29 research outputs found

    Cryptanalyses of Branching Program Obfuscations over GGH13 Multilinear Map from the NTRU Problem

    In this paper, we propose cryptanalyses of all existing indistinguishability obfuscation (iO) candidates based on branching programs (BP) over the GGH13 multilinear map for all recommended parameter settings. To achieve this, we introduce two novel techniques, program converting using an NTRU-solver and matrix zeroizing, which can be applied to a wider range of obfuscation constructions and BPs than previous attacks. We then prove that, for the suggested parameters, the existing general-purpose BP obfuscations over GGH13 do not have the desired security. In particular, the first candidate indistinguishability obfuscation with input-unpartitionable branching programs (FOCS 2013) and the recent BP obfuscation (TCC 2016) are not secure against our attack when they use GGH13 with recommended parameters. Previously, there was no known polynomial-time attack for these cases. Our attack shows that the lattice dimension of GGH13 must be set much larger than previously thought in order to maintain security. More precisely, the underlying lattice dimension of GGH13 should be set to n = Θ̃(κ² λ) to rule out attacks from the subfield algorithm for NTRU, where κ is the multilinearity level and λ the security parameter.

    On the statistical leak of the GGH13 multilinear map and some variants

    At EUROCRYPT 2013, Garg, Gentry and Halevi proposed a candidate construction (later referred to as GGH13) of a cryptographic multilinear map (MMap). Despite weaknesses uncovered by Hu and Jia (EUROCRYPT 2016), this candidate is still used for designing obfuscators. The naive version of the GGH13 scheme was deemed susceptible to averaging attacks, i.e., it could suffer from a statistical leak (yet no precise attack was described). A variant was therefore devised, but it remains heuristic. Recently, to obtain MMaps with low noise and modulus, two variants of this countermeasure were developed by Döttling et al. (EPRINT:2016/599). In this work, we propose a systematic study of this statistical leakage for all these GGH13 variants. In particular, we confirm the weakness of the naive version o

    Large FHE Gates from tensored homomorphic accumulator

    The main bottleneck of all known Fully Homomorphic Encryption schemes lies in the bootstrapping procedure invented by Gentry (STOC'09). The cost of this procedure can be mitigated either by using homomorphic SIMD techniques or by performing a larger computation per bootstrapping procedure. In this work, we propose new techniques that allow more operations to be performed per bootstrapping in FHEW-type schemes (EUROCRYPT'13). While maintaining the quasi-quadratic Õ(n²) complexity of the whole cycle, our new scheme allows the evaluation of gates with Ω(log n) input bits, which constitutes a quasi-linear speed-up. Our scheme is also very well adapted to large threshold gates, natively admitting up to Ω(n) inputs. This could be helpful for the homomorphic evaluation of neural networks. Our theoretical contribution is backed by a preliminary prototype implementation, which can perform 6-to-6 bit gates in less than 10 s on a single core, as well as threshold gates over 63 input bits even faster.

    Quantum cryptanalysis in the RAM model: Claw-finding attacks on SIKE

    We introduce models of computation that enable direct comparisons between classical and quantum algorithms. Incorporating previous work on quantum computation and error correction, we justify the use of the gate-count and depth-times-width cost metrics for quantum circuits. We demonstrate the relevance of these models to cryptanalysis by revisiting, and increasing, the security estimates for the Supersingular Isogeny Diffie-Hellman (SIDH) and Supersingular Isogeny Key Encapsulation (SIKE) schemes. Our models, analyses, and physical justifications have applications to a number of memory-intensive quantum algorithms.

    An objective method for the production of isopach maps and implications for the estimation of tephra deposit volumes and their uncertainties

    Characterization of explosive volcanic eruptive processes from interpretation of deposits is key for assessing volcanic hazard and risk, particularly for infrequent large explosive eruptions and those whose deposits are transient in the geological record. While eruption size, determined by measurement and interpretation of tephra fall deposits, is of particular importance, uncertainties for such measurements and volume estimates are rarely presented. Here, tephra volume estimates are derived from isopach maps produced by modeling raw thickness data as cubic B-spline curves under tension. Isopachs are objectively determined in relation to the original data and enable limitations in volume estimates from published maps to be investigated. The eruption volumes derived using spline isopachs differ from selected published estimates by 15–40 %, reflecting uncertainties in the volume estimation process. The formalized analysis enables identification of sources of uncertainty; eruptive volume uncertainties (>30 %) are much greater than thickness measurement uncertainties (~10 %). The number of measurements is a key factor in volume estimate uncertainty, regardless of the method used for isopach production. Deposits processed using the cubic B-spline method are well described by 60 measurements distributed across each deposit; however, this figure is deposit and distribution dependent, increasing for geometrically complex deposits, such as those exhibiting bilobate dispersion. ELECTRONIC SUPPLEMENTARY MATERIAL: The online version of this article (doi:10.1007/s00445-015-0942-y) contains supplementary material, which is available to authorized users.

    Preface
