Graded Encoding Schemes from Obfuscation
Abstract
We construct a graded encoding scheme (GES), an approximate form of graded multilinear maps. Our construction relies on indistinguishability obfuscation, and a pairing-friendly group in which (a suitable variant of) the strong Diffie–Hellman assumption holds. As a result of this abstract approach, our GES has a number of advantages over previous constructions. Most importantly:

We can prove that the multilinear decisional Diffie–Hellman (MDDH) assumption holds in our setting, assuming the used ingredients are secure (in a well-defined and standard sense). Hence, our GES does not succumb to so-called “zeroizing” attacks if the underlying ingredients are secure.

Encodings in our GES do not carry any noise. Thus, unlike previous GES constructions, there is no upper bound on the number of operations one can perform with our encodings. Hence, our GES essentially realizes what Garg et al. (EUROCRYPT 2013) call the “dream version” of a GES.
Technically, our scheme extends a previous, non-graded approximate multilinear map scheme due to Albrecht et al. (TCC 2016A). To introduce a graded structure, we develop a new view of encodings at different levels as polynomials of different degrees.
Keywords: Multilinear maps, graded encoding schemes, indistinguishability obfuscation
1 Introduction
The GGH candidate multilinear map. In 2013, Garg, Gentry, and Halevi (GGH) [22] proposed the first plausible construction of an (approximate) multilinear map (MLM). In a nutshell, an MLM is a map \(e:{\mathbb {G}} ^\kappa \longrightarrow {\mathbb {G}} _T\) (for groups \({\mathbb {G}} \) and \({\mathbb {G}} _T\)) that is linear in each input. Of course, we are most interested in the case of “cryptographically interesting” groups \({\mathbb {G}} \) (in which, e.g., computing discrete logarithms is infeasible), nontrivial maps \(e\) (with nontrivial kernel), and preferably large values of \(\kappa \). The surprising cryptographic consequences of such “cryptographically interesting” MLMs were already investigated in 2003 by Boneh and Silverberg [6], but an actual construction of an MLM remained elusive until the candidate construction of GGH.

Instead of group elements, their \(e\) inputs (and outputs) are encodings. An encoding is a non-unique representation of a group element, and there is no guarantee about which particular encoding the group operation (or \(e\)) outputs. However, every encoding allows one to derive a “canonical form” that uniquely determines the encoded group element. (This canonical form allows no further operations, though.)

Each encoding carries a “noise level” that increases with each operation. If the noise level grows beyond a certain threshold, no further operations are possible.
However, the GGH MLM also has an important graded property that allows one to evaluate \(e\) partially, in a sense we will detail later. In particular, this graded structure has made the GGH MLM tremendously useful: notable applications of graded MLMs include indistinguishability obfuscation [23], witness encryption [25], attribute-based encryption for general circuits [24], and constrained pseudorandom functions for general circuits [7]. Furthermore, graded MLMs enable a very powerful class of programmable hash functions [32], which in turn allow one to implement random oracles in certain “algebraic” applications [20, 33].
After GGH’s MLM construction, several other (graded and approximate) MLM constructions have been proposed [15, 16, 28, 34]. However, all of these constructions (including the original GGH scheme) succumb to cryptanalytic attacks [12, 13, 14, 37]. In particular, currently there is no obvious way to instantiate schemes relying on multilinear maps, e.g., the schemes from [7, 20, 24, 25, 33].^{1}
Graded MLMs. There is one (approximate) MLM construction of Albrecht, Farshim, Hofheinz, Larraia, and Paterson (AFHLP) [2] that does not fall victim to any of the mentioned cryptanalytic attacks on MLMs. However, this construction does not offer a graded MLM, and thus cannot be used to bootstrap, e.g., witness encryption. Graded MLMs are algebraic tools that can enable other algebraic tools such as multilinear Groth–Sahai proofs, or multilinear programmable hash functions. It is thus still an interesting open problem whether graded MLMs exist, and whether the results of [23] can be augmented to even show equivalence to indistinguishability obfuscation.
Our contribution. In this work, we construct graded, approximate MLMs that do not succumb to any of the known attacks. Technically, we extend the non-graded MLM construction from AFHLP [2] to a graded MLM. We prove that the multilinear decisional Diffie–Hellman (MDDH) assumption [22] holds relative to our MLM, provided that the used ingredients are secure.
1. Our encodings do not carry any noise (although they are not unique). In particular, there is no limit on the number of operations that one can perform with our encodings.
2. The canonical forms derived from encodings allow further group operations (but no further pairings).
Our new MLM (when implemented with the indistinguishability obfuscator from [23, 26]) currently forms the only plausible graded MLM, and thus the only plausible way to implement a number of MLM-based constructions [7, 20, 24, 25, 33].
Furthermore, our construction is generic and modular. In particular, we reduce the quest to develop a secure (graded) MLM to the quest for a secure indistinguishability obfuscator. This seems natural (and is standard in most areas of cryptography), but given the history of previous MLM candidates (which were based on complex algebraic or combinatorial assumptions), this is not an “understood feature” at all for MLMs.
In fact, taken together with recent constructions of indistinguishability obfuscation (iO) from multilinear maps (e.g., [3, 23, 35, 36]), our result shows a (somewhat loose) equivalence of indistinguishability obfuscation (iO) and (graded and approximate) MLMs, in the presence of a pairing-friendly group. This equivalence is loose in the following sense. First, the assumptions on both ends of the equivalence do not match: some of these works (e.g., [23]) construct iO from MLMs which support very strong computational assumptions (much stronger than MDDH) or require asymmetric multilinear maps. On the other hand, we use iO to construct symmetric MLMs in which we can (at this point) only prove comparatively mild (though still useful) computational assumptions (such as MDDH). Still, there seems to be no inherent barrier to proving stronger computational assumptions for our construction, or to adapting our construction to asymmetric pairings, and we leave tightening this equivalence as an open problem. Second, going through our equivalence suffers a subexponential security loss. Namely, we require probabilistic indistinguishability obfuscation, which can be constructed from iO [11], but currently only through a subexponential reduction.
However, we note that such an equivalence would not be highly surprising given recent results on constructing iO from MLMs [3, 35]. These works only require “one-shot” (but asymmetric) MLMs, and not even graded encodings as we construct them.
Related Work. Our work is closely related to [2], since the non-graded MLM there serves as a starting point for our graded MLM. We will summarize their construction in Sect. 4 and give an informal overview below.
Recently, Paneth and Sahai [39] have shown a near-equivalence of a suitable abstraction of MLMs with iO. Their result requires no computational assumptions at all, but also does not consider MLMs in our sense. In particular, they construct an abstraction of an MLM that only admits restricted access to encodings, similar to the one in [23]. Beyond the group operation and the multilinear map, efficient procedures for, e.g., uniform sampling, comparison or rerandomization of encodings are not part of this abstraction. Conversely, our notion of an MLM, like the ones from [2, 22], contains descriptions of efficient procedures for these tasks.
It would be interesting to see how the restricted MLMs of [39] can be used to instantiate the constructions from [5, 8, 20, 33] directly, i.e., without making the detour via iO. However, since iO alone is not even known to imply one-way functions (see [29] for a discussion), this will require additional assumptions.
Pass et al. [40] give a security definition of graded MLMs that requires that whenever encodings are generically equivalent (that is, cannot be distinguished with generic operations alone), they should be computationally indistinguishable as encodings. They show that MLMs which satisfy this strong assumption imply indistinguishability obfuscation. It is not clear, however, how to construct such strongly secure MLMs (without resorting to idealized models such as the generic group model).
1.1 The (Non-graded) Approximate Multilinear Map of AFHLP

\({ c } \) is a homomorphic encryption (under some public key \({ pk } \)) of exponents \(\alpha ,\beta \in {\mathbb {Z}} _p\),

\(\pi \) is a non-interactive zero-knowledge proof that these exponents represent \(z\) in the sense that \(g^z=g^\alpha u^\beta \) for a publicly known group element \(u\). (Hence, if we write \(u=g^\omega \), we have \(z=\alpha +\beta \cdot \omega \).)
Hence, AFHLP simply enhance the group element \(g^z\in {\mathbb {G}} \) by an encrypted representation of its discrete logarithm \(z\) (and a suitable consistency proof). This added information will be instrumental in computing a multilinear map on many encodings. Note that since \({ c } \) and \(\pi \) will not be uniquely determined, there are many possible encodings of a \({\mathbb {G}} \)element \(g^z\).
1. \(g^z=g^{z_1+z_2}\) is computed using the group operation in \({\mathbb {G}} \);
2. \({ c } \) is computed homomorphically from \({ c } _1\) and \({ c } _2\) (adding the encrypted exponent vectors \((\alpha _i,\beta _i)\));
3. the consistency proof \(\pi \) is computed using the decryption key \({ sk } \) as a witness to show that the resulting \({ c } \) indeed contains a valid representation of \(z=z_1+z_2\).
Here, only the computation of \(\pi \) requires secret information (namely, the decryption key \({ sk } \)). This secret information allows one to derive a valid representation \((\alpha ,\beta )\) of \(g^z\). The most delicate part of the security proof from [2] is to argue that the obfuscated circuit knowing \({ sk } \) does not help in solving (a multilinear variant of) the decisional Diffie–Hellman problem.
1.2 Our New Graded Encoding Scheme
Before proceeding any further, we briefly recall the notions of a graded multilinear map and a graded encoding scheme.
Unfortunately, we do not currently know how to implement such a “clean” graded multilinear map. Instead, all known graded MLM constructions work on encodings (i.e., non-unique representations of group elements). Such a construction is usually called a graded encoding scheme (GES). Following the GES notation, we will henceforth also call an encoding of a \({\mathbb {G}} _\ell \)-element a level-\(\ell \) encoding.
In the following, we will describe the main ideas for our GES.

\(g^z\in {\mathbb {G}} \) for a cyclic group \({\mathbb {G}} \) (that does not depend on \(\ell \)) of prime order \(p\),

\(P\in {\mathbb {Z}} _p[X]\) is a polynomial of degree up to \(\ell \), represented by its coefficient vector from \({\mathbb {Z}} _p^{\ell +1}\),

\({ c } \) is the encryption (under a fully homomorphic encryption scheme) of \(P\),

\(\pi \) is a non-interactive zero-knowledge proof of the equality \(g^z=g^{P(\omega )}\), where \(\omega \) is defined through public values \(u_0,\dots ,u_\kappa \in {\mathbb {G}} \) with \(u_i=g^{\omega ^i}\). (Hence, \(g^z=g^{P(\omega )}\) is equivalent to \(g^z=\prod _i u_i^{\gamma _i}\) for \(P(X)=\sum _i\gamma _iX^i\).)
The encodings of AFHLP can be viewed as level-\(1\) encodings in our scheme (with linear polynomials \(P\)).
Adding encodings. Encodings can be added using a public (obfuscated) circuit \(\mathbf {Add} \) that proceeds similarly to the AFHLP scheme. In particular, \(\mathbf {Add} \) adds the \(g^z\) and \({ c } \) parts of the input encodings homomorphically, and derives a consistency proof \(\pi \) with the decryption key \({ sk } \) as witness.
\(g^z\) is computed as \(g^z=g^{(P_1\cdot P_2)(\omega )}\), where the polynomials \(P_1\) and \(P_2\) are extracted from \({ c } _1\) and \({ c } _2\) with \({ sk } \), then multiplied to form \(P:=P_1\cdot P_2\in {\mathbb {Z}} _p[X]\), and finally used to compute
$$\begin{aligned} g^{(P_1\cdot P_2)(\omega )} \;=\; g^{P(\omega )} \;=\; \prod _{\ell =0}^{i+j}u_\ell ^{\gamma _\ell } \quad \text {for}\quad P(X)=\sum _{\ell =0}^{i+j}\gamma _\ell X^\ell . \end{aligned}$$
(Since the \(u_\ell \) are public, this value can be computed as long as \(i+j\le \kappa \).)

\({ c } \) is computed homomorphically from \({ c } _1\) and \({ c } _2\), as an encryption of the polynomial \(P_1\cdot P_2\).

The consistency proof \(\pi \) (showing that indeed \(g^z=g^{P(\omega )}\) for the polynomial \(P\) encrypted in \({ c } \)) is computed with the decryption key \({ sk } \) as witness.
The key insight needed to show that the MDDH assumption holds for our GES is the same as in AFHLP’s non-graded, approximate MLM. Namely, observe that any \(\mathbf {Mult} _{i,j}\) can only multiply encodings if \(i+j\le \kappa \). To compute the first component \(g^z\) of any “higher-level” encoding, knowledge of \(g^{\omega ^\ell }\) for \(\ell >i+j\) seems to be required. Under the SDDH assumption in \({\mathbb {G}} \), such \(g^{\omega ^\ell }\) look random, even when given \(u_0,\dots ,u_\kappa \). Of course, to turn this observation into a full proof, more work is required.
Neglected details. For a useful GES, it should be possible to generate encodings with “known discrete logarithm”; that is, we would like to be able to generate encodings for an externally given (or at least known) \(z\in {\mathbb {Z}} _p\). For this reason, the standard way to generate encodings (at any level) is to set up \(P\) as a constant polynomial of the form \(P(X)=z\in {\mathbb {Z}} _p\). (That is, we “reserve space” in \({ c } \) for polynomials \(P\) of degree \(\ell \) in level-\(\ell \) encodings, but, by default, use only constant polynomials.) For this type of encoding with “low-degree \(P\),” however, our security argument above does not apply. Rather, it requires that the degree of \(P\) increases at higher levels.
Hence, the central technical piece in our MDDH security proof will be a “switching theorem” that allows one to replace a low-degree \(P\) in an encoding with an equivalent high-degree \(P'\) (that satisfies \(P'(\omega )=P(\omega )\)). The proof of this switching theorem is delicate, since it must work in a setting with (obfuscated) algorithms that use the decryption key \({ sk } \). (Note that free access to \({ sk } \) would allow the retrieval of the used polynomial \(P\) from an encoding, and hence would prevent such a switching of polynomials.)
To this end, we will use double encryptions \({ c } \) (instead of the single encryption \({ c } ={\mathbf {Enc}} (P,{ pk } )\) described above), along with a Naor–Yung-style consistency proof in \(\pi \). However, this consistency proof does not show equality of encryptions, but equivalence of encrypted representations \(P,P'\) in the sense of \(P(\omega )=P'(\omega )\). This allows one to switch representations without invalidating the consistency of the double encryption. As a result, the full consistency language used for \(\pi \) is considerably more complicated than the one sketched before. Additionally, the proof of our switching theorem requires a special and explicit “simulation trapdoor” and Groth–Sahai-style dual-mode proof systems.
We note that similar complications arose already in AFHLP’s proof, and required similar measures. The main technical difference in our setting is that our multiplication circuits \(\mathbf {Mult} _{i,j}\) output encodings (and not just group elements as in the multilinear map of AFHLP). Hence, our \(\mathbf {Mult} _{i,j}\) circuits also need to construct consistency proofs \(\pi \), which requires additional secrets (as witnesses) in the description of \(\mathbf {Mult} _{i,j}\) and which entails additional steps in our switching theorem. (We give more details on the technical differences with AFHLP in the main body.) However, we note that, in addition to providing a graded encoding scheme, we also provide simplified and tighter proofs.
Fortunately, the indistinguishability obfuscator from [23] requires only a relatively weak MLM variant and hence is not affected by the above-mentioned cryptanalyses.^{4}
Assumptions. In summary, our construction uses a cyclic group in which the SDDH assumption holds, a probabilistic indistinguishability obfuscation scheme [11], a perfectly correct fully homomorphic encryption (FHE) scheme, a dual-mode non-interactive zero-knowledge proof system, and a language with hard membership. All of these assumptions are implied by pairing-friendly SDDH groups (equipped with an asymmetric pairing) and subexponentially secure indistinguishability obfuscation (see [31]). We stress that plausible candidates for both ingredients exist (e.g., by combining [22, 23] into an indistinguishability obfuscator candidate).
Road map. We first recall some preliminaries in Sect. 2 and the GES definition in Sect. 3. Section 4 recalls the AFHLP construction. We are then ready to present our GES construction in Sect. 5, and establish our central technical tool (the “switching theorem”) in Sect. 6. We prove the hardness of \(\mathrm {MDDH}\) in Sect. 7. In the appendices, we give a technical overview of AFHLP and the full proofs of the theorems from the main body of the paper.
2 Preliminaries
Notation. We denote the security parameter by \(\lambda \in \mathbb {N}\) and assume that it is implicitly given to all algorithms in the unary representation \(1^\lambda \). By an algorithm we mean a stateless Turing machine. Algorithms are randomized unless stated otherwise, and ppt as usual stands for “probabilistic polynomial-time.” In this paper, by a ppt algorithm we mean an algorithm that runs in polynomial time in the security parameter (rather than the total length of its inputs). Given a randomized algorithm \(\mathcal {A} \) we denote the action of running \(\mathcal {A} \) on input(s) \((1^\lambda ,x_1,\ldots )\) with uniform random coins r and assigning the output(s) to \((y_1,\ldots )\) by [image: sampling notation]. For a finite set X, we denote its cardinality by \(|X|\) and the action of sampling a uniformly random element x from X by [image: sampling notation]. We write \([k]:=\{1,\dots ,k\}\). Vectors are written in boldface \(\mathbf {x}\), and, slightly abusing notation, running algorithms on vectors of elements indicates component-wise operation. Throughout the paper \(\bot \) denotes a special error symbol, and \({\mathrm {poly}} (\cdot )\) stands for a fixed (but unspecified) polynomial. A real-valued function \({\mathrm {negl}} (\lambda )\) is negligible if \({\mathrm {negl}} (\lambda ) \in \mathcal {O}(\lambda ^{-\omega (1)})\). We denote the set of all negligible functions by \(\textsc {Negl}\). We use bracket notation for elements in \({\mathbb {G}} \), i.e., writing [z] and \([z']\) for two elements \(g^z\) and \(g^{z'}\) in \({\mathbb {G}} \) and \([z]+[z']\) for their product \(g^z g^{z'}\).
Circuits. A polynomial-sized deterministic circuit family \({\mathcal {C}} := \{ {\mathcal {C}} _{\lambda } \}_{\lambda \in \mathbb {N}}\) is a sequence of sets \({\mathcal {C}} _{\lambda }\) of \({\mathrm {poly}} (\lambda )\)-sized deterministic circuits (for a fixed polynomial \({\mathrm {poly}} (\lambda )\)). We assume that for all \(\lambda \in \mathbb {N}\) all circuits \(\mathrm {C} \in {\mathcal {C}} _\lambda \) share a common input domain \((\{0,1\}^\lambda )^{a(\lambda )}\), where \(a(\lambda )\) is the arity of the circuit family, and an output codomain \(\{0,1\}^\lambda \). A randomized circuit family is defined similarly except that the circuits also take random coins \(r \in \{0,1\}^{\mathrm {rl}(\lambda )}\), for a polynomial \(\mathrm {rl}(\lambda )\) specifying the length of necessary random coins. To make the coins used by a circuit explicit (e.g., to view a randomized circuit as a deterministic one) we write \(\mathrm {C} (x;r)\).
2.1 Homomorphic Public-Key Encryption
Syntax. A homomorphic public-key encryption (PKE) scheme for a deterministic circuit family \({\mathcal {C}} ={\{{\mathcal {C}} _{\lambda }\}}_{\lambda \in \mathbb {N}}\) of arity at most \(a(\lambda )\) is a tuple of ppt algorithms \(\mathrm {\Pi }:=({\mathbf {Gen}} ,{\mathbf {Enc}} ,{\mathbf {Dec}} ,{\mathbf {Eval}} )\) such that \(({\mathbf {Gen}} ,{\mathbf {Enc}} ,{\mathbf {Dec}} )\) is a conventional public-key encryption scheme with message space \(\{0,1\}^\lambda \) and \({\mathbf {Eval}} \) is a deterministic algorithm that, on input a public key \({ pk } \), a circuit \(\mathrm {C} \in {\mathcal {C}} _\lambda \), and ciphertexts \({ c } _1, \ldots , { c } _{n}\) with \(n \le a(\lambda )\), outputs a ciphertext c. Without loss of generality, we assume that secret keys of a homomorphic PKE scheme are the random coins used in key generation. This will allow us to check key pairs for validity.
Correctness and compactness. For the scheme \(\mathrm {\Pi }:=({\mathbf {Gen}} ,{\mathbf {Enc}} ,{\mathbf {Dec}} )\), we require perfect correctness as a PKE scheme; that is, for any \(\lambda \in \mathbb {N}\), any \({ m } \in \{0,1\}^\lambda \), any key pair \(({ pk } ,{ sk } )\) output by \({\mathbf {Gen}} (1^\lambda )\), and any ciphertext \({ c } \) output by \({\mathbf {Enc}} ({ m } ,{ pk } )\) we have that \({\mathbf {Dec}} ({ c } ,{ sk } ) = { m } \). We also require the FHE scheme to be fully compact in the following sense. For any \(\lambda \in \mathbb {N}\), any \({ m } _1,\ldots ,{ m } _n \in \{0,1\}^\lambda \) with \(n \le a(\lambda )\), any \(\mathrm {C} \in {\mathcal {C}} _\lambda \), any key pair \(({ pk } ,{ sk } )\) output by \({\mathbf {Gen}} (1^\lambda )\), and any ciphertexts \({ c } _i\) output by \({\mathbf {Enc}} ({ m } _i,{ pk } )\) we have that \({\mathbf {Eval}} ({ pk } ,\mathrm {C},{ c } _1, \ldots , { c } _{n})\) is in the range of \({\mathbf {Enc}} (\mathrm {C} ({ m } _1,\ldots ,{ m } _n),{ pk } )\).
A fully homomorphic encryption (FHE) scheme is a homomorphic PKE that correctly and compactly supports any circuit family of polynomial-sized circuits of polynomial arity (for any a priori fixed polynomial bounds on the size and arity). In our constructions, full correctness and compactness are used to ensure that the outputs of the addition and multiplication circuits can be iteratively operated on. This in particular means that our GES is “noise-free” in the sense that its correctness is not affected by the number of operations performed on encodings.
A perfectly correct FHE scheme can be constructed from probabilistic indistinguishability obfuscation (and a rerandomizable publickey encryption scheme such as ElGamal), see [11]. (We note that the FHE scheme from [11] only enjoys perfect correctness when the obfuscator and encryption scheme are also perfectly correct.)
2.2 Obfuscators
Syntax and correctness. A ppt algorithm \({\mathbf {Obf}} \) is called an obfuscator for a (deterministic or randomized) circuit class \({\mathcal {C}} =\{{\mathcal {C}} _\lambda \}_{\lambda \in \mathbb {N}}\) if \({\mathbf {Obf}} \) on input the security parameter \(1^\lambda \) and the description of a (deterministic or randomized) circuit \(\mathrm {C} \in {\mathcal {C}} _\lambda \) of arity \(a(\lambda )\) outputs a deterministic circuit \(\overline{\mathrm {C}}\). For deterministic circuits, we require \({\mathbf {Obf}} \) to be perfectly correct in the sense that the circuits \(\mathrm {C} \) and \(\overline{\mathrm {C}}\) are functionally equivalent; that is, that for all \(\lambda \in \mathbb {N}\), all \(\mathrm {C} \in {\mathcal {C}} _\lambda \), all \(\overline{\mathrm {C}}\) output by \({\mathbf {Obf}} (1^\lambda ,\mathrm {C} )\), and all \({ m } _i \in \{0,1\}^\lambda \) for \(i \in [a(\lambda )]\) we have that \(\mathrm {C} ({ m } _1,\ldots ,{ m } _{a(\lambda )}) = \overline{\mathrm {C}}({ m } _1,\ldots ,{ m } _{a(\lambda )})\). For randomized circuits, the authors of [11] define correctness via computational indistinguishability of the outputs of \(\mathrm {C} \) and \(\overline{\mathrm {C}}\). For our constructions we do not rely on this property and instead require that \(\mathrm {C} \) and \(\overline{\mathrm {C}}\) are functionally equivalent up to a change in randomness; that is, for all \(\lambda \in \mathbb {N}\), all \(\mathrm {C} \in {\mathcal {C}} _\lambda \), all \(\overline{\mathrm {C}}\) output by \({\mathbf {Obf}} (1^\lambda ,\mathrm {C} )\), and all \({ m } _i \in \{0,1\}^\lambda \) for \(i \in [a(\lambda )]\) there is an r such that \(\overline{\mathrm {C}}({ m } _1,\ldots ,{ m } _{a(\lambda )}) = \mathrm {C} ({ m } _1,\ldots ,{ m } _{a(\lambda )};r)\). We note that the construction from [11] is correct in this sense as it relies on a correct indistinguishability obfuscator and a PRF to internally generate the required random coins.
Remark. We note that samplers that output two (possibly randomized) circuits \((\mathrm {C} _0,\mathrm {C} _1)\) for which the output distributions of \(\mathrm {C} _0(x)\) and \(\mathrm {C} _1(x)\) are identical on any input x are \(\mathrm {Sel\text {-}IND} \)-secure for any function \(X(\lambda )\). The circuit samplers that we will use in our security proofs enjoy this property.
2.3 Dual-Mode NIZK Proof Systems
In our constructions we will be relying on special types of “dual-mode” non-interactive zero-knowledge (NIZK) proof systems. These systems have two common reference string (CRS) generation algorithms that produce indistinguishable CRSs in the “binding” and “hiding” modes. They are also perfectly complete in both modes, perfectly sound and extractable in the binding mode, and perfectly witness indistinguishable (WI) and perfectly zero knowledge (ZK) in the hiding mode. The standard prototype for such schemes are the pairing-based Groth–Sahai proofs [30], and using a generic NP reduction to the satisfiability of quadratic equations we can obtain a suitable proof system for any NP language.^{5} We formalize the syntax and security of such proof systems next.
Syntax. A (group) setup algorithm \({\mathbf {G}} \) is a ppt Turing machine that on input \(1^\lambda \) outputs \({ gpk } \). A ternary relation \(\mathbf {R} ({ gpk } ,x,w)\) is a deterministic algorithm that outputs 1 for true or 0 for false. A dual-mode extractable non-interactive zero-knowledge (NIZK) proof system \(\mathrm {\Sigma } \) for setup \({\mathbf {G}} \) and relation \(\mathbf {R} \) consists of six algorithms as follows. (1) \({\mathbf {BCRS}} ({ gpk } )\) on input \({ gpk } \) in the support of \({\mathbf {G}} \) outputs a (binding) CRS \({ crs } \) and an extraction trapdoor \({ td }_{e} \); (2) \({\mathbf {HCRS}} ({ gpk } )\) on input \({ gpk } \) in the support of \({\mathbf {G}} \) outputs a (hiding) CRS \({ crs } \) and a simulation trapdoor \({ td }_{zk} \); (3) \({\mathbf {Prove}} ({ gpk } ,{ crs } ,x,w)\) on input \({ gpk } \) in the support of \({\mathbf {G}} \), a CRS \({ crs } \), an instance x, and a witness w, outputs a proof \(\pi \); (4) \({\mathbf {Verify}} ({ gpk } ,{ crs } ,x,\pi )\) on input \({ gpk } \), \({ crs } \), an instance x, and a proof \(\pi \), outputs 1 for accept or 0 for reject; (5) \({\mathbf {WExt}} ({ td }_{e} ,x,\pi )\) on input an extraction trapdoor \({ td }_{e} \), an instance x, and a proof \(\pi \), outputs a witness w; and (6) \({\mathbf {Sim}} ({ td }_{zk} ,x)\) on input the simulation trapdoor \({ td }_{zk} \) and an instance x, outputs a simulated proof \({\pi } \).
We require the extractable dual-mode NIZK \(\mathrm {\Sigma } \) for \(({\mathbf {G}} ,\mathbf {R})\) to meet the following requirements.
Perfect soundness under \({\mathbf {BCRS}} \). For any \(\lambda \in \mathbb {N}\), any \({ gpk } \) output by \({\mathbf {G}} (1^\lambda )\), any CRS \({ crs } \) output (together with some \({ td }_{e} \)) by \({\mathbf {BCRS}} ({ gpk } )\), any x where it holds that \(\mathbf {R} ({ gpk } ,x,w)=0\) for all \(w\in \{0,1\}^*\), and any \(\pi \in \{0,1\}^*\) we have that \({\mathbf {Verify}} ({ gpk } ,{ crs } ,x,\pi ) = 0\).
Perfect extraction under \({\mathbf {BCRS}} \). For any \(\lambda \in \mathbb {N}\), any \({ gpk } \) output by \({\mathbf {G}} (1^\lambda )\), any pair \(({ crs } ,{ td }_{e} )\) output by \({\mathbf {BCRS}} ({ gpk } )\), any \((x,\pi )\) with \({\mathbf {Verify}} ({ gpk } ,{ crs } ,x,\pi )=1\), and any w output by \({\mathbf {WExt}} ({ td }_{e} ,x,\pi )\) we have that \(\mathbf {R} ({ gpk } ,x,w)=1\).
Perfect Witness Indistinguishability under \({\mathbf {HCRS}} \). For any \(\lambda \in \mathbb {N}\), any \({ gpk } \) output by \({\mathbf {G}} (1^\lambda )\), any pair \(({ crs } ,{ td }_{zk} )\) output by \({\mathbf {HCRS}} ({ gpk } )\), and any \((x,w_b)\) such that \(\mathbf {R} ({ gpk } ,x,w_b)=1\) for \(b\in \{0,1\}\), the two distributions \({\mathbf {Prove}} ({ gpk } ,{ crs } ,x,w_0)\) and \({\mathbf {Prove}} ({ gpk } ,{ crs } ,x,w_1)\) are identical.
Perfect Zero Knowledge under \({\mathbf {HCRS}} \). For any \(\lambda \in \mathbb {N}\), any \({ gpk } \) output by \({\mathbf {G}} (1^\lambda )\), any pair \(({ crs } ,{ td }_{zk} )\) output by \({\mathbf {HCRS}} ({ gpk } )\), and any (x, w) such that \(\mathbf {R} ({ gpk } ,x,w)=1\), the two distributions \({\mathbf {Prove}} ({ gpk } ,{ crs } ,x,w)\) and \({\mathbf {Sim}} ({ td }_{zk} ,x)\) are identical.
2.4 Languages with Hard Membership
In our proofs of security we also rely on languages for which the membership problem is hard and whose yes-instances have unique witnesses. Formally, such a language family is defined as a tuple of four algorithms \(\mathrm {\Lambda }:=(\mathbf {Gen_L},\mathbf {YesSam_L},\mathbf {NoSam_L},\mathbf {R_L})\) as follows. (1) \(\mathbf {Gen_L} (1^\lambda )\) is randomized and on input the security parameter outputs a language key \( lk \); (2) \(\mathbf {YesSam_L} ( lk )\) is randomized and on input the language key \( lk \) outputs a yes-instance \({y} \); (3) \(\mathbf {NoSam_L} ( lk )\) is randomized and on input the language key \( lk \) outputs a no-instance \({y} \); and (4) \(\mathbf {R_L} ( lk ,{y} ,w)\) is deterministic and on input \( lk \), an instance \({y} \) and a witness w outputs 1 for true or 0 for false.
We require \(\mathbf {R_L} \) to satisfy the following correctness requirements. For all \(\lambda \in \mathbb {N}\), all \( lk \) output by \(\mathbf {Gen_L} (1^\lambda )\) and all \({y} \) output by \(\mathbf {YesSam_L} ( lk )\) there is a \(w\in \{0,1\}^*\) such that \(\mathbf {R_L} ( lk ,{y} ,w)=1\). For a given \( lk \), we denote the set of yes-instances by \(\mathcal {L}_{ lk }\). For all \(\lambda \in \mathbb {N}\), all \( lk \) output by \(\mathbf {Gen_L} (1^\lambda )\) and all \({y} \) output by \(\mathbf {NoSam_L} ( lk )\) there is no \(w\in \{0,1\}^*\) such that \(\mathbf {R_L} ( lk ,{y} ,w)=1\). We also require \(\mathbf {R_L} \) to have unique witnesses: for all \(\lambda \in \mathbb {N}\), all \( lk \) output by \(\mathbf {Gen_L} (1^\lambda )\), all \({y} \) output by \(\mathbf {YesSam_L} ( lk )\) and all \(w,w' \in \{0,1\}^*\), if \(\mathbf {R_L} ( lk ,{y} ,w)=\mathbf {R_L} ( lk ,{y} ,w')=1\) then \(w=w'\).
3 Graded Encoding Schemes
We start by recalling (a slight variant of) the definition of graded encoding systems from Garg, Gentry and Halevi (GGH) [22].
\(\kappa \)-graded encoding system. Let R be a (non-trivial) commutative ring and \(S:=\{S_i^{(a)} \subset \{0,1\}^*~:~a\in R,\, 0\le i\le \kappa \}\) a system of sets. Then (R, S) is called a \(\kappa \)-graded encoding system if the following conditions are met.
1. For each level \(i\in \{0,\dots ,\kappa \}\) and for any \(a_1,a_2\in R\) with \(a_1\ne a_2\) we have that \(S_i^{(a_1)} \cap S_i^{(a_2)} = \emptyset \).
2. For each level \(i\in \{0,\dots ,\kappa \}\), the set \(\{S_i^{(a)}~:~a\in R\}\) is equipped with a binary operation “\(+\)” and a unary operation “\(-\)” such that for all \(a_1,a_2\in R\) and every \(u_1\in S_i^{(a_1)},u_2\in S_i^{(a_2)}\) it holds that
$$\begin{aligned} u_1 + u_2 \in S_i^{(a_1 + a_2)} \quad \text {and} \quad -u_1 \in S_i^{(-a_1)}. \end{aligned}$$
Here \(a_1 + a_2\) and \(-a_1\) denote addition and negation in R.
3. For each two levels \(i,j\in \{0,\dots ,\kappa \}\) with \(i+j\le \kappa \), there is a binary operation “\(\times \)” such that for all \(a_1,a_2\in R\) and every \(u_1\in S_i^{(a_1)}, u_2\in S_j^{(a_2)}\) it holds that
$$\begin{aligned} u_1 \times u_2 \in S_{i+j}^{(a_1 \cdot a_2)}. \end{aligned}$$
Here \(a_1 \cdot a_2\) denotes multiplication in R.
The difference to the GGH definition is that we do not require the operations “\(+\)” and “\(\times \)” to be associative or commutative. (Indeed, our upcoming construction does not satisfy these properties.) We are not aware of any applications that require the associativity or commutativity of encodings. However, we stress that the operations “\(+\)” and “\(\times \)” must respect the ring operations from \(R\). For instance, while we may have \((u_1+u_2)+u_3\ne u_1+(u_2+u_3)\) for some \(u_i\in S_j^{(a_i)}\), both the left-hand and the right-hand sides lie in \(S_j^{(a_1+a_2+a_3)}\).
Throughout the paper, we refer to an element \(a \in R\) as an exponent and a bit string \(u\in S_i^{(a)}\) as an encoding of a. Further, we write \(S_i:=\bigcup _{a\in R} S_i^{(a)}\) for the set of all level-i encodings.
We now define graded encoding schemes by introducing explicit algorithms for manipulating encodings of a graded encoding system.

\(\mathbf {Setup} (1^\lambda ,1^\kappa )\) : On input the security parameter \(1^\lambda \) and the (multi)linearity \(1^\kappa \), it outputs parameters of \(\mathrm {\Gamma } \) (which are assumed to be provided to all other algorithms). We note that this algorithm runs in time \({\mathrm {poly}} (\lambda )\) as long as \(\kappa \) is polynomial in \(\lambda \).

\(\mathbf {Eq} _i({h} _1,{h} _2)\) : For \(i\in \{0,\dots ,\kappa \}\) and two encodings \({h} _1\in S_i^{(a)}\) and \({h} _2 \in S_i^{(b)}\), this deterministic algorithm outputs 1 if and only if \(a=b\) in R.

\(\mathbf {Add} _i({h} _1,{h} _2)\) : This deterministic algorithm performs the “\(+\)” operation of (R, S) in level i. For \(i\in \{0,\dots ,\kappa \}\) and encodings \(h_1\in S_i^{(a_1)}\) and \(h_2\in S_i^{(a_2)}\) this algorithm outputs an encoding in \(h\in S_i^{(a_1+a_2)}\).

\(\mathbf {Mult} _{i,j}({h} _1,{h} _2)\) : This deterministic algorithm performs the “\(\times \)” operation of (R, S). For \({i,j}\in \{0,\dots ,\kappa \}\) with \(i+j \le \kappa \) and encodings \(h_1\in S_i^{(a_1)}\) and \(h_2\in S_j^{(a_2)}\) this algorithm outputs an encoding in \(S_{i+j}^{(a_1\cdot a_2)}\).

\(\mathbf {Sam} _i(a)\) : For \(i\in \{0,\dots ,\kappa \}\) and \(a \in R\), this probabilistic algorithm samples an encoding from \(S_i^{(a)}\).

\(\mathbf {Ext} _i({h} )\) : For \(i\in \{0,\dots ,\kappa \}\) and input \({h} \in S_i\), this deterministic algorithm outputs a bit string. Algorithm \(\mathbf {Ext} _i\) is required to respect membership in \(S_i^{(a)}\), i.e., it outputs identical strings for any two encodings \({h} _1,{h} _2 \in S_i^{(a)}\).

GGH do not permit sampling for specific values \(a \in R\). (Instead, GGH provide an algorithm to sample a random \(a\) along with its encoding.)

GGH’s zero-testing algorithm is substituted with an equality test (through \(\mathbf {Eq} _i\)) above. Our equality test must only work for consistent encodings from some \(S_i^{(a)}\) and \(S_i^{(b)}\). In contrast, the dream version of GGH requires that the set \(S_i^{(0)}\) is efficiently recognizable.
4 Approximate Multilinear Maps
We recall the approximate multilinear maps due to AFHLP [2]. The authors construct both symmetric and asymmetric multilinear maps. Their symmetric construction can be seen as a starting point for our GES.
4.1 Syntax
We start with the syntax of multilinear group (MLG) schemes [2]. Informally, a \(\kappa \)-MLG scheme is a restricted form of a graded encoding scheme where encodings belong to levels 0, 1 and \(\kappa \) only and the \(\mathbf {Mult}\) algorithm takes \(\kappa \) encodings at level 1 and outputs an encoding at level \(\kappa \). We formalize MLG schemes in terms of a GES.
4.2 Overview of AFHLP
In a nutshell, [2] works with redundant encodings of elements h of the base group \({\mathbb {G}} \) of the form \(h = g ^{x_0}{( g ^{\omega })}^{x_1}\) where \( g ^{\omega }\) comes from an \(\mathrm {SDDH} \) instance. Vector \({\mathbf {x}} = (x_0,x_1)\) represents element h. The set \(S_1\) consists of all strings of the form \((h,{ c }_{1} ,{ c }_{2} ,{\pi } )\) where \(h \in {\mathbb {G}} \), ciphertext \({ c }_{1} \) is a homomorphic encryption under public key \({ pk } _1\) of a vector \({\mathbf {x}} \) representing h, ciphertext \({ c }_{2} \) is a homomorphic encryption under a second public key \({ pk } _2\) of another vector \({\mathbf {y}} \) also representing h, and \({\pi } \) is a NIZK proof showing consistency of the two vectors \({\mathbf {x}} \) and \({\mathbf {y}} \). Here consistency means that the plaintext vectors \({\mathbf {x}} \) and \({\mathbf {y}} \) underlying \({ c }_{1} \) and \({ c }_{2} \) encode the same group element h. Note that each element of the base group \({\mathbb {G}} \) is multiply represented in \(S_1\), but that equality of elements in \(S_1\) is easy to test (via checking the equality of first components).
Addition of two elements in \(S_1\) is carried out by an obfuscation of a circuit \(\mathrm {C} _\mathrm {Add}[{ sk } _1,{ sk } _2]\), which has the two secret keys hardwired in. The circuit checks the respective proofs, adds the group elements in \({\mathbb {G}} \) and uses the additive homomorphic property of the encryption scheme to combine ciphertexts. It then uses witness \(({ sk } _1,{ sk } _2)\) to generate a NIZK proof showing equality of encodings. Note that the new encoding is as compact as the two input encodings.
The multilinear map on inputs \((h_i,{ c }_{i,1} ,{ c }_{i,2} ,{\pi } _i)\) for \(1 \le i \le \kappa \) is computed using an obfuscation of a circuit \(\mathrm {C} _\mathrm {Map}[{ sk } _1,\omega ]\), which has \({ sk } _1\) and \(\omega \) hardwired in. The circuit recovers the exponents of \(h_i\) in the form \((x_{i,1}+\omega \cdot x_{i,2})\) from \({ c }_{i,1} \) via the decryption algorithm \({\mathbf {Dec}} (\cdot ,{ sk }_{1} )\). It then uses these to compute the group element \( g ^{\prod _i (x_{i,1}+ \omega \cdot x_{i,2})}\), which is defined to be the output of \(\mathbf {Mult} \). (The target set \(S_\kappa \) is therefore \({\mathbb {G}} \), the base group.) The \(\kappa \)linearity of \(\mathbf {Mult} \) follows immediately from the form of the exponent. See the full version [19] for technical details.
In the original paper, this construction is generalized to the asymmetric setting via representations of the form \( g ^{\langle {\mathbf {x}} ,{\varvec{\omega }} \rangle }\) with \({\mathbf {x}} ,{\varvec{\omega }} \in {\mathbb {Z}} _N^\ell \) for \(\ell \in \{2,3\}\) (where \(\langle {\mathbf {x}} ,{\varvec{\omega }} \rangle \) denotes inner products modulo the base-group order). The special case \({\varvec{\omega }} :=(1,\omega )\) then gives an MLG scheme where \(\mathrm {MDDH}\) is shown to be hard. We refer the reader to the original work [2] for the details.
5 The GES Construction
We now present our construction of a graded encoding scheme \(\mathrm {\Gamma } \) according to the syntax introduced in Sect. 3. We will use the following ingredients in our construction. A similar set of building blocks was used in [2].
1. A group setup algorithm \(\mathbf {Setup} _{{\mathbb {G}} }(1^\lambda )\) that samples (the description of) a group \({\mathbb {G}} \), along with a random generator \(g\) of \({\mathbb {G}} \), the group order \(p\) and the identity element 1.^{6} We implicitly assume efficient algorithms for checking group membership, performing the group operation, inversion, and randomly sampling group elements. We further assume a unique binary representation for every group element and a randomness extractor for this group.
2. A general-purpose probabilistic indistinguishability obfuscator \(\mathbf {PIO} \) that we assume is secure against XIND samplers.
3. A perfectly correct and IND-CPA-secure fully homomorphic PKE scheme \(\mathrm {\Pi } \) with plaintext space \({\mathbb {Z}} _p^{\kappa +1}\).
4. An extractable dual-mode NIZK proof system \(\mathrm {\Sigma } \).
5. A language family \(\mathrm {\Lambda } \) with hard membership problem and unique witnesses.
Given the above components, with formal syntax and security as defined in Sect. 2, our graded encoding scheme \(\mathrm {\Gamma } \) consists of the algorithms detailed in the sections that follow. (See the introduction for an intuition.)
5.1 Setup
The \(\mathbf {Setup} \) algorithm continues by generating a binding CRS Open image in new window , and also a no-instance of \(\mathcal {L}_ lk \) via Open image in new window . It sets \({ crs } := ({ crs } ',{y} )\). (The relation \(\mathbf {R} \) that the NIZK should support will be defined shortly in Sect. 5.2.)
5.2 Encodings and Equality
Level-0 encodings. We treat algorithms for level-0 encodings separately in our construction as they behave somewhat differently from those of the other levels. For instance, when multiplied with other encodings, they do not increase the encoding level. The canonical choice for level-0 encodings is the ring \({\mathbb {Z}} _p\), which we adopt in this paper. These encodings, therefore, come with natural algorithms for generation, manipulation and testing of elements. Algorithm \(\mathbf {Mult} \), when applied to inputs one of which is at level 0, corresponds to multiplication with the element in the zeroth level. The latter can in turn be implemented with a shift-and-add algorithm that employs the encoding addition \(\mathbf {Add} \) of Sect. 5.3. We omit explicit mention of operations for level-0 encodings to ease notation and focus on the more interesting cases at levels 1 and above.^{7}
Level-\(\kappa \) encodings. We set \(S_\kappa := {\mathbb {G}} \) in our scheme and use the algorithms associated with \({\mathbb {G}} \) for generation, equality testing, and addition of encodings at level \(\kappa \). Once again, we omit these operations from the addition circuit for clarity. The multiplication circuit can only be called on a level-\(\kappa \) encoding together with a level-0 encoding, which we have already excluded. However, we still have to deal with outputs at level \(\kappa \) in \(\mathbf {Mult} \).
(1) either \({ c }_{1} \) and \({ c }_{2} \) contain polynomials \(P _1\) and \(P _2\) of degree at most \(\ell \), such that \(P _1(\omega )=P _2(\omega )=z\),
(2) or \({y} \in \mathcal {L}_ lk \) (or both).
More formally, \({\pi } \) must be a verifying proof that \(({ gpk } ,({[ z ]},{ c }_{1} ,{ c }_{2} ,\ell ))\) satisfies one relation \(\mathbf {R} _1\) or \(\mathbf {R} _2\) as follows.

\({[ z ]} \in {\mathbb {G}} \);

both \(P _1\) and \(P _2\) are polynomials over \({\mathbb {Z}} _p\) of degree \( \le \ell \) (given by their coefficient vectors);

both \(P _1\) and \(P _2\) represent \(z\) in the sense that \([ z ] = [ P _1(\omega ) ] \) and \( [ z ] = [ P _2(\omega ) ] \);
 both \({ c } _i\) are encryptions of (or decrypt to) \(P _i\) in the following sense:$$\begin{aligned} \text {for both } i\in \{1,2\}&~:~{ c }_{i} = {\mathbf {Enc}} (P _i,{ pk } _i;{ r } _i) \\&\vee \\ \text {for both } i\in \{1,2\}&~:~({ pk } _i,{ sk } _i) = {\mathbf {Gen}} ({ sk } _i) \wedge P _i = {\mathbf {Dec}} ({ c }_{i} ,{ sk } _i). \end{aligned}$$
Note that there are two types of witnesses that can be used in proof generation for \(\mathbf {R} _1\), namely \((P _1,P _2,{ r } _1,{ r } _2)\) and \(({ sk } _1,{ sk } _2)\).
Let \(\mathbf {R_L} \) be the relation for the trapdoor language \(\mathrm {\Lambda } \). Relation \(\mathbf {R} _2\), given \({ gpk } \), an encoding, and a witness \(w_{{y} }\), accepts iff \(\mathbf {R_L} ( lk ,{y} ,w_{{y} })\) accepts. (Note that the output of \(\mathbf {R} _2\) is independent of input encodings.) Hence, intuitively, \(\mathbf {R} _2\) provides an explicit trapdoor to simulate consistency proofs (in case \(y\in \mathcal {L}_ lk \)).
We define \(\mathbf {R}:=\mathbf {R} _1 \vee \mathbf {R} _2\) and assume that \(\mathrm {\Sigma } \) is a proof system with respect to \(({\mathbf {G}} ,\mathbf {R})\) with \({\mathbf {G}} \) as defined in Sect. 5.1.
Valid and consistent encodings. The following convention will be useful in the context of validity of encodings and the correctness of our scheme. We call an encoding \({h} \) valid if the proof \(\pi \) verifies correctly under \({ crs } '\). We write \(\mathbf {Val} _\ell (h)\) iff \(h\) is valid and the level implicit in \({h} \) matches \(\ell \). We call \({h} \) consistent (with respect to \({ gpk } \)) if \(h\) is in the language defined by the first three conditions of relation \(\mathbf {R} _1\) as well as the first clause of the disjunction above. (In particular, the corresponding ciphertexts \({ c }_{i} \) are possible outputs of \({\mathbf {Enc}} (P _i,{ pk } _i)\); this implies that these ciphertexts behave as expected under the homomorphic evaluation algorithm \({\mathbf {Eval}} \).) Note that consistency implies validity, but the converse is not necessarily the case, and hence a valid encoding may not lie in any \(S_\ell \). For example, this would be the case if an “anomalous” ciphertext decrypts correctly to a valid representation, but does not lie in the range of \({\mathbf {Enc}} \). Furthermore, validity can be publicly and efficiently checked, while this is not necessarily the case for consistency. We note, however, that if the encryption scheme does not allow for anomalous ciphertexts, our GES would also have efficiently recognizable encodings. We leave the construction of such FHE schemes as an open problem.
Algorithm \(\mathbf {Eq} \). The equality algorithm \(\mathbf {Eq} _{\ell }\) returns 1 iff the first components of the inputs match. The correctness of this algorithm follows from the fact that the base group \({\mathbb {G}} \) has unique representations. (Recall from GES syntax that \(\mathbf {Eq} _\ell \) is only required to work with respect to consistent encodings.)
5.3 Addition
We now provide a procedure for adding two level-\(\ell \) encodings \({h} =([ z ], { c }_{1} ,{ c }_{2} ,{\pi } ,\ell )\) and \(h'=([ z' ], { c }_{1} ',{ c }_{2} ',{\pi } ',\ell )\) in \(S_\ell \). Conceptually, our addition circuit operates similarly to that of AFHLP. The main difference is that our encodings contain polynomials and levels. We exploit the structure of the base group as well as the homomorphic properties of the encryption scheme to “add together” the first and second components of the inputs. We then use \(({ sk }_{1} ,{ sk }_{2} )\) as a witness to generate a proof \({\pi } ''\) that the new tuple is well formed. For technical reasons we check both the validity of \({h} \) and \({h} '\) (by checking \(\pi \) and \(\pi '\)) and their consistency (using \(({ sk }_{1} ,{ sk }_{2} )\)).
Figure 2 details the operation of the addition circuit \(\mathrm {C} _{\mathrm {Add}}\). A \(\mathbf {PIO} \) of this circuit will be made public via the parameters \({ pp } \). We emphasize that step 5, that is, the explicit consistency check, is never reached under a binding \({ crs } '\) (due to the perfect soundness of the proof system), but it may be reached with a hiding \({ crs } '\) later in the security analysis. Let us expand on this.
In the analysis, we need to specify how \(\mathrm {C} _{\mathrm {Add}}\) behaves if it encounters inputs that are valid (in the sense that the proofs pass NIZK verification) but nevertheless inconsistent, in the sense that at least one of the encodings does not decrypt to a valid representation. Let us call such inputs bad.
With the knowledge of the secret keys, such bad inputs can be recognized, and the natural choice would be to define \(\mathrm {C} _{\mathrm {Add}}\) to abort when this is the case. With this choice, however, we run into the following problem. During the security proof we will set the addition circuit to answer all valid inputs (including bad ones) with simulated proofs. On the other hand, the original addition circuit rejects such inputs. (Furthermore, it cannot even simulate proofs for wrong statements, and hence cannot answer bad inputs with valid-looking proofs.)
On a high level, we would like to modify how \(\mathrm {C} _{\mathrm {Add}}\) reacts on bad inputs so that it uses a NIZK simulation trapdoor on bad inputs. The difficulty with this strategy is that no such simulation trapdoor exists when the NIZK CRS is binding. Hence, we create our own NIZK trapdoor through an extra “OR branch” in the proved statement (akin to the Feige–Lapidot–Shamir transform). This gives us a little more flexibility in defining and using that trapdoor.
More specifically, recall that our CRS is of the form \( { crs } = ({ crs } ', y)\) where \({ crs } '\) is a binding CRS for the dual-mode NIZK proof system, and \(y\) is a no-instance of \(\mathcal {L}_ lk \). However, our actual means to fake proofs will be to switch \(y\) to a yes-instance and use a witness \(w_y\) to produce proofs. Specifically, in the security proof, we will eventually let \(\mathrm {C} _{\mathrm {Add}}\) use a simulation trapdoor \(w_y\) (instead of a simulation trapdoor for the NIZK). The benefit of this is that \(\mathrm {C} _{\mathrm {Add}}\) will know an extraction trapdoor \({ td }_{e} '\) (that of course only exists if the CRS \({ crs } '\) is in the binding mode) which it can use to extract a witness from a given proof \(\pi \). Thus, whenever \(\mathrm {C} _{\mathrm {Add}}\) encounters a bad input, it can extract a witness \(w_y'\), which must at that point be a simulation trapdoor \(w_y\). This simulation trapdoor \(w_y\) can then immediately be used to produce a fake proof \(\pi ''\) even upon bad inputs. In other words, \(\mathrm {C} _{\mathrm {Add}}\) knows no simulation trapdoor a priori, but it can extract one from any simulated proof for a false statement.
The \(\mathbf {Add} _\ell \) algorithm simply runs the obfuscated circuit on the input encodings and \(\ell \). The correctness of this algorithm follows from that of \(\mathrm {\Pi } \), the completeness of \(\mathrm {\Sigma } \) and the correctness, in our sense, of the (probabilistic) obfuscator \(\mathbf {PIO} \). Note that FHE correctness is only guaranteed to hold with respect to ciphertexts that are in the range of encryption or evaluation (and not necessarily for anomalous ones that decrypt correctly). This, in particular, means that we cannot enlarge the set of encodings to contain all valid ones (as opposed to just consistent ones) to get efficient decidability of encoding sets, as correctness can no longer be established. (See also the remark on validity on page 18.) Note that full compactness ensures that the ciphertexts output by \(\mathbf {Add} _\ell \) are in the range of encryption, and hence they can be further operated on with \({\mathbf {Eval}} \).
5.4 Multiplication
The correctness of these maps follows from the correctness of \(\mathrm {\Pi } \) and \(\mathbf {PIO} \), and the completeness of \(\mathrm {\Sigma } \).
Enabling graded multiplication. The main difference between our circuit \(\mathrm {C} _{\mathrm {Mult}}\) and that of [2] is that here we need to output auxiliary information \(({ c }_{1} ,{ c }_{2} ,\pi )\) for multiplied encodings at output levels below \(\kappa \). This information allows the multiplication algorithm to operate in a graded fashion as any output encoding by \(\mathrm {C} _{\mathrm {Mult}}\) can be fed back into \(\mathrm {C} _{\mathrm {Mult}}\) as long as it lies at a level \(\ell <\kappa \).^{10} In order to enable \(\mathrm {C} _{\mathrm {Mult}}\) to generate this auxiliary information, we use an encryption scheme that is also homomorphic with respect to multiplication in the plaintext ring. In contrast, AFHLP only rely on an additively homomorphic encryption scheme.
5.5 Sampling
5.6 Extraction
Since at each level \(\ell \) the first component \([ z ] \) is unique for each set \(S_\ell ^{(z)}\), we may extract a uniform string from \({h} =([ z ], { c }_{1} ,{ c }_{2} ,{\pi } ,\ell )\) for a uniform z by applying a randomness extractor seeded with \({ hk } \) to \([ z ] \).
6 Indistinguishability of Encodings
We show that a key property used by AFHLP in the analysis of their multilinear map [2, Theorem 5.3] is also exhibited by our graded scheme. Roughly speaking, this property states that for any given level \(\ell \), any two valid encodings of the same \({\mathbb {Z}} _p\)-element are computationally indistinguishable. This claim is formalized via the \(\kappa \hbox {-}\mathrm {Switch} \) game shown in Fig. 4. Note that in this game, we allow the adversary not only to choose the representation polynomials, but also to see part of the private information not available through the public parameters, namely the exponent \(\omega \).
Theorem 1
Proof

\(\mathrm {Game} _0\) : This is the \(\kappa \hbox {-}\mathrm {Switch} \) game with a binding \({ crs } '\) and \({y} \not \in \mathcal {L}_ lk \). The addition and multiplication circuits are defined in Figs. 2 and 3, respectively.

\(\mathrm {Game} _1\) : We change the public parameters so that they include a hiding \({ crs } '\), a yes-instance \({y} \) via \(\mathbf {YesSam_L} ( lk )\) and obfuscations of circuits \(\widehat{\mathrm {C}}_{\mathrm {Add}}\) and \(\widehat{\mathrm {C}}^{(1)}_{\mathrm {Mult}}\) (see Fig. 6). Here, the second circuit uses \({ sk } _1\) to decrypt the first ciphertexts given as inputs. Observe that these circuits use the witness \(w_{{y} }\) to \({y} \in \mathcal {L}_ lk \) to produce the output proofs \({{\pi } }''\), and therefore the simultaneous knowledge of decryption keys \({ sk }_{1} ,{ sk }_{2} \) is no longer needed. The difference from the previous game can be bounded by our helper Lemma 1 with \(i=1\), where we rely on \(\mathrm {PIO}\) security, CRS indistinguishability, and the hardness of the membership problem.

\(\mathrm {Game} _2\) : This game generates the second challenge ciphertext \({ c }_{2} \) by encrypting polynomial \(P _{1,2}\) even when \(b=0\). We bound this transition via the \(\mathrm {IND}\hbox {-}\mathrm {CPA}\) security of \(\mathrm {\Pi }\) with respect to \({ pk }_{2} \). The reduction will choose a first decryption key \({ sk }_{1} \) and a witness \(w_{{y} }\) so as to be able to construct \(\widehat{\mathrm {C}}^{(1)}_{\mathrm {Mult}}\). It will also generate a NIZK simulation trapdoor \({ td }_{zk} \) (recall the CRS is in the hiding mode) to construct simulated proofs \(\pi \) for the (inconsistent) challenge encoding \({h} _b\). Note that the perfect ZK property guarantees that these proofs are identically distributed to the real ones in \(\mathrm {Game} _1\).

\(\mathrm {Game} _3\) : The public parameters are changed back to include a binding \({ crs } '\), a no-instance \(y\notin \mathcal {L}_ lk \) and a (\(\mathrm {PIO}\)) obfuscation of the original circuits \(\mathrm {C} _{\mathrm {Add}} \), \(\mathrm {C} _{\mathrm {Mult}} \) with both decryption keys hardwired. The difference from the previous game is bounded again via Lemma 1 (in the reverse direction and with \(i=1\)).

\(\mathrm {Game} _4\) : This transition is defined analogously to that introduced in \(\mathrm {Game} _1\), except that this time we invoke Lemma 1 with \(i=2\) and switch to circuits \(\widehat{\mathrm {C}}_{\mathrm {Add}}\) and \(\widehat{\mathrm {C}}^{(2)}_{\mathrm {Mult}}\). Observe that knowledge of \({ sk } _1\) is no longer needed.

\(\mathrm {Game} _5\) : This transition is defined analogously to that introduced in \(\mathrm {Game} _2\). The only difference is that this game generates the first challenge ciphertext \({ c }_{1} \) by encrypting \(P _{1,1}\) even when \(b=0\).
Finally, note that the challenge encoding in \(\mathrm {Game} _5\) is independent of the random bit b and the advantage of any (even unbounded) adversary \(\mathcal {A}\) is 0.
In the proof of Theorem 1, we need the next Lemma for changing the addition and multiplication circuits to “forget” (one or both) the secret keys and the extraction trapdoor. The proof can be found in the full version [19] of this paper.
Lemma 1
7 Hardness of \(\mathrm {MDDH}\)
We are now ready to show that \(\mathrm {MDDH}\) is hard for our GES. We improve on [2] by providing a simpler and tighter proof of security. One corollary of our result is that there are no “zeroizing” attacks on our scheme, as such attacks immediately lead to a break of MDDH [12, 13, 22]. We start by providing a formal definition of \(\mathrm {MDDH}\) as well as of the strong DDH problem whose hardness we assume in our analyses.
7.1 Hardness of \(\mathrm {MDDH}\)
Recall that the GES of Sect. 5 represents an element \(z\in {\mathbb {Z}} _p\) at level \(\ell \) with polynomials \(P _1\) and \(P _2\) of degree at most \(\ell \) such that \(P _j(\omega )=z\).
Theorem 1
( \(\kappa \hbox {-}\mathrm {SDDH} \!\implies \! \kappa \hbox {-}\mathrm {MDDH} \) ). Let \(\mathrm {\Gamma } \) be the GES constructed in Sect. 5 with respect to a base group \({\mathbb {G}} \) and an \(X{\hbox {-}}\mathrm {IND} \)-secure probabilistic obfuscator \(\mathbf {PIO} \).
Then, assuming the \(\kappa \)-SDDH assumption (see Fig. 7) holds in \({\mathbb {G}} \), and using our switching lemma, the \(\kappa \)-MDDH assumption holds in \(\mathrm {\Gamma } \).
Proof
(Outline). We provide a simpler proof compared to that of [2, Theorem 6.2] at the expense of relying on the slightly stronger \(\kappa \hbox {-}\mathrm {SDDH} \) (instead of the \((\kappa -1)\hbox {-}\mathrm {SDDH} \)) problem. At a high level, our reduction has two steps: (1) switch all encodings from polynomials of degree 0 to those of degree 1; and (2) randomize the \(\kappa \hbox {-}\mathrm {MDDH} \) challenge using the \(\kappa \hbox {-}\mathrm {SDDH} \) instance. The key difference from the proof of [2, Theorem 6.2] is that we no longer need to carry out a two-step process to randomize the exponent of the MDDH challenge. In particular, we do not change the implementation of the multiplication circuit according to a \(\kappa \hbox {-}\mathrm {SDDH} \) challenge. We outline the proof along a sequence of \(\kappa +5\) games here and leave the full details to the full version [19].

\(\mathrm {Game} _0\) : This is the \(\kappa \hbox {-}\mathrm {MDDH} \) problem (Fig. 7, middle). We use \(P _{i,1}\) and \(P _{i,2}\) to denote the canonical degree-zero representation polynomials of \(a_i\) as generated by the sampler \(\mathbf {Sam} _{1}(a_i)\).

\(\mathrm {Game} _1\)–\(\mathrm {Game} _{\kappa +1}\) : In these games we gradually switch the polynomial representations for level-1 encodings \({h} _{i}\) for \(1\le i \le \kappa +1\) so that they take the form
$$\begin{aligned} P _{i,1}(X) = P _{i,2}(X) = X + a_i - \omega . \end{aligned}$$
These polynomials are still valid and their degrees are exactly 1. Hence, when multiplied together, the resulting polynomial will be of degree \(\kappa +1\). Each of these hops can be bounded via the \(\kappa \hbox {-}\mathrm {Switch} \) game via Theorem 1.

\(\mathrm {Game} _{\kappa +2}\) : This game only introduces a conceptual change: \(a_i\) for \(1\le i \le \kappa +1\) are generated as \(a_i + \omega \). The distributions of these values are still uniform, and the exponent of the \(\mathrm {MDDH} \) challenge when \(b=1\) is now
$$\begin{aligned} z_1 = \prod _{i=1}^{\kappa +1} (a_i+\omega ), \end{aligned}$$
which is a polynomial in \(\omega \) of degree \(\kappa \).

\(\mathrm {Game} _{\kappa +3}\) : In this game we replace \(\mathrm {C} _\mathrm {Mult}\) with \(\mathrm {C} ^*_\mathrm {Mult}\), a circuit that uses the implicit values \([\omega ^i]\) for \(0 \le i \le \kappa \) in steps 5 and 6. (Note that \([P (\omega )]\) can be computed using \([\omega ^i]\) when the coefficients of \(P \) are explicitly known.) This change does not affect the functionality of the multiplication circuit, and hence we can bound this hop via \(\mathrm {PIO}\) security. As a result, explicit knowledge of \(\omega \) is no longer needed to generate the multiplication circuit.

\(\mathrm {Game} _{\kappa +4}\) : In this game, we replace \([\omega ^{\kappa }]\) with a random value \([\sigma ]\) in the challenge preparation. (Note that level-\(\kappa \) encodings correspond to the base group.) We can bound this hop via the \(\kappa \hbox {-}\mathrm {SDDH} \) game.
In the final game the challenge exponent (when \(b=1\)) is fully randomized. This means that the challenge is independent of b in \(\mathrm {Game} _{\kappa +4}\), which concludes the proof.
7.2 Downgrading Attacks
It might appear that our GES could be subject to a “downgrading” attack as follows. Start with any consistent encoding \({h} \) at level \(\ell \) whose representation polynomial is of degree 0. Then “maul” \({h} \) into an encoding at a lower level \(\ell ' < \ell \) by simply changing \(\ell \) to \(\ell '\) in \({h} \). Then use this malleability to attack, say, MDDH, where challenge encodings are canonical and of degree 0 (see Sect. 5.5).
What is crucial and prevents this downgrade attack is the proof system. The consistency proof \(\pi \) proves that the encrypted values correspond to a polynomial \(P \) of degree up to \(\ell \) such that \(P (\omega )=z\). Note that this statement depends on \(\ell \). Hence, a proof for a level-2 encoding cannot be “reused” for a level-1 encoding, as in the attack: a single proof will not necessarily pass against two different statements even if they both have the same witness. In order to downgrade, the proof would have to be changed.
Indeed, suppose that one had a method for changing a proof \(\pi _2\) of a level-2 encoding to a proof \(\pi _1\) of the level-1 encoding (that is derived by simply omitting encrypted coefficients, as in a downgrading attack). Consider what happens if one starts with an equivalent level-2 encoding (in the sense of our switching lemma) with degree-2 polynomials \(P \). Then, the statement that \(\pi _1\) proves becomes false, so any such attack would contradict the soundness of the proof system.
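The following toy model of the polynomial view of encodings (the graded operations of Sect. 3, the polynomial clauses of relation \(\mathbf {R} _1\) in Sect. 5.2, the switched representations of Sect. 7.1 and the downgrading attempt of Sect. 7.2) is an added example and not code from the paper. It strips away the FHE, NIZK and obfuscation layers: the “ciphertexts” are plaintext coefficient vectors, the proof \(\pi \) is replaced by an explicit check of the polynomial conditions, and \(p\), \(\omega \) and \(\kappa \) are small constructed values.

```python
from dataclasses import dataclass

# Constructed toy parameters: a real instantiation uses a pairing-friendly group of
# large prime order p and a secret omega taken from an SDDH instance. Only the
# obfuscated circuits know OMEGA; the checks below stand in for what C_Add / C_Mult
# verify with the secret keys, or what the NIZK proof pi certifies publicly.
P_MOD = 101   # prime p, so exponents live in the ring Z_p
OMEGA = 7     # secret exponent omega
KAPPA = 3     # multilinearity kappa


def poly_eval(coeffs, x):
    """Evaluate sum_i coeffs[i] * x^i in Z_p by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P_MOD
    return acc


def poly_add(a, b):
    """Coefficient-wise sum in Z_p (what Eval applies to c_1, c_2 inside C_Add)."""
    n = max(len(a), len(b))
    a, b = list(a) + [0] * (n - len(a)), list(b) + [0] * (n - len(b))
    return [(x + y) % P_MOD for x, y in zip(a, b)]


def poly_mul(a, b):
    """Convolution product of coefficient vectors (footnote 2), i.e. the polynomial product."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P_MOD
    return out


@dataclass(frozen=True)
class Encoding:
    """Model of a level-ell encoding ([z], c_1, c_2, pi, ell).

    z stands for the group element [z] (the unique first component) and poly for
    the common plaintext of c_1 and c_2; the FHE and NIZK layers are omitted."""
    z: int
    poly: tuple   # coefficients of P; entry i is the coefficient of X^i
    level: int


def consistent(h):
    """The polynomial clauses of relation R_1: deg P <= ell and [z] = [P(omega)]."""
    deg = len(h.poly) - 1
    return 0 <= h.level <= KAPPA and deg <= h.level and poly_eval(h.poly, OMEGA) == h.z


def sam(level, a, poly=None):
    """Sam_ell(a): the canonical degree-0 representation unless a polynomial is supplied."""
    coeffs = [a % P_MOD] if poly is None else [c % P_MOD for c in poly]
    h = Encoding(a % P_MOD, tuple(coeffs), level)
    if not consistent(h):
        raise ValueError("polynomial does not represent a at this level")
    return h


def eq(h1, h2):
    """Eq_ell compares first components only; this is correct for consistent encodings."""
    return h1.level == h2.level and h1.z == h2.z


def add(h1, h2):
    """Add_ell: C_Add checks consistency of both inputs, then adds in G and on plaintexts."""
    if h1.level != h2.level or not (consistent(h1) and consistent(h2)):
        raise ValueError("inconsistent inputs or mismatched levels")
    return Encoding((h1.z + h2.z) % P_MOD, tuple(poly_add(h1.poly, h2.poly)), h1.level)


def mult(h1, h2):
    """Mult_{i,j}: graded product, output at level i + j <= kappa (so a level-kappa
    input can only be combined with a level-0 one)."""
    if h1.level + h2.level > KAPPA or not (consistent(h1) and consistent(h2)):
        raise ValueError("inconsistent inputs or output level above kappa")
    return Encoding((h1.z * h2.z) % P_MOD, tuple(poly_mul(h1.poly, h2.poly)),
                    h1.level + h2.level)


def switched(level, a):
    """Representation used in Game_1..Game_{kappa+1} of Sect. 7.1:
    P(X) = X + a - omega has degree exactly 1 and still satisfies P(omega) = a."""
    return sam(level, a, poly=[a - OMEGA, 1])


def downgrade(h, new_level):
    """The mauling attempt of Sect. 7.2: keep [z] and the ciphertexts, edit only ell."""
    return Encoding(h.z, h.poly, new_level)
```

A degree-0 level-2 encoding still satisfies the polynomial clauses after `downgrade` to level 1, whereas the equivalent degree-2 encoding `sam(2, 5, poly=[50, 1, 1])` does not, which is exactly the level-dependent statement that a reused proof would have to certify.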
Footnotes
1.
2. Recall that the multiplication of polynomials can be implemented through the convolution product on the respective coefficient vectors. In particular, we have \(\sum _{i=0}^\kappa \gamma _iX^i=\prod _{i=1}^\kappa (\alpha _i+\beta _iX)\).
3. Since \(\mathbf {Mult} _{i,j}\) can be used to multiply two encodings at level i as long as \(2i\le \kappa \), our GES can be viewed as symmetric. We note that we do not deal with the construction of generalized GES (see [22, Appendix A] for a definition).
4.
5. We note that extraction in Groth–Sahai proofs does not recover a witness for all types of statements. (Instead, for some types of statements, only \(g^{w_i}\) for a witness variable \(w_i\in {\mathbb {Z}} _p\) can be recovered.) Here, however, we will only be interested in witnesses \(w=(w_1,\ldots ,w_n)\in \{0,1\}^n\) that are bit strings, in which case extraction always recovers w. (Extraction will recover \(g^{w_i}\) for all i, and thus all \(w_i\) too.)
6. It is conceivable that our security proofs also hold for non-prime p up to statistical defect terms related to randomization of elements modulo a composite number.
7. We mention that previous GESs used more complex level-\(0\) encodings, and since their encodings were noisy, they allowed only a limited number of operations on each encoding. Hence, implementing \(\mathbf {Mult} \) on level-\(0\) inputs via shift-and-add could be too costly in their settings.
8.
9. This “honest-ciphertext-generation” condition is necessary for the (bi)linearity of our addition and multiplication algorithms. Unfortunately, this also prevents the sets \(S_\ell ^{(z)}\) from being efficiently recognizable.
10. Observe that with the explicit knowledge of \(P *P '\) and the powers \(([ \omega ^i ])_{1\le i\le \kappa }\) it is also possible to compute \([ zz' ] \) as long as \(P *P '\) is of degree \({\le }\kappa \); this will be exploited in the security analysis in Sect. 7.
11. Recall that encodings at level \(\kappa \) can only be multiplied with level-0 encodings, i.e., with elements in \({\mathbb {Z}} _p\).
Acknowledgments
We thank the anonymous reviewers for their helpful comments, and Kenny Paterson and Geoffroy Couteau for useful discussions. Pooya Farshim was supported in part by grant ANR14CE280003 (Project EnBid). Dennis Hofheinz was supported by ERC grant 724307, and by DFG grants HO 4534/22 and HO 4534/41. Enrique Larraia was supported by EPSRC grant EP/L018543/1.
References
1. Abusalah, H., Fuchsbauer, G., Pietrzak, K.: Constrained PRFs for unbounded inputs. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 413–428. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_24
2. Albrecht, M.R., Farshim, P., Hofheinz, D., Larraia, E., Paterson, K.G.: Multilinear maps from obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 446–473. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_19
3. Ananth, P., Sahai, A.: Projective arithmetic functional encryption and indistinguishability obfuscation from degree-5 multilinear maps. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 152–181. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_6
4. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_4
5. Boneh, D., Lewi, K., Raykova, M., Sahai, A., Zhandry, M., Zimmerman, J.: Semantically secure order-revealing encryption: multi-input functional encryption without obfuscation. In: Oswald and Fischlin (eds.) [38], pp. 563–594
6. Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography. Contemp. Math. 324, 71–90 (2003)
7. Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_15
8. Boneh, D., Waters, B., Zhandry, M.: Low overhead broadcast encryption from multilinear maps. In: Garay and Gennaro [21], pp. 206–223
9. Canetti, R., Garay, J.A. (eds.): CRYPTO 2013, Part I. LNCS, vol. 8042. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4
10. Canetti, R., Garay, J.A. (eds.): CRYPTO 2013, Part II. LNCS, vol. 8043. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1
11. Canetti, R., Lin, H., Tessaro, S., Vaikuntanathan, V.: Obfuscation of probabilistic circuits and applications. In: Dodis and Nielsen [17], pp. 468–497
12. Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_1
13. Coron, J.-S., Gentry, C., Halevi, S., Lepoint, T., Maji, H.K., Miles, E., Raykova, M., Sahai, A., Tibouchi, M.: Zeroizing without low-level zeroes: new MMAP attacks and their limitations. In: Gennaro and Robshaw [27], pp. 247–266
14. Coron, J.-S., Lee, M.S., Lepoint, T., Tibouchi, M.: Cryptanalysis of GGH15 multilinear maps. In: Robshaw and Katz [41], pp. 607–628
15. Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti and Garay [9], pp. 476–493
16. Coron, J.-S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. In: Gennaro and Robshaw [27], pp. 267–286
17. Dodis, Y., Nielsen, J.B. (eds.): TCC 2015, Part II. LNCS, vol. 9015. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7
18. Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie–Hellman assumptions. In: Canetti and Garay [10], pp. 129–147
19. Farshim, P., Hesse, J., Hofheinz, D., Larraia, E.: Graded encoding schemes from indistinguishability obfuscation. Cryptology ePrint Archive, Report 2018/011 (2015)
20. Freire, E.S.V., Hofheinz, D., Paterson, K.G., Striecks, C.: Programmable hash functions in the multilinear setting. In: Canetti and Garay [9], pp. 513–530
21. Garay, J.A., Gennaro, R. (eds.): CRYPTO 2014, Part I. LNCS, vol. 8616. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2
22. Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_1
23. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press, October 2013
24. Garg, S., Gentry, C., Halevi, S., Sahai, A., Waters, B.: Attribute-based encryption for circuits from multilinear maps. In: Canetti and Garay [10], pp. 479–499
25. Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 467–476. ACM Press, June 2013
26. Garg, S., Mukherjee, P., Srinivasan, A.: Obfuscation without the vulnerabilities of multilinear maps. Cryptology ePrint Archive, Report 2016/390 (2016)
27. Gennaro, R., Robshaw, M. (eds.): CRYPTO 2015, Part I. LNCS, vol. 9215. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6
28. Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis and Nielsen [17], pp. 498–527
29. Goldwasser, S., Rothblum, G.N.: On best-possible obfuscation. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 194–213. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_11
30. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_24
31. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)
32. Hofheinz, D., Kiltz, E.: Programmable hash functions and their applications. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 21–38. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_2
33. Hohenberger, S., Sahai, A., Waters, B.: Full domain hash from (leveled) multilinear maps and identity-based aggregate signatures. In: Canetti and Garay [9], pp. 494–512
34. Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 239–256. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_14
35. Lin, H.: Indistinguishability obfuscation from DDH on 5-linear maps and locality-5 PRGs. Cryptology ePrint Archive, Report 2016/1096 (2016)
36. Lin, H., Tessaro, S.: Indistinguishability obfuscation from bilinear maps and block-wise local PRGs. Cryptology ePrint Archive, Report 2017/250 (2017)
37. Miles, E., Sahai, A., Zhandry, M.: Annihilation attacks for multilinear maps: cryptanalysis of indistinguishability obfuscation over GGH13. In: Robshaw and Katz [41], pp. 629–658
38. Oswald, E., Fischlin, M. (eds.): EUROCRYPT 2015, Part II. LNCS, vol. 9057. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6
39. Paneth, O., Sahai, A.: On the equivalence of obfuscation and multilinear maps. Cryptology ePrint Archive, Report 2015/791 (2015)
40. Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation from semantically-secure multilinear encodings. In: Garay and Gennaro [21], pp. 500–517
41. Robshaw, M., Katz, J. (eds.): CRYPTO 2016, Part II. LNCS, vol. 9815. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5
42. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 475–484. ACM Press, May/June 2014
43. Zhang, F., Safavi-Naini, R., Susilo, W.: An efficient signature scheme from bilinear pairings and its applications. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 277–290. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_20