Cryptanalysis of GGH Map

Multilinear map is a novel primitive which has many cryptographic applications, and GGH map is a major candidate of K-linear maps for K > 2. GGH map has two classes of applications, which are respectively applications with public tools of encoding and with hidden tools of encoding. In this paper we show that applications of GGH map with public tools of encoding are not secure, and that one application of GGH map with hidden tools of encoding is not secure. On the basis of weak-DL attack presented by authors themselves, we present several efficient attacks on GGH map, aiming at multipartite key exchange (MKE) and the instance of witness encryption (WE) based on the hardness of 3-exact cover problem. First, we use special modular operations, which we call modified encoding/decoding, to filter the decoded noise much smaller. Such filtering is enough to break MKE. Moreover, such filtering negates K-GMDDH assumption, which is the security basis of an ABE scheme. The procedure almost breaks away from those lattice attacks and looks like an ordinary algebra. The key point is our special tools for modular operations. Second, under the condition of public tools of encoding, we break the instance of WE based on the hardness of 3-exact cover problem. To do so, we not only use modified encoding/decoding, but also introduce and solve “combined 3-exact cover problem”, which is a problem never hard to be solved. This attack is under an assumption, which seems at least nonnegligible. Third, for hidden tools of encoding, we break the instance of WE based on the hardness of 3-exact cover problem. To do so, we construct level-2 encodings of 0, used as alternative tools of encoding. Then we break the scheme by applying modified encoding/decoding and combined 3-exact cover. This attack is under several stronger assumptions, which seem nonnegligible. Finally, we present cryptanalysis of two simple revisions of GGH map, aiming at MKE. We show that MKE on these two revisions can be broken under the assumption that 2 is polynomially large. To do so, we further generalize our modified encoding/decoding.