Multilinear Maps Using Ideal Lattices without Encodings of Zero 1

Multilinear Maps Using Ideal Lattices without Encodings of Zero
Gu Chunsheng
School of Computer Engineering, Jiangsu University of Technology, Changzhou 213001, China
E-mail: [email protected]
May 26, 2015
Abstract. Garg, Gentry and Halevi (GGH) described the first candidate multilinear maps using
ideal lattices. However, Hu and Jia recently presented an efficient attack for two applications based
on the GGH map, multipartite Diffie-Hellman key exchange and an instance of witness encryption
using 3-exact cover problem. In this paper, we describe a modification construction of multilinear
maps from ideal lattices without encodings of zero by introducing random matrices to avoid the
zeroing attack problem. The security of our construction depends upon new hardness assumption,
which is seemingly closely related to hardness problems of lattices. Furthermore, we present
multipartite Diffie-Hellman key exchange protocol using our construction, and an instance of
witness encryption using 3-exact cover problem based on a variant of our construction.
Keywords. Multilinear maps, Ideal lattices, Multipartite Diffie-Hellman key exchange, Witness
Encryption, Zeroizing attack
1 Introduction
Boneh and Silverberg [BS03] first introduced the notion of multilinear maps, which is an extension
of bilinear maps. There exist many applications on bilinear maps, such as [SOK00, Jou00, BF03,
Sma03] and multilinear maps [BS03, RS09, PTT10, Rot13]. However, different from bilinear maps,
which come from pairing of elliptic curves, constructing multilinear maps is a long-standing open
problem. Recently, Garg, Gentry, and Halevi (GGH) described the first plausible construction of
multilinear maps that use ideal lattices [GGH13]. Their multilinear maps, whose encodings were
randomized with noise and bounded with a fixed maximum degree, were different from the ideal
multilinear maps defined by Boneh and Silverberg. To improve the efficiency of GGH, Langlois,
Stehlé and Steinfeld[LSS14] constructed GGHLite, in which the re-randomization process of GGH
was reanalyzed by applying the Rényi divergence. However, Hu and Jia [HJ15a] recently presented
an efficient attack on GGH map, which breaks two applications, multipartite key exchange (MPKE)
and witness encryption (WE) based on 3-exact cover problem.
Following the GGH’s framework, Coron, Lepoint, and Tibouchi [CLT13] (CLT) described a
relatively practical construction that works over integers instead of ideal lattices, and is implemented
using heuristic optimization techniques. However, Cheon, Han, Lee, Ryu, and Stehle had broken the
CLT construction using level-1 encodings of zero. To avoid this zeroizing attack for CLT, Garg,
Gentry, Halevi and Zhandry [GGH+14], and Boneh, Wu and Zimmerman [BWZ14] proposed two
candidate fixes of multilinear maps over the integers. However, Coron, Lepoint, and Tibouchi
showed that two candidate fixes of CLT can be defeated in polynomial time using extensions of the
Cheon et al.’s attack. Currently, Coron, Lepoint and Tibouchi [CLT15] proposed a new construction
of multilinear map over the integers by modifying zero-testing parameter.
Recently, Gentry, Gorbunov and Halevi [GGH14] described a construction of graph-induced
multilinear maps from lattices using approximate eigenvector [GSW13b], which encodes LWE
samples in short square matices of higher dimensions. However, the security of the construction
[GGH14] is also not reduced to LWE. Moreover, the efficiency of the constructions based on LWE
is lower than previous schemes. Since the GGH construction is more efficient than other schemes,
we will focus on the improvement of GGH in this paper.
We first recall the GGH construction of multilinear maps. GGH works in the polynomial rings
R  [ x]/  x n  1  and Rq  R / qR . GGH chooses a secret short g  R , and a secret
random element z  Rq . I  g  R is the principal ideal generated by g . Plaintexts are cosets
1
of R / I . To encode a coset eI  e  I , set
c / z q
with short c  eI as the encoding of eI .
Because g, z are hidden in GGH, the public parameters of GGH gave the encoding y of the
coset 1  I . So, the encoding of eI is computed as
encoding scheme, that is, e is a level- 0 encoding,
e  y q . The GGH construction is a graded
e  y q a level-1 encoding, and e  y i  q a
level- i encoding. It is easy to verify that encodings can both be added and multiplied if the
numerator norm remains smaller than q . For a level-  encoding u , the GGH can determine
whether u is the encoding of zero using the zero-testing parameter p zt . This defines a degree- 
multilinear map for level- 1 encodings.
Our results. Our main contribution is to describe a construction of multilinear maps using ideal
lattices without encoding of zero. Our construction improves GGH in two aspects. First, we modify
the zero-testing parameter of GGH. The public parameters of our construction only give some pairs
of the encoding of non-zero element and the zero-testing parameter corresponding to this non-zero
element. Second, we multiply short matrices on both sides of the public parameters. Unlike the GGH
construction, our construction does not give level-1 encodings of “ 1 ” and “ 0 ”, and cannot generate
level- 1 of given level- 0 encoding. Our construction only generates a level- 1 encoding for a
hidden level- 0 encoding, and the encoding in a sense is a deterministic encoding without
re-randomization process.
Our second contribution is to describe an asymmetric variant of our symmetric version. In our
symmetric construction, one can still compute hidden level-  encoding of zero element even if our
public parameters do not give level- 1 encodings of zero elements. This is because one can obtain
level-  encoding of zero by cross-multiplying pairs of the encodings and the zero-testing
parameters in the public parameters. To avoid this case, our asymmetric variant will not support
multiplying the encoding by the zero-testing parameter with the same index set. Thus, one cannot
generate a nontrivial level- j encoding of zero in our asymmetric version, where j  1 . Namely,
unlike GGH, there exist no easily computable quantities in our asymmetric construction.
Our third contribution is to describe the commutative variant and simplified variant of our
constructions. To guarantee the security of our construction, we must make sure that the dimension
of matrix in our construction is large enough. As a result, our construction is less practical than
previous schemes. So, one must use matrices of small dimension, and large degree polynomial ring
to improve the efficiency of our constructions. Furthermore, in the simplified variant, we really
thwart the zeroing attack problem in the GGH construction if every party in MPKE does not
cooperate.
Our forth contribution is to present a construction of multilinear map using random matrix. In
the construction, one can generate feasible level encoding with known level- 0 encoding. This
solves a drawback of the first construction, which can only generate a level- 1 encoding of a hidden
level- 0 encoding. Moreover, this variant seemly supports the subgroup membership problem and
the decisional linear problem.
Our final contribution is to describe two applications, one-round multipartite Diffie-Hellman
key exchange protocol and witness encryption based 3-exact cover problem.
Organization. We recall some background on multilinear maps in Section 2. In Section 3, we
describe our symmetric construction, and in Section 4 we provide asymmetric construction. In
Section 5, we construct the commutative variant of our constructions. In Section 6, we describe a
simplified asymmetric variant. In Section 7, we describe a construction of multilinear maps using
random matrix. In Section 8, we optimize and implement one round multipartite Diffie-Hellman key
exchange protocol. In Section 9, we describe an instance of witness encryption using a variant of our
multilinear map. Finally, we draw conclusion and open problem for this paper.
2
2 Preliminaries
2.1 Notations
We denote , ,  the ring of integers, the field of rational numbers, and the field of real
numbers. We take n as a positive integer and a power of 2. Notation
 n
denotes the set
{1, 2, , n} , and  a q the absolute minimum residual system  a q  a mod q  (q / 2, q / 2] .
Vectors and matrices are denoted in bold, such as a, b, c and A, B, C . Let I be the identity
matrix. The j -th entry of a is denoted as a j , the element of the i -th row and j -th colomn of
A is denoted as Ai , j (or A[i, j ] ). Notation a

( a
for short) denotes the infinity norm of
a . The polynomial ring [ X ]/  x  1  is denoted by R , and  q [ X ]/  x n  1  by Rq .
n
The elements in R and Rq are denoted in bold as well. Similarly, notation a q denotes each
entry (or each coefficient) ai  (  p / 2, p / 2] of a .
2.2 Lattices and Ideal Lattices
An n -dimension full-rank lattice L  

n
n
is the set of all integer linear combinations
x b i of n linearly independent vectors bi   n . If we arrange the vectors b i as the
i 1 i
columns of matrix B  
n n

, then L  Bz : z  Z
n
 . We say that
B spans L if B is a
basis for L . Given a basis B of L , we define P (B)  {Bz | z   , i : 1/ 2  zi  1/ 2}
n
as the parallelization corresponding to B . Let det(B) denote the determinant of B .
Given g  R , let I  g  be the principal ideal in R generated by g , whose  -basis
is Rot (g )  (g, x  g,..., x
n 1
 g) .
Given c   ,   0 , the Gaussian distribution of a lattice L is defined as x  L ,
n
DL , ,c   ,c (x) /  ,c ( L) , where  ,c (x)  exp( x  c /  2 ) ,  ,c ( L)   xL  ,c (x) .
2
In the following, we will write Dn , ,0 as Dn , . We denote a Gaussian sample as x  DL ,
(or d  DI , ) over the lattice L (or ideal lattice I ).
2.3 Multilinear Maps
Definition 2.1 (Multilinear Map [BS03]). For
order q , a
  1 cyclic groups G1 ,..., G , GT of the same
 -multilinear map e : G1   G  GT has the following properties:
(1) Elements
g
j
Gj
j 1,...,
, index j    , and integer a   q hold that
e( g1 ,, a  g j ,, g )  a  e( g1 , , g )
(2) Map e is non-degenerate in the following sense: if elements
g
j
Gj
j 1,...,
are
generators of their respective groups, then e( g1 , , g ) is a generator of GT .
Definition 2.2 (  -Graded Encoding System [GGH13]). A
3
 -graded encoding system over R

( )
is a set system of S  S j
 R :   R, j    with the following properties:
(1) For every index j    , the sets
S
( )
j
:   R are disjoint.
(2) Binary operations ‘  ’ and ‘  ’ exist, such that every
every u1  S
(1 )
j
and u2  S
( 2 )
j
hold that u1  u2  S
1 ,  2 , every index j    , and
(1  2 )
j
(1  2 )
and u1  u2  S j
, where
1   2 and 1   2 are the addition and subtraction operations in R respectively.
(3) Binary operation ‘  ’ exists, such that every 1 ,  2 , every index j1 , j2    with
j1  j2   , and every u1  S (j11 ) and u2  S (j2 2 ) hold that u1  u2  S (j11j2 2 ) , where 1   2
is the multiplication operation in R and j1  j2 is the integer addition.
3 Construction of symmetric multilinear maps
In this section, we first describe the symmetric construction of multilinear maps. Then we give
new hardness assumption and some known cryptanalysis for our construction.
Setting the parameters. Because our construction uses the GGH construction as the basic
component, our parameter setting is set as that of GGH to conveniently describe and compare. Let
 be the security parameter,  the multilinearity level, n the dimension of elements of R .
Concrete parameters are set as
 ( 2 ) ,
   n ,     n1.5 ,    2 , q  28 nO ( ) , n  O
  O(n 2 ) .
3.1 Construction
The starting point of our construction is to remove level- 1 encodings of zero in the public
parameters. We modify the zero-testing parameter of GGH so that the public parameters in our
construction only include some pairs of the level- 1 encoding of non-zero element and the
zero-testing parameter corresponding to this non-zero element. Moreover, we multiply both sides of
these encodings and zero-testing parameters by random short matrices. Our construction is as
follows:
 
Instance generation: (par0 )  InstGen 0 (1 ,1 ) .
8
(1) Choose a prime q  2
n O ( ) ;
(2) Choose an element g  Dn , in R so that g
1
 n2 ;
(3) Choose elements ai , ei  Dn , ' , bi  Dn , q , i    in R ;
(4) Choose a random element z  Rq so that z  Rq ;
-1
1
1
nn
(5) Choose two matrices T  Dnn , and S  Dnn , so that T , S   q ;


(6) Set Yi   TRot (

z (bi g  ei ) 
ai g  ei 1 
)S  , i    ;
)T  and Pzt ,i  TRot (
g
z
q

q
 


(7) Output the public parameters par0  q, Yi , Pzt,i , i    .
According to [GGH13], g  R, z  Rq , ai , b i , ei  R can be efficiently sampled. It is easy to
see that T, S  
1
n n
can be sampled. This is because that if det(T), det(S) are not divisible by
1
q , then T , S   nqn . Without loss of generality, assume that det(T), det(S) are uniform
over  q . Thus, the probability that T, S are invertible is about 1  O (1/q ) .
4
Generating level- 1 encoding: U  enc0 (par0 ,1, d) .

Given a random vector d  D , * , then U  
hidden level-0 encoding e=


i 1

i 1
(di  Yi )  is the level-1 encoding of
q
( d i  ei ) .
Because both sides of Yi are multiplied by matrices T, T
the scalar di can be commutative with T to obtain di  Rot (
1
respectively, Yi multiplied by
ai g  ei
) . Thus, we have
z


di (ai g  ei ) 1  
ag  e 1 

U    i 1 (di  Yi )   TRot ( i 1
)T   TRot (
)T 

q 
z
z


q

q

,
where
a= i 1 (di  ai ) and e= i 1 (d i  ei ) . That is, U is the level- 1 encoding of hidden plaintext
element e .
In our construction, one cannot directly generate the level- 1 encoding of a given level- 0
encoding since one does not know the level- 0 encoding ei encoded by Yi . Although one can


obtain a level- j encoding U j  ( Yi ) , one cannot know the level- 0 element (ei )
j
j
encoded by
U j . This point is different from the GGH construction. In the following Remark 3.1 (4), we will
discuss how to generate a level- j encoding.
Adding encodings: U  add 0 (par0 , j , U1 , , U m ) .

Given m level- j encodings U l , their sum U = 
U l  is a level- j encoding.
q
r g  e 1 

Because the level- j encoding U l is the form of U l   TRot ( l j l )T  , their sum
z

q
m
l 1
m

(rl g  el ) 1  
rg  e


U =  l 1 U l   TRot ( l 1 j
)T   TRot ( j )T1 

q 
z
z
 
q

q
m
encoding, where r=

m
is
a
level-
j
r and e= l 1 el .
m
l 1 l
Multiplying encodings: U  mul0 (par0 ,1, U1 , , U ) .
Given
 level- 1 encodings U j , their product U =  j 1 U j  is a level-  encoding.



q
rj g  e j

z
Because the level- 1 encoding U j is the form of U j  TRot (
of
 level-1 encodings is:

U =  j 1 U j 

q
r j g  e j 1 
 
)T 
  j 1 TRot (
z

q


(r j g  e j ) 1  ,

j 1

 TRot (
)T 


z

q
rg  e


 TRot (  )T1 
z

q
5

)T1  , the product
q

where e=
e , r  ( j 1 (r j g  e j )  e) / g .
j 1 j


We use T  T  I in third equation, and denote the level-  encoding U as the standard
form in the final equation.
1
Zero testing: isZero 0 (par0 , U ) .
To determine whether
rg  e


U  TRot (  )T1  is a level- 
z

q
encoding of zero,
V =  U  Pzt q is computed in  nqn and checked whether V is short:
1 if  U  P   q 3/4
zt q
isZero0 (par0 , U)  
0 otherwise
,
Pzt   i 1 ri Pzt,i
and
b= i 1 (ri bi )
and

where
r  D , .
Since

z (bg  c) 
Pzt   i 1 ri Pzt,i  TRot (
)S 
g

q

,

where
c= i 1 (ri ei ) . If U is a level-  encoding of zero, namely e  0 mod I , then we have


rg
z (bg  c) 
)S    TRot (r (bg  c))S q .
V =  U  Pzt q   TRot (  )T1  TRot (
z
g

q
For our choice of parameter,
rg  e  rg  q1/8 and T
V is not reduced modulo q , that is  V q  V . Thus, we have

 S

 n . Moreover,
V   TRot (r (bg  c))S q
 TRot (r (bg  c))S
 n 2  T Rot (r (bg  c)) S
 n3  n Rot (r ) Rot (bg  c)
n .
 n 4 2  rg  g 1 Rot (bg  c)
 n 4 2  q1/8  poly (n)  q1/ 2  poly (n)
 q 3/4
If U is a level-  encoding of non-zero element, namely e  0 mod I . Then, we have



rg  e
z (bg  c) 
rg  e
V =  U  Pzt q  TRot (  )T 1  TRot (
)S   TRot (
(bg  c))S  .
z
g
g
q

q 
By Lemma 4 in [GGH13], we have

rg  e 
 Rot ( g )   q . Thus, V  q .

q
Extraction: sk  ext 0 (par0 , U ) .
Given a level-  encoding U , U is multiplied by Pzt 


i 1
wi Pzt,i , where w  D ,
and (log q ) / 4   most-significant bits of each of the n  n entries of
ext 0 (par0 , U )  Extract(msb( U  Pzt q )) .
6
 U  Pzt q
is collected:
Because


z (bg  c) 
Pzt   i 1 wi Pzt,i  TRot (
)S  ,
g

q
where
b= i 1 wi bi

and

rg  e


c= i 1 wi ei . Assume U = TRot (  )T1  such that rg  e  q1/8 , then we have
z

q
V   U  Pzt q

rg  e 1
z  (bg  c) 
 TRot (  )T  TRot (
)S 
z
g

q

(rg  e)(bg  c) 
 TRot (
)S 
g

q
.


e
  TRot (r (bg  c))S q  TRot ( (bg  c))S 
g

q
For our parameter setting,
 TRot (r (bg  c))S q
 q 3/ 4 . By Lemma 4 in [GGH13], we have
e
Rot ( (bg  c))  q for e  0 mod I . Therefore, the extraction algorithm can correctly work.
g
Remark 3.1 (1) For our construction, different from the GGH construction, one cannot directly
generate level-1 encoding of a given level- 0 encoding, and can only generate level-1 encoding of
hidden level- 0 encoding e=


i 1
(di  ei ) . Moreover, in a sense the level-1 encoding of our
construction is deterministic, and it is no longer random and without re-randomization process.
However, we do not also find the necessity generating given level- 0 encoding or knowing concrete
level- 0 encoding in our construction.
(2) Choose   O ( n ) is to erase the structure of input encoding applying re-randomization
process in [GGH13]. Although our construction is deterministic, the process generating level-1
encoding of hidden level-0 encoding is same as the re-randomization process of the GGH
construction. The cost using large  is that the public parameter size of our construction is bigger a
2
n factor than that of GGH. We notice that  > n 2   is the lowest requirement, otherwise
attacker can directly solve d applying linear equation system.
(3) When constructing multipartite key exchange using our symmetric construction, every
participant can compute the zero testing parameter corresponding to the hidden e=
  i 1
encoded by U  



i 1
( d i  ei )
(di  Yi )  , that is, the zero testing parameter corresponding to level- 0
q
encoding e is

Pzt =   i 1 di  Pzt,i 

q



z ( i 1 di bi g   i 1 di ei ) 
)S  .
= TRot (
g


q

z (bg  e) 
)S 
= TRot (
g

q
(4) The public parameters in the above construction only contain level-1 encoding Yi of
7
non-zero element ei and its corresponding zero testing parameter Pzt,i , so level-1 encoding of
usable hidden level- 0 plaintext can be generated using the public parameter. If level- j encoding
of usable hidden level- 0 is required, then the public parameters must contain level- j encoding
a ge


Y j ,i   TRot ( j ,i j j,i )T1  of non-zero element e j ,i and its corresponding zero testing
z

q
parameter
Pzt , j ,i

z (b j ,i g  e j,i ) 
)S  .
  TRot (
g

 q
In
this
case,
given
d  D , * ,


U j    i 1 d i Y j ,i  is level- j encoding of hidden level- 0 plaintext w j   i 1 di e j ,i . Notice that

q
for a given d , hidden plaintexts w j   i 1 di e j ,i are not same for different j ’s.

(5) Pzt,i , i    or their combination Pzt can be used as zero testing parameter. In addition,
the zero testing parameter generated by random combination of Pzt,i can thwart invalid encoding
attack for only one zero testing parameter.
(6) The matrices T , S in our construction are to thwart adversary not only generating less
than level- k encoding of zero from the public parameter, but also getting the basis of the secret
principal ideal lattices in our construction. This is because Pzt,i cannot directly be multiplied. For
arbitrary i, j    , we have
P  Pzt,i  Pzt,j
z (b j g  e j ) 

z (bi g  ei )  
)S   TRot (
)S  .
  TRot (
g
g

 q 
 q

z (b j g  e j ) 
z (bi g  ei )
  TRot (
)S  TRot (
)S 
g
g

 q

Since matrix multiplication does not support commutative rule, the second numerator z in P
cannot be canceled by multiplying a level- 2 encoding. Therefore, we may sample b i  Dn , '
nO ( ) to decrease by half the size of the public parameter. Moreover, using z
guarantees that Pzt,i can only be used as the zero-testing for a level-  encoding.
and set q  2
4
n n
(7) One can choose T, S   q
1
1
n n
so that T , S   q
, t , s  Dn , ' . One sets

a g  ei 1 
z (bi g  ei ) 

t*  tT T1 , s* = S 1s , Yi  TRot ( i
)T  and Pzt ,i  TRot (
)S  . Now,
g
z

q

q
the zero-testing and extraction algorithm are modified as follows:
*
*
3/4
1 if t  U  Pzt  s  q  q
;
isZero 0 (par0 , U )  
0 otherwise
ext 0 (par0 , U )  Extract(msb( t *  U  Pzt  s*  )) .
q
To improve efficiency, one can also use p zt ,i   Pzt ,i  s  instead of Pzt ,i in the public
q
parameters.
3.2 Security
*
Similar as the previous constructions [GGH13, CLT13, LSS14], the security of our construction
cannot be reduced to classic hardness assumptions. In [GGH13], the security of GGH is defined as
8
the hardness assumptions of graded computational Diffie-Hellman (GCDH) and graded decisional
Diffie-Hellman (GDDH). That is, given the public parameters and   1 level- 1 encodings of
random elements, it is unfeasible to generate a level-  encoding of their product or distinguish it
from random elements. Langlois, Stehlé and Steinfeld[9] introduced the hardness assumptions
ext-GCDH/ext-GDD, which is variant of GCDH/GDDH defined in [GGH13]. The security of our
construction relies on new hardness assumption ext-GCDH/ext-GDDH. In the following, we
adaptively define the ext-GCDH/ext-GDDH in [LSS14] to our construction.
Consider the following security experiment:
 
(1) par0  InstGen 0 (1 ,1 )
(2) For j  0 to
:
Sample r j , w j  D , * ;
Generate level-1 encoding of hidden d j 
 j 1

(3) Compute U  
*


i 1
w j ,i ei : U j    i 1 w j ,i Yi  .

q

Uj .
q
(4) Compute VC  VD   U Pzt  , where Pzt  
q

*

(5) Compute VR   U Pzt _ rand  , where Pzt _ rand  
q

*

i 1
w0,i Pzt ,i  .
q


r Pzt ,i  .
q
i 1 0,i
Definition 3.2 (ext-GCDH/ext-GDDH). According to the above experiment, the ext-GCDH and
ext-GDDH are defined as follows:
Level-  extraction CDH (ext-GCDH): Given par0 , U 0 , , U  , output a level-  extraction
n n
encoding W   q
such that
 VC  W q

 q 3/ 4 .
par0 , U 0 ,, U , V , distinguish
Dext  RAND  par0 , U 0 , , U , VR  .
Level-  extraction DDH (ext-GDDH): Given
Dext GDDH  par0 , U 0 , , U , VD  and
between
In our construction, the ext-GCDH is harder than the ext-GDDH. This is because given
V   Dext GDDH , Dext  RAND  , one can compute W using the oracle of solving ext-GCDH, and
further determine V .
It is easy to verify that breaking our construction is harder than breaking the GGH construction.
If there exists an algorithm A which breaks our construction, then there exists an algorithm B
using A , which breaks the GGH construction. This is because one can sample the matrices T, S ,
generate the public parameters of our construction using the instance generation, and call A to
solve the corresponding problem.
In the following, we will show that the matrices of both sides of the public parameters cannot
be removed only using arithmetic operations.
 


Lemma 3.3 Given the public parameters par0  q, Yi , Pzt,i , i   
of our symmetric
construction, using arithmetic operations cannot remove the matrices, which are multiplied on both
sides of Yi , Pzt,i .


Proof. (1) By the instance generation algorithm InstGen 0 (1 ,1 ) , both sides of Yi , Pzt,i are
multiplied by matrices T , T
1

and X1  T1X S , X 2  T2 X S 2 with X , X
'
1 1
'
2

and T , S , respectively. (2) Assume X1 , X 2  Yi , Pzt,i , i   
'
1
'
2
generated by some principal ideal lattices. It is
obvious that both sides of the results X1  X 2 , X1  X 2 have the matrices if addition or
9
subtraction operations can be supported. For multiplication, the left and right sides of X1  X 2 will
1
1
have T1 and S 2 respectively. Similarly, both sides of X 2  X1 , X1  ( X 2 ) , ( X1 )  X 2 also
have random matrices. (3) Using recursive method, we show that arbitrary arithmetic operations
over Yi , Pzt,i cannot remove the matrices of both sides of generating result. □
3.3 Cryptanalysis
In this subsection, we describe easily computable quantities in our construction, and then
analyze possible attacks for our construction using these quantities.
Easily computable quantities. Because Yi , Pzt,i encode the same level-0 encoding ei , for
arbitrary i, j , t    with i  j , one can compute Vi , j ,t as follows:
Vi , j ,t
  Yt  1 (Yi  Pzt,j  Y j  Pzt,i ) 
q


a g  e j z (bi g  ei )  .
a g  et  1
a g  ei z (b j g  e j )
))  ( Rot ( i
)  Rot ( j
))S 
 T( Rot ( t


z
z
g
z
g

 q
 T( Rot (at g  et )) 1  Rot (ai b j g  ai e j  b j ei  a j bi g  a j ei  bi e j )S 
q
According to our parameter setting, it is easy to see that Vi , j ,t is not reduced modulo q ,
nn
using different combinations
namely  Vi , j ,t   Vi , j ,t . Thus, one can obtain many Vi , j ,t  
q
i, j , t    . These Vi , j ,t ’s have the form Vi , j ,t  T( Rot (ri , j ,t g  ei , j ,t ))S .
Compute the norm of ideal. By computing the determinant det(Vi , j ,t ) of Vi , j ,t , one can
obtain the norm of the ideal at g  et using GCD algorithm. When knowing the norm p , one
factors x  1 
n
at g  et

n
i 1
( x   i ) mod p , and solves the generator of the principal ideal lattice
generated by two element ( p,  i ) . If at g  et can be solved, then our construction is
broken. This is because given a1g  e1 and a 2 g  e 2 , one solves the matrix T
by
Vi , j ,1 (Vi , j ,2 ) 1  T((a1g  e1 )(a 2 g  e 2 ) 1 )T 1 . Using the same method, one also obtains S .
However, there currently exists no efficient algorithm which solves short generator of principal ideal
lattice for large enough n .
Eigenvalue attack [CHL+14]. Because Vi , j ,t  T( Rot (ri , j ,t g  ei , j ,t ))S  TEi , j ,t S , one can
generate
Vi , j ,t (Vi ', j ',t ' ) 1  TEi , j ,t (Ei ', j ',t ' ) 1 T 1
However, the matrices Ei , j ,t (Ei ', j ',t ' )
1
and
(Vi ', j ',t ' ) 1 Vi , j ,t  S 1 (Ei ', j ',t ' ) 1 Ei , j ,t S .
1
and (Ei ', j ',t ' ) Ei , j ,t are not diagonal. Therefore, the attack
in [CHL+14] cannot work for this case.
Lattice reduction attack. Given Vi , j ,t , one can obtain the bases of the lattices generated by
T and S . However, at present there exists no efficient algorithm, which computes T and S for
large dimension n . Without loss of generality, assume that T'  T  C1 and S'  C2  S are the
bases of the lattices generated by T and S , where C1 , C2 are unimodular matrices, one can
1
compute ( Vi , j ,t )'  (T' ) Vi , j ,t (S' )
1
remove the matrices (C1 ) , (C2 )
1
1
 (C1 ) 1 ( Rot (ri , j ,t g  ei , j ,t ))(C2 ) 1 . However, one cannot
of both sides of ( Vi , j ,t )' . Thus, one cannot get the principal
ideal ri , j ,t g  ei , j ,t in Vi , j ,t .
10
  i 1
Lattice reduction attack for level-1 encoding. Because U  

(di  Yi )  , then the
q
  i 1
entry U j ,t  

di  Yi , j ,t  , j , t   n  . Thus, U j ,t , Yi , j ,t , q consist of a generalizing subset
q
sum problem. However, for large  there exist no efficient algorithm, which solves this
generalizing subset sum problem. Moreover, it is easy to verify that one cannot also use linear
2
equation system to solve d i , i    since   n   .
4 Construction of asymmetric multilinear maps
Although our symmetric construction does not give level- 1 encoding of zero, one can also
generate level-  encodings of zero by using the public parameters. In this section, we describe a
construction of asymmetric multilinear maps to avoid any non-zero level encoding of zero.
4.1 Construction
In our symmetric construction, the level-  encodings of zero is generated by
cross-multiplying the level- 1 encoding and the zero-testing parameter in the public parameters. If in
a scheme, its level- 1 encoding cannot multiply by the zero-testing parameter belonging to same
group, then the level-  encodings of zero cannot be generated. Therefore, the starting point of our
work is to construct an asymmetric version, which assigns “index set” to the encodings and the
zero-testing parameters in the public parameter. As a result, an encoding and a zero-testing parameter
cannot be multiplied if their “index sets” are identical. Our asymmetric construction is as follows:
 
Instance generation: (par1 )  InstGen1 (1 ,1 )
8
(1) Choose a prime q  2
n O ( ) ;
(2) Choose g  Dn , such that g
1
 n2 ;
(3) Choose a j ,i , e j ,i  Dn , ' , b j ,i  Dn , q , j   , i    ;
(4) Choose random elements z j  Rq , j    such that z j  Rq ;
1
(5) Choose matrices S j  Dnn , , j  {0,1,...,  } such that S j   q , j    ;
1

(6) Set z j  (
*

t 1
n n
z t ) / z j , j    , and Tj  S j , j  {0,1,...,   1} , T  (S ) 1 .
For j    , i    ,
set Y j,i


z*j (b j,i g  e j,i ) 1 
a j ,i g  e j,i 1 
)Tj  , P j,i  Tj 1 Rot (
 Tj 1 Rot (
) Tj  .
g
zj

 q

 q
 


(7) Output the public parameter par1  q, Y j,i , P j,i , j   , i    .
 j : U j  enc1 (par1 ,  j , d) .

index-  j encoding of hidden e j = i 1 ( di  e j,i )
Generating encodings with index
Given d  D , * , an
is computed as

a g  e j 1 


)Tj  , where a j   i 1 (di a j ,i ) .
U j    i 1 (di  Y j,i )   Tj 1 Rot ( j

q 
zj
 q

Adding encodings with index S   j  t  \  j  : U S  add1 (par1 , U S ,1 , , U S , m ) .
  l 1
Given m encodings U S ,l , l   m  with index S , their sum U S = 
encoding with index S .
Multiplying encodings: U S  mul1 (par1 , S , U j 1 , , U j t ) .
1
11
1
m
U S ,l  is an
q
t
Given
U j
encodings
j  S   j1  t  \  j1 
for
,
their
product
U S =  U j1 1   U j1 t  is an encoding with index S   j1  t  \  j1  .
q
Zero testing: isZero1 (par1 , U S ) .
For simplicity, we assume S    1 . To determine whether U S with index S is an
encoding of zero, V =  U S  P  
n n
 q is computed in  q and checked whether V is short:

1 if  U  P   q 3/4

 S    q
isZero1 (par1 , U S )  
,
0 otherwise
where P  


r P ,i and r  D , .
i 1 i

a jg  e j

zj
For j  S    1 , assume U j  Tj 1 Rot (

)Tj 1  , then we have
 q


 1
ag  e
U S =  j 1 U j  = T1 Rot ( * )(T 1 ) 1  ,

q 
z
q
where e =

 1
j 1
e j , a  ( j 1 (a j g  e j )  e) / g .
 1



z* (bg  c)
P    i 1 ri P ,i  T 1 Rot ( 
)(T ) 1 
g

q
Since
,
where
c =  i 1 ri e ,i ,

b   i 1 ri b ,i , then we have

V =  U S  P  
q


z* (bg  c)
ag  e
 T0 Rot ( * )(T 1 ) 1  T 1 Rot ( 
)T 
z
g

q
.


ag  e
(bg  c))(T ) 1 
 T0 Rot (
g

q


ag  e
 S 0 Rot (
(bg  c))S 
g

q
If U S is an encoding of zero, namely e  0 mod I , then V is not reduced modulo q and

ag  e 
)  q by Lemma 4 in [GGH13].
V is small. Otherwise, e  0 mod I , and  Rot (
g  q

Hence, P  is a zero testing parameter of U S with index S    1 .
For S   j ,1  j   , one can determine whether U S is an encoding of zero. Without loss
of generality, assume U S1 is an arbitrary encoding with index S1    \  j  1 , and
P j 1   i 1 ri P j 1,i

is
a
random
zero-testing
parameter
for
US
.
Then
V =  U S  P j 1  U S1  is computed and checked V  q 3/4 .
q
Similarly, for other index S   j1  t  \  j1 , S    , one can determine whether U S is an
12
encoding of zero by using Pt , t   j1  .
Extraction: sk  ext1 (par1 , U S1 , U S2 ) .
Let S1  1,..., j  1 , S 2   j  1,...,   . Given index- S1 encoding U S1 and index- S 2
encoding U S2 , V   U S1  P j  U S2 

q
is computed, where P j 


r P j,i , r  D ,
i 1 i
and (log q ) / 4   most-significant bits of each entry of the n  n -matrix V is collected:
ext1 (par1 , U S1 , U S2 )  Extract(msb(  U S1  P j  U S2  )) .
q
Remark 4.1 (1) Because both sides of them are multiplied by random matrices in our asymmetric
construction, the encodings that have same index can be added, and the encodings that have adjacent
index can be multiplied. (2) One cannot generate any level non-trivial encoding of zero using the
public parameter in our construction. Although Y j,i , P j,i encode the same coset of R / I , they
cannot be cross-multiplied since Y j,i P j,i - Y j,i P j,i is not an encoding of zero. (3) When
1
2
2
1
constructing one-round multipartite Diffie-Hellman key exchange using our asymmetric scheme, the

j -th party generates an index-  j encoding U j    i 1 (d j,i  Y j,i )  and the corresponding

q

zero-testing parameter P j  

 i1 d j ,i Tj 1Rot (

z*j (b j ,i g  e j,i )
g

)(Tj ) 1  . Given U1 ,..., U  ,
 q
the j -th party computes V   U1  U j 1  P j  U j 1  U 
 q and extracts the common bit

string by using Extract(msb(V )) .
4.2 Security
Currently, we cannot also reduce the security of our asymmetric construction to classical
hardness assumptions. The security of our construction relies on new hardness assumption.
Consider the following security experiment:
 
(1) par1  InstGen1 (1 ,1 ) .
(2) For j  1 to
:
Sample r j , w j  D , * ;
Generate
 j -index encoding of hidden
d j   i 1 w j ,i e j ,i :


U j    i 1 w j ,i Y j,i  .

q

(3) Set U 1  
 1
j 1
U j  .
q
(4) Set VC  VD   U 1P   , where P   

q


(5) Set VR   U 1P _ r  , where P _ r  


q


i 1
w ,i P ,i  .
q
r P ,i  .
q
i 1  ,i
Definition 4.2 (ext-GCDH/ext-GDDH). According to the above experiment, the ext-GCDH and
ext-GDDH are defined as follows:
Extraction GCDH (ext-GCDH): Given
W   nqn such that
 VC  W q
Extraction
(ext-GDDH):
GDDH

par , U  ,, U  , output an extraction encoding
1

1
 q 3/ 4 .
Given
par , U  ,, U  , V
1
13
1

,
distinguish
between

Dext GDDH  par1 , U1 , , U  , VD



and Dext  RAND  par1 , U1 , , U  , VR .
5 Commutative Variant
In our symmetric/asymmetric construction, the dimension n requires to be large enough to
guarantee security and   n   is the lowest requirement to avoid algebraic equation attack. As
a result, the public parameter size of our construction is larger than that of GGH. To decrease the
public parameter size, we use polynomial ring instead of the ring of integers. Moreover, we will also
use polynomial drowning method of Rényi divergence which is used in the security analysis of
[LLS14].
y
m
y
m
We use R  [ y ]/  y  1  and Rq   q [ y ]/  y  1  instead of  and  q for
2
our symmetric/asymmetric constructions. It is easy to verify that our constructions are still correct
under this case.
O (1)
Let  be the security parameter, m  
and n constant number (e.g. n  2, 4,8 ), and
  n 2  1 . Let R yx  R y [ x]/  x n  1  and Rqyx   q [ y ][ x]/  y m  1  x n  1  . In this
denote the infinity norm of v  ( a1 ,..., a n ) for a  R .
yx
section, we let a
For completeness, we adaptively describe the commutative variant of the symmetric
construction in Section 3.1 as follows:
 
Instance generation: (par2 )  InstGen 2 (1 ,1 ) .
8
(1) Pick a prime q  2
n O ( ) ;
(2) Choose g  Dnm , over R
1
yx
1
such that g
 n2 ,
where g  [ y ][ x]/  y  1  x  1  ;
m
n
(3) Choose ai , b i , ei  Dnm , * , i    over R ;
yx
(4) Choose randomly z  Rq over Rq
yx
such that z  Rq ;
-1
y n n
(5) Choose matrices T  Dnnm , ' , S  Dnnm , ' over ( R )


(6) For i    , set Yi  TRot (
y n n
over ( Rq )
y
1
y n n
so that T  ( Rq )
;

z (bi g  ei ) 
ai g  ei 1 
)S 
)T  and Pzt ,i  TRot y (
g
z
q

q
;
 


(7) Output the public parameter par2  q, Yi , Pzt,i , i    .
Generating level- 1 encoding: U  enc 2 (par2 ,1, di ) .
Given

  i 1

elements di  Dm , * , then U  
hidden level-0 encoding e=


i 1
(di  Yi )  is a level-1 encoding of
q
(di  ei ) .
Adding encodings: U  add 2 (par2 , j , U1 , , U m ) .

Given m level- j encodings U l , their sum U = 
m
l 1
U l  is a level- j encoding.
q
Multiplying encodings: U  mul 2 (par2 ,1, U1 , , U ) .
Given
 level-1 encodings U j , their product U =  j 1 U j  is a level-  encoding.


Zero testing: isZero 2 (par2 , U ) .
14
q
rg  e


U  TRot (  )T1  is a level- 
z

q
To determine whether
encoding of zero,
V =  U  Pzt q is computed in ( Rqy ) nn and checked whether V is short:
1 if  U  P   q 3/4
zt q
,
isZero 2 (par2 , U)  
0 otherwise
where Pzt 


r  Pzt,i , ri  Dm , .
i 1 i
Extraction: sk  ext 2 (par2 , di , U ) .
Given a level-
 encoding U , U is multiplied by Pzt   i 1 (di  Pzt,i ) and

(log q) / 4   most-significant bits of each coefficient of each entry in  U  Pzt q is collected:
ext 2 (par2 , di , U)  Extract(msb( U  Pzt q )) .
Similarly, we can construct the commutative variant of our asymmetric multilinear maps in
Section 4.1.
6 Simplified variant of asymmetric construction
In this section, we give a simplified variant of our asymmetric multilinear maps using
polynomial ring, instead of the ring of integers, to reduce the public parameter size. In fact, our
simplified variant sets S i  I for our asymmetric construction in Section 4.1.
Our simplified asymmetric construction is an asymmetric variant in [GGH13]. In a sense, our
asymmetric simplified variant is an extension of the multilinear Jigsaw puzzles [GGH+13a]. The
main difference is that our construction modifies the zero-testing parameter, which also encodes the
hidden plaintext encoded by the level- 1 encoding. Hence, in our construction, one can generate
level- 1 encoding of hidden plaintext, which can be used according to the corresponding zero-testing
parameter. Moreover, the aim setting b j ,i  Dn , q is to guarantee that one cannot generate any
level nontrivial encoding of zero for our asymmetric simplified variant. When implementing, we use
polynomial drowning method of Rényi divergence which is used in the security analysis of [LLS14]
and set  =2 , to reduce the public parameter size.
For completeness, we give our simplified variant as follows:
 
Instance generation: (par3 )  InstGen 3 (1 ,1 )
8
(1) Choose a prime q  2
n O ( ) ;
(2) Choose g  Dn , such that g
1
 n2 ;
(3) Choose a j ,i , e j ,i  Dn , ' , b j ,i  Dn , q , j   , i    ;
(4) Choose random element z j  Rq , j    such that z j  Rq ;
1

(5) Set z j  (
*

t 1
z t ) / z j , j    . For j    , i    ,
 a j ,i g  e j,i 
 z*j (b j,i g  e j,i ) 

,
p


 ;
 j,i
g
zj

 q

 q
set y j,i  
 


(6) Output the public parameter par3  q, y j,i , p j,i , j   , i    .
Generating encodings: u i  enc3 (par3 ,  j , d) .
15
Given d i  Dn , * , i    , an index-  j encoding of hidden e j =


i 1
(di  e j,i ) is
a g  e j 

(di  y j,i )    j
, where a j   i 1 (d i  a j ,i ) .

q  z j 

q
Adding encodings: u S  add 3 (par3 , u S ,1 , , u S ,m ) .
computed as u j  



i 1
  l 1
Given m encodings u S ,l , l   m  with index S    , their sum u S = 
m
u S ,l  is
q
an index- S encoding.
Multiplying encodings: u S1  S2  mul3 (par3 , u S1 , u S2 ) .
encodings u S1 , u S2
Given
with index
S1 , S 2   , S1  S 2   , their product
u S1  S2 = u S1  u S2  is an encoding with index S  S1  S2 .
q
Zero testing: isZero3 (par3 , u S ) .
Assume S    1 . To determine whether u S with index S is an encoding of zero,
v = u S  p  
is computed in Rq and checked whether
q
v is short:
1 if u  p   q 3/4

 S    q
,
isZero3 (par3 , u S )  
0 otherwise
where p  


r  p ,i with ri  Dn , .
i 1 i
Extraction: sk  ext 3 (par3 , u S ) .
Given an encoding u S with index S  [1,   1] , u S is multiplied by a zero-testing
parameter p  with p  


r  p ,i , ri  Dn , , and (log q) / 4   most-significant
i 1 i
bits of each coefficient of u S  p  

 q is collected:
ext 3 (par3 , u S )  Extract(msb( u S  p   )) .
q
The correctness of the simplified variant follows from the correctness of the asymmetric
construction in the Section 4. In the following we show that the simplified variant is optimal.
Lemma 6.1 Suppose that every party does not cooperate in the MPKE protocol based on the
simplified asymmetric variant, then one cannot generate a quantity that is not reduced modulo q
from the public parameters.
Proof. Since every party does not cooperate, then the j -th party has merely a list of y j,i , p j,i
for index
 j . Because
y j,i , p j,i encode the same coset e'j ,i  e j,i  I of R / I , thus
u   y j,i1 p j,i2  y j,i2 p j,i1 
q
 z*j (a j ,i1 b j,i2 g  a j ,i1 e j,i2  b j,i2 e j,i1  a j ,i2 b j,i1 g  a j ,i2 e j,i1  b j,i1 e j,i2 ) 

 .
zj

 q
 z* b 
 j j
 z j  q
16
 z*j bt 
 ,t  j .
 g  q
To cancel the denominator z j of u , one must multiply u by some pt  
However, by b j ,i  Dn ,
we know
q
b j  q and bt  q . Thus, v  u  u'  pt 
q
must be reduced modulo q , where u' is an arbitrary rational function of y j,i , p j,i .
On the other hand, since y j ,i , y j ,i with different index encode the different hidden coset
1
2
e'j1 ,i  e j1 ,i  I , e'j2 ,i  e j2 ,i  I , one cannot obtain an encoding of zero using arithmetic operations
for them. Similarly, one cannot obtain a zero-testing encoded zero from p j ,i , p j ,i .□
1
2
Lemma 6.2 Given the public parameters of any multilinear map with noise, one can always generate
a quantity that is not reduced modulo q from the public parameters.
Proof. Given the public parameters of any multilinear map with noise, one can simulate the MPKE
protocol to generate   1 encodings u i with corresponding level- 0 ai . Then, encodings
a1  i  2 ui
 1
a 1  i 1 ui

and
have
same
0
level-
encoding.
Namely,
a1  i  2 ui  a 1  i 1 ui is a level-  encoding of zero. Thus, using zero-testing parameter, one
 1

can obtain a quantity that is not reduced modulo q .
□
Therefore, for our simplified variant, one can only compute a easily quantity that does not
include the factor of the secret element g . As a result, one cannot generate a basis of g .
7 Multilinear map using random matrix
For the above constructions, one can only use plaintext element of level- 1 encoding, which is
hidden in zero-testing parameter. In the following, we improve the construction in Section 3 by
modifying zero-testing parameter. In this new construction, one can generate usable level- 0
encoding of arbitrary feasible level encoding.
To improve security, we use two countermeasures in our construction. (1) g is set as the
product of m coprime elements; (2) plaintext is graded by using f . In fact, we currently do not
find feasible attacks for our construction when m  1 , f  1 . It is easy to verify that the
countermeasures can also be used in the above constructions.
Setting the parameters. Let  be the security parameter,  the multilinearity level, n the
dimension of elements of R . Concrete parameters are set as
   n ,     n1.5 ,    2 ,
 ( 2 ) ,   O(n 2 ) .
q  216 nO ( ) , m  2 , n  O
7.1 Construction


Instance generation: (par4 )  InstGen 4 (1 ,1 ) .
16
n O ( ) ;
(2) Choose elements f  Dn , ' , g j  Dn ,
(1) Choose a prime q  2

, h j  Dn ,
q
, j   m  in R , and set
g   j 1 g j so that g j ’s are coprime and g j 1  n ;
m
(3) Choose elements ai , b i , ei  Dn , ' , i    in R ;
(4) Choose a random element z  Rq so that z  Rq ;
-1
1
1
n n
(5) Choose two matrices T, S  Dnn , so that T , S   q ;
17


(6) Set Yi  TRot (
ai g  ei f 1 
)T  , Xi  S 1 Rot (bi g  ei )S  , i    ;
q
z
q
(7) Set Pzt  TRot ( z



m
j 1
h j g j 1 )S  ;
q


(8) Output the public parameters par4  q, Yi , Xi i  , Pzt .


It is easy to prove that InstGen 4 (1 ,1 ) runs in polynomial time.
Generating level- t encoding: U  enc 4 (par4 , t , d) .

Given a random vector d  D , * , then U  

level- 0 encoding E= 

i 1

i 1
di  (Yi )t  is a level- t encoding of
q
d i  ( X i )t  .
q
ai g  ei f t 1  
ai' g  (ei )t f t 1 

) T   TRot (
)T  , we have
Since ( Yi )  TRot (
z
zt

q 
q
t
U    i 1 di  (Yi )t 

q




d a' g   i 1 di (ei )t f t 1 

i 1 i i
  TRot (
)T  ,
zt


q

ag  ef t 1 
  TRot (
)T 
zt

q
where a=


i 1
di  ai' and e= i 1 d i  (ei )t .

Since ( Xi )  S Rot (b i g  ei ) S   S Rot (b i g  (ei ) )S  , we have
q
q
t
1
1
t
'
t



E=   i 1 di  ( Xi )t   S 1 Rot ( i 1 di bi' g   i 1 di (ei )t )S   S 1 Rot (bg  e)S  ,
q

q 
q
where b=


i 1
di  bi' and e= i 1 di  (ei )t .

Thus, U is a level- t encoding of the level- 0 encoding E .
Adding encodings: U  add 4 (par4 , t , U1 , , U k ) .

Given k level- t encodings U l , their sum U = 
k
l 1
U l  is a level- t encoding.
q

rl'g  el' f t 1 
)T  , their sum
Because the level- t encoding U l is the form of U l  TRot (
zt

q
m

(rl'g  el' f t ) 1  
rg  ef t 1 

l
U =   l 1 U l   TRot ( 1 t
)T   TRot (
)T 
t

q 
z
z

q

q 
m
encoding, where r=

is a level- t
r and e= l 1 el' .
m
'
l 1 l
m
Multiplying encodings: U  mul 4 (par4 ,1, U1 , , U k ) .

Given k level- 1 encodings U l , their product U = 
k
l 1
U l  is a level- k encoding.
q

rl'g  el' f 1 
)T  , the product
Because the level- 1 encoding U l is the form of U l   TRot (
z

q
18
of k level-1 encodings is:
k
U =  l 1 U l 

q
 k
r 'g  el' f 1 
  l 1 TRot ( l
)T 
z

q
k

(r 'g  el' f ) 1  ,

j 1 l
 TRot (
)T 


zk

q

rg  ef k 1 
 TRot (
)T 
zk

q

where e=
e' , r  ( l 1 (rl'g  el' )  e) / g .
l 1 l
k
k
Zero testing: isZero 4 (par4 , U, R ) .
Given a level-

 encoding U  TRot (

rg  ef  1 
)T  and a level- 0 encoding
z
q

R    i 1 ri Xi  , to determine whether U is a level-  encoding of zero, V =  U  Pzt  R q

q
n n
is computed in  q
and checked whether
V is short:
1 if  U  P  R   q 3/4
zt
q
.
isZero 4 (par4 , U)  
0 otherwise
If U is a level-  encoding of zero, namely e  0 mod g j . By g j ’s are coprime, we obtain
e  r'g . So, we have
V   U  Pzt  R q



m
rg  r'gf  1
 TRot (
)T  TRot (z   j 1 h j g j 1 )S   i 1 ri Xi 

z

q

m
 TRot ((rg  r'f  g)( j 1 h j g j 1 )( i 1 ri bi g  ri ei ))S 

q
.
m
 TRot ((r  r'f  )( j 1 h j  g / g j )(b'g  e' ))S 

q
For our choice of parameter, r  r'f

 q1/8 , b'g  e'  nO (1) and T
Moreover, V is not reduced modulo q , that is
 V q  V . So,
19

 S

 n .
m
V  TRot ((r  r'f  )( j 1 h j  g / g j )(b'g  e' ))S 

q
 TRot ((r  r'f  )( j 1 h j  g / g j )(b'g  e' ))S
m
 n3  T Rot ((r  r'f  ) j 1 h j  g / g j ) Rot (b'g  e' ) S
m
 n 4  n Rot (r  r'f  ) Rot ( j 1 h j  g / g j )  nO (1)  n .
m
 nO (1) 2  q1/8  m  Rot (h j  g / g j )
 nO (1) 2  q1/8  poly (n)  q1/2  poly (n)
 q 3/4
If U is a level-  encoding of non-zero element, namely j   m  , e  0 mod g j . Thus,
we have
V =  U  Pzt  R q


m
rg  ef  1

)T  TRot (z  j 1 h j g j 1 )S   i 1 ri Xi 
 TRot (

z

q
.
m
 TRot (rg  ef  ) Rot ( j 1 h j g j 1 ) Rot (b'g  e' )S 

q



m
m h j ef (b'g  e' )
 TRot (rg(b'g  e' ) j 1 h j g j 1 )S  TRot ( j 1
)S 
gj

 q
By Lemma 4 in [GGH13], we have TRot (

m
j 1
h j ef  (b'g  e' )
gj
)S  q . Thus, V  q .
Extraction: sk  ext 4 (par4 , U, R ) .
Given a level-
 encoding U and a level- 0 encoding R    i 1 ri Xi  , U is

q
multiplied by Pzt  R , and (log q ) / 4   most-significant bits of each of the n  n entries of
 U  Pzt  R q

is collected:
ext 4 (par, U, R )  Extract 4 (msb( U  Pzt  R q )) .
Assume

rg  ef  1 
U   TRot (
)T 
z

q
,
R  S 1 Rot (b'g  e' )S
such
that
rg  ef   q1/8 , b'g  e'  nO (1) . So, we have
V =  U  Pzt  R q



m
m h j ef (b'g  e' )
1
 TRot (rg(b'g  e' ) j 1 h j g j )S  TRot ( j 1
)S 
gj

 q



 
m
m h j ef (b'g  e' )
1


  TRot (rg (b'g  e' ) j 1 h j g j )S  TRot ( j 1
)S  
q 
gj


 q  q

20
.
TRot (rg (b'g  e' ) m h j g j 1 )S   q 3/4 . By Lemma 4 in
j 1

q
For our parameter setting,



m h j ef (b'g  e' )
)S   q when j   m  , e  0 mod g j .
[GGH13], we have TRot ( j 1
gj

 q
Thus, the extraction algorithm can correctly work.
Remark 7.1 (1) We can transform the above n  n -dimensional matrix in the final result into
k1  k2 -dimensional matrix to damage the structure of the principal ideal lattice problem. One
n n
randomly chooses T, S   q
with
k1  k2  n   .

Then
1
1
nn
such that T , S   q , and T1  Dk1n , , S1  Dnk2 ,

one
T*  T1T1 , S* = S 1S1 ,
computes
and
output
par4  q, Yi , Xi i  , Pzt , T* , S* . Now, we modify the zero-testing and extraction algorithm as
follows:
1 if  T*  U  P  R  S*   q 3/4

zt

q
;
isZero 4 (par4 , U, R )  
 0 otherwise
ext 4 (par4 , U, R )  Extract(msb( T*  U  Pzt  R  S*  )) .
q
By cross-multiplication, we can get that V   T  U  Pzt  R  S   T1 Rot (r )S1 is not
*
*
q
reduced modulo q . It is easy to see that the integer Vi , j  f ti ,s j ( Rot (r ))  t i  Rot (r )  s j is a
function defined by vectors t i , s j , where t i is the i -th row of T1 , and s j is the j -th column
of S1 . Even if Vi , j is not reduced modulo q , one cannot find usable quantities from some
integers Vi , j since t i , s j , r all are unknown.
(2) From (1), we know V  T1 Rot (r )S1 have removed the structure of the principal ideal
lattice problem. Thus, we conjecture that the SubM problem is hard in our encoding scheme. For the
SubM problem, let R j  R / g j R , G  R1   Rm , and G1  0  R2   Rm . Let Zi
(1)
be level-1 encodings of elements from G , and Z i
be level-1 encodings of elements from G1 .
When generating encoding U  enc(par, t , d, r ) , we replace Yi with Zi or Z i . The
(1)
subgroup membership problem is to distinguish between U  enc(par, t , d, r ) using Zi and
U1  enc(par, t , d1 , r1 ) using Zi(1) . By the above analysis, V ( ) has erased the structure of
principal ideal lattice problem. That is, one cannot distinguish between U and U1 .
Based on same reason, we conjecture that the DLIN problem is hard in our encoding scheme.
w w
and their encodings
For the DLIN problem, given a matrix of elements A  (ai , j )  R
matrix T  (enc(par, t , ai , j , r )) , the DLIN problem is to distinguish between rank w and rank
w  1 matrices A .
(3) Notice that one can remove R from the zero-testing and extraction algorithm above.
Using R is to define the security of our construction and present one round multipartite
Diffie-Hellman key exchange in the following.
7.2 Security
We first consider the following security experiment:
21


(1) par4  InstGen 4 (1 ,1 )
:
(2) For l  0 to
Sample rl , dl  D , * ;

Generate level-1 encoding of El  

(3) Set U  

j 1

i 1

dl ,i Xi  : U l    i 1 dl ,i Yi  .
q

q
Uj .
q
(4) Set VC  VD   U  Pzt  E0 q .
(5) Set VR   U  Pzt  R 0 q , where R 0  


r Xi  .
q
i 1 0,i
Definition 7.2 (ext-GCDH/ext-GDDH). According to the above experiment, the ext-GCDH and
ext-GDDH are defined as follows:
Level-  extraction CDH (ext-GCDH): Given par4 , U 0 , , U  , output a level-  extraction
n n
encoding W   q
such that
 VC  W q

 q 3/ 4 .
par4 , U 0 ,, U , V , distinguish
Dext  RAND  par4 , U 0 , , U , VR  .
Level-  extraction DDH (ext-GDDH): Given
Dext GDDH  par4 , U 0 , , U , VD  and
between
7.3 Cryptanalysis
We describe easily computable quantities for the construction of multilinear map using random
matrix, and analyze possible attacks using these quantities.
Easily computable quantities. While Yi , Xi encode same level-0 encoding ei , they are
multiplied by the matrices T, S . One must use zero-testing parameter Pzt to obtain non-reduced
quantities. For arbitrary i, j , t    with i  j , one can compute Vi , j ,t as follows:
Vi , j ,t
  Yt  1 (Yi  Pzt  X j  Y j  Pzt  Xi ) 
q
m
 TRot ((at g  et f ) 1   l 1 hl g l1 ((ai g  ei f )(b j g  e j )  (a j g  e j f )(bi g  ei )))S  ,

q
m
 TRot ((at g  et f ) 1   l 1 hl g l' (ai b j g  ai e j  b j ei f  a j b i g  a j ei  bi e j f )S 

q
 TRot ((at g  et f ) 1  i , j )S 
where g l  g / g l ,  i , j 
'

m
l 1
q
hl g l' (ai b j g  ai e j  b j ei f  a j bi g  a j ei  b i e j f .
By the parameter setting, it is easy to see that Vi , j ,t is not reduced modulo q , namely
 Vi , j ,t   Vi , j ,t .
q
Similarly, one can compute
22
Vi , j ,t1 ,t2
  Yt1 k1 Yt2  1 k1 (Yi  Pzt  X j  Y j  Pzt  Xi ) 
.
q
 TRot ((at1 g  et1 f ) k1 (at2 g  et2 f ) 1 k1  i , j )S 
So, one can obtain many non-reduced matrices Vi , j ,t1 ,t2  
n n
q
using different combinations
i, j , t1 , t2    .
Compute the norm of ideal. By computing the determinant det(Vi , j ,t1 ,t2 ) of Vi , j ,t1 ,t2 , one
can obtain the norm p of ideal at g  et f using GCD algorithm. When knowing the norm p ,
one factors x  1 
n
lattice
a t g  et f

n
i 1
( x   i ) mod p , and solves a short generator of the principal ideal
generated by two elements ( p,  i ) . If at g  et f can be solved, then our
construction is broken. Given a1g  e1f and a 2 g  e 2f , one can solve the matrix T by
Vi , j ,1 (Vi , j ,2 ) 1  T((a1g  e1f )(a 2 g  e 2f ) 1 )T1 . Using same method, one can also get S .
However, there currently exists no efficient algorithm which solves short generator of principal ideal
lattice for large enough n .
Notably, the easily computable quantities above cannot be computed if we use the variant in
Remark 7.1.
8 One round multipartite Diffie-Hellman key exchange
In this section, we first describe the construction of one round multipartite Diffie-Hellman key
exchange protocol using commutative variant and asymmetric variant of ideal lattices. Then we
optimize and implement one round multipartite Diffie-Hellman key exchange protocol.
8.1 Construction
8.1.1 Construction based on commutative variant
We describe the construction of one round multipartite Diffie-Hellman key exchange using our
symmetric commutative variant as follows:
Setup(1 ,1N ) . Output (par2 )  InstGen 2 (1 ,1 ) as the public parameters. Let N    1 ,


par3  q, Yi , Pzt,i  , i   
Publish(par2 , p zt , j ) . The j -th party samples d j ,i  Dm , * , i    , computes and publishes
U j    i 1 (d j,i  Yi )  .

q

KeyGen(par2 , j , d j ,i , U k k  j ) . The j -th party computes C j   k  j U k and extracts the
common secret key sk  ext(par2 , d j ,i , C j )  Extract(msb( C j  (



i 1
d j ,i  Pzt,i )  )) .
q
Theorem 8.1 Suppose the ext-GCDH/ext-GDDH defined in Section 3.2 is hard, then our
construction is one round multipartite Diffie-Hellman key exchange protocol.
Proof. The proof is similar as Theorem 2 in [GGH13].□
8.1.2 Construction based on simplified asymmetric variant
We describe the construction of one round multipartite Diffie-Hellman key exchange using our
simplified asymmetric variant as follows:
23
Setup(1 ,1N ) . Output (par3 )  InstGen 3 (1 ,1 ) as the public parameters. Let N   ,
 


par3  q, y j,i , p j,i , j   , i   
Publish(par2 , j ) . The j -th party samples d j ,i  Dn , * , i    , computes and publishes

u j    i 1 (d j,i  y j,i )  .

q
 
KeyGen(par3 , j , d j ,i , uk
k j
) . The j -th party computes u S j   k  j uk , S j      j
and extracts the common secret key sk  ext(par3 , d j ,i , u S j ) .
Theorem 8.2 Suppose the ext-GCDH/ext-GDDH defined in Section 4.2 is hard, then our
construction is one round multipartite Diffie-Hellman key exchange protocol.
Proof. The proof is similar as Theorem 2 in GGH13.□
8.2 Implementation
8.2.1 Implement the construction based on the commutative variant
We implement our one round multipartite Diffie-Hellman key exchange protocol using NTL
[Sho09].
Setting parameters. Let  be the security parameter, m  O ( ) , n  2, 4 ,   5,17 ,
N   1  7
R y  [ y ]/  y m  1 
,
R yx  R y [ x]/  x n  1 
,
yx
m
n
Rq   q [ y ][ x]/  y  1  x  1  . When setting concrete parameters, the coefficients
.
Let
g j , ai , j , bi , j , ei , j  R y in g, ai , bi , ei  R yx are satisfied to g j  ai , j  bi , j  ei , j  1 ,
y n n
the entry of the matrices S, T  ( R )
is satisfied to
y 
invertible over Rq . Random sampling d j  ( R )
parameters,
we
first
is satisfied to d j ,i  1 . After sampling these
V = T( Rot (g  i 1 d j ,i ai ) 1 )S

compute

Si , j  Ti , j  3 , and S, T are

over
( R y ) n n
and
l  q1 , q1  max Vi , j | i, j   n  , then set l   , (20    25) as the bit length of modulo
q . When extracting common bits, we only extract one bit from each coefficient. As a result, the
20
probability that the common bits for all parties are inconsistent is about O (2 ) .
Table 1: The parameters of implementing the protocol based on the commutative variant
n
m

l

|q|
pk size
Setup
Publish
Key generation
Security
time
time
time
estimation
2
128
5
70
20
90
167KB
18.1s
0.1s
0.17s
50
2
256
5
79
21
100
342KB
84.2s
0.2s
0.33s
60
2
512
5
88
22
110
709KB
263.1s
0.4s
2.86s
70
2
1024
5
97
23
120
1518KB
1520.5s
1.0s
11.5s
80
4
64
17
70
20
90
972KB
20.9s
0.2s
0.21s
50
4
128
17
79
21
100
2198KB
100.4s
0.4s
1.23s
60
4
256
17
88
22
110
4814KB
330.5s
1.0s
5.87s
70
4
512
17
97
23
120
10325KB
1650.5s
2.0s
92.8s
80
24
Remark 8.3. (1) All algorithms run over single processor (Intel Xeon E5620 4-core CPU, 2.4GHz).
1
1
1
In setup stage, solving g , z , T is the most cost time computation. (2) Notation q denotes
the bit length of q . (3) Security estimation is the time computing approximate short vector of a
lattice using BKZ [CN11].
8.2.2 Implement the construction based on the simplified asymmetric variant
Setting parameters. Let
 be the security parameter, n  O( ) ,   2 , N    7 . Let
R  R[ x]/  x  1  , Rq   q [ x]/  x n  1  . When choosing the parameters, their coefficients
n
g j , ai , j , bi , j , ei , j  R in g, ai , bi , ei  R are satisfied to

Random sampling d j  ( R )
compute
v = (g  i 1 d j ,i ai )

g j  ai , j  b i , j  ei , j  1 .
is satisfied to d j ,i  1 . After choosing these parameters, we first
R
over
and
l  q1 , q1  max  v i | i   n  , then set
l   , (20    30) as the bit length of modulo q . When extracting common bits, we only
extract one bit from each coefficient. As a result, the probability that the common bits for all parties
20
are inconsistent is about O (2 ) .
Table 2: The parameters of implementing the protocol based on the simplified asymmetric variant
l

256
73
512
n
Key generation
Security
time
estimation
0.05s
0.3s
50
228.1s
0.10s
1.1s
60
1.0MB
1750.8s
0.30s
2.8s
70
2.1MB
15682.6s
0.65s
5.8s
80
|q|
pk size
Setup time
Publish time
20
93
210KB
17.1s
84
21
105
469KB
1024
92
23
115
2048
103
23
126
 z*j b j 


Remark 8.4. Because u = y  j,i p j,i  y  j,i p j,i

 by Lemma 6.1, u must be
1
2
2
1 q

 z j  q
z*j z *t r
multiplied by some pt , t  j to remove z j . Assume v' = u  pt 
. Under this case,
zj
* *
one requires to multiply two times for almost every index encoding to cancel numerator z j z t . By
our parameter setting, we have (g


i 1
d j ,i ai ) 2  q . Thus, setting bi , j  1 , one cannot still
obtain a nontrivial quantity which is not reduced modulo q .
9 Witness Encryption
Garg, Gentry, Sahai, and Waters [GGSW13] constructed an instance of witness encryption based on
the NP-complete 3-exact cover problem and the GGH map. However, Hu and Jia [HJ15a] have
broken the GGH-based WE. Furthermore, one cannot construct a witness encryption scheme by
directly using our construction according to a comment [HJ15b]. Thus, in this section, we present an
instance of WE based on a variant of our multilinear map.
Different from that in [GGSW13], the ciphertext in our scheme does not include encodings of
zero.
9.1 Construction
3-Exact Cover Problem [GGH13, Gol08] Given a collection Set of subsets T1 , T2 ,..., T
25
of
 K   1, 2,..., K 
such that K  3 and Ti  3 , find a 3-exact cover of
 K .
For an
instance of witness encryption, the public key is a collection Set , and the secret key is a hidden
3-exact cover of
 K .
Encrypt (1 , par, M ) :


(1) The algorithm generates Yi   TRot (

and X j   TRot (


ai g  ei 1 
hz  
)T  , Pzt  TRot (
)S  , i    ,
g
z
q

q

)T1  , j     , where g  Dn , , z  Rq , ai , ei  Dn , ' , i    ,
z
q
c jg
c j  Dn , ' , j     , T  Dnn , , and S  Dnn , .
(2) For k   K  , sample d k  DZ  , , rk  D  , * and generate level- 1 encodings


U k    i 1 d k ,i Yi   j 1 (rk,j  X j )  .

q

(3) Compute U  
U k  and sk  Ext(Pzt , U)  Extract(msb(UPzt ) , and encrypt
q
a message M into ciphertext C , where I is the identity matrix.
(4) For each element Ti  i1 , i2 , i3  , sample rTi  D , * , and generate a level- 3 encoding
K
k 1


3

UTi   U i1 U i2 U i3   j 1 rTi ,j ( X j )  . Let E  UTi , Ti  Set .

 q
(5) Output the ciphertext CT  (q, C , E , Pzt ) .
Decrypt (CT ,W ) :
U  .
 Ti W Ti  q
(2) Generate sk  Ext(Pzt , U )  Extract(msb(UPzt ) , and decrypt C to a message M .
(1) Given CT and a witness set W , compute U  
Similar to [GGSW13], the security of our construction depends on the hardness assumption of
the Decision Graded Encoding No-Exact-Cover.
Theorem 9.1 Suppose that the Decision Graded Encoding No-Exact-Cover is hard. Then our
construction is a witness encryption scheme.
It is easy to verify that the Hu-Jia attacks [HJ15a, HJ15b] are prevented in our new
construction.
10 Conclusion and open problem
In this paper, we describe an improved construction of multilinear maps from ideal lattices,
multiplying by matrices the level-1 encoding of non-zero element. The security of our construction
depends upon new hardness assumption, which is seemly closely related to hardness problems of
lattices. We also describe an asymmetric construction to avoid any nontrivial encoding of “0”.
Furthermore, we describe one-round multipartite Diffie-Hellman key exchange protocol and an
instance of witness encryption using our construction and the variant.
The security of all current schemes relies on hardness assumption, which cannot be reduced to
classical hardness problem. An open problem is to reduce the security of our construction of
multilinear maps to classical hardness problem.
References
[BF03]
D. Boneh and M. K. Franklin. Identity-based encryption from the Weil pairing, SIAM
26
Journal on Computing, 32(3):586–615, 2003.
[BGG+14] D. Boneh, C. Gentry, S. Gorbunov, S. Halevi, V. Nikolaenko, G. Segev, V.
Vaikuntanathan, and D. Vinayagamurthy. Fully keyhomomorphic encryption, arithmetic
circuit abe and compact garbled circuits. EUROCRYPT 2014, LNCS 8441, pp. 533-556.
[BR14] Z. Brakerski and G. N. Rothblum. Virtual black-box obfuscation for all circuits via generic
graded encoding. TCC 2014, LNCS 8349, pp. 1-25.
[BS03] D. Boneh and A. Silverberg. Applications of multilinear forms to cryptography.
Contemporary Mathematics, 324:71–90, 2003.
[BWZ14] D. Boneh, D. J. Wu, and J. Zimmerman. Immunizing multilinear maps against zeroizing
attacks. http://eprint.iacr.org/2014/930.
[BZ14]D. Boneh and M. Zhandry. Multiparty key exchange, efficient traitor tracing, and more from
indistinguishability obfuscation. CRYPTO 2014, LNCS 8616, pp. 480-499.
[CHL+14] J. H. Cheon, K. Han, C. Lee, H. Ryu, D. Stehle. Cryptanalysis of the Multilinear Map
over the Integers. http://eprint.iacr.org/2014/906.
[CN11] Y. Chen and P. Q. Nguyen. BKZ 2.0 Better Lattice Security Estimates, ASIACRYPT 2011,
LNCS 7073, pp. 1–20.
[CLT13] J. S. Coron, T. Lepoint, and M. Tibouchi. Practical multilinear maps over the integers.
CRYPTO 2013, LNCS 8042, pp. 476–493.
[CLT14] J. S. Coron, T. Lepoint, and M. Tibouchi. Cryptanalysis of two candidate fixes of
multilinear maps over the integers. http://eprint.iacr.org/2014/975.
[CLT15] J. S. Coron, T. Lepoint, and M. Tibouchi. New Multilinear Maps over the Integers.
http://eprint.iacr.org/2015/162.
[GGH13] S. Garg, C. Gentry, and S. Halevi. Candidate multilinear maps from ideal lattices.
EUROCRYPT 2013, LNCS 7881, pp. 1–17.
[GGH14] C. Gentry, S. Gorbunov, S. Halevi. Graph-induced Multilinear Maps from Lattices.
http://eprint.iacr.org/2014/645.
[GGH+13a] S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, and B. Waters. Candidate
indistinguishability obfuscation and functional encryption for all circuits. FOCS 2013,
pp.40-49.
[GGH+13b] S. Garg, C. Gentry, S. Halevi, A. Sahai, and B. Waters. Attribute-based encryption for
circuits from multilinear maps, CRYPTO (2) 2013, LNCS 8043, 479-499.
[GGH+14] S. Garg, C. Gentry, S. Halevi, and M. Zhandry. Fully secure functional encryption
without obfuscation. http://eprint.iacr.org/2014/666.
[GHM+14] C. Gentry, S. Halevi, H. K. Majiy, A. Sahaiz. Zeroizing without zeroes: Cryptanalyzing
multilinear maps without encodings of zero. http://eprint.iacr.org/2014/929.
[GSW13a] S. Garg, C. Gentry, A. Sahai, and B. Waters. Witness encryption and its applications.
STOC 2013, pp. 467-476.
[GSW13b] C. Gentry, A. Sahai and B. Waters. Homomorphic encryption from learning with errors:
Conceptually-simpler, asymptotically-faster, attribute-based. CRYPTO (1) 2013, LNCS
8042, pp. 75-92.
[HAO14] R. Hiromasa, M. Abe and T. Okamoto. Multilinear Maps on LWE. SCIS 2014, pp. 1-8.
[HIL+99] J. Hastad, R. Impagliazzo, L. A. Levin, and M. Luby. A pseudorandom generator from
any one-way function. SIAM Journal on Computing, 1999, 28(4):1364-1396.
[HJ15a] Yupu Hu and Huiwen Jia. Cryptanalysis of GGH Map. http://eprint.iacr.org/2015/301.
[HJ15b] Yupu Hu and Huiwen Jia. A Comment on Gu Map-1. http://eprint.iacr.org/2015/448.
[HPS98] J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: a ring based public key cryptosystem.
27
ANTS 1998, LNCS 1423, pp. 267-288.
[Jou00]
A. Joux. A one round protocol for tripartite Diffie-Hellman. ANTS 2000, LNCS 1838, pp.
385–394.
[LSS14] A. Langlois, D. Stehlé, and R. Steinfeld, GGHLite: More Efficient Multilinear Maps from
Ideal Lattices, EUROCRYPT 2014, LNCS 8441, 2014, pp. 239–256.
[PTT10] C. Papamanthou, R. Tamassia, and N. Triandopoulos. Optimal authenticated data structures
with multilinear forms. Pairing 2010, LNCS 6487, pp. 246–264.
[Rot13]
R. Rothblum. On the circular security of bit-encryption. TCC 2013, LNCS 7785, 2013, pp.
579–598.
[RS09]
M. Rückert and D. Schröder. Aggregate and verifiably encrypted signatures from
multilinear maps without random oracles. ISA 2009, LNCS 5576, pp. 750–759.
[Sho09] V. Shoup. NTL: A Library for doing Number Theory. http://shoup.net/ntl/, Version 5.5.2,
2009. 2009.08.14.
[Sma03]
Smart, N.P. An identity based authenticated key agreement protocol based on the Weil
pairing, Electronics Letters, 38(13), pp. 630-632, 2002.
[SOK00]
R. Sakai, K. Ohgishi and M. Kasahara. Cryptosystems based on pairing, the 2000
Symposium on Cryptography and Information Security, Okinawa, Japan, 2000.
[SS11] D. Stehlé and R. Steinfeld. Making NTRU as secure as worst-case problems over ideal
lattices, EUROCRYPT 2011, LNCS 6632, pp. 27–47.
28