Cryptanalysis of branching program obfuscators
|
|
- Sherman Marsh
- 5 years ago
- Views:
Transcription
1 Cryptanalysis of branching program obfuscators Jung Hee Cheon 1, Minki Hhan 1, Jiseung Kim 1, Changmin Lee 1, Alice Pellet-Mary 2 1 Seoul National University 2 ENS de Lyon Crypto 2018 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
2 What is this talk about Two partial attacks against some candidate obfuscators built upon the GGH13 multilinear map [GGH13a] an attack for specific choices of parameters a quantum attack Main idea of the two attacks Transform known weaknesses of the GGH13 map into concrete attacks against the candidate obfuscators M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
3 Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that C C, x, C(x) = O(C)(x) In this talk, C = polynomial size circuits M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
4 Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that C C, x, C(x) = O(C)(x) In this talk, C = polynomial size circuits Security. VBB: O(C) acts as a black box computing C M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
5 Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that C C, x, C(x) = O(C)(x) In this talk, C = polynomial size circuits Security. VBB: O(C) acts as a black box computing C (impossible, [BGI + 01]) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
6 Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that C C, x, C(x) = O(C)(x) In this talk, C = polynomial size circuits Security. VBB: O(C) acts as a black box computing C (impossible, [BGI + 01]) io: C 1 C 2, i.e. C 1 (x) = C 2 (x) x, O(C 1 ) c O(C 2 ) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
7 Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that C C, x, C(x) = O(C)(x) In this talk, C = polynomial size circuits Security. VBB: O(C) acts as a black box computing C (impossible, [BGI + 01]) io: C 1 C 2, i.e. C 1 (x) = C 2 (x) x, O(C 1 ) c O(C 2 ) Many cryptographic constructions from io: functional encryption, deniable encryption, NIZKs, oblivious transfer,... M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
8 Multilinear maps (mmaps) and io Observation Almost all io constructions for all circuits rely on multilinear maps (mmap). Three main candidate multilinear maps: GGH13, CLT13, GGH15 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
9 Multilinear maps (mmaps) and io Observation Almost all io constructions for all circuits rely on multilinear maps (mmap). Three main candidate multilinear maps: GGH13, CLT13, GGH15 Caution All these candidate multilinear maps suffer from weaknesses (e.g. encodings of zero, zeroizing attacks,... ). all current attacks against io rely on the underlying mmap M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
10 Multilinear maps (mmaps) and io Observation Almost all io constructions for all circuits rely on multilinear maps (mmap). Three main candidate multilinear maps: GGH13, CLT13, GGH15 Caution All these candidate multilinear maps suffer from weaknesses (e.g. encodings of zero, zeroizing attacks,... ). all current attacks against io rely on the underlying mmap In this talk: we exploit known weaknesses of GGH13 to mount concrete attacks against some io using it. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
11 History (branching program obfuscators based on GGH13) Some candidate io for all circuits and attacks: 2013: [GGH + 13b], first candidate : [AGIS14, BGK + 14, BR14, MSW14, PST14, BMSZ16], with proofs in idealized models (the mmap is supposed to be somehow ideal) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
12 History (branching program obfuscators based on GGH13) Some candidate io for all circuits and attacks: 2013: [GGH + 13b], first candidate : [AGIS14, BGK + 14, BR14, MSW14, PST14, BMSZ16], with proofs in idealized models (the mmap is supposed to be somehow ideal) 2016: [MSZ16], attack against all candidates above except [GGH + 13b] 2016: [GMM + 16], proof in a weaker idealized model (captures [MSZ16]) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
13 History (branching program obfuscators based on GGH13) Some candidate io for all circuits and attacks: 2013: [GGH + 13b], first candidate : [AGIS14, BGK + 14, BR14, MSW14, PST14, BMSZ16], with proofs in idealized models (the mmap is supposed to be somehow ideal) 2016: [MSZ16], attack against all candidates above except [GGH + 13b] 2016: [GMM + 16], proof in a weaker idealized model (captures [MSZ16]) 2017: [CGH17], attack against [GGH + 13b] (in input-partitionable case) 2017: [FRS17], prevent [CGH17] attack M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
14 State of the art and contributions Attacks io (using GGH13) Branching program obfuscators [GGH + 13b] [BR14] [AGIS14, MSW14] [PST14, BGK + 14] [BMSZ16] [GMM + 16] Circuit obfuscators [Zim15, AB15] [DGG + 16] [MSZ16] [CGH17] This work 1 [CHKL18] This work 2 [Pel18] for input-partitionable branching programs for specific choices of parameters in the quantum setting M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
15 Outline 1 Simple obfuscator 2 GGH13 multilinear map 3 Contributions M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
16 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
17 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A 0 A A 1,0 A 2,0 A 3,0 A 4,0 A 5,0 A 7 6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
18 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A 0 A A 1,0 A 2,0 A 3,0 A 4,0 A 5,0 A 7 6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
19 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A A1,0 A 2,0 A 3,0 A 4,0 A 5,0 A 7 6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
20 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A A1,0 A2,0 A 3,0 A 4,0 A 5,0 A 7 6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
21 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A A1,0 A2,0 A3,0 A 4,0 A 5,0 A 7 6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
22 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A A1,0 A2,0 A3,0 A4,0 A 5,0 A 7 6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
23 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A A1,0 A2,0 A3,0 A4,0 A5,0 A 7 6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
24 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A 7 A1,0 A2,0 A3,0 A4,0 A5,0 A6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
25 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A 7 A1,0 A2,0 A3,0 A4,0 A5,0 A6,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
26 Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2l matrices A i,b (for i {1,..., l} and b {0, 1}), two vectors A 0 and A l+1, a function inp : {1,..., l} {1,..., r} (where r is the size of the input). i inp(i) x = A A 0 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 = 0 0 A 7 A1,0 A2,0 A3,0 A4,0 A5,0 A6,0 0 1 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
27 Cryptographic multilinear maps Definition: κ-multilinear map Different levels of encodings, from 1 to κ. Denote by Enc(a, i) a level-i encoding of the message a. Addition: Add(Enc(a 1, i), Enc(a 2, i)) = Enc(a 1 + a 2, i). Multiplication: Mult(Enc(a 1, i), Enc(a 2, j)) = Enc(a 1 a 2, i + j). Zero-test: Zero-test(Enc(a, κ)) = True iff a = 0. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
28 Simple obfuscator Input: A branching program Randomize the branching program Add random diagonal blocks Killian s randomization Multiply by random (non zero) bundling scalars Encode the matrices using GGH13 Output: The encoded matrices and vectors A 1,1 A 2,1 A 3,1 A 0 A 4 A 1,0 A 2,0 A 3,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
29 Simple obfuscator Input: A branching program Randomize the branching program Add random diagonal blocks Killian s randomization Multiply by random (non zero) bundling scalars Encode the matrices using GGH13 Output: The encoded matrices and vectors B 1,1 B 2,1 B 3,1 0 A 0 A 1,1 B 1,0 A 2,1 B 2,0 A 3,1 B 3,0 A 4 A 1,0 A 2,0 A 3,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
30 Simple obfuscator Input: A branching program Randomize the branching program Add random diagonal blocks Killian s randomization Multiply by random (non zero) bundling scalars Encode the matrices using GGH13 Output: The encoded matrices and vectors R A 1 1 1,1 R 2 R A 2 1 2,1 R 3 R A 3 1 3,1 R 4 A 0 R 1 R 1 4 A 4 R A 1 1 1,0 R 2 R A 2 1 2,0 R 3 R A 3 1 3,0 R 4 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
31 Simple obfuscator Input: A branching program Randomize the branching program Add random diagonal blocks Killian s randomization Multiply by random (non zero) bundling scalars Encode the matrices using GGH13 Output: The encoded matrices and vectors α 1,1 A 1,1 α 2,1 A 2,1 α 3,1 A 3,1 A 0 A 4 α 1,0 A 1,0 α 2,0 A 2,0 α 3,0 A 3,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
32 Simple obfuscator Input: A branching program Randomize the branching program Add random diagonal blocks Killian s randomization Multiply by random (non zero) bundling scalars Encode the matrices using GGH13 Output: The encoded matrices and vectors à 1,1 à 2,0 à 2,0 à 0 à 4 à 1,0 à 2,0 à 2,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
33 Simple obfuscator Input: A branching program Randomize the branching program Add random diagonal blocks Killian s randomization Multiply by random (non zero) bundling scalars Encode the matrices using GGH13 Output: The encoded matrices and vectors Enc( Ã 0 ) Enc( ) Ã 1,1 Enc( ) Ã 2,0 Enc( ) Ã 2,0 Enc( Ã 4 ) Enc( ) Ã 1,0 Enc( ) Ã 2,0 Enc( ) Ã 2,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
34 Outline 1 Simple obfuscator 2 GGH13 multilinear map 3 Contributions M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
35 The GGH13 multilinear map Define R = Z[X ]/(X n + 1) with n = 2 k. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
36 The GGH13 multilinear map Define R = Z[X ]/(X n + 1) with n = 2 k. The plaintext space is P = R/ g for a small element g in R. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
37 The GGH13 multilinear map Define R = Z[X ]/(X n + 1) with n = 2 k. The plaintext space is P = R/ g for a small element g in R. The encoding space is R q = R/(qR) = Z q [X ]/(X n + 1) for a large integer q. We write [x] q the elements in R q for x R. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
38 The GGH13 multilinear map: encodings and zero-test Sample z uniformly in R q and h in R of the order of q 1/2. Encoding: An encoding of a at level i is u = [(a + rg)z i ] q where a + rg is a small element in a + g. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
39 The GGH13 multilinear map: encodings and zero-test Sample z uniformly in R q and h in R of the order of q 1/2. Encoding: An encoding of a at level i is u = [(a + rg)z i ] q where a + rg is a small element in a + g. Zero-testing: A zero-testing parameter is defined by p zt = [z κ hg 1 ] q. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
40 The GGH13 multilinear map: encodings and zero-test Sample z uniformly in R q and h in R of the order of q 1/2. Encoding: An encoding of a at level i is u = [(a + rg)z i ] q where a + rg is a small element in a + g. Zero-testing: A zero-testing parameter is defined by p zt = [z κ hg 1 ] q. Zero-test To test if u = [cz κ ] q is an encoding of zero (i.e. c = 0 mod g), compute [u p zt ] q = [chg 1 ] q. This is small iff c is a small multiple of g. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
41 Outline 1 Simple obfuscator 2 GGH13 multilinear map 3 Contributions M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
42 Global ideas of the two attacks Main idea Transform known weaknesses of the GGH13 map into concrete attacks against the candidate obfuscators. 1 or classical sub-exponential time [BEF + 17] for specific (unused) parameters M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
43 Global ideas of the two attacks Main idea Transform known weaknesses of the GGH13 map into concrete attacks against the candidate obfuscators. Attack 1 [CHKL18]: NTRU attack [ABD16, CJL16, KF17] classical polynomial time, for specific choices of parameters 1 or classical sub-exponential time [BEF + 17] for specific (unused) parameters M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
44 Global ideas of the two attacks Main idea Transform known weaknesses of the GGH13 map into concrete attacks against the candidate obfuscators. Attack 1 [CHKL18]: NTRU attack [ABD16, CJL16, KF17] classical polynomial time, for specific choices of parameters Attack 2 [Pel18]: short principal ideal problem algorithm [CDPR16] quantum polynomial time [BS16] 1 1 or classical sub-exponential time [BEF + 17] for specific (unused) parameters M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
45 Attack 1: Starting point = NTRU For two encodings [a 1 z 1 ] q, [a 2 z 1 ] q for small a 1, a 2, we can compute [a 1 z 1 ] q [a 2 z 1 ] 1 q = [a 1 /a 2 ] q M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
46 Attack 1: Starting point = NTRU For two encodings [a 1 z 1 ] q, [a 2 z 1 ] q for small a 1, a 2, we can compute [a 1 z 1 ] q [a 2 z 1 ] 1 q = [a 1 /a 2 ] q Using the NTRU solver [ABD16, CJL16, KF17], we can obtain (c a 1, c a 2 ) R 2 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
47 Attack 1: Starting point = NTRU For two encodings [a 1 z 1 ] q, [a 2 z 1 ] q for small a 1, a 2, we can compute [a 1 z 1 ] q [a 2 z 1 ] 1 q = [a 1 /a 2 ] q Using the NTRU solver [ABD16, CJL16, KF17], we can obtain (c a 1, c a 2 ) R 2 For another encoding [a 3 z 1 ] q, compute [a 3 z 1 ] q /[a 1 z 1 ] q (c a 1 ) = c a 3 R. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
48 Attack 1: Starting point = NTRU For two encodings [a 1 z 1 ] q, [a 2 z 1 ] q for small a 1, a 2, we can compute [a 1 z 1 ] q [a 2 z 1 ] 1 q = [a 1 /a 2 ] q Using the NTRU solver [ABD16, CJL16, KF17], we can obtain (c a 1, c a 2 ) R 2 For another encoding [a 3 z 1 ] q, compute Simultaneous NTRU solver [a 3 z 1 ] q /[a 1 z 1 ] q (c a 1 ) = c a 3 R. ([a i z 1 ] q ) i (c a i R) i or, for GGH13 encodings, Enc(A) c (A + R g) Mat(R) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
49 Attack 1: Starting point = NTRU For two encodings [a 1 z 1 ] q, [a 2 z 1 ] q for small a 1, a 2, we can compute [a 1 z 1 ] q [a 2 z 1 ] 1 q = [a 1 /a 2 ] q Using the NTRU solver [ABD16, CJL16, KF17], we can obtain (c a 1, c a 2 ) R 2 For another encoding [a 3 z 1 ] q, compute Simultaneous NTRU solver [a 3 z 1 ] q /[a 1 z 1 ] q (c a 1 ) = c a 3 R. ([a i z 1 ] q ) i (c a i R) i or, for GGH13 encodings, Enc(A) c (A + R g) Mat(R) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
50 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? Enc(Ã0) Enc(Ã1,1) Enc(Ã2,1) Enc(Ã3,1) Enc(Ã4) Enc(Ã1,0) Enc(Ã2,0) Enc(Ã3,0) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
51 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? c 0(Ã0 + R0g) c 1,1(Ã1,1 + R1,1g) c 2,1(Ã2,1 + R2,1g) c 3,1(Ã3,1 + R3,1g) c 4(Ã4 + R4g) c 1,0(Ã1,0 + R1,0g) c 2,0(Ã2,0 + R2,0g) c 3,0(Ã3,0 + R3,0g) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
52 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? c 0(Ã0 + R0g) c 1,1(Ã1,1 + R1,1g) c 2,1(Ã2,1 + R2,1g) c 3,1(Ã3,1 + R3,1g) c 4(Ã4 + R4g) c 1,0(Ã1,0 + R1,0g) c 2,0(Ã2,0 + R2,0g) c 3,0(Ã3,0 + R3,0g) These matrices R rather than R q M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
53 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? BP matrix output 0 Enc(Ã) enc(0)= [rg/z κ ] q M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
54 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? BP matrix output 0 Enc(Ã) enc(0)= [rg/z κ ] q c(ã + Rg) c rg M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
55 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? BP matrix output 0 Enc(Ã) enc(0)= [rg/z κ ] q c(ã + Rg) c rg Collecting several top level zeros, recover g M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
56 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? BP matrix output 0 Enc(Ã) enc(0)= [rg/z κ ] q c(ã + Rg) c rg cã mod g Collecting several top level zeros, recover g M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
57 Attack 1 Input: An obfuscated program O(P) and plain program Q De-randomize the branching program Solve NTRU simultaneously Recover g using zero of program Distinguish by Matrix Zeroizing Attack Result: Distinguishing Attack: P = Q? BP matrix output 0 Enc(Ã) enc(0)= [rg/z κ ] q c(ã + Rg) c rg cã mod g cã mod g do not contain the randomness r and level parameter z M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
58 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
59 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways (omitted) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
60 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways (omitted) Mixed-input attack can be carried out! M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
61 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways (omitted) Mixed-input attack can be carried out! Invalid inputs can induce the different outputs of equivalent BPs M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
62 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways (omitted) Mixed-input attack can be carried out! Invalid inputs can induce the different outputs of equivalent BPs i inp(i) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
63 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways (omitted) Mixed-input attack can be carried out! Invalid inputs can induce the different outputs of equivalent BPs i inp(i) Ã 1,1 Ã 2,1 Ã 3,1 B 1,1 B 2,1 B 3,1 Ã 0 B0 Ã 4 B 4 Ã 1,0 Ã 2,0 Ã 3,0 B 1,0 B 2,0 B 3,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
64 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways (omitted) Mixed-input attack can be carried out! Invalid inputs can induce the different outputs of equivalent BPs i inp(i) invalid input indices à 1,1 à 2,1 à 3,1 B 1,1 B 2,1 B 3,1 à 0 B0 à 4 B 4 à 1,0 à 2,0 à 3,0 B 1,0 B 2,0 B 3,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
65 Attack 1: Mixed-input Attack We remove the effects of scalar bundlings using algebraic ways (omitted) Mixed-input attack can be carried out! Invalid inputs can induce the different outputs of equivalent BPs i inp(i) invalid input indices à 1,1 à 2,1 à 3,1 B 1,1 B 2,1 B 3,1 à 0 à 4 B 0 B 4 à 1,0 à 2,0 à 3,0 B 1,0 B 2,0 B 3,0 outputs zero outputs non-zero M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
66 Attack 1: Matrix Zeroizing Attack We remove the effects of scalar bundlings using algebraic ways (omitted) Matrix-zeroizing attack: extended mixed-input attack Invalid inputs can induce the different outputs of equivalent BPs Summation of mixed-input can yield the different outputs of BPs i inp(i) invalid input 010, 011, 100, 101, Ã0 Ã 4 B 0 B 4 Ã 1,1 Ã 2,1 Ã 3,1 B 1,1 B 2,1 B 3,1 Ã 1,0 Ã 2,0 Ã 3,0 B 1,0 B 2,0 B 3,0 outputs zero outputs non-zero M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
67 Attack 2: Starting point = Principal Ideal Problem We compute for evaluation of program with output 0 [up zt ] q = rh R M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
68 Attack 2: Starting point = Principal Ideal Problem We compute for evaluation of program with output 0 [up zt ] q = rh R Using SPIP solver, we obtain h R in quantum polytime [BS16, CDPR16] M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
69 Attack 2: Starting point = Principal Ideal Problem We compute for evaluation of program with output 0 [up zt ] q = rh R Using SPIP solver, we obtain h R in quantum polytime [BS16, CDPR16] We can compute the double-zero testing parameter at level 2κ: [(p zt /h) 2 ] q = [z 2κ g 2 ] q M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
70 Attack 2: Starting point = Principal Ideal Problem We compute for evaluation of program with output 0 [up zt ] q = rh R Using SPIP solver, we obtain h R in quantum polytime [BS16, CDPR16] We can compute the double-zero testing parameter at level 2κ: [(p zt /h) 2 ] q = [z 2κ g 2 ] q New Zerotesting Procedure We can run 2κ level zerotest, or 2κ level obfuscated program M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
71 Attack 2: Mixed-input Attack Run mixed-input attack on obfuscated program at level κ i inp(i) Ã 1,1 Ã 2,1 Ã 3,1 Ã 0 Ã 4 Ã 1,0 Ã 2,0 Ã 3,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
72 Attack 2: Mixed-input Attack Run mixed-input attack on obfuscated program at level κ i inp(i) invalid input indices à 1,1 à 2,1 à 3,1 à 0 à 4 à 1,0 à 2,0 à 3,0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
73 Attack 2: Mixed-input Attack Run mixed-input attack on obfuscated program at level κ We cannot evaluate it in obfuscated program due to constructions 2 i inp(i) invalid input indices à 1,1 à 2,1 à 3,1 à 0 à 4 à 1,0 à 2,0 à 3,0 2 level parameters, scalar bundlings M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
74 Attack 2: Mixed-input Attack Run mixed-input attack on obfuscated program at level κ We cannot evaluate it in obfuscated program due to constructions 2 i inp(i) invalid input indices à 1,1 à 2,1 à 3,1 à 0 à 4 à 1,0 à 2,0 à 3,0 2 level parameters, scalar bundlings M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
75 Attack 2: Mixed-input Attack Run mixed-input attack on obfuscated program at level κ We cannot evaluate it in obfuscated program due to constructions 2 Construct 2κ-level obfuscated program i inp(i) invalid input indices à 1,1 à 2,1 à 3,1 à 1,1 à 2,1 à 3,1 à 0 à 4 à 0 à 4 à 1,0 à 2,0 à 3,0 à 1,0 à 2,0 à 3,0 2 level parameters, scalar bundlings M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
76 Attack 2: Mixed-input Attack Run mixed-input attack on obfuscated program at level κ We cannot evaluate it in obfuscated program due to constructions 2 Construct 2κ-level obfuscated program Run mixed-input attack on obfuscated program at level 2κ i inp(i) invalid input indices à 1,1 à 2,1 à 3,1 à 1,1 à 2,1 à 3,1 à 0 à 4 à 0 à 4 à 1,0 à 2,0 à 3,0 à 1,0 à 2,0 à 3,0 2 level parameters, scalar bundlings M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
77 Summary and work in progress Attacks io (using GGH13) Branching program obfuscators [GGH + 13b] [BR14] [AGIS14, MSW14] [PST14, BGK + 14] [BMSZ16] [GMM + 16] Circuit obfuscators [Zim15, AB15] [DGG + 16] [MSZ16] [CGH17] This work 1 [CHKL18] This work 2 [Pel18] for input-partitionable branching programs for specific choices of parameters in the quantum setting M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
78 Summary and work in progress Attacks io (using GGH13) Branching program obfuscators [GGH + 13b] [BR14] [AGIS14, MSW14] [PST14, BGK + 14] [BMSZ16] [GMM + 16] Circuit obfuscators [Zim15, AB15] [DGG + 16] [MSZ16] [CGH17] This work 1 [CHKL18]? This work 2 [Pel18]? for input-partitionable branching programs for specific choices of parameters in the quantum setting M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
79 Work in progress [GGH + 13b] in quantum world M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
80 Work in progress [GGH + 13b] in quantum world Combination! =Double-zero testing + Matrix-zeroizing attack M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
81 Work in progress [GGH + 13b] in quantum world Combination! =Double-zero testing + Matrix-zeroizing attack Circuit obfuscations in classical world M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
82 Work in progress [GGH + 13b] in quantum world Combination! =Double-zero testing + Matrix-zeroizing attack Circuit obfuscations in classical world Extending the NTRU attack! M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
83 Perspectives / Open problems Obfuscation for evasive functions Countermeasure on the attacks Parameter constraints to prevent our classical attack 3 : n = Ω(κ 2 λ) 3 n: dimension of space, κ: multilinearity level, λ: security parameter To prevent classical PIP attack and our attack: n = Ω(max(κ 2 λ, λ 2 )) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
84 Perspectives / Open problems Obfuscation for evasive functions Countermeasure on the attacks Parameter constraints to prevent our classical attack 3 : n = Ω(κ 2 λ) Remark Proofs in idealized models VS Constructions with concrete schemes 3 n: dimension of space, κ: multilinearity level, λ: security parameter To prevent classical PIP attack and our attack: n = Ω(max(κ 2 λ, λ 2 )) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
85 Perspectives / Open problems Obfuscation for evasive functions Countermeasure on the attacks Parameter constraints to prevent our classical attack 3 : n = Ω(κ 2 λ) Remark Proofs in idealized models VS Constructions with concrete schemes Many concrete schemes are not fit in the idealized model 3 n: dimension of space, κ: multilinearity level, λ: security parameter To prevent classical PIP attack and our attack: n = Ω(max(κ 2 λ, λ 2 )) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
86 Perspectives / Open problems Obfuscation for evasive functions Countermeasure on the attacks Parameter constraints to prevent our classical attack 3 : n = Ω(κ 2 λ) Remark Proofs in idealized models VS Constructions with concrete schemes Many concrete schemes are not fit in the idealized model This gap can cause a significant weakness of the concrete scheme! 3 n: dimension of space, κ: multilinearity level, λ: security parameter To prevent classical PIP attack and our attack: n = Ω(max(κ 2 λ, λ 2 )) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
87 Thank you! 감사합니다! Merci! For more details, see papers or eprint reports Quantum attack: ia.cr/2018/533 Classical attack: ia.cr/2018/408 Combined/Extended work: Coming Soon..? M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
88 References I Benny Applebaum and Zvika Brakerski. Obfuscating circuits via composite-order graded encoding. In TCC 2015, pages , Martin R. Albrecht, Shi Bai, and Léo Ducas. A subfield lattice attack on overstretched NTRU assumptions - cryptanalysis of some FHE and graded encoding schemes. In Crypto 2016, pages , Prabhanjan Ananth, Divya Gupta, Yuval Ishai, and Amit Sahai. Optimizing obfuscation: Avoiding barrington s theorem. In CCS 2014, pages ACM, Jean-François Biasse, Thomas Espitau, Pierre-Alain Fouque, Alexandre Gélin, and Paul Kirchner. Computing generator in cyclotomic integer rings. In Eurocrypt 2017, pages Springer, Boaz Barak, Oded Goldreich, Rusell Impagliazzo, Steven Rudich, Amit Sahai, Salil Vadhan, and Ke Yang. On the (im) possibility of obfuscating programs. In Crypto 2001, pages Springer, Boaz Barak, Sanjam Garg, Yael Tauman Kalai, Omer Paneth, and Amit Sahai. Protecting obfuscation against algebraic attacks. In Eurocrypt 2014, pages , Saikrishna Badrinarayanan, Eric Miles, Amit Sahai, and Mark Zhandry. Post-zeroizing obfuscation: New mathematical tools, and the case of evasive circuits. In Eurocrypt 2016, pages , M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
89 References II Zvika Brakerski and Guy N Rothblum. Obfuscating conjunctions. Crypto 2014, Jean-François Biasse and Fang Song. Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In SODA 2016, pages Society for Industrial and Applied Mathematics, Ronald Cramer, Léo Ducas, Chris Peikert, and Oded Regev. Recovering short generators of principal ideals in cyclotomic rings. In Eurocrypt 2016, pages , Yilei Chen, Craig Gentry, and Shai Halevi. Cryptanalyses of candidate branching program obfuscators. In Eurocrypt 2017, pages Springer, Jung Hee Cheon, Jinhyuck Jeong, and Changmin Lee. An algorithm for ntru problems and cryptanalysis of the ggh multilinear map without a low-level encoding of zero. LMS Journal of Computation and Mathematics, 19(A): , Nico Döttling, Sanjam Garg, Divya Gupta, Peihan Miao, and Pratyay Mukherjee. Obfuscation from low noise multilinear maps. eprint, Report 2016/599, Rex Fernando, Peter Rasmussen, and Amit Sahai. Preventing CLT attacks on obfuscation with linear overhead. In Asiacrypt 2017, pages , M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
90 References III Sanjam Garg, Craig Gentry, and Shai Halevi. Candidate multilinear maps from ideal lattices. In Eurocrypt 2017, pages Springer, Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai, and Brent Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. FOCS 2013, Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan, and Mark Zhandry. Secure obfuscation in a weak multilinear map model. In TCC 2016, pages , Paul Kirchner and Pierre-Alain Fouque. Revisiting lattice attacks on overstretched ntru parameters. In Eurocrypt 2017, pages Springer, Eric Miles, Amit Sahai, and Mor Weiss. Protecting obfuscation against arithmetic attacks. eprint, Report 2014/878, Eric Miles, Amit Sahai, and Mark Zhandry. Annihilation attacks for multilinear maps: Cryptanalysis of indistinguishability obfuscation over GGH13. In Crypto 2016, pages , Rafael Pass, Karn Seth, and Sidharth Telang. Indistinguishability obfuscation from semantically-secure multilinear encodings. In Crypto 2014, pages , M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
91 References IV Joe Zimmerman. How to obfuscate programs directly. In Eurocrypt 2015, pages , M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto /23
Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13
Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13 Eric Miles UCLA enmiles@cs.ucla.edu Amit Sahai UCLA sahai@cs.ucla.edu Mark Zhandry MI mzhandry@gmail.com
More informationZeroizing Attacks on Indistinguishability Obfuscation over CLT13
Zeroizing Attacks on Indistinguishability Obfuscation over CLT13 Jean-Sébastien Coron 1, Moon Sung Lee 1, Tancrède Lepoint 2, and Mehdi Tibouchi 3 1 University of Luxembourg 2 SRI International 3 NTT Secure
More informationObfuscation without Multilinear Maps
Obfuscation without Multilinear Maps Dingfeng Ye Peng Liu DCS Center Cyber Security Lab nstitute of nformation Engineering College of nformation Sciences and Technology Chinese Academy of Sciences Pennsylvania
More informationObfuscation and Weak Multilinear Maps
Obfuscation and Weak Multilinear Maps Mark Zhandry Princeton University Joint work with Saikrishna Badrinarayanan, Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan Obfuscation
More informationCryptanalysis of GGH15 Multilinear Maps
Cryptanalysis of GGH15 Multilinear Maps Jean-Sébastien Coron 1, Moon Sung Lee 1, Tancrède Lepoint 2, and Mehdi Tibouchi 3 1 University of Luxembourg 2 CryptoExperts 3 NTT Secure Platform Laboratories June
More informationAnnihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13
Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13 Eric Miles Amit Sahai Mark Zhandry Abstract In this work, we present a new class of polynomial-time
More informationPost-Zeroizing Obfuscation: The case of Evasive Circuits
Post-Zeroizing Obfuscation: The case of Evasive Circuits Saikrishna Badrinarayanan UCLA saikrishna@cs.ucla.edu Eric Miles UCLA enmiles@cs.ucla.edu Mark Zhandry Stanford University mzhandry@stanford.edu
More informationCryptanalysis of Indistinguishability Obfuscations of Circuits over GGH13
Cryptanalysis of Indistinguishability Obfuscations of Circuits over GGH13 Daniel Apon 1, Nico Döttling 2, Sanjam Garg 2, and Pratyay Muherjee 2 1 University of Maryland, College Par, USA 2 University of
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators
More informationOn Kilian s Randomization of Multilinear Map Encodings
On Kilian s Randomization of Multilinear Map Encodings Jean-Sébastien Coron and Hilder V. L. Pereira University of Luxembourg November 20, 2018 Abstract. Indistinguishability obfuscation constructions
More informationComputing Generator in Cyclotomic Integer Rings
A subfield algorithm for the Principal Ideal Problem in L 1 K 2 and application to the cryptanalysis of a FHE scheme Jean-François Biasse 1 Thomas Espitau 2 Pierre-Alain Fouque 3 Alexandre Gélin 2 Paul
More informationPost-Zeroizing Obfuscation: The case of Evasive Circuits
Post-Zeroizing Obfuscation: The case of Evasive Circuits Saikrishna Badrinarayanan UCLA saikrishna@cs.ucla.edu Eric Miles UCLA enmiles@cs.ucla.edu Mark Zhandry Stanford University mzhandry@stanford.edu
More informationA Simple Obfuscation Scheme for Pattern-Matching with Wildcards
A Simple Obfuscation Scheme for Pattern-Matching with Wildcards Allison Bishop 1,2, Lucas Kowalczyk 2, Tal Malkin 2, Valerio Pastro 2,3, Mariana Raykova 3, and Kevin Shi 2 1 IEX 2 Columbia University 3
More informationAn Algorithm for NTRU Problems
An Algorithm for NTRU Problems Jung Hee Cheon, Jinhyuck Jeong, Changmin Lee Seoul National University August 29, 2016 Changmin Lee An Algorithm for NTRU Problems 2016. 8. 29. 1 / 27 Introduction The NTRU
More informationZeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations 1
Zeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations 1 Jean-Sébastien Coron 2 Craig Gentry 3 Shai Halevi 3 Tancrède Lepoint 4 Hemanta K. Maji 5,6 Eric Miles 6 Mariana Raykova 7 Amit
More informationOn the Implausibility of Differing-Inputs Obfuscation and Extractable Witness Encryption with Auxiliary Input
On the Implausibility of Differing-Inputs Obfuscation and Extractable Witness Encryption with Auxiliary Input Sanjam Garg Craig Gentry Shai Halevi Daniel Wichs June 13, 2014 Abstract The notion of differing-inputs
More informationA Comment on Gu Map-1
A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices
More informationProtecting obfuscation against arithmetic attacks
Protecting obfuscation against arithmetic attacks Eric Miles UCLA enmiles@cs.ucla.edu Amit Sahai UCLA sahai@cs.ucla.edu Mor Weiss Technion morw@cs.technion.ac.il November 23, 2015 Abstract Obfuscation,
More informationBootstrapping Obfuscators via Fast Pseudorandom Functions
Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator
More informationCryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of
More informationIndistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall
Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall Nir Bitansky Ran Canetti Omer Paneth Alon Rosen June 3, 2014 This is an out of date draft. The paper was merged
More informationCryptanalyses of Candidate Branching Program Obfuscators
Cryptanalyses of Candidate Branching Program Obfuscators ilei Chen Craig Gentry Shai Halevi February 16, 2017 Abstract We describe new cryptanalytic attacks on the candidate branching program obfuscator
More informationObfuscation for Evasive Functions
Obfuscation for Evasive Functions Boaz Barak Nir Bitansky Ran Canetti Yael Tauman Kalai Omer Paneth Amit Sahai October 18, 2013 Abstract An evasive circuit family is a collection of circuits C such that
More informationSecure Obfuscation in a Weak Multilinear Map Model
Secure Obfuscation in a Weak Multilinear Map Model Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan, and Mark Zhandry Abstract. All known candidate indistinguishibility obfuscation(io)
More informationMultilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015
Multilinear Maps over the Integers From Design to Security Tancrède Lepoint CryptoExperts The Mathematics of Modern Cryptography Workshop, July 10th 2015 2 / 30 Timeline: The Hype Cycle of Multilinear
More informationAn Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero
An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero Jung Hee Cheon, Jinhyuck Jeong, Changmin Lee Seoul National University (SNU), Republic of Korea Abstract.
More informationDiffering-Inputs Obfuscation and Applications
Differing-Inputs Obfuscation and Applications Prabhanjan Ananth Dan Boneh Sanjam Garg Amit Sahai Mark Zhandry Abstract In this paper, we study of the notion of differing-input obfuscation, introduced by
More informationGraded Encoding, Variations on a Scheme
Graded Encoding, Variations on a Scheme Shai Halevi IBM October 30, 2015 Update (Oct 2015): The key-agreement protocols that are described (or alluded to) in sections 6,7 are broken. Thanks to Yupu Hu
More informationStatistical Zeroizing Attack: Cryptanalysis of Candidates of BP Obfuscation over GGH15 Multilinear Map
Statistical Zeroizing Attack: Cryptanalysis of Candidates of BP Obfuscation over GGH15 Multilinear Map Jung Hee Cheon 1, Wonhee Cho 1, Minki Hhan 1, Jiseung Kim 1, and Changmin Lee 2 1 Seoul National University,
More informationLattice-Based SNARGs and Their Application to More Efficient Obfuscation
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh Yuval Ishai Amit Sahai David J. Wu Abstract Succinct non-interactive arguments (SNARGs) enable verifying NP computations
More informationIndistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption
Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption Fuyuki Kitagawa 1 Ryo Nishimaki 2 Keisuke Tanaka 1 1 Tokyo Institute of Technology, Japan {kitagaw1,keisuke}@is.titech.ac.jp
More informationGGHLite: More Efficient Multilinear Maps from Ideal Lattices
GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois, Damien Stehlé and Ron Steinfeld Aric Team, LIP, ENS de Lyon May, 4 Adeline Langlois GGHLite May, 4 / 9 Our main result Decrease
More informationAn Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low Level Encoding of Zero
An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low Level Encoding of Zero Jung Hee Cheon Jinhyuck Jeong Changmin Lee Seoul National University (SNU) Republic of Korea
More informationPractical Order-Revealing Encryption with Limited Leakage
Practical Order-Revealing Encryption with Limited Leakage Nathan Chenette 1, Kevin Lewi 2, Stephen A. Weis 3, and David J. Wu 2 1 Rose-Hulman Institute of Technology 2 Stanford University 3 Facebook, Inc.
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationRevisiting Lattice Attacks on overstretched NTRU parameters
Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque Université de Rennes 1, France EUROCRYPT 2017 05/01/17 1 Plan 1. Background on NTRU and Previous Attacks 2. A New Subring
More informationProjective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps
Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai Constructions of io All current constructions of io are
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationVirtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding
Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding Zvika Brakerski Guy N. Rothblum Abstract We present a new general-purpose obfuscator for all polynomial-size circuits. The obfuscator
More informationImmunizing Multilinear Maps Against Zeroizing Attacks
Immunizing Multilinear Maps Against Zeroizing Attacks Dan Boneh Stanford University David J. Wu Stanford University Joe Zimmerman Stanford University Abstract In recent work Cheon, Han, Lee, Ryu, and Stehlé
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationVirtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding
Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding Zvika Brakerski 1 and Guy N. Rothblum 2 1 Weizmann Institute of Science 2 Microsoft Research Abstract. We present a new general-purpose
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationObfuscating Compute-and-Compare Programs under LWE
58th Annual IEEE Symposium on Foundations of Computer Science Obfuscating Compute-and-Compare Programs under LWE Daniel Wichs Northeastern University wichs@ccs.neu.edu Giorgos Zirdelis Northeastern University
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationIndistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption
Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry Allison ewko Amit Sahai Brent Waters November 4, 2014 Abstract We revisit the question of constructing
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More informationA subfield lattice attack on overstretched NTRU assumptions
A subfield lattice attack on overstretched NTRU assumptions Cryptanalysis of some FHE and Graded Encoding Schemes Martin R. Albrecht, Shi Bai and Léo Ducas London-ish Lattice Coding and Cryptography Meeting,
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationThe Impossibility of Obfuscation with Auxiliary Input or a Universal Simulator
The Impossibility of Obfuscation with Auxiliary Input or a Universal Simulator Nir Bitansky 1,, Ran Canetti 1,2,,HenryCohn 3, Shafi Goldwasser 4,5, Yael Tauman Kalai 3,OmerPaneth 2,,andAlonRosen 6, 1 Tel
More informationComputing generator in cyclotomic integer rings
Computing generator in cyclotomic integer rings Jean-François Biasse, Thomas Espitau, Pierre-Alain Fouque, Alexandre Gélin, Paul Kirchner To cite this version: Jean-François Biasse, Thomas Espitau, Pierre-Alain
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationBounded KDM Security from io and OWF
Bounded KDM Security from io and OWF Antonio Marcedone 1, Rafael Pass 1, and abhi shelat 2 1 Cornell University, {marcedone,rafael}@cs.cornell.edu 2 University of Virginia, abhi@virginia.edu July 5, 2016
More informationPractical Order-Revealing Encryption with Limited Leakage
Practical Order-Revealing Encryption with Limited Leakage Nathan Chenette 1, Kevin Lewi 2, Stephen A. Weis 3, and David J. Wu 2 1 Rose-Hulman Institute of Technology 2 Stanford University 3 Facebook, Inc.
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationWhat are we talking about when we talk about post-quantum cryptography?
PQC Asia Forum Seoul, 2016 What are we talking about when we talk about post-quantum cryptography? Fang Song Portland State University PQC Asia Forum Seoul, 2016 A personal view on postquantum cryptography
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal Technische Universiteit Eindhoven 1 May 2017 Joint work with: Jens Bauch & Daniel J. Bernstein & Henry de
More informationPublicly Verifiable Software Watermarking
Publicly Verifiable Software Watermarking Aloni Cohen Justin Holmgren Vinod Vaikuntanathan December 7, 2015 Abstract Software Watermarking is the process of transforming a program into a functionally equivalent
More informationOffline Witness Encryption
Offline Witness Encryption Hamza Abusalah, Georg Fuchsbauer, and Krzysztof Pietrzak IST Austria {habusalah, gfuchsbauer, pietrzak}@ist.ac.at Abstract. Witness encryption (WE) was introduced by Garg et
More informationLimits on the Locality of Pseudorandom Generators and Applications to Indistinguishability Obfuscation
Limits on the Locality of Pseudorandom Generators and Applications to Indistinguishability Obfuscation Alex Lombardi MIT Vinod Vaikuntanathan MIT Abstract Lin and Tessaro (eprint 2017) recently proposed
More informationSolving LWE with BKW
Martin R. Albrecht 1 Jean-Charles Faugére 2,3 1,4 Ludovic Perret 2,3 ISG, Royal Holloway, University of London INRIA CNRS IIS, Academia Sinica, Taipei, Taiwan PKC 2014, Buenos Aires, Argentina, 28th March
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More informationNon-Interactive Secure Multiparty Computation
Non-Interactive Secure Multiparty Computation Amos Beimel 1, Ariel Gabizon 2, Yuval Ishai 2, Eyal Kushilevitz 2, Sigurd Meldgaard 3, and Anat Paskin-Cherniavsky 4 1 Dept. of Computer Science, Ben Gurion
More informationLattice Reduction Attacks on HE Schemes. Martin R. Albrecht 15/03/2018
Lattice Reduction Attacks on HE Schemes Martin R. Albrecht 15/03/2018 Learning with Errors The Learning with Errors (LWE) problem was defined by Oded Regev. 1 Given (A, c) with uniform A Z m n q, uniform
More informationPractical Fully Homomorphic Encryption without Noise Reduction
Practical Fully Homomorphic Encryption without Noise Reduction Dongxi Liu CSIRO, Marsfield, NSW 2122, Australia dongxi.liu@csiro.au Abstract. We present a new fully homomorphic encryption (FHE) scheme
More informationFunction-Hiding Inner Product Encryption
Function-Hiding Inner Product Encryption Allison Bishop Columbia University allison@cs.columbia.edu Abhishek Jain Johns Hopkins University abhishek@cs.jhu.edu Lucas Kowalczyk Columbia University luke@cs.columbia.edu
More informationMulti-key fully homomorphic encryption report
Multi-key fully homomorphic encryption report Elena Fuentes Bongenaar July 12, 2016 1 Introduction Since Gentry s first Fully Homomorphic Encryption (FHE) scheme in 2009 [6] multiple new schemes have been
More informationMasking the GLP Lattice-Based Signature Scheme at any Order
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationSomewhat Practical Fully Homomorphic Encryption
Somewhat Practical Fully Homomorphic Encryption Junfeng Fan and Frederik Vercauteren Katholieke Universiteit Leuven, COSIC & IBBT Kasteelpark Arenberg 10 B-3001 Leuven-Heverlee, Belgium firstname.lastname@esat.kuleuven.be
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationLow Overhead Broadcast Encryption from Multilinear Maps
Low Overhead Broadcast Encryption from Multilinear Maps Dan Boneh Stanford University dabo@cs.stanford.edu Mark Zhandry Stanford University zhandry@cs.stanford.edu Brent Waters University of Texas at Austin
More informationIndistinguishability Obfuscation from Constant-Degree Graded Encoding Schemes
Indistinguishability Obfuscation from Constant-Degree Graded Encoding Schemes Huijia Lin University of California, Santa Barbara Abstract. We construct an indistinguishability obfuscation (IO) scheme for
More informationAlgebraic XOR-RKA-Secure Pseudorandom Functions from Post-Zeroizing Multilinear Maps
Algebraic XOR-RKA-Secure Pseudorandom Functions from Post-Zeroizing Multilinear Maps Michel Abdalla 1,2, Fabrice Benhamouda 3, and Alain Passelègue 4 1 Département d informatique de l ENS École normale
More informationGraded Encoding Schemes from Obfuscation
Graded Encoding Schemes from Obfuscation Pooya Farshim 1&2, Julia Hesse 1&2&5, Dennis Hofheinz 3, and Enrique Larraia 4 1 Département d informatique de l ENS, École normale supérieure, CNRS, PSL Research
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein & Christine van Vredendaal University of Illinois at Chicago Technische Universiteit Eindhoven 19 January 2017
More informationAdaptively Secure Constrained Pseudorandom Functions
Adaptively Secure Constrained Pseudorandom Functions Dennis Hofheinz dennis.hofheinz@kit.edu Venkata Koppula University of Texas at Austin kvenkata@cs.utexas.edu Akshay Kamath University of Texas at Austin
More informationSum-of-Squares Meets Program Obfuscation, Revisited
Sum-of-Squares Meets Program Obfuscation, Revisited Boaz Barak, Samuel B. Hopkins, Aayush Jain, Pravesh Kothari, and Amit Sahai. Abstract We develop attacks on the security of variants of pseudorandom
More informationPolynomial Functional Encryption Scheme with Linear Ciphertext Size
Polynomial Functional Encryption Scheme with Linear Ciphertext Size Jung Hee Cheon, Seungwan Hong, Changmin Lee, Yongha Son Seoul National University (SNU), Republic of Korea bstract. In this paper, we
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationDetermination and exploration of practical parameters for the latest Somewhat Homomorphic Encryption (SHE) Schemes
Determination and exploration of practical parameters for the latest Somewhat Homomorphic Encryption (SHE) Schemes Vincent Migliore, Guillaume Bonnoron, Caroline Fontaine To cite this version: Vincent
More informationGraded Encoding Schemes from Obfuscation
Graded Encoding Schemes from Obfuscation Pooya Farshim,1,2, Julia Hesse 1,2,3, Dennis Hofheinz,3, and Enrique Larraia 1 DIENS, École normale supérieure, CNRS, PSL Research University, Paris, France 2 INRIA
More informationGraph-Induced Multilinear Maps from Lattices
Graph-Induced Multilinear Maps from Lattices Craig Gentry IBM Sergey Gorbunov MIT November 11, 2014 Shai Halevi IBM Abstract Graded multilinear encodings have found extensive applications in cryptography
More informationObfuscating Compute-and-Compare Programs under LWE
Obfuscating Compute-and-Compare Programs under LWE Daniel Wichs Giorgos Zirdelis August 15, 2017 Abstract We show how to obfuscate a large and expressive class of programs, which we call compute-andcompare
More informationNew Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation
New Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation Shweta Agrawal Abstract Constructing indistinguishability obfuscation io [BGI + 01] is a central open question in cryptography.
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationShort Stickelberger Class Relations and application to Ideal-SVP
Short Stickelberger Class Relations and application to Ideal-SVP Ronald Cramer Léo Ducas Benjamin Wesolowski Leiden University, The Netherlands CWI, Amsterdam, The Netherlands EPFL, Lausanne, Switzerland
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationMultilinear Maps from Obfuscation
Multilinear Maps from Obfuscation Martin R. Albrecht (RHUL) Pooya Farshim (QUB) Shuai Han (SJTU) Dennis Hofheinz (KIT) Enrique Larraia (RHUL) Kenneth G. Paterson (RHUL) December 18, 2017 Abstract We provide
More informationCandidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation
Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Dongxue Pan 1,2, Hongda Li 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication
More informationMore Annihilation Attacks
More Annihilation Attacks an extension of MSZ16 Charles Jin Yale University May 9, 2016 1 Introduction MSZ16 gives an annihilation attack on candidate constructions of indistinguishability obfuscation
More informationComputing generator in cyclotomic integer rings
Computing generator in cyclotomic integer rings A L K (1/2) algorithm for the Principal Ideal Problem and application to the cryptanalysis of a FHE scheme Thomas Espitau 1, Pierre-Alain Fouque 2, Alexandre
More informationCraig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/2012-22/2/2012 Bar-Ilan University Craig Gentry IBM Watson Optimizations of Somewhat Homomorphic Encryption
More information