Implementing Candidate Graded Encoding Schemes from Ideal Lattices
 9 Citations
 1.3k Downloads
Abstract
Multilinear maps have become popular tools for designing cryptographic schemes since a first approximate realisation candidate was proposed by Garg, Gentry and Halevi (GGH). This construction was later improved by Langlois, Stehlé and Steinfeld who proposed GGHLite which offers smaller parameter sizes. In this work, we provide the first implementation of such approximate multilinear maps based on ideal lattices. Implementing GGHlike schemes naively would not allow instantiating it for nontrivial parameter sizes. We hence propose a strategy which reduces parameter sizes further and several technical improvements to allow for an efficient implementation. In particular, since finding a prime ideal when generating instances is an expensive operation, we show how we can drop this requirement. We also propose algorithms and implementations for sampling from discrete Gaussians, for inverting in some Cyclotomic number fields and for computing norms of ideals in some Cyclotomic number rings. Due to our improvements we were able to compute a multilinear jigsaw puzzle for \(\kappa =52\) (resp. \(\kappa =38\)) and \(\lambda = 52\) (resp. \(\lambda = 80\)).
Keywords
Algorithms Implementation Latticebased cryptography Cryptographic multilinear maps1 Introduction
Multilinear maps, starting with bilinear ones, are popular tools for designing cryptosystems. When pairings were introduced to cryptography [Jou04], many previously unreachable cryptographic primitives, such as identitybased encryption [BF03], became possible to construct. Maps of higher degree of linearity were conjectured to be hard to find – at least in the “realm of algebraic geometry” [BS03]. But in 2013, Garg, Gentry and Halevi [GGH13a] proposed a construction, relying on ideal lattices, of a socalled “graded encoding scheme” that approximates the concept of a cryptographic multilinear map.
As expected, graded encoding schemes quickly found many applications in cryptography. Already in [GGH13a] the authors showed how to generalise the 3partite DiffieHellman key exchange first constructed with cryptographic bilinear maps [BS03] to N parties: the protocol allows N users to share a secret key with only one broadcast message each. Furthermore, a graded encoding scheme also allows constructing very efficient broadcast encryption [BS03, BWZ14]: a broadcaster can encrypt a message and send it to a group where only a part of it (decided by the broadcaster before encrypting) will be able to read it. Moreover, [GGH+13b] introduced indistinguishability obfuscation (iO) and functional encryption based on a variant of multilinear maps — multilinear jigsaw puzzles — and some additional assumptions.
The GGH Scheme. For a multilinearity parameter \(\kappa \), the principle of the symmetric GGH graded encoding scheme is as follows: given a ring R and a principal ideal \(\mathcal {I}\) generated by a small secret element \(g \in R\), a plaintext is a small element of \(R/\mathcal {I}\) and is viewed as a level0 encoding. Given a level0 encoding, it is easy increase the level to a higher level \(i \leqslant \kappa \), but it is assumed hard to come back to an inferior level. The encodings are additively homomorphic at the same level, and multiplicatively homomorphic up to \(\kappa \) operations. The multiplication of a leveli and a levelj encoding gives a level\((i+j)\) encoding. Additionally, a zerotesting parameter \(p_{zt} \) allows testing if a level\(\kappa \) element is an encoding of 0, and hence also allows testing if two level\(\kappa \) encodings are encoding the same elements. Finally, the extraction procedure uses \(p_{zt} \) to extract \(\ell \) bits which are a “canonical” representation of a ring element given its level\(\kappa \) encoding.
More precisely, in GGH we are given \(R = {{\mathbb {Z}}} [X] /(X^n +1)\), where n is a power of 2, a secret element z uniformly sampled in \(R_q=R/qR\) (for a certain prime number q), and a public element y which is a level1 encoding of 1 of the form \({\left[ a/z\right] }_{q} \) for some small a in the coset \(1+\mathcal {I}\). We are also given m leveli encodings of 0 named \(x^{({i})}_{j} \), for all \(1 \leqslant i \leqslant \kappa \), and a zerotesting parameter \(p_{zt} \). To encode an element of \(R/\mathcal {I}\) at leveli (for \(i \leqslant \kappa \)), we multiply it by \(y^{i}\) in \(R_q\) (which give an element of the form \({\left[ c/z^{i}\right] }_{q} \), where c is an arbitrary small coset representative). Then, we add a linear combination of encodings of 0 at leveli of the form \(\sum _j \rho _j x_j^{(i)}\) to it where the \(\rho _j\) are sampled from a certain discrete Gaussian. This last step is the rerandomisation process and ought to ensure that the analogue of the discrete logarithm problem is hard: going from leveli to level0, for example by multiplying the encoding by \(y^{i}\). We will see later that the encodings of zero made public for this step are a problem for the security of the scheme.
The asymmetric variant of this scheme replaces levels by “groups” which are identified with subsets of \(\{1,\dots ,\kappa \}\). Addition of two elements in the same group stays within the group, multiplying two elements of different groups with disjoint index sets produces an element in the group defined by the union of their index sets. These groups are realised by defining one \(z_i\) for each index \(1 \leqslant i \leqslant \kappa \) and then dividing by the appropriate product of \(z_i\). Given a group characterised by \(S \subseteq \{1,\dots ,\kappa \}\) we call the cardinality of S its level.
We can distinguish between GGH instances where encodings of zero are made publicly available to allow anyone to encode elements and those where this is not the case. The latter are also called “Multilinear Jigsaw Puzzles” and were introduced in [GGH+13b] as a building block for indistinguishability obfuscation. Such instances can be thought of as secretkey graded encoding schemes. To distinguish the two cases, we denote those instances where no encodings of zero \(x^{({i})}_{j} \) are published as GGH\(_{s}\). In such instances the secret elements g and \(z_i\) are required to encode elements at levels above zero.
Security. Already in [GGH13a] it was shown that an attacker can recover the ideal (g) and the coset of (g) for any encoding at level \(\leqslant \kappa \) if encodings of zero are made available. However, since these representatives of either (g) or the cosets are not small, it was believed that these “weak discrete log” attacks would not undermine the central security goal of GGH – the analogue of the BDDH assumption. However, in [HJ15] it was shown that these attacks can be extended to recover short representatives of the cosets. As a consequence, if encodings of zero are published, then [HJ15] breaks the GGH security goals in many scenarios and it is not clear, at present, if and how GGHlike graded encoding schemes can be defended against such attacks. A candidate proposal to prevent weak discrete logarithm attacks was proposed in [CLT15, Appendix G], where the strategy is to change zero testing to make it nonlinear in the encodings such that the attack does not work anymore. However, no security analyses was provided in [CLT15] and revision 20150516:083005 of [CLT15] drops any mention of this candidate fix. Hence, the status of GGHlike schemes where encodings of zero are published is currently unclear. However, we note that GGH\(_s\), where no encodings of zero are made available, does not appear to be vulnerable to weak discrete log attacks if the freedom of an attacker to produce encodings of zero at the higher levels is also severely restricted to prevent generalisations of “zeroizing” attacks such as [CGH+15]. Such variants are the central building block of indistinguishability obfuscation, i.e. this case has important applications despite being more limited in functionality. Indeed, at present no known attack threatens the security of indistinguishability obfuscation constructed from graded encoding schemes such as GGH.
Alternative Constructions. An alternative instantiation of graded encoding schemes over the integers promising practicality was proposed by Coron, Lepoint and Tibouchi [CLT13]. This first proposal was also broken in polynomial time using public encodings of zero in [CHL+15]. The attack was later generalised in [CGH+15] and a candidate defence against these attacks was proposed in [CLT15]. The authors of [CLT15] also provided a C++ implementation of a heuristic variant of this scheme. They report that the Setup phase of an 7partite DiffieHellman key exchange takes 4528 s (parallelised on 16 cores), publishing a share (Publish) takes 7.8 s per party (single core) and the final key derivation (KeyGen) takes 23.9 s per party (single core) for a level of security \(\lambda = 80\).
Instantiation. The implementation reported in [CLT15] is to date the only implementation of a candidate graded encoding scheme. This is partly because instantiating the original GGH construction is too costly in practice for anything but toy instances. In 2014, Langlois, Stehlé and Steinfeld [LSS14a] proposed a variant of GGH called GGHLite, improving the rerandomisation process of the original scheme. It reduces the number m of rerandomisers, public encodings of zero, needed from \(\Omega (n\log n)\) to 2 and also the size of the parameter \(\sigma _i^\star \) of the Gaussian used to sample multipliers \(\rho _j\) during the rerandomisation phase from \(\widetilde{\mathcal {O}}(2^{\lambda }\, \lambda \, n^{4.5} \kappa )\) to \(\widetilde{\mathcal {O}}(n^{5.5} \sqrt{\kappa })\). These improvements allow reducing the size of the public parameters and improving the overall efficiency of the scheme. But even though [LSS14a] made a step forward towards efficiency and in some cases no public rerandomisation is required at all (GGH\(_s\)), GGHlike schemes are still far from being practical.
Our contribution. Our main contribution is a first and efficient implementation of improved GGHlike schemes which we make publicly available under an opensource license. This implementation covers symmetric and asymmetric flavours and we allow encodings of zero to be published or not. However, since the security of GGHlike constructions is unclear when encodings of zero are published, we do not discuss this variant in this paper. We note, however, that our implementation provides a good basis for implementing any future fixes and improvements for GGHbased graded encoding schemes.

We show that we do not require (g) to be a prime ideal for the existing proofs to go through. Indeed, sampling an element \(g \in {\mathbb {Z}} [X]/(X^n+1)\) such that the ideal it generates is prime, as required by GGH and GGHLite, is a prohibitively expensive operation. Avoiding this check is then a key step to allow us to go beyond toy instances.

We give a strategy to choose practical parameters for the scheme and extend the analysis of [LSS14a] to ensure the correctness of all the procedures of the scheme. Our refined analysis reduces the bitsize of q by a factor of about 4, which in turn reduces the required dimension n.

We apply the analyses from [CS97] to pick parameters to defend against lattice attacks.

For all steps during the instance generation we provide implementations and algorithms which work in quasilinear time and efficiently in practice. In particular, we provide algorithms and implementations for inverting in some Cyclotomic number fields, for computing norms of ideals in some Cyclotomic number rings, for producing short representatives of elements modulo (g) and for sampling from discrete Gaussians in \(\widetilde{\mathcal {O}}(n)\). For the latter we use Ducas and Nguyen’s strategy [Duc13] Our implementation of these operations might be of independent interest (cf. [LP15] for recent work on efficient sampling from a discrete Gaussian distribution), which is why they are available as a separate module in our code.

We discuss our implementation and report on experimental results.
Computing a \(\kappa \)level asymmetric multilinear maps with our implementation without encodings of zero. Column \(\lambda \) gives the minimum security level we accepted, column \(\lambda '\) gives the actually expected security level based on the best known attacks for the given parameter sizes. Timings produced on Intel Xeon CPU E5–2667 v2 3.30 GHz with 256 GB of RAM, parallelised on 16 cores, but not all operations took full advantage of all cores. Setup gives the time for generating the GGH instance. Encode lists the time it takes to reduce an element \(\in {\mathbb {Z}} _p\) with \(p = \mathcal {N}({\mathcal {I}}) \) to a small element in \({\mathbb {Z}} [X]/\left( X^n+1 \right) \) modulo (g). Mult lists the time to multiply \(\kappa \) elements. All times are wall times.
\(\lambda \)  \(\kappa \)  \(\lambda '\)  n  \(\log q\)  Setup  Encode  Mul  \(\Vert enc \Vert \) 

52  6  64.4  \(2^{15}\)  2117  114 s  26 s  0.05 s  8.3 MB 
52  9  53.5  \(2^{15}\)  3086  133 s  25 s  0.12 s  12.1 MB 
52  14  56.6  \(2^{16}\)  4966  634 s  84 s  0.62 s  38.8 MB 
52  19  56.6  \(2^{16}\)  6675  762 s  75 s  1.38 s  52.2 MB 
52  25  59.6  \(2^{17}\)  9196  2781 s  243 s  5.78 s  143.7 MB 
52  52  62.7  \(2^{18}\)  19898  26695 s  1016 s  84.1 s  621.8 MB 
80  6  155.2  \(2^{16}\)  2289  415 s  74 s  0.13 s  17.9 MB 
80  9  86.7  \(2^{16}\)  3314  445 s  72 s  0.27 s  25.9 MB 
80  14  120.9  \(2^{17}\)  5288  1525 s  252 s  1.38 s  82.6 MB 
80  19  80.4  \(2^{17}\)  7089  1821 s  268 s  3.07 s  110.8 MB 
80  25  138.8  \(2^{18}\)  9721  9595 s  967 s  13.52 s  303.8 MB 
80  38  80.3  \(2^{18}\)  14649  20381 s  947 s  16.21 s  457.8 MB 
Technical Overview. Our implementation relies on FLINT [HJP14]. However, we provide our own specialised implementations for operations in the ring of integers of Cyclotomic number fields where the degree is a power of two and related rings as listed above.
Our variant of GGH foregoes checking if g generates a prime ideal. During instance generation [GGH13a, LSS14a] specify to sample g such that (g) is a prime ideal. This condition is needed in [GGH13a, LSS14a] to ensure that no nonzero encoding passes the zerotesting test and to argue that the noninteractive Npartite key exchange produces a shared key with sufficient entropy. We show that for both arguments we can drop the requirement that g generates a prime ideal. This was already mentioned as a potential improvement in [Gar13, Section 6.3] but not shown there. As rejection sampling until a prime ideal (g) is found is prohibitively expensive due to the low density of prime ideals in \({\mathbb {Z}} [X]/(X^n+1)\), this allows speedingup instance generation such that nontrivial instances are possible. We also provide fast algorithms and implementations for checking if \((g) \subset {\mathbb {Z}} [X]/(X^n+1)\) is prime for applications which still require prime (g).
We also improve the size of the two parameters q and \(\ell \) compared to [LSS14a]. We first perform a finer analysis than [LSS14a], which allows us to reduce the size of the parameter q by a factor 2. Then, we introduce a new parameter \(\xi \), which controls what fraction of q is considered “small”, i.e. passes the zerotesting test, which reduces the size of q further. This also reduces the number of bits extracted from each coefficient \(\ell \). Indeed, instead of setting \(\ell = 1/4 \log q  \lambda \) where \(\lambda \) is the security parameter, we set \(\ell = \xi \log q  \lambda \) with \(0 < \xi \leqslant 1/4\). We then show that for a good choice of \(\xi \) this is enough to ensure the correctness of the extraction procedure and the security of the scheme. Overall, our refined analysis allows us to reduce the size of \(q \approx {(3n^{\frac{3}{2}}\sigma ^{\star }_1 \sigma ')}^{8\kappa }\) in [LSS14a] to \(q \approx {(3n^{\frac{3}{2}}\sigma ^{\star }_1 \sigma ')}^{(2+\varepsilon )\kappa }\) which, in turn, allows reducing the dimension n. When no encodings of zero are published we simply set \(\sigma _1^\star = 1\) and apply the same analysis.
Open Problems. The most pressing question at this point is whether GGHlike constructions are secure. There exist no security proofs for any variant and recent cryptanalysis results recommend caution. Even speculating that secure variants of GGHlike multilinear maps can be found, performance is still an issue. While we manage to compute approximate multilinear maps for relatively high levels of \(\kappa \) in this work, all known schemes are still at least quadratic in \(\kappa \) which presents a major obstacle to efficiency. Any improvement which would reduce this to something linear in \(\kappa \) would mean a significant step forward. Finally, establishing better estimates for lattice reduction and tuning the parameter choices of our schemes are areas of future work.
Roadmap. We give some preliminaries in Sect. 2. In Sect. 3 we describe the GGHlike asymmetric graded encoding schemes and the multilinear jigsaw puzzles used for iO. In Sect. 4, we explain our modifications to GGHlike schemes, especially concerning the parameter q. We also recall a lattice attack to derive the parameter n and show that we do not require (g) to be prime. In Sect. 5, we give the details of our implementation.
2 Preliminaries
Lattices and Ideal Lattices. An mdimensional lattice L is an additive subgroup of \(\mathbb {R}^m\). A lattice L can be described by its basis \(B = \{b_1,b_2,\dots ,b_k\}\), with \(b_i \in \mathbb {R}^m\), consisting in k linearly independent vectors, for some \(k \leqslant m\), called the rank of the lattice. If \(k=m\), we say that the lattice has fullrank. The lattice L spanned by B is given by \(L = \{\sum _{i=1}^k c_i \cdot b_i, c_i \in {\mathbb {Z}} \}\). The volume of the lattice L, denoted by \(\text {vol} (L)\), is the volume of the parallelepiped defined by its basis vectors. We have \(\text {vol} (L) = \sqrt{\det (B^T B)}\), where B is any basis of L.
For n a power of two, let \(f(X) \in {\mathbb {Z}} [X]\) be a monic polynomial of degree n (in our case, \(f(X) = X^n + 1\)). Then, the polynomial ring \(R = {\mathbb {Z}} [X]/f(X)\) is isomorphic to the integer lattice\(~{\mathbb {Z}} ^n\), i.e. we can identify an element \(u(X) = \sum _{i=0}^{n1}u_i\cdot X^i \in R\) with its corresponding coefficient vector \((u_0,u_1,\dots ,u_{n1})\). We also define \(R_q = R/qR = {\mathbb {Z}} _q[X]/(X^n+1)\) (isomorphic to \(~{\mathbb {Z}} _q^n\)) for a large prime q and \(K = {{\mathbb {Q}}} [X] / (X^n+1)\) (isomorphic to\(~{\mathbb {Q}} ^n\)).
Given an element \(g\in R\), we denote by \(\mathcal {I}\) the principal ideal in R generated by g: \( (g) = \{g\cdot u: u\in R\}\). The ideal (g) is also called an ideal lattice and can be represented by its \({\mathbb {Z}} \)basis \((g,X \cdot g,\dots ,X^{n1}\cdot g)\). We denote by \(\mathcal {N}(g)\) its norm. For any \(y \in R\), let \([y]_g\) be the reduction of y modulo \(\mathcal {I}\). That is, \([y]_g\) is the unique element in R such that \(y[y]_g \in (g)\) and \([y]_g = \sum _{i=0}^{n1} y_i X^ig\), with \(y_i \in [1/2,1/2), \forall i, 0\leqslant i \leqslant n1\). Following [LSS14a] we abuse notation and let \(\sigma _n(b)\) denotes the last singular value of the matrix \(\text {rot} (b) \in {\mathbb {Z}} ^{n \times n}\), for any \(b \in \mathcal {I}\). For \(z \in R\), we denote by \(\text {MSB}_{\ell } \in \{ 0,1 \}^{\ell \cdot n}\) the \(\ell \) most significant bits of each of the n coefficients of z in R.
Gaussian Distributions. For a vector \(c \in \mathbb {R}^n\) and a positive parameter \(\sigma \in \mathbb {R}\), we define the Gaussian distribution of centre c and width parameter \(\sigma \) as \( \rho _{\sigma ,c}(x) = \exp (\pi \frac{xc^2}{\sigma ^2} ), \text { for all } x \in \mathbb {R}^n.\) This notion can be extended to ellipsoid Gaussian distribution by replacing the parameter \(\sigma \) with the square root of the covariance matrix \(\varSigma = BB^t \in ~\mathbb {R}^{n\times n}\) with \(\det (B) \ne 0\). We define it by \(\rho _{\sqrt{\varSigma },c}(x) = \exp (\pi \cdot (xc)^t(B^tB)^{1}(xc))\), for all \(x \in \mathbb {R}^n\). For L a subset of \({\mathbb {Z}} ^n\), let \(\rho _{\sigma ,c}(L) = \sum _{x\in L}\rho _{\sigma ,c}(x)\). Then, the discrete Gaussian distribution over L with centre c and standard deviation \(\sigma \) (resp. \(\sqrt{\varSigma }\)) is defined as \(D_{L,\sigma ,c}(y) = \frac{\rho _{\sigma ,c}(y)}{\rho _{\sigma ,c}(L)}, \text { for all } y \in L.\) We use the notations \(\rho _\sigma \) (resp. \(\rho _{\sqrt{\varSigma }}\)) and \(D_{L,\sigma }\) (resp. \(D_{L,\sqrt{\varSigma }}\)) when c is 0.
Finally, for a fixed \(Y = (y_1,y_{2}) \in R^2\), we define: \(\widetilde{\mathcal {E}}_{Y,s} = y_1 D_{R,s} + y_2 D_{R,s}\) as the distribution induced by sampling \(\mathbf {u} = (u_1,u_2) \in R^2\) from a discrete spherical Gaussian with parameter s, and outputting \(y = y_1 u_1 + y_2 u_2\). It is shown in [LSS14a, Theorem 5.1] that if \(Y \cdot R^{2} = \mathcal {I}\) and \(s \geqslant \max (\Vert g^{1}y_1\Vert _{\infty },\Vert g^{1}y_2\Vert _{\infty }) \cdot n \cdot \sqrt{2 \log ( 2 n (1+1/\varepsilon )) / \pi }\) for \(\varepsilon \in (0,1/2)\), this distribution is statistically close to the Gaussian distribution \(D_{\mathcal {I},s Y^T}\).
3 GGHlike Asymmetric Graded Encoding Scheme
We now recall the definitions given in [GGH+13b, Section 2.2] for the notions of Jigsaw specifier, Multilinear Form and Multilinear Jigsaw puzzle.
Definition 1
([GGH+13b, Definition 5]). A Jigsaw specifier is a tuple \((\kappa ,\ell ,A)\) where \(\kappa , \ell \in {\mathbb {Z}} ^+\) are parameters and A is a probabilistic circuit with the following behavior: On input a prime number q, A outputs the prime q and an ordered set of \(\ell \) pairs \((S_1,a_1), \ldots , (S_{\ell },a_{\ell })\) where each \(a_i \in {\mathbb {Z}} _q\) and each \(S_i \subseteq [\kappa ]\).
Definition 2
([GGH+13b, Definition 6 and 7]). A Multilinear Form is a tuple \(\mathcal {F}=(\kappa ,\ell ,\varPi ,F)\) where \(\kappa , \ell \in {\mathbb {Z}} ^+\) are parameters and \(\varPi \) is a circuit with \(\ell \) input wires, made out of binary and unary gates. F is an assignment of an index set \(I \subseteq [\kappa ]\) to every wire of \(\varPi \). A multilinear form must satisfies constraints given in the original definition (on gates, and the output wire is assigned to \([\kappa ]\)).
We say that a Multilinear Form \(\mathcal {F}=(\kappa ',\ell ',\varPi ,F)\) is compatible with \(X=((S_1,a_1), \ldots , (S_{\ell },a_{\ell }))\) if \(\kappa =\kappa '\), \(\ell =\ell '\) and the input wires of \(\varPi \) are assigned to the sets \(S_1, \ldots , S_{\ell }\). The evaluation of \(\mathcal {F}\) on X is then doing arithmetic operations on the inputs depending on the gates. We say that the evaluation succeeds if the final output is \(([\kappa ],0)\).
We now define the Multilinear Jigsaw Puzzles.

Jigsaw Generator: \(\mathsf {JGen}(\lambda ,\kappa ,\ell ,\) A \() \rightarrow (q,X,\mathsf {puzzle})\). This algorithm takes as input \(\lambda \), and a Jigsaw specifier \((\kappa ,\ell ,A)\). It outputs a prime q, a private output X and a public output \(\mathsf {puzzle}\). The generator is using a pair of PPT algorithms \(\mathsf {JGen} = (\mathsf {InstGen},\mathsf {Encode}) \).

\(\mathsf {InstGen}(\lambda , \kappa ) \rightarrow (q,\mathsf {params}, s)\). This algorithm takes \(\lambda \) and \(\kappa \) as inputs and outputs \((q,\mathsf {params}, s)\), where q is a prime of size at least \(2^{\lambda }\), \(\mathsf {params}\) is a description of public parameters, and s is a secret state to pass to the encoding algorithm.

\(\mathsf {Encode}(q,\mathsf {params},s,(S,a)) \rightarrow (S,u)\). The encoding algorithm takes as inputs the prime q, the parameters \(\mathsf {params}\), the secret state s, and a pair (S, a) with \(S \subseteq [\kappa ]\) and \(a \in {\mathbb {Z}} _q\) and outputs u, an encoding of a relative to S.
More precisely, the algorithm runs the Jigsaw specifier on input q to get \(\ell \) pairs \((S_1,a_1), \ldots , (S_{\ell },a_{\ell })\). Then encodes all the plaintext elements by using the \(\mathsf {Encode}\) algorithm on each \((S_i,a_i)\) which return \((S_i,u_i)\). We have:$$X=(q,(S_1,a_1), \ldots ,(S_{\ell },a_{\ell })) \text { and } \mathsf {puzzle}=(\mathsf {params}, (S_1,u_1), \ldots ,(S_{\ell },u_{\ell })).$$ 

Jigsaw Verifier: \(\mathsf {JVer}(\mathsf {puzzle}, \mathcal {F}) \rightarrow \{0,1\}\) . This algorithm takes as input the public output of a Jigsaw Generator \(\mathsf {puzzle}\), and a multilinear form \(\mathcal {F}\). It outputs either accept (1) or reject (0).
Security. The hardness assumptions for the Multilinear Jigsaw puzzle requires that for two different polynomialsize families of Jigsaw Specifier \({\{ (\kappa _{\lambda },\ell _{\lambda },A_{\lambda }) \}}_{\lambda \in {\mathbb {Z}} ^+}\) and \({\{ (\kappa _{\lambda },\ell _{\lambda },A'_{\lambda }) \}}_{\lambda \in {\mathbb {Z}} ^+}\) the public output of the Jigsaw Generator on \((\kappa _{\lambda },\ell _{\lambda },A_{\lambda })\) will be computationally indistinguishable from the public output of the Jigsaw Generator on \((\kappa _{\lambda },\ell _{\lambda },A'_{\lambda })\).
3.1 Using GGH to Construct Jigsaw Puzzles

Jigsaw Generator. The Jigsaw Generator uses \(\mathsf {InstGen}\) to generate all the public (\(\mathsf{params}\) and \(p_{zt} \)) and secret parameters of the multilinear map. Each level of the multilinear map will be associated with a subset of the set \([\kappa ]\). To create the puzzle pieces, which are encodings of some elements of R at different level, the Generator simply encodes some random elements at level \(S \subset [1,\kappa ]\), those are given as \(\mathsf {puzzle}\).

Jigsaw Verifier. The verifier is given the public parameters \(\mathsf{params}\) and \(p_{zt} \), a valid form \(\varPi \) (which is defined [GGH+13b, Def. 6] in as a circuit made of binary and unary gates) and \(\mathsf {puzzle}\), an input for \(\varPi \) (which are some encodings). The verifier is then evaluating \(\varPi \) on these input using \(\mathsf {Add}\) for addition gates and \(\mathsf {Mult}\) for multiplication gates. The verifier must succeeds if the evaluation of \(\mathcal {F}\) on X succeeds, which means that the final output of the evaluation is an encoding of zero at level \(\kappa \). The verifier is invoking the zerotesting procedure, and outputs 1 if the test passes, 0 otherwise.
4 Modifications to and Parameters for GGHlike Schemes
In this section, we first show that we do not require a prime (g) and then describe a method which allows to reduce the size of two parameters: the modulus q and the number \(\ell \) of extracted bits. In Sect. 4.3 then we describe the latticeattack against the scheme which we use to pick the dimension n. Finally, we describe our strategy to choose parameters that satisfy all these constraints.
4.1 Nonprime (g)
Both GGHLite and GGHlike jigsaw puzzles as specified in Fig. 1 require to sample a g such that (g) is a prime ideal. However, finding such a g is prohibitively expensive. While checking each individual g whether (g) is a prime ideal is asymptotically not slower than polynomial multiplication, finding such a g requires to run this check often. The probability that an element generates a prime ideal is assumed to be roughly \(1/(n^c)\) for some constant \(c>1\) [Gar13, Conjecture 5.18], so we expect to run this check \(n^c\) times. Hence, the overall complexity is at least quadratic in n which is too expensive for anything but toy instances.
Primality of (g) is used in two proofs. Firstly, to ensure that after multiplying \(\kappa +1\) elements in \(R_g\) the product contains enough entropy. This is used to argue entropy of the Npartite noninteractive key exchange. Secondly, to prove that \(c\cdot h/g\) is big if \(c, h \not \in g\) (cf. Lemma 2). Below, we show that we can relax the conditions on g for these two arguments to still go through, which then allows us to drop the condition that (g) should be prime. We note, though, that some other applications might still require g to be prime and that future attacks might find a way to exploit nonprime (g).
Entropy of the Product. The next lemma shows that excluding prime factors \(\leqslant 2N\) and guaranteeing \(\mathcal {N}({g}) \geqslant 2^n\) is sufficient to ensure \(2\lambda \) bits of entropy in a product of \(\kappa +1\) elements in \(R_g\) with overwhelming probability. We note that both conditions hold with high probability, are easy to check and are indeed checked in our implementation.
Lemma 1
Let \(\kappa \geqslant 2\), \(\lambda \) be the security parameter and \(g \in {\mathbb {Z}} [X]/(X^n+1)\) with norm \(p = \mathcal {N}({g}) \geqslant 2^n\) such that p has no prime factors \(\leqslant 2\kappa +2\), and such that \(n \geqslant \kappa \cdot \lambda \cdot \log (\lambda )\). Then, with overwhelming probability, the product of \(\kappa +1\) uniformly random elements in \(R_g\) has at least \(\kappa \cdot \lambda \cdot \log (\lambda )/4\) bits of entropy.
Proof
Write \(p = \prod _{i=1}^{r} p_i^{e_i}\) where \(p_i\) are distinct primes and \(e_i \ge 1\) for all i. Let us consider the set \(\mathcal {S} = \{i \in \{1,\dots ,r\}: e_i = 1 \}\). Then, following [CDKD14] we define \(p_s = \prod _{i \in \mathcal {S}} p_i\) as the squarefree part of p. Asymptotically, it holds that \(\#\{p \leqslant x : p/p_s > p_s\}\) is \(cx^{3/4}\) for some computable constant c (cf. [CDKD14]). Since in our case we have \(x\geqslant 2^n\), this implies that with overwhelming probability it holds that \(p_s \geqslant \sqrt{p}\) and hence \(\log (p_s) \geqslant n/2\).
Probability of False Positive. It remains to be shown that we can ensure that there are no false positives even if (g) is not prime. In [GGH13a, Lemma 3] false positives are ruled out as follows. Let \(u = {\left[ c / z^{\kappa }\right] }_{q} \) where c is a short element in some coset of \(\mathcal {I}\), and let \(w = {\left[ p_{zt} \cdot u\right] }_{q} \), then we have \(w = {\left[ c \cdot h / g\right] }_{q} \). The first step in [GGH13a] is to suppose that \(\left\ {g \cdot w}\right\ _{} \) and \(\left\ {c \cdot h}\right\ _{} \) are each at most q / 2, then, since \( g \cdot w = c \cdot h \mod q\) we have that \( g \cdot w = c \cdot h\) exactly. We also have an equality of ideals: \((g) \cdot (w) = (c) \cdot (h)\), and then several cases are possible. If (g) is prime as in [GGH13a, Lemma 3], then (g) divides either (c) or (h) and either c or h is in (g). As, by construction, none of them is in (g) if c is not in \(\mathcal {I}\), either \( \left\ {g \cdot w}\right\ _{} \) or \(\left\ {c \cdot h}\right\ _{} \) is more than q / 2. Using this, they conclude that there is no small c (not in \(\mathcal {I}\)) such that w is small enough to be accepted by the zerotest.
Our approach is to simply notice that all we require is that (g) and (h) are coprime. Checking if (g) and (h) are coprime can be done by checking \(\gcd (\mathcal {N}({g}),\mathcal {N}({h})) = 1\). However, computing \(\mathcal {N}({h}) \) is rather costly because h is sampled from \(D_{{\mathbb {Z}} ^n,\sqrt{q}}\) and hence has a large norm. To deal with this issue we notice that if \(\gcd (\mathcal {N}({g}),\mathcal {N}({h})) \ne 1\) then we also have \(\gcd (\mathcal {N}({g}),\mathcal {N}({h \mod g})) \ne 1\) which can be verified with a simple calculation. Now, interpreting \(h \mod g\) as “a small representative of h modulo g”, we can compute \(h \mod g\) as \(h  g \cdot \lfloor g^{1} \cdot h\rceil \), which produces an element of size \(\approx \sqrt{n}\cdot \left\ {g}\right\ _{} \). We can use this observation to reduce the complexity of checking if (g) and (h) are coprime to computing two norms for elements of size \(\left\ {g}\right\ _{} \) and \(\approx \sqrt{n}\cdot \left\ {g}\right\ _{} \) and taking their gcd. Furthermore, this condition holds with high probability, i.e. we only have to perform this test \(\mathcal {O}(1)\) times. Indeed, by ruling out likely common prime factors first, we expect to run this test exactly once. Hence, checking coprimality of (g) and (h) is much cheaper than finding a prime (g) but still rules out false positives.
Finally, we note that recent proposals of indistinguishability obfuscation from multilinear maps [Zim15, AB15] requires composite order maps. These are not the maps we are concerned with here as in [Zim15, AB15] it is assumed that the factorisation of (g) is known. However, we note that our techniques and implementation easily extend to this case by considering \(g = g_1 \cdot g_2\) for known coprime \(g_1\) and \(g_2\).
4.2 Reducing the Size of q
In this section, we show how to reduce q for which we consider the case where rerandomisers are published for level1 but no other levels. This matches the requirements of the Npartite DiffieHellman key exchange but not the Jigsaw puzzle case. However, when no rerandomisers are published we may simply set \(\sigma ^\star _{1} = 1\) and apply the same analysis. Hence, assuming that rerandomisers are published fits our framework in all cases and makes our analysis compatible with previous work. We note that the analysis can be easily generalised to accommodate rerandomisers at higher levels than one by increasing q to accommodate “numerator growth”.
New parameter \(\xi \) . The choice suggested in [LSS14a] is to extract \(\ell = \log (q)/4  \lambda \) bits from each element of the level\(\kappa \) encoding. We show that this supplies much more entropy than needed and that we can sample a smaller fraction, \(\ell = \xi \log (q)  \lambda \) bits. The equation for q can be rewritten in terms of the variable \(\xi \), by setting the initial condition \(\Vert p_{zt} \, u\Vert _\infty < q^{1\xi }\).
Lemma 2
(Adapted from Lemma A.1 in [LSS14b]). Let \(g \in R\) and \(\mathcal {I}=(g)\), let \(c,h \in R\) such that \(c \notin \mathcal {I}\), (g) and (h) are coprime, \(\left\ {c \cdot h}\right\ _{} < q/2\) and \(q>{(2tn\sigma )}^{1/\xi }\) for some \(t \geqslant 1\) and any \(0 < \xi \leqslant 1/4\). Then \(\Vert {\left[ c \cdot h/ g\right] }_{q} \Vert > t\cdot q^{1\xi }\).
Proof
From [GGH13a, Lemma 3] and the discussion in Sect. 4.1 we know that since \(\left\ {c \cdot h}\right\ _{} < q/2\) we must have \(\left\ {g \cdot {\left[ c \cdot h/ g\right] }_{q}}\right\ _{} > q/2\) if (g) and (h) are coprime (note that \(c\cdot h \ne g \cdot {\left[ c \cdot h/ g\right] }_{q} \) in \(R/(X^n+1)\)). So we have \(\left\ {g \cdot {\left[ c \cdot h/g\right] }_{q}}\right\ _{} > q/2 \Longrightarrow \sqrt{n} \left\ {g}\right\ _{} \cdot \left\ {{\left[ c \cdot h/g\right] }_{q}}\right\ _{} > q/2 \Longrightarrow \left\ {{\left[ c \cdot h/g\right] }_{q}}\right\ _{} > q/(2n \sigma )\). We have \(t \cdot q^{1\xi } = t \cdot q/q^{\xi } < t \cdot q/(2tn \sigma ) = q/(2n \sigma )\) and the claim follows. \(\square \)
Correctness of ZeroTesting. We can obtain a tighter bound on q by refining the analysis in [LSS14a]. Recall that \(\Vert {\left[ p_{zt} \, u\right] }_{q} \Vert _\infty = \Vert {\left[ hc/g\right] }_{q} \Vert _\infty = \Vert h ~\cdot ~ c/g\Vert _\infty \leqslant \Vert h\Vert \cdot \Vert c/g\Vert \leqslant \Vert h\Vert \cdot \Vert c\Vert \cdot \Vert g^{1}\Vert \sqrt{n}\). The first inequality is a direct application of the inequalities between the infinity norm of a product and the product of the Euclidean norms, the second comes from [Gar13, Lemma 5.9].
Correctness of Extraction. As in [LSS14a], we need that two level\(\kappa \) encodings u and \(u'\) of different elements have different extracted elements, which implies that we need: \(\Vert {\left[ p_{zt} (uu') \right] }_{q} \Vert _{\infty } > 2^{L\ell +1}\) with \(L=\lfloor \log q \rfloor \). This condition follows from Lemma 2 with t satisfying \(t \cdot q^{1\xi } > 2^{L\ell +1}\), which holds for \(t=q^{\xi } \cdot 2^{\ell +1}\). As a consequence, the condition \(q > {(2tn\sigma )}^{1/x}\) is still satisfied if we have \(\ell > \log _2(8n\sigma )\), and to ensure that \(t>1\) we need that \(\ell < \xi \log q + 2\). Finally, to ensure that \(\varepsilon _{ext}\), the probability of the extraction to be the same for two different elements, is negligible, we need that \( \ell \leqslant \xi \log _2 q  \log _2 (2n / \varepsilon _{ext})\).
4.3 Lattice Attacks
Currently, the most efficient algorithm for lattice reduction is a variant of the BKZ algorithm [SE94] referred to as BKZ 2.0 [CN11]. However, its running time and behaviour, especially in high dimensions, is not very well understood: there is no consensus in the literature as to how to relate a given \(\sigma _{0}\) to computational cost. We estimate the cost of lattice reduction as in [APS15].
We stress, though, that these assumptions requires further scrutiny. Firstly, this attack does not use \(p_{zt} \) which means we expect that better lattice attacks can be found eventually. Secondly, we are assuming that the lattice reduction estimates in [APS15] are accurate. However, should these assumptions be falsified, then this part of the analysis can simply be replaced by refined estimates.
4.4 Putting Everything Together
Our overall strategy is as follows. Pick an n and compute parameters \(\sigma \), \(\sigma '\), \(\sigma _1^\star \) as in [LSS14a] and \(\ell _g\) and q as in Sect. 4.2. Now, establish the rootHermite factor required to carry out the attack in Sect. 4.3 using Equation (5). If this \({\sigma }_0\) is small enough to satisfy security level \(\lambda \) terminate, otherwise double n and restart the procedure.
Parameter choices for multilinear jigsaw puzzles.
\(\lambda \)  \(\kappa \)  n  q  \({\parallel \text {enc}\parallel }\)  \({\parallel \text {params}\parallel }\)  \(\sigma _0\)  BKZ Enum  BKZ Sieve 

52  2  \(2^{14}\)  \(\approx 2^{ 781.5}\)  \(\approx 2^{23.6}\)  \(\approx 2^{23.6}\)  1.006855  \(\approx 2^{112.2}\)  \(\approx 2^{101.8}\) 
52  4  \(2^{15}\)  \(\approx 2^{ 1469.0}\)  \(\approx 2^{25.5}\)  \(\approx 2^{25.5}\)  1.007031  \(\approx 2^{110.4}\)  \(\approx 2^{102.3}\) 
52  6  \(2^{15}\)  \(\approx 2^{ 2114.9}\)  \(\approx 2^{26.0}\)  \(\approx 2^{26.0}\)  1.010477  \(\approx 2^{ 64.4}\)  \(\approx 2^{ 83.3}\) 
52  10  \(2^{15}\)  \(\approx 2^{ 3406.8}\)  \(\approx 2^{26.7}\)  \(\approx 2^{26.7}\)  1.017404  \(\approx 2^{ 53.5}\)  \(\approx 2^{ 68.6}\) 
52  20  \(2^{16}\)  \(\approx 2^{ 7014.8}\)  \(\approx 2^{28.8}\)  \(\approx 2^{28.8}\)  1.018311  \(\approx 2^{ 56.6}\)  \(\approx 2^{ 71.7}\) 
52  40  \(2^{17}\)  \(\approx 2^{14599.3}\)  \(\approx 2^{30.8}\)  \(\approx 2^{30.8}\)  1.019272  \(\approx 2^{ 59.6}\)  \(\approx 2^{ 74.8}\) 
52  80  \(2^{18}\)  \(\approx 2^{30508.4}\)  \(\approx 2^{32.9}\)  \(\approx 2^{32.9}\)  1.020258  \(\approx 2^{ 62.7}\)  \(\approx 2^{ 77.8}\) 
52  160  \(2^{18}\)  \(\approx 2^{60827.8}\)  \(\approx 2^{33.9}\)  \(\approx 2^{33.9}\)  1.040912  \(\approx 2^{ 54.0}\)  \(\approx 2^{ 54.0}\) 
80  2  \(2^{14}\)  \(\approx 2^{ 837.5}\)  \(\approx 2^{23.7}\)  \(\approx 2^{23.7}\)  1.007451  \(\approx 2^{ 98.2}\)  \(\approx 2^{ 94.5}\) 
80  4  \(2^{15}\)  \(\approx 2^{ 1525.0}\)  \(\approx 2^{25.6}\)  \(\approx 2^{25.6}\)  1.007330  \(\approx 2^{103.7}\)  \(\approx 2^{ 98.8}\) 
80  6  \(2^{16}\)  \(\approx 2^{ 2287.2}\)  \(\approx 2^{27.2}\)  \(\approx 2^{27.2}\)  1.005661  \(\approx 2^{160.9}\)  \(\approx 2^{128.3}\) 
80  10  \(2^{17}\)  \(\approx 2^{ 3844.7}\)  \(\approx 2^{28.9}\)  \(\approx 2^{28.9}\)  1.004882  \(\approx 2^{209.0}\)  \(\approx 2^{150.9}\) 
80  20  \(2^{18}\)  \(\approx 2^{ 7824.9}\)  \(\approx 2^{30.9}\)  \(\approx 2^{30.9}\)  1.005074  \(\approx 2^{198.9}\)  \(\approx 2^{148.5}\) 
80  40  \(2^{19}\)  \(\approx 2^{16152.9}\)  \(\approx 2^{33.0}\)  \(\approx 2^{33.0}\)  1.005294  \(\approx 2^{188.4}\)  \(\approx 2^{145.7}\) 
80  80  \(2^{20}\)  \(\approx 2^{33546.4}\)  \(\approx 2^{35.0}\)  \(\approx 2^{35.0}\)  1.005528  \(\approx 2^{179.7}\)  \(\approx 2^{143.6}\) 
80  160  \(2^{21}\)  \(\approx 2^{69810.9}\)  \(\approx 2^{37.1}\)  \(\approx 2^{37.1}\)  1.005769  \(\approx 2^{171.3}\)  \(\approx 2^{141.4}\) 
5 Implementation
Our implementation relies on FLINT [HJP14]. We use its data types to encode elements in \({\mathbb {Z}} [X]\), \({\mathbb {Q}} [X]\), and \({{\mathbb {Z}_q}} [X]\) but reimplement most nontrivial operations for the ring of integers of a Cyclotomic number field where the degree is a power of two. Other operations — such as Gaussian sampling or taking approximate inverses — are not readily available in FLINT and are hence provided by our implementation. For computation with elements in \(\mathbb {R}\) we use MPFR’s mpfr_t [The13] with precision \(2\lambda \) if not stated otherwise. Our implementation is available under the GPLv2+ license at https://bitbucket.org/malb/gghliteflint. We give experimental results for computing multilinear maps using our implementation in Table 1.
For all operations considered in this section naive algorithms are available in \(\mathcal {O}\left( n^2 \log q\right) \) or \(\mathcal {O}\left( n^3 \log n\right) \) bit operations. However, the smallest set of parameters we consider in Table 1 is \(n=2^{15}\) which implies that if implemented naively each operation would take \(2^{49}\) bit operations for the smallest set of parameters we consider. Even quadratic algorithms can be prohibitively expensive. Hence, in order to be feasible, all algorithms should run in quasilinear time in n, or more precisely in \(\mathcal {O}\left( n \log n\right) \) or \(\mathcal {O}\left( n \log ^2 n\right) \). All algorithms discussed in this section run in quasilinear time.
5.1 Polynomial Multiplication in \({\mathbb {Z}_q} [X]/(X^n+1)\)
During the evaluation of a GGHstyle graded encoding scheme multiplications of polynomials in \({\mathbb {Z}} _q[X]/(X^n+1)\) are performed. Naive multiplication takes \(\mathcal {O}\left( n^2\right) \) time in n, Asymptotically fast multiplication in this ring can be realised by first reducing to multiplication in \({\mathbb {Z}} [X]\) and then to the Sch?nehageStrassen algorithm for multiplying large integers in \(\mathcal {O}(n \log n \log \log n)\). This is the strategy implemented in FLINT, which has a highly optimised implementation of the Sch?nehageStrassen algorithm. Alternatively, we can get an \(\mathcal {O}(n\log n)\) algorithm by using the NumberTheoretic Transform (NTT). Furthermore, using a negative wrapped convolution we can avoid reductions modulo \((X^n+1)\):
Theorem 1
(Adapted from [Win96]). Let \(\omega _n\) be a nth root of unity in \({\mathbb {Z}_q} \) and \(\varphi ^2 = \omega _n\). Let \(a = \sum _{i=0}^{n1} a_i X^i\) and \(b = \sum _{i=0}^{n1} b_i X^i\) \(\in {\mathbb {Z}_q} [X]/(X^n+1)\). Let \(c = a \cdot b \in {\mathbb {Z}_q} [X]/(X^n+1)\) and let \(\overline{a} = (a_0, \varphi a_1, \dots , \varphi ^{n1}a_{n1})\) and define \(\overline{b}\) and \(\overline{c}\) analogously. Then \(\overline{c} = 1/n \cdot \text{ NTT }_{\omega _n}^{1}(\text{ NTT }_{\omega _n}(\overline{a})\odot \text{ NTT }_{\omega _n}(\overline{b}))\).
The NTT with a negative wrapped convolution has been used in latticebased cryptography before, e.g. [LMPR08]. We note that if we are doing many operations in \({\mathbb {Z}_q} [X]/(X^n+1)\) we can avoid repeated conversions between coefficient and “evaluation” representations, \(\left( f(1),f(\omega _n),\dots ,f(\omega _n^{n1})\right) \), of our elements, which reduces the amortised cost from \(\mathcal {O}(n \log n)\) to \(\mathcal {O}(n)\). That is, we can convert encodings to their evaluation representation once on creation and back only when running extraction. We implemented this strategy. We observe a considerable overall speedup with the strategy of avoiding the conversions where possible. We also note that operations on elements in their evaluation representation are embarrassingly parallel.
5.2 Computing Norms in \({\mathbb {Z}} [X]/(X^n+1)\)
During instance generation we have to compute several norms of elements in \({\mathbb {Z}} [X]/(X^n+1)\). The norm \(\mathcal {N}({f}) \) of an element f in \({\mathbb {Z}} [X]/(X^n+1)\) is equal to the resultant \(\text{ res }(f,X^n+1)\). The usual strategy for computing resultants over the integers is to use a multimodular approach. That is, we compute resultants modulo many small primes \(q_i\) and then combine the results using the Chinese Remainder Theorem. Resultants modulo a prime \(q_i\) can be computed in \(\mathcal {O}(M(n)\log n)\) operations where M(n) is the cost of one multiplication in \({\mathbb {Z}} _{q_i}[X]/(X^n+1)\). Hence, in our setting computing the norm costs \(\mathcal {O}(n \log ^2 n)\) operations without specialisation.
However, we can observe that \(\text{ res }(f,X^n+1) \mod q_i\) can be rewritten as \(\prod _{(X^n+1)(x) = 0} f(x) \mod q_i\) as \(X^n+1 \) is monic, i.e. as evaluating f on all roots of \(X^n+1 \). Picking \(q_i\) such that \(q_i \equiv 1 \mod 2n\) this can be accomplished using the NTT reducing the cost mod \(q_i\) to \(\mathcal {O}(M(n))\) saving a factor of \(\log n\), which in our case is typically \(>15\).
5.3 Checking if (g) is a Prime Ideal
While we show in Sect. 4.1 that we do not necessarily require a prime (g), some applications might still rely on this property. We hence provide an implementation for sampling such g.
Average time of checking primality of a single (g) on Intel Xeon CPU E5–2667 v2 3.30 GHz with 256 GB of RAM using 16 cores.
n  \(\log \sigma \)  wall time  n  \(\log \sigma \)  wall time  n  \(\log \sigma \)  wall time 

1024  15.1  0.54 s  2048  16.2  3.03 s  4096  17.3  20.99 s 
5.4 Verifying that \((b^{({1})}_{1} b^{({1})}_{2}) = (g)\)
If rerandomisation elements are required, then it is necessary that they generate all of \(\left( g\right) \), i.e. \((b^{({1})}_{1},b^{({1})}_{2}) = (g)\). If \(b^{({1})}_{i} = \tilde{b}^{({1})}_{i} \cdot g\) for \(0 < i \leqslant 2\) then this condition is equivalent to \((\tilde{b}^{({1})}_{1}) + (\tilde{b}^{({1})}_{2}) = R\). We check the sufficient but not necessary condition \(\text{ gcd }(\text{ res }(\tilde{b}^{({1})}_{1},X^n+1),\, \text{ res }(\tilde{b}^{({1})}_{2},X^n+1)) = 1\), i.e. if the respective ideal norms are coprime. This check, which we have to perform for every candidate pair \((\tilde{b}^{({1})}_{1},\tilde{b}^{({1})}_{2})\), involves computing two resultants and their gcd which is quite expensive. However, we observe that \(\text{ gcd }(\text{ res }(\tilde{b}^{({1})}_{1},X^n+1),\, \text{ res }(\tilde{b}^{({1})}_{2},X^n+1)) \ne 1\) when \(\text{ res }(\tilde{b}^{({1})}_{1},X^n+1) = 0 = \text{ res }(\tilde{b}^{({1})}_{2},X^n+1) \mod q_i\) for any modulus \(q_i\). Hence, we first check this condition for several “interesting” primes and resample if this condition holds. These “interesting” primes are the same as in the previous section. Only if these tests pass, we compute two full resultants and their gcd. Indeed, after having ruled out small common prime factors it is quite unlikely that the gcd of the norms is not equal to one which means that with good probability we will perform this expensive step only once as a final verification. However, this step is still by far the most time consuming step during setup even with our optimisations applied. We note that a possible strategy for reducing setup time is to sample \(m>2\) rerandomisers \(b^{({1})}_{i} \) and to apply some bounds on the probability of m elements \(\tilde{b}^{({1})}_{i} \) sharing a prime factor (after excluding small prime factors).
5.5 Computing the Inverse of a Polynomial Modulo \(X^n+1 \)
Instance generation relies on inversion in \({\mathbb {Q}} [X]/(X^n+1)\) in two places. Firstly, when sampling g we have to check that the norm of its inverse is bounded by \(\ell _g\). Secondly, to set up our discrete Gaussian samplers we need to run many inversions in an iterative process. We note that for computing the zerotesting parameter we only need to invert g in \({\mathbb {Z}} _q[X]/(X^n+1)\) which can be realised in n inversions in \({\mathbb {Z}_q} \) in the NTT representation.
In both cases where inversion in \({\mathbb {Q}} [X]/(X^n+1)\) is required approximate solutions are sufficient. In the first case we only need to estimate the size of \(g^{1}\) and in the second case inversion is a subroutine of an approximation algorithm (see below). Hence, we implemented a variant of [BCMM98] to compute the approximate inverse of a polynomial in \({\mathbb {Q}} [X]/(X^n+1)\), with n a power of two.
From this, inverting f(X) can be done by inverting \(F(X^2)\) and multiplying polynomials of degree n / 2. It remains to recursively call the inversion of F(Y) modulo \((X^{n/2}+1)\) (by setting \(Y=X^2)\). This leads to an algorithm for approximately inverting elements of \({\mathbb {Q}} [X]/(X^n+1)\) when n is a power of 2 which can be performed in \(\mathcal {O}(n \log ^2(n))\) operations in \({\mathbb {Q}} \). We give experimental results in Table 4.
Inverting \(g \hookleftarrow D_{{\mathbb {Z}} ^n,\sigma }\) with FLINT’s extended Euclidean algorithm (“xgcd”), our implementation with precision 160 (“160”), iterating our implementation until \(\Vert \tilde{f}^{1}(X) \cdot f(X)\Vert < 2^{160}\) (“160iter”) and our implementation without truncation (“\(\infty \)”) on Intel Core i7–4850HQ CPU at 2.30 GHz, single core.
n  \(\log \sigma \)  xgcd  160  160iter  \(\infty \) 

4096  17.2  234.1 s  0.067 s  0.073 s  121.8 s 
8192  18.3  1476.8 s  0.195 s  0.200 s  755.8 s 
5.6 Small Remainders
5.7 Sampling from a Discrete Gaussian
Example timings for discrete Gaussian sampling over \({\mathbb {Z}} \) on Intel Core i7–4850HQ CPU at 2.30 GHz, single core.
Algorithm  \(\sigma \)  c  double  mpfr_t  

prec  samp./s  prec  samp./s  
Tabulated [GPV08, Sample\({\mathbb {Z}} \)]  10000  1.0  53  660.000  160  310.000 
Tabulated [GPV08, Sample\({\mathbb {Z}} \)]  10000  0.5  53  650.000  160  260.000 
Online [GPV08, Sample\({\mathbb {Z}} \)]  10000  1.0  53  414.000  160  9.000 
Online [GPV08, Sample\({\mathbb {Z}} \)]  10000  0.5  53  414.000  160  9.000 
[DDLL13, Algorithm 12]  10000  1.0  53  350.000  160  123.000 
Given an approximation \(\sqrt{\varSigma _2}'\) of \(\sqrt{\varSigma _2}\) we then sample a vector \(x \hookleftarrow \mathbb {R}^n\) from a standard normal distribution and interpret it as a polynomial in \({\mathbb {Q}} [X]/(X^n+1)\). We then compute \(y = \sqrt{\varSigma _2}' \cdot x\) in \({\mathbb {Q}} [X]/(X^n+1)\) and return \(g \cdot (\lfloor y \rceil _r)\), where \(\lfloor y \rceil _r\) denotes sampling a vector in \({\mathbb {Z}} ^n\) where the ith component follows \(D_{{\mathbb {Z}},r,y_i}\). This algorithm is then easily extended to sample from arbitrary centres c. The whole algorithm is summarised in Algorithm 3 and we give experimental results in Table 6.
5.8 Approximate Square Roots
Approximate square roots of \(\varSigma _2 = \sigma '^2 \cdot g^{T} \cdot g  r^2 \cdot I\) for discrete Gaussian sampling over g with parameter \(\sigma '\) on Intel Core i7–4850HQ CPU at 2.30 GHz, 2 cores for DenmanBeavers, 4 cores for estimating the scaling factor, one core for sampling. The last column lists the rate (samples per second) of sampling from \(D_{(g),\sigma '}\).
Square root  

prec  n  \(\log \sigma '\)  Iterations  Wall time  \(\log \Vert {(\sqrt{\varSigma _2}')}^2  \varSigma _2\Vert \)  \(D_{(g),\sigma '}/s\) 
160  1024  45.8  9  0.4 s  \(\)200  26.0 
160  2048  49.6  9  0.9 s  \(\)221  12.0 
160  4096  53.3  10  2.5 s  \(\)239  5.1 
160  8192  57.0  10  8.6 s  \(\)253  2.0 
160  16384  60.7  10  35.4 s  \(\)270  0.8 
We implemented the Babylonian method, the DenmanBeavers iteration [DB76] and the Padé iteration [Hig97]. Although the Babylonian method only involves one inversion which allows us to compute with lower precision, we used DenmanBeavers, since it converges faster in practice and can be parallelised on two cores. While the Padé iteration can be parallelised on arbitrarily many cores, the workload on each core is much greater than in the DenmanBeavers iteration and in our experiments only improved on the latter when more than 8 cores were used.
Most algorithms have quadratic convergence but in practice this does not assure rapid convergence as error can take many iterations to become small enough for quadratic convergence to be observed. This effect can be mitigated, i.e. convergence improved, by scaling the operands appropriately in each loop iteration of the approximation [Hig97, Section 3]. A common scaling scheme is to scale by the determinant which in our case means computing \(\text{ res }(f,X^n+1)\) for some \(f \in {\mathbb {Q}} [X]/(X^n+1)\). Computing resultants in \({\mathbb {Q}} [X]/(X^n+1)\) reduces to computing resultants in \({\mathbb {Z}} [X](X^n+1)\). As discussed above, computing resultants in \({\mathbb {Z}} [X]/(X^n+1)\) can be expensive. However, since we are only interested in an approximation of the determinant for scaling, we can compute with reduced precision. For this, we clear all but the most significant bit for each coefficient’s numerator and denominator of f to produce \(f'\) and compute \(\text{ res }(f',X^n+1)\). The effect of clearing out the lower order bits of f is to reduce the size of the integer representation in order to speed up the resultant computation. With this optimisation scaling by an approximation of the determinant is both fast and precise enough to produce fast convergence. See Table 6 for timings.
Notes
Acknowledgement
We would like to thank Guilhem Castagnos, Guillaume Hanrot, Bill Hart, ClaudePierre Jeannerod, Clément Pernet, Damien Stehlé, Gilles Villard and Martin Widmer for helpful discussions. We would like to thank Steven Galbraith for pointing out the NTRUstyle attack to us and for helpful discussions. This work has been supported in part by ERC Starting Grant ERC2013StG335086LATTAC. The work of Albrecht was supported by EPSRC grant EP/L018543/1 “Multilinear Maps in Cryptography”.
References
 [AB15]Applebaum, B., Brakerski, Z.: Obfuscating circuits via compositeorder graded encoding. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 528–556. Springer, Heidelberg (2015)Google Scholar
 [APS15]Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. Cryptology ePrint Archive, Report 2015/046 (2015). http://eprint.iacr.org/2015/046
 [BCMM98]Bini, D., Del Corso, G.M., Manzini, G., Margara, L.: Inversion of circulant matrices over \({\bf Z}_m\). In: Larsen, K.G., Skyum, S., Winskel, G. (eds.) ICALP 1998. LNCS, vol. 1443, p. 719. Springer, Heidelberg (1998)CrossRefGoogle Scholar
 [BF03]Boneh, D., Franklin, M.: Identitybased encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)zbMATHMathSciNetCrossRefGoogle Scholar
 [BLR+15]Boneh, D., Lewi, K., Raykova, M., Sahai, A., Zhandry, M., Zimmerman, J.: Semantically secure orderrevealing encryption: Multiinput functional encryption without obfuscation. In: Oswald and Fischlin [OF15b], pp. 563–594Google Scholar
 [BS03]Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography. Contemp. Math. 324, 71–90 (2003)MathSciNetCrossRefGoogle Scholar
 [BWZ14]Boneh, D., Waters, B., Zhandry, M.: Low overhead broadcast encryption from multilinear maps. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 206–223. Springer, Heidelberg (2014)Google Scholar
 [CDKD14]Cloutier, M.É., de Koninck, J.M., Doyon, N.: On the powerful and squarefree parts of an integer. J. Integer Sequences 17(2), 28 (2014)Google Scholar
 [CG13]Canetti, R., Garay, J.A. (eds.): CRYPTO 2013, Part I. LNCS, vol. 8042. Springer, Heidelberg (2013)Google Scholar
 [CGH+15]Coron, J.S., Gentry, C., Halevi, S., Lepoint, T., Maji, H.K., Miles, E., Raykova, M., Sahai, A., Tibouchi, M.: Zeroizing without lowlevel zeroes: New MMAP attacks and their limitations. In: Gennaro and Robshaw [GR15], pp. 247–266Google Scholar
 [CHL+15]Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald and Fischlin [OF15a], pp. 3–12Google Scholar
 [CLT13]JeanSébastien Coron, Tancrède Lepoint, and Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti and Garay [CG13], pp. 476–493Google Scholar
 [CLT15]Coron, J.S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. In: Gennaro and Robshaw [GR15], pp. 267–286Google Scholar
 [CN11]Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 [CS97]Coppersmith, D., Shamir, A.: Lattice attacks on NTRU. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 52–61. Springer, Heidelberg (1997)Google Scholar
 [DB76]Denman, E.D., Beavers, Jr., A.N.: The matrix sign function and computations in systems. Appl. Math. Comput., vol. 2, pp. 63–94 (1976)Google Scholar
 [DDLL13]Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal gaussians. In: Canetti and Garay [CG13], pp. 40–56Google Scholar
 [Duc13]Ducas, L.: Signatures Fondées sur les Réseaux Euclidiens: Attaques, Analyse et Optimisations. Ph.D. thesis, Université Paris, Diderot (2013)Google Scholar
 [Gar13]Garg, S.: Candidate Multilinear Maps. Ph.D. thesis, University of California, Los Angeles (2013)Google Scholar
 [GGH13a]Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 [GGH+13b]Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press, October 2013Google Scholar
 [GPV08]Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 197–206. ACM Press, May 2008Google Scholar
 [GR15]Gennaro, R., Robshaw, M.J.B.: CRYPTO 2015, Part I, vol. 9215. Springer, Heidelberg (2015)Google Scholar
 [Hig97]Higham, N.J.: Stable iterations for the matrix square root. Numer. Algorithms 15(2), 227–242 (1997)zbMATHMathSciNetCrossRefGoogle Scholar
 [HJ15]Hu, Y., Jia, H.: Cryptanalysis of GGH map. Cryptology ePrint Archive, Report 2015/301 (2015). http://eprint.iacr.org/2015/301
 [HJP14]Hart, W., Johansson, F., Pancratz, S.: FLINT: fast library for number theory (2014). Version 2.4.4. http://flintlib.org
 [Jou04]Joux, A.: A one round protocol for tripartite DiffieHellman. J. Cryptol. 17(4), 263–276 (2004)zbMATHMathSciNetCrossRefGoogle Scholar
 [LMPR08]Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008)CrossRefGoogle Scholar
 [LP15]Lyubashevsky, V., Prest, T.: Quadratic time, linear space algorithms for gramschmidt orthogonalization and gaussian sampling in structured lattices. In: Oswald and Fischlin [OF15a], pp. 789–815Google Scholar
 [LSS14a]Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 239–256. Springer, Heidelberg (2014)CrossRefGoogle Scholar
 [LSS14b]Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: More efficient multilinear maps from ideal lattices. Cryptology ePrint Archive, Report 2014/487 (2014). http://eprint.iacr.org/2014/487
 [OF15a]Oswald, E., Fischlin, M. (eds.): EUROCRYPT 2015. LNCS, vol. 9056. Springer, Heidelberg (2015)Google Scholar
 [OF15b]Oswald, E., Fischlin, M. (eds.): EUROCRYPT 2015. LNCS, vol. 9057. Springer, Heidelberg (2015)Google Scholar
 [Pei10]Peikert, C.: An efficient and parallel gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 [SE94]Schnorr, C.P., Euchner, M.: Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Math. Program. 66(1–3), 181–199 (1994)zbMATHMathSciNetCrossRefGoogle Scholar
 [The13]The MPFR team. GNU MPFR: The Multiple Precision FloatingPoint Reliable Library, 3.1.2 edition (2013). http://www.mpfr.org/
 [Win96]Winkler, F.: Polynomial Algorithms in Computer Algebra. Texts and Monographs in Symbolic Computation. Springer, Heidelberg (1996)zbMATHCrossRefGoogle Scholar
 [Zim15]Zimmerman, J.: How to obfuscate programs directly. In: Oswald and Fischlin [OF15b], pp. 439–467Google Scholar