Abstract
In this paper, we propose cryptanalyses of all existing indistinguishability obfuscation (iO) candidates based on branching programs (BP) over the GGH13 multilinear map, for all recommended parameter settings. To achieve this, we introduce two novel techniques, program converting using an NTRU solver and matrix zeroizing, which apply to a wider range of obfuscation constructions and BPs than previous attacks. We then prove that, for the suggested parameters, the existing general-purpose BP obfuscations over GGH13 do not have the desired security. In particular, the first candidate indistinguishability obfuscation with input-unpartitionable branching programs (FOCS 2013) and the recent BP obfuscation (TCC 2016) are not secure against our attack when they use GGH13 with the recommended parameters. No polynomial time attack was previously known for these cases.
Our attack shows that the lattice dimension of GGH13 must be set much larger than previously thought in order to maintain security. More precisely, the underlying lattice dimension of GGH13 should be set to \(n=\tilde{\varTheta }( \kappa ^2 \lambda )\) to rule out attacks based on the subfield algorithm for NTRU, where \(\kappa \) is the multilinearity level and \(\lambda \) the security parameter.
1 Introduction
Constructing a general-purpose program obfuscation has been a long standing open problem [8, 9], despite its many applications. At FOCS 2013, Garg et al. suggested the first plausible candidate general-purpose indistinguishability obfuscation (GGHRSW) [23], using the branching program (BP) representation of functions [10]. This first candidate iO has ignited various subsequent studies [3, 5,6,7, 15, 24, 30, 32, 34] on obfuscation, all of which build on cryptographic multilinear maps.
To date, there are three plausible candidates for multilinear maps: the first is due to Garg, Gentry, and Halevi [22] (GGH13), the second to Coron, Lepoint, and Tibouchi [19], and the last to Gentry, Gorbunov, and Halevi [25]. The security of the three candidates is not well understood, although some works [3, 7, 15, 30, 34] claim security in an idealized model, the so-called generic multilinear map model.
Recently, several works have tried to narrow this gap [6, 24, 29]. In particular, Garg et al. proved the security of a slightly modified version of the first candidate iO construction (GMMSSZ) in the weak multilinear map model of GGH13, which captures all previously known polynomial time attacks on BP obfuscations over the GGH13 multilinear map [24]. Despite provable security in these models, the practical security of obfuscations over GGH13 remains in doubt.
Direct Attacks on GGH13. As a direct method of analyzing obfuscations over GGH13, we may consider attacks on the GGH13 encoding scheme itself. The underlying hardness problems of GGH13 are the (overstretched) NTRU problem and the short generator of a principal ideal problem (SPIP).
The subfield attacks, proposed independently by Albrecht et al. and Cheon et al. [1, 18], are the most notable algorithms for solving the NTRU problem. These attacks show that the underlying NTRU problem of GGH13-based obfuscation is solved in polynomial time whenever the multilinearity level \(\kappa \) is larger than the security parameter \(\lambda \). Combined with the algorithms for solving SPIP [12,13,14, 20], GGH13 is broken in classical subexponential time in the security parameter \(\lambda \) for the instantiations in [2, 27], or in quantum polynomial time. This shows that the parameters of GGH13 must be set so that at least one of the two steps, solving NTRU or solving PIP, is infeasible.
Attacks on BP Obfuscations over GGH13. Several cryptanalyses have also been proposed for obfuscations over the GGH13 multilinear map. The annihilation attack introduced by Miles et al. [31] showed that some constructions of single/dual-input BP obfuscations [3, 6, 7, 30] do not have the desired security when used for general-purpose obfuscation and instantiated with GGH13. The authors presented a very simple example of BPs that are vulnerable to annihilation attacks. Soon after, Apon et al. [4] extended the range of annihilation attacks to BPs generated by Barrington's theorem [10], the fundamental method for transforming \(\mathcal {NC}^1\) circuits into bounded-width BPs.
Chen et al. [16] presented another attack on BP obfuscation over the GGH13 multilinear map. They showed that there exist two functionally equivalent programs with a special property, called input-partitionable, whose GGHRSW obfuscations can be efficiently distinguished.
Limitations of Previous Works. Despite the diverse attacks on BP obfuscations over the GGH13 multilinear map, GGHRSW remains secure against all known PPT attacks when it only takes input-unpartitionable BPs as input, such as BPs generated by Barrington's theorem. Meanwhile, there is no known polynomial time attack on multi-input branching program obfuscations, including GMMSSZ. We also remark that the direct approach [1], with the current best algorithm for solving SPIP [13, 20], has classical exponential running time in the security parameter \(\lambda \) when the dimension n of the base number field satisfies \(n=\varOmega (\lambda ^2)\).
Our Contribution. We present distinguishing attacks on candidate BP iO over the GGH13 multilinear map based on algorithms for solving the NTRU problem. With two novel techniques, program converting and the matrix zeroizing attack, we show that the existing general-purpose BP obfuscations cannot achieve the desired security when they use GGH13 with the parameters proposed in [2, 22, 27]. In other words, there are two functionally equivalent BPs of the same length such that their obfuscations under any existing BP obfuscation over GGH13 can be distinguished in polynomial time for the suggested parameters.
Our attack applies to a wider range of obfuscations and BPs than previous attacks. In particular, we show that multi-input BP obfuscations such as the GMMSSZ construction are insecure in the NTRU-solvable parameter regime. Further, we show that the first candidate indistinguishability obfuscation GGHRSW based on GGH13 with the current parameters also fails to achieve the desired security even if it only obfuscates input-unpartitionable BPs, including branching programs generated by Barrington's theorem. Although our attack exploits a new property of BPs, which we call linear relational inequivalence, we show that many pairs of BPs satisfy this property.
As a result, we show that BP obfuscations based on the GGH13 multilinear map with the suggested parameters are broken using only an algorithm for NTRU. Therefore the underlying lattice dimension n of GGH13 should be set to \(n=\tilde{\varTheta }(\kappa ^2 \lambda )\) to maintain \(2^\lambda \) security of the obfuscation schemes. This implies that iO based on GGH13 is even less efficient than previous results suggested [1, 28].
1.1 Technical Overview
Here we briefly show how our attack applies to a simplified version of GGHRSW.
Simplified GGHRSW Obfuscation. Let \(P=\{ \varvec{M}_{i,b}\in {\mathbb {Z}}^{d\times d} \}_{b\in \{0,1\},1\le i\le \ell }\) be a set of matrices corresponding to a single input BP such that
where \(x_i\) is the i-th bit of \(\varvec{x}\). The obfuscator randomizes the given BP over several steps.
1. Sample random and independent scalars \(\{\alpha _{i,b},\alpha '_{i,b}\}_{b\in \{0,1\},1\le i\le \ell }\) such that \(\prod _{i=1}^\ell \alpha _{i,x_i } = \prod _{i=1}^\ell \alpha '_{i,x_i}\) for all \(\varvec{x} \in \{0,1\}^\ell \).
2. Sample bookend vectors \(\{\varvec{s},\varvec{t},\varvec{s}',\varvec{t}'\}\) such that \(\varvec{s}\cdot \varvec{t}= \varvec{s}'\cdot \varvec{t}'\).
3. Sample invertible matrices \(\{\varvec{K}_i,\varvec{K}_i' \in {\mathbb {Z}}^{d \times d}\}_{0\le i \le \ell }\) and set
$$\begin{aligned} \begin{array}{ll} \varvec{R}_0 = \varvec{s} \cdot \varvec{{K}}^{-1}_0, &{} \quad \varvec{R}'_0 = \varvec{s}' \cdot \varvec{K}'^{-1}_0\\ \varvec{R}_{i, b} = \alpha _{i,b}\cdot \varvec{K}_{i-1} \cdot \varvec{M}_{i, b} \cdot \varvec{K}^{-1}_{i},&{} \quad \varvec{R}'_{i, b} = \alpha '_{i, b}\cdot \varvec{K}'_{i-1} \cdot \varvec{I}_{d} \cdot \varvec{K}'^{-1}_{i}\\ \varvec{R}_{\ell +1} = \varvec{K}_{\ell } \cdot \varvec{t},&{}\quad \varvec{R}'_{\ell +1} = \varvec{K}'_{\ell } \cdot \varvec{t}'. \end{array} \end{aligned}$$
For the sake of simplicity, we write \(\varvec{R}_{0,b}\), \(\varvec{R}_{\ell +1,b}\), \(\varvec{R}'_{0,b}\), and \(\varvec{R}'_{\ell +1,b}\) to denote \(\varvec{R}_0\), \(\varvec{R}_{\ell +1}\), \(\varvec{R}'_0\), and \(\varvec{R}'_{\ell +1}\), respectively. The randomized BP then preserves the functionality of the original BP under the following evaluation, where \(x_0\) and \(x_{\ell +1}\) are set to 0.
As a final step, each entry of the \(\varvec{R}_i\) and \(\varvec{R}'_i\) is encoded with the GGH13 multilinear map. Let \(\mathcal {R}={\mathbb {Z}}[X]/\langle X^n+1\rangle \). The plaintext space and the encoding space of the GGH13 multilinear map are \(\mathcal R_{\varvec{g}}=\mathcal R/\langle \varvec{g} \rangle \) for some small element \(\varvec{g}\in \mathcal R\) and \(\mathcal R_q=\mathcal R/\langle q \rangle \) for some large integer \(q\in {\mathbb {Z}}\), respectively. The GGH13 multilinear map samples a random invertible element \(\varvec{z}\in \mathcal R_q\), and an encoding of m has the form \(\mathsf{enc}(m) = [({\varvec{r}\cdot \varvec{g} + m})/{\varvec{z}}]_q\) for some small random element \(\varvec{r}\in \mathcal R\). Since \(\varvec{g}\) and \(\varvec{r}\) are small, the numerator is much smaller than q. We write \(\mathsf{enc}(\varvec{R}_{i,b})\) for the matrix whose entries are encodings of the entries of \(\varvec{R}_{i,b}\).
Then, in the case of \(P(\varvec{x})=0\), evaluation of the encoded BP over input \(\varvec{x}\) can be computed as follows:
where the term \(\varvec{e}\) is a small noise element of \(\mathcal R\). If the encoded BP is instead evaluated on an input \(\varvec{x}\) with \(P(\varvec{x})=1\), the numerator of the evaluated value is not a multiple of \(\varvec{g}\).
In order to check whether the numerator of the evaluated value of the encoded BP is zero or not, the GGH13 multilinear map provides a zerotesting parameter \(\varvec{p}_{zt}= [(\varvec{h}\cdot \varvec{z}^{\ell +2})/\varvec{g}]_q\) for some element \(\varvec{h}\in \mathcal R\) of size \(\approx \sqrt{q}\). More precisely, when \(\varvec{p}_{zt}\) is multiplied by the evaluated value, the result is of the form \(\varvec{h}\cdot \varvec{r}'\), which is much smaller than q, if the numerator is a multiple of \(\varvec{g}\); otherwise it is a large value. Hence one can publicly test whether the plaintext of an encoding is zero or not, and the encoded BP has the same functionality as the original BP, by employing the zerotesting parameter \(\varvec{p}_{zt}\).
In summary, the GGHRSW obfuscator outputs the following set as an obfuscated BP.
Goal of Cryptanalysis on Simplified GGHRSW Obfuscation. The simplified GGHRSW obfuscation given above is called indistinguishability obfuscation if the following statement holds: For every two BPs \(P^0 = \{ \varvec{M}^0_{i,b}\}\), and \(P^1 = \{ \varvec{M}^1_{i,b}\}\) with the same size and the same functionality and randomly chosen \(c \in \{0,1\}\), any PPT adversary cannot recover c from the given obfuscated program \(\{\mathsf{enc}(\varvec{R}^c_{i,b}), \mathsf{enc}(\varvec{R}'^c_{i,b}), {\varvec{p}}_{zt} \}\).
In other words, the goal of our cryptanalysis is to recover c, given suitably chosen \(P^0,P^1\) and the obfuscation of \(P^c\).
Program Converting Technique. In the first step, we remove the modulus q using an algorithm for NTRU. The (1, 1) and (1, 2) entries of \(\mathsf{enc}(\varvec{R}_{1,1})\) are of the form \([(\varvec{r}_{1,1}\cdot \varvec{g}+ m_{1,1})/\varvec{z}]_q\) and \([(\varvec{r}_{1,2}\cdot \varvec{g}+ m_{1,2})/\varvec{z}]_q\), respectively. Since both numerators are small compared to q, the ratio \([(\varvec{r}_{1,1}\cdot \varvec{g}+ m_{1,1})/(\varvec{r}_{1,2}\cdot \varvec{g}+ m_{1,2})]_q\) of the two encodings, in which \(\varvec{z}\) cancels, is an instance of the NTRU problem.
By solving the NTRU problem, we can obtain multiples of the denominator and numerator
for some small element \(\varvec{\beta }\in \mathcal R\). Further, dividing \(\varvec{\beta }\cdot (\varvec{r}_{1,1}\cdot \varvec{g}+ m_{1,1})\) by \([(\varvec{r}_{1,1}\cdot \varvec{g}+ m_{1,1})/\varvec{z}]_q\), we obtain \([\varvec{\beta }\cdot \varvec{z}]_q\). Multiplying this value into all entries of \(\mathsf{enc}(\varvec{R}_ {i, b})\) and \(\mathsf{enc}(\varvec{R}'_ {i, b})\) replaces \(1/\varvec{z}\) by the small element \(\varvec{\beta }\). The resulting entries are of the form \(\varvec{\beta }\cdot (\varvec{r}_{j,k} \cdot \varvec{g} + m_{j,k})\), which, being small, can be regarded as elements of \(\mathcal R\) rather than \(\mathcal R_q\). We denote the new BP matrices with entries in \(\mathcal {R}\) by \(\{\varvec{D}_{i,b}\}\) and \(\{\varvec{D}'_{i,b}\}\), respectively.
Next we consider an input \(\varvec{x}\) such that \(P(\varvec{x})=0\). The corresponding product of the matrices \(\varvec{R}\) is zero, so the following equation holds over \(\mathcal {R}\) for such an input.
Hence the term is a multiple of \(\varvec{g}\). Repeating this for other zeros of P, one obtains several multiples of \(\varvec{g}\), and from these a basis of the ideal \(\langle \varvec{g} \rangle \) can be recovered using lattice algorithms.
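The converting step, carried through on a toy instance. This is an added example, not the paper's code, and everything below is an assumption chosen to keep it short: \(\mathcal R={\mathbb {Z}}[X]/\langle X^8+1\rangle \) with \(q=2^{61}-1\) (far too small for security), the secret \(\varvec{g}=2+X\) fixed (its norm 257 is prime, so \(\mathcal R/\langle \varvec{g}\rangle \) is a field and membership in \(\langle \varvec{g}\rangle \) is unambiguous), a length-2, width-2 BP encoded without Kilian or bundling randomization (the converting step does not depend on it), and a stub in place of the NTRU solver: `ntru_solve_stub` returns \(\varvec{\beta }\cdot (\varvec{r}_{1,1}\varvec{g}+m_{1,1})\) and \(\varvec{\beta }\cdot (\varvec{r}_{1,2}\varvec{g}+m_{1,2})\) for \(\varvec{\beta }=1+X\) straight from the secret numerators, since running the subfield attack on the ratio \([\mathsf{enc}_{1,1}/\mathsf{enc}_{1,2}]_q\) is out of scope here. Inversion modulo q and the test \(\varvec{a}\in \langle \varvec{g}\rangle \) (\(\varvec{a}/\varvec{g}\) over \(\mathbb {Q}\) has integer coefficients) are both Gaussian elimination on the multiplication matrix; the membership test uses \(\varvec{g}\) itself, where the attack would use the basis of \(\langle \varvec{g}\rangle \) recovered from several zeros.

```python
# Toy walk-through of the program converting step (added example, not the paper's
# code). R = Z[X]/<X^8+1>, q = 2^61-1 (toy sizes), secret g fixed to 2+X, and the
# NTRU solver replaced by a stub that uses the secret numerators; see the lead-in.
import random
from fractions import Fraction
from itertools import product

N, Q = 8, (1 << 61) - 1
rng = random.Random(2018)
G = [2, 1] + [0] * (N - 2)      # toy secret g = 2 + X (prime norm 257, so R/<g> is a field)
BETA = [1, 1] + [0] * (N - 2)   # small multiplier beta the solver stub "finds"

def pmul(a, b, q=None):
    """Product in Z[X]/<X^N+1> (X^N = -1), optionally reduced mod q."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj if i + j < N else -ai * bj
    return [v % q for v in c] if q else c

def padd(a, b, q=None):
    c = [x + y for x, y in zip(a, b)]
    return [v % q for v in c] if q else c

def center(a, q):
    """Lift R_q -> R with coefficients in (-q/2, q/2]."""
    return [v - q if v > q // 2 else v for v in a]

def solve(M, rhs, q=None):
    """Gauss-Jordan for M v = rhs over Z_q (q prime) or over Q (q None)."""
    n, cast = len(M), ((lambda v: v % q) if q else Fraction)
    A = [[cast(v) for v in row] + [cast(rhs[i])] for i, row in enumerate(M)]
    for c in range(n):
        i = next(i for i in range(c, n) if A[i][c] != 0)    # StopIteration if singular
        A[c], A[i] = A[i], A[c]
        inv = pow(A[c][c], -1, q) if q else 1 / A[c][c]
        A[c] = [cast(v * inv) for v in A[c]]
        A = [row if k == c else [cast(a - row[c] * b) for a, b in zip(row, A[c])] for k, row in enumerate(A)]
    return [row[n] for row in A]

def mul_matrix(a):
    """Matrix of multiplication by a on coefficient vectors: M_a v = a*v."""
    return [list(col) for col in zip(*[pmul(a, [int(k == j) for k in range(N)]) for j in range(N)])]

def inv_mod_q(a, q=Q):
    return solve(mul_matrix(a), [1] + [0] * (N - 1), q)

def in_ideal(a, g=G):
    """a in <g> iff a/g, computed over Q, has integer coefficients."""
    return all(v.denominator == 1 for v in solve(mul_matrix(g), a))

def encode(m, zinv, q=Q):
    """GGH13-style encoding (r*g + m)/z of an integer m, plus the secret numerator."""
    r = [rng.randrange(-3, 4) for _ in range(N)]
    num = padd(pmul(r, G), [m] + [0] * (N - 1))
    return pmul(num, zinv, q), num

def encode_bp(bp, zinv):
    """Encode every entry of every BP matrix: returns (encodings, secret numerators)."""
    enc = [[[[encode(M[i][j], zinv) for j in range(2)] for i in range(2)] for M in level] for level in bp]
    pick = lambda idx: [[[[e[idx] for e in row] for row in M] for M in level] for level in enc]
    return pick(0), pick(1)

def ntru_solve_stub(nums):
    """STAND-IN for the subfield attack on [enc_{1,1}/enc_{1,2}]_q: beta*num_{1,1}, beta*num_{1,2}."""
    return pmul(BETA, nums[0][1][0][0]), pmul(BETA, nums[0][1][0][1])

def beta_z_from(encs, beta_num11, q=Q):
    """[beta*z]_q = beta*num_{1,1} / enc_{1,1}: the NTRU solution turns 1/z into beta."""
    return pmul(beta_num11, inv_mod_q(encs[0][1][0][0], q), q)

def convert(encs, beta_z, q=Q):
    """Scale every encoding by [beta*z]_q and lift to R: entries become beta*(r*g + m)."""
    return [[[[center(pmul(e, beta_z, q), q) for e in row] for row in M] for M in level] for level in encs]

def pmat_mul(A, B):
    return [[padd(pmul(A[i][0], B[0][j]), pmul(A[i][1], B[1][j])) for j in range(2)] for i in range(2)]

def root_test(D, Dp, x, g=G):
    """After converting: x is a root iff every entry of D(x) - D'(x) lies in <g>."""
    A, B = D[0][x[0]], Dp[0][x[0]]
    for i in range(1, len(x)):
        A, B = pmat_mul(A, D[i][x[i]]), pmat_mul(B, Dp[i][x[i]])
    return all(in_ideal(padd(A[i][j], [-v for v in B[i][j]]), g) for i in range(2) for j in range(2))

I2, U, U_INV = [[1, 0], [0, 1]], [[1, 1], [0, 1]], [[1, -1], [0, 1]]
BP = [[I2, U], [I2, U_INV]]      # product is I2 exactly when x1 == x2
DUMMY = [[I2, I2], [I2, I2]]     # dummy program: identity matrices

def run_attack():
    z = [rng.randrange(Q) for _ in range(N)]          # invertible with overwhelming probability
    zinv = inv_mod_q(z)
    encs, nums = encode_bp(BP, zinv)
    dummy_encs, _ = encode_bp(DUMMY, zinv)            # the dummy branch shares z
    beta_num11, _ = ntru_solve_stub(nums)
    beta_z = beta_z_from(encs, beta_num11)
    D, Dp = convert(encs, beta_z), convert(dummy_encs, beta_z)
    return {x: root_test(D, Dp, x) for x in product((0, 1), repeat=2)}
```

`run_attack()` returns, for each of the four inputs, whether every entry of \(\varvec{D}(\varvec{x})-\varvec{D}'(\varvec{x})\) lies in \(\langle \varvec{g}\rangle \); it is true exactly for the two roots \(x_1=x_2\). For the non-roots the (1, 2) entry is \(\pm \varvec{\beta }^2\) modulo \(\varvec{g}\), which is not in the prime ideal \(\langle \varvec{g}\rangle \) because \(\varvec{\beta }\) has norm 2, so the attacker learns the roots without ever seeing \(\varvec{z}\), \(\varvec{g}\) or \(\varvec{\beta }\) in the clear.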
We can then carry out a plaintext-like computation using the above results. More precisely, the following equations hold.
Removing Scalars. In the previous step we removed the modulus q using the solution of the NTRU problem and obtained the matrices \(\{\varvec{D}_{i,b}, \varvec{D}'_{i,b}\}\) and a basis of the ideal \(\langle \varvec{g} \rangle \). We now remove the effect of the scalars \(\varvec{\alpha }\). \(Eval_{{\varvec{D}}}(\varvec{x})\) and \(Eval'_{{\varvec{D}}}(\varvec{x})\) share the same scalar \(\prod _{i=0}^{\ell +1} \alpha _{i,x_i } = \prod _{i=0}^{\ell +1} \alpha '_{i,x_i }\) by construction. Thus we can compute
We note that these values \(Eval_{ {\varvec{D}}}(\varvec{x})/Eval'_{ {\varvec{D}}}(\varvec{x})\) all share the same scalar \(1/(\varvec{s}'\cdot \varvec{t}') \pmod {\varvec{g}}\).
Matrix Zeroizing Attack. At last we introduce the matrix zeroizing attack. We denote \(Eval_{\varvec{M}^0}(\varvec{x})\) and \(\widetilde{Eval}_{\varvec{D}}(\varvec{x})\) as \(\prod _{i=1}^\ell \varvec{M}^0_{i, x_i}\) and \(Eval_{ {\varvec{D}}}(\varvec{x})/Eval'_{ {\varvec{D}}}(\varvec{x})\), respectively.
Then, for several \(Eval_{\varvec{M}^0}(\varvec{x}_j) \), \(1\le j\le \tau \), we can find a vector \(\varvec{q}=(q_1,\cdots , q_\tau )\) such that \(\sum _{j=1}^\tau q_j \cdot Eval_{\varvec{M}^0}(\varvec{x}_j)=\varvec{0}_d\), where \(\varvec{0}_d\) is the zero matrix. If \(c=0\), so that the obfuscated BP is derived from \(P^0\), the following equation also holds.
Otherwise, it would not be zero\(\pmod {\varvec{g}}\).
As a result, we can efficiently distinguish the two obfuscated programs when the corresponding branching programs are known. We remark that the matrix zeroizing attack and the scalar removal step differ slightly for the other BP obfuscations.
Organization. In Sect. 2, we introduce indistinguishability obfuscation, matrix branching programs and the GGH13 multilinear map. In Sect. 3, we state the main results of our cryptanalyses of BP obfuscations over the GGH13 multilinear map. We describe the attackable BP obfuscation model over GGH13 in Sect. 4. We present the program converting technique in Sect. 5, and finally the matrix zeroizing attack in Sect. 6.
2 Preliminaries
Notations. The set \(\{1,\cdots ,n \}\) is denoted by [n] for a positive integer n. The set of integers modulo p is denoted by \({\mathbb {Z}}_p:={\mathbb {Z}}/p{\mathbb {Z}}\). All elements of \({\mathbb {Z}}_p\) are represented as integers in \((-p/2,p/2]\). We use bold letters to denote matrices, vectors and ring elements. For \(\varvec{a} = a_{0} + \cdots +a_{n-1} \cdot X^{n-1} \in \mathcal {R}= {\mathbb {Z}}[X]/\langle X^n +1 \rangle \), the size of \(\varvec{a}\) means the Euclidean norm of its coefficient vector \(( a_ 0,\cdots , a_{n-1})\). We denote the (j, k)-th entry of a matrix \(\varvec{M}\) by \(\varvec{M}[j,k]\).
2.1 Matrix Branching Program
A matrix branching program consists of several chains of matrices together with input functions that assign an input bit index to each position. To evaluate it, we multiply the selected matrices and output 0 or 1 depending on whether the product equals a given matrix or not. We briefly review matrix branching programs.
Definition 1
(w-ary Matrix Branching Programs). Let \(\varvec{A}_0\) be a \(d_1 \times d_{\ell +1}\) matrix and w, \(\ell \), d, and N be natural numbers. A w-ary matrix branching program BP of length \(\ell \) over N-bit inputs consists of the following data: a set of input functions \(\{\mathsf{inp}_\mu :[\ell ]\rightarrow [N]\}_{\mu \in [w]}\), and a set of matrices \(\{\varvec{M}_{i,\varvec{b}} \in {\mathbb {Z}}^{d_i \times d_{i+1}} \}_{i\in [\ell ], \varvec{b}\in \{0,1\}^w}\). Its domain of evaluation is \(\{0,1\}^N\), and the evaluation of BP at \( {\varvec{x}} = ( x^v)_{v \in [w]}\) is computed by
When w is set to 1 and \(\ge 2\), the matrix branching program is called a single-input and a multi-input matrix branching program, respectively. Throughout this paper, a matrix \(\varvec{A}_0\) is used as the zero matrix \(\varvec{0}\) or the identity matrix \(\varvec{I}_d\) if \(d_i = d\) for all i. Moreover, we simplify the notation \((x^\mu _{\mathsf{inp}_\mu (i)})_{\mu \in [w]}\) as \(\varvec{x}_{\mathsf{inp}(i)}\).
Barrington proved that every boolean function computed by an \(\mathcal {NC}^1\) circuit can be expressed as a matrix branching program of bounded width (width 5) and polynomial length [10]. The first candidate for iO [23] and the following obfuscations [7, 15, 30, 32] exploit Barrington's theorem to transform circuits into BPs.
We also note that there are other methods to convert circuits into branching programs. Ben-Or and Cleve proved a result similar to Barrington's theorem for arithmetic circuits [11]. Follow-up studies such as [3, 6] suggest more efficient transformations, which bypass Barrington's theorem and turn a circuit into a branching program directly. However, the resulting length is still at least the size of the circuit (its number of gates).
We assume a mild condition on the branching programs: the length of the branching program is \(\varOmega (N)\) for the number N of input bits. This is plausible since every input bit may affect the program, and the existing methods give much longer lengths. On the other hand, we do not restrict the width or the structure of the matrices in the branching program, nor the input function (single- or dual-input).
2.2 Indistinguishability Obfuscation
Definition 2
(Indistinguishability Obfuscation (iO)). A PPT algorithm iO is an indistinguishability obfuscation for a circuit class \(\mathcal C\) if the following conditions are satisfied:
- For all security parameters \(\lambda \in \mathbb N\), all circuits \(C\in \mathcal C\), and all inputs \(\varvec{x}\),
  $$\Pr \left[ C'({\varvec{x}})= C({\varvec{x}}) : C' \leftarrow iO(\lambda ,C)\right] =1.$$
- For any PPT distinguisher \(\mathcal D\), there exists a negligible function \(\alpha \) such that for all security parameters \(\lambda \in \mathbb N\) and all pairs of circuits \(C_0\), \(C_1\in \mathcal C\), \(C_0(\varvec{x})=C_1(\varvec{x})\) for all inputs \(\varvec{x}\) implies
  $$|\Pr \left[ \mathcal D(iO(\lambda , C_0))=1\right] - \Pr \left[ \mathcal D(iO(\lambda , C_1))=1\right] | \le \alpha (\lambda ).$$
Hereafter, we write iO(P) for the obfuscated program, or obfuscation, of a program or branching program P.
2.3 GGH13 Multilinear Map
Garg et al. suggested a candidate multilinear map based on ideal lattices [22]. It is used to realize indistinguishability obfuscation [23]. In this section, we briefly describe the GGH13 multilinear map; for more details we refer the reader to [22]. All parameters of the multilinear map are determined by the multilinearity parameter \(\kappa \) and the security parameter \(\lambda \). For the sake of simplicity, we denote a multilinear map with these parameters as a \((\kappa ,\lambda )\)-GGH multilinear map.
The multilinear map is sometimes called a graded encoding scheme: every encoding of a message carries a level. Let \(\varvec{g}\) be a secret element in \(\mathcal {R}={\mathbb {Z}}[X]/\langle X^n+1\rangle \) and q a large integer. Then the message space and the encoding space are \(\mathcal {M}=\mathcal {R}/\langle \varvec{g} \rangle \) and \(\mathcal {R}_q= \mathcal {R}/\langle q \rangle \), respectively. To represent the level of an encoding, a set of secret invertible elements \(\mathbb L = \{ \varvec{z}_i \}_{1\le i \le \kappa } \subset \mathcal {R}_q\) is chosen. We call a subset of \(\mathbb L\) a level set and the elements of \(\mathbb L\) level parameters.
For a small message \(\varvec{m}\in \mathcal {M}\), level-\(L (\subset \mathbb L)\) encoding of \(\varvec{m}\) is:
where \(\varvec{r} \in \mathcal {R}\) is a small random element. We call \(\mathsf{enc}_{\mathbb L}(\varvec{m})\) and \(\mathsf{enc}_{\{\varvec{z}_i \}} (\varvec{m})\) a top-level and a level-1 encoding of \(\varvec{m}\), respectively. In addition, for a matrix \(\varvec{M}\), we denote by \(\mathsf{enc}_{L}(\varvec{M})\) the matrix whose entries are level-L encodings of the corresponding entries of \(\varvec{M}\).
The arithmetic operations between encodings are defined as follows:
Additionally, the \((\kappa ,\lambda )\)-GGH scheme provides a zerotesting parameter which can be used to determine whether a hidden message of a top-level encoding is zero or not. The zerotesting parameter \(\varvec{p}_{zt}\) is of the form:
where \(\varvec{h}\) is an \(O(\sqrt{q})\)-size element of \(\mathcal {R}\). Given a top-level encoding of zero \(\mathsf{enc}_{\mathbb L}(\mathbf {0})= {[{\varvec{r}}\cdot \varvec{g} /\prod _{i\in \mathbb L}\varvec{z}_i]}_q\), a zerotesting value is:
We remark that a zerotesting value for a top-level encoding of nonzero gives an element of the form \([\varvec{h}\cdot (\varvec{r} +\varvec{m}\cdot \varvec{g}^{-1})]_q\), which is not small by Lemma 4 in [22]. Thus one can decide whether a message is zero or not by the zerotesting value.
Several papers [2, 22, 27] proposed parameters for the \((\kappa ,\lambda )\)-GGH13 multilinear map. Here we state the minimal conditions satisfied by all three.
- \(\log q= \tilde{\varTheta }(\kappa \cdot \log n)\)
- \(n=\tilde{\varTheta }( \kappa ^\epsilon \cdot \lambda ^\delta )\) for constants \(\delta ,\epsilon \)
- \(M=\tilde{O}(n^{\varTheta (1)})\)
Here M is the size bound of the numerators \(\varvec{r} \cdot \varvec{g} + \varvec{m}\) of level-1 encodings. We note that the parameters suggested in [2, 27] choose \(\delta =\epsilon =1\), which enables the subexponential attack with respect to \(\lambda \) for small \(\kappa \) [1, 13]. When \(\delta \ge 2\), all known direct attacks on the GGH13 multilinear map require exponential time for a classical adversary.
3 Main Theorem
In this section, we present the results of our attacks. We call an obfuscation within the range of our attack an attackable obfuscation; this is formally defined by the attackable model in the next section. The attackable obfuscation model encompasses all suggested BP obfuscations based on the GGH13 multilinear map.
Proposition 1
(Universality of the Attackable Model). The BP obfuscations [3, 6, 7, 23, 24, 30, 32] satisfy all the constraints of the attackable model.
As a result, we obtain the following main theorem.
Theorem 1
Let \(\mathcal {O}\) be an attackable obfuscator, \(\kappa , \lambda \) be the multilinearity level and the security parameter of underlying GGH13 multilinear map. Suppose that the modulus q, dimension n, size bound M of numerators of level 1 encoding of underlying GGH13 satisfy \(\log q= \tilde{\varTheta }(\kappa \cdot \log n), M=\tilde{O}(n^{\varTheta (1)})\). Then the following propositions hold:
1. For \(n = \tilde{\varTheta }(\kappa \cdot \lambda ^\delta )\) with a constant \(\delta \), as in [2, 22, 27], there exist two functionally equivalent branching programs of length \(\varOmega (\lambda ^\delta )\) such that their obfuscations by \(\mathcal {O}\) can be distinguished with high probability in polynomial time with respect to \(\lambda \).
2. Moreover, for the new parameter constraints \(n=\tilde{\varTheta }(\kappa ^\epsilon \cdot \lambda ^\delta )\) with constants \(\epsilon <2\) and \(\delta \), there exist two functionally equivalent branching programs of length \(\varOmega (\lambda ^{\delta /(2-\epsilon )})\) such that their obfuscations by \(\mathcal {O}\) can be distinguished with high probability in polynomial time with respect to \(\lambda \).
The main theorem is proven by combining the program converting technique and the matrix zeroizing attack, described in Sects. 5 and 6. The bottleneck of the attack is the algorithm for NTRU, which is used in the middle of the converting technique; every other step runs in polynomial time, while the time to solve the NTRU problem depends on the parameters. The detailed analysis of the time complexity is given in Sect. 5.3.
4 Attackable BP Obfuscations
In this section, we present a new BP obfuscation model which is attackable by our attack, the attackable model. We call a BP obfuscation captured by our model an attackable BP obfuscation.
The attackable model is composed of two steps: for a given BP, randomize it, and then encode the randomized BP with the GGH13 multilinear map. More precisely, for a given branching program BP of the form
we randomize P by any method satisfying Definition 3, described below. We then encode each entry of the randomized matrices and output the obfuscated program as the set
together with the public parameters of the GGH13 multilinear map. \(\varvec{S},\varvec{T}\) denote the bookend matrices, and primed matrices denote the matrices of the dummy program. Rather than fixing exactly how the program is evaluated, the attackable model only specifies the following property. To evaluate an input, the function \(Eval_{{\widetilde{\varvec{M}}}} : \{0,1\}^{N} \rightarrow \mathcal {R}_q^{d_0 \times d_{\ell +2}}\) is computed as follows:
Proposition 2
(Evaluation of Obfuscation). For a program P and the program \(\mathcal O(P)\) obfuscated by the attackable model, the evaluation of \(\mathcal O(P)\) at a root \(\varvec{x}\) of P yields a top-level GGH13 encoding of zero in a specific entry of the matrix \(Eval_{{\widetilde{\varvec{M}}}}(\varvec{x})\). In other words, there are two integers u, v such that \(Eval_{{\widetilde{\varvec{M}}}}(\varvec{x})[u,v]\) is an encoding of zero at level \(\mathbb L\) for every input \(\varvec{x}\) satisfying \(P(\varvec{x})=0\).
In the rest of this section, we give the detailed description of the attackable model in Sects. 4.1 and 4.2, and present the constraint on BPs needed to execute our attack in Sect. 4.3.
4.1 Randomization for Attackable Obfuscation Model
We introduce the conditions for BP randomization in the attackable obfuscation model. These conditions cover all of the BP randomization methods suggested in the first candidate iO [23] and its subsequent works [3, 6, 7, 24, 30, 32]. In other words, higher-dimension embedding, scalar bundling, Kilian randomization, bookend matrices (vectors), and dummy programs are all captured by the attackable conditions.
Definition 3
(Attackable Conditions for Randomization). For a branching program \(P = \left\{ \varvec{M}_{i,\varvec{b}} \in {\mathbb {Z}}^{d_i \times d_{i+1}}\right\} _{i \in [\ell ], \varvec{b} \in \{0,1\}^w}\), the attackable randomized branching program is the set
satisfying the following properties, where \(d_0, d_{\ell +2},e_i\)’s are integers.
1. There exist matrices \(\varvec{S}_0 ,\varvec{S}'_0 \in {\mathbb {Z}}^{d_0 \times d_1} , \varvec{T}_0,\varvec{T}'_0 \in {\mathbb {Z}}^{d_\ell \times d_{\ell +1}}\) and scalars \(\varvec{\alpha }_{\varvec{S}}, \varvec{\alpha }'_{\varvec{S}}\), \(\varvec{\alpha }_{\varvec{T}}, \varvec{\alpha }_{\varvec{T}}'\), \(\{\varvec{\alpha }_{i,\varvec{b}},\varvec{\alpha }'_{i,\varvec{b}}\}_{i \in [\ell ], \varvec{b} \in \{0,1\}^w}\) such that the following equations hold for all \(\{ \varvec{b}_i \in \{0,1\}^w \}_{i \in [\ell ]}\):
$$\begin{aligned}&\varvec{R}_S \cdot \prod _{i=1}^\ell \varvec{R}_{i,\varvec{b}_i} \cdot \varvec{R}_T =\varvec{\alpha }_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\alpha }_{i,\varvec{b}_i} \cdot \varvec{\alpha }_{\varvec{T}} \cdot \left( \varvec{S}_0 \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i} \cdot \varvec{T}_0\right) ,\\&\varvec{R}'_S \cdot \prod _{i=1}^\ell \varvec{R}'_{i,\varvec{b}_i}\cdot \varvec{R}'_T =\varvec{\alpha }'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\alpha }'_{i,\varvec{b}_i} \cdot \varvec{\alpha }'_{\varvec{T}} \cdot \left( \varvec{S}'_0 \cdot \prod _{i=1}^\ell \varvec{M}'_{i,\varvec{b}_i} \cdot \varvec{T}'_0\right) . \end{aligned}$$
2. The evaluation of the randomized program is done by checking whether the fixed entries of \(RP(\varvec{x}) := \varvec{R}_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{R}_{i,\varvec{x}_{\mathsf{inp}(i)}} \cdot \varvec{R}_{\varvec{T}} - \varvec{R}'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{R}'_{i,\varvec{x}_{\mathsf{inp}(i)}} \cdot \varvec{R}'_{\varvec{T}}\) are zero or not. In particular, there are two integers u, v such that \(P(\varvec{x})=0 \Rightarrow RP(\varvec{x})[u,v] = 0\).
Primed matrices are called dummy matrices, \(\varvec{R}_{\varvec{S}},\varvec{R}_{\varvec{S}}',\varvec{R}_{\varvec{T}},\varvec{R}_{\varvec{T}}'\) bookend matrices (vectors), and the \(\alpha \)'s bundling scalars. When some elements of Rand(P) (or some bundling scalars) are trivial, e.g. identity matrices or the scalar 1, we say that the construction has no such element.
4.2 Encoding by Multilinear Map
After the randomization, we encode the randomized matrix branching program by GGH13 multilinear map. We stress that we do not encode dummy/bookend matrices if there are no dummy/bookends, respectively.
For each randomized matrix \(\varvec{R}_{i,\varvec{b}}, \varvec{R}'_{i,\varvec{b}}\) and each randomized bookend matrix \(\varvec{R}_{\varvec{S}}, \varvec{R}'_{\varvec{S}}, \varvec{R}_{\varvec{T}},\varvec{R}'_{\varvec{T}}\), we obtain the encoded matrix \(\mathsf{enc}_{L_{i,\varvec{b}}} (\varvec{R}_{i,\varvec{b}} )\) whose entries are encodings of the corresponding entries of the randomized matrix \(\varvec{R}_{i,\varvec{b}}\). For brevity we write \(\widetilde{\varvec{M}}_{i,\varvec{b}}\) to denote \(\mathsf{enc}_{L_{i,\varvec{b}}} (\varvec{R}_{i,\varvec{b}} )\); the other matrices \(\widetilde{\varvec{M}}'_{i,\varvec{b}}\), \(\widetilde{\varvec{S}}\), \(\widetilde{\varvec{S}}'\), \(\widetilde{\varvec{T}},\widetilde{\varvec{T}}'\) are defined in a similar manner.
Two conditions should hold in the attackable model:
1. the evaluation on any valid input is top-level, in other words, for every input \(\varvec{x}\), \(\left( \cup _{i=1}^\ell L_{i,\varvec{x}_{\mathsf{inp}(i)}}\right) \cup L_{\varvec{S}} \cup L_{\varvec{T}} =\mathbb L\), where \(\mathbb L\) denotes the top-level set;
2. the sizes of the level sets are all similar, that is, there is a constant C such that \(|L_{i,\varvec{b}}|/|L_{j,\varvec{b}'}| \le C\) for all \(i,j,\varvec{b},\varvec{b}'\), and similar inequalities hold for \(L_{\varvec{S}}, L_{\varvec{T}}\).
In practice, the level sets L are determined by the straddling set system introduced in [7, 30], and these constructions satisfy our conditions. Using condition 1 and Definition 3, Proposition 2 is easily verified. We also note that condition 2 implies \(\ell =\varTheta (\kappa )\), where \(\kappa \) is the level of the underlying multilinear map.
4.3 Linear Relationally Inequivalent Branching Programs
Finally, we explain the condition on the branching programs of an attackable BP obfuscation, linear relational inequivalence. This condition is used in the last section, but we note here that there are several pairs of linear relationally inequivalent BPs, as stated in Proposition 3.
To define linear relational inequivalence, we consider evaluations of a branching program on invalid inputs and denote \(\prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i}\) by \(\varvec{M}(\varvec{b})\) for \(\varvec{b} = (\varvec{b}_1,\cdots ,\varvec{b}_\ell )\). We define the linear relations of a BP and the linear relational inequivalence of two BPs as follows.
Definition 4
(Linear Relations of Branching Program). For a given branching program
the set of linear relations of \(P_{\varvec{M}} \) is
Definition 5
(Linear Relational Inequivalence). We say that two branching programs \(P_{\varvec{M}}\) and \(P_{\varvec{N}}\) of the same length are linear relationally inequivalent if \(L_{\varvec{M}} \ne L_{\varvec{N}}\).
The set of linear relations of a given BP is easily computed by computing a kernel, regarding the BP matrices as vectors. It is clear that \(L_{\varvec{M}}\) is a lattice. We note that the set of linear relations of a BP is not determined by the functionality of the BP; indeed, the two appear to be unrelated.
Further, one can observe that if \(P_{\varvec{M}}, P_{\varvec{N}}\) are linear relationally inequivalent BPs, then so are the two extended BPs \(P_{\varvec{M}}', P_{\varvec{N}}'\) obtained by concatenating some other (functionally equivalent) BPs on the right (or left) of \(P_{\varvec{M}}, P_{\varvec{N}}\). Therefore there exist arbitrarily large pairs of functionally equivalent BPs which are linear relationally inequivalent.
We conclude this section with a proposition giving concrete examples of linear relationally inequivalent BPs; the examples themselves are placed in Appendix C.
Proposition 3
There are two functionally equivalent but linear relationally inequivalent branching programs. In particular, there are examples satisfying linear relational inequivalence which are
(1) generated by Barrington's theorem and input-unpartitionable, or
(2) obtained from non-deterministic finite automata and read-once, in other words, \(\mathsf {inp}\) is a bijection.
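As an added illustration, not from the original paper, the following Python code computes the lattice of linear relations of Definition 4 for a toy read-once, single-input BP (\(w = 1\), \(\mathsf{inp}(i) = i\)) by the kernel computation mentioned above, regarding each product \(\varvec{M}(\varvec{b})\) as a vector, and then searches a kernel basis of \(L_{\varvec{M}}\) for an element outside \(L_{\varvec{N}}\), the step later used in Sect. 6. The two \(2 \times 2\) programs, the output convention (the product equals the identity matrix) and all function names are constructed for this example; both programs compute the same function, yet one has a two-dimensional relation lattice while the other admits only the trivial relation.

```python
"""Added example: the lattice of linear relations of a toy BP, computed from a kernel."""
import math
from fractions import Fraction
from itertools import product

def mat_mul(A, B):
    """Integer matrix product."""
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))] for i in range(len(A))]

def inputs(ell):
    """All b = (b_1, ..., b_ell) in {0,1}^ell for a read-once single-input BP (w = 1, inp(i) = i)."""
    return list(product((0, 1), repeat=ell))

def bp_product(bp, b):
    """M(b) = prod_i M_{i, b_i}; the BP is a list of layers bp[i] = (M_{i,0}, M_{i,1})."""
    d = len(bp[0][0])
    acc = [[int(i == j) for j in range(d)] for i in range(d)]
    for layer, bit in zip(bp, b):
        acc = mat_mul(acc, layer[bit])
    return acc

def is_relation(bp, q):
    """q in L_M  <=>  sum_b q_b * M(b) is the zero matrix."""
    d = len(bp[0][0])
    tot = [[0] * d for _ in range(d)]
    for q_b, b in zip(q, inputs(len(bp))):
        Mb = bp_product(bp, b)
        tot = [[tot[i][j] + q_b * Mb[i][j] for j in range(d)] for i in range(d)]
    return all(x == 0 for row in tot for x in row)

def rational_kernel(columns):
    """Integer basis of {q : sum_b q_b * columns[b] = 0}: RREF over Q, then denominators cleared."""
    ncol, nrow = len(columns), len(columns[0])
    A = [[Fraction(columns[c][r]) for c in range(ncol)] for r in range(nrow)]
    pivots = []
    for c in range(ncol):
        row = len(pivots)
        piv = next((r for r in range(row, nrow) if A[r][c]), None)
        if piv is None:
            continue
        A[row], A[piv] = A[piv], A[row]
        pv = A[row][c]
        A[row] = [x / pv for x in A[row]]
        for r in range(nrow):
            if r != row and A[r][c]:
                f = A[r][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[row])]
        pivots.append(c)
    basis = []
    for free in (c for c in range(ncol) if c not in pivots):
        v = [Fraction(0)] * ncol
        v[free] = Fraction(1)
        for r, pc in enumerate(pivots):
            v[pc] = -A[r][free]
        lcm = 1
        for x in v:
            lcm = lcm * x.denominator // math.gcd(lcm, x.denominator)
        basis.append([int(x * lcm) for x in v])
    return basis

def relation_basis(bp):
    """Kernel basis of q -> sum_b q_b * vec(M(b)); it spans L_M over Q, and L_M is that span meet Z^(2^ell)."""
    cols = [[x for row in bp_product(bp, b) for x in row] for b in inputs(len(bp))]
    return rational_kernel(cols)

def find_relation(bp_m, bp_n):
    """An element of L_M \\ L_N, checked vector by vector as in Sect. 6; None if L_M lies inside L_N."""
    return next((q for q in relation_basis(bp_m) if not is_relation(bp_n, q)), None)

# Constructed toy pair: both programs output 1 exactly on input 00 (the product is the identity),
# but P_M's four products span a 2-dimensional space while P_N's are linearly independent.
I2 = [[1, 0], [0, 1]]
BP_M = [(I2, [[1, 1], [0, 1]]), (I2, [[1, 2], [0, 1]])]
BP_N = [(I2, [[0, 1], [1, 0]]), (I2, [[1, 1], [0, 1]])]

def functionally_equivalent(bp1, bp2):
    """Toy output convention (constructed): P(x) = 1 iff M(x) is the identity matrix."""
    return all((bp_product(bp1, b) == I2) == (bp_product(bp2, b) == I2) for b in inputs(len(bp1)))

if __name__ == "__main__":
    print(functionally_equivalent(BP_M, BP_N), relation_basis(BP_M), relation_basis(BP_N), find_relation(BP_M, BP_N))
```

The kernel basis is computed over \(\mathbb {Q}\) and scaled to integer vectors; for a vector with integer entries, membership in \(L_{\varvec{N}}\) is just the check that \(\sum _{\varvec{b}} q_{\varvec{b}} \varvec{N}(\varvec{b})\) vanishes, which is why the search for an element of \(L_{\varvec{M}}\setminus L_{\varvec{N}}\) needs no further lattice machinery in this toy setting. For \(P_{\varvec{M}}\) the four products \(\varvec{I}, \varvec{A}, \varvec{B}, \varvec{AB}\) all lie in the span of \(\varvec{I}\) and a single nilpotent matrix, which is what makes the relation lattice non-trivial.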
5 Program Converting Technique
In this section, we describe the program converting technique, which removes the hindrance of the modulus q and of \(\varvec{g}\). We first define a new notion: we call a program a \(\varvec{Y}\) program (of P) if all entries of the branching program matrices corresponding to the program P lie in a space \(\varvec{Y}\), while many properties of P are preserved. For example, the obfuscated program \(\mathcal {O}(P)\) is an \(\mathcal {R}_q\) program. Suppose that the obfuscated program \(\mathcal O(P)\) of a program P is given.
We will convert the given obfuscated program \(\mathcal O(P)\) into an \(\mathcal {R}\) program and then into an \(\mathcal {R}/\langle \varvec{g} \rangle \) program, using an algorithm for the NTRU problem, in particular the subfield attacks [1, 18], which solve the problem when the modulus q is large.
Proposition 4
([1, 17, 18, 26]). Let q be a large integer, n a power of two, M a constant much smaller than q, \(\mathcal {R}= {\mathbb {Z}}[X]/\langle X^n +1\rangle \) and \(\mathcal {R}_q = \mathcal {R}/ q\mathcal {R}\). For a given \([\varvec{f}_1/\varvec{f}_2]_q \in \mathcal {R}_q \) with \(\varvec{f}_1,\varvec{f}_2 \in \mathcal {R}\) each of size smaller than M, there is an algorithm that computes \((\varvec{c} \cdot \varvec{f}_2, \varvec{c} \cdot \varvec{f}_1)\in \mathcal {R}^2 \) such that the sizes of \(\varvec{c}\), \(\varvec{c} \cdot \varvec{f}_1\) and \(\varvec{c} \cdot \varvec{f}_2\) are much smaller than q, in time \(2^{O(\beta )} \cdot poly(n)\) for a constant \(\beta \) satisfying \(\beta /\log \beta = \varTheta ( n \log M / \log ^2 q)\).
We note that similar results hold for other, non-cyclotomic rings [17, 26] or for \(\varvec{f}_1 ,\varvec{f}_2\) drawn from certain distributions [1]. Throughout this paper, for brevity, we consider only \(\varvec{f}_1, \varvec{f}_2\) with bounded coefficients in a cyclotomic ring.
For a given obfuscated program over \(\mathcal {R}_q\), we first form NTRU instances and solve them, and then convert the program to an \(\mathcal {R}\) program by some computations on the obfuscated matrices. This procedure replaces the level parameter \(\varvec{z}_i\) with a small element \(\varvec{c}_{i}\). The \(\mathcal {R}\) program has the same functionality as the \(\mathcal {R}_q\) program. Subsequently, we convert this \(\mathcal {R}\) program to an \(\mathcal {R}/\langle \varvec{g}\rangle \) program by recovering the ideal \(\langle \varvec{g} \rangle \).
5.1 Converting to \(\mathcal {R}\) Program
In order to remove the modulus q, we employ an algorithm for solving the NTRU problem. Let \(\widetilde{\varvec{M}}_{i,\varvec{b}}\) be the obfuscated matrix of \({\varvec{R}}_{i,\varvec{b}}\). Then the (j, k)-th entry of the obfuscated matrix \(\widetilde{\varvec{M}}_{i,\varvec{b}}\) is of the form
where \(\varvec{a}_{j,k,\varvec{b}}\) is the (j, k)-th entry of the matrix \({\varvec{R}}_{i,\varvec{b}}\) and \(\varvec{r}_{j,k,\varvec{b}} \in \mathcal {R}\) are random small elements. Consider the element \(\varvec{v}= [\varvec{d}_{1,1,\varvec{0}} / \varvec{d}_{1,2,\varvec{0}} ]_q = [(\varvec{r}_{1,1,\varvec{0}}\cdot \varvec{g} + \varvec{a}_{1,1,\varvec{0}})/(\varvec{r}_{1,2,\varvec{0}}\cdot \varvec{g} + \varvec{a}_{1,2,\varvec{0}}) ]_q\). Then \(\varvec{v}\) is an instance of the NTRU problem, since the sizes of the numerator and denominator of \(\varvec{v}\) are much smaller than q in the parameter setup of the GGH13 multilinear map.
Applying Proposition 4 to the instance \(\varvec{v}\), one can find a pair \((\varvec{c}_{i} \cdot (\varvec{r}_{1,1,\varvec{0}}\cdot \varvec{g} + \varvec{a}_{1,1,\varvec{0}}),~\varvec{c}_{i}\cdot (\varvec{r}_{1,2,\varvec{0}}\cdot \varvec{g} + \varvec{a}_{1,2,\varvec{0}}))\in \mathcal {R}^2\) with relatively small \(\varvec{c}_{i} \in \mathcal {R}\). Further, for any entry \(\varvec{d}_{j,k,\varvec{b}} \in {\widetilde{\varvec{M}}}_{i,\varvec{b}}\), we can remove the modulus q by computing
because \(\varvec{c}_{i}\) is small. Consequently, one obtains a new matrix \(\varvec{D}_{i,\varvec{b}}\) over \(\mathcal {R}\) whose (j, k)-th entry is \(\varvec{c}_{i}\cdot ({\varvec{r}_{j,k,\varvec{0}}\cdot \varvec{g} + \varvec{a}_{j,k,\varvec{0}}})\).
Similarly, a new dummy matrix \(\varvec{D}'_{i,\varvec{b}}\) over \(\mathcal {R}\) can be obtained, because \(\widetilde{\varvec{M}}'_{i,\varvec{b}}\) shares the level parameter \(\varvec{z}_{i}\) with \(\widetilde{\varvec{M}}_{i,\varvec{b}}\): multiply \([\varvec{d}'_{j,k,\varvec{b}}/ \varvec{d}_{1,1,\varvec{0}}]_q\) by \(\varvec{c}_{i} \cdot (\varvec{r}_{j,k,\varvec{0}}\cdot \varvec{g} + \varvec{a}_{j,k,\varvec{0}})\), where \( \varvec{d}'_{j,k,\varvec{b}}\) is the (j, k)-th entry of \(\widetilde{\varvec{M}}'_{i,\varvec{b}}\). We easily observe that the \(2\cdot 2^w\) matrices \(\varvec{D}_{i,\varvec{b}}\) and \(\varvec{D}'_{i,\varvec{b}}\) share the parameter \(\varvec{c}_{i}\).
For all matrices \({\widetilde{\varvec{M}}}_{i,\varvec{b}}\) and \({\widetilde{\varvec{M}}}'_{i,\varvec{b}}\) with \(i\in [\ell ]\) and \(\varvec{b}\in \{0,1\}^w\), we can thus obtain new matrices \(\varvec{D}_{i,\varvec{b}}\) and \(\varvec{D}'_{i,\varvec{b}}\) over \(\mathcal {R}\). In the case of the bookend matrices \(\widetilde{\varvec{S}}\) and \(\widetilde{\varvec{T}}\), they are converted into matrices over \(\mathcal {R}\) with small constants \(\varvec{c}_{\varvec{S}}\) and \(\varvec{c}_{\varvec{T}}\), respectively. Note that this step runs in polynomial time if \(\kappa \) is large [1, 17, 18, 26]; a detailed analysis of this part is given in Sect. 5.3.
Therefore, we can convert the \(\mathcal {R}_q\) program \(\mathcal {O}( {P})\) into a new program, the \(\mathcal {R}\) program of P:
Note that the matrix \(\varvec{D}_{i,\varvec{b}}\) of \(\mathcal {R}(P)\) is of the form \(\varvec{c}_{i} \cdot \varvec{R}_{i,\varvec{b}}\pmod {\langle \varvec{g}\rangle } \) in \(\mathcal {R}/\langle \varvec{g} \rangle \).
Dummy and bookend matrices satisfy similar relations. For simplicity, we denote \(\varvec{c}_{i}\cdot {\varvec{\alpha }}_{i,\varvec{b}}\) and \(\varvec{c}_{i}\cdot {\varvec{\alpha }}'_{i,\varvec{b}}\) by \(\varvec{\rho }_{i,\varvec{b}}\) and \(\varvec{\rho }'_{i,\varvec{b}}\), respectively. The properties of Definition 3 naturally extend to the following. Proposition 5 states that an evaluation of \(\mathcal {R}(P)\) preserves the functionality up to a constant on a valid input \(\varvec{x}\).
Proposition 5
(Evaluation of \(\mathcal {R}\) and \(\mathcal {R}/\langle \varvec{g} \rangle \) Branching Program). For an \(\mathcal {R}\) program given in this section, the following statements hold:
1. The higher dimension embedding matrices \(\varvec{U}\)'s are eliminated in the product of the randomized matrix branching program; that is, there are matrices \(\varvec{S}_0,\varvec{S}'_0 \in {\mathbb {Z}}^{d_0 \times d_1}, \varvec{T}_0,\varvec{T}'_0 \in {\mathbb {Z}}^{d_{\ell +1} \times d_{\ell +2}}\) such that the following equations hold for all inputs x:
$$\begin{aligned} \varvec{D}_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{D}_{i,\varvec{b}_i} \cdot \varvec{D}_{\varvec{T}}&=\varvec{\rho }_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\rho }_{i,\varvec{b}_i} \cdot \varvec{\rho }_{\varvec{T}} \cdot \left( \varvec{S}_0 \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i} \cdot \varvec{T}_0\right) \pmod {\langle \varvec{g}\rangle },\\ \varvec{D}'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{D}'_{i,\varvec{b}_i}\cdot \varvec{D}'_{\varvec{T}}&=\varvec{\rho }'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\rho }'_{i,\varvec{b}_i} \cdot \varvec{\rho }'_{\varvec{T}} \cdot \left( \varvec{S}'_0 \cdot \prod _{i=1}^\ell \varvec{M}'_{i,\varvec{b}_i} \cdot \varvec{T}'_0\right) \pmod {\langle \varvec{g}\rangle }. \end{aligned}$$
2. The evaluation of the \(\mathcal {R}\) program is done by checking whether the fixed entries of \(Eval_{\varvec{D}}(\varvec{x}) :={\varvec{D}}_{\varvec{S}} \cdot \prod _{i=1}^{\ell } \varvec{D}_{i,\varvec{x}_{\mathsf{inp }(i)}} \cdot {\varvec{D}}_{\varvec{T}} - {\varvec{D}}'_{\varvec{S}} \cdot \prod _{i=1}^{\ell } {\varvec{D}}'_{i,\varvec{x}_{\mathsf{inp}(i)}} \cdot {\varvec{D}}'_{\varvec{T}}\) are multiples of \(\varvec{g}\). In particular, there are two integers u, v such that \(P(\varvec{x})=0 \Rightarrow Eval_{\varvec{D}}(\varvec{x})[u,v] = 0\pmod {\langle \varvec{g} \rangle }\).
5.2 Recovering \(\langle \varvec{g} \rangle \) and Converting to \(\mathcal {R}/ \langle {\varvec{g}}\rangle \) Program
Next, we compute a basis of the plaintext space \(\langle \varvec{g}\rangle \) in order to transform the \(\mathcal {R}\) program into an \(\mathcal {R}/\langle \varvec{g}\rangle \) program. Unlike other attacks, we do not use the ‘input partitionability’ assumption. Instead, we exploit the fact that the \(\mathcal {R}\) program obtained from the \(\mathcal {R}_q\) program has the same functionality up to a constant. Note, however, that neither the existing attacks under the input partitionability assumption nor our cryptanalysis can be applied to a BP for an ‘evasive function’, since such a program never outputs multiples of \(\varvec{g}\). The transformation consists of the following two steps:
Finding a multiple of \(\varvec{g}\). This step is done by computing \(Eval_{\varvec{D}}\) at the zeros of the program P. We compute \(Eval_{\varvec{D}}(\varvec{x})\) for the \(\mathcal {R}\) program \(\mathcal {R}(P)\) at \(\varvec{x}\) satisfying \(P(\varvec{x})=0\). Then Proposition 5 implies that \(Eval_{\varvec{D}} (\varvec{x}) [u,v]\) is a multiple of \(\varvec{g}\). More precisely, \(Eval_{\varvec{D}}(\varvec{x})[u,v]\) is of the form
when \( \varvec{p}_{zt}\cdot Eval_{{\widetilde{\varvec{M}}}}(\varvec{x})[u,v] = \varvec{a} \cdot \varvec{h} \pmod {q} \) for some \(\varvec{a} \in \mathcal {R}\) such that \(\Vert \varvec{a} \cdot \varvec{h}\Vert _2 \) is less than \(q^{3/4}\).
This procedure outputs a value that is a multiple not only of \(\varvec{g}\) but also of the \(\varvec{c}_i\)'s. However, we can generate several different \(\mathcal R\) programs from \(\mathcal O(P)\) from different solutions of Proposition 4. We assume that the multiples of \(\varvec{g}\) obtained from different \(\mathcal {R}\) programs are independent multiples of \(\varvec{g}\), using the randomized lattice reduction algorithm as in [21].
Computing the Hermite Normal Form of \(\langle \varvec{g}\rangle \). Given several random multiples \(\varvec{f}_i \cdot \varvec{g}\) of \(\varvec{g}\), we can recover a basis of \(\langle \varvec{g}\rangle \) either by computing the sum of sufficiently many ideals \(\langle \varvec{f} \cdot \varvec{g}\rangle \), each represented by the lattice with basis \(\{ \varvec{f} \cdot \varvec{g}, \varvec{f} \cdot \varvec{g}\cdot X , \cdots , \varvec{f} \cdot \varvec{g}\cdot X^{n-1}\}\), or by computing the Hermite normal form of the union of their generating sets, applying [1, Lemma 1].
Both computations take time polynomial in \(\lambda \) and \(\kappa \), since the evaluations and the Hermite normal form computation have polynomial time complexity. Eventually, we recover a basis of the ideal lattice \(\langle \varvec{g} \rangle \), and we can efficiently compute arithmetic in \(\mathcal {R}/ \langle \varvec{g} \rangle \). In other words, we obtain an \(\mathcal {R}/\langle \varvec{g} \rangle \) program corresponding to \(\mathcal O(P)\) (or P), whose properties are characterized by Proposition 5. For convenience, we abuse notation: from now on, \(\mathcal {R}({P})\) denotes the \(\mathcal {R}/ \langle \varvec{g}\rangle \) program, and \(\varvec{D}_{\varvec{S}}, \varvec{D}_{\varvec{T}}\) and \(\varvec{D}_{i,\varvec{b}}\) for all \(i \in [\ell ], \varvec{b} \in \{0,1\}^w\) are matrices over \(\mathcal {R}/ \langle \varvec{g}\rangle \).
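As an added worked example, not part of the original paper, the following Python code carries out the second step above in a toy ring \(\mathcal {R}= {\mathbb {Z}}[X]/\langle X^4 +1\rangle \): it builds the generating set \(\{ \varvec{f} \cdot \varvec{g}, \varvec{f} \cdot \varvec{g}\cdot X , \cdots \}\) of each ideal \(\langle \varvec{f} \cdot \varvec{g}\rangle \), takes the Hermite normal form of the union of these generating sets, and compares it with the Hermite normal form of \(\langle \varvec{g}\rangle \) itself. The degree, the secret \(\varvec{g}\) and the multipliers are constructed values, and the HNF routine is a plain textbook implementation rather than [1, Lemma 1]. It also shows why several independent multiples are needed: a single multiple \(\varvec{f}_1 \cdot \varvec{g}\) generates a sublattice of index \(|N(\varvec{f}_1)|\) in \(\langle \varvec{g}\rangle \), and the sum recovers \(\langle \varvec{g}\rangle \) exactly only once the multipliers generate the unit ideal.

```python
"""Added example: recovering the ideal lattice <g> from a few multiples f_i * g (constructed toy)."""
from math import prod

N = 4  # toy degree of R = Z[X]/(X^N + 1); GGH13 uses a power of two in the thousands

def ring_mul(a, b, n=N):
    """Product in Z[X]/(X^n + 1); the wrap-around X^n = -1 flips the sign."""
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                res[i + j] += ai * bj
            else:
                res[i + j - n] -= ai * bj
    return res

def rotations(m, n=N):
    """Generating set {m, m*X, ..., m*X^(n-1)} of the ideal lattice <m>, as coefficient vectors."""
    return [ring_mul(m, [int(j == k) for j in range(n)], n) for k in range(n)]

def hnf(vectors):
    """Row Hermite normal form of the lattice spanned by integer vectors.

    The output is canonical, so two generating sets span the same lattice
    exactly when their HNFs coincide; that is the check used below.
    """
    n = len(vectors[0])
    rows = [list(v) for v in vectors]
    basis = []
    for col in range(n):
        # Euclid down the column until at most one row has a nonzero entry there.
        while sum(1 for r in rows if r[col]) > 1:
            rows.sort(key=lambda r: (r[col] == 0, abs(r[col])))
            p = rows[0]
            for r in rows[1:]:
                if r[col]:
                    q = r[col] // p[col]
                    for j in range(n):
                        r[j] -= q * p[j]
        k = next((k for k, r in enumerate(rows) if r[col]), None)
        if k is None:
            continue
        p = rows.pop(k)
        if p[col] < 0:
            p = [-x for x in p]
        for b in basis:  # reduce earlier rows so their entry in this column lies in [0, pivot)
            q = b[col] // p[col]
            for j in range(n):
                b[j] -= q * p[j]
        basis.append(p)
    return basis

def ideal_basis(m):
    """HNF basis of the principal ideal lattice <m>."""
    return hnf(rotations(m))

def recover_ideal(multiples):
    """HNF basis of the sum of ideals <m_1> + <m_2> + ..., the Sect. 5.2 step."""
    return hnf([v for m in multiples for v in rotations(m)])

def lattice_det(basis):
    """Determinant (covolume) of a full-rank HNF basis: the product of its pivots."""
    return prod(basis[k][k] for k in range(len(basis)))

# Constructed sample data: the secret g and two multiples; the attacker only sees M1 and M2.
G = [3, 1, 0, -1]
F1 = [1, 1, 0, 0]  # 1 + X, algebraic norm 2
F2 = [2, 0, 1, 0]  # 2 + X^2, algebraic norm 25; coprime norms give <F1> + <F2> = R
M1 = ring_mul(F1, G)
M2 = ring_mul(F2, G)

def demo():
    """One multiple spans only a proper sublattice of <g>; two coprime ones recover <g> exactly."""
    one = recover_ideal([M1])
    two = recover_ideal([M1, M2])
    true = ideal_basis(G)
    return one == true, two == true, lattice_det(one) // lattice_det(true)

if __name__ == "__main__":
    print(demo())
```

The index of \(\langle \varvec{f}_1 \cdot \varvec{g}\rangle \) in \(\langle \varvec{g}\rangle \) equals the absolute norm of \(\varvec{f}_1\), which the determinant ratio reports as 2 for \(\varvec{f}_1 = 1 + X\). With multipliers whose ideals are not coprime (for instance two multiples sharing a common factor), the same computation would return a proper sublattice, which is the reason the text asks for independent multiples from several \(\mathcal R\) programs.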
5.3 Analysis of the Converting Technique
We discuss the time complexity of our program converting technique. Program converting consists of converting to an \(\mathcal {R}\) program, evaluating the \(\mathcal {R}\) program, and computing a Hermite normal form of the ideal lattice \(\langle \varvec{g}\rangle \). The last two steps take polynomial time, so the total cost is dominated by the first step. More precisely, solving the NTRU problem for each encoded matrix is the dominant part of program converting.
To estimate the cost of solving the NTRU problem, we assume that each component of the branching program is encoded by the GGH13 multilinear map at level 1. The general case is similar but a bit more complex; there we assume that the sizes of the level sets are not too different, so that \(\ell = \varTheta (\kappa )\).
Suppose that an obfuscated branching program \(\mathcal O({P})\) over a \((\kappa ,\lambda )\)-GGH13 multilinear map is given. As written in Sect. 2.3, for constants \(\delta , e\), security parameter \(\lambda \) and multilinearity level \(\kappa \), the parameters n, M and \(\log q\) are set to \(\tilde{\varTheta }(\kappa ^e \cdot \lambda ^\delta )\), \(n^{\varTheta (1)}\) and \(\tilde{\varTheta }(\kappa \cdot \log n)\), respectively. Proposition 4 implies that one can convert the program in \(2^{O(\beta )}\cdot poly(\lambda ,\kappa )\) time for \(\frac{\beta }{\log \beta }= \varTheta (\frac{n\log M}{\log ^2 q})= \tilde{\varTheta }\left( \frac{\lambda ^\delta }{ \kappa ^{2-e}}\right) \). Therefore, the program converting technique runs in polynomial time for \(\kappa =\tilde{\varOmega }(\lambda ^{\delta /(2-e)})\). Equivalently, it runs in polynomial time for obfuscated programs of length \(\ell = \tilde{\varOmega }(\lambda ^{\delta /(2-e)})\).
We note that choosing n large enough to make the subfield attack exponential-time rules out our attack as well. More concretely, if one chooses \(n=\tilde{\varTheta }(\kappa ^2 \lambda )\), then the underlying NTRU problem is hard enough to block the known subexponential time attacks.
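As an added worked substitution, not in the original text, the exponent of Proposition 4 can be traced through the parameter sizes quoted above to see where the two thresholds come from. With \(n = \tilde{\varTheta }(\kappa ^e \lambda ^\delta )\), \(\log M = \varTheta (\log n)\) and \(\log q = \tilde{\varTheta }(\kappa \log n)\),
$$\begin{aligned} \frac{\beta }{\log \beta } = \varTheta \left( \frac{n \log M}{\log ^2 q}\right) = \varTheta \left( \frac{\kappa ^e \lambda ^\delta \cdot \log n}{\kappa ^2 \log ^2 n}\right) \cdot \frac{1}{\mathrm{polylog}} = \tilde{\varTheta }\left( \frac{\lambda ^\delta }{\kappa ^{2-e}}\right) . \end{aligned}$$
The running time \(2^{O(\beta )}\) is polynomial in \(\lambda \) once \(\beta = O(\log \lambda )\), that is, once the right-hand side is polylogarithmic, i.e. \(\kappa ^{2-e} = \tilde{\varOmega }(\lambda ^\delta )\), which is the threshold \(\kappa =\tilde{\varOmega }(\lambda ^{\delta /(2-e)})\) stated above. Conversely, substituting \(n=\tilde{\varTheta }(\kappa ^2 \lambda )\) in the same expression gives
$$\begin{aligned} \frac{\beta }{\log \beta } = \tilde{\varTheta }\left( \frac{\kappa ^2 \lambda \cdot \log n}{\kappa ^2 \log ^2 n}\right) = \tilde{\varTheta }(\lambda ), \end{aligned}$$
so the subfield step then costs \(2^{\tilde{\varTheta }(\lambda )}\), independently of \(\kappa \), which is why this choice of n blocks the attack.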
6 Matrix Zeroizing Attack
In this section, we present a distinguishing attack on \(\mathcal {R}\) programs to complete our cryptanalysis of the attackable BP obfuscation model. We note that we can evaluate the \(\mathcal {R}\) program at invalid, or mixed, inputs, since the multilinearity level, which was the obstacle to mixed inputs, was removed in the previous step. We recall that \(\varvec{M}(\varvec{b})\) denotes \(\prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i}\) for \(\varvec{b} = (\varvec{b}_1,\cdots ,\varvec{b}_\ell )\), and the set of linear relations
which was defined in Sect. 4.3. We also recall that the two programs \(\varvec{M}\) and \(\varvec{N}\) are linear relationally inequivalent if \(L_{\varvec{M}} \ne L_{\varvec{N}}\).
For two functionally equivalent but linear relationally inequivalent BPs \(P_{\varvec{M}}\) and \(P_{\varvec{N}}\), we will zeroize the \(\mathcal {R}\) program corresponding to \(P_{\varvec{M}}\) by exploiting a linear relation, whereas the \(\mathcal {R}\) program corresponding to \(P_{\varvec{N}}\) does not become a zero matrix. The result of the matrix zeroizing attack is as follows.
Proposition 6
(Matrix Zeroizing Attack). For functionally equivalent but linear relationally inequivalent branching programs \(P_{\varvec{M}},P_{\varvec{N}}\), there is a PPT algorithm which distinguishes the two \(\mathcal {R}\) programs \(\mathcal {R}(P_{\varvec{M}})\) and \(\mathcal {R}(P_{\varvec{N}})\) obtained by the method of Sect. 5 with non-negligible probability.
Now we explain how to distinguish two \(\mathcal R\) programs using linear relational inequivalence. Despite the absence of multilinearity levels, one obstacle remains before we can directly exploit linear relational inequivalence: the scalar bundlings. To explain the main idea of the attack, we assume for the time being that all scalar bundlings in the program obtained in Sect. 5 are trivial. We explain later how to deal with the scalar bundlings.
Suppose that two BPs \(P_{\varvec{M}}, P_{\varvec{N}}\) and an \(\mathcal {R}\) program
are given. Our goal is to determine whether \(\varvec{X} = \varvec{N}\) or \(\varvec{X} = \varvec{M}\). We can compute a linear relation \(\left( q_{\varvec{b}}\right) \) which is an element of \(L_{\varvec{M}}\setminus L_{\varvec{N}}\) in polynomial time (Footnote 6) by computing a basis of the kernel and solving the lattice membership problem for each vector in the basis. Then the following equation holds
when \(\varvec{X} = \varvec{M}\), whereas it does not hold when \(\varvec{X} = \varvec{N}\). Therefore, the matrix zeroizing attack works when the scalar bundlings are all trivial.
When the scalar bundlings are not trivial, we can do a similar computation after recovering the ratios of the bundling scalars. Assume that we know \(\varvec{\rho }_{i,\varvec{u}}/\varvec{\rho }_{i,\varvec{v}}\) for every \(1 \le i \le \ell \) and \(\varvec{u},\varvec{v} \in \{0,1\}^w\). Consequently, for \(\varvec{r}(\varvec{b}) := \prod _{i \in [\ell ]} \varvec{\rho }_{i,\varvec{b}_{i}}\) where \(\varvec{b} = (\varvec{b}_1 ,\cdots ,\varvec{b}_\ell )\), we can compute \(\varvec{r} (\varvec{b}) / \varvec{r} (\varvec{c})\) for \(\varvec{b}, \varvec{c} \in \{0,1\}^{w \times \ell }\) by multiplying ratios of bundling scalars. Then we can calculate
which is a zero matrix if and only if \(\varvec{X} = \varvec{M}\).
Accordingly, we must remove the scalar bundlings, or recover their ratios, in order to execute the matrix zeroizing attack. In the rest of this section, we show how to recover or remove (ratios of) scalar bundlings in several cases. In Sect. 6.2, we explain how to recover all ratios in the general case by more involved techniques.
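As an added example, not part of the original paper, the following Python code runs the matrix zeroizing test of this section end to end on a toy pair of \(2 \times 2\) read-once BPs. Since an actual \(\mathcal {R}/\langle \varvec{g} \rangle \) program from Sect. 5 is not available offline, the code stands in for it with Kilian-style randomization over a small prime field: random invertible matrices between layers, random bookends \(\varvec{S}_0,\varvec{T}_0\) and bundling scalars \(\varvec{\rho }_{i,\varvec{b}}\), so that the product on input \(\varvec{b}\) is \(\varvec{r}(\varvec{b}) \cdot \varvec{S}_0 \cdot \varvec{X}(\varvec{b}) \cdot \varvec{T}_0\) as in Proposition 5. The relation \(Q\) is a fixed element of \(L_{\varvec{M}}\setminus L_{\varvec{N}}\) for the constructed pair (the code checks this), and the ratios \(\varvec{\rho }_{i,1}/\varvec{\rho }_{i,0}\) are read from the randomization state, which models the assumption above that they have already been recovered; the prime, the programs and all function names are constructed for the example.

```python
"""Added example: matrix zeroizing distinguisher on Kilian-randomized toy programs (constructed)."""
import random
from itertools import product

P = 101  # stand-in for the plaintext ring R/<g>: a small prime field (constructed assumption)

def mat_mul(A, B, mod=None):
    """Matrix product, reduced mod `mod` when given."""
    C = [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))] for i in range(len(A))]
    return [[x % mod for x in row] for row in C] if mod else C

def lin_comb(mats, coeffs, mod=None):
    """sum_b coeffs[b] * mats[b] entrywise, reduced mod `mod` when given."""
    d = len(mats[0])
    tot = [[0] * d for _ in range(d)]
    for c, M in zip(coeffs, mats):
        tot = [[tot[i][j] + c * M[i][j] for j in range(d)] for i in range(d)]
    return [[x % mod for x in row] for row in tot] if mod else tot

def inv_2x2(K, mod):
    """Inverse of a 2x2 matrix over Z/modZ, or None when singular (the toy BPs are 2x2)."""
    (a, b), (c, d) = K
    det = (a * d - b * c) % mod
    if det == 0:
        return None
    di = pow(det, -1, mod)
    return [[d * di % mod, -b * di % mod], [-c * di % mod, a * di % mod]]

def inputs(ell):
    """All b = (b_1, ..., b_ell) for a read-once single-input BP (inp(i) = i)."""
    return list(product((0, 1), repeat=ell))

def bp_product(bp, b):
    """M(b) = prod_i M_{i, b_i} over the integers; bp[i] = (M_{i,0}, M_{i,1})."""
    acc = [[1, 0], [0, 1]]
    for layer, bit in zip(bp, b):
        acc = mat_mul(acc, layer[bit])
    return acc

def is_relation(bp, q):
    """q in L_M  <=>  sum_b q_b * M(b) = 0 over the integers."""
    return all(x == 0 for row in lin_comb([bp_product(bp, b) for b in inputs(len(bp))], q) for x in row)

def randomize(bp, rng, with_scalars):
    """Kilian-style randomization with bookends S0, T0 and bundling scalars rho over F_P: a constructed
    stand-in for the R/<g> program of Proposition 5, so the product on input b is r(b)*S0*M(b)*T0."""
    def rand_inv():
        while True:
            K = [[rng.randrange(P) for _ in range(2)] for _ in range(2)]
            if inv_2x2(K, P) is not None:
                return K, inv_2x2(K, P)
    ell = len(bp)
    K = [rand_inv() for _ in range(ell + 1)]  # K[i] = (K_i, K_i^{-1}), i = 0..ell
    S0, T0 = rand_inv()[0], rand_inv()[0]
    rho = [[rng.randrange(1, P) if with_scalars else 1 for _ in (0, 1)] for _ in range(ell)]
    layers = []
    for i, pair in enumerate(bp):  # D_{i,b} = K_{i-1}^{-1} * (rho_{i,b} * M_{i,b}) * K_i
        layers.append(tuple(mat_mul(mat_mul(K[i][1], [[rho[i][b] * x for x in row] for row in M]), K[i + 1][0], P)
                            for b, M in enumerate(pair)))
    return {"S": mat_mul(S0, K[0][0], P), "T": mat_mul(K[ell][1], T0, P), "layers": layers, "rho": rho}

def eval_program(prog, b):
    """Eval_D(b) = D_S * prod_i D_{i,b_i} * D_T; mixed inputs are allowed once the levels are gone."""
    acc = prog["S"]
    for layer, bit in zip(prog["layers"], b):
        acc = mat_mul(acc, layer[bit], P)
    return mat_mul(acc, prog["T"], P)

def bundling_ratios(prog):
    """rho_{i,1}/rho_{i,0} per layer, which Sect. 6 assumes the attacker has recovered (read off here)."""
    return [r1 * pow(r0, -1, P) % P for r0, r1 in prog["rho"]]

def zeroize(prog, q, ratios=None):
    """sum_b q_b * (r(0)/r(b)) * Eval_D(b) mod P: the zero matrix iff q is a relation of the hidden BP."""
    coeffs = []
    for q_b, b in zip(q, inputs(len(prog["layers"]))):
        s = 1  # r(0)/r(b) = product over the set bits of b of rho_{i,0}/rho_{i,1}
        for ratio, bit in zip(ratios or [], b):
            s = s * pow(ratio, -1, P) % P if bit else s
        coeffs.append(q_b * s)
    return lin_comb([eval_program(prog, b) for b in inputs(len(prog["layers"]))], coeffs, P)

def distinguish(prog, q, ratios=None):
    """'M' when the zeroized sum vanishes (the program came from P_M), else 'N'."""
    return "M" if all(x == 0 for row in zeroize(prog, q, ratios) for x in row) else "N"

# Constructed toy pair with the same function (the product is the identity only on input 00).
# Q = (q_00, q_01, q_10, q_11) encodes -I - B + 2A = 0 for A = M_{1,1}, B = M_{2,1}; the same
# combination of P_N's products is nonzero, so Q lies in L_M \ L_N.
I2 = [[1, 0], [0, 1]]
BP_M = [(I2, [[1, 1], [0, 1]]), (I2, [[1, 2], [0, 1]])]
BP_N = [(I2, [[0, 1], [1, 0]]), (I2, [[1, 1], [0, 1]])]
Q = [-1, -1, 2, 0]

def run_attack(seed=2018):
    """Trivial scalars first, then non-trivial scalars corrected with the known ratios."""
    rng = random.Random(seed)
    out = [distinguish(randomize(bp, rng, False), Q) for bp in (BP_M, BP_N)]
    for bp in (BP_M, BP_N):
        prog = randomize(bp, rng, True)
        out.append(distinguish(prog, Q, bundling_ratios(prog)))
    return tuple(out)
```

Because \(\varvec{S}_0\) and \(\varvec{T}_0\) are invertible and \(\varvec{r}(\varvec{0})\) is a unit, the rescaled sum equals \(\varvec{r}(\varvec{0}) \cdot \varvec{S}_0 \cdot \left( \sum _{\varvec{b}} q_{\varvec{b}} \varvec{X}(\varvec{b})\right) \cdot \varvec{T}_0\), so it vanishes exactly when \(Q\) is a relation of the hidden program, regardless of the randomness; `run_attack()` therefore returns `('M', 'N', 'M', 'N')` for every seed. Without the ratio correction, the non-trivial scalars would in general prevent the sum for \(P_{\varvec{M}}\) from vanishing, which is the obstacle the rest of this section is about.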
6.1 Existing BP Obfuscations
In this section, we show how to apply the matrix zeroizing attack to two notable obfuscations, GGHRSW and GMMSSZ. Further examples of obfuscations [6, 32] are treated in Appendix B.
GGHRSW. As the first case, we consider the first BP obfuscation, GGHRSW, which has the identity dummy program. We note that the attack for this case works for attackable BP obfuscations with a fixed dummy program as well. In this case, a constraint on the bundling scalars, \(\varvec{\alpha }_{\varvec{x}} = \varvec{\alpha }'_{\varvec{x}} \) for every input \(\varvec{x}\), is given, where \(\varvec{\alpha }_{\varvec{x}} = \varvec{\alpha }_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\alpha }_{i,{\varvec{x}}_{\mathsf{inp}(i)}} \cdot \varvec{\alpha }_{\varvec{T}},~\varvec{\alpha }'_{\varvec{x}} = \varvec{\alpha }'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\alpha }'_{i,{\varvec{x}}_{\mathsf{inp}(i)}} \cdot \varvec{\alpha }'_{\varvec{T}}\). Suppose the \(\mathcal {R}\) program of P is given by
By Proposition 5, the following equations hold
Here we assume that each \(\varvec{M}'_ {i, \varvec{x}_{\mathsf{inp }(i)}}\) is an identity matrix. Now we consider the two evaluation quantities \(Plain_{\varvec{D}}(\varvec{x}):={\varvec{D}}_{\varvec{S}} \cdot \prod _{i=1}^{\ell } \varvec{D}_{i,\varvec{x}_{\mathsf{inp }(i)}} \cdot {\varvec{D}}_{\varvec{T}}\) and \(Dummy_{\varvec{D}}(\varvec{x}):= {\varvec{D}}'_{\varvec{S}} \cdot \prod _{i=1}^{\ell } {\varvec{D}}'_{i,\varvec{x}_{\mathsf{inp}(i)}} \cdot {\varvec{D}}'_{\varvec{T}}\).
According to the condition on the scalar bundlings, \( \varvec{\rho }_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\rho }_{i,\varvec{x}_{\mathsf{inp }(i)}} \cdot \varvec{\rho }_{\varvec{T}}=\varvec{\rho }'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\rho }'_{i,\varvec{x}_{\mathsf{inp }(i)}} \cdot \varvec{\rho }'_{\varvec{T}} \), since the values \(\varvec{c}\) are shared by the plain and dummy programs. It is therefore possible to remove the scalar bundlings by dividing \(Plain_{\varvec{D}}(\varvec{x})\) by \(Dummy_{\varvec{D}}(\varvec{x})\). In other words, we obtain \(\varvec{d}\cdot \varvec{S}_0 \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{x}_{\mathsf{inp }(i)}} \cdot \varvec{T}_0 \) for some fixed \(\varvec{d}\) from the above division. Since we know all the \(\varvec{M}\)'s, the matrix zeroizing attack works well on the computed quantities.
We remark that the previous analysis [16] also analyzed the first candidate iO [23]. Whereas the work in [16] heavily relies on the input partitionable property of single-input branching programs, our algorithm does not need this property. Moreover, our algorithm can be applied to dual-input branching programs, so the attack applies to a wider range of branching programs.
GMMSSZ. The most notable result on BP obfuscation, GMMSSZ, was suggested by Garg et al. at TCC 2016 [24]. The authors claim the security of their construction against all known attacks. Nevertheless, the matrix zeroizing attack can be applied to their obfuscation.
GMMSSZ obfuscates low-rank matrix branching programs, which are evaluated by checking whether the product \(\varvec{M}_0 \cdot \prod _{i \in [\ell ]} \varvec{M}_{i,\varvec{b}_i} \cdot \varvec{M}_{\ell +1}\) is zero or not. There are two distinctive properties of the obfuscation: the uniformly random higher dimension embedding, and bookend vectors given as inputs. Let \(\varvec{M}_0 = (\beta _1 ,\cdots , \beta _{d_1}) , \varvec{M}_{\ell +1} = (\gamma _1 ,\cdots ,\gamma _{d_{\ell +1}})^T\) be the given bookend vectors. The bookend vectors are also extended as \(\varvec{H}_0 = (\varvec{M}_0 || \mathbf {0} ), \varvec{H}_{\ell +1 } = (\varvec{M}_{\ell +1} || \varvec{U}_{\ell +1})^T\) for a randomly chosen \(\varvec{U}_{\ell +1 }\) in the higher dimension embedding step, in order to remove the higher dimension embedding matrices. Although the branching programs of this obfuscation are square, we do not restrict the shape of the matrices in this section.
For the evaluation, one computes \(\widetilde{\varvec{M}}_0 \cdot \prod _{i \in [\ell ]} \widetilde{\varvec{M}}_{i, \varvec{b}_i} \cdot \widetilde{\varvec{M}}_{\ell +1}\), which corresponds to
in \(\mathcal {R}\) program by Proposition 5. Since we know all \(\varvec{M}\)’s, we can compute the ratios of scalar bundlings by
for \(\varvec{b},\varvec{b}'\) which agree in all but the j-th bit. Therefore, the matrix zeroizing attack works well for the construction of [24]. We remark that this method also works for unknown bookend matrices, with a more complicated technique; see Sect. 6.2.
6.2 Attackable BP Obfuscation, General Case
Now we consider attackable BP obfuscations in general. We note that an attackable obfuscation without bookends can be regarded as an obfuscation with bookends by renaming the matrices. For example, if we set \(\varvec{D}_{\varvec{S}} := \varvec{D}_{1, \varvec{0}} = \varvec{\rho }_{1,\varvec{0}} \cdot \varvec{D}_1\), then we can regard \(\varvec{D}_{\varvec{S}}\) as a left bookend matrix and \(\varvec{\rho }_{1,\varvec{0}}\) as the corresponding scalar bundling.
The case of obfuscation with bookend matrices is the most complex and requires a more involved technique. We will recover the bookend matrices up to a constant multiple, and then proceed with the algorithm as in the case of [24].
Recovering the Bookends. For the sake of simplicity, we only consider the case of bookend vectors. To tackle constructions using bookend matrices, it suffices to consider a fixed (u, v)-entry of the output matrix given in Proposition 2.
If the obfuscation has bookend vectors, then the evaluation of \(\mathcal {R}\) program is computed by
for some vectors \(\varvec{S}_0 \in (\mathcal {R}/\langle \varvec{g} \rangle )^{1 \times d_1}\) and \(\varvec{T}_0\in (\mathcal {R}/\langle \varvec{g} \rangle )^{d_{\ell +1} \times 1}\). Let \(\varvec{S}_0 = (\varvec{\beta }_1, \cdots ,\) \(\varvec{\beta }_{d_1}),\) \(\varvec{T}_0 = (\varvec{\gamma }_1,\cdots ,\varvec{\gamma }_{d_{\ell +1}})\), and denote the evaluation \(\varvec{D}_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{D}_{i,\varvec{b}_i} \cdot \varvec{D}_{\varvec{T}}\) by \(Eval_{\varvec{D}}(\varvec{b}_1 ,\cdots , \varvec{b}_\ell )\).
Our idea is to remove the \(\varvec{\rho }\)'s so as to obtain equations over \(\varvec{S}_0 ,\varvec{T}_0\). Let \(\varvec{b}_{i,t} \in \{0,1\}^w\) for \(1 \le i \le \ell \) and \(t \in \{0,1\}\), and let \(\varvec{t} = (t_1 ,\cdots ,t_\ell ) \in \{0,1\}^\ell \). Then the following two values share the same \(\varvec{\rho }\)'s, precisely \((\varvec{\rho }_{\varvec{S}} \varvec{\rho }_{\varvec{T}})^2 \cdot \prod _{i \in [\ell ]} \varvec{\rho }_{i,\varvec{b}_{i,0}} \varvec{\rho }_{i,\varvec{b}_{i,1}}\):
We denote \( \varvec{S}_0 \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i} \cdot \varvec{T}_0\) by \(Eqn_{\varvec{M}} (\varvec{b}_1, \cdots ,\varvec{b}_\ell )\). Then, by the above relations, we get an equation in \(\varvec{\beta }_1, \cdots , \varvec{\beta }_{d_1},\varvec{\gamma }_1 ,\cdots ,\varvec{\gamma }_{d_{\ell +1}}\):
Both sides of the equation are homogeneous polynomials of degree 4. If we substitute each degree-4 monomial by a new variable, this equation becomes a homogeneous linear equation in the new variables. The number of new variables is \(O(d_1^2 d_{\ell +1}^2)\).
Now we assume that we can obtain a sufficient number of linearly independent equations generated in the way explained. Then, since a system of linear equations in M variables can be solved in \(O(M^3)\) time by Gaussian elimination, we can find all ratios of the degree-4 monomials (Footnote 7). In other words, we can compute \(\varvec{\delta }\varvec{\beta }_1, \cdots , \varvec{\delta }\varvec{\beta }_{d_1},\varvec{\delta }\varvec{\gamma }_1,\cdots ,\varvec{\delta }\varvec{\gamma }_{d_{\ell +1}}\) for some constant \(\varvec{\delta }\).
Matrix Zeroizing Attack. The remaining part of the attack is exactly the same as the attack on GMMSSZ. Precisely, we can recover the ratios of the scalar bundlings by computing
for \(\varvec{b},\varvec{b}'\) which agree in all but the j-th bit. We note that we do not know the exact values of \(\varvec{S}_0,\varvec{T}_0\), but we recovered \(\varvec{\delta }\varvec{S}_0, \varvec{\delta }\varvec{T}_0\) in the above step. Thus we can compute \(\varvec{\rho }_{j,\varvec{b}_j}/\varvec{\rho }_{j,\varvec{b}'_j}\) by
Therefore the matrix zeroizing attack can be applied to the attackable BP obfuscations, which include all existing BP obfuscations over GGH13.
Notes
- 2. In fact \(\alpha _{i,b} = \alpha '_{i,b}\) should hold in this simplified setting, but we do not use this equality, in order to convey the idea of our attack.
- 3. Because of this step, our attack cannot be applied to BP obfuscation for evasive functions.
- 4. The coefficients of random values are usually sampled from the Gaussian distribution. This does not affect the result of this paper, because the coefficients are bounded with overwhelming probability.
- 6. The dimension of \((q_{\varvec{b}})_{\varvec{b} \in \{0,1\}^{w\times \ell }}\) is \(2^{w\times \ell }\), which is exponentially large. However, we can reduce this exponential part by considering a polynomial number of \(\varvec{b}\) so that there are linear relations.
- 7. Here we assume that \({\varvec{g}}\) is hard to factorize. If \(\varvec{g}\) is factorized in the Gaussian elimination procedure, we can proceed with the algorithm for a factor of \(\varvec{g}\).
References
Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 153–178. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_6
Albrecht, M.R., Cocis, C., Laguillaumie, F., Langlois, A.: Implementing candidate graded encoding schemes from ideal lattices. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 752–775. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_31
Prabhanjan, A., Gupta, D., Ishai, Y., Sahai, A.: Optimizing obfuscation: avoiding Barrington’s theorem. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 646–658. ACM (2014)
Apon, D., Döttling, N., Garg, S., Mukherjee, P.: Cryptanalysis of indistinguishability obfuscations of circuits over GGH13. In: LIPIcs-Leibniz International Proceedings in Informatics, vol. 80. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2017)
Applebaum, B., Brakerski, Z.: Obfuscating circuits via composite-order graded encoding. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 528–556. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_21
Badrinarayanan, S., Miles, E., Sahai, A., Zhandry, M.: Post-zeroizing obfuscation: new mathematical tools, and the case of evasive circuits. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 764–791. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_27
Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 221–238. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_13
Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1
Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (im)possibility of obfuscating programs. J. ACM (JACM) 59(2), 6 (2012)
Barrington, D.A.: Bounded-width polynomial-size branching programs recognize exactly those languages in NC 1. In: Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, pp. 1–5. ACM (1986)
Ben-Or, M., Cleve, R.: Computing algebraic formulas using a constant number of registers. In: Proceedings of the 20th Annual ACM Symposium on Theory of Computing, pp. 254–257 (1988)
Biasse, J.-F.: Subexponential time relations in the class group of large degree number fields. Adv. Math. Commun. 8(4), 407–425 (2014)
Biasse, J.-F., Espitau, T., Fouque, P.-A., Gélin, A., Kirchner, P.: Computing generator in cyclotomic integer rings. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 60–88. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_3
Biasse, J.-F., Song, F.: Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 893–902. SIAM (2016)
Brakerski, Z., Rothblum, G.N.: Virtual black-box obfuscation for all circuits via generic graded encoding. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 1–25. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_1
Chen, Y., Gentry, C., Halevi, S.: Cryptanalyses of candidate branching program obfuscators. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 278–307. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_10
Cheon, J.H., Hhan, M., Lee, C.: Cryptanalysis of the overstretched NTRU problem for general modulus polynomial. IACR Cryptology ePrint Archive, 2017:484 (2017)
Cheon, J.H., Jeong, J., Lee, C.: An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without a low-level encoding of zero. LMS J. Comput. Math. 19(A), 255–266 (2016)
Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_26
Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_20
Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_3
Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_1
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: Proceedings of the 2013 IEEE 54th Annual Symposium on Foundations of Computer Science, pp. 40–49. IEEE Computer Society (2013)
Garg, S., Miles, E., Mukherjee, P., Sahai, A., Srinivasan, A., Zhandry, M.: Secure obfuscation in a weak multilinear map model. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 241–268. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_10
Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_20
Kirchner, P., Fouque, P.-A.: Revisiting lattice attacks on overstretched NTRU parameters. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 3–26. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_1
Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 239–256. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_14
Lewi, K., Malozemoff, A.J., Apon, D., Carmer, B., Foltzer, A., Wagner, D., Archer, D.W., Boneh, D., Katz, J., Raykova, M.: 5Gen: a framework for prototyping applications using multilinear maps and matrix branching programs. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 981–992. ACM (2016)
Ma, F., Zhandry, M.: The MMAP strikes back: obfuscation and new multilinear maps immune to CLT13 Zeroizing attacks. Cryptology ePrint Archive, Report 2017/946 (2017). https://eprint.iacr.org/2017/946
Miles, E., Sahai, A., Weiss, M.: Protecting obfuscation against arithmetic attacks. IACR Cryptology ePrint Archive, 2014:878 (2014)
Miles, E., Sahai, A., Zhandry, M.: Annihilation attacks for multilinear maps: cryptanalysis of indistinguishability obfuscation over GGH13. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 629–658. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_22
Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation from semantically-secure multilinear encodings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 500–517. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_28
Sahai, A., Zhandry, M.: Obfuscating low-rank matrix branching programs. IACR Cryptology ePrint Archive, 2014:773 (2014)
Zimmerman, J.: How to obfuscate programs directly. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 439–467. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_15
Acknowledgement
We sincerely thank the anonymous reviewers of Crypto 2018 for their fruitful comments. This work was supported by Institute for Information & communication Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2016-6-00598, The mathematical structure of functional encryption and its analysis) and was based upon work supported by the ARO and DARPA under Contract No. W911NF-15-C-0227.
Appendices
A Extended Attackable BP Obfuscation Model
In this section we introduce an extended model of BP obfuscations that are attackable by our attack. The extended attackable BP obfuscation modifies the randomization step so as to embrace the obfuscation in [15]. The definition of the extended attackable conditions for randomization, which is similar to Definition 3, is as follows:
Definition 6
(Extended Attackable Conditions for Randomization). For a branching program \(P = \left\{ \varvec{M}_{i,\varvec{b}} \in {\mathbb {Z}}^{d_i \times d_{i+1}}\right\} _{i \in [\ell ], \varvec{b} \in \{0,1\}^w}\), the extended attackable randomized branching program is the set
satisfying the following properties, where \(d_0, d_{\ell +2},e_i\)’s are integers.
1. There exist matrices \(\varvec{S}_0 ,\varvec{S}'_0 \in {\mathbb {Z}}^{d_0 \times d_1} , \varvec{T}_0,\varvec{T}'_0 \in {\mathbb {Z}}^{d_\ell \times d_{\ell +1}}\) and scalars \(\varvec{\alpha }_{\varvec{S}}, \varvec{\alpha }'_{\varvec{S}}\), \(\varvec{\alpha }_{\varvec{T}}, \varvec{\alpha }_{\varvec{T}}'\), \(\{\varvec{\alpha }_{i,\varvec{b}},\varvec{\alpha }'_{i,\varvec{b}}\}_{i \in [\ell ], \varvec{b} \in \{0,1\}^w}\) such that the following equations hold for all \(\{ \varvec{b}_i \in \{0,1\}^w \}_{i \in [\ell ]}\):
$$\begin{aligned} \varvec{R}_S \cdot \prod _{i=1}^\ell \varvec{R}_{i,\varvec{b}_i} \cdot \varvec{R}_T&=\varvec{\alpha }_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\alpha }_{i,\varvec{b}_i} \cdot \varvec{\alpha }_{\varvec{T}} \cdot \left( \varvec{S}_0 \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i} \cdot \varvec{T}_0\right) ,\\ \varvec{R}'_S \cdot \prod _{i=1}^\ell \varvec{R}'_{i,\varvec{b}_i}\cdot \varvec{R}'_T&=\varvec{\alpha }'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\alpha }'_{i,\varvec{b}_i} \cdot \varvec{\alpha }'_{\varvec{T}} \cdot \left( \varvec{S}'_0 \cdot \prod _{i=1}^\ell \varvec{M}'_{i,\varvec{b}_i} \cdot \varvec{T}'_0\right) . \end{aligned}$$
2. The evaluation of the randomized program is done by checking whether the fixed entries of
$$RP(\varvec{x}) = \prod _{J \subset [N]} \mathsf{aux}_{J,\varvec{x}|_{J}} \cdot \varvec{R}_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{R}_{i,\varvec{x}_{\mathsf{inp}(i)}} \cdot \varvec{R}_{\varvec{T}} - \prod _{J \subset [N]} \mathsf{aux}'_{J,\varvec{x}|_{J}} \cdot \varvec{R}'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{R}'_{i,\varvec{x}_{\mathsf{inp}(i)}} \cdot \varvec{R}'_{\varvec{T}}$$
are zero or not. In particular, there are two integers u, v such that \(P(\varvec{x})=0 \Rightarrow RP(\varvec{x})[u,v] = 0\).
After randomizing the matrices, we encode every entry and scalar of Rand(P) separately with the GGH13 multilinear map, at the level corresponding to the first index of the element. We denote \(\mathsf{enc}(\mathsf{aux}_{J,\varvec{a}})\) by \(\widetilde{\mathsf{aux}}_{J,\varvec{a}}\) for each \(J \subset [N]\) and \(\varvec{a} \in \{0,1\}^{w \times |J|}\).
We note that the \(\mathsf{aux}\)’s were not discussed in the main body of our paper. However, our program converting technique applies to the auxiliary scalars as well, with a small modification. More precisely, for each pair \(\widetilde{\mathsf{aux}}_{J,\varvec{a}}, \widetilde{\mathsf{aux}}_{J,\varvec{b}}\), we compute \(\varvec{h} = \widetilde{\mathsf{aux}}_{J,\varvec{a}}/\widetilde{\mathsf{aux}}_{J,\varvec{b}}\) and solve the NTRU problem for the instance \(\varvec{h}\). Then we obtain \(\varvec{c}_J \cdot ( \mathsf{aux}_{J,\varvec{a}}+ \varvec{r}_{\varvec{a}} \cdot \varvec{g})\) for a small \(\varvec{c}_J\). For any auxiliary scalar \(\widetilde{\mathsf{aux}}_{J,\varvec{c}}\) corresponding to the same J, we compute \(\varvec{c}_J \cdot (\mathsf{aux}_{J,\varvec{c}} + \varvec{r}_{\varvec{c}} \cdot \varvec{g}) = \varvec{c}_J \cdot ( \mathsf{aux}_{J,\varvec{a}}+ \varvec{r}_{\varvec{a}} \cdot \varvec{g}) \cdot \widetilde{\mathsf{aux}}_{J,\varvec{c}}/\widetilde{\mathsf{aux}}_{J,\varvec{a}}\). The dummy auxiliaries can be recovered in the same way.
From this calculation, the \(\mathcal R\) program is obtained for the extended model. The other steps, such as recovering the ideal \(\langle \varvec{g} \rangle \) and the matrix zeroizing attack, work correctly as well.
B Examples of Matrix Zeroizing Attack
Obfuscation in [32]. In this section, we prove that the obfuscation in [32] cannot be a general-purpose iO. This scheme is characterized by several special randomizations: it converts the program to a merged branching program consisting of permutation matrices, chooses the right bookend vector \(\varvec{T} = \varvec{e}_1\) and no left bookend vector, and then chooses the identity Kilian matrix \(\varvec{K}_0 = \varvec{I}\) at the first left position. By Proposition 5, this implies that the evaluation of the program is of the form:
where k is an integer computed from the \(\varvec{M}\)’s. Therefore, we can compute \(\varvec{\rho }_{\varvec{T}}\cdot \prod _{i=1}^\ell \varvec{\rho }_{i,\varvec{b}_i}\) from the computed value. As a next step, we recover the ratios of scalar bundlings \(\varvec{\rho }_{j,\varvec{b}_j}/\varvec{\rho }_{j,\varvec{b}'_j}\) for \(\varvec{b},\varvec{b}'\) satisfying \(\varvec{b}_i =\varvec{b}'_i\) for all \(i \in [\ell ]\) except j, by computing the ratio \(\varvec{\rho }_{\varvec{T}}\cdot \prod _{i=1}^\ell \varvec{\rho }_{i,\varvec{b}_i}/\varvec{\rho }_{\varvec{T}}\cdot \prod _{i=1}^\ell \varvec{\rho }_{i,\varvec{b}'_i}\). Finally, we can run the matrix zeroizing attack.
Obfuscation in [6]. Badrinarayanan et al. suggest a construction for obfuscation based on branching programs, especially for evasive functions [6]. In this section, we prove that the obfuscation of Badrinarayanan et al. cannot be a general-purpose iO. This construction is for low-rank branching programs, so it has no dummy matrices and does not apply higher-dimension embeddings.
The originality of their construction lies in the bookend: the authors use no bookend matrices, and instead use a special form of Kilian randomization for the first and last matrices. The first and last Kilian matrices are given as follows:
where \(\beta _u, \gamma _v\) are randomly chosen scalars.
To evaluate the obfuscated program, we look at \(\left( \prod _{i=1}^\ell \widetilde{M}_{i,\varvec{b}_i} \right) [u,v]\) for some u, v. This corresponds to the following value, computed by Proposition 5,
since \(\varvec{S}_0, \varvec{T}_0\) are exactly \(\varvec{K}_0, \varvec{K}_{\ell +1}^{-1}\). We can then recover the ratio of scalar bundlings by computing \(\prod _{i \in [\ell ]} \varvec{D}_{i, \varvec{b}_i} [u,v]/\prod _{i \in [\ell ]} \varvec{D}_{i, \varvec{b}'_i} [u,v]\) for \(\varvec{b},\varvec{b}'\) satisfying \(\varvec{b}_i =\varvec{b}'_i\) for all \(i \in [\ell ]\) except j. Since we have computed the ratios of scalar bundlings \(\varvec{\rho }_{j,\varvec{b}_j}/\varvec{\rho }_{j,\varvec{b}'_j}\), we can run the matrix zeroizing attack.
C Examples of Linear Relationally Inequivalent BPs
We exhibit here two examples of pairs of branching programs that are functionally equivalent but linear relationally inequivalent. These examples also certify Proposition 3. The first, simple example consists of read-once BPs obtained from nondeterministic finite automata; the second example comes from Barrington’s theorem and is therefore input-unpartitionable.
C.1 Read-Once BPs from NFA
Two read-once BPs in Table 1 are from non-deterministic finite automata and linear relationally inequivalent.
These two BPs are the point function which output 1 only for input 01, but they are linear relationally inequivalent. For example,
We note that the matrix \(\varvec{M}_{i,b}\) is the adjacency matrix between \(\{A_{i,c}\}_{c \in \{0,1\}}\) and \(\{A_{i+1,c}\}_{c \in \{0,1\}}\), and the \(\varvec{N}\)’s are defined similarly.
C.2 Input-Unpartitionable BPs from Barrington’s Theorem
In the case of Barrington’s theorem, the linear relationally inequivalent matrix BPs are more complex. We consider the following two functionally equivalent circuits:
We transform the two circuits into the following BPs by Barrington’s theorem, as follows:
where \(\tau _\sigma \) denotes \(\sigma \tau \sigma ^{-1}\) for permutations \(\tau , \sigma \in S_5\). In the matrix representation, the permutations \(\alpha , \beta , \gamma , \rho ,\delta \) are of the form
We note that the two functionally equivalent branching programs \(P_{C_0}\) and \(P_{C_1}\) are clearly input-unpartitionable. Now consider the two (invalid) inputs \(\varvec{x}=0110110111111111\) and \(\varvec{y}=1111101011111111\). These yield, for example, \(P_{C_0}(\varvec{x}) = \alpha _{\rho } \cdot e \cdot e \cdot \beta ^{-1}_\rho \cdot \alpha _\delta \cdot e \cdot e \cdot e \cdot \cdots = \alpha _\rho \cdot \beta ^{-1}_\rho \cdot \alpha _\delta = \beta \), where the terms in the trailing \(\cdots \) cancel. Then the equation
holds. Thus the two branching programs \(P_{C_0}\) and \(P_{C_1}\) are functionally equivalent but linear relationally inequivalent.
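The following Python script is an added illustration of the objects used in Appendix C.2, not code from the paper: it represents \(S_5\) permutations as \(5 \times 5\) permutation matrices so that a matrix branching program is evaluated by matrix multiplication, implements the conjugation \(\tau _\sigma = \sigma \tau \sigma ^{-1}\), builds a Barrington-style program for the AND of two bits from two 5-cycles (constructed here, not the paper’s \(\alpha ,\beta ,\gamma ,\rho ,\delta \)), and evaluates it both on valid inputs and on a per-layer bit assignment that no single input can produce, which is the kind of "invalid input" the appendix uses to separate \(P_{C_0}\) from \(P_{C_1}\).

```python
# Added example (not from the paper): Barrington-style matrix branching programs
# over S_5, the conjugation tau_sigma = sigma * tau * sigma^{-1} of Appendix C.2,
# and evaluation on valid versus "invalid" (per-layer inconsistent) inputs.
# The 5-cycles ALPHA and BETA below are constructed here and are not the paper's.

from itertools import product

N = 5  # degree of the symmetric group S_5


def compose(s, t):
    """Return s o t, the permutation i -> s[t[i]] (t is applied first)."""
    return tuple(s[t[i]] for i in range(N))


def inverse(p):
    inv = [0] * N
    for i, pi in enumerate(p):
        inv[pi] = i
    return tuple(inv)


IDENTITY = tuple(range(N))


def conj(tau, sigma):
    """tau_sigma = sigma * tau * sigma^{-1}, the notation used in Appendix C.2."""
    return compose(sigma, compose(tau, inverse(sigma)))


def perm_matrix(p):
    """Column j carries its single 1 in row p[j]; with this convention
    perm_matrix(s) * perm_matrix(t) == perm_matrix(compose(s, t))."""
    return [[1 if p[j] == i else 0 for j in range(N)] for i in range(N)]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(N)) for j in range(N)]
            for i in range(N)]


def matrix_to_perm(m):
    """Inverse of perm_matrix; raises if m is not a permutation matrix."""
    p = []
    for j in range(N):
        col = [m[i][j] for i in range(N)]
        assert col.count(1) == 1 and col.count(0) == N - 1
        p.append(col.index(1))
    return tuple(p)


def is_five_cycle(p):
    seen, i, length = set(), 0, 0
    while i not in seen:
        seen.add(i)
        i = p[i]
        length += 1
    return length == N


# Two 5-cycles whose commutator is again a 5-cycle: the algebraic fact behind
# Barrington's AND gadget (constructed values; the test checks the commutator).
ALPHA = (1, 2, 3, 4, 0)   # cycle 0->1->2->3->4->0
BETA = (2, 0, 4, 1, 3)    # cycle 0->2->4->3->1->0


def and_program():
    """Matrix BP for AND(x0, x1): a list of layers (inp(i), M_{i,0}, M_{i,1}).
    The product alpha * beta * alpha^{-1} * beta^{-1} is the identity unless
    both bits are 1, in which case it is the commutator of alpha and beta."""
    e = perm_matrix(IDENTITY)
    return [
        (0, e, perm_matrix(ALPHA)),
        (1, e, perm_matrix(BETA)),
        (0, e, perm_matrix(inverse(ALPHA))),
        (1, e, perm_matrix(inverse(BETA))),
    ]


def evaluate_layers(program, bits):
    """Evaluate on a per-layer choice of bits b_1..b_l. When the bits are not
    consistent with any single x this is an "invalid input" as in Appendix C.2."""
    acc = perm_matrix(IDENTITY)
    for (_, m0, m1), b in zip(program, bits):
        acc = matmul(acc, m1 if b else m0)
    return matrix_to_perm(acc)


def evaluate(program, x):
    """Honest evaluation: layer i reads the bit x[inp(i)]."""
    return evaluate_layers(program, [x[inp] for inp, _, _ in program])


def retarget(program, sigma):
    """Conjugate the whole program by sigma: an output permutation c becomes
    c_sigma = sigma * c * sigma^{-1}. Barrington's construction uses exactly this
    to make a sub-program output a chosen 5-cycle."""
    s, s_inv = perm_matrix(sigma), perm_matrix(inverse(sigma))
    layers = list(program)
    inp, m0, m1 = layers[0]
    layers[0] = (inp, matmul(s, m0), matmul(s, m1))
    inp, m0, m1 = layers[-1]
    layers[-1] = (inp, matmul(m0, s_inv), matmul(m1, s_inv))
    return layers


def truth_table(program):
    """Map every valid 2-bit input to the permutation the program evaluates to."""
    return {x: evaluate(program, x) for x in product((0, 1), repeat=2)}


if __name__ == "__main__":
    prog = and_program()
    for x, p in truth_table(prog).items():
        kind = "5-cycle" if is_five_cycle(p) else "identity" if p == IDENTITY else "other"
        print(x, p, kind)
    # A per-layer assignment that no single input x produces:
    print("invalid layer bits (1,1,0,0):", evaluate_layers(prog, [1, 1, 0, 0]))
```

On the valid inputs the program evaluates to the identity or to one fixed 5-cycle, but the inconsistent layer assignment yields a third permutation, \(\alpha \beta \), that the honest function never produces; this is the same phenomenon as the value \(P_{C_0}(\varvec{x}) = \beta \) obtained above on the invalid input \(\varvec{x}\).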
© 2018 International Association for Cryptologic Research
Cite this paper
Cheon, J.H., Hhan, M., Kim, J., Lee, C. (2018). Cryptanalyses of Branching Program Obfuscations over GGH13 Multilinear Map from the NTRU Problem. In: Shacham, H., Boldyreva, A. (eds) Advances in Cryptology – CRYPTO 2018. CRYPTO 2018. Lecture Notes in Computer Science, vol 10993. Springer, Cham. https://doi.org/10.1007/978-3-319-96878-0_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-96877-3
Online ISBN: 978-3-319-96878-0