구분불가능한 난독화의 수학적분석에 관한 연구

학위논문(박사)--서울대학교 대학원 :자연과학대학 수리과학부,2020. 2. 천정희.Indistinguishability obfuscation (iO) is a weak notion of the program obfuscation which requires that if two functionally equivalent circuits are given, their obfuscated programs are indistinguishable. The existence of iO implies numerous cryptographic primitives such as multilinear map, functional encryption, non interactive multi-party key exchange. In gen- eral, many iO schemes are based on branching programs, and candidates of multilinear maps represented by GGH13, CLT13 and GGH15. In this thesis, we present cryptanalyses of branching program based iO over multilinear maps GGH13 and GGH15. First, we propose cryptanaly- ses of all existing branching program based iO schemes over GGH13 for all recommended parameter settings. To achieve this, we introduce two novel techniques, program converting using NTRU-solver and matrix zeroiz- ing, which can be applied to a wide range of obfuscation constructions. We then show that there exists polynomial time reduction from the NTRU problem to all known branching program based iO over GGH13. Moreover, we propose a new attack on iO based on GGH15 which exploits statistical properties rather than algebraic approaches. We apply our attack to recent two obfuscations called CVW and BGMZ obfuscations. Thus, we break the CVW obfuscation under the current parameter setup, and show that algebraic security model of BGMZ obfuscation is not enough to achieve ideal security. We show that our attack is lying outside of the algebraic security model by presenting some parameters not captured by the proof of the model.기능성이 같은 두 프로그램과, 그 난독화된 프로그램들이 있을 때, 난독화된 프로그 램들을 구분할 수 없다면 구분불가능한 난독화라고 한다. 구분불가능한 난독화가 존재한다면, 다중선형함수, 함수암호, 다자간 키교환 등 많은 암호학적인 응용들이 존재하기 때문에, 구분불가능한 난독화를 설계하는 것은 매우 중요한 문제 중 하나 이다. 일반적으로, 많은 구분불가능한 난독화들은 다중선형함수 GGH13, CLT13, GGH15를 기반으로 하여 설계되었다. 본 학위 논문에서는, 다중선형함수를 기반으로 하는 난독화 기술들에 대한 안 전성 분석을 진행한다. 먼저, GGH13 다중선형함수를 기반으로 하는 모든 난독화 기술들은 현재 파라미터 하에 안전하지 않음을 보인다. 프로그램 변환(program converting), 행렬 제로화 공격(matrix zeroizing attack)이라는 두 가지 새로운 방 법을 제안하여 안전성을 분석하였고, 그 결과, 현존하는 모든 GGH13 다중선형함수 기반 난독화 기술이 다항식 시간 내에 NTRU 문제로 환원됨을 보인다. 또한, GGH15 다중선형함수를 기반으로 하는 난독화 기술에 대한 통계적인 공격방법을 제안한다. 통계적 공격방법을 최신 기술인 CVW 난독화, BGMZ 난독 화에 적용하여, CVW 난독화가 현재 파라미터에서 안전하지 않음을 보인다. 또한 BGMZ 난독화에서 제안한 대수적 안전성 모델이 이상적인 난독화 기술을 설계하 는데 충분하지 않다는 것을 보인다. 실제로, BGMZ 난독화가 안전하지 않은 특이한 파라미터를 제안하여, 우리 공격이 BGMZ에서 제안한 안전성 모델에 해당하지 않 음을 보인다.1. Introduction 1 1.1 Indistinguishability Obfuscation 1 1.2 Contributions 4 1.2.1 Mathematical Analysis of iO based on GGH13 4 1.2.2 Mathematical Analysis of iO based on GGH15 5 1.3 List of Papers 6 2 Preliminaries 7 2.1 Basic Notations 7 2.2 Indistinguishability Obfuscation 8 2.3 Cryptographic Multilinear Map 9 2.4 Matrix Branching Program 10 2.5 Tensor product and vectorization . 11 2.6 Background Lattices . 12 3 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH13 Multilinear Map 13 3.1 Preliminaries 14 3.1.1 Notations 14 3.1.2 GGH13 Multilinear Map 14 3.2 Main Theorem 17 3.3 Attackable BP Obfuscations 18 3.3.1 Randomization for Attackable Obfuscation Model 20 3.3.2 Encoding by Multilinear Map 21 3.3.3 Linear Relationally Inequivalent Branching Programs 22 3.4 Program Converting Technique 23 3.4.1 Converting to R Program 24 3.4.2 Recovering and Converting to R/ Program 27 3.4.3 Analysis of the Converting Technique 28 3.5 Matrix Zeroizing Attack 29 3.5.1 Existing BP Obfuscations 31 3.5.2 Attackable BP Obfuscation, General Case 34 4 Mathematical Analysis of Indistinguishability Obfuscation based on the GGH15 Multilinear Map 37 4.1 Preliminaries 38 4.1.1 Notations 38 4.2 Statistical Zeroizing Attack . 39 4.2.1 Distinguishing Distributions using Sample Variance 42 4.3 Cryptanalysis of CVW Obfuscation 44 4.3.1 Construction of CVW Obfuscation 45 4.3.2 Cryptanalysis of CVW Obfuscation 48 4.4 Cryptanalysis of BGMZ Obfuscation 56 4.4.1 Construction of BGMZ Obfuscation 56 4.4.2 Cryptanalysis of BGMZ Obfuscation 59 5 Conclusions 65 6 Appendix 66 6.1 Appendix of Chapter 3 66 6.1.1 Extended Attackable Model 66 6.1.2 Examples of Matrix Zeroizing Attack 68 6.1.3 Examples of Linear Relationally Inequivalent BPs 70 6.1.4 Read-once BPs from NFA 70 6.1.5 Input-unpartitionable BPs from Barringtons Theorem 71 6.2 Appendix of Chapter 5 73 6.2.1 Simple GGH15 obfuscation 73 6.2.2 Modified CVW Obfuscation . 75 6.2.3 Transformation of Branching Programs 76 6.2.4 Modification of CVW Obfuscation 77 6.2.5 Assumptions of lattice preimage sampling 78 6.2.6 Useful Tools for Computing the Variances 79 6.2.7 Analysis of CVW Obfuscation 84 6.2.8 Analysis of BGMZ Obfuscation 97 Abstract (in Korean) 117Docto

Obfuscating Conjunctions under Entropic Ring LWE

We show how to securely obfuscate conjunctions, which are functions f(x[subscript 1], . . . , x[subscript n]) = ∧[subscript i∈I] y[superscript i] where I ⊆ [n] and each literal y[subscript i] is either just x[subscript i] or ¬x[subscript i] e.g., f(x[subscript 1], . . . , x_n) = x[subscript 1] ⊆ ¬ x[subscript 3] ⊆ ¬ x[subscript 7] · · · ⊆ x[subscript n−1]. Whereas prior work of Brakerski and Rothblum (CRYPTO 2013) showed how to achieve this using a non-standard object called cryptographic multilinear maps, our scheme is based on an “entropic” variant of the Ring Learning with Errors (Ring LWE) assumption. As our core tool, we prove that hardness assumptions on the recent multilinear map construction of Gentry, Gorbunov and Halevi (TCC 2015) can be established based on entropic Ring LWE. We view this as a first step towards proving the security of additional multilinear map based constructions, and in particular program obfuscators, under standard assumptions. Our scheme satisfies virtual black box (VBB) security, meaning that the obfuscated program reveals nothing more than black-box access to f as an oracle, at least as long as (essentially) the conjunction is chosen from a distribution having sufficient entropy

Simultaneous Diagonalization of Incomplete Matrices and Applications

We consider the problem of recovering the entries of diagonal matrices $\{U_a\}_a$ for $a = 1,\ldots,t$ from multiple "incomplete" samples $\{W_a\}_a$ of the form $W_a=PU_aQ$, where $P$ and $Q$ are unknown matrices of low rank. We devise practical algorithms for this problem depending on the ranks of $P$ and $Q$. This problem finds its motivation in cryptanalysis: we show how to significantly improve previous algorithms for solving the approximate common divisor problem and breaking CLT13 cryptographic multilinear maps.Comment: 16 page

Variation of GGH15 Multilinear Maps

Recently, Coron presented an attack of GGH15 multilinear maps, which breaks the multipartite Diffie-Hellman key exchange protocol based on GGH15. In this paper, we describe a variation of GGH15, which seems to thwart known attacks

On the statistical leak of the GGH13 multilinear map and some variants

At EUROCRYPT 2013, Garg, Gentry and Halevi proposed a candidate construction (later referred as GGH13) of cryptographic multilinear map (MMap). Despite weaknesses uncovered by Hu and Jia (EUROCRYPT 2016), this candidate is still used for designing obfuscators.The naive version of the GGH13 scheme was deemed susceptible to averaging attacks, i.e., it could suffer from a statistical leak (yet no precise attack was described). A variant was therefore devised, but it remains heuristic. Recently, to obtain MMaps with low noise and modulus, two variants of this countermeasure were developed by Döttling et al. (EPRINT:2016/599).In this work, we propose a systematic study of this statistical leakage for all these GGH13 variants. In particular, we confirm the weakness of the naive version o

Multilinear maps via secret ring

Garg, Gentry and Halevi (GGH13) described the first candidate multilinear maps using ideal lattices. However, Hu and Jia recently presented an efficient attack on the GGH13 map, which breaks the multipartite key exchange (MPKE) and witness encryption (WE) based on GGH13. In this work, we describe a new variant of GGH13 using secret ring, which preserves the origin functionality of GGH13. The security of our variant depends upon the following new hardness problem. Given the determinant of the circular matrix of some element in a secret ring, the problem is to find this secret ring and reconstruct this element

Mathematical Analysis of Cryptographic Multilinear Maps

학위논문 (박사)-- 서울대학교 대학원 자연과학대학 수리과학부, 2017. 8. 천정희.Multilinear maps are a very powerful tool in cryptography. Nonetheless, to date, only three types of multilinear maps have been published relying on a graded encoding scheme. The first candidate is proposed by Garg, Gentry, and Halevi (GGH) relying on an ideal lattice [GGH13a], the second one is dened on integers as established by Coron, Lepoint, and Tibouchi (CLT) [CLT13], and the last one is provided by Gentry, Gorbunov, and Halevi (GGH15) relying on a graph induced graded encoding scheme [GGH15]. These multilinear maps have led to a number of applications in cryptography such as one round key exchange protocol, witness encryptions, and even indistinguishable obfuscations. The security of the applications depends on some hardness problems derived from a graded encoding scheme. However, none of them have reduction to well-known hard problems. For that reasons, many researches attempt to investigate the hardness of the problems. Actually, when low-level encodings of zero are given, the GGH scheme is known to be insecure by Hu and Jia [HJ16] and the last candidate of a multilinear map GGH15 is known to be insecure [CLLT16]. In the thesis, we describe an algebraic analysis on the hardness problems of two GGH and CLT multilinear maps. Common to two candidates are constructed by graded encoding schemes and provide an additional public information zerotesting parameter, which is used to determine whether the hidden message is zero or not. Exploiting the structure of graded encoding scheme and additional input, we study how to solve the hardness problems in three cases. First, we show another approach to break the GGH scheme with low level encodings of zero. According to the original GGH paper, finding a short vector for a given principal ideal lattice enables to break the scheme. Therefore, the parameters are set to be invulnerable to the best known algorithm for finding a short vector on ideal lattice. By proposing an improved lattice reduction algorithm to find a short vector, we prove that the multilinear map is broken within quasi polynomial time of the suggested parameters. Second, we describe that how to construct a level-0 encoding of zero from GGH public parameter without level encodings of zero in the quasi polynomial time of the suggested parameters. The obtained encoding of zero serves as a low level encoding of zero in the first study. Thus we also show that GGH without low level encodings of zero is insecure. Finally, for CLT scheme with low level encodings of zero, we attempt to reveal the all secret elements of scheme in polynomial time. By multiplying encodings of zero to zerotesting parameter appropriately, one can obtain an integer matrix of secret quantities. Next we recover the secret elements by computing eigenvalues.Abstract i 1 Introduction 1 1.1 Multilinear maps . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2.1 Analysis of the GGH scheme . . . . . . . . . . . . . . . 3 1.2.2 Analysis of the CLT scheme . . . . . . . . . . . . . . . 5 2 Preliminaries 7 2.1 Notations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.2 Graded encoding Schemes and Multilinear map Procedure. . . 8 2.3 Hardness Problems. . . . . . . . . . . . . . . . . . . . . . . . . 11 3 Multilinear maps over the Ideal Lattices and Its Analysis 13 3.1 GGH13 Multilinear maps . . . . . . . . . . . . . . . . . . . . . 14 3.2 Basic Notions . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.3 Attack on GGH with low level encodings of zero . . . . . . . . 19 3.3.1 Sublattice Algorithm . . . . . . . . . . . . . . . . . . . 21 3.4 Attack on GGH with top level encodings of zero . . . . . . . . 24 3.4.1 Overstretched NTRU Problem and Its Analysis . . . . 25 4 Multilinear Maps over the Integers and Its Analysis 38 4.1 The CLT13 Multilinear Map. . . . . . . . . . . . . . . . . . . 39 4.2 CRT-ACD with auxiliary input and Its Analysis . . . . . . . . 42 4.2.1 Application to CLT Schemes . . . . . . . . . . . . . . . 47 4.3 Analysis of the Related Problems. . . . . . . . . . . . . . . . . 50 4.3.1 Solving the CLT SubM Problem . . . . . . . . . . . . . 55 4.3.2 Solving the CLT DLIN Problem . . . . . . . . . . . . . 56 4.3.3 Solving the CLT GXDH Problem . . . . . . . . . . . . 57 5 Conclusions 59 Abstract (in Korean) 67 Acknowledgement (in Korean) 68Docto

A Subfield Lattice Attack on Overstretched NTRU Assumptions:Cryptanalysis of Some FHE and Graded Encoding Schemes

International audienc