GGH15 Beyond Permutation Branching Programs: Proofs, Attacks, and Candidates

Chen, Yilei; Vaikuntanathan, Vinod; Wee, Hoeteck

doi:10.1007/978-3-319-96881-0_20

Yilei Chen¹⁵,
Vinod Vaikuntanathan¹⁶ &
Hoeteck Wee¹⁷

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10992))

Included in the following conference series:

Annual International Cryptology Conference

2729 Accesses
48 Citations

Abstract

We carry out a systematic study of the GGH15 graded encoding scheme used with general branching programs. This is motivated by the fact that general branching programs are more efficient than permutation branching programs and also substantially more expressive in the read-once setting. Our main results are as follows:

Proofs. We present new constructions of private constrained PRFs and lockable obfuscation, for constraints (resp. functions to be obfuscated) that are computable by general branching programs. Our constructions are secure under LWE with subexponential approximation factors. Previous constructions of this kind crucially rely on the permutation structure of the underlying branching programs. Using general branching programs allows us to obtain more efficient constructions for certain classes of constraints (resp. functions), while posing new challenges in the proof, which we overcome using new proof techniques.
Attacks. We extend the previous attacks on indistinguishability obfuscation (iO) candidates that use GGH15 encodings. The new attack simply uses the rank of a matrix as the distinguisher, so we call it a “rank attack”. The rank attack breaks, among others, the iO candidate for general read-once branching programs by Halevi, Halevi, Shoup and Stephens-Davidowitz (CCS 2017).
Candidate Witness Encryption and iO. Drawing upon insights from our proofs and attacks, we present simple candidates for witness encryption and iO that resist the existing attacks, using GGH15 encodings. Our candidate for witness encryption crucially exploits the fact that formulas in conjunctive normal form (CNFs) can be represented by general, read-once branching programs.

You have full access to this open access chapter, Download conference paper PDF

Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding

Matrix PRFs: Constructions, Attacks, and Applications to Obfuscation

Post-zeroizing Obfuscation: New Mathematical Tools, and the Case of Evasive Circuits

Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Graph-induced graded encodings – henceforth called GGH15 encodings – were put forth by Gentry, Gorbunov and Halevi [23] as a candidate instantiation of (approximate) cryptographic multilinear maps [8, 20], with the hope that these encodings could in turn be used to build advanced cryptographic primitives whose security is related to the hardness of the learning with errors (LWE) problem [36]. In addition, following [20, 21], the same work presented candidate constructions of multi-party key exchange and indistinguishability obfuscation (iO) starting from these graded encoding schemes.

In the last few years, a very fruitful line of works has shed a great deal of insight into the use of GGH15 encodings in two complementary settings: constructing security reductions from LWE (partially validating the intuition in GGH15), and demonstrating efficient attacks. The former include constructions of private constrained pseudorandom functions (PRFs) [13], lockable obfuscation (aka obfuscating the “compute-then-compare” functionality) [26, 38] and encryption schemes that constitute counter-examples for circular security [27, 30]. The latter include efficient attacks [15, 17] on the key exchange and iO candidates described in [23]. One of the key distinctions between the two settings is whether an adversary can obtain encodings of zero from honest evaluations. For all the applications that can be based on LWE, the adversary cannot trivially obtain encodings of zero; whereas the attacks apply only to settings where the adversary can trivially obtain encodings of zero. There is much grey area in between, where we neither know how to obtain encodings of zero nor are we able to prove security based on LWE (e.g., in the setting of witness encryption).

This work. In this work, we explore the use of GGH15 encodings together with general (non-permutation) matrix branching programs. In particular, we present (i) new constructions of private constrained PRFs and lockable obfuscation from LWE, (ii) new attacks on iO candidates, and (iii) new candidates for iO and witness encryption that resist our new attacks as well as prior attacks. At the core of these results are new techniques and insights into the use of GGH15 encodings for a larger class of branching programs.

Most of the prior constructions and candidates for the primitives we consider follow the template laid out in [21]: start with the class of NC$^1$ circuits, represented using permutation branching programs, which are specified by a collection of permutation matrices $ \left\{ \mathbf {M}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$. Computation in such a program proceeds by taking a subset product of these matrices, where the choice of the subset is dictated by the input but the order in which the matrices are multiplied is oblivious to the input. To cryptographically “protect” this computation, we will first pre-process and randomize $\{\mathbf {M}_{i,b}\}$ to obtain a new collection of matrices $\{ \mathbf {\hat{S}} _{i,b}\}$, and then encode the latter using graded encodings. Functionality (e.g. evaluation in lockable obfuscation and iO) relies on the fact that we can check whether some subset product of the $ \mathbf {\hat{S}} _{i,b}$’s is zero (or the identity matrix) using the underlying graded encodings. Any security proof or attack would of course depend on the class of matrices $\mathbf {M}_{i,b}$’s we start out with, and how the $ \mathbf {\hat{S}} _{i,b}$’s are derived.

Beyond permutation matrices. From a feasibility point of view, working with permutation matrices is without loss of generality. We know that any NC$^1$ circuit (or even a logspace computation) can be represented as a permutation matrix branching program [5]. Moreover, any general branching program, where the underlying matrices are possibly low-rank, can be converted to a permutation branching program with a polynomial blow-up in the number and dimensions of these matrices. Nonetheless, there are advantages to working with more general, not necessarily permutation or full-rank, branching programs:

The first is concrete efficiency. For instance, representing equality or point functions on $\ell $-bit string would use $O(\ell ^2)$ constant-width matrices with permutation branching programs, but just $2\ell $ width-one matrices (i.e. entries) with general branching programs.
The second is that in the read-once setting, general branching programs are more expressive than permutation branching programs. The restriction to read-once branching programs is useful in applications such as iO and witness encryption, as they allow us to disregard “multiplicative bundling” factors that protect against mixed-input attacks, which in turn yields much more efficient constructions. This was shown in a recent work of Halevi, Halevi, Shoup and Stephens-Davidowitz (HHSS) [29], which presented an iO candidate for read-once branching programs based on GGH15 encodings. Their candidate is designed for general read-once branching programs, as read-once permutation branching programs only capture an extremely limited class of functions.

This raises the natural question of the security of GGH15-based constructions when applied to general (non-permutation, possibly low-rank) matrix branching programs, as is exactly the focus of this work. Indeed, the afore-mentioned proof techniques and attacks break down in this setting. In particular, the HHSS iO candidate appears to resist the existing attacks in [15, 17], thanks in part to the use of low-rank matrices (cf. [29, Sect. 1.2]).

We proceed to describe our results and techniques in more detail.

1.1 Our Results I: New Cryptographic Constructions from LWE

We present new constructions of private constrained PRFs and lockable obfuscation that work directly with general matrix branching programs. As with prior works, our constructions are secure under the LWE assumption with subexponential approximation factors. Our result generalizes the previous constructions in [13, 26, 38] which only work for permutation branching programs, and yields improved concrete efficiency for several interesting classes of functions that can be represented more efficiently using general branching programs, as described next.

Lockable obfuscation [26, 38] refers to the average-case secure virtual black-box (VBB) obfuscation for a class of functionalities $\mathbf {C}[f,y]$ which, on input x, output 1 if $f(x) = y$ and 0 otherwise. The average-case refers (only) to a uniformly random choice of y (more generally, y with sufficient min-entropy). For lockable obfuscation, we obtain improved constructions for a class of “compute” functions where each output bit is computed using a general branching program applied to the input x (whereas [26, 38] require permutation branching programs). To illustrate the efficiency gain, consider the case where each output bit of the underlying function f computes a disjunction or conjunction of the $\ell $ input bits. In this case, we achieve up to a quadratic gain in efficiency due to our support for general branching programs. This class generalizes the distributional conjunction obfuscator studied in [10, 12, 38].
Private puncturable PRFs are an important special case of constrained PRFs, with many applications such as 2-server private information retrieval (PIR) [6]. We obtain a very simple private puncturable PRF with a quadratic efficiency improvement over the recent GGH15-based construction of Canetti and Chen [13]. Nonetheless, our construction is admittedly less efficient –for most settings of parameters– than the more complex constructions in [6, 11] that combines techniques from both fully-homomorphic and attribute-based encryption.

Next, we provide a very brief overview of our techniques, and defer a more detailed technical overview to Sect. 2.

New constructions and proof techniques. A GGH15 encoding of a low-norm matrix $ \mathbf {\hat{S}} $ w.r.t. two matrices $\mathbf {A}_0$ and $\mathbf {A}_1$ is defined to be along the edge $\mathbf {A}_0 \mapsto \mathbf {A}_1$ and is computed as

$$ \mathbf {D} \leftarrow \mathbf {A}_0^{-1}( \mathbf {\hat{S}} \mathbf {A}_1 + \mathbf {E})$$

where for all $ \mathbf {A} $, $ \mathbf {Y} $ with proper dimensions, the notation $ \mathbf {D} \leftarrow \mathbf {A}^{-1}( \mathbf {Y})$ means that $ \mathbf {D} $ is a random low-norm matrix such that $\mathbf {A}\mathbf {D}= \mathbf {Y}\bmod q$.

The constructions in [13, 26, 27, 38] encode any permutation matrix $\mathbf {M}\in \{0,1\}^{w \times w}$ as a GGH15 encoding of $ \mathbf {\hat{S}} = \mathbf {M}\otimes \mathbf {S}$ , i.e.

$$\mathbf {A}_0^{-1}((\mathbf {M}\otimes \mathbf {S}) \mathbf {A}_1 + \mathbf {E})$$

for a random low-norm $\mathbf {S}$. The crux of the analysis is to show that $\mathbf {M}$ is hidden under the LWE assumption, namely: for any permutation matrix $\mathbf {M}\in \{0,1\}^{w \times w}$,

$$\begin{aligned} (\mathbf {A}_0, \mathbf {A}_0^{-1}((\mathbf {M}\otimes \mathbf {S}) \mathbf {A}_1 + \mathbf {E})) \approx _c (\mathbf {A}_0, \mathbf {V}) \end{aligned}$$

(1)

where $\mathbf {A}_0,\mathbf {A}_1$ are uniformly random over $\mathbb {Z}_q$, $\mathbf {S},\mathbf {V},\mathbf {E}$ are random low-norm matrices, $\approx _c$ stands for computational indistinguishable. The proof of (1) follows quite readily from the fact that given any permutation matrix $\mathbf {M}\in \{0,1\}^{w \times w}$, we have:

$$\begin{aligned} (\mathbf {A}, (\mathbf {M}\otimes \mathbf {S}) \mathbf {A}+ \mathbf {E}) \approx _c (\mathbf {A}, \mathbf {U}) \end{aligned}$$

under the LWE assumption, where $\mathbf {U}$ is uniformly random.

However, this statement is false for arbitrary matrices $\mathbf {M}$, take for instance $\mathbf {M}= \mathbf {0} ^{w \times w}$, the all-0 matrix. Indeed, the reader can easily come up with rank-$(w-1)$ matrices $\mathbf {M}$ for which Eq. (1) fails to hold.

In our construction, we encode an arbitrary matrix $\mathbf {M}$ as a GGH15 encoding of

$$ \mathbf {\hat{S}} = \begin{pmatrix}\mathbf {M}\otimes \mathbf {S}&{} \\ &{} \mathbf {S}\end{pmatrix}$$

That is, we append $\mathbf {S}$ along the diagonal. We then establish the following analogue of (1) under the LWE assumption: for any arbitrary $\mathbf {M}\in \{0,1\}^{w \times w}$,

$$\begin{aligned} \left( \mathbf {J} \mathbf {A}_0, \mathbf {A}_0^{-1}\left( \begin{pmatrix}\mathbf {M}\otimes \mathbf {S}&{} \\ &{} \mathbf {S}\end{pmatrix}\mathbf {A}_1 + \mathbf {E}\right) \right) \approx _c \Bigl ( \mathbf {J} \mathbf {A}_0, \mathbf {V}\Bigr ) \end{aligned}$$

(2)

where $ \mathbf {J} $ is any matrix of the form $[\star \mid \mathbf {I}]$, and $\mathbf {A}_0,\mathbf {A}_1,\mathbf {S},\mathbf {V},\mathbf {E}$ are distributed as in (1). This statement is qualitatively incomparable with (1): it is stronger in that it works for arbitrary $\mathbf {M}$, but weaker in that the distinguisher only sees partial information about $\mathbf {A}_0$.

Proving the statement in (2) requires a new proof strategy where we will treat $\mathbf {S}$ (instead of $\mathbf {A}_0,\mathbf {A}_1$) as a public matrix known to the distinguisher. In particular, we start with taking the bottom part of $\mathbf {A}_1$ as the LWE secret, in conjunction with the public $ \mathbf {S} $ in the bottom-right diagonal; then use an extension of the trapdoor sampling lemma by Gentry et al. [25] to produce an “oblique” (while statistically indistinguishable) preimage sample using only the trapdoor of the top part of $\mathbf {A}_0$; finally argue that the “oblique” sample is computationally indistinguishable from random Gaussian using the top part of $\mathbf {A}_0$ as the LWE secret. Walking through these steps requires new techniques on analyzing the trapdoor sampling detailed in Sect. 4. We refer the readers to Sects. 2.2 and 5.3 for further explanation of the proof techniques.

Next, we show that the weaker guarantee in (2) (in that the distinguisher gets $ \mathbf {J} \mathbf {A}_0$ instead of $\mathbf {A}_0$) is sufficient for constructions of constrained PRFs and lockable obfuscation based on GGH15 encodings; this yields new constructions that are directly applicable to general, non-permutation matrix branching programs.

1.2 Our Results II: New Attacks on iO Candidates

Next, we turn our attention to iO, where adversaries can obtain encodings of zero through honest evaluations. Concretely, we focus on iO candidates that follow the [21] template described earlier in the introduction: start with a branching program $\{\mathbf {M}_{i,b}\}$, pre-process and randomize $\{\mathbf {M}_{i,b}\}$ to obtain a matrices $\{ \mathbf {\hat{S}} _{i,b}\}$, and encode the latter using GGH15 encodings.

We present an attack that run in time $\mathsf {size}^{O(c)}$ for general read-c branching programs of size $\mathsf {size}$. In particular, we have a polynomial-time attack when c is constant, as is the case for the iO candidate in [29] which corresponds to $c=1$. Our attack covers various “safeguards” in the literature, such as Kilian-style randomization, multiplicative bundling, and diagonal padding.

Attack overview. Our attack is remarkably simple, and proceeds in two steps:

1.
Compute a matrix $\mathbf {V}$ whose (i, j)’th entry correspond to an iO evaluation on input $x^{(i)} \mid y^{(j)}$ that yields an encoding of zero. The dimensions of $\mathbf {V}$ and the number of evaluations is polynomial in $\mathsf {size}^c$.
2.
Output the rank of $\mathbf {V}$ (over $\mathbb {Z}$). More precisely, check if $\mathsf {rank}(\mathbf {V})$ is above some threshold.

Step 1 was used in the attack of Coron et al. [17] and Chen et al. [15], both originated from the zeroizing attack of Cheon et al. [16] on CLT13 [19]. The novelty of our analysis lies in showing that $\mathsf {rank}(\mathbf {V})$ leaks information about the $ \mathbf {\hat{S}} _{i,b}$’s and thus the plaintext branching program matrices $\mathbf {M}_{i,b}$’s. So we call the attack a “rank attack”.

Our attack improves upon the previous attack of Chen et al. [15] on GGH15-based iO candidates in several ways: (i) we have a classical as opposed to a quantum attack, and (ii) it is applicable to a larger class of branching programs, i.e. branching programs that are not necessarily input-partitioned or using permutation matrices.

Why the rank-attack works? To get a taste of the rank-attack, let’s consider an oversimplified description of the iO candidates based on GGH15 encodings. Let $\{ \mathbf {\hat{S}} _{i,b}\}$ be the randomization of plaintext matrices $\{\mathbf {M}_{i,b}\}$. Then the obfuscated code is the GGH15 encodings of the $ \mathbf {\hat{S}} _{i,b}$ matrices

$$\mathbf {A}_0, \left\{ \mathbf {D}_{i,b} \right\} _{i \in [h], b \in \{0,1\}} \text { where }\mathbf {D}_{i,b} \leftarrow \mathbf {A} _{i-1}^{-1}\left( \mathbf {\hat{S}} _{i,b} \mathbf {A} _i+ \mathbf {E} _{i,b} \right) $$

Evaluation proceeds by first computing the product of $\mathbf {A}_0$ with the subset product of the $\mathbf {D}_{i,b}$ matrices. As an example, for the obfuscation of a 3-step branching program that computes all-0 functionality, the evaluation on input $x = 000$ gives

$$\begin{aligned} \mathsf {Eval}(x) = \mathbf {A} _0 \cdot \mathbf {D} _{1,0}\cdot \mathbf {D} _{2,0}\cdot \mathbf {D} _{3,0} = \mathbf {\hat{S}} _{1,0} \mathbf {\hat{S}} _{2,0} \mathbf {E} _{3,0}+ \mathbf {\hat{S}} _{1,0} \mathbf {E} _{2,0} \mathbf {D} _{3,0}+ \mathbf {E} _{1,0} \mathbf {D} _{2,0} \mathbf {D} _{3,0} \end{aligned}$$

(3)

To give a sense of why computing the rank is useful in an attack, we make a further simplification, that suppose we manage to learn the monomial

$$\begin{aligned} \mathbf {\hat{S}} _{1,0} \mathbf {E}_{2,0} \mathbf {D}_{3,0} \in \mathbb {Z}^{t \times m}. \end{aligned}$$

W.h.p., the Gaussians $\mathbf {E}_{2,0},\mathbf {D}_{3,0}$ and therefore its product $\mathbf {E}_{2,0} \mathbf {D}_{3,0}$ are full rank (over $\mathbb {Z}$), so the rank of this term is that of $ \mathbf {\hat{S}} _{1,0}$, which leaks some information about the rank of $\mathbf {M}_{1,0}$. Note that learning the rank of $\mathbf {M}_{1,0}$ leaks no useful information for permutation branching programs, but is sufficient to break iO for general branching programs.

In actuality, a single evaluation corresponding to an encoding of zero only provides a single value in $\mathbb {Z}$, which is a sum of products of the form above, multiplied by some left and right bookend vectors. To extract the important information out of the summation of random-looking terms, we will first form a matrix $ \mathbf {V} $ of evaluations on appropriately chosen inputs. The matrix $ \mathbf {V} $ has the property that it factors into the product of two matrices $\mathbf {V}= \mathbf {X}\cdot \mathbf {Y}$. We proceed analogously to the toy example in two steps with $\mathbf {X},\mathbf {Y}$ playing the roles of $ \mathbf {\hat{S}} _{1,0}$ and $\mathbf {E}_{2,0} \cdot \mathbf {D}_{3,0}$:

1.
argue that $\mathbf {Y}$ is non-singular over $\mathbb {Q}$ so that $\mathsf {rank}( \mathbf {V} ) = \mathsf {rank}( \mathbf {X} )$, and
2.
argue that $\mathsf {rank}( \mathbf {X} )$ leaks information about the underlying branching program.

So far we have described what the analysis looks like for the read-once branching programs (i.e. $c=1$). For the case of $c > 1$, the analysis has the flavor of converting the obfuscated code of a read-c branching program into the read-once setting, using the “tensor switching lemmas” from previous attacks [4, 18] on iO candidates that use GGH13 and CLT13.

The code that demonstrates the attack as a proof-of-concept is available at https://github.com/wildstrawberry/cryptanalysesBPobfuscators.

1.3 Our Results III: New Candidates

Given the insights from our proofs and attacks, we present simple candidates for witness encryption and iO based on GGH15 encodings. Our witness encryption candidate relies on the observation from [24] that to build witness encryption for general NP relations, it suffices to build witness encryption for CNF formulas, and that we can represent CNF formulas using general, read-once branching programs. The ciphertext corresponding to a formula ${\varPsi }$ and a message $\mu \in \{0,1\}$ is of the form described in (2), namely

$$\begin{aligned} \mathbf {J} \mathbf {A}_0, \left\{ \mathbf {A}_{i-1}^{-1}\left( \begin{pmatrix}\mathbf {M}_{i,b} \otimes \mathbf {S}_{i,b} &{} \\ &{} \mu \mathbf {S}_{i,b}\end{pmatrix}\mathbf {A}_i + \mathbf {E}_{i,b}\right) \right\} \end{aligned}$$

where $ \mathbf {J} $ is a specific matrix of the form $[\star \mid \mathbf {I}]$ and the $\mathbf {M}_{i,b}$’s are the read-once branching program representing $\varPsi $.

Starting from the witness encryption candidate, we also present an iO candidate for NC$^1$ circuits that appear to resist our rank attack as well as all prior attacks. In order to thwart the rank attack, our iO candidate necessarily reads each input bit $\omega (1)$ times. To then prevent mixed-input attacks, we rely on an extension of multiplicative bundling factors used in prior works that uses matrices instead of scalars.

We stress that an important design goal in these candidates is simplicity so as to facilitate the security analysis. We believe and anticipate that any attacks or partial security analysis for these candidates (perhaps in some weak idealized model cf. [22]) would enhance our understanding of witness encryption and obfuscation.

1.4 Discussion and Open Problems

Perspective. The proposal of candidate multilinear maps [20] from lattice-type assumptions in 2013 has triggered a major paradigm shift in cryptography and enabled numerous cryptographic applications, most notably indistinguishability obfuscation [21]. Among the three multilinear maps candidates [19, 20, 23], GGH15 is the only one that has served as a basis for new cryptographic applications based on established lattice problems, as demonstrated in e.g. [13, 26, 27, 38]. We believe that extending the safe settings of GGH15 (where security can be based on the LWE assumption), as explored in this work through the generalized GGH15 framework as well as both proofs and attacks, will pave the way towards new cryptographic constructions.

Open problems. We conclude with a number of open problems:

Study the security of our candidate for witness encryption, either prove security under instance-independent assumptions, or find a direct attack on the scheme. For the former (i.e., prove security), the only proof strategy in the existing literature is to build and prove a so-called positional witness encryption scheme [24], for which the security definition allows the adversary to obtain encodings of zeroes. Unfortunately, the natural extensions of our candidate witness encryption scheme to a positional variant are susceptible to the rank attack in the presence of encodings of zeroes. For the latter (i.e., directly attack the scheme), all existing attack strategies on GGH15 encodings as used in our candidate require encodings of zeroes, which are not readily available in the witness encryption setting.
Find a polynomial-time attack for iO candidates for branching programs where every input repeats $c = O(\lambda )$ time where $\lambda $ is the security parameter. The analysis of known attacks, including our rank attack, yields running times that grow exponentially with c. There are possibilities that the analysis is not tight and the rank attack or prior attacks could in fact succeed with a smaller running time. However we have not detected such a phenomenon with experiments for small c.
Note that all our candidate constructions are of the form: $\mathbf {A}_J, \left\{ \mathbf {D}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$ and evaluation/decryption proceeds by first computing $\mathbf {A}_J \mathbf {D}_{\mathbf x'} := \mathbf {A}_J \prod _{i=1}^h \mathbf {D}_{i,x'_i}$ for some $\mathbf x' \in \{0,1\}^h$. Consider the following restricted class of adversaries that only gets oracle access to $\mathbf x' \mapsto \mathbf {A}_J \mathbf {D}_{\mathbf x'}$ instead of $\mathbf {A}_j, \left\{ \mathbf {D}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$. Note that our rank attack as well as various mixed-input and zeroizing attacks can all be implemented using this restricted adversaries. Can we prove (or break) security of our witness encryption or iO candidates against this restricted class of adversaries under some reasonable instance-independent assumptions?

Independent work. Variants of our new lemmas related to lattice preimage sampling in Sect. 4 were presented in an independent work of Goyal, Koppula and Waters [28], for different purposes from ours. In [28], the lemmas were used as intermediate building blocks en route a collusion resistant traitor tracing scheme based on the LWE assumption.

1.5 Reader’s Guide

The rest of the article is organized as follows. Section 2 provides a more detailed overview of our techniques. Section 4 provides new lemmas related to lattice preimage sampling. Section 5 gives a formal construction of the generalized-GGH15 encoding, the security notions, and the main technical proof that suffices for the applications. Due to the page limitation we leave the applications, the attacks, and the witness encryption and iO candidates in the full version available at https://eprint.iacr.org/2018/360.

2 Technical Overview

In this section, we present a more detailed overview of our techniques. We briefly describe the notation used in this overview and the paper, and refer the reader to Sect. 3 for more details. We use boldface upper-case and lower-case letters for matrices and vectors respectively. Given a bit-string $\mathbf x\in \{0,1\}^h$, we use $\mathbf {M}_\mathbf x$ to denote matrix subset product $\prod _{i=1}^h \mathbf {M}_{i,x_i}$. Given matrices $\mathbf {A},\mathbf {B}$, we use $\mathbf {A}^{-1}(\mathbf {B})$ to denote a random low-norm Gaussian $\mathbf {D}$ satisfying $\mathbf {A}\mathbf {D}= \mathbf {B}\bmod q$. Two probability distributions are connected by $\approx _s$ or $\approx _c$ if they are statistically close or computationally indistinguishable.

2.1 Generalized GGH15 Encodings

In this work, we think of GGH15 as encoding two collections of matrices, one collection is arbitrary and the other one is random, and computing some function $\gamma $ of a subset product of these matrices; we refer to this as (generalized) $\gamma $-GGH15 encodings.^{Footnote 1} That is, the $\gamma $-GGH15 encoding takes as input two collections of matrices $ \left\{ \mathbf {M}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}}, \left\{ \mathbf {S}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}}$, an additional matrix $\mathbf {A}_\ell $, and the output is a collection of matrices

$$\mathbf {A}_0, \left\{ \mathbf {D}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}}$$

such that for all $\mathbf x\in \{0,1\}^\ell $, we have

$$\mathbf {A}_0 \cdot \mathbf {D}_\mathbf x\approx \gamma (\mathbf {M}_\mathbf x,\mathbf {S}_\mathbf x) \cdot \mathbf {A}_\ell $$

where $ \mathbf {M} _ \mathbf {x} , \mathbf {D} _ \mathbf {x} , \mathbf {S} _ \mathbf {x} $ denotes subset-product of matrices as defined earlier. Here,

$$\mathbf {M}_{i,b} \in \{0,1\}^{w \times w}, \mathbf {S}_{i,b} \in \mathbb {Z}^{n \times n}, \mathbf {A}_0,\mathbf {A}_\ell \in \mathbb {Z}_q^{\gamma (w,n) \times m}, \mathbf {D}_{i,b} \in \mathbb {Z}^{m \times m}.$$

Intuitively, we also want to hide the $\mathbf {M}_{i,b}$’s, which we will come back to after describing the choices for $\gamma $ and the construction.

Choices for $\gamma $. There are several instantiations for $\gamma $ in the literature [12, 13, 21, 23, 26, 29, 38]:

$$ \gamma _\times (\mathbf {M},\mathbf {S}) = \mathbf {M}\mathbf {S}, \; \gamma _{\otimes }(\mathbf {M},\mathbf {S}) := \mathbf {M}\otimes \mathbf {S},\; \gamma _{\text {diag}}(\mathbf {M},\mathbf {S}) := \begin{pmatrix}\mathbf {M}&{}\\ {} &{}\mathbf {S}\end{pmatrix} $$

where the first $\gamma _\times $ requires working with rings so that multiplication commutes. More generally, for the construction, we require that $\gamma $ be multiplicatively homomorphic, so that

$$ \gamma (\mathbf {M},\mathbf {S}) \gamma (\mathbf {M}',\mathbf {S}') = \gamma (\mathbf {M}\mathbf {M}', \mathbf {S}\mathbf {S}') $$

as is clearly satisfied by the three instantiations above.

The $\gamma $-GGH15 construction. We briefly describe the construction of $\gamma $-GGH15 encodings implicit in [23], from the view-point of “cascaded cancellations” [2, 27, 30]. The starting point of the construction is to expand $\gamma (\mathbf {M}_\mathbf x,\mathbf {S}_\mathbf x) \cdot \mathbf {A}_\ell $ using multiplicative homomorphism as a matrix product

$$\gamma (\mathbf {M}_\mathbf x,\mathbf {S}_\mathbf x) \cdot \mathbf {A}_\ell = \prod _{i=1}^\ell \gamma (\mathbf {M}_{i,x_i}, \mathbf {S}_{i,x_i}) \cdot \mathbf {A}_\ell $$

Next, it randomizes the product by sampling random (wide, rectangular) matrices $\mathbf {A}_0,\ldots ,\mathbf {A}_{\ell -1}$ over $\mathbb {Z}_q$ along with their trapdoors, and rewrites the product as a series of “cascaded cancellations”:

$$\gamma (\mathbf {M}_\mathbf x,\mathbf {S}_\mathbf x) \cdot \mathbf {A}_\ell = \mathbf {A}_0 \cdot \prod _{i=1}^\ell \mathbf {A}_{i-1}^{-1}(\gamma (\mathbf {M}_{i,x_i}, \mathbf {S}_{i,x_i}) \mathbf {A}_i)$$

where $\mathbf {A}_{i-1}^{-1}(\cdot )$ denotes random low-norm Gaussian pre-images as defined earlier.^{Footnote 2}

For functionality, it suffices to define $\mathbf {D}_{i,b}$ to be $\mathbf {A}_{i-1}^{-1}(\gamma (\mathbf {M}_{i,b}, \mathbf {S}_{i,b}) \mathbf {A}_i)$, but that would not be sufficient to hide the underlying $\mathbf {M}_{i,b}$’s. Instead, the construction introduces additional error terms $ \left\{ \mathbf {E}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}}$, and defines^{Footnote 3}

$$\mathbf {D}_{i,b} \leftarrow \mathbf {A}_{i-1}^{-1}(\gamma (\mathbf {M}_{i,b}, \mathbf {S}_{i,b}) \mathbf {A}_i + \mathbf {E}_{i,b})$$

Observe that for all $\mathbf x\in \{0,1\}^\ell $, we have

$$\mathbf {A}_0 \cdot \mathbf {D}_\mathbf x\approx \gamma (\mathbf {M}_\mathbf x,\mathbf {S}_\mathbf x) \cdot \mathbf {A}_\ell $$

where $\approx $ refers to an additive error term that depends on $\mid \mathbf {D}_{i,b} \mid , \mid \mathbf {E}_{i,b} \mid , \mid \gamma (\mathbf {M}_{i,b},\mathbf {S}_{i,b}) \mid $, which we require to be small.

Semantic security. Following [13, 26, 27, 38], we consider the following notion of semantic security for $\gamma $-GGH15 encodings, namely that

(semantic security.) The output $(\mathbf {A}_0, \left\{ \mathbf {D}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}})$ computationally hides $ \left\{ \mathbf {M}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}}$. We only require that security holds “on average” over random $ \left\{ \mathbf {S}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}},\mathbf {A}_\ell $.

Prior works [13, 26, 38] showed that the $\gamma _{\otimes }$-GGH15 encodings achieve semantic security if we restrict the $\mathbf {M}_{i,b}$’s to be permutation matrices. That is,

Informal Lemma. Under the LWE assumption, we have that for all permutation matrices $ \left\{ \mathbf {M}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}}$,
$$\begin{aligned} (\mathbf {A}_0, \left\{ \mathbf {D}_{i,0},\mathbf {D}_{i,1} \right\} _{i \in [\ell ]} ) \approx _c (\mathbf {A}_0, \left\{ \mathbf {V}_{i,0},\mathbf {V}_{i,1} \right\} _{i \in [\ell ]} ) \end{aligned}$$
(4)
where $\mathbf {D}_{i,b} \leftarrow \mathbf {A}_{i-1}^{-1}((\mathbf {M}_{i,b} \otimes \mathbf {S}_{i,b}) \mathbf {A}_i + \mathbf {E}_{i,b})$, and $\mathbf {V}_{i,0},\mathbf {V}_{i,1}$ are random low-norm Gaussians.

As mentioned earlier in the introduction, the proof of security crucially relies on the fact that any permutation matrix $\mathbf {M}$, LWE tells us that $(\mathbf {A}, (\mathbf {M}\otimes \mathbf {S}) \mathbf {A}+ \mathbf {E}) \approx _c (\mathbf {A}, \mathbf {U})$, where $ \mathbf {U} $ is uniformly random. We sketch the proof of the semantic security of $\gamma _{\otimes }$-GGH15 for $\ell =1$, which extends readily to larger $\ell $ (here the major changes in the hybrid arguments are highlighted with boxes):

$$\begin{aligned}&\Bigl (\mathbf {A}_0, \{\mathbf {A}_0^{-1}((\mathbf {M}_{1,b} \otimes \mathbf {S}_{1,b}) \mathbf {A}_1 + \mathbf {E}_{1,b})\}_{b \in \{0,1\}} \Bigr )\\ \approx _c&\Bigl (\mathbf {A}_0, \{\mathbf {A}_0^{-1}(\boxed {\mathbf {U}_{1,b})}\}_{b \in \{0,1\}} \Bigr ) \quad \quad \text {// LWE}\\ \approx _s&\Bigl (\mathbf {A}_0, \{\boxed {\mathbf {V}_{1,b}}\}_{b \in \{0,1\}} \Bigr ) \quad \quad \text {// GPV} \end{aligned}$$

2.2 This Work: Semantic Security for Arbitrary Matrices

Without further modifications, $\gamma $-GGH15 encoding does not achieve semantic security for arbitrary matrices. Concretely, given $\mathbf {A}_0, \mathbf {D}_{1,0}$, we can compute

$$\mathbf {A}_0 \cdot \mathbf {D}_{1,0} = \gamma (\mathbf {M}_{1,0},\mathbf {S}_{1,0}) \mathbf {A}_1 + \mathbf {E}_{1,0}$$

which might leak information about the structure of $\mathbf {M}_{1,0}$. In particular, we can distinguish between $\mathbf {M}_{1,0}$ being $\mathbf {I}^{w \times w}$ versus $ \mathbf {0} ^{w \times w}$ for all of $\gamma _\times ,\gamma _{\otimes },\gamma _{\text {diag}}$.

The key to our new cryptographic constructions for general branching programs is a new technical lemma asserting semantic security for $\gamma _{\text {diag}}$-GGH15 encodings with arbitrary matrices where we replace $\mathbf {A}_0$ with $ \mathbf {J} \mathbf {A}_0$ for some wide bookend matrix $ \mathbf {J} $ that statistically “loses” information about $\mathbf {A}_0$:

New Lemma, Informal. Under the LWE assumption, we have that for all matrices $ \left\{ \mathbf {M}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}}$ over $\mathbb {Z}$,
$$\begin{aligned} ( \mathbf {J} \mathbf {A}_0,(\mathbf {D}_{i,0},\mathbf {D}_{i,1})_{i \in \ell }) \approx _c ( \mathbf {J} \mathbf {A}_0,(\mathbf {V}_{i,0},\mathbf {V}_{i,1})_{i \in \ell }) \end{aligned}$$
(5)
where $ \mathbf {J} $ is any matrix of the form $[\star \mid \mathbf {I}]$, $\mathbf {D}_{i,b} \leftarrow \mathbf {A}_{i-1}^{-1}(\begin{pmatrix}\mathbf {M}_{i,b}&{}\\ {} &{} \mathbf {S}_{i,b}\end{pmatrix} \mathbf {A}_i + \mathbf {E}_{i,b})$, and $\mathbf {V}_{i,0},\mathbf {V}_{i,1}$ are random low-norm Gaussians.

New proof technique. We prove a stronger statement for the semantic security of $\gamma _{\text {diag}}$-GGH15, namely the semantic security holds even given $\mathbf {S}_{1,0},\mathbf {S}_{1,1},\ldots ,\mathbf {S}_{\ell ,0},\mathbf {S}_{\ell ,1}$ (but not $\mathbf {A}_1,\ldots ,\mathbf {A}_\ell $). Our proof departs significantly from the prior analysis – in particular, we will treat $\mathbf {A}_1,\ldots ,\mathbf {A}_\ell $ as LWE secrets. Let $\overline{\mathbf {A}}_i,\underline{\mathbf {A}}_i$ denote the top and bottom parts of $\mathbf {A}$, and define $\overline{\mathbf {E}}_{i,b},\underline{\mathbf {E}}_{i,b}$ analogously. This means that

$$\mathbf {A}_{i-1}^{-1}(\gamma _{\text {diag}}(\mathbf {M}_{i,b},\mathbf {S}_{i,b}) \mathbf {A} _i + \mathbf {E}_{i,b}) = \mathbf {A}_{i-1}^{-1}\begin{pmatrix}\mathbf {M}_{i,b} \overline{\mathbf {A}}_i + \overline{\mathbf {E}}_{i,b}\\ \mathbf {S}_{i,b} \underline{\mathbf {A}}_i + \underline{\mathbf {E}}_{i,b}\end{pmatrix}$$

We will use $\mathbf {A}_1,\ldots ,\mathbf {A}_\ell $ as LWE secrets in the following order: $\underline{\mathbf {A}}_\ell ,\ldots ,\underline{\mathbf {A}}_1,{}\overline{\mathbf {A}}_0,\ldots ,\overline{\mathbf {A}}_{\ell -1}$. We sketch the proof for $\ell =1$ (and it extends readily to larger $\ell $):

$$\begin{aligned}&\Bigl ( \mathbf {J} \mathbf {A}_0, \{ \mathbf {A}_{0}^{-1}\begin{pmatrix}\mathbf {M}_{1,b} \overline{\mathbf {A}}_{1} + \overline{\mathbf {E}}_{1,b}\\ \mathbf {S}_{1,b} \underline{\mathbf {A}}_{1} + \underline{\mathbf {E}}_{1,b}\end{pmatrix}\}_{b \in \{0,1\}} \Bigr )\\ \approx _c&\Bigl ( \mathbf {J} \mathbf {A}_0, \{\boxed { \overline{\mathbf {A}}_{0}^{-1}\begin{pmatrix}\mathbf {M}_{1,b} \overline{\mathbf {A}}_{1} + \overline{\mathbf {E}}_{1,b}\end{pmatrix}}\}_{b \in \{0,1\}} \Bigr )\\ \approx _s&\Bigl (\boxed { \mathbf {U} _0}, \{ \overline{\mathbf {A}}_{0}^{-1}\begin{pmatrix}\mathbf {M}_{1,b} \overline{\mathbf {A}}_{1} + \overline{\mathbf {E}}_{1,b}\end{pmatrix}\}_{b \in \{0,1\}} \Bigr )\\ \approx _c&\Bigl ( \mathbf {U} _0, \{\boxed {\mathbf {V}_{1,b}}\}_{b \in \{0,1\}} \Bigr ) \end{aligned}$$

where the notations and analysis of hybrid arguments are as follows

The first $\approx _c$ follow from a more general statement, namely for all i and for any $\mathbf {Z}_{i,b}$, we have
$$ \Bigl \{ \mathbf {A}_{i-1}^{-1}\begin{pmatrix}\mathbf {Z}_{i,b}\\ \mathbf {S}_{i,b} \underline{\mathbf {A}}_i + \underline{\mathbf {E}}_{i,b}\end{pmatrix} \Bigr \}_{b \in \{0,1\}} \approx _c \Bigl \{ \overline{\mathbf {A}}_{i-1}^{-1}\begin{pmatrix}\mathbf {Z}_{i,b}\end{pmatrix} \Bigr \}_{b \in \{0,1\}} $$
even if the distinguisher gets $\mathbf {A}_{i-1},\mathbf {S}_{i,b},\mathbf {Z}_{i,b}$. The proof of this statement follows by first applying LWE with $\underline{\mathbf {A}}_i$ as the secret^{Footnote 4} to deduce that
$$\{\mathbf {S}_{i,b}, \mathbf {S}_{i,b} \underline{\mathbf {A}}_i + \underline{\mathbf {E}}_{i,b}\}_{b \in \{0,1\}} \approx _c \{\mathbf {S}_{i,b}, \mathbf {U}_{i,b}\}_{b \in \{0,1\}}$$
where the $\mathbf {U}_{i,b}$ matrices are uniformly random over $\mathbb {Z}_q$, followed by a new statistical lemma about trapdoor sampling which tells us that for all but negligibly many $\mathbf {A}_{i-1}$, we have that for all $\mathbf {Z}_{i,b}$,
$$\mathbf {A}_{i-1}^{-1}\begin{pmatrix}\mathbf {Z}_{i,b}\\ \mathbf {U}_{i,b}\end{pmatrix} \approx _s \overline{\mathbf {A}}_{i-1}^{-1}\begin{pmatrix}\mathbf {Z}_{i,b}\end{pmatrix}$$
The $\approx _s$ follows from the structure of $ \mathbf {J} $, which implies $(\overline{\mathbf {A}}_0, \mathbf {J} \mathbf {A}_0) \approx _s (\overline{\mathbf {A}}_0, \mathbf {U} _0)$, where $ \mathbf {U} _0$ is a uniformly random matrix.
The final $\approx _c$ follows from a more general statement, which says that under the LWE assumption, we have that for any $\mathbf {Z}$,
$$\mathbf {A}^{-1}(\mathbf {Z}+ \mathbf {E}) \approx _c \mathbf {A}^{-1}(\mathbf {U})$$
where the distributions are over random choices of $\mathbf {A},\mathbf {E},\mathbf {U}$, provided $\mathbf {A}$ is hidden from the distinguisher. The proof uses the Bonsai technique [14]. Suppose $\mathbf {A}$ is of the form $[\mathbf {A}_1 \mid \mathbf {A}_2 ]$ where $ \mathbf {A} _1$ is uniformly random, $\mathbf {A}_2$ sampled with a trapdoor. Then, we have via the Bonsai technique [14]:
$$\mathbf {A}^{-1}(\mathbf {Z}+\mathbf {E}) \approx _s {-\mathbf {V}\atopwithdelims ()\mathbf {A}_2^{-1}(\mathbf {A}_1 \mathbf {V}+ \mathbf {E}+ \mathbf {Z})}$$
where $\mathbf {V}$ is a random low-norm Gaussian. We then apply the LWE assumption to $(\mathbf {V}, \mathbf {A}_1 \mathbf {V}+ \mathbf {E})$ with $\mathbf {A}_1$ as the LWE secret. Once we replace $\mathbf {A}_1 \mathbf {V}+ \mathbf {E}$ with a uniformly random matrix, the rest of the proof follows readily from the standard GPV lemma.

Extension: combining $\gamma _{\otimes },\gamma _{diag}$. For the applications to private constrained PRFs and lockable obfuscation, we will rely on $\gamma _{\otimes \text {diag}}$-GGH15 encodings, where

$$\gamma _{\otimes \text {diag}}(\mathbf {M},\mathbf {S}) := \begin{pmatrix}\mathbf {M}\otimes \mathbf {S}&{}\\ {} &{}\mathbf {S}\end{pmatrix}$$

We observe that our proof of semantic security for $\gamma _{\text {diag}}$ also implies semantic security for $\gamma _{\otimes \text {diag}}$, where we give out $ \mathbf {J} \mathbf {A}_0$ instead of $\mathbf {A}_0$. This follows from the fact that our proof for $\gamma _{\text {diag}}$ goes through even if the $\mathbf {M}_{i,b}$’s depend on the $\mathbf {S}_{i,b}$’s, since we treat the latter as public matrices when we invoke the LWE assumption.

2.3 New Cryptographic Constructions from LWE

Using $\gamma _{\otimes \text {diag}}$-GGH15 encodings and the proof that semantic security of $\gamma _{\otimes \text {diag}}$ holds for arbitrary $ \mathbf {M} $ matrices, we are ready to construct private constrained PRFs and lockable obfuscation where the constraint/function can be recognized by arbitrary matrix branching programs. Here we briefly explain the private constrained PRF construction as an example.

Before that we recall some terminologies for matrix branching programs. In the overview, we focus on read-once matrix branching programs for notational simplicity, although our scheme works for general matrix branching programs with any input pattern and matrix pattern (possibly low-rank matrices). A (read-once) matrix branching program for a function $f_\varGamma : \{0,1\}^\ell \rightarrow \{0,1\}$ is specified by $\varGamma := \left\{ \left\{ \mathbf {M}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}},\mathbf {P}_0,\mathbf {P}_1 \right\} $ such that for all $\mathbf x\in \{0,1\}^\ell $,

$$\begin{aligned} \mathbf {M}_\mathbf x= \prod _{i=1}^\ell \mathbf {M}_{i,x_i} = \mathbf {P}_{f_\varGamma (x)} \end{aligned}$$

We will work with families of branching programs $\{ \varGamma \}$, which share the same $\mathbf {P}_0,\mathbf {P}_1$.

Private constrained PRFs. We proceed to provide an overview of our construction of private constrained PRFs using $\gamma _{\otimes \text {diag}}$-GGH15 encodings. As a quick overview of a private constrained PRF, a private constrained PRF allows the PRF master secret key holder to derive a constrained key given a constraint predicate C. The constrained key is required to randomize the output on every input x s.t. $C(x) = 0$, preserve the output on every input x s.t. $C(x) = 1$. In addition, the constraint C is required to be hidden given the description of the constrained key.

Let $ \mathbf {e} _i\in \{0,1\}^{1\times w}$ denotes the unit vector with the $i^{th}$ coordinate being 1, the rest being 0. Consider a class of constraints recognizable by branching programs

$$\varGamma _C := \left\{ \left\{ \mathbf {M} _{i,b}\in \{0,1\}^{w\times w} \right\} _{i\in [\ell ], b\in \{0,1\}}, \mathbf {P}_0,\mathbf {P}_1 \right\} , $$

where the target matrices $\mathbf {P}_0,\mathbf {P}_1$ satisfy $ \mathbf {e} _1 \mathbf {P}_0 = \mathbf {e} _1$, $ \mathbf {e} _1 \mathbf {P}_1 = \mathbf {0} ^{1\times w} $.

We use $\gamma _{\otimes \text {diag}}$ to encode $ \left\{ \mathbf {M}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}}$, which means for $i = 0, ..., \ell $, $\mathbf {A}_i \in \mathbb {Z}_q^{(nw+n) \times m}$. Denote $\underline{\mathbf {A}}_0$ as the bottom n rows of $\mathbf {A}_i$, $\overline{\mathbf {A}}_i$ as the top nw rows of $\mathbf {A}_i$. Inside $\overline{\mathbf {A}}_i$ let $\overline{\mathbf {A}}^{(j)}_i$ denote the $(j-1)n^{th}$ to $jn^{th}$ rows of $\overline{\mathbf {A}}_i$, for $j\in [w]$.

Define the output of the normal PRF evaluation as

$$\mathbf x\mapsto \left\lfloor \mathbf {S}_\mathbf x\underline{\mathbf {A}}_\ell \right\rceil _p$$

where $\left\lfloor \;\cdot \; \right\rceil _p$ denotes the rounding-to-$\mathbb {Z}_p$ operation used in previous LWE-based PRFs, which we suppress in the rest of this overview for notational simplicity.

We set $ \mathbf {J} := ( \mathbf {e} _1 \otimes \mathbf {I}\mid \mathbf {I})$ so that $ \mathbf {J} \cdot \mathbf {A}_0 = \overline{\mathbf {A}}^{(1)}_0 + \underline{\mathbf {A}}_0$, then

$$\begin{aligned} \mathbf {J} \cdot \gamma _{\otimes \text {diag}}(\mathbf {M}_\mathbf x,\mathbf {S}_\mathbf x) \cdot \mathbf {A}_\ell = \left( ( \mathbf {e} _1\cdot \mathbf {M}_\mathbf x) \otimes \mathbf {S}_\mathbf x\right) \cdot \overline{\mathbf {A}}_\ell + \mathbf {S}_\mathbf x\underline{\mathbf {A}}_\ell = {\left\{ \begin{array}{ll} \mathbf {S}_\mathbf x\underline{\mathbf {A}}_\ell &{}\text{ if } f_\varGamma (\mathbf x) = 1\\ \mathbf {S}_\mathbf x\overline{\mathbf {A}}^{(1)}_\ell + \mathbf {S}_\mathbf x\underline{\mathbf {A}}_\ell &{}\text{ if } f_\varGamma (\mathbf x) = 0 \end{array}\right. } \end{aligned}$$

Given $\varGamma $, the constrained key is constructed as

$$\overline{\mathbf {A}}^{(1)}_0 + \underline{\mathbf {A}}_0,(\mathbf {D}_{i,0},\mathbf {D}_{i,0})_{i \in [\ell ]}$$

where $(\mathbf {A}_0, \left\{ \mathbf {D}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}}) \leftarrow \text{ GGHEnc }_{\otimes \text {diag}} ( \left\{ \mathbf {M}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}}, \left\{ \mathbf {S}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}}, \mathbf {A} _\ell )$.

The constrained evaluation on an input $\mathbf x$ gives

$$(\overline{\mathbf {A}}^{(1)}_0 + \underline{\mathbf {A}}_0) \cdot \mathbf {D}_\mathbf x\approx \mathbf {J} \cdot \gamma _{\otimes \text {diag}}(\mathbf {M}_\mathbf x,\mathbf {S}_\mathbf x) \cdot \mathbf {A}_\ell $$

which equals to $\mathbf {S}_\mathbf x\underline{\mathbf {A}}_\ell $ if $f_\varGamma (\mathbf x) = 1$, $\mathbf {S}_\mathbf x\overline{\mathbf {A}}^{(1)}_\ell + \mathbf {S}_\mathbf x\underline{\mathbf {A}}_\ell $ if $f_\varGamma (\mathbf x) = 0$.

A special case: private puncturable PRFs. A private puncturable PRF can be obtained by simply using branching program with $1\times 1$ matrices (i.e. let $w=1$). The punctured key at $\mathbf x^*$ is given by

$$\overline{\mathbf {A}}_0 + \underline{\mathbf {A}}_0, \left\{ \mathbf {D}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}}$$

where

$$\mathbf {D}_{i,x^*_i} \leftarrow \mathbf {A}_{i-1}^{-1}\left( \begin{pmatrix}\mathbf {S}_{i,x^*_i}&{}\\ {} &{}\mathbf {S}_{i,x^*_i}\end{pmatrix}\mathbf {A}_i + \mathbf {E}_{i,x^*_i}\right) , \mathbf {D}_{i,1-x^*_i} \leftarrow \mathbf {A}_{i-1}^{-1}\left( \begin{pmatrix} \mathbf {0} &{}\\ {} &{}\mathbf {S}_{i,1-x^*}\end{pmatrix}\mathbf {A}_i + \mathbf {E}_{i,1-x^*_i}\right) . $$

The construction extends naturally to allow us to puncture at sets of points specified by a wildcard pattern $\{0,1,\star \}^\ell $.

Security. In the security proof, we will use the fact that whenever $f_\varGamma (\mathbf x) = 0$, constrained evaluation outputs $\boxed {\mathbf {S}_\mathbf x\overline{\mathbf {A}}^{(1)}_\ell } + \mathbf {S}_\mathbf x\underline{\mathbf {A}}_\ell $, so that the normal PRF output is masked by the boxed term. More formally, in the security game, the adversary gets a constrained key for $\varGamma _C$, and oracle access to a PRF evaluation oracle $\mathsf {Eval}$. We consider the following sequence of games:

Replace the output of the $\mathsf {Eval}$ oracle by
$$(\overline{\mathbf {A}}^{(1)}_0 + \underline{\mathbf {A}}_0) \cdot \mathbf {D}_\mathbf x- \mathbf {S}_\mathbf x\cdot \overline{\mathbf {A}}^{(1)}_\ell $$
This is statistically indistinguishable from the real game, since $(\overline{\mathbf {A}}^{(1)}_0 + \underline{\mathbf {A}}_0) \cdot \mathbf {D}_\mathbf x\approx \mathbf {S}_\mathbf x\cdot \overline{\mathbf {A}}^{(1)}_\ell + \mathbf {S}_\mathbf x\cdot \underline{\mathbf {A}}_\ell $, and the approximation disappears w.h.p. after rounding.
Apply semantic security to replace $(\mathbf {D}_{i,0},\mathbf {D}_{i,0})_{i \in [\ell ]}$ with random. Here, we require that semantic security holds even if the distinguisher gets $ \left\{ \mathbf {S}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}},\overline{\mathbf {A}}_\ell $, where the latter are needed in order to compute $\mathbf {S}_\mathbf x\cdot \overline{\mathbf {A}}^{(1)}_\ell $. This implies constraint-hiding.
Now, we can apply the BLMR analysis to deduce pseudorandomness of $\mathbf {S}_\mathbf x\cdot \overline{\mathbf {A}}^{(1)}_\ell $, where we treat $\overline{\mathbf {A}}^{(1)}_\ell $ as the seed of the BLMR PRF [7]. This implies pseudorandomness of the output of the $\mathsf {Eval}$ oracle.

3 Preliminaries

Notations and terminology. In cryptography, the security parameter (denoted as $\lambda $) is a variable that is used to parameterize the computational complexity of the cryptographic algorithm or protocol, and the adversary’s probability of breaking security. An algorithm is “efficient” if it runs in (probabilistic) polynomial time over $\lambda $.

When a variable v is drawn randomly from the set S we denote as $v{\mathop {\leftarrow }\limits ^{\$}}S$ or $v\leftarrow U(S)$, sometimes abbreviated as v when the context is clear. We use $\approx _s$ and $\approx _c$ as the abbreviation for statistically close and computationally indistinguishable.

Let $\mathbb {R}, \mathbb {Z}, \mathbb {N}$ be the set of real numbers, integers and positive integers. Denote $\mathbb {Z}/(q\mathbb {Z})$ by $\mathbb {Z}_q$. The rounding operation $\left\lfloor a \right\rceil _p: \mathbb {Z}_q \rightarrow \mathbb {Z}_p$ is defined as multiplying a by $p{\slash }q$ and rounding the result to the nearest integer.

For $n\in \mathbb {N}$, $[n] := \left\{ 1, ..., n \right\} $. A vector in $\mathbb {R}^n$ (represented in column form by default) is written as a bold lower-case letter, e.g. $ \mathbf {v} $. For a vector $ \mathbf {v} $, the $i^{th}$ component of $ \mathbf {v} $ will be denoted by $v_i$. A matrix is written as a bold capital letter, e.g. $ \mathbf {A} $. The $i^{th}$ column vector of $ \mathbf {A} $ is denoted $ \mathbf {a} _i$. In this article we frequently meet the situation where a matrix $ \mathbf {A} $ is partitioned into two pieces, one stacking over the other. We denote it as $\mathbf {A}= {\overline{\mathbf {A}}\atopwithdelims ()\underline{\mathbf {A}}}$. The partition is not necessarily even. We will explicitly mention the dimension when needed.

The length of a vector is the $\ell _p$-norm $\Vert \mathbf {v} \Vert _p = (\sum v_i^p)^{1/p}$. The length of a matrix is the norm of its longest column: $\Vert \mathbf {A} \Vert _p = \max _i \Vert \mathbf {a} _i\Vert _p$. By default we use $\ell _2$-norm unless explicitly mentioned. When a vector or matrix is called “small”, we refer to its norm.

Subset products (of matrices) appear frequently in this article. For a given $h\in \mathbb {N}$, a bit-string $ \mathbf {v} \in \{0,1\}^h$, we use $ \mathbf {X} _{ \mathbf {v} }$ to denote $\prod _{i\in [h]} \mathbf {X} _{i,v_{i}}$ (it is implicit that $ \left\{ \mathbf {X} _{i, b} \right\} _{i\in [h], b\in \{0,1\}}$ are well-defined).

The tensor product (Kronecker product) for matrices $ \mathbf {A} \in \mathbb {R}^{\ell \times m}$, $ \mathbf {B} \in \mathbb {R}^{n\times p}$ is defined as

$$\begin{aligned} \mathbf {A} \otimes \mathbf {B} = \begin{bmatrix} a_{1,1} \mathbf {B} ,&\ldots ,&a_{1,m} \mathbf {B} \\ \ldots ,&\ldots ,&\ldots \\ a_{\ell ,1} \mathbf {B} ,&\ldots ,&a_{\ell ,m} \mathbf {B} \end{bmatrix}\in \mathbb {R}^{\ell n\times mp}. \end{aligned}$$

(6)

The rank of the resultant matrix satisfies $\mathsf {rank}( \mathbf {A} \otimes \mathbf {B} ) = \mathsf {rank}( \mathbf {A} ) \cdot \mathsf {rank}( \mathbf {B} )$.

For matrices $ \mathbf {A} \in \mathbb {R}^{\ell \times m}$, $ \mathbf {B} \in \mathbb {R}^{n\times p}$, $ \mathbf {C} \in \mathbb {R}^{m\times u}$, $ \mathbf {D} \in \mathbb {R}^{p\times v}$,

$$\begin{aligned} ( \mathbf {A} \mathbf {C} ) \otimes ( \mathbf {B} \mathbf {D} ) = ( \mathbf {A} \otimes \mathbf {B} )\cdot ( \mathbf {C} \otimes \mathbf {D} ). \end{aligned}$$

(7)

Lemma 3.1

(Leftover hash lemma). Let $\mathcal {H} = \left\{ h: \mathcal {X}\rightarrow \mathcal {Y} \right\} $ be a 2-universal hash function family. Then for any random variable $X\in \mathcal {X}$, for $\epsilon >0$ s.t. $\log (|\mathcal {Y}|) \le H_\infty (X) - 2\log (1/\epsilon )$, the distributions

$$\begin{aligned} (h, h(X)) \text { and } (h, U(\mathcal {Y})) \end{aligned}$$

are $\epsilon $-statistically close.

3.1 Lattices Background

Smoothing parameter. We recall the definition of smoothing parameter and some useful facts.

Definition 3.2

(Smoothing parameter [32]). For any n-dimensional lattice $\varLambda $ and positive real $\epsilon > 0$, the smoothing parameter $\eta _\epsilon (\varLambda )$ is the smallest real $\sigma > 0$ such that $\rho _{1/\sigma }(\varLambda ^*\setminus \{ \mathbf {0} \}) \le \epsilon $.

Lemma 3.3

(Smoothing parameter bound from [25]). For any n-dimensional lattice $\varLambda ( \mathbf {B} )$ and for any $\omega ( \sqrt{\log n})$ function, there is a negligible $\epsilon (n)$ for which

$$ \eta _\epsilon (\varLambda )\le \Vert \tilde{ \mathbf {B} }\Vert \cdot \omega ( \sqrt{\log n} ) $$

Lemma 3.4

(Smooth over the cosets [25]). Let $\varLambda $, $\varLambda '$ be n-dimensional lattices s.t. $\varLambda '\subseteq \varLambda $. Then for any $\epsilon >0$, $\sigma >\eta _\epsilon (\varLambda ')$, and $ \mathbf {c} \in \mathbb {R}^n$, we have

$$ \varDelta ( D_{\varLambda , \sigma , \mathbf {c} } \bmod \varLambda ',~U(\varLambda \bmod \varLambda '))<2\epsilon $$

Lemma 3.5

([32, 35]). Let $ \mathbf {B} $ be a basis of an n-dimensional lattice $\varLambda $, and let $\sigma \ge \Vert \tilde{ \mathbf {B} }\Vert \cdot \omega ( \log n)$, then $\Pr _{ \mathbf {x} \leftarrow D_{\varLambda , \sigma }}[ \Vert \mathbf {x} \Vert \ge \sigma \cdot \sqrt{n} \vee \mathbf {x} = \mathbf {0} ]\le \mathop {{\text {negl}}}(n)$.

Lemma 3.6

([9, 25]). There is a p.p.t. algorithm that, given a basis $ \mathbf {B} $ of an n-dimensional lattice $\varLambda ( \mathbf {B} )$, $ \mathbf {c} \in \mathbb {R}^n$, $\sigma \ge \Vert \tilde{ \mathbf {B} }\Vert \cdot \sqrt{\ln (2n + 4)/\pi }$, outputs a sample from $D_{\varLambda ,\sigma , \mathbf {c} }$.

Learning with errors. We recall the learning with errors problem.

Definition 3.7

(Decisional learning with errors (LWE) [37]). For $n, m\in \mathbb {N}$ and modulus $q \ge 2$, distributions for secret vectors, public matrices, and error vectors $\theta , \pi , \chi \subseteq \mathbb {Z}_q$. An LWE sample is obtained from sampling $ \mathbf {s} \leftarrow \theta ^n$, $ \mathbf {A} \leftarrow \pi ^{n\times m}$, $ \mathbf {e} \leftarrow \chi ^m$, and outputting $( \mathbf {A} , \mathbf {s} ^T \mathbf {A} + \mathbf {e} ^T \mod q)$.

We say that an algorithm solves $\mathsf {LWE}_{n, m, q, \theta , \pi , \chi }$ if it distinguishes the LWE sample from a random sample distributed as $\pi ^{n\times m} \times U(\mathbb {Z}^{1\times m}_q)$ with probability bigger than 1/2 plus non-negligible.

Lemma 3.8

(Regularity of Ajtai function [37]). Fix a constant $c>1$, let $m \ge c n \log q$. Then for all but $q^{\frac{-(c-1)n}{4}}$ fraction of $ \mathbf {A} \in \mathbb {Z}^{n\times m}_q$, the statistical distance between a random subset-sum of the columns of $ \mathbf {A} $ and uniform over $\mathbb {Z}_q^n$ is less than $q^{\frac{-(c-1)n}{4}}$.

Lemma 3.9

(Standard form [9, 33, 34, 37]). Given $n\in \mathbb {N}$, for any $m = \mathop {{\text {poly}}}(n)$, $q\le 2^{\mathop {{\text {poly}}}(n)}$. Let $\theta = \pi = U(\mathbb {Z}_q)$, $\chi = D_{\mathbb {Z}, \sigma }$ where $\sigma \ge 2\sqrt{n}$. If there exists an efficient (possibly quantum) algorithm that breaks $\mathsf {LWE}_{n, m, q, \theta , \pi , \chi }$, then there exists an efficient (possibly quantum) algorithm for approximating $\mathsf {SIVP}$ and $\mathsf {Gap}\mathsf {SVP}$ in the $\ell _2$ norm, in the worst case, to within $\tilde{O}(nq/\sigma )$ factors.

We drop the subscripts of $\mathsf {LWE}$ when referring to standard form of LWE with the parameters specified in Lemma 3.9. In this article we frequently use the following variant of LWE that is implied by the standard form.

Lemma 3.10

(LWE with small public matrices [7]). For $n, m, q, \sigma $ chosen as was in Lemma 3.9, $\mathsf {LWE}_{n',m,q,U(\mathbb {Z}_q),D_{\mathbb {Z}, \sigma },D_{\mathbb {Z}, \sigma }}$ is as hard as $\mathsf {LWE}_{n,m,q,U(\mathbb {Z}_q),U(\mathbb {Z}_q),D_{\mathbb {Z}, \sigma }}$ for $n'\ge 2\cdot n\log q$.

Trapdoor and preimage sampling. Given $ \mathbf {A} \in \mathbb {Z}^{n\times m}_q$, denote the kernel lattice of $ \mathbf {A} $ as

$$\begin{aligned} \varLambda ^\bot ( \mathbf { \mathbf {A} } ):= \left\{ \mathbf {c} \in \mathbb {Z}^{m}: \mathbf {A} \cdot \mathbf {c} = 0^n \pmod q \right\} . \end{aligned}$$

Given any $ \mathbf {y} \in \mathbb {Z}_q^n$, $\sigma >0$, we use $ \mathbf {A} ^{-1}( \mathbf {y} , \sigma )$ to denote the distribution of a vector $ \mathbf {d} $ sampled from $D_{\mathbb {Z}^m,\sigma }$ conditioned on $ \mathbf {A} \mathbf {d} = \mathbf {y} \pmod q$. We sometimes suppress $\sigma $ when the context is clear.

Lemma 3.11

([1, 3, 31]). There is a p.p.t. algorithm $\mathsf {Trap}\mathsf {Sam}(1^n, 1^m, q)$ that, given the modulus $q\ge 2$, dimensions n, m such that $m \ge 2n\log q$, outputs $ \mathbf {A} \approx _s U(\mathbb {Z}^{n\times m}_q)$ with a trapdoor $\tau $.

Following Lemmas 3.6 and 3.11,

Lemma 3.12

There is a p.p.t. algorithm that for $\sigma \ge 2\sqrt{n\log q}$, given $( \mathbf {A} , \tau )\leftarrow \mathsf {Trap}\mathsf {Sam}(1^n, 1^m, q)$, $ \mathbf {y} \in \mathbb {Z}_q^n$, outputs a sample from $ \mathbf {A} ^{-1}( \mathbf {y} , \sigma )$.

Lemma 3.13

([25]). For all but negligible probability over $( \mathbf {A} , \tau )\leftarrow \mathsf {Trap}\mathsf {Sam}(1^n, 1^m, q)$, for sufficiently large $\sigma \ge 2\sqrt{n\log q}$, the following distributions are efficiently samplable and statistically close:

$$ \left\{ \mathbf {A} , \mathbf {x} , \mathbf {y} : \mathbf {y} \leftarrow U(\mathbb {Z}^n_q), \mathbf {x} \leftarrow \mathbf {A} ^{-1}( \mathbf {y} , \sigma ) \right\} \approx _s \left\{ \mathbf {A} , \mathbf {x} , \mathbf {y} : \mathbf {x} \leftarrow D_{\mathbb {Z}^{m}, \sigma }, \mathbf {y} = \mathbf {A} \mathbf {x} \right\} . $$

Lemma 3.14

(Bonsai technique [14]). Let $n, m, m_1, m_2, q\in \mathbb {N}, \sigma \in \mathbb {R}$ satisfy $m = m_1 + m_2$, $m_2 \ge 2n\log q$, $\sigma > 2\sqrt{n\log q}$. For any $ \mathbf {y} \in \mathbb {Z}_q^n$, the following two distributions are efficiently samplable and statistically close.

1.
Let $( \mathbf {A} , \tau )\leftarrow \mathsf {Trap}\mathsf {Sam}(1^n, 1^m, q)$, $ \mathbf {d} \leftarrow \mathbf {A} ^{-1}( \mathbf {y} , \sigma )$. Output $( \mathbf {A} , \mathbf {d} )$.
2.
Let $ \mathbf {A} _1\leftarrow U(\mathbb {Z}_q^{n\times m_1})$, $( \mathbf {A} _2, \tau _2)\leftarrow \mathsf {Trap}\mathsf {Sam}(1^n, 1^{m_2}, q)$; $ \mathbf {d} _1\leftarrow D_{\mathbb {Z}^{m_1}, \sigma }$, $ \mathbf {d} _2 \leftarrow \mathbf {A} _2^{-1}( \mathbf {y} - \mathbf {A} _1\cdot \mathbf {d} _1, \sigma )$. Let $ \mathbf {A} = [ \mathbf {A} _1, \mathbf {A} _2 ]$, $ \mathbf {d} = [ \mathbf {d} _1^T, \mathbf {d} _2^T]^T$. Output $( \mathbf {A} , \mathbf {d} )$.

4 New Lemmas on Preimage Sampling

In this section, we present new lemmas related to lattice preimage sampling. These lemmas are essential to the proof of semantic security for non-permutation branching programs, as outlined in Sect. 2.2.

The first is a statistical lemma which states that for all but negligibly many matrix $ \mathbf {A} $ (with proper dimensions), for any matrix $\mathbf {Z}$, the following two distributions are statistically indistinguishable:

$$\begin{aligned} \big ( \mathbf {A} , \mathbf {A}^{-1}{\mathbf {Z}\atopwithdelims ()\mathbf {U}}\big ) \approx _s \big ( \mathbf {A} , \overline{\mathbf {A}}^{-1}(\mathbf {Z})\big ) \end{aligned}$$

where the distributions are over random choices of a matrix $\mathbf {U}$ and probability distributions $\mathbf {A}^{-1}(\cdot )$ and $\overline{\mathbf {A}}^{-1}(\cdot )$. This is in essence an extension of the trapdoor sampling lemma from Gentry, Peikert and Vaikuntanathan [25].

The second is a computational lemma which states that for any matrix $\mathbf {Z}$, the following two distributions are computationally indistinguishable:

$$\mathbf {A}^{-1}(\mathbf {Z}+ \mathbf {E}) \approx _c \mathbf {A}^{-1}(\mathbf {U})$$

where the distributions are over random private choices of $\mathbf {A}, \mathbf {E}$ and $\mathbf {U}$ and the coins of $\mathbf {A}^{-1}(\cdot )$. The computational indistinguishability relies on the hardness of the decisional learning with errors (LWE) problem.

4.1 The Statistical Lemma

We prove the above statistical lemma for vectors; the setting for matrices follow readily via a hybrid argument.

Lemma 4.1

Let $\epsilon >0$. Given $\sigma \in R^+$, $n', n, m, q\in \mathbb {N}$. For all but a $q^{-2n'}$ fraction of $\overline{\mathbf {A}}\in \mathbb {Z}_q^{n'\times m}$, all but a $q^{-2n}$ fraction of $\underline{\mathbf {A}}\in \mathbb {Z}_q^{n\times m}$, let $\mathbf {A}:= {\overline{\mathbf {A}}\atopwithdelims ()\underline{\mathbf {A}}}$. For $\sigma >\eta _\epsilon (\varLambda ^\bot ( \mathbf {A} ))$, $m\ge 9(n'+n)\log q$. For a fixed $ \mathbf {z} \in \mathbb {Z}^{n'}_q$, for $ \mathbf {u} \leftarrow U(\mathbb {Z}^n_q)$, we have

$$ \mathbf {A}^{-1}( { \mathbf {z} \atopwithdelims () \mathbf {u} }, \sigma ) \text { and } \overline{\mathbf {A}}^{-1}( \mathbf {z} , \sigma ) $$

are $2\epsilon $-statistically close.

Proof

We need two lemmas to assist the proof of Lemma 4.1.

Lemma 4.2

Let $c>9$. For $n', n, m, q\in \mathbb {N}$ such that $m\ge c(n'+n)\log q$. For all but $q^{-2n'}$ fraction of $\overline{\mathbf {A}}\in \mathbb {Z}_q^{n'\times m}$, all but $q^{-2n}$ fraction of $\underline{\mathbf {A}}\in \mathbb {Z}_q^{n\times m}$, we have $ \left\{ \underline{\mathbf {A}}\cdot \mathbf {x} \mid \mathbf {x} \in \{0,1\}^m \cap \varLambda ^\bot ( \mathbf {\overline{\mathbf {A}}} ) \right\} = \mathbb {Z}^n_q$.

Proof

From Lemma 3.8, we have for all but $q^{-2n'}$ fraction of $\overline{\mathbf {A}}\in \mathbb {Z}_q^{n'\times m}$

$$\begin{aligned} \left| \Pr _{ \mathbf {x} \in \{0,1\}^m}[ \overline{\mathbf {A}}\cdot \mathbf {x} = 0^{n'} ] - q^{-n'} \right| < 2 q^{-2n'} \Rightarrow \Pr _{ \mathbf {x} \in \{0,1\}^m}[ \overline{\mathbf {A}}\cdot \mathbf {x} = 0^{n'} ] > 0.99 \cdot q^{-n'} \end{aligned}$$

(8)

Let $ \mathbf {x} \leftarrow U(\{0,1\}^m \cap \varLambda ^\bot ( \mathbf {\overline{\mathbf {A}}} ))$, we have $H_\infty ( \mathbf {x} )>m-2n'\log q$. For $\delta >0$, by setting $m \ge n \log q + 2 n' \log q + 2 \log (1/\delta )$, we have that for $\underline{\mathbf {A}}\leftarrow U(\mathbb {Z}_q^{n\times m})$,

$$( \underline{\mathbf {A}}, \underline{\mathbf {A}}\cdot \mathbf {x} ) \text { and } (\underline{\mathbf {A}}, U(\mathbb {Z}_q^n) )$$

are $\delta $-statistically close following leftover hash lemma (cf. Lemma 3.1).

Then Lemma 4.2 follows by setting $\delta = q^{-4n}$ and take a union bound for $\underline{\mathbf {A}}$.

Lemma 4.3

For $n', n, m, q\in \mathbb {N}$, $\sigma >0$. $\overline{\mathbf {A}}\in \mathbb {Z}^{n'\times m}_q$, $\underline{\mathbf {A}}\in \mathbb {Z}^{n\times m}_q$. Assuming the columns of $\mathbf {A}:= {\overline{\mathbf {A}}\atopwithdelims ()\underline{\mathbf {A}}}$ generate $\mathbb {Z}_q^{n'+n}$. For any vectors $ \mathbf {u} \in \mathbb {Z}^{n}_q$, $ \mathbf {z} \in \mathbb {Z}^{n'}_q$, and $ \mathbf {c} \in \mathbb {Z}^m$ where $\mathbf {A}\cdot \mathbf {c} = { \mathbf {z} \atopwithdelims () \mathbf {u} } \mod q$. The conditional distribution D of $ \mathbf {x} \leftarrow \mathbf {c} + D_{\varLambda ^\bot ( \mathbf {\overline{\mathbf {A}}} ), \sigma , - \mathbf {c} }$ given $\underline{\mathbf {A}} \mathbf {x} = \mathbf {u} \mod q$ is exactly $ \mathbf {c} + D_{\varLambda ^\bot ( \mathbf {A} ), \sigma , - \mathbf {c} }$.

Proof

Observe that the support of D is $ \mathbf {c} +\varLambda ^\bot ( \mathbf {A} )$. We compute the distribution D: for all $ \mathbf {x} \in \mathbf {c} +\varLambda ^\bot ( \mathbf {A} )$,

$$\begin{aligned} D( \mathbf {x} ) = \frac{ \rho _{\sigma }( \mathbf {x} ) }{ \rho _{\sigma }( \mathbf {c} +\varLambda ^\bot ( \mathbf {A} ) ) } = \frac{ \rho _{\sigma ,- \mathbf {c} }( \mathbf {x} - \mathbf {c} ) }{ \rho _{\sigma ,- \mathbf {c} }(\varLambda ^\bot ( \mathbf {A} )) } = D_{\varLambda ^\bot ( \mathbf {A} ), \sigma , - \mathbf {c} }( \mathbf {x} - \mathbf {c} ). \end{aligned}$$

(9)

Finally from Lemma 3.4, let $\varLambda = \varLambda ^\bot ( \mathbf {\overline{\mathbf {A}}} )$, $\varLambda ' = \varLambda ^\bot ( \mathbf {A} )$, we have $\varLambda '\subseteq \varLambda $. Since $\sigma >\eta _\epsilon (\varLambda ')$, $D_{ \varLambda ^\bot ( \mathbf {\overline{\mathbf {A}}} ), \sigma , - \mathbf {c} }$ is $2\epsilon $-statistically close to uniform over the cosets of the quotient group $(\varLambda ^\bot ( \mathbf {\overline{\mathbf {A}}} ) / \varLambda ^\bot ( \mathbf {A} ))$. The rest of the proof of Lemma 4.1 follows Lemma 4.3 and Lemma 4.2.

4.2 The Computational Lemma

Lemma 4.4

Given $n, m, k, q\in \mathbb {N}, \sigma \in \mathbb {R}$ such that $n, m, k\in \mathop {{\text {poly}}}(\lambda )$, $m\ge 4n\log q$, $\sigma \ge 2\sqrt{n\log q}$. For arbitrary matrix $ \mathbf {Z} \in \mathbb {Z}^{n\times k}_q$, the following two distributions are computationally indistinguishable assuming $\mathsf {LWE}_{m,k,q,U(\mathbb {Z}_q),D_{\mathbb {Z}, \sigma },D_{\mathbb {Z}, \sigma }}$.

Distribution 1. :: Let $ \mathbf {A} , \tau \leftarrow \mathsf {Trap}\mathsf {Sam}(1^n, 1^m, q)$, $ \mathbf {E} \leftarrow D^{n\times k}_{\mathbb {Z}, \sigma }$. Sample $ \mathbf {D} \leftarrow \mathbf {A} ^{-1}( \mathbf {Z} + \mathbf {E} , \sigma )$ using $\tau $. Output $ \mathbf {D} $.
Distribution 2. :: Sample $ \mathbf {D} = D^{m\times k}_{\mathbb {Z}, \sigma }$. Output $ \mathbf {D} $.

Proof

We prove a stronger statement where the computational indistinguishability holds even when $ \mathbf {Z} $ is given to the adversary. The proof uses the Bonsai technique [14]. Let $m = m_1 + m_2$ such that $m_1, m_2 \ge 2n\log q$. We introduce 2 intermediate distributions,

Distribution 1.1. :: Let $ \mathbf {A} _1\leftarrow U(\mathbb {Z}_q^{n\times m_1})$, $( \mathbf {A} _2, \tau _2)\leftarrow \mathsf {Trap}\mathsf {Sam}(1^n, 1^{m_2}, q)$. Sample $ \mathbf {D} _1 \leftarrow D^{m_1\times k}_{\mathbb {Z}, \sigma }$. Let $ \mathbf {E} \leftarrow D^{n\times k}_{\mathbb {Z}, \sigma }$, sample $ \mathbf {D} _2 \leftarrow \mathbf {A} _2^{-1}(( - \mathbf {A} _1\cdot \mathbf {D} _1+ \mathbf {E} + \mathbf {Z} ), \sigma )$ using $\tau _2$. Let $ \mathbf {D} := { \mathbf {D} _1 \atopwithdelims () \mathbf {D} _2 }$. Output $ \mathbf {D} $.
Distribution 1.2. :: Let $ \mathbf {A} _1\leftarrow U(\mathbb {Z}_q^{n\times m_1})$, $( \mathbf {A} _2, \tau _2)\leftarrow \mathsf {Trap}\mathsf {Sam}(1^n, 1^{m_2}, q)$. Sample $ \mathbf {D} _1 \leftarrow D^{m_1\times k}_{\mathbb {Z}, \sigma }$. Let $ \mathbf {U} \leftarrow U(\mathbb {Z}_q^{n\times k})$, sample $ \mathbf {D} _2 \leftarrow \mathbf {A} _2^{-1}(( \mathbf {U} + \mathbf {Z} ), \sigma )$ using $\tau _2$. Let $ \mathbf {D} := { \mathbf {D} _1 \atopwithdelims () \mathbf {D} _2 }$. Output $ \mathbf {D} $.

Then Distributions 1 and 1.1 are statistically close following Lemma 3.14. Distributions 2 and 1.2 are statistically close following Lemma 3.13.

It remains to prove that Distribution $1{.}1\approx _c$ Distribution 1.2 assuming $\mathsf {LWE}_{m_1,k,q,U(\mathbb {Z}_q),D_{\mathbb {Z}, \sigma },D_{\mathbb {Z}, \sigma }}$. This follows by taking $( \mathbf {D} _1, - \mathbf {A} _1\cdot \mathbf {D} _1 + \mathbf {E} )$ as the LWE sample, where $ \mathbf {A} _1$ is the concatenation of n independent uniform secret vectors, $ \mathbf {D} _1$ is the low-norm public matrix and $ \mathbf {E} $ is the error matrix.

Formally, suppose there exists a p.p.t. distinguisher A for Distribution 1.1 and Distribution 1.2, we build a distinguisher $A'$ for $\mathsf {LWE}_{m_1,k,q,U(\mathbb {Z}_q),D_{\mathbb {Z}, \sigma },D_{\mathbb {Z}, \sigma }}$. Given the challenge sample $( \mathbf {D} _1, \mathbf {Y} _1)$, $A'$ runs $( \mathbf {A} _2, \tau _2)\leftarrow \mathsf {Trap}\mathsf {Sam}(1^n, 1^{m_2}, q)$, samples $ \mathbf {D} _2 \leftarrow \mathbf {A} _2^{-1}(( \mathbf {Y} _1+ \mathbf {Z} ), \sigma )$ using $\tau _2$, send $ \mathbf {D} := { \mathbf {D} _1 \atopwithdelims () \mathbf {D} _2 }$ to the adversary A. If A says it is from Distribution 1.1, then $A'$ chooses “LWE”; if A says Distribution 1.2, then $A'$ chooses “random”. The success probability of $A'$ is same to the success probability of A.

5 Generalized GGH15 Encodings

We present the abstraction of generalized GGH15 encodings. The abstraction includes a construction framework and definitions of security notions.

5.1 The Construction Framework

We begin with a description of the construction:

Construction 5.1

(${\gamma }$-GGH15 Encodings). The randomized algorithm $\mathsf {ggh{.}encode}$ takes the following inputs

Parameters^{Footnote 5} $1^\lambda $, $h,n,m,q,t,w\in \mathbb {N}$, $\sigma \in \mathbb {R}^*$ and the description of a distribution $\chi $ over $\mathbb {Z}$.
A function $\gamma : \mathbb {Z}^{w \times w} \times \mathbb {Z}^{n \times n} \rightarrow \mathbb {Z}^{t \times t}$.
Matrices $ \left\{ \mathbf {M}_{i,b} \in \mathbb {Z}^{w \times w}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}, \left\{ \mathbf {S}_{i,b}\in \mathbb {Z}^{n \times n}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$.
A matrix $\mathbf {A}_h \in \mathbb {Z}_q^{t \times m}$.

It generates the output as follows

Samples $ \left\{ \mathbf {A} _{i}, \tau _i \leftarrow \mathsf {Trap}\mathsf {Sam}(1^t, 1^m, q) \right\} _{i\in \left\{ 0,1,...,h-1 \right\} }$.
Samples $ \left\{ \mathbf {E} _{i,b}\leftarrow \chi ^{t\times m} \right\} _{i \in [h], b \in \{0,1\}}$.
For $i\in [h], b\in \{0,1\}$, let $ \mathbf {\hat{S}} _{i,b} := \gamma (\mathbf {M}_{i,b},\mathbf {S}_{i,b}) $, then samples
$$\begin{aligned} \mathbf {D}_{i,b} \leftarrow \mathbf {A}_{i-1}^{-1}( \mathbf {\hat{S}} _{i,b} \cdot \mathbf {A} _{i}+ \mathbf {E} _{i,b}, \sigma ) \end{aligned}$$
using $\tau _{i-1}$.
Outputs $ \mathbf {A} _0$, $ \left\{ \mathbf {D} _{i,b} \right\} _{i\in [h], b\in \{0,1\}}$.

We require $\gamma $ to be multiplicatively homomorphic:

$$ \gamma (\mathbf {M},\mathbf {S})\cdot \gamma (\mathbf {M}',\mathbf {S}') = \gamma (\mathbf {M}\cdot \mathbf {M}', \mathbf {S}\cdot \mathbf {S}') $$

Remark 5.2

(Comparison with GGH15). The goal of the original GGH15 graded encodings in [23] was to emulate the functionality provided by multi-linear maps with respect to some underlying directed acyclic graph. The basic unit of the construction is an encoding of a low-norm matrix $ \mathbf {\hat{S}} $ along $\mathbf {A}_0 \mapsto \mathbf {A}_1$ given by $\mathbf {A}_0^{-1}( \mathbf {\hat{S}} \mathbf {A}_1 + \mathbf {E})$, where $ \mathbf {\hat{S}} $ must be drawn from some high-entropy distribution to achieve any meaningful notion of security.

Following [13, 26, 27, 38], we think of $ \mathbf {\hat{S}} $ as being deterministically derived from an arbitrary low-norm matrix $\mathbf {M}$ and a random low-norm matrix $\mathbf {S}$ via some fixed function $\gamma $ given by $\gamma : (\mathbf {M},\mathbf {S}) \mapsto \mathbf {M}\otimes \mathbf {S}$ in the afore-mentioned constructions. Here, we make $\gamma $ an explicit parameter to the construction, so that we obtain a family of constructions parameterized by $\gamma $, which we refer to as the “$\gamma $-GGH15 encodings”.

Looking ahead to Sect. 5.2, another advantage of decoupling $ \mathbf {\hat{S}} $ into $\mathbf {M}$ and $\mathbf {S}$ is that we can now require semantic security for arbitrary inputs $\mathbf {M}$ and random choices of $\mathbf {S}$ (more precisely, arbitrary $ \left\{ \mathbf {M}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$ and random $ \left\{ \mathbf {S}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$), as considered in [38]. Moreover, this notion of semantic security can be achieved under the LWE assumption for some specific $\gamma $ and classes of matrices $\mathbf {M}$. Here, we make explicit the idea that semantic security should be defined with respect to some fixed auxiliary function $\mathsf {aux}$ of the matrices $ \left\{ \mathbf {S}_{i,b} \right\} _{i \in [h], b \in \{0,1\}},\mathbf {A}_0,\ldots ,\mathbf {A}_h$.

Functionality. The next lemma captures the functionality provided by the construction, namely that for all $\mathbf x\in \{0,1\}^h$,

$$\begin{aligned} \mathbf {A}_0 \cdot \mathbf {D}_\mathbf x\approx \gamma (\mathbf {M}_\mathbf x,\mathbf {S}_\mathbf x) \cdot \mathbf {A}_h \end{aligned}$$

Lemma 5.3

(Functionality of $\gamma $-GGH15 encodings). Suppose $\gamma $ is multiplicatively homomorphic. For all inputs to the Construction 5.1 s.t. $\sigma >\varOmega (\sqrt{t\log q})$, $m>\varOmega (t\log q)$, $\Vert \chi \Vert \le \sigma $; we have for all $\mathbf x\in \{0,1\}^h$, with all but negligible probability over the randomness in Construction 5.1,

$$\begin{aligned} \Vert \mathbf {A}_0 \cdot \mathbf {D}_\mathbf x- \gamma (\mathbf {M}_\mathbf x,\mathbf {S}_\mathbf x) \cdot \mathbf {A}_h\Vert _\infty \le h\cdot \left( m \sigma \cdot \max _{i,b}{\Vert \gamma (\mathbf {M}_{i,b},\mathbf {S}_{i,b}) \Vert } \right) ^h . \end{aligned}$$

Proof

Recall $ \mathbf {\hat{S}} _{i,b} = \gamma (\mathbf {M}_{i,b},\mathbf {S}_{i,b})$. It is straight-forward to prove by induction that for all $h'=0,1,\ldots ,h$:

$$\begin{aligned} \mathbf {A}_0 \cdot \prod _{k=1}^{h'} \mathbf {D}_{k, x_k} = \left( \prod _{i=1}^{h'} \mathbf {\hat{S}} _{i,x_i} \right) \mathbf {A} _{h'} + \sum _{j=1}^{h'}\left( \left( \prod _{i=1}^{j-1} \mathbf {\hat{S}} _{i,x_i}\right) \cdot \mathbf {E} _{j, x_j} \cdot \prod _{k=j+1}^{h} \mathbf {D}_{k, x_k} \right) \end{aligned}$$

(10)

The base case $h'=0$ holds trivially. The inductive step uses the fact that for all $h'=1,\ldots ,h$:

$$\mathbf {A}_{h'-1} \cdot \mathbf {D}_{h',x_{h'}} = \mathbf {\hat{S}} _{h',x_{h'}} \cdot \mathbf {A}_{h'} + \mathbf {E} _{h',x_{h'}}$$

From the homomorphic property of $\gamma $ we can deduce that

$$\prod _{i=1}^{h} \mathbf {\hat{S}} _{i,x_i} = \prod _{i=1}^{h} \gamma (\mathbf {M}_{i,x_i},\mathbf {S}_{i,x_i}) = \gamma (\mathbf {M}_\mathbf x,\mathbf {S}_\mathbf x)$$

Finally, we bound the error term as follows:

$$\begin{aligned} \Vert \mathbf {A}_0 \cdot \mathbf {D}_\mathbf x- \gamma (\mathbf {M}_\mathbf x,\mathbf {S}_\mathbf x) \cdot \mathbf {A}_h\Vert _\infty= & {} \left\| \sum _{j=1}^{h}\left( \prod _{i=1}^{j-1}( \mathbf {\hat{S}} _{i, x_i} )\cdot \mathbf {E} _{j, x_j} \cdot \prod _{k=j+1}^{h} \mathbf {D}_{k, x_k} \right) \right\| _\infty \\\le & {} h \cdot \sqrt{t}\cdot \sigma \cdot \left( \sqrt{t}\cdot \max _{i,b}{\Vert \gamma (\mathbf {M}_{i,b},\mathbf {S}_{i,b}) \Vert } \cdot \sigma \cdot \sqrt{m} \right) ^{h-1} \\\le & {} h \cdot \left( \max _{i,b}{\Vert \gamma (\mathbf {M}_{i,b},\mathbf {S}_{i,b}) \Vert } \cdot \sigma \cdot m \right) ^{h} \end{aligned}$$

Looking ahead, in the applications we will set the parameters to ensure that the threshold $B:=h\cdot (m \sigma \cdot \max _{i,b}{\Vert \gamma (\mathbf {M}_{i,b},\mathbf {S}_{i,b}) \Vert } )^h$ is relatively small compared to the modulus q.

Remark 5.4

(Dimensions of $\mathbf {A}_h$). The construction and many analyses in this article can be obviously generalized to the cases where the dimensions of matrices are more flexible. As an example, the matrix $\mathbf {A}_h$ can be chosen from $\mathbb {Z}_q^{t}$ instead of $\mathbb {Z}_q^{t \times m}$ (as a result, $ \mathbf {D} _{h,0}$, $ \mathbf {D} _{h,1}$ are from $\mathbb {Z}^{m}$ instead of $\mathbb {Z}^{m\times m}$). This change maintains necessary functionalities, reduce the size of the construction, and is (more importantly) necessary for one of the proofs in the paper. For the ease of presentation we keep all the $ \mathbf {A} $ matrices with the same dimension, all the $ \mathbf {D} $ matrices with the same dimension, and mention the exceptions as they arise.

Interesting $\gamma $ functions. We are interested in the following 3 $\gamma $ functions:

$\gamma _{\otimes }: \{0,1\}^{w\times w} \times \mathbb {Z}^{n\times n} \rightarrow \mathbb {Z}^{(wn) \times (wn)}$, $ \mathbf {M} , \mathbf {S} \mapsto \mathbf {M} \otimes \mathbf {S} $.

$\gamma _{\otimes }$ with permutation matrices $ \mathbf {M} $ was introduced and studied in [13, 26, 27, 38].
$\gamma _{\text {diag}}: \mathbb {Z}^{w\times w} \times \mathbb {Z}^{n\times n} \rightarrow \mathbb {Z}^{(w+n) \times (w+n)}$, $ \mathbf {M} , \mathbf {S} \mapsto \begin{pmatrix}\mathbf {M}&{}\\ {} &{}\mathbf {S}\end{pmatrix}$.

$\gamma _{\text {diag}}$ is implicit in the constructions in [21, 29] and is central to the security analysis in this work.
$\gamma _{\otimes \text {diag}}: \{0,1\}^{w\times w} \times \mathbb {Z}^{n\times n} \rightarrow \mathbb {Z}^{(wn+n) \times (wn+n)}$, $ \mathbf {M} , \mathbf {S} \mapsto \begin{pmatrix}\mathbf {M}\otimes \mathbf {S}&{}\\ {} &{}\mathbf {S}\end{pmatrix}$.

We introduce $\gamma _{\otimes \text {diag}}$ in this work, which would be central to the applications in this paper.

Note that all of the three $\gamma $ functions are multiplicatively homomorphic and norm-preserving.

5.2 Security Notions

Intuitively, semantic security says that for all $\mathbf {M}$, the output of the $\gamma $-GGH15 encodings

$$\mathbf {A}_0, \left\{ \mathbf {D}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$$

hides $ \left\{ \mathbf {M}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$, for random choices of $ \left\{ \mathbf {S}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$ and $\mathbf {A}_0,\ldots ,\mathbf {A}_h$. We consider a more general notion parameterized by some fixed function $\mathsf {aux}$ of $ \left\{ \mathbf {S}_{i,b} \right\} _{i \in [h], b \in \{0,1\}},\mathbf {A}_0,\ldots ,\mathbf {A}_h$, and we require that $\mathsf {aux}, \left\{ \mathbf {D}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$ hides $ \left\{ \mathbf {M}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$.

Definition 5.5

(Semantic security with auxiliary input). We say that the $\gamma $-GGH15 encodings satisfies semantic security with auxiliary input $\mathsf {aux}$ for a family of matrices $\mathcal {M} \subseteq \mathbb {Z}^{w \times w}$ if for all $ \left\{ \mathbf {M}_{i,b} \in \mathcal {M} \right\} _{i \in [h], b \in \{0,1\}}$, we have

$$ \mathsf {aux}, \left\{ \mathbf {D} _{i,b} \right\} _{i \in [h], b \in \{0,1\}} \approx _c \mathsf {aux}, \left\{ {(D_{\mathbb {Z}, \sigma }^{m\times m})}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$$

where

$$\begin{aligned} \mathbf {S} _{i,b}\leftarrow D^{n\times n}_{\mathbb {Z}, \sigma }, \mathbf {A}_h \leftarrow U(\mathbb {Z}_q^{t\times m}), \left\{ \mathbf {D} _{i,b} \right\} \leftarrow \mathsf {ggh{.}encode}(\gamma , \left\{ \mathbf {M}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}, \left\{ \mathbf {S}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}, \mathbf {A}_h) \end{aligned}$$

and $\mathsf {aux}$ is a fixed function of $ \left\{ \mathbf {S}_{i,b} \right\} _{i \in [h], b \in \{0,1\}},\mathbf {A}_0,\ldots ,\mathbf {A}_h$.

Remark 5.6

($\gamma _\otimes $-GGH encodings with permutation matrices). Canetti and Chen [13] (also, [26, 38]) showed that the $\gamma _\otimes $-GGH15 encoding satisfies semantic security with auxiliary input $(\mathbf {A}_0,\mathbf {A}_1,\ldots ,\mathbf {A}_h)$ for the family of permutation matrices in $\{0,1\}^{w \times w}$.

We can prove that the $\gamma _\otimes $-GGH15 encoding satisfies semantic security with auxiliary input $(\mathbf {A}_0, \left\{ \mathbf {S}_{i,b} \right\} _{i \in [\ell ], b \in \{0,1\}})$ for the family of permutation matrices in $\{0,1\}^{w \times w}$, by using the LWE assumption with the $\mathbf {S}_{i,b}$ as the public matrices. Such a proof requires a multiplicative blow-up (of roughly $O(\log q)$) in the dimensions of the $\mathbf {S}_{i,b}$ matrices. One of the advantages of using the $\mathbf {S}$ matrices as the public matrices is that we can use the same $\mathbf {S}_0,\mathbf {S}_1$ across all the h levels, similar to the PRF construction in [7].

5.3 Semantic Security for $\gamma _{\text {diag}}$-GGH15 and $\gamma _{\otimes \text {diag}}$-GGH15 Encodings

In this section, we prove semantic security of the $\gamma _{\text {diag}}$-GGH15 and $\gamma _{\otimes \text {diag}}$-GGH15 encodings in Construction 5.1 under the LWE assumption, where

$$\gamma _{\text {diag}}(\mathbf {M},\mathbf {S}) = \begin{pmatrix}\mathbf {M}&{} \\ &{} \mathbf {S}\end{pmatrix}, \; \gamma _{\otimes \text {diag}}(\mathbf {M},\mathbf {S}) = \begin{pmatrix}\mathbf {M}\otimes \mathbf {S}&{} \\ &{} \mathbf {S}\end{pmatrix}.$$

In fact, we show that this holds given auxiliary input about $\mathbf {A}_0$ and $ \left\{ \mathbf {S}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$.

$\mathbf {S}$-dependent security. Concretely, we will derive semantic security of $\gamma _{\otimes \text {diag}}$ from that of $\gamma _{\text {diag}}$ by showing that the construction $\gamma _{\text {diag}}$ satisfies a stronger notion of $\mathbf {S}$-dependent security where the matrices $ \left\{ \mathbf {M}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$ may depend on $ \left\{ \mathbf {S}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$:

Definition 5.7

($\mathbf {S}$-dependent semantic security with auxiliary input). We say that the $\gamma $-GGH15 encodings satisfies $\mathbf {S}$-dependent semantic security with auxiliary input $\mathsf {aux}$ for a family of matrices $\mathcal {M} \subseteq \mathbb {Z}^{w \times w}$ if for every polynomial-size circuit $f : (\mathbb {Z}^{n \times n})^{2h} \rightarrow \mathcal {M}^{2h}$, we have

$$ \mathsf {aux}, \left\{ \mathbf {D} _{i,b} \right\} _{i \in [h], b \in \{0,1\}} \approx _c \mathsf {aux}, \left\{ {(D_{\mathbb {Z}, \sigma }^{m\times m})}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}$$

where

$$\begin{aligned} \mathbf {S} _{i,b}\leftarrow D^{n\times n}_{\mathbb {Z}, \sigma }, \mathbf {A}_h \leftarrow U(\mathbb {Z}_q^{t\times m}), \left\{ \mathbf {M}_{i,b} \right\} _{i \in [h], b \in \{0,1\}} = f( \left\{ \mathbf {S}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}), \\ \left\{ \mathbf {D} _{i,b} \right\} \leftarrow \mathsf {ggh{.}encode}(\gamma , \left\{ \mathbf {S}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}, \left\{ \mathbf {M}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}, \mathbf {A}_h) \end{aligned}$$

and $\mathsf {aux}$ is a fixed function of $ \left\{ \mathbf {S}_{i,b} \right\} _{i \in [h], b \in \{0,1\}},\mathbf {A}_0,\ldots ,\mathbf {A}_h$.

Theorem 5.8

($\mathbf {S}$-dependent semantic security of $\gamma _{\mathbf {diag}}$). Assuming $\mathsf {LWE}_{n,2m,q,U(\mathbb {Z}_q),D_{\mathbb {Z}, \sigma },D_{\mathbb {Z}, \sigma }}$, the $\gamma _{\text {diag}}$-GGH15 encodings in Construction 5.1 satisfies $\mathbf {S}$-dependent semantic security for $\mathcal {M} = \mathbb {Z}^{w \times w}$ with auxiliary input

$$\begin{aligned} \mathsf {aux}= \left\{ \mathbf {S}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}, \mathbf {J} \cdot \mathbf {A}_0, \overline{\mathbf {A}}_h \end{aligned}$$

where $\overline{\mathbf {A}}_h \in \mathbb {Z}_q^{w \times m}$ is the top w rows of $\mathbf {A}_h$ and $ \mathbf {J} \in \{0,1\}^{n \times (t-n)} \mid \mathbf {I} ^{n\times n}$.

Remark 5.9

(Necessity of $ \mathbf {J} \mathbf {A}_0$). Ideally, we would liked to have shown that semantic security holds with auxiliary input $\mathbf {A}_0$ (as opposed to $ \mathbf {J} \mathbf {A}_0$). However, such a statement is false for general $\mathcal {M} \in \mathbb {Z}^{w \times w}$. Concretely, given $\mathbf {A}_0, \mathbf {D}_{1,0}$, we can compute $\mathbf {A}_0 \cdot \mathbf {D}_{1,0}$ which leaks information about the structure of $\mathbf {M}_{1,0}$. In particular, we can distinguish between $\begin{pmatrix}1 &{} 0\\ 0 &{} 1\end{pmatrix}$ and $\begin{pmatrix}0 &{} 1\\ 0 &{} 1\end{pmatrix}$.

As an immediate corollary, we then have:

Corollary 5.10

(semantic security of $\gamma _{\otimes \mathbf {diag}}$). Assuming $\mathsf {LWE}_{n,2m,q, U(\mathbb {Z}_q)}$, ${D_{\mathbb {Z}, \sigma },D_{\mathbb {Z}, \sigma }}$, the $\gamma _{\otimes \text {diag}}$-GGH15 encodings in Construction 5.1 satisfies semantic security for $\mathcal {M} = \mathbb {Z}^{w \times w}$ with auxiliary input

$$\begin{aligned} \mathsf {aux}= \left\{ \mathbf {S}_{i,b} \right\} _{i \in [h], b \in \{0,1\}}, \mathbf {J} \cdot \mathbf {A}_0, \overline{\mathbf {A}}_h \end{aligned}$$

where $\overline{\mathbf {A}}_h \in \mathbb {Z}_q^{wn \times m}$ is the top wn rows of $\mathbf {A}_h$ and $ \mathbf {J} \in \{0,1\}^{n \times (t-n)} \mid \mathbf {I} ^{n\times n}$.

5.4 Proof of the Main Theorem

Proof

(Proof of Theorem 5.8 ). For $t, n, w\in \mathbb {N}$ such that $t = w + n$. For any matrix $ \mathbf {X} \in \mathbb {Z}^{t\times *}$, let $ \mathbf {X} = \begin{pmatrix} \overline{\mathbf {X}}\\ \underline{\mathbf {X}}\end{pmatrix}$, where $\overline{\mathbf {X}}\in \mathbb {Z}^{w\times *}$, $\underline{\mathbf {X}}\in \mathbb {Z}^{n\times *}$. For the sake of completeness we spell out the details of the real and simulated distributions which will be proven indistinguishable.

The real and simulated distributions. In the real distribution the adversary is given

$$ \mathbf {J} \cdot \mathbf {A} _0, \left\{ \boxed { \mathbf {D} _{i,b}}, \mathbf {S} _{i,b}, \mathbf {M} _{i,b} \right\} _{i\in [h],b\in \{0,1\}}, \overline{\mathbf {A}}_{h} $$

where

$ \left\{ \mathbf {A} _{i}, \tau _i \leftarrow \mathsf {Trap}\mathsf {Sam}(1^t, 1^m, q) \right\} _{i \in \left\{ 0,1,\ldots ,h-1 \right\} }, \mathbf {A}_h \leftarrow U(\mathbb {Z}_q^{t\times m})$
$ \mathbf {S} _{i,b}\leftarrow D^{n\times n}_{\mathbb {Z}, \sigma }, \left\{ \mathbf {M} _{i,b} \right\} _{i \in [h], b \in \{0,1\}} \leftarrow f( \left\{ \mathbf {S} _{i,b} \right\} _{i\in [h], b\in \{0,1\}})$
$\mathbf {D}_{i,b} \leftarrow \mathbf {A}_{i-1}^{-1}\begin{pmatrix}\mathbf {M}_{i,b} \overline{\mathbf {A}}_i + \overline{\mathbf {E}}_{i,b}\\ \mathbf {S}_{i,b} \underline{\mathbf {A}}_i + \underline{\mathbf {E}}_{i,b}\end{pmatrix}, \mathbf {E}_{i,b} \leftarrow \chi ^{t \times m}$

The simulated distribution is generated in the same way except that the adversary is given

$$\begin{aligned} \mathbf {J} \cdot \mathbf {A} _0, \left\{ \boxed { \mathbf {V}_{i,b} }, \mathbf {S} _{i,b}, \mathbf {M} _{i,b} \right\} _{i\in [h],b\in \{0,1\}}, \overline{\mathbf {A}}_{h} \end{aligned}$$

where $ \mathbf {V} _{i,b} \leftarrow D_{\mathbb {Z}, \sigma }^{m\times m}$.

To show that the real distribution is computationally indistinguishable from the simulated one, we introduce the following intermediate distributions.

Distributions 1.i, for $i\in \left\{ h+1, h, ..., 1 \right\} $. Let Distribution $1{.}(h+1)$ be identical to the real distribution. For $i = h$ down to 1, let Distributions 1.i be the same to Distributions $1{.}(i+1)$, except that $ \mathbf {A} _{i-1}$, $ \mathbf {D} _{i,0}$, $ \mathbf {D} _{i,1}$ are sampled differently. Let $(\overline{\mathbf {A}}_{i-1}, \tau _{i-1}) \leftarrow \mathsf {Trap}\mathsf {Sam}(1^w, 1^m, q)$, $\underline{\mathbf {A}}_{i-1}\leftarrow U(\mathbb {Z}_q^{n\times m})$. Sample $\mathbf {D}_{i,b} \leftarrow \overline{\mathbf {A}}_{i-1}^{-1}( (\mathbf {M}_{i,b} \overline{\mathbf {A}}_i + \overline{\mathbf {E}}_{i,b}), \sigma )$ using $\tau _{i-1}$, $b\in \{0,1\}$.

Distributions 2.0. Distribution 2.0 is sampled identically to Distribution 1.1, except that $ \mathbf {J} \cdot \mathbf {A} _0$ is replaced with a uniformly random matrix $ \mathbf {U} {\mathop {\leftarrow }\limits ^{\$}}\mathbb {Z}^{n\times m}$. Since $ \mathbf {J} \in \{0,1\}^{n \times (t-n)} \mid \mathbf {I} ^{n\times n}$, $ \mathbf {U} \approx _s \mathbf {J} \cdot \mathbf {A} _0$ for $ \mathbf {A} _0, \tau _0 \leftarrow \mathsf {Trap}\mathsf {Sam}(1^t, 1^m, q)$ due to Lemma 3.11.

Distributions 2.j, for $j\in \left\{ 1, ..., h \right\} $. For $j = 1, 2, ..., h$, let Distributions 2.j be the same to Distributions $2{.}(j-1)$, except that $ \mathbf {D} _{j,0}$, $ \mathbf {D} _{j,1}$ are sampled simply from $D^{m\times m}_{\mathbb {Z}, \sigma }$. Note that Distribution 2.h is identical to the simulated distribution, except that in Distribution 2.h, $ \mathbf {U} {\mathop {\leftarrow }\limits ^{\$}}\mathbb {Z}^{n\times m}$ is in the place where $ \mathbf {J} \cdot \mathbf {A} _0$ is in the simulated distribution, so they are statistically close again due to Lemma 3.11.

The sequence. We will show that:

$$ \text{ Real } = 1{.}(h+1) \approx _c 1{.}h \approx _c \cdots \approx _c 1{.}1 \approx _s 2{.}0 \approx _c 2{.}1 \approx _c \cdots \approx _c 2{.}h \approx _s \text{ Simulated } $$

In particular, the $\approx _c$’s will rely on the LWE assumption, using $\mathbf {A}_1,\ldots ,\mathbf {A}_\ell $ as LWE secrets in the following order: $\underline{\mathbf {A}}_\ell ,\ldots ,\underline{\mathbf {A}}_1,\overline{\mathbf {A}}_0,\ldots ,\overline{\mathbf {A}}_{\ell -1}$.

Lemma 5.11

For $i\in [h]$, Distribution $1{.}(i+1) \approx _c$ Distribution 1.i assuming $\mathsf {LWE}_{n,2n,q,U(\mathbb {Z}_q),D_{\mathbb {Z}, \sigma },D_{\mathbb {Z}, \sigma }}$.

Roughly speaking, we will show that for all $i \in [h]$,

$$ \left\{ \mathbf {A}_{i-1}^{-1}\begin{pmatrix}\mathbf {M}_{i,b} \overline{\mathbf {A}}_i + \overline{\mathbf {E}}_{i,b}\\ \mathbf {S}_{i,b} \underline{\mathbf {A}}_i + \underline{\mathbf {E}}_{i,b}\end{pmatrix} \right\} _{b \in \{0,1\}} \approx _c \left\{ \overline{\mathbf {A}}_{i-1}^{-1}(\mathbf {M}_{i,b} \overline{\mathbf {A}}_i + \overline{\mathbf {E}}_{i,b}) \right\} _{b \in \{0,1\}} $$

where the distinguisher is also given $\mathbf {A}_{i-1}, \tau _{i-1}, \mathbf {S}_{i,0}, \mathbf {S}_{i,1}, \mathbf {M}_{i,0}, \mathbf {M}_{i,1}, \overline{\mathbf {A}}_i$, but not $\underline{\mathbf {A}}_i$, so that we can treat $\underline{\mathbf {A}}_i$ as a LWE secret, cf. Lemma 4.4.

Proof

We introduce an intermediate distribution $1{.}i^*$, which is generated in the same way as Distributions $1{.}(i+1)$, except that $ \mathbf {D} _{i,0}$, $ \mathbf {D} _{i,1}$ are sampled as:

$$ \mathbf {D}_{i,b} \leftarrow \mathbf {A} _{i-1}^{-1}\left( \begin{pmatrix}\mathbf {M}_{i,b} \overline{\mathbf {A}}_i + \overline{\mathbf {E}}_{i,b}\\ \mathbf {U}_{i,b}\end{pmatrix}, \sigma \right) , b\in \{0,1\}. $$

where $(\mathbf {U}_{i,0},\mathbf {U}_{i,1})\leftarrow U(\mathbb {Z}_q^{n\times m}\times \mathbb {Z}_q^{n\times m})$.

The intermediate distribution $1{.}i^*$ is statistically close to Distribution 1.i due to Lemma 4.1. It remains to prove that $1{.}i^*$ is computationally indistinguishable from Distribution $1{.}(i+1)$. This follows Lemma 3.10, by treating $\underline{\mathbf {A}}_i$ as the LWE secret, and $\mathbf {S}_{i,0},\mathbf {S}_{i,1}$ as the public matrices.

Formally, if there’s an adversary A that distinguishes Distributions $1{.}(i+1)$ and $1{.}i^*$, we build a distinguisher $A'$ for $\mathsf {LWE}_{n,2n,q,U(\mathbb {Z}_q),D_{\mathbb {Z}, \sigma },D_{\mathbb {Z}, \sigma }}$ as follows. Once given the LWE challenge

$$\begin{aligned} \mathbf {S}_{i,0}, \mathbf {S}_{i,1}, \underline{\mathbf {Y}}_{i,0}, \underline{\mathbf {Y}}_{i,1} \end{aligned}$$

where $\mathbf {S}_{i,0}, \mathbf {S}_{i,1}$ are the low-norm public matrices, $\underline{\mathbf {Y}}_{i,0}, \underline{\mathbf {Y}}_{i,1}$ are either the $\mathsf {LWE}_{n,2n,q,U(\mathbb {Z}_q),D_{\mathbb {Z}, \sigma },D_{\mathbb {Z}, \sigma }}$ samples with the common secret $\underline{\mathbf {A}}_{i}\leftarrow U(\mathbb {Z}_q^{n\times m})$, or independent uniform samples from $\mathbb {Z}_q^{n\times m} \times \mathbb {Z}_q^{n\times m}$. The LWE distinguisher $A'$ proceeds as follows:

1.
Sample $ \left\{ \mathbf {S}_{k,b}\leftarrow D^{n\times n}_{\mathbb {Z}, \sigma } \right\} _{k\in [h], k\ne i, b\in \{0,1\}}$.
2.
For $k\in [h], b\in \{0,1\}$, compute $ \mathbf {M} _{k,b}\in \mathbb {Z}^{w\times w}$ using $f( \left\{ \mathbf {S} _{k,b} \right\} _{k\in [h], b\in \{0,1\}} )$.
3.
For $k\in \left\{ 0,1,...,i-1 \right\} $, sample $ \mathbf {A} _{k}, \tau _k \leftarrow \mathsf {Trap}\mathsf {Sam}(1^t, 1^m, q)$. For $k\in \left\{ i, i+1, ..., h-1 \right\} $, sample $\overline{\mathbf {A}}_{k}, \bar{\tau }_k \leftarrow \mathsf {Trap}\mathsf {Sam}(1^w, 1^m, q)$. Sample $\overline{\mathbf {A}}_h\leftarrow U(\mathbb {Z}_q^{t\times m})$.
4.
For $k\in [h], b\in \{0,1\}$, samples
$$ \mathbf {D} _{k,b} \leftarrow {\left\{ \begin{array}{ll} \mathbf {A}_{k-1}^{-1}{\mathbf {M}_{k,b} \overline{\mathbf {A}}_k + \overline{\mathbf {E}}_{k,b} \atopwithdelims ()\mathbf {S}_{k,b}\underline{\mathbf {A}}_k + \underline{\mathbf {E}}_{k,b}} &{}\text{ using } \tau _{k-1} \text{ if } k \le i-1\\ \mathbf {A}_{i-1}^{-1}{\mathbf {M}_{i,b} \overline{\mathbf {A}}_i + \overline{\mathbf {E}}_{i,b} \atopwithdelims ()\underline{\mathbf {Y}}_{i,b}} &{}\text{ using } \tau _{i-1} \text{ if } k = i\\ \overline{\mathbf {A}}_{k-1}^{-1}(\mathbf {M}_{k,b} \overline{\mathbf {A}}_k + \overline{\mathbf {E}}_{k,b}) &{}\text{ using } \bar{\tau }_{k-1} \text{ if } k \ge i+1 \end{array}\right. } $$
with standard deviation $\sigma $.

The LWE distinguisher $A'$ then sends

$$ \mathbf {J} \cdot \mathbf {A} _0, \left\{ \boxed { \mathbf {D} _{k,b}}, \mathbf {S} _{k,b}, \mathbf {M} _{k,b} \right\} _{k\in [h],b\in \{0,1\}}, \overline{\mathbf {A}}_{h} . $$

to the adversary A. If A says it is Distribution $1{.}(i+1)$, it corresponds to the LWE samples with low-norm public matrices; if A says Distribution $1{.}i^*$, it corresponds to the uniform distribution.

Lemma 5.12

For $j\in [h]$, Distribution $2{.}(j-1) \approx _c$ Distributions 2.j assuming $\mathsf {LWE}_{m,2m,q,U(\mathbb {Z}_q),D_{\mathbb {Z}, \sigma },D_{\mathbb {Z}, \sigma }}$.

Roughly speaking, we will show that for all $j \in [h]$,

$$ \left\{ \overline{\mathbf {A}}_{j-1}^{-1}(\mathbf {M}_{j,b} \overline{\mathbf {A}}_j + \overline{\mathbf {E}}_{j,b}) \right\} _{b \in \{0,1\}} \approx _c \left\{ D^{m \times m}_{\mathbb {Z},\sigma } \right\} _{b \in \{0,1\}} $$

where the distinguisher is also given $\mathbf {M}_{j,0}, \mathbf {M}_{j,1}, \overline{\mathbf {A}}_j$, but not $\overline{\mathbf {A}}_{j-1}$, so as to trigger Lemma 4.4.

Proof

For $j\in [h]$, suppose there exists an adversary A that distinguishes Distributions $2{.}(j-1)$ and 2.j, we build a distinguisher $A'$ for Distributions 1 and 2 in Lemma 4.4 as follows. Given challenging samples

$$\begin{aligned} \mathbf {D} _{j,0} \mid \mathbf {D} _{j,1} \in \mathbb {Z}^{m\times 2m} \end{aligned}$$

either obtained from $\overline{\mathbf {A}}_{j-1}^{-1}( \left[ \mathbf {M} _{j,0}\overline{\mathbf {A}}_j + \overline{\mathbf {E}}_{j,0} \mid \mathbf {M} _{j,1}\overline{\mathbf {A}}_j + \overline{\mathbf {E}}_{j,1} \right] )$ which corresponds to Distribution 1 in Lemma 4.4 (by treating $\left[ \mathbf {M} _{j,0}\overline{\mathbf {A}}_j \mid \mathbf {M} _{j,1}\overline{\mathbf {A}}_j \right] $ as the arbitrary matrix $ \mathbf {Z} $); or from $D_{\mathbb {Z}, \sigma }^{m\times 2m}$ which corresponds to Distribution 2 in Lemma 4.4. The distinguisher $A'$ proceeds as follows:

1.
For $k\in [h], b\in \{0,1\}$, sample $\mathbf {S}_{k,b}\leftarrow D^{n\times n}_{\mathbb {Z}, \sigma }$.
2.
For $k\in [h], b\in \{0,1\}$, compute $ \mathbf {M} _{k,b}\in \mathbb {Z}^{w\times w}$ using $f( \left\{ \mathbf {S} _{k,b} \right\} _{k\in [h], b\in \{0,1\}} )$.
3.
For $k\in \left\{ j, j+1, ..., h-1 \right\} $, sample $\overline{\mathbf {A}}_{k}, \bar{\tau }_k \leftarrow \mathsf {Trap}\mathsf {Sam}(1^w, 1^m, q)$. Sample $\overline{\mathbf {A}}_h\leftarrow U(\mathbb {Z}_q^{t\times m})$.
4.
For $k\in \left\{ 1, 2, ..., j-1, j+1, ..., h \right\} , b\in \{0,1\}$, samples
$$ \mathbf {D} _{k,b} \leftarrow {\left\{ \begin{array}{ll} D_{\mathbb {Z}, \sigma }^{m\times m} \text{ if } k \le j-1 \\ \overline{\mathbf {A}}_{k-1}^{-1}( \mathbf {M}_{k,b} \overline{\mathbf {A}}_k + \overline{\mathbf {E}}_{k,b}, \sigma ) \text{ using } \bar{\tau }_{k-1} \text{ if } k \ge j+1 \end{array}\right. }. $$
5.
Sample $ \mathbf {U} \leftarrow U(\mathbb {Z}_q^{n\times m})$.

$A'$ then sends

$$ \mathbf {U} , \left\{ \boxed { \mathbf {D} _{k,b}}, \mathbf {S} _{k,b}, \mathbf {M} _{k,b} \right\} _{k\in [h],b\in \{0,1\}}, \overline{\mathbf {A}}_{h}. $$

to the adversary A. Note that $A'$ correctly produce the output without $\overline{\mathbf {A}}_{j-1}$. So if A determines that the samples are from Distribution $2{.}(j-1)$, $A'$ chooses Distribution 1 in Lemma 4.4; if A determines that the samples are from Distribution 2.j, $A'$ chooses Distribution 2 in Lemma 4.4.

Theorem 5.8 follows from Lemmas 5.11 and 5.12.

Notes

1.
See Remark 5.2 for a comparison with the original GGH15 encodings.
2.
A reader who is familiar with Kilian’s randomization for branching programs should notice the similarity. In Kilian’s randomization, we randomize the product
$$\mathbf {M}_\mathbf x= \prod _{i=1}^\ell \mathbf {R}_{i-1}^{-1} \mathbf {M}_{i,x_i} \mathbf {R}_i$$
by picking random invertible matrices $\mathbf {R}_1,\ldots ,\mathbf {R}_{\ell -1}$ along with $\mathbf {R}_0 = \mathbf {R}_\ell = \mathbf {I}$. Here, we replace the square matrices $\mathbf {R}_i$’s with wide rectangular matrices $\mathbf {A}_i$’s, and change from left-multiplying $\mathbf {R}_{i-1}^{-1}$ to sampling a random Gaussian preimage of $\mathbf {A}_{i-1}$.
3.
In the GGH15 terminology, $\mathbf {D}_{i,b}$ would be an encoding of $\gamma (\mathbf {M}_{i,b},\mathbf {S}_{i,b})$ relative to the path $i-1 \mapsto i$.
4.
Here, we could have used $\mathbf {S}_{i,0},\mathbf {S}_{i,1}$ as the LWE secrets and $\underline{\mathbf {A}}_i$ as the public matrix; however, this strategy would break down when $\mathbf {M}_{i,b}$ depends on $\mathbf {S}_{i,b}$, which is needed in the applications.
5.
In the rest of the presentation, these parameters are omitted in the input of $\mathsf {ggh{.}encode}$.

References

Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48523-6_1
Chapter Google Scholar
Alamati, N., Peikert, C.: Three’s compromised too: circular insecurity for any cycle length from (ring-)LWE. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 659–680. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_23
Chapter Google Scholar
Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Theory Comput. Syst. 48(3), 535–553 (2011)
Article MathSciNet Google Scholar
Apon, D., Döttling, N., Garg, S., Mukherjee, P.: Cryptanalysis of indistinguishability obfuscations of circuits over GGH13. In: ICALP, volume 80 of LIPIcs, pp. 38:1–38:16. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2017)
Google Scholar
Mix Barrington, D.A.: Bounded-width polynomial-size branching programs recognize exactly those languages in nc$^1$. In: Hartmanis, J. (ed.) STOC, pp. 1–5. ACM (1986)
Google Scholar
Boneh, D., Kim, S., Montgomery, H.W.: Private puncturable PRFs from standard lattice assumptions. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 415–445. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_15
Chapter Google Scholar
Boneh, D., Lewi, K., Montgomery, H.W., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 410–428. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_23
Chapter Google Scholar
Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography. Contemp. Math. 324(1), 71–90 (2003)
Article MathSciNet Google Scholar
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, pp. 575–584. ACM (2013)
Google Scholar
Brakerski, Z., Rothblum, G.N.: Obfuscating conjunctions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 416–434. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_24
Chapter Google Scholar
Brakerski, Z., Tsabary, R., Vaikuntanathan, V., Wee, H.: Private constrained PRFs (and more) from LWE. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 264–302. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_10
Chapter Google Scholar
Brakerski, Z., Vaikuntanathan, V., Wee, H., Wichs, D.: Obfuscating conjunctions under entropic ring LWE. In: ITCS, pp. 147–156. ACM (2016)
Google Scholar
Canetti, R., Chen, Y.: Constraint-hiding constrained PRFs for NC$^1$ from LWE. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 446–476. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_16
Chapter Google Scholar
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. J. Cryptol. 25(4), 601–639 (2012)
Article MathSciNet Google Scholar
Chen, Y., Gentry, C., Halevi, S.: Cryptanalyses of candidate branching program obfuscators. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 278–307. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_10
Chapter Google Scholar
Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_1
Chapter Google Scholar
Coron, J.-S., Lee, M.S., Lepoint, T., Tibouchi, M.: Cryptanalysis of GGH15 multilinear maps. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 607–628. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_21
Chapter Google Scholar
Coron, J.-S., Lee, M.S., Lepoint, T., Tibouchi, M.: Zeroizing attacks on indistinguishability obfuscation over CLT13. In: Fehr, S. (ed.) PKC 2017, Part I. LNCS, vol. 10174, pp. 41–58. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_3
Chapter Google Scholar
Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_26
Chapter Google Scholar
Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_1
Chapter Google Scholar
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49 (2013)
Google Scholar
Garg, S., Miles, E., Mukherjee, P., Sahai, A., Srinivasan, A., Zhandry, M.: Secure obfuscation in a weak multilinear map model. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part B2. LNCS, vol. 9986, pp. 241–268. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_10
Chapter Google Scholar
Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_20
Chapter Google Scholar
Gentry, C., Lewko, A.B., Waters, B.: Witness encryption from instance independent assumptions. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 426–443. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_24
Chapter Google Scholar
Gentry, C., Peikert, C., Vaikuntanathan V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)
Google Scholar
Goyal, R., Koppula, V., Waters, B.: Lockable obfuscation. In: FOCS, pp. 612–621 (2017)
Google Scholar
Goyal, R., Koppula, V., Waters, B.: Separating semantic and circular security for symmetric-key bit encryption from the learning with errors assumption. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part II. LNCS, vol. 10211, pp. 528–557. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_18
Chapter Google Scholar
Goyal, R., Koppula, V., Waters, B.: Collusion resistant traitor tracing from learning with errors. In: STOC (2018)
Google Scholar
Halevi, S., Halevi, T., Shoup, V., Stephens-Davidowitz, N.: Implementing BP-obfuscation using graph-induced encoding. In: ACM CCS, pp. 783–798 (2017)
Google Scholar
Koppula, V., Waters, B.: Circular security separations for arbitrary length cycles from LWE. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 681–700. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_24
Chapter Google Scholar
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Chapter Google Scholar
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measure. SIAM J. Comput. 37(1), 267–302 (2007)
Article MathSciNet Google Scholar
Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: STOC, pp. 333–342 (2009)
Google Scholar
Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of ring-LWE for any ring and modulus. In: STOC, pp. 461–473. ACM (2017)
Google Scholar
Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8
Chapter Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 22–24 May 2005, pp. 84–93. ACM (2005)
Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34 (2009)
Article MathSciNet Google Scholar
Wichs, D., Zirdelis, G.: Obfuscating compute-and-compare programs under LWE. In: FOCS, pp. 600–611 (2017)
Google Scholar

Download references

Acknowledgments

Y.C. is supported by the NSF MACS project. Part of this work was done while visiting ENS. V.V. is supported in part by NSF Grants CNS-1350619 and CNS-1414119, Alfred P. Sloan Research Fellowship, Microsoft Faculty Fellowship, the NEC Corporation and a Steven and Renee Finn Career Development Chair from MIT. This work was also sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under contracts W911NF-15-C-0226 and W911NF-15-C-0236. H.W. is supported by ERC Project aSCEND (H2020 639554). Part of this work was done while visiting CQT.

Author information

Authors and Affiliations

Boston University, Boston, USA
Yilei Chen
MIT, Cambridge, USA
Vinod Vaikuntanathan
CNRS and ENS, PSL, Paris, France
Hoeteck Wee

Authors

Yilei Chen
View author publications
You can also search for this author in PubMed Google Scholar
Vinod Vaikuntanathan
View author publications
You can also search for this author in PubMed Google Scholar
Hoeteck Wee
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yilei Chen .

Editor information

Editors and Affiliations

The University of Texas at Austin, Austin, Texas, USA
Hovav Shacham
Georgia Institute of Technology, Atlanta, Georgia, USA
Alexandra Boldyreva

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Chen, Y., Vaikuntanathan, V., Wee, H. (2018). GGH15 Beyond Permutation Branching Programs: Proofs, Attacks, and Candidates. In: Shacham, H., Boldyreva, A. (eds) Advances in Cryptology – CRYPTO 2018. CRYPTO 2018. Lecture Notes in Computer Science(), vol 10992. Springer, Cham. https://doi.org/10.1007/978-3-319-96881-0_20

Download citation

DOI: https://doi.org/10.1007/978-3-319-96881-0_20
Published: 24 July 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-96880-3
Online ISBN: 978-3-319-96881-0
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

GGH15 Beyond Permutation Branching Programs: Proofs, Attacks, and Candidates

Abstract

Similar content being viewed by others

Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding

Matrix PRFs: Constructions, Attacks, and Applications to Obfuscation

Post-zeroizing Obfuscation: New Mathematical Tools, and the Case of Evasive Circuits

Keywords

1 Introduction

1.1 Our Results I: New Cryptographic Constructions from LWE

1.2 Our Results II: New Attacks on iO Candidates

1.3 Our Results III: New Candidates

1.4 Discussion and Open Problems

1.5 Reader’s Guide

2 Technical Overview

2.1 Generalized GGH15 Encodings

2.2 This Work: Semantic Security for Arbitrary Matrices

2.3 New Cryptographic Constructions from LWE

3 Preliminaries

Lemma 3.1

3.1 Lattices Background

Definition 3.2

Lemma 3.3

Lemma 3.4

Lemma 3.5

Lemma 3.6

Definition 3.7

Lemma 3.8

Lemma 3.9

Lemma 3.10

Lemma 3.11

Lemma 3.12

Lemma 3.13

Lemma 3.14

4 New Lemmas on Preimage Sampling

4.1 The Statistical Lemma

Lemma 4.1

Proof

Lemma 4.2

Proof

Lemma 4.3

Proof

4.2 The Computational Lemma

Lemma 4.4

Proof

5 Generalized GGH15 Encodings

5.1 The Construction Framework

Construction 5.1

Remark 5.2

Lemma 5.3

Proof

Remark 5.4

5.2 Security Notions

Definition 5.5

Remark 5.6

5.3 Semantic Security for \(\gamma _{\text {diag}}\)-GGH15 and \(\gamma _{\otimes \text {diag}}\)-GGH15 Encodings

Definition 5.7

Theorem 5.8

Remark 5.9

Corollary 5.10

5.4 Proof of the Main Theorem

Proof

Lemma 5.11

Proof

Lemma 5.12

Proof

Notes

References

Acknowledgments

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us