Multilinear Maps from Obfuscation

We provide constructions of multilinear groups equipped with natural hard problems from indistinguishability obfuscation, homomorphic encryption, and NIZKs. This complements known results on the constructions of indistinguishability obfuscators from multilinear maps in the reverse direction. We provide two distinct, but closely related constructions and show that multilinear analogues of the $\text{DDH}$ assumption hold for them. Our first construction is symmetric and comes with a $\kappa$-linear map $\mathbf{e}: \mathbb{G}^{\kappa} \longrightarrow \mathbb{G}_T$ for prime-order groups $\mathbb{G}$ and $\mathbb{G}_T$.
To establish the hardness of the $\kappa$-linear $\text{DDH}$ problem, we rely on the existence of a base group for which the $\kappa$-strong $\text{DDH}$ assumption holds.
Our second construction is for the asymmetric setting, where $\mathbf{e}: \mathbb{G}_1 \times \cdots \times \mathbb{G}_{\kappa} \longrightarrow \mathbb{G}_T$ for a collection of $\kappa+1$ prime-order groups $\mathbb{G}_i$ and $\mathbb{G}_T$, and relies only on the 1-strong $\text{DDH}$ assumption in its base group. In both constructions, the linearity $\kappa$ can be set to any arbitrary but a priori fixed polynomial value in the security parameter.
We rely on a number of powerful tools in our constructions: probabilistic indistinguishability obfuscation, dual-mode NIZK proof systems (with perfect soundness, witness-indistinguishability, and zero knowledge), and additively homomorphic encryption for the group $\mathbb{Z}_N^{+}$. At a high level, we enable "bootstrapping" multilinear assumptions from their simpler counterparts in standard cryptographic groups and show the equivalence of PIO and multilinear maps under the existence of the aforementioned primitives.


Main Contribution
In this paper, we explore the relationship between multilinear maps and obfuscation. Our main contribution is a construction of multilinear maps for groups of prime order equipped with natural hard problems, using indistinguishability obfuscation (IO) in combination with other tools, namely NIZK proofs, homomorphic encryption, and a base group $\mathbb{G}_0$ satisfying a mild cryptographic assumption. This complements known results in the reverse direction, showing that various forms of indistinguishability obfuscation can be constructed from multilinear maps [17,24,45]. The relationship between IO and multilinear maps is a very natural question to study, given the rich diversity of cryptographic constructions that have been obtained from both multilinear maps and obfuscation, and the apparent fragility of current constructions for multilinear maps. More on this below.
We provide two distinct but closely related constructions. One is for multilinear maps in the symmetric setting, that is, non-degenerate multilinear maps $\mathbf{e}: \mathbb{G}_1^{\kappa} \longrightarrow \mathbb{G}_T$ for groups $\mathbb{G}_1$ and $\mathbb{G}_T$ of prime order $N$. Our construction relies on the existence of a base group $\mathbb{G}_0$ in which the $\kappa$-SDDH assumption holds; this states that, given a $(\kappa+1)$-tuple of $\mathbb{G}_0$-elements $(g, g^{\omega}, \ldots, g^{\omega^{\kappa}})$, we cannot efficiently distinguish $g^{\omega^{\kappa+1}}$ from a random element of $\mathbb{G}_0$. Under this assumption, we prove that the $\kappa$-MDDH problem, a natural analogue of the DDH problem as stated below, is hard.
(The $\kappa$-MDDH problem, informal) Given a generator $g_1$ of $\mathbb{G}_1$ and $\kappa+1$ group elements $g_1^{a_i}$ in $\mathbb{G}_1$ with $a_i \leftarrow_{\$} \mathbb{Z}_N$, distinguish $\mathbf{e}(g_1, \ldots, g_1)^{\prod_{i=1}^{\kappa+1} a_i}$ from a random element of $\mathbb{G}_T$.
This problem can be used as the basis for several cryptographic constructions [7], including by now the classic example of multiparty non-interactive key exchange (NIKE) [23].
Our other construction is for the asymmetric setting; that is, for multilinear maps $\mathbf{e}: \mathbb{G}_1 \times \cdots \times \mathbb{G}_{\kappa} \longrightarrow \mathbb{G}_T$ for a collection of $\kappa$ groups $\mathbb{G}_i$ and $\mathbb{G}_T$ all of prime order $N$. It uses a base group $\mathbb{G}_0$ in which we require only that the 1-SDDH assumption holds. For this construction, we show that a natural asymmetric analogue of the $\kappa$-MDDH assumption holds.
At a high level, then, our constructions are able to "bootstrap" from rather mild assumptions in a standard cryptographic group to much stronger multilinear assumptions in a group (or groups, in the asymmetric setting) equipped with a $\kappa$-linear map. Here, $\kappa$ is fixed up-front at the time of setup, but is otherwise unrestricted. Of course, such constructions cannot be expected to come "for free," and we need to make use of powerful tools including probabilistic IO (PIO) for obfuscating randomized circuits [17], dual-mode NIZK proofs enjoying perfect soundness (for a binding CRS), perfect witness-indistinguishability (for a hiding CRS), and perfect zero knowledge, and additively homomorphic encryption for the group $(\mathbb{Z}_N, +)$ (or alternatively, a perfectly correct FHE scheme). We note that all these tools can be constructed from a (pair of) pairing-friendly groups (in which, e.g., the SXDH assumption holds), subexponentially secure one-way functions, and subexponentially secure IO. It is an important open problem arising from our work to weaken the requirements on, or remove altogether, these additional tools.

General Approach
Our approach to obtaining multilinear maps in the symmetric setting is as follows (with many details to follow in the main body). Let $\mathbb{G}_0$ with generator $g_0$ be a group of prime order $N$ in which the $\kappa$-SDDH assumption holds.
We work with redundant encodings of elements $h$ of the base group $\mathbb{G}_0$ of the form $h = g_0^{x_0}(g_0^{\omega})^{x_1}$, where $g_0^{\omega}$ comes from a $\kappa$-SDDH instance; we write $\mathbf{x} = (x_0, x_1)$ for the vector of exponents representing $h$. Then, $\mathbb{G}_1$ consists of all strings of the form $(h, c_1, c_2, \pi)$ where $h \in \mathbb{G}_0$, ciphertext $c_1$ is a homomorphic encryption under public key $pk_1$ of a vector $\mathbf{x}$ representing $h$, ciphertext $c_2$ is a homomorphic encryption under a second public key $pk_2$ of another vector $\mathbf{y}$ also representing $h$, and $\pi$ is a NIZK proof showing consistency of the two vectors $\mathbf{x}$ and $\mathbf{y}$, i.e., a proof that the plaintexts $\mathbf{x}, \mathbf{y}$ underlying $c_1, c_2$ encode the same group element $h$. Note that each element of the base group $\mathbb{G}_0$ is multiply represented when forming elements in $\mathbb{G}_1$, but that equality of group elements in $\mathbb{G}_1$ is easy to test. An alternative viewpoint is to consider $(c_1, c_2, \pi)$ as auxiliary information accompanying element $h \in \mathbb{G}_0$; we prefer the perspective of redundant encodings, and our abstraction in Sect. 3 is stated in such terms. When viewed in this way, our approach can be seen as closely related to the Naor-Yung paradigm for constructing CCA-secure PKE [37].
Addition of two elements in $\mathbb{G}_1$ is carried out by an obfuscation of a circuit $C_{\mathsf{Add}}$ that is published along with the groups. It has the secret keys $sk_1, sk_2$ hard-coded in; it first checks the respective proofs, then uses the additive homomorphic property of the encryption scheme to combine ciphertexts, and finally uses the secret keys $sk_1, sk_2$ as witnesses to generate a new NIZK proof showing equality of encodings. Note that the new encoding is as compact as that of the two input elements.
The multilinear map on inputs $(h_i, c_{i,1}, c_{i,2}, \pi_i)$ for $1 \le i \le \kappa$ is computed using the obfuscation of a circuit $C_{\mathsf{Map}}$ that has $sk_1$ and $\omega$ hard-coded in. This allows $C_{\mathsf{Map}}$ to "extract" full exponents of $h_i$ in the form $(x_{i,1} + \omega \cdot x_{i,2})$ from $c_{i,1}$ and thereby compute the element $g_0^{\prod_i (x_{i,1} + \omega \cdot x_{i,2})}$. This is defined to be the output of our multilinear map $\mathbf{e}$, and so our target group $\mathbb{G}_T$ is in fact $\mathbb{G}_0$, the base group. The multilinearity of $\mathbf{e}$ follows immediately from the form of the exponent.
In the asymmetric case, the main difference is that we work with different values $\omega_i$ in each of our input groups $\mathbb{G}_i$. However, the groups are all constructed via redundant encodings, just as above. This provides a high-level view of our approach, but no insight into why the approach achieves our aim of building multilinear maps with associated hard problems. Let us give some intuition on why the $\kappa$-MDDH problem is hard in our setting. We transform a $\kappa$-MDDH tuple $\mathbf{h} = ((g_1^{a_i})_{i \le \kappa+1}, g_T^{d})$, where $d$ is the product of the $a_i \in \mathbb{Z}_N$, $g_1$ is in the "encoded" form above, and thus $g_1 = (h_1, c_1, c_2, \pi)$, and $g_T$ is a generator of $\mathbb{G}_T = \mathbb{G}_0$, into another $\kappa$-MDDH tuple $\mathbf{h}'$ with exponents $a_i' = a_i + \omega$ for $i \le \kappa+1$. This means that the exponent of the challenge element in the target group, $d' = \prod_{i=1}^{\kappa+1}(a_i + \omega)$, can be seen as a degree $\kappa+1$ polynomial in $\omega$. Therefore, with the knowledge of the $a_i$ and a $\kappa$-SDDH challenge, with $\omega$ implicit in the exponent, we are able to switch $g_T^{d'}$ to a uniformly random value.
Nevertheless, in the preceding simplistic argument, we have made two assumptions. The first is that we are able to provide an obfuscation of a circuit $C'_{\mathsf{Map}}$ that has the same functionality as $C_{\mathsf{Map}}$ over $\mathbb{G}_1$ without explicit knowledge of $\omega$. We resolve this by showing a way of evaluating the $\kappa$-linear map on any elements of $\mathbb{G}_1$ using only the powers $g_0^{\omega^i}$ for $1 \le i \le \kappa$ and the vectors extracted from the accompanying ciphertexts, and then applying IO to the two circuits. The second assumption we made is that we can indeed switch from $\mathbf{h}$ to $\mathbf{h}'$ without being noticed; in other words, that the vectors $\mathbf{x}_i, \mathbf{y}_i$ representing $g^{a_i}$ can be replaced (without being noticed) with vectors $\mathbf{h}_i$ whose second coordinate is always fixed. Intuitively, this is based on the IND-CPA security of the FHE scheme, but in order to give a successful reduction, we also have to change the circuit $C_{\mathsf{Add}}$ (since $C_{\mathsf{Add}}$ uses both decryption keys) and apply probabilistic indistinguishability obfuscation [17] to the circuit.
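The algebra behind the construction just sketched, as an added worked example (this is illustrative code written for this page, not code from the paper). The encryption, NIZK and obfuscation layers are stripped away, so exponent vectors $(x_0, x_1)$ sit in the clear; what remains lets one check that the group law adds vectors, that the map output $g_0^{\prod_i (x_{i,0} + \omega x_{i,1})}$ does not depend on which representation of each element is used, that it is multilinear, and that a circuit knowing only the $\kappa$-SDDH powers $g_0^{\omega^i}$ for $i \le \kappa$ (the role of $C'_{\mathsf{Map}}$) computes the same value as one knowing $\omega$ (the role of $C_{\mathsf{Map}}$). The parameters $P = 2039$, $N = 1019$, $g_0 = 4$ and all function names are constructed for the example; a real instance would use a cryptographic-size group and keep the vectors inside the ciphertexts.

```python
import random
from functools import reduce

# Constructed toy parameters: P is a safe prime and N = (P-1)/2 is the prime
# order of the base group G_0 = <G0> inside Z_P^*.  Real instances use a
# cryptographic-size N; these values only make the algebra checkable by hand.
P = 2039
N = 1019
G0 = 4  # 2^2 mod P, a quadratic residue, hence of order N


def sddh_instance(omega, kappa):
    """Public part of a kappa-SDDH instance: [g0^(omega^i) for i = 0..kappa].
    The challenge value g0^(omega^(kappa+1)) is deliberately not included."""
    return [pow(G0, pow(omega, i, N), P) for i in range(kappa + 1)]


def encode(x0, x1, omega):
    """Redundant encoding (h, (x0, x1)) of h = g0^x0 * (g0^omega)^x1.
    In the paper the vector travels encrypted under pk1/pk2 with a NIZK."""
    x0, x1 = x0 % N, x1 % N
    return (pow(G0, (x0 + omega * x1) % N, P), (x0, x1))


def op(e1, e2):
    """Op_1: multiply the base elements and add the exponent vectors
    (the step C_Add performs homomorphically on the ciphertexts)."""
    (h1, (a0, a1)), (h2, (b0, b1)) = e1, e2
    return (h1 * h2 % P, ((a0 + b0) % N, (a1 + b1) % N))


def eq(e1, e2):
    """Eq_1: two encodings are equivalent iff they carry the same base element."""
    return e1[0] == e2[0]


def exp_enc(e, z):
    """Exp_1 by square-and-multiply over op; (1, (0, 0)) encodes the identity."""
    acc, base = (1, (0, 0)), e
    while z > 0:
        if z & 1:
            acc = op(acc, base)
        base = op(base, base)
        z >>= 1
    return acc


def map_with_omega(encs, omega):
    """C_Map: with omega hard-coded, recover each full exponent x0 + omega*x1
    and output g0^(product of full exponents) in G_T = G_0."""
    d = 1
    for _, (x0, x1) in encs:
        d = d * ((x0 + omega * x1) % N) % N
    return pow(G0, d, P)


def _poly_mul(a, b):
    """Product of two polynomials in omega, coefficients mod N, low degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % N
    return out


def map_from_powers(encs, powers):
    """C'_Map: knows only g0^(omega^i), i <= kappa.  The exponent
    prod_i (x_i0 + omega*x_i1) is a polynomial of degree <= kappa in omega, so
    g0^(it) = prod_i (g0^(omega^i))^(coeff_i) is computable without omega."""
    coeffs = reduce(_poly_mul, [[x0, x1] for _, (x0, x1) in encs], [1])
    if len(coeffs) > len(powers):
        raise ValueError("needs g0^(omega^%d), beyond the SDDH instance" % (len(coeffs) - 1))
    out = 1
    for c, g_pow in zip(coeffs, powers):
        out = out * pow(g_pow, c, P) % P
    return out


def demo(kappa=3, seed=1):
    """Run the consistency checks on random encodings; returns a dict of results."""
    rng = random.Random(seed)
    omega = rng.randrange(1, N)
    powers = sddh_instance(omega, kappa)
    encs = [encode(rng.randrange(N), rng.randrange(N), omega) for _ in range(kappa)]
    # A second representation of encs[0]: (x0 + omega*t, x1 - t) encodes the same h.
    x0, x1 = encs[0][1]
    t = rng.randrange(N)
    alt = encode(x0 + omega * t, x1 - t, omega)
    return {
        "same_element": eq(encs[0], alt),
        "map_agrees": map_with_omega(encs, omega) == map_from_powers(encs, powers),
        "map_well_defined": map_with_omega([alt] + encs[1:], omega) == map_with_omega(encs, omega),
        "multilinear": map_with_omega([op(encs[0], alt)] + encs[1:], omega)
                       == map_with_omega(encs, omega) * map_with_omega([alt] + encs[1:], omega) % P,
    }
```

`map_from_powers` refuses a product with $\kappa+1$ factors, and that is exactly the shape of the MDDH challenge exponent $d' = \prod_{i=1}^{\kappa+1}(a_i + \omega)$: its $\omega^{\kappa+1}$ coefficient multiplies the one power the $\kappa$-SDDH instance withholds, which is why the reduction can swap the challenge for a random value.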
We note that in this work, we do not construct graded encoding schemes as in [23]. That is, we do not construct maps from $\mathbb{G}_i \times \mathbb{G}_j$ to $\mathbb{G}_{i+j}$. On the other hand, our construction is noiseless and is closer to multilinear maps as defined by Boneh and Silverberg [7].
Hence, currently it is perhaps more plausible to assume that IO exists than it is to assume that secure (multi-level) multilinear maps exist. However, we stress that more cryptanalysis of IO constructions is required to investigate what security they provide.
Moreover, even though current constructions for IO rely on graded encoding schemes, it is not implausible that alternative routes to achieving IO without relying on multilinear maps will emerge in due course. Furthermore, multilinear maps, and more generally graded encoding schemes, have proven to be very fruitful as constructive tools in their own right (cf. [7,40], resp., [5,8,22,25,27,31,42]). This rich set of applications coupled with the current uncertainty over the status of graded encoding schemes and multilinear maps provides additional motivation to ask what additional tools are needed in order to upgrade IO to multilinear maps. As an additional benefit, we upgrade (via IO) noisy graded encoding schemes to clean multilinear maps, sometimes now informally called "dream" or "ideal" multilinear maps.

Related Work
The work that is technically closest to ours is that of Yamakawa et al. (see [43,44]); indeed, their work was the starting point for ours. Yamakawa et al. construct a self-pairing map, that is, a bilinear map from $\mathbb{G} \times \mathbb{G}$ to $\mathbb{G}$; multilinear maps can be obtained by iterating their self-pairing. Their work is limited to the RSA setting. It uses the group of signed quadratic residues modulo a Blum integer $N$, denoted $\mathsf{QR}_N^+$, to define a pairing function that, on input elements $g^x, g^y$ in $\mathsf{QR}_N^+$, outputs $g^{2xy}$. In their construction, elements of $\mathsf{QR}_N^+$ are augmented with auxiliary information to enable the pairing computation; in fact, the auxiliary information for an element $g^x$ is simply an obfuscation of a circuit for computing the $2x$-th power modulo $\mathrm{ord}(\mathsf{QR}_N^+)$, and the pairing is computed by evaluating this circuit on an input $g^y$ (say). The main contribution of [43] is in showing that these obfuscated circuits leak nothing about $x$ or the group order.
A nice feature of their scheme is that the degree of linearity $\kappa$ that can be accommodated is not limited up-front, in the sense that the pairing output is also a group element to which further pairing operations (derived from auxiliary information for other group elements) can be applied. However, the construction has several drawbacks. First, the element output by the pairing does not come with auxiliary information. Second, the size of the auxiliary information for a product of group elements grows exponentially with the length of the product, as each single product involves computing the obfuscation of a circuit for multiplying, with its inputs already being obfuscated circuits. Third, the main construction in [43] only builds hard problems for the self-pairing of the computational type. (In fact, they show the hardness of the computational version of the $\kappa$-MDDH problem in $\mathsf{QR}_N^+$ assuming that factoring is hard.) Still, this is sufficient for several cryptographic applications.
In contrast, our construction is generic with respect to its platform group. Furthermore, the equivalent of the auxiliary information in our approach does not itself involve any obfuscation. Consequently, the description of a product of group elements stays compact. Indeed, given perfect additively homomorphic encryption for $(\mathbb{Z}_p, +)$, we can perform arbitrary numbers of group operations in each component group $\mathbb{G}_i$. It is an open problem to find a means of augmenting our construction with the equivalent of auxiliary information in the target group $\mathbb{G}_T$, to make our multilinear maps amenable to iteration and thereby achieve graded maps as per [15,23].
Another related work is the work of Paneth and Sahai [39]. They show a near equivalence between a suitable abstraction of multilinear maps and IO. Their result requires no computational assumptions at all, but also does not consider multilinear maps in our sense. In particular, they construct an abstraction of a multilinear map that only admits restricted access to encodings, similar to the one in [24]. Beyond the group operation and the multilinear map, other procedures for, e.g., uniform sampling, comparison or rerandomization of encodings are not part of this abstraction. Our notion of a multilinear map, on the other hand, contains descriptions of efficient procedures for all of these tasks.

Follow-Up Work
The work [21] extends our approach from this work to graded encoding schemes (with multilinear maps). They use techniques similar to ours and in particular employ a suitable "switching theorem" (like our Theorem 1) to replace encodings of equivalent group elements.
On the other hand, the work [2] aims to construct groups (or, rather, encoding schemes) that support stronger computational assumptions. Specifically, [2] construct encoding schemes in which even an adaptive variant of the so-called Uber assumption [6] holds. The price that [2] pay is that their encoding scheme has no extraction algorithm (i.e., no algorithm that takes an encoding and outputs a bit string that is unique for the encoded group element). Not only is such an extraction algorithm useful to compare elements, it can also be used to transform non-unique group elements into a unique common secret in a Diffie-Hellman key exchange protocol. Observe that with non-unique group elements and without such an extraction algorithm, the two parties may end up with different representations of the same shared key.
In this setting, the only means to compare two group elements (given by possibly different encodings) is an explicit comparison algorithm that takes two encodings as input and outputs whether these encodings represent the same group element. ([2] provide such a comparison algorithm.) The techniques that [2] use are again an extension of our techniques.

Relation to Conference Version of This Work
Erratum. After the publication of the conference version of this work at TCC 2016-A, we became aware of several technical problems in our work. Specifically, the conference version of our work (and of course a previous full version) claimed (a) the validity of the RANK assumption (a reformulation of the $\mathcal{U}_n$-matrix Diffie-Hellman assumption from [19]) in our framework and (b) a variant of our construction that only uses indistinguishability obfuscation (instead of probabilistic indistinguishability obfuscation). We encountered serious problems in both respective proofs, and we are currently not aware of a way to repair these proofs.
Furthermore, we became aware of problems in the proof of the multilinear DDH assumption in our framework (both in the symmetric and asymmetric settings). These problems can be resolved, which in fact leads to a simpler proof from a slightly stronger computational assumption.
Hence, this version of our work omits the results (a) and (b) described above and provides corrected versions of the proofs of the MDDH assumption in our framework.
Changes to conference version. Besides the corrections explained above, this version features full proofs, and in particular a detailed and modular treatment of the central switching theorem (Theorem 1). Our constructed group has non-unique, randomized encodings in place of group elements, and Theorem 1 allows one to replace one encoding with another, as long as both encodings are functionally equivalent.

Notation
We denote the security parameter by $\lambda \in \mathbb{N}$ and assume that it is implicitly given to all algorithms in the unary representation $1^{\lambda}$. By an algorithm, we mean a stateless Turing machine. Algorithms are randomized unless stated otherwise, and ppt as usual stands for "probabilistic polynomial-time" in the (unary) security parameter. Given a randomized algorithm $\mathcal{A}$, we denote the action of running $\mathcal{A}$ on input(s) $(1^{\lambda}, x_1, \ldots)$ with fresh random coins $r$ and assigning the output(s) to $y_1, \ldots$ by $(y_1, \ldots) \leftarrow_{\$} \mathcal{A}(1^{\lambda}, x_1, \ldots; r)$. For a finite set $X$, we denote its cardinality by $|X|$ and the action of sampling a uniformly random element $x$ from $X$ by $x \leftarrow_{\$} X$. Vectors are written in boldface $\mathbf{x}$ and, by slight abuse of notation, running algorithms on vectors of elements indicates component-wise operation. Throughout the paper, $\bot$ denotes a special error symbol, and $\mathrm{poly}(\cdot)$ stands for a fixed polynomial. A real-valued function $\mathrm{negl}(\lambda)$ is negligible if $\mathrm{negl}(\lambda) \in O(\lambda^{-\omega(1)})$. We denote the set of all negligible functions by $\mathrm{Negl}$ and use $\mathrm{negl}(\lambda)$ to denote an unspecified negligible function.

Homomorphic Public-Key Encryption
Circuits. A polynomial-sized deterministic circuit family $\mathcal{C} := \{\mathcal{C}_{\lambda}\}_{\lambda \in \mathbb{N}}$ is a sequence of sets of $\mathrm{poly}(\lambda)$-sized circuits for a fixed polynomial $\mathrm{poly}$. We assume that for all $\lambda \in \mathbb{N}$, all circuits $C \in \mathcal{C}_{\lambda}$ share a common input domain $(\{0,1\}^{\lambda})^{a(\lambda)}$, where $a(\lambda)$ is the arity of the circuit family, and codomain $\{0,1\}^{\lambda}$. A randomized circuit family is defined similarly except that the circuits now also take random coins $r \in \{0,1\}^{r(\lambda)}$. To make the coins used by a circuit explicit (e.g., to view a randomized circuit as a deterministic one), we write $C(x; r)$.
Syntax and compactness. A tuple of ppt algorithms $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec}, \mathsf{Eval})$ is called a homomorphic public-key encryption (HPKE) scheme for a deterministic circuit family $\mathcal{C} = \{\mathcal{C}_{\lambda}\}_{\lambda \in \mathbb{N}}$ of arity $a(\lambda)$ if $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ is a conventional public-key encryption scheme with message space $\{0,1\}^{\lambda}$ and $\mathsf{Eval}$ is a deterministic algorithm that, on input a public key $pk$, a circuit $C \in \mathcal{C}_{\lambda}$ and ciphertexts $c_1, \ldots, c_{a(\lambda)}$, outputs a ciphertext $c$. We require HPKE schemes to be compact in the sense that the outputs of $\mathsf{Eval}$ have a size that is bounded by a polynomial function of the security parameter (and independent of the size of the circuit). Without loss of generality, we assume that secret keys of an HPKE scheme are the random coins used in key generation. This will allow us to check key pairs for validity.
We note that perfect correctness implies that every ciphertext (even an adversarially generated one) uniquely determines its decryption result, independently of the used secret key (for a given public key). Hence, it is reasonable to think of any ciphertext as "containing" a uniquely defined message (as long as only secret keys consistent with a given public key are used).
Security. The IND-CPA security of an HPKE scheme is defined identically to that of a standard PKE scheme, without reference to the $\mathsf{Dec}$ and $\mathsf{Eval}$ algorithms. Formally, we require that for any legitimate ppt adversary $\mathcal{A}$ the advantage in game $\mathrm{IND\text{-}CPA}_{\mathcal{A}}(\lambda)$, shown in Fig. 1 (left), is negligible. Adversary $\mathcal{A}$ is legitimate if it outputs two messages of equal lengths. HPKE schemes can be constructed from rerandomizable IND-CPA secure PKE schemes, subexponentially secure IO, and subexponentially secure one-way functions [17]. The correctness properties of this construction immediately follow from those of its underlying components. Although this HPKE construction may not be perfectly correct in our sense above, when used with ElGamal (which is rerandomizable and IND-CPA secure under the DDH assumption), it does satisfy our notion of perfect correctness.
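The HPKE interface above, illustrated with an added toy instantiation that is not the paper's scheme: exponential ElGamal in a small order-$N$ subgroup, which is additively homomorphic for $(\mathbb{Z}_N, +)$ and decryptable only because $N$ is small enough for a table-lookup discrete log. It shows $\mathsf{Eval}$ for an addition circuit returning a ciphertext no larger than its inputs (compactness), the convention that the secret key is the key-generation coin so that a key pair can be validated against $pk$, and component-wise encryption of an exponent vector as the paper's encodings carry. The parameters and all function names are constructed for this example.

```python
# Constructed toy parameters: safe prime P, prime N = (P-1)/2, and G0
# generating the order-N subgroup of Z_P^*.  Far too small for real use; the
# size is chosen so the discrete log in dec() is a table lookup.
P, N, G0 = 2039, 1019, 4

# Table g0^m -> m over the whole message space Z_N.
_DLOG = {pow(G0, m, P): m for m in range(N)}


def gen(coins):
    """Gen: the secret key is the key-generation coin sk in Z_N; pk = g0^sk."""
    sk = coins % N
    return pow(G0, sk, P), sk


def valid_keypair(pk, sk):
    """Re-run key generation with coins sk and compare against pk (the
    convention that secret keys are the key-generation coins makes this possible)."""
    return gen(sk)[0] == pk


def enc(pk, m, r):
    """Enc of m in Z_N under pk with coins r: (g0^r, g0^m * pk^r).
    The message sits in the exponent, which is what makes Eval additive."""
    r, m = r % N, m % N
    return (pow(G0, r, P), pow(G0, m, P) * pow(pk, r, P) % P)


def dec(sk, c):
    """Dec: strip pk^r = c1^sk (c1 has order N, so c1^(N - sk) is its inverse power),
    then invert g0^m through the table."""
    c1, c2 = c
    gm = c2 * pow(c1, N - sk % N, P) % P
    return _DLOG[gm]


def eval_add(pk, *cts):
    """Eval for the addition circuit of any arity: componentwise product of the
    ciphertexts.  The result is one ciphertext of the same size as each input."""
    c1, c2 = 1, 1
    for a, b in cts:
        c1, c2 = c1 * a % P, c2 * b % P
    return (c1, c2)


def eval_scale(pk, c, k):
    """Eval for multiplication by a public constant k: raise both components to k."""
    return (pow(c[0], k % N, P), pow(c[1], k % N, P))


def enc_vec(pk, vec, coins):
    """Componentwise encryption of an exponent vector such as x = (x0, x1)."""
    return tuple(enc(pk, m, r) for m, r in zip(vec, coins))


def eval_add_vec(pk, cv1, cv2):
    """Componentwise homomorphic addition of two encrypted vectors."""
    return tuple(eval_add(pk, a, b) for a, b in zip(cv1, cv2))


def dec_vec(sk, cv):
    return tuple(dec(sk, c) for c in cv)
```

Because $pk = g_0^{sk}$ fixes $sk$ modulo $N$, every secret key consistent with $pk$ decrypts a given ciphertext to the same value, which is the "ciphertext uniquely determines its message" property the text attributes to perfect correctness.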

Obfuscators
Syntax and correctness. A ppt algorithm $\mathsf{Obf}$ is called an obfuscator for a (deterministic or randomized) circuit class $\mathcal{C} = \{\mathcal{C}_{\lambda}\}_{\lambda \in \mathbb{N}}$ if $\mathsf{Obf}$, on input the security parameter $1^{\lambda}$ and the description of a (deterministic or randomized) circuit $C \in \mathcal{C}_{\lambda}$, outputs a deterministic circuit $\overline{C}$. For deterministic circuits, we require $\mathsf{Obf}$ to be perfectly correct in the sense that the circuits $C$ and $\overline{C}$ are functionally equivalent for all $\lambda \in \mathbb{N}$. For randomized circuits, the authors of [17] define correctness via computational indistinguishability of the outputs of $C$ and $\overline{C}$. For our constructions, we do not rely on this property and instead require that $C$ and $\overline{C}$ are functionally equivalent up to a change in randomness. In this paper, by correctness we refer to this latter property. We note that the construction from [17] is correct as it relies on a correct (indistinguishability) obfuscator (and a PRF to internally generate the required random coins).
Security. The security of an obfuscator $\mathsf{Obf}$ requires that for any legitimate ppt adversary $\mathcal{A}$ the advantage in game IND, shown in Fig. 1 (middle), is negligible. Depending on the notion of legitimacy, different security notions for the obfuscator emerge; we consider two such notions below.
Functionally equivalent samplers. We call (the first phase of) $\mathcal{A}$ a functionally equivalent sampler if, for any (possibly unbounded) distinguisher $\mathcal{D}$, the probability that $\mathcal{D}$ finds an input on which the two sampled circuits differ is negligible. The security notion associated with equivalent samplers is called indistinguishability. We call an obfuscator meeting this level of security an indistinguishability obfuscator [24] and use $\mathsf{IO}$ instead of $\mathsf{Obf}$ to emphasize this.
$X$-IND samplers [17]. Roughly speaking, $\mathcal{A}$ is an $X$-IND sampler if there is a set $\mathcal{X}$ of size at most $X$ such that the circuits output by $\mathcal{A}$ are functionally equivalent outside $\mathcal{X}$ and, furthermore, within $\mathcal{X}$ the outputs of the two sampled circuits are indistinguishable. Formally, let $X(\cdot)$ be a function such that $X(\lambda) \le 2^{\lambda}$ for all $\lambda \in \mathbb{N}$. We call $\mathcal{A}$ an $X$-IND sampler if there is a set $\mathcal{X}_{\lambda}$ of size at most $X(\lambda)$ such that the following two conditions hold: (1) for all (possibly unbounded) $\mathcal{D}$, the associated advantage function is negligible; (2) for all non-uniform ppt distinguishers $\mathcal{D}$, the advantage in the game shown in Fig. 1 (right) is negligible. This game has a static (or selective) flavor, as $\mathcal{D}_1$ chooses a differing input $x$ before it gets to see the challenge circuit pair. We call an obfuscator meeting this level of security a probabilistic indistinguishability obfuscator [17] and use $\mathsf{PIO}$ instead of $\mathsf{Obf}$ to emphasize this. [17] show how to construct secure probabilistic indistinguishability obfuscators for $X$-IND samplers from subexponentially secure indistinguishability obfuscation and subexponentially secure one-way functions.

Dual-Mode NIZK Proof Systems
In our constructions, we will be relying on special types of non-interactive zero-knowledge proof systems [29]. These systems have "dual-mode" common reference string (CRS) generation algorithms that produce indistinguishable CRSs in the "binding" and "hiding" modes. They also enjoy perfect completeness in both modes, are perfectly sound and extractable in the binding mode, and perfectly witness-indistinguishable (WI) and zero knowledge (ZK) in the hiding mode. The standard prototype for such schemes is pairing-based Groth-Sahai proofs [29]. These proof systems can be instantiated in any (pair of) pairing-friendly groups, under a variety of computational assumptions, including the SXDH and $k$-Linear assumptions. Moreover, using a generic NP reduction to the satisfiability of (systems of) quadratic equations, we can obtain a suitable proof system for any NP language. We formalize the syntax and security of such proof systems next.

Syntax.
A relation with setup is a pair of ppt algorithms $(\mathcal{S}, \mathcal{R})$ such that $\mathcal{S}(1^{\lambda})$ outputs $(gpk, gsk)$ and $\mathcal{R}(gpk, x, w)$ is a ternary relation that outputs a bit $b \in \{0,1\}$. A dual-mode non-interactive zero-knowledge (NIZK) proof system for $(\mathcal{S}, \mathcal{R})$ consists of six algorithms as follows. (1) Algorithm $\mathsf{BCRS}(gpk, gsk)$ outputs a (binding) common reference string $crs$ and an extraction trapdoor $td_{\mathrm{ext}}$; (2) $\mathsf{HCRS}(gpk, gsk)$ outputs a (hiding) common reference string $crs$ and a simulation trapdoor $td_{\mathrm{zk}}$; (3) $\mathsf{Prove}(gpk, crs, x, w)$, on input $crs$, an instance $x$, and a witness $w$, outputs a proof $\pi$; (4) $\mathsf{Verify}(gpk, crs, x, \pi)$, on input a bit string $crs$, an instance $x$, and a proof $\pi$, outputs accept or reject; (5) $\mathsf{WExt}(td_{\mathrm{ext}}, x, \pi)$, on input an extraction trapdoor, an instance $x$, and a proof $\pi$, outputs a witness $w$; and (6) $\mathsf{Sim}(td_{\mathrm{zk}}, crs, x)$, on input the simulation trapdoor $td_{\mathrm{zk}}$, the CRS $crs$, and an instance $x$, outputs a simulated proof $\pi$. We require a dual-mode NIZK to meet the following requirements.

Hard Membership Problems
Finally, we will use languages with hard membership problems. Let $\mathcal{U} = \{\mathcal{U}_{\lambda}\}$ be a collection of universal sets, and let $\mathcal{L} = \{\mathcal{L}_{\lambda}\}$ be a collection of sets $\mathcal{L}_{\lambda} = \{L\}$ of languages with $L \subseteq \mathcal{U}_{\lambda}$ for each $L \in \mathcal{L}_{\lambda}$. We say that $\mathcal{L}$ has a hard subset membership problem if the following holds: no ppt algorithm given $L \leftarrow_{\$} \mathcal{L}_{\lambda}$ can efficiently distinguish between $x \leftarrow_{\$} L$ and $x \leftarrow_{\$} \mathcal{U}_{\lambda}$.

Multilinear Groups with Non-Unique Encodings
Before presenting our constructions, we formally introduce what we mean by a multilinear group (MLG) scheme. Our abstraction differs from that of Garg, Gentry, and Halevi [23] in that our treatment of MLG schemes is a direct adaptation of the "dream" MLG setting (called the "cryptographic" MLG setting in [7]) to a setting where group elements have non-unique encodings (as in [23]). In our abstraction, on top of the procedures needed for generating, manipulating, and checking group elements, we introduce an equality procedure which generalizes the equality relation for groups with unique encodings.
Syntax. A multilinear group (MLG) scheme Γ consists of six ppt algorithms as follows.
$\mathsf{Setup}(1^{\lambda}, 1^{\kappa})$: This is the setup algorithm. On input the security parameter $1^{\lambda}$ and the multilinearity $1^{\kappa}$, it outputs the group parameters $pp$. These parameters include generators $g_1, \ldots, g_{\kappa+1}$, identity elements $1_1, \ldots, 1_{\kappa+1}$, and integers $N_1, \ldots, N_{\kappa+1}$, which will represent group orders. Generators, identity elements, and group orders are discussed in detail below. In our constructions, we will have $N_1, \ldots, N_{\kappa+1}$ all equal to some prime $N$, but we work here at a greater level of generality because it may be useful in future work. We assume $pp$ is provided to the various algorithms below.
$\mathsf{Val}_i(h)$: This is the validity testing algorithm. On input (the group parameters), a group index $1 \le i \le \kappa+1$ and a string $h \in \{0,1\}^{*}$, it returns $b \in \{0,1\}$. We define $\mathbb{G}_i$, which is also parameterized by $pp$, as the set of all $h$ for which $\mathsf{Val}_i(h) = 1$. We write $h \in \mathbb{G}_i$ when $\mathsf{Val}_i(h) = 1$ and refer to such strings as group elements (since we will soon impose a group structure on $\mathbb{G}_i$). Without loss of generality, we assume the $\mathbb{G}_i$ to be non-intersecting sets (since a string $h \in \mathbb{G}_i$ can always be augmented with an encoding of $i$). We require that the bit strings in $\mathbb{G}_i$ have lengths that are polynomial in $\lambda$ and $\kappa$, a property that we refer to as compactness.
$\mathsf{Eq}_i(h_1, h_2)$: This is the equality algorithm. On input two valid group elements $h_1, h_2 \in \mathbb{G}_i$, it outputs a bit. We require $\mathsf{Eq}_i$ to define an equivalence relation. We say that the group has unique encodings if $\mathsf{Eq}_i$ simply checks the equality of bit strings. We write $h_1 = h_2$ when $\mathsf{Eq}_i(h_1, h_2) = 1$. Since "=" refers to equality of bit strings as well as equivalence under $\mathsf{Eq}_i$, we will henceforth write "as bit strings" when we mean equality in that sense. We require $|\mathbb{G}_i/\mathsf{Eq}_i|$, the number of equivalence classes into which $\mathsf{Eq}_i$ partitions $\mathbb{G}_i$, to be finite and equal to $N_i$ (where $N_i$ comes from $pp$). We assume throughout the paper that the various algorithms below return $\bot$ when run on invalid group elements.
This algorithm defines the group operation. On input two valid group elements h 1 , h 2 ∈ G i , it outputs h ∈ G i . We write h 1 h 2 in place of Op i (h 1 , h 2 ) for simplicity. We require that Op i respect the equivalence relations Eq i , meaning that if The algorithm Op i gives rise to an exponentiation algorithm Exp i (h, z) that on input h ∈ G i and z ∈ N outputs an h ∈ G i such that h = h · · · h in G i with z occurrences of h. When no h is specified, we assume h = g i . This algorithm runs in polynomial time in the length of z. We denote Exp i (h, z) by h z and define h 0 : We insist that g i in fact has order N i , so that (the equivalence class containing) g i generates G i /Eq i . The above requirements ensure that G i /Eq i acts as a cyclic group of order N i with respect to the operation induced by Op i , with identity (the equivalence class containing) 1 i , and inverse operation Inv i . We use the bracket notation [19] to denote an element h = g x i in G i with [x] i . When using this notation, we will write the group law additively. This notation will be convenient in the construction and analysis of our MLG schemes. For example, z )). Note that when writing [z] i , it is not necessarily the case that z is explicitly known.
e(h 1 , . . . , h κ ): This is the multilinear map algorithm. For κ group elements h i ∈ G i as input, it outputs h κ+1 ∈ G κ+1 . We demand that for any 1 ≤ j ≤ κ and any We also require the map to be non-degenerate in the sense that for some tuple of elements as input the multilinear map outputs an element of G κ+1 outside the equivalence class of 1 κ+1 . We call an MLG scheme symmetric if the group algorithms are independent of the group index for 1 ≤ i ≤ κ and e is invariant under permutations of its inputs. That is, for any permutation π : We refer to all the other cases as being asymmetric.
To distinguish the target group, we frequently write G T instead of G κ+1 (and similarly for 1 T and g T in place of 1 κ+1 and g κ+1 ) as its structure in our construction will be different from that of the source groups G 1 , . . . , G κ .
Sam i (z): This is the sampling algorithm. On input z ∈ N, it outputs some h ∈ G i . We also allow a special input ε to this algorithm, in which case the sampler is required to output some h ∈ G i together with a uniformly distributed z such that h ∈ G i (g z i ). Note that for groups with unique encodings, these algorithms trivially exist. For notational convenience, for a known a, we define [a] i to be an element sampled via Sam i (a).
Some applications also rely on the following algorithm which provides a canonical bit string for the group elements within a single equivalence class.
Ext i (h): This is the extraction algorithm. On input h ∈ G i , it outputs a string s ∈ {0, 1} poly(λ) . We demand that for any h 1 , h 2 ∈ G i with h 1 = h 2 in G i , we have that Ext i (h 1 ) = Ext i (h 2 ) (as bit strings). We also require that for [z] i ←$ Sam i (ε), the distribution of Ext i ([z] i ) is uniform over {0, 1} poly(λ) . For groups with unique encodings, this algorithm trivially exists.
Comparison with GGH. Our formalization differs from that of [23] which defines a graded encoding scheme. The main difference is that a graded encoding scheme defines bilinear maps e i, j : G i × G j −→ G i+ j . Using this algorithm, one can implement Eq i for any 1 ≤ i ≤ κ from Eq κ+1 as follows (if e i, j is injective). To check the equality of h 2 to map these elements to the target group and check equality there using Eq κ+1 . Similarly, Ext i (h) can be constructed from Ext κ+1 (h) and 1 j for all G j . (Note that for extraction we need a canonical string rather than a canonical group element.) Moreover, the abstraction and construction of graded encodings schemes in [23] do not provide any validity algorithms; these are useful in certain adversarial situations such as CCA security and signature verification. Further, all known candidate constructions of graded encoding schemes are noisy and only permit a limited number of group operations (though parameters can be set to allow that number to be polynomial). Finally, the known candidate graded encoding schemes do not permit sampling for specific values of z, but rather only permit sampling elements with a z that is only known up to its equivalence class.
Syntactic extensions. Although our syntax does not treat the cases of graded [15,23], exponentially multilinear, or self-pairing [43] maps, it can be modified to capture these variants. We briefly outline the required modifications. For graded maps, we require the existence of a map that on input h i ∈ G i for indices i = i 1 , . . . , i with t := i=1 i j ≤ κ outputs a group element in G t . This map is required to be multilinear in each component. For exponential (aka. unbounded) linearity, we provide the linearity κ in its binary representation to the Setup algorithm. We also include procedures for generator and identity element generation. Proper self-pairing maps correspond to a setting where the group algorithms are independent of the group index for 1 ≤ i ≤ κ + 1 (including the target index κ + 1), and the group generators and identity elements are all identical. Observe that a proper self-pairing would induce a graded encoding scheme of unbounded linearity; recall from the introduction that the scheme of Yamakawa et al. [43] does not meet this definition because of the growth in the size of its auxiliary information.

The Construction
We now present our construction of an MLG scheme Γ according to the syntax introduced in Sect. 3. In the later sections, we will consider special cases of the construction and prove the hardness of analogues of the multilinear DDH problem under various assumptions.
We rely on the following building blocks in our MLG scheme. (1) A cyclic group G 0 of some order N 0 with generator g 0 and identity 1 0 ; formally, we think of this as a 1-linear MLG scheme Γ 0 with unique encodings in which e is trivial; the algorithm Val 0 implies that elements of G 0 are efficiently recognizable. (2) A general-purpose obfuscator Obf. (3) A perfectly correct additively homomorphic public-key encryption scheme := (Gen, Enc, Dec, Eval) with plaintext space Z N . 5 (4) A dual-mode NIZK proof system. (5) A family T D of (families of) languages TD which has a hard subset membership problem, and such that all TD have efficiently computable witness relations with unique witnesses. 6 (See Sect. 2 for more formal definitions.) We reserve variables and algorithms with index 0 for the base scheme Γ 0 ; we also write N = N 0 . We require that the algorithms of Γ 0 except for Setup 0 and Sam 0 are deterministic. We will also use the bracket notation to denote the group elements in G 0 . For example, we write [z] 0 , [z ] 0 ∈ G 0 for two valid elements of the base group and . Variables with nonzero indices correspond to various source and target groups. Given all of the above components, our MLG scheme Γ consists of algorithms as detailed in the sections that follow.

Setup
The setup algorithm for Γ samples parameters pp 0 ←$ Setup 0 (1 λ ) for the base MLG scheme, generates two encryption key pairs (pk j , sk j )←$ Gen(1 λ ) ( j = 1, 2) of an HPKE scheme, and a matrix W = (ω 1 , . . . , ω κ ) t ∈ Z κ× N where κ is the linearity and = 2 is a parameter of our construction. Although many of the upcoming results hold for more general distributions of W, for concreteness, we set ω i = (1, ω) for all i and a uniformly random ω. The setup algorithm then sets where [W] 0 denotes a matrix of G 0 elements that entrywise is written in the bracket notation, TD←$ T D, and y is not in TD. In our MLG scheme, we set N 1 = · · · = N κ+1 := N , where N is the group order implicit in pp 0 . The setup algorithm then generates a common reference string crs = (crs , y) where crs ←$ BCRS(gpk, gsk) for a relation (S, R) that will be defined in Sect. 4.2. It also constructs two obfuscated circuits C Map and C Add which we will describe in Sects. 4.3 and 4.4. For 1 ≤ i ≤ κ, the identity elements 1 i and group generators g i are sampled using Sam i (0) and Sam i (x i ), respectively, for algorithm Sam i described in Sect. 4.5 with x i ∈ [N −1]. We emphasize that this approach is well defined since the operation of Sam i is defined independently of the generators and the identity elements and depends only on gpk and crs. We set 1 κ+1 = 1 0 and g κ+1 = g 0 . The scheme parameters are pp := (gpk, crs, C Map , C Add , g 1 , . . . , g κ+1 , 1 1 , . . . , 1 κ+1 ) .
5 Note that such a scheme can be constructed from any perfectly correct HPKE scheme.
6 An example of such a language is the Diffie-Hellman language TD = {(g r 1 , g r 2 ) | r ∈ N} in a DDH group with generators g 1 , g 2 . In particular, a suitable trapdoor language imposes no additional computational assumption in our upcoming security proof.
We note that this algorithm runs in polynomial time in λ as long as κ is polynomial in λ.

Validity and Equality
The elements of G i for 1 ≤ i ≤ κ are tuples of the form h = ([z] 0 , c 1 , c 2 , π) where c 1 , c 2 are encryptions of vectors from Z N under pk 1 , pk 2 , respectively (encryption algorithm Enc extends from plaintext space Z N to Z N in the obvious way) and where π is a NIZK to be defined below. We refer to (c 1 , c 2 , π) as the auxiliary information for [z] 0 . The elements of G κ+1 are just those of G 0 . The NIZK proof system that we use corresponds to the following inclusive disjunctive relation (S, R := R 1 ∨ R 2 ). Algorithm S(1 λ ) outputs gpk = (pp 0 , pk 1 , pk 2 , [W] 0 , TD) as defined above and sets gsk = (sk 1 , sk 2 ). Relation R 1 on input gpk, tuple ([z] 0 , c 1 , c 2 ), and witness (x, y, r 1 , r 2 , sk 1 , sk 2 ) accepts iff [z] 0 ∈ G 0 , the representations of [z] 0 as x, y ∈ Z N are valid with respect to [W] 0 in the sense that (where ·, · denotes inner product) and the following ciphertext validity condition (with respect to the inputs to the relation) is met: (c 1 = Enc(x, pk 1 ; r 1 ) ∧ c 2 = Enc(y, pk 2 ; r 2 )) ∨ (pk 1 , sk 1 ) = Gen(sk 1 ) ∧ (pk 2 , sk 2 ) = Gen(sk 2 ) Recall that we have assumed the secret key of the encryption scheme to be the random coins used in Gen. Note that the representation validity check can be efficiently performed "in the exponent" using [W] 0 and the explicit knowledge of x and y. Note also that for honestly generated keys and ciphertexts, the two checks in the expression above are equivalent (although this is not generally the case when public keys are malformed, i.e., not in the range of Gen).
Intuitively, the upper branch of the disjunction (1) checks consistency based on encryption randomness. This branch allows Sam to generate proofs without decryption keys. The lower branch of (1) uses decryption keys. This branch is used by the addition circuit Add to generate proofs without knowing the encryption randomness.
Relation R 2 depends on the language TD, and on input gpk, tuple ([z] 0 , c 1 , c 2 ), and witness w y accepts iff w y is a valid witness to y ∈ TD. (Note that R 2 completely ignores ([z] 0 , c 1 , c 2 ).) Intuitively, R 2 creates a simulation trapdoor (i.e., w y ) that allows to generate proofs for statements that are not in R 1 .
For 1 ≤ i ≤ κ, the Val i algorithm for Γ , on input ([z] 0 , c 1 , c 2 , π), first checks that the first component is in G 0 using Val 0 and then checks the proof π ; if both tests pass, it then returns , else ⊥. Observe that for an honest choice of crs = (crs , y), the perfect completeness and the perfect soundness of the proof system ensure that only those elements which pass relation R 1 are accepted. Algorithm Val κ+1 just uses Val 0 .
The equality algorithm Eq i of Γ for 1 ≤ i ≤ κ first checks the validity of the two group elements passed to it and then returns true iff their first components match, according to Eq 0 , the equality algorithm from the base scheme Γ 0 . Algorithm Eq κ+1 just uses Eq 0 . The correctness of this algorithm follows from the perfect completeness of .

Group Operations
We provide a procedure that, given as inputs h = ([z] 0 , c 1 , c 2 , π) and h = ([z ] 0 , c 1 , c 2 , π ) ∈ G i , generates a tuple representing the product h · h . This, in particular, will enable our multilinear map to be run on the additions of group elements whose explicit representations are not necessarily known. We exploit the structure of the base group as well as the homomorphic properties of the encryption scheme to "add together" the first three components. We then use (sk 1 , sk 2 ) as a witness to generate a proof π that the new tuple is well formed. (For technical reasons, we check the validity of h and h in two different ways: using proofs π , π , and also explicitly using (sk 1 , sk 2 ). Note that, although useful in the analysis, the explicit check is redundant by the perfect soundness of the proof system under a binding crs .) In pp, we include an obfuscation of the C Add circuit shown in Fig. 2 (top), and again, we emphasize that steps 5a or 5b are never reached with a binding crs (but they may be reached with a hiding crs later in the analysis). Note that although we have assumed the evaluation algorithm to be deterministic, algorithm Prove is randomized and we need to address how we deal with its coins. To this end, we use a PIO to obfuscate C Add ; the probabilistic obfuscator directly deals with the needed randomness. 7 The Op i algorithm for 1 ≤ i ≤ κ runs the obfuscated circuit on i, the input group elements. Algorithm Op κ+1 just uses Op 0 as usual. The correctness of this algorithm follows from those of Γ 0 and , the completeness of , and the correctness, in our sense, of the probabilistic obfuscator Obf = PIO; see Sect. 2 for the definitions.

The Multilinear Map
The multilinear map for Γ , on input κ group elements uses sk 1 to recover the representation x i . It then uses the explicit knowledge of the matrix W to compute the output of the map as Recalling that G κ+1 is nothing other than G 0 , and g κ+1 = g 0 , the output of the map is just the G 0 -element $(g_0)^{\prod_{i=1}^{\kappa} \langle x_i, \omega_i \rangle}$. The product in the exponent can be efficiently computed over Z N for any polynomial level of linearity κ and any as it uses x i and ω i explicitly. The multilinearity of the map follows from the linearity of each of the multiplicands in the above product (and the completeness of , the correctness of , and the correctness of the (possibly probabilistic) obfuscator Obf). An obfuscation C Map of the circuit implementing this operation (see Fig. 2, bottom) will be made available through the public parameters, and e is defined to run this circuit on its inputs.

Sampling and Extraction
For sampling random group elements, we first define two vectors x and y in Z N satisfying x, ω i = y, ω i . In other words, these vectors define two equivalent representations of a group element relative to a matrix W. If W is explicitly known, the vectors x and y can take arbitrary forms subject to validity. However, is only implicitly known by an honest user of the system, and in order to sample random group elements, we set x = y = (z, 0) for = 2. (We call these the canonical representations.) Then, we set [z] 0 := [ y, ω i ] 0 (which can be computed using [W] 0 and explicit knowledge of x) and [z] i ← [z] 0 , c 1 = Enc(x, pk 1 ; r 1 ), c 2 = Enc(y, pk 2 ; r 2 ), Note that the outputs of the sampler are not statistically uniform within G i ([z] i ). Indeed, not even the IND-CPA security of the encryption directly implies any form of security of the generated ciphertexts (since the addition circuit Add contains the corresponding decryption keys). Our upcoming "switching theorem" (Theorem 1) will, however, prove that encodings that are functionally equivalent cannot be efficiently distinguished.
Since the target group has unique encodings, as noted in Sect. 3, an extraction algorithm for all groups can be derived from one for the target group. The latter can be implemented by applying a universal hash function to the group elements in G T , for example.

Indistinguishability of Encodings
In this section, we will prove a theorem that is an essential tool in establishing the intractability of the κ-MDDH for our MLG scheme Γ constructed in Sect. 4. This theorem, roughly speaking, states that valid encodings of elements within a single equivalence class are computationally indistinguishable. We formalize this property via the κ-Switch game shown in Fig. 3. This game lets an adversary A choose an element [z] i ∈ G i by producing two valid representations (x 0 , y 0 ) and (x 1 , y 1 ) for it. The adversary is given an encoding of [z] i generated using (x b , y b ) for a random b and has to guess the bit b. In this game, besides access to pp, which contains the obfuscated circuits for the group operation and the multilinear map, we also provide the matrix W in the clear to the adversary. This strengthens the κ-Switch game and is needed for our later analysis.
To prove that the advantage of A in the κ-Switch game is negligible, we rely on the security of the obfuscator, the IND-CPA security of the encryption scheme, and the security of the NIZK proof system.
Fig. 3. The κ-Switch game. The challenge element [z] i satisfies z = ⟨x b , ω i ⟩ = ⟨y b , ω i ⟩ for b ∈ {0, 1}. We note that A gets explicit access to matrix W generated during setup.
Intuitively, the IND-CPA security of the encryption scheme will ensure that the encryptions of the two representations are indistinguishable. This argument, however, does not immediately work as the parameters pp contain the component C Add that depends on both decryption keys. We deal with this by finding an alternative implementation of this circuit that does not require knowledge of the secret keys, in the presence of slightly different public parameters (which are computationally indistinguishable from those described in Sect. 4). The next lemma, roughly speaking, says that provided the parameters pp include an instance y ∈ TD, there exists an alternative implementation C Add that does not use the secret keys, and whose obfuscation is indistinguishable from that of C Add of Fig. 2 (top) for an adversary that knows the secret keys. It relies on the security of the obfuscator and the security of the NIZK proof system.
Lemma 1. (C Add without decryption keys) Let PIO be a secure obfuscator for X -IND samplers and be a dual-mode NIZK proof system. Additionally, let parameters pp be sampled as in Sect. 4 but with y ∈ TD. Furthermore, let pp be sampled as pp, but with a hiding CRS crs , and an obfuscation of circuit C Add of Fig. 4 (bottom). Then, for any ppt adversary A, there are ppt adversaries B 1 and B 2 of essentially the same complexity as A such that for all λ ∈ N
Proof. The crucial observation is that a witness w y to y ∈ TD is also a witness to x ∈ R, and therefore, C Add can use w y instead of sk 1 , sk 2 to produce the output proof π . Below we provide descriptions of the transformation from C Add to C Add , and let W i denote the event that A in Game i outputs 1.
Game 0 : We start with (a PIO obfuscation of) circuit C Add of Fig. 2 and with pp including y ∈ TD and a binding crs .
Game 1 : The circuit has witness w y to y ∈ TD hard-coded. If some input reaches the "invalid" branches, C Add does not extract a witness from the corresponding proof, but instead uses w y to generate proof π . [See Fig. 4 (top).] Note that Game 1 requires no extraction trapdoor td ext anymore. We claim that |Pr[W 0 (λ)] − Pr[W 1 (λ)]| ≤ Adv ind PIO,B 1 (λ). By construction, the only difference between the games is that in Game 1 , proof π , with respect to invalid (input) encodings, is generated using hard-coded witness w y to y ∈ TD. Since w y is unique, and the CRS crs guarantees perfect soundness, this leads to behavior identical to that of C Add in Game 0 . Hence, this hop is justified by PIO.
Game 2 : The CRS crs included in the public parameters is now hiding (such that the generated proofs are perfectly witness-indistinguishable). We have that where B 2 is a ppt algorithm against the indistinguishability of binding and hiding CRS's.
Game 3 : Here, output proofs π for those inputs entering the "valid" branch (step 5b of Fig. 4 (top)) use w y (and not sk 1 , sk 2 ) as witness. In particular, this game does not need to perform an explicit validity check (using sk 1 , sk 2 ) anymore, and therefore, the addition circuit can be described as in Fig. 4 (bottom).
. By construction, the only difference between both games is that the public parameters in Game 2 contain a PIO obfuscation of C Add and in Game 3 contain a PIO obfuscation of C Add of Fig. 4. In Lemma 2, we prove that these circuit variants are given by an X -IND sampler, and therefore, their PIO obfuscations are indistinguishable.
Proof. The first equality is immediate as X is set to be the entire domain of the circuits. The second equality follows from the perfect witness-indistinguishability property of the proof system. Indeed, the only difference between the two circuits is that, for those inputs that are valid encodings, C Add uses decryption keys sk 1 , sk 2 as witness to generate the output proof π ← Prove(gpk, crs, ([z ] 0 , c 1 , c 2 ), (sk 1 , sk 2 ); r ), and C Add uses witness w y to y ∈ TD (with y in the public parameters) to generate the proof π ← Prove(gpk, crs, ([z ] 0 , c 1 , c 2 ), w y ; r ). The WI property with a hiding crs guarantees that π and π are identically distributed and hence so are the outputs of C Add and C Add . Note that no random coins are hardwired into these circuits (we are in the PIO setting), and fresh coins are used to compute the circuits' outputs.
Fig. 4. Circuits for addition of group elements used in Lemma 1. pp includes gpk = (pp 0 , pk 1 , pk 2 , [W] 0 , TD, y) where y ∈ TD (also includes a hiding CRS crs ). Both circuits also have hardcoded (the) witness w y to y ∈ TD. Top: sk 1 , sk 2 are used to produce π on valid inputs. Bottom: w y is always used to produce π .
With Lemma 1, we can invoke IND-CPA security and via a sequence of games obtain the result stated below. The proof can be found in "Appendix A.1"; we will give a high-level overview of the proof below.  B 1 , B 2 , B 3 , and B 4 of essentially the same complexity as A such that for all λ ∈ N Adv κ-switch

Furthermore, B 2 is an X -IND sampler for any function X (λ).
Proof sketch. The proof of this theorem proceeds via a sequence of 9 games as follows.
Game 0 : This is the κ-Switch game. The public parameters pp contain a no-instance y ∉ TD, a binding crs , and C Add is constructed using (sk 1 , sk 2 ) and C Map using sk 1 . (See Fig. 2.) The ciphertexts c 1 and c 2 contain x b and y b for a random bit b.
Game 1 : This game generates the public parameters pp so that they include a yes-instance y ∈ TD. The difference to the previous game can be bounded via the hardness of deciding membership in TD.
Game 2 : The public parameters pp change so that they include a hiding crs , and a (PIO) obfuscation of circuit C Add , see Fig. 4. (Recall that this circuit uses the witness w y to y ∈ TD to produce the output proofs π , and therefore, the simultaneous knowledge of decryption keys sk 1 , sk 2 is not needed anymore.) Additionally, the game uses w y to prepare the proof π in the κ-Switch challenge for A. By Lemma 1 and the perfect witness-indistinguishability of , the difference with the previous game can be bounded by PIO and CRS indistinguishability.
Game 3 : This game generates c 2 by encrypting y 1 , even when b = 0. We can bound the difference in any adversary's success probability via the IND-CPA advantage of with respect to pk 2 . (The reduction will know (pk 1 , sk 1 ) so as to be able to construct C Map .)
Game 4 : The public parameters are changed back to pp, so that they include a binding crs , and a (PIO) obfuscation of circuit C Add of Fig. 2 (top). The difference with the previous game is bounded again with Lemma 1.
Game 5 : Now, a no-instance y ∉ TD is included in the public parameters pp. This game is justified by the hardness of deciding membership in TD.
Game 6 : This game uses sk 2 (in place of sk 1 ) in the generation of the C Map circuit. In this transition, we rely on the security of Obf, the perfect correctness of , and the perfect soundness of . Perfect soundness of implies that C Map rejects ciphertexts unless relation R 1 holds. Together with the perfect correctness of , R 1 implies that C Map yields identical results with sk 1 and sk 2 . We can then use the IO security of Obf to justify the switch from using sk 1 to using sk 2 . (Note that for any function X , any obfuscator that is secure for X -IND samplers is also secure as an indistinguishability obfuscator.) Note that in this game, it is crucial that the crs is in the binding mode.
Game 7 : This game, similar to Game 1 , switches to public parameters pp with a yes-instance y ∈ TD. The analysis is as before.
Game 8 : This game, similar to Game 2 , includes in pp a hiding crs , and a (PIO) obfuscation of circuit C Add . (See Fig. 4.) The analysis is as before.
Game 9 : This game generates c 1 by encrypting x 1 , even when b = 0. The analysis is as in Game 3 .
Observe that the challenge encoding in Game 9 is independent of the random bit b and the advantage of any (possibly unbounded) adversary A is 0. Collecting bounds on the probabilities involved in the various game hops concludes the proof.

The Multilinear DDH Problem
In this section, we show that natural multilinear analogues of the decisional Diffie-Hellman (DDH) problem are hard for our MLG scheme Γ from Sect. 4. We will establish this for two specific Setup algorithms which give rise to symmetric and asymmetric multilinear maps in groups of prime order N . (See Sect. 3 for the formal definition.) In the symmetric case, we will base hardness on the q-strong DDH problem [4] and in the asymmetric case on the 1-strong DDH problem.

Intractable Problems
We start by formalizing the hard problems that we will be relying on and those whose hardness we will be proving. We do this in a uniform way using the language of group schemes of Sect. 3. Informally, the q-SDDH problem requires the indistinguishability of g x q+1 from a random element given (g x , g x 2 , . . . , g x q ) for a random x, and the κ-MDDH problem, whose hardness we will be establishing, generalizes the standard bilinear DDH problem (and its variants) and requires this for g a 1 ···a κ+1 T in the presence of (g a 1 , . . . , g a κ+1 ) (for uniformly random a i ).
The q-SDDH problem. For q ∈ N, we say that a group scheme Γ 0 is q-SDDH intractable if Adv q-sddh where game q-SDDH A Γ 0 (λ) is shown in Fig. 6 (left).
The (κ, I )-MDDH problem. We use a slight reformulation of the (generalized) MDDH problem from [23]. For κ ∈ N we say that an MLG scheme Γ is κ-MDDH intractable with respect to the index set I if

Adv
where game (κ, I )-MDDH A Γ (λ) is shown in Fig. 6 (right). Here, I is a set of ordered pairs of integers (i, j) with 1 ≤ i ≤ κ + 1, 1 ≤ j ≤ κ. The adversary is provided with challenge group elements [a i ] j for (i, j) ∈ I , so that its challenge elements may lie in any combination of the groups. The following example of such a set I leads to a generalization of the symmetric external Diffie-Hellman (SXDH) assumption to the multilinear case: (1, 1), . . . , (κ, κ), (κ + 1, κ)} .

The Symmetric Setting
We describe a special variant of our general construction in Sect. 4 which gives rise to a symmetric MLG scheme as defined in Sect. 3.
We set := 2 and sample W = (ω 1 , . . . , ω κ ) t by setting ω i = (1, ω) for a random ω ∈ Z N . The generators and identity elements for all groups are set to be a single value generated for the first group. These modifications ensure that the scheme algorithms are independent of the index for 1 ≤ i ≤ κ and that e is invariant under all permutations of its inputs.
The following lemma, which provides a mechanism to compute polynomial values "in the exponent," will be helpful in the security analysis of our constructions.
Proof. Let Clearly, if all p jk are known, then [P(ω 0 , ω 1 )] T can be computed using [ω j 0 ω k 1 ] T with polynomially many operations. (There are O(κ) summands above.) To obtain these values, we apply Horner's rule. Define The coefficients of P κ are the required p jk values. Let t i denote the number of terms in P i . It takes at most 2t i multiplications and t i − 1 additions in Z N to compute the coefficients of P i from P i−1 and x i . Since t i ∈ O(κ), at most O(κ 2 ) many operations in total are performed. We note that the lemma generalizes to any (constant) with computational complexity O(κ ).
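As an added illustration (not code from the paper), the following Python script instantiates the symmetric setting with ω i = (1, ω) in a toy base group and shows two computations the text describes only in prose: the representation check "in the exponent" of Sects. 4.2 and 4.5, which computes [⟨x, ω i ⟩] 0 from [W] 0 without knowing ω, and the Horner-style evaluation of Lemma 3 specialized to (ω 0 , ω 1 ) := (1, ω), which recovers the map output from the powers [ω k ] T alone, as C * Map does in the proof of Theorem 2. The base group (the order-1019 subgroup of Z 2039 * ), the linearity κ = 3 and all sample vectors are constructed here and far too small to be secure.

```python
"""Toy walk-through of the symmetric setting: omega_i = (1, omega) for every i.

Constructed example, not the paper's code.  The base group Gamma_0 is the order-N
subgroup of Z_P^* with P = 2N + 1 (N = 1019, P = 2039, both prime); it has unique
encodings, so [z]_0 is literally g_0^z mod P.  Parameters are far too small to be secure.
"""
import random

N = 1019          # prime base-group order, plays the role of N = N_0 = N_1 = ... = N_{kappa+1}
P = 2 * N + 1     # 2039, prime, so Z_P^* contains a unique subgroup of order N
G0 = 4            # 2^2 is a quadratic residue and != 1, hence it generates that subgroup


def enc(z):
    """Bracket notation [z]_0 = g_0^z for the base group (unique encodings)."""
    return pow(G0, z % N, P)


def mul(h1, h2):
    """Op_0: [a]_0 * [b]_0 = [a + b]_0 (additive notation in the exponent)."""
    return (h1 * h2) % P


def exp(h, z):
    """Exp_0: [a]_0^z = [a * z]_0, for any integer z (reduced mod N)."""
    return pow(h, z % N, P)


def inner_in_exponent(x, bracket_omega):
    """[<x, omega_i>]_0 from an explicit vector x and the row [omega_i]_0 of [W]_0.

    This is the representation check 'in the exponent' used by relation R_1 (Sect. 4.2)
    and by the sampler Sam_i (Sect. 4.5): omega itself is never needed in the clear.
    """
    acc = enc(0)
    for x_j, bracket in zip(x, bracket_omega):
        acc = mul(acc, exp(bracket, x_j))
    return acc


def horner_coefficients(xs, n=N):
    """Lemma 3 (Horner's rule): coefficients p_0..p_kappa over Z_n of
         P(omega) = prod_i (x_{i,1} + x_{i,2} * omega),
    obtained by multiplying one linear factor into P_{i-1} at a time."""
    coeffs = [1]                                   # P_0 = 1
    for x1, x2 in xs:
        nxt = [0] * (len(coeffs) + 1)
        for k, c in enumerate(coeffs):             # c * omega^k times (x1 + x2 * omega)
            nxt[k] = (nxt[k] + c * x1) % n
            nxt[k + 1] = (nxt[k + 1] + c * x2) % n
        coeffs = nxt
    return coeffs


def map_from_powers(xs, bracket_powers):
    """C*_Map: [P(omega)]_T computed from [omega^k]_T for k = 0..kappa only."""
    acc = enc(0)
    for p_k, bracket in zip(horner_coefficients(xs), bracket_powers):
        acc = mul(acc, exp(bracket, p_k))
    return acc


def map_explicit(xs, omega):
    """C_Map of Sect. 4.4: the product of inner products is computed over Z_N using omega."""
    prod = 1
    for x1, x2 in xs:
        prod = prod * (x1 + x2 * omega) % N
    return enc(prod)


def demo(kappa=3, seed=1):
    """Returns (same_class, maps_agree) for constructed random inputs."""
    rng = random.Random(seed)
    omega = rng.randrange(1, N)
    bracket_omega = [enc(1), enc(omega)]                          # the row [omega_i]_0 of [W]_0
    bracket_powers = [enc(pow(omega, k, N)) for k in range(kappa + 1)]  # SDDH-style [omega^k]_T
    zs = [rng.randrange(N) for _ in range(kappa)]
    canonical = [(z, 0) for z in zs]                              # Sam_i's canonical representation
    switched = [((z - omega) % N, 1) for z in zs]                 # the form used in Games 1..kappa+1
    same_class = all(
        inner_in_exponent(a, bracket_omega) == inner_in_exponent(b, bracket_omega)
        for a, b in zip(canonical, switched)
    )
    maps_agree = map_from_powers(switched, bracket_powers) == map_explicit(canonical, omega)
    return same_class, maps_agree


if __name__ == "__main__":
    print(demo())   # (True, True)
```

Both representations of each element land in the same equivalence class under the check in the exponent, and the Horner-based evaluation agrees with the explicit product even though it never sees ω.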
We prove the following result formally in "Appendix A.2" and give an overview of the proof here.
Proof. In our reduction, the value ω used to generate W will play the role of the implicit value in the SDDH problem instance. We therefore change the implementation of C Map to one that does not know ω in the clear and only uses the implicit values [ω i ] 0 . (Recall that in our construction G T is just G 0 , so these elements come from the SDDH instance.) Such a circuit C * Map can be efficiently implemented using Horner's rule above. In more detail, C * Map has [ω i ] T hard-coded in, recovers x i from its inputs using sk 1 , and then applies Lemma 3 with (ω 0 , ω 1 ) := (1, ω) to evaluate the multilinear map.
The proof proceeds along a sequence of κ + 4 games as follows.
Game 0 : This is the κ-MDDH problem (Fig. 6, right). We use x i and y i to denote the representation vectors of a i generated within the sampler Sam I (i) (a i ), where (i, I (i)) ∈ I .
Game 1 -Game κ+1 : In these games, we gradually switch the representations of [a i ] 1 for i ∈ [κ + 1] so that they are of the form (a i − ω, 1). Each hop can be bounded via the Switch game.
Game κ+2 : This game introduces a conceptual change: the a i for i ∈ [κ + 1] are generated as a i + ω. Note that the distributions of these values are still uniform and that the exponent of the MDDH challenge This game prepares us for embedding a κ-SDDH challenge and then to randomize the exponent above.
Game κ+3 : This game switches C Map to C * Map as defined above. We use indistinguishability obfuscation and the fact that these circuits are functionally equivalent to bound this hop. We are now in a setting where ω is only implicitly known.
In Game κ+4 , irrespective of the value of b ∈ {0, 1}, the challenge is uniformly and independently distributed as σ remains outside the view of the adversary. Hence, the advantage of any (unbounded) adversary in this game is 0. This concludes the proof sketch.
We note that in this symmetric case, C * Map can be directly used as the implementation of the multilinear map. We chose C Map because it is somewhat simpler and also more in line with the upcoming asymmetric case.

The Asymmetric Setting
We describe a second variant of the construction in Sect. 4 that results in an asymmetric MLG scheme. We set := 2 and choose the matrix W = (ω 1 , . . . , ω κ ) t by setting The following theorem shows that for index set I = {(i, I (i)) : 1 ≤ i ≤ κ + 1} given by an arbitrary function I : [κ+1] −→ [κ], this construction is (κ, I )-MDDH intractable under the 1-SDDH assumption in the base group, the security of the obfuscator, and the κ-Switch game in Sect. 5. We present the proof intuition here and leave the details to "Appendix A.3."

Theorem 3.
(1-SDDH hard ⇒ asymmetric (κ, I )-MDDH hard) Let Γ * denote scheme Γ of Sect. 4 constructed using base group Γ 0 and a probabilistic indistinguishability obfuscator PIO with modifications as described above, and let κ ∈ N. Then, for any ppt adversary A, there are ppt adversaries B 1 , B 2 , and B 3 such that for all λ

A. Full Proofs from the Main Body
A.1. Proof of Theorem 1: Indistinguishability of encodings using PIO

Proof. We consider a chain of 10 games, with Game 0 being the κ-Switch game, such that in the last game the challenge encoding is drawn independently of the bit b. Below we let W i denote the event that Game i outputs 1.
Game 0 : The original κ-Switch game.

Game 1 : As Game 0, but now the public parameters pp are changed so that they include a yes-instance y ∈ TD. We have that where TD is a language in which membership is hard to decide.

Game 2 : The public parameters pp change so that they include a hiding crs, and a (PIO) obfuscation of circuit C Add . [See Fig. 4 (bottom).] Recall that this circuit uses the witness w y to y ∈ TD to produce the output proofs π. Therefore, simultaneous knowledge of the decryption keys sk 1 , sk 2 is no longer needed. Additionally, Game 2 uses w y to prepare the proof π in the κ-Switch challenge for A. By Lemma 1 and the perfect witness-indistinguishability of , we have that

Game 3 : As Game 2, but, if b = 0, the challenge encoding is generated by mixing the representation vectors w.r.t. public key pk 2 . Thus, on A's response (z, (x 0 , y 0 ), (x 1 , y 1 )), in this game we set c 0 ← Enc(x 0 , pk 1 ; r 1 ) and c 1 ← Enc(y 1 , pk 2 ; r 2 ).
Proof of Claim A.1. Consider the following ppt distinguisher B 4 against the IND-CPA security of the encryption scheme , with respect to key pair (pk 2 , sk 2 ). The distinguisher runs experiment Game 2 using A as a subroutine, with the following differences: When it receives A's vectors (x j , y j ) (in Z p for j = 0, 1), it submits (y 0 , y 1 ) to the IND-CPA challenger. It gets back c * = Enc(y r * , pk 2 ). Next, B 4 generates c 1 ← Enc(x 0 , pk 1 ) and sets c 2 = c * ; the proof π on instance x = ([z] i , c 1 , c 2 ) is generated using the simulation trapdoor of the proof system, namely π ←$ Sim(crs, x, td zk ).

Game 5 : As Game 4, but now the public parameters pp are changed back to the original ones described in Sect. 4, so that they include a no-instance y ∉ TD. We have that where TD is a language in which membership is hard to decide.

Game 6 : As Game 5, but now the challenger constructs a different circuit C Map with the second encryption secret key hard-coded. Thus, the extracted vector is set to y i ← Dec(c i,1 , sk 2 ). We claim that The variants of the C Map circuit described in the games extract (possibly different) encoding vectors x * i , y * i , respectively, for any adversarial input (In other words, the ciphertexts encrypt representation vectors of the same [z i ] 0 .) We remark that at this point we also use 's perfect correctness. Indeed, observe that while R 1 implies that there exist encryption random coins or secret keys that decrypt c i,1 and c i,2 to consistent representation vectors x i,1 and y i,2 , the perfect correctness of implies that the secret keys used by C Map retrieve those same representation vectors x i,1 and y i,2 . By the definition of R 1 , these representation vectors lead to the same outputs of C Map . It follows that these variants of C Map behave identically on any (possibly malformed) input x * . Therefore, the variants are functionally equivalent and hence trivially drawn by an X-IND sampler, so that their PIO obfuscations are indistinguishable.

Game 7 : As Game 6, but now the public parameters pp are changed so that they include a yes-instance y ∈ TD. We have that where TD is a language in which membership is hard to decide.

Game 8 : The public parameters pp change so that they include a hiding crs, and a (PIO) obfuscation of circuit C Add . [See Fig. 4.]

Game 9 : As Game 8, but, if b = 0, the challenge encoding is generated by mixing the representation vectors w.r.t. public key pk 1 . Thus, on A's response (z, (x 0 , y 0 ), (x 1 , y 1 )), in this game we set c 0 ← Enc(x 1 , pk 1 ; r 1 ) and c 1 ← Enc(y 1 , pk 2 ; r 2 ).
Using an argument similar to that of Claim A.1, we have that Finally, Pr [W 9 (λ)] = 1/2, because the challenge encoding is generated using the same pair of representation vectors (x 1 , y 1 ) regardless of the bit b. The proof of the theorem is concluded by collecting the terms above.
A.2. Proof of Theorem 2: Hardness of Symmetric MDDH

Proof. We proceed via a chain of games, starting with the symmetric κ-MDDH problem, such that the last game chooses the challenge at random and independently of the guess bit b. Below we let W i denote the event that Game i outputs 1.
Game 0 : The κ-MDDH problem as shown in Fig. 7. Here, there is only one source group. Thus, in game s ≥ s, the second coordinates of the sth encoding vectors are always fixed to 1. Now, a straightforward reduction yields an adversary B that satisfies: Claim.
Proof. Consider the following ppt adversary B = (B 1 , B 2 ) against game κ-Switch of Fig. 3.

Game κ+2 : The ith source exponent is changed to a i = a i + ω for randomly chosen a i ∈ Z N and all i ∈ [κ + 1]. This means that the target exponent for b = 1 is d = (a 1 + ω) · · · (a κ+1 + ω). The distribution from which the exponents a i are drawn has not changed and is still the uniform distribution. Therefore, Pr [W κ+1 (λ)] = Pr [W κ+2 (λ)].

Game κ+3 : The differences with the previous game are twofold. First, for the case b = 1, the challenge group element [d] T is generated as in Lemma 3. More precisely, we first write Eq. (2) as where P is a degree-(κ + 1) polynomial whose coefficients p = (p 0 , . . . , p κ , p κ+1 ) are computed using the iterative rule of Lemma 3, with (x i,0 , x i,1 ) = (a i , 1). Then, The other difference is that we obfuscate a different circuit C * Map which has the powers [ω i ] T hard-coded, for 1 ≤ i ≤ κ. This new circuit extracts the encoding vectors x i from the inputs, as usual; then, it computes the coefficients of $Q(\omega) = \prod_{i=1}^{\kappa} (x_{i,0} + x_{i,1}\,\omega)$ by Lemma 3 and evaluates it at ω in the exponent.

A.3. Proof of Theorem 3

Let I : [κ+1] −→ [κ] be any function. Slightly abusing notation, we set I = (i, I (i)) for 1 ≤ i ≤ κ + 1. By the pigeon-hole principle, there must exist a pair of distinct i, i′ ∈ [κ + 1] such that I (i) = I (i′) ∈ [κ]. For simplicity, and without loss of generality, we assume that I (1) = I (2) = 1.
We show a chain of games, starting with the asymmetric (κ, I )-MDDH problem, such that the last game chooses the challenge encoding at random and independently of the challenge bit b. Below we let W i denote the event that Game i outputs 1.

Game 3 : We change the first two source exponents to a i = a i + ω 1 for randomly chosen a i ∈ Z N . This means that the target exponent for b = 1 is d = (a 1 + ω 1 )(a 2 + ω 1 ) · a 3 · · · a κ+1 .
The first two elements a i are drawn from the uniform distribution, and their respective representation vectors are (a i , 1), so Pr [W 2 (λ)] = Pr [W 3 (λ)].

Game 5 : The challenge target d is set to d = (a 1 a 2 + ω 1 a 2 + ω 1 a 1 + σ ) · a 3 · · · a κ+1 , where σ is a fresh random value in Z N . Note that if σ = ω_1^2 , then this is precisely the challenge target d in the previous game. To conclude, we have Pr [W 5 (λ)] ≤ 1/2 + negl(λ). To see this, we argue that d is randomly distributed in Z N for challenge bit b = 1 with overwhelming probability in λ, as follows: If N is prime, then $\prod_{j=3}^{\kappa+1} a_j$ has an inverse in Z N , and therefore d in Eq. (3), seen as a function of σ and parametrized by the a j , defines a bijection on Z N with overwhelming probability. Thus, if σ is uniform, so is d.
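The two exponent computations used above, the coefficient-then-evaluate step of C * Map in the proof of Theorem 2 and the σ ↦ d bijection of Game 5, as an added Python example that is not part of the paper: a small cyclic group stands in for G T , the values p, N, g, ω and all sample exponents are constructed here, and the coefficient rule is assumed to be plain multiplication by the linear factors (x i,0 + x i,1 ω), which is the effect the text attributes to the iterative rule of Lemma 3.

```python
# Added example, not from the paper: toy versions of two exponent computations
# from the proofs above.  The group is the order-N subgroup of Z_p^* generated
# by g, so "[x]_T" is modelled as g^x mod p.  p, N, g and all sample values
# are constructed here.
P = 2039  # prime, P = 2*N + 1
N = 1019  # prime group order; exponents live in Z_N
G = 4     # generator of the order-N subgroup of Z_P^*

def mul_by_linear(coeffs, x0, x1):
    """Multiply a polynomial in w (coefficients mod N, lowest degree first)
    by the linear factor (x0 + x1*w): the assumed iterative coefficient rule."""
    out = [0] * (len(coeffs) + 1)
    for i, c in enumerate(coeffs):
        out[i] = (out[i] + c * x0) % N
        out[i + 1] = (out[i + 1] + c * x1) % N
    return out

def q_coefficients(vectors):
    """Coefficients q_0..q_kappa of Q(w) = prod_i (x_{i,0} + x_{i,1} w)."""
    coeffs = [1]
    for x0, x1 in vectors:
        coeffs = mul_by_linear(coeffs, x0, x1)
    return coeffs

def omega_powers_in_exponent(omega, kappa):
    """The hard-coded values [omega^i]_T for 0 <= i <= kappa."""
    return [pow(G, pow(omega, i, N), P) for i in range(kappa + 1)]

def evaluate_in_exponent(coeffs, powers):
    """[Q(omega)]_T = prod_i ([omega^i]_T)^(q_i), without ever using omega."""
    result = 1
    for q_i, g_wi in zip(coeffs, powers):
        result = result * pow(g_wi, q_i, P) % P
    return result

def game5_target(sigma, a, omega1):
    """d = (a1 a2 + omega1 a2 + omega1 a1 + sigma) * a3 ... a_{kappa+1} mod N."""
    head = (a[0] * a[1] + omega1 * (a[0] + a[1]) + sigma) % N
    tail = 1
    for a_j in a[2:]:
        tail = tail * a_j % N
    return head * tail % N

def sigma_map_is_bijection(a, omega1):
    """Game 5 argument: for prime N and a3...a_{kappa+1} nonzero, sigma -> d
    is a bijection on Z_N, so uniform sigma yields uniform d."""
    return len({game5_target(s, a, omega1) for s in range(N)}) == N
```

With (x i,0 , x i,1 ) = (a i , 1) the same routine yields the coefficients of P(ω) = ∏(a i + ω) used for the b = 1 target in Game κ+3.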