17 research outputs found

    Preventing CLT Attacks on Obfuscation with Linear Overhead

    We describe a defense against zeroizing attacks on indistinguishability obfuscation (iO) over the CLT13 multilinear map construction that only causes an additive blowup in the size of the branching program. This defense even applies to the most recent extension of the attack by Coron et al. (ePrint 2016), under which a much larger class of branching programs is vulnerable. To accomplish this, we describe an attack model for the current attacks on iO over CLT13 by distilling an essential common component of all previous attacks. This leads to the notion of a function being input partitionable, meaning that the bits of the function’s input can be partitioned into somewhat independent subsets. We find a way to thwart these attacks by requiring a “stamp” to be added to the input of every function. The stamp is a function of the original input and eliminates the possibility of finding the independent subsets of the input necessary for a zeroizing attack. We give three different constructions of such “stamping functions” and prove formally that they each prevent any input partition. We also give details on how to instantiate one of the three functions efficiently in order to secure any branching program against this type of attack. The technique presented alters any branching program obfuscated over CLT13 to be secure against zeroizing attacks with only an additive blowup of the size of the branching program that is linear in the input size and security parameter. We can also apply our defense to a recent extension of annihilation attacks by Chen et al. (EUROCRYPT 2017) on obfuscation over the GGH13 multilinear map construction.

    Zeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations

    We extend the recent zeroizing attacks of Cheon, Han, Lee, Ryu and Stehlé (Eurocrypt'15) on multilinear maps to settings where no encodings of zero below the maximal level are available. Some of the new attacks apply to the CLT13 scheme (resulting in a total break) while others apply to (a variant of) the GGH13 scheme (resulting in a weak-DL attack). We also note the limits of these zeroizing attacks.

    Multilinear Map via Scale-Invariant FHE: Enhancing Security and Efficiency

    A cryptographic multilinear map is a useful tool for constructing numerous secure protocols, and a Graded Encoding System (GES) is an approximate concept of a multilinear map. In the multilinear map context there are several important issues, mainly concerning security and efficiency. All early-stage candidate multilinear maps have recently been broken by so-called zeroizing attacks, so it is highly necessary to develop reliable mechanisms to prevent zeroizing attacks. Moreover, the encoding size in all candidate multilinear maps grows quadratically in the multilinearity parameter $\kappa$, which makes them less attractive for applications requiring large $\kappa$. In this paper, we propose a new integer-based multilinear map that has several advantages over previous schemes. In terms of security, we expect that our construction is resistant to the zeroizing attack. In terms of efficiency, the bit-size of an encoding grows sublinearly with $\kappa$, more precisely $O((\log_2\kappa)^2)$. To this end, we essentially utilize a technique from the multiplication procedure in scale-invariant fully homomorphic encryption (FHE), which enables us to achieve sublinear complexity in terms of multilinearity and at the same time security against the zeroizing attacks (EUROCRYPT 2015, IACR-Eprint 2015/934, IACR-Eprint 2015/941), which totally broke Coron, Lepoint, and Tibouchi's integer-based construction (CRYPTO 2013, CRYPTO 2015). We find that the technique of scale-invariant FHE is not very well harmonized with previous approaches of making GES from (non-scale-invariant) FHE. Therefore, we first devise a new approach for approximate multilinear maps, called Ring Encoding System (RES), and prove that a multilinear map built via RES is generically secure. Next, we propose a new efficient scale-invariant FHE with special properties, and then construct a candidate RES based on the newly proposed scale-invariant FHE.
    It is worth noting that, contrary to the CLT multilinear map (CRYPTO 2015), the multiplication procedure in our construction does not add hidden constants generated by ladders of zero encodings, but mixes randoms in encodings in non-linear ways without using ladders of zero encodings. This feature is obtained by using the scale-invariant FHE and is essential to prevent Cheon et al.'s zeroizing attack.

    Notes On GGH13 Without The Presence Of Ideals

    We investigate the merits of altering the Garg, Gentry and Halevi (GGH13) graded encoding scheme to remove the presence of the ideal $\langle g \rangle$. In particular, we show that we can alter the form of encodings so that effectively a new $g_i$ is used for each source group $\mathbb{G}_i$, while retaining correctness. This would appear to prevent all known attacks on indistinguishability obfuscation (IO) candidates instantiated using GGH13. However, when analysing security in simplified branching program and obfuscation security models, we present branching program (and thus IO) distinguishing attacks that do not use knowledge of $\langle g \rangle$. This result opens a counterpoint with the work of Halevi (EPRINT 2015), which stated that the core computational hardness problem underpinning GGH13 is computing a basis of this ideal. Our attempts seem to suggest that there is a structural vulnerability in the way that GGH13 encodings are constructed that lies deeper than the presence of $\langle g \rangle$.

    Cryptanalysis of FRS Obfuscation based on the CLT13 Multilinear Map

    We present a classical polynomial-time attack against the FRS branching program obfuscator of Fernando-Rasmussen-Sahai (Asiacrypt’17) (with one zerotest parameter), which is robust against all known classical cryptanalyses on obfuscators, when instantiated with the CLT13 multilinear map. The first step is to recover a plaintext modulus of the CLT13 multilinear map. To achieve this goal, we apply the Coron and Notarnicola (Asiacrypt'19) algorithm. However, because of parameter issues, the algorithm cannot be used directly. To work around this issue, we convert an FRS obfuscator into a new program containing a small message space. Through the conversion, we obtain two zerotest parameters and encodings of zero except for two nonzero slots. These are then used to mitigate the parameter constraints of the message space recovering algorithm. Then, we propose a cryptanalysis of the FRS obfuscation based on the recovered message space. We show that there exist two functionally equivalent programs such that their obfuscated programs are computationally distinguishable. Thus, the FRS scheme does not satisfy the desired security without additional constraints.

    Cryptanalysis of CLT13 Multilinear Maps with Independent Slots

    Many constructions based on multilinear maps require independent slots in the plaintext, so that multiple computations can be performed in parallel over the slots. Such constructions are usually based on CLT13 multilinear maps, since CLT13 inherently provides a composite encoding space. However, a vulnerability was identified at Crypto 2014 by Gentry, Lewko and Waters, with a lattice-based attack in dimension 2, and the authors suggested a simple countermeasure. In this paper, we identify an attack based on higher-dimension lattice reduction that breaks the authors’ countermeasure for a wide range of parameters. Combined with the Cheon et al. attack from Eurocrypt 2015, this leads to a total break of CLT13 multilinear maps with independent slots. We also show how to apply our attack against various constructions based on composite-order CLT13. For the [FRS17] construction, our attack enables recovery of the secret CLT13 plaintext ring for a certain range of parameters; however, breaking the indistinguishability of the branching program remains an open problem.

    A Primer on Cryptographic Multilinear Maps and Code Obfuscation

    The construction of cryptographic multilinear maps and a general-purpose code obfuscator were two long-standing open problems in cryptography. It has been clear for a number of years that constructions of these two primitives would yield many interesting applications. This thesis describes the Coron-Lepoint-Tibouchi candidate construction for multilinear maps, as well as new candidates for code obfuscation. We give an overview of current multilinear and obfuscation research, and present some relevant applications. We also provide some examples and warnings regarding the inefficiency of the new constructions. The presentation is self-contained and should be accessible to the novice reader.

    Candidate Obfuscation via Oblivious LWE Sampling

    We present a new, simple candidate construction of indistinguishability obfuscation (iO). Our scheme is inspired by lattices and learning-with-errors (LWE) techniques, but we are unable to prove security under a standard assumption. Instead, we formulate a new falsifiable assumption under which the scheme is secure. Furthermore, the scheme plausibly achieves post-quantum security. Our construction is based on the recent split FHE framework of Brakerski, Döttling, Garg, and Malavolta (EUROCRYPT '20), and we provide a new instantiation of this framework. As a first step, we construct an iO scheme that is provably secure assuming that LWE holds and that it is possible to obliviously generate LWE samples without knowing the corresponding secrets. We define a precise notion of oblivious LWE sampling that suffices for the construction. It is known how to obliviously sample from any distribution (in a very strong sense) using iO, and our result provides a converse, showing that the ability to obliviously sample from the specific LWE distribution (in a much weaker sense) already also implies iO. As a second step, we give a heuristic construction of oblivious LWE sampling. On a very high level, we do this by homomorphically generating pseudorandom LWE samples using an encrypted pseudorandom function.

    How to Watermark Cryptographic Functions

    We introduce a notion of watermarking for cryptographic functions and propose a concrete scheme for watermarking cryptographic functions. Informally speaking, a digital watermarking scheme for cryptographic functions embeds information, called a mark, into functions such as one-way functions and decryption functions of public-key encryption. There are two basic requirements for watermarking schemes. (1) A mark-embedded function must be functionally equivalent to the original function. (2) It must be difficult for adversaries to remove the embedded mark without damaging the original functionality. In spite of its importance and usefulness, there have only been a few theoretical works on watermarking for functions (or programs). Furthermore, we do not have rigorous definitions of watermarking for cryptographic functions and concrete constructions. To solve the above problem, we introduce a notion of watermarking for cryptographic functions and define its security. Furthermore, we present a lossy trapdoor function (LTF) based on the decisional linear (DLIN) problem and a watermarking scheme for the LTF. Our watermarking scheme is secure under the DLIN assumption in the standard model. We use techniques of dual system encryption and dual pairing vector spaces (DPVS) to construct our watermarking scheme. This is a new application of DPVS. Our watermarking for cryptographic functions is a generalized notion of copyrighted functions introduced by Naccache, Shamir, and Stern (PKC 1999), and our scheme is based on an identity-based encryption scheme whose private keys for identities (i.e., decryption functions) are marked, so our technique can be used to construct black-box traitor tracing schemes.