The Kernel Matrix Diffie-Hellman Assumption

  1. The Kernel Matrix Diffie-Hellman Assumption

     Carla Ràfols (1), Paz Morillo (2) and Jorge L. Villar (2)
     (1) Universitat Pompeu Fabra (UPF), Spain
     (2) Universitat Politècnica de Catalunya (UPC), Spain
     Matemática Aplicada a la Criptografía

     Asiacrypt 2016, Hanoi, 8 Dec 2016

     C. Ràfols, P. Morillo and J. L. Villar · The Kernel MDH Assumption

  2. Introduction · Kernel MDH · Hardness · ℓ > k + 1

     Outline

     1. Introduction
     2. The Kernel Matrix Diffie-Hellman Assumption
     3. Hardness of the KerDH Assumption
     4. The Case ℓ > k + 1

  3. Additive (Implicit) Notation

     Given a group $G$ of prime order $q$ and a generator $g \in G$:

     $$g^x \to [x], \qquad g \to [1], \qquad 1 \to [0]$$

     $$g^x g^y \to [x] + [y] = [x + y], \qquad (g^x)^y \to [x]\,y = [xy]$$

     $$(g^{x_1}, \ldots, g^{x_n}) \to [x_1, \ldots, x_n]$$

     $$\begin{pmatrix} g^{x_{11}} & \cdots & g^{x_{1m}} \\ \vdots & & \vdots \\ g^{x_{n1}} & \cdots & g^{x_{nm}} \end{pmatrix} \to \begin{bmatrix} x_{11} & \cdots & x_{1m} \\ \vdots & & \vdots \\ x_{n1} & \cdots & x_{nm} \end{bmatrix}$$

     Given a (symmetric) bilinear map $e : G \times G \to G_T$:

     $$e(g^x, g^y) = g_T^{xy} \;\to\; e([x], [y]) = [xy]_T$$

  5. Subspace Membership Problems

     For a $(k, \ell)$-collection of vector subspaces of dimension $k$, $\mathcal{S} = \{S_i\}_{i \in \mathcal{I}}$, of the vector space $\mathbb{Z}_q^{\ell}$, where $0 < k < \ell$.

     Definition (Subspace Membership Problem). Given $G$ and $g$, tell apart

     $$D_{\text{real}} = ([S], [z]) \quad \text{for random } S \leftarrow \mathcal{S} \text{ and } z \leftarrow S$$

     $$D_{\text{random}} = ([S], [z]) \quad \text{for random } S \leftarrow \mathcal{S} \text{ and } z \leftarrow \mathbb{Z}_q^{\ell}$$

     Typically, $S = \operatorname{Span} A$, where $A \in \mathbb{Z}_q^{\ell \times k}$ and $\operatorname{rank} A = k$.

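  7. Subspace Membership Problems

     DDH: $A(a) = \begin{pmatrix} 1 \\ a \end{pmatrix}$, $a \leftarrow \mathbb{Z}_q$

     $$z = \begin{pmatrix} 1 \\ a \end{pmatrix} (w) = \begin{pmatrix} w \\ aw \end{pmatrix} \quad \text{vs.} \quad z = \begin{pmatrix} z_1 \\ z_2 \end{pmatrix}$$

     “Matrix distributions”

     2-Lin: $A(a_1, a_2) = \begin{pmatrix} a_1 & 0 \\ 0 & a_2 \\ 1 & 1 \end{pmatrix}$, $a_1, a_2 \leftarrow \mathbb{Z}_q$

     $$z = \begin{pmatrix} a_1 & 0 \\ 0 & a_2 \\ 1 & 1 \end{pmatrix} \begin{pmatrix} w_1 \\ w_2 \end{pmatrix} = \begin{pmatrix} a_1 w_1 \\ a_2 w_2 \\ w_1 + w_2 \end{pmatrix} \quad \text{vs.} \quad z = \begin{pmatrix} z_1 \\ z_2 \\ z_3 \end{pmatrix}$$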

  10. Matrix Distributions

      Given $1 \le k < \ell$:

      Definition (Polynomial Matrix Distribution). $A \leftarrow \mathcal{D}^{f}_{\ell,k}$, where $A \in \mathbb{Z}_q^{\ell \times k}$, $\operatorname{rank} A = k$ and $A$ is sampled according to $A = f(a_1, \ldots, a_d)$, where $a_1, \ldots, a_d \leftarrow \mathbb{Z}_q$ and $f$ is a polynomial map of constant degree.

      We also tolerate $\Pr(\operatorname{rank} A < k) \in \mathrm{negl}$.

      We focus on the case $\ell = k + 1$ and $\deg f = 1$.

      E.g. $A(a) = \begin{pmatrix} 1 \\ a \end{pmatrix}$, $\quad A(a_1, a_2) = \begin{pmatrix} a_1 & 0 \\ 0 & a_2 \\ 1 & 1 \end{pmatrix}$

  12. Matrix Decision Diffie-Hellman (MDDH) Problems

      Definition ($\mathcal{D}^{A}_{\ell,k}$-MDDH Problem [EHKRV13]). Tell apart the two probability distributions

      $$D_{\text{real}} = (G, q, g, [A(t)], [A(t)w]), \quad t \leftarrow \mathbb{Z}_q^{d},\ w \leftarrow \mathbb{Z}_q^{k}$$

      $$D_{\text{random}} = (G, q, g, [A(t)], [z]), \quad t \leftarrow \mathbb{Z}_q^{d},\ z \leftarrow \mathbb{Z}_q^{\ell}$$

      The $\mathcal{D}^{A}_{\ell,k}$-MDDH Assumption states that the above problem is hard, w.r.t. an instance generator $(q, G, g) \leftarrow \mathcal{I}$.

      Generic hardness depends on the degree and irreducibility of the determinant polynomial $d(t, z) = \det(A(t) \,\|\, z)$.

  13. Known Instances

      $$A_{k\text{-Unif}} = \begin{pmatrix} t_{1,1} & \cdots & t_{1,k} \\ \vdots & \ddots & \vdots \\ t_{k+1,1} & \cdots & t_{k+1,k} \end{pmatrix} \qquad A_{k\text{-Lin}} = \begin{pmatrix} t_1 & 0 & \cdots & 0 \\ 0 & t_2 & \ddots & \vdots \\ \vdots & \ddots & \ddots & 0 \\ 0 & \cdots & 0 & t_k \\ 1 & 1 & \cdots & 1 \end{pmatrix}$$

      $$A_{k\text{-Casc}} = \begin{pmatrix} t_1 & 0 & \cdots & 0 \\ 1 & t_2 & \ddots & \vdots \\ 0 & 1 & \ddots & 0 \\ \vdots & \ddots & \ddots & t_k \\ 0 & \cdots & 0 & 1 \end{pmatrix} \qquad A_{k\text{-SCasc}} = \begin{pmatrix} t & 0 & \cdots & 0 \\ 1 & t & \ddots & \vdots \\ 0 & 1 & \ddots & 0 \\ \vdots & \ddots & \ddots & t \\ 0 & \cdots & 0 & 1 \end{pmatrix}$$

  14. Applications

      Some known applications:

      - Public key encryption
      - Hash Proof systems
      - Pseudorandom functions
      - Non-interactive Zero-Knowledge proofs (Groth-Sahai)
      - Efficient Proofs for CRS-Dependent Languages

      Key idea: Most constructions based on DDH or 2-Lin are actually valid for any MDDH problem.

      We can obtain:

      - more compact instances
      - more secure instances (secure even when an efficient multilinear map is available)

  18. Flexible Computational Matrix Problems

      Decision problems: natural model for indistinguishability adversarial capabilities (IND-CPA, pseudorandomness, ...).

      (Flexible) computational problems: capture forgery adversarial capabilities. E.g. breaking

      - unforgeability of a digital signature
      - soundness of a ZK argument
      - binding property of a commitment
      - ...

      We unify some existing flexible computational problems in the literature in a single framework.

  19. The Kernel Matrix Diffie-Hellman Assumption

      For an $(r, \ell)$-collection of vector subspaces of dimension $r$, $\mathcal{S} = \{S_i\}_{i \in \mathcal{I}}$, of the vector space $\mathbb{Z}_q^{\ell}$, where $0 < r < \ell$.

      Definition (Subspace Sampling Problem). Given $G$, $g$ and $[S]$, find $[x]$ where $x$ is a nonzero vector in $S$.

      Typically $S = \ker A^{\top}$, where $A \in \mathbb{Z}_q^{\ell \times k}$, $\operatorname{rank} A = k$ and $r = \ell - k$.
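
An added illustration, not part of the slides, that ties slides 5 to 19 together for the 2-Lin matrix: working directly on exponents in $\mathbb{Z}_q$, it builds a real and a random challenge vector and computes a nonzero vector of $\ker A^{\top}$ from the signed maximal minors of $A$ (the case $\ell = k + 1$). The toy prime `Q = 101` and all function names are assumptions of this example; in the actual problems only the encodings $[A]$ and $[z]$ are given, never the exponents.

```python
import random

Q = 101  # toy prime chosen for this example; real groups use a ~256-bit q

def two_lin(a1, a2):
    """2-Lin matrix A(a1, a2) from the slides: (k+1) x k with k = 2."""
    return [[a1, 0], [0, a2], [1, 1]]

def mat_vec(A, w, q=Q):
    """Exponent-level A*w mod q (what [A(t) w] encodes in D_real)."""
    return [sum(a * x for a, x in zip(row, w)) % q for row in A]

def det(M, q=Q):
    """Determinant mod q by Laplace expansion; fine for tiny matrices."""
    if len(M) == 1:
        return M[0][0] % q
    total = 0
    for j, c in enumerate(M[0]):
        minor = [row[:j] + row[j + 1:] for row in M[1:]]
        total += (-1) ** j * c * det(minor, q)
    return total % q

def kernel_vector(A, q=Q):
    """x with x^T A = 0 for a (k+1) x k matrix: its signed maximal minors."""
    return [(-1) ** i * det(A[:i] + A[i + 1:], q) % q for i in range(len(A))]

def in_span(A, z, q=Q):
    """For l = k+1 and rank A = k: z in Span A iff x^T z = +/- det(A || z) = 0."""
    x = kernel_vector(A, q)
    return sum(xi * zi for xi, zi in zip(x, z)) % q == 0

if __name__ == "__main__":
    a1, a2 = random.randrange(1, Q), random.randrange(1, Q)  # nonzero => rank 2
    A = two_lin(a1, a2)
    w = [random.randrange(Q), random.randrange(Q)]
    z_real = mat_vec(A, w)                            # as in D_real
    z_rand = [random.randrange(Q) for _ in range(3)]  # as in D_random
    print("kernel vector of A^T:", kernel_vector(A))
    print("real in span:", in_span(A, z_real), "| random in span:", in_span(A, z_rand))
```

The inner product $x^{\top} z$ equals, up to sign, the determinant polynomial $\det(A \,\|\, z)$ from the MDDH slide, which is why a kernel vector of $A^{\top}$ separates the two distributions at the exponent level.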
