The Kernel Matrix Diffie-Hellman Assumption
Carla Ràfols (1), Paz Morillo (2) and Jorge L. Villar (2)
(1) Universitat Pompeu Fabra (UPF), Spain
(2) Universitat Politècnica de Catalunya (UPC), Spain
Matemática Aplicada a la Criptografía
Asiacrypt 2016, Hanoi, 8 Dec 2016
C. Ràfols, P. Morillo and J. L. Villar, The Kernel MDH Assumption
Outline
1. Introduction
2. The Kernel Matrix Diffie-Hellman Assumption
3. Hardness of the KerDH Assumption
4. The Case $\ell > k + 1$
Additive (Implicit) Notation
Given a group $G$ of prime order $q$ and a generator $g \in G$:
$$g^x \to [x], \qquad g \to [1], \qquad 1 \to [0]$$
$$g^x g^y \to [x] + [y] = [x + y], \qquad (g^x)^y \to [x]\,y = [xy]$$
$$(g^{x_1}, \dots, g^{x_n}) \to [x_1, \dots, x_n]$$
$$\begin{pmatrix} g^{x_{11}} & \cdots & g^{x_{1m}} \\ \vdots & \ddots & \vdots \\ g^{x_{n1}} & \cdots & g^{x_{nm}} \end{pmatrix} \to \left[ \begin{pmatrix} x_{11} & \cdots & x_{1m} \\ \vdots & \ddots & \vdots \\ x_{n1} & \cdots & x_{nm} \end{pmatrix} \right]$$
Given a (symmetric) bilinear map $e : G \times G \to G_T$:
$$e(g^x, g^y) = g_T^{xy} \to e([x], [y]) = [xy]_T$$
Subspace Membership Problems
For a $(k, \ell)$-collection of vector subspaces of dimension $k$, $\mathcal{S} = \{S_i\}_{i \in \mathcal{I}}$, of the vector space $\mathbb{Z}_q^{\ell}$, where $0 < k < \ell$.
Definition (Subspace Membership Problem). Given $G$ and $g$, tell apart
$D_{\mathrm{real}} = ([S], [z])$ for random $S \leftarrow \mathcal{S}$ and $z \leftarrow S$
$D_{\mathrm{random}} = ([S], [z])$ for random $S \leftarrow \mathcal{S}$ and $z \leftarrow \mathbb{Z}_q^{\ell}$
Typically, $S = \operatorname{Span} A$, where $A \in \mathbb{Z}_q^{\ell \times k}$ and $\operatorname{rank} A = k$.
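Subspace Membership Problems
DDH: $A(a) = \begin{pmatrix} 1 \\ a \end{pmatrix}$, $a \leftarrow \mathbb{Z}_q$
$$z = \begin{pmatrix} 1 \\ a \end{pmatrix} (w) = \begin{pmatrix} w \\ aw \end{pmatrix} \quad \text{vs.} \quad z = \begin{pmatrix} z_1 \\ z_2 \end{pmatrix}$$
2-Lin: $A(a_1, a_2) = \begin{pmatrix} a_1 & 0 \\ 0 & a_2 \\ 1 & 1 \end{pmatrix}$, $a_1, a_2 \leftarrow \mathbb{Z}_q$
$$z = \begin{pmatrix} a_1 & 0 \\ 0 & a_2 \\ 1 & 1 \end{pmatrix} \begin{pmatrix} w_1 \\ w_2 \end{pmatrix} = \begin{pmatrix} a_1 w_1 \\ a_2 w_2 \\ w_1 + w_2 \end{pmatrix} \quad \text{vs.} \quad z = \begin{pmatrix} z_1 \\ z_2 \\ z_3 \end{pmatrix}$$
The matrices $A(a)$ and $A(a_1, a_2)$ are "matrix distributions".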
Matrix Distributions
Given $1 \le k < \ell$,
Definition (Polynomial Matrix Distribution). $A \leftarrow \mathcal{D}^{f}_{\ell,k}$, where $A \in \mathbb{Z}_q^{\ell \times k}$, $\operatorname{rank} A = k$ and $A$ is sampled according to $A = f(a_1, \dots, a_d)$, where $a_1, \dots, a_d \leftarrow \mathbb{Z}_q$ and $f$ is a polynomial map of constant degree.
We also tolerate $\Pr(\operatorname{rank} A < k) \in \mathrm{negl}$.
We focus on the case $\ell = k + 1$ and $\deg f = 1$.
E.g. $A(a) = \begin{pmatrix} 1 \\ a \end{pmatrix}$, $A(a_1, a_2) = \begin{pmatrix} a_1 & 0 \\ 0 & a_2 \\ 1 & 1 \end{pmatrix}$
Matrix Decision Diffie-Hellman (MDDH) Problems
Definition ($\mathcal{D}^{A}_{\ell,k}$-MDDH Problem [EHKRV13]). Tell apart the two probability distributions
$D_{\mathrm{real}} = (G, q, g, [A(t)], [A(t)w])$, $t \leftarrow \mathbb{Z}_q^{d}$, $w \leftarrow \mathbb{Z}_q^{k}$
$D_{\mathrm{random}} = (G, q, g, [A(t)], [z])$, $t \leftarrow \mathbb{Z}_q^{d}$, $z \leftarrow \mathbb{Z}_q^{\ell}$
The $\mathcal{D}^{A}_{\ell,k}$-MDDH Assumption states that the above problem is hard, w.r.t. an instance generator $(q, G, g) \leftarrow \mathcal{I}$.
Generic hardness depends on the degree and irreducibility of the determinant polynomial $d(t, z) = \det(A(t) \,\|\, z)$.
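Known Instances
$$A_{k\text{-Unif}} = \begin{pmatrix} t_{1,1} & \cdots & t_{1,k} \\ \vdots & \ddots & \vdots \\ t_{k+1,1} & \cdots & t_{k+1,k} \end{pmatrix} \qquad A_{k\text{-Lin}} = \begin{pmatrix} t_1 & 0 & \cdots & 0 \\ 0 & t_2 & \ddots & \vdots \\ \vdots & \ddots & \ddots & 0 \\ 0 & \cdots & 0 & t_k \\ 1 & 1 & \cdots & 1 \end{pmatrix}$$
$$A_{k\text{-Casc}} = \begin{pmatrix} t_1 & 0 & \cdots & 0 \\ 1 & t_2 & \ddots & \vdots \\ 0 & 1 & \ddots & 0 \\ \vdots & \ddots & \ddots & t_k \\ 0 & \cdots & 0 & 1 \end{pmatrix} \qquad A_{k\text{-SCasc}} = \begin{pmatrix} t & 0 & \cdots & 0 \\ 1 & t & \ddots & \vdots \\ 0 & 1 & \ddots & 0 \\ \vdots & \ddots & \ddots & t \\ 0 & \cdots & 0 & 1 \end{pmatrix}$$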
Applications
Some known applications:
- Public key encryption
- Hash Proof systems
- Pseudorandom functions
- Non-interactive Zero-Knowledge proofs (Groth-Sahai)
- Efficient Proofs for CRS-Dependent Languages
Key idea: Most constructions based on DDH or 2-Lin are actually valid for any MDDH problem.
We can obtain
- more compact instances
- more secure instances (secure even when an efficient multilinear map is available)
Flexible Computational Matrix Problems
Decision problems: natural model for indistinguishability adversarial capabilities (IND-CPA, pseudorandomness, ...).
(Flexible) computational problems: capture forgery adversarial capabilities. E.g. breaking
- unforgeability of a digital signature
- soundness of a ZK argument
- binding property of a commitment
- ...
We unify some existing flexible computational problems in the literature in a single framework.
The Kernel Matrix Diffie-Hellman Assumption
For a $(r, \ell)$-collection of vector subspaces of dimension $r$, $\mathcal{S} = \{S_i\}_{i \in \mathcal{I}}$, of the vector space $\mathbb{Z}_q^{\ell}$, where $0 < r < \ell$.
Definition (Subspace Sampling Problem). Given $G$, $g$ and $[S]$, find $[x]$ where $x$ is a nonzero vector in $S$.
Typically $S = \ker A^{\top}$, where $A \in \mathbb{Z}_q^{\ell \times k}$, $\operatorname{rank} A = k$ and $r = \ell - k$.
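An added example, not part of the original slides: for the 2-Lin matrix $A(a_1, a_2)$ it evaluates the determinant polynomial $d(t, z) = \det(A(t) \,\|\, z)$ and shows that its cofactor vector $x$ lies in $\ker A^{\top}$, so $d(t, z) = x \cdot z$ vanishes exactly on real MDDH instances. It works directly on exponents in $\mathbb{Z}_q$ with a toy prime (an adversary only sees $[A]$ and $[z]$), and the names `two_lin`, `d` and `kernel_vector` are illustrative assumptions.

```python
import random

Q = 1_000_003  # toy prime chosen for this demo; real groups use ~256-bit q

def two_lin(a1, a2):
    """The 2-Lin matrix A(a1, a2) from the slides (l = 3, k = 2)."""
    return [[a1, 0], [0, a2], [1, 1]]

def mat_vec(A, w):
    """z = A w over Z_q."""
    return [sum(r * x for r, x in zip(row, w)) % Q for row in A]

def det(M):
    """Determinant mod Q by Laplace expansion (fine for tiny matrices)."""
    if len(M) == 1:
        return M[0][0] % Q
    total = 0
    for j, entry in enumerate(M[0]):
        minor = [row[:j] + row[j + 1:] for row in M[1:]]
        total += (-1) ** j * entry * det(minor)
    return total % Q

def d(A, z):
    """Determinant polynomial d(t, z) = det(A(t) || z) for l = k + 1."""
    return det([row + [zi] for row, zi in zip(A, z)])

def kernel_vector(A):
    """Cofactors of the appended column: x^T A = 0 and d(t, z) = x . z."""
    n = len(A)
    return [d(A, [int(i == j) for j in range(n)]) for i in range(n)]

def demo(seed=2016):
    """Constructed sample run: one real and one random instance."""
    rng = random.Random(seed)
    A = two_lin(rng.randrange(1, Q), rng.randrange(1, Q))
    z_real = mat_vec(A, [rng.randrange(Q), rng.randrange(Q)])
    z_rand = [rng.randrange(Q) for _ in range(3)]
    x = kernel_vector(A)
    xTA = [sum(x[i] * A[i][j] for i in range(3)) % Q for j in range(2)]
    return {"x": x, "xTA": xTA, "d_real": d(A, z_real), "d_rand": d(A, z_rand)}

if __name__ == "__main__":
    print(demo())
```
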