New Multilinear Maps Over the Integers
Abstract
In the last few years, cryptographic multilinear maps have proved their tremendous potential as building blocks for new constructions, in particular the first viable approach to general program obfuscation. After the first candidate construction by Garg, Gentry and Halevi (GGH) based on ideal lattices, a second construction over the integers was described by Coron, Lepoint and Tibouchi (CLT). However the CLT scheme was recently broken by Cheon et al.; the attack works by computing the eigenvalues of a diagonalizable matrix over \({\mathbb Q}\) derived from the multilinear map.
In this paper we describe a new candidate multilinear map over the integers. Our construction is based on CLT but with a new arithmetic technique that makes the zero-testing element nonlinear in the encoding, which prevents the Cheon et al. attack. Our new construction is relatively practical as its efficiency is comparable to the original CLT scheme. Moreover the subgroup membership and decisional linear assumptions appear to hold in the new setting.
1 Introduction
Multilinear Maps. Since the breakthrough construction of Garg, Gentry and Halevi [GGH13a], there has been a growing interest in cryptographic multilinear maps. They have spurred scores of new cryptographic applications. Chief among them is possibly the first proposed approach to general program obfuscation [GGH+13b]. Currently only three candidate constructions are known. Shortly after the first candidate construction of multilinear maps based on ideal lattices [GGH13a] (which we will refer to as GGH), Coron, Lepoint and Tibouchi proposed a second construction over the integers (CLT) using the same general paradigm [CLT13]. Recently, Gentry, Gorbunov and Halevi proposed another multilinear map construction, in which the map is defined with respect to a directed acyclic graph [GGH15].
A straightforward application of multilinear maps is multipartite Diffie-Hellman key exchange with \(\kappa +1\) users, where \(\kappa \) is the maximum level of the multilinear map scheme. Initially each user publishes a level-1 encoding of a random element while keeping a level-0 encoding of the same element private. Then each user can compute the product of its level-0 encoding by the product of the level-1 encodings of the other users. With \(\kappa +1\) users this gives a level-\(\kappa \) encoding from which the same secret value can be extracted by all users. The security of the protocol relies on a new hardness assumption which is a natural extension of the Decisional Diffie-Hellman assumption.
Cheon et al. Attack. The CLT scheme above was completely broken by a recent attack from Cheon, Han, Lee, Ryu and Stehlé [CHL+15]; the attack runs in polynomial time, and recovers all secret parameters. The attack works by computing the eigenvalues of a diagonalizable matrix over \({\mathbb Q}\) derived from the multilinear map. More precisely, when applying the zero-testing procedure to the product of two encodings x and \(x'\), where x is an encoding of 0, the resulting \(\omega \) in (2) can be seen as a diagonal quadratic form over \({\mathbb Z}\) in the CRT components \(x {\hbox { mod }}p_i\) and \(x' {\hbox { mod }}p_i\). By computing the values \(\omega _{jk}\) of the quadratic form for \(n^2\) product pairs of encodings \(x_j \cdot x'_k\), one can then recover the coefficients of the quadratic form using eigendecomposition, which reveals all the secret \(p_i\)’s and completely breaks the scheme. We recall the attack in more detail in Sect. 3.
Tentative Fixes. Shortly after the Cheon et al. attack, two independent approaches to fix the CLT scheme were proposed on the Cryptology ePrint Archive, due to Garg, Gentry, Halevi and Zhandry on the one hand [GGHZ14, Sect. 7]^{1}, and Boneh, Wu and Zimmerman on the other [BWZ14]. However, both countermeasures were shown to be insecure in [CLT14, CGH+15]. Indeed, although these countermeasures do not expose encodings of zero, the value \(\omega \) from the zero-testing procedure can still be expressed as a quadratic form in the CRT components of encodings. As a result, they can both be broken by a variant of the original Cheon et al. attack. Further extensions of the Cheon et al. attack along those lines are presented in [GHMS14, CGH+15].
Our New Construction. Our new construction keeps the same CLT encodings but departs from the two previous countermeasures by modifying the zero-testing procedure itself. Namely, we modify the definition of the zero-testing element \(p_{zt}\) so that \(\omega \) cannot be expressed as a quadratic form anymore. For this we use a new arithmetic technique that maps the n CRT components \(c {\hbox { mod }}p_i\) to some value modulo an independent integer N, so that the resulting \(\omega \) in the zero-testing procedure depends on the CRT components in a nonlinear way, rather than linearly as in (2).
Security Analysis. By comparing Eqs. (2) and (4), we see that the original CLT scheme is actually a particular case, with \(N=x_0\) and \(v_0=0\). Therefore the main difference in the new scheme is that \(v_0 \ne 0\), which causes the value \(\omega \) in (4) to depend on the integer a in (3). But that integer a depends on the CRT components \(r_i\) in a nonlinear way. As a result, it is no longer true that the value \(\omega \) computed from encoding products \(x_j \cdot x'_k\) can be expressed as a quadratic form in the CRT components of \(x_j\) and \(x'_k\), and the Cheon et al. attack is thus thwarted.
Another difference with the original CLT scheme is that we cannot publish \(x_0=\prod _{i=1}^n p_i\) anymore. Namely for encodings of 0 we get a small \(\omega \) and therefore (4) holds over \({\mathbb Z}\). Therefore from \(x_0\) one could compute \(v_0=p_{zt} \cdot x_0 {\hbox { mod }}N\) and apply the Cheon et al. attack modulo \(v_0\) instead of over \({\mathbb Z}\). It is not a problem to keep \(x_0\) private, however, as we can mimic the technique introduced by van Dijk et al. for their fully homomorphic encryption scheme over the integers [DGHV10] and approximate modular reduction by \(x_0\) with a ladder of encodings of zero of increasing sizes.
We provide a detailed security analysis of our new construction in Sect. 3 (for the Cheon et al. attack and its variants) and Sect. 4 (for lattice attacks). We also explain why the subgroup membership (SubM) and decisional linear (DLIN) problems, which are known to be easy in the GGH scheme [GGH13a], seem to be hard in our new setting.
Implementation. We describe an implementation of our scheme, with a few optimizations. Instead of using a ladder of encodings of 0 at every level, we publish a small multiple \(x'_0\) of \(x_0\) so that intermediate encodings can be reduced modulo \(x'_0\); only at the last level do we use a ladder of a few level-\(\kappa \) encodings of 0. Additionally, to reduce the size of public parameters, we store only a small subset of the public elements needed for rerandomization and combine them pairwise to generate the full public parameters, as in [CLT13]; such an optimization was originally described in [GH11]. With these optimizations our scheme is relatively practical; for reasonable security parameters a multipartite Diffie-Hellman computation with 7 users requires about 30 seconds, with a public parameter size of roughly 6 GBytes; a proof-of-concept implementation is available at [Lep15].
2 New Multilinear Map Over the Integers
 1. The zero-testing parameter \({{\varvec{p}}}_{zt}\) is computed differently, so that the CRT components modulo \(p_i\) of a level-\(\kappa \) encoding c are mapped to some value modulo an independent integer N, instead of modulo \(x_0\). The resulting \(\varvec{\omega }\) in the zero-testing procedure then depends on those CRT components in a nonlinear way, rather than linearly as in the original CLT scheme, which prevents the Cheon et al. attack.
 2. The integer \(x_0=\prod _{i=1}^n p_i\) is kept private. For rerandomization, this implies that we must slightly modify the proof of statistical indistinguishability. To reduce the size of intermediate encodings back to the size of \(x_0\), we publish a ladder of encodings of 0. In Sect. 5 we describe a simple optimization with a public multiple \(x'_0\) of \(x_0\).
2.1 Scheme Description

n: the vector dimension

\(\eta \): the bitsize of the primes \(p_i\)

\(\alpha \): the bitsize of the primes \(g_i\)

\(\rho \): the bitsize of the randomness used in encodings
Instance Generation: \((\mathsf {pp}, {{\varvec{p}}}_{zt}) \leftarrow \mathsf {instGen}(1^\lambda ,1^\kappa )\). Instance generation is similar to [CLT13], except for the generation of \({{\varvec{p}}}_{zt}\); moreover \(x_0\) is kept private. We generate n secret random \(\eta \)-bit primes \(p_i\) and compute \( x_0=\prod _{i=1}^n p_i\). We generate a random invertible integer z modulo \(x_0\). We generate n random \(\alpha \)-bit prime integers \(g_i\), and various other parameters that will be specified later.
Lemma 1
([CLT13]). Let \(c\leftarrow \mathsf {samp}(\mathsf {pp})\) and write \(c\equiv r_i\cdot g_i+m_i\pmod {p_i}\). Assume \(\ell \geqslant n \cdot \alpha +2\lambda \). The distribution of \((\mathsf {pp},{{\varvec{m}}})\) is statistically close to the distribution of \((\mathsf {pp},{{\varvec{m}}}')\) where \({{\varvec{m}}}' \leftarrow R\).
As opposed to [CLT13] we cannot reduce c modulo \(x_0\); we only have the upper bound \(c \leqslant \ell \cdot 2^\gamma \), where \(\gamma \) is the size of \(x_0\) in bits. In the full version of this paper [CLT15], we show that instead of random sampling one can also publicly encode elements from the domain R, using a technique described in [BWZ14].
More generally to generate a level-k encoding we compute \(c_k=c_0 \cdot y^k\), and the size of \(c_k\) can be iteratively reduced after each multiplication by y using ladders of similarly designed level-k encodings \(\{X^{(k')}_j\}_{j=0}^{\gamma +\lfloor \log _2\ell \rfloor }\) for levels \(k'=1,\ldots ,k\).
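The ladder reduction described above, as an added toy example (not code from the paper or from its proof-of-concept implementation): the product of two level-0 encodings is shrunk back to about \(\gamma \) bits using only public encodings of 0, and a secret-key check confirms the plaintext \(m_i \cdot m'_i {\hbox { mod }}g_i\) is unchanged. The parameter sizes, the seed, all names, and the ladder shape \(X_j = \text{zero}_j + q_j \cdot x_0\) with \(2^j \leqslant q_j < 2^{j+1}\) are assumptions made for illustration.

```python
import math
import random

def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, math.isqrt(n) + 1, 2))

def rand_prime(rng, bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(c):
            return c

class ToyInstance:
    """Constructed toy parameters (n, eta, alpha, rho); far too small to be secure."""
    def __init__(self, n=4, eta=40, alpha=6, rho=6, seed=2015):
        self.rng, self.rho = random.Random(seed), rho
        self.p = []                               # secret primes p_i
        while len(self.p) < n:
            q = rand_prime(self.rng, eta)
            if q not in self.p:
                self.p.append(q)
        self.g = [rand_prime(self.rng, alpha) for _ in range(n)]  # moduli g_i
        self.x0 = math.prod(self.p)               # secret: users never see x0
        self.gamma = self.x0.bit_length()

    def _crt(self, residues):
        total = 0
        for r, q in zip(residues, self.p):
            cof = self.x0 // q
            total += r * cof * pow(cof, -1, q)
        return total % self.x0

    def encode(self, m):
        """Level-0 encoding: c = r_i*g_i + m_i (mod p_i), with rho-bit noise r_i."""
        return self._crt([self.rng.getrandbits(self.rho) * g + mi
                          for g, mi in zip(self.g, m)])

    def decode(self, c):
        """Secret-key check: centre c mod p_i, then reduce mod g_i."""
        out = []
        for q, g in zip(self.p, self.g):
            v = c % q
            if v > q // 2:
                v -= q
            out.append(v % g)
        return out

    def ladder(self, steps):
        """Public encodings of 0 of increasing size (assumed shape, see lead-in)."""
        zero = [0] * len(self.g)
        return [self.encode(zero) + self.rng.randrange(1 << j, 2 << j) * self.x0
                for j in range(steps)]

def ladder_reduce(c, ladder):
    """Uses public values only. Returns (reduced c, largest quotient seen)."""
    worst = 0
    for X in reversed(ladder):                    # largest ladder element first
        k, c = divmod(c, X)                       # each step adds k times X's noise
        worst = max(worst, k)
    return c, worst

def demo(seed=2015):
    inst = ToyInstance(seed=seed)
    m1 = [inst.rng.randrange(g) for g in inst.g]
    m2 = [inst.rng.randrange(g) for g in inst.g]
    product = inst.encode(m1) * inst.encode(m2)   # about 2*gamma bits
    reduced, worst = ladder_reduce(product, inst.ladder(inst.gamma + 2))
    want = [a * b % g for a, b, g in zip(m1, m2, inst.g)]
    return inst, product, reduced, worst, want

if __name__ == "__main__":
    inst, product, reduced, worst, want = demo()
    print(product.bit_length(), "->", reduced.bit_length(), "bits, max quotient", worst)
    print("plaintext preserved:", inst.decode(reduced) == want)
```

Because consecutive ladder elements differ in size by about one bit, every quotient stays at most 3, so the noise added by the reduction grows only linearly in the ladder length.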
Lemma 2
Let the encodings \(c \leftarrow \mathsf {samp}(\mathsf {pp})\), \(\hat{c}_1 \leftarrow \mathsf {enc}(\mathsf {pp},1,c)\), and \(c'_1\) as given by (10). Write \(c'_1\equiv (r_i \cdot g_i+m_i)/z \pmod {p_i}\) for all \(1 \leqslant i \leqslant n\) and \(r_{n+1}=(c'_1-\sum r_i\cdot g_i\cdot u_i)/x_0\), and define \({{\varvec{r}}}=(r_1,\ldots ,r_n,r_{n+1})^T\). If \(2(\rho +\alpha +\lambda ) \leqslant \eta \) and \(\tau \geqslant (n+2) \cdot \rho +2\lambda \), then the distribution of \((\mathsf {pp},{{\varvec{r}}})\) is statistically close to that of \((\mathsf {pp},{{\varvec{r'}}})\), where \({{\varvec{r'}}} \in \mathbb {Z}^{n+1}\) is randomly generated in the half-open parallelepiped spanned by the column vectors of \(2^\mu \varvec{\varPi }\). Moreover we have \(r_i \cdot g_i+m_i \leqslant 4n^2 \cdot 2^{2\rho +2\alpha +\lambda }\) for all \(1 \leqslant i \leqslant n\).
Lemma 3
Let n, \(\eta \), \(\alpha \) and \(\beta \) be as in our parameter setting. Let \(\rho _f\) be such that \(\alpha +\log _2 n<\rho _f \leqslant \eta -2\beta -2\alpha -\lambda -8\), and let \(\nu =\eta -\rho _f-\beta -\lambda -3 \geqslant 2\alpha +\beta +5\). Let c be such that \( c \equiv (r_i \cdot g_i+m_i)/z^\kappa \pmod {p_i}\) for all \(1 \leqslant i \leqslant n\), where \(0 \leqslant m_i < g_i\) for all i. Let \({{\varvec{r}}}=(r_i)_{1 \leqslant i \leqslant n}\) and assume that \(\Vert {{\varvec{r}}} \Vert _{\infty } < 2^{\rho _f}\). If \({{\varvec{m}}}=0\) then \(\Vert {\varvec{\omega }} \Vert _{\infty } < 2^{-\nu -\lambda }\cdot N\). Conversely if \({{\varvec{m}}} \ne 0\) then \(\Vert \varvec{\omega } \Vert _{\infty } > 2^{-\nu +2}\cdot N\).
Namely if two encodings c and \(c'\) encode the same \({{\varvec{m}}} \in \mathbb {Z}^n\) then from Lemma 3 we have \( \Vert (c-c') \cdot {{\varvec{p}}}_{zt} {\hbox { mod }}N \Vert _\infty < N \cdot 2^{-\nu -\lambda }\), and therefore we expect that \(\varvec{\omega }=c \cdot {{\varvec{p}}}_{zt} {\hbox { mod }}N\) and \(\varvec{\omega '}=c' \cdot {{\varvec{p}}}_{zt} {\hbox { mod }}N\) agree on their \(\nu \) most significant bits, and therefore extract to the same value.
Conversely if c and \(c'\) encode different vectors then by Lemma 3 we must have \( \Vert (c-c') \cdot {{\varvec{p}}}_{zt} {\hbox { mod }}N \Vert _\infty > N \cdot 2^{-\nu +2}\), and therefore the \(\nu \) most significant bits of the corresponding \(\varvec{\omega }\) and \(\varvec{\omega '}\) must be different. This implies that for random \({{\varvec{m}}} \in R=\mathbb {Z}_{g_1} \times \cdots \times \mathbb {Z}_{g_n}\) the min-entropy of \(\mathsf{msbs}_{\nu }(c \cdot {{\varvec{p}}}_{zt} {\hbox { mod }}N)\) when c encodes \({{\varvec{m}}}\) is at least \(\log _2 R \geqslant n(\alpha -1)\). Therefore we can use a strong randomness extractor to extract a nearly uniform bit-string of length \(\lfloor \log _2 R \rfloor -\lambda \).
This concludes the description of our new multilinear encoding scheme.
Remark 1
By comparing Eqs. (2) and (4) we see that the original CLT scheme is a particular case with \(N=x_0\) and \(\alpha _i=0\) for all \(1 \leqslant i \leqslant n\). Therefore the main difference of our construction is that it incorporates the additional term a, which depends on the \(r_i\)’s in a nonlinear way; this is to prevent the Cheon et al. attack (see Sect. 3).
2.2 Setting the Parameters
The constraints on the system parameters are similar to [CLT13].

The bitsize \(\rho \) of the randomness used for encodings must satisfy \(\rho =\varOmega (\lambda )\) to avoid brute force attack on the noise. The improved attacks from [CN12] and [LS14] both have complexity \(\mathcal{\tilde{O}}(2^{\rho /2})\), but with a large overhead, so in practice we can take \(\rho =\lambda \).

The bitsize \(\alpha \) of the primes \(g_i\) must be large enough so that the order of the group \(R=\mathbb {Z}_{g_1} \times \cdots \times \mathbb {Z}_{g_n}\) does not contain small prime factors (see the full version of this paper [CLT15]). One can take \(\alpha =\lambda \).

The parameter n must be large enough to thwart lattice-based attacks on the encodings, namely \(n = \omega (\eta \log \lambda )\); see Sect. 4.

The number \(\ell \) of level-0 encodings \(x'_j\) for \(\mathsf{samp}\) must satisfy \(\ell \geqslant n\cdot \alpha +2\lambda \) in order to apply the leftover hash lemma; see Lemma 1.

The number \(\tau \) of level-1 encodings \(x_j\) must satisfy \(\tau \geqslant (n+2) \cdot \rho +2\lambda \) in order to apply the leftover hash lemma over lattices; see Lemma 2.

As a conservative security precaution, we take \(\beta =3\lambda \) (see the full version of this paper [CLT15]).

The bitsize \(\eta \) of the primes \(p_i\) must satisfy \(\eta \geqslant \rho _f+2\alpha +2\beta +\lambda +8\), where \(\rho _f\) is the maximum bit size of the randoms \(r_i\) in a level-\(\kappa \) encoding (see Lemma 3). When computing the product of \(\kappa \) level-1 encodings and an additional level-0 encoding (as in a multipartite Diffie-Hellman key exchange with \(\kappa +1\) users), one obtains \(\rho _f=\kappa \cdot (2\rho +2\alpha +\lambda +2\log _2 n+3)+\rho +\log _2 \ell +1\) (see previous Section).

We set \(\nu =\eta -\rho _f-\lambda -\beta -3\) for the number of most significant bits to extract (see Lemma 3).
2.3 Security of Our Construction
As in the original CLT scheme [CLT13] and in the GGH scheme [GGH13a] the security of our construction does not seem to be reducible to more classical assumptions, such as for example the Approximate-GCD problem. To prove the security of the one-round \((\kappa +1)\)-way Diffie-Hellman key exchange protocol, as in [GGH13a] one must therefore make the assumption that solving the Graded DDH problem (GDDH) is hard in our scheme; see the full version of this paper [CLT15].
3 Cheon et al. Attack
The goal of this section is to argue that the Cheon et al. attack [CHL+15] is prevented in our new construction.
3.1 Attack Description
We first recall the Cheon et al. attack against the original CLT scheme. This attack makes use of low-level encodings of 0: if such encodings are made public, one can recover in polynomial time all secret parameters. In the CLT scheme such encodings of 0 are used for the rerandomization procedure, therefore the Cheon et al. attack leads to a complete break of CLT.
Extension. A similar attack applies against two independent approaches to fix the CLT scheme, [GGHZ14, Sect. 7] and [BWZ14], proposed shortly after the Cheon et al. attack. Namely, although the two countermeasures do not expose encodings of zero, the value \(\omega \) from the zero-testing procedure can still be expressed as a diagonal quadratic form in the CRT components of encodings, as in Eq. (18), hence the two countermeasures can be broken by the same technique; we refer to [CLT14] for a description of the modified attacks.
3.2 Non-applicability of Cheon et al. Attack
Now comparing equalities (16) and (21), we see that we obtain two additional terms: the \(s_i\)’s and the integer a. The \(s_i\)’s come from reducing \(c'\) with the ladder of level-\(\kappa \) encodings of 0, so that eventually \(0 \leqslant c'' <x_0\); therefore the \(s_i\)’s depend on \(x \cdot c \cdot x'\) in a nonlinear way. Similarly the integer a in (21), which is the quotient of the division of \(\sum _{i=1}^n \left( x_i \cdot c_i \cdot r'_i +s_i \right) \cdot u_i\) by \(x_0\), depends on the \(x_i \cdot c_i \cdot x'_i\) in a nonlinear way. Therefore, if we apply the Cheon et al. attack, we do not obtain a quadratic form as in (18) anymore.
Remark 2
If we do not reduce \(c'_{jk}\) with the ladder of encodings, the \(s_{ijk}\) terms disappear but the integers \(a_{jk}\) become too large and (22) does not hold over \({\mathbb Z}\) anymore. The equation still holds modulo N; however, there is still the additional term \(a_{jk}\) that prevents the Cheon et al. attack.
3.3 Attack with Known \(x_0\)
In this section we describe an extension of the Cheon et al. attack against our scheme when \(x_0\) is known; this explains why \(x_0\) must be kept secret in our scheme.
Therefore we can apply the Cheon et al. attack modulo \(v_0\) instead of over \({\mathbb Z}\). If \(v_0\) is prime, one can recover the eigenvalues of \({{\varvec{W}}}={\varvec{W}}_{{\varvec{c}}} \cdot {{\varvec{W}}}_\mathbf{1 }^{-1} {\hbox { mod }}v_0\) by factoring the characteristic polynomial modulo \(v_0\), which reveals the \(c_i\)’s as previously. If a prime p can be extracted from \(v_0\), one can still apply the attack modulo p and recover the \(c_i\)’s modulo p; for large enough p this reveals the \(c_i\)’s; alternatively for sufficiently many such primes p, the \(c_i\)’s could be recovered by CRT.
Actually the attack also works even if \(v_0\) is hard to factor and no prime can be extracted. Namely the eigenvalues \(c_i\)’s are small, so to recover the roots of the characteristic polynomial one can use Coppersmith’s first theorem for finding small roots of polynomial equations modulo an integer of unknown factorization [Cop97]. Namely Coppersmith’s bound applies: with a modulus \(v_0\) of size roughly \(\gamma \) bits and a characteristic polynomial of degree n, the roots have size only roughly \(\rho \) bits, with \(\rho \ll \eta \simeq \gamma /n\).
3.4 Attack for Small Multiple of \(x_0\)
3.5 The Subgroup Membership and Decision Linear Problems
In the full version of this paper [CLT15] we also explain why the subgroup membership (SubM) and decisional linear (DLIN) problems, which are known to be easy in the GGH scheme [GGH13a], seem to be hard in our new setting.
4 Lattice Attacks
4.1 Lattice Attack on the Encodings
The first attack considered in [CLT13] against the original CLT scheme was based on computing a short basis for the lattice of vectors orthogonal modulo \(x_0\) to \({{\varvec{x}}} = (x_j)_{1\leqslant j\leqslant t}\), where the \(x_j\)’s are level-0 encodings of zero [CLT13, Sect. 5.1]. If the reduced basis vectors are short enough, they can reveal the noise values of the \(x_j\)’s and hence break the scheme.
The attack does not apply directly to our modified scheme, because \(x_0\) is now secret, and it is therefore no longer possible to compute a basis for the lattice of vectors orthogonal to \({{\varvec{x}}}\) modulo \(x_0\). However, we can also mount the attack using the lattice \({{\varvec{x}}}^\perp \) of vectors orthogonal to \({{\varvec{x}}}\) over \(\mathbb {Z}\), or the lattice of vectors orthogonal to \({{\varvec{x}}}\) modulo some multiple \(x'_0\) of \(x_0\) when using the optimization suggested in Sect. 5 below.
Just as in [CLT13, Sect. 5.1], though, the complexity of these extended attacks remains exponential in n; it is in fact slightly worse, because the new lattice has slightly longer vectors for a given choice of the lattice dimension t. In particular, the complexity lower bound of \(2^{\varOmega (\gamma /\eta ^2)}\) applies a fortiori. The attack is therefore defeated by letting \(n=\omega (\eta \log \lambda )\).
4.2 Lattice Attack Against \(p_{zt}\)
We describe the attack in more detail in the full version of this paper [CLT15]. We show that the lattice attack has a complexity lower bound of \(2^{\varOmega (n/\eta )} = 2^{\varOmega (\gamma /\eta ^2)}\), just as in Sect. 4.1. Thus, this attack is thwarted by our choice of parameters.
In the full version of this paper [CLT15], we consider three other lattice attacks on the zerotesting parameter \(p_{zt}\), which are variants of the lattice attacks considered in [CLT13, Sects. 5.2, 5.3 and 5.4]. We show that they are also thwarted by our choice of parameters.
5 Optimizations and Implementation
 1. Integer \(p_{zt}\): as in [CLT13] we use a single integer \(p_{zt}\) instead of a vector \({{\varvec{p}}}_{zt}\) with n components, as this is enough for Diffie-Hellman key exchange. Moreover the integer N can be generated as the product of large enough prime integers, instead of being prime.
 2. Known multiple of \(x_0\): we publish a multiple \(x'_0=q \cdot x_0\) of \(x_0\), so that all intermediate encodings can be reduced modulo \(x'_0\), instead of using a ladder of encodings of 0 at each level.
 3. Quadratic rerandomization: as in [CLT13] we only store a small subset of encodings which are later combined pairwise to generate the full set of encodings. This implies that the randomization of encodings becomes heuristic only. We describe a slightly more efficient variant.
Parameters and timings to instantiate a one-round 7-way Diffie-Hellman key exchange protocol with \(\kappa =6\), \(\ell =2\lambda \) and \(\alpha ,\beta ,\nu =\lambda \) on a 16-core computer (Intel Xeon E7-8837 at 2.67 GHz). \(\mathsf{Setup}\) was run in parallel on the 16 cores, while the other steps ran on a single core. Publish and KeyGen timings are per party.

Footnotes
 1. We refer to the revised version of [GGHZ14] of November 12 2014, accessible on the Cryptology ePrint Archive.
 2. More precisely, we apply Legendre reduction to the 2-dimensional lattice generated by the rows of \(\begin{pmatrix} \lceil N/B^2\rceil & u'_i/p_i {\hbox { mod }}N \\ 0 & N \end{pmatrix}\), where \(B = (3/4)^{1/4} 2^{\eta -1}\). The shortest vector is of the form \((\alpha _i\lceil N/B^2\rceil , \beta _i)\).
References
 [ACPS] Albrecht, M., Cadé, D., Pujol, X., Stehlé, D.: fpLLL-4.0, a floating-point LLL implementation. http://perso.enslyon.fr/damien.stehle
 [BS03] Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography. Contemp. Math. 324, 71–90 (2003)
 [BWZ14] Boneh, D., Wu, D.J., Zimmerman, J.: Immunizing multilinear maps against zeroizing attacks. Cryptology ePrint Archive, report 2014/930 (2014). http://eprint.iacr.org/
 [CGH+15] Coron, J.-S., Gentry, C., Halevi, S., Lepoint, T., Maji, H.K., Miles, E., Raykova, M., Sahai, A., Tibouchi, M.: Zeroizing without low-level zeroes: new attacks on multilinear maps and their limitations. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO, LNCS. Springer (2015, to appear)
 [CHL+15] Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015)
 [CLT13] Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013)
 [CLT14] Coron, J.-S., Lepoint, T., Tibouchi, M.: Cryptanalysis of two candidate fixes of multilinear maps over the integers. Cryptology ePrint Archive, report 2014/975 (2014). http://eprint.iacr.org/
 [CLT15] Coron, J.-S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. Cryptology ePrint Archive, report 2015/162 (2015). http://eprint.iacr.org/. Full version of this paper
 [CN12] Chen, Y., Nguyen, P.Q.: Faster algorithms for approximate common divisors: breaking fully-homomorphic-encryption challenges over the integers. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 502–519. Springer, Heidelberg (2012)
 [Cop97] Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Crypt. 10(4), 233–260 (1997)
 [DGHV10] van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010)
 [GGH13a] Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013)
 [GGH+13b] Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49. IEEE Computer Society (2013)
 [GGH15] Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015)
 [GGHZ14] Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Fully secure functional encryption without obfuscation. Cryptology ePrint Archive, report 2014/666 (2014). http://eprint.iacr.org/
 [GH11] Gentry, C., Halevi, S.: Implementing Gentry’s fully-homomorphic encryption scheme. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 129–148. Springer, Heidelberg (2011)
 [GHMS14] Gentry, C., Halevi, S., Maji, H.K., Sahai, A.: Zeroizing without zeroes: cryptanalyzing multilinear maps without encodings of zero. Cryptology ePrint Archive, report 2014/929 (2014). http://eprint.iacr.org/
 [Gt14] Granlund, T. and the GMP development team. GNU MP: the GNU multiple precision arithmetic library, 6.0.0 edn. (2014). http://gmplib.org/
 [Lep15] Lepoint, T.: Proof-of-concept implementation of the “new” multilinear maps over the integers (2015). https://github.com/tlepoint/newmultilinearmaps
 [LS14] Lee, H.T., Seo, J.H.: Security analysis of multilinear maps over the integers. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 224–240. Springer, Heidelberg (2014)