Multilinear Maps Using Ideal Lattices without Encodings of Zero Gu Chunsheng School of Computer Engineering, Jiangsu University of Technology, Changzhou 213001, China E-mail: chunsheng_gu@163.com May 26, 2015 Abstract. Garg, Gentry and Halevi (GGH) described the first candidate multilinear maps using ideal lattices. However, Hu and Jia recently presented an efficient attack for two applications based on the GGH map, multipartite Diffie-Hellman key exchange and an instance of witness encryption using 3-exact cover problem. In this paper, we describe a modification construction of multilinear maps from ideal lattices without encodings of zero by introducing random matrices to avoid the zeroing attack problem. The security of our construction depends upon new hardness assumption, which is seemingly closely related to hardness problems of lattices. Furthermore, we present multipartite Diffie-Hellman key exchange protocol using our construction, and an instance of witness encryption using 3-exact cover problem based on a variant of our construction. Keywords. Multilinear maps, Ideal lattices, Multipartite Diffie-Hellman key exchange, Witness Encryption, Zeroizing attack 1 Introduction Boneh and Silverberg [BS03] first introduced the notion of multilinear maps, which is an extension of bilinear maps. There exist many applications on bilinear maps, such as [SOK00, Jou00, BF03, Sma03] and multilinear maps [BS03, RS09, PTT10, Rot13]. However, different from bilinear maps, which come from pairing of elliptic curves, constructing multilinear maps is a long-standing open problem. Recently, Garg, Gentry, and Halevi (GGH) described the first plausible construction of multilinear maps that use ideal lattices [GGH13]. Their multilinear maps, whose encodings were randomized with noise and bounded with a fixed maximum degree, were different from the ideal multilinear maps defined by Boneh and Silverberg. To improve the efficiency of GGH, Langlois, Stehlé and Steinfeld[LSS14] constructed GGHLite, in which the re-randomization process of GGH was reanalyzed by applying the Rényi divergence. However, Hu and Jia [HJ15a] recently presented an efficient attack on GGH map, which breaks two applications, multipartite key exchange (MPKE) and witness encryption (WE) based on 3-exact cover problem. Following the GGH’s framework, Coron, Lepoint, and Tibouchi [CLT13] (CLT) described a relatively practical construction that works over integers instead of ideal lattices, and is implemented using heuristic optimization techniques. However, Cheon, Han, Lee, Ryu, and Stehle had broken the CLT construction using level-1 encodings of zero. To avoid this zeroizing attack for CLT, Garg, Gentry, Halevi and Zhandry [GGH+14], and Boneh, Wu and Zimmerman [BWZ14] proposed two candidate fixes of multilinear maps over the integers. However, Coron, Lepoint, and Tibouchi showed that two candidate fixes of CLT can be defeated in polynomial time using extensions of the Cheon et al.’s attack. Currently, Coron, Lepoint and Tibouchi [CLT15] proposed a new construction of multilinear map over the integers by modifying zero-testing parameter. Recently, Gentry, Gorbunov and Halevi [GGH14] described a construction of graph-induced multilinear maps from lattices using approximate eigenvector [GSW13b], which encodes LWE samples in short square matices of higher dimensions. However, the security of the construction [GGH14] is also not reduced to LWE. Moreover, the efficiency of the constructions based on LWE is lower than previous schemes. Since the GGH construction is more efficient than other schemes, we will focus on the improvement of GGH in this paper. We first recall the GGH construction of multilinear maps. GGH works in the polynomial rings R [ x]/ x n 1 and Rq R / qR . GGH chooses a secret short g R , and a secret random element z Rq . I g R is the principal ideal generated by g . Plaintexts are cosets 1 of R / I . To encode a coset eI e I , set c / z q with short c eI as the encoding of eI . Because g, z are hidden in GGH, the public parameters of GGH gave the encoding y of the coset 1 I . So, the encoding of eI is computed as encoding scheme, that is, e is a level- 0 encoding, e y q . The GGH construction is a graded e y q a level-1 encoding, and e y i q a level- i encoding. It is easy to verify that encodings can both be added and multiplied if the numerator norm remains smaller than q . For a level- encoding u , the GGH can determine whether u is the encoding of zero using the zero-testing parameter p zt . This defines a degree- multilinear map for level- 1 encodings. Our results. Our main contribution is to describe a construction of multilinear maps using ideal lattices without encoding of zero. Our construction improves GGH in two aspects. First, we modify the zero-testing parameter of GGH. The public parameters of our construction only give some pairs of the encoding of non-zero element and the zero-testing parameter corresponding to this non-zero element. Second, we multiply short matrices on both sides of the public parameters. Unlike the GGH construction, our construction does not give level-1 encodings of “ 1 ” and “ 0 ”, and cannot generate level- 1 of given level- 0 encoding. Our construction only generates a level- 1 encoding for a hidden level- 0 encoding, and the encoding in a sense is a deterministic encoding without re-randomization process. Our second contribution is to describe an asymmetric variant of our symmetric version. In our symmetric construction, one can still compute hidden level- encoding of zero element even if our public parameters do not give level- 1 encodings of zero elements. This is because one can obtain level- encoding of zero by cross-multiplying pairs of the encodings and the zero-testing parameters in the public parameters. To avoid this case, our asymmetric variant will not support multiplying the encoding by the zero-testing parameter with the same index set. Thus, one cannot generate a nontrivial level- j encoding of zero in our asymmetric version, where j 1 . Namely, unlike GGH, there exist no easily computable quantities in our asymmetric construction. Our third contribution is to describe the commutative variant and simplified variant of our constructions. To guarantee the security of our construction, we must make sure that the dimension of matrix in our construction is large enough. As a result, our construction is less practical than previous schemes. So, one must use matrices of small dimension, and large degree polynomial ring to improve the efficiency of our constructions. Furthermore, in the simplified variant, we really thwart the zeroing attack problem in the GGH construction if every party in MPKE does not cooperate. Our forth contribution is to present a construction of multilinear map using random matrix. In the construction, one can generate feasible level encoding with known level- 0 encoding. This solves a drawback of the first construction, which can only generate a level- 1 encoding of a hidden level- 0 encoding. Moreover, this variant seemly supports the subgroup membership problem and the decisional linear problem. Our final contribution is to describe two applications, one-round multipartite Diffie-Hellman key exchange protocol and witness encryption based 3-exact cover problem. Organization. We recall some background on multilinear maps in Section 2. In Section 3, we describe our symmetric construction, and in Section 4 we provide asymmetric construction. In Section 5, we construct the commutative variant of our constructions. In Section 6, we describe a simplified asymmetric variant. In Section 7, we describe a construction of multilinear maps using random matrix. In Section 8, we optimize and implement one round multipartite Diffie-Hellman key exchange protocol. In Section 9, we describe an instance of witness encryption using a variant of our multilinear map. Finally, we draw conclusion and open problem for this paper. 2 2 Preliminaries 2.1 Notations We denote , , the ring of integers, the field of rational numbers, and the field of real numbers. We take n as a positive integer and a power of 2. Notation n denotes the set {1, 2, , n} , and a q the absolute minimum residual system a q a mod q (q / 2, q / 2] . Vectors and matrices are denoted in bold, such as a, b, c and A, B, C . Let I be the identity matrix. The j -th entry of a is denoted as a j , the element of the i -th row and j -th colomn of A is denoted as Ai , j (or A[i, j ] ). Notation a ( a for short) denotes the infinity norm of a . The polynomial ring [ X ]/ x 1 is denoted by R , and q [ X ]/ x n 1 by Rq . n The elements in R and Rq are denoted in bold as well. Similarly, notation a q denotes each entry (or each coefficient) ai ( p / 2, p / 2] of a . 2.2 Lattices and Ideal Lattices An n -dimension full-rank lattice L n n is the set of all integer linear combinations x b i of n linearly independent vectors bi n . If we arrange the vectors b i as the i 1 i columns of matrix B n n , then L Bz : z Z n . We say that B spans L if B is a basis for L . Given a basis B of L , we define P (B) {Bz | z , i : 1/ 2 zi 1/ 2} n as the parallelization corresponding to B . Let det(B) denote the determinant of B . Given g R , let I g be the principal ideal in R generated by g , whose -basis is Rot (g ) (g, x g,..., x n 1 g) . Given c , 0 , the Gaussian distribution of a lattice L is defined as x L , n DL , ,c ,c (x) / ,c ( L) , where ,c (x) exp( x c / 2 ) , ,c ( L) xL ,c (x) . 2 In the following, we will write Dn , ,0 as Dn , . We denote a Gaussian sample as x DL , (or d DI , ) over the lattice L (or ideal lattice I ). 2.3 Multilinear Maps Definition 2.1 (Multilinear Map [BS03]). For order q , a 1 cyclic groups G1 ,..., G , GT of the same -multilinear map e : G1 G GT has the following properties: (1) Elements g j Gj j 1,..., , index j , and integer a q hold that e( g1 ,, a g j ,, g ) a e( g1 , , g ) (2) Map e is non-degenerate in the following sense: if elements g j Gj j 1,..., are generators of their respective groups, then e( g1 , , g ) is a generator of GT . Definition 2.2 ( -Graded Encoding System [GGH13]). A 3 -graded encoding system over R ( ) is a set system of S S j R : R, j with the following properties: (1) For every index j , the sets S ( ) j : R are disjoint. (2) Binary operations ‘ ’ and ‘ ’ exist, such that every every u1 S (1 ) j and u2 S ( 2 ) j hold that u1 u2 S 1 , 2 , every index j , and (1 2 ) j (1 2 ) and u1 u2 S j , where 1 2 and 1 2 are the addition and subtraction operations in R respectively. (3) Binary operation ‘ ’ exists, such that every 1 , 2 , every index j1 , j2 with j1 j2 , and every u1 S (j11 ) and u2 S (j2 2 ) hold that u1 u2 S (j11j2 2 ) , where 1 2 is the multiplication operation in R and j1 j2 is the integer addition. 3 Construction of symmetric multilinear maps In this section, we first describe the symmetric construction of multilinear maps. Then we give new hardness assumption and some known cryptanalysis for our construction. Setting the parameters. Because our construction uses the GGH construction as the basic component, our parameter setting is set as that of GGH to conveniently describe and compare. Let be the security parameter, the multilinearity level, n the dimension of elements of R . Concrete parameters are set as ( 2 ) , n , n1.5 , 2 , q 28 nO ( ) , n O O(n 2 ) . 3.1 Construction The starting point of our construction is to remove level- 1 encodings of zero in the public parameters. We modify the zero-testing parameter of GGH so that the public parameters in our construction only include some pairs of the level- 1 encoding of non-zero element and the zero-testing parameter corresponding to this non-zero element. Moreover, we multiply both sides of these encodings and zero-testing parameters by random short matrices. Our construction is as follows: Instance generation: (par0 ) InstGen 0 (1 ,1 ) . 8 (1) Choose a prime q 2 n O ( ) ; (2) Choose an element g Dn , in R so that g 1 n2 ; (3) Choose elements ai , ei Dn , ' , bi Dn , q , i in R ; (4) Choose a random element z Rq so that z Rq ; -1 1 1 nn (5) Choose two matrices T Dnn , and S Dnn , so that T , S q ; (6) Set Yi TRot ( z (bi g ei ) ai g ei 1 )S , i ; )T and Pzt ,i TRot ( g z q q (7) Output the public parameters par0 q, Yi , Pzt,i , i . According to [GGH13], g R, z Rq , ai , b i , ei R can be efficiently sampled. It is easy to see that T, S 1 n n can be sampled. This is because that if det(T), det(S) are not divisible by 1 q , then T , S nqn . Without loss of generality, assume that det(T), det(S) are uniform over q . Thus, the probability that T, S are invertible is about 1 O (1/q ) . 4 Generating level- 1 encoding: U enc0 (par0 ,1, d) . Given a random vector d D , * , then U hidden level-0 encoding e= i 1 i 1 (di Yi ) is the level-1 encoding of q ( d i ei ) . Because both sides of Yi are multiplied by matrices T, T the scalar di can be commutative with T to obtain di Rot ( 1 respectively, Yi multiplied by ai g ei ) . Thus, we have z di (ai g ei ) 1 ag e 1 U i 1 (di Yi ) TRot ( i 1 )T TRot ( )T q z z q q , where a= i 1 (di ai ) and e= i 1 (d i ei ) . That is, U is the level- 1 encoding of hidden plaintext element e . In our construction, one cannot directly generate the level- 1 encoding of a given level- 0 encoding since one does not know the level- 0 encoding ei encoded by Yi . Although one can obtain a level- j encoding U j ( Yi ) , one cannot know the level- 0 element (ei ) j j encoded by U j . This point is different from the GGH construction. In the following Remark 3.1 (4), we will discuss how to generate a level- j encoding. Adding encodings: U add 0 (par0 , j , U1 , , U m ) . Given m level- j encodings U l , their sum U = U l is a level- j encoding. q r g e 1 Because the level- j encoding U l is the form of U l TRot ( l j l )T , their sum z q m l 1 m (rl g el ) 1 rg e U = l 1 U l TRot ( l 1 j )T TRot ( j )T1 q z z q q m encoding, where r= m is a level- j r and e= l 1 el . m l 1 l Multiplying encodings: U mul0 (par0 ,1, U1 , , U ) . Given level- 1 encodings U j , their product U = j 1 U j is a level- encoding. q rj g e j z Because the level- 1 encoding U j is the form of U j TRot ( of level-1 encodings is: U = j 1 U j q r j g e j 1 )T j 1 TRot ( z q (r j g e j ) 1 , j 1 TRot ( )T z q rg e TRot ( )T1 z q 5 )T1 , the product q where e= e , r ( j 1 (r j g e j ) e) / g . j 1 j We use T T I in third equation, and denote the level- encoding U as the standard form in the final equation. 1 Zero testing: isZero 0 (par0 , U ) . To determine whether rg e U TRot ( )T1 is a level- z q encoding of zero, V = U Pzt q is computed in nqn and checked whether V is short: 1 if U P q 3/4 zt q isZero0 (par0 , U) 0 otherwise , Pzt i 1 ri Pzt,i and b= i 1 (ri bi ) and where r D , . Since z (bg c) Pzt i 1 ri Pzt,i TRot ( )S g q , where c= i 1 (ri ei ) . If U is a level- encoding of zero, namely e 0 mod I , then we have rg z (bg c) )S TRot (r (bg c))S q . V = U Pzt q TRot ( )T1 TRot ( z g q For our choice of parameter, rg e rg q1/8 and T V is not reduced modulo q , that is V q V . Thus, we have S n . Moreover, V TRot (r (bg c))S q TRot (r (bg c))S n 2 T Rot (r (bg c)) S n3 n Rot (r ) Rot (bg c) n . n 4 2 rg g 1 Rot (bg c) n 4 2 q1/8 poly (n) q1/ 2 poly (n) q 3/4 If U is a level- encoding of non-zero element, namely e 0 mod I . Then, we have rg e z (bg c) rg e V = U Pzt q TRot ( )T 1 TRot ( )S TRot ( (bg c))S . z g g q q By Lemma 4 in [GGH13], we have rg e Rot ( g ) q . Thus, V q . q Extraction: sk ext 0 (par0 , U ) . Given a level- encoding U , U is multiplied by Pzt i 1 wi Pzt,i , where w D , and (log q ) / 4 most-significant bits of each of the n n entries of ext 0 (par0 , U ) Extract(msb( U Pzt q )) . 6 U Pzt q is collected: Because z (bg c) Pzt i 1 wi Pzt,i TRot ( )S , g q where b= i 1 wi bi and rg e c= i 1 wi ei . Assume U = TRot ( )T1 such that rg e q1/8 , then we have z q V U Pzt q rg e 1 z (bg c) TRot ( )T TRot ( )S z g q (rg e)(bg c) TRot ( )S g q . e TRot (r (bg c))S q TRot ( (bg c))S g q For our parameter setting, TRot (r (bg c))S q q 3/ 4 . By Lemma 4 in [GGH13], we have e Rot ( (bg c)) q for e 0 mod I . Therefore, the extraction algorithm can correctly work. g Remark 3.1 (1) For our construction, different from the GGH construction, one cannot directly generate level-1 encoding of a given level- 0 encoding, and can only generate level-1 encoding of hidden level- 0 encoding e= i 1 (di ei ) . Moreover, in a sense the level-1 encoding of our construction is deterministic, and it is no longer random and without re-randomization process. However, we do not also find the necessity generating given level- 0 encoding or knowing concrete level- 0 encoding in our construction. (2) Choose O ( n ) is to erase the structure of input encoding applying re-randomization process in [GGH13]. Although our construction is deterministic, the process generating level-1 encoding of hidden level-0 encoding is same as the re-randomization process of the GGH construction. The cost using large is that the public parameter size of our construction is bigger a 2 n factor than that of GGH. We notice that > n 2 is the lowest requirement, otherwise attacker can directly solve d applying linear equation system. (3) When constructing multipartite key exchange using our symmetric construction, every participant can compute the zero testing parameter corresponding to the hidden e= i 1 encoded by U i 1 ( d i ei ) (di Yi ) , that is, the zero testing parameter corresponding to level- 0 q encoding e is Pzt = i 1 di Pzt,i q z ( i 1 di bi g i 1 di ei ) )S . = TRot ( g q z (bg e) )S = TRot ( g q (4) The public parameters in the above construction only contain level-1 encoding Yi of 7 non-zero element ei and its corresponding zero testing parameter Pzt,i , so level-1 encoding of usable hidden level- 0 plaintext can be generated using the public parameter. If level- j encoding of usable hidden level- 0 is required, then the public parameters must contain level- j encoding a ge Y j ,i TRot ( j ,i j j,i )T1 of non-zero element e j ,i and its corresponding zero testing z q parameter Pzt , j ,i z (b j ,i g e j,i ) )S . TRot ( g q In this case, given d D , * , U j i 1 d i Y j ,i is level- j encoding of hidden level- 0 plaintext w j i 1 di e j ,i . Notice that q for a given d , hidden plaintexts w j i 1 di e j ,i are not same for different j ’s. (5) Pzt,i , i or their combination Pzt can be used as zero testing parameter. In addition, the zero testing parameter generated by random combination of Pzt,i can thwart invalid encoding attack for only one zero testing parameter. (6) The matrices T , S in our construction are to thwart adversary not only generating less than level- k encoding of zero from the public parameter, but also getting the basis of the secret principal ideal lattices in our construction. This is because Pzt,i cannot directly be multiplied. For arbitrary i, j , we have P Pzt,i Pzt,j z (b j g e j ) z (bi g ei ) )S TRot ( )S . TRot ( g g q q z (b j g e j ) z (bi g ei ) TRot ( )S TRot ( )S g g q Since matrix multiplication does not support commutative rule, the second numerator z in P cannot be canceled by multiplying a level- 2 encoding. Therefore, we may sample b i Dn , ' nO ( ) to decrease by half the size of the public parameter. Moreover, using z guarantees that Pzt,i can only be used as the zero-testing for a level- encoding. and set q 2 4 n n (7) One can choose T, S q 1 1 n n so that T , S q , t , s Dn , ' . One sets a g ei 1 z (bi g ei ) t* tT T1 , s* = S 1s , Yi TRot ( i )T and Pzt ,i TRot ( )S . Now, g z q q the zero-testing and extraction algorithm are modified as follows: * * 3/4 1 if t U Pzt s q q ; isZero 0 (par0 , U ) 0 otherwise ext 0 (par0 , U ) Extract(msb( t * U Pzt s* )) . q To improve efficiency, one can also use p zt ,i Pzt ,i s instead of Pzt ,i in the public q parameters. 3.2 Security * Similar as the previous constructions [GGH13, CLT13, LSS14], the security of our construction cannot be reduced to classic hardness assumptions. In [GGH13], the security of GGH is defined as 8 the hardness assumptions of graded computational Diffie-Hellman (GCDH) and graded decisional Diffie-Hellman (GDDH). That is, given the public parameters and 1 level- 1 encodings of random elements, it is unfeasible to generate a level- encoding of their product or distinguish it from random elements. Langlois, Stehlé and Steinfeld[9] introduced the hardness assumptions ext-GCDH/ext-GDD, which is variant of GCDH/GDDH defined in [GGH13]. The security of our construction relies on new hardness assumption ext-GCDH/ext-GDDH. In the following, we adaptively define the ext-GCDH/ext-GDDH in [LSS14] to our construction. Consider the following security experiment: (1) par0 InstGen 0 (1 ,1 ) (2) For j 0 to : Sample r j , w j D , * ; Generate level-1 encoding of hidden d j j 1 (3) Compute U * i 1 w j ,i ei : U j i 1 w j ,i Yi . q Uj . q (4) Compute VC VD U Pzt , where Pzt q * (5) Compute VR U Pzt _ rand , where Pzt _ rand q * i 1 w0,i Pzt ,i . q r Pzt ,i . q i 1 0,i Definition 3.2 (ext-GCDH/ext-GDDH). According to the above experiment, the ext-GCDH and ext-GDDH are defined as follows: Level- extraction CDH (ext-GCDH): Given par0 , U 0 , , U , output a level- extraction n n encoding W q such that VC W q q 3/ 4 . par0 , U 0 ,, U , V , distinguish Dext RAND par0 , U 0 , , U , VR . Level- extraction DDH (ext-GDDH): Given Dext GDDH par0 , U 0 , , U , VD and between In our construction, the ext-GCDH is harder than the ext-GDDH. This is because given V Dext GDDH , Dext RAND , one can compute W using the oracle of solving ext-GCDH, and further determine V . It is easy to verify that breaking our construction is harder than breaking the GGH construction. If there exists an algorithm A which breaks our construction, then there exists an algorithm B using A , which breaks the GGH construction. This is because one can sample the matrices T, S , generate the public parameters of our construction using the instance generation, and call A to solve the corresponding problem. In the following, we will show that the matrices of both sides of the public parameters cannot be removed only using arithmetic operations. Lemma 3.3 Given the public parameters par0 q, Yi , Pzt,i , i of our symmetric construction, using arithmetic operations cannot remove the matrices, which are multiplied on both sides of Yi , Pzt,i . Proof. (1) By the instance generation algorithm InstGen 0 (1 ,1 ) , both sides of Yi , Pzt,i are multiplied by matrices T , T 1 and X1 T1X S , X 2 T2 X S 2 with X , X ' 1 1 ' 2 and T , S , respectively. (2) Assume X1 , X 2 Yi , Pzt,i , i ' 1 ' 2 generated by some principal ideal lattices. It is obvious that both sides of the results X1 X 2 , X1 X 2 have the matrices if addition or 9 subtraction operations can be supported. For multiplication, the left and right sides of X1 X 2 will 1 1 have T1 and S 2 respectively. Similarly, both sides of X 2 X1 , X1 ( X 2 ) , ( X1 ) X 2 also have random matrices. (3) Using recursive method, we show that arbitrary arithmetic operations over Yi , Pzt,i cannot remove the matrices of both sides of generating result. □ 3.3 Cryptanalysis In this subsection, we describe easily computable quantities in our construction, and then analyze possible attacks for our construction using these quantities. Easily computable quantities. Because Yi , Pzt,i encode the same level-0 encoding ei , for arbitrary i, j , t with i j , one can compute Vi , j ,t as follows: Vi , j ,t Yt 1 (Yi Pzt,j Y j Pzt,i ) q a g e j z (bi g ei ) . a g et 1 a g ei z (b j g e j ) )) ( Rot ( i ) Rot ( j ))S T( Rot ( t z z g z g q T( Rot (at g et )) 1 Rot (ai b j g ai e j b j ei a j bi g a j ei bi e j )S q According to our parameter setting, it is easy to see that Vi , j ,t is not reduced modulo q , nn using different combinations namely Vi , j ,t Vi , j ,t . Thus, one can obtain many Vi , j ,t q i, j , t . These Vi , j ,t ’s have the form Vi , j ,t T( Rot (ri , j ,t g ei , j ,t ))S . Compute the norm of ideal. By computing the determinant det(Vi , j ,t ) of Vi , j ,t , one can obtain the norm of the ideal at g et using GCD algorithm. When knowing the norm p , one factors x 1 n at g et n i 1 ( x i ) mod p , and solves the generator of the principal ideal lattice generated by two element ( p, i ) . If at g et can be solved, then our construction is broken. This is because given a1g e1 and a 2 g e 2 , one solves the matrix T by Vi , j ,1 (Vi , j ,2 ) 1 T((a1g e1 )(a 2 g e 2 ) 1 )T 1 . Using the same method, one also obtains S . However, there currently exists no efficient algorithm which solves short generator of principal ideal lattice for large enough n . Eigenvalue attack [CHL+14]. Because Vi , j ,t T( Rot (ri , j ,t g ei , j ,t ))S TEi , j ,t S , one can generate Vi , j ,t (Vi ', j ',t ' ) 1 TEi , j ,t (Ei ', j ',t ' ) 1 T 1 However, the matrices Ei , j ,t (Ei ', j ',t ' ) 1 and (Vi ', j ',t ' ) 1 Vi , j ,t S 1 (Ei ', j ',t ' ) 1 Ei , j ,t S . 1 and (Ei ', j ',t ' ) Ei , j ,t are not diagonal. Therefore, the attack in [CHL+14] cannot work for this case. Lattice reduction attack. Given Vi , j ,t , one can obtain the bases of the lattices generated by T and S . However, at present there exists no efficient algorithm, which computes T and S for large dimension n . Without loss of generality, assume that T' T C1 and S' C2 S are the bases of the lattices generated by T and S , where C1 , C2 are unimodular matrices, one can 1 compute ( Vi , j ,t )' (T' ) Vi , j ,t (S' ) 1 remove the matrices (C1 ) , (C2 ) 1 1 (C1 ) 1 ( Rot (ri , j ,t g ei , j ,t ))(C2 ) 1 . However, one cannot of both sides of ( Vi , j ,t )' . Thus, one cannot get the principal ideal ri , j ,t g ei , j ,t in Vi , j ,t . 10 i 1 Lattice reduction attack for level-1 encoding. Because U (di Yi ) , then the q i 1 entry U j ,t di Yi , j ,t , j , t n . Thus, U j ,t , Yi , j ,t , q consist of a generalizing subset q sum problem. However, for large there exist no efficient algorithm, which solves this generalizing subset sum problem. Moreover, it is easy to verify that one cannot also use linear 2 equation system to solve d i , i since n . 4 Construction of asymmetric multilinear maps Although our symmetric construction does not give level- 1 encoding of zero, one can also generate level- encodings of zero by using the public parameters. In this section, we describe a construction of asymmetric multilinear maps to avoid any non-zero level encoding of zero. 4.1 Construction In our symmetric construction, the level- encodings of zero is generated by cross-multiplying the level- 1 encoding and the zero-testing parameter in the public parameters. If in a scheme, its level- 1 encoding cannot multiply by the zero-testing parameter belonging to same group, then the level- encodings of zero cannot be generated. Therefore, the starting point of our work is to construct an asymmetric version, which assigns “index set” to the encodings and the zero-testing parameters in the public parameter. As a result, an encoding and a zero-testing parameter cannot be multiplied if their “index sets” are identical. Our asymmetric construction is as follows: Instance generation: (par1 ) InstGen1 (1 ,1 ) 8 (1) Choose a prime q 2 n O ( ) ; (2) Choose g Dn , such that g 1 n2 ; (3) Choose a j ,i , e j ,i Dn , ' , b j ,i Dn , q , j , i ; (4) Choose random elements z j Rq , j such that z j Rq ; 1 (5) Choose matrices S j Dnn , , j {0,1,..., } such that S j q , j ; 1 (6) Set z j ( * t 1 n n z t ) / z j , j , and Tj S j , j {0,1,..., 1} , T (S ) 1 . For j , i , set Y j,i z*j (b j,i g e j,i ) 1 a j ,i g e j,i 1 )Tj , P j,i Tj 1 Rot ( Tj 1 Rot ( ) Tj . g zj q q (7) Output the public parameter par1 q, Y j,i , P j,i , j , i . j : U j enc1 (par1 , j , d) . index- j encoding of hidden e j = i 1 ( di e j,i ) Generating encodings with index Given d D , * , an is computed as a g e j 1 )Tj , where a j i 1 (di a j ,i ) . U j i 1 (di Y j,i ) Tj 1 Rot ( j q zj q Adding encodings with index S j t \ j : U S add1 (par1 , U S ,1 , , U S , m ) . l 1 Given m encodings U S ,l , l m with index S , their sum U S = encoding with index S . Multiplying encodings: U S mul1 (par1 , S , U j 1 , , U j t ) . 1 11 1 m U S ,l is an q t Given U j encodings j S j1 t \ j1 for , their product U S = U j1 1 U j1 t is an encoding with index S j1 t \ j1 . q Zero testing: isZero1 (par1 , U S ) . For simplicity, we assume S 1 . To determine whether U S with index S is an encoding of zero, V = U S P n n q is computed in q and checked whether V is short: 1 if U P q 3/4 S q isZero1 (par1 , U S ) , 0 otherwise where P r P ,i and r D , . i 1 i a jg e j zj For j S 1 , assume U j Tj 1 Rot ( )Tj 1 , then we have q 1 ag e U S = j 1 U j = T1 Rot ( * )(T 1 ) 1 , q z q where e = 1 j 1 e j , a ( j 1 (a j g e j ) e) / g . 1 z* (bg c) P i 1 ri P ,i T 1 Rot ( )(T ) 1 g q Since , where c = i 1 ri e ,i , b i 1 ri b ,i , then we have V = U S P q z* (bg c) ag e T0 Rot ( * )(T 1 ) 1 T 1 Rot ( )T z g q . ag e (bg c))(T ) 1 T0 Rot ( g q ag e S 0 Rot ( (bg c))S g q If U S is an encoding of zero, namely e 0 mod I , then V is not reduced modulo q and ag e ) q by Lemma 4 in [GGH13]. V is small. Otherwise, e 0 mod I , and Rot ( g q Hence, P is a zero testing parameter of U S with index S 1 . For S j ,1 j , one can determine whether U S is an encoding of zero. Without loss of generality, assume U S1 is an arbitrary encoding with index S1 \ j 1 , and P j 1 i 1 ri P j 1,i is a random zero-testing parameter for US . Then V = U S P j 1 U S1 is computed and checked V q 3/4 . q Similarly, for other index S j1 t \ j1 , S , one can determine whether U S is an 12 encoding of zero by using Pt , t j1 . Extraction: sk ext1 (par1 , U S1 , U S2 ) . Let S1 1,..., j 1 , S 2 j 1,..., . Given index- S1 encoding U S1 and index- S 2 encoding U S2 , V U S1 P j U S2 q is computed, where P j r P j,i , r D , i 1 i and (log q ) / 4 most-significant bits of each entry of the n n -matrix V is collected: ext1 (par1 , U S1 , U S2 ) Extract(msb( U S1 P j U S2 )) . q Remark 4.1 (1) Because both sides of them are multiplied by random matrices in our asymmetric construction, the encodings that have same index can be added, and the encodings that have adjacent index can be multiplied. (2) One cannot generate any level non-trivial encoding of zero using the public parameter in our construction. Although Y j,i , P j,i encode the same coset of R / I , they cannot be cross-multiplied since Y j,i P j,i - Y j,i P j,i is not an encoding of zero. (3) When 1 2 2 1 constructing one-round multipartite Diffie-Hellman key exchange using our asymmetric scheme, the j -th party generates an index- j encoding U j i 1 (d j,i Y j,i ) and the corresponding q zero-testing parameter P j i1 d j ,i Tj 1Rot ( z*j (b j ,i g e j,i ) g )(Tj ) 1 . Given U1 ,..., U , q the j -th party computes V U1 U j 1 P j U j 1 U q and extracts the common bit string by using Extract(msb(V )) . 4.2 Security Currently, we cannot also reduce the security of our asymmetric construction to classical hardness assumptions. The security of our construction relies on new hardness assumption. Consider the following security experiment: (1) par1 InstGen1 (1 ,1 ) . (2) For j 1 to : Sample r j , w j D , * ; Generate j -index encoding of hidden d j i 1 w j ,i e j ,i : U j i 1 w j ,i Y j,i . q (3) Set U 1 1 j 1 U j . q (4) Set VC VD U 1P , where P q (5) Set VR U 1P _ r , where P _ r q i 1 w ,i P ,i . q r P ,i . q i 1 ,i Definition 4.2 (ext-GCDH/ext-GDDH). According to the above experiment, the ext-GCDH and ext-GDDH are defined as follows: Extraction GCDH (ext-GCDH): Given W nqn such that VC W q Extraction (ext-GDDH): GDDH par , U ,, U , output an extraction encoding 1 1 q 3/ 4 . Given par , U ,, U , V 1 13 1 , distinguish between Dext GDDH par1 , U1 , , U , VD and Dext RAND par1 , U1 , , U , VR . 5 Commutative Variant In our symmetric/asymmetric construction, the dimension n requires to be large enough to guarantee security and n is the lowest requirement to avoid algebraic equation attack. As a result, the public parameter size of our construction is larger than that of GGH. To decrease the public parameter size, we use polynomial ring instead of the ring of integers. Moreover, we will also use polynomial drowning method of Rényi divergence which is used in the security analysis of [LLS14]. y m y m We use R [ y ]/ y 1 and Rq q [ y ]/ y 1 instead of and q for 2 our symmetric/asymmetric constructions. It is easy to verify that our constructions are still correct under this case. O (1) Let be the security parameter, m and n constant number (e.g. n 2, 4,8 ), and n 2 1 . Let R yx R y [ x]/ x n 1 and Rqyx q [ y ][ x]/ y m 1 x n 1 . In this denote the infinity norm of v ( a1 ,..., a n ) for a R . yx section, we let a For completeness, we adaptively describe the commutative variant of the symmetric construction in Section 3.1 as follows: Instance generation: (par2 ) InstGen 2 (1 ,1 ) . 8 (1) Pick a prime q 2 n O ( ) ; (2) Choose g Dnm , over R 1 yx 1 such that g n2 , where g [ y ][ x]/ y 1 x 1 ; m n (3) Choose ai , b i , ei Dnm , * , i over R ; yx (4) Choose randomly z Rq over Rq yx such that z Rq ; -1 y n n (5) Choose matrices T Dnnm , ' , S Dnnm , ' over ( R ) (6) For i , set Yi TRot ( y n n over ( Rq ) y 1 y n n so that T ( Rq ) ; z (bi g ei ) ai g ei 1 )S )T and Pzt ,i TRot y ( g z q q ; (7) Output the public parameter par2 q, Yi , Pzt,i , i . Generating level- 1 encoding: U enc 2 (par2 ,1, di ) . Given i 1 elements di Dm , * , then U hidden level-0 encoding e= i 1 (di Yi ) is a level-1 encoding of q (di ei ) . Adding encodings: U add 2 (par2 , j , U1 , , U m ) . Given m level- j encodings U l , their sum U = m l 1 U l is a level- j encoding. q Multiplying encodings: U mul 2 (par2 ,1, U1 , , U ) . Given level-1 encodings U j , their product U = j 1 U j is a level- encoding. Zero testing: isZero 2 (par2 , U ) . 14 q rg e U TRot ( )T1 is a level- z q To determine whether encoding of zero, V = U Pzt q is computed in ( Rqy ) nn and checked whether V is short: 1 if U P q 3/4 zt q , isZero 2 (par2 , U) 0 otherwise where Pzt r Pzt,i , ri Dm , . i 1 i Extraction: sk ext 2 (par2 , di , U ) . Given a level- encoding U , U is multiplied by Pzt i 1 (di Pzt,i ) and (log q) / 4 most-significant bits of each coefficient of each entry in U Pzt q is collected: ext 2 (par2 , di , U) Extract(msb( U Pzt q )) . Similarly, we can construct the commutative variant of our asymmetric multilinear maps in Section 4.1. 6 Simplified variant of asymmetric construction In this section, we give a simplified variant of our asymmetric multilinear maps using polynomial ring, instead of the ring of integers, to reduce the public parameter size. In fact, our simplified variant sets S i I for our asymmetric construction in Section 4.1. Our simplified asymmetric construction is an asymmetric variant in [GGH13]. In a sense, our asymmetric simplified variant is an extension of the multilinear Jigsaw puzzles [GGH+13a]. The main difference is that our construction modifies the zero-testing parameter, which also encodes the hidden plaintext encoded by the level- 1 encoding. Hence, in our construction, one can generate level- 1 encoding of hidden plaintext, which can be used according to the corresponding zero-testing parameter. Moreover, the aim setting b j ,i Dn , q is to guarantee that one cannot generate any level nontrivial encoding of zero for our asymmetric simplified variant. When implementing, we use polynomial drowning method of Rényi divergence which is used in the security analysis of [LLS14] and set =2 , to reduce the public parameter size. For completeness, we give our simplified variant as follows: Instance generation: (par3 ) InstGen 3 (1 ,1 ) 8 (1) Choose a prime q 2 n O ( ) ; (2) Choose g Dn , such that g 1 n2 ; (3) Choose a j ,i , e j ,i Dn , ' , b j ,i Dn , q , j , i ; (4) Choose random element z j Rq , j such that z j Rq ; 1 (5) Set z j ( * t 1 z t ) / z j , j . For j , i , a j ,i g e j,i z*j (b j,i g e j,i ) , p ; j,i g zj q q set y j,i (6) Output the public parameter par3 q, y j,i , p j,i , j , i . Generating encodings: u i enc3 (par3 , j , d) . 15 Given d i Dn , * , i , an index- j encoding of hidden e j = i 1 (di e j,i ) is a g e j (di y j,i ) j , where a j i 1 (d i a j ,i ) . q z j q Adding encodings: u S add 3 (par3 , u S ,1 , , u S ,m ) . computed as u j i 1 l 1 Given m encodings u S ,l , l m with index S , their sum u S = m u S ,l is q an index- S encoding. Multiplying encodings: u S1 S2 mul3 (par3 , u S1 , u S2 ) . encodings u S1 , u S2 Given with index S1 , S 2 , S1 S 2 , their product u S1 S2 = u S1 u S2 is an encoding with index S S1 S2 . q Zero testing: isZero3 (par3 , u S ) . Assume S 1 . To determine whether u S with index S is an encoding of zero, v = u S p is computed in Rq and checked whether q v is short: 1 if u p q 3/4 S q , isZero3 (par3 , u S ) 0 otherwise where p r p ,i with ri Dn , . i 1 i Extraction: sk ext 3 (par3 , u S ) . Given an encoding u S with index S [1, 1] , u S is multiplied by a zero-testing parameter p with p r p ,i , ri Dn , , and (log q) / 4 most-significant i 1 i bits of each coefficient of u S p q is collected: ext 3 (par3 , u S ) Extract(msb( u S p )) . q The correctness of the simplified variant follows from the correctness of the asymmetric construction in the Section 4. In the following we show that the simplified variant is optimal. Lemma 6.1 Suppose that every party does not cooperate in the MPKE protocol based on the simplified asymmetric variant, then one cannot generate a quantity that is not reduced modulo q from the public parameters. Proof. Since every party does not cooperate, then the j -th party has merely a list of y j,i , p j,i for index j . Because y j,i , p j,i encode the same coset e'j ,i e j,i I of R / I , thus u y j,i1 p j,i2 y j,i2 p j,i1 q z*j (a j ,i1 b j,i2 g a j ,i1 e j,i2 b j,i2 e j,i1 a j ,i2 b j,i1 g a j ,i2 e j,i1 b j,i1 e j,i2 ) . zj q z* b j j z j q 16 z*j bt ,t j . g q To cancel the denominator z j of u , one must multiply u by some pt However, by b j ,i Dn , we know q b j q and bt q . Thus, v u u' pt q must be reduced modulo q , where u' is an arbitrary rational function of y j,i , p j,i . On the other hand, since y j ,i , y j ,i with different index encode the different hidden coset 1 2 e'j1 ,i e j1 ,i I , e'j2 ,i e j2 ,i I , one cannot obtain an encoding of zero using arithmetic operations for them. Similarly, one cannot obtain a zero-testing encoded zero from p j ,i , p j ,i .□ 1 2 Lemma 6.2 Given the public parameters of any multilinear map with noise, one can always generate a quantity that is not reduced modulo q from the public parameters. Proof. Given the public parameters of any multilinear map with noise, one can simulate the MPKE protocol to generate 1 encodings u i with corresponding level- 0 ai . Then, encodings a1 i 2 ui 1 a 1 i 1 ui and have same 0 level- encoding. Namely, a1 i 2 ui a 1 i 1 ui is a level- encoding of zero. Thus, using zero-testing parameter, one 1 can obtain a quantity that is not reduced modulo q . □ Therefore, for our simplified variant, one can only compute a easily quantity that does not include the factor of the secret element g . As a result, one cannot generate a basis of g . 7 Multilinear map using random matrix For the above constructions, one can only use plaintext element of level- 1 encoding, which is hidden in zero-testing parameter. In the following, we improve the construction in Section 3 by modifying zero-testing parameter. In this new construction, one can generate usable level- 0 encoding of arbitrary feasible level encoding. To improve security, we use two countermeasures in our construction. (1) g is set as the product of m coprime elements; (2) plaintext is graded by using f . In fact, we currently do not find feasible attacks for our construction when m 1 , f 1 . It is easy to verify that the countermeasures can also be used in the above constructions. Setting the parameters. Let be the security parameter, the multilinearity level, n the dimension of elements of R . Concrete parameters are set as n , n1.5 , 2 , ( 2 ) , O(n 2 ) . q 216 nO ( ) , m 2 , n O 7.1 Construction Instance generation: (par4 ) InstGen 4 (1 ,1 ) . 16 n O ( ) ; (2) Choose elements f Dn , ' , g j Dn , (1) Choose a prime q 2 , h j Dn , q , j m in R , and set g j 1 g j so that g j ’s are coprime and g j 1 n ; m (3) Choose elements ai , b i , ei Dn , ' , i in R ; (4) Choose a random element z Rq so that z Rq ; -1 1 1 n n (5) Choose two matrices T, S Dnn , so that T , S q ; 17 (6) Set Yi TRot ( ai g ei f 1 )T , Xi S 1 Rot (bi g ei )S , i ; q z q (7) Set Pzt TRot ( z m j 1 h j g j 1 )S ; q (8) Output the public parameters par4 q, Yi , Xi i , Pzt . It is easy to prove that InstGen 4 (1 ,1 ) runs in polynomial time. Generating level- t encoding: U enc 4 (par4 , t , d) . Given a random vector d D , * , then U level- 0 encoding E= i 1 i 1 di (Yi )t is a level- t encoding of q d i ( X i )t . q ai g ei f t 1 ai' g (ei )t f t 1 ) T TRot ( )T , we have Since ( Yi ) TRot ( z zt q q t U i 1 di (Yi )t q d a' g i 1 di (ei )t f t 1 i 1 i i TRot ( )T , zt q ag ef t 1 TRot ( )T zt q where a= i 1 di ai' and e= i 1 d i (ei )t . Since ( Xi ) S Rot (b i g ei ) S S Rot (b i g (ei ) )S , we have q q t 1 1 t ' t E= i 1 di ( Xi )t S 1 Rot ( i 1 di bi' g i 1 di (ei )t )S S 1 Rot (bg e)S , q q q where b= i 1 di bi' and e= i 1 di (ei )t . Thus, U is a level- t encoding of the level- 0 encoding E . Adding encodings: U add 4 (par4 , t , U1 , , U k ) . Given k level- t encodings U l , their sum U = k l 1 U l is a level- t encoding. q rl'g el' f t 1 )T , their sum Because the level- t encoding U l is the form of U l TRot ( zt q m (rl'g el' f t ) 1 rg ef t 1 l U = l 1 U l TRot ( 1 t )T TRot ( )T t q z z q q m encoding, where r= is a level- t r and e= l 1 el' . m ' l 1 l m Multiplying encodings: U mul 4 (par4 ,1, U1 , , U k ) . Given k level- 1 encodings U l , their product U = k l 1 U l is a level- k encoding. q rl'g el' f 1 )T , the product Because the level- 1 encoding U l is the form of U l TRot ( z q 18 of k level-1 encodings is: k U = l 1 U l q k r 'g el' f 1 l 1 TRot ( l )T z q k (r 'g el' f ) 1 , j 1 l TRot ( )T zk q rg ef k 1 TRot ( )T zk q where e= e' , r ( l 1 (rl'g el' ) e) / g . l 1 l k k Zero testing: isZero 4 (par4 , U, R ) . Given a level- encoding U TRot ( rg ef 1 )T and a level- 0 encoding z q R i 1 ri Xi , to determine whether U is a level- encoding of zero, V = U Pzt R q q n n is computed in q and checked whether V is short: 1 if U P R q 3/4 zt q . isZero 4 (par4 , U) 0 otherwise If U is a level- encoding of zero, namely e 0 mod g j . By g j ’s are coprime, we obtain e r'g . So, we have V U Pzt R q m rg r'gf 1 TRot ( )T TRot (z j 1 h j g j 1 )S i 1 ri Xi z q m TRot ((rg r'f g)( j 1 h j g j 1 )( i 1 ri bi g ri ei ))S q . m TRot ((r r'f )( j 1 h j g / g j )(b'g e' ))S q For our choice of parameter, r r'f q1/8 , b'g e' nO (1) and T Moreover, V is not reduced modulo q , that is V q V . So, 19 S n . m V TRot ((r r'f )( j 1 h j g / g j )(b'g e' ))S q TRot ((r r'f )( j 1 h j g / g j )(b'g e' ))S m n3 T Rot ((r r'f ) j 1 h j g / g j ) Rot (b'g e' ) S m n 4 n Rot (r r'f ) Rot ( j 1 h j g / g j ) nO (1) n . m nO (1) 2 q1/8 m Rot (h j g / g j ) nO (1) 2 q1/8 poly (n) q1/2 poly (n) q 3/4 If U is a level- encoding of non-zero element, namely j m , e 0 mod g j . Thus, we have V = U Pzt R q m rg ef 1 )T TRot (z j 1 h j g j 1 )S i 1 ri Xi TRot ( z q . m TRot (rg ef ) Rot ( j 1 h j g j 1 ) Rot (b'g e' )S q m m h j ef (b'g e' ) TRot (rg(b'g e' ) j 1 h j g j 1 )S TRot ( j 1 )S gj q By Lemma 4 in [GGH13], we have TRot ( m j 1 h j ef (b'g e' ) gj )S q . Thus, V q . Extraction: sk ext 4 (par4 , U, R ) . Given a level- encoding U and a level- 0 encoding R i 1 ri Xi , U is q multiplied by Pzt R , and (log q ) / 4 most-significant bits of each of the n n entries of U Pzt R q is collected: ext 4 (par, U, R ) Extract 4 (msb( U Pzt R q )) . Assume rg ef 1 U TRot ( )T z q , R S 1 Rot (b'g e' )S such that rg ef q1/8 , b'g e' nO (1) . So, we have V = U Pzt R q m m h j ef (b'g e' ) 1 TRot (rg(b'g e' ) j 1 h j g j )S TRot ( j 1 )S gj q m m h j ef (b'g e' ) 1 TRot (rg (b'g e' ) j 1 h j g j )S TRot ( j 1 )S q gj q q 20 . TRot (rg (b'g e' ) m h j g j 1 )S q 3/4 . By Lemma 4 in j 1 q For our parameter setting, m h j ef (b'g e' ) )S q when j m , e 0 mod g j . [GGH13], we have TRot ( j 1 gj q Thus, the extraction algorithm can correctly work. Remark 7.1 (1) We can transform the above n n -dimensional matrix in the final result into k1 k2 -dimensional matrix to damage the structure of the principal ideal lattice problem. One n n randomly chooses T, S q with k1 k2 n . Then 1 1 nn such that T , S q , and T1 Dk1n , , S1 Dnk2 , one T* T1T1 , S* = S 1S1 , computes and output par4 q, Yi , Xi i , Pzt , T* , S* . Now, we modify the zero-testing and extraction algorithm as follows: 1 if T* U P R S* q 3/4 zt q ; isZero 4 (par4 , U, R ) 0 otherwise ext 4 (par4 , U, R ) Extract(msb( T* U Pzt R S* )) . q By cross-multiplication, we can get that V T U Pzt R S T1 Rot (r )S1 is not * * q reduced modulo q . It is easy to see that the integer Vi , j f ti ,s j ( Rot (r )) t i Rot (r ) s j is a function defined by vectors t i , s j , where t i is the i -th row of T1 , and s j is the j -th column of S1 . Even if Vi , j is not reduced modulo q , one cannot find usable quantities from some integers Vi , j since t i , s j , r all are unknown. (2) From (1), we know V T1 Rot (r )S1 have removed the structure of the principal ideal lattice problem. Thus, we conjecture that the SubM problem is hard in our encoding scheme. For the SubM problem, let R j R / g j R , G R1 Rm , and G1 0 R2 Rm . Let Zi (1) be level-1 encodings of elements from G , and Z i be level-1 encodings of elements from G1 . When generating encoding U enc(par, t , d, r ) , we replace Yi with Zi or Z i . The (1) subgroup membership problem is to distinguish between U enc(par, t , d, r ) using Zi and U1 enc(par, t , d1 , r1 ) using Zi(1) . By the above analysis, V ( ) has erased the structure of principal ideal lattice problem. That is, one cannot distinguish between U and U1 . Based on same reason, we conjecture that the DLIN problem is hard in our encoding scheme. w w and their encodings For the DLIN problem, given a matrix of elements A (ai , j ) R matrix T (enc(par, t , ai , j , r )) , the DLIN problem is to distinguish between rank w and rank w 1 matrices A . (3) Notice that one can remove R from the zero-testing and extraction algorithm above. Using R is to define the security of our construction and present one round multipartite Diffie-Hellman key exchange in the following. 7.2 Security We first consider the following security experiment: 21 (1) par4 InstGen 4 (1 ,1 ) : (2) For l 0 to Sample rl , dl D , * ; Generate level-1 encoding of El (3) Set U j 1 i 1 dl ,i Xi : U l i 1 dl ,i Yi . q q Uj . q (4) Set VC VD U Pzt E0 q . (5) Set VR U Pzt R 0 q , where R 0 r Xi . q i 1 0,i Definition 7.2 (ext-GCDH/ext-GDDH). According to the above experiment, the ext-GCDH and ext-GDDH are defined as follows: Level- extraction CDH (ext-GCDH): Given par4 , U 0 , , U , output a level- extraction n n encoding W q such that VC W q q 3/ 4 . par4 , U 0 ,, U , V , distinguish Dext RAND par4 , U 0 , , U , VR . Level- extraction DDH (ext-GDDH): Given Dext GDDH par4 , U 0 , , U , VD and between 7.3 Cryptanalysis We describe easily computable quantities for the construction of multilinear map using random matrix, and analyze possible attacks using these quantities. Easily computable quantities. While Yi , Xi encode same level-0 encoding ei , they are multiplied by the matrices T, S . One must use zero-testing parameter Pzt to obtain non-reduced quantities. For arbitrary i, j , t with i j , one can compute Vi , j ,t as follows: Vi , j ,t Yt 1 (Yi Pzt X j Y j Pzt Xi ) q m TRot ((at g et f ) 1 l 1 hl g l1 ((ai g ei f )(b j g e j ) (a j g e j f )(bi g ei )))S , q m TRot ((at g et f ) 1 l 1 hl g l' (ai b j g ai e j b j ei f a j b i g a j ei bi e j f )S q TRot ((at g et f ) 1 i , j )S where g l g / g l , i , j ' m l 1 q hl g l' (ai b j g ai e j b j ei f a j bi g a j ei b i e j f . By the parameter setting, it is easy to see that Vi , j ,t is not reduced modulo q , namely Vi , j ,t Vi , j ,t . q Similarly, one can compute 22 Vi , j ,t1 ,t2 Yt1 k1 Yt2 1 k1 (Yi Pzt X j Y j Pzt Xi ) . q TRot ((at1 g et1 f ) k1 (at2 g et2 f ) 1 k1 i , j )S So, one can obtain many non-reduced matrices Vi , j ,t1 ,t2 n n q using different combinations i, j , t1 , t2 . Compute the norm of ideal. By computing the determinant det(Vi , j ,t1 ,t2 ) of Vi , j ,t1 ,t2 , one can obtain the norm p of ideal at g et f using GCD algorithm. When knowing the norm p , one factors x 1 n lattice a t g et f n i 1 ( x i ) mod p , and solves a short generator of the principal ideal generated by two elements ( p, i ) . If at g et f can be solved, then our construction is broken. Given a1g e1f and a 2 g e 2f , one can solve the matrix T by Vi , j ,1 (Vi , j ,2 ) 1 T((a1g e1f )(a 2 g e 2f ) 1 )T1 . Using same method, one can also get S . However, there currently exists no efficient algorithm which solves short generator of principal ideal lattice for large enough n . Notably, the easily computable quantities above cannot be computed if we use the variant in Remark 7.1. 8 One round multipartite Diffie-Hellman key exchange In this section, we first describe the construction of one round multipartite Diffie-Hellman key exchange protocol using commutative variant and asymmetric variant of ideal lattices. Then we optimize and implement one round multipartite Diffie-Hellman key exchange protocol. 8.1 Construction 8.1.1 Construction based on commutative variant We describe the construction of one round multipartite Diffie-Hellman key exchange using our symmetric commutative variant as follows: Setup(1 ,1N ) . Output (par2 ) InstGen 2 (1 ,1 ) as the public parameters. Let N 1 , par3 q, Yi , Pzt,i , i Publish(par2 , p zt , j ) . The j -th party samples d j ,i Dm , * , i , computes and publishes U j i 1 (d j,i Yi ) . q KeyGen(par2 , j , d j ,i , U k k j ) . The j -th party computes C j k j U k and extracts the common secret key sk ext(par2 , d j ,i , C j ) Extract(msb( C j ( i 1 d j ,i Pzt,i ) )) . q Theorem 8.1 Suppose the ext-GCDH/ext-GDDH defined in Section 3.2 is hard, then our construction is one round multipartite Diffie-Hellman key exchange protocol. Proof. The proof is similar as Theorem 2 in [GGH13].□ 8.1.2 Construction based on simplified asymmetric variant We describe the construction of one round multipartite Diffie-Hellman key exchange using our simplified asymmetric variant as follows: 23 Setup(1 ,1N ) . Output (par3 ) InstGen 3 (1 ,1 ) as the public parameters. Let N , par3 q, y j,i , p j,i , j , i Publish(par2 , j ) . The j -th party samples d j ,i Dn , * , i , computes and publishes u j i 1 (d j,i y j,i ) . q KeyGen(par3 , j , d j ,i , uk k j ) . The j -th party computes u S j k j uk , S j j and extracts the common secret key sk ext(par3 , d j ,i , u S j ) . Theorem 8.2 Suppose the ext-GCDH/ext-GDDH defined in Section 4.2 is hard, then our construction is one round multipartite Diffie-Hellman key exchange protocol. Proof. The proof is similar as Theorem 2 in GGH13.□ 8.2 Implementation 8.2.1 Implement the construction based on the commutative variant We implement our one round multipartite Diffie-Hellman key exchange protocol using NTL [Sho09]. Setting parameters. Let be the security parameter, m O ( ) , n 2, 4 , 5,17 , N 1 7 R y [ y ]/ y m 1 , R yx R y [ x]/ x n 1 , yx m n Rq q [ y ][ x]/ y 1 x 1 . When setting concrete parameters, the coefficients . Let g j , ai , j , bi , j , ei , j R y in g, ai , bi , ei R yx are satisfied to g j ai , j bi , j ei , j 1 , y n n the entry of the matrices S, T ( R ) is satisfied to y invertible over Rq . Random sampling d j ( R ) parameters, we first is satisfied to d j ,i 1 . After sampling these V = T( Rot (g i 1 d j ,i ai ) 1 )S compute Si , j Ti , j 3 , and S, T are over ( R y ) n n and l q1 , q1 max Vi , j | i, j n , then set l , (20 25) as the bit length of modulo q . When extracting common bits, we only extract one bit from each coefficient. As a result, the 20 probability that the common bits for all parties are inconsistent is about O (2 ) . Table 1: The parameters of implementing the protocol based on the commutative variant n m l |q| pk size Setup Publish Key generation Security time time time estimation 2 128 5 70 20 90 167KB 18.1s 0.1s 0.17s 50 2 256 5 79 21 100 342KB 84.2s 0.2s 0.33s 60 2 512 5 88 22 110 709KB 263.1s 0.4s 2.86s 70 2 1024 5 97 23 120 1518KB 1520.5s 1.0s 11.5s 80 4 64 17 70 20 90 972KB 20.9s 0.2s 0.21s 50 4 128 17 79 21 100 2198KB 100.4s 0.4s 1.23s 60 4 256 17 88 22 110 4814KB 330.5s 1.0s 5.87s 70 4 512 17 97 23 120 10325KB 1650.5s 2.0s 92.8s 80 24 Remark 8.3. (1) All algorithms run over single processor (Intel Xeon E5620 4-core CPU, 2.4GHz). 1 1 1 In setup stage, solving g , z , T is the most cost time computation. (2) Notation q denotes the bit length of q . (3) Security estimation is the time computing approximate short vector of a lattice using BKZ [CN11]. 8.2.2 Implement the construction based on the simplified asymmetric variant Setting parameters. Let be the security parameter, n O( ) , 2 , N 7 . Let R R[ x]/ x 1 , Rq q [ x]/ x n 1 . When choosing the parameters, their coefficients n g j , ai , j , bi , j , ei , j R in g, ai , bi , ei R are satisfied to Random sampling d j ( R ) compute v = (g i 1 d j ,i ai ) g j ai , j b i , j ei , j 1 . is satisfied to d j ,i 1 . After choosing these parameters, we first R over and l q1 , q1 max v i | i n , then set l , (20 30) as the bit length of modulo q . When extracting common bits, we only extract one bit from each coefficient. As a result, the probability that the common bits for all parties 20 are inconsistent is about O (2 ) . Table 2: The parameters of implementing the protocol based on the simplified asymmetric variant l 256 73 512 n Key generation Security time estimation 0.05s 0.3s 50 228.1s 0.10s 1.1s 60 1.0MB 1750.8s 0.30s 2.8s 70 2.1MB 15682.6s 0.65s 5.8s 80 |q| pk size Setup time Publish time 20 93 210KB 17.1s 84 21 105 469KB 1024 92 23 115 2048 103 23 126 z*j b j Remark 8.4. Because u = y j,i p j,i y j,i p j,i by Lemma 6.1, u must be 1 2 2 1 q z j q z*j z *t r multiplied by some pt , t j to remove z j . Assume v' = u pt . Under this case, zj * * one requires to multiply two times for almost every index encoding to cancel numerator z j z t . By our parameter setting, we have (g i 1 d j ,i ai ) 2 q . Thus, setting bi , j 1 , one cannot still obtain a nontrivial quantity which is not reduced modulo q . 9 Witness Encryption Garg, Gentry, Sahai, and Waters [GGSW13] constructed an instance of witness encryption based on the NP-complete 3-exact cover problem and the GGH map. However, Hu and Jia [HJ15a] have broken the GGH-based WE. Furthermore, one cannot construct a witness encryption scheme by directly using our construction according to a comment [HJ15b]. Thus, in this section, we present an instance of WE based on a variant of our multilinear map. Different from that in [GGSW13], the ciphertext in our scheme does not include encodings of zero. 9.1 Construction 3-Exact Cover Problem [GGH13, Gol08] Given a collection Set of subsets T1 , T2 ,..., T 25 of K 1, 2,..., K such that K 3 and Ti 3 , find a 3-exact cover of K . For an instance of witness encryption, the public key is a collection Set , and the secret key is a hidden 3-exact cover of K . Encrypt (1 , par, M ) : (1) The algorithm generates Yi TRot ( and X j TRot ( ai g ei 1 hz )T , Pzt TRot ( )S , i , g z q q )T1 , j , where g Dn , , z Rq , ai , ei Dn , ' , i , z q c jg c j Dn , ' , j , T Dnn , , and S Dnn , . (2) For k K , sample d k DZ , , rk D , * and generate level- 1 encodings U k i 1 d k ,i Yi j 1 (rk,j X j ) . q (3) Compute U U k and sk Ext(Pzt , U) Extract(msb(UPzt ) , and encrypt q a message M into ciphertext C , where I is the identity matrix. (4) For each element Ti i1 , i2 , i3 , sample rTi D , * , and generate a level- 3 encoding K k 1 3 UTi U i1 U i2 U i3 j 1 rTi ,j ( X j ) . Let E UTi , Ti Set . q (5) Output the ciphertext CT (q, C , E , Pzt ) . Decrypt (CT ,W ) : U . Ti W Ti q (2) Generate sk Ext(Pzt , U ) Extract(msb(UPzt ) , and decrypt C to a message M . (1) Given CT and a witness set W , compute U Similar to [GGSW13], the security of our construction depends on the hardness assumption of the Decision Graded Encoding No-Exact-Cover. Theorem 9.1 Suppose that the Decision Graded Encoding No-Exact-Cover is hard. Then our construction is a witness encryption scheme. It is easy to verify that the Hu-Jia attacks [HJ15a, HJ15b] are prevented in our new construction. 10 Conclusion and open problem In this paper, we describe an improved construction of multilinear maps from ideal lattices, multiplying by matrices the level-1 encoding of non-zero element. The security of our construction depends upon new hardness assumption, which is seemly closely related to hardness problems of lattices. We also describe an asymmetric construction to avoid any nontrivial encoding of “0”. Furthermore, we describe one-round multipartite Diffie-Hellman key exchange protocol and an instance of witness encryption using our construction and the variant. The security of all current schemes relies on hardness assumption, which cannot be reduced to classical hardness problem. An open problem is to reduce the security of our construction of multilinear maps to classical hardness problem. References [BF03] D. Boneh and M. K. Franklin. Identity-based encryption from the Weil pairing, SIAM 26 Journal on Computing, 32(3):586–615, 2003. [BGG+14] D. Boneh, C. Gentry, S. Gorbunov, S. Halevi, V. Nikolaenko, G. Segev, V. Vaikuntanathan, and D. Vinayagamurthy. Fully keyhomomorphic encryption, arithmetic circuit abe and compact garbled circuits. EUROCRYPT 2014, LNCS 8441, pp. 533-556. [BR14] Z. Brakerski and G. N. Rothblum. Virtual black-box obfuscation for all circuits via generic graded encoding. TCC 2014, LNCS 8349, pp. 1-25. [BS03] D. Boneh and A. Silverberg. Applications of multilinear forms to cryptography. Contemporary Mathematics, 324:71–90, 2003. [BWZ14] D. Boneh, D. J. Wu, and J. Zimmerman. Immunizing multilinear maps against zeroizing attacks. http://eprint.iacr.org/2014/930. [BZ14]D. Boneh and M. Zhandry. Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. CRYPTO 2014, LNCS 8616, pp. 480-499. [CHL+14] J. H. Cheon, K. Han, C. Lee, H. Ryu, D. Stehle. Cryptanalysis of the Multilinear Map over the Integers. http://eprint.iacr.org/2014/906. [CN11] Y. Chen and P. Q. Nguyen. BKZ 2.0 Better Lattice Security Estimates, ASIACRYPT 2011, LNCS 7073, pp. 1–20. [CLT13] J. S. Coron, T. Lepoint, and M. Tibouchi. Practical multilinear maps over the integers. CRYPTO 2013, LNCS 8042, pp. 476–493. [CLT14] J. S. Coron, T. Lepoint, and M. Tibouchi. Cryptanalysis of two candidate fixes of multilinear maps over the integers. http://eprint.iacr.org/2014/975. [CLT15] J. S. Coron, T. Lepoint, and M. Tibouchi. New Multilinear Maps over the Integers. http://eprint.iacr.org/2015/162. [GGH13] S. Garg, C. Gentry, and S. Halevi. Candidate multilinear maps from ideal lattices. EUROCRYPT 2013, LNCS 7881, pp. 1–17. [GGH14] C. Gentry, S. Gorbunov, S. Halevi. Graph-induced Multilinear Maps from Lattices. http://eprint.iacr.org/2014/645. [GGH+13a] S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, and B. Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. FOCS 2013, pp.40-49. [GGH+13b] S. Garg, C. Gentry, S. Halevi, A. Sahai, and B. Waters. Attribute-based encryption for circuits from multilinear maps, CRYPTO (2) 2013, LNCS 8043, 479-499. [GGH+14] S. Garg, C. Gentry, S. Halevi, and M. Zhandry. Fully secure functional encryption without obfuscation. http://eprint.iacr.org/2014/666. [GHM+14] C. Gentry, S. Halevi, H. K. Majiy, A. Sahaiz. Zeroizing without zeroes: Cryptanalyzing multilinear maps without encodings of zero. http://eprint.iacr.org/2014/929. [GSW13a] S. Garg, C. Gentry, A. Sahai, and B. Waters. Witness encryption and its applications. STOC 2013, pp. 467-476. [GSW13b] C. Gentry, A. Sahai and B. Waters. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. CRYPTO (1) 2013, LNCS 8042, pp. 75-92. [HAO14] R. Hiromasa, M. Abe and T. Okamoto. Multilinear Maps on LWE. SCIS 2014, pp. 1-8. [HIL+99] J. Hastad, R. Impagliazzo, L. A. Levin, and M. Luby. A pseudorandom generator from any one-way function. SIAM Journal on Computing, 1999, 28(4):1364-1396. [HJ15a] Yupu Hu and Huiwen Jia. Cryptanalysis of GGH Map. http://eprint.iacr.org/2015/301. [HJ15b] Yupu Hu and Huiwen Jia. A Comment on Gu Map-1. http://eprint.iacr.org/2015/448. [HPS98] J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: a ring based public key cryptosystem. 27 ANTS 1998, LNCS 1423, pp. 267-288. [Jou00] A. Joux. A one round protocol for tripartite Diffie-Hellman. ANTS 2000, LNCS 1838, pp. 385–394. [LSS14] A. Langlois, D. Stehlé, and R. Steinfeld, GGHLite: More Efficient Multilinear Maps from Ideal Lattices, EUROCRYPT 2014, LNCS 8441, 2014, pp. 239–256. [PTT10] C. Papamanthou, R. Tamassia, and N. Triandopoulos. Optimal authenticated data structures with multilinear forms. Pairing 2010, LNCS 6487, pp. 246–264. [Rot13] R. Rothblum. On the circular security of bit-encryption. TCC 2013, LNCS 7785, 2013, pp. 579–598. [RS09] M. Rückert and D. Schröder. Aggregate and verifiably encrypted signatures from multilinear maps without random oracles. ISA 2009, LNCS 5576, pp. 750–759. [Sho09] V. Shoup. NTL: A Library for doing Number Theory. http://shoup.net/ntl/, Version 5.5.2, 2009. 2009.08.14. [Sma03] Smart, N.P. An identity based authenticated key agreement protocol based on the Weil pairing, Electronics Letters, 38(13), pp. 630-632, 2002. [SOK00] R. Sakai, K. Ohgishi and M. Kasahara. Cryptosystems based on pairing, the 2000 Symposium on Cryptography and Information Security, Okinawa, Japan, 2000. [SS11] D. Stehlé and R. Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices, EUROCRYPT 2011, LNCS 6632, pp. 27–47. 28
© Copyright 2024 Paperzz