43 research outputs found

    Implementing Candidate Graded Encoding Schemes from Ideal Lattices

    Multilinear maps have become popular tools for designing cryptographic schemes since a first approximate realisation candidate was proposed by Garg, Gentry and Halevi (GGH). This construction was later improved by Langlois, Stehlé and Steinfeld, who proposed GGHLite, which offers smaller parameter sizes. In this work, we provide the first implementation of such approximate multilinear maps based on ideal lattices. Implementing GGH-like schemes naively would not allow instantiating them for non-trivial parameter sizes. We hence propose a strategy which reduces parameter sizes further, and several technical improvements to allow for an efficient implementation. In particular, since finding a prime ideal when generating instances is an expensive operation, we show how we can drop this requirement. We also propose algorithms and implementations for sampling from discrete Gaussians, for inverting in some cyclotomic number fields and for computing norms of ideals in some cyclotomic number rings. Due to our improvements we were able to compute a multilinear jigsaw puzzle for κ = 52 (resp. κ = 38) and λ = 52 (resp. λ = 80).

    5Gen: A Framework for Prototyping Applications Using Multilinear Maps and Matrix Branching Programs

    Secure multilinear maps (mmaps) have been shown to have remarkable applications in cryptography, such as program obfuscation and multi-input functional encryption (MIFE). To date, there has been little evaluation of the performance of these applications. In this paper we initiate a systematic study of mmap-based constructions. We build a general framework, called 5Gen, to experiment with these applications. At the top layer we develop an optimizing compiler that takes in a high-level program and compiles it to an optimized matrix branching program needed for the applications we consider. Next, we optimize and experiment with several obfuscators and MIFE constructions and evaluate their performance. The 5Gen framework is modular and can easily accommodate new mmap constructions as well as new obfuscators and MIFE constructions. 5Gen is an open-source tool that can be used by other research groups to experiment with a variety of mmap-based constructions.

    Cryptanalysis of CLT13 Multilinear Maps with Independent Slots

    Many constructions based on multilinear maps require independent slots in the plaintext, so that multiple computations can be performed in parallel over the slots. Such constructions are usually based on CLT13 multilinear maps, since CLT13 inherently provides a composite encoding space. However, a vulnerability was identified at Crypto 2014 by Gentry, Lewko and Waters, with a lattice-based attack in dimension 2, and the authors suggested a simple countermeasure. In this paper, we identify an attack based on higher-dimension lattice reduction that breaks the authors' countermeasure for a wide range of parameters. Combined with the Cheon et al. attack from Eurocrypt 2015, this leads to a total break of CLT13 multilinear maps with independent slots. We also show how to apply our attack against various constructions based on composite-order CLT13. For the [FRS17] construction, our attack enables recovery of the secret CLT13 plaintext ring for a certain range of parameters; however, breaking the indistinguishability of the branching program remains an open problem.

    Cryptanalysis of Middle Lattice on the Overstretched NTRU Problem for General Modulus Polynomial

    The overstretched NTRU problem, which is the NTRU problem with a super-polynomial size q in n, is one of the most important candidates for higher-level cryptography. Unfortunately, Albrecht et al. in Crypto 2016 and Cheon et al. in ANTS 2016 proposed so-called subfield attacks which demonstrate that the overstretched NTRU problems with a power-of-two cyclotomic modulus are not secure enough with the given parameters in the GGH multilinear map and the YASHE/LTV fully homomorphic encryption schemes. Moreover, Kirchner and Fouque presented a new cryptanalysis of the overstretched NTRU problem over a general modulus in Eurocrypt 2017. They showed that a lattice basis reduction algorithm on the middle lattice, which was first presented by Howgrave-Graham in Crypto 2007, experimentally recovers the secret parameters of the overstretched NTRU problem. In this paper, we revisit the middle lattice technique on the overstretched NTRU problem. This analysis shows that the optimized middle lattice technique has the same complexity as subfield attacks, but threatens more general base rings with poly(n) expansion factor, as is common in suggested schemes like the original GGH, the YASHE scheme and NTRU Prime rings. Our new analysis implies that cryptosystems related to the overstretched NTRU problem cannot be secured by changing the base ring. In addition, we present an extended (trace/norm) subfield attack for the power-of-two cyclotomic modulus, which is also one of the middle lattice techniques. This extended subfield attack has a similar asymptotic complexity to the previous subfield attacks, but with a smaller constant in the exponent term.

    A Primer on Cryptographic Multilinear Maps and Code Obfuscation

    The construction of cryptographic multilinear maps and of a general-purpose code obfuscator were two long-standing open problems in cryptography. It has been clear for a number of years that constructions of these two primitives would yield many interesting applications. This thesis describes the Coron-Lepoint-Tibouchi candidate construction for multilinear maps, as well as new candidates for code obfuscation. We give an overview of current multilinear map and obfuscation research, and present some relevant applications. We also provide some examples and warnings regarding the inefficiency of the new constructions. The presentation is self-contained and should be accessible to the novice reader.

    Optimizing Cryptographic Obfuscation

    Cryptographic obfuscation is a powerful tool that makes programs “unintelligible” yet still runnable. It essentially gives programs the ability to keep secrets. The practical applications of obfuscation range from keeping secrets in banking applications to preventing software theft to providing secure messaging applications. The cryptographic applications of obfuscation are also vast – a tool that hides secrets in programs essentially enables all other cryptographic constructions. Despite (or perhaps due to) its power, obfuscation is currently wildly inefficient and on shaky theoretical ground. Its shaky theoretical ground in particular has resulted in a lack of engineering effort at making it more efficient. In this work, we focus largely on efficiency. We explore the concrete efficiency of multilinear maps, which are the basis of many cryptographic obfuscation constructions. Multilinear maps are mathematical objects that allow oblivious addition and multiplication of encrypted values. Using multilinear maps, we give the first ever implementations of obfuscation and multi-input functional encryption (MIFE: a variant of obfuscation) for branching programs. Along the way, we create the 5Gen framework for implementations of multilinear map-based applications. We apply the 5Gen framework to experiment with obfuscating point functions and MIFE of order-revealing encryption. We also explore efficiency in the context of obfuscators and MIFE for circuits. Circuits are more efficient than branching programs for many functions. We give the first MIFE construction for circuits and prove its security in an ideal model. Our scheme is efficient. To compare, we implement all known circuit obfuscation schemes using the 5Gen framework, and experiment with obfuscating a PRF. This results in the most complex PRF obfuscated to date – with 12 bits of security. Finally, Bishop et al. recently showed an obfuscation scheme for the specific functionality of wildcard pattern matching [BKM+18]. This is a simple type of string matching where strings must match a pattern exactly except where there are wildcards. This obfuscation scheme relies only on the generic group model, with no multilinear maps. Inspired by their work, and by the deep connection of functional encryption to obfuscation, we give a function-private, public-key functional encryption scheme for the same wildcard pattern-matching functionality. Our scheme is the first such scheme and we prove its security in a generic model.