Multilinear Cryptography using Nilpotent Groups
Delaram Kahrobaei, Antonio Tortora, and Maria Tota

TL;DR
This paper introduces a new approach to multilinear cryptography by extending multilinear maps to arbitrary groups and utilizing nilpotent group identities for cryptosystem development.
Contribution
It generalizes multilinear maps to arbitrary groups and proposes a novel cryptosystem based on nilpotent group identities.
Findings
New multilinear cryptosystem using nilpotent groups
Generalization of multilinear maps to arbitrary groups
Potential for enhanced cryptographic protocols
Abstract
In this paper we generalize the definition of a multilinear map to arbitrary groups and develop a novel idea of multilinear cryptosystem using nilpotent group identities.
Delaram Kahrobaei
University of York, New York University
Antonio Tortora
Dipartimento di Matematica e Fisica, Università della Campania “Luigi Vanvitelli”, Caserta, Italy
Maria Tota
Dipartimento di Matematica, Università di Salerno, Fisciano (SA), Italy
2010 Mathematics Subject Classification: 20F18, 94A60.
Keywords: multilinear map, nilpotent group, public-key cryptography.
1 Introduction
In recent years multilinear maps have attracted attention in the cryptography community. The idea was first proposed by Boneh and Silverberg [1]. For the existence of -linear maps is still an open question. One of the main applications of multilinear maps is their use for indistinguishability obfuscation. For example, in [5] Lin and Tessaro proved that trilinear maps are sufficient for the purpose of achieving indistinguishability obfuscation. Recently, Huang [3] constructed cryptographic trilinear maps that involve simple, non-ordinary abelian varieties over finite fields.
Group-based cryptography offers a new direction for answering this question. A bilinear cryptosystem using the discrete logarithm problem in matrices coming from a linear representation of a group of nilpotency class has been proposed in [7].
In this paper, we propose multilinear cryptosystems using identities in nilpotent groups, in which the security is based on the discrete logarithm problem.
2 Multilinear Maps in Cryptography
Let be a positive integer. For cyclic groups and of prime order , a map is said to be a (symmetric) -linear map (or a multilinear map) if for any and , we have
[TABLE]
and further is non-degenerate in the sense that is a generator of for any generator of .
2.1 Fully Homomorphic Encryption and Graded Encoding Schemes
One interesting use of multilinear maps arises in connection with one of the revolutions that swept the world of cryptography, namely fully homomorphic encryption (FHE). The intuition is that FHE ciphertexts behave like the exponents of group elements in a multilinear map, the so-called graded encoding scheme [2]. Such a scheme is a family of efficient cyclic groups of the same prime order together with efficient non-degenerate bilinear pairings whenever . In other words, if we fix a family of generators of the ’s in such a way that , we can add exponents within a given group
[TABLE]
and multiply exponents from two groups , as long as :
[TABLE]
This makes somewhat similar to an FHE encryption of .
2.2 Generalization of Multilinear Maps to any Group
Here we generalize the definition of a multilinear map to arbitrary groups and . We say that a map is a (symmetric) -linear map (or a multilinear map) if for any and , we have
[TABLE]
Notice that the map is not necessarily linear in each component. In addition, we say that is non-degenerate if there exists such that .
3 Preliminaries
3.1 Nilpotent and Engel Groups
A group is said to be nilpotent if it has a finite series
[TABLE]
which is central, that is, each is normal in and is contained in the center of . The length of a shortest central series is the (nilpotency) class of . Of course, nilpotent groups of class at most 1 are abelian. A great source of nilpotent groups is the class of finite -groups, i.e., finite groups whose orders are powers of a prime .
Closely related to nilpotent groups is the calculus of commutators. Let be elements of a group . We will use the following commutator notation: . More generally, a simple commutator of weight is defined recursively by the rule
[TABLE]
where by convention . A useful shorthand notation is
[TABLE]
For the reader's convenience, we recall the following property of commutators:
[TABLE]
For further basic properties of commutators we refer to [9, 5.1].
It is useful to be able to form commutators of subsets as well as elements. Let be nonempty subsets of a group . Define the commutator subgroup of and to be
[TABLE]
More generally, let
[TABLE]
where . Then, there is a natural way of generating a descending sequence of commutator subgroups of a group, by repeatedly commuting with . The result is a series
[TABLE]
in which . This is called the lower central series of and it does not in general reach . Notice that lies in the center of .
A useful characterization of nilpotent groups, in terms of commutators, is the following.
Lemma 3.1.
A group is nilpotent of class at most if and only if the identity is satisfied in , that is . In particular, in a nilpotent group of class , the subgroup is central.
Among the best known generalized nilpotent groups are the so-called Engel groups. A group is called -Engel if for all . If is nilpotent of class , then is -Engel. Also, there are nilpotent groups of class which are not -Engel. For example, given a prime , the wreath product is nilpotent of class but not -Engel [4, Theorem 6.2].
Conversely, any finite -Engel group is nilpotent, by a well-known result of Zorn [9, 12.3.4].
3.2 Nilpotent Group Identities
The next result is a straightforward application of (1), together with Lemma 3.1.
Lemma 3.2.
Let be a nilpotent group of class and let be a nonzero integer. Then, for all , we have
[TABLE]
and
[TABLE]
Then the following proposition holds:
Proposition 3.3.
Let be a nilpotent group of class . Then
[TABLE]
for any , and .
Proof.
We argue by induction on . The case is true by Lemma 3.2.
Let . Then is nilpotent of class . Moreover, is central by Lemma 3.1. Hence the induction hypothesis gives
[TABLE]
It follows that where . Since is central, applying (1), we get
[TABLE]
and so
[TABLE]
by Lemma 3.2. ∎
Let be a nilpotent group of class and . According to Proposition 3.3 for any , we have
[TABLE]
Therefore we can construct the multilinear map given by
[TABLE]
Similarly, given , we can consider the multilinear map given by
[TABLE]
Further, assuming that is not Engel, one can take in such a way that is non-degenerate. In fact there exists such that .
4 Multilinear Cryptography using Nilpotent Groups
Here we propose two multilinear cryptosystems based on the identity (2) in Proposition 3.3.
4.1 Protocol I
First we generalize the bilinear map mentioned in [7] to a multilinear (-linear) map for users. Let be the users with private exponents respectively. Given an integer , the main formula on which our key-exchange protocol is based is an identity in a public nilpotent group of class (see Proposition 3.3):
[TABLE]
The users ’s transmit in a public channel
[TABLE]
The key exchange works as follows:
- The user can compute .
- The user () can compute
[TABLE]
- The user can compute .
The common key is .
Example: Trilinear Cryptography using Nilpotent Groups of class 3. Let be the users with private exponents respectively. The users , , and transmit in a public channel
[TABLE]
The key exchange works as follows:
- The user can compute .
- The user can compute .
- The user can compute .
- The user can compute .
The common key is .
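The trilinear exchange above can be checked on a small concrete group; the following is an added example, not code from the paper. The platform UT_4(F_p) (upper unitriangular 4x4 matrices mod p, nilpotent of class 3), the convention [x,y] = x^-1 y^-1 x y, the assignment of published powers to the four users, and all sample values are assumptions of this example.

```python
# Added toy example: UT_4(F_p), the upper unitriangular 4x4 matrices mod p,
# is nilpotent of class 3. All values below are constructed for illustration.
P, N = 1009, 4
IDENT = tuple(tuple(int(i == j) for j in range(N)) for i in range(N))

def ut(a12, a13, a14, a23, a24, a34):
    return ((1, a12, a13, a14), (0, 1, a23, a24), (0, 0, 1, a34), (0, 0, 0, 1))

def mul(a, b):
    return tuple(tuple(sum(a[i][k] * b[k][j] for k in range(N)) % P
                       for j in range(N)) for i in range(N))

def power(a, e):
    """Square-and-multiply for e >= 0."""
    r = IDENT
    while e:
        if e & 1:
            r = mul(r, a)
        a, e = mul(a, a), e >> 1
    return r

def inv(a):
    # UT_4(F_p) has exponent p for p >= 4, so a^(p-1) is the inverse of a.
    return power(a, P - 1)

def comm(*xs):
    """Left-normed commutator [x1,...,xn], assuming [x,y] = x^-1 y^-1 x y."""
    c = xs[0]
    for y in xs[1:]:
        c = mul(mul(inv(c), inv(y)), mul(c, y))
    return c

def shared_keys(x, y, z, a, b, c, d):
    """Four users; the split of published powers is this example's assumption."""
    xa, xb = power(x, a), power(x, b)
    yb, yc = power(y, b), power(y, c)
    zc, zd = power(z, c), power(z, d)
    return [power(comm(xb, yc, zd), a),   # user with exponent a
            power(comm(xa, yc, zd), b),   # user with exponent b
            power(comm(xa, yb, zd), c),   # user with exponent c
            power(comm(xa, yb, zc), d)]   # user with exponent d

def exponent_from_superdiagonal(x, xa):
    """Entry (0,1) of x^a equals a*x[0][1] mod p, so this platform leaks a."""
    return xa[0][1] * pow(x[0][1], -1, P) % P

X, Y, Z = ut(2, 11, 5, 7, 3, 9), ut(4, 1, 8, 3, 6, 5), ut(6, 2, 7, 9, 4, 10)
A, B, C, D = 123, 456, 789, 321  # private exponents (constructed)
KEYS = shared_keys(X, Y, Z, A, B, C, D)
```

All four entries of `KEYS` equal `[X, Y, Z]` raised to the product of the exponents. `exponent_from_superdiagonal` recovers a private exponent from a published power by one modular division, so this matrix platform demonstrates correctness only and is not a secure choice of group.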
4.2 Protocol II
Let be a public nilpotent group of class which is not -Engel (). Then there exist such that . Suppose that users want to agree on a shared secret key. Each user selects a private nonzero integer , computes and sends it to the other users. Then:
- The user computes .
- The user , computes .
- The user computes .
Hence, again by Proposition 3.3, each user obtains which is the shared key.
5 Security and Platform Group
The security of our protocols is based on the discrete logarithm problem (DLP). The ideal platform group for our protocols must be a nonabelian nilpotent group of large order such that the nilpotency class is not too large and the DLP in such a group is hard. Please note that we do not suppose that the group is presented by generating elements and defining relators or as a subgroup of a triangular matrix group over a prime finite field (in finite case) or over the ring of integers (in torsion-free case).
In [10], Sutherland has studied the DLP in finite abelian -groups, and showed how to apply the algorithms for -groups to find the structure of any finite abelian group.
In a series of papers by Mahalanobis, the DLP has been studied for finite -groups but mostly for nilpotent groups of class [6, 8]. In particular, in [7], Mahalanobis and Shinde proposed -groups of class in which the platform is not practical, as shown by the authors.
Funding. The authors were supported by the “National Group for Algebraic and Geometric Structures, and their Applications” (GNSAGA – INdAM). The first author was also partially supported by a PSC-CUNY grant from the CUNY Research Foundation.
- [1] D. Boneh and A. Silverberg, Applications of Multilinear Forms to Cryptography, Contemporary Mathematics 324, American Mathematical Society (2003), 71–90.
- [2] S. Garg, C. Gentry and S. Halevi, Candidate multilinear maps from ideal lattices, EUROCRYPT 2013, LNCS 7881 (2013), 1–17.
- [3] M.A. Huang, Trilinear maps for cryptography, preprint available at https://arxiv.org/abs/1803.10325 (2018).
- [4] H. Liebeck, Concerning nilpotent wreath products, Proc. Cambridge Philos. Soc. 58 (1962), 443–451.
- [5] H. Lin and S. Tessaro, Indistinguishability Obfuscation from Trilinear Maps and Block-Wise Local PRGs, in CRYPTO 2017.
- [6] A. Mahalanobis, The Diffie-Hellman key exchange protocol and non-abelian nilpotent groups, Israel J. Math. 165 (2008), 161–187.
- [7] A. Mahalanobis and P. Shinde, Bilinear Cryptography Using Groups of Nilpotency Class 2, Cryptography and Coding, 16th IMA International Conference, IMACC 2017, Oxford, UK (2017), 127–134.
- [8] A. Mahalanobis, The MOR cryptosystem and finite p-groups, Algorithmic problems of group theory, their complexity, and applications to cryptography, 81–95, Contemp. Math. 633, Amer. Math. Soc., Providence, RI, 2015.
