A Study on the Mathematical Analysis of Indistinguishability Obfuscation (구분불가능한 난독화의 수학적 분석에 관한 연구)
Ph.D. dissertation, Seoul National University Graduate School, College of Natural Sciences, Department of Mathematical Sciences, February 2020. Advisor: Jung Hee Cheon (천정희).
Indistinguishability obfuscation (iO) is a weak notion of program obfuscation: it only requires that the obfuscations of any two functionally equivalent circuits be indistinguishable. The existence of iO implies numerous cryptographic primitives such as multilinear maps, functional encryption and non-interactive multi-party key exchange. In general, many iO schemes are built from branching programs together with candidate multilinear maps, represented by GGH13, CLT13 and GGH15.
In this thesis, we present cryptanalyses of branching-program-based iO over the multilinear maps GGH13 and GGH15. First, we propose cryptanalyses of all existing branching-program-based iO schemes over GGH13 for all recommended parameter settings. To achieve this, we introduce two novel techniques, program converting using an NTRU solver and matrix zeroizing, which can be applied to a wide range of obfuscation constructions. We then show a polynomial-time reduction from the NTRU problem to all known branching-program-based iO over GGH13: an efficient NTRU solver (for the recommended parameters, the subfield algorithm) breaks every such obfuscator.
Moreover, we propose a new attack on iO based on GGH15 which exploits statistical properties rather than algebraic structure. We apply it to two recent obfuscations, CVW and BGMZ: we break the CVW obfuscation under its current parameter setup, and show that the algebraic security model of the BGMZ obfuscation is not enough to achieve ideal security. We show that our attack lies outside the algebraic security model by presenting parameters that the model's proof does not capture.

Korean abstract (translated): Given two programs with the same functionality and their obfuscated versions, the obfuscation is called indistinguishability obfuscation if the obfuscated programs cannot be told apart. If indistinguishability obfuscation exists, many cryptographic applications such as multilinear maps, functional encryption and multi-party key exchange follow from it, so designing indistinguishability obfuscation is one of the most important problems. In general, most indistinguishability obfuscators have been designed on top of the multilinear maps GGH13, CLT13 and GGH15. In this dissertation we analyze the security of obfuscation schemes based on multilinear maps. First, we show that all obfuscation schemes based on the GGH13 multilinear map are insecure under their current parameters: we propose two new methods, program converting and the matrix zeroizing attack, and use them to show that every existing GGH13-based obfuscation scheme reduces in polynomial time to the NTRU problem. Second, we propose a statistical attack on obfuscation schemes based on the GGH15 multilinear map. Applying it to the recent CVW and BGMZ obfuscations, we show that the CVW obfuscation is insecure at its current parameters, and that the algebraic security model proposed for the BGMZ obfuscation is not sufficient to design an ideal obfuscation scheme; concretely, we present specific parameters for which the BGMZ obfuscation is insecure, showing that our attack is not captured by the security model proposed in BGMZ.

1 Introduction
1.1 Indistinguishability Obfuscation
1.2 Contributions
1.2.1 Mathematical Analysis of iO based on GGH13
1.2.2 Mathematical Analysis of iO based on GGH15
1.3 List of Papers
2 Preliminaries
2.1 Basic Notations
2.2 Indistinguishability Obfuscation
2.3 Cryptographic Multilinear Map
2.4 Matrix Branching Program
2.5 Tensor Product and Vectorization
2.6 Background on Lattices
3 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH13 Multilinear Map
3.1 Preliminaries
3.1.1 Notations
3.1.2 GGH13 Multilinear Map
3.2 Main Theorem
3.3 Attackable BP Obfuscations
3.3.1 Randomization for Attackable Obfuscation Model
3.3.2 Encoding by Multilinear Map
3.3.3 Linear Relationally Inequivalent Branching Programs
3.4 Program Converting Technique
3.4.1 Converting to R Program
3.4.2 Recovering and Converting to R/ Program
3.4.3 Analysis of the Converting Technique
3.5 Matrix Zeroizing Attack
3.5.1 Existing BP Obfuscations
3.5.2 Attackable BP Obfuscation, General Case
4 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH15 Multilinear Map
4.1 Preliminaries
4.1.1 Notations
4.2 Statistical Zeroizing Attack
4.2.1 Distinguishing Distributions using Sample Variance
4.3 Cryptanalysis of CVW Obfuscation
4.3.1 Construction of CVW Obfuscation
4.3.2 Cryptanalysis of CVW Obfuscation
4.4 Cryptanalysis of BGMZ Obfuscation
4.4.1 Construction of BGMZ Obfuscation
4.4.2 Cryptanalysis of BGMZ Obfuscation
5 Conclusions
6 Appendix
6.1 Appendix of Chapter 3
6.1.1 Extended Attackable Model
6.1.2 Examples of Matrix Zeroizing Attack
6.1.3 Examples of Linear Relationally Inequivalent BPs
6.1.4 Read-once BPs from NFA
6.1.5 Input-unpartitionable BPs from Barrington's Theorem
6.2 Appendix of Chapter 4
6.2.1 Simple GGH15 Obfuscation
6.2.2 Modified CVW Obfuscation
6.2.3 Transformation of Branching Programs
6.2.4 Modification of CVW Obfuscation
6.2.5 Assumptions of Lattice Preimage Sampling
6.2.6 Useful Tools for Computing the Variances
6.2.7 Analysis of CVW Obfuscation
6.2.8 Analysis of BGMZ Obfuscation
Abstract (in Korean)
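The thesis above works throughout with matrix branching programs (Section 2.4) that are first randomized (Section 3.3.1) and only then encoded with a multilinear map, and its appendix obtains input-unpartitionable programs from Barrington's theorem. The Python example below is added here and is not code from the thesis or from any obfuscator it cites: it builds a width-5 permutation branching program for a small formula with Barrington's commutator construction, evaluates it, and applies Kilian-style randomization over GF(Q) with random invertible matrices. The modulus Q = 257, the formula and the two 5-cycles SIGMA and TAU are arbitrary choices for the illustration; the multilinear-map encoding that the attacks on this page target sits on top of this step and is not modelled.

```python
# Matrix branching programs over S5 permutation matrices (Barrington's construction)
# with Kilian-style randomization.  Added illustration; not code from the thesis or
# from any obfuscator cited on this page.  Q, the formula and the two 5-cycles are
# arbitrary choices for the example.
import itertools
import random

IDENT = (0, 1, 2, 3, 4)
SIGMA = (1, 2, 3, 4, 0)   # the 5-cycle (0 1 2 3 4)
TAU = (2, 0, 4, 1, 3)     # the 5-cycle (0 2 4 3 1); its commutator with SIGMA is again a 5-cycle
Q = 257                   # modulus for the randomized program (assumption)

def compose(p, q):        # permutation "apply p, then q"
    return tuple(q[p[i]] for i in range(len(p)))

def inverse(p):           # inv[p[i]] == i
    return tuple(sorted(range(len(p)), key=lambda i: p[i]))

def perm_matrix(p):       # row i has its 1 in column p[i], so M_p * M_q == M_{compose(p, q)}
    return [[int(p[i] == j) for j in range(len(p))] for i in range(len(p))]

def matmul(A, B, mod=None):
    C = [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
         for i in range(len(A))]
    return [[c % mod for c in row] for row in C] if mod else C

def conjugator(rho, target):
    """pi with pi^-1 . rho . pi == target (both arguments must be 5-cycles)."""
    pi, a, b = [0] * len(rho), 0, 0
    for _ in range(len(rho)):
        pi[a] = b                       # map the k-th element of rho's cycle to target's
        a, b = rho[a], target[b]
    return tuple(pi)

def conjugate(layers, pi):
    """Cycle rho -> pi^-1 . rho . pi: multiply the first layer by P_{pi^-1} on the
    left and the last layer by P_pi on the right; the identity case stays identity."""
    left, right = perm_matrix(inverse(pi)), perm_matrix(pi)
    v, m0, m1 = layers[0]
    layers = [(v, matmul(left, m0), matmul(left, m1))] + layers[1:]
    v, m0, m1 = layers[-1]
    return layers[:-1] + [(v, matmul(m0, right), matmul(m1, right))]

def barrington(formula, rho):
    """Layers (input index, M0, M1) whose product is I if formula(x) == 0 and P_rho
    if formula(x) == 1.  Formulas: ('var', i), ('not', f), ('and', f, g)."""
    if formula[0] == "var":
        return [(formula[1], perm_matrix(IDENT), perm_matrix(rho))]
    if formula[0] == "not":
        layers = barrington(formula[1], inverse(rho))       # I or P_{rho^-1}
        fixed = perm_matrix(rho)                             # a constant layer swaps the two cases
        return layers + [(layers[-1][0], fixed, fixed)]
    f, g = formula[1], formula[2]                            # 'and': the commutator trick
    layers = (barrington(f, SIGMA) + barrington(g, TAU)
              + barrington(f, inverse(SIGMA)) + barrington(g, inverse(TAU)))
    comm = compose(compose(compose(SIGMA, TAU), inverse(SIGMA)), inverse(TAU))
    return conjugate(layers, conjugator(comm, rho))

def evaluate(layers, x, mod=None):
    acc = perm_matrix(IDENT)
    for var, m0, m1 in layers:
        acc = matmul(acc, m1 if x[var] else m0, mod)
    return acc

def eval_bit(layers, x, mod=None):      # output 1 iff the product is not the identity
    return int(evaluate(layers, x, mod) != perm_matrix(IDENT))

def invert_mod(M, mod):
    """Gauss-Jordan inverse over GF(mod); None if M is singular."""
    n = len(M)
    A = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c] % mod), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        inv = pow(A[c][c], -1, mod)
        A[c] = [(v * inv) % mod for v in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                A[r] = [(a - A[r][c] * b) % mod for a, b in zip(A[r], A[c])]
    return [row[n:] for row in A]

def random_invertible(n, mod, rng):
    while True:
        R = [[rng.randrange(mod) for _ in range(n)] for _ in range(n)]
        Rinv = invert_mod(R, mod)
        if Rinv is not None:
            return R, Rinv

def kilian_randomize(layers, mod, rng):
    """M_i -> R_{i-1}^-1 . M_i . R_i with R_0 = R_h = I: every one-matrix-per-layer
    product is unchanged, while each layer on its own is a random-looking matrix."""
    ident = (perm_matrix(IDENT), perm_matrix(IDENT))
    R = [ident] + [random_invertible(len(IDENT), mod, rng) for _ in layers[1:]] + [ident]
    return [(var, matmul(matmul(R[i][1], m0, mod), R[i + 1][0], mod),
                  matmul(matmul(R[i][1], m1, mod), R[i + 1][0], mod))
            for i, (var, m0, m1) in enumerate(layers)]

def demo(seed=2020):
    rng = random.Random(seed)
    formula = ("and", ("var", 0), ("not", ("and", ("var", 1), ("var", 2))))  # x0 AND NOT(x1 AND x2)
    bp = barrington(formula, SIGMA)
    rbp = kilian_randomize(bp, Q, rng)
    results = {x: (eval_bit(bp, x), eval_bit(rbp, x, Q)) for x in itertools.product((0, 1), repeat=3)}
    return bp, results
```

`demo()` returns the 12-layer program and, for every 3-bit input, the output of the plain and of the randomized program; the two agree on all inputs because the randomizers cancel in every honest product. Note what the randomization does not hide: the set of layers, which input bit each layer reads, and the result of any product that mixes matrices from different inputs, which is exactly the kind of structure the mixed-input and zeroizing attacks on this page exploit once the encodings leak something about the underlying matrices.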
Cryptanalyses of Branching Program Obfuscations over GGH13 Multilinear Map from the NTRU Problem
In this paper, we propose cryptanalyses of all existing indistinguishability obf-uscation (iO) candidates based on branching programs (BP) over the GGH13 multilinear map for all recommended parameter settings. To achieve this, we introduce two novel techniques, program converting using an NTRU solver and matrix zeroizing, which apply to a wider range of obfuscation constructions and BPs than previous attacks. We then prove that, for the suggested parameters, the existing general-purpose BP obfuscations over GGH13 do not have the desired security. In particular, the first candidate indistinguishability obfuscation with input-unpartitionable branching programs (FOCS 2013) and the recent BP obfuscation (TCC 2016) are not secure against our attack when they use GGH13 with the recommended parameters. Previously, no polynomial-time attack was known for these cases.
Our attack shows that the lattice dimension of GGH13 must be set much larger than previously thought in order to maintain security. More precisely, the underlying lattice dimension of GGH13 should be set to to rule out attacks from the subfield algorithm for NTRU where is the multilinearity level and the security parameter.
Cryptanalysis of indistinguishability obfuscation using GGH13 without ideals
Recently, Albrecht, Davidson and Larraia described a variant of GGH13 without ideals and presented distinguishing attacks in a simplified branching-program security model. Their result partially demonstrates that there seems to be a structural defect in the GGH13 encoding that is not related to the ideal . However, it was not clear whether a variant of the CGH attack described by Chen, Gentry and Halevi can be used to break a branching program obfuscator instantiated with GGH13 without ideals; consequently this was left as an open problem by Albrecht, Davidson and Larraia. In this paper, we describe a variant of the CGH attack which breaks the branching program obfuscator using GGH13 without ideals. To achieve this goal, we introduce matrix approximate eigenvalues and establish a relationship between the determinant and the rank of a matrix with noise. Our result further strengthens the work of Albrecht, Davidson and Larraia: there is a structural weakness in `GGH13-type' encodings beyond the presence of
Frontiers in Lattice Cryptography and Program Obfuscation
In this dissertation, we explore the frontiers of the theory of cryptography along two lines. In the first direction, we explore lattice cryptography, the primary sub-area of post-quantum cryptographic research.
Our first contribution is the construction of a deniable attribute-based encryption scheme from lattices. A deniable encryption scheme is secure not only against eavesdropping attacks, as required by semantic security, but also against stronger coercion attacks performed after the fact. An attribute-based encryption scheme allows ``fine-grained'' access to ciphertexts, allowing a decryption access policy to be embedded in ciphertexts and keys. We achieve both properties simultaneously for the first time from lattices.
Our second contribution is the construction of a digital signature scheme that enjoys both short signatures and a completely tight security reduction from lattices. As a matter of independent interest, we give an improved method of randomized inversion of the G gadget matrix, which reduces the noise growth rate in homomorphic evaluations performed in a large number of lattice-based cryptographic schemes, without incurring the high cost of sampling discrete Gaussians.
In the second direction, we explore Cryptographic Program Obfuscation. A program obfuscator is a type of cryptographic software compiler that outputs executable code with the guarantee that ``whatever can be hidden about the internal workings of program code, is hidden.'' Indeed, program obfuscation can be viewed as a ``universal and cryptographically-complete'' tool.
Our third contribution is the first full-scale implementation of secure program obfuscation in software. Our toolchain takes code written in a C-like programming language, specialized for cryptography, and produces secure, obfuscated software.
Our fourth contribution is a new cryptanalytic attack against a variety of ``early'' program obfuscation candidates. We provide a general, efficiently testable property for any two branching programs, called partial inequivalence, which we show is sufficient for launching an ``annihilation attack'' against several obfuscation candidates based on Garg-Gentry-Halevi multilinear maps.
Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13
In this work, we present a new class of polynomial-time attacks on the original multilinear maps of Garg, Gentry, and Halevi (2013). Previous polynomial-time attacks on GGH13 were ``zeroizing'' attacks that generally required the availability of low-level encodings of zero. Most significantly, such zeroizing attacks were not applicable to candidate indistinguishability obfuscation (iO) schemes. iO has been the subject of intense study.
To address this gap, we introduce annihilation attacks, which attack multilinear maps using non-linear polynomials. Annihilation attacks can work in situations where there are no low-level encodings of zero. Using annihilation attacks, we give the first polynomial-time cryptanalysis of candidate iO schemes over GGH13. More specifically, we exhibit two simple programs that are functionally equivalent, and show how to efficiently distinguish between the obfuscations of these two programs.
Given the enormous applicability of iO, it is important to devise iO schemes that can avoid attack. We discuss some initial directions for safeguarding against annihilation attacks.
Zeroizing Attacks on Indistinguishability Obfuscation over CLT13
In this work, we describe a new polynomial-time attack on the multilinear maps of Coron, Lepoint, and Tibouchi (CLT13), when used in candidate iO schemes. More specifically, we show that given the obfuscation of the simple branching program that computes the always-zero functionality previously considered by Miles, Sahai and Zhandry (Crypto 2016), one can recover the secret parameters of CLT13 in polynomial time via an extension of the zeroizing attack of Coron et al. (Crypto 2015). Our attack generalizes to arbitrary oblivious branching programs for arbitrary functionality, and allows (1) to recover the secret parameters of CLT13, and then (2) to recover the randomized branching program entirely. Our analysis thus shows that several of the single-input variants of iO over CLT13 are insecure.
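The always-zero branching program is also the natural test case for the statistical zeroizing attack in the thesis entry at the top of this page (Section 4.2.1, distinguishing distributions by sample variance): two candidate programs compute the same function on every input, yet the noise that the zero-test leaks has a program-dependent variance. The Python example below is an added, deliberately simplified model and not the thesis's analysis of CVW or BGMZ, nor a GGH15 implementation. Instead of lattice trapdoor sampling, the error matrix E_i and the preimage matrix D_i of every encoding are drawn as independent Gaussian matrices (an assumption), all matrices are square, and only the error term that a GGH15-style chain leaves behind, sum_i S_1...S_{i-1} E_i D_{i+1}...D_h, is computed. The two candidates (identity matrices versus scaled identity matrices, both ending in a zero matrix so that every input evaluates to zero) and the sizes W, H and the scale factors are chosen to exaggerate the effect. The attacker evaluates the challenge obfuscation on every input, takes the sample variance of the zero-test outputs, and compares it with the variance it predicts for each public candidate by running the obfuscation on that candidate itself.

```python
# Sample-variance distinguisher for two functionally equivalent branching programs,
# after the statistical zeroizing idea.  Added illustration with a constructed noise
# model: NOT the thesis's CVW/BGMZ analysis and NOT a GGH15 implementation (no
# lattice trapdoors; Gaussian matrices stand in for errors and preimages).
import itertools
import math
import random
import statistics

W, H = 3, 7   # matrix width and number of steps (assumed toy sizes)

def zero(n):
    return [[0.0] * n for _ in range(n)]

def identity(n, scale=1.0):
    return [[scale if i == j else 0.0 for j in range(n)] for i in range(n)]

def gauss_matrix(n, rng):
    return [[rng.gauss(0.0, 1.0) for _ in range(n)] for _ in range(n)]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

def chain_product(mats):
    acc = identity(W)
    for M in mats:
        acc = matmul(acc, M)
    return acc

def always_zero_program(scale):
    """Two plaintext matrices per step (one per value of the input bit read there).
    The last step is the zero matrix, so every input multiplies to zero; `scale`
    only changes the size of the intermediate matrices, not the function computed."""
    return [[identity(W, scale), identity(W, scale)] for _ in range(H - 1)] + [[zero(W), zero(W)]]

def plaintext_is_always_zero(program):
    return all(chain_product([program[i][b] for i, b in enumerate(x)]) == zero(W)
               for x in itertools.product((0, 1), repeat=H))

def obfuscate(program, rng):
    """Toy stand-in for a GGH15 chain: each plaintext matrix S_i gets a fresh error
    matrix E_i and a 'preimage' matrix D_i, both Gaussian here (an assumption)."""
    return [{"S": step, "E": [gauss_matrix(W, rng), gauss_matrix(W, rng)],
             "D": [gauss_matrix(W, rng), gauss_matrix(W, rng)]} for step in program]

def zero_test(obf, x):
    """Entry (0,0) of sum_i S_1..S_{i-1} * E_i * D_{i+1}..D_h, the error term a GGH15-style
    chain leaves behind when the plaintext product is zero (square matrices assumed)."""
    S = [step["S"][b] for step, b in zip(obf, x)]
    E = [step["E"][b] for step, b in zip(obf, x)]
    D = [step["D"][b] for step, b in zip(obf, x)]
    prefix = [identity(W)]                 # prefix[i] = S_1 ... S_{i-1}
    for M in S[:-1]:
        prefix.append(matmul(prefix[-1], M))
    suffix = [identity(W)]                 # suffix[i] = D_{i+1} ... D_h
    for M in reversed(D[1:]):
        suffix.append(matmul(M, suffix[-1]))
    suffix.reverse()
    return sum(matmul(matmul(prefix[i], E[i]), suffix[i])[0][0] for i in range(H))

def sample_variance(obf):
    """The attacker's statistic: variance of the zero-test output over all inputs."""
    return statistics.pvariance([zero_test(obf, x) for x in itertools.product((0, 1), repeat=H)])

def reference_variance(program, rng, trials=4):
    """What the attacker expects for a public candidate: it can run the (randomized)
    obfuscation itself, since only the randomness, not the construction, is secret."""
    return statistics.mean(sample_variance(obfuscate(program, rng)) for _ in range(trials))

def distinguish(obf, p0, p1, rng):
    """Guess which candidate was obfuscated: nearest reference variance on a log scale."""
    v, v0, v1 = sample_variance(obf), reference_variance(p0, rng), reference_variance(p1, rng)
    return 0 if abs(math.log(v) - math.log(v0)) <= abs(math.log(v) - math.log(v1)) else 1

def demo(seed=7):
    rng = random.Random(seed)
    p0, p1 = always_zero_program(1.0), always_zero_program(8.0)
    # the challenger obfuscates P0 and then P1; the attacker's guesses should be [0, 1]
    return [distinguish(obfuscate(p, rng), p0, p1, rng) for p in (p0, p1)]
```

The point of the toy is the shape of the attack, not the numbers: no zero-test ever fails, the plaintext products are identical, and the decision rests entirely on the second moment of the noise, which an algebraic (zero-test-only) security model does not account for. The thesis derives the variances of the real CVW and BGMZ zero-test outputs rather than simulating them (see Appendix 6.2.6 in the table of contents above), and the gap between the two candidates there is far smaller than the exaggerated one used here, which is why it needs many inputs to resolve it.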
An Alternative View of the Graph-Induced Multilinear Maps
In this paper, we view multilinear maps through the lens of ``homomorphic obfuscation''. Specifically, we show how to homomorphically obfuscate the kernel-test and affine subspace-test functionalities of high-dimensional matrices. Namely, the evaluator is able to perform additions and multiplications over the obfuscated matrices, and test subspace memberships on the resulting code. The homomorphic operations are constrained by the prescribed data structure, e.g. a tree or a graph, in which the matrices are stored. The security properties of all the constructions are based on the hardness of the Learning With Errors (LWE) problem. The technical heart is to ``control the chain reactions'' over a sequence of LWE instances.
Viewing the homomorphic obfuscation scheme from a different angle, it coincides with the graph-induced multilinear maps proposed by Gentry, Gorbunov and Halevi (GGH15). Our proof technique recognizes several ``safe modes'' of GGH15 that were not known before, including a simple special case: if the graph is acyclic and the matrices are sampled independently from binary or error distributions, then the encodings of the matrices are pseudorandom.
Cryptanalyses of Candidate Branching Program Obfuscators
We describe new cryptanalytic attacks on the candidate branching program obfuscator proposed by Garg, Gentry, Halevi, Raykova, Sahai and Waters (GGHRSW) using the GGH13 graded encoding, and on its variant using the GGH15 graded encoding as specified by Gentry, Gorbunov and Halevi. All our attacks require very specific structure of the branching programs being obfuscated, which in particular must have some input-partitioning property. Common to all our attacks are techniques to extract information about the ``multiplicative bundling'' scalars that are used in the GGHRSW construction.
For GGHRSW over GGH13, we show how to recover the ideal generating the plaintext space when the branching program has input partitioning. Combined with the information that we extract about the ``multiplicative bundling'' scalars, we get a distinguishing attack by an extension of the annihilation attack of Miles, Sahai and Zhandry. Alternatively, once we have the ideal we can solve the principal-ideal problem (PIP) in classical subexponential time or quantum polynomial time, hence obtaining a total break.
For the variant over GGH15, we show how to use the left-kernel technique of Coron, Lee, Lepoint and Tibouchi to recover ratios of the bundling scalars. Once we have the ratios of the scalar products, we can use factoring and PIP solvers (in classical subexponential time or quantum polynomial time) to find the scalars themselves, then run mixed-input attacks to break the obfuscation.
Indistinguishability Obfuscation Without Maps: Attacks and Fixes for Noisy Linear FE
Candidates of Indistinguishability Obfuscation (iO) can be categorized as ``direct'' or ``bootstrapping based''. Direct constructions rely on high degree multilinear maps [GGH13,GGHRSW13] and provide heuristic guarantees, while bootstrapping based constructions [LV16,Lin17,LT17,AJLMS19,Agr19,JLMS19] rely, in the best case, on bilinear maps as well as new variants of the Learning With Errors (LWE) assumption and pseudorandom generators. Recent times have seen exciting progress in the construction of indistinguishability obfuscation (iO) from bilinear maps (along with other assumptions) [LT17,AJLMS19,JLMS19,Agr19].
As a notable exception, a recent work by Agrawal [Agr19] provided a construction for iO without using any maps. This work identified a new primitive, called Noisy Linear Functional Encryption (NLinFE) that provably suffices for iO and gave a direct construction of NLinFE from new assumptions on lattices. While a preliminary cryptanalysis for the new assumptions was provided in the original work, the author admitted the necessity of performing significantly more cryptanalysis before faith could be placed in the security of the scheme. Moreover, the author did not suggest concrete parameters for the construction.
In this work, we fill this gap by undertaking the task of thorough cryptanalytic study of NLinFE. We design two attacks that let the adversary completely break the security of the scheme. To achieve this, we develop new cryptanalytic techniques which (we hope) will inform future designs of the primitive of NLinFE.
From the knowledge gained by our cryptanalytic study, we suggest modifications to the scheme. We provide a new scheme which overcomes the vulnerabilities identified before. We also provide a thorough analysis of all the security aspects of this scheme and argue why plausible attacks do not work. We additionally provide concrete parameters with which the scheme may be instantiated. We believe the security of NLinFE stands on significantly firmer footing as a result of this work.
Zeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations
We extend the recent zeroizing attacks of Cheon, Han, Lee, Ryu and Stehlé (Eurocrypt'15) on multilinear maps to settings where no encodings of zero below the maximal level are available. Some of the new attacks apply to the CLT13 scheme (resulting in a total break) while others apply to (a variant of) the GGH13 scheme (resulting in a weak-DL attack). We also note the limits of these zeroizing attacks.