Cryptographic multilinear map

A cryptographic ${\displaystyle n}$-multilinear map is a kind of multilinear map, that is, a function ${\displaystyle e:G_1\times \cdots \times G_n\to G_T}$ such that for any integers ${\displaystyle a_1,\dots ,a_n}$ and elements ${\displaystyle g_i\in G_i}$, ${\displaystyle e(g_1^{a_1},\dots ,g_n^{a_n})=e(g_1,\dots ,g_n{)}^{{\displaystyle \prod _{i=1}^n}{a}_i}}$, and which in addition is efficiently computable and satisfies some security properties. It has several applications on cryptography, as key exchange protocols, identity-based encryption, and broadcast encryption. There exist constructions of cryptographic 2-multilinear maps, known as bilinear maps,^[1] however, the problem of constructing such multilinear^[1] maps for ${\displaystyle n>2}$ seems much more difficult^[2] and the security of the proposed candidates is still unclear.^[3]

In this case, multilinear maps are mostly known as bilinear maps or pairings, and they are usually defined as follows:^[4] Let ${\displaystyle G_1,G_2}$ be two additive cyclic groups of prime order ${\displaystyle q}$, and ${\displaystyle G_T}$ another cyclic group of order ${\displaystyle q}$ written multiplicatively. A pairing is a map: ${\displaystyle e:G_1\times G_2\to G_T}$, which satisfies the following properties:

Bilinearity

${\displaystyle \mathrm{\forall }a,b\in F_q^{*},\mathrm{\forall }P\in G_1,Q\in G_2:e(aP,bQ)=e(P,Q{)}^{ab}}$

Non-degeneracy

If ${\displaystyle g_1}$ and ${\displaystyle g_2}$ are generators of ${\displaystyle G_1}$ and ${\displaystyle G_2}$, respectively, then ${\displaystyle e(g_1,g_2)}$ is a generator of ${\displaystyle G_T}$.

Computability

There exists an efficient algorithm to compute ${\displaystyle e}$.

In addition, for security purposes, the discrete logarithm problem is required to be hard in both ${\displaystyle G_1}$ and ${\displaystyle G_2}$.

We say that a map ${\displaystyle e:G_1\times \cdots \times G_n\to G_T}$ is a ${\displaystyle n}$-multilinear map if it satisfies the following properties:

1. All ${\displaystyle G_i}$ (for ${\displaystyle 1\le i\le n}$) and ${\displaystyle G_T}$ are groups of same order;
2. if ${\displaystyle a_1,\dots ,a_n\in \mathbb{Z}}$ and ${\displaystyle (g_1,\dots ,g_n)\in G_1\times \cdots \times G_n}$, then ${\displaystyle e(g_1^{a_1},\dots ,g_n^{a_n})=e(g_1,\dots ,g_n{)}^{{\displaystyle \prod _{i=1}^n}{a}_i}}$;
3. the map is non-degenerate in the sense that if ${\displaystyle g_1,\dots ,g_n}$ are generators of ${\displaystyle G_1,\dots ,G_n}$, respectively, then ${\displaystyle e(g_1,\dots ,g_n)}$ is a generator of ${\displaystyle G_T}$
4. There exists an efficient algorithm to compute ${\displaystyle e}$.

In addition, for security purposes, the discrete logarithm problem is required to be hard in ${\displaystyle G_1,\dots ,G_n}$.

All the candidates multilinear maps are actually slightly generalizations of multilinear maps known as graded-encoding systems, since they allow the map ${\displaystyle e}$ to be applied partially: instead of being applied in all the ${\displaystyle n}$ values at once, which would produce a value in the target set ${\displaystyle G_T}$, it is possible to apply ${\displaystyle e}$ to some values, which generates values in intermediate target sets. For example, for ${\displaystyle n=3}$, it is possible to do ${\displaystyle y=e(g_2,g_3)\in G_{T_2}}$ then ${\displaystyle e(g_1,y)\in G_T}$.

The three main candidates are GGH13,^[5] which is based on ideals of polynomial rings; CLT13,^[6] which is based approximate GCD problem and works over integers, hence, it is supposed to be easier to understand than GGH13 multilinear map; and GGH15,^[7] which is based on graphs.

Template:Reflist