cryptanalysis of branching program obfuscators
play

Cryptanalysis of branching program obfuscators Jung Hee Cheon 1 , - PowerPoint PPT Presentation

Oct 03, 2022 •443 likes •1.41k views

Cryptanalysis of branching program obfuscators Jung Hee Cheon 1 , Minki Hhan 1 , Jiseung Kim 1 , Changmin Lee 1 , Alice Pellet-Mary 2 1 Seoul National University 2 ENS de Lyon Crypto 2018 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program

  1. Cryptanalysis of branching program obfuscators Jung Hee Cheon 1 , Minki Hhan 1 , Jiseung Kim 1 , Changmin Lee 1 , Alice Pellet-Mary 2 1 Seoul National University 2 ENS de Lyon Crypto 2018 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 1/23

  2. What is this talk about Two partial attacks against some candidate obfuscators built upon the GGH13 multilinear map [GGH13a] an attack for specific choices of parameters a quantum attack Main idea of the two attacks Transform known weaknesses of the GGH13 map into concrete attacks against the candidate obfuscators M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 2/23

  3. Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that ∀ C ∈ C , ∀ x , C ( x ) = O ( C )( x ) In this talk, C = polynomial size circuits M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 3/23

  4. Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that ∀ C ∈ C , ∀ x , C ( x ) = O ( C )( x ) In this talk, C = polynomial size circuits Security. VBB: O ( C ) acts as a black box computing C M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 3/23

  5. Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that ∀ C ∈ C , ∀ x , C ( x ) = O ( C )( x ) In this talk, C = polynomial size circuits Security. VBB: O ( C ) acts as a black box computing C (impossible, [BGI + 01]) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 3/23

  6. Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that ∀ C ∈ C , ∀ x , C ( x ) = O ( C )( x ) In this talk, C = polynomial size circuits Security. VBB: O ( C ) acts as a black box computing C (impossible, [BGI + 01]) iO: ∀ C 1 ≡ C 2 , i.e. C 1 ( x ) = C 2 ( x ) ∀ x , O ( C 1 ) ≃ c O ( C 2 ) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 3/23

  7. Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that ∀ C ∈ C , ∀ x , C ( x ) = O ( C )( x ) In this talk, C = polynomial size circuits Security. VBB: O ( C ) acts as a black box computing C (impossible, [BGI + 01]) iO: ∀ C 1 ≡ C 2 , i.e. C 1 ( x ) = C 2 ( x ) ∀ x , O ( C 1 ) ≃ c O ( C 2 ) Many cryptographic constructions from iO: functional encryption, deniable encryption, NIZKs, oblivious transfer, . . . M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 3/23

  8. Multilinear maps (mmaps) and iO Observation Almost all iO constructions for all circuits rely on multilinear maps (mmap). Three main candidate multilinear maps: GGH13, CLT13, GGH15 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 4/23

  9. Multilinear maps (mmaps) and iO Observation Almost all iO constructions for all circuits rely on multilinear maps (mmap). Three main candidate multilinear maps: GGH13, CLT13, GGH15 Caution All these candidate multilinear maps suffer from weaknesses (e.g. encodings of zero, zeroizing attacks, . . . ). ⇒ all current attacks against iO rely on the underlying mmap M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 4/23

  10. Multilinear maps (mmaps) and iO Observation Almost all iO constructions for all circuits rely on multilinear maps (mmap). Three main candidate multilinear maps: GGH13 , CLT13, GGH15 Caution All these candidate multilinear maps suffer from weaknesses (e.g. encodings of zero, zeroizing attacks, . . . ). ⇒ all current attacks against iO rely on the underlying mmap In this talk: we exploit known weaknesses of GGH13 to mount concrete attacks against some iO using it. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 4/23

  11. History (branching program obfuscators based on GGH13) Some candidate iO for all circuits and attacks: 2013: [GGH + 13b], first candidate 2014-2016: [AGIS14, BGK + 14, BR14, MSW14, PST14, BMSZ16], with proofs in idealized models (the mmap is supposed to be somehow ideal) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 5/23

  12. History (branching program obfuscators based on GGH13) Some candidate iO for all circuits and attacks: 2013: [GGH + 13b], first candidate 2014-2016: [AGIS14, BGK + 14, BR14, MSW14, PST14, BMSZ16], with proofs in idealized models (the mmap is supposed to be somehow ideal) 2016: [MSZ16], attack against all candidates above except [GGH + 13b] 2016: [GMM + 16], proof in a weaker idealized model (captures [MSZ16]) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 5/23

  13. History (branching program obfuscators based on GGH13) Some candidate iO for all circuits and attacks: 2013: [GGH + 13b], first candidate 2014-2016: [AGIS14, BGK + 14, BR14, MSW14, PST14, BMSZ16], with proofs in idealized models (the mmap is supposed to be somehow ideal) 2016: [MSZ16], attack against all candidates above except [GGH + 13b] 2016: [GMM + 16], proof in a weaker idealized model (captures [MSZ16]) 2017: [CGH17], attack against [GGH + 13b] (in input-partitionable case) 2017: [FRS17], prevent [CGH17] attack M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 5/23

  14. State of the art and contributions Circuit iO (using Branching program obfuscators obfuscators GGH13) [AGIS14, MSW14] [GMM + 16] [Zim15, AB15] [GGH + 13b] [BR14] [PST14, BGK + 14] Attacks [DGG + 16] [BMSZ16] [MSZ16] � � [CGH17] ⋆ � This work 1 † � � � � [CHKL18] This work 2 ‡ � � � [Pel18] ⋆ for input-partitionable branching programs ‡ in the quantum setting † for specific choices of parameters M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 6/23

  15. Outline Simple obfuscator 1 GGH13 multilinear map 2 Contributions 3 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 7/23

  16. Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 8/23

  17. Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2 ℓ matrices A i , b (for i ∈ { 1 , . . . , ℓ } and b ∈ { 0 , 1 } ), two vectors A 0 and A ℓ +1 , a function inp : { 1 , . . . , ℓ } → { 1 , . . . , r } (where r is the size of the input). x = 0 1 1 i 1 2 3 4 5 6 inp( i ) 1 1 2 1 3 2 A 1 , 1 A 2 , 1 A 3 , 1 A 4 , 1 A 5 , 1 A 6 , 1 A 0 A 7 A 1 , 0 A 2 , 0 A 3 , 0 A 4 , 0 A 5 , 0 A 6 , 0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 8/23

  18. Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2 ℓ matrices A i , b (for i ∈ { 1 , . . . , ℓ } and b ∈ { 0 , 1 } ), two vectors A 0 and A ℓ +1 , a function inp : { 1 , . . . , ℓ } → { 1 , . . . , r } (where r is the size of the input). x = 0 1 1 i 1 2 3 4 5 6 inp( i ) 1 1 2 1 3 2 A 1 , 1 A 2 , 1 A 3 , 1 A 4 , 1 A 5 , 1 A 6 , 1 A 0 A 7 A 1 , 0 A 2 , 0 A 3 , 0 A 4 , 0 A 5 , 0 A 6 , 0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 8/23

  19. Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2 ℓ matrices A i , b (for i ∈ { 1 , . . . , ℓ } and b ∈ { 0 , 1 } ), two vectors A 0 and A ℓ +1 , a function inp : { 1 , . . . , ℓ } → { 1 , . . . , r } (where r is the size of the input). x = 0 1 1 i 1 2 3 4 5 6 ↑ inp( i ) 1 1 2 1 3 2 A 1 , 1 A 2 , 1 A 3 , 1 A 4 , 1 A 5 , 1 A 6 , 1 A 0 × A 1 , 0 A 7 A 2 , 0 A 3 , 0 A 4 , 0 A 5 , 0 A 6 , 0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 8/23

  20. Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2 ℓ matrices A i , b (for i ∈ { 1 , . . . , ℓ } and b ∈ { 0 , 1 } ), two vectors A 0 and A ℓ +1 , a function inp : { 1 , . . . , ℓ } → { 1 , . . . , r } (where r is the size of the input). x = 0 1 1 i 1 2 3 4 5 6 ↑ inp( i ) 1 1 2 1 3 2 A 1 , 1 × A 2 , 0 A 2 , 1 A 3 , 1 A 4 , 1 A 5 , 1 A 6 , 1 A 0 × A 1 , 0 A 7 A 3 , 0 A 4 , 0 A 5 , 0 A 6 , 0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 8/23

  21. Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2 ℓ matrices A i , b (for i ∈ { 1 , . . . , ℓ } and b ∈ { 0 , 1 } ), two vectors A 0 and A ℓ +1 , a function inp : { 1 , . . . , ℓ } → { 1 , . . . , r } (where r is the size of the input). x = 0 1 1 i 1 2 3 4 5 6 ↑ inp( i ) 1 1 2 1 3 2 A 1 , 1 × A 2 , 0 A 2 , 1 × A 3 , 0 A 3 , 1 A 4 , 1 A 5 , 1 A 6 , 1 A 0 × A 1 , 0 A 7 A 4 , 0 A 5 , 0 A 6 , 0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 8/23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Program control constructs Branching using if endif and select case loops (repeated

Program control constructs Branching using if endif and select case loops (repeated

Program control constructs Branching using if endif and select case loops (repeated execution of code segments); do enddo Jumps with goto label# Branching with if endif if endif If (logical_a) then

420 views • 11 slides
CHAPTER XIV PROGRAM CONTROL, JUMPING, AND BRANCHING READ BRANCHING FREE-DOC ON COURSE WEBPAGE

CHAPTER XIV PROGRAM CONTROL, JUMPING, AND BRANCHING READ BRANCHING FREE-DOC ON COURSE WEBPAGE

INTRO. TO COMP. ENG. CHAPTER XIV CHAPTER XIV-1 PROGRAM CONTROL CHAPTER XIV PROGRAM CONTROL, JUMPING, AND BRANCHING READ BRANCHING FREE-DOC ON COURSE WEBPAGE R.M. Dansereau; v.1.0 PROGRAM CONTROL INTRO. TO COMP. ENG. PROGRAM CONTROL

383 views • 36 slides
Branching Announcements HW0 is due Thursday: - Make sure program looks exactly like sample

Branching Announcements HW0 is due Thursday: - Make sure program looks exactly like sample

Branching Announcements HW0 is due Thursday: - Make sure program looks exactly like sample output (scripts will do grading) - Also follow proper naming - MAKE SURE IT COMPILES ON CSELABS MACHINE Labs : - Normal problems: Worth 1 point -

647 views • 54 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Tecniche di Specifica e di Verifica Branching Time Temporal Logics I 1 Outline CTL ( C

Tecniche di Specifica e di Verifica Branching Time Temporal Logics I 1 Outline CTL ( C

Tecniche di Specifica e di Verifica Branching Time Temporal Logics I 1 Outline CTL ( C omputation T ree L ogic) Branching Time Unwindings --- computation trees Syntax and semantics of CTL. 2 Branching Time Structures

1.49k views • 112 slides
Conflict-Based Selection Conflict-Based Selection of Branching Rules in of Branching Rules in

Conflict-Based Selection Conflict-Based Selection of Branching Rules in of Branching Rules in

Conflict-Based Selection Conflict-Based Selection of Branching Rules in of Branching Rules in SAT Algorithms SAT Algorithms Marc Herbstritt Bernd Becker Institute of Computer Science Albert-Ludwigs-Universitt Freiburg im Breisgau Where

623 views • 26 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gatan Leurent Inria, France DIAC 2014 2 / 9 Description of LAC DIAC

1.04k views • 36 slides
Branching Program size lower bounds via Projective Dimension Sajin Koroth (joint work with

Branching Program size lower bounds via Projective Dimension Sajin Koroth (joint work with

Branching Program size lower bounds via Projective Dimension Sajin Koroth (joint work with Krishnamoorthy Dinesh and Jayalal Sarma) Indian Institute of Technology, Madras Theory Lunch, Technion Sajin Koroth (joint work with Krishnamoorthy

1.2k views • 103 slides
Branching within branching: a general model for host-parasite co-evolution Gerold Alsmeyer (joint

Branching within branching: a general model for host-parasite co-evolution Gerold Alsmeyer (joint

Model The ABPRE Extinction results Survival case Branching within branching: a general model for host-parasite co-evolution Gerold Alsmeyer (joint work with S oren Gr ottrup) May 15, 2017 Gerold Alsmeyer Host-parasite co-evolution 1

538 views • 26 slides
Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities Bradford

Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities Bradford

16 Oct 2012 Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities Bradford Willke Cyber Security Advisor, MidAtlantic Region National Cyber Security Division (NCSD) Office of Cybersecurity and Communications

443 views • 20 slides
Introduction to Computer Security Formal Security Models Pavel Laskov Wilhelm Schickard

Introduction to Computer Security Formal Security Models Pavel Laskov Wilhelm Schickard

Introduction to Computer Security Formal Security Models Pavel Laskov Wilhelm Schickard Institute for Computer Science Security instruments learned so far Symmetric and asymmetric cryptography confidentiality, integrity, non-repudiation

319 views • 29 slides
Investor Presentation FEBRUARY 2020 Forward looking Certain information regarding mCloud

Investor Presentation FEBRUARY 2020 Forward looking Certain information regarding mCloud

Investor Presentation FEBRUARY 2020 Forward looking Certain information regarding mCloud Technologies Corp. (hereinafter referred to as the Company), including managements assessment of the Companys future plans, operations, and

462 views • 18 slides
CWG on the use of country & territory names as TLDs (CWG UCTN) Presentation in Hyderabad,

CWG on the use of country & territory names as TLDs (CWG UCTN) Presentation in Hyderabad,

CWG on the use of country & territory names as TLDs (CWG UCTN) Presentation in Hyderabad, ICANN 57 Annebeth B. Lange, co-chair for ccNSO 1. Scope and Work Method q Only discussing TLDs at first level q Codes and names based on ISO 3166-1 q

305 views • 8 slides
Larry Clinton President Internet Security Alliance lclinton@isalliance.org 703-907-7028

Larry Clinton President Internet Security Alliance lclinton@isalliance.org 703-907-7028

Larry Clinton President Internet Security Alliance lclinton@isalliance.org 703-907-7028 202-236-0001 ISA Board of Directors J. Michael Hickey, 1 st Vice Chair Ty Sagalow, Esq. Chair VP Government Affairs, Verizon President, Innovation

619 views • 33 slides
C2-SENSE Blazing the Semantic Trail from Sensors to Users Dr. Bojan Boi OGC TCM Calgary.

C2-SENSE Blazing the Semantic Trail from Sensors to Users Dr. Bojan Boi OGC TCM Calgary.

C2-SENSE Blazing the Semantic Trail from Sensors to Users Dr. Bojan Boi OGC TCM Calgary. 2014-09-15 Dr. Bojan Boi | Scientist, Safety & Security, Information Management Team: Crisis and Disaster Management Crisis management

460 views • 17 slides
OUTLINE 1-4 Introduction 5-11 Case Study 12 Problem Statement 13 Solution Statement 14-21

OUTLINE 1-4 Introduction 5-11 Case Study 12 Problem Statement 13 Solution Statement 14-21

E M V I E MAIL C ONTENT M ANAGEMENT S YSTEM CS 410 Orange Team www.cs.odu.edu/~410yello/ 1 April 9, 2013 OUTLINE 1-4 Introduction 5-11 Case Study 12 Problem Statement 13 Solution Statement 14-21 Historical Background 22-23 Current

1.01k views • 73 slides
ICANNs Identifier Systems Security, Stability and Resiliency Team ITU Workshop on Child Online

ICANNs Identifier Systems Security, Stability and Resiliency Team ITU Workshop on Child Online

ICANNs Identifier Systems Security, Stability and Resiliency Team ITU Workshop on Child Online Safety Lilongwe: July /20 /2016 bob.ochieng@icann.org What is ICANN? The Internet Corporation for Assigned Names and Numbers (ICANN) is a

543 views • 12 slides

More recommend