Multilinear Cryptography using Nilpotent Groups

by   Delaram Kahrobaei, et al.
NYU college
University of Salerno

In this paper we develop a novel idea of multilinear cryptosystem using nilpotent group identities.



There are no comments yet.


page 1

page 2

page 3

page 4


Bilinear cryptography using finite p-groups of nilpotency class 2

In this short note, we develop a novel idea of a bilinear cryptosystem u...

Problems in group theory motivated by cryptography

This is a survey of algorithmic problems in group theory, old and new, m...

New Kloosterman sum identities from the Helleseth-Zinoviev result on Z_4-linear Goethals codes

In the paper of Tor Helleseth and Victor Zinoviev (Designs, Codes and Cr...

A Closer Look at the Multilinear Cryptography using Nilpotent Groups

In a previous paper we generalized the definition of a multilinear map t...

The Hidden Subgroup Problem and Post-quantum Group-based Cryptography

In this paper we discuss the Hidden Subgroup Problem (HSP) in relation t...

Monoidal categories, representation gap and cryptography

The linear decomposition attack provides a serious obstacle to direct ap...

MeetSense: A Lightweight Framework for Group Identification using Smartphones

In an organization, individuals prefer to form various formal and inform...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

In recent years multilinear maps have attracted attention in cryptography community. The idea has been first proposed by Boneh and Silverberg [1]. For the existence of -linear maps is still an open question. One of the main applications of multilinear maps is their use for indistinguishability obfuscation. For example in [5] Lin and Tessaro proved that trilinear maps are sufficient for the purpose of achieving indistinguishability obfuscation. Recently, Huang [3] constructed cryptographic trilinear maps that involve simple, non-ordinary abelian varieties over finite fields.

Group-based cryptography has some new direction to offer to answer this question. A bilinear cryptosystem using the discrete logarithm problem in matrices coming from a linear representation of a group of nilpotency class has been proposed in [7].

In this paper, we propose multilinear cryptosystems using identities in nilpotent groups, in which the security is based on the chosen discrete logarithm problem in finite -groups.

2 Multilinear Maps in Cryptography

Let be a positive integer. For cyclic groups and of prime order , a map is said to be a (symmetric) -linear map (or a multilinear map) if for any and , we have

and further is non-degenerate in the sense that is a generator of for any generator of .

2.1 Fully Homomorphic Encryption and Graded Encoding Schemes

One of the interesting importance of multilinear maps arises in the notion of one of the revolution which swept the world of cryptography, namely fully homomophic encryption (FHE). The intuition is that FHE ciphertexts behave like the exponents of group elements in a multilinear map, the so called graded encoding scheme [2]. Such a scheme is a family of efficient cyclic groups of the same prime order together with efficient non-degenerate bilinear pairings whenever . In other words, if we fix a family of generators of the ’s in such a way that , we can add exponents within a given group

and multiply exponents from two groups , as long as :

This makes somewhat similar to an FHE encryption of .

2.2 Generalization of Multilinear Maps to any Group

Here we generalize the definition of a multilinear map to arbitrary groups and . We say that a map is a (symmetric) -linear map (or a multilinear map) if for any and , we have

Notice that the map is not necessarily linear in each component. In addition, we say that is non-degenerate if there exists such that .

3 Preliminaries

3.1 Semidirect Product

Let and be two groups. Denote by the group of automorphisms of , and let be a homomorphism. Then the (external) semidirect product of and is the set

with the group operation given by

Here denotes the image of under the automorphism .

We observe that, for any integer ,


3.2 Nilpotent and Engel Groups

A group is said to be nilpotent if it has a finite series

which is central, that is, each is normal in and is contained in the center of . The length of a shortest central series is the (nilpotency) class of . Of course, nilpotent groups of class at most 1 are abelian. A great source of nilpotent groups is the class of finite -groups, i.e., finite groups whose orders are powers of a prime .

Close related to nilpotent groups is the calculus of commutators. Let be elements of a group . We will use the following commutator notation: . More generally, a simple commutator of weight is defined recursively by the rule

where by convention . A useful shorthand notation is

For the reader convenience, we recall the following property of commutators:


For further basic properties of commutators we refer to [9, 5.1].

It is useful to be able to form commutators of subsets as well as elements. Let be nonempty subsets of a group . Define the commutator subgroup of and to be

More generally, let

where . Then, there is a natural way of generating a descending sequence of commutator subgroups of a group, by repeatedly commuting with . The result is a series

in which . This is called the lower central series of and it does not in general reach . Notice that lies in the center of .

A useful characterization of nilpotent groups, in terms of commutators, is the following.

Lemma 1

A group is nilpotent of class at most if and only if the identity is satisfied in , that is . In particular, in a nilpotent group of class , the subgroup is central.

Among the best known generalized nilpotent groups are the so-called Engel groups. A group is called -Engel if for all . If is nilpotent of class , then is -Engel. Also, there are nilpotent groups of class which are not -Engel. For example, given a prime , the wreath product is nilpotent of class but not -Engel [4, Theorem 6.2].

Conversely, any finite -Engel group is nilpotent, by a well-known result of Zorn [9, 12.3.4].

3.3 Nilpotent Group Identities

The next result is a straightforward application of (2), together with Lemma 1.

Lemma 2

Let be a nilpotent group of class and let be a nonzero integer. Then, for all , we have


Then the following proposition holds:

Proposition 1

Let be a nilpotent group of class . Then


for any , and .


We argue by induction on . The case is true by Lemma 2.

Let . Then is nilpotent of class . Moreover, is central by Lemma 1. Hence the induction hypothesis gives

It follows that where . Since is central, applying (2), we get

and so

by Lemma 2.

Let be a nilpotent group of class and . According to Proposition 1 for any , we have

Therefore we can construct the multilinear map given by

Similarly, given , we can consider the multilinear map given by

Further, assuming that is not Engel, one can take in such a way that is non-degenerate. In fact there exists such that .

4 Multilinear Cryptography using Nilpotent Groups

Here we propose two multilinear cryptosystems based on the identity (3) in Proposition 1.

4.1 Protocol I

First we generalize the bilinear map which has been mentioned in [7], to multilinear (-linear) map for users. Let be the users with private exponents respectively. Given an integer , the main formula on which our key-exchange protocol is based on, is an identity in a public nilpotent group of class (see Proposition 1):

The users ’s transmit in public channel

The key exchange works as follows:

  • The user can compute .

  • The user () can compute

  • The user can compute .

The common key is .

Example: Trilinear Cryptography using Nilpotent Groups of class 3. Let be the users with private exponents respectively. The users , , and transmit in public channel

The key exchange works as follows:

  • The user can compute .

  • The user can compute .

  • The user can compute .

  • The user can compute .

The common key is .

4.2 Protocol II

Let be a public nilpotent group of class which is not -Engel (). Then there exist such that . Suppose that users want to agree on a shared secret key. Each user selects a private nonzero integer , computes and sends it to the other users. Then:

  • The user computes .

  • The user , computes .

  • The user computes .

Hence, again by Proposition 1, each user obtains which is the shared key.

5 Security and Platform Group

The security of our protocols is based on the discrete logarithm problem (DLP). The ideal platform group for our protocols must be a nonabelian nilpotent group of large order such that the nilpotency class is not too large and the DLP in such a group is hard.

5.1 The Complexity of DLP in Finite -Groups

In [10], Sutherland has studied the DLP in finite abelian -groups, and showed how to apply the algorithms for -groups to find the structure of any finite abelian group.

In a series of papers by Mahalanobis, the DLP has been studied for finite -groups but mostly for nilpotent groups of class [6, 8]. In particular, in [7], Mahalanobis and Shinde proposed -groups of class in which the platform is not practical as showed by the authors.

Solving the DLP in finite -groups of larger class is an interesting question. We consider a semidirect product of cyclic -groups of well-defined orders, to make a nilpotent group and then computing the DLP in each factor.

5.2 Suggested Platform

Take where and are large primes. Let and be the subgroups of of orders and , respectively. Selecting a nontrivial endomorphism of amounts to selecting a positive integer such that . If is relatively prime to , then is actually an automorphism. Define where is a homorphism from to such that . Assuming such that , then we have for the following presentation:

In particular is a finite -group of order and nilpotency class 3, which is not 2-Engel.

The group could be considered as a platform for Protocols I and II for and users, respectively. The appropriate choice of and is important to provide security and efficiency.

5.3 DLP in Semidirect Product of Subgroups of

Let be as in 5.2, and assume . By (1), for any , we have

The bottom line is that the DLP in can be reduced to DLP on its factors. We focus on the second component of the element on the right; an easy computation shows that it is equal to

Thus, if the adversary chooses a “direct” attack, by trying to recover the private exponent , he/she will have to solve the DLP twice: first to recover from , and then to recover from .

Acknowledgment. The authors would like to thank Antoine Joux for interesting discussions and useful comments.


  • [1] D. Boneh and A. Silverberg, Applications of Multilinear Forms to Cryptography, Contemporary Mathematics 324, American Mathematical Society, (2003) 71–90.
  • [2] S. Garg and C. Gentry and S. Halevi, Candidate multilinear maps from ideal lattices EUROCRYPT 2013 7881 LNCS (2013) 1–17.
  • [3] M. A. Huang, Trilinear maps for cryptography, preprint available at https:// (2018).
  • [4] H. Liebeck, Concerning nilpotent wreath products, Proc. Cambridge Philos. Soc. 58 (1962), 443–451.
  • [5] H. Lin and S. Tessaro, Indistinguishability Obfuscation from Trilinear Maps and Block-Wise Local PRGs, in CRYPTO 2017.
  • [6] A. Mahalanobis, The Diffie-Hellman key exchange protocol and non-abelian nilpotent groups, Israel J. Math. 165 (2008), 161–187.
  • [7] A. Mahalanobis and P. Shinde, Bilinear Cryptography Using Groups of Nilpotency Class , Cryptography and Coding, 16th IMA International Conference, IMACC 2017, Oxford, UK (2017), 127–134.
  • [8] A. Mahalanobis, The MOR cryptosystem and finite p-groups, Algorithmic problems of group theory, their complexity, and applications to cryptography, 81–95, Contemp. Math. 633, Amer. Math. Soc., Providence, RI, 2015.
  • [9] D. J. S. Robinson, A course in the Theory of Groups, 2nd edition, Springer-Verlag, New York, 1996.
  • [10] A. V. Sutherland, Structure computation and discrete logarithms in finite abelian -groups, Math. Comp. 80 (2011), no. 273, 477–500.