Implementing Candidate Graded Encoding Schemes from Ideal Lattices
Martin R. Albrecht (1), Catalin Cocis (2), Fabien Laguillaumie (3) and Adeline Langlois (4)
1. Information Security Group, Royal Holloway, University of London
2. Technical University of Cluj-Napoca
3. UCBL Lyon 1 (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL)
4. EPFL, Lausanne, Switzerland and CNRS/IRISA, Rennes, France
December 3, 2015
Adeline Langlois Implementing GGH December 3, 2015 1/ 12
Cryptographic Multilinear Maps
A group of $N > 2$ parties wants to communicate privately via the cloud. $\mathbb{Z}_q = \mathbb{Z}/q\mathbb{Z}$ with $q$ prime, $g$ a public generator of $\mathbb{Z}_q^\times$.
Each party $i$ chooses $x_i \in \mathbb{Z}_q$ and publishes $y_i = g^{x_i}$:
- Party 1: choose $x_1 \in \mathbb{Z}_q$, publish $y_1 = g^{x_1}$
- Party 2: choose $x_2 \in \mathbb{Z}_q$, publish $y_2 = g^{x_2}$
- Party 3: choose $x_3 \in \mathbb{Z}_q$, publish $y_3 = g^{x_3}$
- ...
- Party $N$: choose $x_N \in \mathbb{Z}_q$, publish $y_N = g^{x_N}$
Secret key (using $e$, a "cryptographic multilinear map"):
$K = e(g, \ldots, g)^{x_1 \cdots x_N} = e(y_2, y_3, \ldots, y_N)^{x_1} = e(y_1, y_3, \ldots, y_N)^{x_2} = \cdots$
- Security: hardness of the Multilinear Decisional DH problem (MDDH). For $x_1, \ldots, x_N, x' \leftarrow U(\mathbb{Z}_q)$, distinguish between
$(g^{x_1}, \ldots, g^{x_N}, e(g, \ldots, g)^{x_1 \cdots x_N})$ and $(g^{x_1}, \ldots, g^{x_N}, e(g, \ldots, g)^{x'})$.
Construction?
For $N = 3$, use a bilinear map $e : G_1 \times G_2 \to G_T$ with generators $g_1 \in G_1$, $g_2 \in G_2$, $g_T \in G_T$.
- $e(\cdot, \cdot)$ is bilinear: $e(g_1^x, g_2^y) = e(g_1, g_2)^{xy}$,
- $e(\cdot, \cdot)$ is non-degenerate: $e(g_1, g_2)$ generates $G_T$,
- $e(\cdot, \cdot)$ is efficiently computable and DLOG is hard in all groups.
An ideal construction of a cryptographic multilinear map (extending this to $\kappa$ elements) does not exist.
Approximation: Graded Encoding Scheme
Think of
- $x$ as a "level-0" encoding of $x$,
- $g^x$ as a "level-1" encoding of $x$,
- $e(g, g)^{xy}$ as a "level-2" encoding of $xy$,
- $e(\cdot, \ldots, \cdot)$ as "multiplying" two elements at levels $i$ and $j$ to produce an element at level $i + j$,
- $g^x \cdot g^y$ as "adding" two elements at the same level.
Cryptographic Multilinear Maps – History
- 2000: 3-party key agreement using pairings [Joux00]
- 2003: $(\kappa + 1)$-party key agreement using $\kappa$-linear maps [BonehSilverberg 2003]
What happened in the last three years?
- 2012: First plausible realization [GargGentryHalevi 2013]
  - New applications: indistinguishability obfuscation (iO)
  - Attacked by [HuJia 2015]
- 2013: Variant over the integers [CoronLepointTibouchi 2013]
  - Attacked by [CheonHanLeeRyuStehlé 2014]
  - Fixed in [CoronLepointTibouchi 2015]
  - Fix fully broken [CheonLeeRyu 2015] [MinaudFouque 2015]
- 2014: Graph-induced multilinear maps [GentryGorbunovHalevi 2015]
  - Recently attacked by [Coron 2015]
GGH13 graded encoding scheme
- In a bilinear map ($g$ and $e$ public), anyone can "encode": given a secret $x$, compute $g^x$; given $g^{x_1}$, $g^{x_2}$ and a secret $x_3$, compute $e(g^{x_1}, g^{x_2})^{x_3}$.
- In graded encoding schemes there are two possible versions:
  - A "secret key" version: only the holder of the secret can encode. Application: indistinguishability obfuscation (iO).
  - A "public key" version: publish some public elements, then anyone can encode. Possible application: multi-party key exchange.
GGH: two versions - "secret key version"
$I = (g)$ is a prime ideal over $R = \mathbb{Z}[x]/(x^n + 1)$ with small $g$ (secret), $R_{\mathrm{Enc}} = R_q$ and $R_{\mathrm{Plain}} = R/(g)$; $\kappa$ is the degree of multilinearity.
- Plaintext: $e$, an element of $R/(g)$.
- Level-1 encoding: $[c/z]_q$ for $z \leftarrow U(R_q)$ (secret), where $c$ is a small coset representative of $e + (g)$.
- Level-$k$ encoding: $[c/z^k]_q$.
- Adding encodings (add): given $u_1 = [c_1/z^k]_q$ and $u_2 = [c_2/z^k]_q$, $u = [u_1 + u_2]_q = [(c_1 + c_2)/z^k]_q$ is a level-$k$ encoding of $[c_1 + c_2]_g$.
- Multiplying encodings (mult): given $u_1 = [c_1/z^{k_1}]_q$ and $u_2 = [c_2/z^{k_2}]_q$, $u = [u_1 \cdot u_2]_q = [(c_1 \cdot c_2)/z^{k_1 + k_2}]_q$ is a level-$(k_1 + k_2)$ encoding of $[c_1 \cdot c_2]_g$.
- Zero-testing (isZero): public parameter $p_{zt} = [h z^\kappa / g]_q$ with "small" $h$. Given $u = [c/z^\kappa]_q$, return 1 if $\|[p_{zt} \cdot u]_q\|_\infty \le q^{3/4}$.
  - $[p_{zt} \cdot u]_q = [(h z^\kappa / g) \cdot c / z^\kappa]_q = [h \cdot c / g]_q$, which is small only if $c \in (g)$.
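A toy model of the "secret key version" just described, added here as an example and not the authors' gghlite-flint code. It assumes toy parameters $n = 8$, $\kappa = 2$, $q = 2^{16} + 1$ (so $x^n + 1$ splits mod $q$), a fixed $g = 1 + x$ and $h = 1 + 2x$ instead of Gaussian-sampled ones, and keeps elements of $R_q$ in NTT (evaluation) form so that the secret $z$ is inverted pointwise; encode, add, mult and isZero then follow the formulas above.

```python
import random
n, kappa, q = 8, 2, 65537  # toy sizes (paper: n = 2^15..2^18); q = 2^16 + 1 is prime and q = 1 mod 2n
# psi: a primitive 2n-th root of unity mod q (psi^n = -1), so x^n + 1 splits into n linear factors mod q
psi = next(p for p in (pow(a, (q - 1) // (2 * n), q) for a in range(2, q)) if pow(p, n, q) == q - 1)
roots = [pow(psi, 2 * i + 1, q) for i in range(n)]  # the n roots of x^n + 1 mod q

def ntt(a):  # coefficient list -> values at the roots (naive O(n^2); the paper uses a real NTT)
    return [sum(c * pow(w, j, q) for j, c in enumerate(a)) % q for w in roots]

def intt(ev):  # values at the roots -> coefficients centred in (-q/2, q/2]
    cs = [pow(n, -1, q) * sum(v * pow(w, -j, q) for v, w in zip(ev, roots)) % q for j in range(n)]
    return [c - q if c > q // 2 else c for c in cs]

class GGH:
    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.g = ntt([1, 1] + [0] * (n - 2))  # secret g = 1 + x (assumed); N(g) = 2, so R/(g) = F_2
        self.h = ntt([1, 2] + [0] * (n - 2))  # "small" h = 1 + 2x (assumed)
        z = [self.rng.randrange(1, q) for _ in range(n)]  # secret z uniform in R_q, in NTT form
        self.zinv = [pow(v, -1, q) for v in z]
        zk, ginv = [pow(v, kappa, q) for v in z], [pow(v, -1, q) for v in self.g]
        self.pzt = [a * b * c % q for a, b, c in zip(self.h, zk, ginv)]  # p_zt = [h z^kappa / g]_q

    def encode(self, e, k=1):
        """Level-k encoding of the constant plaintext e: c = e + g*r is small, u = [c / z^k]_q."""
        r = ntt([self.rng.randint(-1, 1) for _ in range(n)])  # small randomiser of the coset e + (g)
        c = [(a + b * s) % q for a, b, s in zip(ntt([e] + [0] * (n - 1)), self.g, r)]
        return k, [v * pow(w, k, q) % q for v, w in zip(c, self.zinv)]

def add(u1, u2, sign=1):  # same level k: [(c1 +/- c2) / z^k]_q encodes [c1 +/- c2]_g
    assert u1[0] == u2[0], "add needs equal levels"
    return u1[0], [(a + sign * b) % q for a, b in zip(u1[1], u2[1])]

def mult(u1, u2):  # levels add up: [(c1 c2) / z^(k1 + k2)]_q encodes [c1 c2]_g
    return u1[0] + u2[0], [a * b % q for a, b in zip(u1[1], u2[1])]

def is_zero(pp, u):  # [p_zt * u]_q = [h c / g]_q is small only if c lies in (g)
    assert u[0] == kappa, "zero-testing works at level kappa only"
    return max(map(abs, intt([a * b % q for a, b in zip(pp.pzt, u[1])]))) <= q ** 0.75

def demo(seed=1):
    pp = GGH(seed)
    u = [pp.encode(1) for _ in range(4)]  # four independent level-1 encodings of 1
    w1, w2 = mult(u[0], u[1]), mult(u[2], u[3])  # two level-2 encodings of 1 * 1
    return (is_zero(pp, add(w1, w2, -1)),  # same plaintext, so the difference encodes 0: True
            is_zero(pp, w1),  # 1 is not in (g): False
            is_zero(pp, mult(add(u[0], u[1]), u[2])))  # 1 + 1 = 2 lies in (g) = (1 + x): True

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The last case shows the plaintext ring is $R/(g)$ rather than $R$: with $N(g) = 2$, two encodings of 1 add to an encoding of zero.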
GGH: two versions - "public key version"
$I = (g)$ is a prime ideal over $R = \mathbb{Z}[x]/(x^n + 1)$ with small $g$ (secret), $R_{\mathrm{Enc}} = R_q$ and $R_{\mathrm{Plain}} = R/(g)$; $\kappa$ is the degree of multilinearity.
- Public parameter: $y$, a level-1 encoding of 1.
- Plaintext: $e$, an element of $R/(g)$.
- Level-1 encoding: $[c/z]_q = [e \cdot y]_q$ for $z \leftarrow U(R_q)$ (secret), where $c$ is a small coset representative of $e + (g)$.
- Level-$k$ encoding: $[c/z^k]_q = [e \cdot y^k]_q$.
To ensure security, the encodings need to be randomized:
- Public parameters $\{x_j\}_{j \in [m_r]}$: level-1 encodings of zero.
- Level-1 encoding: $[u' + \sum_j \rho_j x_j]_q$, where each $\rho_j$ is sampled from a discrete Gaussian over $\mathbb{Z}$; $\sum_j \rho_j x_j$ is a discrete Gaussian and an encoding of zero.
GGH: two versions
Secret key version (what we implement):
- $z$ secret, used to encode
- no need for re-randomizers
- zero-testing parameter public
- Main application: indistinguishability obfuscation
Public key version (all existing constructions are broken):
- $y$ public, used to encode, so anyone can encode
- needs "re-randomizers": level-$i$ encodings of zero
- zero-testing parameter public
- Used for $N$-party key exchange
Could this be implemented?
- Original GGH construction: parameters too big, nothing can run in practice.
- GGHLite [LangloisStehléSteinfeld 2014] has nicer parameters but still some issues:
  - $(g)$ needs to be a prime ideal,
  - very large parameters $n$ and $q$,
  - no discrete Gaussian sampling over arbitrary ideals publicly available.
Our work
First efficient implementation of an improved GGH scheme ("secret key version") publicly available.
- We show that $(g)$ does not need to be a prime ideal.
- We provide a better analysis of the scheme: reduce the bitsize of $q$ by a factor of 4 (and hence the size of $n$).
- We give a strategy to choose efficient parameters, based on lattice attacks.
In the scheme, all operations are in $R = \mathbb{Z}[x]/(x^n + 1)$ or $R_q$.
- Implementation in C relying on FLINT, with all steps in quasi-linear time.
- Re-implement most of the non-trivial operations:
  - polynomial multiplication in $R_q$ using the NTT,
  - computing norms in $R$.
- Implement operations not available in FLINT:
  - approximate inverse in $K = \mathbb{Q}[x]/(x^n + 1)$,
  - approximate square root in $K$,
  - sampling from discrete Gaussians on arbitrary ideals (using [GPV08, DDLL13]).
- Implementation ready to be used for implementing iO.
Some concrete results
λ    κ    λ′      n       log q    Setup     Encode    Mult      ‖enc‖
52   6    64.4    2^15    2117     114s      26s       0.05s     8.3MB
52   52   62.7    2^18    19898    26695s    1016s     84.1s     621.8MB
80   6    155.2   2^16    2289     415s      74s       0.13s     17.9MB
80   19   80.4    2^17    7089     1821s     268s      3.07s     110.8MB
80   38   80.3    2^18    14649    20381s    947s      16.21s    457.8MB
- $\kappa$ is the multilinearity level,
- $\lambda'$ is the expected security level based on the best known attacks,
- Setup: time for generating a GGH instance,
- Encode: time to reduce an element of $\mathbb{Z}_p$ with $p = N(I)$ to a small element of $\mathbb{Z}[x]/(x^n + 1)$ modulo $(g)$,
- Mult: time to multiply $\kappa$ elements.
Conclusion
Implementing lattice-based schemes (in $R = \mathbb{Z}[x]/(x^n + 1)$): part of this implementation may be useful and will soon be available independently.
Open problems: security of graded encoding schemes:
- Attacking the "secret key" variant of GGH or CLT,
- Constructing a secure variant.
https://bitbucket.org/malb/gghlite-flint
Thank you