Cryptanalyses of candidate branching program obfuscators
Yilei Chen, Craig Gentry, Shai Halevi @Eurocrypt 2017
1976, Diffie, Hellman: “We stand today on the brink of a revolution in cryptography”
2013, Garg, Gentry, Halevi, Raykova, Sahai, Waters: We didn’t say “we stand today on the brink of another revolution in cryptography”, but it is happening.
iO => fancy applications, new ways of thinking in cryptography
OWF, TDP, full-domain hash, NIKE, traitor tracing, FE, adaptive FE, multi-input FE, MPC, adaptive MPC, communication-efficient MPC, better MPC, deniable encryption, garbled Turing machine, Succinct RE, garbled ram, succinct garbled ram, polynomially-many hardcore bits for any OWF, ZAPs and NIWI, constant-round zero-knowledge proofs, traitor tracing, PPAD hardness, watermarking, Fully-homomorphic encryption, self-bilinear maps, multilinear maps, correlation intractability, Fiat-Shamir, UCE, counterexamples for UCE, Adaptive succinct garbled ram, Time-lock puzzle, iO combiner
??????? => iO candidates
Candidate multilinear maps => iO candidates
Status of candidate multilinear maps GGH13, CLT13, GGH15: even the “one-wayness” of these schemes is not understood.
2 Benchmarks: key exchange and indistinguishability obfuscation.
In this work we show new attacks:

Benchmark 1: Key Exchange (need public sample); Benchmark 2: iO [GGHRSW ‘13] (do not need public sample)
GGH13: Key Exchange: Broken [Hu, Jia ‘16]. iO: Broken for simpler variants [Miles et al ‘16]; New attack [CGH ‘17].
CLT13: Key Exchange: Broken [Cheon et al ‘15]. iO: Broken for some programs [Coron et al ‘15].
GGH15: Key Exchange: Broken [Coron et al ‘16]. iO: New attack [CGH ‘17].

Feature of the new attacks: zeroizing attack [Cheon et al ‘15] + exploiting the weakness inside the obfuscation.
15
Review GGHRSW13 obfuscation
Analyze GGHRSW + GGH15
Analyze GGHRSW + GGH13 (very briefly)
Candidate iO from [ Garg-Gentry-Halevi-Raykova-Sahai-Waters ’13 ]
(0) Representation of plaintext program: Oblivious branching program
(1) Safeguard 1
(2) Safeguard 2
(3) Safeguard 3
(4) Wrap (0-3) by multilinear maps (GGH13, CLT13, or GGH15)
Safeguards aim at randomizing the plaintext program, preventing illegal
[Figure: oblivious branching program with two branches. Functional branch: matrices B1,1, B2,1, B3,1, B4,1 (top row, bit 1) and B1,0, B2,0, B3,0, B4,0 (bottom row, bit 0); dummy branch: matrices B’i,1 and B’i,0. Step i reads input bit inp(i) = 1, 2, 1, 2.]
(1) Safeguard 1: Kilian randomization [Kilian 88]
[Figure: the matrices are sandwiched between random matrices K, K’: B1,b K1, K1^-1 B2,b K2, K2^-1 B3,b K3, ... on the functional branch, and likewise with K’1, K’2, K’3 on the dummy branch.]
(2) Safeguard 2: Bundling scalars (against mix-input attack)
[Figure: each matrix additionally gets a scalar: a1,b B1,b K1, a2,b K1^-1 B2,b K2, ... on the functional branch, and a’1,b B’1,b K’1, a’2,b K’1^-1 B’2,b K’2, ... on the dummy branch.]
The scalars are chosen so that, for each input bit and each value of that bit, their product over the steps reading that bit is the same on both branches:
a1,1 a3,1 = a’1,1 a’3,1
a1,0 a3,0 = a’1,0 a’3,0
a2,1 a4,1 = a’2,1 a’4,1
a2,0 a4,0 = a’2,0 a’4,0
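As an added example (not code from the talk or the paper), here is a toy version of safeguards 1 and 2 in Python: a length-4 oblivious branching program of 2x2 matrices over a constructed prime field, Kilian-randomized and bundled with scalars that satisfy exactly the four constraints above. demo(False) shows that without bundling a mixed input (bit 1 read as 1 at step 1 but as 0 at step 3) passes the final equality test for the all-identity program and fails for the P/P^-1 program, so the two programs are told apart, while demo(True) shows both failing once the scalars are bundled; the modulus, the seed and the two sample programs are assumptions of the example.

```python
import random
MOD = 1_000_003  # constructed prime modulus, standing in for the plaintext ring of the example
I2, SWAP = [[1, 0], [0, 1]], [[0, 1], [1, 0]]  # SWAP plays the slides' P: P*P = I but P != I
def mul(A, B):
    return [[sum(A[r][k] * B[k][c] for k in range(2)) % MOD for c in range(2)] for r in range(2)]
def inv2(A):  # inverse of an invertible 2x2 matrix mod MOD
    (a, b), (c, d) = A
    di = pow((a * d - b * c) % MOD, -1, MOD)
    return [[d * di % MOD, -b * di % MOD], [-c * di % MOD, a * di % MOD]]

def rand_invertible(rng):  # rejection-sample a random invertible 2x2 matrix mod MOD
    A = [[rng.randrange(MOD) for _ in range(2)] for _ in range(2)]
    return A if (A[0][0] * A[1][1] - A[0][1] * A[1][0]) % MOD else rand_invertible(rng)

def randomize(prog, K, a):  # safeguard 1 (Kilian): S_{i,b} = a_{i,b} K_{i-1}^{-1} B_{i,b} K_i
    def step(i, b):
        M = mul(mul(inv2(K[i]), prog[i][b]), K[i + 1])
        return [[a[i][b] * x % MOD for x in row] for row in M]
    return [[step(i, b) for b in range(2)] for i in range(len(prog))]

def obfuscate(prog, inp, bundling, rng):
    # prog[i][b]: matrix of step i on bit b; inp[i]: index of the input bit read at step i.
    # Returns the randomized functional branch and a randomized all-identity dummy branch.
    h = len(prog)
    K, Kd = ([I2] + [rand_invertible(rng) for _ in range(h - 1)] + [I2] for _ in range(2))
    a, ad = ([[rng.randrange(1, MOD) for _ in range(2)] for _ in range(h)] for _ in range(2))
    if bundling:  # safeguard 2: for each input bit j and value b, prod_i a[i][b] == prod_i ad[i][b]
        for j in set(inp):
            steps = [i for i in range(h) if inp[i] == j]
            for b in range(2):
                pa = pd = 1
                for i in steps[:-1]:
                    pa, pd = pa * a[i][b] % MOD, pd * ad[i][b] % MOD
                ad[steps[-1]][b] = pa * a[steps[-1]][b] * pow(pd, -1, MOD) % MOD
    else:
        a = ad = [[1, 1]] * h
    return randomize(prog, K, a), randomize([[I2, I2]] * h, Kd, ad)

def evaluate(obf, step_bits):  # True iff the two branch products agree (the "zero" outcome)
    F = D = I2  # step_bits[i] is the bit fed to step i; inconsistent bits model a mixed input
    for i, b in enumerate(step_bits):
        F, D = mul(F, obf[0][i][b]), mul(D, obf[1][i][b])
    return F == D

def demo(bundling, seed=7):
    # The talk's two targets: all-identity, and P at step 1 with P^-1 at step 3 (both read bit 0).
    rng, inp = random.Random(seed), [0, 1, 0, 1]  # steps 1,3 read input bit 0; steps 2,4 read bit 1
    progs = {"id": [[I2, I2]] * 4, "pp": [[I2, SWAP], [I2, I2], [I2, SWAP], [I2, I2]]}
    return {name: (evaluate(obf, [1, 0, 1, 0]), evaluate(obf, [1, 0, 0, 0]))  # consistent, mixed
            for name, obf in ((n, obfuscate(p, inp, bundling, rng)) for n, p in progs.items())}
```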
22
Spoiler: the scalar is the “Achilles’ heel” exploited in our attack
25
(3) Safeguard 3: random diagonal entries and bookends
[Figure: the program with all safeguards applied: a1,b J B1,b K1, a2,b K1^-1 B2,b K2, a3,b K2^-1 B3,b K3, a4,b K3^-1 B4,b ... on the functional branch, with bookend J, and the primed versions (J’, K’i, a’i,b) on the dummy branch.]
Zoom in: random diagonal entries and bookends
[Figure: the obfuscated program as bookend vectors U and V around the matrices S1,b, S2,b, ..., Sh,b, where step i reads input bit i_i.]
27
Spoiler: the random diagonal entries were thought to be what stops the previous attack on GGH13-based candidates.
29
More candidates for branching programs:
[Canetti-Vaikuntanathan about B.C. 6-5], [Barak-Garg-Kalai-Paneth-Sahai ‘14], [Brakerski-Rothblum ‘14], [Pass-Seth-Telang ‘14], [Gentry-Lewko-Sahai-Waters ‘15], [Badrinarayanan-Miles-Sahai-Zhandry ‘16], [Garg-Miles-Mukherjee-Sahai-Srinivasan-Zhandry ‘16]
Other candidates in the circuit model or bootstrapped from FE or hybrid:
[Zimmerman ‘15], [Applebaum-Brakerski ‘15], [Ananth-Jain ‘15], [Bitansky-Vaikuntanathan ‘15], [Lin ‘16], [Lin-Vaikuntanathan ‘16], etc.
Candidates for BPs require degree of multilinearity = length of the BP (poly).
The smallest known multilinearity that implies iO is 5 (assuming some PRG with locality 5).
Status of BP obfuscation candidates before this work (columns ordered from easier to break to harder to break):
Columns: (a) candidates without the diagonal padding; (b) GGHRSW13 [any BP + diagonal]; (c) GMRSSZ16 [dual-input + diagonal]
GGH13: (a) Broken [Miles et al 16]; (b) ?; (c) Secure in an idealized model
CLT13: (a) Broken [Cheon et al 15, Coron et al 15]; (b) ?
GGH15: (a) ?; (b) ?; (c) ?
31
Review GGHRSW13 obfuscation
Analyze GGHRSW + GGH15
Analyze GGHRSW + GGH13 (very briefly)
[Figure: the safeguarded program again: a1,b J B1,b K1, a2,b K1^-1 B2,b K2, a3,b K2^-1 B3,b K3, a4,b K3^-1 B4,b ... on the functional branch and the primed versions on the dummy branch, step i reading input bit 1, 2, 1, 2.]
Goal: Multiply these S matrices without revealing them, and test equality at the end.
[Figure: GGH15 encodes along an edge from Ai to Ai+1; the two matrices Si,1 and Si,0 of step i are encoded relative to these.]
Encode(si,b): 2 steps
Yi,1 = si,1 Ai+1 + Ei,1
Yi,0 = si,0 Ai+1 + Ei,0
Target: Branching programs that always compute the identity matrix I (corresponds to 0), with an input partitioning feature.
[Figure: two length-8 programs reading input bits 1 2 1 2 3 4 3 4: one in which every matrix is I, versus one in which one step holds P and a later step reading the same input bit holds P^-1, where P ≠ I. The steps are split into a Z zone and an X zone.]
Goal: extract the scalars there, run the mixed-input attack.
Attack GGHRSW13+GGH15
Step 1: Accumulate a matrix W via honest evaluations that yield zero.
[Figure: the GGH15 encodings D1,1, D1,0, D2,1, D2,0, ..., Dh-1,1, Dh-1,0, Dh,1, Dh,0 of the functional branch and D’1,1, D’1,0, ..., D’h-1,1, D’h-1,0, D’h,1, D’h,0 of the dummy branch, split into a Z zone and an X zone.]
Attack GGHRSW13+GGH15
Step 1: Accumulate a matrix W via honest evaluations.
Step 2: Compute the left-kernel of W. (In the rest of the analysis in this talk, I will ignore the dummy branch.)
[Figure: W factors as X · Z: the rows of X are [Sx1 Ex1], [Sx2 Ex2], ..., [Sxu Exu] for the X-zone inputs x1, ..., xu, and Z is built from Sz1 A0 + Ez1, ..., Szv A0 + Ezv for the Z-zone inputs z1, ..., zv.]
First two steps are taken from the previous zeroizing attack [CLLT16]; the next few steps will be more involved.
Attack GGHRSW13+GGH15
Step 1: Accumulate a matrix W via honest evaluations.
Step 2: Compute the left-kernel of W: FW = FXZ = 0 => FX = 0.
Step 3: From F, learn something about scalars.
[Figure: F = (fg,i), g = 1..d, i = 1..k, annihilates the rows [Sx1 Ex1], [Sx2 Ex2], ..., [Sxk Exk].]
What we have: Sxi = axi ⋅ J ⋅ diag(uxi, vxi, Ixi) ⋅ K
What we want, the useful equations: for all g in [1, d],
Σ_{i=1}^{k} fg,i ⋅ axi = 0, where axi is the product of the bundling scalars ai,xi selected by input xi.
Attack GGHRSW13+GGH15
Step 3: From F, learn something about scalars.
[Figure: the all-identity program versus the program with P and P^-1, input bits 1 2 1 2 3 4 3 4.]
What we can get: the ratios a1,1 a3,1 / a1,0 a3,0, a1,1 a3,1 / a2,1 a4,1, a1,1 a3,1 / a2,0 a4,0.
What we want: each of a1,1, a3,1, a1,0, a3,0, ... individually.
Possible to get some pairs via PIP solver and factoring oracles.
Attack GGHRSW13+GGH15: summary
Step 1: (Evaluate, reorganize results) Accumulate equations to get a matrix W.
Step 2: (linear algebra) Compute the left-kernel F of W.
Step 3: (alternative linear algebra) From F, find out ratios of scalars from the X zone.
Step 4: (Quantum polynomial or subexponential classical) From the ratios of scalars, find the small representations, and run the mixed-input attack.
[Figure: the all-identity program versus the program with P and P^-1, input bits 1 2 1 2 3 4 3 4, split into a Z zone and an X zone.]
55
Review GGHRSW13 obfuscation
How to break GGHRSW + GGH15
How to break GGHRSW + GGH13 (very briefly)
56
Base ring: R = Z[x]/(x^n + 1)
Master secret: a small g in R
Ideal generated by g: I = <g> = { gu : u ∈ R }
B(g) = { g, Xg, ..., X^(n-1) g }
Plaintext space: R/I
Zero-test parameter: h z^k / g
Encode(m): (m + gr) / z
57
Step I: Use the zeroizing attack to recover the ideal I = <g>.
(If you have a quantum computer or are willing to spend subexponential time, you can get g itself from I, yielding a total break.)
Step II: Compute ratios of scalars “in some form”.
Step III: Once you have the ratios of scalars, use a simplified version of the annihilation attack [MSZ 16].
[Figure: a length-12 program reading input bits 1 2 1 2 3 4 3 4 5 6 5 6, all matrices I except one P and a later P^-1, split into a Z zone, a Y zone and an X zone.]
58
Summary table (rows: multilinear map; columns: class of branching programs):
Columns: (a) some single-input BPs with input partition; (b) some single-input BPs without input partition*; (c) all BPs (esp. dual-input)
GGH13: (a) Classical polynomial time [CGH17]; (b) Candidates without diagonal paddings [MSZ16, ADGM17]; (c) ???????
CLT13: (a) Classical poly [CHLRS15]; (b) Classical poly [CLLT17]; (c) Quantum [Factoring]
GGH15: (a) Quantum polynomial or classical subexponential time [CGH17]; (b) ?; (c) ???????
* Missing details of the exact statements. For the exact parameters see the references. Blue: concurrent works that use the tensoring method.
59
The next benchmark for cryptanalysts: [ Garg-Miles-Mukherjee-Sahai-Srinivasan-Zhandry ‘16 ]
(0) Dual-input branching program
(1) Bundling scalars (against mixed-input attacks)
(2) Kilian randomization (against partial evaluation)
(3) Adding random diagonal matrices and bookends
(4) Wrap (0-3) by multilinear maps
For this candidate no attack is published for GGH13, CLT13, or GGH15; it comes with an idealized-model-type security proof for GGH13.
Another direction for cryptanalysts: attack without using encodings of zero (e.g. targeting obfuscation for evasive functions).
For counter-cryptanalysts: one can identify a secure mode of GGH15 that can be based on LWE:
“Constraint-hiding constrained PRFs for NC1 from LWE”, Ran Canetti, Yilei Chen
“Separating Semantic and Circular Security for Symmetric-Key Bit Encryption from the Learning with Errors Assumption”, Rishab Goyal, Venkata Koppula, Brent Waters
And more on eprint recently, possibly more safe applications.