A Study on the Mathematical Analysis of Indistinguishability Obfuscation
Thesis (Ph.D.) -- Seoul National University Graduate School: College of Natural Sciences, Department of Mathematical Sciences, February 2020. Advisor: Jung Hee Cheon.
Indistinguishability obfuscation (iO) is a weak notion of program obfuscation which requires that, if two functionally equivalent circuits are given, their obfuscated programs are indistinguishable. The existence of iO implies numerous cryptographic primitives such as multilinear maps, functional encryption and non-interactive multi-party key exchange. In general, many iO schemes are based on branching programs and on the candidate multilinear maps represented by GGH13, CLT13 and GGH15.
In this thesis, we present cryptanalyses of branching-program-based iO over the multilinear maps GGH13 and GGH15. First, we propose cryptanalyses of all existing branching-program-based iO schemes over GGH13 for all recommended parameter settings. To achieve this, we introduce two novel techniques, program converting using an NTRU solver and matrix zeroizing, which can be applied to a wide range of obfuscation constructions. We then show that there exists a polynomial-time reduction from the NTRU problem to all known branching-program-based iO over GGH13.
Moreover, we propose a new attack on iO based on GGH15 which exploits statistical properties rather than algebraic approaches. We apply our attack to two recent obfuscations, the CVW and BGMZ obfuscations. Thus, we break the CVW obfuscation under the current parameter setup, and show that the algebraic security model of the BGMZ obfuscation is not enough to achieve ideal security. We show that our attack lies outside of the algebraic security model by presenting some parameters not captured by the proof of the model.
Korean abstract (translated): A program obfuscator is called an indistinguishability obfuscator if, given two functionally equivalent programs, their obfuscated programs cannot be distinguished. Because the existence of indistinguishability obfuscation implies many cryptographic applications, such as multilinear maps, functional encryption and multi-party key exchange, designing an indistinguishability obfuscator is one of the most important problems. In general, many indistinguishability obfuscators have been designed on the basis of the multilinear maps GGH13, CLT13 and GGH15.
In this thesis we carry out security analyses of obfuscation schemes based on multilinear maps. First, we show that all obfuscation schemes based on the GGH13 multilinear map are insecure under the current parameters. We analyze their security by proposing two new methods, program converting and the matrix zeroizing attack, and as a result show that every existing obfuscation scheme based on the GGH13 multilinear map reduces to the NTRU problem in polynomial time.
We also propose a statistical attack on obfuscation schemes based on the GGH15 multilinear map. Applying the statistical attack to the state-of-the-art CVW and BGMZ obfuscations, we show that the CVW obfuscation is insecure under the current parameters. We further show that the algebraic security model proposed for the BGMZ obfuscation is not sufficient for designing an ideal obfuscation scheme. Concretely, we present specific parameters for which the BGMZ obfuscation is insecure, showing that our attack is not covered by the security model proposed in BGMZ.
Table of contents:
1 Introduction
1.1 Indistinguishability Obfuscation
1.2 Contributions
1.2.1 Mathematical Analysis of iO based on GGH13
1.2.2 Mathematical Analysis of iO based on GGH15
1.3 List of Papers
2 Preliminaries
2.1 Basic Notations
2.2 Indistinguishability Obfuscation
2.3 Cryptographic Multilinear Map
2.4 Matrix Branching Program
2.5 Tensor Product and Vectorization
2.6 Background on Lattices
3 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH13 Multilinear Map
3.1 Preliminaries
3.1.1 Notations
3.1.2 GGH13 Multilinear Map
3.2 Main Theorem
3.3 Attackable BP Obfuscations
3.3.1 Randomization for Attackable Obfuscation Model
3.3.2 Encoding by Multilinear Map
3.3.3 Linear Relationally Inequivalent Branching Programs
3.4 Program Converting Technique
3.4.1 Converting to R Program
3.4.2 Recovering and Converting to R/ Program
3.4.3 Analysis of the Converting Technique
3.5 Matrix Zeroizing Attack
3.5.1 Existing BP Obfuscations
3.5.2 Attackable BP Obfuscation, General Case
4 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH15 Multilinear Map
4.1 Preliminaries
4.1.1 Notations
4.2 Statistical Zeroizing Attack
4.2.1 Distinguishing Distributions using Sample Variance
4.3 Cryptanalysis of CVW Obfuscation
4.3.1 Construction of CVW Obfuscation
4.3.2 Cryptanalysis of CVW Obfuscation
4.4 Cryptanalysis of BGMZ Obfuscation
4.4.1 Construction of BGMZ Obfuscation
4.4.2 Cryptanalysis of BGMZ Obfuscation
5 Conclusions
6 Appendix
6.1 Appendix of Chapter 3
6.1.1 Extended Attackable Model
6.1.2 Examples of Matrix Zeroizing Attack
6.1.3 Examples of Linear Relationally Inequivalent BPs
6.1.4 Read-once BPs from NFA
6.1.5 Input-unpartitionable BPs from Barrington's Theorem
6.2 Appendix of Chapter 5
6.2.1 Simple GGH15 Obfuscation
6.2.2 Modified CVW Obfuscation
6.2.3 Transformation of Branching Programs
6.2.4 Modification of CVW Obfuscation
6.2.5 Assumptions of Lattice Preimage Sampling
6.2.6 Useful Tools for Computing the Variances
6.2.7 Analysis of CVW Obfuscation
6.2.8 Analysis of BGMZ Obfuscation
Abstract (in Korean)
On the statistical leak of the GGH13 multilinear map and some variants
At EUROCRYPT 2013, Garg, Gentry and Halevi proposed a candidate construction (later referred to as GGH13) of a cryptographic multilinear map (MMap). Despite weaknesses uncovered by Hu and Jia (EUROCRYPT 2016), this candidate is still used for designing obfuscators. The naive version of the GGH13 scheme was deemed susceptible to averaging attacks, i.e., it could suffer from a statistical leak (yet no precise attack was described). A variant was therefore devised, but it remains heuristic. Recently, to obtain MMaps with low noise and modulus, two variants of this countermeasure were developed by Döttling et al. (EPRINT:2016/599). In this work, we propose a systematic study of this statistical leakage for all these GGH13 variants. In particular, we confirm the weakness of the naive version o
A Survey on Homomorphic Encryption Schemes: Theory and Implementation
Legacy encryption systems depend on sharing a key (public or private) among the peers involved in exchanging an encrypted message. However, this approach poses privacy concerns. Especially with popular cloud services, control over the privacy of sensitive data is lost. Even when the keys are not shared, the encrypted material is shared with a third party that does not necessarily need to access the content. Moreover, untrusted servers, providers, and cloud operators can keep identifying elements of users long after the users end their relationship with the services. Homomorphic Encryption (HE), a special kind of encryption scheme, can address these concerns, as it allows any third party to operate on the encrypted data without decrypting it in advance. Although this extremely useful feature of HE schemes has been known for over 30 years, the first plausible and achievable Fully Homomorphic Encryption (FHE) scheme, which allows any computable function to be performed on the encrypted data, was introduced by Craig Gentry in 2009. Even though this was a major achievement, different implementations so far have demonstrated that FHE still needs to be improved significantly to be practical on every platform. First, we present the basics of HE and the details of the well-known Partially Homomorphic Encryption (PHE) and Somewhat Homomorphic Encryption (SWHE) schemes, which are important pillars of achieving FHE. Then, the main FHE families, which have become the base for the other follow-up FHE schemes, are presented. Furthermore, the implementations and recent improvements in Gentry-type FHE schemes are also surveyed. Finally, further research directions are discussed. This survey is intended to give clear knowledge and a foundation to researchers and practitioners interested in knowing, applying, as well as extending the state-of-the-art HE, PHE, SWHE, and FHE systems.
Comment: Updated (October 6, 2017). This paper is an early draft of the survey that is being submitted to ACM CSUR and has been uploaded to arXiv for feedback from stakeholder
Variation of GGH15 Multilinear Maps
Recently, Coron presented an attack on the GGH15 multilinear maps which breaks the multipartite Diffie-Hellman key exchange protocol based on GGH15. In this paper, we describe a variation of GGH15 which seems to thwart the known attacks.
A Subfield Lattice Attack on Overstretched NTRU Assumptions: Cryptanalysis of Some FHE and Graded Encoding Schemes
Hard isogeny problems over RSA moduli and groups with infeasible inversion
We initiate the study of computational problems on elliptic curve isogeny graphs defined over RSA moduli. We conjecture that several variants of the neighbor-search problem over these graphs are hard, and provide a comprehensive list of cryptanalytic attempts on these problems. Moreover, based on the hardness of these problems, we provide a construction of groups with infeasible inversion, where the underlying groups are the ideal class groups of imaginary quadratic orders.
Recall that in a group with infeasible inversion, computing the inverse of a group element is required to be hard, while performing the group operation is easy. Motivated by the potential cryptographic application of building a directed transitive signature scheme, the search for a group with infeasible inversion was initiated in the theses of Hohenberger and Molnar (2003). Later it was also shown to provide a broadcast encryption scheme by Irrer et al. (2004). However, to date the only instance of a group with infeasible inversion is implied by the much stronger primitive of a self-bilinear map constructed by Yamakawa et al. (2014) based on the hardness of factoring and indistinguishability obfuscation (iO). Our construction gives a candidate without using iO.
Comment: Significant revision of the article previously titled "A Candidate Group with Infeasible Inversion" (arXiv:1810.00022v1). Cleared up the constructions by giving toy examples, added "The Parallelogram Attack" (Sec 5.3.2). 54 pages, 8 figure
An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low Level Encoding of Zero
Let f and g be polynomials of bounded Euclidean norm in the ring \Z[X]/. Given the polynomial [f/g]_q \in \Z_q[X]/, the NTRU problem is to find a, b \in \Z[X]/ with small Euclidean norm such that [a/b]_q = [f/g]_q.
We propose an algorithm to solve the NTRU problem which runs in 2^{O(\log^{2} \lambda)} time when ||g||, ||f||, and ||g^{-1}|| are within some range. The main technique of our algorithm is the reduction of a problem on a field to one in a subfield.
Recently, the GGH scheme, the first candidate of an (approximate) multilinear map, was found to be insecure by the Hu--Jia attack using low-level encodings of zero, but no polynomial-time attack was known without them. In the GGH scheme without low-level encodings of zero, our algorithm can be directly applied to attack this scheme if we have some top-level encodings of zero and a known pair of plaintext and ciphertext. Using our algorithm, we can construct a level-0 encoding of zero and utilize it to attack the security basis of this scheme in time quasi-polynomial in its security parameter, using the parameters suggested by {GGH13}.