303 research outputs found

    Cryptanalysis of the New Multilinear Map over the Integers

    This article describes a polynomial attack on the new multilinear map over the integers presented by Coron, Lepoint and Tibouchi at CRYPTO 2015 (CLT15). This version is a fix of the first multilinear map over the integers presented by the same authors at CRYPTO 2013 (CLT13) and broken by Cheon et al. at EUROCRYPT 2015. The attack essentially downgrades CLT15 to its original version CLT13, and leads to a full break of the multilinear map for virtually all applications. In addition to the main attack, we present an alternate probabilistic attack underpinned by a different technique, as well as an instant-time attack on the optimized variant of the scheme.

    Cryptanalysis of the New CLT Multilinear Map over the Integers

    Multilinear maps serve as a basis for a wide range of cryptographic applications. The first candidate construction of multilinear maps was proposed by Garg, Gentry, and Halevi in 2013, and soon afterwards, another construction was suggested by Coron, Lepoint, and Tibouchi (CLT13), which works over the integers. However, both of these were found to be insecure in the face of so-called zeroizing attacks, by Hu and Jia, and by Cheon, Han, Lee, Ryu and Stehlé. To improve on CLT13, Coron, Lepoint, and Tibouchi proposed another candidate construction of multilinear maps over the integers at Crypto 2015 (CLT15). This article presents two polynomial attacks on the CLT15 multilinear map, which share ideas similar to the cryptanalysis of CLT13. Our attacks allow recovery of all secret parameters in time polynomial in the security parameter, and lead to a full break of the CLT15 multilinear map for virtually all applications.

    Simultaneous Diagonalization of Incomplete Matrices and Applications

    We consider the problem of recovering the entries of diagonal matrices $\{U_a\}_a$ for $a = 1, \ldots, t$ from multiple "incomplete" samples $\{W_a\}_a$ of the form $W_a = P U_a Q$, where $P$ and $Q$ are unknown matrices of low rank. We devise practical algorithms for this problem depending on the ranks of $P$ and $Q$. This problem finds its motivation in cryptanalysis: we show how to significantly improve previous algorithms for solving the approximate common divisor problem and breaking CLT13 cryptographic multilinear maps. Comment: 16 pages.

    A Study on the Mathematical Analysis of Indistinguishability Obfuscation

    Thesis (Ph.D.)--Seoul National University Graduate School: College of Natural Sciences, Department of Mathematical Sciences, 2020. 2. Jung Hee Cheon. Indistinguishability obfuscation (iO) is a weak notion of program obfuscation which requires that if two functionally equivalent circuits are given, their obfuscated programs are indistinguishable. The existence of iO implies numerous cryptographic primitives such as multilinear maps, functional encryption, and non-interactive multi-party key exchange. In general, many iO schemes are based on branching programs and on candidate multilinear maps represented by GGH13, CLT13 and GGH15. In this thesis, we present cryptanalyses of branching-program-based iO over the multilinear maps GGH13 and GGH15. First, we propose cryptanalyses of all existing branching-program-based iO schemes over GGH13 for all recommended parameter settings. To achieve this, we introduce two novel techniques, program converting using an NTRU solver and matrix zeroizing, which can be applied to a wide range of obfuscation constructions. We then show that there exists a polynomial-time reduction from the NTRU problem to all known branching-program-based iO over GGH13. Moreover, we propose a new attack on iO based on GGH15 which exploits statistical properties rather than algebraic approaches. We apply our attack to two recent obfuscations, the CVW and BGMZ obfuscations. Thus, we break the CVW obfuscation under the current parameter setup, and show that the algebraic security model of the BGMZ obfuscation is not enough to achieve ideal security. We show that our attack lies outside the algebraic security model by presenting some parameters not captured by the proof of the model.

    Korean abstract (translated): Given two programs with the same functionality and their obfuscated versions, if the obfuscated programs cannot be distinguished, the obfuscation is called indistinguishability obfuscation. Since the existence of indistinguishability obfuscation implies many cryptographic applications such as multilinear maps, functional encryption and multi-party key exchange, designing indistinguishability obfuscation is one of the most important problems. In general, many indistinguishability obfuscations have been designed on the basis of the multilinear maps GGH13, CLT13 and GGH15. In this thesis, we analyze the security of obfuscation schemes based on multilinear maps. First, we show that all obfuscation schemes based on the GGH13 multilinear map are insecure under the current parameters. We propose two new methods, program converting and the matrix zeroizing attack, to analyze their security, and as a result show that all existing GGH13-based obfuscation schemes reduce to the NTRU problem in polynomial time. We also propose a statistical attack on obfuscation schemes based on the GGH15 multilinear map. Applying the statistical attack to the recent CVW and BGMZ obfuscations, we show that the CVW obfuscation is insecure under the current parameters. We also show that the algebraic security model proposed for the BGMZ obfuscation is not sufficient for designing an ideal obfuscation; in fact, we present unusual parameters under which the BGMZ obfuscation is insecure, showing that our attack is not covered by the security model proposed in BGMZ.

    Contents:
    1 Introduction
        1.1 Indistinguishability Obfuscation
        1.2 Contributions
            1.2.1 Mathematical Analysis of iO based on GGH13
            1.2.2 Mathematical Analysis of iO based on GGH15
        1.3 List of Papers
    2 Preliminaries
        2.1 Basic Notations
        2.2 Indistinguishability Obfuscation
        2.3 Cryptographic Multilinear Map
        2.4 Matrix Branching Program
        2.5 Tensor product and vectorization
        2.6 Background Lattices
    3 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH13 Multilinear Map
        3.1 Preliminaries
            3.1.1 Notations
            3.1.2 GGH13 Multilinear Map
        3.2 Main Theorem
        3.3 Attackable BP Obfuscations
            3.3.1 Randomization for Attackable Obfuscation Model
            3.3.2 Encoding by Multilinear Map
            3.3.3 Linear Relationally Inequivalent Branching Programs
        3.4 Program Converting Technique
            3.4.1 Converting to R Program
            3.4.2 Recovering and Converting to R/ Program
            3.4.3 Analysis of the Converting Technique
        3.5 Matrix Zeroizing Attack
            3.5.1 Existing BP Obfuscations
            3.5.2 Attackable BP Obfuscation, General Case
    4 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH15 Multilinear Map
        4.1 Preliminaries
            4.1.1 Notations
        4.2 Statistical Zeroizing Attack
            4.2.1 Distinguishing Distributions using Sample Variance
        4.3 Cryptanalysis of CVW Obfuscation
            4.3.1 Construction of CVW Obfuscation
            4.3.2 Cryptanalysis of CVW Obfuscation
        4.4 Cryptanalysis of BGMZ Obfuscation
            4.4.1 Construction of BGMZ Obfuscation
            4.4.2 Cryptanalysis of BGMZ Obfuscation
    5 Conclusions
    6 Appendix
        6.1 Appendix of Chapter 3
            6.1.1 Extended Attackable Model
            6.1.2 Examples of Matrix Zeroizing Attack
            6.1.3 Examples of Linear Relationally Inequivalent BPs
            6.1.4 Read-once BPs from NFA
            6.1.5 Input-unpartitionable BPs from Barrington's Theorem
        6.2 Appendix of Chapter 5
            6.2.1 Simple GGH15 obfuscation
            6.2.2 Modified CVW Obfuscation
            6.2.3 Transformation of Branching Programs
            6.2.4 Modification of CVW Obfuscation
            6.2.5 Assumptions of lattice preimage sampling
            6.2.6 Useful Tools for Computing the Variances
            6.2.7 Analysis of CVW Obfuscation
            6.2.8 Analysis of BGMZ Obfuscation
    Abstract (in Korean)

    A Closer Look at the Multilinear Cryptography using Nilpotent Groups

    In a previous paper we generalized the definition of a multilinear map to arbitrary groups and introduced two multiparty key-exchange protocols using nilpotent groups. In this paper we take a closer look at the protocols and address some incorrect cryptanalyses that have been proposed.

    Mathematical Analysis of Multilinear Maps over the Integers

    Thesis (Ph.D.)--Seoul National University Graduate School: Department of Mathematical Sciences, 2016. 8. Jung Hee Cheon. Multilinear maps have many cryptographic applications. To date, there are three types of multilinear maps: the first is constructed using ideal lattices, the second is defined over the integers, and the last is graph-induced. However, none of them has a reduction to a well-known hard problem. A more serious matter is that they are all proven insecure when low-level encodings of zero are provided. Especially for multilinear maps over the integers, construction and analysis are being repeated. At Crypto 2013, Coron, Lepoint, and Tibouchi proposed a multilinear map using the CRT (CLT13). However, it was shown to be insecure by the so-called CHLRS attack (CHL+15). Since then, several attempts have been made to repair the scheme, but they were quickly proven insecure by extended CHLRS attacks. The same authors revised their scheme at Crypto 2015 again. In this thesis, we describe attacks against CLT15. Our attacks share the essence of the cryptanalysis of CLT13 and exploit low-level encodings of zero, provided by a ladder, as well as other public parameters. As in CHL+15, this leads to finding all the secret parameters of $\kappa$-multilinear maps in time polynomial in the security parameter. As a result, CLT15 is fully broken for all possible applications, while the security of CLT13 is not known when low-level encodings are not provided.

    Contents:
    Chapter 1. Introduction
    Chapter 2. Introduction to Multilinear Maps
        2.1 Notation
        2.2 Multilinear Maps and Graded Encoding Schemes
        2.3 Multilinear Map Procedures
        2.4 Related Problems
    Chapter 3. Break and Repair
        3.1 The CLT13 Multilinear Map and CHLRS Attack
            3.1.1 The CLT13 Multilinear Map
            3.1.2 Zeroizing Attacks on CLT13
        3.2 The CLT15 Multilinear Map
    Chapter 4. Main Attack
        4.1 Computing $\phi$-values
        4.2 Computing Matrix Equation over Q
    Bibliography
    Abstract (in Korean)

    Obfuscating Conjunctions under Entropic Ring LWE

    We show how to securely obfuscate conjunctions, which are functions $f(x_1, \ldots, x_n) = \bigwedge_{i \in I} y_i$ where $I \subseteq [n]$ and each literal $y_i$ is either just $x_i$ or $\neg x_i$, e.g., $f(x_1, \ldots, x_n) = x_1 \wedge \neg x_3 \wedge \neg x_7 \cdots \wedge x_{n-1}$. Whereas prior work of Brakerski and Rothblum (CRYPTO 2013) showed how to achieve this using a non-standard object called cryptographic multilinear maps, our scheme is based on an "entropic" variant of the Ring Learning with Errors (Ring LWE) assumption. As our core tool, we prove that hardness assumptions on the recent multilinear map construction of Gentry, Gorbunov and Halevi (TCC 2015) can be established based on entropic Ring LWE. We view this as a first step towards proving the security of additional multilinear map based constructions, and in particular program obfuscators, under standard assumptions. Our scheme satisfies virtual black box (VBB) security, meaning that the obfuscated program reveals nothing more than black-box access to $f$ as an oracle, at least as long as (essentially) the conjunction is chosen from a distribution having sufficient entropy.

    Affine Determinant Programs: A Framework for Obfuscation and Witness Encryption

    An affine determinant program $\mathrm{ADP}: \{0,1\}^n \to \{0,1\}$ is specified by a tuple $(A, B_1, \ldots, B_n)$ of square matrices over $\mathbb{F}_q$ and a function $\mathrm{Eval}: \mathbb{F}_q \to \{0,1\}$, and is evaluated on $x \in \{0,1\}^n$ by computing $\mathrm{Eval}(\det(A + \sum_{i \in [n]} x_i B_i))$. In this work, we suggest ADPs as a new framework for building general-purpose obfuscation and witness encryption. We provide evidence to suggest that constructions following our ADP-based framework may one day yield secure, practically feasible obfuscation. As a proof of concept, we give a candidate ADP-based construction of indistinguishability obfuscation (iO) for all circuits along with a simple witness encryption candidate. We provide cryptanalysis demonstrating that our schemes resist several potential attacks, and leave further cryptanalysis to future work. Lastly, we explore practically feasible applications of our witness encryption candidate, such as public-key encryption with near-optimal key generation.