Self-Bilinear Map on Unknown Order Groups from Indistinguishability Obfuscation and Its Applications

Published in: Algorithmica

Abstract

A self-bilinear map is a bilinear map where the domain and target groups are identical. In this paper, we introduce a self-bilinear map with auxiliary information which is a weaker variant of a self-bilinear map, construct it based on indistinguishability obfuscation and prove that a useful hardness assumption holds with respect to our construction under the factoring assumption. From our construction, we obtain a multilinear map with interesting properties: the level of multilinearity is not bounded in the setup phase, and representations of group elements are compact, i.e., their size is independent of the level of multilinearity. This is the first construction of a multilinear map with these properties. Note, however, that to evaluate the multilinear map, auxiliary information is required. As applications of our multilinear map, we construct multiparty non-interactive key-exchange and distributed broadcast encryption schemes where the maximum number of users is not fixed in the setup phase. Besides direct applications of our self-bilinear map, we show that our technique can also be used for constructing somewhat homomorphic encryption based on indistinguishability obfuscation and the \(\varPhi \)-hiding assumption.


Notes

  1. Here, we consider only the case in which c is known. However, [14] proved that the CDH assumption does not hold even if c is unknown as long as G is a group of known prime order.

  2. In the definition of \(t_{y}\), whether \(+\) or − is used depends on y. See [47] for more details.

  3. Though we do not limit the definition to cyclic groups, in this paper, we only consider cyclic groups for simplicity.

  4. There is flexibility to define the canonical circuit. However, any definition works if the size of \(\tilde{C}_{N,x}\) is polynomially bounded in \(\lambda \) and |x|.

  5. We do not include the number of users in the input of \(\mathsf {Setup}\). This means that the maximum number of users is unbounded.

  6. This can be done since we have \(a\wedge b=a\cdot b \bmod e\) and \(a\vee b=a+b-a\cdot b \bmod e\) if \(a,b\in \{0,1\}\).

References

  1. Ananth, P.V., Gupta, D., Ishai, Y., Sahai, A.: Optimizing obfuscation: avoiding Barrington’s theorem. In: ACM SIGSAC 2014, pp. 646–658 (2014)

  2. Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: EUROCRYPT, pp. 221–238 (2014)

  3. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: CRYPTO, pp. 1–18 (2001)

  4. Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: ACM CCS’12, pp. 784–796 (2012)

  5. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, pp. 321–334 (2007)

  6. Blum, L., Blum, M., Shub, M.: A simple unpredictable pseudo-random number generator. SIAM J. Comput. 15(2), 364–383 (1986)

  7. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: EUROCRYPT, pp. 223–238 (2004)

  8. Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. In: CRYPTO, pp. 213–229 (2001)

  9. Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography. Contemp. Math. 324, 71–90 (2002)

  10. Boneh, D., Zhandry, M.: Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. In: CRYPTO (2014)

  11. Brakerski, Z., Rothblum, G.N.: Virtual black-box obfuscation for all circuits via generic graded encoding. In: TCC, pp. 1–25 (2014)

  12. Cheon, J.H., Fouque, P.-A., Lee, C., Minaud, B., Ryu, H.: Cryptanalysis of the new CLT multilinear map over the integers. In: EUROCRYPT 2016 Part I, pp. 509–536 (2016)

  13. Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: EUROCRYPT 2015 Part I, pp. 3–12 (2015)

  14. Cheon, J.H., Lee, D.H.: A note on self-bilinear maps. Bull. Korean Math. Soc. 46(2), 303–309 (2009)

  15. Coron, J.-S., Lee, M.S., Lepoint, T., Tibouchi, M.: Cryptanalysis of GGH15 multilinear maps. In: CRYPTO 2016 Part II, pp. 607–628 (2016)

  16. Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: CRYPTO (1), pp. 476–493 (2013)

  17. Coron, J.-S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. In: CRYPTO 2015 Part I, pp. 267–286 (2015)

  18. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)

  19. Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: EUROCRYPT, pp. 1–17 (2013)

  20. Garg, S., Gentry, C., Halevi, S., Raykova, M.: Two-round secure MPC from indistinguishability obfuscation. In: TCC, pp. 74–94 (2014)

  21. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49 (2013)

  22. Garg, S., Gentry, C., Halevi, S., Sahai, A., Waters, B.: Attribute-based encryption for circuits from multilinear maps. In: CRYPTO (2), pp. 479–499 (2013)

  23. Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: STOC, pp. 467–476 (2013)

  24. Garg, S., Miles, E., Mukherjee, P., Sahai, A., Srinivasan, A., Zhandry, M.: Secure obfuscation in a weak multilinear map model. Cryptology ePrint Archive, Report 2016/817. http://eprint.iacr.org/2016/817 (2016)

  25. Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: TCC 2015 Part II, pp. 498–527 (2015)

  26. Gentry, C., Lewko, A.B., Sahai, A., Waters, B.: Indistinguishability obfuscation from the multilinear subgroup elimination assumption. In: FOCS 2015, pp. 151–170 (2015)

  27. Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: STOC, pp. 25–32 (1989)

  28. Goldwasser, S., Gordon, S.D., Goyal, V., Jain, A., Katz, J., Liu, F.-H., Sahai, A., Shi, E., Zhou, H.-S.: Multi-input functional encryption. In: EUROCRYPT (2014)

  29. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: STOC, pp. 545–554 (2013)

  30. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98 (2006)

  31. Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: EUROCRYPT, pp. 339–358 (2006)

  32. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: EUROCRYPT, pp. 415–432 (2008)

  33. Hofheinz, D.: Fully secure constrained pseudorandom functions using random oracles. Cryptology ePrint Archive, Report 2014/372. http://eprint.iacr.org/ (2014)

  34. Hofheinz, D., Kiltz, E.: The group of signed quadratic residues and applications. In: CRYPTO, pp. 637–653 (2009)

  35. Hohenberger, S., Sahai, A., Waters, B.: Replacing a random oracle: full domain hash from indistinguishability obfuscation. In: EUROCRYPT (2014)

  36. Hu, Y., Jia, H.: Cryptanalysis of GGH map. In: EUROCRYPT 2016 Part I, pp. 537–565 (2016)

  37. Joux, A.: A one round protocol for tripartite Diffie–Hellman. In: ANTS, pp. 385–394 (2000)

  38. Khurana, D., Rao, V., Sahai, A.: Multi-party key exchange for unbounded parties from indistinguishability obfuscation. In: ASIACRYPT 2015 I, pp. 52–75 (2015)

  39. Kiltz, E., O’Neill, A., Smith, A.: Instantiability of RSA-OAEP under chosen-plaintext attack. In: CRYPTO, pp. 295–313 (2010)

  40. Mei, Q., Li, B., Lu, X., Jia, D.: Chosen ciphertext secure encryption under factoring assumption revisited. In: Public Key Cryptography, pp. 210–227 (2011)

  41. Menezes, A., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39(5), 1639–1646 (1993)

  42. Pandey, O., Prabhakaran, M., Sahai, A.: Obfuscation-based non-black-box simulation and four message concurrent zero knowledge for NP. In: TCC 2015 Part II, pp. 638–667 (2015)

  43. Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation from semantically-secure multilinear encodings. In: CRYPTO 2014 Part I, pp. 500–517 (2014)

  44. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: EUROCRYPT, pp. 457–473 (2005)

  45. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: STOC (2014)

  46. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing (in Japanese). In: SCIS (2000)

  47. Seurin, Y.: New constructions and applications of trapdoor DDH groups. In: Public Key Cryptography, pp. 443–460 (2013)

  48. Waters, B.: Efficient identity-based encryption without random oracles. In: EUROCRYPT, pp. 114–127 (2005)

Acknowledgements

We would like to thank the anonymous reviewers of CRYPTO 2014 and Algorithmica. We thank members of the study group “Shin-Akarui-Angou-Benkyou-Kai” for their helpful comments. Especially, we would like to thank Satsuya Ohata for his instructive comment on self-bilinear maps, and Takahiro Matsuda and Jacob Schuldt for their detailed proofreading. We also thank Kenny Paterson for his valuable comments. The second author was supported by a JSPS Fellowship for Young Scientists during this work.

Author information

Corresponding author

Correspondence to Takashi Yamakawa.

Additional information

An extended abstract of this paper appears in the proceedings of CRYPTO 2014. The first author is supported by a JSPS Fellowship for Young Scientists.

Appendix: Multi-bit Variant

In the construction of a self-bilinear map with auxiliary information given in Sect. 4, we can obtain only a 1-bit hardcore function for the MHDH assumption. Here, we modify the construction so that we can obtain a k-bit hardcore function for any integer k (polynomially bounded in \(\lambda \)). The idea of our multi-bit variant is similar to that of the Blum–Blum–Shub pseudorandom number generator [6].

1.1 Construction

The construction of our multi-bit variant \(\mathcal {SBP}_{\mathsf {Mult}}\) is as follows.

  • \(\mathsf {InstGen}(1^{\lambda })\rightarrow {\mathsf {params}}=(N,g)\) : It runs \(\mathsf {RSAGen}(1^{\lambda })\) to obtain (N, P, Q), chooses and outputs \(\mathsf {params}:=(N,g)\). \({\mathsf {params}}\) defines the underlying group \(G:={\mathbb {QR}}_N^+\), the self-bilinear map as \(e(g^{x},g^{y})=g^{2^{k}xy}\) and \(\mathrm{Approx}(G)=(N-1)/4\). For an integer x and \(\ell \in \mathbb {N}\), a set \(T_{x}^{\ell }\) is defined as \(T_{x}^{\ell }=\{i{\mathcal {O}}(M_\ell , C_{N,2^{k}x};r): C_{N,2^{k}x}\in \mathcal {C}_{N,2^{k}x} \text{ such } \text{ that } |C_{N,2^{k}x}|\le M_\ell , r\in \{0,1\}^*\}\), where \(M_\ell \) is defined later.

  • \(\mathsf {AIGen}({\mathsf {params}}, \ell ,x)\rightarrow \tau _{x}\) : It takes the canonical circuit \(\tilde{C}_{N,2^{k}x}\in \mathcal {C}_{N,2^{k}x}\), sets \(\tau _{x}\leftarrow i{\mathcal {O}}(M_\ell ,\tilde{C}_{N,2^{k}x})\) and outputs \(\tau _{x}\).

  • \(\mathsf {Map}({\mathsf {params}},g^{x},\tau _{y})\rightarrow e(g^{x},g^{y})\) : It computes \(\tau _y(g^{x})\) and outputs it. (Recall that \(\tau _y\) is a circuit that computes the \(2^{k}y\)-th power for an element of \({\mathbb {QR}}_N^+\).)

  • \(\mathsf {AIMult}({\mathsf {params}}, \ell , \tau _{x}, \tau _{y})\rightarrow \tau _{x+y}\) : It computes \(\tau _{x+y}\leftarrow i{\mathcal {O}}(M_{\ell },\mathsf {Mult}(\tau _x,\tau _y))\) and outputs it.

Definition of \(M_\ell \). \(M_\ell \) represents an upper bound on the size of a circuit which is obfuscated by \(i{\mathcal {O}}\) when auxiliary information with level \(\ell \) is generated (by \(\mathsf {AIGen}\) or \(\mathsf {AIMult}\)). It can be defined recursively as follows. We let \(M_1:= \max _{x\in [(N-1)/4]}\{|\tilde{C}_{N,2^{k}x}|\}\) and \(M_{\ell +1}:=2\mathsf {poly}(M_{\ell },\lambda )+|C_{\mathsf {Mult}}|\) for \(\ell \ge 1\), where \(\mathsf {poly}\) is a polynomial that satisfies \(|i{\mathcal {O}}(M,C)|<\mathsf {poly}(M,\lambda )\) for any integer M and circuit C such that \(|C|<M\).

Indistinguishability of auxiliary information. If we have \(z\equiv x+y \bmod \mathrm{ord}({\mathbb {QR}}_N^+)\), then \(C_{N,2^{k}z}\) and \(\mathsf {Mult}(\tau _{x},\tau _{y})\) have exactly the same functionality. Therefore, if we obfuscate these circuits by \(i{\mathcal {O}}\), the resulting circuits are computationally indistinguishable.

Indistinguishability of auxiliary information easily follows from the security of the indistinguishability obfuscator since \(\tau _{x}\in \cup _{\ell \in \mathbb {N}}T_{x}^{\ell }\) is an obfuscation of a circuit that computes the 2x-th power for an element of \({\mathbb {QR}}_N^+\) regardless of whether \(\tau _x\) is generated by \(\mathsf {AIGen}\) or \(\mathsf {AIMult}\).
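The following is an added, functionality-only model of \(\mathcal {SBP}_{\mathsf {Mult}}\); it is not code from the paper. The indistinguishability obfuscator is replaced by the identity (the "circuits" are plain Python closures, so the exponents they hold are readable and nothing is hidden), which is enough to check the algebra the construction relies on: \(e(g^{x},g^{y})=\tau _y(g^{x})=g^{2^{k}xy}\), that \(\mathsf {Mult}(\tau _x,\tau _y)\) has the functionality of \(C_{N,2^{k}(x+y)}\) modulo \(\mathrm{ord}({\mathbb {QR}}_N^+)\), and that an arbitrary number of parties can reach the same \(g^{2^{kn}\prod _j x_j}\) while every group element stays a single integer below N/2. The Blum primes, the seeds and the function names (`abs_mod`, `ai_gen`, `self_map`, `ai_mult`, `shared_key`) are constructed for this illustration.

```python
import math
import random

# Constructed toy parameters: Blum primes P, Q (both congruent to 3 mod 4). A real
# instance uses 1024-bit or larger primes; these are only big enough to exercise the algebra.
P, Q = 1019, 1031
N = P * Q
K = 4                              # k in the paper: e(g^x, g^y) = g^{2^k x y}
ORDER = (P - 1) * (Q - 1) // 4     # ord(QR_N^+); hidden from every party in the real scheme

def abs_mod(x):
    """Representative |x mod N| of x in the signed quadratic residue group QR_N^+,
    an integer in {1, ..., (N-1)/2}."""
    x %= N
    return x if x <= (N - 1) // 2 else N - x

def gmul(a, b):
    return abs_mod(a * b)

def gpow(a, e):
    return abs_mod(pow(a, e, N))

def inst_gen(seed=0):
    """InstGen: output params = (N, g) with g = |h^2 mod N| for a random h in Z_N^*."""
    rng = random.Random(seed)
    while True:
        h = rng.randrange(2, N)
        if math.gcd(h, N) == 1:
            return (N, abs_mod(h * h))

def ai_gen(params, x):
    """AIGen with iO replaced by the identity: tau_x is the canonical circuit C_{N,2^k x},
    the (2^k x)-th power map on QR_N^+. In the paper this closure is an iO-obfuscated
    circuit, which is what hides x; here x is plainly readable from the closure."""
    return lambda h: gpow(h, (2 ** K) * x)

def self_map(params, gx, tau_y):
    """Map: e(g^x, g^y) = tau_y(g^x) = g^{2^k x y}, computed without knowing y."""
    return tau_y(gx)

def ai_mult(params, tau_x, tau_y):
    """AIMult: Mult(tau_x, tau_y) maps h to tau_x(h) * tau_y(h) = h^{2^k (x+y)}, so it
    has exactly the functionality of C_{N,2^k z} for z = x + y mod ord(QR_N^+)."""
    return lambda h: gmul(tau_x(h), tau_y(h))

def shared_key(params, own_x, others_tau):
    """Multiparty non-interactive key: start from g^own_x and apply the other n parties'
    auxiliary information in any order. Each application multiplies the exponent by
    2^k x_j, so every party ends at g^{2^{k n} prod_j x_j}; the element stays one
    integer below N/2 no matter how many parties (levels) are involved."""
    _, g = params
    elem = gpow(g, own_x)
    for tau in others_tau:
        elem = self_map(params, elem, tau)
    return elem

def demo(n_parties=4):
    """Every party derives the same key from its own x_j and the others' tau_j."""
    params = inst_gen(seed=7)
    _, g = params
    rng = random.Random(11)
    xs = [rng.randrange(1, (N - 1) // 4) for _ in range(n_parties)]   # x_j in [(N-1)/4]
    taus = [ai_gen(params, x) for x in xs]
    keys = [shared_key(params, xs[i], [t for j, t in enumerate(taus) if j != i])
            for i in range(n_parties)]
    expected = gpow(g, (2 ** (K * (n_parties - 1))) * math.prod(xs))
    return keys, expected
```

`demo(8)` runs the same derivation for eight parties without any change to `inst_gen`, which is the "number of users not fixed at setup" property; what this model cannot show is the security of the real scheme, since a closure exposes its exponent where an obfuscated circuit must not.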

We also define the BBS generator which we will use as a hardcore function.

Definition 9

For \(\ell _N\)-bit Blum integer N, \(g\in {\mathbb {QR}}_N^+\) and \(r\in \{0,1\}^{\ell _N}\), we define the BBS generator as

$$\begin{aligned} BBS_r(g):=(\mathsf {GL}_r(g),\ldots ,\mathsf {GL}_r(g^{k-1})) \end{aligned}$$

where \(\mathsf {GL}\) denotes the Goldreich–Levin hardcore bit function [27]. That is, \(\mathsf {GL}_r(x):=\bigoplus _{i=1}^{\ell _N}r_ix_i\), where \(r_i\) and \(x_i\) are the i-th bits of r and of x, the latter represented as an integer in \(\{1,\ldots ,(N-1)/2\}\). We write \(\mathcal {BBS}\) to denote the family of functions \(\{BBS_{r}\}_{r\in \{0,1\}^{\ell _N}}\).

1.2 Hardness Assumption

The following hardness assumption holds with respect to our construction.

Theorem 6

The MHDH assumption holds with respect to \(\mathcal {SBP}_{\mathsf {Mult}}\) and \(\mathcal {BBS}\) if the factoring assumption holds for \(\mathsf {RSAGen}\) and \(i{\mathcal {O}}\) is an indistinguishability obfuscator for P/poly.

Proof

For an algorithm \({\mathcal {A}}\), we consider the following games.

\(\mathsf {Game}\) 1:

This game is the original n-MHDH game. More precisely, it is as follows.

\(\mathsf {Game}\) \(1'\):

This game is the same as \(\mathsf {Game}\) 1 except that \(x_0,\ldots ,x_n\) are chosen from \([\mathrm{ord}({\mathbb {QR}}_N^+)]\).

\(\mathsf {Game}\) \(2'\):

This game is the same as \(\mathsf {Game}\) 1 except that g, \(x_0,\ldots , x_n\), \(\tau _{x_0},\ldots ,\tau _{x_n}\) are set differently. More precisely, it is as follows.

\(\mathsf {Game}\) 2:

This game is the same as \(\mathsf {Game}\) \(2'\) except that \(x'_0,\ldots ,x'_n\) are chosen from \([(N-1)/4]\).

\(\mathsf {Game}\) 3:

This game is the same as \(\mathsf {Game}\) 2 except that T is set as a random k-bit string.

Let \(T_{i}\) be the event that \({\mathcal {A}}\) outputs 1 in \(\mathsf {Game}\) i and \(T'_{i}\) be the event that \({\mathcal {A}}\) outputs 1 in \(\mathsf {Game}\) \(i'\). What we want to prove is that \(|\Pr [T_1]-\Pr [T_3]|\) is negligible. We prove this by the following lemmas. \(\square \)

Lemma 8

\(|\Pr [T_i]-\Pr [T'_i]|\) is negligible for \(i=1,2\).

Proof

This follows since \((N-1)/4\) is negligibly close to \(\mathrm{ord}({\mathbb {QR}}_N^+)\). \(\square \)

Lemma 9

\(|\Pr [T'_1]-\Pr [T'_2]|\) is negligible if \(i{\mathcal {O}}\) is an indistinguishability obfuscator for P/poly.

Proof

We define hybrid games \(H_{1,0},\ldots ,H_{1,n+1}\). A hybrid game \(H_{1,i}\) is the same as \(\mathsf {Game}\) \(1'\) except that the first i pieces of auxiliary information (i.e., \(\tau _{x_0},\tau _{x_1},\ldots ,\tau _{x_{i-1}}\)) are generated as in \(\mathsf {Game}\) \(2'\). It is clear that \(H_{1,0}\) is \(\mathsf {Game}\) \(1'\) and \(H_{1,n+1}\) is \(\mathsf {Game}\) \(2'\). Let \(T_{1,i}\) be the event that \({\mathcal {A}}\) outputs 1 in the hybrid \(H_{1,i}\). Since we have \(x_i\equiv x'_i+1/2^{k} \bmod \mathrm{ord}({\mathbb {QR}}_N^+)\), \(C_{N,2^{k}x'_i+1}\) computes exactly the same function as \(C_{N,2^{k}x_i}\) on any input, for \(i=0,\ldots ,n\). (Recall that these circuits compute the exponentiation only for an element of \({\mathbb {QR}}_N^+\).) Then we can see that \(|\Pr [T_{1,i}]-\Pr [T_{1,i-1}]|\) is negligible for \(i\in [n+1]\) from the security of \(i{\mathcal {O}}\). (Note that the reduction algorithm here may know the factorization of N.) \(\square \)

Lemma 10

\(|\Pr [T_2]-\Pr [T_3]|\) is negligible if the factoring assumption holds for \(\mathsf {RSAGen}\) and \(i{\mathcal {O}}\) is an indistinguishability obfuscator for P/poly.

Proof

We define hybrid games \(H_{2,0},\ldots ,H_{2,k}\). For \(i=0,1,\ldots ,k\), a hybrid game \(H_{2,i}\) is the same as \(\mathsf {Game}\) 2 except that the first i bits of T are set as in \(\mathsf {Game}\) 2 and the other bits are set as in \(\mathsf {Game}\) 3, i.e., \(T:=U_1||\ldots ||U_i||\mathsf {GL}_{r}(g^{2^{k(n-1)+i}\varPi _{j=0}^{n}x_j})||\ldots ||\mathsf {GL}_{r}(g^{2^{kn-1}\varPi _{j=0}^{n}x_j})\), where . It is clear that \(H_{2,0}\) is the same as \(\mathsf {Game}\) 2 and \(H_{2,k}\) is the same as \(\mathsf {Game}\) 3. Let \(T_{2,i}\) be the event that \({\mathcal {A}}\) outputs 1 in the hybrid \(H_{2,i}\). We prove that \(|\Pr [T_{2,i-1}]-\Pr [T_{2,i}]|\) is negligible for all \(i\in [k]\). To do so, we assume that there exists an algorithm \({\mathcal {A}}\) that distinguishes \(H_{2,i}\) and \(H_{2,i-1}\), and construct a factoring algorithm by using \({\mathcal {A}}\). Without loss of generality, we can assume that there exists a non-negligible function \(\epsilon \) such that \(\Pr [T_{2,i-1}]-\Pr [T_{2,i}]>\epsilon \). This is because, given \({\mathcal {A}}\), the sign of \(\Pr [T_{2,i-1}]-\Pr [T_{2,i}]\) can be checked efficiently, and if \(\Pr [T_{2,i-1}]-\Pr [T_{2,i}]<0\) then we can modify \({\mathcal {A}}\) to output the inverse of its original output so that \(\Pr [T_{2,i-1}]-\Pr [T_{2,i}]>0\). In the following, we use an argument similar to that in [40]. Specifically, we first construct a “reconstruction algorithm” based on the Goldreich–Levin theorem [27], and then construct a factoring algorithm. In the following, we write \(X_i\) to denote \(g^{2^{k(n-1)+i}\varPi _{j=0}^{n}x_j}\) and Y to denote \((N,g, g^{x_0},\ldots ,g^{x_n},\tau , \tau _{x_0}\ldots ,\tau _{x_n},X_i)\) for notational simplicity.

Hardcore distinguisher. We construct an algorithm \({\mathcal {D}}\) that distinguishes \(\mathsf {GL}_{r}(X_{i-1})\) from a uniformly random bit with non-negligible advantage when it is given \((r,N,g, g^{x_0},\ldots ,g^{x_n},\tau _{x_0}\ldots ,\tau _{x_n},X_i)\), where r, N, g, \(x_0,\ldots ,x_n\) and \(\tau _{x_0}\ldots ,\tau _{x_n}\) are generated as in \(\mathsf {Game}\) 2. The construction of \({\mathcal {D}}\) is as follows.

\({\mathcal {D}}(r,Y,B)\):

\({\mathcal {D}}\) picks , sets \(T:=U_1||\ldots ||U_{i-1}||B||\mathsf {GL}_{r}(X_i)||\ldots ||\mathsf {GL}_r(X_{k-1})\) and runs \({\mathcal {A}}(N,g, g^{x_0},\ldots ,g^{x_n},\tau _{x_0}\ldots ,\tau _{x_n},r,T)\). We note that \({\mathcal {D}}\) can generate \(\mathsf {GL}_r(X_i),\ldots ,\mathsf {GL}_r(X_{k-1})\) since it knows \(X_i\). If \({\mathcal {A}}\) outputs b, then \({\mathcal {D}}\) also outputs b.

If \(B=\mathsf {GL}_{r}(X_{i-1})\), then \({\mathcal {D}}\) simulates \(H_{2,i-1}\) exactly, and if B is a random bit, then \({\mathcal {D}}\) simulates \(H_{2,i}\) in the view of \({\mathcal {A}}\). Therefore we have

By the averaging argument, for at least an \(\epsilon /2\) fraction of the choices of Y, we have

Here we note that \(\epsilon /2\) is non-negligible since we assumed that \(\epsilon \) is non-negligible.

Reconstruction algorithm. Next, we construct a reconstruction algorithm \(\mathcal {R}\) that computes \(X_{i-1}\) with non-negligible probability when it is given Y, for a non-negligible fraction of its inputs. This can be constructed based on the Goldreich–Levin theorem. \(\square \)

Theorem 7

(Goldreich–Levin Theorem [27]) Let X be any n-bit string. If there exists a PPT algorithm \({\mathcal {D}}'\) such that

$$\begin{aligned} |\Pr [1\leftarrow {\mathcal {D}}'(r,\mathsf {GL}_r(X))]-\Pr [1\leftarrow {\mathcal {D}}'(r,U)]| \end{aligned}$$

is non-negligible where and , then there exists a PPT algorithm \(\mathcal {R'}\) such that

$$\begin{aligned} \Pr [X\leftarrow \mathcal {R'}(1^{n})] \end{aligned}$$

is non-negligible.

As seen above, there exists \({\mathcal {D}}\) which distinguishes \(\mathsf {GL}_r(X)\) for \(X:=X_{i-1}\) from a random bit when it is given Y, for a non-negligible fraction of the choices of Y. Here, we remark that X is completely determined by Y. For any Y, we consider an algorithm \({\mathcal {D}}_{Y}\), which is given (r, B) and runs \({\mathcal {D}}(r,Y,B)\). For a non-negligible fraction of the choices of Y, \(|\Pr [1\leftarrow {\mathcal {D}}_Y(r,\mathsf {GL}_r(X))]-\Pr [1\leftarrow {\mathcal {D}}_Y(r,U)]|\) is non-negligible. Therefore, by the above theorem, for such Y there exists \(\mathcal {R}_{Y}\) which computes X with non-negligible probability. Therefore we can construct \(\mathcal {R}\) which, given Y, outputs X with non-negligible probability: it simply runs \(\mathcal {R}_{Y}\) to get X for input Y.

Factoring algorithm. We construct an algorithm \({\mathcal {B}}\) that, given an RSA modulus N, factors N. The construction of \({\mathcal {B}}\) is as follows.

\({\mathcal {B}}(N)\):

\({\mathcal {B}}\) chooses sets \(h:=|h'^{2} \mod N|\in {\mathbb {QR}}_N^+\), \(g:=h^{2^{k}}\), chooses , sets \(g^{x_0}:=g^{x'_0}h^{2^{k-i}}\), \(\tau _{x_0}\leftarrow i{\mathcal {O}}(M'_1,C_{N,2^{k}x'_0+2^{k-i}})\), \(g^{x_i}:=g^{x'_i}h\), \(\tau _{x_i}\leftarrow i{\mathcal {O}}(M'_1,C_{N,2^{k}x'_i+1})\) for \(i\in [n]\). Then \({\mathcal {B}}\) can compute \(g^{2^{k(n-1)+i}\varPi _{j=0}^{n}x_j}=h^{2^{kn+i}\varPi _{j=0}^{n}x_j}=h^{(2^{i}x'_0+1)\varPi _{j=1}^{n}(2^{k}x'_j+1)}\). \({\mathcal {B}}\) sets \(Y:=(N,g, g^{x_0},\ldots ,g^{x_n},\tau _{x_0},\ldots ,\tau _{x_n},g^{2^{k(n-1)+i}\varPi _{j=0}^{n}x_j})\) and runs \(\mathcal {R}(Y)\). Let U be the output of \(\mathcal {R}\). Then \({\mathcal {B}}\) computes \(X:=\varPi _{j=1}^{n}(2^{k}x'_j+1)\) and computes \(V=Uh^{-(2^{i-1}x'_0X+(X-1)/2)}\). (Note that X is odd and therefore \((X-1)/2\) is an integer.) Then it outputs \(\gcd (h',V)\).

First, we consider the distribution of the input to \(\mathcal {R}\). Clearly, all components except \(g^{x_0}\) and \(\tau _{x_0}\) are distributed as in \(\mathsf {Game}\) 2. In the above algorithm, \(g^{x_0}\) is distributed almost uniformly on \({\mathbb {QR}}_N^+\), as in \(\mathsf {Game}\) 2, and therefore this difference causes only a negligible difference in the behavior of \(\mathcal {R}\). \(\tau _{x_0}\) is set as an obfuscation of a circuit that computes the \(2^{k}x_0\)-th power both in the above algorithm and in \(\mathsf {Game}\) 2, and this causes only a negligible difference by the property of indistinguishability obfuscation. Therefore \(\mathcal {R}\) outputs \(g^{2^{k(n-1)+i-1}\varPi _{j=0}^{n}x_j}\) with non-negligible probability for a non-negligible fraction of its inputs. In this case, we have

$$\begin{aligned} U= & {} g^{2^{k(n-1)+i-1}\varPi _{j=0}^{n}x_j}\\= & {} h^{2^{kn+i-1}(x'_0+1/2^{i})\varPi _{j=1}^{n}(x'_j+1/2^{k})}\\= & {} h^{(2^{i-1}x'_0+1/2)\varPi _{j=1}^{n}(2^{k}x'_j+1)}\\= & {} h^{2^{i-1}x'_0X+(X-1)/2+1/2}. \end{aligned}$$

Therefore we have \(V=h^{1/2}\). Thus \(h'\) and V are distinct square roots of h in \({\mathbb {Z}}_N^*\) and therefore \(\gcd (h',V)\) is a non-trivial factor of N. \(\square \)
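The following is an added example, not the paper's code, covering the two concrete pieces of the appendix that can be executed without an obfuscator: the hardcore function of Definition 9 (the Goldreich–Levin bit \(\mathsf {GL}_r\) over the \({\mathbb {QR}}_N^+\) representative, and k such bits taken over successive squarings, which is the shape \(T\) takes in the proof of Lemma 10) and the last step of algorithm \({\mathcal {B}}\), where a second square root \(V\) of \(h=|h'^2 \bmod N|\) splits N. The reconstruction algorithm \(\mathcal {R}\) cannot be run here because it needs an MHDH distinguisher, so `principal_sqrt` stands in for it by computing \(h^{1/2}\) with the factorization; the factor is then recovered as \(\gcd (h'-V,N)\), the standard way of using two square roots that differ by more than a sign. The Blum primes, the seed and the names `abs_mod`, `gl_bit`, `bbs`, `principal_sqrt`, `factor_from_roots` and `demo_factoring` are constructed for this illustration.

```python
import math
import random

# Constructed toy Blum integer (both primes 3 mod 4); a real N would be 2048 bits or more.
P, Q = 1019, 1031
N = P * Q
K = 4                        # k: number of hardcore bits

def abs_mod(x):
    """|x mod N|: the representative of x in QR_N^+, an integer in {1, ..., (N-1)/2}."""
    x %= N
    return x if x <= (N - 1) // 2 else N - x

def gpow(a, e):
    return abs_mod(pow(a, e, N))

def gl_bit(r, x):
    """Goldreich-Levin bit GL_r(x) = XOR_i r_i x_i: parity of the bitwise AND of the
    ell_N-bit seed r and the integer x (x given as its QR_N^+ representative)."""
    return bin(r & x).count("1") & 1

def bbs(r, z):
    """k hardcore bits in the form used in the proof of Lemma 10: bit i is GL_r of the
    i-th successive square z^{2^i} of the group element z."""
    return tuple(gl_bit(r, gpow(z, 2 ** i)) for i in range(K))

def principal_sqrt(h):
    """The unique square root of h inside QR_N^+ (squaring permutes QR_N^+ for a Blum
    integer). Computed here with P and Q via CRT as a stand-in for the value V that the
    reconstruction algorithm R delivers in the proof without knowing the factorization."""
    a = h if pow(h, (P - 1) // 2, P) == 1 else N - h    # exactly one of h, -h is a QR mod N
    rp = pow(a, (P + 1) // 4, P)        # square root of a QR mod p when p = 3 mod 4
    rq = pow(a, (Q + 1) // 4, Q)
    r = (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N   # CRT recombination
    return abs_mod(r)

def factor_from_roots(h_prime, v):
    """Final step of algorithm B: two square roots h', V of the same h with V not
    congruent to +/-h' give the non-trivial factor gcd(h' - V, N). Returns None when the
    roots coincide up to sign (the gcd is then 1 or N)."""
    assert abs_mod(h_prime * h_prime) == abs_mod(v * v)
    f = math.gcd(h_prime - v, N)
    return f if 1 < f < N else None

def demo_factoring(seed=0):
    """Draw h' uniformly from Z_N^*, set h := |h'^2 mod N| as B does, obtain V = h^{1/2}
    and try to split N. With probability 1/2 the principal root is +/-h' itself and the
    gcd is trivial, so the loop retries with a fresh h'. Returns (factor, attempts)."""
    rng = random.Random(seed)
    attempts = 0
    while True:
        attempts += 1
        h_prime = rng.randrange(2, N)
        if math.gcd(h_prime, N) != 1:
            continue
        h = abs_mod(h_prime * h_prime)
        v = principal_sqrt(h)
        f = factor_from_roots(h_prime, v)
        if f is not None:
            return f, attempts
```

The `attempts` counter makes the success probability of the gcd step visible: a random \(h'\) lies in \(\pm {\mathbb {QR}}_N\) half the time, and then \(V\equiv \pm h'\) and nothing is learned, which is why reductions of this type are stated with a non-negligible rather than overwhelming success probability.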

Theorem 6 is proven by the above lemmas. \(\square \)

Cite this article

Yamakawa, T., Yamada, S., Hanaoka, G. et al. Self-Bilinear Map on Unknown Order Groups from Indistinguishability Obfuscation and Its Applications. Algorithmica 79, 1286–1317 (2017). https://doi.org/10.1007/s00453-016-0250-8
