Zeroizing Attacks on Cryptographic Multilinear Maps


1 Zeroizing Attacks on Cryptographic Multilinear Maps
Mariana Raykova, SRI and Yale University
Joint work with Jean-Sébastien Coron, Craig Gentry, Shai Halevi, Tancrède Lepoint, Hemanta Maji, Eric Miles, Amit Sahai, Mehdi Tibouchi
*Thanks to Eric Miles for some slides

2 Cryptographic Multilinear Maps (MMAPs)
Goal: compute on encoded data that is secret
Not fully homomorphic encryption (FHE)
  Similarity: encode values E(a); evaluate polynomials p(x) over the encoded values to obtain E(p(a))
  Difference: FHE: cannot learn anything about the encoded values without the secret key
              MMAPs: zero-test reveals whether an encoded value is zero using public parameters (for some types of encodings)
Introduced by Boneh and Silverberg 2003
  Generalization of bilinear maps that "would have far-reaching consequences in cryptography"
  Compute beyond quadratic functions on the encoded data

3 MMAPs Applications
Bilinear maps: identity-based encryption (IBE), attribute-based encryption for formulas (ABE), predicate encryption (simple predicates), efficient non-interactive zero-knowledge proofs, …
Multilinear maps [BS03]: one-round n-way Diffie-Hellman key exchange, unique signatures and verifiable pseudorandom functions, broadcast encryption with short keys and transmissions
Last few years – explosion of applications: functional encryption for all circuits, witness encryption, program obfuscation, …
"We hope this ample motivation will eventually lead to an efficient construction for a cryptographic multilinear map. We also give evidence that such maps might have to either come from outside the realm of algebraic geometry or occur as 'unnatural' computable maps arising from geometry." [BS03]

4 Road of MMAP Constructions
First generation
  [Garg-Gentry-Halevi’13] – from ideal lattices
  [Coron-Lepoint-Tibouchi’13] – from the Chinese Remainder Theorem
  [Gentry-Gorbunov-Halevi’15] – from standard lattices
Second generation
  [Coron-Lepoint-Tibouchi’15] – modification of [CLT13] in response to the zeroizing attacks [Cheon-Han-Lee-Ryu-Stehlé’14], [Boneh-Wu-Zimmerman’14], [CGHLMMRST15]
  [Gentry-Halevi-Lepoint’15] – modification of [GGH13] in response to the zeroizing attacks [GGH13], [CGHLMMRST15], [Hu-Jia’15]; recent attack: Brakerski-Gentry-Halevi-Lepoint-Sahai-Tibouchi

5 MMAP Definition [BS03]
Given groups G1 and G2 of the same prime order p, e: G1^n → G2 is a multilinear map if
  e(g^a1, …, g^an) = e(g, …, g)^(a1·…·an) for g ∈ G1
  e is non-degenerate: if g is a generator of G1, then e(g, …, g) is a generator of G2
Bilinear map when n = 2
MMP = (InstGen, Encode, GroupOp, Mmap)
  InstGen: public param = (p, g1, …, gk+1, G1, …, Gk+1, e)
  Encode: unique encoding Encode(param, i, x) = gi^x
  GroupOp: add(gi^x, gi^y) = gi^(x+y)
  Mmap: e(g1^a1, …, gn^an) = e(g1, …, gn)^(a1…an)
Asymmetric setting: e: G1 × … × Gk → Gk+1; prime order

6 Hardness Assumptions
Discrete log is hard: Pr[A(param, i, gi^r) = r : param ← InstGen; r ← Zp] < negl
Multilinear DDH assumption: the distributions
  {g^a1, …, g^an, g^an+1, e(g, …, g)^(a1…an·an+1)} and
  {g^a1, …, g^an, g^an+1, e(g, …, g)^random}
are computationally indistinguishable

7 Graded Encodings
Randomized encoding algorithm: not unique encodings but sets of possible encodings
k-graded encoding system: a ring R and a system of sets { Si(a) } such that the sets { Si(a) : a ∈ R } are disjoint
  Addition: if u1 ∈ Si(a1) and u2 ∈ Si(a2), then u1 + u2 ∈ Si(a1 + a2)
  Multiplication: if u1 ∈ Si1(a1) and u2 ∈ Si2(a2), then u1 × u2 ∈ Si1+i2(a1 × a2)
  Associative, commutative
Zero-testing – a procedure that allows one to check whether u ∈ Sk(0) for a fixed zero-testing level k

8 Graded Encodings
Instance Generation: generate
  secret param – description of the k-graded encoding system
  public pzt – zero-testing parameter for level k
Encoding – given param, level i and a ∈ R, outputs a level-i encoding of a: ui ∈ Si(a)
Addition and multiplication – for u1 ∈ Si(a1), u2 ∈ Si(a2), u3 ∈ Sj(a3):
  Addition of encodings at the same level: u1 + u2 ∈ Si(a1 + a2)
  Multiplication of any encodings: u1 × u3 ∈ Si+j(a1 × a3)
Zero-testing – given pzt and u, output 1 if u ∈ Sk(0), and 0 otherwise
  Enables equality testing at level k

9 Attacks on [CLT13]

10 [CLT13] Multilinear Maps
System parameters
  Primes p1, …, pn ("big primes") and g1, …, gn ("small primes", gi << pi for all i)
  Level parameter z ∈ Zx0
  Modulus x0 = p1 · … · pn
Secret parameters: pi, gi, z; public parameter: x0
More general levels use different zi ∈ Zx0

11 [CLT13] Encoding
Plaintext space: m = (m1, …, mn) ∈ Zg1 × Zg2 × … × Zgn
Encode via the Chinese remainder theorem (CRT) in Zx0. To encode message (m1, …, mn) at level j:
  ∀i ≤ n compute ei = mi + ri·gi for random ri << pi
  Output z^-j · CRT(e1, …, en) mod x0
More general levels: monomials z1…zm

12 [CLT13] Arithmetic Properties
Addition: add encodings at the same level mod x0
Multiplication: multiply encodings mod x0 (levels add)
Bounded noise growth: need (mi + ri·gi)(m'i + r'i·gi) < pi for all i

13 [CLT13] Zero Testing
Let pi' = x0 / pi = ∏j≠i pj for all i ≤ n
Property: for any e1, …, en, CRT(p1'·e1, …, pn'·en) = ∑1≤i≤n pi'·ei mod x0
Zero-test parameter: random hi << pi for all i ≤ n
  pzt = CRT(p1'·h1·g1^-1, …, pn'·hn·gn^-1) · z^k mod x0
  k is the zero-test level; gi^-1 is computed mod pi

14 How to Zero-Test?
Level-k encoding: a = z^-k · CRT(m1 + r1g1, …, mn + rngn) mod x0
Zero-test parameter for level k: pzt = z^k · CRT(p1'h1g1^-1, …, pn'hngn^-1) mod x0
Zero-testing: check whether |a·pzt mod x0| is small
  a·pzt mod x0 = CRT(pi'(hi·gi^-1·mi + hi·ri))1≤i≤n = ∑1≤i≤n pi'(hi·gi^-1·mi + hi·ri) mod x0
  If a encodes 0, the equality holds over the integers: a·pzt = ∑1≤i≤n pi'hiri, since |hiri| << pi
  If a does not encode 0, or is not at the zero-testing level, |a·pzt| ≈ x0
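As an added illustration (example code, not from the talk or from the [CLT13] paper), a toy Python instance of the encoding, arithmetic and zero-test of slides 10-14 with constructed parameters: three Mersenne primes as the pi, small gi, and z and hi drawn from a seeded generator. It shows the two outcomes the slide describes: for a level-k encoding of 0 the product a·pzt is the small integer ∑ pi'hiri (the non-modular equality the zeroizing attacks later rely on), while a non-zero encoding, or a zero encoding at the wrong level, gives a residue of size ≈ x0.

```python
import random
from math import gcd, prod

rng = random.Random(7)
# Constructed toy parameters (Mersenne primes, so no primality test is needed); real CLT13 uses
# thousands of primes of a few thousand bits.  p_i are the "big primes", g_i the "small primes".
PRIMES = [2**89 - 1, 2**107 - 1, 2**127 - 1]
G = [257, 263, 269]                         # plaintext space is Z_g1 x Z_g2 x Z_g3
X0 = prod(PRIMES)                           # public modulus x0 = p_1 * ... * p_n
K = 2                                       # zero-testing level k
R_BITS, H_BITS = 12, 8                      # noise r_i and randomisers h_i, both << p_i

def crt(residues):
    """CRT(e_1, ..., e_n): the unique x in Z_x0 with x = e_i mod p_i for every i."""
    return sum(e * (X0 // p) * pow(X0 // p, -1, p) for e, p in zip(residues, PRIMES)) % X0

def instgen():
    """Secret z in Z_x0^* and public pzt = z^k * CRT(p_1' h_1 g_1^-1, ..., p_n' h_n g_n^-1) mod x0."""
    z = rng.randrange(2, X0)
    while gcd(z, X0) != 1:
        z = rng.randrange(2, X0)
    h = [rng.getrandbits(H_BITS) | 1 for _ in PRIMES]
    pzt = crt([(X0 // p) * hi * pow(gi, -1, p) for p, hi, gi in zip(PRIMES, h, G)])  # g_i^-1 mod p_i
    return z, pow(z, K, X0) * pzt % X0

def encode(z, msg, level=1):
    """Level-j encoding of (m_1, ..., m_n): CRT(m_1 + r_1 g_1, ..., m_n + r_n g_n) * z^-j mod x0."""
    return crt([mi + rng.getrandbits(R_BITS) * gi for mi, gi in zip(msg, G)]) * pow(z, -level, X0) % X0

def add(u, v): return (u + v) % X0          # encodings at the same level
def mul(u, v): return u * v % X0            # levels add: level i times level j is level i+j

def zero_test(pzt, u):
    """True iff u is a level-k encoding of 0: then u*pzt mod x0 equals sum_i p_i' h_i r_i as an integer,
    about p_min / (h_i r_i) times smaller than x0; for anything else the residue looks random."""
    w = u * pzt % X0
    w = w - X0 if w > X0 // 2 else w        # centred representative in (-x0/2, x0/2]
    return abs(w).bit_length() < X0.bit_length() - 32

def demo():
    z, pzt = instgen()
    a = encode(z, (5, 100, 7))
    neg_a = encode(z, (G[0] - 5, G[1] - 100, G[2] - 7))   # slot-wise additive inverse of a
    one, zero = encode(z, (1, 1, 1)), encode(z, (0, 0, 0))
    return (zero_test(pzt, mul(a, zero)),              # True:  level-2 encoding of 0
            zero_test(pzt, mul(add(a, neg_a), one)),   # True:  (m + (-m)) * 1 encodes 0 at level 2
            zero_test(pzt, mul(a, a)),                 # False: level 2 but encodes (25, 6, 49)
            zero_test(pzt, add(a, neg_a)))             # False: encodes 0 but only at level 1
```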

15 Attacks on [CLT13]
[CLT13] seemed immune to the weak DL attacks on [GGH13]
Until… [CHLRS15] (Cheon-Han-Lee-Ryu-Stehlé) gave the first attack on [CLT13]
  Based on zeroizing techniques: relies on low-level 0-encodings
  Complete break: recovers the private parameters
[BWZ14] and [GGHZ14] proposed attempted fixes
[CGHLMRST15] extends the attacks on [CLT13]
  Attacks without low-level 0s (appeared also in [BWZ14])
  Attack on the proposed fixes of [BWZ14] and [GGHZ14]
  Attacks on simplified versions of obfuscation constructions

16 [CHLRS15] Attack
n – number of primes pi; K – zero-testing level
Ingredients: three sets of encodings mod x0
  {Ai}1≤i≤n – n encodings of 0
  {B0, B1} – two encodings, the "target of the attack"
  {Ci}1≤i≤n – n encodings
Every product Ai1·Bi2·Ci3 is a zero-test-level encoding

17 [CHLRS15] Attack
Simple example: n = 2, K = 3
Multiply: A1 · B · C1 = z^-3 · CRT(g1·a1,1·b1·c1,1, g2·a1,2·b2·c1,2)

18 [CHLRS15] Attack
Zero-test: pzt = z^3 · CRT(p1'h1g1^-1, p2'h2g2^-1) mod x0
A1 · B · C1 = z^-3 · CRT(g1·a1,1·b1·c1,1, g2·a1,2·b2·c1,2)
Set W1,1 = pzt · A1 · B · C1 mod x0 = p1'h1·a1,1·b1·c1,1 + p2'h2·a1,2·b2·c1,2
The equality holds over the integers (without modular reduction)
Writing α1 = p1'h1 and α2 = p2'h2:
  W1,1 = [a1,1  a1,2] × diag(α1b1, α2b2) × [c1,1 ; c1,2]

19 [CHLRS15] Attack
Use the rest of the sets A = {A1, A2} and C = {C1, C2}:
  W1,2 = pzt · A1 · B · C2 = α1·a1,1·b1·c2,1 + α2·a1,2·b2·c2,2
  W2,1 = pzt · A2 · B · C1 = α1·a2,1·b1·c1,1 + α2·a2,2·b2·c1,2
  W2,2 = pzt · A2 · B · C2 = α1·a2,1·b1·c2,1 + α2·a2,2·b2·c2,2
Set the new matrix
  W = [W1,1  W1,2 ; W2,1  W2,2] = [a1,1  a1,2 ; a2,1  a2,2] × diag(α1b1, α2b2) × [c1,1  c2,1 ; c1,2  c2,2]

20 [CHLRS15] Attack
W = A × diag(α1b1, α2b2) × C
Compute similarly W' using the sets {A1, A2}, {C1, C2} and B':
  W' = A × diag(α1b1', α2b2') × C
Compute over Q:
  (W')^-1 = C^-1 × diag(1/(α1b1'), 1/(α2b2')) × A^-1

21 [CHLRS15] Attack
So far we computed W and (W')^-1
Multiply over Q: W × (W')^-1 = A × diag(b1/b1', b2/b2') × A^-1
Recover b1/b1' and b2/b2' by computing the eigenvalues
Use the above values to factor x0

22 No low level zero encodings
Attack extension #1

23 Attack Sets
Ingredients: three sets of encodings
  {Ai}1≤i≤n – n encodings, not necessarily encodings of 0
  {B0, B1} – two encodings, the "target of the attack"
  {Ci}1≤i≤n – n encodings
Every product Ai1·Bi2·Ci3 is a zero-test-level encoding

24 No Low-Level Zero Encodings
Each 3-wise product encodes 0 at the zero-testing level: Ai · B · Cj and Ai · B' · Cj for all i, j
  g1 divides ai,1·b·cj,1 and ai,1·b'·cj,1 for all i, j
  g2 divides ai,2·b·cj,2 and ai,2·b'·cj,2 for all i, j
The equalities hold over Q:
  W  = [a1,1  a1,2 ; a2,1  a2,2] × diag(α1b1/g1, α2b2/g2) × [c1,1  c2,1 ; c1,2  c2,2]
  W' = [a1,1  a1,2 ; a2,1  a2,2] × diag(α1b1'/g1, α2b2'/g2) × [c1,1  c2,1 ; c1,2  c2,2]

25 No Low-Level Zero Encodings
W = A × diag(α1b1/g1, α2b2/g2) × C
(W')^-1 = C^-1 × diag(g1/(α1b1'), g2/(α2b2')) × A^-1
W × (W')^-1 = A × diag(b1/b1', b2/b2') × A^-1
Compute the eigenvalues

26 Multiple Monomials
Attack extension #2

27 [BWZ14] Immunization of [CLT13]
Encoding of (m1, m2) is a pair (a, a'), with α, β1, β2, β3, β4 random:
  a is a [CLT13] encoding of (m1, m2, α, β1)
  a' is a [CLT13] encoding of (β2, β3, α, β4)
Encodings can be added and multiplied
Zero-testing parameters
  [CLT13] zero-test parameter pzt
  tL: encoding of (1, 1, 1, 0)
  tR: encoding of (0, 0, 1, 0)
Zero-testing (a, a'): pzt · (tL·a – tR·a')

28 Multiple Monomials
A top-level zero can be obtained only in the form a·b·c – a'·b'·c'
Attack sets (each element is a 2×2 diagonal matrix):
  Ai = diag(ai, a'i), with ai = CRT(ai,1, ai,2)/z and a'i = CRT(a'i,1, a'i,2)/z
  B = diag(b1, b'1), B' = diag(b2, b'2)
  Ci = diag(ci, c'i), with ci = CRT(ci,1, ci,2)/z and c'i = CRT(c'i,1, c'i,2)/z

29 Multiple Monomials
Wi,j = pzt · ((Ai × B × Cj) · [tL, –tR])
Wi,j = [ai,1  a'i,1  ai,2  a'i,2] × diag(α1b1,1/g1, –α1b'1,1/g1, α2b1,2/g2, –α2b'1,2/g2) × [cj,1 ; c'j,1 ; cj,2 ; c'j,2]
Increased dimension:
  W × (W')^-1 = A × diag(b1,1/b2,1, b'1,1/b'2,1, b1,2/b2,2, b'1,2/b'2,2) × A^-1

30 Matrix Encodings
Attack extension #3

31 [GGHZ14] Fix for [CLT13]
Encoding of a value m is
  C = T × [Enc($)  Enc(0)  …  Enc(0) ; Enc(0)  Enc($)  …  Enc(0) ; … ; Enc(0)  Enc(0)  …  Enc(m)] × T^-1 mod x0
  Enc($): CLT encoding of an independent random value at level z
  Enc(0): CLT encoding of 0 at level z
  Enc(m): CLT encoding of m at level z
  T: secret matrix, uniformly random in Zx0^(d×d)

32 [GGHZ14] Fix for [CLT13]
Zero-test parameters
  s = [Enc($) … Enc($)  Enc(0) … Enc(0)  Enc($)] × T^-1 mod x0
  t = pzt · T × [Enc(0) … Enc(0)  Enc($) … Enc($)  Enc($)]^T mod x0
  CLT encodings at level 0
Zero-testing: s × C × t mod x0 = (Enc($)·Enc(m) + Enc(0))·pzt mod x0
  Whp small relative to x0 if C encodes 0

33 Matrix Encodings
Attack sets
  Ai = T × Ai* × T^-1, i ∈ [nd]
  Bi = T × Bi* × T^-1, i ∈ {0, 1}
  Ci = T × Ci* × T^-1, i ∈ [nd]
Wi,j = s × Ai × B0 × Cj × t = (s × T) × Ai* × B0* × Cj* × (T^-1 × t)
  (the outer factors s × T × Ai* and Cj* × T^-1 × t play the roles of ai and cj)

34 Matrix Encodings
W × (W')^-1 = A × diag((B0 mod p1)(B1 mod p1)^-1, (B0 mod p2)(B1 mod p2)^-1) × A^-1   (block diagonal)
CharPoly(W × (W')^-1) = ∏i CharPoly((B0 mod pi)(B1 mod pi)^-1)
Factor CharPoly(W × (W')^-1) and use the Cayley-Hamilton theorem to recover the primes pi:
  fi((B0 mod pi)(B1 mod pi)^-1) = 0 mod pi
  GCD(x0, fi(B0 × B1^-1)[0,0]) = pi
[Kuba’09]: among polynomials with coefficients of |size| < t, about 1/t are irreducible
Hansen and Schmutz: relationship between a random polynomial and the characteristic polynomial

35 Attack on Simplified [GGHRSW13] Obfuscation
Branching program obfuscation

36 (Oblivious) Branching Programs [Barrington86]
A BP of length m with n input bits is defined as (inp(1), A1,0, A1,1), (inp(2), A2,0, A2,1), …, (inp(m), Am,0, Am,1)
  Ai,0, Ai,1 ∈ {0, 1}^(5×5)
  inp: [m] → [n]
The BP for F evaluates on input x = (x1, …, xn) as
  F(x) = 1 if ∏i=1..m Ai,x_inp(i) = I, and 0 otherwise

37–39 (Oblivious) Branching Programs
Example: BP of length 9 with 4-bit inputs (figure in three animation steps: the two rows of matrices A1,0 … A9,0 and A1,1 … A9,1, with the input bits selecting one matrix per position)
Multiply the chosen 9 matrices. If the product is I, output 1. Otherwise, output 0.

40 Barrington’s Theorem [B86]
Every function computable by a depth-d circuit is computable by a branching program of length 4^d.
Corollary: every function in NC1 has a polynomial-length branching program

41 Randomized Branching Programs [Kilian88]
Randomized BP (RBP) construction of length m and input size n:
  BP: (inp(1), A1,0, A1,1), …, (inp(m), Am,0, Am,1)
  Sample invertible matrices R0, …, Rm ∈ {0, 1}^(5×5)
  Set B_{i,0} = R_{i-1} · A_{i,0} · R_i^-1 and B_{i,1} = R_{i-1} · A_{i,1} · R_i^-1
Omitting several steps…
Hide the matrices with multilinear maps (figure: B1,0 … B9,0 and B1,1 … B9,1)
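Added example (not code from the talk or from [GGHRSW13]): a length-4 oblivious branching program over 5×5 permutation matrices that computes NAND of two input bits, evaluated as defined on slide 36, followed by its Kilian randomisation. This example assumes the Ri are random invertible matrices over a small prime field ZP rather than the {0,1} matrices written on the slide; the telescoping of the Ri is what keeps the randomised program's output unchanged.

```python
import random
P = 1000003                       # constructed prime modulus; Kilian's randomisation works over any field
rng = random.Random(2024)
def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(5)) % P for j in range(5)] for i in range(5)]

def matinv(M):  # inverse of a 5x5 matrix over Z_P by Gauss-Jordan elimination, None if singular
    A = [row[:] + [int(i == j) for j in range(5)] for i, row in enumerate(M)]
    for c in range(5):
        piv = next((r for r in range(c, 5) if A[r][c]), None)
        if piv is None: return None
        A[c], A[piv] = A[piv], A[c]
        inv = pow(A[c][c], -1, P)
        A[c] = [v * inv % P for v in A[c]]
        for r in range(5):
            if r != c:
                A[r] = [(vr - A[r][c] * vc) % P for vr, vc in zip(A[r], A[c])]
    return [row[5:] for row in A]

def perm_matrix(perm):  # 0/1 matrix sending e_j to e_perm[j]; matrix products then compose permutations
    return [[int(perm[j] == i) for j in range(5)] for i in range(5)]

transpose = lambda M: [list(col) for col in zip(*M)]     # inverse of a permutation matrix
I5 = perm_matrix((0, 1, 2, 3, 4))
SIGMA = perm_matrix((1, 2, 3, 4, 0))                      # i -> i + 1 mod 5
TAU = perm_matrix((0, 2, 4, 1, 3))                        # i -> 2i mod 5
# Length-4 oblivious BP (inp(i), A_i,0, A_i,1) on 2 input bits.  Its product is the commutator
# sigma tau sigma^-1 tau^-1 (a 5-cycle) when x0 = x1 = 1 and the identity otherwise, i.e. NAND.
NAND_BP = [(0, I5, SIGMA), (1, I5, TAU), (0, I5, transpose(SIGMA)), (1, I5, transpose(TAU))]

def eval_bp(bp, x, target=I5):
    """F(x) = 1 iff the product of the selected matrices equals target (I for a plain BP)."""
    prod = I5
    for inp, a0, a1 in bp:
        prod = matmul(prod, a1 if x[inp] else a0)
    return int(prod == target)

def kilian_randomize(bp):
    """B_i,b = R_{i-1} A_i,b R_i^-1 with random invertible R_i; they telescope, so prod B = R_0 (prod A) R_m^-1."""
    R = []
    while len(R) < len(bp) + 1:
        cand = [[rng.randrange(P) for _ in range(5)] for _ in range(5)]
        if matinv(cand) is not None:
            R.append(cand)
    rbp = [(inp, matmul(matmul(R[i], a0), matinv(R[i + 1])), matmul(matmul(R[i], a1), matinv(R[i + 1])))
           for i, (inp, a0, a1) in enumerate(bp)]
    return rbp, matmul(R[0], matinv(R[-1]))          # accept iff the product equals R_0 R_m^-1
def truth_table(bp, target=I5):
    """Outputs on all four 2-bit inputs; NAND gives [1, 1, 1, 0] before and after randomisation."""
    return [eval_bp(bp, x, target) for x in ((0, 0), (0, 1), (1, 0), (1, 1))]
```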

42 Attack on Simplified Obfuscation
There exist partitions of the input bits and of the branching program positions:
  Input bits: [l] = X ∪ Y ∪ Z
  BP positions: [L] = A ∪ B ∪ C
  inp(i) ∈ X ∀i ∈ A; inp(i) ∈ Y ∀i ∈ B; inp(i) ∈ Z ∀i ∈ C
BP0 and BP1 where BPb = A(x) ∘ Bb(y) ∘ C(z):
  A(x) is a branching program over the positions of A depending on the input bits x
  B0(y) and B1(y) are two different programs over the positions of B depending on the input bits y
  C(z) is a branching program over the positions of C depending on the input bits z
BP0 and BP1 compute the same constant function that outputs 1
(figure: B1,0 … B9,0 and B1,1 … B9,1 with the positions split into the blocks A, B, C)

43 Attack on Simplified Obfuscation
Attack sets (w – matrix dimension, n – MMAP parameter):
  Ai = { ∏j=1..|A| Enc(Bj,inp(j)) } for x ∈ {0,1}^|X|, i ∈ [nw]
  Bi = { ∏j=|A|+1..|A∪B| Enc(Bj,inp(j)) } for y ∈ {0,1}^|Y|, i ∈ {0,1}
  Ci = { ∏j=|A∪B|+1..|A∪B∪C| Enc(Bj,inp(j)) } for z ∈ {0,1}^|Z|, i ∈ [nw]

44 Conclusions
Zeroizing attacks on [CLT13] completely break the scheme
  Low-level zero encodings are not needed for the attacks
  The attacks generalize to break the proposed fixes [BWZ14] and [GGHZ14]
Obfuscation constructions are not broken
  We can attack only simplified obfuscation constructions
[CLT15] – new candidate fix of [CLT13] that does not suffer from our zeroizing attacks

45 Thank you!

