 Lattice trapdoor Lemma 2:
You cannot A D = Z +E see A & Z+E
≈ computational A D = Z +E
For any Z, for a uniformly random A, D is the preimage of Z+E.
If A & Z+ E is hidden, then D is indistinguishable from random Gaussian. 140 For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q
x = = +E A0(1) D Y1(1) 0 A1(1) A0(2) 1,1 Y1(2) S A1(2)
Use Lemma 1 + use S as public matrix: can close the lower trapdoor all the way back Problem: Now how to deal with the upper matrices?
Solution: In the real construction, give out A0(1) + A0(2), + Lemma 2 141 For possibly low-rank secret matrices: helpful to separate the matrices into (1) and (2)
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q
x = = +E A0(1) D Y1(1) 0 A1(1) A0(2) 1,1 Y1(2) S A1(2)
Use Lemma 1 + use S as public matrix: can close the lower trapdoor all the way back Problem: Now how to deal with the upper matrices?
Solution: In the real construction, give out A0(1) + A0(2), + Lemma 2 142 Replay: the proof for GGH15 + low-rank BP
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q …
A0(1) Y1(1) 0 A1(1) x D = = +E A0(2) 1,1 Y1(2) S A1(2)
First use the lower level random matrices to come left (need new lemma 1)
143 Replay: the proof for GGH15 + low-rank BP
A0 D1,1 = S1,1A1+E1,1, …, Ah-1 Dh,1 = Sh,1Ah+Eh,1 mod q
x = = +E A0(1) D Y1(1) 0 A1(1) A0(2) 1,1 Y1(2) S A1(2)
First use the lower level random matrices to come left (need new lemma 1)
Then use the upper level “hidden A at the left” to go right (need new lemma 2) 144 Private constrained PRFs Summary [ Canetti, Chen 17 ]
Witness encryption [ Chen, Vaikuntanathan, Wee 18 ] Multiparty key agreement
Multilinear maps Indistinguishability obfuscation
Lockable obfuscation Deniable encryption (Compute-then-Compare obf.) Broadcast encryption
Reduction from LWE; Candidates exists; Broken 145 Future directions
> Identifying more safe/insecure modes for GGH15, GGH13, CLT13, analysis with new concrete assumptions/conjectured hard problems. > One of the concrete direction: Build applications from multilinear maps with “slots” => instantiate using GGH15 with diagonal matrices, see if there is a chance of proving from LWE.
146 THANKS FOR YOUR TIME
THE END
Crypto Innovation School Shanghai
2019 147