Cryptanalysis of branching program obfuscators
Size: px
Start display at page:

Download "Cryptanalysis of branching program obfuscators"

Transcription

1 Cryptanalysis of branching program obfuscators Jung Hee Cheon 1, Minki Hhan 1, Jiseung Kim 1, Changmin Lee 1, Alice Pellet-Mary 2 1 Seoul National University 2 ENS de Lyon Crypto 2018 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

2 What is this talk about Two partial attacks against some candidate obfuscators built upon the GGH13 multilinear map [GGH13a] an attack for specific choices of parameters a quantum attack Main idea of the two attacks Transform known weaknesses of the GGH13 map into concrete attacks against the candidate obfuscators M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

3 Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that C C, x, C(x) = O(C)(x) In this talk, C = polynomial size circuits M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

4 Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that C C, x, C(x) = O(C)(x) In this talk, C = polynomial size circuits Security. VBB: O(C) acts as a black box computing C M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

5 Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that C C, x, C(x) = O(C)(x) In this talk, C = polynomial size circuits Security. VBB: O(C) acts as a black box computing C (impossible, [BGI + 01]) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

6 Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that C C, x, C(x) = O(C)(x) In this talk, C = polynomial size circuits Security. VBB: O(C) acts as a black box computing C (impossible, [BGI + 01]) io: C 1 C 2, i.e. C 1 (x) = C 2 (x) x, O(C 1 ) c O(C 2 ) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

7 Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that C C, x, C(x) = O(C)(x) In this talk, C = polynomial size circuits Security. VBB: O(C) acts as a black box computing C (impossible, [BGI + 01]) io: C 1 C 2, i.e. C 1 (x) = C 2 (x) x, O(C 1 ) c O(C 2 ) Many cryptographic constructions from io: functional encryption, deniable encryption, NIZKs, oblivious transfer,... M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

8 Multilinear maps (mmaps) and io Observation Almost all io constructions for all circuits rely on multilinear maps (mmap). Three main candidate multilinear maps: GGH13, CLT13, GGH15 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

9 Multilinear maps (mmaps) and io Observation Almost all io constructions for all circuits rely on multilinear maps (mmap). Three main candidate multilinear maps: GGH13, CLT13, GGH15 Caution All these candidate multilinear maps suffer from weaknesses (e.g. encodings of zero, zeroizing attacks,... ). all current attacks against io rely on the underlying mmap M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

10 Multilinear maps (mmaps) and io Observation Almost all io constructions for all circuits rely on multilinear maps (mmap). Three main candidate multilinear maps: GGH13, CLT13, GGH15 Caution All these candidate multilinear maps suffer from weaknesses (e.g. encodings of zero, zeroizing attacks,... ). all current attacks against io rely on the underlying mmap In this talk: we exploit known weaknesses of GGH13 to mount concrete attacks against some io using it. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

11 History (branching program obfuscators based on GGH13) Some candidate io for all circuits and attacks: 2013: [GGH + 13b], first candidate : [AGIS14, BGK + 14, BR14, MSW14, PST14, BMSZ16], with proofs in idealized models (the mmap is supposed to be somehow ideal) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

12 History (branching program obfuscators based on GGH13) Some candidate io for all circuits and attacks: 2013: [GGH + 13b], first candidate : [AGIS14, BGK + 14, BR14, MSW14, PST14, BMSZ16], with proofs in idealized models (the mmap is supposed to be somehow ideal) 2016: [MSZ16], attack against all candidates above except [GGH + 13b] 2016: [GMM + 16], proof in a weaker idealized model (captures [MSZ16]) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

13 History (branching program obfuscators based on GGH13) Some candidate io for all circuits and attacks: 2013: [GGH + 13b], first candidate : [AGIS14, BGK + 14, BR14, MSW14, PST14, BMSZ16], with proofs in idealized models (the mmap is supposed to be somehow ideal) 2016: [MSZ16], attack against all candidates above except [GGH + 13b] 2016: [GMM + 16], proof in a weaker idealized model (captures [MSZ16]) 2017: [CGH17], attack against [GGH + 13b] (in input-partitionable case) 2017: [FRS17], prevent [CGH17] attack M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

14 State of the art and contributions Attacks io (using GGH13) Branching program obfuscators [GGH + 13b] [BR14] [AGIS14, MSW14] [PST14, BGK + 14] [BMSZ16] [GMM + 16] Circuit obfuscators [Zim15, AB15] [DGG + 16] [MSZ16] [CGH17] This work 1 [CHKL18] This work 2 [Pel18] for input-partitionable branching programs for specific choices of parameters in the quantum setting M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

15 Outline 1 Simple obfuscator 2 GGH13 multilinear map 3 Contributions M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

16 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

17 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A 0 A A 1,0 A 2,0 A 3,0 A 4,0 A 5,0 A 7 6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

18 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A 0 A A 1,0 A 2,0 A 3,0 A 4,0 A 5,0 A 7 6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

19 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A A1,0 A 2,0 A 3,0 A 4,0 A 5,0 A 7 6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

20 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A A1,0 A2,0 A 3,0 A 4,0 A 5,0 A 7 6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

21 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A A1,0 A2,0 A3,0 A 4,0 A 5,0 A 7 6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

22 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A A1,0 A2,0 A3,0 A4,0 A 5,0 A 7 6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

23 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A A1,0 A2,0 A3,0 A4,0 A5,0 A 7 6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

24 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A 7 A1,0 A2,0 A3,0 A4,0 A5,0 A6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

25 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A 7 A1,0 A2,0 A3,0 A4,0 A5,0 A6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

26 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 = 0 0 A 7 A1,0 A2,0 A3,0 A4,0 A5,0 A6,0 0 1 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

27 Cryptographic multilinear maps Definition: κ-multilinear map Different levels of encodings, from 1 to κ. Denote by Enc(a, i) a level-i encoding of the message a. Addition: Add(Enc(a 1, i), Enc(a 2, i)) = Enc(a 1 + a 2, i). Multiplication: Mult(Enc(a 1, i), Enc(a 2, j)) = Enc(a 1 a 2, i + j). Zero-test: Zero-test(Enc(a, κ)) = True iff a = 0. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

28 Simple obfuscator Input: A branching program Randomize the branching program Add random diagonal blocks Killian s randomization Multiply by random (non zero) bundling scalars Encode the matrices using GGH13 Output: The encoded matrices and vectors A 1,1 A 2,1 A 3,1 A 0 A 4 A 1,0 A 2,0 A 3,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

29 Simple obfuscator Input: A branching program Randomize the branching program Add random diagonal blocks Killian s randomization Multiply by random (non zero) bundling scalars Encode the matrices using GGH13 Output: The encoded matrices and vectors B 1,1 B 2,1 B 3,1 0 A 0 A 1,1 B 1,0 A 2,1 B 2,0 A 3,1 B 3,0 A 4 A 1,0 A 2,0 A 3,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

30 Simple obfuscator Input: A branching program Randomize the branching program Add random diagonal blocks Killian s randomization Multiply by random (non zero) bundling scalars Encode the matrices using GGH13 Output: The encoded matrices and vectors R A 1 1 1,1 R 2 R A 2 1 2,1 R 3 R A 3 1 3,1 R 4 A 0 R 1 R 1 4 A 4 R A 1 1 1,0 R 2 R A 2 1 2,0 R 3 R A 3 1 3,0 R 4 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

31 Simple obfuscator Input: A branching program Randomize the branching program Add random diagonal blocks Killian s randomization Multiply by random (non zero) bundling scalars Encode the matrices using GGH13 Output: The encoded matrices and vectors α 1,1 A 1,1 α 2,1 A 2,1 α 3,1 A 3,1 A 0 A 4 α 1,0 A 1,0 α 2,0 A 2,0 α 3,0 A 3,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

32 Simple obfuscator Input: A branching program Randomize the branching program Add random diagonal blocks Killian s randomization Multiply by random (non zero) bundling scalars Encode the matrices using GGH13 Output: The encoded matrices and vectors à 1,1 à 2,0 à 2,0 à 0 à 4 à 1,0 à 2,0 à 2,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

33 Simple obfuscator Input: A branching program Randomize the branching program Add random diagonal blocks Killian s randomization Multiply by random (non zero) bundling scalars Encode the matrices using GGH13 Output: The encoded matrices and vectors Enc( Ã 0 ) Enc( ) Ã 1,1 Enc( ) Ã 2,0 Enc( ) Ã 2,0 Enc( Ã 4 ) Enc( ) Ã 1,0 Enc( ) Ã 2,0 Enc( ) Ã 2,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

34 Outline 1 Simple obfuscator 2 GGH13 multilinear map 3 Contributions M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

35 The GGH13 multilinear map Define R = Z[X ]/(X n + 1) with n = 2 k. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

36 The GGH13 multilinear map Define R = Z[X ]/(X n + 1) with n = 2 k. The plaintext space is P = R/ g for a small element g in R. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

37 The GGH13 multilinear map Define R = Z[X ]/(X n + 1) with n = 2 k. The plaintext space is P = R/ g for a small element g in R. The encoding space is R q = R/(qR) = Z q [X ]/(X n + 1) for a large integer q. We write [x] q the elements in R q for x R. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

38 The GGH13 multilinear map: encodings and zero-test Sample z uniformly in R q and h in R of the order of q 1/2. Encoding: An encoding of a at level i is u = [(a + rg)z i ] q where a + rg is a small element in a + g. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

39 The GGH13 multilinear map: encodings and zero-test Sample z uniformly in R q and h in R of the order of q 1/2. Encoding: An encoding of a at level i is u = [(a + rg)z i ] q where a + rg is a small element in a + g. Zero-testing: A zero-testing parameter is defined by p zt = [z κ hg 1 ] q. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

40 The GGH13 multilinear map: encodings and zero-test Sample z uniformly in R q and h in R of the order of q 1/2. Encoding: An encoding of a at level i is u = [(a + rg)z i ] q where a + rg is a small element in a + g. Zero-testing: A zero-testing parameter is defined by p zt = [z κ hg 1 ] q. Zero-test To test if u = [cz κ ] q is an encoding of zero (i.e. c = 0 mod g), compute [u p zt ] q = [chg 1 ] q. This is small iff c is a small multiple of g. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

41 Outline 1 Simple obfuscator 2 GGH13 multilinear map 3 Contributions M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

42 Global ideas of the two attacks Main idea Transform known weaknesses of the GGH13 map into concrete attacks against the candidate obfuscators. 1 or classical sub-exponential time [BEF + 17] for specific (unused) parameters M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

43 Global ideas of the two attacks Main idea Transform known weaknesses of the GGH13 map into concrete attacks against the candidate obfuscators. Attack 1 [CHKL18]: NTRU attack [ABD16, CJL16, KF17] classical polynomial time, for specific choices of parameters 1 or classical sub-exponential time [BEF + 17] for specific (unused) parameters M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

44 Global ideas of the two attacks Main idea Transform known weaknesses of the GGH13 map into concrete attacks against the candidate obfuscators. Attack 1 [CHKL18]: NTRU attack [ABD16, CJL16, KF17] classical polynomial time, for specific choices of parameters Attack 2 [Pel18]: short principal ideal problem algorithm [CDPR16] quantum polynomial time [BS16] 1 1 or classical sub-exponential time [BEF + 17] for specific (unused) parameters M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

45 Attack 1: Starting point = NTRU For two encodings [a 1 z 1 ] q, [a 2 z 1 ] q for small a 1, a 2, we can compute [a 1 z 1 ] q [a 2 z 1 ] 1 q = [a 1 /a 2 ] q M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

46 Attack 1: Starting point = NTRU For two encodings [a 1 z 1 ] q, [a 2 z 1 ] q for small a 1, a 2, we can compute [a 1 z 1 ] q [a 2 z 1 ] 1 q = [a 1 /a 2 ] q Using the NTRU solver [ABD16, CJL16, KF17], we can obtain (c a 1, c a 2 ) R 2 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

47 Attack 1: Starting point = NTRU For two encodings [a 1 z 1 ] q, [a 2 z 1 ] q for small a 1, a 2, we can compute [a 1 z 1 ] q [a 2 z 1 ] 1 q = [a 1 /a 2 ] q Using the NTRU solver [ABD16, CJL16, KF17], we can obtain (c a 1, c a 2 ) R 2 For another encoding [a 3 z 1 ] q, compute [a 3 z 1 ] q /[a 1 z 1 ] q (c a 1 ) = c a 3 R. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

48 Attack 1: Starting point = NTRU For two encodings [a 1 z 1 ] q, [a 2 z 1 ] q for small a 1, a 2, we can compute [a 1 z 1 ] q [a 2 z 1 ] 1 q = [a 1 /a 2 ] q Using the NTRU solver [ABD16, CJL16, KF17], we can obtain (c a 1, c a 2 ) R 2 For another encoding [a 3 z 1 ] q, compute Simultaneous NTRU solver [a 3 z 1 ] q /[a 1 z 1 ] q (c a 1 ) = c a 3 R. ([a i z 1 ] q ) i (c a i R) i or, for GGH13 encodings, Enc(A) c (A + R g) Mat(R) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

49 Attack 1: Starting point = NTRU For two encodings [a 1 z 1 ] q, [a 2 z 1 ] q for small a 1, a 2, we can compute [a 1 z 1 ] q [a 2 z 1 ] 1 q = [a 1 /a 2 ] q Using the NTRU solver [ABD16, CJL16, KF17], we can obtain (c a 1, c a 2 ) R 2 For another encoding [a 3 z 1 ] q, compute Simultaneous NTRU solver [a 3 z 1 ] q /[a 1 z 1 ] q (c a 1 ) = c a 3 R. ([a i z 1 ] q ) i (c a i R) i or, for GGH13 encodings, Enc(A) c (A + R g) Mat(R) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

50 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? Enc(Ã0) Enc(Ã1,1) Enc(Ã2,1) Enc(Ã3,1) Enc(Ã4) Enc(Ã1,0) Enc(Ã2,0) Enc(Ã3,0) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

51 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? c 0(Ã0 + R0g) c 1,1(Ã1,1 + R1,1g) c 2,1(Ã2,1 + R2,1g) c 3,1(Ã3,1 + R3,1g) c 4(Ã4 + R4g) c 1,0(Ã1,0 + R1,0g) c 2,0(Ã2,0 + R2,0g) c 3,0(Ã3,0 + R3,0g) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

52 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? c 0(Ã0 + R0g) c 1,1(Ã1,1 + R1,1g) c 2,1(Ã2,1 + R2,1g) c 3,1(Ã3,1 + R3,1g) c 4(Ã4 + R4g) c 1,0(Ã1,0 + R1,0g) c 2,0(Ã2,0 + R2,0g) c 3,0(Ã3,0 + R3,0g) These matrices R rather than R q M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

53 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? BP matrix output 0 Enc(Ã) enc(0)= [rg/z κ ] q M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

54 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? BP matrix output 0 Enc(Ã) enc(0)= [rg/z κ ] q c(ã + Rg) c rg M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

55 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? BP matrix output 0 Enc(Ã) enc(0)= [rg/z κ ] q c(ã + Rg) c rg Collecting several top level zeros, recover g M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

56 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? BP matrix output 0 Enc(Ã) enc(0)= [rg/z κ ] q c(ã + Rg) c rg cã mod g Collecting several top level zeros, recover g M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

57 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? BP matrix output 0 Enc(Ã) enc(0)= [rg/z κ ] q c(ã + Rg) c rg cã mod g cã mod g do not contain the randomness r and level parameter z M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

58 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

59 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways (omitted) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

60 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways (omitted) Mixed-input attack can be carried out! M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

61 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways (omitted) Mixed-input attack can be carried out! Invalid inputs can induce the different outputs of equivalent BPs M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

62 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways (omitted) Mixed-input attack can be carried out! Invalid inputs can induce the different outputs of equivalent BPs i inp(i) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

63 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways (omitted) Mixed-input attack can be carried out! Invalid inputs can induce the different outputs of equivalent BPs i inp(i) Ã 1,1 Ã 2,1 Ã 3,1 B 1,1 B 2,1 B 3,1 Ã 0 B0 Ã 4 B 4 Ã 1,0 Ã 2,0 Ã 3,0 B 1,0 B 2,0 B 3,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

64 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways (omitted) Mixed-input attack can be carried out! Invalid inputs can induce the different outputs of equivalent BPs i inp(i) invalid input indices à 1,1 à 2,1 à 3,1 B 1,1 B 2,1 B 3,1 à 0 B0 à 4 B 4 à 1,0 à 2,0 à 3,0 B 1,0 B 2,0 B 3,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

65 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways (omitted) Mixed-input attack can be carried out! Invalid inputs can induce the different outputs of equivalent BPs i inp(i) invalid input indices à 1,1 à 2,1 à 3,1 B 1,1 B 2,1 B 3,1 à 0 à 4 B 0 B 4 à 1,0 à 2,0 à 3,0 B 1,0 B 2,0 B 3,0 outputs zero outputs non-zero M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

66 Attack 1: Matrix Zeroizing Attack We remove the effects of scalar bundlings using algebraic ways (omitted) Matrix-zeroizing attack: extended mixed-input attack Invalid inputs can induce the different outputs of equivalent BPs Summation of mixed-input can yield the different outputs of BPs i inp(i) invalid input 010, 011, 100, 101, Ã0 Ã 4 B 0 B 4 Ã 1,1 Ã 2,1 Ã 3,1 B 1,1 B 2,1 B 3,1 Ã 1,0 Ã 2,0 Ã 3,0 B 1,0 B 2,0 B 3,0 outputs zero outputs non-zero M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

67 Attack 2: Starting point = Principal Ideal Problem We compute for evaluation of program with output 0 [up zt ] q = rh R M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

68 Attack 2: Starting point = Principal Ideal Problem We compute for evaluation of program with output 0 [up zt ] q = rh R Using SPIP solver, we obtain h R in quantum polytime [BS16, CDPR16] M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

69 Attack 2: Starting point = Principal Ideal Problem We compute for evaluation of program with output 0 [up zt ] q = rh R Using SPIP solver, we obtain h R in quantum polytime [BS16, CDPR16] We can compute the double-zero testing parameter at level 2κ: [(p zt /h) 2 ] q = [z 2κ g 2 ] q M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

70 Attack 2: Starting point = Principal Ideal Problem We compute for evaluation of program with output 0 [up zt ] q = rh R Using SPIP solver, we obtain h R in quantum polytime [BS16, CDPR16] We can compute the double-zero testing parameter at level 2κ: [(p zt /h) 2 ] q = [z 2κ g 2 ] q New Zerotesting Procedure We can run 2κ level zerotest, or 2κ level obfuscated program M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

71 Attack 2: Mixed-input Attack Run mixed-input attack on obfuscated program at level κ i inp(i) Ã 1,1 Ã 2,1 Ã 3,1 Ã 0 Ã 4 Ã 1,0 Ã 2,0 Ã 3,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

72 Attack 2: Mixed-input Attack Run mixed-input attack on obfuscated program at level κ i inp(i) invalid input indices à 1,1 à 2,1 à 3,1 à 0 à 4 à 1,0 à 2,0 à 3,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

73 Attack 2: Mixed-input Attack Run mixed-input attack on obfuscated program at level κ We cannot evaluate it in obfuscated program due to constructions 2 i inp(i) invalid input indices à 1,1 à 2,1 à 3,1 à 0 à 4 à 1,0 à 2,0 à 3,0 2 level parameters, scalar bundlings M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

74 Attack 2: Mixed-input Attack Run mixed-input attack on obfuscated program at level κ We cannot evaluate it in obfuscated program due to constructions 2 i inp(i) invalid input indices à 1,1 à 2,1 à 3,1 à 0 à 4 à 1,0 à 2,0 à 3,0 2 level parameters, scalar bundlings M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

75 Attack 2: Mixed-input Attack Run mixed-input attack on obfuscated program at level κ We cannot evaluate it in obfuscated program due to constructions 2 Construct 2κ-level obfuscated program i inp(i) invalid input indices à 1,1 à 2,1 à 3,1 à 1,1 à 2,1 à 3,1 à 0 à 4 à 0 à 4 à 1,0 à 2,0 à 3,0 à 1,0 à 2,0 à 3,0 2 level parameters, scalar bundlings M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

76 Attack 2: Mixed-input Attack Run mixed-input attack on obfuscated program at level κ We cannot evaluate it in obfuscated program due to constructions 2 Construct 2κ-level obfuscated program Run mixed-input attack on obfuscated program at level 2κ i inp(i) invalid input indices à 1,1 à 2,1 à 3,1 à 1,1 à 2,1 à 3,1 à 0 à 4 à 0 à 4 à 1,0 à 2,0 à 3,0 à 1,0 à 2,0 à 3,0 2 level parameters, scalar bundlings M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

77 Summary and work in progress Attacks io (using GGH13) Branching program obfuscators [GGH + 13b] [BR14] [AGIS14, MSW14] [PST14, BGK + 14] [BMSZ16] [GMM + 16] Circuit obfuscators [Zim15, AB15] [DGG + 16] [MSZ16] [CGH17] This work 1 [CHKL18] This work 2 [Pel18] for input-partitionable branching programs for specific choices of parameters in the quantum setting M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

78 Summary and work in progress Attacks io (using GGH13) Branching program obfuscators [GGH + 13b] [BR14] [AGIS14, MSW14] [PST14, BGK + 14] [BMSZ16] [GMM + 16] Circuit obfuscators [Zim15, AB15] [DGG + 16] [MSZ16] [CGH17] This work 1 [CHKL18]? This work 2 [Pel18]? for input-partitionable branching programs for specific choices of parameters in the quantum setting M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

79 Work in progress [GGH + 13b] in quantum world M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

80 Work in progress [GGH + 13b] in quantum world Combination! =Double-zero testing + Matrix-zeroizing attack M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

81 Work in progress [GGH + 13b] in quantum world Combination! =Double-zero testing + Matrix-zeroizing attack Circuit obfuscations in classical world M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

82 Work in progress [GGH + 13b] in quantum world Combination! =Double-zero testing + Matrix-zeroizing attack Circuit obfuscations in classical world Extending the NTRU attack! M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

83 Perspectives / Open problems Obfuscation for evasive functions Countermeasure on the attacks Parameter constraints to prevent our classical attack 3 : n = Ω(κ 2 λ) 3 n: dimension of space, κ: multilinearity level, λ: security parameter To prevent classical PIP attack and our attack: n = Ω(max(κ 2 λ, λ 2 )) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

84 Perspectives / Open problems Obfuscation for evasive functions Countermeasure on the attacks Parameter constraints to prevent our classical attack 3 : n = Ω(κ 2 λ) Remark Proofs in idealized models VS Constructions with concrete schemes 3 n: dimension of space, κ: multilinearity level, λ: security parameter To prevent classical PIP attack and our attack: n = Ω(max(κ 2 λ, λ 2 )) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

85 Perspectives / Open problems Obfuscation for evasive functions Countermeasure on the attacks Parameter constraints to prevent our classical attack 3 : n = Ω(κ 2 λ) Remark Proofs in idealized models VS Constructions with concrete schemes Many concrete schemes are not fit in the idealized model 3 n: dimension of space, κ: multilinearity level, λ: security parameter To prevent classical PIP attack and our attack: n = Ω(max(κ 2 λ, λ 2 )) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

86 Perspectives / Open problems Obfuscation for evasive functions Countermeasure on the attacks Parameter constraints to prevent our classical attack 3 : n = Ω(κ 2 λ) Remark Proofs in idealized models VS Constructions with concrete schemes Many concrete schemes are not fit in the idealized model This gap can cause a significant weakness of the concrete scheme! 3 n: dimension of space, κ: multilinearity level, λ: security parameter To prevent classical PIP attack and our attack: n = Ω(max(κ 2 λ, λ 2 )) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

87 Thank you! 감사합니다! Merci! For more details, see papers or eprint reports Quantum attack: ia.cr/2018/533 Classical attack: ia.cr/2018/408 Combined/Extended work: Coming Soon..? M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

88 References I Benny Applebaum and Zvika Brakerski. Obfuscating circuits via composite-order graded encoding. In TCC 2015, pages , Martin R. Albrecht, Shi Bai, and Léo Ducas. A subfield lattice attack on overstretched NTRU assumptions - cryptanalysis of some FHE and graded encoding schemes. In Crypto 2016, pages , Prabhanjan Ananth, Divya Gupta, Yuval Ishai, and Amit Sahai. Optimizing obfuscation: Avoiding barrington s theorem. In CCS 2014, pages ACM, Jean-François Biasse, Thomas Espitau, Pierre-Alain Fouque, Alexandre Gélin, and Paul Kirchner. Computing generator in cyclotomic integer rings. In Eurocrypt 2017, pages Springer, Boaz Barak, Oded Goldreich, Rusell Impagliazzo, Steven Rudich, Amit Sahai, Salil Vadhan, and Ke Yang. On the (im) possibility of obfuscating programs. In Crypto 2001, pages Springer, Boaz Barak, Sanjam Garg, Yael Tauman Kalai, Omer Paneth, and Amit Sahai. Protecting obfuscation against algebraic attacks. In Eurocrypt 2014, pages , Saikrishna Badrinarayanan, Eric Miles, Amit Sahai, and Mark Zhandry. Post-zeroizing obfuscation: New mathematical tools, and the case of evasive circuits. In Eurocrypt 2016, pages , M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

89 References II Zvika Brakerski and Guy N Rothblum. Obfuscating conjunctions. Crypto 2014, Jean-François Biasse and Fang Song. Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In SODA 2016, pages Society for Industrial and Applied Mathematics, Ronald Cramer, Léo Ducas, Chris Peikert, and Oded Regev. Recovering short generators of principal ideals in cyclotomic rings. In Eurocrypt 2016, pages , Yilei Chen, Craig Gentry, and Shai Halevi. Cryptanalyses of candidate branching program obfuscators. In Eurocrypt 2017, pages Springer, Jung Hee Cheon, Jinhyuck Jeong, and Changmin Lee. An algorithm for ntru problems and cryptanalysis of the ggh multilinear map without a low-level encoding of zero. LMS Journal of Computation and Mathematics, 19(A): , Nico Döttling, Sanjam Garg, Divya Gupta, Peihan Miao, and Pratyay Mukherjee. Obfuscation from low noise multilinear maps. eprint, Report 2016/599, Rex Fernando, Peter Rasmussen, and Amit Sahai. Preventing CLT attacks on obfuscation with linear overhead. In Asiacrypt 2017, pages , M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

90 References III Sanjam Garg, Craig Gentry, and Shai Halevi. Candidate multilinear maps from ideal lattices. In Eurocrypt 2017, pages Springer, Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai, and Brent Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. FOCS 2013, Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan, and Mark Zhandry. Secure obfuscation in a weak multilinear map model. In TCC 2016, pages , Paul Kirchner and Pierre-Alain Fouque. Revisiting lattice attacks on overstretched ntru parameters. In Eurocrypt 2017, pages Springer, Eric Miles, Amit Sahai, and Mor Weiss. Protecting obfuscation against arithmetic attacks. eprint, Report 2014/878, Eric Miles, Amit Sahai, and Mark Zhandry. Annihilation attacks for multilinear maps: Cryptanalysis of indistinguishability obfuscation over GGH13. In Crypto 2016, pages , Rafael Pass, Karn Seth, and Sidharth Telang. Indistinguishability obfuscation from semantically-secure multilinear encodings. In Crypto 2014, pages , M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

91 References IV Joe Zimmerman. How to obfuscate programs directly. In Eurocrypt 2015, pages , M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23

Similar documents

Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13

Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13 Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13 Eric Miles UCLA enmiles@cs.ucla.edu Amit Sahai UCLA sahai@cs.ucla.edu Mark Zhandry MI mzhandry@gmail.com

More information

Zeroizing Attacks on Indistinguishability Obfuscation over CLT13

Zeroizing Attacks on Indistinguishability Obfuscation over CLT13 Zeroizing Attacks on Indistinguishability Obfuscation over CLT13 Jean-Sébastien Coron 1, Moon Sung Lee 1, Tancrède Lepoint 2, and Mehdi Tibouchi 3 1 University of Luxembourg 2 SRI International 3 NTT Secure

More information

Obfuscation without Multilinear Maps

Obfuscation without Multilinear Maps Obfuscation without Multilinear Maps Dingfeng Ye Peng Liu DCS Center Cyber Security Lab nstitute of nformation Engineering College of nformation Sciences and Technology Chinese Academy of Sciences Pennsylvania

More information

Obfuscation and Weak Multilinear Maps

Obfuscation and Weak Multilinear Maps Obfuscation and Weak Multilinear Maps Mark Zhandry Princeton University Joint work with Saikrishna Badrinarayanan, Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan Obfuscation

More information

Cryptanalysis of GGH15 Multilinear Maps

Cryptanalysis of GGH15 Multilinear Maps Cryptanalysis of GGH15 Multilinear Maps Jean-Sébastien Coron 1, Moon Sung Lee 1, Tancrède Lepoint 2, and Mehdi Tibouchi 3 1 University of Luxembourg 2 CryptoExperts 3 NTT Secure Platform Laboratories June

More information

Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13

Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13 Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13 Eric Miles Amit Sahai Mark Zhandry Abstract In this work, we present a new class of polynomial-time

More information

Post-Zeroizing Obfuscation: The case of Evasive Circuits

Post-Zeroizing Obfuscation: The case of Evasive Circuits Post-Zeroizing Obfuscation: The case of Evasive Circuits Saikrishna Badrinarayanan UCLA saikrishna@cs.ucla.edu Eric Miles UCLA enmiles@cs.ucla.edu Mark Zhandry Stanford University mzhandry@stanford.edu

More information

Cryptanalysis of Indistinguishability Obfuscations of Circuits over GGH13

Cryptanalysis of Indistinguishability Obfuscations of Circuits over GGH13 Cryptanalysis of Indistinguishability Obfuscations of Circuits over GGH13 Daniel Apon 1, Nico Döttling 2, Sanjam Garg 2, and Pratyay Muherjee 2 1 University of Maryland, College Par, USA 2 University of

More information

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators

More information

On Kilian s Randomization of Multilinear Map Encodings

On Kilian s Randomization of Multilinear Map Encodings On Kilian s Randomization of Multilinear Map Encodings Jean-Sébastien Coron and Hilder V. L. Pereira University of Luxembourg November 20, 2018 Abstract. Indistinguishability obfuscation constructions

More information

Computing Generator in Cyclotomic Integer Rings

Computing Generator in Cyclotomic Integer Rings A subfield algorithm for the Principal Ideal Problem in L 1 K 2 and application to the cryptanalysis of a FHE scheme Jean-François Biasse 1 Thomas Espitau 2 Pierre-Alain Fouque 3 Alexandre Gélin 2 Paul

More information

Post-Zeroizing Obfuscation: The case of Evasive Circuits

Post-Zeroizing Obfuscation: The case of Evasive Circuits Post-Zeroizing Obfuscation: The case of Evasive Circuits Saikrishna Badrinarayanan UCLA saikrishna@cs.ucla.edu Eric Miles UCLA enmiles@cs.ucla.edu Mark Zhandry Stanford University mzhandry@stanford.edu

More information

A Simple Obfuscation Scheme for Pattern-Matching with Wildcards

A Simple Obfuscation Scheme for Pattern-Matching with Wildcards A Simple Obfuscation Scheme for Pattern-Matching with Wildcards Allison Bishop 1,2, Lucas Kowalczyk 2, Tal Malkin 2, Valerio Pastro 2,3, Mariana Raykova 3, and Kevin Shi 2 1 IEX 2 Columbia University 3

More information

An Algorithm for NTRU Problems

An Algorithm for NTRU Problems An Algorithm for NTRU Problems Jung Hee Cheon, Jinhyuck Jeong, Changmin Lee Seoul National University August 29, 2016 Changmin Lee An Algorithm for NTRU Problems 2016. 8. 29. 1 / 27 Introduction The NTRU

More information

Zeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations 1

Zeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations 1 Zeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations 1 Jean-Sébastien Coron 2 Craig Gentry 3 Shai Halevi 3 Tancrède Lepoint 4 Hemanta K. Maji 5,6 Eric Miles 6 Mariana Raykova 7 Amit

More information

On the Implausibility of Differing-Inputs Obfuscation and Extractable Witness Encryption with Auxiliary Input

On the Implausibility of Differing-Inputs Obfuscation and Extractable Witness Encryption with Auxiliary Input On the Implausibility of Differing-Inputs Obfuscation and Extractable Witness Encryption with Auxiliary Input Sanjam Garg Craig Gentry Shai Halevi Daniel Wichs June 13, 2014 Abstract The notion of differing-inputs

More information

A Comment on Gu Map-1

A Comment on Gu Map-1 A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices

More information

Protecting obfuscation against arithmetic attacks

Protecting obfuscation against arithmetic attacks Protecting obfuscation against arithmetic attacks Eric Miles UCLA enmiles@cs.ucla.edu Amit Sahai UCLA sahai@cs.ucla.edu Mor Weiss Technion morw@cs.technion.ac.il November 23, 2015 Abstract Obfuscation,

More information

Bootstrapping Obfuscators via Fast Pseudorandom Functions

Bootstrapping Obfuscators via Fast Pseudorandom Functions Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator

More information

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,

More information

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of

More information

Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall

Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall Nir Bitansky Ran Canetti Omer Paneth Alon Rosen June 3, 2014 This is an out of date draft. The paper was merged

More information

Cryptanalyses of Candidate Branching Program Obfuscators

Cryptanalyses of Candidate Branching Program Obfuscators Cryptanalyses of Candidate Branching Program Obfuscators ilei Chen Craig Gentry Shai Halevi February 16, 2017 Abstract We describe new cryptanalytic attacks on the candidate branching program obfuscator

More information

Obfuscation for Evasive Functions

Obfuscation for Evasive Functions Obfuscation for Evasive Functions Boaz Barak Nir Bitansky Ran Canetti Yael Tauman Kalai Omer Paneth Amit Sahai October 18, 2013 Abstract An evasive circuit family is a collection of circuits C such that

More information

Secure Obfuscation in a Weak Multilinear Map Model

Secure Obfuscation in a Weak Multilinear Map Model Secure Obfuscation in a Weak Multilinear Map Model Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan, and Mark Zhandry Abstract. All known candidate indistinguishibility obfuscation(io)

More information

Multilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015

Multilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015 Multilinear Maps over the Integers From Design to Security Tancrède Lepoint CryptoExperts The Mathematics of Modern Cryptography Workshop, July 10th 2015 2 / 30 Timeline: The Hype Cycle of Multilinear

More information

An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero

An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero Jung Hee Cheon, Jinhyuck Jeong, Changmin Lee Seoul National University (SNU), Republic of Korea Abstract.

More information

Differing-Inputs Obfuscation and Applications

Differing-Inputs Obfuscation and Applications Differing-Inputs Obfuscation and Applications Prabhanjan Ananth Dan Boneh Sanjam Garg Amit Sahai Mark Zhandry Abstract In this paper, we study of the notion of differing-input obfuscation, introduced by

More information

Graded Encoding, Variations on a Scheme

Graded Encoding, Variations on a Scheme Graded Encoding, Variations on a Scheme Shai Halevi IBM October 30, 2015 Update (Oct 2015): The key-agreement protocols that are described (or alluded to) in sections 6,7 are broken. Thanks to Yupu Hu

More information

Statistical Zeroizing Attack: Cryptanalysis of Candidates of BP Obfuscation over GGH15 Multilinear Map

Statistical Zeroizing Attack: Cryptanalysis of Candidates of BP Obfuscation over GGH15 Multilinear Map Statistical Zeroizing Attack: Cryptanalysis of Candidates of BP Obfuscation over GGH15 Multilinear Map Jung Hee Cheon 1, Wonhee Cho 1, Minki Hhan 1, Jiseung Kim 1, and Changmin Lee 2 1 Seoul National University,

More information

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh Yuval Ishai Amit Sahai David J. Wu Abstract Succinct non-interactive arguments (SNARGs) enable verifying NP computations

More information

Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption

Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption Fuyuki Kitagawa 1 Ryo Nishimaki 2 Keisuke Tanaka 1 1 Tokyo Institute of Technology, Japan {kitagaw1,keisuke}@is.titech.ac.jp

More information

GGHLite: More Efficient Multilinear Maps from Ideal Lattices

GGHLite: More Efficient Multilinear Maps from Ideal Lattices GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois, Damien Stehlé and Ron Steinfeld Aric Team, LIP, ENS de Lyon May, 4 Adeline Langlois GGHLite May, 4 / 9 Our main result Decrease

More information

An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low Level Encoding of Zero

An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low Level Encoding of Zero An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low Level Encoding of Zero Jung Hee Cheon Jinhyuck Jeong Changmin Lee Seoul National University (SNU) Republic of Korea

More information

Practical Order-Revealing Encryption with Limited Leakage

Practical Order-Revealing Encryption with Limited Leakage Practical Order-Revealing Encryption with Limited Leakage Nathan Chenette 1, Kevin Lewi 2, Stephen A. Weis 3, and David J. Wu 2 1 Rose-Hulman Institute of Technology 2 Stanford University 3 Facebook, Inc.

More information

Shai Halevi IBM August 2013

Shai Halevi IBM August 2013 Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation

More information

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Practical Analysis of Key Recovery Attack against Search-LWE Problem Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate

More information

Open problems in lattice-based cryptography

Open problems in lattice-based cryptography University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear

More information

Revisiting Lattice Attacks on overstretched NTRU parameters

Revisiting Lattice Attacks on overstretched NTRU parameters Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque Université de Rennes 1, France EUROCRYPT 2017 05/01/17 1 Plan 1. Background on NTRU and Previous Attacks 2. A New Subring

More information

Projective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps

Projective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai Constructions of io All current constructions of io are

More information

Lattice-Based Non-Interactive Arugment Systems

Lattice-Based Non-Interactive Arugment Systems Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover

More information

Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding

Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding Zvika Brakerski Guy N. Rothblum Abstract We present a new general-purpose obfuscator for all polynomial-size circuits. The obfuscator

More information

Immunizing Multilinear Maps Against Zeroizing Attacks

Immunizing Multilinear Maps Against Zeroizing Attacks Immunizing Multilinear Maps Against Zeroizing Attacks Dan Boneh Stanford University David J. Wu Stanford University Joe Zimmerman Stanford University Abstract In recent work Cheon, Han, Lee, Ryu, and Stehlé

More information

Fully Homomorphic Encryption and Bootstrapping

Fully Homomorphic Encryption and Bootstrapping Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded

More information

Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding

Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding Zvika Brakerski 1 and Guy N. Rothblum 2 1 Weizmann Institute of Science 2 Microsoft Research Abstract. We present a new general-purpose

More information

Lecture 2: Program Obfuscation - II April 1, 2009

Lecture 2: Program Obfuscation - II April 1, 2009 Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]

More information

Obfuscating Compute-and-Compare Programs under LWE

Obfuscating Compute-and-Compare Programs under LWE 58th Annual IEEE Symposium on Foundations of Computer Science Obfuscating Compute-and-Compare Programs under LWE Daniel Wichs Northeastern University wichs@ccs.neu.edu Giorgos Zirdelis Northeastern University

More information

Classical hardness of Learning with Errors

Classical hardness of Learning with Errors Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our

More information

Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption

Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry Allison ewko Amit Sahai Brent Waters November 4, 2014 Abstract We revisit the question of constructing

More information

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based

More information

A subfield lattice attack on overstretched NTRU assumptions

A subfield lattice attack on overstretched NTRU assumptions A subfield lattice attack on overstretched NTRU assumptions Cryptanalysis of some FHE and Graded Encoding Schemes Martin R. Albrecht, Shi Bai and Léo Ducas London-ish Lattice Coding and Cryptography Meeting,

More information

CS Topics in Cryptography January 28, Lecture 5

CS Topics in Cryptography January 28, Lecture 5 CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems

More information

The Impossibility of Obfuscation with Auxiliary Input or a Universal Simulator

The Impossibility of Obfuscation with Auxiliary Input or a Universal Simulator The Impossibility of Obfuscation with Auxiliary Input or a Universal Simulator Nir Bitansky 1,, Ran Canetti 1,2,,HenryCohn 3, Shafi Goldwasser 4,5, Yael Tauman Kalai 3,OmerPaneth 2,,andAlonRosen 6, 1 Tel

More information

Computing generator in cyclotomic integer rings

Computing generator in cyclotomic integer rings Computing generator in cyclotomic integer rings Jean-François Biasse, Thomas Espitau, Pierre-Alain Fouque, Alexandre Gélin, Paul Kirchner To cite this version: Jean-François Biasse, Thomas Espitau, Pierre-Alain

More information

Short generators without quantum computers: the case of multiquadratics

Short generators without quantum computers: the case of multiquadratics Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry

More information

Bounded KDM Security from io and OWF

Bounded KDM Security from io and OWF Bounded KDM Security from io and OWF Antonio Marcedone 1, Rafael Pass 1, and abhi shelat 2 1 Cornell University, {marcedone,rafael}@cs.cornell.edu 2 University of Virginia, abhi@virginia.edu July 5, 2016

More information

Practical Order-Revealing Encryption with Limited Leakage

Practical Order-Revealing Encryption with Limited Leakage Practical Order-Revealing Encryption with Limited Leakage Nathan Chenette 1, Kevin Lewi 2, Stephen A. Weis 3, and David J. Wu 2 1 Rose-Hulman Institute of Technology 2 Stanford University 3 Facebook, Inc.

More information

Gentry s SWHE Scheme

Gentry s SWHE Scheme Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.

More information

Parameter selection in Ring-LWE-based cryptography

Parameter selection in Ring-LWE-based cryptography Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and

More information

What are we talking about when we talk about post-quantum cryptography?

What are we talking about when we talk about post-quantum cryptography? PQC Asia Forum Seoul, 2016 What are we talking about when we talk about post-quantum cryptography? Fang Song Portland State University PQC Asia Forum Seoul, 2016 A personal view on postquantum cryptography

More information

Short generators without quantum computers: the case of multiquadratics

Short generators without quantum computers: the case of multiquadratics Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal Technische Universiteit Eindhoven 1 May 2017 Joint work with: Jens Bauch & Daniel J. Bernstein & Henry de

More information

Publicly Verifiable Software Watermarking

Publicly Verifiable Software Watermarking Publicly Verifiable Software Watermarking Aloni Cohen Justin Holmgren Vinod Vaikuntanathan December 7, 2015 Abstract Software Watermarking is the process of transforming a program into a functionally equivalent

More information

Offline Witness Encryption

Offline Witness Encryption Offline Witness Encryption Hamza Abusalah, Georg Fuchsbauer, and Krzysztof Pietrzak IST Austria {habusalah, gfuchsbauer, pietrzak}@ist.ac.at Abstract. Witness encryption (WE) was introduced by Garg et

More information

Limits on the Locality of Pseudorandom Generators and Applications to Indistinguishability Obfuscation

Limits on the Locality of Pseudorandom Generators and Applications to Indistinguishability Obfuscation Limits on the Locality of Pseudorandom Generators and Applications to Indistinguishability Obfuscation Alex Lombardi MIT Vinod Vaikuntanathan MIT Abstract Lin and Tessaro (eprint 2017) recently proposed

More information

Solving LWE with BKW

Solving LWE with BKW Martin R. Albrecht 1 Jean-Charles Faugére 2,3 1,4 Ludovic Perret 2,3 ISG, Royal Holloway, University of London INRIA CNRS IIS, Academia Sinica, Taipei, Taiwan PKC 2014, Buenos Aires, Argentina, 28th March

More information

Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds

Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table

More information

Non-Interactive Secure Multiparty Computation

Non-Interactive Secure Multiparty Computation Non-Interactive Secure Multiparty Computation Amos Beimel 1, Ariel Gabizon 2, Yuval Ishai 2, Eyal Kushilevitz 2, Sigurd Meldgaard 3, and Anat Paskin-Cherniavsky 4 1 Dept. of Computer Science, Ben Gurion

More information

Lattice Reduction Attacks on HE Schemes. Martin R. Albrecht 15/03/2018

Lattice Reduction Attacks on HE Schemes. Martin R. Albrecht 15/03/2018 Lattice Reduction Attacks on HE Schemes Martin R. Albrecht 15/03/2018 Learning with Errors The Learning with Errors (LWE) problem was defined by Oded Regev. 1 Given (A, c) with uniform A Z m n q, uniform

More information

Practical Fully Homomorphic Encryption without Noise Reduction

Practical Fully Homomorphic Encryption without Noise Reduction Practical Fully Homomorphic Encryption without Noise Reduction Dongxi Liu CSIRO, Marsfield, NSW 2122, Australia dongxi.liu@csiro.au Abstract. We present a new fully homomorphic encryption (FHE) scheme

More information

Function-Hiding Inner Product Encryption

Function-Hiding Inner Product Encryption Function-Hiding Inner Product Encryption Allison Bishop Columbia University allison@cs.columbia.edu Abhishek Jain Johns Hopkins University abhishek@cs.jhu.edu Lucas Kowalczyk Columbia University luke@cs.columbia.edu

More information

Multi-key fully homomorphic encryption report

Multi-key fully homomorphic encryption report Multi-key fully homomorphic encryption report Elena Fuentes Bongenaar July 12, 2016 1 Introduction Since Gentry s first Fully Homomorphic Encryption (FHE) scheme in 2009 [6] multiple new schemes have been

More information

Masking the GLP Lattice-Based Signature Scheme at any Order

Masking the GLP Lattice-Based Signature Scheme at any Order Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin

More information

Classical hardness of Learning with Errors

Classical hardness of Learning with Errors Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our

More information

Cryptology. Scribe: Fabrice Mouhartem M2IF

Cryptology. Scribe: Fabrice Mouhartem M2IF Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description

More information

Somewhat Practical Fully Homomorphic Encryption

Somewhat Practical Fully Homomorphic Encryption Somewhat Practical Fully Homomorphic Encryption Junfeng Fan and Frederik Vercauteren Katholieke Universiteit Leuven, COSIC & IBBT Kasteelpark Arenberg 10 B-3001 Leuven-Heverlee, Belgium firstname.lastname@esat.kuleuven.be

More information

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute

More information

Low Overhead Broadcast Encryption from Multilinear Maps

Low Overhead Broadcast Encryption from Multilinear Maps Low Overhead Broadcast Encryption from Multilinear Maps Dan Boneh Stanford University dabo@cs.stanford.edu Mark Zhandry Stanford University zhandry@cs.stanford.edu Brent Waters University of Texas at Austin

More information

Indistinguishability Obfuscation from Constant-Degree Graded Encoding Schemes

Indistinguishability Obfuscation from Constant-Degree Graded Encoding Schemes Indistinguishability Obfuscation from Constant-Degree Graded Encoding Schemes Huijia Lin University of California, Santa Barbara Abstract. We construct an indistinguishability obfuscation (IO) scheme for

More information

Algebraic XOR-RKA-Secure Pseudorandom Functions from Post-Zeroizing Multilinear Maps

Algebraic XOR-RKA-Secure Pseudorandom Functions from Post-Zeroizing Multilinear Maps Algebraic XOR-RKA-Secure Pseudorandom Functions from Post-Zeroizing Multilinear Maps Michel Abdalla 1,2, Fabrice Benhamouda 3, and Alain Passelègue 4 1 Département d informatique de l ENS École normale

More information

Graded Encoding Schemes from Obfuscation

Graded Encoding Schemes from Obfuscation Graded Encoding Schemes from Obfuscation Pooya Farshim 1&2, Julia Hesse 1&2&5, Dennis Hofheinz 3, and Enrique Larraia 4 1 Département d informatique de l ENS, École normale supérieure, CNRS, PSL Research

More information

Short generators without quantum computers: the case of multiquadratics

Short generators without quantum computers: the case of multiquadratics Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein & Christine van Vredendaal University of Illinois at Chicago Technische Universiteit Eindhoven 19 January 2017

More information

Adaptively Secure Constrained Pseudorandom Functions

Adaptively Secure Constrained Pseudorandom Functions Adaptively Secure Constrained Pseudorandom Functions Dennis Hofheinz dennis.hofheinz@kit.edu Venkata Koppula University of Texas at Austin kvenkata@cs.utexas.edu Akshay Kamath University of Texas at Austin

More information

Sum-of-Squares Meets Program Obfuscation, Revisited

Sum-of-Squares Meets Program Obfuscation, Revisited Sum-of-Squares Meets Program Obfuscation, Revisited Boaz Barak, Samuel B. Hopkins, Aayush Jain, Pravesh Kothari, and Amit Sahai. Abstract We develop attacks on the security of variants of pseudorandom

More information

Polynomial Functional Encryption Scheme with Linear Ciphertext Size

Polynomial Functional Encryption Scheme with Linear Ciphertext Size Polynomial Functional Encryption Scheme with Linear Ciphertext Size Jung Hee Cheon, Seungwan Hong, Changmin Lee, Yongha Son Seoul National University (SNU), Republic of Korea bstract. In this paper, we

More information

Classical hardness of the Learning with Errors problem

Classical hardness of the Learning with Errors problem Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness

More information

Determination and exploration of practical parameters for the latest Somewhat Homomorphic Encryption (SHE) Schemes

Determination and exploration of practical parameters for the latest Somewhat Homomorphic Encryption (SHE) Schemes Determination and exploration of practical parameters for the latest Somewhat Homomorphic Encryption (SHE) Schemes Vincent Migliore, Guillaume Bonnoron, Caroline Fontaine To cite this version: Vincent

More information

Graded Encoding Schemes from Obfuscation

Graded Encoding Schemes from Obfuscation Graded Encoding Schemes from Obfuscation Pooya Farshim,1,2, Julia Hesse 1,2,3, Dennis Hofheinz,3, and Enrique Larraia 1 DIENS, École normale supérieure, CNRS, PSL Research University, Paris, France 2 INRIA

More information

Graph-Induced Multilinear Maps from Lattices

Graph-Induced Multilinear Maps from Lattices Graph-Induced Multilinear Maps from Lattices Craig Gentry IBM Sergey Gorbunov MIT November 11, 2014 Shai Halevi IBM Abstract Graded multilinear encodings have found extensive applications in cryptography

More information

Obfuscating Compute-and-Compare Programs under LWE

Obfuscating Compute-and-Compare Programs under LWE Obfuscating Compute-and-Compare Programs under LWE Daniel Wichs Giorgos Zirdelis August 15, 2017 Abstract We show how to obfuscate a large and expressive class of programs, which we call compute-andcompare

More information

New Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation

New Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation New Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation Shweta Agrawal Abstract Constructing indistinguishability obfuscation io [BGI + 01] is a central open question in cryptography.

More information

Some security bounds for the DGHV scheme

Some security bounds for the DGHV scheme Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of

More information

Ideal Lattices and NTRU

Ideal Lattices and NTRU Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative

More information

Weaknesses in Ring-LWE

Weaknesses in Ring-LWE Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:

More information

Short Stickelberger Class Relations and application to Ideal-SVP

Short Stickelberger Class Relations and application to Ideal-SVP Short Stickelberger Class Relations and application to Ideal-SVP Ronald Cramer Léo Ducas Benjamin Wesolowski Leiden University, The Netherlands CWI, Amsterdam, The Netherlands EPFL, Lausanne, Switzerland

More information

CRYPTANALYSIS OF COMPACT-LWE

CRYPTANALYSIS OF COMPACT-LWE SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption

More information

Multilinear Maps from Obfuscation

Multilinear Maps from Obfuscation Multilinear Maps from Obfuscation Martin R. Albrecht (RHUL) Pooya Farshim (QUB) Shuai Han (SJTU) Dennis Hofheinz (KIT) Enrique Larraia (RHUL) Kenneth G. Paterson (RHUL) December 18, 2017 Abstract We provide

More information

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Dongxue Pan 1,2, Hongda Li 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication

More information

More Annihilation Attacks

More Annihilation Attacks More Annihilation Attacks an extension of MSZ16 Charles Jin Yale University May 9, 2016 1 Introduction MSZ16 gives an annihilation attack on candidate constructions of indistinguishability obfuscation

More information

Computing generator in cyclotomic integer rings

Computing generator in cyclotomic integer rings Computing generator in cyclotomic integer rings A L K (1/2) algorithm for the Principal Ideal Problem and application to the cryptanalysis of a FHE scheme Thomas Espitau 1, Pierre-Alain Fouque 2, Alexandre

More information

Craig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012

Craig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012 Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/2012-22/2/2012 Bar-Ilan University Craig Gentry IBM Watson Optimizations of Somewhat Homomorphic Encryption

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback