Multilinear maps via secret ring
Chunsheng Gu
School of Computer Engineering, Jiangsu University of Technology, China {chunsheng_gu}@163.com
Abstract. Garg, Gentry and Halevi (GGH13) described the first candi-date multilinear maps using ideal lattices. However, Hu and Jia recently presented an efficient attack on the GGH13 map, which breaks the mul-tipartite key exchange (MPKE) and witness encryption (WE) based on GGH13. In this work, we describe a new variant of GGH13 using secret ring, which preserves the origin functionality of GGH13. The security of our variant depends upon the following new hardness problem. Given the determinant of the circular matrix of some element in a secret ring, the problem is to find this secret ring and reconstruct this element.
Keywords: Multilinear maps, ideal lattices, multipartite key exchange, witness encryption, zeroizing attack
1
Introduction
Garg, Gentry, and Halevi (GGH13) described the first candidate construction of multilinear maps from ideal lattices [16]. Following the framework of GGH13, Coron, Lepoint, and Tibouchi (CLT13) presented another candidate over the integers using Chinese remainder theorem [11]. Gentry, Gorbunov and Halevi (GGH15) [19] constructed a graph-induced multilinear maps from lattices. To improve efficiency, Langlois, Stehl´e, and Steinfeld [34] also proposed a variant GGHLite of GGH13.
While cryptographic multilinear maps have found extensive applications, in-cluding witness encryption [23], general program obfuscation [18,38], function encryption [18], and other applications [3,17,5,18], all known constructions of multilinear maps exist security problems [7,21,28,2,1,9,10].
On the other hand, Gu (Gu map-1) [24] constructed a new multilinear map without encodings of zero, which is a variant of GGH13. Since no encodings of zero are given in the public parameters, MPKE based on Gu map-1 [30] suc-cessfully avoids the attack in [28]. However, Gu map-1 cannot be used for the instance of witness encryption based on the hardness of 3-exact cover problem [29]. This is because there is no randomizer in Gu map-1. But the instance of WE based on the hardness of 3-exact cover problem is a strong application of multilinear map. To support witness encryption, Gu (Gu map-2) [25] also sug-gested another variant of GGH13 with encodings of zero by introducing random matrices.
For the CLT13 map, Cheon, Han, Lee, Ryu, and Stehl´e [7] broke CLT13 using zeroizing attack introduced by Garg, Gentry, and Halevi. To fix the CLT13 scheme, Garg, Gentry, Halevi and Zhandry [20], and Boneh, Wu and Zimmerman [4] suggested two candidate fixes of multilinear maps over the integers. However, Coron, Lepoint, and Tibouchi showed that two candidate fixes of CLT13 can also be defeated using extensions of the Cheon et al.’s Attack [7]. By modifying zero-testing parameter, Coron, Lepoint and Tibouchi [13] proposed a new variant of CLT13. Unfortunately, this new version CLT15 is also broken by Cheon, Lee, and Ryu [10], and Minaud and Fouque [35].
For the GGH15 map, Coron et al [9] recently [9] described an efficient attack of GGH15 by extending the Cheon et al.’s attack [7], which breaks the GGH15-based MPKE by generating an equivalent user private key.
Although Gu map-2 has included encodings of zero, it uses the public ring R = Z[x]/hxn + 1i. In fact, all computations in Gu map-2 are operated over
Zq, and no longer useR. In particular, The disclosure of this ringR may have
security weaknesses. In this work, we will focus on the GGH13 variant based on secret rings.
Concurrently, Halevi [27] have observed that this kind of secret ring may improve the security of the scheme. However, Halevi wrote in [27] “It is not clear if there are very many different rings that have such ‘nice geometry’, and in particular it is not clear if hiding the ring is really possible.” Note that ‘nice geometry’ means to be able to encode arbitrary cosets as small matrices.
Therefore, it can be said that this paper continues the work of [25] and [27]. On one hand, we describe a new variant of the scheme in [25] by using secret rings. On the other hand, we also partially answer the problems presented by Halevi in [27].
1.1 Our results
The GGH13 map.The GGH13 map works in a polynomial ringR=Z[x]/hxn+ 1i, wheren is a positive integer. A random large integerq, a secret short ring element g ∈ R , and a secret random invertible element z ∈ Rq = R/qR are
chosen during generating the public parameters of the GGH13 construction. A plaintext elementeinR/gRis encoded at level-kas [c/zk]q , wherec is a small
element in the coseteI =e+rgfor somer∈R. Encodings at the same level can
is not reduced moduloq. Similarly, encodings at levelsi, jcan be multiplied so long as the numerator of the product of the encodings is not reduced moduloq. A zero-testing parameterpzt= [hzκ/g]q is presented to test for zero at a level-κ
encoding. Given a level-κencodingu= [c/zκ]q , one computesv= [u· pzt]q and
checks if the norm ofv is smaller thanqto determine whether uis zero or not.
Our construction.The basic idea of our construction is to use some secret ringR=Z[x]/hfiwith monic irreducible polynomialf, and transform GGH13 over R into its matrix version. Concretely speaking, our construction works in a polynomial ring R = Z[x]/hfi, where f = xn+ X
n/2
i=0fix
i such that |f i|
are small integers. Similar to GGH13, we can generate the public parameter as follows:
First, we generate the level-1 encodings yi = [aigz+ei]q of some non-zero
elementsei∈R and transform them into its matrix formYi= [TRot(yi)T−1]q
overZn×n
q , whereT∈Zqn×n, and Rot(yi) is a matrix whosej-th column is the
vector of the coefficients ofxj−1yi modf.
Then, we generate the zero-testing parameters corresponding toyiin matrix
formPzt,i = [TRot( zκ(b
ig+ei)
g )S]q, where T,S∈Z n×n q .
Next, we generate a list of level-1 encodingsxi= [cizg]q of “0” and transform
them into its matrix formXi = [TRot(xi)T−1]q overZnq×n.
Finally, we sample another two matricsT1←DZk1×n,σ,S1←D
Zn×k2,σ with
k1, k2∈[n], and setT∗=T1T−1,S∗=S−1S1.
It is not difficult to verify that this construction supports addition and mul-tiplication operations of encodings as long as encodings in the operation satisfies the level constraints corresponding to operations. Moreover, given a level-κ en-coding U, we can compute V = [T∗UPztS∗]q and checks if the norm of V is
smaller than q to determine ifU encodes zero, where Pzt =
X
idiPzt,i with
di∈Z. Therefore, we have obtained a new variant of GGH13.
To improve the efficiency of our scheme, we can replaceZ in R with Rθ =
Z[θ]/hθλ+ 1i, and setλas the security parameter. In this case, we can take a constant nand a monic irreducible polynomialf with coefficientsfi ∈Rθ such
that kfik ≤O(λ).
Furthermore, our construction supports all applications using GGH13 as pub-lic tools of encoding since it includes encodings of zero in the pubpub-lic parameters. As a consequence, our scheme can adaptively support the GGH13-based MPKE and WE that have been broken by Hu and Jia in [28].
1.2 Organization
2
Preliminarie
2.1 Notations
We denote Z,Q,R the ring of integers, the field of rational numbers, and the field of real numbers. We take n as a positive integer, and let [n] be the set
{1,2, ..., n}. We use the absolute minimum residual system of moduloq, namely [a]q ∈ (−q/2, q/2]. We denote vectors by lowercase bold letters, and matrices
by uppercase bold letters, such asa,A. We write Ias the identity matrix. We denote byajthej-th element ofa, andAi,jthe element of thei-th row andj-th
colomn ofA. Notationkak(resp.kak∞) denotes the Euclidean norm (resp. the
infinity norm) of a.
2.2 Algebra
We denote by Z[x] and Q[x] the sets of polynomials with integer and rational coefficients respectively. A polynomial is monic if the coefficient of its highest degree is one. A polynomial is irreducible if it cannot be represented as a product of lower degree polynomials. Let f ∈ Z[x] be a monic irreducible polynomial with degree n. Let R be the polynomial ring Z[x]/hfi, and Rq = R/qR. For
a∈Rq, [a]q denotes each coefficient [ai]q ∈(−q/2, q/2] of a. For simplicity, we
identify degree-(n−1) polynomials with the correspondingn-dimensional vectors whose coordinates are corresponding to the coefficients of the polynomial. For example, we define thep-normkakpof a polynomiala∈Z[x] as the norm of the corresponding vector. When there is no ambiguity, we sometimes abuse a∈R and its corresponding vectora.
In this paper, we need some definitions and lemma introduced by Lyuba-shevsky and Micciancio [33].
Lemma 2.1 (Lemma 3.2, [33]). Every idealI of Z[x]/hfi, where f is a monic, irreducible polynomial of degreen, is isomorphic to a full-rank lattice in Zn.
We first recall the definition of the expansion factor of polynomials [33].
Definition 2.2.Letf ∈Z[x] be a monic irreducible polynomial of degreen. The expansion factor off is defined as
φf = max
a∈Z[x],deg(a)≤2(deg(f)−1)
ka modfk∞
kak∞
.
Lemma 2.3 (Theorem 3.5, [33]).Given a monic polynomialf ∈Z[x]: (1) Iff =xn+
n/2 P
i=0
fixi, thenφf ≤(k2fk1)3.
(2) Iff =xn+nP−1
i=0
2.3 Lattices
An n-dimensional full-rank lattice L⊂ Rn is the set of all integer linear
com-binations Xn
i=1xibi ofn linearly independent vectors bi ∈R
n. If we arrange
the vectorsbi as the columns of matrixB∈Rn×n , thenL={Bx:x∈Zn} . We say that B spansL ifB is a basis for L. Given a basis B of L, we define P(B) ={Bx|x∈Rn andxi∈[−1/2,1/2)}as the parallelization corresponding
toB. Let det(B) denote the determinant ofB.
Giveng∈R, letI=hgibe the principal ideal inRgenerated byg. We denote theZ-basis ofI byRot(g) = (g modf, xg modf, ..., xn−1g modf). Namely, thei-th column ofRot(g) is the vector of the coefficients ofxi−1g modf.
Given c ∈ Rn , σ > 0, the Gaussian distribution of a lattice L is defined
as DL,σ,c =ρσ,c(x)/ρσ,c(L) for x ∈L , where ρσ,c(x) = exp(−πkx−ck2/σ2), ρσ,c(L) =
X
x∈Lρσ,c(x). As shorthand, we will write DL,σ instead of DL,σ,0.
We denote a Gaussian sample asx←DL,σ (ord←DI,σ) over the latticeL(or
I).
Definition 2.4 (Smoothing parameter [36]).For ann-dimensional
lat-tice L, and positive real >0, the smoothing parameterη(L) is defined to be
the smallestssuch thatρ1/s(L∗\{0})≤.
Lemma 2.5 (Lemma 3.3 [36]). For any n-dimensional lattice L and a
negligible function(n),η(L)≤
p
ω(logn)·λn(L), whereω(logn) is any
super-logarithmic function.
Lemma 2.6 (Lemma 4.4 [36]). For any n-dimensional lattice L, vector
c∈Rn, and reals 0< <1,s≥η(L), we have
Pr x←DL,s,c
{kx−ck> s√n} ≤ 1 +
1−·2
−n.
2.4 Multilinear Maps
Definition 2.7 (Multilinear Map [3]).Forκ+ 1 cyclic groupsG1, ..., Gκ, GT
of the same orderq, aκ-multilinear mape:G1×...×Gκ→GT has the following
properties:
(1) Elements{gj∈Gj}j=1,...,κ, indexj∈[κ] , and integera∈Zq hold that
e(g1, ..., a·gj, ..., gκ) =a·e(g1, ..., gκ)
(2) Mapeis non-degenerate in the following sense: if elements{gj∈Gj}j=1,...,κ
are generators of their respective groups, thene(g1, ..., gκ) is a generator ofGT .
Definition 2.8 (κ-Graded Encoding System [16]).Aκ-graded encoding system over R is a set system of S = {S(ja) ∈ R : a ∈ R, j ∈ [κ]} with the following properties:
(1) For every indexj∈[κ], the setsS ={Sj(a)∈R:a∈R} are disjoint. (2) Binary operations‘+’ and‘−’ exist, such that every a1, a2, every index j ∈[κ], and everyu1 ∈S(a1)
j andu2∈S
(a2)
j hold that u1+u2∈S
(a1+a2)
u1−u2∈S (a1−a2)
j , wherea1+a2anda1−a2are the addition and subtraction operations inR respectively.
(3) Binary operation ‘×’ exists, such that everya1, a2, every indexj1, j2∈[κ] withj1+j2≤κ, and everyu1∈S
(a1)
j1 andu2∈S
(a2)
j2 hold thatu1×u2∈S
(a1×a2)
j1+j2 ,
where a1×a2 is the multiplication operation in R and j1+j2 is the integer addition.
3
Multilinear map via secret ring
Setting the parameters. Letλbe the security parameter,κthe multilinearity level, nthe dimension of elements ofR. Concrete parameters are set asσ=λ, α =λ2, n =λ2, τ = 2n, β = √q, q ≥212κ+1λ64κ+124, k1, k2 ∈[n] such that k1k2< n.
3.1 Construction
Instance generationPar←InstGen(1λ,1κ):
(1) Choose a primeq≥216κλnO(κ).
(2) Choose a monic irreducible polynomialf(x)∈Z[x] such that f =xn+
Xn/2
i=0fix
i with|f
i|< σ. LetR=Z[x]/hfi, Rq =R/qR, andK=Q[x]/hfi. (3) Sampleg←DR,σ so thatg is a prime element inRandkg−1k ≤n, and
a random elementz←Rq so thatz−1∈Rq.
(4) SampleT,S∈Znq×n so thatT
−1
,S−1∈Znq×n.
(5) Sample T1 ← DZk1×n,σ, S1 ← DZn×k2,σ, and set T∗ = T1T−1, S∗ = S−1S1.
(6) Fori∈[τ],
(6.1) sample elementsai, ei, ci←DR,α, bi←DR,β;
(6.2) setYi = [TRot(aigz+ei)T−1]q,Xi= [TRot(czig)T−1]q;
(6.3) setPzt,i = [TRot(z
κ(b ig+ei)
g )S]q.
(7) Output the public parameters Par ={q,{Yi,Xi,Pzt,i}i∈[τ],T∗,S∗}.
Generating level-t encoding U←Enc(Par, t,d,r): Givend←DZτ,α andr←DZτ,α, generate a level-tencoding
U=h Xτ
i=1di·(Yi)
t+ Xτ
i=1ri·(Xi)
ti q
.
Adding encodings U←Add(Par, t,Ui,· · · ,Uk):
Givenklevel-tencodingsUi, i∈[k], their sumU=
h Xk i=1Ui
i
q
is a level-t encoding.
Multiplying encodings U←Mul(Par,1,U1,· · ·,Uk):
Given k level-1 encodings Ui, i ∈ [k], their product U =
h Yk i=1Ui
i
q
is a
level-kencoding.
Given a level-κencodingU=hTRot(rgz+κe)T
−1i
q
and a vectord←DZτ,α,
(1) we computePzt=
Xτ
i=1diPzt,i,V= h
T∗·U·Pzt·S∗
i
q;
(2) we check whetherkVkis short. That is,
IsZero(Par,U,d) = (
1, ifkVk< q3/4; 0, otherwise.
Extractionsk←Ext(Par,U,d):
Given a level-κencodingUand a vectord←DZτ,α,
(1) we computePzt=
Xτ
i=1diPzt,i,V= h
T∗·U·Pzt·S∗
i
q
;
(2) we collect (logq)/4−λmost-significant bits of each element of thek1×k2 -matrixV. That is,
Ext(Par,U,d) = MSB(V).
Remark 3.1.(1) Note that the above construction is similar to that in [25]. The main difference is that this scheme uses some secret ring R = Z[x]/hfi, whereas the scheme in [25] uses the public ring R=Z[x]/hxn+ 1i. As a result,
this difference can lead to significant differences in their security. Concrete details are analyzed later. (2) It is easy to transform the above symmetric construction into an asymmetric variant by using different elementszj and random matrices
Tj.
3.2 Correctness
To prove the correctness, we first describe two simple lemmas.
Lemma 3.2.Ifa, b∈R, thenRot(a)Rot(b) =Rot(ab modf).
Proof.We only need to show that the first column of Rot(a)Rot(b) is equal to the vector corresponding to the polynomialab modf.
It is easy to verify that the first column ofRot(a)Rot(b) is corresponding to Xn−1
i=0 bi·(ax
i modf) = (a· Xn−1
i=0 bix
i) mod f =ab modf.
Lemma 3.3.Ifa, b∈Rq, then [Rot(a)Rot(b)]q= [Rot(ab modf)]q.
Proof.The proof is completely similar to that of Lemma 3.2.
Lemma 3.4.The algorithm InstGen(1λ,1κ) runs in PPT.
Proof.A prime elementg∈Rcan be generated in PPT according to Landau’s prime number theorem (Theorem 5.17, [15]). It is easy to verify that all other operations can run in PPT.
Proof. By Yti = hT Rot(aig+ei
z ) tT−1i
q
and Xti = hT Rot(cig
z ) tT−1i
q
, we
have
U=h Xτ
i=1di·Y
t i+
Xτ
i=1ri·X
t i
i
q
=hTRot
Xτ
i=1dia
0
ig+
Xτ
i=1ric
0
ig+
Xτ
i=1die
t i
zt
T−1i
q
=hTRot ag+e zt
T−1i
q
where a0i = ((aig+ei)t−eti)/g, c
0
i = (cig)t/g, a=
Xτ
i=1di·a
0
i+
Xτ
i=1ric
0
i,
ande= Xτ
i=1di·e
t i.
Lemma 3.6. U= Add(Par, t,Ui,· · ·,Uk) is a level-tencoding.
Proof. Given level-t encodingsUi, i∈[k]. LetUi =
h
TRot r
0 ig+e
0 i
zt
T−1i
q.
Then
U=h Xk
i=1Ui i
q=
h
TRot rg+e
zt
T−1i
q,
wherer= Xk
i=1r
0
i ande=
Xk
i=1e
0
i.
Lemma 3.7. U←Mul(Par,1,U1,· · ·,Uk) is a level-k encoding.
Proof.Given level-1 encodings Ui, i∈[k], let Ui =
h
TRot r
0 ig+e
0 i
z
T−1)i
q
.
Then, by Lemma 3.3 we have
U=hTRot rg+e
zk
T−1i
q
,
wheree= Yk
i=1e
0
i,r= (
Yk
i=1(r
0
ig+e
0
i)−e)/g.
Lemma 3.8.IsZero(Par,U,d) correctly determines whetherU is a level-κ encoding of zero or not.
Proof.By Lemma 2.3 andf =xn+Xn/2
i=0fix
i, we have
φf =k2fk31= (nσ) 3=λ9. GivenPzt,i=
TRot(zκ(big+ei)
g )S
q andd←DZτ,α, we have
Pzt=
Xτ
i=1diPzt,i = h
TRot z
κ(hg+c)
g
Si
q,
whereh= Xτ
i=1dibi, andc= Xτ
i=1diei.
Bybi ←DR,β,ei←DR,α, and d←DZτ,α, we obtain
khk=kXτ
i=1dibik ≤τ|di|kbik ≤2n
2αβ≤2λ7√q,
kck=kXτ
i=1dieik ≤τ|di|keik ≤2n
2α2≤2λ8,
khg+ck ≤2φfkhkkgk ≤λ9·2λ7
√
Without loss of generality, we let U = h Yκ
j=1Uj i
q
since U is a level-κ encoding.
According toUj = Enc(Par,1,dj,rj), we have
Uj=
h Xτ
i=1dj,i·Yi+ Xτ
i=1rj,i·Xi i
q
=hTRot a(j)g+e(j) z
T−1i
q
,
wherea(j)= Xτ
i=1dj,iai+ Xτ
i=1rj,ici,e(j)= Xτ
i=1dj,iei. Similarly, byai, ei, ci←DR,α, anddj←DZτ,α, we have
ka(j)k=k Xτ
i=1dj,iai+ Xτ
i=1rj,icik ≤2τ|dj,i|kaik ≤4n 2α2.
ke(j)k=k Xτ
i=1dj,ieik ≤τ|dj,i|keik ≤2n 2α2.
So, we get
kYκ
j=1 a(j)g+e(j)
k ≤φκf−1Yκ
j=1k a(j)g+e(j)
k
≤φκf−1 max
j∈[κ]
2ka(j)kkgkφf
κ
k
≤φκf−1 2·4n2α2·√nσ·φf
κ
≤φ2fκ−1 8n2.5α2σκ
≤8κλ16κ−4.
We now analyze the encodingU encodes 0 or non-zero, respectively. For simplicity, we let
U=hTRot ag+e
zκ
T−1i
q
,
wheree= Yκ
j=1e(j), and a= Yκ
j=1 a(j)g+e(j)
−e. IfUis a level-κencoding of zero (i.e.e= 0), then,
V=hT∗·U·Pzt·S∗
i
q
=hT∗·TRot(ag zκ)T
−1
·TRot z
κ(hg+c)
g
S·S∗i
q
=hT1Rot a(hg+c)
S1 i
q
SincekT1k=kS1k ≤n
√
nσ≤λ4, we obtain
kT1Rot a(hg+c)
S1k ≤ kT1k · kRot a(hg+c)
k · kS1k
≤λ8· ka(hg+c)k ≤λ8· kak · khg+ck ·φf
Thus,Vis not reduced moduloq. That is, [V]q=V.
IfUis a level-κencoding of non-zero, i.e.e6= 0 modg. Thus,
V=hT∗·U·Pzt·S∗
i
q
=hT1Rot( ag+e
zκ )Rot
zκ(hg+c)
g
S1 i
q
=hT1Rot (ag+e)(hg+c) g
S1 i
q
=hT1Rot a(hg+c)
S1+T1Rot
e(hg+c) g
S1 i
q
By Lemma 4 in [16], we have
kT1Rot e(hg+c) g
S1k ≈q.
Again usingkT1Rot a(hg+c)
S1k ≤q3/4, we havekVk ≈q.
Lemma 3.9Suppose that two level-κencodingsU1,U2 encode same plain-text, then
Ext(Par,U1,d) = Ext(Par,U2,d).
Proof.Assume thatUi=
h
TRot(uig+e
zκ )T
−1i
q,i∈[2]. So, we have
Vi=
h
T∗·Ui·Pzt·S∗
i
q
=hT1Rot(uig+e zκ )Rot
zκ(hg+c)
g
S1 i
q
=hT1Rot
(uig+e)(hg+c)
g
S1 i
q
=hT1Rot ui(hg+c)S1+T1Rot
e(hg+c) g
S1 i
q
For our parameters setting, kT1Rot ui(hg+c)
S1k ≤ q3/4. When e 6= 0 modg, by Lemma 4 in [16], we have
kT1Rot e(hg+c) g
S1k ≈q.
Thus, Ext(Par,U1,d) = Ext(Par,U2,d) with overwhelming probability.
3.3 Variant
To improve the efficiency of our construction, we use polynomial ring instead of integer ring. Concretely speaking, we letRθ=Z[θ]/hθλ+ 1i, and R=Rθ[x]/f,
Rq =R/qR. In this case, we can setnas a constant andf =xn+ n−1
P
i=0
fixi with
coefficientsfi∈Rθsuch that kfik ≤O(λ).
4
Security
4.1 Hardness assumption
Consider the following security experiment: (1) Par←InstGen(1λ,1κ)
(2) Forj = 0 toκ:
Sample dj ←DZτ,α,rj ←DZτ,α;
Generate level-1 encoding Uj=
h Xτ
i=1dj,iYi+ Xτ
j=1rj,iXi i
q
.
(3) SetU=h Yk
j=1Uj i
q andPzt=
Xτ
i=1d0,iPzt,i. (4) SetVc =Vd=
h
T∗·U·Pzt·S∗
i
q.
(5) Samples←DZτ,α, and setPzt,r=
Xτ
i=1siPzt,i. (6) SetVr=
h
T∗·U·Pzt,r·S∗
i
q
.
Definition 4.1.(ext-GCDH/ext-GDDH). According to the security experi-ment, the ext-GCDH and ext-GDDH are defined as follows:
Level-κ extraction CDH (ext-GCDH): Given {Par,U0,· · ·,Uκ},
out-put a level-κextraction encodingW∈Zk1×k2
q such that
[Vc−W]q
≤q3/4.
Level-κ extraction DDH (ext-GDDH): Given {Par,U0,· · ·,Uκ,V},
distinguish between
Dext−GDDH ={Par,U0,· · ·,Uκ,Vd},
Dext−RAN D={Par,U0,· · ·,Uκ,Vr}.
4.2 Cryptanalysis
In this section, we first generate easily computable quantities in our construction, then analyze possible attacks using these quantities.
4.2.1 Easily computable quantities.
SinceT,S∈Znq×n, we must compute V=
T∗·U·Pzt·S∗q to eliminate
T,S, where Uis a level-κencoding,Pzt=
Xτ
i=1diPzt,i withd∈Z
τ.
For simplicity, we write
Pzt=
Xτ
i=1diPzt,i= h
TRot z
κ(hg+c)
g
Si
q
=hTRot z
κh
1 g
Si
q
,
Let integert >0,Ui,j,t=XtiY κ−t
j be a level-κencoding of zero. So, we have
Vi,j,t=
h
T∗·Ui,j,t·Pzt·S∗
i
q
=hT1·Rot(cig)t·Rot(yj)κ−t·Rot
h1 g
·S1 i
q
=hT1·Rot cti·gt−1·y κ−t j ·h1
·S1 i
q
=T1·Rot cti·g
t−1·yκ−t j ·h1
·S1,
whereyj=ajg+ej.
The final equality is to use the fact thatVi,j,t are not reduced moduloq.
4.2.2 Attacks on secret ring
Using different level-κencodingsUi,j,t, we can generate a list of Vi,j,tthat
are not reduced modulo q. Furthermore, we can keep some encoding in Ui,j,t
unchanged, and change other encodings to produce (n×n)-dimensional matrices in combination. In this way, we can compute the determinants ofRot(ci),Rot(g),
Rot(yj),Rot(h1) by applying GCD algorithm.
1. Attack of known ring
We choose cyclotomic rings as known rings. Letf = xn + 1 be the public polynomial that is used to generated the ring R, where n is power of 2. Let p = det(Rot(g)). Since p is a prime, GCD(f, g) = x−µ modp. Using the quantum algorithm [6], we may recover short generator ofhgi.
Without loss of generality, let Vi = T1Rot(ri)S1 be a list of (n×n )-dimensional matrices generated by the public parameters. Assume that we obtain riby the quantum algorithm [6], then we can computeV1V−21=T1Rot(r1/r2)T−11. Since we have obtained r1/r2, we can compute T1 and S1. As a consequence, we can further find other secret parameters in our construction. Therefore, there may be security weaknesses in the constructions on public rings.
Note that in fact, the quantum algorithm in [6] can only recover short gen-erator of ri, cannot guarantee this short generator must be ri. In this case, the
above attack may not be successful.
2. Attack of secret ring
If we keepf secret and choose f =xn+ Xn/2
i=0fix
i with|f
i|< σ, as far as
we know, our construction did not find security weaknesses.
According to Landau’s prime number theorem (Theorem 5.17, [15]), the num-ber of the irreducible polynomialsf that satisfy constraints is exponential inn. For any irreducible polynomialf =xn+Xn/2
i=0fix
i∈
3. Lattice reduction attack
GivenVi=T1Rot(ri)S1, we can findT1,S1by lattice reduction algorithms [14,32], and further obtainRot(ri) andf. However, whenn is large enough, all
known lattice reduction algorithms run in exponential time inλ.
4.2.3 Hu-Jia Attack.
In this section, we show that the Hu-Jia attack [28] does not work for our construction.
1. Hu-Jia Attack
Hu-Jia attack includes three steps. That is, Step 1 generates an equivalent level-0 encoding for a level-1 encoding; Step 2 computes an equivalent level-0 encoding for the product of several level-0 encodings; Step 3 obtains the shared secret key of an equivalent product level-0 encoding by the modified encod-ing/decoding. The concrete details are as follows:
Step 1: Generate an equivalent level-0 encoding for a level-1 encoding (1) Let par be the public parameters of the GGH13 map, i.e.
par =
q, y=1 +ag z
q, x1=
c1g z
q, x2=
c2g z
q, pzt=
hz
κ
g
q .
We generate special decodings{y(1), x(i), i= 1,2}, where
y(1) =
pztyκ−1x1q =h(1 +ag)κ−1c1,
x(i)=
pztyκ−2xix1
q =h(1 +ag) κ−2(c
ig)c1, i= 1,2,
wherey(1),x(i) are not reduced moduloq. (2) Given a level-1 encodingu, we haveu=
dy+r1x1+r2x2
q, wheredis
secret level-0 encoding, andr1, r2 random noise elements. Compute special decoding
v=
pztuyκ−2x1q =dy(1)+r1x(1)+r2x(2).
Sincevis not reduced moduloq, we compute
v mody(1)=r1x(1) mody(1)+r2x(2) mody(1).
(3) Given v mody(1) and {x(1) mody(1), x(2) mod y(1)}, we get v0 = v mody(1)∈ hx(1), x(2)isuch that (v−v0) mody(1)= 0. Letv0=r01x(1)+r20x(2). (4) Compute d(0) = (v −v0)/y(1) over K = R[X]/hxn+ 1i such that the quotientd(0)∈R. By arranging, we obtain
d(0)= v−v0
y(1) =d+
Again sincegand 1 +rgare co-prime, we getd−d(0)∈ hgi. Thus,d(0)is an equivalent level-0 encoding of d. Althoughkd(0)k is not small, Hu and Jia [28] controlled the size of d(0) by usingx(i)∈ hgi.
Step 2: Compute an equivalent product of several level-0 encodings Letd(k) be the level-0 encoding included by level-1 encodinguk,d(k,0) an e-quivalent encoding ofd(k). Then
Yκ+1
k=1d(k,0)is an equivalent secret of Yκ+1
k=1d(k) such that Yκ+1
k=1d(k,0)− Yκ+1
k=1d(k)∈ hgi.
Step 3: Find the shared secret key of an equivalent product level-0 encoding
Letη= Yκ+1
k=1d(k,0). We compute η
0=y
(1)η modx(1), andη00= [yx1η0]q.
2. Non-applicabiltiy of Hu-Jia Attack
(1) Let Par be the public parameters of our construction, i.e.
Par ={q,{Yi,Xi,Pzt,i}i∈[τ],T∗,S∗} For convenience, we letPzt=TRot z
κh
1
g
S
q,yi=aig+ei,xj=cjg.
Similarly, we generate special decodings S = {{Y(i)}i∈[τ],{X(j)}j∈[τ]} as follows:
Y(i)=
T∗·(Yκ1−2YiX1)·Pzt·S∗
q=T1Rot(y κ−2
1 yic1h1)S1,
X(j)=
T∗·(Yκ1−2XjX1)·Pzt·S∗
q =T1Rot(y κ−2
1 xjc1h1)S1,
whereY(i),X(j)are not reduced moduloq. (2) Given a level-1 encodingU= Xτ
i=1di·Yi+ Xτ
j=1rj·Xj
q, we compute
special decoding
V=
T∗·(UYκ1−2X1)·Pzt·S∗q =
Xτ
i=1di·Y(i)+ Xτ
j=1rj·X(j). SinceV is not reduced modulo q andV ∈Zk1×k2,V belongs to the space
spanned byk=k1×k2elements in S.
On the one hand, we cannot efficiently findkelements in S such that V= Xτ1
t=1dit·Y(it)+
Xk−τ1
t=1 rjt·X(jt), anddit,rjtare small integers. In fact, there sometimes does not existkelements in S satisfying to the condition thatdit,rjt
are small integers.
On the other hand, we cannot efficiently solve V = Xτ1
t=1dit ·Y(it)+
Xk−τ1
t=1 rjt ·X(jt) such that dit, rjt are small integers if we choose k = 2τ elements in S to guarantee that there are small integersdit, rjt.
The integersdit,rjt, are required to be small sinceVi=T1Rot(ri)S1cannot
be directly multiplied to derive the product of some equivalent secret keys as that in [28]. We need to use dit,rjt to generate the zero-testing parameterPzt
corresponding to the level-1 encodingU.
5
Applications
In this section, we describe two applications using our construction, the MPKE protocol and the instance of witness encryption.
5.1 MPKE protocol
The MPKE protocol consists of Setup, Publish, and KeyGen as follows:
Setup(1λ,1N):
Output Par←InstGen(1λ,1κ) as the public parameters.
Publish(Par, j):
Thej-th party samples dj ←DZτ,α, rj ←DZτ,α, publishes the public key
Uj =
h Xτ
i=1(dj,i·Yi) + Xτ
i=1(rj,i·Xi) i
q
and remainsdj as the secret key.
KenGen(Par, j,dj,{Uk}k6=j):
Thej-th party computes Cj =
Y
k6=jUk, Pzt =
Xτ
i=1dj,iPzt,i, and ex-tracts the common secret keyskj = Ext(Par,Cj,dj) = MSB [T∗·Cj·Pzt·S∗]q.
Theorem 5.1. Suppose the ext-GCDH/ext-GDDH defined in Section 4.1
is hard, then our construction is one round multipartite Diffie-Hellman key ex-change protocol.
5.2 Witness Encryption
5.2.1 Construction
Garg, Gentry, Sahai, and Waters [23] constructed an instance of witness encryption based on the NP-complete 3-exact cover problem and the GGH map. However, Hu and Jia [28] have broken the GGH-based WE. In this section, we present a new construction of WE based our new multilinear map.
3-Exact Cover Problem [22].Given a collection Set of subsetsT1, T2,· · ·, Tπ
of [K] = {1,2,· · · , K} such that K = 3ξ and |Ti|= 3, find a 3-exact cover of
[K]. For an instance of witness encryption, the public key is a collectionSetand the public parameters Par in our construction, the secret key is a hidden 3-exact cover of [K].
Encrypt(1λ,Par, M):
(1) For k ∈ [K], sample dk ← DZτ,α, rk ← DZτ,α and generate level-1
encodingsUk=
h Xτ
i=1 dk,iYi+rk,i·Xi i
q
.
(2) Compute U = h YK
k=1Uk i
q
and sk = Ext(Par,U,{1,0,· · · ,0}), and encrypt a messageM into ciphertextC.
(3) For each subset Tj ={j1, j2, j3}, sample rTj ← DZτ,α, and generate a
level-3 encodingUTj =
h
Uj1Uj2Uj3+
Xτ
i=1rTj,iX 3
i
i
q
.
(1) GivenC,E and a witness setW, computeU=h Y
Tj∈W UTj
i
q
.
(2) Generatesk = Ext(Par,U,{1,0,· · · ,0}), and decrypt C to a message M.
Similar to [23], the security of our construction depends on the hardness assumption of the Decision Graded Encoding No-Exact-Cover.
Theorem 5.2.Suppose that the Decision Graded Encoding No-Exact-Cover
is hard. Then our construction is a witness encryption scheme.
5.2.2 Hu-Jia Attacks.
(1) The Hu-Jia attack [28] is prevented in our new construction. One cannot obtain an equivalent secret key according to the analysis in 4.2.2. As a result, one cannot get an equivalent secret key using a combined 3-exact cover.
(2) The Hu-Jia attack [29] is thwarted in our new construction. Since Gu map-1 [24] uses hidden randomizers, in some sense one merely can generate a
deter-ministically level-3 encoding. As a result, one can computeUTt =
h
UTjUTk(UTl)
−1i
q
ifTt=Tj∪Tk−Tl. Thus, one can generate a combined 3-exact cover, and
cor-rectly compute a secret level-Kencoding. However, since UTj =
h
Uj1Uj2Uj3+
Xτ
i=1rTj,iX 3
i
i
q is a level-3 encoding in our new construction, one cannot
ob-tain UTt =
h
UTjUTk(UTl)
−1i
q when Tt = Tj ∪Tk−Tl. This is because our
construction contains the level-1 encodingsXi of zero.
6
Conclusions
In this paper, we describe a new variant of GGH13 via secret ring, which sup-ports all applications for public tools of encoding in GGH13, such MPKE and WE. However, the security of our construction depends upon new hardness as-sumption, which cannot be reduced to classical hardness problem, such as LWE or SVP.
Acknowledgments.This work was supported in part by the Natural Science
Foundation of China under Grant 61672270.
References
1. M. Albrecht, S. Bai, and L. Ducas. A subfield lattice attack on overstretched NTRU assumptions Cryptanalysis of some FHE and Graded Encoding Schemes. CRYPTO 2016, LNCS 9814, pp.153-178. http://eprint.iacr.org/2016/127.
3. D. Boneh and A. Silverberg. Applications of multilinear forms to cryptography. Contemporary Mathematics, 324:71-90, 2003.
4. D. Boneh, D. J. Wu, and J. Zimmerman. Immunizing multilinear maps against zeroizing attacks. http://eprint.iacr.org/2014/930.
5. D. Boneh and M. Zhandry. Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. CRYPTO 2014, LNCS 8616, pp. 480-499.
6. R. Cramer, L. Ducas, C. Peikert, and O. Regev. Recovering Short Generators of Principal Ideals in Cyclotomic Rings, EUROCRYPT 2016, LNCS 9666, pp. 559-585.
7. J. H. Cheon, K. Han, C. Lee, H. Ryu, D. Stehle. Cryptanalysis of the Multilinear Map over the Integers. http://eprint.iacr.org/2014/906.
8. J. H. Cheon, C. Lee. Cryptanalysis of the multilinear map on the ideal lattices. http://eprint.iacr.org/2015/461.
9. J. S. Coron, M. S. Lee, T. Lepoint, and M. Tibouchi. Cryptanalysis of GGH15 Multilinear Maps. CRYPTO 2016, LNCS 9815, pp. 607-628.
10. J. H. Cheon, C. Lee, H. Ryu. Cryptanalysis of the New CLT Multilinear Maps. http://eprint.iacr.org/2015/934.
11. J. S. Coron, T. Lepoint, and M. Tibouchi. Practical multilinear maps over the integers. CRYPTO 2013, LNCS 8042, pp. 476-493.
12. J. S. Coron, T. Lepoint, and M. Tibouchi. Cryptanalysis of two candidate fixes of multilinear maps over the integers. http://eprint.iacr.org/2014/975.
13. J. S. Coron, T. Lepoint, and M. Tibouchi. New Multilinear Maps over the Integers. http://eprint.iacr.org/2015/162.
14. Y. Chen and P. Q. Nguyen. BKZ 2.0 Better Lattice Security Estimates, ASI-ACRYPT 2011, LNCS 7073, pp. 1-20.
15. S. Garg. Candidate Multilinear Maps [PhD thesis]. University of California, Los Angeles, 2013.
16. S. Garg, C. Gentry, and S. Halevi. Candidate multilinear maps from ideal lattices. EUROCRYPT 2013, LNCS 7881, pp. 1-17.
17. S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, and B. Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. FOCS 2013, pp.40-49.
18. S. Garg, C. Gentry, S. Halevi, A. Sahai, and B. Waters. Attribute-based encryption for circuits from multilinear maps, CRYPTO (2) 2013, LNCS 8043, 479-499. 19. C. Gentry, S. Gorbunov, and S. Halevi. Graph-induced multilinear maps from
lattices. TCC 2015, Part II, LNCS 9015, pp. 498-527.
20. S. Garg, C. Gentry, S. Halevi, and M. Zhandry. Fully secure functional encryption without obfuscation. http://eprint.iacr.org/2014/666.
21. C. Gentry, S. Halevi, H. K. Majiy, A. Sahaiz. Zeroizing without zeroes: Cryptana-lyzing multilinear maps without encodings of zero. http://eprint.iacr.org/2014/929. 22. O. Goldreich. Computational Complexity: a Conceptual Perspective. Cambridge
University Press, New York, NY, USA, 1 edition, 2008.
23. S. Garg, C. Gentry, A. Sahai, and B. Waters. Witness encryption and its applica-tions. STOC 2013, pp. 467-476.
24. Chunsheng Gu. Multilinear Maps Using Ideal Lattices without Encodings of Zero. http://eprint.iacr.org/2015/023.
25. Chunsheng Gu. An Improved Multilinear Map and its Applications. International Journal of Information Technology and Web Engineering, 2015, 10(3), pp. 64-81. 26. S. Halevi. The state of cryptographic multilinear maps, 2015. Invited Talk of
27. S. Halevi. Graded Encoding, Variations on a Scheme, http://eprint.iacr.org/2015/866.
28. Yupu Hu and Huiwen Jia. Cryptanalysis of GGH Map. http://eprint.iacr.org/2015/301.
29. Yupu Hu and Huiwen Jia. A Comment on Gu Map-1. http://eprint.iacr.org/2015/448.
30. Yupu Hu and Huiwen Jia. An Optimization of Gu Map-1. http://eprint.iacr.org/2015/453.
31. J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: a ring based public key cryp-tosystem. ANTS 1998, LNCS 1423, pp. 267-288.
32. H.W. Lenstra, A.K. Lenstra and L. Lovasz. Factoring polynomials with rational coefficients. Mathematische Annalen, 1982, 261(4): 515-534.
33. V. Lyubashevsky, D. Micciancio. Generalized Compact Knapsacks Are Collision Resistant, ICALP 2006: Automata, Languages and Programming, LNCS 4052, pp. 144-155. The full version of this extended abstract appears in ECCC TR05-142. 34. A. Langlois, D. Stehl, and R. Steinfeld, GGHLite: More Efficient Multilinear Maps
from Ideal Lattices, EUROCRYPT 2014, LNCS 8441, 2014, pp. 239-256.
35. B. Minaud and P. Fouque. Cryptanalysis of the New Multilinear Map Over the integers, http://eprint.iacr.org/2015/941.
36. Micciancio D and Regev O. Worst-case to average-case reductions based on Gaus-sian measures. SIAM Journal on Computing, 2007, 37(1): 267-302
37. D. Stehl´e and R. Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices, EUROCRYPT 2011, LNCS 6632, pp. 27-47.
