Self-Bilinear Map on Unknown Order Groups from Indistinguishability Obfuscation and Its Applications

Takashi Yamakawa; Shota Yamada; Goichiro Hanaoka; Noboru Kunihiro

doi:10.1007/s00453-016-0250-8

Algorithmica

December 2017, Volume 79, Issue 4, pp 1286–1317 | Cite as

Self-Bilinear Map on Unknown Order Groups from Indistinguishability Obfuscation and Its Applications

Authors
Authors and affiliations

Takashi YamakawaEmail author
Shota Yamada
Goichiro Hanaoka
Noboru Kunihiro

Article

First Online: 22 November 2016

Received: 26 June 2015

Accepted: 09 November 2016

Abstract

A self-bilinear map is a bilinear map where the domain and target groups are identical. In this paper, we introduce a self-bilinear map with auxiliary information which is a weaker variant of a self-bilinear map, construct it based on indistinguishability obfuscation and prove that a useful hardness assumption holds with respect to our construction under the factoring assumption. From our construction, we obtain a multilinear map with interesting properties: the level of multilinearity is not bounded in the setup phase, and representations of group elements are compact, i.e., their size is independent of the level of multilinearity. This is the first construction of a multilinear map with these properties. Note, however, that to evaluate the multilinear map, auxiliary information is required. As applications of our multilinear map, we construct multiparty non-interactive key-exchange and distributed broadcast encryption schemes where the maximum number of users is not fixed in the setup phase. Besides direct applications of our self-bilinear map, we show that our technique can also be used for constructing somewhat homomorphic encryption based on indistinguishability obfuscation and the $\varPhi $-hiding assumption.

Keywords

Self-bilinear map Indistinguishability obfuscation Multilinear map Factoring assumption

This is a preview of subscription content, to check access.

Notes

Acknowledgements

We would like to thank the anonymous reviewers of CRYPTO 2014 and Algorithmica. We thank members of the study group “Shin-Akarui-Angou-Benkyou-Kai” for their helpful comments. Especially, we would like to thank Satsuya Ohata for his instructive comment on self-bilinear maps, and Takahiro Matsuda and Jacob Schuldt for their detailed proofreading. We also thank Kenny Paterson for his valuable comments. The second author was supported by a JSPS Fellowship for Young Scientists during this work.

Appendix: Multi-bit Variant

In the construction of a self-bilinear map with auxiliary information which is given in Sect. 4, we can obtain only 1-bit hardcore function for the MHDH assumption. Here, we modify the construction so that we can obtain k-bit hardcore function for any integer k (which is polynomially bounded in $\lambda $). The idea of our multi-bit variant is similar to that of the Blum–Blum–Shub pseudorandom number generator [6].

Construction

The construction of our multi-bit variant $\mathcal {SBP}_{\mathsf {Mult}}$ is as follows.

$\mathsf {InstGen}(1^{\lambda })\rightarrow {\mathsf {params}}=(N,g)$ : It runs $\mathsf {RSAGen}(1^{\lambda })$ to obtain (N, P, Q), chooses Open image in new window and outputs $\mathsf {params}:=(N,g)$. ${\mathsf {params}}$ defines the underlying group $G:={\mathbb {QR}}_N^+$, the self-bilinear map as $e(g^{x},g^{y})=g^{2^{k}xy}$ and $\mathrm{Approx}(G)=(N-1)/4$. For an integer x and $\ell \in \mathbb {N}$, a set $T_{x}^{\ell }$ is defined as $T_{x}^{\ell }=\{i{\mathcal {O}}(M_\ell , C_{N,2^{k}x};r): C_{N,2^{k}x}\in \mathcal {C}_{N,2^{k}x} \text{ such } \text{ that } |C_{N,2^{k}x}|\le M_\ell , r\in \{0,1\}^*\}$, where $M_\ell $ is defined later.
$\mathsf {AIGen}({\mathsf {params}}, \ell ,x)\rightarrow \tau _{x}$ : It takes the canonical circuit $\tilde{C}_{N,2^{k}x}\in \mathcal {C}_{N,2^{k}x}$, sets $\tau _{x}\leftarrow i{\mathcal {O}}(M_\ell ,\tilde{C}_{N,2^{k}x})$ and outputs $\tau _{x}$.
$\mathsf {Map}({\mathsf {params}},g^{x},\tau _{y})\rightarrow e(g^{x},g^{y})$ : It computes $\tau _y(g^{x})$ and outputs it. (Recall that $\tau _y$ is a circuit that computes the $2^{k}y$-th power for an element of ${\mathbb {QR}}_N^+$.)
$\mathsf {AIMult}({\mathsf {params}}, \ell , \tau _{x}, \tau _{y})\rightarrow \tau _{x+y}$ : It computes $\tau _{x+y}\leftarrow i{\mathcal {O}}(M_{\ell },\mathsf {Mult}(\tau _x,\tau _y))$ and outputs it.

Definition of $M_\ell $ $M_\ell $ represents an upper bound of the size of a circuit which is obfuscated by $i{\mathcal {O}}$ when auxiliary information with level $\ell $ is generated (by $\mathsf {AIGen}$ or $\mathsf {AIMult}$). It can be defined recursively as follows. We let $M_1:= \max _{x\in [(N-1)/4]}\{|\tilde{C}_{N,2^{k}x}|\}$ and $M_{\ell +1}:=2\mathsf {poly}(M_{\ell },\lambda )+|C_{\mathsf {Mult}}|$ for $\ell \ge 1$ where $\mathsf {poly}$ is a polynomial that satisfies $|i{\mathcal {O}}(M,C)|<\mathsf {poly}(M,\lambda )$ for any integer M and circuit C such that $|C|<M$.

Indistinguishability of auxiliary information If we have $z\equiv x+y \bmod \mathrm{ord}({\mathbb {QR}}_N^+)$, then $C_{N,2^{k}z}$ and $\mathsf {Mult}(\tau _{x},\tau _{y})$ have exactly the same functionality. Therefore if we obfuscate these circuits by $i{\mathcal {O}}$, then the resulting circuits are computationally indistinguishable.

Indistinguishability of auxiliary information easily follows from the security of the indistinguishability obfuscator since $\tau _{x}\in \cup _{\ell \in \mathbb {N}}T_{x}^{\ell }$ is an obfuscation of a circuit that computes the 2x-th power for an element of ${\mathbb {QR}}_N^+$ regardless of whether $\tau _x$ is generated by $\mathsf {AIGen}$ or $\mathsf {AIMult}$.

We also define the BBS generator which we will use as a hardcore function.

Definition 9

For $\ell _N$-bit Blum integer N, $g\in {\mathbb {QR}}_N^+$ and $r\in \{0,1\}^{\ell _N}$, we define the BBS generator as

$$\begin{aligned} BBS_r(g):=(\mathsf {GL}_r(g),\ldots ,\mathsf {GL}_r(g^{k-1})) \end{aligned}$$

where $\mathsf {GL}$ denote the Goldreich–Levin hardcore bit function [27]. That is, $\mathsf {GL}_r(x):=\bigoplus _{i=1}^{\ell _N}r_ix_i$ where $r_i$ and $x_i$ are i-th bit of r and x which is represented as an integer in $\{1,\ldots ,(N-1)/2\}$. We write $\mathcal {BBS}$ to denote the family of functions $\{BBS_{r}\}_{r\in \{0,1\}^{\ell _N}}$.

Hardness Assumption

The following hardness assumption holds with respect to our construction.

Theorem 6

The MHDH assumption holds with respect to $\mathcal {SBP}_{\mathsf {Mult}}$ and $\mathcal {BBS}$ if the factoring assumption holds for $\mathsf {RSAGen}$ and $i{\mathcal {O}}$ is an indistinguishability obfuscator for P / poly.

Proof

For an algorithm ${\mathcal {A}}$, we consider the following games.

$\mathsf {Game}$ 1:: This game is the original n-MHDH game. More precisely, it is as follows.
Open image in new window
$\mathsf {Game}$ $1'$:: This game is the same as $\mathsf {Game}$ 1 except that $x_0,\ldots ,x_n$ are chosen from $[\mathrm{ord}({\mathbb {QR}}_N^+)]$.
$\mathsf {Game}$ $2'$:: This game is the same as $\mathsf {Game}$ 1 except that g, $x_0,\ldots , x_n$, $\tau _{x_0},\ldots ,\tau _{x_n}$ are set differently. More precisely, it is as follows.
Open image in new window
$\mathsf {Game}$ 2:: This game is the same as $\mathsf {Game}$ $2'$ except that $x'_0,\ldots ,x'_n$ are chosen from $[(N-1)/4]$.
$\mathsf {Game}$ 3:: This game is the same as $\mathsf {Game}$ 2 except that T is set as a random k-bit string.

Let $T_{i}$ be the event that ${\mathcal {A}}$ outputs 1 in $\mathsf {Game}$ i and $T'_{i}$ be the event that ${\mathcal {A}}$ outputs 1 in $\mathsf {Game}$ $i'$. What we want to prove is $|\Pr [T_1]-\Pr [T_3]|$ is negligible. We prove this by the following lemmas. $\square $

Lemma 8

$|\Pr [T_i]-\Pr [T'_i]|$ is negligible for $i=1,2$.

Proof

This follows since $(N-1)/4$ is negligibly close to $\mathrm{ord}({\mathbb {QR}}_N^+)$. $\square $

Lemma 9

$|\Pr [T'_1]-\Pr [T'_2]|$ is negligible if $i{\mathcal {O}}$ is an indistinguishability obfuscator for P / poly.

Proof

We define hybrid games $H_{1,0},\ldots H_{1,n+1}$. A hybrid game $H_{1,i}$ is the same as $\mathsf {Game}$ $1'$ except that the first i auxiliary information (i.e, $\tau _{x_0},\tau _{x_1},\ldots ,\tau _{x_{i-1}}$) are generated as in $\mathsf {Game}$ $2'$. Let $T_{1,i}$ be the event that ${\mathcal {A}}$ outputs 1 in the hybrid $H_{1,i}$. It is clear that $H_{1,0}$ is $\mathsf {Game}$ $1'$ and $H_{1,n+1}$ is $\mathsf {Game}$ $2'$. Let $T_{1,i}$ be the event that ${\mathcal {A}}$ wins in $\mathsf {Game}$ $H_{1,i}$. Since we have $x_i\equiv x'_i+1/2^{k} \bmod \mathrm{ord}({\mathbb {QR}}_N^+)$, $C_{N,2^{k}x'_i+1}$ computes exactly the same as $C_{N,2^{k}x_i}$ for any input for $i=0,\ldots n$. (Recall that these circuits computes the exponentiation only for an element of ${\mathbb {QR}}_N^+$.) Then we can see that $|\Pr [T_{1,i}]-\Pr [T_{1,i-1}]$ is negligible for $i\in [n+1]$ from the security of $i{\mathcal {O}}$. (Note that a reduction algorithm here may know the factorization of N.) $\square $

Lemma 10

$|\Pr [T_2]-\Pr [T_3]|$ is negligible if the factoring assumption holds for $\mathsf {RSAGen}$ and $i{\mathcal {O}}$ is an indistinguishability obfuscator for P / poly.

Proof

We define hybrid games $H_{2,0},\ldots H_{2,k}$. For $i=0,1,\ldots ,k$, a hybrid game $H_{2,i}$ is the same as $\mathsf {Game}$ 2 except that the first i-bit of T are set as in $\mathsf {Game}$ 2 and other bits are set as in $\mathsf {Game}$ 3, i.e, $T:=U_1||\ldots ||U_i||\mathsf {GL}_{r}(g^{2^{k(n-1)+i}\varPi _{j=0}^{n}x_j})||\ldots ||\mathsf {GL}_{r}(g^{2^{kn-1}\varPi _{j=0}^{n}x_j})$, where Open image in new window . It is clear that $H_{2,0}$ is the same as $\mathsf {Game}$ 2 and $H_{2,k}$ is the same as $\mathsf {Game}$ 3. Let $T_{2,i}$ be the event that ${\mathcal {A}}$ outputs 1 in the hybrid $H_{2,i}$. We prove that $|\Pr [T_{2,i-1}]-\Pr [T_{2,i}]|$ is negligible for all $i\in [k]$. To do so, we assume that there exists an algorithm ${\mathcal {A}}$ that distinguishes $H_{2,i}$ and $H_{2,i-1}$, and construct a factoring algorithm by using ${\mathcal {A}}$. Without loss of generality, we can assume that there exists a non-negligible function $\epsilon $ such that $\Pr [T_{2,i-1}]-\Pr [T_{2,i}]>\epsilon $. This is because given ${\mathcal {A}}$, the sign of $\Pr [T_{2,i-1}]-\Pr [T_{2,i}]$ can be checked efficiently, and if $\Pr [T_{2,i-1}]-\Pr [T_{2,i}]<0$ then we can modify ${\mathcal {A}}$ to output inverse of the original output so that $\Pr [T_{2,i-1}]-\Pr [T_{2,i}]>0$. In the following, we use a similar argument as in [40]. Specifically, we first construct a “reconstruction algorithm” based on the Goldreich–Levin theorem [27], and then construct a factoring algorithm. In the following, we write $X_i$ to denote $g^{2^{k(n-1)+i}\varPi _{j=0}^{n}x_j}$ and Y to denote $(N,g, g^{x_0},\ldots ,g^{x_n},\tau , \tau _{x_0}\ldots ,\tau _{x_n},X_i)$ for notational simplicity.

Hardcore distinguisher We construct an algorithm ${\mathcal {D}}$ that distinguish $\mathsf {GL}_{r}(X_{i-1})$ from a uniformly random bit with non-negligible advantage when it is given $(r,N,g, g^{x_0},\ldots ,g^{x_n},\tau _{x_0}\ldots ,\tau _{x_n},X_i)$ where r, N, g, $x_0,\ldots ,x_n$ and $\tau _{x_0}\ldots ,\tau _{x_n}$ are generated as in $\mathsf {Game}$ 2. The construction of ${\mathcal {D}}$ is as follows.

${\mathcal {D}}(r,Y,B)$:: ${\mathcal {D}}'$ picks Open image in new window , sets $T:=U_1||\ldots ||U_{i-1}||B||\mathsf {GL}_{r}(X_i)||\ldots ||\mathsf {GL}_r(X_{k-1})$ and runs ${\mathcal {A}}(N,g, g^{x_0},\ldots ,g^{x_n},\tau _{x_0}\ldots ,\tau _{x_n},r,T)$. We note that ${\mathcal {D}}$ can generate $\mathsf {GL}_r(X_i),\ldots ,\mathsf {GL}_r(X_{k-1})$ since it knows $X_i$. If ${\mathcal {A}}$ outputs b, then ${\mathcal {D}}$ also outputs b.

If $B=\mathsf {GL}_{r}(X_{i-1})$, then ${\mathcal {D}}$ simulates $H_{2,i-1}$ exactly and if B is a random bit, then ${\mathcal {D}}$ simulates $H_{2,i}$ from the view of ${\mathcal {A}}$. Therefore we have

Open image in new window

By the averaging argument, with at least $\epsilon /2$ fraction of the choice of Y, we have

Open image in new window

Here we note that $\epsilon /2$ is non-negligible since we assumed that $\epsilon $ is non-negligible.

Reconstruction Algorithm Next, we construct a reconstruction algorithm $\mathcal {R}$ that computes $X_{i-1}$ with non-negligible probability when it is given Y for non-negligible fraction of its input. This can be constructed based on the Goldreich–Levin theorem. $\square $

Theorem 7

(Goldreich–Levin Theorem [27]) Let X be any n-bit string. If there exists a PPT algorithm ${\mathcal {D}}'$ such that

$$\begin{aligned} |\Pr [1\leftarrow {\mathcal {D}}'(r,\mathsf {GL}_r(X))]-\Pr [1\leftarrow {\mathcal {D}}'(r,U)]| \end{aligned}$$

is non-negligible where Open image in new window

and Open image in new window

, then there exists a PPT algorithm $\mathcal {R'}$ such that

$$\begin{aligned} \Pr [X\leftarrow \mathcal {R'}(1^{n})] \end{aligned}$$

is non-negligible.

As seen above, there exists ${\mathcal {D}}$ which distinguishes $X:=X_{i-1}$ from a random bit when it is given Y for non-negligible fraction of choice of Y. Here, we remark that X is completely determined by Y. For any Y, we consider an algorithm ${\mathcal {D}}_{Y}$, which is given r, B and runs ${\mathcal {D}}(r,Y,B)$. For non-negligible fraction of choice of Y, $|\Pr [1\leftarrow {\mathcal {D}}_Y(r,\mathsf {GL}_r(X))]-\Pr [1\leftarrow {\mathcal {D}}_Y(r,U)]|$ is non-negligible. Therefore by the above theorem, for such Y, there exists $R_{Y}$ which computes X with non-negligible probability. Therefore we can construct $\mathcal {R}$ which is given Y and outputs X with non-negligible probability, which simply runs $\mathcal {R}_{Y}$ to get X for input Y.

Factoring Algorithm Then we construct an algorithm ${\mathcal {B}}$ that given an RSA modulus N factorizes N. The construction of ${\mathcal {B}}$ is as follows.

${\mathcal {B}}(N)$:: ${\mathcal {B}}$ chooses Open image in new window sets $h:=|h'^{2} \mod N|\in {\mathbb {QR}}_N^+$, $g:=h^{2^{k}}$, chooses Open image in new window , sets $g^{x_0}:=g^{x'_0}h^{2^{k-i}}$, $\tau _{x_0}\leftarrow i{\mathcal {O}}(M'_1,C_{N,2^{k}x'_0+2^{k-i}})$, $g^{x_i}:=g^{x'_i}h$, $\tau _{x_i}\leftarrow i{\mathcal {O}}(M'_1,C_{N,2^{k}x'_i+1})$ for $i\in [n]$. Then ${\mathcal {B}}$ can compute $g^{2^{k(n-1)+i}\varPi _{j=0}^{n}x_j}=h^{2^{kn+i}\varPi _{j=0}^{n}x_j}=h^{(2^{i}x'_0+1)\varPi _{j=1}^{n}(2^{k}x'_j+1)}$. ${\mathcal {B}}$ sets $Y:=(N,g, g^{x_0},\ldots ,g^{x_n},\tau _{x_0},\ldots ,\tau _{x_n},g^{2^{k(n-1)+i}\varPi _{j=0}^{n}x_j}))$ and runs $\mathcal {R}(Y)$. Let U be the output of $\mathcal {R}$. Then ${\mathcal {B}}$ computes $X:=\varPi _{j=1}^{n}(2^{k}x'_j+1)$ and computes $V=Uh^{-(2^{i-1}x'_0X+(X-1)/2)}$. (Note that X is odd and therefore $(X-1)/2$ is an integer.) Then it outputs $\gcd (h',V)$.

First, we consider the distribution of input for $\mathcal {R}$. Clearly, all components except $g^{x_0}$ and $\tau _{x_0}$ are distributed as in $\mathsf {Game}$ 2. In the above algorithm, $g^{x_0}$ is distributed almost uniformly on ${\mathbb {QR}}_N^+$ as in $\mathsf {Game}$ 2 and therefore this difference causes a negligible difference on the behavior of $\mathcal {R}.$ $\tau _{x_0}$ is set as an obfuscation of a circuit that computes $2^{k}x_0$-th power both in the above algorithm and in $\mathsf {Game}$ 2, and this causes a negligible difference by the property of indistinguishability obfuscation. Therefore $\mathcal {R}$ outputs $g^{2^{k(n-1)+i-1}\varPi _{j=0}^{n}x_j}$ with non-negligible probability for non-negligible fraction of its input. In this case, we have

$$\begin{aligned} U= & {} g^{2^{k(n-1)+i-1}\varPi _{j=0}^{n}x_j}\\= & {} h^{2^{kn+i-1}(x'_0+1/2^{i})\varPi _{j=1}^{n}(x'_j+1/2^{k})}\\= & {} h^{(2^{i-1}x'_0+1/2)\varPi _{j=1}^{n}(2^{k}x'_j+1)}\\= & {} h^{2^{i-1}x'_0X+(X-1)/2+1/2}. \end{aligned}$$

Therefore we have $V=h^{1/2}$. Thus $h'$ and V are distinct square roots of h in ${\mathbb {Z}}_N^*$ and therefore $\gcd (h',V)$ is a non-trivial factor of N. $\square $

Theorem 6 is proven by the above lemmas. $\square $

References

1.
Ananth, P.V., Gupta, D., Ishai, Y., Sahai, A.: Optimizing obfuscation: avoiding Barrington’s theorem. In: ACM SIGSAC 2014, pp. 646–658 (2014)Google Scholar
2.
Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: EUROCRYPT, pp. 221–238 (2014)Google Scholar
3.
Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: CRYPTO, pp. 1–18 (2001)Google Scholar
4.
Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: ACM CCS’12, pp. 784–796 (2012)Google Scholar
5.
Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, pp. 321–334 (2007)Google Scholar
6.
Blum, L., Blum, M., Shub, M.: A simple unpredictable pseudo-random number generator. SIAM J. Comput. 15(2), 364–383 (1986)MathSciNetCrossRefMATHGoogle Scholar
7.
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: EUROCRYPT, pp. 223–238 (2004)Google Scholar
8.
Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. In: CRYPTO, pp. 213–229 (2001)Google Scholar
9.
Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography. Contemp. Math. 324, 71–90 (2002)MathSciNetCrossRefMATHGoogle Scholar
10.
Boneh, D., Zhandry, M.: Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. In: CRYPTO (2014)Google Scholar
11.
Brakerski, Z., Rothblum, G.N.: Virtual black-box obfuscation for all circuits via generic graded encoding. In: TCC, pp. 1–25 (2014)Google Scholar
12.
Cheon, J.H., Fouque, P.-A., Lee, C., Minaud, B., Ryu, H.: Cryptanalysis of the new CLT multilinear map over the integers. In: EUROCRYPT 2016 Part I, pp. 509–536 (2016)Google Scholar
13.
Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: EUROCRYPT 2015 Part I, pp. 3–12 (2015)Google Scholar
14.
Cheon, J.H., Lee, D.H.: A note on self-bilinear maps. Bull. Korean Math. Soc. 46(2), 303–309 (2009)MathSciNetCrossRefMATHGoogle Scholar
15.
Coron, J.-S., Lee, M.S., Lepoint, T., Tibouchi, M.: Cryptanalysis of GGH15 multilinear maps. In: CRYPTO 2016 Part II, pp. 607–628 (2016)Google Scholar
16.
Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: CRYPTO (1), pp. 476–493 (2013)Google Scholar
17.
Coron, J.-S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. In: CRYPTO 2015 Part I, pp. 267–286 (2015)Google Scholar
18.
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)MathSciNetCrossRefMATHGoogle Scholar
19.
Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: EUROCRYPT, pp. 1–17 (2013)Google Scholar
20.
Garg, S., Gentry, C., Halevi, S., Raykova, M.: Two-round secure MPC from indistinguishability obfuscation. In: TCC, pp. 74–94 (2014)Google Scholar
21.
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49 (2013)Google Scholar
22.
Garg, S., Gentry, C., Halevi, S., Sahai, A., Waters, B.: Attribute-based encryption for circuits from multilinear maps. In: CRYPTO (2), pp. 479–499 (2013)Google Scholar
23.
Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: STOC, pp. 467–476 (2013)Google Scholar
24.
Garg, S., Miles, E., Mukherjee, P., Sahai, A., Srinivasan, A., Zhandry, M.: Secure obfuscation in a weak multilinear map model. Cryptology ePrint Archive, Report 2016/817. http://eprint.iacr.org/2016/817 (2016)
25.
Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: TCC 2015 Part II, pp. 498–527 (2015)Google Scholar
26.
Gentry, C., Lewko, A.B., Sahai, A., Waters, B.: Indistinguishability obfuscation from the multilinear subgroup elimination assumption. In: FOCS 2015, pp. 151–170 (2015)Google Scholar
27.
Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: STOC, pp. 25–32 (1989)Google Scholar
28.
Goldwasser, S., Gordon, S.D., Goyal, V., Jain, A., Katz, J., Liu, F.-H., Sahai, A., Shi, E., Zhou, H.-S.: Multi-input functional encryption. In: Eurocrypt (2014)Google Scholar
29.
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: STOC, pp. 545–554 (2013)Google Scholar
30.
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98 (2006)Google Scholar
31.
Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: EUROCRYPT, pp. 339–358 (2006)Google Scholar
32.
Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: EUROCRYPT, pp. 415–432 (2008)Google Scholar
33.
Hofheinz, D.: Fully secure constrained pseudorandom functions using random oracles. Cryptology ePrint Archive, Report 2014/372. http://eprint.iacr.org/ (2014)
34.
Hofheinz, D., Kiltz, E.: The group of signed quadratic residues and applications. In: CRYPTO, pp. 637–653 (2009)Google Scholar
35.
Hohenberger, S., Sahai, A., Waters, B.: Replacing a random oracle: full domain hash from indistinguishability obfuscation. In: Eurocrypt (2014)Google Scholar
36.
Hu, Y., Jia, H.: Cryptanalysis of GGH map. In: EUROCRYPT 2016 Part I, pp. 537–565 (2016)Google Scholar
37.
Joux, A.: A one round protocol for tripartite Diffie–Hellman. In: ANTS, pp. 385–394 (2000)Google Scholar
38.
Khurana, D., Rao, V., Sahai, A.: Multi-party key exchange for unbounded parties from indistinguishability obfuscation. In: ASIACRYPT 2015 I, pp. 52–75 (2015)Google Scholar
39.
Kiltz, E., O’Neill, A., Smith, A.: Instantiability of RSA-OAEP under chosen-plaintext attack. In: CRYPTO, pp. 295–313 (2010)Google Scholar
40.
Mei, Q., Li, B., Lu, X., Jia, D.: Chosen ciphertext secure encryption under factoring assumption revisited. In: Public Key Cryptography, pp. 210–227 (2011)Google Scholar
41.
Menezes, A., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39(5), 1639–1646 (1993)MathSciNetCrossRefMATHGoogle Scholar
42.
Pandey, O., Prabhakaran, M., Sahai, A.: Obfuscation-based non-black-box simulation and four message concurrent zero knowledge for NP. In: TCC 2015 Part II, pp. 638–667 (2015)Google Scholar
43.
Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation from semantically-secure multilinear encodings. In: CRYPTO 2014 Part I, pp. 500–517 (2014)Google Scholar
44.
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: EUROCRYPT, pp. 457–473 (2005)Google Scholar
45.
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: STOC (2014)Google Scholar
46.
Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing (in Japanese). In: SCIS (2000)Google Scholar
47.
Seurin, Y.: New constructions and applications of trapdoor DDH groups. In: Public Key Cryptography, pp. 443–460 (2013)Google Scholar
48.
Waters, B.: Efficient identity-based encryption without random oracles. In: EUROCRYPT, pp. 114–127 (2005)Google Scholar

Copyright information

Authors and Affiliations

Takashi Yamakawa
- 1
Email authorView author's OrcID profile
Shota Yamada
- 2
Goichiro Hanaoka
- 2
Noboru Kunihiro
- 1

1.Department of Complexity Science and Engineering, Graduate School of Frontier SciencesThe University of TokyoChibaJapan
2.Advanced Cryptosystems Research Group, Information Technology Research InstituteNational Institute of Advanced Industrial Science and TechnologyTokyoJapan

Self-Bilinear Map on Unknown Order Groups from Indistinguishability Obfuscation and Its Applications

Abstract

Keywords

Notes

Acknowledgements

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite article