Cryptanalysis of CLT13 Multilinear Maps with Independent Slots

Abstract

Many constructions based on multilinear maps require independent slots in the plaintext, so that multiple computations can be performed in parallel over the slots. Such constructions are usually based on CLT13 multilinear maps, since CLT13 inherently provides a composite encoding space, with a plaintext ring \(\bigoplus _{i=1}^n \mathbb {Z}/g_i\mathbb {Z}\) for small primes \(g_i\)’s. However, a vulnerability was identified at Crypto 2014 by Gentry, Lewko and Waters, with a lattice-based attack in dimension 2, and the authors have suggested a simple countermeasure. In this paper, we identify an attack based on higher dimension lattice reduction that breaks the author’s countermeasure for a wide range of parameters. Combined with the Cheon et al. attack from Eurocrypt 2015, this leads to the recovery of all the secret parameters of CLT13, assuming that low-level encodings of almost zero plaintexts are available. We show how to apply our attack against various constructions based on composite-order CLT13. For the [FRS17] construction, our attack enables to recover the secret CLT13 plaintext ring for a certain range of parameters; however, breaking the indistinguishability of the branching program remains an open problem.

A Proofs

1.1 A.1 Proof of Lemma 4

Let \(\mathcal {B} = \{(B\varvec{u}_j,v_j) : 1 \le j \le \ell +1\}\) be a basis of L. We show that the vectors \(\{\varvec{u}_j : 1 \le j \le \ell \}\) corresponding to the first \(\ell \) vectors, must necessarily be linearly independent over \(\mathbb {R}\). For the sake of contradiction, we assume they are linearly dependent. For every vector \((B\varvec{u}_j,v_j)\) (with \(1 \le j \le \ell \)), we consider the associated vector \(\varvec{p}_{\varvec{u}_j,v_j}\). By assumption, the vectors \(\{\varvec{p}_{\varvec{u}_j,v_j} : 1 \le j \le \ell \}\) belong to the lattice generated by the vectors \(\{\varvec{q}_i : 1 \le i \le \theta \}\), so there are integers \(\beta _{ij} \in \mathbb {Z}\) such that \( \varvec{p}_{\varvec{u}_j,v_j} = \sum _{i=1}^{\theta } \beta _{ij} \varvec{q}_i \) for every \(1 \le j \le \ell \). The definition of the vectors \(\{\varvec{q}_i : 1 \le i \le \theta \}\) gives \( \varvec{p}_{\varvec{u}_j,v_j} = (C\beta _{1j}g_1,\ldots ,C\beta _{\theta j}g_{\theta }, -\sum _{i=1}^{\theta } \beta _{ij}s_i) \) for every \(1 \le j \le \ell \); and from the definition of the vector \(\varvec{p}_{\varvec{u}_j,v_j}\), we conclude by equalizing the components, the relations

$$\begin{aligned} \beta _{ij} g_i =\langle \varvec{u}_j , \hat{\varvec{m}_i} \rangle \end{aligned}$$

(26)

and

$$\begin{aligned} - \sum _{i=1}^{\theta } \beta _{ij} s_i = \langle \varvec{u}_j, \varvec{R} \rangle + v_j \end{aligned}$$

(27)

for every \(1 \le j \le \ell , 1 \le i \le \theta \). Combining Eqs. (26) and (27) gives

$$\begin{aligned} v_j = -\sum _{i=1}^{\theta } \frac{s_i}{g_i} \langle \varvec{u}_j, \hat{\varvec{m}_i} \rangle -\langle \varvec{u}_j, \varvec{R} \rangle , \ 1 \le j \le \ell \end{aligned}$$

This implies that if the vectors \(\{\varvec{u}_j: 1\le j \le \ell \}\) are linearly dependent over \(\mathbb {R}\), then also the vectors \(\{(B \varvec{u}_j , v_j ) : 1 \le j \le \ell \}\) are linearly dependent over \(\mathbb {R}\), which contradicts the fact that \(\mathcal {B}\) is a basis of L.    \(\square \)

1.2 A.2 Proof of Proposition 5

Let \(\varvec{a}=(\alpha _1,\ldots ,\alpha _{\theta },1) \in \mathbb {Z}^{\theta +1}\). We let \(C=2^{\rho _R-\alpha +1}\) and consider the lattice \(A^{\perp }\) of vectors \((C\varvec{x},y) \in \mathbb {Z}^{\theta }\times \mathbb {Z}\) such that \((\varvec{x},y)\) is orthogonal to \(\varvec{a}\) modulo \(x_0\). Further, we let \(B=\theta 2^{\rho _R+2}\) and let \(L \subseteq \mathbb {Z}^{\ell +1}\) denote the lattice of vectors \((B\varvec{u},v) \in \mathbb {Z}^{\ell }\times \mathbb {Z}\) such that the vector \((\varvec{u},v)\) is orthogonal to the vector \((\varvec{\omega },1)\) modulo \(x_0\).

Let \(\varLambda ^{\perp }\) be the lattice of vectors \(\varvec{u} \in \mathbb {Z}^{\ell }\) such that \(\langle \varvec{u},\hat{\varvec{m}_i} \rangle \equiv 0 \pmod {g_i}\) for all \(1 \le i \le \theta \). We denote by \(\varvec{u}_0\) a shortest non-zero vector of \(\varLambda ^{\perp }\). We write \(\langle \varvec{u}_0, \hat{\varvec{m}_i}\rangle = k_i g_i\) with \(k_i \in \mathbb {Z}\). To \(\varvec{u}_0\) we thus associate the vector \(F(\varvec{u}_0)=(B\varvec{u}_0, -\sum _{i=1}^{\theta } k_i s_i - \langle \varvec{u}_0,\varvec{R} \rangle )\). From the definition of \(\varvec{\omega }\) and the congruence relations \(g_i \alpha _i \equiv s_i \pmod {x_0}\), we have that \((\varvec{u}_0,-\sum _{i=1}^{\theta } k_is_i - \langle \varvec{u}_0,\varvec{R} \rangle )\) is orthogonal to \((\varvec{\omega },1)\) modulo \(x_0\), and therefore \(F(\varvec{u}_0) \in L\).

Letting \(g=\prod _{i=1}^{\theta } g_i\), we now show that \(F(\varvec{u}_0)\) has square norm upper bounded by

$$\begin{aligned} \Vert F(\varvec{u}_0) \Vert ^2\le & {} (\ell +1) B^2 \Vert \varvec{u}_0 \Vert ^2 \le \ell (\ell +1) B^2 g^{2/\ell }. \end{aligned}$$

(28)

Indeed, we write \(\Vert F(\varvec{u}_0) \Vert ^2 \le B^2 \Vert \varvec{u}_0 \Vert ^2 + (\sum _{i=1}^{\theta } |k_i s_i| + \Vert \varvec{u}_0 \Vert \Vert \varvec{R} \Vert )^2\). From \(\Vert \hat{\varvec{m}_i} \Vert \le \sqrt{\ell } 2^{\alpha }\), we obtain \(2^{\alpha -1}|k_i|\le |k_i| g_i \le \Vert \varvec{u}_0 \Vert \Vert \hat{\varvec{m}_i} \Vert \le \sqrt{\ell } 2^{\alpha } \Vert \varvec{u}_0 \Vert \); i.e. \(|k_i| \le 2\sqrt{\ell }\Vert \varvec{u}_0 \Vert \) for all i. Combined with \(\Vert \varvec{R} \Vert \le \sqrt{\ell } \Vert \varvec{R} \Vert _{\infty } \le \sqrt{\ell }2^{\rho _R}\), this gives

$$\sum _{i=1}^{\theta } |k_is_i| + \Vert \varvec{u}_0 \Vert \Vert \varvec{R} \Vert \le \sqrt{\ell } \Vert \varvec{u}_0 \Vert \cdot (2^{\rho _R+1} \theta + 2^{\rho _R}) \le \sqrt{\ell } \Vert \varvec{u}_0 \Vert (2\cdot 2^{\rho _R+1}\theta ) = \sqrt{\ell } B \Vert \varvec{u}_0 \Vert $$

Therefore, \(\Vert F(\varvec{u}_0) \Vert ^2 \le B^2 \Vert \varvec{u}_0 \Vert ^2 + \ell B^2 \Vert \varvec{u}_0 \Vert ^2 = (\ell +1) B^2 \Vert \varvec{u}_0 \Vert ^2\). Now, since \(\varvec{u}_0\) has length \(\lambda _1(\varLambda ^{\perp })\), it follows from Minkowski’s Theorem that \(\Vert \varvec{u}_0 \Vert \le \sqrt{\ell } g^{1/\ell }\) where \(g=\det (\varLambda ^{\perp })\), and (28) easily follows.

Let \(\varvec{x}_1=(B\varvec{u}_1,v_1)\) be the first vector in a (3/4)-reduced basis of the lattice L, obtained from LLL. By Theorem 3, it satisfies \(\Vert \varvec{x}_1 \Vert \le 2^{\ell /2} \Vert F(\varvec{u}_0) \Vert \), that is, combined with (28), \(\Vert \varvec{x}_1 \Vert \le 2^{\ell /2} \sqrt{\ell (\ell +1)} B g^{1/{\ell }}\). In particular, we obtain the bounds

$$\begin{aligned} \Vert \varvec{u}_1 \Vert \le 2^{\ell /2} \sqrt{\ell (\ell +1)} \cdot g^{1/\ell } \end{aligned}$$

(29)

$$\begin{aligned} |v_1| \le 2^{\ell /2} B \sqrt{\ell (\ell +1)} \cdot g^{1/\ell } . \end{aligned}$$

(30)

For simplicity we write \(K=2^{\ell /2} \sqrt{\ell (\ell +1)} g^{1/\ell }\). Now, to the vector \(\varvec{x}_1 \in L\), we associate, for C as above, the vector \(f(\varvec{x}_1)= (C\langle \varvec{u}_1,\hat{\varvec{m}_1} \rangle , \ldots , C\langle \varvec{u}_1,\hat{\varvec{m}_{\theta }} \rangle , \langle \varvec{u}_1,\varvec{R} \rangle + v_1) \in A^{\perp }.\) Because \((B\varvec{u}_1,v_1) \in L\), it is a direct check that \(f(\varvec{x}_1) \in A^{\perp }\). Its square norm is upper bounded by

$$ \Vert f(\varvec{x}_1) \Vert ^2 \le C^2 \sum _{i=1}^{\theta } \Vert \varvec{u}_1 \Vert ^2 \Vert \hat{\varvec{m}_i} \Vert ^2 + (\Vert \varvec{u}_1 \Vert \Vert \varvec{R} \Vert + v_1)^2 . $$

Using once again that \(\Vert \hat{\varvec{m}_i} \Vert \le 2^{\alpha }\sqrt{\ell }\) and \(\Vert \varvec{R}\Vert \le 2^{\rho _R} \sqrt{\ell }\), and combining with (29) and (30), we obtain

$$\begin{aligned} \Vert f(\varvec{x}_1) \Vert ^2\le & {} C^2 K^2 \cdot \theta \ell 2^{2 \alpha } + (K\sqrt{\ell } 2^{\rho _R}+KB)^2 \le C^2 K^2 \cdot \theta \ell 2^{2 \alpha } + (2 K \sqrt{\ell } B)^2 \\= & {} K^2 \ell (C^2 \theta 2^{2\alpha }+4B^2) \end{aligned}$$

so that, using \(C^2 \theta 2^{2\alpha }\le B^2=16 \theta ^2 2^{2\rho _R}\), this gives

$$\begin{aligned} \Vert f(\varvec{x}_1) \Vert \le 4\sqrt{5} \cdot \sqrt{\ell } \cdot \theta \cdot K \cdot 2^{\rho _R} . \end{aligned}$$

(31)

We now consider the vectors \(\{\varvec{q}_i:1 \le i \le \theta \}\) defined by \(\varvec{q}_i = (0,\ldots 0,Cg_i,\) \(0,\ldots ,0,-s_i) \in \mathbb {Z}^{\theta +1}\). They are linearly independent; moreover, from the congruence relations \(g_i \alpha _i \equiv s_i \pmod {x_0}\) for \(1 \le i \le \theta \) we deduce that for all i, \(\langle \varvec{q}_i, \varvec{a} \rangle \equiv 0 \pmod {x_0}\); i.e. \(\varvec{q}_i \in A^{\perp }\). Further, as \(|s_i|\le 2^{\rho _R}\), their norm is upper bounded by \(\Vert \varvec{q}_i \Vert ^2 \le C^2 g_i^2 + 2^{2\rho _R} \le C^2 g_i^2 + C g_i^2 \le 2 C^2 g_i^2 \) because \(Cg_i \ge 2^{\rho _R-\alpha +1} \cdot 2^{\alpha -1} = 2^{\rho _R}\). Consequently,

$$\begin{aligned} \prod _{i=1}^{\theta } \Vert \varvec{q}_i \Vert \le 2^{\theta /2} C^{\theta } \prod _{i=1}^{\theta } g_i = 2^{\theta /2} C^{\theta } g . \end{aligned}$$

(32)

Now, (17) together with \(g \le 2^{\alpha \theta }\), implies \( (1 + 1/\ell ) \log _2(g) + (\ell +\theta )/2 + \log _2(4\sqrt{5}\sqrt{\ell +1} \theta \ell ) < \log _2(x_0)-\rho _R \) and, by raising to the power of 2, we obtain \( g^{1+1/{\ell }} \cdot 2^{\ell /2} \cdot 2^{\theta /2} \cdot 4\sqrt{5}\sqrt{\ell +1} \theta \ell < x_0/2^{\rho _R} \). This is equivalent to

$$\begin{aligned} g^{1/{\ell }} \cdot 2^{\ell /2} \cdot 2^{\rho _R} \cdot 4\sqrt{5}\sqrt{\ell +1} \cdot \theta \ell < \frac{C^{\theta } x_0}{C^{\theta } 2^{\theta /2} g}. \end{aligned}$$

(33)

The left hand side is lower bounded by \(\Vert f(\varvec{x}_1) \Vert \) by (31), and the right hand side is upper bounded by \(\det (A^{\perp })/\prod _{i=1}^{\theta } \Vert \varvec{q}_i \Vert \), by (32) together with \(\det (A^{\perp })=C^{\theta }x_0\). Therefore (33) implies \(\Vert f(\varvec{x}_1) \Vert < \det (A^{\perp })/\prod _{i=1}^{\theta } \Vert \varvec{q}_i \Vert \). It follows from Lemma 2 that \(f(\varvec{x}_1)\) is in the linear span generated by the vectors \(\{\varvec{q}_i : 1 \le i \le \theta \}\). Since \(g_i\) are distinct prime numbers and \(\gcd (s_i,g_i) = 1\) for \(1\le i \le \theta \), we conclude that \(f(\varvec{x}_1)\) is in the sublattice generated by the vectors \(\{\varvec{q}_i : 1 \le i \le \theta \}\). Consequently, for all \(1 \le i \le \theta \), one has \(\langle \varvec{u}_1, \hat{\varvec{m}_i} \rangle \equiv 0 \pmod {g_i}\).

The rows \(\{\varvec{b}_j:1\le j \le \ell +1\}\) of the matrix

$$ \begin{bmatrix} B \varvec{I}_{\ell } &{} -\varvec{\omega }^T \\ 0 &{} x_0 \end{bmatrix}, $$

where \(\varvec{I}_{\ell }\) denotes the \(\ell \times \ell \) identity matrix, form a \(\mathbb {Z}\)-basis of L. Hence, by running LLL on this matrix with \(\delta =3/4\), we obtain a vector \(\varvec{x}_1\) of which the first \(\ell \) entries, divided by B, produce a vector \(\varvec{u}=\varvec{u}_1\) satisfying \(\langle \varvec{u}_1, \hat{\varvec{m}_i} \rangle \equiv 0 \pmod {g_i}\) for all i. By Theorem 3, the algorithm terminates in polynomial time.    \(\square \)