Beruflich Dokumente
Kultur Dokumente
Dec 2013
A technical tool
Think trapdoor-permutations or smoothprojective-hashing, or randomized-encoding More a technique than a single primitive
Several different variants, all share the same core properties but differ in details
Bilinear maps are similar: we can compute quadratics, while cubics seem hard
Turns out to be even more useful
Dec 2013 Visions of Cryptography, Weizmann Inst. 3
Can we find groups that would let us compute cubics but not 4th powers?
Or in general, upto degree but no more?
This Talk
An overview of [GGH13]
Some details Which degree-( + 1) functions are easy/hard
Source- vs. target-group assumptions
Dec 2013
MMAPs Encoding = Computing low-deg polynomials of the s is easy Sharp threshold for easy vs. hard Can test for zero
A zero-test parameter that works for all levels, would give a black-box field
Could be useful, but its not MMAPs Also we dont know how to get one
Our zero-test parameter only works for ciphertexts at one particular level
The zero-test level is a parameter, equal to the multi-linearity degree that we want to implement
Dec 2013 Visions of Cryptography, Weizmann Inst. 11
Some Variations
Can extract random canonical representation of from any level- encoding of Can only encode random s, not specific ones KeyGen outputs a matching secret key
Overview of [GGH13]
Dec 2013
14
Secret key is ,
In NTRU = 3
An encryption of is = /
| | and = ( )
To decrypt set
Dec 2013
15
Homomorphic NTRU
Level- encryption of is
()
| | and = ( )
Because | + | and + = + ( )
() +
= +
(+)
Because | | and = ( )
16
Let 0 =
(1) 0
||, | + 1|
1 =
(1) 1
+1
To encrypt a small , choose small , set + + () = + = If is Gaussian with suitable parameter then || and is ~uniform mod
So we can encrypt random elements But not any pre-set element
Dec 2013 Visions of Cryptography, Weizmann Inst. 17
Zero-Test Parameter
= , with ||
= , | |
Correctness of Zero-Testing
Proof: = over (since both < /2) and since , co-prime then |.
Dec 2013 Visions of Cryptography, Weizmann Inst. 21
Dec 2013
22
Security of Zero-Testing
Whats Hard
Some degree- + 1 functions seem hard to compute, or even test Multilinear-DDH (MDDH) For + 1 level-1 encoding of random (1) (1) elements, 0 , , ,
() ,
(1) ,
A target group problem includes some elements encoded at the highest level ()
Such problems are seemingly hard in these encodings
is not small, so you cannot re-encode it at level 1 and break MDDH or similar
But if you have , 0 , , and , you can check whether = 0 mod
Dec 2013 Visions of Cryptography, Weizmann Inst.
27
More applications can get by without providing 0 , 1 , so attack does not apply Or use other MMAPs
[CTL13] seemingly not susceptible to weak-DL Can perhaps immunize [GGH13] against it
Using GGH-encoded matrices and their eigenvalues
Dec 2013 Visions of Cryptography, Weizmann Inst. 28
Computation Problems
The source/target distinction is about decision problems Computation problems have their own issues Roughly speaking, anything that requires division is hard
()
()
is unlikely to be a valid encoding, can perhaps be discarded using the secure zero-test
Dec 2013 Visions of Cryptography, Weizmann Inst. 29
APPLICATIONS OF MMAPS
Dec 2013
30
is small ,
as a shared key
Whp over , all s are equal Indistinguishable to observer from random bits
Dec 2013 Visions of Cryptography, Weizmann Inst. 32
Subsets are pairwise disjoint, and Their union is the entire [].
Dec 2013
34
()
1 2, 2
(1) ,
(1)
= = 0 ()
Level- encoding of an ( + 1)-product
1 =? =
For any fixed basis 1 , , , (encoded at level 1), can generate a random as above with a trapdoor s.t.:
Using we can find for any a representation of () in this basis
= 1 + at level zero, at level 1
Obfuscation [GGHRSW13]
iO for
Begin with a corollary of Barringtons theorem, we can recognize L 1 via matrix multiplication:
represented by a sequence of matrices of length exp Input determines a sub-sequence iff their product is the identity
Dec 2013
41
Obfuscating
Choose a subset and multiply the encoding Use zero-testing to check for identity
Dec 2013
42
Security
Mostly heuristic, but supported by generic-group arguments Every pair of circuits 1 , 2 , defines a decision problem
Summary