mathematical analysis of cryptographic multilinear...

저 시-비 리- 경 지 2.0 한민

는 아래 조건 르는 경 에 한하여 게

l 저 물 복제, 포, 전송, 전시, 공연 송할 수 습니다.

다 과 같 조건 라야 합니다:

l 하는, 저 물 나 포 경 , 저 물에 적 된 허락조건 명확하게 나타내어야 합니다.

l 저 터 허가를 면 러한 조건들 적 되지 않습니다.

저 에 른 리는 내 에 하여 향 지 않습니다.

것 허락규약(Legal Code) 해하 쉽게 약한 것 니다.

Disclaimer

저 시. 하는 원저 를 시하여야 합니다.

비 리. 하는 저 물 리 목적 할 수 없습니다.

경 지. 하는 저 물 개 , 형 또는 가공할 수 없습니다.

http://creativecommons.org/licenses/by-nc-nd/2.0/kr/legalcode

http://creativecommons.org/licenses/by-nc-nd/2.0/kr/

이학 박사 학위논문

Mathematical Analysis ofCryptographic Multilinear Maps

(암호학적 다중선형함수의수학적 분석에 관한 연구)

2017년 8월

서울대학교 대학원

수리과학부

이창민


(암호학적 다중선형함수의수학적 분석에 관한 연구)

지도교수 천정희

이 논문을 이학 박사 학위논문으로 제출함

2017년 4월

서울대학교 대학원

수리과학부

이창민

이창민의 이학 박사 학위논문을 인준함

2017년 6월

위 원 장 김 명 환 (인)

부 위 원 장 천 정 희 (인)

위 원 David Donghoon Hyeon (인)

위 원 권 순 학 (인)

위 원 윤 아 람 (인)


A dissertation

submitted in partial fulfillment

of the requirements for the degree of

Doctor of Philosophy

to the faculty of the Graduate School of

Seoul National University

by

Changmin Lee

Dissertation Director : Professor Jung Hee Cheon

Department of Mathematical Sciences


August 2017

Abstract

Mathematical Analysis of

Cryptographic Multilinear Maps

Changmin Lee

Department of Mathematical Sciences

The Graduate School


Multilinear maps are a very powerful tool in cryptography. Nonetheless,

to date, only three types of multilinear maps have been published relying on

a graded encoding scheme. The first candidate is proposed by Garg, Gen-

try, and Halevi (GGH) relying on an ideal lattice [GGH13a], the second

one is defined on integers as established by Coron, Lepoint, and Tibouchi

(CLT) [CLT13], and the last one is provided by Gentry, Gorbunov, and Halevi

(GGH15) relying on a graph induced graded encoding scheme [GGH15].

These multilinear maps have led to a number of applications in cryptogra-

phy such as one round key exchange protocol, witness encryptions, and even

indistinguishable obfuscations. The security of the applications depends on

some hardness problems derived from a graded encoding scheme.

However, none of them have reduction to well-known hard problems. For

that reasons, many researches attempt to investigate the hardness of the

problems. Actually, when low-level encodings of zero are given, the GGH

scheme is known to be insecure by Hu and Jia [HJ16] and the last candidate

of a multilinear map GGH15 is known to be insecure [CLLT16].

In the thesis, we describe an algebraic analysis on the hardness problems

of two GGH and CLT multilinear maps. Common to two candidates are

i

ii

constructed by graded encoding schemes and provide an additional public

information zerotesting parameter, which is used to determine whether the

hidden message is zero or not. Exploiting the structure of graded encoding

scheme and additional input, we study how to solve the hardness problems

in three cases.

First, we show another approach to break the GGH scheme with low level

encodings of zero. According to the original GGH paper, finding a short vec-

tor for a given principal ideal lattice enables to break the scheme. Therefore,

the parameters are set to be invulnerable to the best known algorithm for

finding a short vector on ideal lattice. By proposing an improved lattice re-

duction algorithm to find a short vector, we prove that the multilinear map

is broken within quasi polynomial time of the suggested parameters.

Second, we describe that how to construct a level-0 encoding of zero

from GGH public parameter without level encodings of zero in the quasi-

polynomial time of the suggested parameters. The obtained encoding of zero

serves as a low level encoding of zero in the first study. Thus we also show

that GGH without low level encodings of zero is insecure.

Finally, for CLT scheme with low level encodings of zero, we attempt to

reveal the all secret elements of scheme in polynomial time. By multiplying

encodings of zero to zerotesting parameter appropriately, one can obtain an

integer matrix of secret quantities. Next we recover the secret elements by

computing eigenvalues.

Key words: GGH multilinear maps, SVP, NTRU, ideal lattice, CLT multi-

linear maps, CRT-ACD

Student Number: 2012-20254

Contents

Abstract i

1 Introduction 1

1.1 Multilinear maps . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.2 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.2.1 Analysis of the GGH scheme . . . . . . . . . . . . . . . 3

1.2.2 Analysis of the CLT scheme . . . . . . . . . . . . . . . 5

2 Preliminaries 7

2.1 Notations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.2 Graded encoding Schemes and Multilinear map Procedure. . . 8

2.3 Hardness Problems. . . . . . . . . . . . . . . . . . . . . . . . . 11

3 Multilinear maps over the Ideal Lattices and Its Analysis 13

3.1 GGH13 Multilinear maps . . . . . . . . . . . . . . . . . . . . . 14

3.2 Basic Notions . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

3.3 Attack on GGH with low level encodings of zero . . . . . . . . 19

3.3.1 Sublattice Algorithm . . . . . . . . . . . . . . . . . . . 21

3.4 Attack on GGH with top level encodings of zero . . . . . . . . 24

3.4.1 Overstretched NTRU Problem and Its Analysis . . . . 25

4 Multilinear Maps over the Integers and Its Analysis 38

4.1 The CLT13 Multilinear Map. . . . . . . . . . . . . . . . . . . 39

4.2 CRT-ACD with auxiliary input and Its Analysis . . . . . . . . 42

iii

CONTENTS

4.2.1 Application to CLT Schemes . . . . . . . . . . . . . . . 47

4.3 Analysis of the Related Problems. . . . . . . . . . . . . . . . . 50

4.3.1 Solving the CLT SubM Problem . . . . . . . . . . . . . 55

4.3.2 Solving the CLT DLIN Problem . . . . . . . . . . . . . 56

4.3.3 Solving the CLT GXDH Problem . . . . . . . . . . . . 57

5 Conclusions 59

Abstract (in Korean) 67

Acknowledgement (in Korean) 68

iv

Chapter 1

Introduction

1.1 Multilinear maps

Multilinear maps are one of the important primitives in cryptography. Since

Boneh and Silverberg formalized cryptographic multilinear maps in 2003 [BS03],

various cryptographic applications have been proposed using multilinear map

such as one round multi-party key exchange protocol, a witness encryption

scheme, and indistinguishable obfuscation [BS03, GLW14, GGH`13b]. Be-

cause these applications are a long standing open problems, designing mul-

tilinear maps has become an important research topic. Unfortunately, for a

long time, it fails to produce secure multilinear maps and such applications

could not actually be realized.

A decade later, in 2013, Garg, Gentry Halevi [GGH13a] introduced the

new concept of (approximate) graded encoding scheme and proposed the con-

struction of multilinear maps by using the graded encoding scheme. Moreover,

by designing the graded encoding schemes relying on an ideal lattice they de-

scribed the first candidate of multilinear maps as GGH scheme. Soon after,

Coron et al. introduced another candidate of multilinear map by designing

a new graded encoding schemes over the integers as CLT scheme [CLT13].

Both schemes are share similarity, which one is to provide extra public data

called the zero-testing or extraction parameter, which allow to publicly de-

1

CHAPTER 1. INTRODUCTION

cide whether the message of the given encoding is zero or not. The GGH

scheme and CLT scheme lead us to realize the various applications based on

multilinear maps.

The security of the applications rely on 4 types of new hardness assump-

tions such as Graded Decisional Diffie-Hellman assumption (GDDH), Deci-

sional Linear problem (DLIN), Subgroup Membership problem (SubM), and

Graded External Decision Diffie-Hellman problem (GXDH), which are served

from graded encoding schemes. These problems have been initially used in

the context of cryptographic bilinear maps [Sco02, BBS04, BGN05].

Unfortunately, in case of the GGH scheme with low grade encoding of

zeros (i.e. low level encoding of zeros), it was realized that the hardness

problems could be broken in polynomial-time by using called zeroizing at-

tack. [HJ16, GGH13a]. Briefly, The attack consists in multiplying the en-

coding of zero and zero-testing parameters for a given encoding of m allows

us to obtain multiples of m exactly. This value serves to solve all related

problems of GGH schemes. The more details were described in original pa-

per [HJ16, GGH13a].

On the other hand, in the case of CLT, since the attack algorithm us-

ing the encoding of zero is not known, the presumed hardness of the CLT

instantiations of GDDH, SubM, DLIN and GXDH was exploited as a se-

curity grounding for several cryptographic constructions [ABP15, BLMR13,

GLSW15, Zim15]. Whereas the both schemes without low grade encodings

of zero are still known to be hard.

Soon after, a third candidate construction of a variant of graded encoding

schemes was proposed in [GGH15]. And at a similar time, a new CLT mul-

tilinear maps [CLT15] are proposed. Unfortunately, these schemes are also

known to be insecure [CLLT15, CFL`16].

2


1.2 Contributions

In this thesis, we provide an algebraic analysis of the hardness problems de-

pended on multilinear maps. First of all, we abstract the problems of the

GGH scheme to shortest vector problem on ideal lattice or Overstretched

NTRU problem. In case of CLT scheme, we reduce the CRT-ACD with aux-

iliary input. Next we describe an analysis of the problems.

1.2.1 Analysis of the GGH scheme

GGH with low level encodings of zero

As mentioned above, the GGH scheme with low level encodings of zero was

broken by Hu and Jia [HJ16]. In this thesis, we provide another approach

to analysis of the scheme. According to original GGH paper [GGH13a, Sec.

6.3.3], for a secret element g of the GGH scheme, if one can finds a short

element of b P xgy such that b ď q14, the GDDH problems is not secure.

In other words, the GDDH problem are reduced to shortest vector problem

(SVP) on lattice. More precisely, let R be a ring ZrXsxXn ` 1y and xgy

an ideal generated by g “n´1ř

i“0

gi P R. For a generator g, by identifying

it to a vector pg0, g1, ¨ ¨ ¨ , gn´1q, the size of g, g, is defined by

d

n´1ř

i“0

g2i .

Moreover, one can consider the principal ideal xgy as a lattice generated by

tg,g ¨X, ¨ ¨ ¨ ,g ¨Xn´1u. Given a basis of the lattice xgy, SVP on ideal lattice

is to find an short element b of an ideal xgy.

As the first contribution of this thesis, we improve a lattice reduction

algorithm to find a short vector. The algorithm is called by sublattice algo-

rithm. Generally, a lattice basis reduction algorithm Aδ with a root Hermite

factor δ on n-dimensional lattice L outputs a lattice point b P L such that

b ď δn ¨ detpLq1n. When the determinant of an integral lattice is less

than δn2, we propose an algorithm to obtain a lattice point b such that

b ď 22¨?log δ¨log detL. This algorithms run in time of algorithm Aδ with poly-

3


nomial time of the dimension n and logpdetLq. The main idea is to reduce a

SVP on a lattice L to one on its sublattice whose determinant is bounded by

that of L. This technique was used to orthogonal lattice attacks on Learning

with Errors or Small Integer Solution problems where the lattice dimension

can be taken flexible without increasing determinant [MR09] Our idea is not

bounded to specific attacks and can be applied to any integral lattices.

In general, the determinant of a sublattice may be smaller or larger than

that of the original lattice. Our idea is to use the Hermite normal form (HNF)

to obtain a sublattice with bounded determinant. The HNF of an integral

lattice is a unique (generalized) lower-triangular matrix, the columns of which

form a basis of the lattice and it can be computed in polynomial time from

any basis of the lattice [MW01]. We show that the sublattice generated by

the last m columns has a smaller determinant than that of the original lattice

for any positive integer m ď n. For example, by applying LLL algorithm to

this sublattice of appropriate m, we obtain a short vector, the size of which is

upper-bounded by 2?log detL, which is smaller than the shortest vector from

LLL when the determinant of L is smaller than 2n24. We may apply any

approximate SVP algorithm to our algorithm instead of LLL, including the

BKZ algorithm. Our algorithm with BKZ of block size polylogpλq breaks the

GGH scheme with the security parameter λ.

GGH with top level encodings of zero

In case of the GGH scheme with top level encodings of zero, we observe

that the GDDH problem is transformed to Overstretched NTRU problem

(ONTRU). Let f and g be polynomials of a bounded Euclidean coefficient

in the ring ZrXsxXn ` 1y with a power of two n. Given the polynomial

rfgsq P ZqrXsxXn`1y, the NTRU problem is to find a, b P ZrXsxXn`1y

with a small Euclidean coefficient such that rabsq “ rfgsq. When, q is a

super polynomial on security parameter λ, it is called by ONTRU problem

and which is introduced in [ABD16].

In order to solve the ONTRU, we provide so called subfield algorithm and

4


hybrid algorithm combining the subfield and sublattice algorithm. In detail,

when n is Oplog2 qq and g, f, g´1 are Opnq, we propose an algorithm to

solve the ONTRU problem, which runs in 2Oplog2 qq time. The main technique

of our algorithm is the reduction of a problem on a field to one in a subfield

with trace map. Concurrently and independently, Albrecht et al. suggest a

very similar algorithm and hold same results by using norm map instead

of trace [ABD16]. In the GGH scheme without low-level encodings of zero,

our algorithm can be directly applied to attack this scheme if we have some

top-level encodings of zero. Using our algorithm, we can construct a level-0

encoding of zero and utilize it to attack a security ground of this scheme in

the quasi-polynomial time of its security parameter suggested by [GGH13a]

In addition, we suggest an improvement of the subfield attack by com-

bining the sublattice algorithm and subfield algorithm. Our attack reduces

the required block sizes of the BKZ algorithm from β to β1 satisfying β1

log β1„

27n logM2 log2 q

, while βlog β

„16n logMlog2 q

in the previous. Our Hybrid attack implies

that the degree should be increased from n to 32n27

in order to maintain the

same security level in the cryptosystems based on the ONTRU problems.

1.2.2 Analysis of the CLT scheme

Although the CLT scheme also exposes low level encodings of zero, the scheme

has no way of attacking with zero encodings. In this thesis, we first define

a new problem CRT-ACD with auxiliary input (CRT-ACDwAI) and reduce

from the CLT scheme with low level encodings of zero to CRT-ACDwAI.

The CRT-ACDwAI is to find η-bit primes pi for all 1 ď i ď n for given

many samples in the form of CRTpp1,¨¨¨ ,pnqpr1, ¨ ¨ ¨ , rnq which is an integer

congruent to integer ri in modulo pi, x0 “nś

i“1

pi and P “nř

i“1

x0pi.

When 3 log |ri| ` 1 ă η, we describe an algorithm to solve the CRT-

ACDwAI. The algorithm runs in polynomial-time and allows one to publicly

compute all pi, which is also secret parameters of the CLT scheme. By adapt-

ing the zeroizing attack to CLT scheme, one can reduce from public parame-

ters of CLT scheme to CRT-ACDwAI. It implies that any quantities involving

5


the kept secret of the CLT scheme are recovered. Additionally we describe

another algorithm. It runs also in polynomial-time and reveals thenś

i“1

ri and

can be used to solve the SubM, DLIN, GXDH for CLT scheme.

List of Papers. This thesis contains results of sublattice algorithm origi-

nally appeared in [CL15]. The attack algorithm for NTRU problem, subfield

algorithm, that were obtained jointly with Jung Hee Cheon and Jin Heok

Jung [CJL16], which was presented in Algorithmic Number Theory Sym-

posium (ANTS 2016). It also contains the result of the improved subfield

algorithm by [CHL17].

In addition, this thesis includes a joint work with Jung Hee Cheon, Hansol

Ryu, Kyoohyung Han, and Damien Stehle [CHL`15], which published in

Eurocrypt 2015 and its variant version.

• [CJL16] Jung Hee Cheon, Jinhyuck Jeong, and Changmin Lee. An al-

gorithm for NTRU problems and cryptanalysis of the GGH multilinear

map without a low level encoding of zero. Mh, 1:0, 2016.

• [CL15] Jung Hee Cheon, and Changmin Lee. Approximate algorithms

on lattices with small determinant. IACR Cryptology ePrint Archive,

Report 2015/461, 2015.

• [CHL17] Jung Hee Cheon, Minki Hhan, and Changmin Lee: Crypt-

analysis of the Overstretched NTRU Problem for General Modulus

Polynomial, preprint.

• [CHLRS15] Jung Hee Cheon, Kyoohyung Han, Changmin Lee, Hansol

Ryu, and Damien Stehle: Cryptanalysis of the multilinear map over the

integers. In Advances in Cryptology - EUROCRYPT 2015, pages 3–12,

2015.

• [CHLRS15] Jung Hee Cheon, Kyoohyung Han, Changmin Lee, Hansol

Ryu, and Damien Stehle: Cryptanalysis on the Multilinear Map over

the Integers and its Related Problems, preprint.

6

Chapter 2

Preliminaries

First of all, we define some notations to be used and basic notions related to

multilinear maps.

2.1 Notations.

For an integer q, we use the notation Zq :“ ZpqZq and rRsq :“ ZqrXsxXn`

1y “ RqR. We denote the number in Zq within the range`

´q2, q2

‰

by px

mod qq or rxsq, which is congruent to x modulo q. For u “n´1ř

i“0

uiXi P R,

rusq “n´1ř

i“0

ruisqXi and u denote the Euclidean norm of u.

We define ι : Zq ÝÑ Z by rxsq P Zq ÞÑ x P Z for ´ q2ă x ď q

2. We extend

this map to rRsq by applying it to each coefficient. By abuse of notation, we

omit ι unless it will be confused when identifying rxsq P Zq with an integer

x when ´ q2ă x ď q

2.

Throughout this paper, we assume that an integer n is a power of 2.

Then, K :“ QrXsxXn ` 1y is a number field with the ring of integers

R :“ ZrXsxXn ` 1y. In particular, K is a Galois extension of Q, and we

denote the Galois group of K over Q by GalpKQq. As in the technical

overview, for any polynomial h “n´1ř

i“0

hiXi P K, we consider it to be a column

vector ph0, ¨ ¨ ¨ , hn´1qT . When we need an inverse of an element a P R, we

7

CHAPTER 2. PRELIMINARIES

usually consider the inverse inK with the notation a´1. If we want to consider

it in rRsq and not in K, then we denote it by ra´1sq. We use bold letters to

denote vectors or ring elements in Zn or R.

2.2 Graded encoding Schemes and Multilin-

ear map Procedure.

We first recall the formal definition of multilinear map suggested by Boneh

and Silverberg [BS03].

Definition 2.2.1 (Multilinear maps [BS03]). For κ`1 cyclic groupsG1, ¨ ¨ ¨ , Gκ,

and GT of the same order p, an κ-multilinear map e : G1 ˆ ¨ ¨ ¨ ˆ Gκ Ñ GT

has the following properties:

1. For an element a P Zp and tgi P Giu1ďiďκ, it holds:

epg1, ¨ ¨ ¨ , a ¨ gi, ¨ ¨ ¨ , gκq “ a ¨ epg1, ¨ ¨ ¨ , gi, ¨ ¨ ¨ , gκq.

2. If the elements gi is a generator of Gi, respectively, then epg1, ¨ ¨ ¨ , gκq

is a generator of GT .

In the original definition [BS03], the cyclic group are set as same group

G1 “ G2 “ ¨ ¨ ¨ “ Gκ, which is called symmetric multilinear maps. The

asymmetric multilinear maps with different Gi’s are considered in [GGH13a].

Throughout this thesis, we generally deal with symmetric case, and only with

asymmetric case if necessary.

Unfortunately, when κ ě 3, none of the multilinear maps are published

matched to the formal definition of multilinear maps. At 2013, instead of

a formal definition, Garg et al. proposed a new concept ”graded encoding

scheme” and proposed an approximate multilinear maps by exploiting the

graded encoding scheme. After that, GGH and CLT (approximate) multilin-

ear maps are provided by constructing a graded encoding scheme relying on

8


ideal lattice and integers, respectively. Now we describe the formal definition

of a κ-graded encoding scheme referring to original paper [GGH13a].

Definition 2.2.2 (Graded Encoding Scheme [GGH13a]). A κ-Graded En-

coding Scheme for a commutative ring R is a system of sets S “ tSpαqi P

t0, 1u˚ : 1 ď i ď κ, α P Ru, with the following properties

1. For every 1 ď i ď κ, the sets tSpαqi : α P Ru are disjoint.

2. There are binary operations ` and ´ (on t0, 1u˚) such that for every

α1, α2 P R, every 1 ď i ď κ, and every u1 P Spα1q

i and u2 P Spα2q

i , it

holds that

u1 ` u2 P Spα1`α2q

i and u1 ´ u2 P Spα1´α2q

i ,

where α1 ` α2 and α1 ´ α2 are addition and subtraction in R.

3. There in an associative binary operation ˆ (on t0, 1u˚) such that for

every α1, α2 P R, every 1 ď i, j ď κ with 0 ď i ` j ď κ, and every

u1 P Spα1q

i and u2 P Spα2q

j , it holds that

u1 ˆ u2 P Spα1¨α2q

i`j ,

where α1 ¨ α2 is multiplication in R.

Throughout this thesis, we denote a level-i encoding of m as enctpmq. The

main difference between multilinear maps and graded encoding scheme is two

fold; one is that the encodings has a level (or grade). The set Sαi means that

level i encoding of α. The second main difference is that the encodings in

graded encoding scheme are randomized whereas the encodings of multilinear

maps are deterministic. It implies that a ring element α can be encoded many

ways.

Since the image of multilinear map is a deterministic function for a ring

element α’s only, it needs additional procedure to erase the randomness.

9


In [GGH13a] and [CLT13], by providing a zerotesting procedure, they delete

the randomness and enable to construct a multilinear map. Now we de-

scribe a multilinear map procedure using graded encoding scheme; we refer

to [GGH13a] As previously we consider only the symmetric case.

Multilinear map Procedure.

Instance Generation. The randomized InstGenp1λ, 1κq takes as inputs the

parameters λ and κ, and outputs (params, pzt), where params is a description

of a κ-Graded Encoding System as above, and pzt is a zero-test parameter.

Ring Sampler. The randomized samp(params) outputs a level-zero encoding

a P Sα0 for a nearly uniform element α PR R. Note that the encoding a does

not need to be uniform in Sα0 .

Encoding. The (possibly randomized) enc(params, a) takes as input a level-

zero encoding a Sα0 for some α P Sα0 , and outputs the level-one encoding

u P Sα1 for some α.

Re-Randomization. The randomized reRand(params, i, u) re-randomizes

encodings relative to the same level i. Specifically, given a level-l encoding

u P Spαql , it outputs another encoding u0 P S

pαql . Moreover for any two u1, u2 P

Spαql , the output distributions of reRand(params, i, u1) and reRand(params, i,

u2) are nearly the same.

Addition and negation. Given params and two encodings relative to the

same level, u1 P Spα1q

l and u2 P Spα2q

l , we have add(params, u1, u2)P Spα1`α2q

l

and neg(params, u1)P Sp´α1q

l . Below we write u1`u2 and ´u1 as a shorthand

for applying these procedures.

Multiplication. For u1 P Spα1q

i and u2 P Spα2q

j , we have mul(params, u1,

u2)“ u1 ˆ u2 P Spα1¨α2q

i`j .

Zero-test. The procedure isZero(params, pzt, u) outputs 1 if u P Sp0qκ and 0

otherwise.

Extraction. The procedure extracts a random function of ring elements from

their level-κ encoding. Namely ext(params, pzt, u) outputs s P t0, 1uλ, such

that:

10


1. For any α P R and u1, u2 P Spαqκ , ext(params, pzt, u1)= ext(params, pzt,

u2).

2. The distribution text(params, pzt, u): α PR R, u P Spαqκ u is nearly uni-

form over t0, 1uλ.

In the original [GGH13a] paper, the authors provide a slightly weak defini-

tions of isZero and ext, where isZero can output 1 even for top level encoding

of some nonzero element with negligible probability, and ext can output dif-

ferent outputs for top level encodings of same element, also with negligible

probability. In this sense, a multilinear map relying on a graded encoding

scheme is a approximate function.

2.3 Hardness Problems.

Finally, we recall the hardness problems and its related problems for multi-

linear maps underlying on graded encoding scheme. described in [GGH13a].

First, we introduce a hardness assumption for multilinear maps, graded deci-

sional Diffie-Hellman (GDDH) problem. Briefly, given a set of κ`1 level-one

encodings of random elements, it is to distinguish between a level-κ encodings

of their product and a random element.

Definition 2.3.1 (Graded Decisional Diffie-Hellman (GDDH)). For an ad-

versary A and parameters λ, κ we consider the following process:

Generating public parameter: (params, pzt) Ð InstGenp1λ, 1κq

Sampling: Choose aj Ð samppparamsq for all 0 ď j ď κ

Encoding: Set uj ÐreRand(params, 1, enc(params, 1, aj)) for all 0 ď j ď κ

Random sampling: Choose bÐ samppparamsq

Right product at level-κ: Set u “reRand(params, κ,κś

j“0

aj)

Random value at level-κ: Set u “reRand(params, κ, b)

The GDDH problem is to distinguish between two distributions, DDDH and

11


DR, where

DDDH “ tparams,pzt, u0, . . . , uκ, uu and DR “ tparams,pzt, u0, . . . , uκ, uu.

Remark As mentioned previously, the many applications of multilinear maps

rely on several problems such as SubM, DLIN, GXDH. In the first public ver-

sion of [GGH13a] (dated 29 Oct. 2012),˚ the GGH construction was thought

to provide secure SubM, DLIN, and GXDH instantiation. It was soon real-

ized that these problems could be broken in polynomial-time. Therefore, we

only introduce these problems and analysis for the CLT version in Section 4.3

˚It can be accessed from the IACR eprint server.

12

Chapter 3

Multilinear maps over the Ideal

Lattices and Its Analysis

In this chapter, we introduce GGH multilinear maps and its analysis. The

GGH scheme are provided relying on ideal lattices. Basically, its underlying

set is a polynomial quotient ring R “ ZrXsxXn` 1y with a power of two n.

Let xgy Ă R be an principal ideal generated by a secret short element g P R,

and Rq :“ Rxq ¨ Ry for a fixed large integer q. Then a message space and a

ciphertext space are defined by Rxgy and Rq, respectively.

Because the GGH schme is constructed by a graded encoding scheme, it

provide a zero-testing parameter and its encodings are defined with level. In

GGH scheme, the level-t encoding of m P R and zerotesting parameter are

of the form:

enctpmq “r ¨ g `m

ztmod q,pzt “

h ¨ zκ

gmod q

where r is a short random element and z,h are fixed secret elements. In the

original GGH paper, the authors observe that if one can find a short element

of xgy, the GGH scheme becomes insecure. Therefore in this chapter, we focus

on how to recover the short element of xgy from public parameters and use

it to break the GGH scheme.

13

CHAPTER 3. MULTILINEAR MAPS OVER THE IDEAL LATTICESAND ITS ANALYSIS

3.1 GGH13 Multilinear maps

First, we briefly recall the Garg et al. GGH construction. We refer to the

original paper [GGH13a] for a complete description. The scheme relies on

the following parameters.

λ: the security parameter

κ: the multilinearity parameter

σ: the basic Gaussian parameter for drawing the ideal generator g

σ1: the Gaussian parameter for sampling level-zero elements

σ˚: the Gaussian parameter for constructing nonzero level elements

m: the number of encodings of zero in the public parameters at each

level.

q: the modulus of a ciphertext

n: the dimension of a base ring

Instance generation: pparams,pztq Ð InstGenp1λ, 1κq.

For a given λ and κ, InstGenp1λ, 1κq outputs the following elements.

Sample g Ð DR,σ until g, g´1 ď n2 and, I “ xgy is a prime ideal in R.

Sample z ÐR Rq.

Sample a Ð D1`I,σ1 and set a level-1 encoding of 1, y “

„

a

z

q

.

Sample Xi “ tbijgu Ð DI,σ1 and set a level-i encoding of zero, xij “

„

bijg

zi

q

for all 1 ď i ď κ, 1 ď j ď m.

Sample h Ð DR,?q and set a zero-testing parameter pzt “

„

h

gzκ

q

.

Then publish params “ pn, q, κ,y, txijuq and pzt.

14


Sampling level-zero encodings: a Ð samppparamsq.

To sample a valid level-0 encoding a, we draw an element from DI,σ1 . In other

words, a Ð DI,σ1 .

Encodings at higher levels: ci Ð encpparams, i, cq.

Given a level-j encoding c for j ă i, we draw an m integers rk Ð DZ,σ˚

1 ď k ď m and compute ci “

„

c ¨ yi´j `mř

k“1

rk ¨ xik

q

.

Adding and multiplying encodings:

Given two encodings c1 and c2 of the same level, the sum of c1 and c2 is

computed by Add(c1, c2)=rc1 ` c2sq. Given two encodings c1 and c2, we

multiply c1 and c2 by Mul(c1, c2)=rc1 ¨ c2sq.

Zero testing: isZeropparams, pzt, cq?“ 01.

To test given a level-κ encoding c is zero or not, we compute rpzt ¨ csq8. So

zerotesting procedure returns 1 if rpzt ¨ csq8 ă q34; otherwise, return 0.

Extraction: v Ð extpparams, pzt, cq.

To extract a canonical representation of a coset from an encoding u “ rczκsq,

we just multiply by the zero-testing parameter pzt, collect the plog qq4`λ

most-significant bits of each of the n coefficients of the result. In other words,

for given a level-κ encoding c, compute MSBlog q4´λprpzt ¨ csqq.

This works because for any two encodings u,u1 of the same coset we have

pzt ¨ u´ pzt ¨ u1 “ pzt ¨ pu´ u1q ă q34,

therefore we guarantee pzt ¨ u, pzt ¨ u1 to agree on their plog qq4`λ most sig-

nificant bits without negligible probability.

15


Hardness Assumptions

We recall the definitions of the graded decisional Diffie-Hellman problem

(GDDH) for GGH scheme and its computational variant GCDH. They do

not seem to be reducible to more classical assumptions in generic ways.

For an adversary A and the parameters λ and κ, we consider the follow-

ing process in the GGH scheme.

1. Choose (n, q, κ, txκju, pzt) Ð InstGen(1λ, 1κ).

2. Sample mi Ð samppparamsq for each 0 ď i ď κ.

3. Set ui “”ri ¨ g `mi

z

ı

qÐ encpparams, 1, miq for all 0 ď i ď κ.

4. Choose r Ð DR,σ1 .

5. Sample ρj Ð t0, 1u for 1 ď j ď m.

6. Set u=

«

m0 ˆκś

i“1

ui `ř

j

ρjxκj

ff

q

.

7. Set u=

«

rˆκś

i“1

ui `ř

j

ρjxκj

ff

q

.

The GDDH problem is to distinguish between two distributions, DDDH and

DR, where

DDDH “ tq, txiu,pzt,u0, . . . ,uκ, uu and DR “ tq, txiu,pzt,u0, . . . ,uκ,uu.

The GCDH problem is to output a level-κ encoding ofκś

i“0

mi ` I given the

inputs

tq, txiu,pzt,u0, . . . ,uκu.

Parameter Settings.

Garg et al. suggested to set the parameters so that the following conditions

are met:

‚ σ “?λn, σ1 “ λn32: to bound the size of g and level-1 encodings. It

means that with overwhelming probability g ď n?λ and a, bij ď

16


λn2.

‚ σ˚ “ 2λ, m “ Opn2q: so that the distribution of level-1 encoding u is

independent to its re-randomized one of u1.

‚ q ě 28κλ ¨ nOpκq: to valid zero test, we need to q18 larger than the size

of denominator of level-κ encodings.

‚ n “ Opκλ2q: to thwart lattice reduction attacks.

3.2 Basic Notions

In this section, we introduce basic notions related to analysis of GGH scheme.

Lattices.

An m-dimensional lattice of rank n is the set of all integer combinations

třni“1 xibi | xi P Zu of n linear independent vectors b1, . . . ,bn P Rm. The

set of bi’s is called a basis of L. If n “ m, L is called a full rank lattice. A

sublattice is a subset L1 Ă L that is also a lattice. A matrix B “ rb1 ¨ ¨ ¨bns

is a basis matrix of a lattice L. If L Ă Zn, we call it an integral lattice. In

this study, we only focus on integral lattices.

Given a lattice L in Rm with a basis matrix B, the determinant of the

lattice is defined asa

detpBTBq, where BT is the transpose matrix of B

and detpMq denotes the determinant of a square matrix M . By abusing the

notations, detL is used to denote the determinant of L. The i-th successive

minimum of a lattice L, denoted by λipLq, is defined by

λipLq “ minrtr : dimpspanpLXBprqqq ě iu,

where Bprq : tx P Rn : x ď ru.

Given a basis tb1, ¨ ¨ ¨ ,bnu, we denote by b˚1, ¨ ¨ ¨ ,b˚n the output of the

Gram-Schmidt orthogonalization of the basis, i.e., b˚i is the component of bi

orthogonal to spanpb1, ¨ ¨ ¨ ,bi´1q.

17


Ideal lattice.

For an element g P R, we denote the principal ideal in R generated by g by

xgy, whose basis consists of tg, Xg, . . . , Xn´1gu. By identifying a polynomial

g “ř

giXi P R with a vector pgn´1, gn´2, . . . , g0q

T in Zn, we can apply

lattice theory to the algebraic ring R and algebraic ring theory to the ideal

lattice xgy. For a polynomial u P R and a basis B :“ tb1,b2, . . . ,bnu, we

denote the reduction of u modulo the fundamental region of lattice B by

u mod B; that is, u mod B is the unique representation of u P R such that

u ´ pu mod Bq P B and u mod B “n´1ř

i“0

αibi for αi P p´12, 12s. For the

polynomials u,v P R, we use the notation u mod v as u mod V , where Vis a basis tv, Xv, . . . , Xn´1vu. By the definition of u mod v, it is of the

formn´1ř

i“0

αiXiv for αi P p´12, 12s. Hence, the size of its Euclidean norm is

bounded byn´1ř

i“0

X iv2 “n´1ř

i“0

v2 “n

2v.

Lattice reduction algorithm

To find a short element of a lattice, lattice reduction algorithms such as

the LLL algorithm and the BKZ algorithm are described in [LLL82, HPS11,

ADRSD14]. These algorithms lead us to find an approximately short vector

of a lattice with bounded time.

In the case of the BKZ algorithm, by [HPS11], the quality of the al-

gorithms relies on the block size β. More precisely, using the BKZ algo-

rithm upon basis B “ tb1,b2, ¨ ¨ ¨ ,bnu, we obtain a reduced basis B1 “

tb11,b12, ¨ ¨ ¨ ,b

1nu, which satisfies:

- b11 ď 2pγβqn´1

2pβ´1q` 3

2 ¨ pdetLq 1n in polypn, sizepBqq ¨ CHKZpβq times or

- b11 ď 4pγβqn´1β´1

`3¨ pΛ1pLqq

1n in polypn, sizepBqq ¨ CHKZpβq times,

where L is the lattice LpBq, γβ ď β is the Hermite constant of rank β, sizepBq

is the size of the largest entries of the basis matrix B, and CHKZpβq “ 2Opβq

is the cost of HKZ-reduction in dimension β. For an output b11 of lattice

18


reduction algorithms, we callb11

detpLq1nand

b11λ1pLq

as a Hermite factor and

approximate factor, respectively.

For convenience of calculation, throughout this paper, we assume that

we have a lattice reduction algorithm Aδ , whose output contains a short

vector b with Euclidean norm less than δn ¨ detpLq1n or δ2n ¨ λ1pLq for an

n-dimensional lattice L instead of 2pγβqn´1

2pβ´1q` 3

2 ¨ pdetLq 1n or 4pγβq

n´1β´1

`3¨

pΛ1pLqq1n , respectively.

3.3 Attack on GGH with low level encodings

of zero

In this section, we explain an attack algorithm, which is a different approach

from [HJ16], to solve the GDDH problem of the GGH scheme with low-level

encodings of zero

Now we are given a set

tn, q, κ, y, txiju,pzt,u0 “ enc1pm0q, . . . ,uκ “ enc1pmκq,wu,

where w is a challenge element and it can be written of the form encκpr ¨śκ

i“1 miq. Then our attack algorithm consists of the following four steps:

• First, find a basis of an ideal lattice xgy.

• Second, compute a short element d ¨ g P xgy

• Third, recover an short element r1 from w and d¨g such that r1´r P xgy

• Last, determine whether an element r1 ¨ y ´ u0 is an encoding of zero

or not.

Except for the second step, the whole process consists of easy calculations.

Therefore it implies that the GDDH problem is reduced to SVP on ideal

lattice.

19


At first when a short element in xgy is given, we describe an cryptanalysis

which is introduced in original GGH paper. Using different κ-products of

level-1 encoding of one y and level-1 encoding of zero x1j’s, one can generate

several level-κ encodings of zero and its zerotesting value is of the form:

ryi ¨κíź

k“1

x1jk ¨ pztsq “ ai ¨κíź

k“1

b1jk ¨ gκí´1

¨ h (3.3.1)

Here, essential property is two fold. The first one is that the right hand side

of the equation 3.3.1 is not reduced modulo q, because it is a zerotesting

value of level-κ encoding of zero, its size is smaller than q34. The second

one is that all of the quantity has the multiple of h. It implies that it is an

element of ideal lattice xhy. Hence, by obtaining these several elements, one

can recover a basis of the ideal lattice xhy.

With a similar arguments, when κ ´ i ´ 1 ě 1, the right hand side is a

multiple of g ¨h and one can recover a basis of the ideal lattice xg ¨hy. Using

the basis of xhy and xg ¨ hy, we can also recover the basis of xgy.

Suppose we have an element of xgy smaller than q14. Then any element

of xgy has the form d ¨ g for some d ď q14. By multiplying it to zerotesting

parameter, we make a modified zerotesting parameter p1zt “ rd¨g¨h¨zκgsq “

rd ¨ h ¨ zκsq. Here we assume w is a right product of ui. Next we multiply

the modified zerotesting parameter to w andśκ

i“1 ui, respectively. Because

these are level-κ encodings, it can be written as w “c1 ¨ g `

śκi“0 mi

zκmod q

andśκ

i“1 ui “c2 ¨ g `

śκi“1 mi

zκmod q for some small ci P R. Then we have

following quantities:

rp1zt ¨wsq “ d ¨ h ¨

˜

c1 ¨ g `κź

i“0

mi

¸

and rp1zt ¨κź

i“1

uisq “ d ¨ h ¨

˜

c2 ¨ g `κź

i“1

mi

¸

.

Since, both of the right hand side are smaller than q14 ¨ q12 ¨ q18 ă

20


q2, there is no modulus reduction for q. Hence, it satisfies rp1zt ¨ wsqrp1zt ¨

śκi“1 uisq “ m0 mod xgy. Because we know the basis of xgy, we can compute

the quantity easily. Finally, we can reduce the value modulo the rotation basis

td ¨ g, ¨ ¨ ¨ ,d ¨ g ¨Xn´1u. This yields a short element m10 and it is a valid level-

0 encoding of m0. Hence, the zerotesting value rpm10 ÿú0q ÿ

κ´1 ¨pztsq are

smaller than q34. If w is not a right product, the above value cannot be small

with overwhelming probability. Hence, one can solve the GDDH problems.

Since the overall attack algorithm consists of only basic arithmetics, the

time complexity of the algorithm heavily relies on finding short vector of xgy.

We now how to find such a short vector in the lattice. Actually, a desired

short element in the ideal lattice can be computed in quasi-polynomial time

in λ, which yields a break of the GGH scheme with the current parameters.

3.3.1 Sublattice Algorithm

Currently, all approximate lattice reduction algorithms have exponentially

large Hermite factors in the rank of the input matrix. For example, LLL has

a Hermite factor 2n4 for the rank n of input matrix L. To obtain a short

vector with a smaller Hermite factor, we may attempt to apply LLL to a

sublattice of L of smaller dimension. However, it is not always true that a

sublattice of smaller dimension has a determinant smaller than that of the

original lattice L.

In this subsection, we show how to use HNF to obtain a sublattice having

a determinant not larger than that of the original lattice.

Theorem 3.3.1. Given a basis matrix rb1, ¨ ¨ ¨ ,bns of integral lattice L in

Hermite normal form, detprbi, ¨ ¨ ¨ ,bnsq ě detprbi`1, ¨ ¨ ¨ ,bnsq for 1 ď i ď

n´ 1.

Proof. Suppose bi is a vector with pivot di. Consider an ordered basis Bi :“

tbn, ¨ ¨ ¨ ,biu and its corresponding Gram-Schmidt basis tb˚n, ¨ ¨ ¨ ,b˚i u. Then

detpBiq “nś

j“i

b˚j “ b˚i ¨ detpBi`1q. Here b˚i is of the form bi ´ pcnbn `

¨ ¨ ¨ ` ci`1bi`1q for some cn, . . . , ci`1 P R and so the first nonzero component

21


of b˚i is also di. Hence, b˚i ě di and detpBiq ě di ¨ detpBi`1q. Since di is a

positive integer by the definition of HNF, we have detpBiq ě detpBi`1q.

An Algorithm for SVP

We apply the LLL algorithm to a sublattice L1 of integral lattice L with

detpL1q ď detpLq obtained as in the previous section. It is described in Algo-

rithm 1.

Algorithm 1 LLL with HNF

Input: tb1, ¨ ¨ ¨ ,bnu and m ă n

Output: tv1, . . . ,vmu

1. Compute the HNF basis pb11, ¨ ¨ ¨ ,b1nq of pb1, ¨ ¨ ¨ ,bnq.

2. Set pv1, . . . ,vmq as the output vector of LLL upon input

pb1n´m`1, ¨ ¨ ¨ ,b1nq

return pv1, . . . ,vmq.

If we take an appropriate m, the first vector of the output of Algorithm

1 is shorter than that of LLL on the original lattice when the determinant

of the lattice is not large.

Theorem 3.3.2. For an n-dimensional integral lattice L with log detpLq ă

n24 and m “

Y

2a

logpdetpLqqU

, Algorithm 1 outputs an LLL-reduced basis

of a certain sublattice L1 of L with detL1 ď detL in polynomial time in n

and detpLq. In particular, the first vector satisfies v1 P L such that v1 ă

2?

log detpLq`12.

Proof. Let tb11, ¨ ¨ ¨ ,b1nu be an HNF basis of lattice L. By the given con-

ditions, m “

Y

2a

logpdetpLqqU

ă n. When Algorithm 1 is applied to L,

the output is merely the output of LLL on the sublattice L1 generated by

tb1n´m`1, ¨ ¨ ¨ , b1nu.

22


Moreover, since detpL1q ď detpLq by Theorem 1, the first vector v1 of the

output satisfies

v1 ď 2m4 ¨ detpL1q1m ď 2m4 ¨ detpLq1m “ 2?

logpdetpLqq`ε,

where 0 ď ε ď 12.

Obviously, v1 P L1 Ă L, and the running time is upper bounded by the

running time of LLL and HNF.

Another lattice reduction algorithm, the BKZ algorithm with block size

β, outputs a lattice vector of a size bounded by 2pγβqn´1

2pβ´1q` 3

2 ¨ pdetLq1n in

polypn, sizepBqq ¨ CHKZpβq times, where γβ is the Hermite constant of rank β,

sizepBq is the size of largest entries of basis matrix B of L, and CHKZpβq “2Opβq is the cost of HKZ-reduction in dimension β [HPS11, ADRSD14].

We claim that our algorithm asymptotically outperforms BKZ with block

size β “ polylogpnq for an n-dimensional integral lattice with determinant 2nδ

for δ ă 2. While the output vector of BKZ with β has a Euclidean norm of at

most 2pn log βqβ`Op1q, Algorithm 1 with BKZ gives a vector of the Euclidean

norm at most 2nδ2

, which is asymptotically smaller than the previous one.

We remark that when the basis entries of an n-dimensional lattice L are

bounded by 2opnq, we achieve a subquadratic determinant 2opn2q of L.

Furthermore, we may plug BKZ in our algorithm (instead of LLL) to

obtain a shorter lattice vector b P L. More precisely, when detL “ βopn2q, we

have b ă 2β?p2 logβ detpLqqpβ´1q` 3

2 .The running time is upper bounded by

the running time of the BKZ algorithm with block size β, polypn, sizepBqq ¨

CHKZpβq, and the running time of computing HNF.

As an application of our algorithm, we find a short vector of an ideal

lattice xgy used in GGH scheme. The determinant of the ideal lattice xgy is

equal to detrg, xg, ¨ ¨ ¨ , xn´1gs, which is bounded by gn.

Applying the Algorithm 1 with β-block size BKZ , we can have the

following result, a variant of Theorem 3.3.2:

Theorem 3.3.3. Given an element g of R “ Zrxsxxn ` 1y with g ă

23


βnp2βq, one can find an element f P xgy such that f ď 2β?p2 logβ detpLqqpβ´1q`32

“

2O´b

n log β log gβ

¯

in polypn, log gq ¨ CHKZpβq running times.

According to previous arguments in Section 3.3 if one finds a short element

d ¨ g in xgy such that d ¨ g ď q14, the GGH scheme is not secure. Since

a basis of the ideal lattice xgy is easily recovered in polynomial time, we

may apply our Algorithm 1 to find a short element in the lattice xgy and

break the GGH scheme. From the Theorem 3.3.3, we can obtain an element

d ¨ g P xgy satisfying

d ¨ g ď 2O´b

n log β log gβ

¯

“ 2O´

λb

log β log λβ

¯

,

which is asymptotically smaller than q14 for β “ log2pλq. Hence, it yields

that GDDH problem of the GGH scheme with the current parameters can

be broken in quasi-polynomial time in λ.

3.4 Attack on GGH with top level encodings

of zero

Since some applications such as indistinguishable obfuscation have no low

level encodings of zero, the analysis of the GDDH with low level encoding of

zero is not enough to explain the hardness of GGH scheme. In this section,

we provide an algorithm for the GDDH problem of the GGH scheme only

using top level encodings of zero. More precisely, suppose we have

tn, q, κ, y, txκiu, pzt, u0, ¨ ¨ ¨ ,uκ,wu.

If one can find a basis of xgy, by sublattice algorithm one can also recover

a short element d ¨ g P xgy. It leads to generate a low level encoding of zero

by multiplying the short element to level-1 encoding of one y. Hence, as an

attack algorithm suggested in Section 3.3, one can solve the GDDH problems.

Now we propose an idea to obtain a basis of xgy. Considering ruκ1xκ1sq “

24


rmκ1bκ1gsq, the sizes of the denominator and numerator are bounded by

n3.5κ?nκ´1

ă n4κ and n3.5, which are very smaller than modulus q. In other

words, it is written by ratio of small polynomial in ring Rq. If we recover the

denominator and numerator, one can obtain the multilple of g. By repeating

the procedure, it gives several multiples of g and a basis of g. This means

that GDDH is reduced to the NTRU problem because it is precisely the

NTRU problem of finding elements from small ratio. Especially, the size of q

is exponential of λ, it corresponds to ONTRU problem.

3.4.1 Overstretched NTRU Problem and Its Analysis

In this section, we now explain the formal definition of NTRU problem and

how to solve it using lattcie reduction algorithms. First of all, we state an

NTRU problem as follows:

Definition 3.4.1 (The NTRU problem).

Let n and q be integers, M be a positive real number and F pXq be a degree

n integral polynomial. For a polynomial ring R :“ ZrXsxF pXqy, f and g

are sampled from R and have Euclidean norms bounded by M . For given a

polynomial h “ rfgsq, the NTRU problem NTRUR,q,M,τ is to find a ¨ f , a ¨ g P

R for some a P R, such that a ¨ f, a ¨ g ď τ .

In many NTRU-based applications, M is taken to be similar to polypnq.

Furthermore, when q is set to be super-polynomial in n, the NTRU problem

is called the overstretched NTRU problem (ONTRU). In [ABD16, KF17],

the authors solved ONTRU problem on R “ ZrXsxXn ` 1y for a power

of two n with τ “ q. In this paper we focus on the ONTRU problem on

R “ ZrXsxXn ` 1y with τ “ q2 and M “ polypnq.

Lattice Based Algorithms for NTRU

Now, we state an useful lemma to solve the NTRU problem.

25


Lemma 3.4.1 ([GGH13a], Lemma 3). Let f ,g P R “ ZrXsxXn ` 1y

be relative prime and rgsq is invertible in rRsq “ RqR. If c P R satisfies

c ăq

2?n ¨ f

and rc ¨ f ¨ g´1sq ăq

2?n ¨ g

, then c and rc ¨ f ¨ g´1sq are

contained in the ideal xgy and xfy, respectively.

Proof. Let w :“ rc ¨ f ¨g´1sq. Then, rgwsq “ rcf sq. Since w ă qp2g ¨?nq,

we have gw ď g¨w¨?n ď q2 and cf ď c¨f¨

?n ď q2. Therefore,

gw “ cf in ZrXsxXn ` 1y. Because cf P xgy and f is a relative prime to g,

we can conclude c P xgy. With similar reasons, we have w P xfy.

Hence, Lemma 3.4.1 gives if one can find a short pair prc ¨ hsq, cq with

an Euclidean norm smaller thanq

2 ¨?n ¨M

, one will be able to solve the

NTRUR,q,M, q2.

By employing the above property, we can describe the basic lattice-based

approach to solve the NTRU problem with an input polynomial h “ rfgsq.

Let consider the lattice L generated by following 2nˆ 2n basis matrix:

B “

˜

q ¨ In φphq

O In

¸

P Z2nˆ2n.

For a polynomial c “n´1ř

i“0

ci ¨ Xi, the polynomial vector pc ¨ h, cq “

n´1ř

i“0

ci ¨

pXi ¨ h,Xiq corresponds to a lattice pointn´1ř

i“0

ci ¨ Bn`i, where Bn`i is the

n ` i-th column vector of the basis matrix B. It implies that prc ¨ hsq, cq is

also identified to lattice point of LpBq. Hence, finding a short pair prc ¨hsq, cq

is the same as finding a short lattice point of LpBq.We also state another lemma to solve NTRU problems. This is applicable

to the pair pa,bq where b is known to be a multiple of g.

Lemma 3.4.2. Let g be an element of R “ ZrXsxXn ` 1y and f P R

be relative prime to g. For some d P R, if d ¨ g P xgy Ă R satisfies d ¨

g ăq

2 ¨ n ¨ f ¨ g´1then d ¨ g and rd ¨ g ¨hsq are solution of NTRUR,q,M, q

2

problem with input h.

26


Proof. By conditions, we have

d ¨ f “ d ¨ f ¨ g´1 ¨ g ď C2Fd ¨ g ¨ f ¨ g

´1 ă q2.

Hence, rd ¨ g ¨ hsq has the form d ¨ f .

Subfield Algorithm

Generally, the dimension is too large to solve the NTRU problem by using

a lattice reduction algorithm. Therefore we focus on redcuing the dimension

of the NTRU problems. As one of the methods, we discuss how the NTRU

problem with a given input rfgsq is reduced to the NTRU problem with an

input whose denominator and numerator have half of the degree of f and

g using a subfield technique. Concurrently and independently, in [ABD16],

the authors introduced the this technique using a Norm map. Instaed of the

Norm maps, we exploit the Trace map. In our work, we can achieve the same,

but slightly better, results by using the trace map.

Throughout this section, let n “ 2s and denote QrX2tsxXn ` 1y and

ZrX2tsxXn ` 1y by Kt and Rt, respectively, with 0 ď t ď s. Note that

Ks :“ Q ď Ks´1 ď ¨ ¨ ¨ ď K0 “ QrXsxXn ` 1y, where A ď B denotes

that A is a subfield of B. Since K0 is a Galois extension field of K1 with a

degree of 2, GalpK0K1q is a group of order 2. That is, GalpK0K1q “ tid, σu,

satisfying σpXq “ ´X; therefore, σ2 “ id, where id is the identity map. For

an element h,g P R Ă K0, the following elements are contained in R1 Ă K1:

TrK0K1phq “ h` σphq,

NK0K1phq “ h ¨ σphq,

T rK0Ktphσpgqq “ hσpgq ` σphqg,

since they are fixed by GalpK0K1q. Note that these elements have only

n2 terms, and the last one lies in 2 ¨ R1. Generally, for 0 ă t ď s, K0

is a Galois extension field of Kt with a degree of 2t and the Galois group

27


Gt :“ GalpK0Ktq “ tσ0 “ id, σ1, . . . , σ2t´1u. For an element h,g P R Ă K0,

the following elements are contained in Rt Ă Kt:

2t´1ÿ

i“0

σiphq “ h` σ1phq ` ¨ ¨ ¨ ` σ2t´1phq,

2t´1ź

i“0

σiphq “ h ¨ σ1phq ¨ ¨ ¨ ¨ ¨ σ2t´1phq,

T rK0Ktphσ1pgqσ2pgq ¨ ¨ ¨σ2t´1pgqq,

since they are fixed by GalpK0Ktq. Moreover, these elements have only n2t

terms, and the last one lies in 2t ¨Rt. Using this property, we can obtain the

following main theorem of this section.

Theorem 3.4.1. Let q and m P Z be integers and let D and N be positive

real numbers. Set B “ mint q2D?n, q2N?nu. Then, for FnpXq “ Xn ` 1 with

n “ 2s and 0 ă t ď s, we can reduce NTRUFn,q,D,N,B to NTRUFn2t ,q,Dt,Nt,Bt,

where Bt “ mint q2Dt

?n, q2Nt

?n, q2nN2g´1

?nu, Dt “ D2t

tś

j“1

a

n2j, and Nt “

ND2t´1tś

j“1

a

n2j.

Proof. Suppose we are given rfgsq, where g and f are sampled from the set

tpg, fq P R2 “ pZrXsxFnpXqyq2 : f ă N, g ă Du. We consider the useful

element

TrK0Kt

ˆ

f

g

˙

“f

g` σ1

ˆ

f

g

˙

` ¨ ¨ ¨ ` σ2t´1

ˆ

f

g

˙

“TrK0Ktpfσ1pgqσ2pgq ¨ ¨ ¨σ2t´1pgqq

ś2t´1i“0 σipgq

„

TrK0Kt

ˆ

f

g

˙

q

“

«

TrK0Ktpfσ1pgqσ2pgq ¨ ¨ ¨σ2t´1pgqqś2t´1

i“0 σipgq

ff

q

inKt andRq. For the sake of simplicity, we denote a quantity

„

TrK0Kt

ˆ

f

g

˙

q

,

28


its denominator polynomial, and its numerator polynomial by ht, DPt, and

NPt, respectively. Then it satisfies

• DPt P Rt, and NPt P 2t ¨Rt,

•›

›

›

›

NPt

2t

›

›

›

›

ď ND2t´1tś

j“1

a

n2j,

• DPt ď D2ttś

j“1

a

n2j.

Therefore, we get a new instance ht for NTRUFn2t ,q,Dt,Nt,Bt from an original

instance h, where Dt “ D2ttś

j“1

a

n2j, Nt “ ND2t´1tś

j“1

a

n2j, and Bt “

mint q2Dt

?n, q2Nt

?n, q2nN2g´1

?nu. Now, suppose that a solution pat,btq P Rt of

NTRUφn2t ,q,Dt,Nt,Bt is known such that

rbtatsq “ ht.

Moreover, since g and f are relative primes with a high probability [ABD16],

we assume the coprimality of g and f . Then, by Lemma 3.4.1, at is of the

form at “ d ¨DPt “ d ¨ś2t´1

i“0 σipgq. After computing

rat ¨ hsq “

«

d2t´1ź

i“0

σipgq ¨ rfgsq

ff

q

“

«

df2t´1ź

i“1

σipgq

ff

q

,

set a “ at and b “”

dfś2t´1

i“1 σipgqı

q. Then, we can conclude that the pair

29


pa,bq is a solution of NTRUφn,q,D,N,B with following properties:

rbasq “ rfgsq,

a ďq

2Nt

?nď

q

2N?n,

›

›

›

›

›

df2t´1ź

i“1

σipgq

›

›

›

›

›

“

›

›

›

›

›

dg´1f2t´1ź

i“0

σipgq

›

›

›

›

›

ď at ¨ g´1 ¨ f ¨ n

ăq

2nN2g´1?n¨ g´1 ¨N ¨ n

“q

2N?n.

The last inequality implies that b “

”

dfś2t´1

i“1 σipgqı

qis actually b “

dfś2t´1

i“1 σipgq in R. Thus, we obtain the desired result.

Comparing with [ABD16], our result works better when N ě D because

the value of our N1 is smaller than that of [ABD16] while the values of D1 are

same. By Theorem 3.4.1, one can solve the ONTRU problem with smaller

dimension and obtain the following result.

Theorem 3.4.2. Let q be an integer, n a power of 2, and λ the security

parameter. Let h “ rfgsq be an instance of the NTRUφn,q,D,N,B problem with

the parameters log q “ c1 ¨λ`, n ď c2 ¨λ

2`, N “ qa, 0 ă a ă 12, D “ λk ă N ,

φnpXq “ Xn ` 1, and B “ mint q2D?n, q2N?nu. For β ą 0 and t P Z, if

2βnt

2pβ´1q` 3

2?q ď mint

q

2Dt

?n,

q

2Nt

?n,

q

2nN2g´1?nu,

where Dt “ D2ttś

j“1

a

n2j, Nt “ ND2t´1tś

j“1

a

n2j , and nt “n

2t, then the

problem is solved in 2Opβq time.

In particular, if g´1 ďD2t´1

N¨?nt´2¨2

tpt`1q4 and β “ log2 λ, the problem

is solved in 2Oplog2 λq time. ˚

˚If h and g are sampled from continuous spherical Gaussian distributions, we can obtaina bound of g´1 with a high probability. [ABD16, Lemma 3]

30


For example, when n “ λ2, D “ λ2, N “ q18, and log q “ λ, one can

solve NTRUφn,q,D,N,B in quasi-polynomial time in λ.

Proof. By Theorem 3.4.1, one can obtain a new instance rTrKKtprfgsqq2tsq P

rRsqXRt for NTRUφnt ,q,Nt,Dt,Bt . Now, we consider the following column lattice

Bt:

Bt “

˜

Int φtphtq

O q ¨ Int

¸

,

where Int is the identity matrix with a size nt “ n2t, and φtphtq P Zntˆnt is

a matrix whose i-th column is ιpX i2trTrKKtprfgsq2tsqqq for 0 ď i ă n2t.

In other words, for rTrKKtprfgsqq2tsq “

nt´1ř

j“0

hjXj2t , the i-th column of

φtphtq is of the form p´hntí, ¨ ¨ ¨ ,´hnt´1, h0, ¨ ¨ ¨hntí´1qT . Using the BKZ

algorithm with a block size β, one can obtain an element in Bt,

ut “ pu0, ¨ ¨ ¨ , unt´1, unt , ¨ ¨ ¨ , u2nt´1qT ,

with ut ď 2βnt´12pβ´1q

` 32 detpBtq

12nt “ 2β

nt´12pβ´1q

` 32?q [HPS11]. Taking c “

nt´1ř

i“0

uiXi2t P ZrX2tsxXn ` 1y, we then have rc ¨ rTrKKtprfgsqq2

tsqsq “

nt´1ř

i“0

untìXi2t P ZrX2tsxXn ` 1y. Moreover, if we choose t such that

2βnt

2pβ´1q` 3

2?q ď Bt, (3.4.2)

then c and rc ¨ TrKKtprfgsqqsq satisfy

c ă ut ď 2βnt´12pβ´1q

` 32?q ď Bt ď

q

2Nt

?n,

rc ¨ TrKKtprfgsqqsq ă ut ď 2βnt´12pβ´1q

` 32?q ď Bt ď

q

2Dt

?n.

In other words, c satisfies the conditions of Lemma 3.4.1. Therefore, c is

in xNKKtpgqy Ă xgy. Note that c is of the form c “ d ¨NKKtpgq “ d1g P Rt

for some d, d1 P R. Hence, by Theorem 1, a pair pc, rc ¨ hsqq is a solution of

NTRUφn,q,N,D,B. The running time of this procedure is dominated by that of

31


the BKZ algorithm with a block size β, which is polypn, log qq ¨CHKZpβq time,

where CHKZpβq “ 2Opβq is the cost of the HKZ reduction in the dimension

β [ADRSD14, HPS11]. When g´1 ďD2t´1

N¨?

nt´2

¨ 2tpt`1q

4 , we obtain

Bt “q

2Nt?n. To check that the above condition for β and t is satisfied, we

have the following equivalence equation:

2βnt

2pβ´1q` 3

2?q ď

q

2Nt

?n

ô

ˆ

nt2pβ ´ 1q

`3

2

˙

log β ` logDt ´ logD `log n

2` 2 ă

log q

2´ logN.

To optimize the left-hand side of the inequality, we choose t such that

t “

S

log

d

n log β

2kpβ ´ 1q log λ

_

.

Then, the left-hand side is asymptotic to the following:

ˆ

nt2pβ ´ 1q

`3

2

˙

log β ` logDt ´ logD `log n

2` 2

«n

2t ¨ 2pβ ´ 1qlog β ` 2t log λk `Op1q

« 2

d

n log β log λk

2pβ ´ 1q`Op1q,

where the last approximation originates from the arithmetic–geometric mean.

This implies that if one chooses β “ log2 λ, then the last value is asymptoti-

cally smaller than p12´ aqlog q. Hence, one can obtain the results.

Hybrid Algorithm

In this section, we describe an improved algorithm to solve the ONTRU

problems upon h “ rfgsq. We also denote Kt “ QrX2tsxXn ` 1y, Rt “

ZrX2tsxXn ` 1y, and nt “ n2t as in subfield algorithm.

The subfield attack [ABD16, CJL16] uses only one polynomial NKKtphq

or TrKKtphq. Instead, we use several polynomials rather than a single one.

32


Then we have the following theorem.

Theorem 3.4.3. Let n be a power of two and g an element of R “ ZrXsxXn`

1y with square free algebraic norm and f P R a relatively prime to g. When

the sizes of M and g´1K are polypnq, and q is super-polynomial in n, one

can solve the NTRUR,q,M,q2 problems upon rfgsq using the BKZ algorithm

with block size β with β log β ě 27n logM2 log2 q

` o´

n logn logMlog3 q

¯

in polypnq ¨ 2Opβq

time.

Generally, it is expected that it would be easier to recover g, if several

NTRU instances hi “ rfigsq are given instead of one element. Unfortunately,

there is no algorithm that uses multiple instances to the best of our knowl-

edge.

When an ONTRU instance rfgsq with square free norm Npgq is given,

we provide a new algorithm that employs several polynomials in the form of

Trph ¨Xíq. More precisely, we prove that if there exist polynomials ci P Rt

such that the size of tciunt´1i“0 and

nt´1ř

i“0

ci ¨Trph ¨Xíq2t is small,nt´1ř

i“0

ci ¨Xí

is a multiple of g.: The proof reduces the NTRU problem to finding a short

vector in an appropriate lattice. By applying a sublattice algorithm, we can

get the above theorem.

Now we start proving the Theorem 3.4.3. Let µj,tpaq “TrKKtpa ¨X

´jq

2t

for given t. Then a “n´1ř

i“0

ai ¨Xt P R could be expressed as

2t´1ř

j“0

µj,tpaq ¨Xj.

Using a µ notation, the h is of the form2t´1ř

j“0

µj,tphq ¨Xj. Our strategy is to

use several polynomials µ0,tphq, µ1,tphq, ¨ ¨ ¨ , µm´1,tphq rather than a single

one. From now on, we use µj instead of µj,t for simplicity. Then, we can have

the following lemma, extended from Lemma 3.4.1.

Lemma 3.4.1. Let q be an integer and n be a power of two and nt “ n2t,

f ,g P R “ ZrXsxXn ` 1y and g has a square free norm NKQpgq, h “

rfgsq P Rq. If ci P Rt “ ZrX2tsxXn ` 1y for 0 ď i ă 2t satisfies the

:In particular if ci is equal to zero for 1 ď i ď nt ´ 1 , it is an original subfield attack.

33


following inequalities:

ci ăq

2t`1 ¨ C3F ¨ f ¨ g

´1K ¨ g2t for all i

›

›

›

›

›

›

«

2t´1ÿ

i“0

ci ¨ µiphq

ff

q

›

›

›

›

›

›

ăq

2CF ¨ g2t ,

then c “2t´1ř

i“0

ci ¨Xí is contained in the ideal xgy , and the pair pc, rc ¨ f ¨

g´1sqq is a solution of NTRUR,q,M,q2.

Proof. Throughout in this proof, we write Trpaq and Npaq instead of TrKKtpaq

and NKKtpaq. and define h “ f ¨ g´1 P K. Trivially, rhsq “ h. Let w :“«

2t´1ř

i“0

ci ¨ µiphq

ff

q

. Since Npgq P Rt, we get Npgq ¨ µiphq “ Npgq ¨ Trph ¨

Xíq2t “ TrpNpgq ¨ h ¨Xíq2t “ µipNpgq ¨ hq, and following equality holds:

rNpgq ¨wsq “

«

Npgq ¨2t´1ÿ

i“0

ci ¨ µiphq

ff

q

“

«

2t´1ÿ

i“0

ci ¨ µiph ¨ Npgqq

ff

q

.

By two conditions of lemma, we have

1. Npgq ¨w ď CF ¨ Npgq ¨ w ď CF ¨ g2t¨ w ď q2

2.

›

›

›

›

›

2t´1ÿ

i“0


›

›

›

›

›

ď CF ¨2t´1ÿ

i“0


ď CF ¨2t´1ÿ

i“0

ci ¨ h ¨ Npgq ď C3F ¨

2t´1ÿ

i“0

ci ¨ f ¨ g´1K ¨ g

2t

ď q2

Therefore, Npgq ¨w “2t´1ř

i“0

ci ¨ µiph ¨Npgqq “2t´1ř

i“0

ci ¨Trph ¨Npgq ¨Xíq2t

34


in Rt. It is rewritten as

2t ¨ Npgq ¨w ´

2t´1ÿ

i“0

ci ¨`

TrpXí¨ f ¨ Npgqgq ´Xí

¨ f ¨ Npgqgq˘

“ p

2t´1ÿ

i“0

ci ¨Xíq ¨ f ¨ Npgqg.

Because the left hand side of the equation is a multiple of g and f ¨Npgqg is

a relative prime to g by the conditions, we can conclude2t´1ř

i“0

ci ¨Xí P xgy.

Moreover, we get

2t´1ÿ

i“0

ci ¨Xí ď

2t´1ÿ

i“0

ci ăq

2 ¨C3F ¨ f ¨ g

´1K ¨ g2t ă

q

2C2F ¨ f ¨ g

´1K

as a condition. Finally, Lemma 3.4.2 shows that pc, rc¨f ¨g´1sqq is a solution

of NTRUR,q,M, q2.

Next, we consider the following matrix for h “2t´1ř

i“0

µiphq ¨Xi so that we

find such a vector c P R

pBt “

¨

˚

˚

˚

˚

˚

˚

˚

˝

q ¨ Int φtpµ0phqq φtpµ1phqq ¨ ¨ ¨ φtpµ2t´1phqq

0 Int 0 ¨ ¨ ¨ 0

0 0 Int ¨ ¨ ¨ 0...

......

. . ....

0 0 0 0 Int

˛

‹

‹

‹

‹

‹

‹

‹

‚

,

where φtpµiphqq is a basis matrix corresponding to the ideal lattice xµiphqy

over ZrXntsxXn ` 1y. Suppose that one can find a lattice point

b “ pb1||b0|| ¨ ¨ ¨ ||b2t´1q P LpBtq

such that b ďq

2t`1 ¨C3F ¨ f ¨ g

´1K ¨ g2t . Then, trivially, bi ď b

35


and

›

›

›

›

›

›

«

2t´1ř

i“0

bi ¨ µiphq

ff

q

›

›

›

›

›

›

“ b1 ď b. Hence, the short vector of LppBtq

guarantee to find a vector satisfying the condition of Lemma 3.4.1.

To find a short lattice point, we apply the lattice reduction algorithms Aδ

to a sublattice L1 generated by the first nt `m column vector of the matrixp~Bt. Therefore if we have:

δnt`mqnt

nt`m ďq

2t`1 ¨ C3F ¨ f ¨ g

´1K ¨ g2t ,

we can find a lattice point b as we want.

Finally, in order to achieve the optimizing condition, one can get the fol-

lowing inequality by taking the logarithm function on both side. Therefore

we have the following asymptotic inequality:

pnt `mq log δ `n

ntlogM `

ntnt `m

log q ď log q ` oplog nq,

The equation means that log δ ď log2 q27n logM

is the condition of δ to solve the

NTRU problem. Hence, we can solve NTRUR,q,M, q2

in polypnq ¨ 2Opβq time if

β log β ě 27n logM2 log2 q

`o´

n logn logMlog3 q

¯

, using the BKZ algorithm with block size

β.

Application to GGH: Finding a lattice point of xgy

Now we explain how to use the Theorem 3.4.3 in order to recover a ba-

sis of xgy. Suppose we have top level encodings of zerotxκi “ rbκigzκsq

and level-1 encodings ui “ rrig ` mizκsq “ rm1

izκsq 0 ď i ď κ. Note

that bκig, m1i ď σ˚

?n ď n3.5 with overwhelming probability. For conve-

nience, we use the notation Gt to denote GalpKKtq. Considering ruκ1xκ1sq “

rm1κ1bκ1gsq, the sizes of the denominator and numerator are bounded by

n3.5κ?nκ´1

ă n4κ and n3.5, respectively. Using the algorithm in Theo-

rem 3.4.3 for several rm1Ibκjgsq :“ rm1

i1 ¨ ¨ ¨m1iκbκjgsq for I “ ri1, ¨ ¨ ¨ , iκs,

36


i1, ¨ ¨ ¨ , iκ P t0, ¨ ¨ ¨ , κu, and j P t1, ¨ ¨ ¨ ,mu, one can recover several mul-

tiples cIb1κj ¨ g

1bκj ¨ g of NKKtpgq, where b1κj “ś

σPGtztidu

σpbκjq and g1 “

ś

σPGtztidu

σpgq. Multiplying it by rm1Ibκjgsq, one can obtainAI,j “ m1

IcIb1κjg

1.

We remark that AI,j is in RzRt because AI,j is not fixed for any subgroup of

Gt, except the trivial group. Moreover, although AI,j is not in xgy, we have

δpAI,jq “ δpm1IcIb

1κjg

1q “ δpm1IcIq ¨

ś

σPGtztδu

σpbκj ¨ gq P xgy for δ P Gtztidu.

One can easily see that tδpAI,jquδPGtztidu only have a common factor g. There-

fore, using tδpAI,jquδPGtztidu, we recover a basis matrix of the ideal lattice of

xgy. Using NKKtpaq for a P xgy, which is a multiple of NKKtpgq, one can

also recover a basis matrix of the ideal lattice of xNKKtpgqy. Now, using the

sublattice algorithm with β block-BKZ algorithm, one can obtain an element

cg P xNKKtpgqy such that cg ď 2βnt´12pβ´1q

` 32 ¨ n2t`1

In summary, we can obtain the following corollary.

Corollary 3.4.3.1. Given tn, q, κ, txκiu, pzt, u0, ¨ ¨ ¨ ,uκ,wu of the GDDH

instances, where n is Θpλ2q, log q “ Θpλq, xκi is a level-κ encoding of zero,

ui is a level-1 encoding of mi, and w is a challenge element, one can solve

the GDDH in the GGH scheme in 2Oplog2 λq.

According to this Corollary, using the parameters suggested by [GGH13a]

leads to attack a security ground of this scheme in the quasi-polynomial time

of its security parameter. Thus, n must be at least Ωpλ3q when log q “ Θpλq

with the security parameter λ to avoid our attack.

Remark. We assume that the size of the numerator is small for the top

level encoding of zero, but in practice this assumption may not be valid for

applications. That is, the size of the numerator of the top level encoding of

zero is very large, and the GDDH problem in this case is still a hard problem.

37

Chapter 4

Multilinear Maps over the

Integers and Its Analysis

In this chapter, we introduce CLT multilinear maps and its analysis. The

CLT scheme are provided relying over the integers and Chinese remainder

theorem (CRT). In other words, all elements of CLT are provided in the form

of CRT. In this chapter, for n primes p1, . . . , pn we use a notation to express

the CRT form

CRTpp1,...,pnqpr1, . . . , rnq or CRTppiqpriq,

which means an integer congruent to ri in modulo pi for all 1 ď i ď n in

range r´nś

i“1

pi2,nś

i“1

pi2s. By CRT, it is uniquely determined.

Basically, its underlying set of CLT is a Zn. Let gi P Z 1 ď i ď n be

small integers and pi, 1 ď i ď n, large integers. Then a message space and a

ciphertext space are defined bynś

i“1

Zxgi ¨ Zy and Zxnś

i“1

pi ¨ Zy, respectively.

Because also the CLT schme is constructed by a graded encoding scheme,

it provide a zero-testing parameter and its encodings are defined with level.

A difference with GGH scheme is that CLT provides n zerotesting param-

eters in order to sure the zerotesting process in CLT work properly. How-

ever, some applications give up on that guarantee and provide only one

zerotesting parameter. For that reason, this thesis suggests an analysis us-

ing only one zerotesting parameter. In CLT scheme, the level-t encoding of

38

CHAPTER 4. MULTILINEAR MAPS OVER THE INTEGERS AND ITSANALYSIS

m “ pm1, ¨ ¨ ¨ ,mnq P Zn and zerotesting parameter are of the form:

enctpmq “ri ¨ gi `mi

ztmod pi,

pzt ““

hi ¨ pzκ¨ g´1i q

‰

pi¨ź

i1‰i

pi1 mod pi,

where ri is a small random integer and z, h are fixed secret integers. If one

can recover a secret pi, the CLT scheme with public data is reduced to GGH

scheme over integer. With a similar argument described in Section 3.3, one

can recover xhiy and xgiy over Z so hi and gi are also recovered. Indepen-

dently from enctpm1qenctpm2q “ pri1 ¨ gi `mi1qpri2 ¨ gi `mi2q mod pi, one

can obtain the its denominator and numerator. Then its modulus reduction

with gi reveals the secret message. It means that to find pi leads to break the

CLT scheme. Hence, we focus on finding a prime pi.

4.1 The CLT13 Multilinear Map.

First, we briefly recall the Coron et al. construction. We refer to the original

paper [CLT13] for a complete description. The scheme relies on the following

parameters.

λ: the security parameter

κ: the multilinearity parameter

ρ: the bit length of the randomness used for encodings

α: the bit length of the message slots

η: the bit length of the secret primes pi

n: the number of distinct secret primes

τ : the number of level-1 encodings of zero in public parameters

`: the number of level-0 encodings in public parameters

39


ν: the bit length of the image of the multilinear map

β: the bit length of the entries of the zero-test matrix H

Instance generation: pparams,pztq Ð InstGenp1λ, 1κq. Set the scheme pa-

rameters as explained above. For i P rns, generate η-bit primes pi, α-bit

primes gi, and compute x0 “ś

iPrns pi. Sample z Ð Zx0 . Let Π “ pπijq P Znˆn

with πij Ð pn2ρ, pn ` 1q2ρq X Z if i “ j, otherwise πij Ð p´2ρ, 2ρq X Z. For

i P rns, generate ~ri P Zn by choosing randomly and independently in the

half-open parallelepiped spanned by the columns of the matrix Π and denote

by rij the j-th component of ~ri. Generate H “ phijq P Znˆn,A “ paijq P Znˆ`

such that H is invertible and HT 8 ď 2β, pH´1qT 8 ď 2β and for i P rns,

j P r`s, aij Ð r0, giq. Then define:

y “ CRTppiq

ˆ

rigi ` 1

z

˙

, for i P rns,

xj “ CRTppiq

´rijgiz

¯

for j P rτ s,

x1j “ CRTppiqpx1ijq “ CRTppiqpr

1ijgi ` aijq, for i P rns, j P r`s,

ppztqj “

«

nÿ

i“1

“

hij ¨ pzκ¨ g´1i q

‰

pi¨ź

i1‰i

pi1

ff

x0

for j P rns,

where ri Ð p´2ρ, 2ρq X Z and r1ij Ð p´2ρ, 2ρq X Z. Output params “

pn, η, α, ρ, β, τ, `, ν, x0, y, txju, tx1ju, tΠju, sq and pzt. Here s is a seed for a

strong randomness extractor, which is used for an “Extraction” procedure.

We do not recall the latter as it is not needed to describe our attack.

Re-randomizing level-1 encodings: c1 Ð reRandpparams, cq. For j P

rτ s, i P rns, sample bj Ð t0, 1u, b1i Ð r0, 2µq XZ, with µ “ ρ` α` λ. Return

c1 “ rc`ř

jPrτ s bj ¨ xj `ř

iPrns b1i ¨ Πisx0 . Note that this is the only procedure

in the CLT multilinear map that uses the xj’s.˚

˚This procedure can be adapted to higher levels 1 ă k ď κ by publishing appropriatequantities in params.

40


Adding and multiplying encodings: Given two encodings c1 and c2 of

the same level, the sum of c1 and c2 is computed by Add(c1, c2)=rc1` c2sx0 .

Given two encodings c1 and c2, we multiply c1 and c2 by Mul(c1, c2)=rc1 ¨

c2sx0 .

Zero-testing: isZeropparams, pzt, uκq?“ 01. Given a level-κ encoding c,

return 1 if rpzt ¨ csx08 ă x0 ¨ 2´ν , and return 0 otherwise.

Coron et al. also described a variant where only one such ppztqj is given

out, rather than n of them (see [CLT13, Se. 6]) and some applications are use

the variant. Since, our attack requires only one ppztqj, without loss of gen-

erality, we denote one zerotesting parameter as pzt without index notation.

In [GLW14, App. B.3], Gentry et al. described a variant of the above con-

struction that aims at generalizing asymmetric cryptographic bilinear maps.

Our attack can be adapted to that variant.

Hardness Assumptions

Instead of recalling the definitions of the GDDH problem of the CLT scheme.

We introduce the more difficult problem we are trying to solve. For given

the inputs params “ pn, η, α, ρ, β, τ, `, ν, x0, y, txju, tx1ju, tΠju, sq and pzt, the

hardness problem is to output a prime factor of

Parameter Settings.

Coron et al. suggested to set the parameters so that the following conditions

are met:

‚ ρ “ Ωpλq: to avoid brute force attack (see also [LS14] for a constant

factor improvement).

‚ α “ λ : so that the ring of messages Zg1 ˆ . . .ˆZgn does not contain a

small subring Zgi .:

:In fact, it seems that making the primes gi public, equal, and Ωpκq may not lead toany specific attack [CLT14b].

41


‚ n “ Ωpη ¨ λq: to thwart lattice reduction attacks.

‚ ` ě n¨α`2λ: to be able to apply the leftover hash lemma from [CLT13,

Le. 1].

‚ τ ě n ¨ pρ` log2p2nqq` 2λ: to apply leftover hash lemma from [CLT13,

Se. 4].

‚ β “ Ωpλq: to avoid the so-called gcd attack.

‚ η ě ρκ ` α ` 2β ` λ ` 8, where ρκ is the maximum bit size of the

random ri’s a level-κ encoding. When computing the product of κ level-

1 encodings and an additional level-0 encoding, one obtains ρκ “ κ ¨

p2α ` 2ρ` λ` 2 log2 n` 2q ` ρ` log2 `` 1.

‚ ν “ η ´ β ´ ρf ´ λ´ 3: to ensure zero-test correctness.

4.2 CRT-ACD with auxiliary input and Its

Analysis

In this section, we introduce a CRT-ACD problem with auxiliary input and

analyze the problem. Next by adapting the analysis of CRT-ACD with auxil-

iary input to CLT multilinear maps, we describe to find pi from params and

zerotesting parameter of the CLT scheme.

The approximate greatest common divisor problem (ACD) is initially in-

troduced by Howgrave-Graham [HG01]. It is a problem to find a secret prime

p given many near-multiples of p. One of the promising applications of this

problem is a homomorphic encryption scheme [vDGHV10]. The scheme has

superiority in regard to conceptual simplicity compared to other homomor-

phic encryption schemes based on lattice problems.

The ACD problem is naturally extended by using multiple primes rather

than a single one. An instance of the problem is an integer of the form

piqi ` ri for each prime pi. Therefore, it can be defined by using Chinese

42


Remainder Theorem (CRT). Now we give a precise definition of an extended

ACD problem, which is called CRT-ACD problem.

Definition 4.2.1. (CRT-ACD) Let n, η, ε P N, and χε be a distribution over

Z X p´2ε, 2εq. For given η bit primes p1, ¨ ¨ ¨ , pn, the sampleable CRT-ACD

distribution Dχε,η,npp1, ¨ ¨ ¨ , pnq is defined as

Dχε,η,npp1, ¨ ¨ ¨ , pnq “ tCRTppiqpriq | ri Ð χεu.

The CRT-ACD problem is: For given many samples from Dχε,η,npp1, ¨ ¨ ¨ , pnqand x0 “

nś

i“1

pi, find pi for all i.

Cheon et al. gave a batch homomorphic encryption [CCK`13] based on

a stronger variant of CRT-ACD problems, where the size of p1 is larger than

other pi’s and they take r1 from uniform distribution over Zp1 . In that case,

it can be reduced to the original ACD problem.

For proper parameters, the CRT-ACD problems are regarded to be hard.

In this section, however, we show that when the auxiliary input CRTppiqpx0piq

is given, the CRT-ACD is solved in polynomial-time of n, η, ε. Now we define

a variant of CRT-ACD, as CRT-ACD problem with auxiliary input.

Definition 4.2.2. (CRT-ACDwAI) Let n, η, ε P N, and χε be a distribution

over Z X p´2ε, 2εq. For given η bit primes p1, ¨ ¨ ¨ , pn, define x0 “śn

i“1 pi

and pi “ x0pi, for 1 ď i ď n. The sampleable CRT-ACD distribution

Dχε,η,npp1, ¨ ¨ ¨ , pnq is defined as

Dχε,η,npp1, ¨ ¨ ¨ , pnq “ tCRTppiqpriq | ri Ð χεu.

The CRT-ACDwAI is: For given many samples from Dχε,η,npp1, ¨ ¨ ¨ , pnq, x0and P “ CRTppiqppiq, to find pi for all i.

The auxiliary input P has a special feature which can be written as a

summation of its CRT components in Zx0 . A key observation is that the

equation holds over the integers when log n` 1 ă η. Using this property, we

obtain a following lemma.

43


Lemma 4.2.2. For given P “ CRTppiqppiq, x0 “nś

i“1

pi, and a “ CRTppiqpriq Ð

Dχε,η,npp1, ¨ ¨ ¨ , pnq, it satisfies:

a ¨ P mod x0 “ CRTppiqpri ¨ piq “nÿ

i“1

ri ¨ pi

if ε` log n` 1 ă η.

Proof. The first equality is correct by the definition of Chinese remainder

theorem. To show that the second equality is correct, we consider the equation

modulo pi for each i. Then the left hand side is ri ¨ pi and the right hand side

is also ri ¨ pi, because pj “ 0 mod pi, for j ‰ i. Finally, the size ofnř

i“1

ri ¨ pi is

smaller than n ¨ 2ε ¨ 2pn´1q¨η which is less than x02. Hence, by the uniqueness

of CRT, the second equality holds.

This lemma transforms the modulus equation to an integer equation of

r1, ¨ ¨ ¨ , rn with unknown coefficients p1, ¨ ¨ ¨ , pn. Our goal is to recover ri

by using the integral equation.

Now we describe full details of solving the CRT-ACDwAI.

Constructing Matrix Equations over Z

Now we show how to compute p1, ¨ ¨ ¨ , pn when given polynomially many

samples of the CRT-ACD from Dχε,η,npp1, ¨ ¨ ¨ , pnq with ε` log n` 1 ă η and

the auxiliary input P “ CRTppiqppiq. For given two instances of CRT-ACD

a “ CRTppiqpaiq and b “ CRTppiqpbiq, abP mod x0 “ř

aibipi mod x0. If all of

ai’s and bi’s are small enough, the right hand side equals toř

aibipi, and so

it can be written as the following matrix equation over the integers:

abP mod x0 “´

a1 a2 ¨ ¨ ¨ an

¯

¨

˚

˚

˚

˚

˚

˝

p1 0 ¨ ¨ ¨ 0

0 p2 ¨ ¨ ¨ 0

0 0. . . 0

0 0 ¨ ¨ ¨ pn

˛

‹

‹

‹

‹

‹

‚

¨

˚

˚

˚

˚

˚

˝

b1

b2...

bn

˛

‹

‹

‹

‹

‹

‚

44


The matrix representations share the diagonal matrix diagpp1, ¨ ¨ ¨ , pnq for

any CRT-ACD instances a and b. Hence, we can construct an pnˆ nq-matrix

which is a multiple of diagpp1, ¨ ¨ ¨ , pnq by arranging abP mod x0 for various

a and b.

More precisely, we are given 2n` 1 number of samples from the distribu-

tion Dχε,η,n as following:

ai “ CRTppkqpak,iq, b “ CRTppkqpbkq, cj “ CRTppkqpck,jq for 1 ď i, j ď n.

To adapt Lemma 4.2.2 to aibcj mod x0, we assume that the parameters

of the problem satisfy the condition: 3ε ` log n ` 1 ă η. Then compute the

following values by multiplying the samples:

wi,j “ ai ¨ b ¨ cj ¨ P mod x0 “nÿ

k“1

ak,i ¨ bkpk ¨ ck,j for 1 ď i, j ď n,

w1i,j “ ai ¨ cj ¨ P mod x0 “nÿ

k“1

ak,i ¨ pk ¨ ck.j for 1 ď i, j ď n.

They can be written as the the following matrix form:

wi,j “nÿ

i“1

ai ¨ pibi ¨ ci “´

a1,i a2,i ¨ ¨ ¨ an,i

¯

¨

˚

˚

˚

˚

˚

˝

b1p1 0 ¨ ¨ ¨ 0

0 b2p2 ¨ ¨ ¨ 0

0 0... 0

0 0 ¨ ¨ ¨ bnpn

˛

‹

‹

‹

‹

‹

‚

¨

˚

˚

˚

˚

˚

˝

c1,j

c2,j...

cn,j

˛

‹

‹

‹

‹

‹

‚

w1i,j “nÿ

i“1

ai ¨ pi ¨ ci “´

a1,i a2,i ¨ ¨ ¨ an,i

¯

¨

˚

˚

˚

˚

˚

˝

p1 0 ¨ ¨ ¨ 0

0 p2 ¨ ¨ ¨ 0

0 0... 0

0 0 ¨ ¨ ¨ pn

˛

‹

‹

‹

‹

‹

‚

¨

˚

˚

˚

˚

˚

˝

c1,j

c2,j...

cn,j

˛

‹

‹

‹

‹

‹

‚

By collecting these values, we can construct two matrices W “ pwi,jq and

45


W1 “ pw1i,jq PMnˆnpZq, which can be written as

W “ AT¨ diagpb1p1, ¨ ¨ ¨ , bnpnq ¨C,

W1“ AT

¨ diagpp1, ¨ ¨ ¨ , pnq ¨C

for AT “ pak,iq and C “ pck,jq PMnˆnpZq.

Disclosing all the Secret Quantities

Suppose A and C are invertible matrices over Q. We compute pW1q´1 over

Q and the following matrix:

V “ W ¨ pW1q´1“ AT

¨ diagpb1, ¨ ¨ ¨ , bnq ¨ pATq´1.

Here the eigenvalues of the matrix V are exactly the set B “ tb1, ¨ ¨ ¨ , bnu.

The set B can be computed in polynomial-time of η, n, and ε from V

(e.g., by factoring the characteristic polynomial over Z). The prime pi is a

common factor of both pb ´ biq and x0, and they have other common factor

if and only if bj “ bi for some j P t1, ¨ ¨ ¨ , nu. Hence if bi’s are distinct , we

can get all secret integers p1, ¨ ¨ ¨ , pn.

tGCDpb´ β, x0q | β P Bu “ tpi | 1 ď i ď nu.

Remark. The probability prob1 that matrix A and C are invertible matrices

depends on the distribution χε. The probability prob2 that bi ‰ bj for all

1 ď i ă j ď n also depends on the distribution χε. Our attack succeeds with

probability of prob1 ¨prob2. For example, this probability is overwhelming with

respect to ε when χε is uniform distribution over p´2ε, 2εq. Since our attack

consists of a matrix multiplication, computing a characteristic polynomial

and finding roots of the polynomial, the overall cost is bounded by rOpn2`ω ¨ηq,

with ω ď 2.38. Hence, we obtain the following result:

Theorem 4.2.1. Let Uε be the uniform distribution over p´2ε, 2εqXZ. When

46


ε` log n` 1 ă η and given Opnq CRT-ACD samples from DUε,η,npp1, ¨ ¨ ¨ , pnqwith x0 “

nś

i“1

pi, and P “ CRTppiqppiq, one can recover every secret primes

p1, ¨ ¨ ¨ , pn in time rOpn2`ω ¨ ηq with ω ď 2.38 and overwhelming probability to

ε.

4.2.1 Application to CLT Schemes

In this section, we adapt the analysis of CRT-ACD with auxiliary input to

CLT multilinear maps. The instances params and pzt of the problem and

the CLT multilinear map are quite similar. The encodings of CLT resemble

the instances of the problem except the secret constant z. The zero-testing

parameters pzt also has a similar structure with P but contains coefficients

with large size about pi. However, when we restrict zero-testing to encodings

of 0, it behaves similar to Lemma 4.2.2.

More precisely, let a be a top-level encoding of 0 and can be written by

a “ CRTppiqprigizκq. Hereafter since we use only one zero-testing parameter,

without loss of generality, we denote ppztq1 as pzt. As similar in Lemma 4.2.2,

pzt ¨ a mod x0 “ CRTpippihiriq “nÿ

i“1

pihiri

as long as the last quantity is smaller than x02. By zero-testing conditions,

it is always true for valid top level encodings of zero. Next, by replacing a by

valid κ level encodings of zero x1j ¨x11 ¨xk ¨ y

k´1 or x1j ¨xk ¨ yk´1 for 1 ď j, k ď n

47


in the above equation, for 1 ď j, k ď n, we have:

wjk “ x1j ¨ x11 ¨ xk ¨ y

κ´1¨ pzt mod x0 “

nÿ

i“1

pi ¨ hi ¨ x1ij ¨ prigi ` 1qκ´1 ¨ x1i1 ¨ rik

“

nÿ

i“1

x1ij ¨ x1i1 ¨ h

1i ¨ rik, and

w1jk “ x1j ¨ xk ¨ yκ´1

¨ pzt mod x0 “nÿ

i“1

pi ¨ hi ¨ x1ij ¨ prigi ` 1qκ´1 ¨ rik

“

nÿ

i“1

x1ij ¨ h1i ¨ rik,

where h1i “ pi ¨ hi ¨ prigi ` 1qκ´1. By spanning 1 ď i, j ď n, we obtain the

matrix W and W1:

W “ X1T¨ diagpx111 ¨ h

11, ¨ ¨ ¨ , x

1n1 ¨ h

1nq ¨R,

W1“ X1T

¨ diagph11, ¨ ¨ ¨ , h1nq ¨R,

for X1T “ px1ijq and R “ prikq. By applying the same method in the section

2, we can recover tx11, ¨ ¨ ¨ , xn1u by computing the eigenvalues of W ¨W1´1.

Hence we can compute all secret pi by computing GCDpx11 ´ xi1, x0q.

Consequently, we need W1 and W to be invertible. We argue that this

is the case here. We prove it for W. Note first that the x1i1’s and the h1i’s

are all non-zero, with overwhelming probability. Note that by design, the

matrix prijqiPrns,jPrτ s has rank n (see [CLT13, Section. 4]). The same holds

for the matrix px1ijqiPrns,jPr`s (see [CLT13, Lemma. 1]). As we can compute

the rank of a W P Ztˆt obtained by using an X1 P Ztˆn and an R P Znˆt

obtained by respectively using a t-subset of the x1j’s and a t-subset of the xj’s.

Without loss of generality we may assume that our X1,R P Znˆn are non-

singular. The cost of finding such a pair pX1,Rq is bounded as rOppτ ` `q ¨

pnω log x0qq “ rOpκω`3λ2ω`6q, with ω ď 2.38 (assuming all parameters are

set smallest possible so that the bounds of parameter setting hold). Here

we used the fact that the rank of a matrix A P Znˆn may be computed

48


in time rOpnω log A8q (see [Sto09]). This dominates the overall cost of the

attack.

After we know all the pi’s, we have xjy “ rijgiprigi ` 1q mod pi. As

the numerator and denominator are coprime and very small compared to pi,

they can be recovered by the rational reconstruction algorithm. We hence

obtain prijgiq’s for all j. The gcd of all the prijgiq’s reveals gi. As a result,

we can also recover all the rij’s and ri’s. As x1 “ ri1giz mod pi and the

numerator is known, we can recover z mod pi for all i, and hence z mod x0.

The hij’s can then be recovered as well, so can the r1ij’s and aij’s.

Related and Follow-up Works. Our attack was extended in [BWZ14,

GHMS14, CGH`15] to settings in which no low-level encoding of 0 are avail-

able. The extensions rely on low-level encodings of elements corresponding

to orthogonal vectors and impact [GLW14, GLSW15, GGH`13b].

After our attack was published in Eurocrypt’15, the draft [GGHZ14] was

update to propose a candidate immunization against our attack (see [GGHZ14,

Se. 6]).; Another candidate immunization was proposed in [BWZ14]. Both

immunizations have proved insecure in [CLT14a]. See also [CGH`15].

A further modification of CLT was proposed by Coron, Lepoint and Ti-

bouchi in the proceedings of CRYPTO’15 [CLT15]. They claimed that our

attack is thwarted since the modified scheme keeps the modulus secret so

that the zero-testing procedure depends on the CRT components in a non-

linear way. However, it turned out to be insecure as proved by Cheon et al.

in [CFL`16] who exploit an extension of eigenvalues and determinant tech-

niques as in Section 4.2 and 4.3.

Remark. In case of the obfuscation on CLT multilinear map, the security

remained open problems because the applications is not given an encodings

of zero. Recently, Coron et al. provide a new result [CLLT16] about it, which

enables one to break the obfuscation on CLT multilinear map in polynomial-

;The former version that was impacted by our attack can still be accessed from theIACR eprint server.

49


time.

4.3 Analysis of the Related Problems.

In this section, we provide an analysis of the SubM, DLIN, and GXDH prob-

lems associated with the CLT multilinear map. We start by defining these

problems adapted to CLT version. We then describe how to solve these prob-

lems in polynomial-time. Briefly,these problems are unified by the problem

of determining whether a given matrix is full rank or not. The only difference

is the dimension of a given matrix. SubM is given rank n, L-DLIN is Ln, and

GXDH is 2n. Therefore, the attack algorithm of these problems is the same

process.

The attack procedure consists of two steps. First, in Section 4.3, we show

how to recoverś

i gi. Next, in Sections 4.3.1 and 4.3.2, we use that quantity

to recognize valid instances of the SubM and DLIN. In Section 4.3.3, we

introduce a method to solve the GXDH.

Let G “ Zg1 ˆ . . .ˆ Zgn and Gi be the subgroup of order gi obtained by

making the components of the other Zgj ’s to be zero. For index set I Ď rns,

we denote GI “ś

iPI Gi. We let enc1pmq denote a properly generated level-1

encoding of m P G. For integers L,N ą 0, we let RkipZLˆLN q denote the set

of L ˆ L matrices over ZN of rank i. If N is a product of primes, we define

the rank of a matrix as the maximum of the ranks of the matrices obtained

by reduction modulo all the prime divisors of N .

Definition 4.3.1. (The Subgroup Membership Problem) SubM is as

follows. Given λ and κ, generate params and pzt using InstGen and tenc1pgiq :

i P r`su where the gi’s are uniformly and independently sampled in a strict

subgroup GI of G, with ` sufficiently large so that the gi’s generate GI with

overwhelming probability. Given params, pzt, tenc1pgiq : i P r`su and u “

enc1pmq, determine whether m is sampled uniformly in GI or in G.

Definition 4.3.2. (L-Decisional Linear Problem) L-DLIN is as follows.

Given λ and κ, generate params and pzt using InstGen. Define N “ś

i gi.

50


Given params and pzt, the goal is to distinguish between the distributions

tpenc1pmpi,jqqqi,jupmpi,jqqi,jÐRkL´1pZLˆLN q

and tpenc1pmpi,jqqqi,jupmpi,jqqi,jÐRkLpZLˆLN q

.

In one of the constructions of [ABP15], the authors rely on the following

particular case. The problem is as follows. The algorithm is given params and

pzt as well as tenc1paiquiPrLs and tenc1paibiquiPrLs for some uniform and inde-

pendent a1, . . . , aL, b1, . . . , bL P G. It is also given enc1pmq, and it has to assess

whether m is uniformly and independently sampled in G or whether m “

b1 ` . . . ` bL. This can be restated as a special case of Definition 4.3.2, by

noting that it requests to assess whether the matrix just below is full-rank.

¨

˚

˚

˚

˚

˚

˚

˚

˝

a1b1 a1 0 . . . 0

a2b2 0 a2 . . . 0...

aLbL 0 0 . . . aL

m 1 1 . . . 1

˛

‹

‹

‹

‹

‹

‹

‹

‚

We recall asymmetric multilinear maps and the associated GXDH prob-

lem. By applying the attacks described above, we can solve GXDH in polynomial-

time.

Instance generation: pparams,pztq Ð InstGenp1λ, 1κq. The setting of the

parameters pi, gi, x0, tx1ju,Π and H are as in the original scheme. For 1 ď

t ď κ, sample zt uniformly in Zx0 . Then define, for all 1 ď t ď κ:

yptq “ CRTppiq

˜

rptqi ¨ gi ` 1

zt

¸

, where rptqi Ð p´2ρ, 2ρq X Z, for 1 ď i ď n,

xptqj “ CRTppiq

˜

rptqij ¨ gi

zt

¸

, for 1 ď j ď τ.

51


Further, we define:

ppztqj “nÿ

i“1

hij ¨ pź

1ďtďκ

zt ¨ g´1i mod piq ¨

ź

i1‰i

pi1 mod x0, for 1 ď j ď n.

Output params “ pn, η, α, ρ, β, τ, `, ν, x0typtqu, tx

ptqj u, tx

1ju, tΠju, sq and pzt.

From now on, we let enctpmq denote CRTppiqpmi`si¨gi

ztq.

Since, as same as in section 3.2, we only use one zero-testing parameter, we

denote ppztq1 as pzt. We now define the CLT variant of the GXDH problem.

Definition 4.3.3. (Graded External DDH Problem) GXDH is as fol-

lows. Given λ and κ, generate params and pzt using InstGen. Given params,

pzt and enctpaq, enctpbq and enctpcq with a, b Ð G and for a given t P rκs,

the goal is to decide whether c “ a ¨ b or c is uniformly and independently

sampled in G.

This can be regarded as a variant of 2-DLIN problems by distinguishing

the following distributions

#˜

enctpcq enctpaq

enctpbq enctp1q

¸+

and

#˜

enctpabq enctpaq

enctpbq enctp1q

¸+

,where cÐ G.

Our main strategy to solve these three related problem of CLT scheme is

that: For a given level-1 encoding

E “ pei,jq “ CRTppkq

˜

spi,jqk gk `m

pi,jqk

z

¸

for 1 ď i, j ď t,

we can construct a matrix Wei,j :“ Wi,j as similar to Section 4.2 by com-

puting rx1k ¨ ei,j ¨ xl ¨ yκ´2 ¨ pztsx0 for 1 ď k, l ď n:

Wi,j “ X1¨ pSi,jG`Mi,jq ¨ diagph1, ¨ ¨ ¨ , hnq ¨R

“ X1¨ pSi,jG`Mi,jq ¨R

1,

where hi “ hi ¨ prigi ` 1qκ´2 ¨ pi, Si,j “ diagpspi,jq1 , ¨ ¨ ¨ , s

pi,jqn q and Mi,j “

52


diagpmpi,jq1 , ¨ ¨ ¨ ,m

pi,jqn q. By collecting these matrix W “ pWi,jq for 1 ď i, j ď

t, we can get following matrix:

W “ X1¨

¨

˚

˚

˝

¨

˚

˚

˝

S1,1 ¨G . . . S1,t ¨G...

. . ....

St,1 ¨G . . . St,t ¨G

˛

‹

‹

‚

`

¨

˚

˚

˝

M1,1 . . . M1,t

.... . .

...

Mt,1 . . . Mt,t

˛

‹

‹

‚

˛

‹

‹

‚

¨R1.

Related problems are to distinguish problems for given matrix of encoding E,

the size of matrix is different depending on problem. Those related problems

can be seen as following:

SubM: For t “ 1 and a given E, determine mÐ GI or not.

L-DLIN: For t “ L and a given E, determine pmpi,jqqi,j Ð RkL´1pZLˆLN q

or RkLpZLˆLN q.

GXDH: For t “ 2 and a given E, determine

˜

c a

b 1

¸

is a full rank or

not

In case of SubM, determining m “ pmiq1ďiďn is in GI or not is the same as

computing factors of gcdpś

prigi ` miq,ś

giq. This value can be computed

from determinant of W andś

gi. In case of GXDH and L-DLIN, the deter-

minant of W is a multiple of gi for any i, if the middle term matrix M does

not have a full rank. In other case, the determinant of M is not a multiple of

gi with a high probability. Hence, if one can recover theś

gi, one can solve

the related problems.

Remark. The important difference between cryptanalysis of these related

problems and the cryptanalysis of the CLT scheme is the form of the middle

matrix of W. The previous attack in Section 3 is based on the fact that the

middle matrix is a diagonal matrix. For example, in [BWZ14], the authors

fixed the middle matrix into block diagonal matrix form.§ On the other hand,

the attack of related problems in this section does not depend on it.

§Soon after, it is also known to be insecure by Coron et al.’s extended attack

53


Step 1: Computingś

i gi

Suppose we have public instances

params “ pn, η, α, ρ, β, τ, `, ν, x0, y, txju, tx1ju, tΠju, sq and pzt.

The main step in the attack is to getś

i gi from pparams,pztq. It may be

admissible to assume that the gi’s are public in which computingś

i gi is

trivial. If for some reason the gi’s have to stay secret, one must set their bit-

sizes as Ωpλ2q, so that they cannot be recovered by combining the approach

described below with the elliptic curve factorization algorithm.

Similarly to the Section 4.2, we compute wkl :“ rx1k ¨ y ¨ xl ¨ yκ´2 ¨ pztsx0 ,

wpiqkl :“ rx1k ¨ xi ¨ xl ¨ y

κ´2 ¨ pztsx0 and obtain a matrix

Wy “ X1¨ diagpr1g1 ` 1, . . . , rngn ` 1q ¨R1.

Wi “ X1¨ diagpri1g1, . . . , ringnq ¨R

1.

We can get a multiple ofś

i gi by taking a ratio of gcd’s of determinants of

appropriate subsets of tW1, . . . ,Wm,Wyu:

gcdpdet W1, . . . , det Wmq

gcdpdet W1, . . . , det Wm, det Wyq

“gcdp

ś

i ri1, . . . ,ś

i rimq

gcdpś

i ri1gi, . . . ,ś

i rimgi,ś

iprigi ` 1qq¨ź

i

gi

“ ∆ ¨ź

i

gi,

for some integer ∆. We expect that ∆ consists of only small factors because

it is a common divisor of many random variables. These variables do not sat-

isfy uniformity condition, because rij is chosen in a half-open parallelepiped

spanned by matrix Π. However the elements of matrix Π are drawn from

some interval that is independent of an arbitrary prime p. Therefore, we may

(heuristically) assume that the smoothness probabilities are the same as that

of the uniform case. Under this assumption, the integer ∆ is 2n-smooth (i.e.,

54


all its divisors are ď 2n) with probability ě 0.9, as we explain below. The

more general results can be found in [CK16].

Lemma 4.3.3 (Heuristic). Let rij be a random integer for i P rns, j P rms

with m ě s logp2nq for some positive integer s. Then gcdpś

i ri1, . . . ,ś

i rimq

is 2n-smooth with probability ě ζpsq´1, which is ě 0.9 when s ě 4.

Proof. Our heuristic assumption is that each rij is divisible by a prime p ą 2n

with probabilityď 1p, for all p’s. First, we observe that for each j, the integerś

i rij is divisible by p with probability ď 1 ´ p1 ´ 1pqn ď np. Then the

probability that gcdpś

i ri1, . . . ,ś

i rimq is divisible by p is ď pnpqm. As a

result, the gcd is 2n-smooth with probability at least

ź

pą2n

p1´ pnpqmq ěź

pą2n

p1´ 1psq “ ζpsq´1ź

pď2n

p1´ 1psq´1 ě ζpsq´1.

Here the first inequality comes from pnpqm ď pn2nqm “ p12qm ď 1ps for

m ě s log p. The equality is Euler’s identity for the Riemann zeta function.

The latter is decreasing and ζp4q´1 ą 0.9. This completes the proof.

By Lemma 4.3.3, the integer ∆ is p2nq-smooth with probability ą 0.9.

We eliminate it by trial division by all integers ď 2n. This costs rOpκ2λ5qbit operations. This is dominated by the cost of the operations described in

Sections 4.2, which is rOpκω`3λ2ω`6q.

4.3.1 Solving the CLT SubM Problem

We compute wkl “ rx1k ¨ enc1pmq ¨ xl ¨ y

κ´2 ¨ pztsx0 :

W “ X1¨ diagpr1g1 ` x1, . . . , rngn ` xnq ¨R

1,

with xi P Zgi for all i. The attack consists in computing gcdpdet W,ś

i giq.

If m is uniformly sampled in G, then we expect n2α of the xi’s to be

zero. Hence, in that case, we have log gcdpdet W,ś

i giq « αn2α. For the

original setting of α “ λ, this is essentially 0.

55


If m is uniformly sampled in GI , then all the xi’s for i R I are zero,

and we expect pn ´ |I|q2α of the others to be zero. Hence, in that case, we

have log gcdpdet W,ś

i giq « α|I| ` αpn´ |I|q2α.

4.3.2 Solving the CLT DLIN Problem

As we have seen, we assume thatś

i gi is known. In DLIN, we are given a ma-

trix of level-1 encodings E “ pei,jqi,j. We write ei,j “ pspi,jqk gk `m

pi,jqk qz mod

pk. Using the same method to above, we compute matrices Wi,j P Znˆn for

all ei,j . We define

W “

¨

˚

˚

˚

˚

˚

˝

W11 W12 . . . W1L

W21 W22 . . . W2L

.... . .

WL1 WL2 . . . WLL

˛

‹

‹

‹

‹

‹

‚

P ZnLˆnL.

We compute the determinant of W. It satisfies the following equation.

detpWq “ detpX1qL¨ detpR1

qL¨ det

¨

˚

˚

˚

˚

˚

˝

B1,1 B1,2 . . . B1,L

B2,1 B2,2 . . . B2,L

.... . .

BL,1 BL,2 . . . BL,L

˛

‹

‹

‹

‹

‹

‚

,

where Bi,j “ diagpspi,jq1 ¨ g1`m

pi,jq1 , ¨ ¨ ¨ , s

pi,jqn ¨ gn`m

pi,jqn q for all i, j. Let ∆ “

detpX1qL ¨ detpR1qL. We have det W “ ∆ ¨ś

k det Qk, where Qk “ prpi,jqk ¨

gk `mpi,jqk qi,j and it is congruent to Pk “ pm

pi,jqk qpi,jq in modulo gk.

To distinguish among the instances of DLIN, we compute det W and

check whether it is divisible byś

k gk. If E is sampled from a full rank

matrix, the determinant of Pk is nonzero for some k. Hence det W cannot

be multiple ofś

k gk. In other case, then det Pi “ 0 for all i. Hence det W is

a multiple ofś

k gk. The total bit-complexity of the attack is rOpκω`3λ2ω`6`κω`3Lω`1λ2ω`5q.

56


4.3.3 Solving the CLT GXDH Problem

In the following, we assume that κ ě 3. Without loss of generality, we assume

that t “ 1 in the GXDH problem. The first step in the attack is to getś

i gi

from pparams,pztq. Similar to Section 4.1, we compute Wyp1q and the Wi’s

by using pparamsq, as follows (for 1 ď i ď m):

Wyp1q “ pryp1q ¨ xp2qk x

p3ql ¨ yp4q . . . ypκq ¨ pztsx0qk,l

“ R ¨ diagprp1q1 g1 ` 1, . . . , r

p1qn gn ` 1q ¨ diagph11, . . . , h

1nq ¨R

1,

Wi “ prxp1qi ¨ x

p2qk x

p3ql ¨ yp4q . . . ypκq ¨ pztsx0qk,l

“ R ¨ diagprp1qi1 g1, . . . , r

p1qin gnq ¨ diagph

11, . . . , h

1nq ¨R

1,

where R “ prp2qki q and R1 “ pr

p3qil q.

Similar to Section 4.1, we obtain a multiple ofś

i gi by taking a ratio of

gcd’s of determinants of appropriate subsets of tW1, . . . ,Wm,Wyp1qu:

gcdpdet W1, . . . , det Wmq

gcdpdet W1, . . . , det Wm, det Wyp1qq“ ∆ ¨

ź

i

gi,

for some integer ∆. For the same reason as before, by Lemma 4.3.3, the

integer ∆ is p2nq-smooth with probability ą 0.9. We eliminate it by trial

division by all integers ď 2n. Thus, we can getś

i gi in time rOpκω`3λ2ω`6q.Next, we instantiate with yp1q “ enc1paq, enc1pbq, enc1pcq, respectively. We

get:

Wa “ R ¨ diagprp1qa1 g1 ` a1, . . . , r

p1qan gn ` anq ¨ diagph

11, . . . , h

1nq ¨R

1,

Wb “ R ¨ diagprp1qb1 g1 ` b1, . . . , r

p1qbn gn ` bnq ¨ diagph

11, . . . , h

1nq ¨R

1,

Wc “ R ¨ diagprp1qc1 g1 ` c1, . . . , r

p1qcn gn ` cnq ¨ diagph

11, . . . , h

1nq ¨R

1.

Then, we can compute:

W “

˜

Wc Wa

Wb Wyp1q

¸

P Z2nˆ2n and

det W “ ∆1¨

´

prp1qai gi ` aiq ¨ pr

p1qbi gi ` biq ´ pr

p1qci gi ` ciq ¨ pr

p1qi gi ` 1q

¯

,

57


where ∆1 “ detpRq2 ¨detpR1q2 ¨ pś

i h1iq2. If c is equal to a ¨b, then the quantity

above hasś

i gi as a large factor. If c is uniformly and independently sampled

in G, then the quantity above is independent fromś

i gi. The cost of the

attack is bounded by rOpκω`3λ2ω`6q.

58

Chapter 5

Conclusions

In this thesis, we present the analysis of two candidate of multilinear maps

of CLT and GGH.

First, in case of GGH, we have shown that if the low level encodings of

zero exist, the underlying problem is reduced to the SVP on ideal lattice. By

using the sublattice algorithm, we also show that given parameters in GGH

is insecure.

If we have only a top level encoding of zero, we reduce from the under-

lying problem GDDH of the GGH to the ONTRU problem. In this work, we

described how to find a small solution of the variant of the NTRU problem

using a reduction technique. By applying our proposed algorithm, subfield

algorithm, to the GGH scheme, we could attack the GDDH problem in the

GGH scheme. Therefore, our results imply that there is no guarantee for the

security of the GGH scheme when we are given a small encoding of zero and

also when we are not given.

Unfortunately, the current attacks of the GGH scheme can be resist by

increasing the size of dimension n from λ2 to λ3, where λ is a security pa-

rameter. Thus, the natural extension of this research is to increase the range

of possible attack parameters.

Finally, we propose polynomial-time attacks for CRT-ACD with auxiliary

input, the CLT scheme and its related problems. Until now, the CRT-ACD

59

CHAPTER 5. CONCLUSIONS

is known to be hard problems. However, if an auxiliary input P “nř

i“1

ś

j‰i

pj

is given, we find quadratic equations for secret parameters and construct a

matrix. The matrix has eigenvalues as secret parameters and reveals them by

computing characteristic polynomial of the matrix. Adapting this methods

to the CLT scheme allows us to totally find every secret parameters.

Unfortunately, this analysis is possible only when low level encodings of

zero and zero-testing parameter are given. To date, there is no known how

to analyze the CLT scheme when there is no encoding of zero. Therefore,

natural proceedings of this research is to extend the range of applications of

graded encoding schemes for which the encodings of zero are not needed.

60

Bibliography

[ABD16] Martin Albrecht, Shi Bai, and Leo Ducas. A subfield lattice

attack on overstretched ntru assumptions. In Annual Cryptology

Conference, pages 153–178. Springer, 2016.

[ABP15] Michel Abdalla, Fabrice Benhamouda, and David Pointcheval.

Disjunctions for hash proof systems: New constructions and ap-

plications. In Advances in Cryptology - EUROCRYPT 2015,

pages 69–100, 2015.

[ADRSD14] Divesh Aggarwal, Daniel Dadush, Oded Regev, and Noah

Stephens-Davidowitz. Solving the shortest vector problem

in 2n time via discrete gaussian sampling. arXiv preprint

arXiv:1412.7994, 2014.

[BBS04] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group

signatures. In Advances in Cryptology - CRYPTO 2004, pages

41–55, 2004.

[BGN05] Dan Boneh, Eu-Jin Goh, and Kobbi Nissim. Evaluating 2-dnf

formulas on ciphertexts. In Theory of Cryptography, Second

Theory of Cryptography Conference, TCC 2005, pages 325–341,

2005.

[BLMR13] Dan Boneh, Kevin Lewi, Hart William Montgomery, and

Ananth Raghunathan. Key homomorphic prfs and their ap-

61

BIBLIOGRAPHY

plications. In Advances in Cryptology - CRYPTO 2013, pages

410–428, 2013.

[BS03] Dan Boneh and Alice Silverberg. Applications of multilinear

forms to cryptography. Contemporary Mathematics, American

Mathematical Society, 324:71–90, 2003.

[BWZ14] Dan Boneh, David J. Wu, and Joe Zimmerman. Immunizing

multilinear maps against zeroizing attacks. IACR Cryptology

ePrint Archive, 2014.

[CCK`13] Jung Hee Cheon, Jean-Sebastien Coron, Jinsu Kim, Moon Sung

Lee, Tancrede Lepoint, Mehdi Tibouchi, and Aaram Yun. Batch

fully homomorphic encryption over the integers. In Annual In-

ternational Conference on the Theory and Applications of Cryp-

tographic Techniques, pages 315–335. Springer, 2013.

[CFL`16] Jung Hee Cheon, Pierre-Alain Fouque, Changmin Lee, Brice

Minaud, and Hansol Ryu. Cryptanalysis of the new CLT multi-

linear map over the integers. IACR Cryptology ePrint Archive,

2016.

[CGH`15] Jean-Sebastien Coron, Craig Gentry, Shai Halevi, Tancrede Le-

point, Hemanta K. Maji, Eric Miles, Mariana Raykova, Amit

Sahai, and Mehdi Tibouchi. Zeroizing without low-level zeroes:

New MMAP attacks and their limitations. In Advances in Cryp-

tology - CRYPTO 2015, pages 247–266, 2015.

[CHL`15] Jung Hee Cheon, Kyoohyung Han, Changmin Lee, Hansol Ryu,

and Damien Stehle. Cryptanalysis of the multilinear map over

the integers. In Advances in Cryptology - EUROCRYPT 2015,

pages 3–12, 2015.

62

BIBLIOGRAPHY

[CJL16] Jung Hee Cheon, Jinhyuck Jeong, and Changmin Lee. An algo-

rithm for ntru problems and cryptanalysis of the ggh multilinear

map without a low level encoding of zero. Mh, 1:0, 2016.

[CK16] Jung Hee Cheon and Duhyeong Kim. Probability that the k-gcd

of products of positive integers is b-smooth. IACR Cryptology

ePrint Archive, page 334, 2016.

[CL15] Jung Hee Cheon and Changmin Lee. Approximate algorithms

on lattices with small determinant. Technical report, Cryptology

ePrint Archive, Report 2015/461, 2015.

[CLLT15] Jean-Sebastien Coron, Moon Sung Lee, Tancrede Lepoint, and

Mehdi Tibouchi. Cryptanalysis of ggh15 multilinear maps. 2015.

[CLLT16] Jean-Sebastien Coron, Moon Sung Lee, Tancrede Lepoint, and

Mehdi Tibouchi. Zeroizing attacks on indistinguishability ob-

fuscation over clt13. 2016.

[CLT13] Jean-Sebastien Coron, Tancrede Lepoint, and Mehdi Tibouchi.

Practical multilinear maps over the integers. In Advances in

Cryptology - CRYPTO 2013, pages 476–493, 2013.

[CLT14a] Jean-Sebastien Coron, Tancrede Lepoint, and Mehdi Tibouchi.

Cryptanalysis of two candidate fixes of multilinear maps over

the integers. IACR Cryptology ePrint Archive, 2014.

[CLT14b] Jean-Sebastien Coron, Tancrede Lepoint, and Mehdi Tibouchi.

Personal communication. 2014.

[CLT15] Jean-Sebastien Coron, Tancrede Lepoint, and Mehdi Tibouchi.

New multilinear maps over the integers. In Advances in Cryp-

tology - CRYPTO 2015, pages 267–286, 2015.

63

BIBLIOGRAPHY

[GGH13a] Sanjam Garg, Craig Gentry, and Shai Halevi. Candidate mul-

tilinear maps from ideal lattices. In Advances in Cryptology -

EUROCRYPT 2013, pages 1–17, 2013.

[GGH`13b] Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova,

Amit Sahai, and Brent Waters. Candidate indistinguishability

obfuscation and functional encryption for all circuits. In IEEE

Symposium on Foundations of Computer Science, FOCS, pages

40–49, 2013.

[GGH15] Craig Gentry, Sergey Gorbunov, and Shai Halevi. Graph-

induced multilinear maps from lattices, 2015.

[GGHZ14] Sanjam Garg, Craig Gentry, Shai Halevi, and Mark Zhandry.

Fully secure attribute based encryption from multilinear maps.

IACR Cryptology ePrint Archive, 2014.

[GHMS14] Craig Gentry, Shai Halevi, Hemanta K. Maji, and Amit Sa-

hai. Zeroizing without zeroes: Cryptanalyzing multilinear maps

without encodings of zero. IACR Cryptology ePrint Archive,

2014.

[GLSW15] Craig Gentry, Allison B. Lewko, Amit Sahai, and Brent Waters.

Indistinguishability obfuscation from the multilinear subgroup

elimination assumption. In Proceedings of FOCS 2015, pages

151–170, 2015.

[GLW14] Craig Gentry, Allison B. Lewko, and Brent Waters. Witness

encryption from instance independent assumptions. In Advances

in Cryptology - CRYPTO 2014, pages 426–443, 2014.

[HG01] Nick Howgrave-Graham. Approximate integer common divisors.

pages 51–66, 2001.

[HJ16] Yupu Hu and Huiwen Jia. Cryptanalysis of GGH map. In

Eurocrypt, pages 537–565, 2016.

64

BIBLIOGRAPHY

[HPS11] Guillaume Hanrot, Xavier Pujol, and Damien Stehle. Analyzing

blockwise lattice algorithms using dynamical systems. 2011:447–

464, 2011.

[KF17] Paul Kirchner and Pierre-Alain Fouque. Revisiting lattice at-

tacks on overstretched ntru parameters. In Annual International

Conference on the Theory and Applications of Cryptographic

Techniques, pages 3–26. Springer, 2017.

[LLL82] Arjen Klaas Lenstra, Hendrik Willem Lenstra, and Laszlo

Lovasz. Factoring polynomials with rational coefficients. Math-

ematische Annalen, 261(4):515–534, 1982.

[LS14] Hyung Tae Lee and Jae Hong Seo. Security analysis of mul-

tilinear maps over the integers. In Advances in Cryptology -

CRYPTO 2014, pages 224–240, 2014.

[MR09] Daniele Micciancio and Oded Regev. Lattice-based cryptogra-

phy. In Post-quantum cryptography, pages 147–191. Springer,

2009.

[MW01] Daniele Micciancio and Bogdan Warinschi. A linear space algo-

rithm for computing the hermite normal form. In Proceedings

of the 2001 international symposium on Symbolic and algebraic

computation, pages 231–236. ACM, 2001.

[Sco02] Mike Scott. Authenticated ID-based key exchange and remote

log-in with simple token and PIN number. IACR Cryptology

ePrint Archive, page 164, 2002.

[Sto09] Arne Storjohann. Integer matrix rank certification. In Symbolic

and Algebraic Computation, International Symposium, ISSAC,

pages 333–340, 2009.

[vDGHV10] Marten van Dijk, Craig Gentry, Shai Halevi, and Vinod Vaikun-

tanathan. Fully homomorphic encryption over the integers.

65

BIBLIOGRAPHY

In Advances in Cryptology - EUROCRYPT 2010, pages 24–43,

2010.

[Zim15] Joe Zimmerman. How to obfuscate programs directly. In

Advances in Cryptology - EUROCRYPT 2015, pages 439–467,

2015.

66

국문초록

다중선형함수는 암호학에서 강력한 도구 중 하나이다. 그럼에도 불구하고, 현재까지

3종류의 다중선형함수만이 제안되었다. Garg 등에 의해 첫 번째로 제안된 다중선형

함수(GGH)는아이디얼격자를이용하여제안되었고, Coron등은정수기반다중선형

함수(CLT)를 제안했다. 마지막으로 Gentry 등에 의해 그래프 기반 다중선형함수가

제안되었다. 다중선형함수의 등장은 여러 암호학적 응용들을 현실화 시키는 계기가

되었다.

이러한 응용들의 안전성은 주어진 다중선형함수로부터 파생된 어려운 문제들에

기반을두어설명이되는데아직까지파생된문제들의안전성은설명되지못하고있는

상황이다. 이로 인해 다중선형함수의 안전성을 설명하기 위한 후속 연구가 꾸준히 진

행되고 있는데, 실제로 GGH 다중선형함수에서 낮은 등급의 0의 인코딩이 주어지는

경우와 세 번째 다중선형함수는 안전하지 않은 것으로 밝혀졌다.

본 학위 논문에서는 GGH와 CLT 다중선형함수의 대수적 구조를 활용하여 다중

선형함수 및 이로부터 파생된 문제를 분석하는 연구를 진행한다.

우선 GGH 다중선형함수에서 낮은 등급의 0의 인코딩이 주어지는 경우, 주어진

아이디얼 격자에서 빠른 시간 안에 짧은 길이의 벡터를 찾는 연구를 진행하여 기존에

알려진 GGH 다중선형함수와 다른 공격 알고리즘을 제안하고, 그 결과 GGH 다중선

형함수가 안전하지 않음을 보인다.

두 번째로 낮은 등급의 0의 인코딩이 없는 경우에는, 주어진 GGH의 공개 데이터

로부터 낮은 등급의 0의 인코딩을 만드는 방법에 대한 연구를 진행한다. 앞서 진행한

연구결과를 적용하여, 낮은 등급의 0의 인코딩이 없는 경우에도 GGH 함수가 주어진

파라미터에서 안전하지 않음을 보인다.

마지막으로 CLT함수의 경우에는 주어진 공개 정보로부터, 비공개 정보들을 고유

값(eigenvalue) 으로 갖는 정방행렬을 설계하는 방법에 대해 연구를 진행한다. 이를

확장하여, CLT 함수의 모든 비공개 정보들을 복구함으로서 CLT 다중선형함수가

구조적으로 안전하지 않음을 증명한다.

주요어휘: GGH 다중선형함수, 최소 격자 문제, NTRU문제, 아이디얼 격자,

CLT 다중선형함수, 중국인의 나머지 정리 기반 근사 공약수 문제

학번: 2012-20254

mathematical analysis of cryptographic multilinear...

Documents