Algebraic blinding and cryptographic trilinear maps
Ming-Deh A. Huang (USC, [email protected])
Computer Science Department, University of Southern California, U.S.A.
Abstract.

It has been shown recently that cryptographic trilinear maps are sufficient for achieving indistinguishability obfuscation. In this paper we develop algebraic blinding techniques for constructing such maps. An earlier approach involving Weil restriction can be regarded as a special case of blinding in our framework. However, the techniques developed in this paper are more general, more robust, and easier to analyze. The trilinear maps constructed in this paper are efficiently computable. The relationship between the published entities and the hidden entities under the blinding scheme is described by algebraic conditions. Finding points on an algebraic set defined by such conditions for the purpose of unblinding is difficult, as these algebraic sets have dimension at least linear in $n$ and involve $\Omega(n)$ variables, where $n$ is the security parameter. Finding points on such algebraic sets in general takes time exponential in $n \log n$ with the best known methods. Additionally, these algebraic sets are characterized as being triply confusing and most likely uniformly confusing as well. These properties provide additional evidence that efficient algorithms to find points on such algebraic sets are unlikely to exist. In addition to algebraic blinding, the security of the trilinear maps also depends on the computational complexity of a trapdoor discrete logarithm problem, which is defined in terms of an associative non-commutative polynomial algebra acting on torsion points of a blinded product of elliptic curves.

Introduction

In this paper we develop algebraic blinding techniques for the construction of cryptographically interesting trilinear maps. Cryptographic applications of $n$-multilinear maps for $n >$ … $H(A, \mu_\ell) \times H(A, \mu_\ell) \times H(A, \mu_\ell) \to H(A, \mu_\ell^{\otimes}) \cong \mu_\ell$, where $A$ is an abelian surface over a finite field $F$ and $\ell \neq \operatorname{char}(F)$ is a prime. Following up on Chinburg's idea, a method for constructing trilinear maps was proposed in [8,9]. It was based on the following map, which can be derived from the cohomological map just mentioned: $(\alpha, \beta, L) \mapsto e_\ell(\alpha, \varphi_L(\beta))$, where $\alpha, \beta \in A[\ell]$, $L$ is an invertible sheaf, and $\varphi_L$ is the map $A \to A^{\vee} = \operatorname{Pic}^0(A)$ with $\varphi_L(a) = t_a^* L \otimes L^{-1} \in \operatorname{Pic}^0(A)$ for $a \in A(\bar F)$, $t_a$ being the translation map defined by $a$ ([16] §§ …). Here $A$ is of dimension 2, and the third participant $L$ in the trilinear map can be identified with an endomorphism of $A$. With this approach the third group in the pairing is to be constructed from endomorphisms of $A$, and the challenge is to encode the endomorphisms involved in such a way that the resulting group has a hard discrete logarithm problem. The method proposed in [10] tackles this issue by using Weil descent (or Weil restriction) [5,6,7,19]. The trilinear map in [10] is derived from a blinded version of the following trilinear map:
$$A[\ell]^d \times A[\ell]^d \times \operatorname{Mat}_d(\mathbb F_\ell) \to \mu_\ell, \qquad (\alpha, \beta, M) \mapsto e(\alpha, M(\beta)),$$
where $\alpha, \beta \in A[\ell]^d$, $M \in \operatorname{Mat}_d(\mathbb F_\ell) \subset \operatorname{End}(A[\ell]^d)$, and $e$ is a non-degenerate bilinear pairing on $A[\ell]^d$ (determined by a non-degenerate bilinear pairing on $A[\ell]$). The blinding of the map just described involves Weil descent.

In this paper we develop algebraic blinding techniques for constructing trilinear maps. The blinding in [10] involving Weil descent can be regarded as a special case in our framework. In comparison, blinding using Weil descent is more restrictive, and its analysis is more complicated. The blinding techniques developed in this paper are more robust, more general, and easier to analyze. The trilinear maps constructed in this paper are efficiently computable. Under our algebraic blinding system, the relationship between the published entities and the hidden entities is described by algebraic conditions. Finding a point on an algebraic set defined by such conditions implies uncovering the blinding, at least partially up to local isomorphism. However, Theorem 12 shows that such an algebraic set has dimension at least linear in $n$ and involves $\Omega(n)$ variables, where $n$ is the security parameter. Solving such non-linear polynomial systems in general takes expected time $2^{O(n \log n)}$ if the polynomials are of bounded degree ([1,12]). Theorem 12 also shows that these algebraic sets are triply confusing and most likely uniformly confusing. These properties are defined and discussed in later sections.

The blinding scheme developed in this paper can be easily adapted to a broader context. However, to simplify presentation we restrict ourselves to the situation where the objects to be blinded are points and maps on $\prod_{i=1}^n V_i(K)$, where $V_i$ is an algebraic set contained in $\bar k^2$ defined over a finite field $K$, an extension of a smaller finite field $k = \mathbb F_q$. For the trilinear map construction $V_i$ will be an elliptic curve isomorphic over $K$ to some elliptic curve $E$ chosen from an isogeny class of pairing friendly elliptic curves, and $n$ is linear in the security parameter.

In this restrictive framework, a basic blinding map $\rho$ is an isomorphism over $K$ from a subset $W$ of $\bar k^{3n}$ onto $\bar k^{2n}$. Let $\hat V$ be the inverse image of $\prod_{i=1}^n V_i$ under $\rho$. We say that $\prod_{i=1}^n V_i$ is blinded in $\hat V$ by the secret map $\rho$, and that $(\alpha_i)_{i=1}^n \in \prod_{i=1}^n V_i(K)$ is blinded in $\hat\alpha \in \hat V(K)$ if $\rho(\hat\alpha) = (\alpha_i)_{i=1}^n$.

The maps to be blinded are local in nature. For example, a map that arises in the trilinear map construction is of the form $\varphi = (\varphi_i)_{i=1}^n : \prod_{i=1}^n V_i \to \prod_{i=1}^n V_i$, where $\varphi_i : \prod_{j=1}^n V_j \to V_i$ is of locality two in the sense that $\varphi_i((\alpha_j)_{j=1}^n)$ depends only on $\alpha_{i_1}$ and $\alpha_{i_2}$ for some $i_1$ and $i_2$. More specifically, $V_i$ is isomorphic to an elliptic curve $E$ for all $i$, and $\varphi_i((\alpha_j)_{j=1}^n)$ is the point on $V_i \simeq E$ corresponding to the sum of the points $\alpha_{i_1} \in V_{i_1} \simeq E$ and $\alpha_{i_2} \in V_{i_2} \simeq E$. Thus $\varphi$ determines an element of $\operatorname{End}(E^n[\ell])$ when restricted to $\prod_{i=1}^n V_i[\ell]$, and can be identified with $M \in \operatorname{Mat}_n(\mathbb F_\ell) \subset \operatorname{End}(E^n[\ell])$, where the $i$-th row of $M$ is all 0s except for two 1s at the entries $(i, i_1)$ and $(i, i_2)$.

The secret map $\varphi$, hence the secret matrix $M$, is blinded in $\hat\varphi = \rho^{-1} \varphi \rho : \hat V \to \hat V$. Suppose $\rho(\hat\alpha) = (\alpha_i)_{i=1}^n$, $\rho(\hat\beta) = (\beta_i)_{i=1}^n$ and $\hat\varphi(\hat\alpha) = \hat\beta$. Then $(\hat\alpha, \hat\beta)$ hides the pair $(\alpha_i)_{i=1}^n$, $(\beta_i)_{i=1}^n$ and the fact that $\beta_i = \varphi_i(\alpha_{i_1}, \alpha_{i_2})$.

We make some remarks about the security of blinding. Suppose $\hat\varphi$ is specified and made accessible to the public. If $\rho$ can be efficiently discovered, say from evaluations of $\hat\varphi$ at publicly available sampled points of $\hat V$, then the blinding is certainly insecure, since $\varphi$ is revealed as $\varphi = \rho \hat\varphi \rho^{-1}$. More generally we consider the blinding compromised if some $\rho' : W \to \bar k^{2n}$ and $\varphi' = (\varphi'_i)_{i=1}^n : \prod_{i=1}^n V'_i \to \prod_{i=1}^n V'_i$ of locality 2 can be efficiently constructed in public such that $\rho'$ maps $\hat V$ isomorphically onto $\prod_{i=1}^n V'_i$ and $\rho'^{-1} \varphi' \rho' = \hat\varphi$. Let $\rho' = (\rho'_i)_{i=1}^n$ where $\rho'_i : \bar k^{3n} \to \bar k^2$. If $\rho'^{-1} \varphi' \rho' = \hat\varphi$ then $\varphi'_i \circ (\rho'_{i_1}, \rho'_{i_2}) = \rho'_i \hat\varphi$ for $i = 1, \dots, n$. We also consider the blinding compromised if for some $i$, $\rho'_{i_1}$, $\rho'_{i_2}$, $\rho'_i$ and $\varphi'_i$ are found such that $\varphi'_i \circ (\rho'_{i_1}, \rho'_{i_2}) = \rho'_i \hat\varphi$. The left hand side of this equality, $\varphi'_i \circ (\rho'_{i_1}, \rho'_{i_2})$, is an example of the semi-local decompositions studied below.

Our blinding system involves maps from general linear groups, quadratic isomorphisms of affine spaces of small dimension, and Frobenius twists.
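The following is an added worked example, not code from the paper: a toy instance of the basic blinding map just described, built from the local quadratic isomorphisms $\lambda_{p,q}$ and the blinding space $W = \delta^{-1}\prod W_i$ defined in the following sections. It works over a small prime field standing in for $K$, replaces each curve $V_i$ by the affine plane with vector addition standing in for point addition, and checks that a point $\alpha$ blinded in $\hat\alpha \in W$ satisfies $\rho(\hat\alpha) = \alpha$, that $\hat\varphi = \rho^{-1}\varphi\rho$ carries $\hat\alpha$ to a point blinding $\varphi(\alpha)$ for a locality-two map $\varphi$, and that a random point of $\bar k^{3n}$ is not on $W$. The field size, $n$, the pairs $(i_1,i_2)$ and all random parameters are assumptions of the example.

```python
# Added example, not from the paper: a toy basic blinding map over a small prime
# field F_P standing in for K.  Each V_i is replaced by the affine plane F_P^2 with
# vector addition standing in for point addition on an elliptic curve; the field,
# n and every random parameter are assumptions of this example.
import random

P = 1_000_003  # toy prime; the paper uses a large extension field K of k = F_q


def inv(a):
    return pow(a % P, P - 2, P)


def mat_vec(M, v):
    return tuple(sum(m * x for m, x in zip(row, v)) % P for row in M)


def mat_inv(M):
    """Gauss-Jordan inverse of a square matrix over F_P; raises ValueError if singular."""
    k = len(M)
    A = [list(r) + [int(i == j) for j in range(k)] for i, r in enumerate(M)]
    for c in range(k):
        piv = next((r for r in range(c, k) if A[r][c] % P), None)
        if piv is None:
            raise ValueError("singular")
        A[c], A[piv] = A[piv], A[c]
        ic = inv(A[c][c])
        A[c] = [x * ic % P for x in A[c]]
        for r in range(k):
            if r != c and A[r][c] % P:
                f = A[r][c]
                A[r] = [(x - f * y) % P for x, y in zip(A[r], A[c])]
    return [r[k:] for r in A]


def random_gl(k, rng):
    """A random element of Gl_k(F_P) together with its inverse."""
    while True:
        M = [[rng.randrange(P) for _ in range(k)] for _ in range(k)]
        try:
            return M, mat_inv(M)
        except ValueError:
            continue


class LocalQuadratic:
    """lambda = B o lambda_{p,q} o A on F_P^3, lambda_{p,q}(x,y,z) = (x, y+p(x), z+q(x,y))."""

    def __init__(self, rng):
        (self.A, self.Ai), (self.B, self.Bi) = random_gl(3, rng), random_gl(3, rng)
        self.p = [rng.randrange(P) for _ in range(3)]  # p(x) = p0 + p1 x + p2 x^2
        self.q = [rng.randrange(P) for _ in range(6)]  # q(x,y): all monomials of degree <= 2

    def _p(self, x):
        p = self.p
        return (p[0] + p[1] * x + p[2] * x * x) % P

    def _q(self, x, y):
        q = self.q
        return (q[0] + q[1] * x + q[2] * y + q[3] * x * x + q[4] * x * y + q[5] * y * y) % P

    def apply(self, v):  # lambda(v) = (f1(v), f2(v), f3(v))
        x, y, z = mat_vec(self.A, v)
        return mat_vec(self.B, (x, (y + self._p(x)) % P, (z + self._q(x, y)) % P))

    def inverse(self, w):  # mu = lambda^{-1}: undo B, then lambda_{p,q}, then A
        x, y2, z2 = mat_vec(self.Bi, w)
        y = (y2 - self._p(x)) % P
        return mat_vec(self.Ai, (x, y, (z2 - self._q(x, y)) % P))


class BasicBlinding:
    """W = delta^{-1} prod W_i with rho_i = pr o lambda_i o delta_i, as in the text."""

    def __init__(self, n, rng):
        self.n = n
        self.lams = [LocalQuadratic(rng) for _ in range(n)]
        self.delta, self.delta_inv = random_gl(3 * n, rng)

    def _local(self, v):  # (lambda_i o delta_i)(v) = (F_i1, F_i2, F_i3)(v) for each i
        d = mat_vec(self.delta, v)
        return [lam.apply(d[3 * i:3 * i + 3]) for i, lam in enumerate(self.lams)]

    def rho(self, v):  # basic blinding map F_P^{3n} -> (F_P^2)^n
        return [f[:2] for f in self._local(v)]

    def rho_inv(self, pts):  # inverse on W: delta^{-1} applied to (mu_i(x, y, y))_i
        w = [c for lam, (x, y) in zip(self.lams, pts) for c in lam.inverse((x, y, y))]
        return mat_vec(self.delta_inv, w)

    def on_W(self, v):  # W is the zero set of F_i2 - F_i3, i = 1..n
        return all((f[1] - f[2]) % P == 0 for f in self._local(v))


def phi(pts, pairs):
    """Locality-two map: coordinate i becomes the sum of coordinates i1, i2 (toy for point addition)."""
    return [((pts[a][0] + pts[b][0]) % P, (pts[a][1] + pts[b][1]) % P) for a, b in pairs]


def demo(n=3, seed=5):
    rng = random.Random(seed)
    bl = BasicBlinding(n, rng)
    alpha = [(rng.randrange(P), rng.randrange(P)) for _ in range(n)]
    pairs = [((i + 1) % n, (i + 2) % n) for i in range(n)]  # (i1, i2) for each row of M
    alpha_hat = bl.rho_inv(alpha)                          # alpha blinded in alpha_hat
    beta_hat = bl.rho_inv(phi(bl.rho(alpha_hat), pairs))   # phi_hat = rho^{-1} o phi o rho
    off_W = tuple(rng.randrange(P) for _ in range(3 * n))  # a random point of F_P^{3n}
    return (bl.on_W(alpha_hat) and bl.rho(alpha_hat) == alpha
            and bl.on_W(beta_hat) and bl.rho(beta_hat) == phi(alpha, pairs)
            and not bl.on_W(off_W))
```

Note that `rho_inv` is only a right inverse of `rho` on $W$: it realises $\tilde\mu_i(x,y) = \mu_i(x,y,y)$, so its image is exactly the zero set of the $F_{i2} - F_{i3}$, which is what `on_W` tests. The check on `off_W` shows that a point of $\bar k^{3n}$ drawn outside $W$ does not satisfy these conditions, so publishing $\hat\alpha$ and $\hat\beta$ as points of $W$ is what ties them to the hidden $\alpha$ and $\beta$.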
Maps from general linear groups

Let $\operatorname{Gl}_m(K)$ be the general linear group over $K$, where each $A \in \operatorname{Gl}_m(K)$ is identified with an $m \times m$ invertible matrix $(a_{ij})$ with $a_{ij} \in K$ for $1 \le i, j \le m$, so that for $x = (x_1, \dots, x_m) \in \bar k^m$, $A(x) = (\sum_{j=1}^m a_{ij} x_j)_{i=1}^m$.

Suppose the algebraic set to be blinded is the product of $n$ algebraic sets contained in $\bar k^2$. Then the general linear groups involved are $\operatorname{Gl}_m(K)$ with $m = 3n$ and $m = 2, 3$.

Local quadratic isomorphisms
Let $p(x) \in K[x]$ and $q(x, y) \in K[x, y]$ with $\deg p(x) = \deg q(x, y) = 2$. Then $(x, y, z) \mapsto (x,\ y + p(x),\ z + q(x, y))$ defines an isomorphism $\bar k^3 \to \bar k^3$, denoted $\lambda_{p,q}$; its inverse $(x, y, z) \mapsto (x,\ y - p(x),\ z - q(x, y - p(x)))$ is again polynomial.

Let $A, B \in \operatorname{Gl}_3(K)$ and let $p(x) \in K[x]$, $q(x, y) \in K[x, y]$ with $\deg p(x) = \deg q(x, y) = 2$. Then $\lambda = B \circ \lambda_{p,q} \circ A$ defines an isomorphism $\bar k^3 \to \bar k^3$. For $\mathbf x \in \bar k^3$, $\lambda(\mathbf x) = (f_i(\mathbf x))_{i=1}^3$, where $f_i$ is a quadratic polynomial in $K[x, y, z]$ for $i = 1, 2, 3$. For random choices of $p, q, A, B$ the $f_i$ are most likely dense.

Blinding space and blinding maps
Let $\lambda = B \circ \lambda_{p,q} \circ A$ be as discussed above, with $A, B \in \operatorname{Gl}_3(K)$ and $p(x) \in K[x]$, $q(x, y) \in K[x, y]$ of degree 2. Let $\mu = \lambda^{-1}$. Let $\tilde\mu : \bar k^2 \to \bar k^3$ be the map $\tilde\mu(x, y) = \mu(x, y, y)$, and let $W_\lambda$ be the image of $\bar k^2$ under $\tilde\mu$. Then $W_\lambda$ is isomorphic to $\bar k^2$.

We form a blinding space $W \subset \bar k^{3n}$, isomorphic to $\bar k^{2n}$, as follows. For $i = 1, \dots, n$, choose a random $\lambda_i = B_i \circ \lambda_{p_i, q_i} \circ A_i$ in the manner discussed above, with $A_i, B_i \in \operatorname{Gl}_3(K)$ and $p_i(x) \in K[x]$, $q_i(x, y) \in K[x, y]$ with $\deg p_i(x) = \deg q_i(x, y) = 2$. Let $W_i = W_{\lambda_i}$. Thus $W_i$ is the zero set of $f_{i2} - f_{i3}$, where $\lambda_i(\mathbf x) = (f_{ij}(\mathbf x))_{j=1}^3$ with $\mathbf x = (x, y, z)$. Choose a random $\delta \in \operatorname{Gl}_{3n}(K)$ and let $W = \delta^{-1} \prod_{i=1}^n W_i$.

Write $\delta = (\delta_i)_{i=1}^n : \bar k^{3n} \to \prod_{i=1}^n \bar k^3$ with $\delta_i : \bar k^{3n} \to \bar k^3$ given by linear forms $L_{ij}$, $j = 1, 2, 3$, in $3n$ variables. For $i = 1, \dots, n$, $\lambda_i \circ \delta_i = (F_{ij})_{j=1}^3$ where $F_{ij} = f_{ij} \circ (L_{i1}, L_{i2}, L_{i3})$ for $j = 1, 2, 3$. Let $\rho_i = \operatorname{pr} \circ \lambda_i \circ \delta_i = (F_{i1}, F_{i2})$, where $\operatorname{pr}$ denotes the projection $\bar k^3 \to \bar k^2$, $(x, y, z) \mapsto (x, y)$. Then $W_i = \delta_i(W)$ and $W$ is the zero set of $\{F_{i2} - F_{i3} : i = 1, \dots, n\}$.

The basic blinding map associated with the blinding space $W$ is $\rho = (\rho_i)_{i=1}^n : \bar k^{3n} \to \prod_{i=1}^n \bar k^2$. It maps $W$ isomorphically onto $\bar k^{2n}$.

Frobenius twists
Suppose $[K : k] = d$. For simplicity we assume $d = O(n)$. Let $\tau$ denote the Frobenius map $x \mapsto x^q$ on $\bar k$, and write $\tau_a$ for $\tau^a$, $a \in \mathbb Z$. For $0 \le a, b \le d - 1$, let $\tau_{a,b} : \bar k^2 \to \bar k^2$ be the map $\tau_{a,b}(x, y) = (\tau_a(x), \tau_b(y)) = (x^{q^a}, y^{q^b})$ for $x, y \in \bar k$.

A blinding map on $W$ is the basic blinding map twisted locally by Frobenius, that is, $(\tau_{a_i, b_i} \circ \rho_i)_{i=1}^n$ with $0 \le a_i, b_i \le d - 1$ for $i = 1, \dots, n$.

Weil descent as a special case
Suppose $V \subset \bar k^2$ is an elliptic curve defined over $K$, and $[K : k] = d$ as above. Then a Weil descent of $V$ from $K$ to $k$ can be identified with $\hat E = \delta^{-1} \prod_{i=0}^{d-1} V_i$, where $V_i = V^{\tau^i}$ for $i = 0, \dots, d - 1$ and $\delta \in \operatorname{Gl}_{2d}(K)$ is determined by a basis $\theta$ of $K$ over $k$ as follows. Organize the coordinates of $\bar k^{2d}$ in two vectors $\hat x = (x_0, \dots, x_{d-1})$ and $\hat y = (y_0, \dots, y_{d-1})$. For $\alpha = (\alpha_i)_{i=0}^{d-1}$ and $\beta = (\beta_i)_{i=0}^{d-1}$ in $\bar k^d$, let $\langle \alpha, \beta \rangle = \sum_{i=0}^{d-1} \alpha_i \beta_i$. Then $\delta = (\delta_i)_{i=0}^{d-1}$, where $\delta_i(\hat x, \hat y) = (\langle \hat x, \theta^{\tau^i} \rangle, \langle \hat y, \theta^{\tau^i} \rangle) \in V_i$ for $i = 0, \dots, d - 1$. Note that $\delta$ is determined by the matrix in $\operatorname{Gl}_d(K)$ with $\theta^{\tau^i}$ as its $i$-th row for $i = 0, \dots, d - 1$.

The analysis in [10] shows that Weil descent alone is not sufficient for the purpose of blinding; as a result, additional local birational maps are involved in the trilinear map construction there. However, the restrictive nature of $\delta$, especially the fact that $\delta$ is determined by a $K/k$-basis, complicates both the construction and the analysis. In contrast, the techniques developed in this paper are more general and more robust at the same time.

In this paper we focus on basic blinding maps for the most part, since they are sufficient for our purposes. We remark that adding Frobenius twists to basic blinding maps provides an additional layer of protection and lets us exploit the fact that the functions and maps of interest are applied to $K$-rational points. Blinding maps with Frobenius twists are discussed in a later section.

Trilinear map construction

To construct a trilinear map we start by choosing from the isogeny class of a pairing friendly elliptic curve some
$E/K$ defined by $y^2 = x^3 + ax + b$ with $a, b \in K$. Suppose $E[\ell] \subset E(K)$, and $\log \ell$ and $\log |K|$ are linear in the security parameter $n$. In case Frobenius twists are involved in forming the blinding map, we assume $K$ is a finite extension of a finite field $k = \mathbb F_q$ with $[K : k] = O(n)$, and a basis of $K/k$ is published. The curve $E$ is considered secret.

Our trilinear map is derived from a blinded version of the following map:
$$E[\ell]^n \times E[\ell]^n \times \operatorname{Mat}_n(\mathbb F_\ell) \to \mu_\ell, \qquad (\alpha, \beta, M) \mapsto e(\alpha, M(\beta)),$$
where $\alpha, \beta \in E[\ell]^n$, $M \in \operatorname{Mat}_n(\mathbb F_\ell)$ is identified with an element of $\operatorname{End}(E[\ell]^n)$, and $e$ is the non-degenerate bilinear pairing on $E[\ell]^n$ naturally induced by the Weil pairing on $E[\ell]$.

For $A \in \operatorname{Gl}_2(K)$, let $E^A$ denote the elliptic curve which is the image of $E$ under $A$. Let $\iota$ denote the inversion map $(x, y) \mapsto (x^{-1}, y^{-1})$, and let $E^{\iota A}$ denote the image of $E^A$ under $\iota$. Consider the set
$$\Bigl\{ E^{\iota A} : A = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \operatorname{Gl}_2(K),\ \text{neither } a = d = 0 \text{ nor } b = c = 0 \Bigr\}.$$
Choose $E_i$, $i = 1, \dots, n$, randomly from this family. The reason for considering the set of $E^{\iota A}$ will be made clear below. Let $\rho = (\rho_i)_{i=1}^n$ be a random basic blinding map and let $\hat E = \rho^{-1} \prod_{i=1}^n E_i$.

Choose $\alpha, \beta \in E[\ell]^n$ such that $e(\alpha, \beta) \neq 1$. Note that $e$ is the natural extension of the Weil pairing $e_E$ on $E$, so that for $\alpha = (\alpha_i)_{i=1}^n$ and $\beta = (\beta_i)_{i=1}^n$ in $E[\ell]^n$ with $\alpha_i, \beta_i \in E[\ell]$ for $i = 1, \dots, n$, $e(\alpha, \beta) = \prod_{i=1}^n e_E(\alpha_i, \beta_i)$. Let $\hat\alpha, \hat\beta \in \hat E[\ell]$ be the points corresponding to $\alpha$ and $\beta$ under $\hat E \xrightarrow{\rho} \prod_{i=1}^n E_i \simeq E^n$. Let $G_1$ and $G_2$ be the groups generated by $\hat\alpha$ and $\hat\beta$ respectively; they are the first two groups in the trilinear map. The points $\hat\alpha$ and $\hat\beta$ are made public, while $\alpha$ and $\beta$ are secret. The addition map $\hat m$ on $\hat E[\ell]$ serves as the group law in both $G_1$ and $G_2$.

Choose a set of $N = O(n)$ matrices $M_i \in \operatorname{Gl}_n(\mathbb F_\ell)$ such that each row of $M_i$ has exactly two non-zero entries, both equal to 1, and such that the matrices $M_i$ together with the identity matrix $M_0$ generate $\operatorname{Mat}_n(\mathbb F_\ell)$ as an $\mathbb F_\ell$-algebra. Associate $M_i$ with the endomorphism $\varphi_i \in \operatorname{End}(\prod_{i=1}^n E_i) \simeq \operatorname{End}(E^n)$ as follows. Suppose $\alpha \in \prod_{i=1}^n E_i[\ell]$ is identified with $(\alpha_i)_{i=1}^n$, $\alpha_i \in E[\ell]$, under $\prod_{i=1}^n E_i[\ell] \simeq E^n[\ell]$. If $(j, j_1)$ and $(j, j_2)$ are the two non-zero entries of the $j$-th row of $M_i$, then $\varphi_i(\alpha)$ is identified with $(\beta_j)_{j=1}^n$ where $\beta_j = m(\alpha_{j_1}, \alpha_{j_2})$. Let $\hat\varphi_i = \rho^{-1} \circ \varphi_i \circ \rho$ for $i = 1, \dots, N$.

Let $R = \mathbb F_\ell \langle z_1, \dots, z_N \rangle$ be the associative non-commutative $\mathbb F_\ell$-algebra generated by the variables $z_1, \dots, z_N$. Define an action of $R$ on $\hat E[\ell]$ so that $z_i$ acts by $\hat\varphi_i$ for $i = 1, \dots, N$. This is compatible with the action of $R$ on $E^n[\ell]$ in which $z_i$ acts by $M_i$. Let $\Lambda$ be the kernel of the $\mathbb F_\ell$-algebra morphism $\lambda : R \to \operatorname{Mat}_n(\mathbb F_\ell)$ determined by $\lambda(z_i) = M_i$, $i = 1, \dots, N$.

We are ready to describe the trilinear map $G_1 \times G_2 \times G_3 \to \mu_\ell \subset K^*$. The groups $G_1$ and $G_2$ are generated respectively by some $\hat\alpha, \hat\beta \in \hat E[\ell]$ with $\hat e(\hat\alpha, \hat\beta) \neq 1$. The group $G_3 = \mathbb F_\ell$ is identified with $(\mathbb F_\ell + \Lambda)/\Lambda$. In general $a \in \mathbb F_\ell$ can be represented by any polynomial in $a + \Lambda$. However, for efficiency we only choose polynomials in $a + \Lambda$ of degree $n^{O(1)}$ whose number of terms with nonzero coefficients is bounded by $n^{O(1)}$. For simplicity let $[a]$ denote the subset of $f \in a + \Lambda$ such that $f$ is a linear polynomial plus a term of degree $n$. More general $f \in a + \Lambda$ could be included in $[a]$ as long as the support of $f$ is polynomially bounded in $n$; the choice just made is simple but sufficient for our purposes. More explicitly, we use the following procedure to encode $a \in \mathbb F_\ell$.

Private encoding

To encode $a \in \mathbb F_\ell$, choose random $i_1, \dots, i_n \in \{1, \dots, N\}$, then find $c$ and $b_0, \dots, b_N \in \mathbb F_\ell$ such that $c M_{i_1} \cdots M_{i_n} + \sum_{i=0}^N b_i M_i = a M_0$. Then set $f = c z_{i_1} \cdots z_{i_n} + \sum_{i=0}^N b_i z_i$, with $z_0 = 1$. We have $f \in [a]$. Note that $c$ and the $b_i$ can be found by simple linear algebra once $M = M_{i_1} \cdots M_{i_n}$ is computed.

For $a, b, c \in \mathbb F_\ell$ and $f \in [c]$, the trilinear map sends $(a\hat\alpha, b\hat\beta, f)$ to $\hat e(a\hat\alpha, f(b\hat\beta)) = \zeta^{abc}$, where $\zeta = \hat e(\hat\alpha, \hat\beta)$. Note that for $\gamma \in \hat E[\ell]$, $f(\gamma) = c\, \hat\varphi_{i_1} \cdots \hat\varphi_{i_n}(\gamma) + \sum_{i=0}^N b_i \hat\varphi_i(\gamma)$, with $\hat\varphi_0$ the identity. For the computation of $\hat e$ two functions $\hat g$ and $\hat h$ are specified, both products of semi-local functions of bounded degree, as will be discussed below.

To summarize the discussion up to this point: in constructing the trilinear map a secret random blinding map $\rho$ is applied to $\prod_{i=1}^n E_i$, where each $E_i$ is of the form $E^{\iota A}$ with secret random $A = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \operatorname{Gl}_2(K)$, neither $a = d = 0$ nor $b = c = 0$, and $E$ is a secret random elliptic curve from the isogeny class of a pairing friendly elliptic curve. The trilinear map is publicized by specifying the following:
– $\hat\alpha, \hat\beta \in \hat E[\ell] \subset K^{3n}$,
– the addition morphism $\hat m$, with the doubling map as a separate special case,
– a set of maps of bounded locality $\hat\varphi_i$, $i = 1, \dots, N$, where $N = O(n)$,
– two functions $\hat g$ and $\hat h$ for the computation of $\hat e$.

The addition map and doubling map on $\hat E[\ell]$, as well as the maps $\hat\varphi_i$, $i = 1, \dots, N$, will be specified using the methods developed in §3.
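The following is an added worked example, not code from the paper: a toy of the unblinded map $E[\ell]^n \times E[\ell]^n \times \operatorname{Mat}_n(\mathbb F_\ell) \to \mu_\ell$ on which the construction is based. It models $E[\ell]$ by the group $\mathbb F_\ell^2$ and the Weil pairing by the alternating form $\omega(P, Q) = P_1 Q_2 - P_2 Q_1$ (written additively, as exponents of $\zeta$), builds matrices $M_i$ with two 1s per row, checks that $(a\hat\alpha, b\hat\beta, f)$ with $f$ acting as $cM_0$ evaluates to $\zeta^{abc}$, that a monomial $z_{i_1} \cdots z_{i_m}$ acts as the product $M_{i_1} \cdots M_{i_m}$, and it also carries out the self-pairing check $\hat e(a\hat\alpha, \hat\varphi_i(b\hat\alpha)) = \hat e(\hat\alpha, \hat\varphi_i(ab\hat\alpha))$ that the DDH discussion below uses to argue for a second blinding. The prime, $n$, the matrices and the points are assumptions of the example; nothing in it is blinded.

```python
# Added example, not from the paper: the unblinded map
#   E[l]^n x E[l]^n x Mat_n(F_l) -> mu_l,  (alpha, beta, M) -> e(alpha, M(beta)),
# with E[l] modelled by the group F_L^2 and the Weil pairing e_E by the alternating
# form w(P, Q) = P1*Q2 - P2*Q1, values written additively as exponents of zeta.
# The prime L, n, the matrices M_i and the points are assumptions of this example;
# nothing here is blinded.
import random

L = 1009  # toy prime l; in the paper log l is linear in the security parameter


def omega(p, q):
    """Alternating non-degenerate form on F_L^2 standing in for e_E(P, Q)."""
    return (p[0] * q[1] - p[1] * q[0]) % L


def pairing(alpha, beta):
    """e(alpha, beta) = prod_i e_E(alpha_i, beta_i), returned as an exponent mod L."""
    return sum(omega(a, b) for a, b in zip(alpha, beta)) % L


def scale(a, alpha):
    return [((a * x) % L, (a * y) % L) for x, y in alpha]


def act(M, beta):
    """M in Mat_n(F_L) acting on (F_L^2)^n through the index i, as an element of End(E[l]^n)."""
    n = len(beta)
    return [(sum(M[j][k] * beta[k][0] for k in range(n)) % L,
             sum(M[j][k] * beta[k][1] for k in range(n)) % L) for j in range(n)]


def trilinear(alpha, beta, M):
    return pairing(alpha, act(M, beta))


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def mat_mul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % L for j in range(n)] for i in range(n)]


def two_ones_matrix(n, rng):
    """Row j has 1s at (j, j1) and (j, j2): the matrix of phi_j(alpha) = alpha_{j1} + alpha_{j2}."""
    M = [[0] * n for _ in range(n)]
    for j in range(n):
        j1, j2 = rng.sample(range(n), 2)
        M[j][j1] = M[j][j2] = 1
    return M


def word(Ms, idx):
    """lambda(z_{i_1} ... z_{i_m}) = M_{i_1} ... M_{i_m}: the matrix of a monomial of R."""
    M = identity(len(Ms[0]))
    for i in idx:
        M = mat_mul(M, Ms[i])
    return M


def demo(n=6, seed=7):
    rng = random.Random(seed)
    alpha = [(rng.randrange(L), rng.randrange(L)) for _ in range(n)]
    beta = [(rng.randrange(L), rng.randrange(L)) for _ in range(n)]
    Ms = [two_ones_matrix(n, rng) for _ in range(3)]
    a, b, c = (rng.randrange(1, L) for _ in range(3))
    zeta = pairing(alpha, beta)  # exponent of zeta = e(alpha, beta)

    # f in [c] acts as c * M_0 on E[l]^n; then e(a alpha, f(b beta)) = zeta^{abc}
    f = [[(c * x) % L for x in row] for row in identity(n)]
    ok_trilinear = trilinear(scale(a, alpha), scale(b, beta), f) == (a * b * c * zeta) % L

    # the monomial z_0 z_2 z_1 z_0 acts as the composite of the phi's, i.e. as the product matrix
    W = word(Ms, [0, 2, 1, 0])
    ok_word = act(W, beta) == act(Ms[0], act(Ms[2], act(Ms[1], act(Ms[0], beta))))

    # self-pairing on one group: e(a alpha, M(b alpha)) = e(alpha, M(ab alpha)), so ab*alpha
    # is recognisable from a*alpha and b*alpha whenever e(alpha, M(alpha)) != 1
    M = Ms[1]
    ok_self = (trilinear(scale(a, alpha), scale(b, alpha), M)
               == trilinear(alpha, scale((a * b) % L, alpha), M)
               and trilinear(alpha, alpha, M) != 0)
    return ok_trilinear and ok_word and ok_self
```

The third check is the reason the construction uses a second blinding $\rho'$ for $G_1$: as long as the same group sits on both sides of the pairing and some public $\hat\varphi_i$ acts on it, $\hat e(\hat\alpha, \hat\varphi_i(\cdot))$ is a self-pairing and DDH tuples in $G_1$ can be recognised.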
In a later section $\hat e$ is explicitly defined and specified, and efficiently computed using the specification of two functions $\hat g$ and $\hat h$, both products of semi-local functions of bounded degree.

Security of blinding

The following theorem addresses the security of blinding. It is a simplified version of Theorem 12, which will be proven later.

Theorem 1.

The information contained in the specification of the trilinear map can be described by $n^{O(1)}$ algebraic conditions in $N$ unknowns, where $N = n^{O(1)}$ and $N = \Omega(n)$. These algebraic conditions describe the relation between the published polynomials and the hidden polynomials, which include the secret quadratic polynomials that determine the basic blinding map involved in the trilinear map construction. Let $\tilde V_T$ be the algebraic set determined by these conditions, and let $\tilde V_{\langle T \rangle}$ be the algebraic set determined by the same conditions but with the quadratic polynomials of the basic blinding map expressed in terms of the blinding parameters. Then around every point of $\tilde V_T$ (resp. $\tilde V_{\langle T \rangle}$) an algebraic set of dimension $\Omega(n^2)$ (resp. $\Omega(n)$) can be embedded.

We remark that $\tilde V_T$ and $\tilde V_{\langle T \rangle}$ can be described in terms of generically constructed polynomial equations of bounded degree with partial specializations determined by the coefficients of the published polynomials (see below). Finding a point on $\tilde V_T$ or $\tilde V_{\langle T \rangle}$, which by Theorem 1 is of positive dimension $\Omega(n)$, takes expected time $2^{O(N \log N)}$, where $N$ is the number of unknowns involved and $N = \Omega(n)$ ([1,12]). Therefore Theorem 1 provides evidence that the blinding is secure. In addition, it will be shown in Theorem 12 that $\tilde V_T$ and $\tilde V_{\langle T \rangle}$ have additional properties which we call triply confusing. They are also most likely uniformly confusing (see below). These properties make it unlikely that finding points on $\tilde V_T$ or $\tilde V_{\langle T \rangle}$ can be efficiently reduced to sampling points on a zero dimensional set (see below).

Trapdoor discrete logarithm
Besides the security of blinding, the cryptographic strength of the trilinear map also depends on the hardness of the discrete logarithm problem on the third group $G_3$. It is a trapdoor discrete logarithm problem, which we describe below in more general terms since it may be of independent interest.

Let $E$ be an elliptic curve defined over a finite field $K$. We remark that for the problem defined here $E$ is secret but not necessarily pairing friendly. Let $\log |K|$, $\log \ell$ and $n$ be linear in the security parameter. The trapdoor secret consists of the following, described earlier in this section:
1. $\rho$, a randomly chosen blinding map,
2. $\hat E = \rho^{-1} \prod_{i=1}^n E_i$,
3. $M_1, \dots, M_N \in \operatorname{Gl}_n(\mathbb F_\ell)$ with $N = O(n)$, such that each row of $M_i$ has exactly two non-zero entries, both equal to 1, and the matrices $M_i$ together with the identity matrix $M_0$ generate $\operatorname{Mat}_n(\mathbb F_\ell)$ as an $\mathbb F_\ell$-algebra,
4. $R = \mathbb F_\ell \langle z_1, \dots, z_N \rangle$, the non-commutative associative algebra over the free variables $z_1, \dots, z_N$.
The following are publicly specified:
1. $\hat\beta \in \hat E[\ell]$,
2. $\hat\varphi_1, \dots, \hat\varphi_N \in \operatorname{End}(\hat E[\ell])$ (where $\hat\varphi_i$ corresponds to $\varphi_i$, hence to $M_i$, as discussed before, both $\varphi_i$ and $M_i$ being secret),
3. $\hat m$, where $m : E \times E \to E$ is the secret addition morphism.
The discrete logarithm problem is: given $f \in R$ supported on $1, z_1, \dots, z_N$ and a monomial of degree $n$, determine $a \in \mathbb F_\ell$ such that $f(\hat\varphi_1, \dots, \hat\varphi_N)(\hat\beta) = a\hat\beta$. In other words, given $f \in [a]$ with $a$ unknown, the problem is to find $a$.

We assume that $n^{O(1)}$ random samples of $[0]$ are publicly available. The set $[0]$ contains at least $N^n$ linearly independent polynomials, since there are $N^n$ (non-commutative) monomials of degree $n$. Suppose $f \in [a]$. The probability that $f - a$ is linearly dependent on the $s = n^{O(1)}$ samples is negligibly small since $s \ll N^n$. Therefore it seems very unlikely that an efficient linear algebra attack can be mounted unless the trapdoor secret map $\lambda : R \to \operatorname{Mat}_n(\mathbb F_\ell)$ is revealed.

In the formulation above, it is not clear whether the discrete logarithm problem can even be solved in subexponential time. In the setting of the trilinear map, an efficiently computable pairing $\hat e$ between $G_1$ and $G_2$ is also made available. Therefore the discrete logarithm problem in $G_3$ can be solved in subexponential time after a reduction through $\hat e$ to the group $\mu_\ell \subset K^*$: given $f \in [a]$, one computes $\hat e(\hat\alpha, f(\hat\beta)) = \zeta^a$ and solves for $a$ in $\mu_\ell$.

The Decision-Diffie-Hellman (DDH) assumption
It is easy to modify the trilinear map construction so that the Decision-Diffie-Hellman (DDH) assumption is conjecturally satisfied on the pairing groups. We use a random blinding $\rho$ to construct $\hat E$, and form $\hat\beta$, $G_2$ and the $\hat\varphi_i$ as above. Then we use a different random blinding $\rho'$ to construct $\hat E' = \rho'^{-1} \prod_{i=1}^n E_i$, and form $\hat\alpha \in \hat E'[\ell]$ such that $\hat\alpha$ corresponds to $\alpha$ under $\hat E' \xrightarrow{\rho'} \prod_{i=1}^n E_i \simeq E^n$. The pairing $\hat e$ is now between $\hat E'[\ell]$ and $\hat E[\ell]$.

We note that if the same blinding $\rho$ is used to form $G_1$ as before, and $\hat e$ is a pairing between $\hat E[\ell]$ and $\hat E[\ell]$, then the group $G_1$ may not satisfy the DDH assumption. The reason is that we may heuristically assume $\hat e(\hat\alpha, \hat\varphi_i(\hat\alpha)) \neq 1$ for some $i$, so $\hat\varphi_i$ induces a non-degenerate self-pairing on $G_1$. Given $a\hat\alpha$, $b\hat\alpha$ and a candidate $\gamma$ for $ab\hat\alpha$, one checks whether
$$\hat e(a\hat\alpha, \hat\varphi_i(b\hat\alpha)) = \hat e(\hat\alpha, \hat\varphi_i(\gamma)),$$
which holds exactly when $\gamma = ab\hat\alpha$ by bilinearity and non-degeneracy of the self-pairing. When a different blinding $\rho'$ is used to form $\hat E'$, no map from $\hat E'[\ell]$ to $\hat E[\ell]$ is available to induce a self-pairing on $G_1$. Similar remarks apply to $G_2$.

We continue our study of algebraic blinding techniques, especially techniques for specifying functions and maps. As before we form a basic blinding map $\rho$ by choosing a random $\delta \in \operatorname{Gl}_{3n}(K)$ and, for $i = 1, \dots, n$, a random $\lambda_i = B_i \circ \lambda_{p_i, q_i} \circ A_i$ with $A_i, B_i \in \operatorname{Gl}_3(K)$ and $p_i(x) \in K[x]$, $q_i(x, y) \in K[x, y]$ with $\deg p_i(x) = \deg q_i(x, y) = 2$. Write $\delta = (\delta_i)_{i=1}^n : \bar k^{3n} \to \prod_{i=1}^n \bar k^3$ with $\delta_i : \bar k^{3n} \to \bar k^3$ given by linear forms $L_{ij}$, $j = 1, 2, 3$, in $3n$ variables. Write $\lambda_i(\mathbf x) = (f_{ij}(\mathbf x))_{j=1}^3$ where $\mathbf x = (x, y, z)$. The blinding space is $W = \delta^{-1} \prod_{i=1}^n W_i$, where $W_i$ is the zero set of $f_{i2} - f_{i3}$. For $i = 1, \dots, n$, $\lambda_i \circ \delta_i = (F_{ij})_{j=1}^3$ where $F_{ij} = f_{ij} \circ (L_{i1}, L_{i2}, L_{i3})$ for $j = 1, 2, 3$, and $\rho_i = \operatorname{pr} \circ \lambda_i \circ \delta_i = (F_{i1}, F_{i2})$, where $\operatorname{pr}$ denotes the projection $\bar k^3 \to \bar k^2$, $(x, y, z) \mapsto (x, y)$. Then $W_i = \delta_i(W)$ and $W$ is the zero set of $\{F_{i2} - F_{i3} : i = 1, \dots, n\}$. The basic blinding map associated with the blinding space $W$ is $\rho = (\rho_i)_{i=1}^n : \bar k^{3n} \to \prod_{i=1}^n \bar k^2$; it maps $W$ isomorphically onto $\bar k^{2n}$.

Ideal of ambivalence

The ideal $I$ generated by $F_{i2} - F_{i3}$, $1 \le i \le n$, is called the ideal of ambivalence, because for polynomials $H, H'$ such that $H - H' \in I$, $H$ and $H'$ define the same map $W \to \bar k$. Let $I_1$ be the $\bar k$-linear subspace of $I$ spanned by $F_{i2} - F_{i3}$, $1 \le i \le n$.

Theorem 2.

Let $\rho = (\rho_i)_{i=1}^n : W \to \bar k^{2n}$ be a basic blinding map with $\rho_i = (F_{i1}, F_{i2}) : W \to \bar k^2$, where the $F_{ij}$ are quadratic polynomials in $3n$ variables for $i = 1, \dots, n$ and $j = 1, 2$. Then $\rho_i = (H_{i1}, H_{i2}) : W \to \bar k^2$ for $i = 1, \dots, n$ if the $H_{ij}$ are polynomials such that $H_{ij} - F_{ij} \in I$ for $i = 1, \dots, n$ and $j = 1, 2$. The set of quadratic $(H_{ij})_{1 \le i \le n;\, j = 1, 2}$ that determine the same basic blinding map as $\rho$ is isomorphic to $\bar k^{2n^2}$.

Proof. The first assertion follows directly from the definition of $I$. For the second assertion, since the zero set of $I$, which is $W$, has dimension $2n$, the polynomials $F_{i2} - F_{i3}$, $i = 1, \dots, n$, are algebraically independent, hence linearly independent as well. Hence there is a linear isomorphism between $I_1$ and $\bar k^n$, and each of the $2n$ polynomials $H_{ij}$ ranges over $F_{ij} + I_1$. From this the second assertion follows. ✷

Lemma 1.
For $\alpha \in \bar k$, let $D_\alpha \in \operatorname{Gl}_3(\bar k)$ be the matrix
$$D_\alpha = \begin{pmatrix} 1 & \alpha & -\alpha \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}.$$
Consider a local quadratic isomorphism $\lambda = B \circ \lambda_{p,q} \circ A$ as described above. Let $\lambda_\alpha = D_\alpha \circ \lambda = B_\alpha \circ \lambda_{p,q} \circ A$ where $B_\alpha = D_\alpha B$. Then $W_\lambda = W_{\lambda_\alpha}$ and $\lambda = \lambda_\alpha : W_\lambda \to \bar k^3$.

Proof

Suppose $\lambda(\mathbf x) = (f_1(\mathbf x), f_2(\mathbf x), f_3(\mathbf x))$ for $\mathbf x \in \bar k^3$, where $f_1, f_2, f_3$ are quadratic polynomials. Then $\lambda_\alpha(\mathbf x) = (f'_1(\mathbf x), f_2(\mathbf x), f_3(\mathbf x))$ for $\mathbf x \in \bar k^3$, where $f'_1 = f_1 + \alpha(f_2 - f_3)$. Both $W_\lambda$ and $W_{\lambda_\alpha}$ are the zero set of $f_2 - f_3$, so $W_\lambda = W_{\lambda_\alpha}$, and on this set $f'_1 = f_1$, so $\lambda = \lambda_\alpha$ there. ✷

Suppose we allow the blinding parameters to take values in $\bar k$, so that $\delta \in \operatorname{Gl}_{3n}(\bar k)$, $A_i, B_i \in \operatorname{Gl}_3(\bar k)$, and $p_i$, $q_i$ are quadratic polynomials with coefficients in $\bar k$ for $i = 1, \dots, n$. Let $\langle \rho \rangle$ denote the set of parameters $(\delta, A_i, B_i, p_i, q_i : i = 1, \dots, n)$ that define the blinding map $\rho : W \to \bar k^{2n}$.

Theorem 3.
Let $\rho : W \to \bar k^{2n}$ be a basic blinding map determined by the parameters $\delta \in \operatorname{Gl}_{3n}(K)$ and $\lambda_i = B_i \circ \lambda_{p_i, q_i} \circ A_i$, with $A_i, B_i \in \operatorname{Gl}_3(K)$, $p_i$ a quadratic polynomial in one variable and $q_i$ a quadratic polynomial in two variables, for $i = 1, \dots, n$. Let $\lambda'_i = D_{\alpha_i} \circ \lambda_i$ with $\alpha_i \in \bar k$ for $i = 1, \dots, n$. Let $\rho' = (\rho'_i)_{i=1}^n$ where $\rho'_i = \operatorname{pr} \circ \lambda'_i \circ \delta_i$ for $i = 1, \dots, n$. Then $\rho' = \rho : W \to \bar k^{2n}$; hence there is an injective map $\bar k^n \to \langle \rho \rangle$.

Proof

The theorem follows immediately from Lemma 1. ✷

We say that a rational function $f : \prod_{i=1}^n V_i \to \bar k$ defined over $K$ is $c$-local if there are $1 \le i_1, \dots, i_c \le n$ such that for $\mathbf x = (x_i)$ with $x_i \in V_i$, $f(\mathbf x)$ depends only on $x_{i_1}, \dots, x_{i_c}$. We call $(i_1, \dots, i_c)$ the locality of $f$. We say that a rational function $f$ is of degree $d$ if $f$ can be expressed as $G/H$ where $G$ and $H$ are polynomials and $d$ is the maximum of $\deg G$ and $\deg H$. In this paper we only consider $c$-local functions of bounded but positive degree. By abuse of notation we also write $f(\mathbf x) = f(x_{i_1}, \dots, x_{i_c})$.

Suppose $f$ is $c$-local as above. We call the function $g = f \circ \rho$ semi-local, noting that $g(\mathbf x) = f(\rho_{i_1}(\mathbf x), \dots, \rho_{i_c}(\mathbf x))$. Denote by $[f]$ the set of pairs $(h_1, h_2)$ of $2c$-variate polynomials such that the degrees of $h_1$ and $h_2$ are bounded by $d_j$ at $x_{i_j}$ for $j = 1, \dots, c$, and $f$, as a rational function in $2c$ variables, can be defined by $h_1/h_2$. Denote by $[\rho]$ the set of $(H_{ij})_{i = 1, \dots, n;\, j = 1, 2}$ such that the basic blinding map $\rho$ can be defined by the quadratic polynomials $H_{ij}(\mathbf x)$, $i = 1, \dots, n$ and $j = 1, 2$, so that $\rho = (\rho_i)_{i=1}^n$ with $\rho_i = (H_{i1}, H_{i2})$. Then for $\mathbf x \in W$,
$$g(\mathbf x) = \frac{h_1\bigl(H_{i_1,1}(\mathbf x), H_{i_1,2}(\mathbf x), \dots, H_{i_c,1}(\mathbf x), H_{i_c,2}(\mathbf x)\bigr)}{h_2\bigl(H_{i_1,1}(\mathbf x), H_{i_1,2}(\mathbf x), \dots, H_{i_c,1}(\mathbf x), H_{i_c,2}(\mathbf x)\bigr)}.$$
We say that $h_1, h_2, H_{11}, H_{12}, \dots, H_{n1}, H_{n2}$ constitute a semi-local decomposition of $g$. We denote such a decomposition by $[f] \circ [\rho]$, where $[f]$ is the local part and $[\rho]$ the blinding part.

Let $A_i \in \operatorname{Gl}_2(\bar k)$ for $i = 1, \dots, n$, and let $A$ be the block-diagonal matrix with $A_1, \dots, A_n$ as its diagonal blocks. Let $g$ be a semi-local function as above. If $g = f \circ \rho$ then $g = (f \circ A^{-1}) \circ (A \circ \rho)$. Note that $f \circ A^{-1}$ has the same locality $c$ as $f$, at $i_1, \dots, i_c$. We say that $[f \circ A^{-1}] \circ [A \circ \rho]$ is obtained from $[f] \circ [\rho]$ by the action of the matrix $A$.

We also consider rational functions $f : \prod_{i=1}^n V_i \times \prod_{i=1}^n V_i \to \bar k$ defined over $K$ that are local in the sense that for $\mathbf x = (x_j)_{j=1}^n$ with $x_j \in V_j$ and $\mathbf y = (y_j)_{j=1}^n$ with $y_j \in V_j$, $f(\mathbf x, \mathbf y)$ depends only on $(x_i, y_i)$ for some $i$. By abuse of notation we write $f(\mathbf x, \mathbf y) = f(x_i, y_i)$. The function $g = f \circ (\rho, \rho) : W \times W \to \bar k$ is semi-local in the sense that for $\mathbf x, \mathbf y \in W$, $g(\mathbf x, \mathbf y) = f(\rho_i(\mathbf x), \rho_i(\mathbf y))$. As in the discussion before, a semi-local decomposition of $g$ is denoted $[f] \circ [\rho]$, where the local part $[f]$ consists of 4-variate polynomials $h_1$ and $h_2$, and the blinding part $[\rho]$ consists of quadratic polynomials $H_{ij}$ in $3n$ variables, $i = 1, \dots, n$, $j = 1, 2$, such that for $\mathbf x, \mathbf y \in W$,
$$g(\mathbf x, \mathbf y) = \frac{h_1\bigl(H_{i1}(\mathbf x), H_{i2}(\mathbf x), H_{i1}(\mathbf y), H_{i2}(\mathbf y)\bigr)}{h_2\bigl(H_{i1}(\mathbf x), H_{i2}(\mathbf x), H_{i1}(\mathbf y), H_{i2}(\mathbf y)\bigr)}.$$
Let $A_j \in \operatorname{Gl}_2(\bar k)$ for $j = 1, \dots, n$, and let $A$ be the block-diagonal matrix with $A_1, \dots, A_n$ as its diagonal blocks. Then we similarly obtain the semi-local decomposition $[f \circ A^{-1}] \circ [A \circ \rho]$ from $[f] \circ [\rho]$ by the action of $A$.

Similar considerations apply if $f$ maps $V_{i_1} \times V_{i_2} \times V_{i_3} \to \bar k$, or more generally if $f : V_i^c \to \bar k$ where $c$ is a constant.

Theorem 4.
Suppose we have a set of semi-local functions $g_i$, $i = 1, \dots, m$, such that $g_i$ has semi-local decomposition $[f_i] \circ [\rho]$ for all $i$, where $f_i$ is a local function and $\rho$ is a basic blinding map. Then the following hold.
1. There is an injective map $\bar k^{2n^2} \to [\rho]$. More explicitly, if $(F_{ij})_{i = 1, \dots, n;\, j = 1, 2}$ define $\rho$, then so do $(F'_{ij})_{i = 1, \dots, n;\, j = 1, 2}$ whenever $F'_{ij} - F_{ij} \in I$.
2. There is an injective map $\bar k^n \to \langle \rho \rangle$.
3. There is an injective map $\bar k \to [f_i]$ if $f_i$ is $c$-local depending on $V_{i_1} \times \dots \times V_{i_c}$ and for some $j$ the degree of $f_i$ at $x_{i_j}$ is greater than or equal to the minimum degree of the polynomials in the ideal defining $V_{i_j}$.
4. Let $A_j \in \operatorname{Gl}_2(\bar k)$ for $j = 1, \dots, n$, and let $A$ be the block-diagonal matrix with $A_1, \dots, A_n$ as its diagonal blocks. Then $g_i$ has semi-local decomposition $[f_i \circ A^{-1}] \circ [A \circ \rho]$ for $i = 1, \dots, m$.

Proof

The first assertion follows from Theorem 2. The second assertion follows from Theorem 3. For the third assertion, observe that if $(h_1, h_2) \in [f_i]$ then $(h'_1, h'_2) \in [f_i]$ whenever $h'_1 - h_1$ and $h'_2 - h_2$ lie in the ideal defining $V_{i_j}$. The last assertion follows from the discussion above. ✷

Let $S = \{g_i : i = 1, \dots, m\}$ be as in the theorem. Let $V_S$ be the union of $[f_1] \times \dots \times [f_m] \times [\rho]$, where the union is over all $f_1, \dots, f_m, \rho$ such that $g_i$ has semi-local decomposition $[f_i] \circ [\rho]$, $i = 1, \dots, m$. Similarly, let $V_{\langle S \rangle}$ be the union of $[f_1] \times \dots \times [f_m] \times \langle \rho \rangle$ over the same $f_1, \dots, f_m, \rho$.

We say that $V_S$ and $V_{\langle S \rangle}$ are triply confusing for the following reasons: (1) the first two assertions of the theorem state that $V_S$ (resp. $V_{\langle S \rangle}$) is confusing in the blinding part $[\rho]$ (resp. $\langle \rho \rangle$); (2) the third assertion states that $V_S$ (resp. $V_{\langle S \rangle}$) is confusing in the local part; and (3) the fourth assertion states that there is a $\operatorname{Gl}_2$-action on the decompositions $[f_i] \circ [\rho]$.

To understand the utility of the triply confusing property, consider the simple case where $S$ consists of a single semi-local function $g$ with semi-local decomposition $[f] \circ [\rho]$, $g = f \circ (F_1, F_2)$ on $W$, where $f$ is a bivariate quadratic polynomial and $F_1, F_2$ are quadratic in $3n$ variables. If we ignore the other parts of the basic blinding map $\rho$ and focus on $F_1$ and $F_2$, then $V_S$ simplifies to an algebraic set defined in terms of the $N = O(n^2)$ unknown coefficients of $f$, $F_1$ and $F_2$, and $V_S$ is uniformly of positive dimension $\Omega(n)$. Consider the problem of sampling points on $V_S$, assuming $V_S$ is known. Sampling points on $V_S$ can be done by an exponential time reduction to sampling points on a hypersurface (of exponential degree) (see [12]).
Should an efficient sampling of points on $V_S$ exist, it would likely involve an efficient reduction to sampling points on some efficient-to-sample zero-dimensional set. Is this possible? The following heuristic analysis suggests this is unlikely.
Note that $g = f \circ (F_1, F_2)$ holds not as an identity of global functions, but as functions on the blinding space $W$. In this case we may write $g \equiv f \circ (F_1, F_2) \bmod I$ where $I$ is the ideal of ambivalence. If we consider the equality as being global for the moment, and assume $g$ is known, then the unknown coefficients of $f$ and $F_1, F_2$ satisfy $n^{O(1)}$ very sparse conditions, resulting in a sparse polynomial system of bounded degree. However this is not the case in our situation. In our case the $\bmod I$ condition leads to a much denser formulation of $V_S$ where each polynomial equation contains $\Omega(n)$ non-trivial terms. To reduce dimension in the current situation one can try to pick a unique member from the class $[F_1]$ heuristically by imposing linear conditions on the coefficients of $F_1$, and similarly for $F_2$ and $f$. Imposing such conditions reduces the dimension (while making the polynomial system even more dense). However, after imposing such conditions the polynomial system remains of positive dimension due to the $\mathrm{Gl}_2$-action; that is, if $g$ has decomposition $[f] \circ [(F_1, F_2)]$ then $g$ also has decomposition $[f \circ A] \circ [A^{-1}(F_1, F_2)]$ for $A \in \mathrm{Gl}_2(\bar k)$. Therefore it seems unlikely that sampling points on $V_S$ can be efficiently reduced to a zero-dimensional case given the triply confusing property.
We shall see later on, when we specify functions and maps on $\hat V$, that the relationship between the published entities and the hidden entities is described by certain algebraic sets.
When a set S os semi-local functions is involved in such a specifi-cation, we shall see that V S and V h S i are locally embedded in the algebraic sets,making them triply confusing as well.It is desirable for V S to be not only triply confusing, but uniformly confusing inthe sense that there is not a special member in the Gl -orbit of a local function f i .Consider for example V i is the image of some secret elliptic curve E of the form y = x + ax + b , under random choices of A ∈ Gl ( K ), and g i is determined bythe doubling morphism. Then f i is typically a dense bivariate rational function.However there is some A ∈ Gl ( K ) such that f i ◦ A is the doubling morphismon E , which takes a much simpler form.To make V S uniformly and triply confusing in the above situation, we apply thefollowing treatment. Let be the map on ¯ k ∗ such that ( x, y ) = ( x − , y − ).For an algebraic set V , we let V = ( V ), V A = A ( V ) for A ∈ Gl ( K ), hence V A = A ( V ). For an algebraic set V that is the base algebraic set to be blinded,we consider the set { V A : A = (cid:18) a bc d (cid:19) ∈ Gl ( K ), neither a = d = 0 nor bc = 0 } .We choose V i uniformly and randomly from the set.Suppose f : V → ¯ k , a local function. If f is known to be of a special form then f = f ◦ is also of a special form. For A ∈ Gl ( K ), the corresponding functionof f on V A is f A = f ◦ A − ◦ . Now suppose f = g/h where g and h arebivariate polynomials, then for random A with all nonzero entries, f A is of theform ( xy ) deg h − deg g g ′ /h ′ where g ′ (resp. h ′ ) is a dense polynomials of the samedegree as g (resp. h ). Below we argue that the orbits of f A under Gl ( K ) arelikely all disjoint with different choices of A , and in particular it is unlikely for f to be in the orbit of f A . Otherwise f A ◦ B = f C for some B, C ∈ Gl ( K ),hence f ◦ A − ◦ ◦ B = f ◦ C − ◦ , which is unlikely unless A − ◦ ◦ B = C − ◦ ,hence B = AC − , but this would contradict the following lemma. Lemma 2.
For A = (cid:18) a bc d (cid:19) ∈ Gl ( K ) , ◦ A ◦ ∈ Gl ( K ) only if b = c = 0 or a = d = 0 . Proof
Let A = (cid:18) a bc d (cid:19) and B = (cid:18) r st u (cid:19) . Then ◦ A ◦ = B implies for all x, y ∈ ¯ k ∗ , ( ax + by ) − = rx − + sy − and ( cx + dy ) − = tx − + uy − . It followsby simple algebra that as = br = 0. Likewise cu = dt = 0, and the assertionfollows. ✷ g with semi-local decomposition f ◦ ρ where f = f A = f ◦ A − ◦ . We have argued that V g is not only triply confusingbut most likely uniformly confusing as well. In this kind of situation where is involved and some information is known to the public about f we may alsoconsider a more refined semi-local decomposition of g of the form f ′ ◦ ◦ ρ where f ′ = f ◦ A − . In this case the triply confusing property stated in Theorem 4 stillholds except the Gl -action needs to be modified as the action by a subgroup.More explicitly we have the following.1. There is an injective map ¯ k n → [ ρ ].2. There is an injective map ¯ k n → h ρ i .3. There is an injective map ¯ k → [ f ′ ] if f ′ is c -local depending on V i × . . . V i c and for some j the degree of f ′ at x i j is greater to equal to the minimumdegree of polynomials in the ideal defining V i j .4. Let A j ∈ Gl (¯ k ) be either of the form (cid:18) a b (cid:19) or of the form (cid:18) ab (cid:19) , for j = 1 , . . . , n . Let A be the block-diagonal matrix with A , ..., A n as thediagonal blocks. Then g has semi-local decomposition [ f ′ ◦ A ′ ] ◦ [ A ◦ ρ ] for i = 1 , . . . , m . Here for D = (cid:18) a b (cid:19) , D ′ = (cid:18) a − b − (cid:19) ; for D = (cid:18) ab (cid:19) , D ′ = (cid:18) a − b − (cid:19) The last property follows from the identity that A ′ ◦ = ◦ A if A is either ofthe form (cid:18) a b (cid:19) or of the form (cid:18) ab (cid:19) . For i >
0, let I i be the submodule of I generated by elements of the form t ( F i − F i ) where t is a monomial of degree at most i −
2. If a map W → ¯ k cande defined a polynomial h of degree d , then it is also defined by any polynomialin h + I d . For a random choice of basic blinding map ρ , the associated F ij aredense quadratic polynomials in x , so are F i − F i . Therefore a random elementof h + I d is likely a dense polynomial of degree d in x . We write f ∈ R h + I d todenote a uniform random selection from h + I d .To specify a function f that is the sum of hidden semi-local functions, say f = P mi =1 ϕ i where ϕ i is a hidden semi-local function, we take the following stepsto specify f as a sum of m random-looking functions that are not semi-local.Again we focus on the case ϕ i = f i ◦ ρ where f i is c -local in that it depends on V i × . . . × V i c for some i , . . . , i c . The case that ϕ i = f i ◦ ( ρ, ρ ) or ϕ i = f i ◦ ( ρ, ρ, ρ )where f i is local depending on V i × V i or V i × V i × V i is similar.15. Construct 2 m random linear forms ℓ i,j ( x ), i = 1 , . . . , m , j = 1 ,
2. Put ℓ m +1 ,j = ℓ , j for j = 1 , ϕ i ( x ) = g i ( x ) h i ( x ) on W with g i , h i ∈ K [ x ]. Then g i h i + ℓ i, ℓ i, − ℓ i +1 , ℓ i +1 , = g ′ i h ′ i where h ′ i = h i ℓ i, ℓ i +1 , and g ′ i = g i ℓ i, ℓ i +1 , + ℓ i, h i ℓ i +1 , − ℓ i +1 , h i ℓ i, .3. Choose random g ′′ i ∈ R g ′ i + I d i, +2 where d i, = deg g ′ i and h ′′ i ∈ R h ′ i + I d i, +2 where d i, = deg h ′ i for i = 1 , . . . , m .4. Publish { g ′′ i , h ′′ i : i = 1 , . . . , m } , and specify ϕ as P mi =1 g ′′ i h ′′ i on W . (Note that P mi =1 ℓ i,i ℓ i, − ℓ i +1 ,i ℓ i +1 , = 0.)Write f = W g if for rational functions f and g on ¯ k n , f ( x ) = g ( x ) for all x ∈ W .For simplicity assume f i has locality 2 and depends on V i × V i . Let F i =( F i , , F i , , F i , , F i , ). Suppose f i = h i h i where h i and h i are polynomials in4 variables.For i = 1 , . . . , m , f i ◦ ( ρ i , ρ i ) + ℓ i, ℓ i, − ℓ i +1 , ℓ i +1 , (1)= h i ◦ F i h i ◦ F i + ℓ i, ℓ i, − ℓ i +1 , ℓ i +1 , = W g ′′ i h ′′ i . (2)Let U, V be two algebraic sets. We say that U is locally embedded around apoint α of V if there is an injective morphism ι : U → V such that α ∈ ι ( U ).The equation (1) characterizes the algebraic condition determined by g ′′ i and h ′′ i in relation to the unknown h i , h i , F i , and ℓ i,j and ℓ i +1 ,j , j = 1 ,
2. Note thatif we treat the coefficients of g ′′ i and h ′′ i also as unknown for the moment, thenthe algebraic condition can be expressed generically by polynomial equations in x , . . . , x n and all the unknown coefficients involved, followed by specializationat the coefficients of g ′′ i and h ′′ i . The equation (1) describes an algebraic set V where each point α contains the O ( n ) coefficients of some f i , F i , ℓ i,j and ℓ i +1 ,j , j = 1 ,
2, that satisfy the equation. The subset of coordinates of α describing f i and F i corresponds to a point in V g where g = f i ◦ ( ρ i , ρ i ), a semi-local function.The set V g can be embedded around α . So V has dimension Ω ( n ) where aroundevery point a triply confusing algebraic set of dimension Ω ( n ), which is likelyuniformly confusing as well, can be embedded.The information contained in the specification is described by m algebraic con-ditions of the form (1) giving relations of the specifying polynomials g ′′ i , h ′′ i , i = 1 , . . . , m , to the hidden polynomials including h i , h i , F ij , and ℓ ij .Let V f be the algebraic set determined by these m conditions. Let V h f i be the16lgebraic set determined also by these conditions, however with F ij expressed interms of the blinding parameters.Let U, V be two algebraic sets. We say that U is locally embedded around point α of V if there is an injective morphism ι : U → V such that α ∈ ι ( U ).A point α of V f (resp. V h f i ) determines some h i , h i , F ij , and ℓ ij that satisfythe m algebraic conditions of the form (1). The local functions f i = h i h i has thesame locality and local degree as the local function involved in ϕ i , i = 1 , . . . , m .The F ij determine a basic blinding maps ρ = ( ρ i ) ni =1 where ρ i = ( F i , F i ).Let ϕ ′ i be the semi-local function with semi-local decomposition [ f i ] ◦ [ ρ ] for i = 1 , . . . , m . Suppose ϕ ′ i also has semi-local decomposition [ f ′ i ] ◦ [ ρ ′ ]. Then every( h ′ i , h ′ i ) ∈ [ f ′ i ], i = 1 , . . . , m , and ( F ′ ij ) ∈ [ ρ ′ ] also satisfy the equations with ℓ i,j and ℓ i +1 ,j . Let S ′ = { ϕ ′ i : i = 1 , . . . , m } . We have injective maps V S ′ = ∪ [ f ] × . . . × [ f m ] × [ ρ ] → ∪ [ f ] × . . . × [ f m ] × [ ρ ] × { ( ℓ ij ) } ⊂ V f V h S ′ i = ∪ [ f ] × . . . × [ f m ] × h ρ i → ∪ [ f ] × . . . × [ f m ] × h ρ i × { ( ℓ ij ) } ⊂ V h f i . It follows that V S ′ (resp. 
V h S ′ i ) is embed around α .We have proven the following: Theorem 5.
Let f : W → ¯ k be a function which is the sum of m semi-localfunctions of bounded degree. Suppose f is specified by a set of m polynomials g ′′ i , h ′′ i , i = 1 , . . . , m by following the procedure described above. The informationcontained in the specification can be described by a set of m algebraic conditionsof the form (1) giving relations of the published polynomials g ′′ i , h ′′ i , i = 1 , . . . , m ,to the hidden polynomials including h i , h i , F ij , and ℓ ij . Let V f be the algebraicset determined by these m conditions. Let V h f i be the algebraic set determinedalso by these conditions, however with F ij expressed in terms of the blindingparameters. Every point of V f (resp. V h f i ) determines, through a subset of itscoordinates, a set of semi-local functions of the same type as the m semi-localfunctions that sum to f . Suppose α is a point in V f (resp. V h f i ) and S ′ is theset of semi-local functions determined by α . Then V S ′ (resp. V h S ′ i ) is locallyembedded around α . Similarly, to specify a function f that is the product of semi-local functions, say f = Q mi =1 ϕ i where ϕ i is semi-local, we take the following steps to specify f as aproduct of m random-looking functions that are not semi-local. Again we focuson the case ϕ i = f i ◦ ρ where f i is c -local in that it non-trivially depends on V i × . . . × V i c for some i , . . . , i c . The case that ϕ i = f i ◦ ( ρ, ρ ) or ϕ i = f i ◦ ( ρ, ρ, ρ )where f i is local depending on V i × V i or V i × V i × V i is similar.17. Construct m random linear forms ℓ i ( x ), i = 1 , . . . , m , j = 1 ,
2. Put ℓ m +1 = ℓ .2. Suppose ϕ i ( x ) = g i ( x ) h i ( x ) on W with g i , h i ∈ K [ x ]. Then g i h i ℓ i ℓ i +1 = g ′ i h ′ i where h ′ i = h i ℓ i +1 and g ′ i = g i ℓ i .3. Choose random g ′′ i ∈ R g ′ i + I d i, +1 where d i, = deg g ′ i and h ′′ i ∈ R h ′ i + I d i, +1 where d i, = deg h ′ i for i = 1 , . . . , m .4. Publish { g ′′ i , h ′′ i : i = 1 , . . . , m } , and specify ϕ as Q mi =1 g ′′ i h ′′ i on W . (Note that Q mi =1 ℓ i ℓ i +1 = 1.)Suppose f i = h i h i where h i and h i are polynomials in 4 variables. Similar tothe case in § f is capturedin m algebraic conditions, i = 1 , . . . , m :( h i ◦ F i h i ◦ F i ) ℓ i ℓ i +1 = W g ′′ i h ′′ i . (3)As before, if we treat the coefficients of g ′′ i and h ′′ i also as unknown for themoment, then the algebraic condition can be expressed generically by polynomialequations in x , . . . , x n and all the unknown coefficients involved, followed byspecialization at the coefficients of g ′′ i and h ′′ i .The following theorem can be proven in a way that is similar to the proof forTheorem 5. Theorem 6.
Let f : W → ¯ k be a function which is the product of m semi-localfunctions of bounded degree. Suppose f is specified by a set of m polynomials g ′′ i , h ′′ i , i = 1 , . . . , m by following the procedure described above. The informationcontained in the specification can be described by a set of m algebraic conditionsof the form (3) giving relations of the specifying polynomials g ′′ i , h ′′ i , i = 1 , . . . , m ,to the hidden polynomials including h i , h i , F ij , and ℓ i . Let V f be the algebraicset determined by these m conditions. Let V h f i be the algebraic set determinedalso by these conditions, however with F ij expressed in terms of the blindingparameters. Every point of V f (resp. V h f i ) determines, through a subset of itscoordinates, a set of semi-local functions of the same type as the m semi-localfunctions that multiply to f . Suppose α is a point in V f (resp. V h f i ) and S ′ isthe set of semi-local functions determined by α . Then V S ′ (resp. V h S ′ i ) is locallyembedded around α . We consider two kinds of rational maps of bounded locality that will be involvedin the trilinear map construction.First suppose ϕ = ( ϕ i ) ni =1 : Q ni =1 V i → Q ni =1 V i is a rational map of localitybounded by c in the sense that for all i , ϕ i : Q nj =1 V j → V i ⊂ ¯ k consists of18wo c i -local functions with c i ≤ c . For simplicity of discussion we assume ϕ haslocality 2. Applying the basic blinding map ρ to ϕ we get ˆ ϕ : W → W such that ρ ˆ ϕ = ϕ ◦ ρ .Second suppose ϕ = ( ϕ i ) ni =1 : Q ni =1 V i × Q ni =1 V i → Q ni =1 V i is a rational mapsuch that for all i , ϕ i : Q ni = j V j × Q nj =1 V j → V i is local in that it depends onlyon V i × V i . Applying the basic blinding map ρ to ϕ we get ˆ ϕ : W × W → W such that ρ ˆ ϕ = ϕ ◦ ( ρ, ρ ).Let ˆ ϕ = ( ˆ ϕ i ) ni =1 . In the proofs of the results in this section we will focus on thefirst case where ϕ = ( ϕ i ) ni =1 : Q ni =1 V i → Q ni =1 V i . 
The argument for the secondcase is very similar and is omitted.We adopt the following notation. Suppose f i , i = 1 , , m , are polynomials in 3variables, and g i , i = 1 , ,
3, are polynomials. Let f = ( f , . . . , , f m ) and g =( g , g , g ). Then f ◦ g := ( f , . . . , f m ) ◦ ( g , g , g ) := ( f ( g , g , g ) , . . . , f m ( g , g , g )) . As before we have δ i = ( L i , L i , L i ) λ i = ( f i , f i , f i ) F ij = f ij ◦ δ i ρ i = pr ◦ λ i δ i = ( F i , F i )Suppose ϕ i determined by V i × V i . Let g ij , g ′ ij be polynomials in 4 variablessuch that ϕ i ( x ) = g ij ( x i ,x i ) g ′ ij ( x i ,x i ) where x = ( x j ) nj =1 ∈ Q nj =1 V j with x j ∈ V j ⊂ ¯ k .Let F i = ( F i , , F i , , F i , , F i , ). Then ϕ i ◦ ρ = ( g i g ′ i , g i g ′ i ) ◦ F i . Let µ i = λ − i = ( h i , h i , h i ). Let ˜ µ i ( x, y ) = µ i ( x, y, y ). Let u i = ( u i , u i , u i ) = ˜ µ i ◦ ϕ i = ( h i , h i , h i ) ◦ ( g i g ′ i , g i g ′ i , g i g ′ i ) . Then ˜ µ i ◦ ϕ i ◦ ρ = u i ◦ F i is semi-local. Let ( v i ) ni =1 be such that u ij ◦ F i = v i − j .Then ˆ ϕ i = δ − ( v i ) ni =1 . We have proved the following Lemma 3.
For $i = 1, \dots, n$, $\hat\varphi_i$ is the sum of $n$ semi-local functions.
19e apply the procedure described in § ϕ i as the sum of 3 n random looking functions from W to ¯ k . Suppose ˆ ϕ i is specified as P nj =1 G ij G ′ ij forsome polynomials G ij and G ′ ij . Therefore ˆ ϕ is specified by these O ( n ) polyno-mials G ij and G ′ ij .Again, write f = W g if for rational functions f and g on ¯ k n , f ( x ) = g ( x ) forall x ∈ W . Now consider information revealed by the specification of ˆ ϕ aboutthe hidden map ϕ and the blinding parameters δ , λ i , i = 1 , . . . , n .Suppose δ − = ( w ij ) ≤ i,j ≤ n . We have ˆ ϕ i = P nj =1 w ij v j where v j = u rs ◦ F r with 1 ≤ r ≤ n and 1 ≤ s ≤ j = 3( r −
1) + s .We have w ij v j + ℓ i,j ℓ ′ i,j − ℓ i,j +1 ℓ ′ i,j +1 = W G ij G ′ ij , and ℓ ij , ℓ ′ ij are linear forms for i, j =1 , . . . , n with ℓ i, n +1 = ℓ i, and ℓ ′ i, n +1 = ℓ ′ i, .Put w ij u r j ,s j = gg ′ where g, g ′ are polynomials in 4 variables. Then as Theorem 5is applied in this situation we get g ◦ F r j g ′ ◦ F r j + ℓ ij ℓ ′ ij − ℓ i,j +1 ℓ ′ i,j +1 = W G ij G ′ ij (4)Equation (4) characterizes the condition in specifying G ij and G ′ ij , where ℓ ij areunknown linear forms in 3 n variables, F ij are unknown quadratic polynomials in3 n variables, g and g ′ are unknown polynomials in 4 variables of degree 2 deg ϕ i = O (1), where w ij u r j ,s j = gg ′ .The other kind of information provided once ˆ ϕ is specified is the informationthat may be obtained by evaluation of ˆ ϕ on W . Suppose α ∈ W and ˆ ϕ ( α ) = β .Then for i = 1 , . . . , n , we have ϕ i ◦ ρ ( α ) = ρ ( β ), hence we get the condition g i ( F i ( α )) g ′ i ( F i ( α )) = F i ( β ) (5) g i ( F i ( α )) g ′ i ( F i ( α )) = F i ( β ) (6)The following two theorems can be proved in a way that is similar to the proofor Theorem 5. Theorem 7.
Suppose ˆ ϕ is specified using the procedure described in § O ( n ) polynomials of bounded degree in O ( n ) variables. The information con-tained in the specification can be described by n O (1) conditions, in the forms ofEqns (4) and (5,6), in n O (1) unknowns representing the coefficients of the hiddenpolynomials, including F ij , which determine a basic blinding map, and g ij , g ′ ij ,which determine the local functions, with i = 1 , . . . , n , j = 1 , . Let V ϕ be the lgebraic set determined by these conditions. Let V h ϕ i be the algebraic set deter-mined by these conditions, however with F ij expressed in terms of the blindingparameters. Let α be a point of V ϕ (resp. V h ϕ i ). Then α determines, through asubset of its coordinates, a set S of n semi-local functions of the same type asthose involved in specifying ˆ ϕ , and V S (resp. V h S i ) is locally embedded around α . Theorem 8.
Suppose a random basic blinding map ρ is chosen and a set F offunctions each of which is either the sum or product of O ( n ) semi-local functionsof bounded degree is specified. Then the information contained in the specificationcan be described by n O (1) conditions, in the forms of Eqns (1,3),(4) and (5,6), in n O (1) unknowns representing the coefficients of the hidden polynomials, including F ij , with i = 1 , . . . , n and j = 1 , , which determine a basic blinding map, andpolynomials which determine the hidden local functions. Let V F be the algebraicset determined by these conditions. Let V hFi be the algebraic set determined bythese conditions, however with F ij expressed in terms of the blinding parameters.Let α be a point of V F (resp. V hFi ). Then α determines, through a subset of itscoordinates, a set S of semi-local functions of the same type as those involved in F , and V S (resp. V h S i ) is locally embedded around α . Theorem 8 together with Theorem 4 underscores the difficulty of solving for aclosed point of V F or V hFi for the purpose of un-blinding. Fix and publish a randomly chosen basis of
K/k , θ = θ , . . . , θ d . As before, let τ denote the Frobenius map x → x q for x ∈ ¯ k (where k = F q ), let τ a = τ a , and τ a,b denote the Frobenous twist ¯ k → ¯ k : ( x, y ) → ( τ a ( x ) , τ b ( y )) = ( x q a , y q b ).When the context is clear we also denote τ a,a as τ a .We consider a blinding map ρ ′ = ( ρ ′ i ) ni =1 of the form ρ ′ i = ( τ a i ,b i ◦ ρ i ) ni =1 where ρ = ( ρ i ) ni =1 is a basic blinding map. Suppose ρ i = ( F i , F i ) where F ij arequadratic polynomials in 3 n variables.For diagonal matrix A = (cid:18) α β (cid:19) , let A τ a,b = (cid:18) α τ a β τ b (cid:19) . It is easy to verify that τ a,b ◦ A = A τ a,b ◦ τ a,b as maps on ¯ k . Now suppose g has semi-local decomposition[ f ] ◦ [ ρ ′ ] where f is a local function. In this case we may write the decompositionas [ f ] ◦ [ τ a , b ] ◦ [ ρ ], where τ a , b = ( τ a ,b , . . . , τ a n ,b n ). Let A be a diagonal matrixwith A , ... A n as the diagonal blocks where A i ∈ Gl (¯ k ) is diagonal. Let A τ a , b denote the diagonal matrix with A τ a ,b , ... A τ an,bn n as the diagonal blocks. Then g has semi-local decomposition [ f ◦ A τ a , b ] ◦ [ τ a , b ] ◦ [ A − ρ ]. From this it is nothard to see the that we have the following generalization of Theorem 4. Theorem 9.
Suppose we have a set of semi-local functions g i , i = 1 , . . . , m ,such that g i has semi-local decomposition [ f i ] ◦ [ ρ ′ ] for all i , where f i is a lo-cal function and ρ ′ = τ a , b ◦ ρ where ρ is a basic blinding map and τ a , b =( τ a ,b , . . . , τ a n ,b n ) . Then the following hold. . There is an injective map ¯ k n → [ ρ ] , and an injective map ¯ k n → h ρ i .2. There is an injective map ¯ k → [ f i ] if f i is c -local depending on V i × . . . V i c and for some j the degree of f i at x i j is greater to equal to the minimumdegree of polynomials in the ideal defining V i j .3. Let A j ∈ Gl (¯ k ) be a diagonal matrix for j = 1 , . . . , n . Let A be the block-diagonal matrix with A , ..., A n as the diagonal blocks. Then g i has semi-local decomposition [ f i ◦ A τ a , b ] ◦ [ τ a , b ] ◦ [ A − ρ ] for i = 1 , . . . , m . Let S = { g i : i = 1 , . . . , m } be as in the theorem. Let V S be the union of[ f ] × . . . × [ f m ] × [ ρ ], where the union is over all f , . . . , f m , ρ such that g i hassemi-local decomposition [ f i ] ◦ [ τ a , b ] ◦ [ ρ ], i = 1 , . . . , m . Similarly let V h S i be theunion of [ f ] × . . . × [ f m ] × h ρ i , where the union is over all f , . . . , f m , ρ such that g i has semi-local decomposition [ f i ] ◦ [ τ a , b ] ◦ h ρ i , i = 1 , . . . , m . Then V S and V h S i admit local embedding of affine space of dimension Ω ( n ) (respectively Ω ( n ))around every point by the first two assertions of Theorem 9, and both are actedon by the subgroup of diagonal matrices of Gl n (¯ k ) in a twisted fashion. 
The twoproperties combined, and the fact that their dimensions are huge (respectively Ω ( n ) and Ω ( n )), seem to make it difficult to solve for a closed point even ifpolynomial systems describing V S and V h S i are known.Suppose f is a polynomial of degree d then τ a ◦ f ( x ) = ( f ( x )) q a has degree dq a .Therefore polynomials of degree exponential in q result as we apply Frobeniustwists to blind a semi-local function. This makes it more complicated to describe V S and V h S i .In order to specify blinded maps using low degree polynomials we consider the descent trick which is involved in Weil restriction (descent).Suppose F ∈ ¯ k [ x , . . . , x n ]. Let ˜ x i = P dj =1 x ij θ j , for i = 1 , . . . , n , where x ij are variables. Let x = x , . . . , x n and ˆ x = x , . . . , x n,d . Let ˜ F (ˆ x ) = F (˜ x , . . . , ˜ x n ). We call ˜ F the descent of F with respect to θ , or simply thedescent of F when θ is fixed.Let J be the ideal generated by x qij − x ij for all i, j . Let ˜ F mod J denote thepolynomial G (ˆ x ) with degree less than q in all x ij such that ˜ F (ˆ x ) ≡ G (ˆ x )mod J . For α , . . . , α n ∈ K , let ˆ α i ∈ k d such that α i = h ˆ α i , θ i for all i . Suppose G = ˜ F mod J . Then G (ˆ α , . . . , ˆ α n ) = ˜ F (ˆ α , . . . , ˆ α n ) = F ( α , . . . , α n ).Note that g x q a i ≡ P dj =1 x ij θ τ a j mod J . So for F ∈ ¯ k [ x , . . . , x n ], ^ F ( x q a , . . . , x q a n n ) ≡ F ( . . . , d X j =1 x ij θ τ ai j , . . . ) mod J. Therefore ^ F ( x q a , . . . , x q a n n ) mod J has degree bounded in deg F .22o specify a semi-local function g = f ◦ τ a , b ◦ ρ which is applied to K -points,it suffices to specify ˜ g mod J , which, from the discussion above, is of degreebounded in the degree of f ◦ ρ , which in our context is O (1).We have an injective homomorphism ¯ k [ x ] → ¯ k [ˆ x ] : f → ˜ f . Let ˜ V S (resp. ˜ V h S i )denote the image of V S (resp. V h S i ) under the map naturally induced by theinjection [ ρ ] → [˜ ρ ]. 
From this observation and Theorem 9 we have the followingtheorem. Theorem 10.
Suppose we have a set S of semi-local functions g i , i = 1 , . . . , m ,such that g i has semi-local decomposition [ f i ] ◦ [ ρ ′ ] for all i , where f i is a lo-cal function and ρ ′ = τ a , b ◦ ρ where ρ is a basic blinding map and τ a , b =( τ a ,b , . . . , τ a n ,b n ) . Then the following hold.1. Around every point of ˜ V S there is an embedding of ¯ k n relative to the blind-ing part, and an embedding of ¯ k relative to the local part if there is some f i , c -local depending on V i × . . . V i c , where for some j the degree of f i at x i j isgreater to equal to the minimum degree of polynomials in the ideal defining V i j .2. Around every point of ˜ V h S i there is an embedding of ¯ k n relative to the blindingpart, and an embedding of ¯ k relative to the local part if there is some f i , c -local depending on V i × . . . V i c , where for some j the degree of f i at x i j isgreater to equal to the minimum degree of polynomials in the ideal defining V i j .3. There is a twisted action of the subgroup of diagonal matrices of Gl n (¯ k ) on ˜ V S and ˜ V h S i . For specifying a function that is the sum of semi-local functions, the same pro-cedure in § g ′′ i and h ′′ i are now tobe expressed in descent form by applying the substitution x i = P dj =1 x ij θ j for i = 1 , . . . , n . The conditions (1) become in this setting the following: h i ◦ ( τ a i ,b i , τ a i ,b i ) ◦ ˜ F i mod Jh i ◦ ( τ a i ,b i , τ a i ,b i ) ◦ ˜ F i mod J + ˜ ℓ i, ˜ ℓ i, − ˜ ℓ i +1 , ˜ ℓ i +1 , = ˜ W ˜ g ′′ i ˜ h ′′ i . (7)A similar analysis can be carried out for products of semi-local functions, mapsof bounded locality. Proceeding in a way similar to the proof of Theorem 6,Theorem 7 and Theorem 8, we obtain analogous theorems for blinding withFrobenius twists. We state below the analogous theorem to Theorem 8. Theorem 11.
Suppose a random blinding map ρ is chosen and a set F of func-tions each of which is either the sum or product of O ( n ) semi-local functionsof bounded degree is specified as discussed in this section. Then we have thefollowing. . The information contained in the specification can be described by n O (1) con-ditions, in n O (1) unknowns representing the hidden polynomials in the de-scent form, including ˜ F ij , with i = 1 , . . . , n and j = 1 , , where F ij ’s deter-mine a basic blinding map, and the polynomials which determine the hiddenlocal functions.2. Let ˜ V F be the algebraic set determined by these conditions. Let ˜ V hFi be thealgebraic set determined by these conditions, however with ˜ F ij expressed interms of the blinding parameters. Let α be a point of ˜ V F (resp. ˜ V hFi ). Then α determines, through a subset of its coordinates, a set S of semi-local functionsof the same types and degrees as those involved in F , and ˜ V S (resp. ˜ V h S i ) islocally embedded around α . Suppose F contains a constant number of functions and each function is the sumor product of a constant number of semi-local functions. Then finding a point on˜ V F or ˜ V hFi reveals a blinding partially at the localities involved in the semi-localfunctions. Even in this case the number of unknown in describing ˜ V F is Ω ( n )and the number of unknown describing ˜ V hFi is Ω ( n ), and both algebraic sets areof dimension Ω ( n ). Applying best known methods to find a point on ˜ V F (resp.˜ V hFi ) takes time exponential in O ( n log n ) (resp. O ( n log n )) ([1,12]). ThereforeTheorem 11 serves as a strong evidence that the blinding is secure. Moreoverthe triply confusing property stated in Theorem 10 provides additional evidencethat efficient algorithms to find points on such algebraic sets seems unlikely toexist. Recall that to construct a trilinear map we start by choosing from the isogenyclass of a pairing friendly elliptic curve some
E/K defined by y = x + ax + b with a, b ∈ K . We assume that E [ ℓ ] ⊂ E ( K ), where log ℓ and log | K | are linearin the security parameter. The curve E is considered secret, as well as the set { E A : A ∈ Gl ( K ) } . Recall that for A ∈ Gl ( K ), E A denote the elliptic curvewhich is the image of E under A , and E A denote the image of E A under :( x, y ) → ( x − , y − ). Choose randomly from this family E i , i = 1 , . . . , n .As in § K is a finite extension over k = F q . Fix and publish arandomly chosen basis of K/k , and let τ denote the Frobenius map x → x q for x ∈ ¯ k . Choose a random blinding map ρ = ( ρ i ) ni =1 of the form ρ i = ( τ a i ◦ ρ ′ i ) ni =1 where ρ ′ = ( ρ ′ i ) ni =1 is a basic blinding map. Let ˆ E = ρ − Q ni =1 E i . Choose α, β ∈ E [ ℓ ] n such that e ( α, β ) = 1. Let ˆ α, ˆ β ∈ ˆ E [ ℓ ] such that ˆ α corresponds to α and ˆ β corresponds to β under ˆ E ρ → Q ni =1 E i ≃ E n .The trilinear map is specified to the public by ˆ α, ˆ β ∈ ˆ E [ ℓ ] ⊂ K n , the additionmorphism ˆ m (with the doubling map separately specified as a subcase), ˆ ϕ i , i = 1 , . . . , N where N = O ( n ); and for the computation of ˆ e two functions ˆ g and24 h are specified, both are products of semi-local functions of bounded degree, aswill be discussed in §
4. The addition map on ˆ E [ ℓ ], ˆ m , can be securely specifiedby generalization of Theorem 7 (as discussed in § ϕ i . Theorem 11 can be applied to specifyˆ g and ˆ h . Theorem 12.
The information contained in the specification of the trilinearmap described in this section can be described by n O (1) algebraic conditions in m unknown where m = n O (1) and m = Ω ( n ) . Let ˜ V T be the algebraic setdetermined by these conditions. Let ˜ V hT i be the algebraic set determined by theseconditions, however with the quadratic polynomials describing the basic blindingmap that is involved expressed in terms of the blinding parameters. Let S bethe set of hidden semi-local functions that are involved in specifying the trilinearmap. Then ˜ V S (resp. ˜ V h S i ) is triply confusing of dimension Ω ( n ) (resp. Ω ( n ) ).For every point of ˜ V (resp. ˜ V ρ ) either ˜ V S (resp. ˜ V h S i ) or some triply confusing ˜ V S (resp. ˜ V h S i ) can be embedded around the point, where S is a set of semi-localfunctions of the same type as S . Proof
Let $S$ be the set of semi-local functions involved in $\hat m$, $\hat\varphi_i$, $\hat g$ and $\hat h$. The local functions involved in these semi-local functions are all related to the addition law on $E$ and are of degree 3 in at least one variable (see § ). $V_S$ and $V_{\langle S \rangle}$ are triply confusing, and so are $\tilde V_S$ and $\tilde V_{\langle S \rangle}$. Theorem 12 follows as Theorem 8 and Theorem 11 are applied to the current context. ✷
The remark below Theorem 11 can be similarly made. In addition, the algebraic sets described in the theorem are most likely uniformly confusing by virtue of the choice of $E_i$ from the set $\{ E_A : A \in \mathrm{Gl}_2(K) \}$. Therefore Theorem 12 serves as strong evidence that the blinding is secure.
To complete the description of the trilinear map we demonstrate in this section how $\hat e$ can be explicitly defined and specified, and efficiently computed. To simplify notation and make the presentation easier we identify $E_i$ and $E$ through isomorphism and denote, for example, the addition morphism of $E_i \simeq E$ also as $m$. We also assume the same blinding map $\rho$ is used to form the pairing groups, so that $\hat e$ is a pairing on $\hat E[\ell]$.
Suppose the characteristic of $K$ is not 2 or 3, and $E$ is given by $y^2 = x^3 + ax + b$ with $a, b \in K$. The addition map of $E$ can be described as follows (see [18]). Let $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$ be two points on $E$. If $x_1 = x_2$ and $y_1 = -y_2$, then $P_1 + P_2 = 0$. Otherwise, we can find $P_3 = (x_3, y_3)$ such that $P_1$, $P_2$ and $\bar P_3 = (x_3, -y_3)$ lie on a line $y = \lambda x + \nu$, and we have $P_1 + P_2 = P_3$.
(1) If $x_1 \ne x_2$, then $\lambda = \dfrac{y_2 - y_1}{x_2 - x_1}$ and $\nu = \dfrac{y_1 x_2 - y_2 x_1}{x_2 - x_1}$.
(2) If $x_1 = x_2$ and $y_1 \ne 0$, then $\lambda = \dfrac{3x_1^2 + a}{2y_1}$ and $\nu = \dfrac{-x_1^3 + a x_1 + 2b}{2y_1}$.
In both cases $x_3 = \lambda^2 - x_1 - x_2$, $y_3 = -\lambda x_3 - \nu$.
Suppose $P_i = (x_i, y_i)$ with $P_i \in E$ for $i = 1, 2, 3$, $x_1 \ne x_2$ and $P_1 + P_2 = P_3$.
Then
$$g_{P_1,P_2} := \frac{y - (\lambda x + \nu)}{x - x_3}, \qquad (g_{P_1,P_2}) + P_3 - O = P_1 + P_2 - 2O,$$
where $\lambda = \frac{y_2 - y_1}{x_2 - x_1}$ and $\nu = \frac{y_1 x_2 - y_2 x_1}{x_2 - x_1}$. Let $g : E \times E \times E \to \bar k$ be such that for $P_1 = (x_1, y_1), P_2 = (x_2, y_2) \in E$ and $Q = (x, y) \in E$,
$$g(P_1, P_2, Q) = \frac{y - (\lambda x + \nu)}{x - x_3} = g_{P_1,P_2}(Q).$$
Let $\hat g : \hat E \times \hat E \times \hat E \to \bar k$ be such that for $\hat\alpha, \hat\beta, \hat\gamma \in \hat E$,
$$\hat g(\hat\alpha, \hat\beta, \hat\gamma) = \prod_{i=1}^n g(\rho_i(\hat\alpha), \rho_i(\hat\beta), \rho_i(\hat\gamma)).$$

For $D = P_1 - O$ where $P_1 = (x_1, y_1)$ is not 2-torsion, we have $2D = (h_D) + D'$ where $D' = P_3 - O$ with $2P_1 = P_3 = (x_3, y_3)$ given by the formula above, and $h_D(x, y) = \frac{L}{x - x_3}$ where $L = y - \lambda x - \nu$, $\lambda = \frac{3x_1^2 + a}{2y_1}$ and $\nu = \frac{-x_1^3 + a x_1 + 2b}{2y_1}$. So let $h : E \times E \to \bar k$ be such that for $P_1 = (x_1, y_1) \in E$ and $P_2 = (x_2, y_2) \in E$, $h(P_1, P_2) = h_D(P_2) = h_D(x_2, y_2)$ as above, where $D = P_1 - O$. Let $\hat h : \hat E \times \hat E \to \bar k$ be such that for $\hat\alpha, \hat\beta \in \hat E$,
$$\hat h(\hat\alpha, \hat\beta) = \prod_{i=1}^n h(\rho_i(\hat\alpha), \rho_i(\hat\beta)).$$

Suppose $P \in E[\ell]$. Then $D = P - O$ is an $\ell$-torsion divisor. We recall how to efficiently construct $h$ such that $\ell D = (h)$ through the squaring trick [14,15]. Let $D_i = P_i - O$ where $P_i = 2^i P$ for all $i$. Apply addition to double $D$, and get $2D = (h_D) + D_1$. Inductively, we have $H_{D,i}$ such that
$$2^i D = (H_{D,i}) + D_i.$$
Apply addition to double $D_i$ and get $2D_i = (h_{D_i}) + D_{i+1}$. We have $2^{i+1} D = (H_{D,i+1}) + D_{i+1}$ where $H_{D,i+1} = H_{D,i}^2\, h_{D_i}$. Write $\ell = \sum_i a_i 2^i$ with $a_i \in \{0, 1\}$. Let $H_D = \prod_i H_{D,i}^{a_i}$. Then $\ell D = (H_D) + \sum_i a_i D_i$. Write $\sum_i a_i D_i = D_{i_1} + \dots + D_{i_m}$ with $i_1 > \dots > i_m$. Then $P_{i_1} + P_{i_2} = Q_1$, $Q_1 + P_{i_3} = Q_2$, $\dots$, $Q_{m-2} + P_{i_m} = O$ with $Q_j \in E$ for $j = 1, \dots, m-1$. We have $\sum_i a_i D_i = (G_D)$ where
$$G_D = g_{P_{i_1},P_{i_2}}\; g_{Q_1,P_{i_3}} \cdots g_{Q_{m-2},P_{i_m}}.$$
We have $\ell D = (H_D G_D)$. Let $f_P = H_D G_D$. Then for $P, Q \in E[\ell]$,
$$e_E(P, Q) = \frac{f_P(Q)}{f_Q(P)},$$
where $e_E$ is the Weil pairing on $E[\ell]$.

Suppose $\hat\alpha \in \hat E[\ell]$. Let $\hat\alpha_i = 2^i \hat\alpha$. Then for $j = 1, \dots, n$, $2\rho_j(\hat\alpha_i) = \rho_j(\hat\alpha_{i+1})$. Let $\hat D = \hat\alpha - O$. Let $h$ be as defined before, where $h(P_1, P_2) = h_{P_1 - O}(P_2)$ for $P_1, P_2 \in E$. Inductively define $\hat H_{i+1}(\hat\alpha, \hat\beta) = \hat H_i(\hat\alpha, \hat\beta)^2\, \hat h(\hat\alpha_i, \hat\beta)$. We can verify inductively
$$\hat H_j(\hat\alpha, \hat\beta) = \prod_{i=1}^n H_{\rho_i(\hat D),\,j}(\rho_i(\hat\beta)).$$
Let $\hat H = \prod_i \hat H_i^{a_i}$. Then $\hat H(\hat\alpha, \hat\beta) = \prod_{i=1}^n H_{\rho_i(\hat\alpha) - O}(\rho_i(\hat\beta))$, and can be efficiently computed once $\hat h$ is specified.

Write $\sum_i a_i \hat\alpha_i = \hat\alpha_{i_1} + \dots + \hat\alpha_{i_m} = O$ with $i_1 > \dots > i_m$. Let $\hat\beta_j$ be such that $\hat\alpha_{i_1} + \hat\alpha_{i_2} = \hat\beta_1$, $\hat\beta_1 + \hat\alpha_{i_3} = \hat\beta_2$, $\dots$, $\hat\beta_{m-2} + \hat\alpha_{i_m} = O$. We have
$$\hat g(\hat\alpha_{i_1}, \hat\alpha_{i_2}, \hat\beta) = \prod_{i=1}^n g(\rho_i(\hat\alpha_{i_1}), \rho_i(\hat\alpha_{i_2}), \rho_i(\hat\beta)),$$
$$\hat g(\hat\beta_1, \hat\alpha_{i_3}, \hat\beta) = \prod_{i=1}^n g(\rho_i(\hat\beta_1), \rho_i(\hat\alpha_{i_3}), \rho_i(\hat\beta)),$$
$$\dots$$
$$\hat g(\hat\beta_{m-2}, \hat\alpha_{i_m}, \hat\beta) = \prod_{i=1}^n g(\rho_i(\hat\beta_{m-2}), \rho_i(\hat\alpha_{i_m}), \rho_i(\hat\beta)).$$
So
$$\hat g(\hat\alpha_{i_1}, \hat\alpha_{i_2}, \hat\beta)\; \hat g(\hat\beta_1, \hat\alpha_{i_3}, \hat\beta) \cdots \hat g(\hat\beta_{m-2}, \hat\alpha_{i_m}, \hat\beta) = \prod_{i=1}^n G_{\rho_i(\hat\alpha) - O}(\rho_i(\hat\beta)).$$
Therefore $\prod_{i=1}^n f_{\rho_i(\hat\alpha)}(\rho_i(\hat\beta))$ can be computed efficiently using $\hat g$ and $\hat h$. Similarly $\prod_{i=1}^n f_{\rho_i(\hat\beta)}(\rho_i(\hat\alpha))$ can be computed efficiently using $\hat g$ and $\hat h$. So
$$\hat e(\hat\alpha, \hat\beta) = \frac{\prod_{i=1}^n f_{\rho_i(\hat\alpha)}(\rho_i(\hat\beta))}{\prod_{i=1}^n f_{\rho_i(\hat\beta)}(\rho_i(\hat\alpha))}$$
can be computed efficiently using $\hat g$ and $\hat h$.

Finally we note that both $\hat g$ and $\hat h$ are products of semi-local functions. They can be specified securely using the procedure described in §.
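The computation just described, carried out on one unblinded curve ($n = 1$, so $\rho_i$ is the identity), as an added worked example that is not from the paper: it builds $g_{P_1,P_2}$, $h_D$, the squaring-trick product $H_D G_D = f_P$ and the quotient $f_P(Q)/f_Q(P)$ on a toy curve I constructed, $E: y^2 = x^3 + 11$ over $\mathbb F_{31}$, whose 5-torsion is fully rational so the pairing lands in $\mu_5 \subset \mathbb F_{31}$. The line functions above are normalised at $O$, so the quotient is multiplied by Miller's normalisation sign $(-1)^\ell$ [15] to obtain $e_E$; that sign and the toy parameters are my additions, not the page's formula.

```python
# Toy instance constructed for this example (not from the paper): E: y^2 = x^3 + 11 over F_31.
# E(F_31) has 25 points and is Z/5 x Z/5, so E[5] is rational and e_5 takes values in mu_5 < F_31^*.
p, a, b, ell = 31, 0, 11, 5
O = None                                   # the point at infinity

def inv(z):
    return pow(z % p, p - 2, p)

def add(P1, P2):
    """Chord-and-tangent addition on E with lambda, nu as in the text."""
    if P1 is O: return P2
    if P2 is O: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:    # P2 = -P1
        return O
    lam = (y2 - y1) * inv(x2 - x1) if x1 != x2 else (3 * x1 * x1 + a) * inv(2 * y1)
    nu = (y1 - lam * x1) % p               # nu = y1 - lambda*x1 in both cases
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (-lam * x3 - nu) % p)      # P3 = (x3, -lambda*x3 - nu)

def line(P1, P2, Q):
    """g_{P1,P2}(Q) = (y - lambda x - nu)/(x - x3); with P1 = P2 it is the tangent h_D(Q)."""
    (x1, y1), (x2, y2), (x, y) = P1, P2, Q
    if x1 == x2 and (y1 + y2) % p == 0:    # P1 + P2 = O: vertical line, divisor P1 + P2 - 2O
        return (x - x1) % p
    lam = (y2 - y1) * inv(x2 - x1) if x1 != x2 else (3 * x1 * x1 + a) * inv(2 * y1)
    nu, x3 = (y1 - lam * x1) % p, (lam * lam - x1 - x2) % p
    return (y - lam * x - nu) * inv(x - x3) % p

def miller(P, Q):
    """f_P(Q), where (f_P) = ell*(P) - ell*(O) and f_P = H_D * G_D exactly as in the text."""
    bits = [int(c) for c in bin(ell)[2:]][::-1]     # ell = sum_i a_i 2^i
    H, Pi, Hs, Ps = 1, P, [], []                    # H_{D,0} = 1, P_0 = P
    for _ in bits:                                  # invariant: 2^i D = (H_{D,i}) + D_i
        Hs.append(H); Ps.append(Pi)
        H = H * H * line(Pi, Pi, Q) % p             # H_{D,i+1} = H_{D,i}^2 * h_{D_i}
        Pi = add(Pi, Pi)                            # P_{i+1} = 2 P_i
    HD = 1
    for ai, Hi in zip(bits, Hs):
        if ai: HD = HD * Hi % p                     # H_D = prod_i H_{D,i}^{a_i}
    idx = [i for i, ai in enumerate(bits) if ai][::-1]   # i_1 > i_2 > ... > i_m
    GD, R = 1, Ps[idx[0]]                           # R runs through Q_1, ..., Q_{m-1} = O
    for i in idx[1:]:                               # G_D = g_{P_{i_1},P_{i_2}} g_{Q_1,P_{i_3}} ...
        GD = GD * line(R, Ps[i], Q) % p
        R = add(R, Ps[i])
    return HD * GD % p

def weil(P, Q):
    """e_E(P, Q) = (-1)^ell * f_P(Q)/f_Q(P); the sign is Miller's normalisation-at-O correction."""
    return (-1) ** ell * miller(P, Q) * inv(miller(Q, P)) % p
```

With $P = (2, 9)$ and $Q = (3, 10)$, two independent points of order 5, `weil(P, Q)` is a non-trivial 5th root of unity and the map is bilinear and alternating; without the sign the quotient satisfies $w^5 = -1$ instead.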
Acknowledgements

I would like to thank the participants of the AIM workshop on cryptographic multilinear maps (2017), and the participants of the BIRS workshop: An algebraic approach to multilinear maps for cryptography (May 2018), for stimulating and helpful discussions. I would especially like to acknowledge the contributions of the following colleagues: Dan Boneh and Amit Sahai for valuable discussions during the early phase of this work; Steven Galbraith for careful reading of the preprint in [8] as well as valuable comments and questions; Steven Galbraith, Karl Rubin, Travis Scholl, Shahed Sharif, Alice Silverberg, and Ben Smith for valuable comments and questions on a subsequent preprint [9].
References
1. A. Ayad, A Survey on the Complexity of Solving Algebraic Systems, International Mathematical Forum, 5, 2010, no. 7, 333-353.
2. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, and K. Yang, On the (im)possibility of obfuscating programs. In Advances in Cryptology, CRYPTO 2001, pp. 1-18. Springer, 2001.
3. D. Boneh and A. Silverberg, Applications of Multilinear Forms to Cryptography, Contemporary Mathematics Vol. 324, American Mathematical Society, pp. 71-90, 2003.
4. D. Cantor, Computing in the jacobian of a hyperelliptic curve, Mathematics of Computation.
Handbook of elliptic curve and hyperelliptic curve cryptography, CRC Press 2006.
8. M.-D. Huang, Trilinear maps for cryptography, arXiv:1803.10325, 2018.
9. M.-D. Huang, Trilinear maps for cryptography II, arXiv:1810.03646, 2019.
10. M.-D. Huang, Weil descent and cryptographic trilinear maps, arXiv:1908.06891, 2019.
11. M.-D. Huang and W. Raskind, A Multilinear Generalization of the Tate Pairing, Proc. 9th Int'l Conf. on Finite Fields and their Applications (Fq 9), AMS Contemporary Mathematics Series Vol. 518, ed. by G. Mullen, 255-263, 2010.
12. M.-D. Huang and Y.-C. Wong, Extended Hilbert Irreducibility and Its Applications, J. Algorithms 37, 121-145 (2000).
13. H. Lin and S. Tessaro, Indistinguishability Obfuscation from Trilinear Maps and Block-Wise Local PRGs, in CRYPTO 2017.
14. V. Miller, Short programs for functions on curves, unpublished manuscript, 1986.
15. V. Miller, The Weil pairing, and its efficient calculation, J. Cryptology 17 (2004) 235-261.
16. J.S. Milne, Abelian varieties, in Arithmetic Geometry, G. Cornell and J. Silverman editors, Springer Verlag 1986.
17. J.S. Milne, Jacobian varieties, in Arithmetic Geometry, G. Cornell and J. Silverman editors, Springer Verlag 1986.
18. J.H. Silverman, The arithmetic of elliptic curves, 2nd ed., Springer, 2009.
19. A. Weil, Adeles and Algebraic Groups, Progress in Math. 23, Birkhäuser 1982. (Notes of Lectures given 1959-1960.)