Multilinear Maps from Obfuscation

Abstract

We provide constructions of multilinear groups equipped with natural hard problems from indistinguishability obfuscation, homomorphic encryption, and NIZKs. This complements known results on the constructions of indistinguishability obfuscators from multilinear maps in the reverse direction. We provide two distinct, but closely related constructions and show that multilinear analogues of the \({\text {DDH}} \) assumption hold for them. Our first construction is symmetric and comes with a \(\kappa \)-linear map \(\mathbf{e }: {{\mathbb {G}}}^\kappa \longrightarrow {\mathbb {G}}_T\) for prime-order groups \({\mathbb {G}}\) and \({\mathbb {G}}_T\). To establish the hardness of the \(\kappa \)-linear \({\text {DDH}} \) problem, we rely on the existence of a base group for which the \(\kappa \)-strong \({\text {DDH}} \) assumption holds. Our second construction is for the asymmetric setting, where \(\mathbf{e }: {\mathbb {G}}_1 \times \cdots \times {\mathbb {G}}_{\kappa } \longrightarrow {\mathbb {G}}_T\) for a collection of \(\kappa +1\) prime-order groups \({\mathbb {G}}_i\) and \({\mathbb {G}}_T\), and relies only on the 1-strong \({\text {DDH}} \) assumption in its base group. In both constructions, the linearity \(\kappa \) can be set to any arbitrary but a priori fixed polynomial value in the security parameter. We rely on a number of powerful tools in our constructions: probabilistic indistinguishability obfuscation, dual-mode NIZK proof systems (with perfect soundness, witness-indistinguishability, and zero knowledge), and additively homomorphic encryption for the group \(\mathbb {Z}_N^{+}\). At a high level, we enable “bootstrapping” multilinear assumptions from their simpler counterparts in standard cryptographic groups and show the equivalence of PIO and multilinear maps under the existence of the aforementioned primitives.

Introduction

Main Contribution

In this paper, we explore the relationship between multilinear maps and obfuscation. Our main contribution is a construction of multilinear maps for groups of prime order equipped with natural hard problems, using indistinguishability obfuscation (IO) in combination with other tools, namely NIZK proofs, homomorphic encryption, and a base group \({\mathbb {G}}_{0}\) satisfying a mild cryptographic assumption. This complements known results in the reverse direction, showing that various forms of indistinguishability obfuscation can be constructed from multilinear maps [17, 24, 45]. The relationship between IO and multilinear maps is a very natural question to study, given the rich diversity of cryptographic constructions that have been obtained from both multilinear maps and obfuscation, and the apparent fragility of current constructions for multilinear maps. More on this below.

We provide two distinct but closely related constructions. One is for multilinear maps in the symmetric setting, that is, non-degenerate multilinear maps \(\mathbf{e }: {{\mathbb {G}}_1}^\kappa \longrightarrow {\mathbb {G}}_T\) for groups \({\mathbb {G}}_1\) and \({\mathbb {G}}_T\) of prime order N. Our construction relies on the existence of a base group \({\mathbb {G}}_0\) in which the \(\kappa -{\text {SDDH}} \) assumption holds—this states that, given a \((\kappa +1)\)-tuple of \({\mathbb {G}}_0\)-elements \((g,g^\omega ,\ldots , g^{\omega ^{\kappa }} )\), we cannot efficiently distinguish \(g^{\omega ^{\kappa +1}}\) from a random element of \({\mathbb {G}}_0\). Under this assumption, we prove that the \(\kappa -{\text {MDDH}} \) problem, a natural analogue of the DDH problem as stated below, is hard.

(The\(\kappa -{\text {MDDH}} \)problem, informal) Given a generator \(g_1\) of \({\mathbb {G}}_1\) and \(\kappa +1\) group elements \(g_1^{a_i}\) in \({\mathbb {G}}\) with \(a_i \leftarrow _{{\$}}\mathbb {Z}_N\), distinguish \({\mathbf{e } (g_1,\ldots ,g_1)}^{\prod _{i=1}^{\kappa +1}a_i}\) from a random element of \({\mathbb {G}}_T\).

This problem can be used as the basis for several cryptographic constructions [7], including by now the classic example of multiparty non-interactive key exchange (NIKE) [23].

Our other construction is for the asymmetric setting; that is, for multilinear maps \(\mathbf{e }: {\mathbb {G}}_1 \times \cdots \times {\mathbb {G}}_{\kappa } \longrightarrow {\mathbb {G}}_T\) for a collection of \(\kappa \) groups \({\mathbb {G}}_i\) and \({\mathbb {G}}_T\) all of prime order N. It uses a base group \({\mathbb {G}}_0\) in which we require only that the \(1-{\text {SDDH}} \) assumption holds. For this construction, we show that a natural asymmetric analogue of the \(\kappa -{\text {MDDH}} \) assumption holds.

At a high level, then, our constructions are able to “bootstrap” from rather mild assumptions in a standard cryptographic group to much stronger multilinear assumptions in a group (or groups, in the asymmetric setting) equipped with a \(\kappa \)-linear map. Here, \(\kappa \) is fixed up-front at the time of setup, but is otherwise unrestricted. Of course, such constructions cannot be expected to come “for free,” and we need to make use of powerful tools including probabilistic IO (PIO) for obfuscating randomized circuits [17], dual-mode NIZK proofs enjoying perfect soundness (for a binding CRS), perfect witness-indistinguishability (for a hiding CRS), and perfect zero knowledge, and additive homomorphic encryption for the group \((\mathbb {Z}_N,+)\) (or alternatively, a perfectly correct FHE scheme). We note that all these tools can be constructed from a (pair of) pairing-friendly groups (in which, e.g., the SXDH assumption holds), subexponentially secure one-way functions, and subexponentially secure IO. It is an important open problem arising from our work to weaken the requirements on, or remove altogether, these additional tools.

General Approach

Our approach to obtaining multilinear maps in the symmetric setting is as follows (with many details to follow in the main body).¹ Let \({\mathbb {G}}_0\) with generator \(g_0\) be a group of prime order N in which the \(\kappa -{\text {SDDH}} \) assumption holds.

We work with redundant encodings of elements h of the base group \({\mathbb {G}}_0\) of the form \(h = g_0^{x_0}{(g_0^{\omega })}^{x_1}\) where \(g_0^{\omega }\) comes from a \(\kappa -{\text {SDDH}} \) instance; we write \({\mathbf{x }}= (x_0,x_1)\) for the vector of exponents representingh. Then, \({\mathbb {G}}_1\) consists of all strings of the form \((h,{\mathbf{c }}_{1},{\mathbf{c }}_{2},{\pi })\) where \(h \in {\mathbb {G}}_0\), ciphertext \({\mathbf{c }}_{1}\) is a homomorphic encryption under public key \({\textit{pk}}_1\) of a vector \({\mathbf{x }}\) representing h, ciphertext \({\mathbf{c }}_{2}\) is a homomorphic encryption under a second public key \({\textit{pk}}_2\) of another vector \({\mathbf{y }}\) also representing h, and \({\pi }\) is a NIZK proof showing consistency of the two vectors \({\mathbf{x }}\) and \({\mathbf{y }}\), i.e., a proof that the plaintexts \({\mathbf{x }}\), \({\mathbf{y }}\) underlying \({\mathbf{c }}_{1}\), \({\mathbf{c }}_{2}\) encode the same group element h. Note that each element of the base group \({\mathbb {G}}_0\) is multiply represented when forming elements in \({\mathbb {G}}_1\), but that equality of group elements in \({\mathbb {G}}_1\) is easy to test. An alternative viewpoint is to consider \(({\mathbf{c }}_{1},{\mathbf{c }}_{2},{\pi })\) as being auxiliary information accompanying element \(h \in {\mathbb {G}}_0\); we prefer the perspective of redundant encodings, and our abstraction in Sect. 3 is stated in such terms. When viewed in this way, our approach can be seen as closely related to the Naor–Yung paradigm for constructing CCA-secure PKE [37].

Addition of two elements in \({\mathbb {G}}_1\) is carried out by an obfuscation of a circuit \(C_{\text {Add}}\) that is published along with the groups. It has the secret keys \({\textit{sk}}_1, {\textit{sk}}_2\) hard-coded in; it first checks the respective proofs, then uses the additive homomorphic property of the encryption scheme to combine ciphertexts, and finally uses the secret keys \({\textit{sk}}_1, {\textit{sk}}_2\) as witnesses to generate a new NIZK proof showing equality of encodings. Note that the new encoding is as compact as that of the two input elements.

The multilinear map on inputs \((h_i,{\mathbf{c }}_{i,1},{\mathbf{c }}_{i,2},{\pi }_i)\) for \(1 \le i \le \kappa \) is computed using the obfuscation of a circuit \(C_{\text {Map}}\) that has \({\textit{sk}}_1\) and \(\omega \) hard-coded in. This allows \(C_{\text {Map}}\) to “extract” full exponents of \(h_i\) in the form \((x_{i,1}+\omega \cdot x_{i,2})\) from \({\mathbf{c }}_{i,1}\) and thereby compute the element \(g_0^{\prod _i (x_{i,1}+\omega \cdot x_{i,2})}\). This is defined to be the output of our multilinear map \(\mathbf{e } \), and so our target group \({\mathbb {G}}_T\) is in fact \({\mathbb {G}}_0\), the base group. The multilinearity of \(\mathbf{e } \) follows immediately from the form of the exponent.

In the asymmetric case, the main difference is that we work with different values \(\omega _i\) in each of our input groups \({\mathbb {G}}_i\). However, the groups are all constructed via redundant encodings, just as above.

This provides a high-level view of our approach, but no insight into why the approach achieves our aim of building multilinear maps with associated hard problems. Let us give some intuition on why the \(\kappa -{\text {MDDH}} \) problem is hard in our setting. We transform a \(\kappa -{\text {MDDH}} \) tuple \({\mathbf{h }}= ({(g_1^{a_i})}_{i \le \kappa +1},g_T^{d})\), where d is the product of the \(a_i \in \mathbb {Z}_N\), \(g_1\) is in the “encoded” form above, and thus, \(g_1 = (h_1,{\mathbf{c }}_{1},{\mathbf{c }}_{2},{\pi })\), and \(g_T\) is a generator of \({\mathbb {G}}_{T}={\mathbb {G}}_{0}\), into another \(\kappa -{\text {MDDH}} \) tuple \({\mathbf{h }}'\) with exponents \(a'_i = a_i+\omega \) for \(i \le \kappa +1\). This means that the exponent of the challenge element in the target group \(d' = \prod _{i = 1}^{\kappa +1}(a_i +\omega )\) can be seen as a degree \(\kappa +1\) polynomial in \(\omega \). Therefore, with the knowledge of the \(a_i\) and a \(\kappa -{\text {SDDH}} \) challenge, with \(\omega \) implicit in the exponent, we are able to switch \(g_T^{d'}\) to a uniformly random value.

Nevertheless, in the preceding simplistic argument, we have made two assumptions. The first is that we are able to provide an obfuscation of a circuit \(C_{\text {Map}}'\) that has the same functionality as \(C_{\text {Map}}\) over \({\mathbb {G}}_{1}\)without the explicit knowledge of \(\omega \). We resolve this by showing a way of evaluating the \(\kappa \)-linear map on any elements of \({\mathbb {G}}_{1}\) using only the powers \(g_0^{\omega ^i}\) for \(1 \le i \le \kappa \), and vectors extracted from the accompanying ciphertexts, and then applying \({\text {IO}}\) to the two circuits.²

The second assumption we made is that we can indeed switch from \({\mathbf{h }}\) to \({\mathbf{h }}'\) without being noticed. In other words, that the vectors \({\mathbf{x }}_i\), \({\mathbf{y }}_{i}\) representing \(g^{a_i}\) can be replaced (without being noticed) with vectors \({\mathbf{h }}_{i}'\) whose second coordinate is always fixed. Intuitively, this is based on the \({\text {IND-CPA}} \) security of the FHE scheme, but in order to give a successful reduction, we also have to change the circuit \(C_{\text {Add}}\) (since \(C_{\text {Add}}\) uses both decryption keys) and apply probabilistic indistinguishability obfuscation [17] to the circuit.

We note that in this work, we do not construct graded encoding schemes as in [23]. That is, we do not construct maps from \({\mathbb {G}}_i \times {\mathbb {G}}_j\) to \({\mathbb {G}}_{i+j}\). On the other hand, our construction is noiseless and is closer to multilinear maps as defined by Boneh and Silverberg [7].

The Current State of Multilinear Maps Constructions

Multilinear maps have been in a state of turmoil, with the discovery of attacks [9, 13, 14, 30, 36] against the GGH13 [23], CLT [15], and GGH15 [26] proposals, and a sequence of countermeasures and fixes [12, 16], which since have been broken, too. Hence, our confidence in constructions for graded encoding schemes (and thereby multilinear maps) has been shaken. On the other hand, recently, several constructions of IO from increasingly weaker assumptions have been proposed (see, for example, [1, 3, 24, 33,34,35, 45]), culminating in the construction [35] that requires only trilinear (non-graded) multilinear maps.

Hence, currently it is perhaps more plausible to assume that IO exists than it is to assume that secure (multi-level) multilinear maps exist. However, we stress that more cryptanalysis of IO constructions is required to investigate what security they provide.

Moreover, even though current constructions for IO rely on graded encoding schemes, it is not implausible that alternative routes to achieving IO without relying on multilinear maps will emerge in due course. Furthermore, multilinear maps, and more generally graded encoding schemes, have proven to be very fruitful as constructive tools in their own right (cf. [7, 40], resp., [5, 8, 22, 25, 27, 31, 42]). This rich set of applications coupled with the current uncertainty over the status of graded encoding schemes and multilinear maps provides additional motivation to ask what additional tools are needed in order to upgrade IO to multilinear maps. As an additional benefit, we upgrade (via IO) noisy graded encoding schemes to clean multilinear maps—sometimes now informally called “dream” or “ideal” multilinear maps.

Related Work

The work that is technically closest to ours is that of Yamakawa et al. (see [43, 44]); indeed, their work was the starting point for ours. Yamakawa et al. construct a self-pairing map, that is, a bilinear map from \({\mathbb {G}}\times {\mathbb {G}}\) to \({\mathbb {G}}\); multilinear maps can be obtained by iterating their self-pairing. Their work is limited to the RSA setting. It uses the group of signed quadratic residues modulo a Blum integer N, denoted \(\mathrm{QR}_N^{+}\), to define a pairing function that, on input elements \(g^x\), \(g^y\) in \(\mathrm{QR}_N^{+}\), outputs \(g^{2xy}\). In their construction, elements of \(\mathrm{QR}_N^{+}\) are augmented with auxiliary information to enable the pairing computation—in fact, the auxiliary information for an element \(g^x\) is simply an obfuscation of a circuit for computing the 2xth power modulo \({{\text {ord}}}(\mathrm{QR}_N^{+})\), and the pairing is computed by evaluating this circuit on an input \(g^y\) (say). The main contribution of [43] is in showing that these obfuscated circuits leak nothing about x or the group order.

A nice feature of their scheme is that the degree of linearity \(\kappa \) that can be accommodated is not limited up-front in the sense that the pairing output is also a group element to which further pairing operations (derived from auxiliary information for other group elements) can be applied. However, the construction has several drawbacks. First, the element output by the pairing does not come with auxiliary information.³ Second, the size of the auxiliary information for a product of group elements grows exponentially with the length of the product, as each single product involves computing the obfuscation of a circuit for multiplying, with its inputs already being obfuscated circuits. Third, the main construction in [43] only builds hard problems for the self-pairing of the computational type. (In fact, they show the hardness of the computational version of the \(\kappa -{\text {MDDH}} \) problem in \(\mathrm{QR}_N^{+}\) assuming that factoring is hard.) Still, this is sufficient for several cryptographic applications.

In contrast, our construction is generic with respect to its platform group. Furthermore, the equivalent of the auxiliary information in our approach does not itself involve any obfuscation. Consequently, the description of a product of group elements stays compact. Indeed, given perfect additive homomorphic encryption for \((\mathbb {Z}_p,+)\), we can perform arbitrary numbers of group operations in each component group \({\mathbb {G}}_i\). It is an open problem to find a means of augmenting our construction with the equivalent of auxiliary information in the target group \({\mathbb {G}}_T\), to make our multilinear maps amenable to iteration and thereby achieve graded maps as per [15, 23].

Another related work is the work of Paneth and Sahai [39]. They show a near equivalence between a suitable abstraction of multilinear maps and IO. Their result requires no computational assumptions at all, but also does not consider multilinear maps in our sense. In particular, they construct an abstraction of a multilinear map that only admits restricted access to encodings, similar to the one in [24]. Beyond the group operation and the multilinear map, other procedures for, e.g., uniform sampling, comparison or rerandomization of encodings are not part of this abstraction. Our notion of a multilinear map, on the other hand, contains descriptions of efficient procedures for all of these tasks.

Follow-Up Work

The work [21] extends our approach from this work to graded encoding schemes (with multilinear maps). They use techniques similar to ours and in particular employ a suitable “switching theorem” (like our Theorem 1) to replace encodings of equivalent group elements.

On the other hand, the work [2] aims to construct groups (or, rather, encoding schemes) that support stronger computational assumptions. Specifically, [2] construct encoding schemes in which even an adaptive variant of the so-called Uber assumption [6] holds. The price that [2] pay is that their encoding scheme has no extraction algorithm (i.e., no algorithm that takes an encoding and outputs a bit string that is unique for the encoded group element). Not only such an extraction algorithm is useful to compare elements, it can also be used to transform non-unique group elements to a unique common secret in a Diffie–Hellman key exchange protocol. Observe that with non-unique group elements and without such an extraction algorithm, the two parties may end with different representations of the same shared key.

In this setting, the only means to compare two group elements (given by possibly different encodings) is an explicit comparison algorithm that takes two encodings as input and outputs whether these encodings represent the same group element. ([2] provide such a comparison algorithm.) The techniques that [2] use are again an extension of our techniques.

Relation to Conference Version of This Work

Erratum. After the publication of the conference version of this work at TCC 2016-A, we became aware of several technical problems in our work. Specifically, the conference version of our work (and of course a previous full version) claimed (a) the validity of the RANK assumption (a reformulation of the \(\mathcal {U}_n\)-matrix Diffie–Hellman assumption from [19]) in our framework and (b) a variant of our construction that only uses indistinguishability obfuscation (instead of probabilistic indistinguishability obfuscation). We encountered serious problems in both respective proofs, and we are currently not aware of a way to repair these proofs.

Furthermore, we became aware of problems in the proof of the multilinear DDH assumption in our framework (both in the symmetric and asymmetric settings). These problems can be resolved, which in fact leads to a simpler proof from a slightly stronger computational assumption.

Hence, this version of our work omits the results (a) and (b) described above and provides corrected versions of the proofs of the MDDH assumption in our framework.

Changes to conference version. Besides the corrections explained above, this version features full proofs, and in particular a detailed and modular treatment of the central switching theorem (Theorem 1). Our constructed group has non-unique, randomized encodings in place of group elements, and Theorem 1 allows to replace one encoding with another encoding, as long as both encodings are functionally equivalent.

Preliminaries

Notation

We denote the security parameter by \(\lambda \in \mathbb {N}\) and assume that it is implicitly given to all algorithms in the unary representation \(1^\lambda \). By an algorithm, we mean a stateless Turing machine. Algorithms are randomized unless stated otherwise, and ppt as usual stands for “probabilistic polynomial-time” in the (unary) security parameter. Given a randomized algorithm \(\mathcal {A} \), we denote the action of running \(\mathcal {A} \) on input(s) \((1^\lambda ,x_1,\ldots )\) with fresh random coins r and assigning the output(s) to \(y_1,\ldots \) by \((y_1,\ldots ) \leftarrow _{{\$}}\mathcal {A} (1^\lambda ,x_1,\ldots ;r)\). For a finite set X, we denote its cardinality by |X| and the action of sampling a uniformly random element x from X by \(x \leftarrow _{{\$}}X\). Vectors are written in boldface \(\mathbf{x }\) and by slight abuse of notation, running algorithms on vectors of elements indicates component-wise operation. Throughout the paper, \(\bot \) denotes a special error symbol, and \({{\text {poly}}}(\cdot )\) stands for a fixed polynomial. A real-valued function \({{\text {negl}}}(\lambda )\) is negligible if \({{\text {negl}}}(\lambda ) \in \mathcal {O}(\lambda ^{-\omega (1)})\). We denote the set of all negligible functions by \({\textsc {Negl}}\) and use \({{\text {negl}}}(\lambda )\) to denote an unspecified negligible function.

Homomorphic Public-Key Encryption

Circuits. A polynomial-sized deterministic circuit family \({\mathcal {C}}:= \{ {\mathcal {C}}_{\lambda } \}_{\lambda \in \mathbb {N}}\) is a sequence of sets of \({{\text {poly}}}(\lambda )\)-sized circuits for a fixed polynomial \({{\text {poly}}}\). We assume that for all \(\lambda \in \mathbb {N}\), all circuits \(C \in {\mathcal {C}}_\lambda \) share a common input domain \((\{0,1\}^\lambda )^{a(\lambda )}\), where \(a(\lambda )\) is a the arity of the circuit family, and codomain \(\{0,1\}^\lambda \). A randomized circuit family is defined similarly except that the circuits now also take random coins \({r}\in \{0,1\}^{r(\lambda )}\). To make the coins used by a circuit explicit (e.g., to view a randomized circuit as a deterministic one), we write C(x; r).

Syntax and compactness. A tuple of ppt algorithms \({{\Pi }}:=({\mathbf{Gen }},{\mathbf{Enc }},{\mathbf{Dec }},{\mathbf{Eval }})\) is called a homomorphic public-key encryption (HPKE) scheme for deterministic circuit family \({\mathcal {C}}={\{{\mathcal {C}}_{\lambda }\}}_{\lambda \in \mathbb {N}}\) of arity \(a(\lambda )\) if \(({\mathbf{Gen }},{\mathbf{Enc }},{\mathbf{Dec }})\) is a conventional public-key encryption scheme with message space \(\{0,1\}^\lambda \) and \({\mathbf{Eval }}\) is a deterministic algorithm that on input, a public key \({\textit{pk}}\), a circuit \(C \in {\mathcal {C}}_\lambda \) and ciphertexts \({\textit{c}}_1, \ldots , {\textit{c}}_{a(\lambda )}\) output a ciphertext c. We require HPKE schemes to be compact in the sense that the outputs of \({\mathbf{Eval }}\) have a size that is bounded by a polynomial function of the security parameter (and independent of the size of the circuit). Without loss of generality, we assume that secret keys of an HPKE scheme are the random coins used in key generation. This will allow us to check key pairs for validity.

Correctness. We require the following perfect correctness requirements from a HPKE scheme:

1. 1.

   Scheme \({{\Pi }}:=({\mathbf{Gen }},{\mathbf{Enc }},{\mathbf{Dec }})\) is perfectly correct as a PKE scheme; that is, for any \(\lambda \in \mathbb {N}\), any \(({\textit{sk}},{\textit{pk}}) \leftarrow _{{\$}}{\mathbf{Gen }}(1^\lambda )\), any \({\textit{m}}\in \{0,1\}^\lambda \), and any \({\textit{c}}\leftarrow _{{\$}}{\mathbf{Enc }}({\textit{m}},{\textit{pk}})\), we have that \({\mathbf{Dec }}({\textit{c}},{\textit{sk}}) = {\textit{m}}\).

2. 2.

   We furthermore require that any ciphertext (i.e., not only honestly generated ones) uniquely determines the message it decrypts to. That is, for any \(\lambda \in \mathbb {N}\), any \({\textit{pk}}\) in the range of \({\mathbf{Gen }}(1^\lambda )\), and any syntactically possible \({\textit{c}}\), there is precisely one \({\textit{m}}\) (which may be \({\textit{m}}=\bot \)), such that for all \({\textit{sk}}\) with \(({\textit{pk}},{\textit{sk}})={\mathbf{Gen }}({\textit{sk}})\), we have \({\mathbf{Dec }}({\textit{c}},{\textit{sk}})={\textit{m}}\).

3. 3.

   The evaluation algorithm is also perfectly correct in the sense that for any \(\lambda \in \mathbb {N}\), any \(({\textit{sk}},{\textit{pk}}) \leftarrow _{{\$}}{\mathbf{Gen }}(1^\lambda )\), any \({\textit{m}}_i \in \{0,1\}^\lambda \) for \(i \in [a(\lambda )]\), any \({\textit{c}}_i \leftarrow _{{\$}}{\mathbf{Enc }}({\textit{m}}_i,{\textit{pk}})\), any \(C \in {\mathcal {C}}_\lambda \) and any \({\textit{c}}\leftarrow {\mathbf{Eval }}({\textit{pk}},C,{\textit{c}}_1,\ldots ,{\textit{c}}_{a(\lambda )})\), we have that \({\mathbf{Dec }}({\textit{c}},{\textit{sk}}) = C({\textit{m}}_1,\ldots ,{\textit{m}}_{a(\lambda )})\).

We note that perfect correctness implies that every ciphertext (even an adversarially generated one) uniquely determines its decryption result, independently of the used secret key (for a given public key). Hence, it is reasonable to think of any ciphertext as “containing” a uniquely defined message (as long as only secret keys consistent with a given public key are used).

Security. The \({\text {IND-CPA}} \) security of an HPKE scheme is defined identically to a standard PKE scheme without reference to the \({\mathbf{Dec }}\) and \({\mathbf{Eval }}\) algorithms. Formally, we require that for any legitimate ppt adversary \(\mathcal {A}:=(\mathcal {A} _1,\mathcal {A} _2)\),

$$\begin{aligned} \mathbf{Adv } ^{{\text {ind-cpa}}}_{{{\Pi }},\mathcal {A}}(\lambda ):=2 \cdot \text {Pr }\left[ {\text {IND-CPA}} _{{{\Pi }}}^{\mathcal {A}}(\lambda ) \right] - 1 \in {\textsc {Negl}}~, \end{aligned}$$

where game \({\text {IND-CPA}} _{{{\Pi }}}^{\mathcal {A}}(\lambda )\) is shown in Fig. 1 (left). Adversary \(\mathcal {A} \) is legitimate if it outputs two messages of equal lengths.

HPKE schemes can be constructed from rerandomizable IND-CPA secure PKE schemes, subexponentially secure IO, and subexponentially secure one-way functions [17]. The correctness properties of this construction immediately follow from those of its underlying components. Although this HPKE construction may not be perfectly correct in our sense above, when used with ElGamal (which is rerandomizable and IND-CPA secure under the DDH assumption), it does satisfy our notion of perfect correctness.

Obfuscators

Syntax and correctness. A ppt algorithm \({\mathbf{Obf }}\) is called an obfuscator for (deterministic or randomized) circuit class \({\mathcal {C}}=\{{\mathcal {C}}_\lambda \}_{\lambda \in \mathbb {N}}\) if \({\mathbf{Obf }}\) on input the security parameter \(1^\lambda \) and the description of a (deterministic or randomized) circuit \(C \in {\mathcal {C}}_\lambda \) outputs a deterministic circuit \(\overline{C}\). For deterministic circuits, we require \({\mathbf{Obf }}\) to be perfectly correct in the sense the circuits C and \(\overline{C}\) are functionally equivalent; that is, that for all \(\lambda \in \mathbb {N}\), all \(C \in {\mathcal {C}}_\lambda \), all \(\overline{C} \leftarrow _{{\$}}{\mathbf{Obf }}(1^\lambda ,C)\), and all \({\textit{m}}_i \in \{0,1\}^\lambda \) for \(i \in [a(\lambda )]\), we have that \(C({\textit{m}}_1,\ldots ,{\textit{m}}_{a(\lambda )}) = \overline{C}({\textit{m}}_1,\ldots ,{\textit{m}}_{a(\lambda )})\). For randomized circuits, the authors of [17] define correctness via computational indistinguishability of the outputs of C and \(\overline{C}\). For our constructions, we do not rely on this property and instead require that C and \(\overline{C}\) are functionally equivalent up to a change in randomness; that is, for all \(\lambda \in \mathbb {N}\), all \(C \in {\mathcal {C}}_\lambda \), all \(\overline{C} \leftarrow _{{\$}}{\mathbf{Obf }}(1^\lambda ,C)\) and all \({\textit{m}}_i \in \{0,1\}^\lambda \) for \(i \in [a(\lambda )]\), we require there is an r such that \(\overline{C}({\textit{m}}_1,\ldots ,{\textit{m}}_{a(\lambda )}) = C({\textit{m}}_1,\ldots ,{\textit{m}}_{a(\lambda )};r)\). In this paper by correctness, we refer to this latter property. We note that the construction from [17] is correct as it relies on a correct (indistinguishability) obfuscator (and a PRF to internally generate the required random coins).

Fig. 1

Left: \({\text {IND-CPA}} \) security of a (homomorphic) PKE scheme. Middle: Indistinguishability security of an obfuscator. Right: Static input (aka. selective) \(X{\text {-IND}} \) property of \(\mathcal {A}:=(\mathcal {A} _1,\mathcal {A} _2)\)

Security. The security of an obfuscator \({\mathbf{Obf }}\) requires that for any legitimate ppt adversary \(\mathcal {A}:=(\mathcal {A} _1,\mathcal {A} _2)\)

$$\begin{aligned} \mathbf{Adv } ^{{\text {ind}}}_{{\mathbf{Obf }},\mathcal {A}}(\lambda ):= 2 \cdot \text {Pr }\left[ {\text {IND}} _{{\mathbf{Obf }}}^{\mathcal {A}}(\lambda ) \right] - 1 \in {\textsc {Negl}}~, \end{aligned}$$

where game \({\text {IND}} \) is shown in Fig. 1 (middle). Depending on the notion of legitimacy different security notions for the obfuscator emerge, we consider two such notions below.

Functionally equivalent samplers. We call (the first phase of) \(\mathcal {A} \) a functionally equivalent sampler if for any (possibly unbounded) distinguisher \(\mathcal {D} \)

$$\begin{aligned} \mathbf{Adv } ^{\mathrm{eq}\$}_{\mathcal {A},\mathcal {D}}(\lambda ):= & {} \text {Pr }\left[ C_0(x) \ne C_1(x): (C_0,C_1,st) \leftarrow _{{\$}}\mathcal {A} _1(1^\lambda ); x \leftarrow _{{\$}}\mathcal {D} (C_0,C_1,st) \right] \\\in & {} {\textsc {Negl}}. \end{aligned}$$

The security notion associated with equivalent samplers is called indistinguishability. We call an obfuscator meeting this level of security an indistinguishability obfuscator [24] and use \({\mathbf{IO }}\) instead of \({\mathbf{Obf }}\) to emphasize this.

\(X{\text {-IND}} \)samplers [17] Roughly speaking, \(\mathcal {A} \) is an \(X{\text {-IND}} \) sampler if there is a set \(\mathcal {X}\) of size at most X such that the circuits output by \(\mathcal {A} \) are functionally equivalent outside \(\mathcal {X}\) and furthermore within \(\mathcal {X}\) the outputs of the two sampled circuits are indistinguishable. Formally, let \(X(\cdot )\) be a function such that \(X(\lambda )\le 2^\lambda \) for all \(\lambda \in \mathbb {N}\). We call \(\mathcal {A} \) an \(X{\text {-IND}} \)sampler if there is a set \(\mathcal {X}_\lambda \) of size at most \(X(\lambda )\) such that the following two conditions hold: (1) for all (possibly unbounded) \(\mathcal {D} \), the advantage function below is negligible

$$\begin{aligned} \mathbf{Adv } ^{\mathrm{eq}\$}_{\mathcal {A},\mathcal {D}}(\lambda ):= & {} \text {Pr }\left[ C_0(x;r) \ne C_1(x;r) \wedge x \notin \mathcal {X}_\lambda : \right. \\&\left. (C_0,C_1,st) \leftarrow _{{\$}}\mathcal {A} (1^\lambda ); (x,r) \leftarrow _{{\$}}\mathcal {D} (C_0,C_1,st) \right] . \end{aligned}$$

(2) For all non-uniform ppt distinguishers \(\mathcal {D}:= (\mathcal {D} _1,\mathcal {D} _2)\)

$$\begin{aligned} X(\lambda ) \cdot \mathbf{Adv } ^{\text {sel-ind}} _{\mathcal {A},\mathcal {D}}(\lambda ):= X(\lambda ) \cdot \text {Pr }\left[ {\text {Sel-IND}} _{\mathcal {A}}^{\mathcal {D}}(1^\lambda ) \right] \in {\textsc {Negl}}~, \end{aligned}$$

where game \({\text {Sel-IND}} _{\mathcal {A}}^{\mathcal {D}}(1^\lambda )\) is shown in Fig. 1 (right). This game has a static (or selective) flavor as \(\mathcal {D} _1\) chooses a differing input xbefore it gets to see the challenge circuit pair. We call an obfuscator meeting this level of security a probabilistic indistinguishability obfuscator [17] and use \(\mathbf{PIO } \) instead of \({\mathbf{Obf }}\) to emphasize this.

[17] show how to construct secure probabilistic indistinguishability obfuscators for \(X{\text {-IND}} \) samplers from subexponentially secure indistinguishability obfuscation and subexponentially secure one-way functions.

Dual-Mode NIZK Proof Systems

In our constructions, we will be relying on special types of non-interactive zero-knowledge proof systems [29]. These systems have “dual-mode” common reference string (CRS) generation algorithms that produce indistinguishable CRSs in the “binding” and “hiding” modes. They also enjoy perfect completeness in both modes, are perfectly sound and extractable in the binding mode, and perfectly witness-indistinguishable (WI) and zero knowledge (ZK) in the hiding mode. The standard prototype for such schemes is pairing-based Groth–Sahai proofs [29]. These proof systems can be instantiated in any (pair of) pairing-friendly groups, under a variety of computational assumptions, including the SXDH and \(k\)-Linear assumptions. Moreover, using a generic NP reduction to the satisfiability of (systems of) quadratic equations, we can obtain a suitable proof system for any NP language.⁴ We formalize the syntax and security of such proof systems next.

Syntax. A relation with setup is a pair of ppt algorithms \(({\mathbf{S }},{\mathbf{R }})\) such that \({\mathbf{S }}(1^\lambda )\) outputs \(({\textit{gpk}},{\textit{gsk}})\) and \({\mathbf{R }}({\textit{gpk}},x,w)\) is a ternary relation that outputs a bit \(b\in \{0,1\}\). A dual-mode non-interactive zero-knowledge (NIZK) proof system \(\Sigma \) for \(({\mathbf{S }},{\mathbf{R }})\) consists of six algorithms as follows. (1) Algorithm \({\mathbf{BCRS }}({\textit{gpk}},{\textit{gsk}})\) outputs a (binding) common reference string \({\textit{crs}}\) and an extraction trapdoor \({\textit{td}}_{ext}\); (2) \({\mathbf{HCRS }}({\textit{gpk}},{\textit{gsk}})\) outputs a (hiding) common reference string \({\textit{crs}}\) and a simulation trapdoor \({\textit{td}}_{zk}\); (3) \({\mathbf{Prove }}({\textit{gpk}},{\textit{crs}},x,w)\) on input \({\textit{crs}}\), an instance x, and a witness w, outputs a proof \(\pi \); (4) \({\mathbf{Verify }}({\textit{gpk}},{\textit{crs}},x,\pi )\) on input a bit string \({\textit{crs}}\), an instance x, and a proof \(\pi \), outputs accept or reject; (5) \({\mathbf{WExt }}({\textit{td}}_{ext},x,\pi )\) on input an extraction trapdoor, an instance \(x\), and a proof \(\pi \), outputs a witness \(w\); and (6) \({\mathbf{Sim }}({\textit{td}}_{zk},{\textit{crs}},x)\) on input the simulation trapdoor \({\textit{td}}_{zk}\), the CRS \({\textit{crs}}\), and an instance x, outputs a simulated proof \({\pi }\). We require a dual-mode NIZK to meet the following requirements.

CRS indistinguishability. The common reference strings generated through \({\mathbf{BCRS }}({\textit{gpk}},{\textit{gsk}})\) and \({\mathbf{HCRS }}({\textit{gpk}},{\textit{gsk}})\) are computationally indistinguishable. We denote the distinguishing advantage of a ppt adversary \(\mathcal {A} \) in the relevant security game by \(\mathbf{Adv } ^{{\text {crs}}}_{\Sigma ,\mathcal {A}}(\lambda )\).

Perfect completeness under\({\mathbf{BCRS }}\)/\({\mathbf{HCRS }}\). For any \(\lambda \in \mathbb {N}\), any \(({\textit{gpk}},{\textit{gsk}}) \leftarrow _{{\$}}{\mathbf{S }}(1^\lambda )\), any \({\textit{crs}}\leftarrow _{{\$}}{\mathbf{BCRS }}({\textit{gpk}},{\textit{gsk}})\), any (x, w) such that \({\mathbf{R }}({\textit{gpk}},x,w)=1\), and any \(\pi \leftarrow _{{\$}}{\mathbf{Prove }}({\textit{gpk}},{\textit{crs}},x,w)\), we have that \({\mathbf{Verify }}({\textit{gpk}},{\textit{crs}},x,\pi )=1\). We require this property to also hold for any choice of \({\textit{crs}}\leftarrow _{{\$}}{\mathbf{HCRS }}({\textit{gpk}},{\textit{gsk}})\).

Perfect soundness under\({\mathbf{BCRS }}\). For any \(\lambda \in \mathbb {N}\), any \(({\textit{gpk}},{\textit{gsk}}) \leftarrow _{{\$}}{\mathbf{S }}(1^\lambda )\), any common reference string \({\textit{crs}}\leftarrow _{{\$}}{\mathbf{BCRS }}({\textit{gpk}},{\textit{gsk}})\), any x for which for all \(w\in \{0,1\}^*\), we have \({\mathbf{R }}({\textit{gpk}},x,w)=0\), and any \(\pi \in \{0,1\}^*\), we have that \({\mathbf{Verify }}({\textit{gpk}},{\textit{crs}},x,\pi ) = 0\).

Perfect extractability under\({\mathbf{BCRS }}\). For any \(\lambda \in \mathbb {N}\), any \(({\textit{gpk}},{\textit{gsk}}) \leftarrow _{{\$}}{\mathbf{S }}(1^\lambda )\), any \(({\textit{crs}},{\textit{td}}_{ext}) \leftarrow _{{\$}}{\mathbf{BCRS }}({\textit{gpk}},{\textit{gsk}})\), any tuple \((x,\pi )\) with \({\mathbf{Verify }}({\textit{gpk}},{\textit{crs}},x,\pi )=1\), and for \(w\leftarrow _{{\$}}{\mathbf{WExt }}({\textit{td}}_{ext},x,\pi )\), we always have \({\mathbf{R }}({\textit{gpk}},x,w)=1\).

Perfect WI under\({\mathbf{HCRS }}\). For any \(\lambda \in \mathbb {N}\), any \(({\textit{gpk}},{\textit{gsk}}) \leftarrow _{{\$}}{\mathbf{S }}(1^\lambda )\), any \(({\textit{crs}},{\textit{td}}_{zk}) \leftarrow _{{\$}} {\mathbf{HCRS }}({\textit{gpk}}, {\textit{gsk}})\), any \((x,w_b)\) such that \({\mathbf{R }}({\textit{gpk}},x,w_b)=1\) for \(b\in \{0,1\}\), we have that \({\pi }_b \leftarrow _{{\$}}{\mathbf{Prove }}({\textit{gpk}},{\textit{crs}},x,w_b)\) for \(b\in \{0,1\}\) are identically distributed.

Perfect ZK under\({\mathbf{HCRS }}\). For any \(\lambda \in \mathbb {N}\), any \(({\textit{gpk}},{\textit{gsk}}) \leftarrow _{{\$}}{\mathbf{S }}(1^\lambda )\), any \(({\textit{crs}},{\textit{td}}_{zk}) \leftarrow _{{\$}} {\mathbf{HCRS }}({\textit{gpk}}, {\textit{gsk}})\), any (x, w) such that \({\mathbf{R }}({\textit{gpk}},x,w)=1\), it is that \({\pi }_0 \leftarrow _{{\$}}{\mathbf{Prove }}({\textit{gpk}},{\textit{crs}},x,w)\) and \(\pi _1 \leftarrow _{{\$}}{\mathbf{Sim }}({\textit{td}}_{zk},x)\) are identically distributed.

Hard Membership Problems

Finally, we will use languages with hard membership problems. Let \(U=\{U_\lambda \}\) be a collection of universal sets, and let \(\mathcal {L}=\{\mathcal {L}_\lambda \}\) be a collection of sets \(\mathcal {L}_\lambda =\{L\}\) of languages with \(L\subseteq U_\lambda \) for each \(L \in \mathcal {L}_\lambda \). We say that \(\mathcal {L}\) has a hard subset membership problem if the following holds: No ppt algorithm given \(L\leftarrow _{{\$}}\mathcal {L}_\lambda \) can efficiently distinguish between \(x\leftarrow _{{\$}}L\) and \(x\leftarrow _{{\$}}U_\lambda \).

Multilinear Groups with Non-Unique Encodings

Before presenting our constructions, we formally introduce what we mean by a multilinear group (MLG) scheme. Our abstraction differs from that of Garg, Gentry, and Halevi [23] in that our treatment of MLG schemes is a direct adaptation of the “dream” MLG setting (called the “cryptographic” MLG setting in [7]) to a setting where group elements have non-unique encodings (as in [23]). In our abstraction, on top of the procedures needed for generating, manipulating, and checking group elements, we introduce an equality procedure which generalizes the equality relation for groups with unique encodings.

Syntax. A multilinear group (MLG) scheme \(\varGamma \) consists of six ppt algorithms as follows.

• \(\mathbf{Setup } (1^\lambda ,1^\kappa )\): This is the setup algorithm. On input the security parameter \(1^\lambda \) and the multilinearity \(1^\kappa \), it outputs the group parameters \({\textit{pp}}\). These parameters include generators\(\textit{g} _1,\ldots ,\textit{g} _{\kappa +1}\), identity elements\(\textsf {1} _1,\ldots ,\textsf {1} _{\kappa +1}\), and integers \(N_1,\ldots ,N_{\kappa +1}\), which will represent group orders. Generators, identity elements, and group orders are discussed in detail below. In our constructions, we will have \(N_1,\ldots ,N_{\kappa +1}\) all equal to some prime N, but we work here at a greater level of generality because it may be useful in future work. We assume \({\textit{pp}}\) is provided to the various algorithms below.

• \(\mathbf{Val } _i({h})\): This is the validity testing algorithm. On input (the group parameters), a group index \(1 \le i \le \kappa +1\) and a string \({h}\in \{0,1\}^*\), it returns \(b\in \{0,1\}\). We define \({\mathbb {G}}_i\), which is also parameterized by \({\textit{pp}}\), as the set of all \({h}\) for which \(\mathbf{Val } _i({h})=1\). We write \({h}\in {\mathbb {G}}_i\) when \(\mathbf{Val } _i({h})=1\) and refer to such strings as group elements (since we will soon impose a group structure on \({\mathbb {G}}_i\)). Without loss of generality, we assume the \({\mathbb {G}}_i\) to be non-intersecting sets (since a string \({h}\in {\mathbb {G}}_i\) can always be augmented with an encoding of i). We require that the bit strings in \({\mathbb {G}}_i\) have lengths that are polynomial in \(\lambda \) and \(\kappa \), a property that we refer to as compactness.

• \(\mathbf{Eq } _i({h}_1,{h}_2)\): This is the equality algorithm. On input two valid group elements \({h}_1,{h}_2 \in {\mathbb {G}}_i\), it outputs a bit \(b \in \{0,1\}\). We require \(\mathbf{Eq } _i\) to define an equivalence relation. We say that the group has unique encodings if \(\mathbf{Eq } _i\) simply checks the equality of bit strings. We write \({\mathbb {G}}_i({h})\) for the set of all \({h}' \in {\mathbb {G}}_i\) such that \(\mathbf{Eq } _i({h},{h}')=1\); for any such \({h}, {h}'\) in \({\mathbb {G}}_i\), we write \({h}= {h}'\); sometimes we write \({h}= {h}'\)in\({\mathbb {G}}_i\) for clarity. Since “\(=\)” refers to equality of bit strings as well as equivalence under \(\mathbf{Eq } _i\), we will henceforth write “as bit strings” when we mean equality in that sense. We require \(|{\mathbb {G}}_i/\mathbf{Eq } _i|\), the number of equivalence classes into which \(\mathbf{Eq } _i\) partitions \({\mathbb {G}}_i\), to be finite and equal to \(N_i\) (where \(N_i\) comes from \({\textit{pp}}\)). We assume throughout the paper that various algorithms below return \(\bot \) when run on invalid group elements.

• \(\mathbf{Op } _i({h}_1,{h}_2)\): This algorithm defines the group operation. On input two valid group elements \({h}_1,{h}_2 \in {\mathbb {G}}_i\), it outputs \({h}\in {\mathbb {G}}_i\). We write \({h}_1{h}_2\) in place of \(\mathbf{Op } _i({h}_1,{h}_2)\) for simplicity. We require that \(\mathbf{Op } _i\) respect the equivalence relations \(\mathbf{Eq } _i\), meaning that if \({h}_1 = {h}_2\) in \({\mathbb {G}}_i\) and \({h}\in {\mathbb {G}}_i\), then \({h}_1{h}= {h}_2{h}\) in \({\mathbb {G}}_i\). We also demand that \({h}_1 {h}_2 = {h}_2 {h}_1\) in \({\mathbb {G}}_i\) (commutativity); for any third \({h}_3 \in {\mathbb {G}}_i\), we require \({h}_1 ({h}_2 {h}_3) = ({h}_1 {h}_2){h}_3\) in \({\mathbb {G}}_i\) (associativity), and we require \({h}\textsf {1} _i = {h}\) in \({\mathbb {G}}_i\) for all \({h}\in {\mathbb {G}}_i\). The algorithm \(\mathbf{Op } _i\) gives rise to an exponentiation algorithm \(\mathbf{Exp } _i({h},z)\) that on input \({h}\in {\mathbb {G}}_i\) and \(z \in \mathbb {N}\) outputs an \(h' \in {\mathbb {G}}_i\) such that \(h' = h \cdots h\) in \({\mathbb {G}}_i\) with z occurrences of \({h}\). When no h is specified, we assume \({h}=\textit{g} _i\). This algorithm runs in polynomial time in the length of z. We denote \(\mathbf{Exp } _i({h},z)\) by \({h}^z\) and define \({h}^0:=\textsf {1} _i\). Note that under the definition of \(N_i\) for any \({h}\in {\mathbb {G}}_i\) we have that \(\mathbf{Exp } _i({h},N_i)=\textsf {1} _i\). This in turn leads to an inversion algorithm \(\mathbf{Inv } _i({h})\) that on input \({h}\in {\mathbb {G}}_i\) outputs \({h}^{N_i-1}\). We insist that \(g_i\) in fact has order \(N_i\), so that (the equivalence class containing) \(g_i\) generates \({\mathbb {G}}_i/\mathbf{Eq } _i\). The above requirements ensure that \({\mathbb {G}}_i/\mathbf{Eq } _i\) acts as a cyclic group of order \(N_i\) with respect to the operation induced by \(\mathbf{Op } _i\), with identity (the equivalence class containing) \(\textsf {1} _i\), and inverse operation \(\mathbf{Inv } _i\). We use the bracket notion [19] to denote an element \({h}= \textit{g} _i^x\) in \({\mathbb {G}}_i\) with \([ x ] _i\). When using this notation, we will write the group law additively. This notation will be convenient in the construction and analysis of our MLG schemes. For example, \({[z]}_i + {[z']}_i\) succinctly denotes \(\mathbf{Op } _i(\mathbf{Exp } (\textit{g} _i,z),\mathbf{Exp } (\textit{g} _i,z'))\). Note that when writing \({[z]}_i\), it is not necessarily the case that z is explicitly known.

• \(\mathbf{e } (h_1,\ldots ,h_\kappa )\): This is the multilinear map algorithm. For \(\kappa \) group elements \({h}_i \in {\mathbb {G}}_i\) as input, it outputs \({h}_{\kappa +1} \in {\mathbb {G}}_{\kappa +1}\). We demand that for any \(1 \le j \le \kappa \) and any \({h}'_j \in {\mathbb {G}}_j\)

  $$\begin{aligned} \mathbf{e } ({h}_1,\ldots ,{h}_j {{h}'}_j,\ldots ,{h}_\kappa ) = \mathbf{e } ({h}_1,\ldots ,{h}_j,\ldots ,{h}_\kappa ) \mathbf{e } ({h}_1,\ldots ,{h}'_j,\ldots ,{h}_\kappa ) \text{ in } {\mathbb {G}}_{\kappa +1}. \end{aligned}$$

  We also require the map to be non-degenerate in the sense that for some tuple of elements as input the multilinear map outputs an element of \({\mathbb {G}}_{\kappa +1}\) outside the equivalence class of \(\textsf {1} _{\kappa +1}\). We call an MLG scheme symmetric if the group algorithms are independent of the group index for \(1 \le i \le \kappa \) and \(\mathbf{e } \) is invariant under permutations of its inputs. That is, for any permutation \(\pi :[\kappa ] \longrightarrow [\kappa ]\), we have

  $$\begin{aligned} \mathbf{e } ({h}_{1},\ldots ,{h}_{\kappa }) = \mathbf{e } (h_{\pi (1)},\ldots ,{h}_{\pi (\kappa )}) \text{ in } {\mathbb {G}}_{\kappa +1}~. \end{aligned}$$

  We refer to all the other cases as being asymmetric. To distinguish the target group, we frequently write \({\mathbb {G}}_T\) instead of \({\mathbb {G}}_{\kappa +1}\) (and similarly for \(\textsf {1} _T\) and \(\textit{g} _T\) in place of \(\textsf {1} _{\kappa +1}\) and \(\textit{g} _{\kappa +1}\)) as its structure in our construction will be different from that of the source groups \({\mathbb {G}}_1,\ldots ,{\mathbb {G}}_{\kappa }\).

• \(\mathbf{Sam } _i(z)\): This is the sampling algorithm. On input \(z \in \mathbb {N}\), it outputs some \({h}\in {\mathbb {G}}_i\). We also allow a special input \(\varepsilon \) to this algorithm, in which case the sampler is required to output some \({h}\in {\mathbb {G}}_i\) together with a uniformly distributed z such that \({h}\in {\mathbb {G}}_i(\textit{g} _i^z)\). Note that for groups with unique encodings, these algorithms trivially exist. For notational convenience, for a known a, we define \([a]_i\) to be an element sampled via \(\mathbf{Sam } _i(a)\).

Some applications also rely on the following algorithm which provides a canonical bit string for the group elements within a single equivalence class.

• \(\mathbf{Ext } _i({h})\): This is the extraction algorithm. On input \({h}\in {\mathbb {G}}_i\), it outputs a string \(s \in \{0,1\}^{{{\text {poly}}}(\lambda )}\). We demand that for any \({h}_1,{h}_2 \in {\mathbb {G}}_i\) with \({h}_1 = {h}_2\) in \({\mathbb {G}}_i\), we have that \(\mathbf{Ext } _i({h}_1)= \mathbf{Ext } _i({h}_2)\) (as bit strings). We also require that for \({[z]}_i \leftarrow _{{\$}}\mathbf{Sam } _i(\varepsilon )\), the distribution of \(\mathbf{Ext } _i({[z]}_i)\) is uniform over \(\{0,1\}^{{{\text {poly}}}(\lambda )}\). For groups with unique encodings, this algorithm trivially exists.

Comparison with GGH. Our formalization differs from that of [23] which defines a graded encoding scheme. The main difference is that a graded encoding scheme defines bilinear maps \(\mathbf{e } _{i,j}: {\mathbb {G}}_i \times {\mathbb {G}}_j \longrightarrow {\mathbb {G}}_{i+j}\). Using this algorithm, one can implement \(\mathbf{Eq } _i\) for any \(1 \le i \le \kappa \) from \(\mathbf{Eq } _{\kappa +1}\) as follows (if \(\mathbf{e } _{i,j}\) is injective). To check the equality of \({h}_1,{h}_2 \in {\mathbb {G}}_i\), call \(\mathbf{e } _{i,\kappa +1-i}({h},\textit{g} _{\kappa +1-i})\) for \({h}={h}_1,{h}_2\) to map these elements to the target group and check equality there using \(\mathbf{Eq } _{\kappa +1}\). Similarly, \(\mathbf{Ext } _{i}({h})\) can be constructed from \(\mathbf{Ext } _{\kappa +1}({h})\) and \(\textsf {1} _j\) for all \({\mathbb {G}}_j\). (Note that for extraction we need a canonical string rather than a canonical group element.) Moreover, the abstraction and construction of graded encodings schemes in [23] do not provide any validity algorithms; these are useful in certain adversarial situations such as CCA security and signature verification. Further, all known candidate constructions of graded encoding schemes are noisy and only permit a limited number of group operations (though parameters can be set to allow that number to be polynomial). Finally, the known candidate graded encoding schemes do not permit sampling for specific values of z, but rather only permit sampling elements with a z that is only known up to its equivalence class.

Syntactic extensions. Although our syntax does not treat the cases of graded [15, 23], exponentially multilinear, or self-pairing [43] maps, it can be modified to capture these variants. We briefly outline the required modifications. For graded maps, we require the existence of a map that on input \({h}_i \in {\mathbb {G}}_i\) for indices \(i=i_1,\ldots ,i_\ell \) with \(t:=\sum _{i=1}^{\ell } i_j \le \kappa \) outputs a group element in \({\mathbb {G}}_t\). This map is required to be multilinear in each component. For exponential (aka. unbounded) linearity, we provide the linearity \(\kappa \) in its binary representation to the \(\mathbf{Setup } \) algorithm. We also include procedures for generator and identity element generation. Proper self-pairing maps correspond to a setting where the group algorithms are independent of the group index for \(1 \le i \le \kappa +1\) (including the target index \(\kappa +1\)), and the group generators and identity elements are all identical. Observe that a proper self-pairing would induce a graded encoding scheme of unbounded linearity; recall from the introduction that the scheme of Yamakawa et al. [43] does not meet this definition because of the growth in the size of its auxiliary information.

The Construction

We now present our construction of an MLG scheme \(\varGamma \) according to the syntax introduced in Sect. 3. In the later sections, we will consider special cases of the construction and prove the hardness of analogues of the multilinear DDH problem under various assumptions.

We rely on the following building blocks in our MLG scheme. (1) A cyclic group \({\mathbb {G}}_0\) of some order \(N_0\) with generator \(\textit{g} _0\) and identity \(\textsf {1} _0\); formally, we think of this as a 1-linear MLG scheme \(\varGamma _0\) with unique encodings in which \(\mathbf{e } \) is trivial; the algorithm \(\mathbf{Val } _0\) implies that elements of \({\mathbb {G}}_0\) are efficiently recognizable. (2) A general-purpose obfuscator \({\mathbf{Obf }}\). (3) A perfectly correct additively homomorphic public-key encryption scheme \({{\Pi }}:=({\mathbf{Gen }},{\mathbf{Enc }},{\mathbf{Dec }},{\mathbf{Eval }})\) with plaintext space \(\mathbb {Z}_{N}\).⁵ (4) A dual-mode NIZK proof system. (5) A family \(\mathcal {TD}\) of (families of) languages TD  which has a hard subset membership problem, and such that all TD  have efficiently computable witness relations with unique witnesses.⁶ (See Sect. 2 for more formal definitions.)

We reserve variables and algorithms with index 0 for the base scheme \(\varGamma _0\); we also write \(N=N_0\). We require that the algorithms of \(\varGamma _0\) except for \(\mathbf{Setup } _0\) and \(\mathbf{Sam } _0\) are deterministic. We will also use the bracket notation to denote the group elements in \({\mathbb {G}}_0\). For example, we write \({[z]}_0,{[z']}_0 \in {\mathbb {G}}_0\) for two valid elements of the base group and \({[z]}_0+{[z']}_0 \in {\mathbb {G}}_0\) for \(\mathbf{Op } _0({[z]}_0,{[z']}_0)\). Variables with nonzero indices correspond to various source and target groups. Given all of the above components, our MLG scheme \(\varGamma \) consists of algorithms as detailed in the sections that follow.

Setup

The setup algorithm for \(\varGamma \) samples parameters \({\textit{pp}}_0 \leftarrow _{{\$}}\mathbf{Setup } _0(1^\lambda )\) for the base MLG scheme generates two encryption key pairs \(({\textit{pk}}_j,{\textit{sk}}_j) \leftarrow _{{\$}}{\mathbf{Gen }}(1^\lambda )\) (\(j=1,2\)) of an HPKE scheme, and a matrix \({\mathbf{W }}= {({\varvec{\omega }}_{1},\ldots ,{\varvec{\omega }}_{\kappa })}^t \in \mathbb {Z}_N^{\kappa \times \ell }\) where \(\kappa \) is the linearity and \(\ell = 2\) is a parameter of our construction. Although many of the upcoming results hold for more general distributions of \({\mathbf{W }}\), for concreteness, we set \({\varvec{\omega }}_{i}=(1,\omega )\) for all \(i\) and a uniformly random \(\omega \). The setup algorithm then sets

$$\begin{aligned} {\textit{gpk}}:= ({\textit{pp}}_0,{\textit{pk}}_1,{\textit{pk}}_2,{[{\mathbf{W }}]}_0,{\textsf {TD}},{y})~, \end{aligned}$$

where \({[{\mathbf{W }}]}_0\) denotes a matrix of \({\mathbb {G}}_0\) elements that entrywise is written in the bracket notation, \({\textsf {TD}}\leftarrow _{{\$}}\mathcal {TD}\), and \({y}\) is not in TD. In our MLG scheme, we set \(N_1 = \cdots = N_{\kappa +1} := N\), where N is the group order implicit in \({\textit{pp}}_0\). The setup algorithm then generates a common reference string \({\textit{crs}}= ({\textit{crs}}',y)\) where \({\textit{crs}}'\leftarrow _{{\$}}{\mathbf{BCRS }}({\textit{gpk}},{\textit{gsk}})\) for a relation \(({\mathbf{S }},{\mathbf{R }})\) that will be defined in Sect. 4.2. It also constructs two obfuscated circuits \(\overline{C}_{{\text {Map}}}\) and \(\overline{C}_{{\text {Add}}}\) which we will describe in Sects. 4.3 and 4.4. For \(1 \le i \le \kappa \), the identity elements \(\textsf {1} _i\) and group generators \(\textit{g} _i\) are sampled using \(\mathbf{Sam } _i(0)\) and \(\mathbf{Sam } _i(x_i)\), respectively, for algorithm \(\mathbf{Sam } _i\) described in Sect. 4.5 with \(x_i \in [N-1]\). We emphasize that this approach is well defined since the operation of \(\mathbf{Sam } _i\) is defined independently of the generators and the identity elements and depends only on \({\textit{gpk}}\) and \({\textit{crs}}\). We set \(\textsf {1} _{\kappa +1}= \textsf {1} _0\) and \(\textit{g} _{\kappa +1} = \textit{g} _0\). The scheme parameters are

$$\begin{aligned} {\textit{pp}}: = ({\textit{gpk}},{\textit{crs}},\overline{C}_{{\text {Map}}},\overline{C}_{{\text {Add}}},\textit{g} _1,\ldots ,\textit{g} _{\kappa +1},\textsf {1} _1,\ldots ,\textsf {1} _{\kappa +1})~. \end{aligned}$$

We note that this algorithm runs in polynomial time in \(\lambda \) as long as \(\kappa \) is polynomial in \(\lambda \).

Validity and Equality

The elements of \({\mathbb {G}}_i\) for \(1 \le i \le \kappa \) are tuples of the form \({h}= ({[z]}_0,{\mathbf{c }}_{1},{\mathbf{c }}_{2},{\pi })\) where \({\mathbf{c }}_{1},{\mathbf{c }}_{2}\) are encryptions of vectors from \(\mathbb {Z}_{N}^\ell \) under \({\textit{pk}}_1,{\textit{pk}}_2\), respectively (encryption algorithm \({\mathbf{Enc }}\) extends from plaintext space \(\mathbb {Z}_{N}\) to \(\mathbb {Z}_{N}^\ell \) in the obvious way) and where \({\pi }\) is a NIZK to be defined below. We refer to \(({\mathbf{c }}_{1},{\mathbf{c }}_{2},{\pi })\) as the auxiliary information for \({[z]}_0\). The elements of \({\mathbb {G}}_{\kappa +1}\) are just those of \({\mathbb {G}}_0\).

The NIZK proof system that we use corresponds to the following inclusive disjunctive relation \(({\mathbf{S }},{\mathbf{R }}:={\mathbf{R }}_{1}\vee {\mathbf{R }}_{2})\). Algorithm \({\mathbf{S }}(1^\lambda )\) outputs \({\textit{gpk}}= ({\textit{pp}}_0,{\textit{pk}}_1,{\textit{pk}}_2,{[{\mathbf{W }}]}_0,{\textsf {TD}})\) as defined above and sets \({\textit{gsk}}= ({\textit{sk}}_1,{\textit{sk}}_2)\). Relation \({\mathbf{R }}_{1}\) on input \({\textit{gpk}}\), tuple \(({[z]}_0,{\mathbf{c }}_{1},{\mathbf{c }}_{2})\), and witness \(({\mathbf{x }},{\mathbf{y }},{\mathbf{r }}_1,{\mathbf{r }}_2,{\textit{sk}}_1,{\textit{sk}}_2)\) accepts iff \({[z]}_0 \in {\mathbb {G}}_0\), the representations of \({[z]}_0\) as \({\mathbf{x }},{\mathbf{y }}\in \mathbb {Z}_{N}^\ell \) are valid with respect to \({[{\mathbf{W }}]}_0\) in the sense that

$$\begin{aligned} {[z]}_0 = {[{\langle {\mathbf{x }},{\varvec{\omega }}_{i} \rangle }]}_0 \wedge \, {[z]}_0 = {[{\langle {\mathbf{y }},{\varvec{\omega }}_{i} \rangle }]}_0~, \end{aligned}$$

(where \({\langle \cdot ,\cdot \rangle }\) denotes inner product) and the following ciphertext validity condition (with respect to the inputs to the relation) is met:

$$\begin{aligned} \begin{aligned} ({\mathbf{c }}_{1} = {\mathbf{Enc }}({\mathbf{x }},{\textit{pk}}_1;{\mathbf{r }}_1)&\wedge {\mathbf{c }}_{2} = {\mathbf{Enc }}({\mathbf{y }},{\textit{pk}}_2;{\mathbf{r }}_2)) \\&\ \vee \\ \big (({\textit{pk}}_1,{\textit{sk}}_1) = {\mathbf{Gen }}({\textit{sk}}_1)&\wedge \, ({\textit{pk}}_2,{\textit{sk}}_2) = {\mathbf{Gen }}({\textit{sk}}_2)\\ \wedge \,{\mathbf{x }}= {\mathbf{Dec }}({\mathbf{c }}_{1},{\textit{sk}}_1)&\wedge {\mathbf{y }}= {\mathbf{Dec }}({\mathbf{c }}_{2},{\textit{sk}}_2))\big ) \end{aligned} \end{aligned}$$

(1)

Recall that we have assumed the secret key of the encryption scheme to be the random coins used in \({\mathbf{Gen }}\). Note that the representation validity check can be efficiently performed “in the exponent” using \({[{\mathbf{W }}]}_0\) and the explicit knowledge of \({\mathbf{x }}\) and \({\mathbf{y }}\). Note also that for honestly generated keys and ciphertexts, the two checks in the expression above are equivalent (although this is not generally the case when public keys are malformed, i.e., not in the range of Gen).

Intuitively, the upper branch of the disjunction (1) checks consistency based on encryption randomness. This branch allows \(\mathbf{Sam } \) to generate proofs without decryption keys. The lower branch of (1) uses decryption keys. This branch is used by the addition circuit \(\mathbf{Add } \) to generate proofs without knowing the encryption randomness.

Relation \({\mathbf{R }}_{2}\) depends on the language TD, and on input \({\textit{gpk}}\), tuple \(({[z]}_0,{\mathbf{c }}_{1},{\mathbf{c }}_{2})\), and witness \(w_y\) accepts iff \(w_y\) is a valid witness to \( y \in {\textsf {TD}}\). (Note that \({\mathbf{R }}_{2}\) completely ignores \(({[z]}_0,{\mathbf{c }}_{1},{\mathbf{c }}_{2})\).) Intuitively, \({\mathbf{R }}_{2}\) creates a simulation trapdoor (i.e., \(w_y\)) that allows to generate proofs for statements that are not in \({\mathbf{R }}_{1}\).

For \(1 \le i \le \kappa \), the \(\mathbf{Val } _i\) algorithm for \(\varGamma \), on input \(({[z]}_0,{\mathbf{c }}_{1},{\mathbf{c }}_{2},{\pi })\), first checks that the first component is in \({\mathbb {G}}_0\) using \(\mathbf{Val } _0\) and then checks the proof \({\pi }\); if both tests pass, it then returns \(\top \), else \(\bot \). Observe that for an honest choice of \({\textit{crs}}= ({\textit{crs}}',y)\), the perfect completeness and the perfect soundness of the proof system ensure that only those elements which pass relation \({\mathbf{R }}_{1}\) are accepted. Algorithm \(\mathbf{Val } _{\kappa +1}\) just uses \(\mathbf{Val } _0\).

The equality algorithm \(\mathbf{Eq } _i\) of \(\varGamma \) for \(1 \le i \le \kappa \) first checks the validity of the two group elements passed to it and then returns true iff their first components match, according to \(\mathbf{Eq } _0\), the equality algorithm from the base scheme \(\varGamma _0\). Algorithm \(\mathbf{Eq } _{\kappa +1}\) just uses \(\mathbf{Eq } _0\). The correctness of this algorithm follows from the perfect completeness of \(\Sigma \).

Group Operations

We provide a procedure that, given as inputs \({h}=([ z ] _0, {\mathbf{c }}_{1},{\mathbf{c }}_{2},{\pi })\) and \({h}'=([ z' ] _0, {\mathbf{c }}_{1}',{\mathbf{c }}_{2}',{\pi }') \in {\mathbb {G}}_i\), generates a tuple representing the product \(h\cdot h'\). This, in particular, will enable our multilinear map to be run on the additions of group elements whose explicit representations are not necessarily known. We exploit the structure of the base group as well as the homomorphic properties of the encryption scheme to “add together” the first three components. We then use \(({\textit{sk}}_{1},{\textit{sk}}_{2})\) as a witness to generate a proof \({\pi }''\) that the new tuple is well formed. (For technical reasons, we check the validity of \({h}\) and \({h}'\) in two different ways: using proofs \({\pi }\), \({\pi }'\), and also explicitly using \(({\textit{sk}}_{1},{\textit{sk}}_{2})\). Note that, although useful in the analysis, the explicit check is redundant by the perfect soundness of the proof system under a binding \({\textit{crs}}'\).)

In \({\textit{pp}}\), we include an obfuscation of the \(C_{{\text {Add}}}\) circuit shown in Fig. 2 (top), and again, we emphasize that steps 5a or 5b are never reached with a binding \({\textit{crs}}'\) (but they may be reached with a hiding \({\textit{crs}}'\) later in the analysis). Note that although we have assumed the evaluation algorithm to be deterministic, algorithm \({\mathbf{Prove }}\) is randomized and we need to address how we deal with its coins. To this end, we use a \(\mathbf{PIO }\) to obfuscate \({C}_{{\text {Add}}}\); the probabilistic obfuscator directly deals with the needed randomness.⁷ The \(\mathbf{Op } _i\) algorithm for \(1 \le i \le \kappa \) runs the obfuscated circuit on i, the input group elements. Algorithm \(\mathbf{Op } _{\kappa +1}\) just uses \(\mathbf{Op } _0\) as usual. The correctness of this algorithm follows from those of \(\varGamma _0\) and \({{\Pi }} \), the completeness of \(\Sigma \), and the correctness, in our sense, of the probabilistic obfuscator \({\mathbf{Obf }}\)\(= \mathbf{PIO } \); see Sect. 2 for the definitions.

Fig. 2

Top: Circuit for addition of group elements. Explicit randomness \({r}\) is internally generated when using a \(\mathbf{PIO }\). Bottom: Circuit implementing the multilinear map. Recall that here \({\textit{gpk}}= ({\textit{pp}}_0,{\textit{pk}}_1,{\textit{pk}}_2,{[{\mathbf{W }}]}_0,{\textsf {TD}},y)\)

The Multilinear Map

The multilinear map for \(\varGamma \), on input \(\kappa \) group elements \(h_i=[ {z}_i ] _i = ([ z_i ] _0, {\mathbf{c }}_{i,1},{\mathbf{c }}_{i,2},{\pi }_i)\), uses \({\textit{sk}}_1\) to recover the representation \({\mathbf{x }}_{i}\). It then uses the explicit knowledge of the matrix \({\mathbf{W }}\) to compute the output of the map as

$$\begin{aligned} \mathbf{e } ([ {z}_{1} ] _1,\ldots ,[ {z}_{\kappa } ] _\kappa ) : = {\left[ \prod _{i = 1}^k\langle {\mathbf{x }}_{i},{\varvec{\omega }}_i \rangle \right] }_{\kappa +1}~. \end{aligned}$$

Recalling that \({\mathbb {G}}_{\kappa +1}\) is nothing other than \({\mathbb {G}}_0\), and \(\textit{g} _{\kappa +1} = \textit{g} _0\), the output of the map is just the \({\mathbb {G}}_0\)-element \({(\textit{g} _0)}^{\prod _{i = 1}^k\langle {\mathbf{x }}_{i},{\varvec{\omega }}_i \rangle }\). The product in the exponent can be efficiently computed over \(\mathbb {Z}_N\) for any polynomial level of linearity \(\kappa \) and any \(\ell \) as it uses \({\mathbf{x }}_{i}\) and \({\varvec{\omega }}_i\) explicitly. The multilinearity of the map follows from the linearity of each of the multiplicands in the above product (and the completeness of \(\Sigma \), the correctness of \({{\Pi }} \), and the correctness of the (possibly probabilistic) obfuscator \({\mathbf{Obf }}\)). An obfuscation \(\overline{C}_{{\text {Map}}}\) of the circuit implementing this operation (see Fig. 2, bottom) will be made available through the public parameters, and \(\mathbf{e } \) is defined to run this circuit on its inputs.

Sampling and Extraction

For sampling random group elements, we first define two vectors \({\mathbf{x }}\) and \({\mathbf{y }}\) in \(\mathbb {Z}_N^\ell \) satisfying \({\langle {\mathbf{x }},{\varvec{\omega }}_{i} \rangle } = {\langle {\mathbf{y }},{\varvec{\omega }}_{i} \rangle }\). In other words, these vectors define two equivalent representations of a group element relative to a matrix \({\mathbf{W }}\). If \({\mathbf{W }}\) is explicitly known, the vectors \({\mathbf{x }}\) and \({\mathbf{y }}\) can take arbitrary forms subject to validity. However, is only implicitly known by an honest user of the system, and in order to sample random group elements, we set \({\mathbf{x }}={\mathbf{y }}=(z,0)\) for \(\ell =2\). (We call these the canonical representations.)

Then, we set \({[z]}_0 := {[{\langle {\mathbf{y }},{\varvec{\omega }}_{i} \rangle }]}_0\) (which can be computed using \([{\mathbf{W }}]_0\) and explicit knowledge of \({\mathbf{x }}\)) and

$$\begin{aligned} {[z]}_i \leftarrow \big (&{[z]}_0, {\mathbf{c }}_{1} = {\mathbf{Enc }}({\mathbf{x }},{\textit{pk}}_1;{\mathbf{r }}_1), {\mathbf{c }}_{2} ={\mathbf{Enc }}({\mathbf{y }},{\textit{pk}}_2;{\mathbf{r }}_2),\\&\,{\pi }= {\mathbf{Prove }}({\textit{gpk}},{\textit{crs}},([ z ] _i,{\mathbf{c }}_{1},{\mathbf{c }}_{2}),({\mathbf{x }},{\mathbf{y }},{\mathbf{r }}_1,{\mathbf{r }}_2) \big )~. \end{aligned}$$

Note that the outputs of the sampler are not statistically uniform within \({\mathbb {G}}_i({[z]}_i)\). Indeed, not even the \({\text {IND-CPA}} \) security of the encryption directly implies any form of security of the generated ciphertexts (since the addition circuit \(\mathbf{Add }\) contains the corresponding decryption keys). Our upcoming “switching theorem” (Theorem 1) will, however, prove that encodings that are functionally equivalent cannot be efficiently distinguished.

Since the target group has unique encodings, as noted in Sect. 3, an extraction algorithm for all groups can be derived from one for the target group. The latter can be implemented by applying a universal hash function to the group elements in \({\mathbb {G}}_T\), for example.

Indistinguishability of Encodings

In this section, we will prove a theorem that is an essential tool in establishing the intractability of the \(\kappa -{\text {MDDH}} \) for our MLG scheme \(\varGamma \) constructed in Sect. 4. This theorem, roughly speaking, states that valid encodings of elements within a single equivalence class are computationally indistinguishable. We formalize this property via the \(\kappa -{\text {Switch}} \) game shown in Fig. 3. This game lets an adversary \(\mathcal {A} \) choose an element \([ z ] _i \in {\mathbb {G}}_i\) by producing two valid representations \(({\mathbf{x }}_{0},{\mathbf{y }}_{0})\) and \(({\mathbf{x }}_{1},{\mathbf{y }}_{1})\) for it. The adversary is given an encoding of \([ z ] _i\) generated using \(({\mathbf{x }}_{b},{\mathbf{y }}_{b})\) for a random b and has to guess the bit b. In this game, besides access to \({\textit{pp}}\), which contains the obfuscated circuits for the group operation and the multilinear map, we also provide the matrix \({\mathbf{W }}\) in the clear to the adversary. This strengthens the \(\kappa -{\text {Switch}} \) game and is needed for our later analysis.

To prove that the advantage of \(\mathcal {A} \) in the \(\kappa -{\text {Switch}} \) game is negligible, we rely on the security of the obfuscator, the \({\text {IND-CPA}} \) security of the encryption scheme, and the security of the NIZK proof system.

Fig. 3

Game formalizing the indistinguishability of encodings with an equivalence class. This game is specific to our construction \(\varGamma \). An adversary is legitimate if \(z = \langle {\mathbf{x }}_{b},{\varvec{\omega }}_i \rangle = \langle {\mathbf{y }}_{b},{\varvec{\omega }}_i \rangle \) for \(b \in \{0,1\}\). We note that \(\mathcal {A} \) gets explicit access to matrix \({\mathbf{W }}\) generated during setup

Intuitively, the \({\text {IND-CPA}} \) security of the encryption scheme will ensure that the encryptions of the two representations are indistinguishable. This argument, however, does not immediately work as the parameters \({\textit{pp}}\) contain component \(\overline{C}_{\text {Add}}\) that depends on both decryption keys. We deal with this by finding an alternative implementation of this circuit without the knowledge of the secret keys, in the presence of a slightly different public parameters (which are computationally indistinguishable to those described in Sect. 4). The next lemma, roughly speaking, says that provided parameters ppinclude an instance \(y\in {\textsf {TD}}\); then, there exists an alternative implementation \(\widehat{C}_{{\text {Add}}}\) that does not use the secret keys, and whose obfuscation is indistinguishable to that of \(\widetilde{C}_{{\text {Add}}}\) of Fig. 2 (top) for an adversary that knows the secret keys. It relies on the security of the obfuscator and the security of the NIZK proof system.

Lemma 1

(\(C_{{\text {Add}}}\) without decryption keys) Let \(\mathbf{PIO } \) be a secure obfuscator for \(X{\text {-IND}} \) samplers and \(\Sigma \) be a dual-mode NIZK proof system. Additionally, let parameters \(\widetilde{{\textit{pp}}}\) be sampled as in Sect. 4 but with \(\widetilde{y}\in {\textsf {TD}}\). Furthermore, let \(\widehat{{\textit{pp}}}\) be sampled as \(\widetilde{{\textit{pp}}}\), but with a hiding CRS \(\widehat{{\textit{crs}}}'\), and an obfuscation of circuit \(\widehat{C}_{{\text {Add}}}\) of Fig. 4 (bottom). Then, for any ppt adversary \(\mathcal {A}\), there are ppt adversaries \(\mathcal {B} _1\) and \(\mathcal {B} _2\) of essentially the same complexity as \(\mathcal {A} \) such that for all \(\lambda \in \mathbb {N}\)

$$\begin{aligned}&\text {Pr }[\mathcal {A} (\widetilde{{\textit{pp}}},{\textit{sk}}_{1},{\textit{sk}}_{2}) = 1\;:\; ({\textit{sk}}_{1},{\textit{sk}}_{2}) \leftarrow _{{\$}}{\mathbf{Gen }}(1^\lambda )]\\&\quad -\text {Pr }[\mathcal {A} (\widehat{{\textit{pp}}},{\textit{sk}}_{1},{\textit{sk}}_{2}) = 1\;:\; ({\textit{sk}}_{1},{\textit{sk}}_{2}) \leftarrow _{{\$}}{\mathbf{Gen }}(1^\lambda )]\\&\quad \le 2\cdot \mathbf{Adv } _{\mathbf{PIO },\mathcal {B} _1}^{{\text {ind}}}(\lambda ) + \mathbf{Adv } ^{{\text {crs}}}_{\Sigma ,\mathcal {B} _2}(\lambda ). \end{aligned}$$

Proof

The crucial observation is that a witness \(w_y\) to \(\widetilde{y}\in {\textsf {TD}}\) is also a witness to \(x\in {\mathbf{R }}\), and therefore, \(\widehat{C}_{{\text {Add}}}\) can use \(w_y\) instead of \({\textit{sk}}_{1}\), \({\textit{sk}}_{2}\) to produce the output proof \({\pi }''\). Below we provide descriptions of the transformation from \(C_{{\text {Add}}}\) to \(\widehat{C}_{{\text {Add}}}\), and let \({\text {W}}_i\) denote the event that \(\mathcal {A}\) in \({\text {Game}} _i\) outputs 1.

\({\text {Game}} _0\)::

We start with (a \({\text {PIO}}\) obfuscation of) circuit \(C_{{\text {Add}}}\) of Fig. 2 and with \(\widetilde{{\textit{pp}}}\) including \(\widetilde{y}\in {\textsf {TD}}\) and a binding \({\textit{crs}}'\).

\({\text {Game}} _1\)::

The circuit has witness \(w_y\) to \(\widetilde{y}\in {\textsf {TD}}\) hard-coded. If some input reaches the “invalid” branches, \(C_{{\text {Add}}}\) does not extract a witness from the corresponding proof, but instead uses \(w_y\) to generate proof \({\pi }''\). [See Fig. 4 (top).] Note that \({\text {Game}} _1\) requires no extraction trapdoor \({\textit{td}}_{ext}\) anymore. We claim that \(|Pr[{\text {W}}_0(\lambda )] - Pr[{\text {W}}_1(\lambda )] |\le \mathbf{Adv } _{\mathbf{PIO },\mathcal {B} _1}^{{\text {ind}}}(\lambda )\). By construction, the only difference between the games is that in \({\text {Game}} _1\), proof \({\pi }''\), with respect to invalid (input) encodings, is generated using hard-coded witness \(w_y\) to \(\widetilde{y}\in {\textsf {TD}}\). Since \(w_y\) is unique, and the CRS \({\textit{crs}}'\) guarantees perfect soundness, this leads to identical behavior of \(C_{{\text {Add}}}\) in Game 0. Hence, this hop is justified by \({\text {PIO}}\).

\({\text {Game}} _2\)::

The CRS \(\widehat{{\textit{crs}}}'\) included in the public parameters is now hiding (such that the generated proofs are perfectly witness-indistinguishable). We have that

$$\begin{aligned} |Pr[{\text {W}}_1(\lambda )] - Pr[{\text {W}}_2(\lambda )] |\le \mathbf{Adv } ^{{\text {crs}}}_{\Sigma ,\mathcal {B} _2}(\lambda ), \end{aligned}$$

where \(\mathcal {B} _2\) is a ppt algorithm against the indistinguishability of binding and hiding CRS’s.

\({\text {Game}} _3\)::

ere, output proofs \({\pi }''\) for those inputs entering the “valid” branch (step 5b of Fig. 4 (top)) use \(w_y\) (and not \({\textit{sk}}_1,{\textit{sk}}_2\)) as witness. In particular, this game does not need to perform a explicit validity check (using \({\textit{sk}}_1,{\textit{sk}}_2\)) anymore, and therefore, the addition circuit can be described as in Fig. 4 (bottom). We claim that \(|Pr[{\text {W}}_2(\lambda )] - Pr[{\text {W}}_3(\lambda )] |\le \mathbf{Adv } _{\mathbf{PIO },\mathcal {B} _1}^{{\text {ind}}}(\lambda )\). By construction, the only difference between both games is that the public parameters in \({\text {Game}} _2\) contain a \({\text {PIO}}\) obfuscation of \(C_{{\text {Add}}}\) and in \({\text {Game}} _3\) contain a \({\text {PIO}}\) obfuscation of \(\widehat{C}_{{\text {Add}}}\) of Fig. 4. In Lemma 2, we prove that these circuit variants are given by an X-IND sampler, and therefore, their \({\text {PIO}}\) obfuscations are indistinguishable.\(\square \)

Fig. 4

Circuits for addition of group elements used in Lemma 1. \(\widehat{{\textit{pp}}}\) includes \({\textit{gpk}}= ({\textit{pp}}_0,{\textit{pk}}_1,{\textit{pk}}_2,{[{\mathbf{W }}]}_0,{\textsf {TD}},\widetilde{y})\) where \(\widetilde{y}\in {\textsf {TD}}\) (also includes a hiding CRS \(\widehat{{\textit{crs}}}'\)). Both circuits also have hard-coded (the) witness \(w_y\) to \(\widetilde{y}\in {\textsf {TD}}\). Top:\({\textit{sk}}_{1}\), \({\textit{sk}}_{2}\) are used to produce \({\pi }''\) on valid inputs. Bottom:\(w_y\) is always used to produce \({\pi }''\)

Lemma 2

(X-IND sampling) Let \(\Sigma \) be a dual-mode NIZK proof system for the relation \(({\mathbf{S }},{\mathbf{R }})\) defined in Sect. 4.2. Suppose \(\Sigma \) is perfectly witness-indistinguishable under a hiding CRS. Let \(\mathcal {A} \) be a sampler which outputs circuits \((\widetilde{C}_{\text {Add}},\widehat{C}_{\text {Add}})\) of Fig. 4. (Both circuits have the system parameters hard-coded in.) Then, \(\mathcal {A} \) is \(X{\text {-IND}} \) for (the optimal) X, the size of the domain of the circuits. More precisely, for any (possibly unbounded) distinguisher \(\mathcal {D} '\) and for any ppt distinguisher \(\mathcal {D} =(\mathcal {D} _1,\mathcal {D} _2)\) and any \(\lambda \in \mathbb {N}\),

$$\begin{aligned} \mathbf{Adv } ^{\mathrm{eq}\$}_{\mathcal {A},\mathcal {D} '}(\lambda ) = 0 \quad \text{ and } \quad \mathbf{Adv } ^{{\text {sel-ind}}}_{\mathcal {A},\mathcal {D}}(\lambda ) = 0~. \end{aligned}$$

Proof

The first equality is immediate as \(\mathcal {X}\) is set to be the entire domain of the circuits. The second equality follows from the perfect witness-indistinguishability property of the proof system. Indeed, the only difference between the two circuits is that, for those inputs that are valid encodings, \(\widetilde{C}_{{\text {Add}}}\) uses decryption keys \({\textit{sk}}_{1},{\textit{sk}}_{2}\) as witness to generate the output proof \({\pi }'' \leftarrow {\mathbf{Prove }}({\textit{gpk}},{\textit{crs}}, ([ z'' ] _0,{\mathbf{c }}_{1}'',{\mathbf{c }}_{2}''),({\textit{sk}}_{1},{\textit{sk}}_{2});{r})\), and \(\widehat{C}_{{\text {Add}}}\) uses witness \(w_y\) to \(\widetilde{y}\in {\textsf {TD}}\) (with \(\widetilde{y}\) in the public parameters) to generate the proof \(\widehat{{\pi }}'' \leftarrow {\mathbf{Prove }}({\textit{gpk}},{\textit{crs}}, ([ z'' ] _0,{\mathbf{c }}_{1}'',{\mathbf{c }}_{2}''),w_y;{r})\). The WI property with a hiding \(\widehat{{\textit{crs}}}'\) guarantees that \({\pi }''\) and \(\widehat{{\pi }}''\) are identically distributed and hence so are the outputs of \(\widetilde{C}_{{\text {Add}}}\) and \(\widehat{C}_{{\text {Add}}}\). Note that no random coins are hardwired into these circuits—we are in the PIO setting—and fresh coins are used to compute the circuits’ outputs.

With Lemma 1, we can invoke \({\text {IND-CPA}} \) security and via a sequence of games obtain the result stated below. The proof can be found in “Appendix A.1”; we will give a high-level overview of the proof below. (See also Fig. 5.)

Fig. 5

Outline of the proof steps of Theorem 1. b is the random bit of the \(\kappa -{\text {Switch}} \) game. (See Fig. 3.) Changing between pp  and \(\widetilde{{\textit{pp}}}\) is justified by the hardness of deciding membership of TD, and changing between \(\widetilde{{\textit{pp}}}\) and \(\widehat{{\textit{pp}}}\) by Lemma 1. The hops relying on \({\text {PIO}}\) use the perfect correctness of \({{\Pi }}\), and the perfect completeness and the perfect soundness of \(\Sigma \)  under binding \({\textit{crs}}'\) to argue function equivalence of \(C_{{\text {Map}}}\)

Theorem 1

(Switching encodings using PIO) Let \(\varGamma \) be the MLG scheme constructed in Sect. 4, where \(\mathbf{PIO } \) is secure for \(X{\text {-IND}} \) samplers, \({{\Pi }} \) is an \({\text {IND-CPA}} \)-secure encryption scheme, and \(\Sigma \) is a dual-mode NIZK proof system. Then, encodings of equivalent group elements are indistinguishable. More precisely, for any ppt adversary \(\mathcal {A} \) and all \(\lambda \in \mathbb {N}\), there are ppt adversaries \(\mathcal {B} _1\), \(\mathcal {B} _2\), \(\mathcal {B} _3\), and \(\mathcal {B} _4\) of essentially the same complexity as \(\mathcal {A} \) such that for all \(\lambda \in \mathbb {N}\)

$$\begin{aligned} \mathbf{Adv } ^{\kappa -{\text {switch}}}_{\varGamma ,\mathcal {A}}(\lambda ) \le 3 \cdot \mathbf{Adv } _{{\textsf {TD}},\mathcal {B} _1}^{{\text {sm}}} + 7 \cdot \mathbf{Adv } _{\mathbf{PIO },\mathcal {B} _2}^{{\text {ind}}}(\lambda ) + 3 \cdot \mathbf{Adv } ^{{\text {crs}}}_{\Sigma ,\mathcal {B} _3}(\lambda ) + 2 \cdot \mathbf{Adv } ^{{\text {ind-cpa}}}_{{{\Pi }},\mathcal {B} _4}(\lambda ) ~. \end{aligned}$$

Furthermore, \(\mathcal {B} _2\) is an \(X{\text {-IND}} \) sampler for any function \(X(\lambda )\).

Proof sketch

The proof of this theorem proceeds via a sequence of 9 games as follows.

\({\text {Game}} _0\)::

This is the \(\kappa -{\text {Switch}} \) game. The public parameters pp  contain a no-instance \(y\notin {\textsf {TD}}\), a binding \({\textit{crs}}'\), and \(C_{{\text {Add}}}\) is constructed using \(({\textit{sk}}_{1},{\textit{sk}}_{2})\) and \(C_{{\text {Map}}}\) using \({\textit{sk}}_{1}\). (See Fig. 2.) The ciphertexts \({\mathbf{c }}_{1}\) and \({\mathbf{c }}_{2}\) contain \({\mathbf{x }}_{b}\) and \({\mathbf{y }}_{b}\) for a random bit b.

\({\text {Game}} _1\)::

This game generates the public parameters \(\widetilde{{\textit{pp}}}\) so that they include a yes-instance \(y\in {\textsf {TD}}\). The difference to the previous game can be bounded via the hardness of deciding membership in TD.

\({\text {Game}} _2\)::

The public parameters \(\widehat{pp}\) change so that they include a hiding \(\widehat{crs}'\), and a (\({\text {PIO}}\)) obfuscation of circuit \(\widehat{C}_{{\text {Add}}}\), see Fig. 4. (Recall that this circuit uses the witness \(w_y\) to \(y\in {\textsf {TD}}\) to produce the output proofs \(\widetilde{{\pi }}''\), and therefore, the simultaneous knowledge of decryption keys \({\textit{sk}}_{1}\),\({\textit{sk}}_{2}\) is not needed anymore.) Additionally, the game uses \(w_y\) to prepare the proof \(\pi \) in the \(\kappa \)-Switch challenge for \(\mathcal {A}\). By Lemma 1 and the perfect witness-indistinguishability of \(\Sigma \), the difference with the previous game can be bounded by \({\text {PIO}}\) and CRS indistinguishability.

\({\text {Game}} _3\)::

This game generates \({\mathbf{c }}_{2}\) by encrypting \({\mathbf{y }}_{1}\), even when \(b=0\). We can bound the difference in any adversary’s success probability via the \({\text {IND-CPA}}\) advantage of \({{\Pi }}\) with respect to \({\textit{pk}}_{2}\). (The reduction will know \(({\textit{pk}}_{1},{\textit{sk}}_{1})\) so as to be able to construct \(C_{{\text {Map}}}\).)

\({\text {Game}} _4\)::

The public parameters are changed back to \(\widetilde{{\textit{pp}}}\), so that they include a binding \({\textit{crs}}'\), and a (\({\text {PIO}}\)) obfuscation of circuit \(\widetilde{C}_{{\text {Add}}}\) of Fig. 2 (top). The difference with the previous game is bounded again with Lemma 1.

\({\text {Game}} _5\)::

Now, a no-instance \(y\notin {\textsf {TD}}\) is included in the public parameters \({\textit{pp}}\). This game is justified by the hardness of deciding membership in TD.

\({\text {Game}} _6\)::

This game uses \({\textit{sk}}_{2}\) (in place of \({\textit{sk}}_{1}\)) in the generation of \(C_{{\text {Map}}}\) circuit. In this transition, we rely on the security of Obf, the perfect correctness of \({{\Pi }}\), and the perfect soundness of \(\Sigma \). Perfect soundness of \(\Sigma \)  implies that \(C_{{\text {Map}}}\) rejects ciphertexts unless relation \({\mathbf{R }}_{1}\) holds. Together with the perfect correctness of \({{\Pi }}\), \({\mathbf{R }}_{1}\) implies that \(C_{{\text {Map}}}\) yields identical results with \({\textit{sk}}_{1}\) and \({\textit{sk}}_{2}\). We can then use the \({\text {IO}}\) security of Obf to justify the switch from using \({\textit{sk}}_{1}\) to using \({\textit{sk}}_{2}\). (Note that for any function X, any obfuscator that is secure for X-IND samplers is also secure as an indistinguishability obfuscator.) Note that in this game, it is crucial that the \({\textit{crs}}'\) is in the binding mode.

\({\text {Game}} _7\)::

This game, similar to \({\text {Game}} _1\), switches to public parameters \(\widetilde{{\textit{pp}}}\) with a yes-instance \(y\in {\textsf {TD}}\). The analysis is as before.

\({\text {Game}} _8\)::

This game, similar to \({\text {Game}} _2\), includes in \(\widehat{pp}\) a hiding \(\widehat{crs}'\), and a (\({\text {PIO}}\)) obfuscation of circuit \(\widehat{C}_{{\text {Add}}}\). (See Fig. 4.) The analysis is as before.

\({\text {Game}} _9\)::

This game generates \({\mathbf{c }}_{1}\) by encrypting \({\mathbf{x }}_{1}\), even when \(b=0\). The analysis is as in \({\text {Game}} _3\). Observe that the challenge encoding in \({\text {Game}} _9\) is independent of the random bit b and the advantage of any (possibly unbounded) adversary \(\mathcal {A}\) is 0. Collecting bounds on the probabilities involved in the various game hops concludes the proof.

\(\square \)

The Multilinear DDH Problem

In this section, we show that natural multilinear analogues of the decisional Diffie–Hellman (DDH) problem are hard for our MLG scheme \(\varGamma \) from Sect. 4. We will establish this for two specific \(\mathbf{Setup } \) algorithms which give rise to symmetric and asymmetric multilinear maps in groups of prime order N. (See Sect. 3 for the formal definition.) In the symmetric case, we will base hardness on the q-strong DDH problem [4] and in the asymmetric case on the 1-strong DDH problem.

Intractable Problems

We start by formalizing the hard problems that we will be relying on and those whose hardness we will be proving. We do this in a uniform way using the language of group schemes of Sect. 3. Informally, the \(q-{\text {SDDH}} \) problem requires the indistinguishability of \(g^{x^{q+1}}\) from a random element given \((g^x,g^{x^2},\ldots ,g^{x^q})\) for a random x, and the \(\kappa -{\text {MDDH}} \) problem, whose hardness we will be establishing, generalizes the standard bilinear DDH problem (and its variants) and requires this for \(g_T^{a_1 \cdots a_{\kappa +1} }\) in the presence of \((g^{a_1},\ldots ,g^{a_{\kappa +1}})\) (for uniformly random \(a_i\)).

The\(q-{\text {SDDH}} \)problem. For \(q\in \mathbb {N}\), we say that a group scheme \(\varGamma _0\) is \(q-{\text {SDDH}} \) intractable if

$$\begin{aligned} \mathbf{Adv } ^{q-{\text {sddh}}}_{\varGamma _0,\mathcal {A}}(\lambda ) := 2 \cdot \text {Pr }\left[ q-{\text {SDDH}} ^{\mathcal {A}}_{\varGamma _0}(\lambda ) \right] - 1 \in {\textsc {Negl}}~, \end{aligned}$$

where game \(q-{\text {SDDH}} ^\mathcal {A} _{\varGamma _0}(\lambda )\) is shown in Fig. 6 (left).

The\((\kappa ,I)-{\text {MDDH}} \)problem. We use a slight reformulation of the (generalized) MDDH problem from [23]. For \(\kappa \in \mathbb {N}\) we say that an MLG scheme \(\varGamma \) is \(\kappa -{\text {MDDH}} \) intractable with respect to the index set I if

$$\begin{aligned} \mathbf{Adv } ^{(\kappa ,I)-{\text {mddh}}}_{\varGamma ,\mathcal {A}}(\lambda ) := 2 \cdot \text {Pr }\left[ (\kappa ,I)-{\text {MDDH}} ^{\mathcal {A}}_{\varGamma }(\lambda ) \right] - 1 \in {\textsc {Negl}}~, \end{aligned}$$

where game \((\kappa ,I)-{\text {MDDH}} ^\mathcal {A} _{\varGamma }(\lambda )\) is shown in Fig. 6 (right). Here, I is a set of ordered pairs of integers (i, j) with \(1 \le i \le \kappa +1\), \(1 \le j \le \kappa \). The adversary is provided with challenge group elements \([ a_i ] _j\) for \((i,j) \in I\), so that its challenge elements may lie in any combination of the groups. The following example of such a set \(I\) leads to a generalization of the symmetric external Diffie–Hellman (SXDH) assumption to the multilinear case:

$$\begin{aligned} I=I^*:=\{(1,1),\ldots ,(\kappa ,\kappa ), (\kappa +1,\kappa )\}~. \end{aligned}$$

Of course, when generalizing SXDH, the choice of the last element of \(I\) is not canonical. Instead of \((\kappa +1,\kappa )\), also other values \((\kappa +1,j)\) for \(j\in \{1,\dots ,\kappa \}\) seem natural.

Fig. 6

Left: The strong DDH problem. Right: The multilinear DDH problem, where I specifies the available group elements. By slight abuse of notation, repeated use of \([a_i]_i\) denotes the same sample. Recall that we use the notation \([z]_T\) and \([z]_{\kappa +1}\) for elements of the target group \({\mathbb {G}}_{\kappa +1}\) interchangeably

The Symmetric Setting

We describe a special variant of our general construction in Sect. 4 which gives rise to a symmetric MLG scheme as defined in Sect. 3.

We set \(\ell :=2\) and sample \({\mathbf{W }}= ({\varvec{\omega }}_1,\ldots ,{\varvec{\omega }}_\kappa )^t\) by setting \({\varvec{\omega }}_i = (1,\omega )\) for a random \(\omega \in \mathbb {Z}_N\). The generators and identity elements for all groups are set to be a single value generated for the first group. These modifications ensure that the scheme algorithms are independent of the index for \(1 \le i \le \kappa \) and that \(\mathbf{e } \) is invariant under all permutations of its inputs.

The following lemma, which provides a mechanism to compute polynomial values “in the exponent,” will be helpful in the security analysis of our constructions.

Lemma 3

(Horner in the exponent) Let \(\varvec{\omega } = (\omega _0,\omega _1) \in \mathbb {Z}_N^2\) and \({\mathbf{x }}_i = (x_{i,0}, x_{i,1}) \in \mathbb {Z}_N^{2}\) for \(i=1,\dots , \kappa \). Define \(z_i := \langle {\mathbf{x }}_i,\varvec{\omega } \rangle \). Then, given only the implicit values \([ \omega _0^j \omega _1^k ] _T\), for all j, k such that \(j+k=\kappa \) and the explicit values \({\mathbf{x }}_i\), the element \([ z_1 \cdots z_\kappa ] _T\) can be efficiently computed.

Proof

Let

$$\begin{aligned} P(\omega _0,\omega _1) := \prod _{i=1}^\kappa (x_{i,0} \cdot \omega _0 + x_{i,1} \cdot \omega _1 ) = \sum _{j+k = \kappa } p_{jk} \cdot \omega _0^j \omega _1^k~. \end{aligned}$$

Clearly, if all \(p_{jk}\) are known, then \([ P(\omega _0,\omega _1) ] _T\) can be computed using \([ \omega _0^j \omega _1^k ] _T\) with polynomially many operations. (There are \(\mathcal {O}(\kappa )\) summands above.) To obtain these values, we apply Horner’s rule. Define

$$\begin{aligned} P_i(\omega _0,\omega _1) := {\left\{ \begin{array}{ll} 1 &{} \text{ if } i=0~;\\ (x_{i,0} \cdot \omega _0 + x_{i,1} \cdot \omega _1) \cdot P_{i-1}(\omega _0,\omega _1) &{} \text{ otherwise }. \end{array}\right. } \end{aligned}$$

The coefficients of \(P_\kappa \) are the required \(p_{jk}\) values. Let \(t_i\) denote the number of terms in \(P_i\). It takes at most \(2 t_i\) multiplications and \(t_i-1\) additions in \(\mathbb {Z}_N\) to compute the coefficients of \(P_i\) from \(P_{i-1}\) and \({\mathbf{x }}_i\). Since \(t_i \in \mathcal {O}(\kappa )\), at most \(\mathcal {O}(\kappa ^2)\) many operations in total are performed. We note that the lemma generalizes to any (constant) \(\ell \) with computational complexity \(\mathcal {O}(\kappa ^\ell )\). \(\square \)

We prove the following result formally in “Appendix A.2” and give an overview of the proof here.

Theorem 2

(\(\kappa -{\text {SDDH}} \) hard \(\implies \) symmetric \((\kappa ,I^*)-{\text {MDDH}} \) hard) Write \(I=I^*=\{(i,1)\mid i\in [\kappa +1]\}\) for the index set with all the second components being 1. Let \(\varGamma ^*\) denote scheme \(\varGamma \) of Sect. 4 constructed using base group \(\varGamma _0\) and a probabilistic indistinguishability obfuscator \(\mathbf{PIO } \) with modifications as described above, and let \(\kappa \in \mathbb {N}\). Then, for any ppt adversary \(\mathcal {A} \), there are \({\textsc {ppt}} \) adversaries \(\mathcal {B} _1\), \(\mathcal {B} _2\), and \(\mathcal {B} _3\) of essentially the same complexity as \(\mathcal {A} \) such that for all \(\lambda \in \mathbb {N}\)

$$\begin{aligned} \mathbf{Adv } ^{(\kappa ,I^*)-{\text {mddh}}}_{\varGamma ^*,\mathcal {A}}(\lambda ) \le \mathbf{Adv } ^{\kappa -{\text {sddh}}}_{\varGamma _0,\mathcal {B} _1}(\lambda ) + \mathbf{Adv } ^{{\text {ind}}}_{\mathbf{PIO },\mathcal {B} _2}(\lambda ) + (\kappa +1) \cdot \mathbf{Adv } ^{\kappa -{\text {switch}}}_{\varGamma ^*,\mathcal {B} _3}(\lambda ) ~. \end{aligned}$$

Proof

In our reduction, the value \(\omega \) used to generate \({\mathbf{W }}\) will play the role of the implicit value in the \({\text {SDDH}} \) problem instance. We therefore change the implementation of \(C_{\text {Map}}\) to one that does not know\(\omega \) in the clear and only uses the implicit values \([ \omega ^i ] _0\). (Recall that in our construction \({\mathbb {G}}_T\) is just \({\mathbb {G}}_0\), so these elements come from the \({\text {SDDH}} \) instance.) Such a circuit \(C^*_{\text {Map}}\) can be efficiently implemented using Horner’s rule above. In more detail, \(C_{\text {Map}}^*\) has \([ \omega ^i ] _T\) hard-coded in, recovers \({\mathbf{x }}_i\) from its inputs using \({\textit{sk}}_1\), and then applies Lemma 3 with \((\omega _0,\omega _1) := (1,\omega )\) to evaluate the multilinear map.

The proof proceeds along a sequence of \(\kappa +4\) games as follows.

\({\text {Game}} _0\)::

This is the \(\kappa -{\text {MDDH}} \) problem (Fig. 6, right). We use \({\mathbf{x }}_{i}\) and \({\mathbf{y }}_{i}\) to denote the representation vectors of \(a_i\) generated within the sampler \(\mathbf{Sam } _{I(i)}(a_i)\), where \((i,I(i)) \in I\).

\({\text {Game}} _1\)–\({\text {Game}} _{\kappa +1}\)::

In these games, we gradually switch the representations of \([a_i]_1\) for \(i \in [\kappa +1]\) so that they are of the form \((a_i-\omega ,1)\). Each hop can be bounded via the \({\text {Switch}} \) game.

\({\text {Game}} _{\kappa +2}\)::

This game introduces a conceptual change: the \(a_i\) for \(i \in [\kappa +1]\) are generated as \(a_i + \omega \). Note that the distributions of these values are still uniform and that the exponent of the \({\text {MDDH}} \) challenge when \(b=1\) is

$$\begin{aligned} \prod _{i=1}^{\kappa +1} (a_i+\omega )~. \end{aligned}$$

This game prepares us for embedding a \(\kappa -{\text {SDDH}} \) challenge and then to randomize the exponent above.

\({\text {Game}} _{\kappa +3}\)::

This game switches \(C_{\text {Map}}\) to \(C^*_{\text {Map}}\) as defined above. We use indistinguishability obfuscation and the fact that these circuits are functionally equivalent to bound this hop. We are now in a setting where \(\omega \) is only implicitly known.

\({\text {Game}} _{\kappa +4}\)::

This game replaces \({\text {MDDH}} \) challenge \([\omega ^{\kappa +1}]_0\) with a random value \([\sigma ]_0\) in case \(b=1\). (Hence, the \({\text {MDDH}}\) challenge is independently uniform regardless of \(b\).) Observe that \({\text {Game}} _{\kappa +3}\) and \({\text {Game}} _{\kappa +4}\) only require \([\omega ^i]_0\) (for \(i\le \kappa +1\)) and in fact require \([\omega ^{\kappa +1}]_0\) only for the \({\text {MDDH}}\) challenge. Hence, we can bound this hop using the \(\kappa -{\text {SDDH}} \) assumption.

In \({\text {Game}} _{\kappa +4}\), irrespective of the value of \(b\in \{0,1\}\), the challenge is uniformly and independently distributed as \(\sigma \) remains outside the view of the adversary. Hence, the advantage of any (unbounded) adversary in this game is 0. This concludes the sketch proof. \(\square \)

We note that in this symmetric case, \(C^*_{\text {Map}}\) can be directly used as the implementation of the multilinear map. We chose \(C_{\text {Map}}\) because it is somewhat simpler and also more in line with the upcoming asymmetric case.

The Asymmetric Setting

We describe a second variant of the construction in Sect. 4 that results in an asymmetric MLG scheme. We set \(\ell :=2\) and choose the matrix \({\mathbf{W }}= ({\varvec{\omega }}_1,\ldots ,{\varvec{\omega }}_\kappa )^t\) by setting \({\varvec{\omega }}_i := (1,\omega _i)\) for random \(\omega _i \in \mathbb {Z}_N\).

The following theorem shows that for index set \(I = \{(i,I(i)):1 \le i \le \kappa + 1\}\) given by an arbitrary function \(I:[\kappa +1] \longrightarrow [\kappa ]\), this construction is \((\kappa ,I)-{\text {MDDH}} \) intractable under the \(1-{\text {SDDH}} \) assumption in the base group, the security of the obfuscator, and the \(\kappa -{\text {Switch}} \) game in Sect. 5. We present the proof intuition here and leave the details to “Appendix A.3.”

Theorem 3

(\(1-{\text {SDDH}} \) hard \(\implies \) asymmetric \((\kappa ,I)-{\text {MDDH}} \) hard) Let \(\varGamma ^*\) denote scheme \(\varGamma \) of Sect. 4 constructed using base group \(\varGamma _0\) and a probabilistic indistinguishability obfuscator \(\mathbf{PIO } \) with modifications as described above, and let \(\kappa \in \mathbb {N}\). Then, for any ppt adversary \(\mathcal {A} \), there are \({\textsc {ppt}} \) adversaries \(\mathcal {B} _1\), \(\mathcal {B} _2\), and \(\mathcal {B} _3\) such that for all \(\lambda \)

$$\begin{aligned} \mathbf{Adv } ^{(\kappa ,I)-{\text {mddh}}}_{\varGamma ^*,\mathcal {A}}(\lambda ) \le \mathbf{Adv } ^{1-{\text {sddh}}}_{\varGamma _0,\mathcal {B} _1}(\lambda ) + \mathbf{Adv } ^{{\text {ind}}}_{\mathbf{PIO },\mathcal {B} _2}(\lambda ) + 2 \cdot \mathbf{Adv } ^{\kappa -{\text {switch}}}_{\varGamma ^*,\mathcal {B} _3}(\lambda ) + \frac{\kappa -1}{N(\lambda )}. \end{aligned}$$

Proof

The general proof strategy is similar to that of the symmetric case and proceeds along a sequence of 5 games as follows.

\({\text {Game}} _0\)::

This is the \((\kappa ,I)-{\text {MDDH}} \) problem. By the pigeon-hole principle, there must exist a pair of distinct \(i, i' \in [\kappa +1]\) such that \(I(i) = I(i') \in [\kappa ]\). Without loss of generality, we assume that \(I(1) = I(2) = 1\).

\({\text {Game}} _1\)–\({\text {Game}} _{2}\)::

In these games, we gradually switch the representation vectors of \([a_i]_1\) for \(i = 1, 2\) to those of the form \((a_i-\omega _1,1)\). Each of these hops can be bounded via the \({\text {Switch}} \) game.

\({\text {Game}} _{3}\)::

This game introduces a conceptual change and generates \(a_i\) as \(a_i + \omega _1\) for \(i =1, 2\). The exponent of the \({\text {MDDH}} \) challenge when \(b=1\) is

$$\begin{aligned} (a_{1} + \omega _1) (a_{2} + \omega _1) \cdot \prod _{j=3}^{\kappa +1} a_j~. \end{aligned}$$

\({\text {Game}} _{4}\)::

In this game, we change the implementation of \(C_{\text {Map}}\) to one which uses all but one of the \(\omega _i\) explicitly, and the remaining one implicitly via \([\omega _1]_0\). The new circuit \(C^*_{\text {Map}}\) is functionally equivalent to the original circuit used in the scheme. We invoke the IO security of the obfuscator to conclude the hop. This game prepares us to embed a \(1-{\text {SDDH}} \) challenge next.

\({\text {Game}} _{5}\)::

This game replaces \({\text {MDDH}} \) challenge \([{\omega _1}^{2}]_0\) with a random value \([\sigma ]_0\) in case \(b=1\). Observe that \({\text {Game}} _{4}\) and \({\text {Game}} _{5}\) only require \([{\omega _1}]_0\) and \([{\omega _1}^2]_0\) and in fact require \([{\omega _1}^{2}]_0\) only for the \({\text {MDDH}}\) challenge. Hence, we can bound the distinguishing advantage in this hop down to the \(1-{\text {SDDH}} \) game.

In \({\text {Game}} _{5}\), irrespective of the value of \(b\in \{0,1\}\), the challenge is uniformly and independently distributed as \(\sigma \) remains outside the view of the adversary. Hence, the advantage of any (possibly unbounded) adversary in this game is 0. \(\square \)

Full Proofs from the Main Body

Proof of Theorem 1: Indistinguishability of encodings using PIO

Proof

We consider a chain of 10 games, with \({\text {Game}} _0\) being the \(\kappa -{\text {Switch}} \) game, such that in the last game the challenge encoding is drawn independently of the bit b. Below we let \({\text {W}}_i\) denote the event that \({\text {Game}} _i\) outputs 1.

\({\text {Game}} _0\)::

The original \({\text {Switch}} \) game.

\({\text {Game}} _1\)::

As \({\text {Game}} _0\) but now the public parameters \(\widetilde{{\textit{pp}}}\) are changed so that they include a yes-instance \(y\in {\textsf {TD}}\). We have that

$$\begin{aligned} |\text {Pr }[{\text {W}}_0(\lambda )] - \text {Pr }[{\text {W}}_1(\lambda )] |\le \mathbf{Adv } ^{{\text {sm}}}_{{\textsf {TD}},\mathcal {B} _1}(\lambda ), \end{aligned}$$

where TD  is a language in which membership is hard to decide.

\({\text {Game}} _2\)::

The public parameters \(\widehat{{\textit{pp}}}\) change so that they include a hiding \(\widehat{{\textit{crs}}}'\), and a (\({\text {PIO}}\)) obfuscation of circuit \(\widehat{C}_{{\text {Add}}}\). [See Fig. 4 (bottom).] Recall that this circuit uses the witness \(w_y\) to \(y\in {\textsf {TD}}\) to produce the output proofs \(\widetilde{{\pi }}''\). Therefore, the simultaneous knowledge of decryption keys \({\textit{sk}}_{1}\),\({\textit{sk}}_{2}\) is not needed anymore. Additionally, \({\text {Game}} _2\) uses \(w_y\) to prepare the proof \(\pi \) in the \(\kappa \)-Switch challenge for \(\mathcal {A}\). By Lemma 1 and the perfect witness-indistinguishability of \(\Sigma \), we have that

$$\begin{aligned} |\text {Pr }[{\text {W}}_1(\lambda )] - \text {Pr }[{\text {W}}_2(\lambda )] |\le 2 \cdot \mathbf{Adv } _{\mathbf{PIO },\mathcal {B} _2}^{{\text {ind}}}(\lambda ) + \mathbf{Adv } ^{{\text {crs}}}_{\Sigma ,\mathcal {B} _3} \end{aligned}$$

\({\text {Game}} _3\)::

As \({\text {Game}} _2\), but, if \(b=0\), the challenge encoding is generated by mixing the representation vectors w.r.t public key \({\textit{pk}}_{2}\). Thus, on \(\mathcal {A}\) ’s response \((z,({\mathbf{x }}_{0},{\mathbf{y }}_{0}),({\mathbf{x }}_{1},{\mathbf{y }}_{1}))\), in this game we set \({\mathbf{c }}_{0} \leftarrow {\mathbf{Enc }}({\mathbf{x }}_{0},{\textit{pk}}_1;{\mathbf{r }}_1)\), and \({\mathbf{c }}_{1} \leftarrow {\mathbf{Enc }}({\mathbf{y }}_{1},{\textit{pk}}_2;{\mathbf{r }}_2)\).

Claim

\(|\text {Pr }[{\text {W}}_2(\lambda )] - \text {Pr }[{\text {W}}_3(\lambda )] |\le \mathbf{Adv } _{{{\Pi }},\mathcal {B} _4}^{{\text {ind-cpa}}}(\lambda )\).

Proof Claim A.1

Consider the following ppt distinguisher \(\mathcal {B} _4\) against the \({\text {IND-CPA}}\) security of the encryption scheme \(\Pi \), with respect to key pair \(({\textit{pk}}_{2}, {\textit{sk}}_{2})\). The distinguisher runs experiment \({\text {Game}} _2\) using \(\mathcal {A}\) as a subroutine with the following differences: When it receives \(\mathcal {A}\) ’s vectors \(({\mathbf{x }}_{j},{\mathbf{y }}_{j})\) (in \(\mathbb {Z}_p^\ell \) for \(j = 0,1\)), it submits \(({\mathbf{y }}_{0},{\mathbf{y }}_{1})\) to the \({\text {IND-CPA}}\) challenger. It gets back \({\mathbf{c }}^* = {\mathbf{Enc }}({\mathbf{y }}_{r^*},{\textit{pk}}_{2})\). Next, \(\mathcal {B} _4\) generates \({\mathbf{c }}_{1} \leftarrow {\mathbf{Enc }}({\mathbf{x }}_{0},{\textit{pk}}_{1})\) and sets \({\mathbf{c }}_{2} = {\mathbf{c }}^*\); the proof \(\pi \) on instance \(x = ([ z ] _i,{\mathbf{c }}_{1},{\mathbf{c }}_{2})\) is generated using the simulation trapdoor of the proof system. Namely, \(\pi \leftarrow _{{\$}}{\mathbf{Sim }}({\textit{crs}},x,{\textit{td}}_{zk})\). Finally, \(\mathcal {B} _4\) outputs what \(\mathcal {A}\) outputs.

Algorithm \(\mathcal {B} _4\) perfectly simulates the challenger in experiment \({\text {Game}} _2\) if \(r^*=0\) and in experiment \({\text {Game}} _3\) if \(r^*=1\). This follows from the facts that (1) \((x,\pi )\) is a valid encoding, indeed ciphertext \({\mathbf{c }}^*\) contains an encryption of \({\mathbf{y }}_{r^*}\), such that \([ z ] _i = [ \langle {\mathbf{y }}_{r^*},{\varvec{\omega }}_i \rangle ] _i\); and (2) real and simulated proofs are identically distributed under (the hiding) \(\widehat{{\textit{crs}}}'\) included in \(\widehat{{\textit{pp}}}\). \(\square \)

\({\text {Game}} _4\)::

The public parameters are changed back to \(\widetilde{{\textit{pp}}}\), so that they include a binding \({\textit{crs}}'\), and a (\({\text {PIO}}\)) obfuscation of circuit \(C_{{\text {Add}}}\) of Fig. 2 (top). (\(\widetilde{{\textit{pp}}}\) also include a yes-instance \(y\in {\textsf {TD}}\).) Again by Lemma 1, we have that

$$\begin{aligned} |\text {Pr }[{\text {W}}_3(\lambda )] - \text {Pr }[{\text {W}}_4(\lambda )] |\le 2 \cdot \mathbf{Adv } _{\mathbf{PIO },\mathcal {B} _2}^{{\text {ind}}}(\lambda ) + \mathbf{Adv } ^{{\text {crs}}}_{\Sigma ,\mathcal {B} _3}. \end{aligned}$$

\({\text {Game}} _5\)::

As \({\text {Game}} _4\) but now the public parameters \({\textit{pp}}\) are changed back to the original one described in Sect. 4 so that they include a no-instance \(y\notin {\textsf {TD}}\). We have that

$$\begin{aligned} |\text {Pr }[{\text {W}}_4(\lambda )] - \text {Pr }[{\text {W}}_5(\lambda )] |\le \mathbf{Adv } ^{{\text {sm}}}_{{\textsf {TD}},\mathcal {B} _1}(\lambda ), \end{aligned}$$

where TD  is a language where is hard to decide membership.

\({\text {Game}} _6\)::

As \({\text {Game}} _5\), but now the challenger constructs a different circuit \(C_{\text {Map}}\) with the second encryption secret key hard-coded. Thus, the extracted vector is set to \({\mathbf{y }}_{i} \leftarrow {\mathbf{Dec }}({\mathbf{c }}_{i,1},{\textit{sk}}_{2})\). We claim that

$$\begin{aligned} |\text {Pr }[{\text {W}}_5(\lambda )] - \text {Pr }[{\text {W}}_6(\lambda )] |\le \mathbf{Adv } _{\mathbf{PIO },\mathcal {B} _1}^{{\text {ind}}}(\lambda ). \end{aligned}$$

The variants of the \(C_{\text {Map}}\) circuit described in the games extract (possibly different) encoding vectors \({\mathbf{x }}_{i}^*\), \({\mathbf{y }}_{i}^*\), respectively, for any adversarial input \({\mathbf{x }}^* = (x^*_1,\ldots ,x^*_\kappa )\). Observe that the i-th argument \({x}^*_i = (i,[ z_i ] _0,{\mathbf{c }}_{i,1},{\mathbf{c }}_{i,2},{\pi }_i)\) has a non-rejecting proof \({\pi }_i\) iff \(([ z_i ] _0,{\mathbf{c }}_{i,1},{\mathbf{c }}_{i,2})\) passes relation \({\mathbf{R }}_{1}\). (In other words, the ciphertexts encrypt representation vectors of the same \([ z_i ] _0\).) We remark that at this point, we also use \({{\Pi }}\) ’s perfect correctness. Indeed, observe that while \({\mathbf{R }}_{1}\) implies that there exist encryption random coins or secret keys that decrypt \({\mathbf{c }}_{i,1}\) and \({\mathbf{c }}_{i,2}\) to consistent representation vectors \({\mathbf{x }}_{i,1}\) and \({\mathbf{y }}_{i,2}\), the perfect correctness of \({{\Pi }}\) implies that the secret keys used by \(C_{\text {Map}}\) retrieve those same representation vectors \({\mathbf{x }}_{i,1}\) and \({\mathbf{y }}_{i,2}\). By the definition of \({\mathbf{R }}_{1}\), these representation vectors lead to the same outputs of \(C_{\text {Map}}\). It follows that these variants of \(C_{\text {Map}}\) behave identically on any (possibly malformed) input \({\mathbf{x }}^*\). Therefore, the variants are functionally equivalent and hence trivially drawn by an X-IND sampler, so that their \({\text {PIO}}\) obfuscations are indistinguishable.

\({\text {Game}} _7\)::

As \({\text {Game}} _6\) but now the public parameters \(\widetilde{{\textit{pp}}}\) are changed so that they include a yes-instance \(y\in {\textsf {TD}}\). We have that

$$\begin{aligned} |\text {Pr }[{\text {W}}_6(\lambda )] - \text {Pr }[{\text {W}}_7(\lambda )] |\le \mathbf{Adv } ^{{\text {sm}}}_{{\textsf {TD}},\mathcal {B} _1}(\lambda ), \end{aligned}$$

where TD  is a language where is hard to decide membership.

\({\text {Game}} _8\)::

The public parameters \(\widehat{{\textit{pp}}}\) change so that they include a hiding \(\widehat{{\textit{crs}}}'\), and a (\({\text {PIO}}\)) obfuscation of circuit \(\widehat{C}_{{\text {Add}}}\). [See Fig. 4 (bottom).] By Lemma 1, we have that

$$\begin{aligned} |\text {Pr }[{\text {W}}_7(\lambda )] - \text {Pr }[{\text {W}}_8(\lambda )] |\le 2 \cdot \mathbf{Adv } _{\mathbf{PIO },\mathcal {B} _2}^{{\text {ind}}}(\lambda ) + \mathbf{Adv } ^{{\text {crs}}}_{\Sigma ,\mathcal {B} _3} \end{aligned}$$

\({\text {Game}} _9\)::

As \({\text {Game}} _8\), but, if \(b=0\), the challenge encoding is generated by mixing the representation vectors w.r.t public key \({\textit{pk}}_{1}\). Thus, on \(\mathcal {A}\) ’s response \((z,({\mathbf{x }}_{0},{\mathbf{y }}_{0}),({\mathbf{x }}_{1},{\mathbf{y }}_{1}))\), in this game, we set \({\mathbf{c }}_{0} \leftarrow {\mathbf{Enc }}({\mathbf{x }}_{1},{\textit{pk}}_1;{\mathbf{r }}_1)\), and \({\mathbf{c }}_{1} \leftarrow {\mathbf{Enc }}({\mathbf{y }}_{1},{\textit{pk}}_2;{\mathbf{r }}_2)\). Using a similar argument as in Claim A.1, we have that

$$\begin{aligned} |\text {Pr }[{\text {W}}_8(\lambda )] - \text {Pr }[{\text {W}}_9(\lambda )] |\le \mathbf{Adv } _{{{\Pi }},\mathcal {B} _4}^{{\text {ind-cpa}}}(\lambda ). \end{aligned}$$

Finally, \(\text {Pr }[{\text {W}}_9(\lambda )] = 1/2\) because the challenge encoding is generated using the same pair of representation vectors \(({\mathbf{x }}_{1},{\mathbf{y }}_{1})\) regardless of the bit b. The proof of the theorem is concluded by collecting the terms above. \(\square \)

Fig. 7

The symmetric multilinear DDH problem for our MLG scheme. Here, \(I^*=\{(1,1),\ldots ,(\kappa +1,1)\}\)

Proof of Theorem 2: Hardness of Symmetric \({\text {MDDH}} \)

Proof

We show via a chain of games, starting with the symmetric \(\kappa \)-\({\text {MDDH}}\) problem, such that the last game chooses the challenge at random and independently of the guess bit b. Below we let \({\text {W}}_i\) denote the event that \({\text {Game}} _i\) outputs 1.

\({\text {Game}} _0\)::

The \(\kappa \)-\({\text {MDDH}}\) problem as shown in Fig. 7. Here, there is only one source group.

\({\text {Game}} _s\) for \(1 \le s \le \kappa +1\)::

As \({\text {Game}} _{s-1}\), the difference is that the representation vectors \(({\mathbf{x }}_{s},{\mathbf{y }}_{s})\) of the sth challenge encoding \([ a_s ] \) are given by

$$\begin{aligned} x_{s,0} = y_{s,0} = a_s-\omega \quad \text{ and } \quad x_{s,1} = y_{s,1} = 1. \end{aligned}$$

Thus, in game \(s' \ge s\), the second coordinates of the sth encoding vectors are always fixed to 1. Now, a straightforward reduction yields an adversary \(\mathcal {B} \) that satisfies:

Claim

$$\begin{aligned} |\text {Pr }[{\text {W}}_{s-1}(\lambda )] - \text {Pr }[{\text {W}}_s(\lambda )] |\le \mathbf{Adv } _{\varGamma ^*,\mathcal {B}}^{\kappa -{\text {switch}}}(\lambda ) \text { for } 1 \le s \le \kappa +1~. \end{aligned}$$

Proof

Consider the following ppt adversary \(\mathcal {B} =(\mathcal {B} _1,\mathcal {B} _2)\) against game \(\kappa -{\text {Switch}} \) of Fig. 3. \(\mathcal {B} _1\) outputs \((({\mathbf{x }}_{s-1},{\mathbf{y }}_{s-1}),({\mathbf{x }}_{s},{\mathbf{y }}_{s}),s,st)\) representing a uniform value \(a_s\) in \(\mathbb {Z}_N\), where \(({\mathbf{x }}_{s-1},{\mathbf{y }}_{s-1})\) is as in \({\text {Game}} _{s-1}\) and \(({\mathbf{x }}_{s},{\mathbf{y }}_{s})\) as in \({\text {Game}} _s\). \(\mathcal {B} _1\) can form these vectors because it knows matrix W  and \(a_s\) explicitly. Next, \(\mathcal {B} _2\) receives an encoding \([ a_s ] _s\) that has embedded in it vector \(({\mathbf{x }}_{s+b-1},{\mathbf{y }}_{s+b-1})\) for a random bit b and uses \([ a_s ] _s\) to simulate \({\text {Game}} _{s+b-1}\). Last, \(\mathcal {B} _2\) outputs what \(\mathcal {A}\) outputs.

\({\text {Game}} _{\kappa +2}\)::

The ith source exponent is changed to \(a_i' = a_i + \omega \) for randomly chosen \(a_i \in \mathbb {Z}_N\) and all \(i \in [\kappa +1]\). This means that the target exponent for \(b=1\) is

$$\begin{aligned} d = (a_1 +\omega ) \cdots (a_{\kappa +1} +\omega ) \end{aligned}$$

(2)

The distribution from which the exponents \(a_i'\) are drawn has not changed and indeed is the uniform distribution. Therefore, \(\text {Pr }[{\text {W}}_{\kappa +1}(\lambda )] = \text {Pr }[{\text {W}}_{\kappa +2}(\lambda )]\).

\({\text {Game}} _{\kappa +3}\)::

The differences with the previous game are twofold. First, for case \(b=1\), the challenge group element \([ d ] _T\) is generated as in Lemma 3. More precisely, we first write Eq. (2) as

$$\begin{aligned} d = P(\omega )~, \end{aligned}$$

where P is a degree \(\kappa +1\) polynomial whose coefficients \({\mathbf{p }}=(p_0,\ldots ,p_\kappa ,p_{\kappa +1})\) are computed using the iterative rule of Lemma 3, with \((x_{i,0},x_{i,1}) = (a_i,1)\). Then, \([ d ] _T\) is obtained by evaluating P at point \(\omega \) in the exponent using group elements \(([ 1 ] _T,[ \omega ] _T,\ldots ,[ \omega ^\kappa ] _T,[ \omega ^{\kappa +1} ] _T)\). The other difference is that we obfuscate a different circuit \(C_{\text {Map}}^*\) which has the powers \([ \omega ^i ] _T\) hard-coded, for \(1 \le i \le \kappa \). This new circuit extracts the encoding vectors \({\mathbf{x }}_{i}\) from the inputs, as usual; then, it computes the coefficients of \(Q(w) = \prod _{i=1}^\kappa (x_{i,0} + x_{i,1}\omega )\) by Lemma 3 and evaluates it at \(\omega \) in the exponent. Lemma 3 implies that (1) both circuits are functionally equivalent, and (2) \(C_{\text {Map}}^*\) is of size \(poly(\lambda )\). We conclude that obfuscations of these two variants are indistinguishable. Or putting it differently:

$$\begin{aligned} |\text {Pr }[{\text {W}}_{\kappa +2}(\lambda )] - \text {Pr }[{\text {W}}_{\kappa +3}(\lambda )] |\le \mathbf{Adv } _{\mathbf{PIO },\mathcal {B}}^{{\text {ind}}}(\lambda )~. \end{aligned}$$

\({\text {Game}} _{\kappa +4}\)::

The last game samples the challenge \([ d ] _T\) for case \(b=1\) as \([ d ] _T = [ \sigma ] _T\) for independently random \(\sigma \in \mathbb {Z}_N\). A \(\kappa \)-\({\text {SDDH}}\) challenge \(([ \omega ^i ] _0)_{i \le \kappa },[ \sigma ] _0)\) can be used to emulate the challenger in \({\text {Game}} _{\kappa +3}\) if \(\sigma = \omega ^{\kappa +1}\), or in \({\text {Game}} _{\kappa +4}\) if \(\sigma \) is random. The latter follows from the fact that knowing \(\omega ^i\) in the exponent for \(i\in [\kappa +1]\) suffices to generate \([ d ] _T\). (Recall that \({\mathbb {G}}_T={\mathbb {G}}_0\).) This shows:

$$\begin{aligned} |\text {Pr }[{\text {W}}_{\kappa +3}(\lambda )] - \text {Pr }[{\text {W}}_{\kappa +4}(\lambda )] |\le \mathbf{Adv } _{\varGamma _0,\mathcal {B}}^{\kappa -{\text {sddh}}}(\lambda )~. \end{aligned}$$

To conclude, to see that \(\text {Pr }[{\text {W}}_{\kappa +4}] \le 1/2\), it suffices to observe that the exponent target challenge d is randomly distributed, regardless of the challenge bit \(b\). \(\square \)

Proof of Theorem 3: Hardness of Asymmetric \({\text {MDDH}} \)

Proof

Let \(I:[\kappa +1] \longrightarrow [\kappa ]\) be any function. Slightly abusing notation, we set \(I=(i,I(i))\) for \(1 \le i \le \kappa +1\). By the pigeon-hole principle, there must exist a pair of distinct \(i, i' \in [\kappa +1]\) such that \(I(i) = I(i') \in [\kappa ]\). For simplicity, and without loss of generality, we assume that \(I(1) = I(2) = 1\).

Fig. 8

The asymmetric multilinear DDH problem for our MLG scheme. Here, I is a function defining the index set \(I={(i,I(i))}\)

We show a chain of games, starting with the asymmetric \((\kappa ,I)-{\text {MDDH}} \) problem, such that the last game chooses the challenge encoding at random and independently of the challenge bit b. Below we let \({\text {W}}_i\) denote the event that \({\text {Game}} _i\) outputs 1.

\({\text {Game}} _0\)::

The asymmetric \((\kappa ,I)-{\text {MDDH}} \) problem as shown in Fig. 8.

\({\text {Game}} _s\) for \(s = 1,2\)::

Similar to \({\text {Game}} _{s-1}\) with the difference that the representation vectors \(({\mathbf{x }}_{s},{\mathbf{y }}_{s})\) of the source encoding \([ a_s ] _1\) are given by

$$\begin{aligned} x_{s,0} = y_{s,0} = a_s-\omega _1 \quad \text{ and } \quad x_{s,1} = y_{s,1} = 1~. \end{aligned}$$

Thus, in game \(s' \ge s\), the second coordinates of the sth encoding vectors are always fixed to 1. Using a similar argument as Claim A.2, we have that

$$\begin{aligned} |\text {Pr }[{\text {W}}_{s-1}(\lambda )] - \text {Pr }[{\text {W}}_{s}(\lambda )] |\le \mathbf{Adv } _{\varGamma ^*,\mathcal {B}}^{\kappa -{\text {switch}}}(\lambda )~. \end{aligned}$$

\({\text {Game}} _3\)::

We change the first two source exponents to \(a'_i = a_i + \omega _{1}\) for randomly chosen \(a_i \in \mathbb {Z}_N\). This means that the target exponent for \(b=1\) is

$$\begin{aligned} d = (a_1 +\omega _1)(a_2 +\omega _1) \cdot a_{3} \cdots a_{\kappa +1}~. \end{aligned}$$

The first two elements \(a'_i\) are drawn from the uniform distribution, and their respective representation vectors are \((a_i,1)\) so \(\text {Pr }[{\text {W}}_2(\lambda )] = \text {Pr }[{\text {W}}_3(\lambda )]\).

\({\text {Game}} _4\)::

The implementation of \(C_{{\text {Map}}}\) is changed. Now, it has hard-coded

$$\begin{aligned}{}[ \omega _1 ] _0, \omega _2, \omega _3, \ldots , \omega _{\kappa }~. \end{aligned}$$

The polynomial \(P(\omega _1,\ldots ,\omega _\kappa ) = \prod _{i=1}^\kappa (x_{i,0} + x_{i,1}\omega _i)\) on point \((\omega _{1},\ldots ,\omega _{\kappa })\) can be evaluated in the exponent knowing \([ \omega _1 ] _0\) and explicit \(\omega _{i}\) for \(i \ge 2\). Since the output of the original \(C_{{\text {Map}}}\) is exactly \([ P(\omega _{1},\ldots ,\omega _{\kappa }) ] _T\), we conclude that

$$\begin{aligned} |\text {Pr }[{\text {W}}_{3}(\lambda )] - \text {Pr }[{\text {W}}_{4}(\lambda )] |\le \mathbf{Adv } _{\mathbf{PIO },\mathcal {B}}^{{\text {ind}}}(\lambda )~. \end{aligned}$$

\({\text {Game}} _5\)::

The challenge target d is set to

$$\begin{aligned} d = (a_1a_2+\omega _1a_2+\omega _1a_1+\sigma ) \cdot a_{3} \cdots a_{\kappa +1}~, \end{aligned}$$

(3)

where \(\sigma \) is a fresh random value in \(\mathbb {Z}_N\). Note that if \(\sigma = {\omega _1}^2\), then this is precisely the challenge target d in the previous game. Thus, a \(1-{\text {SDDH}} \) challenge \(([ \omega _1 ] _0,[ \sigma ] _0)\) can be used to generate the pair \(([ d ] _T, \overline{C^*}_{{\text {Map}}})\) as in \({\text {Game}} _4\) if \(\sigma = {\omega _1}^2\), or as in \({\text {Game}} _5\) if \(\sigma \) is random. This shows:

$$\begin{aligned} |\text {Pr }[{\text {W}}_{4}(\lambda )] - \text {Pr }[{\text {W}}_{5}(\lambda )] |\le \mathbf{Adv } _{\varGamma _0,\mathcal {B}}^{1-{\text {sddh}}}(\lambda )~. \end{aligned}$$

To conclude, we have \(\text {Pr }[{\text {W}}_5(\lambda )] \le 1/2 + {{\text {negl}}}(\lambda )\). To see this, we argue that d is randomly distributed in \(\mathbb {Z}_N\) for challenge bit \(b=1\) with overwhelming probability in \(\lambda \) as follows: If N is prime, then \(\prod _{j=3}^{\kappa +1} a_{j}\) has an inverse in \(\mathbb {Z}_N\), and therefore, d in Eq. (3) seen as a function of \(\sigma \) and parametrized by \(a_{j}\) defines a bijection in \(\mathbb {Z}_N\) with overwhelming probability. Thus, if \(\sigma \) is uniform so is d. \(\square \)