Obfuscation from Low Noise Multilinear Maps | SpringerLink
Skip to main content
Springer Nature Link
Log in

Obfuscation from Low Noise Multilinear Maps

  • Conference paper
  • First Online:
Progress in Cryptology – INDOCRYPT 2018 (INDOCRYPT 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11356))

Included in the following conference series:

Abstract

Multilinear maps enable homomorphic computation on encoded values and a public procedure to check if the computation on the encoded values results in a zero. Encodings in known candidate constructions of multilinear maps have a (growing) noise component, which is crucial for security. For example, noise in GGH13 multilinear maps grows with the number of levels that need to be supported and must remain below the maximal noise supported by the multilinear map for correctness. A smaller maximal noise, which must be supported, is desirable both for reasons of security and efficiency.

In this work, we put forward new candidate constructions of obfuscation for which the maximal supported noise is polynomial (in the security parameter). Our constructions are obtained by instantiating a modification of Lin’s obfuscation construction (EUROCRYPT 2016) with composite order variants of the GGH13 multilinear maps. For these schemes, we show that the maximal supported noise only needs to grow polynomially in the security parameter. We prove the security of these constructions in the weak multilinear map model that captures all known vulnerabilities of GGH13 maps. Finally, we investigate the security of the considered composite order variants of GGH13 multilinear maps from a cryptanalytic standpoint.

Research supported in part from DARPA/ARL SAFEWARE Award W911NF15C0210, AFOSR Award FA9550-15-1-0274, AFOSR YIP Award, DARPA and SPAWAR under contract N66001-15-C-4065, a Hellman Award and research grants by the Okawa Foundation, Visa Inc., and Center for Long-Term Cybersecurity (CLTC, UC Berkeley). The views expressed are those of the author and do not reflect the official policy or position of the funding agencies.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
JPY 3498
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
JPY 5719
Price includes VAT (Japan)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
JPY 7149
Price includes VAT (Japan)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Throughout this paper, we use multilinear maps to refer to private encoding multilinear maps. In other words, no public low-level encodings of zero are provided in our constructions.

  2. 2.

    By “fresh” encodings we mean that it is generated via the encoding procedure using the secret parameters and not produced as a result of homomorphic computations.

  3. 3.

    The reported noise is for the recommended version of the GGH multilinear maps [24, Sect. 6.4]. This recommendation was made in [25] with the goal of avoiding averaging attacks [20, 33, 45]. Similar recommendation is made in [3, Sect. 4.2].

  4. 4.

    Another exception is [37] which uses Reniy divergence to construct a map called GGHLite that supports more efficient concrete parameters than GGH.

  5. 5.

    Specifically, the subfield lattice attack is sub-exponential as soon as q is super-polynomial. Furthermore, using attack of [35] becomes polynomial for power-of-two cyclotomic fields when \(q = 2^{\varOmega (\sqrt{n \log \log n})}\). We note that the attack of [35] is much more general, but we are only concerned with these parameter choices.

  6. 6.

    In the first draft of [24], authors suggested a composite order variant of multilinear maps. However, in later versions they restricted their claims to the prime order construction. This was in light of the weak-discrete log attacks they found against their construction. However, these attacks worked only when public encodings of zero are provided and rendered assumptions such as subgroup hiding easy. In particular, all known attacks against composite order GGH maps use low level encodings of zero [25] or some specific high-level encodings of zero [15]. In light of the Miles et al. attacks [44] we envision more (potential) attacks but they are all captured by the weak multilinear map model.

  7. 7.

    We do not provide public encodings of zero in our constructions. Therefore, they are insufficient to instantiate the assumptions made by Gentry et al. [29, 30].

  8. 8.

    In the actual construction the structure of the elements of \(\mathbb {U}\) are much involved. But for simplicity here we just assume \(\mathbb {U}= [\ell ]\) that suffices to convey the main idea.

  9. 9.

    We use the notation \([\cdot ]_q\) to denote operations in \(R_q\).

  10. 10.

    Note that in the actual construction we use different restriction for multiplication due to difference in the structure of the straddling levels and the universe.

  11. 11.

    Notice that \(\varvec{g}/\varvec{z}_\mathbf{v }\) is in \({K}\). We generally use \(\varvec{{a}}/\varvec{{b}}\in {K}\) to denote “division” in the quotient field \({K}\) of \(R\) for \(\varvec{{a}},\varvec{{b}}\in R\). This is not to be confused with the notation \(\varvec{{a}}\cdot [\varvec{{b}}^{-1}]_q\in R\) which is a multiplication operation in \(R\) where the inverse \([\varvec{{b}}^{-1}]_q\) is in \(R_q\).

  12. 12.

    Notice that, the inverse is in \(R_q\) but the product is in \(R\).

  13. 13.

    There are some works e.g. [7, 11] that prove security of their constructions in slightly stronger models than the ideal graded encoding model which captures some attacks on multilinear maps.

  14. 14.

    \(\mathcal {C}^{\mathsf {PRF}_\psi }\) is a circuit for computing PRF with the key \(\psi \).

  15. 15.

    In the construction this is implemented by canceling out the PRF value by multiplying with an appropriate encoding that encodes a value which is \(0\,\mathsf {mod}\,\varvec{g}_2\) in the second slot.

  16. 16.

    We note that such a PRF can be computed using constant input types and constant type degree. See more details in Appendix G.2 of the full version [19].

  17. 17.

    The values of \(\mathbf e ^{t}\) is specified in the proof of Theorem G.20 of the full version [19], which is crucial for proving post zeroizing security, but does not affect the correctness of the obfuscator.

References

  1. Agrawal, S., Gentry, C., Halevi, S., Sahai, A.: Discrete Gaussian leftover hash lemma over infinite domains. Cryptology ePrint Archive, Report 2012/714 (2012)

    Google Scholar 

  2. Aharonov, D., Regev, O.: Lattice problems in Np cap coNp. J. ACM 52(5), 749–765 (2005)

    Article  MathSciNet  Google Scholar 

  3. Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 153–178. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_6

    Chapter  Google Scholar 

  4. Ananth, P., Sahai, A.: Projective arithmetic functional encryption and indistinguishability obfuscation from degree-5 multilinear maps. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 152–181. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_6

    Chapter  Google Scholar 

  5. Ananth, P.V., Gupta, D., Ishai, Y., Sahai, A.: Optimizing obfuscation: avoiding Barrington’s theorem. In: Ahn, G.-J., Yung, M., Li, N. (eds.) ACM CCS 14, pp. 646–658. ACM Press, November 2014

    Google Scholar 

  6. Applebaum, B., Brakerski, Z.: Obfuscating circuits via composite-order graded encoding. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 528–556. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_21

    Chapter  Google Scholar 

  7. Badrinarayanan, S., Miles, E., Sahai, A., Zhandry, M.: Post-zeroizing obfuscation: new mathematical tools, and the case of evasive circuits. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 764–791. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_27

    Chapter  Google Scholar 

  8. Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 221–238. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_13

    Chapter  Google Scholar 

  9. Boneh, D., Freeman, D.M.: Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 1–16. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_1

    Chapter  Google Scholar 

  10. Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography. Cryptology ePrint Archive, Report 2002/080 (2002). http://eprint.iacr.org/2002/080

  11. Brakerski, Z., Dagmi, O.: Shorter circuit obfuscation in challenging security models. Cryptology ePrint Archive, Report 2016/418 (2016). http://eprint.iacr.org/2016/418

  12. Brakerski, Z., Rothblum, G.N.: Virtual black-box obfuscation for all circuits via generic graded encoding. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 1–25. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_1

    Chapter  Google Scholar 

  13. Canetti, R., Lin, H., Tessaro, S., Vaikuntanathan, V.: Obfuscation of probabilistic circuits and applications. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 468–497. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_19

    Chapter  MATH  Google Scholar 

  14. Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_1

    Chapter  Google Scholar 

  15. Coron, J.-S., et al.: Zeroizing without low-level zeroes: new MMAP attacks and their limitations. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 247–266. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_12

    Chapter  Google Scholar 

  16. Coron, J.-S., Lee, M.S., Lepoint, T., Tibouchi, M.: Cryptanalysis of GGH15 multilinear maps. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 607–628. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_21

    Chapter  Google Scholar 

  17. Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_26

    Chapter  Google Scholar 

  18. Coron, J.-S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 267–286. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_13

    Chapter  Google Scholar 

  19. Döttling, N., Garg, S., Gupta, D., Miao, P., Mukherjee, P.: Obfuscation from low noise multilinear maps. Cryptology ePrint Archive, Report 2016/599 (2016). http://eprint.iacr.org/2016/599

  20. Ducas, L., Nguyen, P.Q.: Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 433–450. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_27

    Chapter  Google Scholar 

  21. Ducas, L., Pellet-Mary, A.: On the statistical leak of the GGH13 multilinear map and some variants. IACR Cryptology ePrint Archive, 2017:482 (2017). http://eprint.iacr.org/2017/482

  22. Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_13

    Chapter  Google Scholar 

  23. Sanjam Garg. Candidate Multilinear Maps. Association for Computing Machinery and Morgan & Claypool, New York, NY, USA (2015)

    Google Scholar 

  24. Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. Cryptology ePrint Archive, Report 2012/610 (2012). http://eprint.iacr.org/2012/610

  25. Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_1

    Chapter  Google Scholar 

  26. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press, October 2013

    Google Scholar 

  27. Garg, S., Miles, E., Mukherjee, P., Sahai, A., Srinivasan, A., Zhandry, M.: Secure obfuscation in a weak multilinear map model. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 241–268. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_10

    Chapter  Google Scholar 

  28. Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_20

    Chapter  Google Scholar 

  29. Gentry, C., Lewko, A., Waters, B.: Witness encryption from instance independent assumptions. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 426–443. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_24

    Chapter  Google Scholar 

  30. Gentry, C., Lewko, A.B., Sahai, A., Waters, B.: Indistinguishability obfuscation from the multilinear subgroup elimination assumption. In: Guruswami, V. (ed.) 56th FOCS, pp. 151–170. IEEE Computer Society Press, October 2015. https://doi.org/10.1109/FOCS.2015.19

  31. Gentry, C., Lewko, A.B., Waters, B.: Witness encryption from instance independent assumptions. Cryptology ePrint Archive, Report 2014/273 (2014). http://eprint.iacr.org/2014/273

  32. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)

    Google Scholar 

  33. Gentry, C., Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 299–320. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_20

    Chapter  Google Scholar 

  34. Hu, Y., Jia, H.: Cryptanalysis of GGH map. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 537–565. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_21

    Chapter  Google Scholar 

  35. Kirchner, P., Fouque, P.-A.: Comparison between subfield and straightforward attacks on NTRU. IACR Cryptology ePrint Archive 2016:717 (2016)

    Google Scholar 

  36. Klein, P.N.: Finding the closest lattice vector when it’s unusually close. In: Shmoys, D.B. (ed.) 11th SODA, pp. 937–941. ACM-SIAM, January 2000

    Google Scholar 

  37. Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 239–256. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_14

    Chapter  Google Scholar 

  38. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathe. Ann. 261(4), 515–534 (1982)

    Article  MathSciNet  Google Scholar 

  39. Lin, H.: Indistinguishability obfuscation from constant-degree graded encoding schemes. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 28–57. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_2

    Chapter  Google Scholar 

  40. Lin, H.: Indistinguishability obfuscation from SXDH on 5-linear maps and locality-5 PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 599–629. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_20

    Chapter  Google Scholar 

  41. Lin, H., Tessaro, S.: Indistinguishability obfuscation from trilinear maps and block-wise local PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 630–660. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_21

    Chapter  Google Scholar 

  42. Lin, H., Vaikuntanathan, V.: Indistinguishability obfuscation from DDH-like assumptions on constant-degree graded encodings. Cryptology ePrint Archive, Report 2016/795 (2016). http://eprint.iacr.org/2016/795

  43. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: 45th FOCS, pp. 372–381. IEEE Computer Society Press, October 2004

    Google Scholar 

  44. Miles, E., Sahai, A., Zhandry, M.: Annihilation attacks for multilinear maps: cryptanalysis of indistinguishability obfuscation over GGH13. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 629–658. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_22

    Chapter  Google Scholar 

  45. Nguyen, P.Q., Regev, O.: Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 271–288. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_17

    Chapter  Google Scholar 

  46. Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation from semantically-secure multilinear encodings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 500–517. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_28

    Chapter  Google Scholar 

  47. Peikert, C.: An efficient and parallel gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_5

    Chapter  Google Scholar 

  48. Regev, O.: New lattice-based cryptographic constructions. J. ACM 51(6), 899–942 (2004)

    Article  MathSciNet  Google Scholar 

  49. Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program., 181–191 (1993)

    Article  MathSciNet  Google Scholar 

  50. Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_4

    Chapter  Google Scholar 

  51. Zimmerman, J.: How to obfuscate programs directly. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 439–467. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_15

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Center of IT-Security, Privacy and Accountability, Saarbrücken, Germany

    Nico Döttling

  2. University of California, Berkeley, USA

    Sanjam Garg & Peihan Miao

  3. Microsoft Research India, Bengaluru, India

    Divya Gupta

  4. Visa Research, Palo Alto, USA

    Pratyay Mukherjee

Authors
  1. Nico Döttling
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sanjam Garg
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Divya Gupta
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Peihan Miao
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Pratyay Mukherjee
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Pratyay Mukherjee .

Editor information

Editors and Affiliations

  1. Indian Statistical Institute, Kolkata, India

    Debrup Chakraborty

  2. Nagoya University, Nagoya, Japan

    Tetsu Iwata

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Döttling, N., Garg, S., Gupta, D., Miao, P., Mukherjee, P. (2018). Obfuscation from Low Noise Multilinear Maps. In: Chakraborty, D., Iwata, T. (eds) Progress in Cryptology – INDOCRYPT 2018. INDOCRYPT 2018. Lecture Notes in Computer Science(), vol 11356. Springer, Cham. https://doi.org/10.1007/978-3-030-05378-9_18

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-05378-9_18

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-05377-2

  • Online ISBN: 978-3-030-05378-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation