1 Introduction
In recent years multilinear maps have attracted attention in the cryptography community. The idea was first proposed by Boneh and Silverberg [1]. For the existence of linear maps is still an open question. One of the main applications of multilinear maps is their use for indistinguishability obfuscation. For example, in [5], Lin and Tessaro proved that trilinear maps are sufficient for the purpose of achieving indistinguishability obfuscation. Recently, Huang [3] constructed cryptographic trilinear maps that involve simple, non-ordinary abelian varieties over finite fields.
Group-based cryptography offers a new direction for answering this question. A bilinear cryptosystem using the discrete logarithm problem in matrices coming from a linear representation of a group of nilpotency class has been proposed in [7].
In this paper, we propose multilinear cryptosystems using identities in nilpotent groups, in which the security is based on the chosen discrete logarithm problem in finite groups.
2 Multilinear Maps in Cryptography
Let be a positive integer. For cyclic groups and of prime order , a map is said to be a (symmetric) linear map (or a multilinear map) if for any and , we have
and further is nondegenerate in the sense that is a generator of for any generator of .
2.1 Fully Homomorphic Encryption and Graded Encoding Schemes
One interesting aspect of multilinear maps arises in connection with one of the revolutions that swept the world of cryptography, namely fully homomorphic encryption (FHE). The intuition is that FHE ciphertexts behave like the exponents of group elements in a multilinear map, the so-called graded encoding scheme [2]. Such a scheme is a family of efficient cyclic groups of the same prime order together with efficient nondegenerate bilinear pairings whenever . In other words, if we fix a family of generators of the ’s in such a way that , we can add exponents within a given group
and multiply exponents from two groups , as long as :
This makes somewhat similar to an FHE encryption of .
2.2 Generalization of Multilinear Maps to any Group
Here we generalize the definition of a multilinear map to arbitrary groups and . We say that a map is a (symmetric) linear map (or a multilinear map) if for any and , we have
Notice that the map is not necessarily linear in each component. In addition, we say that is nondegenerate if there exists such that .
3 Preliminaries
3.1 Semidirect Product
Let and be two groups. Denote by the group of automorphisms of , and let be a homomorphism. Then the (external) semidirect product of and is the set
with the group operation given by
Here denotes the image of under the automorphism .
We observe that, for any integer ,
(1) 
3.2 Nilpotent and Engel Groups
A group is said to be nilpotent if it has a finite series
which is central, that is, each is normal in and is contained in the center of . The length of a shortest central series is the (nilpotency) class of . Of course, nilpotent groups of class at most 1 are abelian. A great source of nilpotent groups is the class of finite groups, i.e., finite groups whose orders are powers of a prime .
Closely related to nilpotent groups is the calculus of commutators. Let be elements of a group . We will use the following commutator notation: . More generally, a simple commutator of weight is defined recursively by the rule
where by convention . A useful shorthand notation is
For the reader's convenience, we recall the following property of commutators:
(2) 
For further basic properties of commutators we refer to [9, 5.1].
It is useful to be able to form commutators of subsets as well as elements. Let be nonempty subsets of a group . Define the commutator subgroup of and to be
More generally, let
where . Then, there is a natural way of generating a descending sequence of commutator subgroups of a group, by repeatedly commuting with . The result is a series
in which . This is called the lower central series of and it does not in general reach . Notice that lies in the center of .
A useful characterization of nilpotent groups, in terms of commutators, is the following.
Lemma 1
A group is nilpotent of class at most if and only if the identity is satisfied in , that is . In particular, in a nilpotent group of class , the subgroup is central.
Among the best known generalized nilpotent groups are the so-called Engel groups. A group is called Engel if for all . If is nilpotent of class , then is Engel. Also, there are nilpotent groups of class which are not Engel. For example, given a prime , the wreath product is nilpotent of class but not Engel [4, Theorem 6.2].
Conversely, any finite Engel group is nilpotent, by a well-known result of Zorn [9, 12.3.4].
3.3 Nilpotent Group Identities
Lemma 2
Let be a nilpotent group of class and let be a nonzero integer. Then, for all , we have
and
Then the following proposition holds:
Proposition 1
Let be a nilpotent group of class . Then
(3) 
for any , and .
Proof
We argue by induction on . The case is true by Lemma 2.
Let be a nilpotent group of class and . According to Proposition 1 for any , we have
Therefore we can construct the multilinear map given by
Similarly, given , we can consider the multilinear map given by
Further, assuming that is not Engel, one can take in such a way that is nondegenerate. In fact there exists such that .
4 Multilinear Cryptography using Nilpotent Groups
4.1 Protocol I
First we generalize the bilinear map mentioned in [7] to a multilinear (linear) map for users. Let be the users with private exponents respectively. Given an integer , the main formula on which our key-exchange protocol is based is an identity in a public nilpotent group of class (see Proposition 1):
The users ’s transmit in public channel
The key exchange works as follows:

The user can compute .

The user () can compute

The user can compute .
The common key is .
Example: Trilinear Cryptography using Nilpotent Groups of class 3. Let be the users with private exponents respectively. The users , , and transmit in public channel
The key exchange works as follows:

The user can compute .

The user can compute .

The user can compute .

The user can compute .
The common key is .
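The trilinear exchange above, as an added Python illustration that is not code from the paper: it swaps in the group of 4x4 upper unitriangular matrices over Z_P (nilpotent of class 3) as a toy stand-in for the platform group and checks that four users derive the same key. The commutator convention [x, y] = x^-1 y^-1 x y, the rule that each user publishes the powers of all three public elements, and every name and value below are assumptions, since the paper's formulas did not survive on this page.

```python
P = 1009  # constructed toy prime, far too small for real use
N = 4     # 4x4 upper unitriangular matrices over Z_P: nilpotent of class 3
IDENT = tuple(tuple(int(i == j) for j in range(N)) for i in range(N))

def mul(a, b):
    return tuple(tuple(sum(a[i][k] * b[k][j] for k in range(N)) % P
                       for j in range(N)) for i in range(N))

def power(a, e):
    """Square-and-multiply for a non-negative integer exponent e."""
    out = IDENT
    while e:
        if e & 1:
            out = mul(out, a)
        a, e = mul(a, a), e >> 1
    return out

def inv(a):
    # Since P >= N, every element here has order dividing P, so a^(P-1) = a^-1.
    return power(a, P - 1)

def comm(x, y):
    """[x, y] = x^-1 y^-1 x y (assumed convention)."""
    return mul(mul(inv(x), inv(y)), mul(x, y))

def comm3(x, y, z):
    """Left-normed commutator of weight 3: [[x, y], z]."""
    return comm(comm(x, y), z)

def unitri(s1, s2, s3):
    """Constructed sample element with superdiagonal (s1, s2, s3)."""
    return ((1, s1, 11, 17), (0, 1, s2, 13), (0, 0, 1, s3), (0, 0, 0, 1))

G = [unitri(1, 2, 3), unitri(4, 5, 6), unitri(7, 8, 9)]  # public elements

def run_exchange(secrets):
    """Each of four users publishes G[i]^a for all i, then derives the key."""
    pub = [[power(g, a) for g in G] for a in secrets]  # pub[u][i] = G[i]^a_u
    keys = []
    for j, a in enumerate(secrets):
        others = [u for u in range(len(secrets)) if u != j]
        # i-th commutator slot takes G[i] raised to the i-th other user's secret
        args = [pub[u][i] for i, u in enumerate(others)]
        keys.append(power(comm3(*args), a))
    return keys

def expected_key(secrets):
    """[g1, g2, g3] raised to the product of all private exponents."""
    prod = 1
    for a in secrets:
        prod = prod * a % P  # the key has order dividing P
    return power(comm3(*G), prod)
```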
4.2 Protocol II
Let be a public nilpotent group of class which is not Engel (). Then there exist such that . Suppose that users want to agree on a shared secret key. Each user selects a private nonzero integer , computes and sends it to the other users. Then:

The user computes .

The user , computes .

The user computes .
Hence, again by Proposition 1, each user obtains which is the shared key.
5 Security and Platform Group
The security of our protocols is based on the discrete logarithm problem (DLP). The ideal platform group for our protocols must be a nonabelian nilpotent group of large order such that the nilpotency class is not too large and the DLP in such a group is hard.
5.1 The Complexity of DLP in Finite Groups
In [10], Sutherland has studied the DLP in finite abelian groups, and showed how to apply the algorithms for groups to find the structure of any finite abelian group.
In a series of papers by Mahalanobis, the DLP has been studied for finite groups but mostly for nilpotent groups of class [6, 8]. In particular, in [7], Mahalanobis and Shinde proposed groups of class in which the platform is not practical, as shown by the authors.
Solving the DLP in finite groups of larger class is an interesting question. We consider a semidirect product of cyclic groups of well-defined orders to obtain a nilpotent group, and then compute the DLP in each factor.
5.2 Suggested Platform
Take where and are large primes. Let and be the subgroups of of orders and , respectively. Selecting a nontrivial endomorphism of amounts to selecting a positive integer such that . If is relatively prime to , then is actually an automorphism. Define where is a homomorphism from to such that . Assuming such that , then we have for the following presentation:
In particular is a finite group of order and nilpotency class 3, which is not 2-Engel.
The group could be considered as a platform for Protocols I and II for and users, respectively. The appropriate choice of and is important to provide security and efficiency.
5.3 DLP in Semidirect Product of Subgroups of
Let be as in 5.2, and assume . By (1), for any , we have
The bottom line is that the DLP in can be reduced to DLP on its factors. We focus on the second component of the element on the right; an easy computation shows that it is equal to
Thus, if the adversary chooses a “direct” attack, by trying to recover the private exponent , he/she will have to solve the DLP twice: first to recover from , and then to recover from .
Acknowledgment. The authors would like to thank Antoine Joux for interesting discussions and useful comments.
References
 [1] D. Boneh and A. Silverberg, Applications of Multilinear Forms to Cryptography, Contemporary Mathematics 324, American Mathematical Society, (2003) 71–90.
 [2] S. Garg, C. Gentry and S. Halevi, Candidate multilinear maps from ideal lattices, EUROCRYPT 2013, LNCS 7881 (2013), 1–17.
 [3] M. A. Huang, Trilinear maps for cryptography, preprint available at https://arxiv.org/abs/1803.10325 (2018).
 [4] H. Liebeck, Concerning nilpotent wreath products, Proc. Cambridge Philos. Soc. 58 (1962), 443–451.
 [5] H. Lin and S. Tessaro, Indistinguishability Obfuscation from Trilinear Maps and Block-Wise Local PRGs, in CRYPTO 2017.
 [6] A. Mahalanobis, The Diffie-Hellman key exchange protocol and nonabelian nilpotent groups, Israel J. Math. 165 (2008), 161–187.
 [7] A. Mahalanobis and P. Shinde, Bilinear Cryptography Using Groups of Nilpotency Class , Cryptography and Coding, 16th IMA International Conference, IMACC 2017, Oxford, UK (2017), 127–134.
 [8] A. Mahalanobis, The MOR cryptosystem and finite p-groups, Algorithmic problems of group theory, their complexity, and applications to cryptography, 81–95, Contemp. Math. 633, Amer. Math. Soc., Providence, RI, 2015.
 [9] D. J. S. Robinson, A course in the Theory of Groups, 2nd edition, Springer-Verlag, New York, 1996.
 [10] A. V. Sutherland, Structure computation and discrete logarithms in finite abelian groups, Math. Comp. 80 (2011), no. 273, 477–500.