Implementing Candidate Graded Encoding Schemes from Ideal...

Date post: 02-Jun-2020
Page 1: Implementing Candidate Graded Encoding Schemes from Ideal ...people.irisa.fr/Adeline.Roux-Langlois/webpage/ImplementingGGH.pdf · I Level-1 encoding: [u0+ P j ˆ jx j] q, I where

Implementing Candidate Graded Encoding Schemes from Ideal Lattices

Martin R. Albrecht 1, Catalin Cocis 2, Fabien Laguillaumie 3 and Adeline Langlois 4

1. Information Security Group, Royal Holloway, University of London
2. Technical University of Cluj-Napoca
3. UCBL Lyon 1 (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL)
4. EPFL, Lausanne, Switzerland and CNRS/IRISA, Rennes, France

December 3, 2015

Adeline Langlois Implementing GGH December 3, 2015 1/ 12


Cryptographic Multilinear Maps

Group of $N > 2$ parties want to communicate privately via cloud.
$\mathbb{Z}_q = \mathbb{Z}/q\mathbb{Z}$ with $q$ prime, $g$ public generator of $\mathbb{Z}_q^\times$

- Choose $x_1 \in \mathbb{Z}_q$, $y_1 = g^{x_1}$
- Choose $x_2 \in \mathbb{Z}_q$, $y_2 = g^{x_2}$
- Choose $x_3 \in \mathbb{Z}_q$, $y_3 = g^{x_3}$
- Choose $x_N \in \mathbb{Z}_q$, $y_N = g^{x_N}$

Secret key (using e: "cryptographic multilinear map"):

$K = e(g, \dots, g)^{x_1 \cdots x_N} = e(y_2, y_3, \dots, y_N)^{x_1} = e(y_1, y_3, \dots, y_N)^{x_2}$

- Security: Hardness of Multilinear Decisional DH problem, MDDH: For $x_1, \dots, x_N, x' \leftarrow U(\mathbb{Z}_q)$, distinguish between $(g^{x_1}, \dots, g^{x_N}, e(g, \dots, g)^{x_1 \cdots x_N})$ and $(g^{x_1}, \dots, g^{x_N}, e(g, \dots, g)^{x'})$.


Construction?

For $N = 3$ use bilinear maps $e : G_1 \times G_2 \to G_T$ and $g_1 \in G_1$, $g_2 \in G_2$, $g_T \in G_T$ generators.

- $e(\cdot, \cdot)$ is bilinear: $e(g_1^x, g_2^y) = e(g_1, g_2)^{xy}$,
- $e(\cdot, \cdot)$ is non-degenerate: $e(g_1, g_2)$ generates $G_T$,
- $e(\cdot, \cdot)$ efficiently computable and DLOG hard in all groups.

Ideal construction of cryptographic multilinear map (extend this to $\kappa$ elements) does not exist.


Approximation: Graded Encoding Scheme

Think of

- $x$ as a "level-0" encoding of $x$,
- $g^x$ as a "level-1" encoding of $x$,
- $e(g, g)^{xy}$ as a "level-2" encoding of $xy$,
- $e(\cdot, \dots, \cdot)$ as "multiplying" two elements at level $i$ and $j$ to produce an element at level $i + j$,
- $g^x \cdot g^y$ as "adding" two elements at the same level.


Cryptographic Multilinear Maps – History

- 2000: 3-parties key agreement using pairings [Joux00]
- 2003: $\kappa + 1$-parties using $\kappa$-linear maps [BonehSilverberg 2003]

What happened in the last three years?

- 2012: First plausible realization [GargGentryHalevi 2013]
  - New applications: indistinguishability obfuscation (iO)
  - Attacked by [HuJia 2015]
- 2013: Variant over the integers [CoronLepointTibouchi 2013]
  - Attacked by [CheonHanLeeRyuStehlé 2014]
  - Fixed in [CoronLepointTibouchi 2015]
  - Fix fully broken [CheonLeeRyu 2015] [MinaudFouque 2015]
- 2014: Graph-induced Mmaps [GentryGorbunovHalevi 2015]
  - Recently attacked by [Coron 2015]


GGH13 graded encoding scheme

- In bilinear map ($g$ and $e$ public):
  anyone can "encode": given a secret $x$, compute $g^x$,
  given $g^{x_1}$, $g^{x_2}$ and secret $x_3$, compute $e(g^{x_1}, g^{x_2})^{x_3}$.
- In graded encoding schemes, two possible versions:
  - A "secret key" version:
    Only the person who has the secret can encode,
    Application: indistinguishability obfuscation (iO).
  - A "public key" version:
    Publish some public elements then anyone can encode,
    Possible application: multi-party key exchange.


GGH: two versions - "secret key version"

$I = (g)$ prime ideal over $R$ ($= \mathbb{Z}[x]/(x^n + 1)$) with small $g$ (secret),
$R_{Enc} = R_q$ and $R_{Plain} = R/(g)$, $\kappa$ is the degree of multilinearity

- Plaintext: $e$ element of $R/(g)$,
- Level-1 encoding: $[c/z]_q$ for $z \leftarrow U(R_q)$ (secret),
  - where $c$ is a small coset representative of $e + (g)$,
- Level-$k$ encoding: $[c/z^k]_q$
- Adding encodings add: Given $u_1 = [c_1/z^k]_q$ and $u_2 = [c_2/z^k]_q$:
  - $u = [u_1 + u_2]_q = [(c_1 + c_2)/z^k]_q$ is a level-$k$ encoding of $[c_1 + c_2]_g$.
- Multiplying encodings mult: Given $u_1 = [c_1/z^{k_1}]_q$, $u_2 = [c_2/z^{k_2}]_q$:
  - $u = [u_1 \cdot u_2]_q = [(c_1 \cdot c_2)/z^{k_1 + k_2}]_q$: level-$(k_1 + k_2)$ encoding of $[c_1 \cdot c_2]_g$.
- Zero-testing isZero: public parameter: $p_{zt} = [\frac{h}{g} z^\kappa]_q$ with "small" $h$,
  Given $u = [c/z^\kappa]_q$, return 1 if $\|[p_{zt} \cdot u]_q\|_\infty \le q^{3/4}$.
  - $[p_{zt} \cdot u]_q = [\frac{h}{g} z^\kappa \cdot c/z^\kappa]_q = [\frac{h \cdot c}{g}]_q$, small only if $c \in (g)$.
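
The secret-key operations on this slide (encode, add, mult, isZero), as an added toy example that is not taken from the slides or from the gghlite-flint code. It assumes tiny illustrative parameters ($n = 4$, $q = 2^{31} - 1$, $g = 2 + x$, $h = 1 + x^2$, $\kappa = 3$), uniform noise in place of a discrete Gaussian, and hypothetical function names; parameters this small give no security.

```python
import secrets

Q = 2**31 - 1        # toy prime modulus q (assumed; real q has thousands of bits)
N, KAPPA = 4, 3      # R = Z[x]/(x^N + 1); degree of multilinearity (both assumed)
G = [2, 1, 0, 0]     # secret small g = 2 + x; N(g) = 17, so R/(g) = Z_17 via x -> -2
H = [1, 0, 1, 0]     # "small" h = 1 + x^2, not in (g) since h(-2) = 5 mod 17

def mul(a, b, q=Q):
    """Schoolbook product in Z_q[x]/(x^n + 1), using x^n = -1."""
    n, out = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, sign = (i + j) % n, 1 if i + j < n else -1
            out[k] = (out[k] + sign * ai * bj) % q
    return out

def inv(a, q=Q):
    """Inverse in Z_q[x]/(x^n + 1), n a power of two: a^-1 = a(-x) * (a(x)a(-x))^-1."""
    if len(a) == 1:
        return [pow(a[0], -1, q)]              # ValueError if a is not invertible
    conj = [-c % q if i % 2 else c % q for i, c in enumerate(a)]
    half = inv(mul(a, conj, q)[::2], q)        # a(x)a(-x) has only even-degree terms
    return mul(conj, [c for h in half for c in (h, 0)], q)  # lift y -> x^2

def setup():
    z = [secrets.randbelow(Q) for _ in range(N)]   # z <- U(R_q), kept secret
    p_zt = mul(H, inv(G))                          # p_zt = [h z^kappa / g]_q
    for _ in range(KAPPA):
        p_zt = mul(p_zt, z)
    return inv(z), p_zt

def encode(e, z_inv, level=1):
    """[c / z^level]_q for a small c = e + g*r in the coset e + (g)."""
    r = [secrets.randbelow(3) - 1 for _ in range(N)]  # toy noise, not a discrete Gaussian
    u = mul(G, r)
    u[0] = (u[0] + e) % Q
    for _ in range(level):
        u = mul(u, z_inv)
    return u

def add(u1, u2):
    return [(a + b) % Q for a, b in zip(u1, u2)]

def is_zero(u, p_zt):  # ||[p_zt * u]_q||_inf <= q^(3/4), on centred coefficients
    norm = max(min(c, Q - c) for c in mul(p_zt, u))
    return norm ** 4 <= Q ** 3

def demo():
    z_inv, p_zt = setup()
    a, b, c = (encode(e, z_inv) for e in (3, 5, 2))   # level-1 encodings
    prod = mul(mul(a, b), c)                          # level-3 encoding of 30 = 13 mod 17
    hit = add(prod, encode(-13, z_inv, KAPPA))        # encodes 0 in R/(g)
    miss = add(prod, encode(-12, z_inv, KAPPA))       # encodes 1 in R/(g)
    return is_zero(hit, p_zt), is_zero(miss, p_zt)
```

`demo()` returns `(True, False)` for every choice of `z` and noise: the first numerator lies in $(g)$, so $[p_{zt} \cdot u]_q = h \cdot c / g$ is small, while the second cannot be small because $g$ does not divide $h \cdot c$.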


GGH: two versions - "public key version"

$I = (g)$ prime ideal over $R$ ($= \mathbb{Z}[x]/(x^n + 1)$) with small $g$ (secret),
$R_{Enc} = R_q$ and $R_{Plain} = R/(g)$, $\kappa$ is the degree of multilinearity

- Public parameter: $y$ level-1 encoding of 1,
- Plaintext: $e$ element of $R/(g)$,
- Level-1 encoding: $[c/z]_q = [e \cdot y]_q$ for $z \leftarrow U(R_q)$ (secret),
  - where $c$ is a small coset representative of $e + (g)$,
- Level-$k$ encoding: $[c/z^k]_q = [e \cdot y^k]_q$

To ensure security ⇒ need randomization of the encodings

- Public parameters $\{x_j\}_{j \in [m_r]}$ level-1 encodings of zero.
- Level-1 encoding: $[u' + \sum_j \rho_j x_j]_q$,
  - where $\rho_j$ is sampled from a discrete Gaussian over $\mathbb{Z}$,
  - $\sum_j \rho_j x_j$ is a discrete Gaussian and an encoding of zero.


GGH: two versions

Secret key version

- $z$ secret used to encode
- no need of re-randomizers
- zero-testing parameter public
- Main application: indistinguishability obfuscation

What we implement

Public key version

- $y$ public used to encode ⇒ anyone can encode
- need of "re-randomizers": level-$i$ encodings of zero
- zero-testing parameter public
- Used for N-party key exchange

All existing constructions are broken


Could this be implemented?

- Original GGH construction: parameters too big: nothing can run in practice.
- GGHLite has nicer parameters but still some issues: [LangloisStehléSteinfeld 2014]
  - $(g)$ needs to be a prime ideal,
  - Very large parameters $n$ and $q$,
  - No discrete Gaussian sampling over arbitrary ideals publicly available.


Our work

First and efficient implementation of improved GGH scheme ("secret key version") publicly available

- We show that $(g)$ does not need to be a prime ideal,
- We provide a better analysis of the scheme:
  - reduce bitsize of $q$ by factor 4 (and then size of $n$),
- We give a strategy to choose efficient parameters,
  - based on lattice attacks.


In the scheme, all operations are in $R = \mathbb{Z}[x]/(x^n + 1)$ or $R_q$

- Implementation in C relies on FLINT, with all steps in quasi-linear time,
- Re-implement most of the non-trivial operations
  - Polynomial multiplication in $R_q$ using NTT,
  - Computing norms in $R$,
- Implement operations not available in FLINT
  - Approximate inverse in $K = \mathbb{Q}[x]/(x^n + 1)$,
  - Approximate square root in $K$,
  - Sampling from Discrete Gaussians on arbitrary ideals (using [GPV08, DDLL13]).
- Implementation ready to be used for implementing iO.


Some concrete results

$\lambda$   $\kappa$   $\lambda'$   $n$      $\log q$   Setup    Encode   Mult     $\|enc\|$
52          6          64.4         2^15     2117       114s     26s      0.05s    8.3MB
52          52         62.7         2^18     19898      26695s   1016s    84.1s    621.8MB
80          6          155.2        2^16     2289       415s     74s      0.13s    17.9MB
80          19         80.4         2^17     7089       1821s    268s     3.07s    110.8MB
80          38         80.3         2^18     14649      20381s   947s     16.21s   457.8MB

- $\kappa$ is the multilinearity level,
- $\lambda'$ expected security level based on best known attacks,
- Setup: time for generating GGH instance,
- Encode: time to reduce an element $\in \mathbb{Z}_p$ with $p = \mathcal{N}(I)$ to a small element in $\mathbb{Z}[X]/(x^n + 1)$ modulo $(g)$,
- Mult lists the time to multiply $\kappa$ elements.


Conclusion

Implementing lattice-based schemes (in $R = \mathbb{Z}[x]/(x^n + 1)$)

Part of this implementation may be useful and will soon be available independently.

Open problems

Security of graded encoding schemes:

- Attacking the "secret key" variant of GGH or CLT,
- Constructing a secure variant.

https://bitbucket.org/malb/gghlite-flint

Thank You
