
The CLT Multilinear Map: From DGHV to Zeroizing
Tancrède Lepoint
Paris, October 14-15, 2015, School on FHE and MMAPs

outline
◮ Introduction & timeline
◮ Syntax of MMAPs
◮ Interlude: HE over Z
◮ The CLT13 Candidate


18. numerical example
◮ $p = 541$, $q_0 = 809 \Rightarrow x_0 = 437669$
◮ noise size: $\rho = 4$
Encryption:
◮ $c_1 = 737 \cdot 541 + 2 \cdot 6 + 1 = 398730$
◮ $c_2 = 368 \cdot 541 + 2 \cdot 9 + 0 = 199106$
Addition and Multiplication:
◮ $c_3 = c_1 + c_2 \bmod x_0 = (398730 + 199106) \bmod 437669 = 160167$
◮ $c_4 = c_1 \cdot c_2 \bmod x_0 = (398730 \cdot 199106) \bmod 437669 = 317801$
Decryption:
◮ $c_3 \bmod p = 160167 \bmod 541 = 31 = 2 \cdot 15 + 1 = 2 \cdot 15 + (1 \text{ XOR } 0)$
◮ $c_4 \bmod p = 317801 \bmod 541 = 234 = 2 \cdot 117 + 0 = 2 \cdot 117 + (1 \text{ AND } 0)$
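The numerical example above, worked as runnable code (an added illustration, not code from the talk; the function names are mine): it reproduces the slide's $c_1, \dots, c_4$ and their decryptions, and also shows the caveat these toy parameters hide, namely that one further multiplication pushes the hidden noise $2r + m$ past $p = 541$ and decryption returns the wrong bit.

```python
import random

# The talk's toy parameters: secret p, public q_0, noise size rho (slide 18).
P, Q0, RHO = 541, 809, 4
X0 = Q0 * P                     # public element x_0 = q_0 * p = 437669

def encrypt(m, q, r, p=P):
    """c = q*p + 2r + m; q and r are explicit so the slide's values can be reproduced."""
    assert m in (0, 1) and 0 <= q < Q0 and 0 <= r < 2 ** RHO
    return q * p + 2 * r + m

def encrypt_random(m, p=P, rng=random):
    """Fresh ciphertext with q uniform in [0, q_0) and r uniform in [0, 2^rho)."""
    return encrypt(m, rng.randrange(Q0), rng.randrange(2 ** RHO), p)

def decrypt(c, p=P):
    """(c mod p) mod 2: correct as long as the hidden noise 2r + m stays below p."""
    return (c % p) % 2

def add(c1, c2):                # XOR of the plaintexts: the noises add up
    return (c1 + c2) % X0

def mul(c1, c2):                # AND of the plaintexts: the noises multiply
    return (c1 * c2) % X0

def noise(c, p=P):
    """The hidden 2r + m (only meaningful while it is smaller than p)."""
    return c % p

def slide_example():
    """Reproduces slide 18: returns (c1, c2, c3, c4, dec(c3), dec(c4))."""
    c1 = encrypt(1, 737, 6)     # 737*541 + 2*6 + 1 = 398730
    c2 = encrypt(0, 368, 9)     # 368*541 + 2*9 + 0 = 199106
    c3, c4 = add(c1, c2), mul(c1, c2)
    return c1, c2, c3, c4, decrypt(c3), decrypt(c4)

def noise_overflow_example():
    """One multiplication more than p = 541 can absorb: the noise becomes
    13 * 18 * 13 = 3042 > p, so (1 AND 0) AND 1 decrypts to the wrong bit.
    Returns (correct bit, what decrypt gives, noise before reduction mod p)."""
    c1, _, _, c4, _, _ = slide_example()
    c5 = mul(c4, c1)
    return 0, decrypt(c5), noise(c4) * noise(c1)
```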

19. semantic security
Consider $D = \{ q \cdot p + r : q \leftarrow [0, q_0),\ r \leftarrow [0, 2^\rho) \}$
Security of the scheme is based on:
(Error-Free) Decisional Approximate-GCD: Given $x_0 = q_0 \cdot p$ and polynomially many $x_i \in D$, decide whether $z$ is uniformly generated in $[0, x_0)$ or in $D$
Semantic security of the scheme:
◮ Recall that $c = q \cdot p + 2r + m$
◮ Assume $\gcd(2, q_0) = 1$; then $c = 2 \cdot \underbrace{\big( (q/2 \bmod q_0) \cdot p + r \big)}_{\text{indistinguishable from uniform mod } x_0} + m \bmod (q_0 \cdot p)$
◮ Therefore the ciphertext of $m$ is indistinguishable from uniform

20. batching (1)
◮ In one ciphertext, encode $\ell$ plaintexts $(u_1, u_2, u_3, \dots, u_\ell)$
◮ Addition and Multiplication: in parallel over the $\ell$ slots, $(u_1, \dots, u_\ell) + (v_1, \dots, v_\ell) = (w_1, \dots, w_\ell)$, and likewise for $\times$
◮ Permutations $\pi$ between the slots (algebraic structure)
◮ Public element $x_0 = q_0 \cdot p$
◮ Ciphertext of $m \in \{0, 1\}$: $c = q \cdot p + 2r + m$
◮ $c \bmod p = 2r + m$ and $c \bmod q_0 = (q \cdot p + 2r + m) \bmod q_0$, with $q$ uniform in $[0, q_0)$
◮ We can write $c = \mathrm{CRT}_{q_0, p}(q', 2r + m)$

21. batching (2): extend using the Chinese Remainder Theorem
$c = \mathrm{CRT}_{q_0, p}(q', 2r + m)$
◮ Generalization to several slots is easy!
◮ Ciphertext of $\vec m = (m_1, \dots, m_n) \in \{0, 1\}^n$: $c = \mathrm{CRT}_{q_0, p_1, \dots, p_n}(q', 2r_1 + m_1, \dots, 2r_n + m_n)$
◮ Decryption: $m_i = (c \bmod p_i) \bmod 2$
◮ Thanks to the structure of the CRT:
◮ Addition: the addition is performed modulo each $p_i$ similarly to DGHV
◮ Multiplication: the multiplication is performed modulo each $p_i$ similarly to DGHV

22. security of the batch scheme
(Error-Free) Decisional Approximate-GCD: Given $x_0 = q_0 \cdot p$ and polynomially many $x_i \in D = \{ q \cdot p + r : q \leftarrow [0, q_0),\ r \leftarrow [0, 2^\rho) \}$, decide whether $z$ is uniformly generated in $[0, x_0)$ or in $D$
Sketch: (Error-Free) $\ell$-Decisional Approximate-GCD: Given $x_0 = q_0 \cdot p_1 \cdots p_n$ and polynomially many $x_i \in D_n = \{ \mathrm{CRT}_{q_0, p_i}(q, \dots, r_i, \dots) : q \leftarrow [0, q_0),\ r_i \leftarrow [0, 2^\rho) \}$, decide whether $z$ is uniformly generated in $[0, x_0)$ or in $D_n$
◮ For $n = 1$, the above problem is the (Error-Free) Decisional Approximate-GCD
◮ Let $\mathcal A$ be an adversary having advantage $\epsilon$ to solve this latter problem
◮ Denote $D_i$ the distribution of elements of the form $\mathrm{CRT}_{q_0, p_1, \dots, p_n}(q, \underbrace{*, \dots, *}_{n - i \text{ random}}, r_i, \dots, r_n)$
◮ $\exists\, j_0$ s.t. $\mathcal A$ has advantage $\geq \epsilon / n$ to distinguish $D_{j_0 - 1}$ and $D_{j_0}$
◮ With probability $1/n$, you can place $p$ at position $j_0$ (generate the $n - 1$ other $p_i$'s yourself), and you use the challenge $z$ for this slot
Security is based on the same problem as before!

23. advantages of the batch variant
◮ Parallelization: $(u_1, \dots, u_\ell) + (v_1, \dots, v_\ell) = (w_1, \dots, w_\ell)$, and likewise for $\times$, slot by slot
◮ Use the fact that $q \gg p$ to pack elements
◮ (Also asymptotic reduction of overhead per gate with permutations) [CCKLLTY13]
With essentially the same complexity costs and the same security, operations over $\ell \geq 1$ bits!

24. outline
◮ Introduction & timeline
◮ Syntax of MMAPs
◮ Interlude: HE over Z
◮ The CLT13 Candidate
◮ “Zeroizing”, again and again
◮ Conclusion & open problems

25. from HE to MMAPs
◮ Large plaintext space
◮ Add the “tags”
◮ We will get it via some multiplicative masks
◮ Add a zero-testing procedure
◮ The secret key will be the $p_i$'s and the secret mask: we will mix them together

26. extend to larger plaintext ring
◮ Ciphertext of $\vec m = (m_1, \dots, m_n) \in \{0, 1\}^n$: $c = \mathrm{CRT}_{q_0, p_1, \dots, p_n}(q', 2r_1 + m_1, \dots, 2r_n + m_n)$
◮ what is the problem? (hint: multiplication)
◮ Ciphertext of $\vec m = (m_1, \dots, m_n) \in \mathbb Z_{g_1} \times \cdots \times \mathbb Z_{g_n}$: $c = \mathrm{CRT}_{q_0, p_1, \dots, p_n}(q', g_1 \cdot r_1 + m_1, \dots, g_n \cdot r_n + m_n)$

27. tags = levels using a random mask
◮ Let $z \leftarrow [0, x_0)$ be a random (invertible) multiplicative mask
◮ Encoding of $\vec m \in \mathbb Z_{g_1} \times \cdots \times \mathbb Z_{g_n}$ at level $j$: $[\vec m]_j = c / z^j \bmod x_0 = \dfrac{\mathrm{CRT}_{q_0, p_1, \dots, p_n}(q', r_1 \cdot g_1 + m_1, \dots, r_n \cdot g_n + m_n)}{z^j} \bmod x_0$
◮ Operations over $\mathbb Z_{x_0}$:
Addition: $[\vec m]_j + [\vec m']_j \simeq [\vec m + \vec m']_j$
Multiplication: $[\vec m]_{j_1} \times [\vec m']_{j_2} \simeq [\vec m \cdot \vec m']_{j_1 + j_2}$

28. main ingredient: zero testing
◮ How to test whether two degree-$\kappa$ encodings are equal? $[\vec m]_\kappa \simeq [\vec \ell]_\kappa$ (i.e. $\vec m = \vec \ell$) $\iff$ $[\vec m - \vec \ell]_\kappa \simeq [\vec 0]_\kappa$
◮ What is an encoding of $\vec 0$ at the top level? $[\vec 0]_\kappa = \dfrac{\mathrm{CRT}_{q_0, p_1, \dots, p_n}(q', r_1 \cdot g_1, \dots, r_n \cdot g_n)}{z^\kappa} \bmod x_0$
◮ Idea of [GGH13]: multiply by an element which will cancel $z^\kappa$ and, when the $r_i$'s are small ($r_i g_i \ll p_i$), yield something small compared to $x_0$.

29. main ingredient: zero testing (ctnd.)
◮ let's rewrite $[\vec 0]_\kappa$:
$[\vec 0]_\kappa = \sum_i g_i r_i \cdot \big( (p_i^*)^{-1} / z^\kappa \bmod p_i \big) \cdot p_i^* + \big( \prod_j p_j \big) \cdot q'' \bmod x_0$, where $p_i^* = \prod_{j \neq i} p_j$
◮ The random value $q''$ makes it difficult to obtain something small... except if we are working modulo $\prod p_j$
◮ In the following $x_0 = \prod p_j$, and $[\vec m]_j = \dfrac{\mathrm{CRT}_{p_1, \dots, p_n}(r_1 \cdot g_1 + m_1, \dots, r_n \cdot g_n + m_n)}{z^j} \bmod x_0$

30. main ingredient: zero testing (ctnd.)
◮ now $[\vec 0]_\kappa = \sum_i g_i r_i \cdot \big( (p_i^*)^{-1} / z^\kappa \bmod p_i \big) \cdot p_i^* \bmod x_0$, where $p_i^* = \prod_{j \neq i} p_j$
◮ Multiply by the public element (where $h_i \ll p_i$): $p_{zt} = \sum_i h_i \cdot \big( g_i^{-1} z^\kappa \bmod p_i \big) \cdot p_i^* \bmod x_0$
◮ We have (we prove equivalence whp when many $p_{zt}$'s are given): $\vec m = \vec 0 \Rightarrow \big| [\vec m]_\kappa \cdot p_{zt} \bmod x_0 \big| = \big| \sum_i r_i \cdot (h_i p_i^*) \big| \ll x_0$

31. Partial Conclusion
◮ Second candidate multilinear map
◮ Hardness assumptions:
◮ GDDH
◮ but also DLIN, SubM, etc.
◮ Composite-order multilinear maps
◮ Used in multiple schemes and obfuscation candidates

32. outline
◮ Introduction & timeline
◮ Syntax of MMAPs
◮ Interlude: HE over Z
◮ The CLT13 Candidate
◮ “Zeroizing”, again and again
◮ Conclusion & open problems

33. CLT13 properties
◮ Encoding is related to a numerator $u \sim (e_1, \dots, e_n)$
◮ $e_i = g_i \cdot r_i + m_i$
◮ Finding the $e_i$'s means breaking the scheme
◮ An encoding of 0 is $u \sim (g_1 r_1, \dots, g_n r_n)$
◮ Adding / multiplying encodings operates on the numerators over $\mathbb Z$ (not modulo $x_0$): $u_1 + u_2 \sim (e_{1i} + e_{2i})_i$, $u_1 \cdot u_2 \sim (e_{1i} \cdot e_{2i})_i$
◮ Zero-testing top-level encodings $u \sim (g_1 r_1, \dots, g_n r_n)$ we get $\mathrm{ztst}(u) = \sum_i r_i \cdot (h_i p_i^*)$ over $\mathbb Z$ (no mod $q$)

34. public procedures
◮ Sample: subset-sum of publicly available random level-0 encodings, $\sum_{i \in S} [u_i]_0 = [u]_0$
◮ Encode at level 1: multiply by a level-1 encoding of $\vec 1$, $[u]_0 \cdot [\vec 1]_1 = [u]_1$
◮ reRandomization: add a subset-sum of level-1 encodings of 0 to drown the noise obtained by sampling/encoding, $[u]_1 + \sum_{i \in S} [0_i]_1$

35. public extraction
◮ Extraction: extract the $\lambda$ most significant bits of
$\mathrm{ext}([\vec m]_\kappa) = \mathrm{MSB}_\lambda\big( p_{zt} \cdot [\vec m]_\kappa \bmod x_0 \big) = \mathrm{MSB}_\lambda\Big( \sum_{i=1}^n (r_i + m_i \cdot g_i^{-1} \bmod p_i) \cdot (h_i p_i^*) \Big) = \mathrm{MSB}_\lambda\Big( \sum_{i=1}^n (m_i \cdot g_i^{-1} \bmod p_i) \cdot (h_i p_i^*) \Big)$
◮ for $\vec m_1 = \vec m_2$, we will have $\mathrm{ext}([\vec m_1]_\kappa) == \mathrm{ext}([\vec m_2]_\kappa)$

36. Diffie-Hellman Key Exchange
◮ Setup: For $N$ participants, initialization of an $(N - 1)$-multilinear map
◮ Publish: Use the public params, sample a level-0 encoding $c_i$, and publish $c'_i = \mathrm{reRand}(\mathrm{enc}(c_i, 1))$
◮ KeyGen: Compute $\tilde c_i = c_i \cdot \prod_{j \neq i} c'_j$, and get the shared key $s = \mathrm{ext}(\tilde c_i)$
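A toy implementation of the CLT13 ingredients of the slides above (CRT batching over $x_0 = \prod p_i$, the mask $z$ and levels, $p_{zt}$, the zero test, extraction, and the $N = \kappa + 1$ party key exchange), as an added example that is not the talk's or CLT13's reference code. Class and function names and the tiny parameter sizes are my own assumptions and give no security; re-randomisation and subset-sum sampling are omitted, and the sizes are chosen so that the zero-test noise $\sum_i r_i h_i p_i^*$ stays far below $x_0 / 2^{2\lambda}$.

```python
import random
from math import prod, gcd

def random_prime(bits, rng):                 # toy prime generator: Fermat tests to bases 2 and 3
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, c - 1, c) == 1 for a in (2, 3)):
            return c

def crt(mods, residues):
    """The unique x in [0, prod(mods)) with x = residues[i] mod mods[i]."""
    x0 = prod(mods)
    return sum(r * (x0 // m) * pow(x0 // m, -1, m) for m, r in zip(mods, residues)) % x0

class ToyCLT:
    def __init__(self, n=3, kappa=2, seed=1, p_bits=100, g_bits=6, h_bits=8, rho=3, lam=16):
        self.rng = random.Random(seed)                  # seeded: the run is reproducible
        self.kappa, self.rho, self.lam = kappa, rho, lam
        self.p = [random_prime(p_bits, self.rng) for _ in range(n)]
        self.x0 = prod(self.p)                          # x_0 = prod p_j (slide 29)
        self.g = [random_prime(g_bits, self.rng) for _ in range(n)]    # plaintext moduli g_i
        self.h = [self.rng.getrandbits(h_bits) | 1 for _ in range(n)]  # h_i << p_i
        self.z = self.rng.randrange(1, self.x0)
        while gcd(self.z, self.x0) != 1:                # random invertible mask z
            self.z = self.rng.randrange(1, self.x0)
        self.pstar = [self.x0 // pi for pi in self.p]   # p_i^* = prod_{j != i} p_j
        # p_zt = sum_i h_i * (g_i^{-1} z^kappa mod p_i) * p_i^*  mod x_0   (slide 30)
        self.pzt = sum(hi * (pow(gi, -1, pi) * pow(self.z, kappa, pi) % pi) * ps
                       for hi, gi, pi, ps in zip(self.h, self.g, self.p, self.pstar)) % self.x0

    def encode(self, m, level):
        """[m]_level = CRT_{p_1..p_n}(r_1 g_1 + m_1, ..., r_n g_n + m_n) / z^level mod x_0."""
        res = [self.rng.randrange(2 ** self.rho) * gi + mi % gi for gi, mi in zip(self.g, m)]
        return crt(self.p, res) * pow(self.z, -level, self.x0) % self.x0

    def sub(self, u, v): return (u - v) % self.x0       # same level
    def mul(self, u, v): return (u * v) % self.x0       # levels add up

    def zero_test_value(self, u):                       # centred p_zt * u mod x_0
        v = self.pzt * u % self.x0
        return v - self.x0 if v > self.x0 // 2 else v
    def is_zero(self, u):                               # |sum_i r_i h_i p_i^*| << x_0 iff u encodes 0
        return abs(self.zero_test_value(u)) < self.x0 >> (2 * self.lam)
    def extract(self, u):                               # ext: the lam most significant bits (slide 35)
        return (self.pzt * u % self.x0) >> (self.x0.bit_length() - self.lam)

def key_exchange(clt):
    """Slide 36 with N = kappa + 1 parties: party i samples a level-0 c_i, publishes
    c'_i = c_i * [1]_1 and derives s_i = ext(c_i * prod_{j != i} c'_j). Returns [s_1..s_N]."""
    one = clt.encode([1] * len(clt.g), 1)
    c = [clt.encode([clt.rng.randrange(gi) for gi in clt.g], 0) for _ in range(clt.kappa + 1)]
    pub = [clt.mul(ci, one) for ci in c]
    return [clt.extract(prod(pub[:i] + pub[i + 1:], start=ci) % clt.x0) for i, ci in enumerate(c)]

def demo(seed=1):
    """(product of two level-1 encodings zero-tests equal to a fresh encoding of m1*m2,
    ext agrees on the two, ext and the zero test separate it from another vector,
    all key-exchange parties obtain the same key)"""
    clt = ToyCLT(seed=seed)
    m1, m2 = [1, 2, 3], [4, 5, 6]
    ab = clt.mul(clt.encode(m1, 1), clt.encode(m2, 1))                  # level 1 + 1 = kappa
    ab_fresh = clt.encode([x * y % gi for x, y, gi in zip(m1, m2, clt.g)], clt.kappa)
    other = clt.encode([0, 0, 1], clt.kappa)
    return (clt.is_zero(clt.sub(ab, ab_fresh)), clt.extract(ab) == clt.extract(ab_fresh),
            clt.extract(ab) != clt.extract(other) and not clt.is_zero(clt.sub(ab, other)),
            len(set(key_exchange(clt))) == 1)
```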

37. main security assumption
GDDH: Given $(\kappa + 1)$ elements $[\vec m_i]_1$ and $[\vec m']_\kappa$, determine whether $\vec m' \simeq \prod_{i=1}^{\kappa + 1} \vec m_i$.
◮ At the heart of the multipartite key exchange protocol
◮ Assumed to be hard (but no reduction to Approx.-GCD)
◮ Asymptotic parameters determined from several attacks:
◮ orthogonal lattice attack on encodings
◮ GCD attack on zero-testing
◮ hidden subset sum attack on zero-testing
◮ attacks on the inverse zero-testing matrix
◮ brute-force on the noises, ...

38. zeroizing attack [CheonHanLeeRyuStehlé’15]

39. exploiting the linearity of the zero-testing
$[\vec 0]_\kappa \cdot p_{zt} = \sum_i r_i \cdot (h_i \cdot p_i^*) \in \mathbb Z$
$[\vec b]_1 \cdot [\vec 0]_{\kappa - 2} \cdot [\vec c]_1 \cdot p_{zt} = \sum_i \hat b_i \cdot r_i \cdot \hat c_i \cdot (h_i \cdot p_i^*) \in \mathbb Z$
(the slide displays the last sum as a product of three factors: the row vector $(\hat b_i \cdot (h_i \cdot p_i^*))_i$, the diagonal matrix with entries $r_i$, and the column vector $(\hat c_i)_i$)

40. inversion over $\mathbb Q$
◮ Let's do it with many $[\vec c]_1$ and two targets $[\vec b]_1$, $[\vec b']_1$ (together with $[\vec 0]_{\kappa - 2}$)
(the slide shows the two resulting factorizations side by side, one with the row vector $(\hat b_i \cdot (h_i \cdot p_i^*))_i$ and one with $(\hat b'_i \cdot (h_i \cdot p_i^*))_i$, both with the diagonal factor $r_i$ and the column vector $(\hat c_i)_i$, and then the inverse factors $(\hat c_i)^{-1}$ and $(r_i)^{-1}$ that appear once the first is inverted over $\mathbb Q$)
