Yilei Chen Craig Gentry Shai 2017

Transcription

1 e t a d i d n a c f s o r s o e t s a y c l s a u n f a b t o p y m r a C r g o r p g n i h c n a br Yilei Chen Craig Gentry Shai 07

2 976, Diffie, Hellman: We stand today on the brink of a revolution in cryptography

3 976, Diffie, Hellman: We stand today on the brink of a revolution in cryptography 03, Garg, Gentry, Halevi, Raykova, Sahai, Waters: We didn t say we stand today on the brink of another revolution in cryptography, but it is happening. 3

4 io 4

5 io => fancy applications, new ways of thinking in cryptography OWF, TDP, full-domain hash, NKE, traitor tracing, FE, adaptive FE, multi-input FE, MPC, adaptive MPC, communication-efficient MPC, better MPC, deniable encryption, garbled Turing machine, Succinct RE, garbled ram, succinct garbled ram, polynomially-many hardcore bits for any OWF, ZAPs and NW, constant-round zero-knowledge proofs, traitor tracing, PPAD hardness, watermarking, Fully-homomorphic encryption, self-bilinear maps, multilinear maps, correlation intractability, Fiat-Shamir, UCE, counterexamples for UCE,5 Adaptive succinct garbled ram, Time-lock puzzle, io combiner

6 ??????? => io candidates 6

7 Candidate multilinear maps => io candidates 7

8 How much do we know about multilinear maps, and the io candidates based on them? 8

9 Multilinear maps in cryptography 003 Boneh, Silverberg: motives 03 Garg, Gentry, Halevi: first candidate 03 Coron, Lepoint, Tibouchi: second candidate 05 Gentry, Gorbunov, Halevi: third candidate 9

10 Status of candidate multilinear maps GGH3, CLT3, GGH5: Even the ``one-wayness of these schemes is not understood. 0

11 Status of candidate multilinear maps GGH3, CLT3, GGH5: Even the ``one-wayness of these schemes is not understood. Benchmarks: key exchange and indistinguishability Obfuscation Key Exchange io [GGHRSW 3] (need public sample) (do not need public sample) GGH3 CLT3 GGH5

12 Status of candidate multilinear maps GGH3, CLT3, GGH5: Even the ``one-wayness of these schemes is not understood. Benchmarks: key exchange and indistinguishability Obfuscation Key Exchange io [GGHRSW 3] (need public sample) (do not need public sample) GGH3 Broken [Hu, Jia 6] Broken for simpler variants [ Miles et al 6 ] CLT3 Broken [Cheon et al 5] Broken for some program [Coron et al 5] GGH5 Broken [Coron et al 6]?

13 n this work we show new attacks: Key Exchange io [GGHRSW 3] (need public sample) (do not need public sample) GGH3 Broken [Hu, Jia 6] New attack [ CGH 7 ] CLT3 Broken [Cheon et al 5] Broken for some program [Coron et al 5] GGH5 Broken [Coron et al 6] New attack [ CGH 7 ] 3

14 n this work we show new attacks: Key Exchange io [GGHRSW 3] (need public sample) (do not need public sample) GGH3 Broken [Hu, Jia 6] New attack [ CGH 7 ] CLT3 Broken [Cheon et al 5] Broken for some program [Coron et al 5] GGH5 Broken [Coron et al 6] New attack [ CGH 7 ] Feature of the new attacks: zeroizing attack [ Cheon et al 5 ] + exploiting the weakness inside the obfuscation 4

15 Plan for the rest of the talk Review GGHRSW3 obfuscation Analyze GGHRSW + GGH5 Analyze GGHRSW + GGH3 (very briefly) 5

16 Candidate io from [ Garg-Gentry-Halevi-Raykova-Sahai-Waters 3 ] 6

17 Candidate io from [ Garg-Gentry-Halevi-Raykova-Sahai-Waters 3 ] (0) Representation of plaintext program. () Safeguard () Safeguard (3) Safeguard 3 (4) Wrap (0-3) by multilinear maps (GGH3, CLT3, or GGH5) Safeguards aim at randomizing the plaintext program, preventing illegal operations; mmaps is the source of computational hardness 7

18 Candidate io from [ Garg-Gentry-Halevi-Raykova-Sahai-Waters 3 ] (0) Representation of plaintext program: Oblivious branching program () Safeguard () Safeguard (3) Safeguard 3 (4) Wrap (0-3) by multilinear maps (GGH3, CLT3, or GGH5) 8

19 Candidate io from [ Garg-Gentry-Halevi-Raykova-Sahai-Waters 3 ] (0) Representation of plaintext program: Oblivious branching program () Safeguard () Safeguard (3) Safeguard 3 (4) Wrap (0-3) by multilinear maps (GGH3, CLT3, or GGH5) B, B, B3, B4, 0 B,0 B,0 B3,0 B4,0 i B, B, B 3, B'4, 0 B,0 B,0 B 3,0 B 4,0 i function branch Evaluate: B =? Dummy branch All B'u,v = 9

20 Candidate io from [ Garg-Gentry-Halevi-Raykova-Sahai-Waters 3 ] (0) Representation of plaintext program: Oblivious branching program () Safeguard : Kilian randomization [Kilian 88] () Safeguard (3) Safeguard 3 (4) Wrap (0-3) by multilinear maps (GGH3, CLT3, or GGH5) B,K K-B,K K-B3,K3 K3-B4, 0 B,0K K-B,0K K-B3,0K3 K3-B4,0 i B,K K -B,K K -B 3,K 3 K 3-B 4, 0 B,0K K -B,0K K -B 3,0K 3 K 3-B 4,0 i Random matrix K, K 0

21 Candidate io from [ Garg-Gentry-Halevi-Raykova-Sahai-Waters 3 ] (0) Representation of plaintext program: Oblivious branching program () Safeguard : Kilian randomization () Safeguard : Bundling scalars (against mix-input attack) (3) Safeguard 3 (4) Wrap (0-3) by multilinear maps (GGH3, CLT3, or GGH5) 0 i a,b,k a,k-b,k a3,k-b3,k3 a4,k3-b4, a a =, 3, a,0b,0k a,0k-b,0k a3,0k-b3,0k3 a4,0k3-b4,0 a,0a3,0 = a,a4, = a,0a4,0 = a,a 3, a,0a 3,0 a,a 4, a,0a 4,0 a,b,k a,k -B,K a 3,K -B 3,K 3 a 4,K 3-B 4, 0 a,0b,0k a,0k -B,0K a 3,0K -B 3,0K 3 a 4,0K 3-B 4,0 i

22 Spoiler: the scalar is the Achilles heel exploited in our attack

23 3

24 Candidate io from [ Garg-Gentry-Halevi-Raykova-Sahai-Waters 3 ] (0) Representation of plaintext program: Oblivious branching program () Safeguard : Kilian randomization () Safeguard : Bundling scalars (against mix-input attack) (3) Safeguard 3 (4) Wrap (0-3) by multilinear maps (GGH3, CLT3, or GGH5) 0 i a,b,k a,k-b,k a3,k-b3,k3 a4,k3-b4, a a =, 3, a,0b,0k a,0k-b,0k a3,0k-b3,0k3 a4,0k3-b4,0 a,0a3,0 = a,a4, = a,0a4,0 = a,a 3, a,0a 3,0 a,a 4, a,0a 4,0 a,b,k a,k -B,K a 3,K -B 3,K 3 a 4,K 3-B 4, 0 a,0b,0k a,0k -B,0K a 3,0K -B 3,0K 3 a 4,0K 3-B 4,0 i 4

25 Candidate io from [ Garg-Gentry-Halevi-Raykova-Sahai-Waters 3 ] (0) Representation of plaintext program: Oblivious branching program () Safeguard : Kilian randomization () Safeguard : Bundling scalars (against mix-input attack) (3) Safeguard 3: random diagonal entries and bookends (4) Wrap (0-3) by multilinear maps (GGH3, CLT3, or GGH5) a,j B,K a,k-b,k a3,k-b3,k3 a4,k3-b4,l 0 a,0j B,0K a,0k-b,0k a3,0k-b3,0k3 a4,0k3-b4,0l i a,j B,K a,k -B,K a 3,K -B 3,K 3 a 4,K 3-B 4,L 0 a,0j B,0K a,0k -B,0K i a 3,0K -B 3,0K3 a 4,0K 3-B 4,0L 5

26 Zoom in: random diagonal entries and bookends U J a,k - B, S,= a,k [ B, ]K K L S,= a, J[ vb, ]K - v V Sh,= ah,kh--[ vbh, ]L S, S,... Sh, 0 S,0 S,0... Sh,0 i i i... ih 6

27 Spoiler: the random diagonal entries were thought to be what stops the previous attack on GGH3-based candidates. 7

28 Candidate io from [ Garg-Gentry-Halevi-Raykova-Sahai-Waters 3 ] (0) Representation of plaintext program: Oblivious branching program () Safeguard : Kilian randomization () Safeguard : Bundling scalars (3) Safeguard 3: random diagonal entries and bookends (4) Wrap (0-3) by multilinear maps (GGH3, CLT3, or GGH5) a,j B,K a,k-b,k a3,k-b3,k3 a4,k3-b4,l 0 a,0j B,0K a,0k-b,0k a3,0k-b3,0k3 a4,0k3-b4,0l i a,j B,K a,k -B,K a 3,K -B 3,K 3 a 4,K 3-B 4,L 0 a,0j B,0K a,0k -B,0K i a 3,0K -B 3,0K3 a 4,0K 3-B 4,0L 8

29 Candidate io from [ Garg-Gentry-Halevi-Raykova-Sahai-Waters 3 ] (0) Representation of plaintext program: Oblivious branching program () Safeguard : Kilian randomization () Safeguard : Bundling scalars (3) Safeguard 3: random diagonal entries and bookends (4) Wrap (0-3) by multilinear maps (GGH3, CLT3, or GGH5) More candidates for branching programs: [Canetti-Vaikuntanathan about B.C. 6-5], [Barak-Garg-Kalai-Paneth-Sahai 4], [Brakerski-Rothblum 4], [Pass-Seth-Telang 4], [Gentry-Lewko-Sahai-Waters 5], [Badrinarayanan-Miles-Sahai-Zhandry 6], [Garg-Miles-Mukherjee-Sahai-Srinivasan-Zhandry 6] Other candidates in the circuit model or bootstrapped from FE or hybrid: [Zimmerman 5], [Applebaum-Brakerski 5], [Ananth-Jain 5], [Bitansky-Vaikuntanathan 5], [Lin 6], [Lin-Vaikuntanathan 6], etc. Candidates for BP requires degree of multilinearity = length of BP (poly) The smallest known multilinearity that implies io is 5 (assuming some PRG with locality 5) 9

30 Easier to break <<<<<<<<<<<<< harder to break GGH3 CLT3 GGH5 Candidates without GGHRSW3 the diagonal padding [any BP + diagonal] GMRSSZ6 Broken [Miles et al 6] Secure in an idealized model? Broken [Cheon et al 5, Coron et al 5]?? [dual-input + diagonal]?? Status of BP obfuscation candidates before this work 30

31 Plan for the rest of the talk Review GGHRSW3 obfuscation Analyze GGHRSW + GGH5 Analyze GGHRSW + GGH3 (very briefly) 3

32 Review of GGH5 encoding [Gentry, Gorbunov, Halevi 5] 3

33 Goal: Multiply these S matrices without revealing them, and test equality at the end S,= a,k-[ vb, ]K S,= a, J[ vb, ]K Sh,= ah,kh--[ vbh, a,j B,K a,k-b,k a3,k-b3,k3 a4,k3-b4,l 0 a,0j B,0K a,0k-b,0k a3,0k-b3,0k3 a4,0k3-b4,0l i a,j B,K a,k -B,K a 3,K -B 3,K 3 a 4,K 3-B 4,L 0 a,0j B,0K a,0k -B,0K i a 3,0K -B 3,0K3 a 4,0K 3-B 4,0L 33 ]L

34 GGH5 encoding for the ith hop: Si, Ai Si,0 Ai+ 34

35 GGH5 encoding for the ith hop: Yi, = si, Ai++Ei, Si, Ai Si,0 Ai+ Yi,0 = si,0 Ai++Ei,0 Encode(si,b): steps. Yi,b = si,b Ai++Ei,b 35

36 GGH5 encoding for the ith hop: Ai Di, Di,0 Yi, = si, Ai++Ei, Si, Si,0 Ai+ Yi,0 = si,0 Ai++Ei,0 Encode(si,b): steps. Yi,b = si,b Ai++Ei,b. Sample (by the trapdoor of Ai) small Di,b s.t. AiDi,b=Yi,b Di,b = Encoding( Si,b ) 36

37 37 D, D,... D,0 D,0... A S,= a, J[ vb, ]K D, A D,0 D, D, Dh, Dh,0 D h, AL D h,0 [GGHRSW3]+[GGH5]

38 Setting for the cryptanalysts 38

39 Target: Branching programs that always compute the identity matrix (corresponds to 0), with an input partitioning feature 0 i Goal: extract the scalars there, run the mixed-input attack. versus 0 P P- i X zone Z zone Where P 39

40 Step, honestly evaluate many inputs that lead to zero outputs 40

41 Attack GGHRSW3+GGH5 Step : Accumulate a matrix W via honest evaluations that yields zero. A A D, D,... Dh-, Dh, D,0 D,0... Dh-,0 Dh,0 D, D,... D h-, D h, D,0 D,0... D h-, D h,0 X zone 0 w, w,v w, w,v wu, wu,v Z zone wi,j= A DxiDzj - A D xid zj 4

42 Step, compute the left-kernel 4

43 Attack GGHRSW3+GGH5 Step : Accumulate a matrix W via honest evaluations. Step : Compute the left-kernel of W (n the rest of the analysis in this talk, will ignore the dummy branch. ) Sx Ex Sx Ex Sxu Exu X zone SzvA0+Ezv SzA0+Ez x Dz Dzv w, w,v w, w,v = wu, wu,v Z zone wi,j= A DxiDzj - A D xid zj 43

44 Attack GGHRSW3+GGH5 Step : Accumulate a matrix W via honest evaluations. Step : Compute the left-kernel of W (n the rest of the analysis in this talk, will ignore the dummy branch. ) Sx Ex Sx Ex Sxu X Exu SzvA0+Ezv SzA0+Ez x Dz ZD w, w,v w, w,v = zv F W = F X Z = 0 => F X=0 W wu, wu,v 44

45 Attack GGHRSW3+GGH5 Step : Accumulate a matrix W via honest evaluations. Step : Compute the left-kernel of W (n the rest of the analysis in this talk, will ignore the dummy branch. ) First two steps are taken from the previous zeroizing attack [CLLT6], the next few steps will be more involved. 45

46 Step, from the left-kernel F, extract information about scalars 46

47 Attack GGHRSW3+GGH5 Step : Accumulate a matrix W via honest evaluations. Step : Compute the left-kernel of W: FW = FXZ = 0 => FX=0 Step 3: From F, learn something about scalars f,, f,,..., f,k... fd,, fd,,..., fd,k The useful equations: g in [,d] ki= fg,i xiai,xi=0 what we have what we want x Sx Ex Sx Ex Sxk =0 Exk Sxi = axi J diag(uxi, vxi, xi) K 47

48 Attack GGHRSW3+GGH5 Step : Accumulate a matrix W via honest evaluations. Step : Compute the left-kernel of W: FW = FXZ = 0 => FX=0 Step 3: From F, learn something about scalars The useful equations: g in [,d] ki= fg,i xiai,xi=0 Challenge: solve the non-linear equations. 48

49 Attack GGHRSW3+GGH5 Step : Accumulate a matrix W via honest evaluations. Step : Compute the left-kernel of W: FW = FXZ = 0 => FX=0 Step 3: From F, learn something about scalars The useful equations: g in [,d] ki= fg,i xiai,xi=0 Challenge: solve the non-linear equations. Solution: use the homogeneous feature, possible to get partial relations of some ai,xi/aj,xj 49

50 Step V, wait, more? 50

51 Attack GGHRSW3+GGH5 Step : Accumulate a matrix W via honest evaluations. Step : Compute the left-kernel of W: FW = FXZ = 0 => FX=0 Step 3: From F, learn something about scalars What we can get: a,a3,/a,0a3,0 a,a3,/a,a4, a,a3,/a,0a4,0 What we want: each of them a,, a3,, a,0, a3,0.. 0 i P P- i

52 Attack GGHRSW3+GGH5 Step : Accumulate a matrix W via honest evaluations. Step : Compute the left-kernel of W: FW = FXZ = 0 => FX=0 Step 3: From F, learn something about scalars What we can get: a,a3,/a,0a3,0 a,a3,/a,a4, a,a3,/a,0a4,0 What we want: each of them a,, a3,, a,0, a3,0.. Possible to get some pairs via PP solver and factoring oracles. 0 i P P- i

53 f you have a quantum computer (or willing to spend subexponential time classically), you have PP and factoring oracles 53

54 Attack GGHRSW3+GGH5: summary Step : (Evaluate, reorganize results) Accumulate equations to get a matrix W Step : (linear algebra) Compute the left-kernel F of W Step 3: (alternative linear algebra) From F, find out ratios of scalars from X zone Step 4: (Quantum polynomial or subexponential classical) From the ratios of scalars, find the small representations, and run the mixed-input attack 0 i X zone Z zone 0 P P- i

55 Plan for the rest of the talk Review GGHRSW3 obfuscation How to break GGHRSW + GGH5 How to break GGHRSW + GGH3 (very briefly) 55

56 GGH3 quick recap Base ring: R = Z[x]/(xn+) Master secret: a small g in R deal generated by g: = <g> = { gu, u R } B(g) = { g, Xg,..., Xn-g } Plaintext space: R/ Zero-test parameter: hzk/g Encode(m): (m+gr)/z 56

57 GGHRSW+GGH3 attack overview Step : Using zeroizing attack to recover = <g> (f you have a quantum computer or willing to spend subexponential time, can get g itself from ; yield a total break) Step : compute ratios of scalars in some form Step : Once you have the ratios of scalars, can use a simplified version of annihilation attack [MSZ 6] 0 P i 3 4 X zone P Y zone 4 Z zone 57

58 Summary of the status of BP obfuscation some single input BPs with input partition some single input BPs without input partition* all BPs (esp. Dual-input) GGH3 Classical polynomial time Candidates without [ CGH7 ] diagonal paddings [ MSZ6, ADGM7 ]??????? CLT3 Classical poly [ CHLRS5 ] Quantum [Factoring] GGH5 Quantum polynomial or? classical Subexponential time [ CGH7 ] Classical poly [ CLLT 7 ]??????? * Missing details of the exact statements. For the exact parameters see the references. Blue: concurrent works that use the tensoring method. 58

59 The next benchmark for cryptanalyst: [ Garg-Miles-Mukherjee-Sahai-Srinivasan-Zhandry 6 ] (0) Dual-input branching program () Bundling scalars (against mixed-input attacks) () Kilian randomization (against partial evaluation) (3) Adding random diagonal matrices and bookends (4) Wrap (0-3) by multilinear maps For this candidate no attack is published for GGH3, CLT3, GGH5 With idealized-model-type security proof for GGH3 Another direction for cryptanalyst: Attack without using encodings of zero (e.g. targeting obfuscation for evasive functions) 59

60 The next benchmark for cryptanalyst: [ Garg-Miles-Mukherjee-Sahai-Srinivasan-Zhandry 6 ] (0) Dual-input branching program () Bundling scalars (against mixed-input attacks) () Kilian randomization (against partial evaluation) (3) Adding random diagonal matrices and bookends (4) Wrap (0-3) by multilinear maps For this candidate no attack is published for GGH3, CLT3, GGH5 With idealized-model-type security proof for GGH3 Another direction for cryptanalyst: Attack without using encodings of zero (e.g. targeting obfuscation for evasive functions) For counter-cryptanalyst: can identify secure mode for GGH5 that can be based on LWE: Constraint-hiding constrained PRFs for NC from LWE Ran Canetti, Yilei Chen Separating Semantic and Circular Security for Symmetric-Key Bit Encryption from the Learning with Errors Assumption Rishab Goyal, Venkata Koppula, Brent Waters And more on eprint recently, possibly more safe applications. 60

61 A story of pursuing the truth and happiness in the crusade of postmodern cryptography. 6

62 Thanks for your time. Bye! 6