Multilinear maps from lattices Constructions, attacks, and applications
Yilei Chen (Visa Research)
Crypto Innovation School Shanghai
2019 1 What are multilinear maps?
2 3 Cool. So what are the multilinear maps in cryptography?
4 > Discrete-log problem [ Diffie, Hellman 76 ] Multilinear maps in Cryptography Given g, gS mod q, finding s is hard
5 > Discrete-log problem [ Diffie, Hellman 76 ] Multilinear maps in Cryptography Given g, gS mod q, finding s is hard
> Bilinear maps from Weil pairing over elliptic curve groups [ Miller 86 ] How to compute Weil pairing [ Sakai, Ohgishi, Kasahara 00 ] Identity-based key-exchange [ Joux 00 ] Three-party non-interactive key exchange [ Boneh, Franklin 02 ] Identity-base key exchange gS1, gS2 → gS1S2
6 > Discrete-log problem [ Diffie, Hellman 76 ] Multilinear maps in Cryptography Given g, gS mod q, finding s is hard
> Bilinear maps from Weil pairing over elliptic curve groups [ Miller 86 ] How to compute Weil pairing [ Sakai, Ohgishi, Kasahara 00 ] Identity-based key-exchange [ Joux 00 ] Three-party non-interactive key exchange [ Boneh, Franklin 02 ] Identity-base key exchange gS1, gS2 → gS1S2
> Multilinear maps: motivated in [ Boneh, Silverberg 03 ] with the potential applications of constructing unique signature, broadcast encryption, etc. gS1, gS2, gS3, ... → g∏S 7 Multilinear maps in Cryptography Where to find multilinear maps.
gS1, gS2, gS3, ... → g∏S
8 Multilinear maps in Cryptography Where to find multilinear maps.
gS1, gS2, gS3, ... → g∏S
“If an n-multilinear map is computable, it is reasonable to expect it to come from geometry, as is the case for Weil and Tate pairings when n = 2.”
– Boneh, Silverberg, 2003
9 Multilinear maps in Cryptography Where to find multilinear maps.
gS1, gS2, gS3, ... → g∏S
“If an n-multilinear map is computable, it is reasonable to expect it to come from geometry, as is the case for Weil and Tate pairings when n = 2.”
– Boneh, Silverberg, 2003
*New: Trilinear maps from abelian varieties [ Huang 2018 ], requires further investigation.
10 What are multilinear maps? Why from lattices?
11 Multilinear maps > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] since 2013 g, gS1, gS2, gS3, ... → g∏S
Garg, Gentry, Halevi [ GGH 13 ] propose a candidate by modifying the NTRU-based FHE
12 Multilinear maps > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] since 2013 g, gS1, gS2, gS3, ... → g∏S
Garg, Gentry, Halevi [ GGH 13 ] propose a candidate by modifying the NTRU-based FHE
Think of as homomorphic encryption + public zero-test i.e. being able to distinguish g0 versus gnon-zero
13 Multilinear maps > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] since 2013 g, gS1, gS2, gS3, ... → g∏S
Garg, Gentry, Halevi [ GGH 13 ] propose a candidate by modifying the NTRU-based FHE
Think of as homomorphic encryption + public zero-test i.e. being able to distinguish g0 versus gnon-zero
Coron, Lepoint, Tibouchi [ CLT 13 ]: modifying the FHE based on approximate gcd
Gentry, Gorbunov, Halevi [ GGH 15 ]: from non-standard use of the GSW FHE
14 Multilinear maps: Private constrained PRFs applications and security
Witness encryption Multiparty key agreement
Multilinear maps Indistinguishability obfuscation
Lockable obfuscation Deniable encryption (Compute-then-Compare obf.) Broadcast encryption
15 Multilinear maps: applications and security
Multilinear maps Indistinguishability obfuscation
[Garg, Gentry, Halevi, Raykova, Sahai, Waters 13]
16 Indistinguishability obfuscation
Defined by [ Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan, Yang 01 ]
iO[ F0 ] ≈ iO[ F1 ]
if F0 and F1 have identical functionality
adv
17 Indistinguishability obfuscation
Defined by [ Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan, Yang 01 ]
iO[ F0 ] ≈ iO[ F1 ]
if F0 and F1 have identical functionality
Candidate constructions: [Garg, Gentry, Halevi, Raykova, Sahai, Waters 13], [Barak, Garg, Kalai, Paneth, Sahai 14], [Brakerski, Rothblum 14], [ Zimmerman 15], [Applebaum, Brakerski 15], [Ananth, Jain 15], [Bitansky, Vaikuntanathan ‘15], [Gentry, Gorbunov, Halevi 15], [Lin 16], …
Cryptanalyses: [Cheon, Han, Lee, Ryu, Stehle 15], [Coron et al. 15], [Hu, Jia 16], [Miles, Sahai, Zhandry 16], [Chen, Gentry, Halevi 17], [Coron, Lee, Lepoint, Tibouchi 17], [Chen, Vaikuntanathan, Wee 18], ... 18 Multilinear maps: Private constrained PRFs applications and security
Witness encryption Multiparty key agreement
Multilinear maps Indistinguishability obfuscation
Lockable obfuscation Deniable encryption (Compute-then-Compare obf.) Broadcast encryption
19 Multilinear maps: Private constrained PRFs applications and security
Witness encryption Multiparty key agreement
Multilinear maps Indistinguishability obfuscation
Lockable obfuscation (Compute-then-Compare obf.)
Reduction from LWE; Candidates exists; Broken 20 Plan of today:
1. Introduction 2. The GGH15 construction: functionality and security overview 3. Applications Open problems will be mentioned throughout the talk Bonus: interesting missing topics in the previous talks
21 Recall Learning with Errors Uniform Small Unspecified [ Regev 05 ]
A Y = s x A + E mod q Secret Public matrix noise/error