Implementing Candidate Graded Encoding Schemes from Ideal Lattices

  • Martin R. Albrecht
  • Catalin Cocis
  • Fabien Laguillaumie
  • Adeline Langlois
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9453)


Multilinear maps have become popular tools for designing cryptographic schemes since a first approximate realisation candidate was proposed by Garg, Gentry and Halevi (GGH). This construction was later improved by Langlois, Stehlé and Steinfeld who proposed GGHLite which offers smaller parameter sizes. In this work, we provide the first implementation of such approximate multilinear maps based on ideal lattices. Implementing GGH-like schemes naively would not allow instantiating it for non-trivial parameter sizes. We hence propose a strategy which reduces parameter sizes further and several technical improvements to allow for an efficient implementation. In particular, since finding a prime ideal when generating instances is an expensive operation, we show how we can drop this requirement. We also propose algorithms and implementations for sampling from discrete Gaussians, for inverting in some Cyclotomic number fields and for computing norms of ideals in some Cyclotomic number rings. Due to our improvements we were able to compute a multilinear jigsaw puzzle for \(\kappa =52\) (resp. \(\kappa =38\)) and \(\lambda = 52\) (resp. \(\lambda = 80\)).


Algorithms Implementation Lattice-based cryptography Cryptographic multilinear maps 



We would like to thank Guilhem Castagnos, Guillaume Hanrot, Bill Hart, Claude-Pierre Jeannerod, Clément Pernet, Damien Stehlé, Gilles Villard and Martin Widmer for helpful discussions. We would like to thank Steven Galbraith for pointing out the NTRU-style attack to us and for helpful discussions. This work has been supported in part by ERC Starting Grant ERC-2013-StG-335086-LATTAC. The work of Albrecht was supported by EPSRC grant EP/L018543/1 “Multilinear Maps in Cryptography”.


  1. [AB15]
    Applebaum, B., Brakerski, Z.: Obfuscating circuits via composite-order graded encoding. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 528–556. Springer, Heidelberg (2015)Google Scholar
  2. [APS15]
    Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. Cryptology ePrint Archive, Report 2015/046 (2015).
  3. [BCMM98]
    Bini, D., Del Corso, G.M., Manzini, G., Margara, L.: Inversion of circulant matrices over \({\bf Z}_m\). In: Larsen, K.G., Skyum, S., Winskel, G. (eds.) ICALP 1998. LNCS, vol. 1443, p. 719. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  4. [BF03]
    Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)zbMATHMathSciNetCrossRefGoogle Scholar
  5. [BLR+15]
    Boneh, D., Lewi, K., Raykova, M., Sahai, A., Zhandry, M., Zimmerman, J.: Semantically secure order-revealing encryption: Multi-input functional encryption without obfuscation. In: Oswald and Fischlin [OF15b], pp. 563–594Google Scholar
  6. [BS03]
    Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography. Contemp. Math. 324, 71–90 (2003)MathSciNetCrossRefGoogle Scholar
  7. [BWZ14]
    Boneh, D., Waters, B., Zhandry, M.: Low overhead broadcast encryption from multilinear maps. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 206–223. Springer, Heidelberg (2014)Google Scholar
  8. [CDKD14]
    Cloutier, M.É., de Koninck, J.M., Doyon, N.: On the powerful and squarefree parts of an integer. J. Integer Sequences 17(2), 28 (2014)Google Scholar
  9. [CG13]
    Canetti, R., Garay, J.A. (eds.): CRYPTO 2013, Part I. LNCS, vol. 8042. Springer, Heidelberg (2013)Google Scholar
  10. [CGH+15]
    Coron, J.S., Gentry, C., Halevi, S., Lepoint, T., Maji, H.K., Miles, E., Raykova, M., Sahai, A., Tibouchi, M.: Zeroizing without low-level zeroes: New MMAP attacks and their limitations. In: Gennaro and Robshaw [GR15], pp. 247–266Google Scholar
  11. [CHL+15]
    Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald and Fischlin [OF15a], pp. 3–12Google Scholar
  12. [CLT13]
    Jean-Sébastien Coron, Tancrède Lepoint, and Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti and Garay [CG13], pp. 476–493Google Scholar
  13. [CLT15]
    Coron, J.S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. In: Gennaro and Robshaw [GR15], pp. 267–286Google Scholar
  14. [CN11]
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  15. [CS97]
    Coppersmith, D., Shamir, A.: Lattice attacks on NTRU. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 52–61. Springer, Heidelberg (1997)Google Scholar
  16. [DB76]
    Denman, E.D., Beavers, Jr., A.N.: The matrix sign function and computations in systems. Appl. Math. Comput., vol. 2, pp. 63–94 (1976)Google Scholar
  17. [DDLL13]
    Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal gaussians. In: Canetti and Garay [CG13], pp. 40–56Google Scholar
  18. [Duc13]
    Ducas, L.: Signatures Fondées sur les Réseaux Euclidiens: Attaques, Analyse et Optimisations. Ph.D. thesis, Université Paris, Diderot (2013)Google Scholar
  19. [Gar13]
    Garg, S.: Candidate Multilinear Maps. Ph.D. thesis, University of California, Los Angeles (2013)Google Scholar
  20. [GGH13a]
    Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  21. [GGH+13b]
    Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press, October 2013Google Scholar
  22. [GPV08]
    Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 197–206. ACM Press, May 2008Google Scholar
  23. [GR15]
    Gennaro, R., Robshaw, M.J.B.: CRYPTO 2015, Part I, vol. 9215. Springer, Heidelberg (2015)Google Scholar
  24. [Hig97]
    Higham, N.J.: Stable iterations for the matrix square root. Numer. Algorithms 15(2), 227–242 (1997)zbMATHMathSciNetCrossRefGoogle Scholar
  25. [HJ15]
    Hu, Y., Jia, H.: Cryptanalysis of GGH map. Cryptology ePrint Archive, Report 2015/301 (2015).
  26. [HJP14]
    Hart, W., Johansson, F., Pancratz, S.: FLINT: fast library for number theory (2014). Version 2.4.4.
  27. [Jou04]
    Joux, A.: A one round protocol for tripartite Diffie-Hellman. J. Cryptol. 17(4), 263–276 (2004)zbMATHMathSciNetCrossRefGoogle Scholar
  28. [LMPR08]
    Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  29. [LP15]
    Lyubashevsky, V., Prest, T.: Quadratic time, linear space algorithms for gram-schmidt orthogonalization and gaussian sampling in structured lattices. In: Oswald and Fischlin [OF15a], pp. 789–815Google Scholar
  30. [LSS14a]
    Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 239–256. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  31. [LSS14b]
    Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: More efficient multilinear maps from ideal lattices. Cryptology ePrint Archive, Report 2014/487 (2014).
  32. [OF15a]
    Oswald, E., Fischlin, M. (eds.): EUROCRYPT 2015. LNCS, vol. 9056. Springer, Heidelberg (2015)Google Scholar
  33. [OF15b]
    Oswald, E., Fischlin, M. (eds.): EUROCRYPT 2015. LNCS, vol. 9057. Springer, Heidelberg (2015)Google Scholar
  34. [Pei10]
    Peikert, C.: An efficient and parallel gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  35. [SE94]
    Schnorr, C.P., Euchner, M.: Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Math. Program. 66(1–3), 181–199 (1994)zbMATHMathSciNetCrossRefGoogle Scholar
  36. [The13]
    The MPFR team. GNU MPFR: The Multiple Precision Floating-Point Reliable Library, 3.1.2 edition (2013).
  37. [Win96]
    Winkler, F.: Polynomial Algorithms in Computer Algebra. Texts and Monographs in Symbolic Computation. Springer, Heidelberg (1996)zbMATHCrossRefGoogle Scholar
  38. [Zim15]
    Zimmerman, J.: How to obfuscate programs directly. In: Oswald and Fischlin [OF15b], pp. 439–467Google Scholar

Copyright information

© International Association for Cryptologc Research 2015

Authors and Affiliations

  • Martin R. Albrecht
    • 1
  • Catalin Cocis
    • 2
  • Fabien Laguillaumie
    • 3
  • Adeline Langlois
    • 4
    • 5
  1. 1.Information Security GroupRoyal Holloway, University of LondonEghamUK
  2. 2.Technical University of Cluj-NapocaCluj-NapocaRomania
  3. 3.LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL)Université Claude Bernard Lyon 1VilleurbanneFrance
  4. 4.EPFLLausanneSwitzerland
  5. 5.CNRS/IRISARennesFrance

Personalised recommendations