On the Statistical Leak of the GGH13 Multilinear Map and Some Variants

Abstract

At EUROCRYPT 2013, Garg, Gentry and Halevi proposed a candidate construction (later referred as GGH13) of cryptographic multilinear map (MMap). Despite weaknesses uncovered by Hu and Jia (EUROCRYPT 2016), this candidate is still used for designing obfuscators.

The naive version of the GGH13 scheme was deemed susceptible to averaging attacks, i.e., it could suffer from a statistical leak (yet no precise attack was described). A variant was therefore devised, but it remains heuristic. Recently, to obtain MMaps with low noise and modulus, two variants of this countermeasure were developed by Döttling et al. (EPRINT:2016/599).

In this work, we propose a systematic study of this statistical leakage for all these GGH13 variants. In particular, we confirm the weakness of the naive version of GGH13. We also show that, among the two variants proposed by Döttling et al., the so-called conservative method is not so effective: it leaks the same value as the unprotected method. Luckily, the leakage is more noisy than in the unprotected method, making the straightforward attack unsuccessful. Additionally, we note that all the other methods also leak values correlated with secrets.

As a conclusion, we propose yet another countermeasure, for which this leakage is made unrelated to all secrets. On our way, we also make explicit and tighten the hidden exponents in the size of the parameters, as an effort to assess and improve the efficiency of MMaps.

1 Introduction

Since their introduction in cryptographic constructions by Joux in 2000 [25], cryptographic bilinear maps, as provided by pairings on elliptic curves, have enabled the construction of more and more advanced cryptographic protocols, starting with the Identity-Based Encryption scheme of Boneh and Franklin [8]. More abstractly, a group equipped with an efficient bilinear map, and on which some discrete-logarithm like problems are hard (such as the bilinear Diffie-Hellmann problem), provides foundation for a whole branch of cryptography. A natural open question is whether it can be generalized to degrees higher than 2 while ensuring hardness of generalizations of the Diffie-Hellmann problem. Such hypothetical objects are referred to as Cryptographic Multilinear Maps (or, for short, MMaps).

In 2013, Garg, Gentry and Halevi [17] proposed a candidate construction for MMaps related to ideal-lattices, yet without a clearly identified underlying hard lattice problem. It differs from the pairing case in the sense that elements in the low-level groups have no canonical representation, and that the representation is noisy. Yet, these differences are not too problematic on the functionality front.

On the security front, it rapidly turned out that this construction was insecure, at least in its original set-up. In particular, the natural one-round k-partite protocol based on this MMap was broken by the zeroizing attack of Hu and Jia [24]: this construction fails to securely mimic the tripartite protocol of [25]. More generally, the mere knowledge of a non-trivial representative of 0 tends to make constructions based on this MMap insecure. Orthogonally, it has been discovered that solving over-stretched versions of the NTRU problem (whose intractability is necessary for the security of the GGH MMap) was significantly easier than previously thought, due to the presence of an unusually dense sublattice [1, 12, 26], yet this can be compensated at the cost of increasing parameters. Also, due to recent algorithms for the Principal Ideal Problem [6, 7] and Short generator recovery [10, 14], the GGH MMap can be broken¹ in quantum polynomial time, and classical subexponential time \(\exp (\tilde{O}(\sqrt{ n}))\), where n is the dimension of the used ring.

Nevertheless, this candidate MMap was still considered in a weaker form,² to attempt realizing indistinguishability obfuscation (or, for short, iO). Several iO candidates were broken by attacks that managed to build low-level encodings of zero even if no such encodings were directly given (this is referred to as zeroizing attacks, see e.g. [11, 13]). To try to capture and prevent such attacks, a Weak MMap model was devised in [18, 34].

Some iO constructions come with a security proof based on assumptions in the standard model [2, 29, 30], but cannot be securely instantiated with the GGH13 MMap as they require low-level encodings of 0. Others are proved secure in a non-standard model (the Generic MMap model [4, 9] or the Weak MMap Model [15, 18]). These models remain not fully satisfactory, as they imply Virtual-Black-Box Obfuscation [9, 18], a provably impossible primitive [5]. The latest candidate of Lin and Tessaro [31] did escape these pitfalls by relying on pairings, but it required special Pseudo-Random Generators that were rapidly proved not to exist [3, 32].

Statistical leaks in lattice-based cryptography. Early signature schemes based on lattices [21,22,23] suffered from statistical leaks, which led to devastating attacks [20, 35]. Those leaks can be fixed in a provably secure way using a Gaussian Sampling algorithm from Klein [27], as proven in [19]: the samples available to the adversary are made statistically independent from the secret key.

Similar leaks are a worry in the original construction of [17], and therefore, a candidate countermeasure was developed, making use of Klein’s sampling procedure. Nevertheless, no formal statement was made on what this countermeasure prevents: the countermeasure is heuristic. This particular countermeasure turned out to be a difficulty when considering variants of the original scheme, as done in [15]. This candidate obfuscator aims at reaching polynomially small errors and modulus (in order to improve both efficiency and security of the GGH map, especially in the light of the dense sublattice attacks [1, 12, 26]) and hence cannot use the original sampling methods from [17]. Two modified versions of [17] are then proposed in [15], a so-called conservative one, leading to quite efficient parameters, and a so-called aggressive one.

Ideally, one wishes to make provable statements about those four variants, as done in other contexts [19]. Unfortunately, in the context of MMaps, it is not even clear what the statement should exactly be. The next best guarantee is a precise understanding of what can be done from a cryptanalytic point of view, as initiated in [17].

The analysis of the leak of [17] focuses on the covariance of products of encodings of zero. One can (informally) argue that this analysis captures all the information of the leakage. Indeed, up to discretization, such a product is the product of several centered Gaussian distributions (non necessary spherical), and such a distribution is fully identified by its covariance. The countermeasure proposed in Sect. 6.4 of [17] attempts to make this covariance proportional to the identity matrix (and therefore unrelated to all secrets) by sampling each element of the product according to a spherical distribution, that is a distribution whose covariance is proportional to the identity matrix. As we shall see, this attempt is unsuccessful, as one of the factors of the product (namely, the one related to the zero-testing parameter) is fixed. Obtaining several independent multiples of it, with covariance proportional to the identity matrix, then reveals an approximation of this factor.

Contributions. Our main contribution is to give a systematic study of the statistical leakage in the GGH13 scheme and its variants, in a simple framework we define. We first suggest a common formalism that encompasses all the variants at hand, by parametrising the sampling procedure for encodings by an arbitrary covariance matrix. Following the nomenclature of [15, 17], except for the second one that had no clear name, we consider:

1. 1.

   The simplistic method: the GGH MMap without countermeasure [17, Sect. 4.1]. This method was only given for simplicity of exposition and was already highly suspected to be insecure;

2. 2.

   The exponential method:³ the GGH MMap with countermeasure [17, Sect. 6.4];

3. 3.

   The conservative method, proposed in [15]—which we partly revisit to tackle some of its limitations;

4. 4.

   The aggressive method, proposed in [15]—we note that this method is specific to the iO construction of [15], and is not applicable to all constructions over the GGH MMap.

In order to formalize our study of the leakage, we propose a simple setting of the GGH multilinear map. Indeed, due to the attacks in presence of encodings of zero, the exact set-up for the analysis of the leakage in [17] is not relevant anymore. We adjust their setting to not provide low-level encodings of zero directly. Still, some relations between encodings are needed for the MMaps to be non-trivial; to ensure that those relations do not allow zeroizing attacks, we provide a security proof in the weak multilinear map model of [15, 18, 34]. For ease of exposure, we restrict ourselves to degree \(\kappa =2\), yet our analysis easily extends to higher degrees.

Using this framework, we are able to analyse a particular averaging attack against the GGH multilinear map. On the one hand, our analysis shows that Method 3 leads to the same leakage as Method 1. We also prove that with Method 1, a polynomial-time attack can be mounted using the leakage. Interestingly, it does not require the Gentry-Szydlo algorithm [20], unlike the approach discussed in [17, Sects. 6.3.2 and 7.6]. Nevertheless, we did not manage to extend the attack to Method 3: while the same quantity is statistically leaked, the number of samples remains too low for the attack to go through completely. On the other hand, we show that the statistical leakage of Method 4 is similar to the one of Method 2: perhaps surprisingly the aggressive method seems more secure than the conservative one.

Finally, having built a better understanding of which information is leaked, we devise a countermeasure that we deem more adequate than all the above:

1. 5.

   The compensation method.

This method is arguably simpler, and provides better parameters. More importantly, applying the same leakage attack than above, one only obtains a distribution whose covariance is independent of all secrets. We wish to clarify that this is in no way a formal statement of security. The statistical attacks considered in this work are set up in a minimalistic setting, and extensions could exist beyond this minimalistic setting. For example, one could explore what can be done by varying the zero-tested polynomial, or by keeping certain encodings fixed between several successful zero-tests.

As a secondary contribution, we also make explicit and tighten many hidden constants present in the previous constructions, in an effort to evaluate and improve the efficiency of GGH13-like MMaps.

Impact. This result may be useful in pursuit of an underlying hard problem on which one could based the GGH multilinear map. Indeed, we show here that it is possible to recover some information about secret elements, for all the previously proposed sampling methods. Hence, an underlying hard problem (or the security reduction) should capture this leak. This enables us to get a bit more insight into what could be (or could not be) an underlying hard problem for the GGH map. In that regard, finding such a hard underlying problem could be easier with our new method, since one specific leak has been sealed. Again, we do not claim that no other leaks exist.

Further, our analysis shows that the weak multilinear map model does not capture averaging attacks. This is not surprising, as the weak multilinear map model only allows to evaluate polynomials in the post-zero-test values, while we need to average on them for this attack. But proving that averaging cannot be achieved by evaluating polynomials is not so immediate. Interestingly, our results prove it. Indeed, using averaging techniques, we were able to mount a polynomial time attack against our setting when using the simplistic sampling method (Method 1), but we also proved that in the weak multilinear map model, no polynomial time attacks could be mounted. This proves that the weak multilinear map model does not capture averaging attacks.⁴

Finally, our new method severely decreases the length of encodings in the GGH13 multilinear map, which substentially contribute to their practical feasibility.

Outline of the article. In Sect. 2, we recall some mathematical background about cyclotomic number fields and statistics. We also describe the GGH multilinear map and detail the size of its parameters. In Sect. 3, we describe different sampling methods for the GGH multilinear map, which come from [15, 17], using a common formalism so as to factor the later analysis. We describe our simple setting and analyse the leakage in Sect. 4. The security proof of this simple setting in the weak multilinear map model can be found in the full version of this article [16]. Finally, we discuss the design of sampling methods in Sect. 5, and propose a design we deem more rational.

2 Preliminaries

2.1 Mathematical Background

Rings. We denote by R the ring of integers \(\mathbb {Z}[X]/(X^n+1)\) for some n which is a power of 2 and \(K = \mathbb {Q}[X]/(X^n+1)\) its fraction field. We denote by \(\sigma _j : K \rightarrow \mathbb {C}\), with \(1 \le j \le n\), the complex embeddings of K in \(\mathbb {C}\). We also denote \(K_\mathbb {R}= \mathbb {R}[X]/(X^n+1)\) the topological closure of K. For \(x \in K_\mathbb {R}\), we denote \(x_i \in \mathbb {R}\) its \(i\text {-th}\) coefficient, so that \(x = \sum _{i=0}^{n-1} x_i X^i\). For \(g \in K\) (or even \(K_\mathbb {R}\)) we denote gR the ideal generated by g: \(gR = \{gx | x \in R\}\). The complex conjugation over R and K is denoted \(\bar{\cdot }\). It is the automorphism of R sending X to \(X^{-1}\). We denote S the subring of \(K_\mathbb {R}\) of symmetric elements, that is \(S = \{x \in K_\mathbb {R}| x = \bar{x}\}\). We set \(S^+\) the subset of symmetric positive elements of S, defined by \(S^+ = \{x \bar{x} | x \in K_\mathbb {R}\}\). Alternatively, S is the completion of the real subfield of K, and \(S^+\) is (the completion of) the set of elements of K whose embeddings are all non-negative real numbers. Note that \(S^+\) is closed under addition, multiplication, division, but not under subtraction. The elements of \(S^+\) also admit one and exactly one square root (resp. k-th root) in \(S^+\), which we denote \(\sqrt{ \cdot }\) (resp. \(\root k \of {\cdot }\)) . Finally, we call \(x \bar{ x} \in S^+\) the autocorrelation⁵ of \(x \in K_\mathbb {R}\), and denote it A(x). For \(\varSigma \in S^+\) it holds that \(A(\sqrt{\varSigma }) = \varSigma \). We also define equivalence over \(S^+\) up to scaling by reals, and write \(x \sim y\) for invertible elements \(x,y \in S^+\) if \(x = \alpha y\) for some positive real \(\alpha > 0\). Let q be a prime congruent to 1 modulo 2n. We denote by \(R_q\) the quotient ring R/(qR). For \(x \in R\), we denote by \([x]_q\) (or [x] when there is no ambiguity) the coset of the element x in \(R_q\). We will often lift back elements from \(R_q\) to R, in which case we may implicitly mean that we choose the representative with coefficients in the range \([-q/2, q/2]\). To avoid confusion, we will always write \(x^{-1}\) for the inversion in \(R_q\), and keep the fraction symbols 1/x and \(\frac{1}{x}\) for inversion in K and \(K_\mathbb {R}\).

Geometry. Because we work in the ring \(\mathbb {Z}[X]/(X^n+1)\), the canonical geometry of the coefficients embeddings is equivalent, up to scaling, to the geometry of the Minkowski embeddings. We stick with the former, following the literature on multilinear maps. More precisely, the inner product of two elements \(x,y \in K\) is defined by \(\langle x, y \rangle = \sum x_i y_i\). The Euclidean norm (or \(\ell _2\)-norm) is defined by \(\Vert x\Vert = \sqrt{\langle x, x\rangle }\). The \(\ell _\infty \)-norm is noted \( \Vert x\Vert _\infty = \max |x_i|\).

We recall the following inequalities:

$$\begin{aligned} \Vert xy\Vert&\le \sqrt{ n} \cdot \Vert x\Vert \cdot \Vert y\Vert \end{aligned}$$

(1)

$$\begin{aligned} \Vert x\Vert _\infty&\le \Vert x\Vert \le \sqrt{ n} \cdot \Vert x\Vert _\infty \end{aligned}$$

(2)

$$\begin{aligned} \Vert x\Vert ^2&\le \Vert x\bar{x}\Vert _{\infty } \end{aligned}$$

(3)

$$\begin{aligned} \Vert \bar{x}\Vert&= \Vert x \Vert \text { and } \Vert \bar{ x}\Vert _{\infty } = \Vert x \Vert _{\infty }. \end{aligned}$$

(4)

Statistics. We denote by \(\hbox {Pr}[E]\) the probability of an event E. For a random variable x over \(K_\mathbb {R}\), we denote by \(\mathbb {E}[x]\) the expectation of x, and by \(\mathbb {V}[x] = \mathbb {E}[x \bar{x}] - \mathbb {E}[x]\mathbb {E}[\bar{ x}]\) its variance. It should be noted that \(\mathbb {V}[x] \in S^+\) for any random variable x over \(K_\mathbb {R}\). A random variable x is said centered if \(\mathbb {E}[x] = 0\), and isotropic if \(\mathbb {V}[x] \sim 1\). We recall Hoeffding’s inequality.

Theorem 1

(Hoeffding’s inequality). Let \(Y_1, \cdots , Y_m\) be independent random variables in \(\mathbb {R}\) with the same mean \(\mu \in \mathbb {R}\) and such that \(|Y_i| \le B\) for all i’s. Then for all \(t > 0\),

$$\begin{aligned} \hbox {Pr}\left[ \left| \frac{1}{m}\sum _{i = 1}^m Y_i - \mu \right| \ge t \right] < 2e^{-\frac{mt^2}{2B^2}}. \end{aligned}$$

Hoeffding’s inequality, as given above, applies to random variables in \(\mathbb {R}\). In this article, we will be interested in random variables in R. We will then see our elements in R as vectors in \(\mathbb {R}^n\) and apply Hoeffding’s inequality coefficient-wise.

Corollary 1

(Hoeffding’s inequality in R). Let \(Y_1, \cdots , Y_m\) be independent random variables in R with the same mean \(\mu \in K_\mathbb {R}\) and such that \(\Vert Y_i\Vert _{\infty } \le B\) for all i’s. Let \(\varepsilon > 0\), then

$$\begin{aligned} \hbox {Pr}\left[ \left\| \frac{1}{m}\sum _{i = 1}^m Y_i - \mu \right\| _{\infty } \ge B\sqrt{\frac{2(\ln n-\ln \varepsilon )}{m}} \right] < 2 \varepsilon . \end{aligned}$$

Proof

For \(1 \le i \le m\) and \(0 \le j \le n-1\), define \(Y_{i,j}\) to be the j-th coefficient of the variable \(Y_i \in R\) and \(\mu _j\) to be the j-th coefficient of \(\mu \). For a fixed j, the variables \(Y_{i,j}\) (where only i varies) are independent random variables in \(\mathbb {R}\) of mean \(\mu _j\). Moreover, as \(\Vert Y_i\Vert _\infty \le B\) for all i’s, the coefficients \(Y_{i,j}\) are also bounded by B. We can then apply Hoeffding’s inequality (Theorem 1) to them. We obtain

$$\begin{aligned}&\hbox {Pr}\left[ \left\| \frac{1}{m}\sum _{i = 1}^m Y_i - \mu \right\| _{\infty } \ge B\sqrt{\frac{2(\ln n-\ln \varepsilon )}{m}} \right] \\&= \hbox {Pr}\left[ \exists j:\ \left| \frac{1}{m}\sum _{i = 1}^m Y_{i,j} - \mu _{j} \right| \ge B\sqrt{\frac{2(\ln n-\ln \varepsilon )}{m}} \right] \\&\le \sum _{j = 0}^{n-1} \hbox {Pr}\left[ \left| \frac{1}{m}\sum _{i = 1}^m Y_{i,j} - \mu _{j} \right| \ge B\sqrt{\frac{2(\ln n-\ln \varepsilon )}{m}} \right] \\&< \sum _{j = 0}^{n-1} 2e^{-\frac{2m B^2 (\ln n-\ln \varepsilon )}{2 B^2 m}} = \sum _{j = 0}^{n-1} 2\frac{\varepsilon }{n} = 2\varepsilon . \\ \end{aligned}$$

We used the union bound and Hoeffding’s inequality with \(t = B\sqrt{\frac{2(\ln n-\ln \varepsilon )}{m}}\).    \(\square \)

Discrete Gaussians. For \(\varSigma \in S^+\) and \(x_0 \in K_\mathbb {R}\), we define the Gaussian weight function on \(K_\mathbb {R}\) as

$$\begin{aligned} \rho _{\sqrt{\varSigma }, x_0} :x \mapsto \exp \left( -\frac{1}{2}\left\| \frac{x-x_0}{\sqrt{\varSigma }}\right\| ^2 \right) . \end{aligned}$$

For any shifted ideal \(I + c\), \(I \subset K\), \(c \in K_\mathbb {R}\), we define the discrete Gaussian distribution over \(I+c\) of parameter \(\sqrt{\varSigma }\), centered in \(x_0\) by:

$$\begin{aligned} \forall x \in I+c,\; D_{I+c,\sqrt{\varSigma }, x_0} (x) = \frac{\rho _{\sqrt{\varSigma }, x_0}(x)}{\rho _{\sqrt{\varSigma },x_0}(I + c)}. \end{aligned}$$

For concision, we write \(D_{I+c,\sqrt{\varSigma }}\) instead of \(D_{I+c,\sqrt{\varSigma }, 0}\) and \(\rho _{\sqrt{\varSigma }}\) instead of \(\rho _{\sqrt{\varSigma }, 0}\).

Theorem 2

(Reformulation of [19, Theorem 4.1.]). There exists a PPT algorithm that given \(g \in R\), \(c \in K_\mathbb {R}\) and a parameter \(\varSigma \) such that \(\Vert g / \sqrt{\varSigma }\Vert \le o(1/ \sqrt{\log n})\), outputs x from a distribution negligibly close to \(D_{gR+c,\sqrt{\varSigma }}\).

This reformulation simply relies on the identity \(D_{gR+c, \sqrt{\varSigma }} = \frac{\sqrt{\varSigma }}{\sigma }\cdot D_{(gR+c) / \sqrt{\varSigma }, \sigma } \). We also recall that, above the smoothing parameter [33], a discrete Gaussian resembles the continuous Gaussian, in particular it is almost centered at 0, and of variance almost \(\varSigma \).

Lemma 1

For any \(g \in K\), \(\varSigma \in S^+\), \(c \in K_\mathbb {R}\) such that \(\Vert g / \sqrt{\varSigma }\Vert \le o(1/\sqrt{\log n})\), if \(x \leftarrow D_{gR+c,\sqrt{\varSigma }}\), then \(\Vert \mathbb {\mathbb {E}}[x]\Vert \le \varepsilon \cdot \Vert \sqrt{\varSigma } \Vert \) and \(\Vert \mathbb {\mathbb {V}}[x] - \varSigma \Vert \le \varepsilon \cdot \Vert \varSigma \Vert \) for some negligible function \(\varepsilon (n)\).

The proof of this result, using [33, Lemma 4.2], can be found in the full version [16].

2.2 The GGH13 Multilinear Map

We describe in this section the GGH13 multilinear map [17], in its asymmetric setting. The GGH13 multilinear map encodes elements of a ring of integers R, modulo a secret small element \(g \in R\). More concretely, an authority generates the following parameters:

• an integer n which is a power of 2 (serving as the security parameter).

• a (small) element g in R. We denote by \(I=gR\) the ideal generated by g in R.

• a (large) positive integer q such that \(q \equiv 1 \mod 2n\). Originally, q was chosen exponentially large in n [17], but variants were proposed for polynomially sized q [15, 28].

• \(\ell \) invertible elements \([z_i] \in R^\times _q\), for \(1 \le i \le \ell \), chosen uniformly at random in \(R^\times _q\).

• a zero-testing parameter \([p_{zt}] = [h z^*g^{-1}]\) where \([z^*] = [\prod _{1 \le i \le \ell } z_i]\) and h is a random element in R, generated according to a Gaussian distribution of standard deviation approximately \(\sqrt{q}\).

We detail in Sect. 2.2 the size of the parameters described above (we will choose them to ensure the correctness of the scheme). The elements n, q and \(p_{zt}\) are public while the parameters h, g and the \(z_i\)’s are kept secret.

Encoding of an element. The GGH13 multilinear map allows to encode cosets of the form \(a + I\) for some element a in R. Let \(\varvec{v} \in \{0,1\}^{\ell }\) be a vector of size \(\ell \). An encoding of the coset \(a + I\) at level \(\varvec{v}\) is an element of \(R_q\) of the form

$$\begin{aligned} u = \left[ (a+rg) \cdot z_{\varvec{v}}^{-1} \right] \end{aligned}$$

where \([z_{\varvec{v}}] = [\prod _{i, \varvec{v} [i] = 1} z_i]\) and \(a+rg\) is a small element in the coset \(a+I\). We call \(\varvec{v}\) the level of the encoding.⁶ We abuse notation by saying that u is an encoding of a (instead of an encoding of the coset \(a+I\)).

An encoding generated by the authority is called a fresh encoding, by opposition to encodings that are obtained by adding or multiplying other encodings. The precise distribution of \(a+rg\) for a fresh encoding will be a discrete Gaussian distribution over the coset \(a+I\), but not necessarily a spherical one: \(a+rg \leftarrow D_{a + I, \sqrt{\varSigma _{\varvec{v}}}}\). The shape \(\varSigma _{\varvec{v}}\) of this Gaussian is essentially what distinguishes the variants that we will discuss in Sect. 3.

Adding and multiplying encodings. If \(u_1\) and \(u_2\) are two encodings of elements \(a_1\) and \(a_2\) at the same level \(\varvec{v}\) then \(u_1+u_2\) is an encoding of \(a_1 + a_2\) at level \(\varvec{v}\).

If \(u_1\) and \(u_2\) are two encodings of elements \(a_1\) and \(a_2\) at levels \(\varvec{v}\) and \(\varvec{w}\) with \(\varvec{v} [i] \cdot \varvec{w} [i] = 0\) for all \(1 \le i \le \ell \), then \(u_1 \cdot u_2\) is an encoding of \(a_1 \cdot a_2\) at level \(\varvec{v} + \varvec{w}\) (where the addition is the usual addition on vectors of size \(\ell \)).

Zero-testing. We denote by \(\varvec{v^*} = (1, \dots , 1)\) the maximum level of an encoding. The zero testing parameter allows us to test if an encoding u at level \(\varvec{v^*}\) is an encoding of zero, by computing

$$ [w] = [u \cdot p_{zt}].$$

If w is small compared to q (the literature usually requires its coefficients to be less than \(q^{3/4}\)), then u is an encoding of zero. Otherwise, it is not.

Size of the parameters and correctness. We define Q such that \(q = n^Q\) and L such that \(\ell = n^L\) (the elements Q and L are not necessarily integers). The bounds below on the size of g and h come from [17]. The secret generator g is sampled so that:

$$\begin{aligned} \Vert g \Vert = O(n), \quad \Vert 1/g \Vert = O(n^2). \end{aligned}$$

(5)

Remark

There seems to be some inconsistencies in [17] about the size of g, which is on page 10 sampled with width \(\sigma = \tilde{O}(\sqrt{n})\), while on page 13 the width \(\sigma \) is set to \(\sqrt{n \lambda }\) to ensure the smoothing condition \(\sigma \ge \eta _{2^{-\lambda }}(\mathbb Z^n)\) (where \(\lambda = O(n)\) denote the security parameter). Yet, according to [33, Lemma 3.3], it holds that \(\eta _{2^{-\lambda }}(\mathbb Z^n) \le O(\sqrt{\lambda } + \log n)\), so \(\sigma = O(\sqrt{n})\) is sufficient, and we do have \(\Vert g\Vert \le O(n)\) with overwhelming probability by [33, Lemma 4.4].

The numerator \(c=a+rg\) of a fresh encoding of \(a+I\) at level \(\varvec{v}\) is sampled such that

$$\begin{aligned} \Vert c \Vert = \varTheta (n^{\gamma + \eta \cdot \Vert \varvec{v}\Vert _1 + \nu L}), \end{aligned}$$

(6)

where \(\gamma , \eta \) and \(\nu \) are positive reals, and depend on the sampling method, such as the ones proposed in [15] (depending on the method, \(\eta \) and \(\nu \) may be zero). We describe later the different sampling methods and the values of \(\gamma \), \(\eta \) and \(\nu \) associated to each method. When we do not need to focus on the dependence on \(\Vert \varvec{v}\Vert _1\) and L, we just call \(E := \varTheta (n^{\gamma + \eta \cdot \Vert \varvec{v}\Vert _1 + \nu L})\) the bound above. For each sampling method described below, we choose this bound to be as small as possible under the specific constraints that will arise with the sampling method.

The mildly large element h is sampled so that

$$\begin{aligned} \Vert h\Vert = \varTheta ( \sqrt{nq}). \end{aligned}$$

(7)

Remark

In the second variant proposed in [17, Sect. 6.4] to try to prevent averaging attacks, the authors generate h according to a non spherical Gaussian distribution. However, as h is sampled only once, its distribution does not matter for the attack we analyze in this article. This is why we only specify here the size of h, and not its distribution.

We now give a condition on the modulus q to ensure correctness of the GGH13 multilinear map. This condition will depend on the number \(\kappa \) of fresh encodings that we have to multiply in order to obtain a top level encoding. A natural upper bound for \(\kappa \) is \(\ell \), the number of levels of the multilinear map. However, in the following, we will be interested in cases where we are provided with fresh encodings at a somewhat high level and we only need to multiply a small number of them (much smaller than \(\ell \)) to obtain a top level encoding. Choosing a small degree \(\kappa \) is motivated by the fact that we want to obtain a small modulus q. We will see below that q should be at least exponential in \(\kappa \). Hence, in order to achieve a polynomial modulus q, it should be that \(\kappa \) is at most logarithmic in the security parameter (while \(\ell \) can be much larger). In the simple setting we describe in Sect. 4.1, we choose \(\kappa = 2\), which enables q to be polynomial (if we use the good sampling methods).

Correctness of zero-testing a homogeneous polynomial of degree \(\kappa \), whose absolute sum of the coefficients is bounded by \(n^B\) and evaluated in fresh encodings, is guaranteed if \(n^B \cdot \Vert \frac{h}{g} \prod _{i = 1}^\kappa c_i\Vert \le q^{3/4}\). It is then sufficient to have

$$\begin{aligned} B + \frac{\kappa +1}{2} + \frac{Q+1}{2} + 2 + \kappa (\gamma + \nu L) + \eta \ell \le \frac{3}{4} Q. \end{aligned}$$

(8)

The term \(\frac{\kappa +1}{2}\) appears from applying inequality (1) \(\kappa + 1\) times. One should also note that \(\sum _{i = 1}^\kappa \Vert \varvec{v}_i\Vert _1 = \Vert \varvec{v^*}\Vert _1 = \ell \), because we can only zero test at level \(\varvec{v^*}\) (where \(\varvec{v}_i\) is the level of encoding \(c_i\)). More compactly, correctness holds if:

$$\begin{aligned} B + 3 +\kappa (1/2 + \gamma + \nu L) + \eta \ell \le Q/4. \end{aligned}$$

(9)

In our simple setting of the GGH multilinear map defined in Sect. 4.1, we will only query the zero-testing procedure on encodings of this form, with \(\kappa = 2\) and \(B = \log (m)/\log (n)\), for some constant m we will define later. Hence, taking \(4 + 2\gamma + 2\nu L + \eta \ell + \log (m)/\log (n) \le Q/4\) will be sufficient in our setting to ensure correctness of the zero-testing procedure.

Remark

We note that the bound \(q^{3/4}\) for positive zero-tests is somewhat arbitrary and could very well be replaced by q/4, allowing to square-root the parameter q. Indeed, the probability of a false positive during zero-testing would remain as small as \(2^{-n}\). This would have a serious impact on concrete efficiency and security.

3 Sampling Methods

We describe in this section different sampling methods that can be used to generate the fresh encodings of the GGH multilinear map and we give the values of \(\gamma \), \(\eta \) and \(\nu \) that correspond to these methods. As said above, we will be interested in cases where (at least some of) the fresh encodings have a somewhat high degree and we just have to multiply a constant number of them (say 2) to obtain an encoding at maximal level \(\varvec{v}^*\). We denote by \(\mathcal {A}\) the set of “atoms”, that is the set of levels \(\varvec{v} \in \{0,1\}^\ell \) at which we want to encode fresh encodings. In our simple setting of the GGH multilinear map (see Sect. 4.1 for a full description of our setting), we will chose \(\mathcal {A}\) to be the set of levels \(\varvec{v} \in \{0,1\}^\ell \) that have weight exactly 1 or \(\ell -1\), where the weight of \(\varvec{v}\) is the number of its non-zero coefficients. For all \(\varvec{v} \in \mathcal {A}\), we denote by \(\tilde{\varvec{v}} = \varvec{v^*} -\varvec{v}\) the complement of \(\varvec{v}\). We note that \(\mathcal {A}\) is closed by complement.

In all the following sampling methods except the first one, one chooses a representative \(z_{\varvec{v}} \in R\) of \([z_{\varvec{v}}] \in R_q\) for all \(\varvec{v} \in \mathcal {A}\). This representative will not necessarily be the canonical one, with coefficients in \([-q/2, q/2]\). Then, we will take \(\varSigma _{\varvec{v}} = \sigma _{\varvec{v}}^2 z_{\varvec{v}}\bar{z_{\varvec{v}}}\), with \(\sigma _{\varvec{v}} = \varTheta (n^2 \Vert 1/z_{\varvec{v}}\Vert )\). Using Inequalities (3) and (4), we can see that \(\Vert 1/\sqrt{\varSigma _{\varvec{v}}} \Vert \le 1/\sigma _{\varvec{v}} \cdot n^{1/4}\cdot \Vert 1/z_{\varvec{v}}\Vert \). Hence, with our choice of \(\sigma _{\varvec{v}}\) and the fact that \(\Vert g \Vert = O(n)\), we obtain

$$\begin{aligned} \left\| \frac{g}{\sqrt{\varSigma _{\varvec{v}}}}\right\| \le \sqrt{n} \cdot \Vert g\Vert \cdot \left\| \frac{1}{\sqrt{\varSigma _{\varvec{v}}}} \right\| = O\left( \frac{1}{n^{1/4}}\right) = o\left( \frac{1}{\sqrt{\log n}}\right) . \end{aligned}$$

We can therefore apply Theorem 2 to sample the numerators of fresh encodings at level \(\varvec{v}\), according to a Gaussian distribution of parameter \(\varSigma _{\varvec{v}}\). Using tail-cut of Gaussian distributions, we have that if c is the numerator of a fresh encoding, then \(\Vert c \Vert \le n \Vert \sqrt{\varSigma _{\varvec{v}} }\Vert \le n^{1.5} \sigma _{\varvec{v}} \Vert z_{\varvec{v}}\Vert \) with overwhelming probability. This means that we can take

$$\begin{aligned} E \le \varTheta (n^{3.5} \cdot \Vert 1/z_{\varvec{v}}\Vert \cdot \Vert z_{\varvec{v}}\Vert ). \end{aligned}$$

(10)

Hence, in the following methods (except the simplistic one), we will focus on the size of \(\Vert 1/z_{\varvec{v}}\Vert \cdot \Vert z_{\varvec{v}}\Vert \) to get a bound on the value of E.

Remark

Inequality (10) above is not tight. We could at least improve it to \(E \le \varTheta (n^{3+\varepsilon }\cdot \Vert 1/z_{\varvec{v}}\Vert \cdot \Vert z_{\varvec{v}}\Vert )\) for any \(\varepsilon > 0\), by taking \(\sigma _{\varvec{v}} = \varTheta (n^{1.75+\varepsilon } \Vert 1/z_{\varvec{v}}\Vert )\) (it still satisfies the condition of Theorem 2) and by noticing that \(\Vert c \Vert \le n \Vert \sqrt{\varSigma _{\varvec{v}} }\Vert \le n^{1.25} \sigma _{\varvec{v}} \Vert z_{\varvec{v}}\Vert \) for the numerator of a fresh encoding. This ensures statistical closeness to the desired distribution up to \(\exp (-n^{2\varepsilon })\). Considering that there are already classical attacks in time \(\exp (\tilde{O}(\sqrt{n}))\) (namely, using [6, 14] to recover h from the ideal hR), one may just choose \(\varepsilon = 1/4\).

3.1 The Simplistic Method

The simplistic method consists in always choosing \(\varSigma _{\varvec{v}} \sim 1\), independently of \(\varvec{v}\) and \(z_{\varvec{v}}\). This is done by applying Klein’s algorithm [27], and requires for correctness [19, Theorem 4.1] that \(\varSigma _{\varvec{v}} = \sigma ^2\) for a positive scalar \(\sigma \in \mathbb {R}\), where \(\sigma \ge \Vert g\Vert \cdot \omega (\sqrt{\log n})\). So by taking \(\sigma = \varTheta (n^{1+\varepsilon })\) with \(\varepsilon > 0\), one may have \(E = \varTheta (\sqrt{n}\sigma ) = \varTheta (n^{1.5+\varepsilon })\), that is \(\gamma = 1.5+\varepsilon \) and \(\eta = \nu = 0\).

This method was deemed subject to averaging attacks and hence less secure than the following one in [17], but the authors claim that their attack attempts failed because all recovered elements were larger that \(\sqrt{q}\), and that averaging attacks would need super-polynomially many elements.⁷ We make explicit an attack, and will show that this attack is possible even for exponential q, as long as \(E^\kappa \) remains polynomial: in other words, the presence of the mildly large factor h (of size \(\sqrt{q}\)) can be circumvented.

3.2 The Exponential Method

We present here the countermeasure of [17, Sect. 6.4], generalized to multi-dimensional universe, as done in [15, Sect. 2.1]. For \(1 \le i \le \ell \), set \(z_i\) to be the canonical representative of \([z_i]\) in R (with coefficients in the range \([-q/2, q/2]\)). Using rejection sampling when choosing \(z_i\), assume that \(\Vert z_i\Vert \cdot \Vert 1/z_i\Vert \le Z\); this is efficient for Z as small as \(n^{5/2}\) using [15], and can even be improved to \(Z = n^{3/2}\) using Lemma 3 below and its corollary.

For \(\varvec{v}\) in \(\mathcal {A}\), set \(z_{\varvec{v}} = \prod z_i^{v_i}\) over R. Recall that Inequality (10) gives us: \(E \le \varTheta (n^{3.5} \Vert 1/z_{\varvec{v}}\Vert \cdot \Vert z_{\varvec{v}}\Vert )\). But we have \(\Vert z_{\varvec{v}}\Vert \le n^{(\Vert v\Vert _1-1)/2} \prod _{i \in \varvec{v}} \Vert z_i\Vert \) and \(\Vert 1/z_{\varvec{v}}\Vert \le n^{(\Vert v\Vert _1-1)/2} \prod _{i \in \varvec{v}} \Vert 1/z_i\Vert \). Hence we can take

$$E = \varTheta (n^{2.5+\Vert v\Vert _1} \cdot Z^{\Vert v\Vert _1}) = \varTheta (n^{2.5 + 2.5 \Vert v\Vert _1}).$$

This means that we have \(\gamma = 2.5, \eta = 2.5\) and \(\nu = 0\).

Correctness is guaranteed for \(q \ge n^{\varOmega (\ell )}\) (because \(\eta \ne 0\)), and because \(\ell \) is much larger than the constant degree \(\kappa \) in [15], this is not a satisfying solution, as we aim at decreasing q to polynomial. Two alternatives (conservative and aggressive) are therefore developed in [15].

3.3 The Conservative Method [15]

The first alternative suggested is to do as above, but reducing the \(z_{\varvec{v}}\) modulo q, that is, set \(z_{\varvec{v}}\) to be the representative of \([\prod z_i^{v_i}]\) with coefficients in \([-q/2,q/2]\). One then ensures, by rejection of all the \(z_i\)’s together, that \(\Vert z_{\varvec{v}}\Vert \cdot \Vert 1/z_{\varvec{v}}\Vert \le n^{2.5}\) for all \(\varvec{v} \in \mathcal {A}\). This leads to \(E = \varTheta ( n^{3.5} \cdot n^{2.5}) = \varTheta (n^6)\) (i.e., \(\gamma = 6,\ \eta = \nu = 0\)) and therefore allows correctness for q as small as \(n^{O(\kappa )}\), which is polynomial for constant degree \(\kappa \).

Using [15, Lemma 8] restated below, the authors conclude that this method is quite inefficient because for the above bound to hold simultaneously for all \(\varvec{v} \in \mathcal {A}\) with good probability, n must increase together with \(\ell \). Indeed, using Lemma 2, we can bound the probability that one of the \(z_{\varvec{v}}\) does not satisfy \(\Vert z_{\varvec{v}}\Vert \cdot \Vert 1/z_{\varvec{v}}\Vert \le n^{2.5}\) by \(2 |\mathcal {A}|/n = 4\ell /n\). So if we want this probability to be small (say less than 1/2) in order for the sampling procedure to be efficient, we should increase n with \(\ell \).

Lemma 2

(Lemma 8 from [15]). Let [z] be chosen uniformly at random in \(R_q\) and z be its canonical representative in R (i.e., with coefficients in \([-q/2, q/2]\)). Then it holds that

$$\begin{aligned} \hbox {Pr}\left[ \left\| 1/z\right\| \ge n^2/q \right] \le 2/n. \end{aligned}$$

In the following section, we revisit the conservative method by generalizing this lemma.

3.4 The Conservative Method Revisited

In the following lemma, we introduce an extra degree of freedom c compared to the lemma of [15], but also improve the upper bound from \(O(n^{1-c})\) to \(O(n^{1-2c})\).

Lemma 3

Let [z] be chosen uniformly at random in \(R_q\) and z be its representative with coefficients between \(-q/2\) and q/2. Then, for any \(c \ge 1\), it holds that

$$\begin{aligned} \hbox {Pr}\left[ z=0 \vee \Vert 1/z\Vert \ge n^c/q \right] \le 4/n^{2c-1}. \end{aligned}$$

Corollary 2

Let [z] be chosen uniformly at random in \(R^\times _q\) and z be its representative with coefficients between \(-q/2\) and q/2. Then, for any \(c \ge 1\), it holds that

$$ \hbox {Pr}\left[ \Vert 1/z\Vert \ge n^c/q \right] \le 8/n^{2c-1}.$$

We can use this corollary to compute the probability that one of the \(z_{\varvec{v}}\) does not satisfy \(\Vert 1/z_{\varvec{v}}\Vert \le n^c/q\) when the \([z_i]\)’s are independent and chosen uniformly at random in \(R_q^\times \). Indeed, the \([z_{\varvec{v}}]\)’s are uniform in \(R_q^\times \) because they are a product of uniform invertible elements, and, by union bound, we have

$$\begin{aligned} \hbox {Pr}\left[ \exists \varvec{v} \in \mathcal {A}\text { s.t. } \Vert 1/z_{\varvec{v}}\Vert> n^c/q \right]&\le \sum _{\varvec{v} \in \mathcal {A}} \hbox {Pr}\left[ \Vert 1/z_{\varvec{v}}\Vert > n^c/q \right] \\&\le \frac{8|\mathcal {A}|}{n^{2c-1}}. \end{aligned}$$

If we want this probability to be less than 1/2, in order to re-sample all the \(z_i\)’s only twice on average, we should take

$$\begin{aligned} |\mathcal {A}| \le \frac{n^{2c-1}}{16}. \end{aligned}$$

(11)

But we also have \(\Vert z_{\varvec{v}}\Vert \le \sqrt{n} \Vert z_{\varvec{v}}\Vert _{\infty } \le \sqrt{n}q\), hence \(\Vert 1/z_{\varvec{v}}\Vert \cdot \Vert z_{\varvec{v}}\Vert \le n^{c+0.5}\). In order to minimize E, we wish to minimize c, under (11). By taking the minimal value of c that satisfies this constraint, and recalling that \(|\mathcal {A}| = 2\ell \), we obtain

$$\begin{aligned} E = \varTheta (n^{4.5 + L/2}). \end{aligned}$$

This means that \(\gamma = 4.5,\, \nu = 0.5\) and \(\eta = 0\). This conservative method revisited is the same as the original one, except that we improve on the encodings size bound E.⁸ In the following, we will then only focus on the conservative method revisited and not on the original one.

Proof

(Proof of Lemma 3). The proof of this lemma uses the same ideas as the one of [36, Lemma 4.1], but here, the element z is sampled uniformly modulo q instead of according to a Gaussian distribution. Let [z] be chosen uniformly at random in \(R_q\) and z be its representative with coefficients between \(-q/2\) and q/2. Recall that we denote \(\sigma _j : K \rightarrow \mathbb {C}\) the complex embeddings of K in \(\mathbb {C}\), with \(1 \le j \le n\). We know that the size of z is related to the size of its embeddings. Hence, if we have an upper bound on the \(|\sigma _j(1/z)|\), we also have an upper bound on \(\Vert 1/z \Vert \). Moreover, the \(\sigma _j\)’s are morphisms, so \(\sigma _j(1/z) = 1/\sigma _j(z)\), and it suffices to have a lower bound on \(|\sigma _j(z)|\).

Let \(j \in \{1, \cdots , n\}\), there exists a primitive 2n-th root of unity \(\zeta \) such that

$$ \sigma _j(z) = \sum _{i = 0}^{n-1} a_i \zeta ^i,$$

where the \(a_i\)’s are the coefficients of z, and so are sampled uniformly and independently between \(-q/2\) and q/2. As \(\zeta \) is a primitive \(2^k\)-th root of unity for some k, there exists \(i_0\) such that \(\zeta ^{i_0} = I\), where I is a complex square root of \(-1\). So we can write

$$\begin{aligned} \sigma _j(z) = a_0 + I a_{i_0} + \tilde{z}, \end{aligned}$$

for some \(\tilde{z} \in \mathbb {C}\) that is independent of \(a_0\) and \(a_{i_0}\). Now, we have that

$$\begin{aligned} \hbox {Pr}\left[ |\sigma _j(z)| < \frac{q}{n^c} \right]&= \hbox {Pr}\left[ a_0 + I a_{i_0} \in B(-\tilde{z},\frac{q}{n^c}) \right] \\&\le \frac{\text {Vol}(B(-\tilde{z},\frac{q}{n^c}))}{q^2} \\&\le \frac{4}{n^{2c}}, \end{aligned}$$

where \(B(-\tilde{z},q/n^c)\) is the ball centered in \(-\tilde{z}\) of radius \(q/n^c\). A union bound yields that

$$\begin{aligned} \hbox {Pr}\left[ \exists j,\ |\sigma _j(z)| < \frac{q}{n^c} \right] \le n \cdot \frac{4}{n^{2c}} = \frac{4}{n^{2c-1}}. \end{aligned}$$

Which in turns implies

$$\begin{aligned} \hbox {Pr}\left[ \forall j,\ \left| \sigma _j\left( \frac{1}{z}\right) \right| \le \frac{n^c}{q} \right] \ge 1- \frac{4}{n^{2c-1}}. \end{aligned}$$

To complete the proof, we use the fact that for cyclotomic fields of power-of-two order, we have \(\Vert 1/z\Vert \le \max _j(|\sigma _j(1/z)|)\). This gives the desired result.    \(\square \)

Proof

(Proof of Corollary 2). First, note that sampling [z] uniformly in \(R^\times _q\) is the same as sampling [z] uniformly in \(R_q\) and re-sampling it until [z] is invertible. We denote by \(U(R_q)\) (resp. \(U(R^{\times }_q)\)) the uniform distribution in \(R_q\) (resp. \(R^{\times }_q\)). We then have that

But using the definition of conditional probabilities, we can rewrite

The numerator of this fraction is less than \(\Pr _{[z] \leftarrow U(R_q)}[\Vert 1/z\Vert \ge n^c/q ]\), which is less than \(\frac{4}{n^{2c-1}}\) using Lemma 3. And at least half of the elements of \(R_q\) are invertible (if q is prime, we can even say that the proportion of non invertible elements is at most n/q, because \(q \equiv 1 \mod 2n\)). Hence, \(\Pr _{[z] \leftarrow U(R_q)} [[z] \in R^\times _q] \ge 1/2\) and we obtain the desired result

   \(\square \)

3.5 The Aggressive Method

This aggressive method was proposed by Döttling et al. in [15] in order to instantiate the GGH multilinear map for their obfuscator. This method cannot be used for any set of atoms \(\mathcal {A}\), as it relies on the fact that the levels at which we encode fresh encodings have a specific structure. Indeed, for each \(\varvec{v} \in \mathcal {A}\), we have either \([z_{\varvec{v}}] = [z_i]\) for some \(i \in \{1, \cdots , \ell \}\) or \([z_{\varvec{v}}] = [z^* \cdot z_i^{-1}]\). Using this remark, the secret \([z_i]\)’s are generated in the following way.

For i from 1 to \(\ell \) do:

• sample a uniformly random invertible element \([z_i]\) in \(R_q\). Let \(z_i\) be the representative of \([z_i]\) in R with coefficients between \(-q/2\) and q/2, and \(\widetilde{z_i}\) be the representative of \([z_i^{-1}]\) in R with coefficients between \(-q/2\) and q/2.

• until both following conditions are satisfied, re-sample \([z_i]\) :

  $$\begin{aligned} \Vert 1/z_i \Vert&\le n^{3}/q \end{aligned}$$

  (12)
  $$\begin{aligned} \Vert 1/\widetilde{z_i} \Vert&\le n/q. \end{aligned}$$

  (13)

• if \(i = \ell \), we also re-sample \([z_i]\) until this third condition is met

  $$\begin{aligned} \Vert 1/z^* \Vert&\le n/q, \end{aligned}$$

  (14)

  where \(z^*\) is the representative of \([\prod _{1 \le i \le \ell } z_i]\) with its coefficients between \(-q/2\) and q/2.

Remark

As we sample the \([z_i]\)’s from \(i = 1\) to \(\ell \), when we generate \([z_{\ell }]\) all other \([z_i]\)’s are already fixed, so we can define \([z^*]\).

Note that with this method, we re-sample each \(z_i\) an expected constant number of times, independently of \(\ell \). Indeed, all \([z_i]\)’s for \(i \le \ell -1\) are sampled independently. And the two conditions we want are satisfied except with probability at most \(\frac{8}{n}\) for each condition (using Corollary 2 with \([z_i]\) and \([z_i^{-1}]\) that are uniform in \(R^\times _q\) and with \(c = 3\) or \(c = 1\)). So, applying a union bound, the probability that we have to re-sample \([z_i]\) is at most \(\frac{16}{n}\), which is less than 1/2 if \(n \ge 32\). The idea is the same for \([z_\ell ]\) except that we also want \(\Vert 1/z^* \Vert \) to be small. But all \([z_i]\) for \(i < \ell \) are already fixed, so \([z^*]\) only depends on \([z_\ell ]\) and is uniform in \(R^\times _q\). Hence this last condition is also satisfied except with probability \(\frac{8}{n}\) from Corollary 2. And the probability that the three conditions are met for \([z_\ell ]\) is at least 1/2 as long as \(n \ge 48\).

To conclude, if \(n \ge 48\), the procedure described above will sample each \([z_i]\) at most twice in average, independently of the choice of \(\ell \). So we can choose \(\ell \) arbitrarily large and the sampling procedure will take time \(O(\ell ) \cdot \hbox {poly}(n)\).

It remains to choose our representative \(z_{\varvec{v}}\in R\) of \([z_{\varvec{v}}] \in R_q\) and to get a bound on \(\Vert 1/ z_{\varvec{v}}\Vert \cdot \Vert z_{\varvec{v}}\Vert \) for all \(\varvec{v} \in \mathcal {A}\), in order to get the value of E. We will show that \(\Vert z_{\varvec{v}}\Vert \cdot \Vert 1/z_{\varvec{v}}\Vert \le n^{4}\) for some choice of the representative \(z_{\varvec{v}}\) we detail below.

First case. If \(\varvec{v}\) has weight 1, that is \([z_{\varvec{v}}] = [z_i]\) for some i, then we take \({z_{\varvec{v}}= z_i}\). With our choice of \([z_i]\), we have that \(\Vert 1/ z_{\varvec{v}}\Vert \le n^3/q\). And as \(\Vert z_{\varvec{v}}\Vert \) has its coefficients between \(-q/2\) and q / 2 we have that \(\Vert z_{\varvec{v}}\Vert \le \sqrt{n}q\) and hence \(\Vert z_{\varvec{v}}\Vert \cdot \Vert 1/z_{\varvec{v}}\Vert \le n^{3.5} \le n^4\).

Second case. If \(\varvec{v}\) has weight \(\ell -1\), then there exists \(i \in \{1, \cdots , \ell \}\) such that \([z_{\varvec{v}}] = [z^* \cdot z_i^{-1}]\). We choose as a representative of \([z_{\varvec{v}}]\) the element \(z_{\varvec{v}}= z^* \cdot \widetilde{z_i} \in R\), with \(z^*\) and \(\widetilde{z_i}\) as above (with coefficients between \(-q/2\) and q/2). We then have

$$\Vert 1/z_{\varvec{v}}\Vert = \Vert 1/z^* \cdot 1/\widetilde{z_i} \Vert \le \sqrt{n} \cdot \Vert 1/z^*\Vert \cdot \Vert 1/\widetilde{z_i} \Vert \le n^{2.5}/q^2.$$

Further, we have that \(\Vert z_{\varvec{v}}\Vert = \Vert z^* \cdot \widetilde{z_i} \Vert \le \sqrt{ n} \cdot \sqrt{ n} q \cdot \sqrt{ n} q = n^{1.5}q^2\). This finally gives us

$$\begin{aligned} \Vert z_{\varvec{v}}\Vert \cdot \Vert 1/z_{\varvec{v}}\Vert \le n^4. \end{aligned}$$

To conclude, this method gives us

$$\begin{aligned} E = \varTheta ( n^{7.5}). \end{aligned}$$

This means that \(\gamma = 7.5\) and both \(\eta \) and \(\nu \) are zero.

Remark

For all methods with \(\varSigma _{\varvec{v}} \sim z_{\varvec{v}}\bar{z_{\varvec{v}}}\) (i.e., all methods except the simplistic one), if \(c \leftarrow D_{I+a, \sqrt{\varSigma _{\varvec{v}}}}\) is sampled using a Gaussian distribution of standard deviation \(\sqrt{\varSigma _{\varvec{v}}}\), we can rewrite \(c = c^* z_{\varvec{v}}\) with \(c^* \leftarrow D_{\frac{I+a}{z_{\varvec{v}}}, \sigma _{\varvec{v}}}\) for some \(\sigma _{\varvec{v}} \in \mathbb {R}\). Note that \(c^*\) is now a following a spherical Gaussian distribution but its support depends on \(z_{\varvec{v}}\). In addition to this remark, one can observe that in all the methods described above, there exists a real \(\sigma \) such that \(\sigma _{\varvec{v}} \sigma _{\varvec{\tilde{v}}} = \sigma \) for all \(\varvec{v} \in \mathcal {A}\) (in fact, \(\sigma _{\varvec{v}}\) only depends on the weight of \(\varvec{v}\) in all the methods above). This means that for every fresh encodings \([c_{\varvec{v}} z_{\varvec{v}}^{-1}]\) and \([c_{\tilde{\varvec{v}}} z_{\tilde{\varvec{v}}}^{-1}]\) at level \(\varvec{v}\) and \(\tilde{ \varvec{v}}\) generated independently, we have an element \(c^* \in K\), following an isotropic distribution⁹ of variance \(\sigma ^2\) such that \(c_{\varvec{v}}c_{\tilde{\varvec{v}}} = c^* z_{\varvec{v}}z_{\tilde{\varvec{v}}}\) in R. Again, we note that the support of \(c^*\) depends on \(z_{\varvec{v}}\) and \(z_{\tilde{\varvec{v}}}\), but as \(\sigma \) is larger than the smoothing parameter, this has no influence on the variance of \(c^*\) (by Lemma 1).

A summary of the different values of \(\gamma \), \(\eta \) and \(\nu \) for the different sampling methods can be found in Table 1.

4 Averaging Attack

4.1 Our Simple Setting of the GGH Multilinear Map

To study the leakage of the GGH multilinear map, we need to make reasonable assumptions on what is given to the adversary. It has been shown in [24] that knowing low level encodings of zero for the GGH13 multilinear map leads to zeroizing attacks that completely break the scheme. So our setting should not provide any, yet we will provide enough information for some zero-tests to pass. To this end, we will prove our setting to be secure in the weak multilinear map model, which supposedly prevents zeroizing attacks.

This setting is inspired by the use of multilinear maps in current candidate obfuscator constructions, and more precisely the low noise candidate obfuscator of [15]. Yet, for easier analysis, we tailored this setting to the bare minimum. We will assume the degree of the multilinear map to be exactly \(\kappa = 2\), and will provide the attacker with elements that pass zero-test under a known polynomial. The restriction \(\kappa = 2\) can easily be lifted but it would make the exposition of the model and the analysis of the leakage less readable.

More precisely, we fix a number \(m > 1\) of monomials, and consider the homogeneous degree-2 polynomial:

$$\begin{aligned} H(x_1,y_1, \dots , x_m, y_m) = \sum x_i y_i. \end{aligned}$$

Recall that we chose the set of “atoms” \(\mathcal {A}\) to be the set of levels \(\varvec{v} \in \{0,1\}^\ell \) that have weight exactly 1 or \(\ell -1\), where the weight of \(\varvec{v}\) is the number of its non-zero coefficients. For all \(\varvec{v} \in \mathcal {A}\), we let \(\tilde{\varvec{v}} = \varvec{v^*} -\varvec{v}\) (we say that \(\varvec{\varvec{\tilde{v}}}\) is the complement of \(\varvec{v}\)). We assume that for each \(\varvec{v} \in \mathcal {A}\) of weight 1, the authority reveals encodings \(u_{\varvec{v}, 1}, \dots , u_{\varvec{v}, m}\) at level \(\varvec{v}\) of random values \(a_{\varvec{v}, 1}, \dots , a_{\varvec{v}, m}\) modulo I, and encodings \(u_{\varvec{\tilde{v}}, 1}, \dots , u_{\varvec{\tilde{v}}, m}\) at level \(\varvec{\tilde{v}}\) of random values \(a_{\varvec{\tilde{v}}, 1}, \dots , a_{\varvec{\tilde{v}}, m}\) modulo I, under the only constraint that

$$\begin{aligned} H(a_{\varvec{v}, 1},a_{\varvec{\tilde{v}}, 1}, \dots , a_{\varvec{v}, m}, a_{\varvec{\tilde{v}}, m}) = 0 \bmod I. \end{aligned}$$

We remark that generating almost uniform values \(a_{\cdot , \cdot }\) under the constraint above is easily done, by choosing all but one of them at random, and setting the last one to

$$\begin{aligned} a_{\varvec{\tilde{v}}, m} = - a_{\varvec{v}, m}^{-1} \sum _{i=1}^{m-1} a_{\varvec{v}, i} a_{\varvec{\tilde{v}}, i} \bmod I. \end{aligned}$$

In the weak multilinear map model [15, 18, 34], we can prove that an attacker that has access to this simple setting of the GGH multilinear map cannot recover a multiple of the secret element g, except with negligible probability. The definition of the weak multilinear map model and the proof that an attacker cannot recover a multiple of g can be found in the full version [16].¹⁰ This weak multilinear-map model was used to prove security of candidate obfuscators in [15, 18], as it is supposed to capture zeroizing attacks, like the ones of [11, 34]. In the weak multilinear map model, recovering a multiple of g is considered to be a successful attack. This is what motivates our proof that no polynomial time adversary can recover a multiple of g in our simple setting, under this model.

4.2 Analysis of the Leaked Value

We describe in this section the information we can recover using averaging attacks, depending on the sampling method. We will see that depending on the sampling method, we can recover an approximation of \(A(z^*h/g)\), or an approximation of A(h/g) or even the exact value of A(h/g). In order to unify notation, we introduce the leakage \(\mathfrak {L}\), which will refer to \(A(z^*h/g)\) or A(h/g) depending the method. We explain below what is the value of \(\mathfrak {L}\) for the different methods, and how we can recover an approximation of it. In the case of the simplistic method, we also explain how we can recover the exact value of \(\mathfrak {L}\) from its approximation and how to use it to create a zero-testing parameter at level \(2\varvec{v}^*\).

Statistical leakage. Let \(\varvec{v} \in \mathcal {A}\) be of weight 1. We denote by \([u_{\varvec{v}}]\) the encoding \([ H(u_{\varvec{v}, 1},u_{\varvec{\tilde{v}}, 1}, \dots , u_{\varvec{v}, m}, u_{\varvec{\tilde{v}}, m})]\). Recall that we have \([u_{i,\varvec{v}}] = [c_{i, \varvec{v}} z_{\varvec{v}}^{-1}]\), where \(c_{i, \varvec{v}} = a_{i,{\varvec{v}}} + r_{i,\varvec{v}}g\) for some \(r_{i, \varvec{v}} \in R\). So using the definition of H and the fact that \([u_{\varvec{v}}]\) passes the zero test, we can rewrite

$$\begin{aligned}{}[u_{\varvec{v}} p_{zt}]&= [ H(c_{\varvec{v}, 1},c_{\varvec{\tilde{v}}, 1}, \dots , c_{\varvec{v}, m}, c_{\varvec{\tilde{v}}, m}) (z_{\varvec{v}}z_{\tilde{\varvec{v}}})^{-1} \cdot z^* hg^{-1} ] \\&= [ H(c_{\varvec{v}, 1},c_{\varvec{\tilde{v}}, 1}, \dots , c_{\varvec{v}, m}, c_{\varvec{\tilde{v}}, m}) \cdot hg^{-1} ] \\&= H(c_{\varvec{v}, 1},c_{\varvec{\tilde{v}}, 1}, \dots , c_{\varvec{v}, m}, c_{\varvec{\tilde{v}}, m}) \cdot h/g. \end{aligned}$$

Note that the product of the last line is in R, as it is a product of small elements compared to q. Also, the first term is a small multiple of g so we can divide by g. We denote by \(w_{\varvec{v}} \in R\) the value above (i.e., the representative of \([u_{\varvec{v}} p_{zt}]\) with coefficients in \([-q/2, q/2]\)). The term h/g of the product is fixed, but the first factor \(H(c_{\varvec{v}, 1},c_{\varvec{\tilde{v}}, 1}, \dots , c_{\varvec{v}, m}, c_{\varvec{\tilde{v}}, m})\) depends on \(\varvec{v}\): we can average over it. We now analyze this first factor, depending on the method we choose for generating the fresh encodings of the GGH map. We will denote by \(Y_{\varvec{v}}\) the random variable \(H(c_{\varvec{v}, 1},c_{\varvec{\tilde{v}}, 1}, \dots , c_{\varvec{v}, m}, c_{\varvec{\tilde{v}}, m})\).

By definition of the polynomial H, we know that \(Y_{\varvec{v}} = \sum c_{i,\varvec{v}} c_{i, \varvec{\tilde{v}}}\). Moreover, all the \(c_{i,\varvec{v}}\) are independent when i or \({\varvec{v}}\) vary. So the \(c_{i,{\varvec{v}}}c_{i,\tilde{{\varvec{v}}}}\) are centered random variables of variance \(\varSigma _{\varvec{v}} \varSigma _{\tilde{\varvec{v}}}\) (observe that the variance of a product of independent centered variables is the product of their variances) and \(Y_{\varvec{v}}\) is a centered random variable of variance \(m \varSigma _{\varvec{v}} \varSigma _{\tilde{\varvec{v}}}\) (recall that H is a sum of m monomials). We now consider several cases, depending on the choice of \(\varSigma _{\varvec{v}}\).

Case 1 (the simplistic method). In this case, we have \(\varSigma _{\varvec{v}} = \sigma ^2\) for all \(\varvec{v} \in \mathcal {A}\), for some \(\sigma \in \mathbb {R}\). This means that the \(Y_{\varvec{v}}\) are centered isotropic random variables with the same variance. Let us call \(\mu := \mathbb {E}[A(Y_{\varvec{v}})] = m\sigma ^2 \in \mathbb {R}^+\) this variance. If we compute the empirical mean of the \(A(Y_{\varvec{v}})\), this will converge to \(\mu \) and we can bound the speed of convergence using Hoeffding’s inequality. Going back to the variables \(w_{\varvec{v}} = Y_{\varvec{v}} \cdot h/g\), we have that \(\mathbb {E}\left[ A(w_{\varvec{v}})\right] = \mu \cdot A(h/g)\) for some \(\mu \) in \(\mathbb {R}^+\). Furthermore, all the \(A(w_{\varvec{v}})\), with \(\varvec{v}\) of weight 1, are independent variables with the same mean, so we can apply Hoeffding’s inequality.

Case 2 (the conservative method). In this case, we chose \(\varSigma _{\varvec{v}} \sim z_{\varvec{v}}z_{\tilde{\varvec{v}}}\). We do not know the variance of the \(Y_{\varvec{v}}\) (because the \(z_{\varvec{v}}\) are secret) but we will be able to circumvent this difficulty, by averaging over the \(z_{\varvec{v}}\)’s.

First, using the remark we made at the end of Sect. 3, we have that \(Y_{\varvec{v}} = \sum c_{i,\varvec{v}} c_{i, \varvec{\tilde{v}}} = \sum c^*_{i, \varvec{v}} z_{\varvec{v}}z_{\tilde{\varvec{v}}}\), with the \(c^*_{i, \varvec{v}}\) being independent centered isotropic random variables with the same variance \(\sigma ^2 \in \mathbb {R}^+\). Hence, we can rewrite \(Y_{\varvec{v}} = X_{\varvec{v}} z_{\varvec{v}}z_{\tilde{\varvec{v}}}\) with \(X_{\varvec{v}}\) a centered isotropic variable of variance \(m\sigma ^2\) (which is independent of \(\varvec{v}\)). Unlike the previous case, we now have some \(z_{\varvec{v}}z_{\tilde{\varvec{v}}}\) that contribute in \(Y_v\). However, we will be able to remove them again by averaging.

Indeed, even if all the \(z_{\varvec{v}}\) satisfy \([z_{\varvec{v}}z_{\tilde{\varvec{v}}}] = [z^*]\) in \(R_q\), this is not the case in R, and that individually each \(z_{\varvec{v}}\) is essentially¹¹ uniform in the hypercube \([-q/2, q/2]^n\), in particular it is isotropic. For our analysis, let us treat the \(z_{\varvec{v}}z_{\tilde{\varvec{v}}}\) as random variables in R, that are isotropic and independent when \(\varvec{v}\) varies. The isotropy follows from the fact that the two factors are isotropic. The independence assumption is technically incorrect, yet as the only dependence are of arithmetic nature over \(R_q\) and that the elements in question are large, one does not expect the correlation to be geometrically visible.

We will call \(\mu _z := \mathbb {E}\left[ A(z_{\varvec{v}}z_{\tilde{\varvec{v}}})\right] \) their variance. Recall that as the \(z_{\varvec{v}}z_{\tilde{\varvec{v}}}\) are isotropic, \(\mu _z\) is in \(\mathbb {R}^+\). While the independence assumption may be technically incorrect, experiments confirm that the empirical mean \(\mathbb {E}\left[ A(z_{\varvec{v}}z_{\tilde{\varvec{v}}})\right] \) does indeed converge to some \(\mu _z \in \mathbb {R}^+\) as the number of sample grows, and more precisely it seems to converge as \(\mu _z \cdot (1 + \varepsilon )\) where \(\varepsilon \in K_\mathbb {R}\) satisfies \(\Vert \varepsilon \Vert _\infty = \tilde{O}(\sqrt{1 / |\mathcal A|})\), as predicted by the Hoeffding bound (results of the experiments are given in the full version [16]).

Assuming that the \(X_{\varvec{v}}\) are independent of the \(z_{\varvec{v}}z_{\tilde{\varvec{v}}}\),¹² we finally obtain

$$\begin{aligned} \mathbb {E}[A(Y_{\varvec{v}})] = \mathbb {E}[A(X_{\varvec{v}})] \mathbb {E}[A(z_{\varvec{v}}z_{\tilde{\varvec{v}}})] = m \sigma ^2 \mu _z. \end{aligned}$$

We denote by \(\mu = m \sigma ^2 \mu _z\) this value. As in the previous case, the variables \( A(w_{\varvec{v}})\) are independent (when \(\varvec{v}\) has weight 1) and have the same mean

$$\begin{aligned} \mathbb {E}\left[ A(w_{\varvec{v}})\right] = \mu \cdot A(h/g), \end{aligned}$$

with \(\mu \in \mathbb {R}^+\).

Case 3 (the exponential and aggressive methods). In these methods, we can again write \(Y_{\varvec{v}} = X_{\varvec{v}} z_{\varvec{v}}z_{\tilde{\varvec{v}}}\) with \(X_{\varvec{v}}\) a centered isotropic variable of variance \(m\sigma ^2\) for some \(\sigma \in \mathbb {R}^+\), independent of \(\varvec{v}\). However, unlike the previous case, the \(z_{\varvec{v}}z_{\tilde{\varvec{v}}}\) are not isotropic variables anymore and therefore the z’s do not “average-out”.

In the exponential method, the identity \(z_{\varvec{v}} z_{\varvec{\tilde{v}}} = z^*\) holds over R (where \(z^* = \prod _i z_i \in R\) is a representative of \([z^*]\)), hence, \(z_{\varvec{v}} z_{\varvec{\tilde{v}}}\) is constant when \(\varvec{v}\) varies, and we have

$$\begin{aligned} \mathbb {E}\left[ A(w_{\varvec{v}})\right] = \mu \cdot A(h z^*/g), \end{aligned}$$

for some scalar \(\mu \in \mathbb {R}^+\).

In the aggressive method, we have \(z_{\varvec{v}} z_{\varvec{\tilde{v}}} = z^* \cdot \widetilde{z_i} \cdot z_i\) for some \(1 \le i \le \ell \), with \(z^*\) the representative of \([z^*]\), \(z_i\) the representative of \([z_i]\) and \(\widetilde{z_i}\) the representative of \([z_i^{-1}]\) with coefficients in \([-q/2,q/2]\). The element \(z^*\) is fixed, but, as in the conservative case, we can see the \(\widetilde{z_i} \cdot z_i\) as isotropic variables. Assuming they are independent, we then have \(\mathbb {E}\left[ A(z_{\varvec{v}} z_{\varvec{\tilde{v}}}) \right] = \mu _z A(z^*)\) for some scalar \(\mu _z \in \mathbb {R}^+\). And we again have

$$\begin{aligned} \mathbb {E}\left[ A(w_{\varvec{v}})\right] = \mu \cdot A(h z^*/g), \end{aligned}$$

for some scalar \(\mu \in \mathbb {R}^+\).

Conclusion on the average. To conclude, we have argued that in all methods,

$$\mathbb {E}\left[ A(w_{\varvec{v}})\right] = \mu \cdot \mathfrak {L}$$

for some scalar \(\mu \in \mathbb {R}^+\), where the leaked variable \(\mathfrak {L}\) depends on the sampling method in the following way:

• \(\mathfrak {L}= A(h/g)\) for the simplistic and the conservative methods.

• \(\mathfrak {L}= A(h z^*/g)\) for the exponential and the aggressive methods.

Now, using the fact that the random variables \(A(w_{\varvec{v}})\) are independent for different \(\varvec{v} \in \mathcal {A}\) of weight 1, we can compute their empirical mean and Hoeffding’s inequality will allow us to bound the distance to the theoretical mean. In the following we assume that we know \(\mu \).¹³

Relative error of the leakage. Compute

$$\begin{aligned} W = \frac{2}{|\mathcal {A}|} \sum _{\begin{array}{c} {\varvec{v}} \in \mathcal {A}\\ {\varvec{v}} \text { of weight 1} \end{array}} A(w_{\varvec{v}}) \end{aligned}$$

the empirical mean of the random variables \(A(w_{\varvec{v}})\). This is an approximation of \({\mu \cdot \mathfrak {L}}\). We know that the coefficients of the random variable \(w_{\varvec{v}}\) are less than q, so the coefficients of \(A(w_ {\varvec{v}})\) are less that \(nq^2\). By applying Hoeffding’s inequality in R (Corollary 1) with \(\varepsilon = 1/n\), \(B = nq^2\) and \(m = |\mathcal {A}|/2\), we have that \(\Vert W-\mu \cdot \mathfrak {L}\Vert _{\infty } < \frac{nq^2\sqrt{8\ln n}}{\sqrt{|\mathcal {A}|}}\) (except with probability at most 2/n). As the coefficients of \(\mu \mathfrak {L}\) are of the order of \(nq^2\), we have a relative error \(\delta < \sqrt{8\ln n/|\mathcal {A}|}\) for each coefficient of \(\mu \mathfrak {L}\). As \(\mu \) is known, this means that we know \(\mathfrak {L}\) with a relative error at most \(\sqrt{8\ln n/|\mathcal {A}|}\).¹⁴

Unfortunately, we cannot directly recover the exact value of \(\mathfrak {L}\) because its coefficients are not integers. When \(\mathfrak {L}= A(h z^*/g)\), i.e., for the exponential and aggressive methods, we do not know how to use this approximation of \(\mathfrak {L}\) to recover the exact value of \(\mathfrak {L}\).¹⁵ When \(\mathfrak {L}= A(h /g)\), i.e., for the simplistic and conservatives methods, we can circumvent this difficulty. The idea is to transform our approximation of \(\mathfrak {L}\) into an approximation of an element \(r \in R\), with coefficients that are integers of logarithmic bit-size. Indeed, if we have an approximation of r with error less that 1/2 we can round its coefficients and recover the exact value of r. And we can get such an approximation using a polynomial number of samples because the coefficients we want to recover have logarithmic bit-size. This is what we explain in next subsection. Unfortunately, we will see that for the conservative method, the number of samples we need to be able to round r to its exact value is not compatible with the constraint we had on \(|\mathcal {A}|\) for being able to generate the \(z_{\varvec{v}}\).

From the leakage to a complete attack against the GGH map. In this section, we explain how we can recover the exact value of A(h / g), when \(\mathfrak {L}= A(h/g)\) and we have enough samples. We then show how we can use this exact value to construct a zero-testing parameter at level \(2\varvec{v}^*\).

Recovering \(\mathfrak {L}\) exactly when \(\mathfrak {L}= A(h/g)\). In the following, we assume that we have an approximation of A(h/g) with relative error \(\delta < \sqrt{8\ln n/|\mathcal {A}|}\) and we want to recover the exact value of A(h/g). Let u be any encoding at level \(\varvec{v^*}\) that passes the zero test (we can take u to be one of the \([u_{\varvec{v}}] = [H(u_{\varvec{v}, 1},u_{\varvec{\tilde{v}}, 1}, \dots , u_{\varvec{v}, m}, u_{\varvec{\tilde{v}}, m})]\)). We have that \([u\cdot p_{zt}] = c \cdot h/g \in R\) for some small multiple c of g. In particular, the coefficients of c are somehow small¹⁶ and are integers. Using our approximation W of \(\mu \cdot A(h/g)\) with relative error \(\delta \) plus the fact that we know \(\mu \) and \(c \cdot h/g\), we can recover an approximation of A(c) with relative error at most \(\delta \cdot n^2\) by computing \(A(c \cdot h/g) \cdot \mu \cdot W^{-1}\).

The coefficients of A(c) are integers and are less than \(m^2n^2E^4\). Indeed, \(c = H(c_{\varvec{v}, 1},c_{\varvec{\tilde{v}}, 1}, \dots , c_{\varvec{v}, m}, c_{\varvec{\tilde{v}}, m})\) for some \(\varvec{v}\) and we have \(\Vert c_{\varvec{v}, i}\Vert \le E\) for all \(\varvec{v}\)’s and i’s. So we know that \(\Vert c\Vert \le mn^{1/2}E^2\) and we get the desired bound on \(\Vert A(c)\Vert _{\infty }\). Hence, if we have an approximation of the coefficients of A(c) with relative error at most \(\frac{1}{2m^2n^2E^4}\), the absolute error is less that 1/2 and we can round the coefficients to recover A(c) exactly. We can then recover A(h/g) exactly by computing \(A(c \cdot h/g)/A(c)\).

Putting together the conditions we got on the parameters, we have \(\delta < \sqrt{\frac{8 \ln n}{|\mathcal {A}|}}\) and we want \(\delta \cdot n^2 < \frac{1}{2m^2n^2E^4}\) to be able to recover A(c). This is satisfied if \(\sqrt{\frac{8 \ln n}{|\mathcal {A}|}} < \frac{1}{2m^2n^4E^4}\), i.e., \(|\mathcal {A}| > 32E^8m^4n^8 \ln n \).

To conclude, if \(|\mathcal {A}| > 32E^8m^4n^8 \ln n \), we can recover \(A(g/h) \in K\) exactly.¹⁷ In Sect. 4.3, we compare this constraint to the ones we had for the samplings methods. We will see that for the simplistic method, our constraints are compatible, so we can perform the attack. But this is not the case with the conservative method.

Using A(h/g) to create a zero testing parameter at a forbidden level. We present here a possible way of using the recovered value A(h/g). Note that in current obfuscation model (for instance the weak multilinear map model of [18] or [15]), recovering A(h/g) is already considered as a success for the attacker. Indeed, its denominator is a multiple of \(A(g) = g \bar{g}\) so in particular we have recovered a multiple of g, which is considered as a success of the attacker in these models.¹⁸ Moreover, even if we do not consider that recovering a multiple of g is bad news, we present here a way of using A(h/g) to create a zero-testing parameter at a higher level than \(\varvec{v^*}\) (here we create a zero-testing parameter at level \(2\varvec{v^*}\)).

First, note that the complex conjugation \(\bar{\cdot }\) in R is compatible with \(R_q\). Indeed, let \(c,r \in R\), we have \(\overline{c+qr} = \overline{c} + \overline{qr} = \overline{c} + q\overline{r}\) (because \(\bar{\cdot }\) is \(\mathbb {R}\)-linear). So \(\overline{c+qr} \equiv \overline{c}\bmod q\) and we can define the operation \(\bar{\cdot }\) in \(R_q\) by \(\overline{[r]} = [\overline{r}]\). We will use this to construct our zero-testing parameter. Let again [u] be an encoding of zero at level \(\varvec{v^*}\) and write \([u] = [c\cdot (z^*)^{-1}]\) where c is a small multiple of g. Compute

$$\begin{aligned} p_{zt}'&= [\overline{u} \cdot p_{zt}^2 \cdot \overline{p_{zt}} \cdot A(h/g)^{-1}] \\&= \left[ \frac{\overline{c}}{\bar{z^*}} \cdot \frac{(z^*)^2h^2}{g^2} \cdot \frac{\bar{z^*}\overline{h}}{\overline{g}} \cdot \frac{g \overline{g}}{h \overline{h}} \right] \\&= \left[ \frac{(z^*)^2 \cdot (h \bar{c})}{g}\right] . \end{aligned}$$

As \(h \bar{c}\) is small compared to q, this is likely to give us a zero-testing parameter at level \(2\varvec{v^*}\). To be sure that we can indeed zero-test at level \(2\varvec{v^*}\), we should check that the noise obtained at that level, when multiplied by \(h \bar{c}\), does not become larger than q.

A sufficient condition for this attack to succeed is that

$$\begin{aligned} B + 3 + 3\kappa (1/2 + \gamma + \nu L) + \eta \ell \le Q/4 \end{aligned}$$

(15)

which is a variation on Inequality (9) where \(\kappa \) has been replaced by \(3\kappa \).

Note that the typical choice of q in [15, 17] includes quite some extra margin compared to our condition (9). But even if q is chosen tightly following Inequality (9), it is not clear that the attack is prevented. Indeed, these conditions (9) and (15) are derived from the worst case inequality (1) (\(\Vert xy\Vert \le \sqrt{ n} \cdot \Vert x\Vert \cdot \Vert y\Vert \)), and may therefore be far from tight in the average case. In fact, \(\Vert xy\Vert / (\Vert x\Vert \cdot \Vert y\Vert )\) can be arbitrarily small for well chosen x and y.

Determining whether there exist parameters that guarantee that legitimate zero-tests at level \(\varvec{v^*}\) almost always succeed while fraudulent zero-tests at level \(\varvec{2v^*}\) almost always fail would require a quite refined analysis of the distributions at hand, which is beyond the scope of this work. Indeed, we find it preferable to block this type of attacks by more robust means.

4.3 Noise Analysis of the Leakage

We sum up in this section the leakage that we can obtain and with which precision, depending on the sampling methods presented in Sect. 3.

The simplistic method. In this method, we have \(\mathfrak {L}= A(h/g)\). Recall that in this case, we can recover the exact value of \(\mathfrak {L}\) if \(\ell > 16E^8m^4n^8 \ln n\) (using the fact that \(|\mathcal {A}| = 2\ell \)). But in this method, we had \(E = O(n^{1.5+\varepsilon })\), for any \({\varepsilon > 0}\). Hence, taking \(\ell = \varTheta (n^{20+8\varepsilon }m^4\ln n)\) satisfies the conditions for generating the parameters plus our condition \(\ell > 16E^8m^4n^8 \ln n\). To conclude, when using the simplistic method with some choice of the parameters, we can recover the exact value A(h/g) and use it to construct a forbidden zero-testing parameter at level \(2\varvec{v}^*\). Note that recovering A(h/g) also means that we recovered a multiple of g. However, we proved that in the weak multilinear map model, no polynomial time attacker could recover a multiple of g. This proves that the averaging attack described above is not captured by the weak multilinear map model.

Remark

For this sampling method, as \(\varSigma _{\varvec{v}} \sim 1\), we do not need to average over the \({\varvec{v}}\), so we could also have \(\ell = 2\) as long as we have enough samples for each \({\varvec{v}}\).

The exponential method. In this method, we have \(\mathfrak {L}= A(z^*h/g)\). We can recover an approximation of \(\mu \mathfrak {L}\) with relative error at most \(\sqrt{\frac{8 \ln n}{|\mathcal {A}|}}\). We do not know if it is possible to recover \(\mathfrak {L}\) exactly.

The conservative method revisited. In this method, we have \(\mathfrak {L}= A(h/g)\), we can recover an approximation of \(\mu \mathfrak {L}\) with relative error at most \(\sqrt{\frac{8 \ln n}{|\mathcal {A}|}}\) according to our heuristic analysis. While the independence condition between the \(A(z_{\varvec{v}}z_{\tilde{\varvec{v}}})\) for applying Hoeffding’s bound may not be satisfied, we show that this rate of convergence seems correct in practice (see the experiments in the full version [16]).

Recall that if \(\ell > 16E^8m^4n^8 \ln n\), then we can recover A(h/g) exactly. But for the sampling method to work, we need to take \(E = \varTheta (n^{4.5}\sqrt{\ell })\). Hence, the condition \(\ell > 16E^8m^4n^8 \ln n\) can be rewritten

$$\begin{aligned} \ell > \varTheta (n^{44}\ell ^{4}m^4\ln n). \end{aligned}$$

This condition cannot be satisfied, so we cannot have enough samples for our attack when using this sampling method. And all we get is an approximation of \(\mu A(h/g)\). Nevertheless, the only thing that prevents the full attack is the size of the parameters we have to choose in order to be able to generate the fresh encodings.

The aggressive method. In this method, we have \(\mathfrak {L}= A(z^*h/g)\). We can recover an approximation of \(\mu \mathfrak {L}\) with relative error at most \(\sqrt{\frac{8 \ln n}{|\mathcal {A}|}}\). We do not know if it is possible to recover \(\mathfrak {L}\) exactly.

4.4 Conclusion

We give in Table 1 a summary of the parameters used for the different sampling methods, and of the resulting leakage. The column’constraints’ specifies possible constraints on the parameters or on the atoms set \(\mathcal {A}\), that arise when using this sampling method. Recall that due to the correctness bound (9), there is always a constraint on the modulus q, so we do not mention it in the column ‘constraints’. This constraint on q can be obtained from the columns \(\gamma \), \(\eta \) and \(\nu \), using the formula \(\log q \ge 4\log (n) (3 + \kappa /2 + \kappa \gamma + \kappa \nu L + \eta \ell ) + 4\log (m)\).

Table 1. Summary of the leakage analysis, depending on the sampling method. This includes our new method, sketched in Sect. 5. We recall that, according to correctness bound (9), the modulus q must satisfy \(\log q \ge 4\log (n) (3 + \kappa /2 + \kappa \gamma + \kappa \nu L + \eta \ell ) + 4\log (m)\).

We have seen that the leakage obtained in the conservative method is the same as the one of the unprotected scheme (the simplistic method). However, in the case of the conservative method, the number of available samples is not sufficient to complete the attack, as it is the case in the simplistic method. This limitation on the number of samples comes from some constraints in the sampling procedure and seems a bit accidental, we do not find this version of the countermeasure fully satisfactory.

We can also question the security of the other methods (exponential and aggressive), which leak an approximation of \(A(hz^*/g)\), related to secret values. More precisely, one could wonder whether this noisy leakage could be combined with the knowledge of \(p_{zt}= [h z^*g^{-1}]\) to mount an attack. As this problem does not look like any traditional (ideal) lattice problem, we fail to conclude beyond reasonable doubt that it should be intractable. We would find it more rational to make the leakage unrelated to secret parameters. In the following section, we propose such a design, which is simple, and leads to better parameters.

5 The Compensation Method

In this section, we propose a new sampling method which is designed so that the leakage \(\mathfrak {L}\) that an attacker can recover by using the averaging attack described above, reveals no information about secret parameters of the GGH map. Nevertheless, we note that even if the attack described above does not apply directly to this method, other averaging attacks may be able to leak secret information. An idea could be to fix some encodings and average over the others.

Discussion on design. We have seen that choosing different covariance parameters \(\varSigma _{\varvec{v}}\) at different levels \(\varvec{v}\) can in fact make the leak worse, as the attacker can choose to average them out. We also remark that the parameters \([z_{\varvec{v}}]\) can be publicly re-randomized without affecting anything else, in particular without affecting the covariance \(\varSigma _{\varvec{v}}\) of the numerator of the encodings. Indeed, we can choose random invertible elements \([\hat{z}_i] \in R_q^\times \), and apply the following transformation to all encodings \(e_{\varvec{v}}\) at level \(\varvec{v}\), as well as to the zero-testing parameter \([p_{zt}]\):

$$\begin{aligned}{}[e_{\varvec{v}}] \mapsto \left[ \prod _{i \in \varvec{v}} \hat{z}^{-1}_i \right] \cdot [e_{\varvec{v}}], \quad [p_{zt}] \mapsto \left[ \prod _{i \in \varvec{v}^\star } \hat{z}_i \right] [p_{zt}]. \end{aligned}$$

This means that the relation between the covariance \(\varSigma _{\varvec{v}}\) and the denominators \(z_{\varvec{v}}\) can be publicly undone while maintaining functionality.

The compensation method. We therefore proceed to set \(\varSigma _{\varvec{v}} = \varSigma \) for all levels \(\varvec{v}\), and to choose \(\varSigma \) independently of the \(z_{\mathbf {v}}\). Doing so, we observe that the leakage \(\mathfrak L\) will generically be:

$$\begin{aligned} \mathfrak {L} \sim \varSigma ^\kappa \cdot A(h/g). \end{aligned}$$

(16)

We then choose \(\varSigma \sim {A(g/h)}^{1/\kappa }\), ensuring \( \mathfrak L \sim 1\): the leakage is made constant, unrelated to any secret. We insist nevertheless that, as the previous methods, this method comes with no formal security argument. We also warn that we have not thoroughly explored more general leakage attacks, varying the zero-tested polynomials or keeping some encodings fixed.

It remains to see how short one can efficiently sample encodings following this choice. To get tighter bounds, we look at the conditioning number (or distortion) \(\delta (\sqrt{ \varSigma }) = \frac{\max (\sigma _i(\sqrt{ \varSigma }))}{\min (\sigma _i(\sqrt{ \varSigma }))}\), where \(\sigma _i\) runs over all embeddings. One easily verifies the following properties:

$$\begin{aligned} \delta (A(x))&= \delta (x)^2 \end{aligned}$$

(17)

$$\begin{aligned} \delta (x^k)&= \delta (x)^{|k|} \quad \text { for any } k \in \mathbb {R}, \end{aligned}$$

(18)

$$\begin{aligned} \delta (xy)&\le \delta (x)\delta (y). \end{aligned}$$

(19)

If a variable \(x \in K_{\mathbb {R}}\) has independent continuous Gaussian coefficients of parameter 1, then its embeddings are (complex) Gaussian variables of parameter \(\varTheta (\sqrt{ n})\), and it holds with constant probability that

$$\begin{aligned} \forall i,\quad \varOmega (1) \le |\sigma _i(x)| \le O(\sqrt{n \log n}). \end{aligned}$$

(20)

Indeed, the right inequality follows from classic tail bounds on Gaussian. For the left inequality, consider that \(|\sigma _i(x)| \ge \max (|\mathfrak {R}(\sigma _i(x))|, |\mathfrak {I}(\sigma _i(x))|)\), where both the real and imaginary parts are independent Gaussian of parameter \(\varTheta (\sqrt{ n})\): each part will be smaller than \(\varTheta (1)\) with probability at most \(1/\sqrt{2n}\). By independence, \(|\sigma _i(x)| \le \varTheta (1)\) holds with probability at most 1/2n for each i, and one may conclude by the union bound.

By scaling (and plausibly ignoring discreteness issues since g and h are sampled above the smoothing parameter of \(\mathbb {Z}^n\)) we can therefore assume, using rejection sampling over h and g, that \(\delta (g), \delta (h) \le O(\sqrt{n \log n})\) , and therefore

$$\begin{aligned} \delta (\sqrt{ \varSigma }) = \delta (A(g/h))^{1/{2\kappa }} \le (\delta (g)\delta (h))^{1/\kappa } \le O(n \log n)^{1/\kappa }.\end{aligned}$$

This allows us to scale \(\varSigma \) so that:

• \(\Vert g / \sqrt{\varSigma }\Vert \le o(1/\sqrt{\log n})\), so that we can sample efficiently via Theorem 2.

• \(E = \sqrt{ n} \cdot \Vert \sqrt{ \varSigma } \Vert \le \sqrt{ n} \cdot \Vert g\Vert \cdot \delta (\sqrt{ \varSigma }) \cdot \omega (\sqrt{\log n}) = O(n^{1.5 + 1/\kappa + \varepsilon })\): the size of the numerators of the encodings is barely worse than in the simplistic method, and significantly better than in all other methods.