Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa Research) Crypto Innovation School Shanghai 2019 1 What are multilinear maps? 2 3 Cool. So what are the multilinear maps in cryptography? 4 > Discrete-log problem [ Diffie, Hellman 76 ] Multilinear maps in Cryptography Given g, gS mod q, finding s is hard 5 > Discrete-log problem [ Diffie, Hellman 76 ] Multilinear maps in Cryptography Given g, gS mod q, finding s is hard > Bilinear maps from Weil pairing over elliptic curve groups [ Miller 86 ] How to compute Weil pairing [ Sakai, Ohgishi, Kasahara 00 ] Identity-based key-exchange [ Joux 00 ] Three-party non-interactive key exchange [ Boneh, Franklin 02 ] Identity-base key exchange gS1, gS2 → gS1S2 6 > Discrete-log problem [ Diffie, Hellman 76 ] Multilinear maps in Cryptography Given g, gS mod q, finding s is hard > Bilinear maps from Weil pairing over elliptic curve groups [ Miller 86 ] How to compute Weil pairing [ Sakai, Ohgishi, Kasahara 00 ] Identity-based key-exchange [ Joux 00 ] Three-party non-interactive key exchange [ Boneh, Franklin 02 ] Identity-base key exchange gS1, gS2 → gS1S2 > Multilinear maps: motivated in [ Boneh, Silverberg 03 ] with the potential applications of constructing unique signature, broadcast encryption, etc. gS1, gS2, gS3, ... → g∏S 7 Multilinear maps in Cryptography Where to find multilinear maps. gS1, gS2, gS3, ... → g∏S 8 Multilinear maps in Cryptography Where to find multilinear maps. gS1, gS2, gS3, ... → g∏S “If an n-multilinear map is computable, it is reasonable to expect it to come from geometry, as is the case for Weil and Tate pairings when n = 2.” – Boneh, Silverberg, 2003 9 Multilinear maps in Cryptography Where to find multilinear maps. gS1, gS2, gS3, ... → g∏S “If an n-multilinear map is computable, it is reasonable to expect it to come from geometry, as is the case for Weil and Tate pairings when n = 2.” – Boneh, Silverberg, 2003 *New: Trilinear maps from abelian varieties [ Huang 2018 ], requires further investigation. 10 What are multilinear maps? Why from lattices? 11 Multilinear maps > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] since 2013 g, gS1, gS2, gS3, ... → g∏S Garg, Gentry, Halevi [ GGH 13 ] propose a candidate by modifying the NTRU-based FHE 12 Multilinear maps > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] since 2013 g, gS1, gS2, gS3, ... → g∏S Garg, Gentry, Halevi [ GGH 13 ] propose a candidate by modifying the NTRU-based FHE Think of as homomorphic encryption + public zero-test i.e. being able to distinguish g0 versus gnon-zero 13 Multilinear maps > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] since 2013 g, gS1, gS2, gS3, ... → g∏S Garg, Gentry, Halevi [ GGH 13 ] propose a candidate by modifying the NTRU-based FHE Think of as homomorphic encryption + public zero-test i.e. being able to distinguish g0 versus gnon-zero Coron, Lepoint, Tibouchi [ CLT 13 ]: modifying the FHE based on approximate gcd Gentry, Gorbunov, Halevi [ GGH 15 ]: from non-standard use of the GSW FHE 14 Multilinear maps: Private constrained PRFs applications and security Witness encryption Multiparty key agreement Multilinear maps Indistinguishability obfuscation Lockable obfuscation Deniable encryption (Compute-then-Compare obf.) Broadcast encryption 15 Multilinear maps: applications and security Multilinear maps Indistinguishability obfuscation [Garg, Gentry, Halevi, Raykova, Sahai, Waters 13] 16 Indistinguishability obfuscation Defined by [ Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan, Yang 01 ] iO[ F0 ] ≈ iO[ F1 ] if F0 and F1 have identical functionality adv 17 Indistinguishability obfuscation Defined by [ Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan, Yang 01 ] iO[ F0 ] ≈ iO[ F1 ] if F0 and F1 have identical functionality Candidate constructions: [Garg, Gentry, Halevi, Raykova, Sahai, Waters 13], [Barak, Garg, Kalai, Paneth, Sahai 14], [Brakerski, Rothblum 14], [ Zimmerman 15], [Applebaum, Brakerski 15], [Ananth, Jain 15], [Bitansky, Vaikuntanathan ‘15], [Gentry, Gorbunov, Halevi 15], [Lin 16], … Cryptanalyses: [Cheon, Han, Lee, Ryu, Stehle 15], [Coron et al. 15], [Hu, Jia 16], [Miles, Sahai, Zhandry 16], [Chen, Gentry, Halevi 17], [Coron, Lee, Lepoint, Tibouchi 17], [Chen, Vaikuntanathan, Wee 18], ... 18 Multilinear maps: Private constrained PRFs applications and security Witness encryption Multiparty key agreement Multilinear maps Indistinguishability obfuscation Lockable obfuscation Deniable encryption (Compute-then-Compare obf.) Broadcast encryption 19 Multilinear maps: Private constrained PRFs applications and security Witness encryption Multiparty key agreement Multilinear maps Indistinguishability obfuscation Lockable obfuscation (Compute-then-Compare obf.) Reduction from LWE; Candidates exists; Broken 20 Plan of today: 1. Introduction 2. The GGH15 construction: functionality and security overview 3. Applications Open problems will be mentioned throughout the talk Bonus: interesting missing topics in the previous talks 21 Recall Learning with Errors Uniform Small Unspecified [ Regev 05 ] A Y = s x A + E mod q Secret Public matrix noise/error %×' � ∈ �$ (m > n log q) Search LWE: Given �, � = �� + �, find S. Decisional LWE: Given A, distinguish Y from random. 22 Recall Learning with Errors Uniform Small Unspecified [ Regev 05 ] A Y = s x A + E mod q Secret Public matrix noise/error %×' � ∈ �$ (m > n log q) Search LWE: Given �, � = �� + �, find S. Decisional LWE: Given A, distinguish Y from random. 23 Recall Learning with Errors Uniform Small Unspecified [ Regev 05 ] A Y = s x A + E mod q Secret Public matrix noise/error Entries of S from the error distribution As hard as normal LWE [ Applebaum, Cash, Peikert, Sahai 09 ] 24 GGH15 > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] in a nutshell g, gS1, gS2, gS3, ... → g∏S > (Ring)LWE analogy: A, S1A+E1,..., SkA+Ek → ∏SA+E mod q 25 GGH15 > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] in a nutshell g, gS1, gS2, gS3, ... → g∏S > (Ring)LWE analogy: A, S1A+E1,..., SkA+Ek → ∏SA+E mod q How to put them together? 26 GGH15 > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] in a nutshell g, gS1, gS2, gS3, ... → g∏S > (Ring)LWE analogy: A, S1A+E1,..., SkA+Ek → ∏SA+E mod q Idea: using lattice trapdoor sampling to chain them together 27 GGH15 > Multilinear maps: motivated in [ Boneh, Silverberg 2003 ] in a nutshell g, gS1, gS2, gS3, ... → g∏S > (Ring)LWE analogy: A, S1A+E1,..., SkA+Ek → ∏SA+E mod q Idea: using lattice trapdoor sampling to chain them together GGH15: “the blockchain in multilinear maps” (also appear as “cascaded LWE” in [ Koppula-Waters 16], [ Alamati-Peikert 16]) 28 Recall lattice trapdoor A The trapdoor for [ Ajtai 99 ], [ Alwen, Peikert 09 ], [ Micciancio, Peikert 12 ] can be used to solve SIS and LWE. 29 Recall lattice trapdoor A The trapdoor for [ Ajtai 99 ], [ Alwen, Peikert 09 ], [ Micciancio, Peikert 12 ] can be used to solve SIS and LWE. Given an image Y , find a short vector D s.t. A x D = Y mod q 30 Lattice trapdoor T is short and full rank in Z [Ajtai 99] A x T = 0 mod q 31 Lattice trapdoor T is short and full rank in Z [Ajtai 99] A x T = 0 mod q Example of solving LWE given T: Given A, y = sA+E mod q Compute yT mod q = (sA+E)T = ET, note that ET is small. Then E can be obtained by multiplying �/0 on the right. 32 (Bonus) Trapdoor from [Micciancio, Peikert 12] %×%: Let � = log7 �. � ∈ � 1, b, … bk-1 k-1 Gadget = … … = �% ⊗ 1, b, … b G 1, b, … bk-1 “Power-of-b” matrix The kernel-lattice of G has an easily computable short basis. Solving SIS for the public matrix G is easy. (Bonus) Trapdoor from [Micciancio, Peikert 12] R A __ = G mod q I Trapdoor for A where A = [ A’ | G – A’R ] %×%: %×%(<=:) Let � = log7 �. We have � ∈ � , � ∈ � For random images, there is a way to sample Preimage sampling the preimage without revealing the trapdoor. [GPV 08] 35 For random images, there is a way to sample Preimage sampling the preimage without revealing the trapdoor. [GPV 08] Real: A U D s.t. A x D = U mod q 36 For random images, there is a way to sample Preimage sampling the preimage without revealing the trapdoor. [GPV 08] Real: A U D s.t. A x D = U mod q ≈ statistical Simulated: A D U s.t. A x D = U mod q 37 > (Ring)LWE analogy: GGH15 in a nutshell A, S1A+E1,..., SkA+Ek → ∏SA+E mod q > GGH15: (also appear as “cascaded LWE” in [ Koppula-Waters 16], [ Alamati-Peikert 16]) A0 D1 = S1A1+E1, A1 D2 = S2A2+E2 mod q 38 > (Ring)LWE analogy: GGH15 in a nutshell A, S1A+E1,..., SkA+Ek → ∏SA+E mod q > GGH15: (also appear as “cascaded LWE” in [ Koppula-Waters 16], [ Alamati-Peikert 16]) A0 D1 = S1A1+E1, A1 D2 = S2A2+E2 mod q Di is sampled using the trapdoor of Ai-1 39 > (Ring)LWE analogy: GGH15 in a nutshell A, S1A+E1,..., SkA+Ek → ∏SA+E mod q > GGH15: (also appear as “cascaded LWE” in [ Koppula-Waters 16], [ Alamati-Peikert 16]) A0 D1 = S1A1+E1, A1 D2 = S2A2+E2 mod q Di is sampled using the trapdoor of Ai-1 = mod q A0 D1 S1A1+E1 A1 D2 = S 2 A 2 +E 2 mod q 40 Zoom in the most S is the eigenvalue of D important relation of this talk D x Ai-1 i = Si Ai + E mod q Di is sampled using the trapdoor of Ai-1 41 > (Ring)LWE analogy: GGH15 in a nutshell A, S1A+E1,..., SkA+Ek → ∏SA+E mod q > GGH15: (also appear as “cascaded LWE” in [ Koppula-Waters 16], [ Alamati-Peikert 16]) A0 D1 = S1A1+E1, A1 D2 = S2A2+E2 mod q Di is sampled using the trapdoor of Ai-1 Publish A0 , D1 , D2 as the encodings of S1 , S2 42 > (Ring)LWE analogy: GGH15 in a nutshell A, S1A+E1,..., SkA+Ek → ∏SA+E mod q > GGH15: (also appear as “cascaded LWE” in [ Koppula-Waters