Cryptanalysis of multilinear maps from ideal lattices: revisited

Abstract

Multilinear map is a central primitive in cryptography and Garg, Gentry and Halevi proposed the first approximate multilinear maps over ideal lattices (GGH13 map) at EUROCRYPT 2013. Ever since then, multilinear maps has caused the extensive concern and has found too numerous applications to name. Very recently, Hu and Jia put forward an efficient attack on the multipartite key exchange and witness encryption based on GGH13 map. In this paper, we describe another efficient cryptanalysis of GGH13 map, an augmented version of Hu and Jia’s attack on it. More specifically, we improve their attacking tools and propose a “downgrading” method, which enable us to get a low level encoding from a higher level encoding. As a result, we can break the multilinear computational Diffie–Hellman assumption in the GGH13 setting with great ease while Hu and Jia only dealt with the decisional version. Furthermore, by applying our augmented cryptanalysis straightforwardly, we break two schemes from GGH13 map published at CRYPTO 2013: attribute-based encryption for general circuits and identity-based aggregate signatures.

Appendices

Appendix 1: ABE for general circuits from GGH map [10]

1.1 Circuit notation

The authors restrict their consideration to certain classes of boolean circuits. First, their circuits will have a single output gate. Next, they consider layered circuits. In a layered circuit a gate at depth j will receive both of its inputs from wires at depth \(j-1\). Finally, they restrict themselves to monotonic circuits where gates are either AND or OR gates of two inputs, due to the folklore transformation that uses De Morgan’s rule to transform any general boolean circuit into an equivalent monotone boolean circuit, with negation gates only allowed at the inputs.

Their circuit is a five-tuple \(f=(n,q,\texttt {A}, \texttt {B},\texttt {GateType})\). Let n be the number of inputs and q be the number of gates. Define Inputs=\(\{1,\ldots ,n\}\) (shorthand as [n]), Wire=\(\{1,\ldots ,n+q\}\), and Gates=\(\{n+1,\ldots ,n+q\}\). The wire \(n+q\) is the designated output wire. A: Gates \(\rightarrow \) Wires/outputwire is a function where \(\texttt {A}(w)\) identifies w’s first incoming wire, and \(\texttt {B}(w)\) means w’s seconding incoming wire. Finally, GateType: Gates \(\rightarrow \) AND,OR is a function that identifies a gate as either an AND or OR gate.

It is required that \(w>\texttt {A}(w)>\texttt {B}(w)\). Define also a function depth(w) where if \(w\in \texttt {Inputs}\) then \(\texttt {depth}(w)=1\) and in general \(\texttt {depth}(w)\) of wire w is equal to the shortest path to an input wire plus 1. Since the circuit is layered it is required for all \(w\in \texttt {Gates}\) that if \(\texttt {depth}(w)=j\) then \(\texttt {depth}(A(w))=\texttt {depth}(B(w))=j-1\). Moreover, let f(x) be the evaluation of the circuit for input \(x\in \{0,1\}^{n}\) and \(f_{w}(x)\) the value of wire of the circuit on input x.

1.2 Definitions for ABE for circuits

Setup \((1^{\lambda },n,l)\) The setup algorithm takes as input the security parameter, the length n of input descriptors from the ciphertext and a bound l on the circuit depth. It outputs the public parameters PP and a master key MSK.

Encrypt \((PP,x\in \{0,1\}^{n},M)\) The encryption algorithm takes as input the public parameters PP, a bit string \(x\in \{0,1\}^{n}\) representing the assignment of boolean variables, and a message M. It outputs a ciphertext CT.

KeyGen \((MSK,f=(n,q,\texttt {A}, \texttt {B},\texttt {GateType}))\) The key generation algorithm takes as input the master key MSK and a description of a circuit f,where the depth of f is at most l. The algorithm outputs a private key SK.

Decrypt(SK, CT) The decryption algorithm takes as input a secret key SK and ciphertext CT. The algorithm attempts to decrypt and outputs a message M if successful; otherwise, it outputs a special symbol \(\bot \).

Correctness Consider all messages M, strings \(x\in \{0,1\}^{n}\), and depth l circuits f where \(f(x)=1\). If Encrypt \((\hbox {PP},x,M)\rightarrow CT\) and KeyGen \((MSK,f)\rightarrow SK\) where PP, MSK were generated from a call to the setup algorithm, then Decrypt \((SK,CT)=M\).

Security Model for ABE for Circuits Here briefly describe the security model of selective security for ABE for general circuits. For a formal treatment, please refer to [10]. The selective security definition requires that the attacker first specifies the string \(x^{*}\) and later queries on multiple secret keys, but not ones that can trivially be used to decrypt a ciphertext encrypted under \(x^{*}\). In particular the adversary can ask secret keys corresponding to any circuit f of his choice, such that \(f(x^{*})=0\). The goal of the adversary is then to break semantic security of a challenge ciphertext encrypted under the string \(x^{*}\).

1.3 ABE construction in the GGH framework

Setup \((1^{\lambda },n,l)\) The setup algorithm takes as input a security parameter \(\lambda \), the maximum depth l of a circuit and the number of boolean inputs n.

It then runs (params,\(\mathbf{p }_{zt})\leftarrow \) InstGen(\(1^{\lambda },1^{\kappa =l+1}\)). Next, it samples \(\alpha ,{\widehat{h}}_{1},\ldots ,{\widehat{h}}_{n}\leftarrow \) samp(params). Then the public parameters \(PP=(\texttt {params},\mathbf{p }_{zt},H=\texttt {cenc}_{2}(\kappa ,\alpha ),h_{1}=\texttt {cenc}_{2}(1,{\widehat{h}}_{1}),\ldots ,h_{n}=\texttt {cenc}_{2}(1,{\widehat{h}}_{n}))\), and the master secret key \(MSK=\alpha \).

Encrypt \((PP,x\in \{0,1\}^{n},M\in \{0,1\})\) The encryption algorithm takes as input the public parameters PP, an descriptor input \(x\in \{0,1\}^{n}\) representing the assignment of boolean variables, and a message bit M.

Then choose a random \(s \leftarrow \) samp(params). If \(M=0\) it sets \(C_{M}\) to be a random value:

$$\begin{aligned} C_{M}=\texttt {cenc}_{3}(\kappa ,\texttt {samp}(\texttt {params})) \end{aligned}$$

otherwise it lets

$$\begin{aligned} C_{M}=\texttt {cenc}_{3}(\kappa ,H\cdot s). \end{aligned}$$

Next, let S be the set of i such that \(x_{i}=1\). Then the ciphertext is created as

$$\begin{aligned} CT=(C_{M},{\widetilde{s}}=\texttt {cenc}_{1}(1,s),\forall i\in S,C_{i}=\texttt {cenc}_{1}(1,h_{i}\cdot s)). \end{aligned}$$

KeyGen \((MSK=\alpha ,f=(n,q,\texttt {A}, \texttt {B},\texttt {GateType}))\) The key generation algorithm takes as input the master key and a description f of a circuit. Recall, that the circuit has \(n+q\) wires with n input wires, q gates and the wire \(n+q\) designated as the output wire.

Then choose random \(r_{1},\ldots ,r_{n+q} \leftarrow \) samp(params), where we think of randomness \(r_{w}\) as being associated with wire w. The algorithm produces a “header” component

$$\begin{aligned} K_{H}=\texttt {cenc}_{3}(\kappa -1,\alpha -r_{n+q}). \end{aligned}$$

Next, the algorithm generates key components for every wire w. The structure of the key components depends upon if w is an input wire, an OR gate, or an AND gate. We describe how it generates components for each case.

• Input wire

  By the convention if \(w\in [1,n]\) then it corresponds to the w-th input. The key generation algorithm chooses random \(z_{w}\leftarrow \) samp(params). The key components are:

  $$\begin{aligned} K_{w,1}=\texttt {cenc}_{3}(1,\texttt {enc}(1,r_{w})+h_{w}\cdot z_{w}),\ K_{w,2}=\texttt {cenc}_{3}(1,-z_{w}). \end{aligned}$$

• OR gate

  Let \(j=\texttt {depth}(w)\) be the depth of wire w. The algorithm choose random \(a_{w},b_{w}\leftarrow \) samp(params) and creates key components:

  $$\begin{aligned} K_{w,1}=\texttt {cenc}_{3}(1,a_{w}),\ K_{w,2}=\texttt {cenc}_{3}(1,b_{w}),\\ K_{w,3}=\texttt {cenc}_{3}(j,r_{w}-a_{w}\cdot r_{A(w)}),\ K_{w,4}=\texttt {cenc}_{3}(j,r_{w}-b_{w}\cdot r_{B(w)}). \end{aligned}$$

• AND gate

  Let \(j=\texttt {depth}(w)\) be the depth of wire w. The algorithm choose random \(a_{w},b_{w}\leftarrow \) samp(params) and creates key components:

  $$\begin{aligned} K_{w,1}= & {} \texttt {cenc}_{3}(1,a_{w}),\ K_{w,2}=\texttt {cenc}_{3}(1,b_{w}),\\ K_{w,3}= & {} \texttt {cenc}_{3}(j,r_{w}-a_{w}\cdot r_{A(w)}-b_{w}\cdot r_{B(w)}). \end{aligned}$$

The secret key SK output consists of the description of f, the header component \(K_{H}\) and the key components for each wire w.

Decrypt(SK, CT) Note that the goal of decryption should be to compute a level-\(\kappa \) encoding of \(\alpha \cdot s\) such that we can test if this is equal to \(C_{M}\). First, there is a header computation where everyone can compute \(E'=K_{H}\cdot {\widetilde{s}}\). Note also that \(E'\) should thus be a level-\(\kappa \) encoding of \(\alpha \cdot s-r_{n+q}\cdot s\). The goal is now reduced to computing a level-\(\kappa \) encoding of \(r_{n+q}\cdot s\).

Next, evaluate the circuit from the bottom up. Consider wire w at depth j; if \(f_{w}(x)=1\) then, compute \(E_{w}\) to be a level \(j+1\) encoding of \(sr_{w}\), otherwise, nothing needs to be computed for that wire. It follows how to compute \(E_{w}\) for all w where \(f_{w}(x)=1\), again breaking the cases according to whether the wire is an input wire, OR gate, or AND gate.

• Input wire

  By the convention if \(w\in [1,n]\) then it corresponds to the w-th input. Suppose that \(x_{w}=f_{w}(x)=1\). The algorithm computes:

  $$\begin{aligned} E_{w}=K_{w,1}\cdot {\widetilde{s}}+K_{w,1}\cdot C_{w} \end{aligned}$$

• OR gate

  Let \(j=\texttt {depth}(w)\) be the depth of wire w. Suppose that \(f_{w}(x)=1\). Without loss of generality, suppose that \(f_{A(w)}(x)=1\), then compute:

  $$\begin{aligned} E_{w}=E_{A(w)}\cdot K_{w,1}+K_{w,3}\cdot {\widetilde{s}} \end{aligned}$$

• AND gate

  Let \(j=\texttt {depth}(w)\) be the depth of wire w. Suppose that \(f_{w}(x)=1\), i.e. \(f_{A(w)}(x)=f_{B(w)}(x)=1\), then compute:

  $$\begin{aligned} E_{w}=E_{A(w)}\cdot K_{w,1}+E_{B(w)}\cdot K_{w,2}+K_{w,3}\cdot {\widetilde{s}}. \end{aligned}$$

If \(f(x)=f_{n+q}(x)=1\), then the algorithm will compute \(E_{n+q}\) to be a level \(\kappa \) encoding of \(r_{n+q}\cdot s\). It finally computes \(E'+E_{n+q}\) which is a level \(\kappa \) encoding of \(\alpha \cdot s\) and tests if this equals \(C_{M}\) using isZero(params,\(\mathbf{p }_{zt},E'+E_{n+q}-C_{M}\)), outputting \(M=1\) if so and \(M=0\) otherwise.

Appendix 2: ID-based aggregate signatures from GGH map [17]

1.1 Definitions for ID-based aggregate signatures

Setup \((1^{\lambda },l,n)\) The trusted setup algorithm takes as input the security parameter as well the bit-length l of messages and bit-length n of the identities. It outputs a common set of public parameters PP and a master key MSK.

KeyGen \((MSK,{\mathcal {I}}\in \{0,1\}^{n})\) The key generation algorithm is run by the authority. It takes as input the system master secret key and an identity \({\mathcal {I}}\), and outputs a secret signing key \(SK_{{\mathcal {I}}}\).

Sign \((PP,SK_{{\mathcal {I}}},{\mathcal {I}}\in \{0,1\}^{n},M\in \{0,1\}^{l})\) The signing algorithm takes as input a secret signing key and corresponding identity \({\mathcal {I}}\in \{0,1\}^{n}\), the common public parameters as well as a message \(M\in \{0,1\}^{l}\). It outputs a signature \(\sigma \) for identity \({\mathcal {I}}\). We emphasize that a single signature that is output by this algorithm is considered to also be an aggregate signature.

Aggregate \((PP,{\widetilde{S}},S',{\widetilde{\sigma }},\sigma ')\) The aggregation algorithm takes as input two multisets \({\widetilde{S}}\) and \(S'\) and purported signatures \({\widetilde{\sigma }}\) and \(\sigma '\). The elements of \({\widetilde{S}}\) consist of identity/message pairs \(\{(\widetilde{{\mathcal {I}}}_{1},{\widetilde{M}}_{1}),\ldots ,(\widetilde{{\mathcal {I}}}_{|{\widetilde{S}}|},{\widetilde{M}}_{|{\widetilde{S}}|})\}\) and the elements of \(S'\) consist of identity/message pairs \(\{(\mathcal {I'}_{1},M'_{1}),\ldots ,(\mathcal {I'}_{|S'|},M'_{|S'|})\}\). The process produces a signature \(\sigma \) on the multiset \(S={\widetilde{S}}\cup S'\) where \(\cup \) is a multiset union.

Verify \((PP,S,\sigma )\) The verification algorithm takes as input the public parameters, a multiset S of identity and message pairs and an aggregate signature \(\sigma \). It outputs true or false to indicate whether the verification succeeded.

1.2 ID-based aggregate signatures construction in the GGH framework

Setup \((1^{\lambda },l,n)\) The trusted setup algorithm takes as input the security parameter as well the bit-length l of messages and bit-length n of the identities. It then runs (params,\(\mathbf{p }_{zt})\leftarrow \) InstGen(\(1^{\lambda },1^{\kappa =l+n}\)). Next, it chooses random encodings \(a_{i,\beta }\leftarrow \texttt {samp}(\texttt {params})\) for \(i\in [1,l]\) and \(\beta \in \{0,1\}\); and random encodings \(b_{i,\beta }\leftarrow \texttt {samp}(\texttt {params})\) for \(i\in [1,n]\) and \(\beta \in \{0,1\}\). Then it assigns \(A_{i,\beta }=\texttt {cenc}_{1}(\texttt {params},1,a_{i,\beta })\) for \(i\in [1,l]\) and \(\beta \in \{0,1\}\) and it assigns \(B_{i,\beta }=\texttt {cenc}_{1}(\texttt {params},1,b_{i,\beta })\) for \(i\in [1,l]\) and \(\beta \in \{0,1\}\).

These will be used to compute a function H mapping \(l+n\) bit strings to level \(\kappa -1\) encodings. Let \(m_{1},\ldots ,m_{l}\) be the bits of M and \(id_{1},\ldots ,id_{n}\) be the bits of \({\mathcal {I}}\). It is computed iteratively as

$$\begin{aligned}&H_{1}({\mathcal {I}},M)=B_{1,id_{1}}\ \ \ \ \text {for\ }i\in [2,n]\ \ \ H_{i}({\mathcal {I}},M)=H_{i-1}({\mathcal {I}},M)\cdot B_{i,id_{i}}\\&\quad \text {for\ }i\in [n+1,n+l=\kappa ]\ \ \ H_{i}({\mathcal {I}},M)=H_{i-1}({\mathcal {I}},M)\cdot A_{i-n,m_{i-n}}. \end{aligned}$$

Define \(H({\mathcal {I}},M)=\texttt {cenc}_{1}(\texttt {params},\kappa ,H_{\kappa =l+n}({\mathcal {I}},M))\).

Then the public parameters PP consist of the params, \(\mathbf{p }_{zt}\) plus:

$$\begin{aligned} (A_{1,0},A_{1,1}),\ldots ,(A_{l,0},A_{l,1}),(B_{1,0},B_{1,1}),\ldots ,(B_{n,0},B_{n,1})) \end{aligned}$$

and the master secret key MSK includes PP together with the encodings \((b_{1,0},b_{1,1}), \ldots ,(b_{n,0},b_{n,1})\).

KeyGen \((MSK,{\mathcal {I}}\in \{0,1\}^{n})\) The signing key for identity \({\mathcal {I}}\) is \(SK_{{\mathcal {I}}}=\) cenc \(_{2}\)(params,\(n-1, \prod _{i\in [1,n]}b_{i,id_{i}})\).

Sign \((PP,SK_{{\mathcal {I}}},{\mathcal {I}}\in \{0,1\}^{n},M\in \{0,1\}^{l})\) The signing algorithm lets temporary variable \(D_{0}=SK_{{\mathcal {I}}}\). Then for \(i=1\) to l it computes \(D_{i}=D_{i-1}\cdot A_{i,m_{i}}\). The output signature is

$$\begin{aligned} \sigma =\texttt {cenc}_{3}(\texttt {params},\kappa ,D_{l}). \end{aligned}$$

This serves as an ID-based aggregate signature for the (single element) multiset \(S=\{({\mathcal {I}},M)\}\).

Aggregate \((PP,{\widetilde{S}},S',{\widetilde{\sigma }},\sigma ')\) The aggregation algorithm simply computes the output signature \(\sigma \) as \(\sigma ={\widetilde{\sigma }}+\sigma '\). This serves as a signature on the multiset \(S={\widetilde{S}}\cup S'\) where \(\cup \) is a multiset union.

Verify \((PP,S,\sigma )\) The verification algorithm parses S as \(\{({\mathcal {I}}_{1},M_{1}),\ldots ,({\mathcal {I}}_{|S|},M_{|S|})\}\). It rejects if the multiplicity of any identity/message pair is greater than \(2^{\lambda }\).

The algorithm then proceeds to check the signature by setting \(\tau =\texttt {cenc}_{2}(\texttt {params},1,y)\), and testing:

$$\begin{aligned} \texttt {isZero}\Big (\texttt {params},\mathbf{p }_{zt},\tau \cdot \sigma -\sum _{i\in [1,|S|]}H({\mathcal {I}}_{i},M_{i})\Big ) \end{aligned}$$

and accepts if and only if the zero testing procedure outputs true. Recall that y above is a level 1 encoding of 1 that is included in params, part of the public parameters.