Zeroizing Attacks on Indistinguishability Obfuscation over CLT13

Abstract

In this work, we describe a new polynomial-time attack on the multilinear maps of Coron, Lepoint, and Tibouchi (CLT13), when used in candidate indistinguishability obfuscation (iO) schemes. More specifically, we show that given the obfuscation of the simple branching program that computes the always zero functionality previously considered by Miles, Sahai and Zhandry (Crypto 2016), one can recover the secret parameters of CLT13 in polynomial time via an extension of the zeroizing attack of Coron et al. (Crypto 2015). Our attack is generalizable to arbitrary oblivious branching programs for arbitrary functionality, and allows (1) to recover the secret parameters of CLT13, and then (2) to recover the randomized branching program entirely. Our analysis thus shows that almost all single-input variants of iO over CLT13 are insecure.

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Since their introduction, all candidates for multilinear maps [GGH13a, CLT13, GGH15] have been shown to suffer from zeroizing attacks [GGH13a, CHL+15, GGH15], sometimes even when no low-level encoding of zero was made available to the adversary [CGH+15]. However, the leading application of multilinear maps, indistinguishability obfuscation, has until now remained little affected by this kind of attacks. This resistance seemed to come from the fact that the particular combinations enforced in indistinguishability obfuscation constructions did not allow enough freedom to obtain a simple system of successful zero-tests that could be solved using linear algebraic techniques; see the discussion on the limitations of zeroizing attacks in [CGH+15, Sect. 1.2].

Attacks Against iO  (Related Work). Attacks against simplified variants of certain obfuscation schemes instantiated over the Coron-Lepoint-Tibouchi (CLT13) multilinear maps [CLT13] have been described in [CGH+15]. Firstly, the GGHRSW branching-program (BP) obfuscation procedure from [GGH+13b] has been shown to be broken for branching programs with a special “decomposable” structure where the inputs bits can be partitioned in three sets, and so that one set only affects the first steps of the BP, a second set the middle steps of the BP, and the last set the final steps of the BP. Secondly, the simple variants of the circuit obfuscation procedures from [Zim15, AB15] has been shown to be broken for simple circuits, such as point functions.

Recently in [MSZ16], Miles, Sahai and Zhandry introduced annihilation attacks against multilinear maps, and applied them to cryptanalyze in polynomial-time several candidate iO schemes [BGK+14, MSW14, AGIS14, PST14, BMSZ16] over the Garg-Gentry-Halevi (GGH13) multilinear maps [GGH13a]. The core idea of the attack against to differentiate whether an obfuscated program \(\mathcal O\) comes from a branching program \(\mathbf A\) or a branching program \(\mathbf A'\) is the following: evaluate specific inputs \(x_i\)’s that evaluate to 0 on \(\mathbf A\) and \(\mathbf A'\), get the zero-tested values \(y_i=O(x_i)\), and then evaluate an annihilating polynomial \(Q_{\mathbf A}\) constructed from \(\mathbf A\) over the \(y_i\)’s. When \(\mathbf A\) was obfuscated, \(Q_{\mathbf A}(y)\) belongs to an ideal \(\mathcal I\) independent of y and \(\mathbf A\); otherwise \(Q_{\mathbf A}(y)\not \in \mathcal I\) with high probability. Annihilation polynomials can also be used to attack the order revealing encryption scheme proposed in [BLR+15]. Concurrently to our work, Chen, Gentry and Halevi [CGH16] used annihilation polynomials to attack the initial GGHRSW candidate iO scheme [GGH+13b] and Apon et al. [ADGM16] introduced the notion of partially inequivalent branching programs, shown to be sufficient for annihilation attacks.

Our Contributions. In the remaining of the document, we cryptanalyze several constructions of indistinguishability obfuscation [GGH+13b, MSW14, AGIS14, PST14, BGK+14, BMSZ16] when instantiated over CLT13. More specifically, we show the following theorem.

Theorem 1

Let \(\mathcal O\) denote the single-input variant of the iO candidates in [GGH+13b, MSW14, AGIS14, PST14, BGK+14, BMSZ16] (over CLT13 multilinear maps). There exists a branching program \(\mathbf A\) such that, given \(\mathcal O(\mathbf A)\), one can break the CLT13 multilinear maps in polynomial-time.

To show this, we use the branching program \(\mathbf A\) that computes the always-zero function previously considered in [MSZ16], in which every matrix is simply the identity matrix. This branching program does not fit in the framework of the zeroizing attacks proposed in [CGH+15], but we show that one can reconstruct the three-ways structure required by the zeroizing attacks by using tensor products. More precisely, consider a branching program evaluation on input x

$$A(x) = {\widehat{\varvec{A}}}_0\times \prod _{i=1}^{2t} {\widehat{\varvec{A}}}_{i,x_{\mathsf{inp}(i)}} \times {\widehat{\varvec{A}}}_{2t+1}\times p_{zt}\bmod {x_0}\, , $$

where \(\textsf {inp}(i)=\min (i, 2t+1-i)\) denotes the input bit used at the i-th step of the computation and \(\widehat{\varvec{A}}=\{\widehat{\varvec{A}}_0, \widehat{\varvec{A}}_{2t+1}, \widehat{\varvec{A}}_{i,b}\mid i\in [2t], b\in \{0,1\}\}\) is the obfuscated branching program. We show that A(x) can be rewritten as a product of consecutive factors

$$\begin{aligned} A(x)&= {\varvec{B}(x)}\times {\varvec{C}(x)} \times {\varvec{D}(x)} \times {\varvec{C}'(x)}\times {\varvec{B}'(x)} \times p_{zt}\bmod {x_0}\\&= \big ({\varvec{B}'(x)}^T\otimes {\varvec{B}(x)}\big )\times \big ({\varvec{C}'(x)}^T\otimes {\varvec{C}(x)}\big )\times {{\mathrm{\textsf {vec}}}}\big ({\varvec{D}(x)}\big )\times p_{zt}\bmod {x_0}, \end{aligned}$$

where the factors \({\varvec{B}'(x)}^T\otimes {\varvec{B}(x)}, {\varvec{C}'(x)}^T\otimes {\varvec{C}(x)}\) and \({\varvec{D}(x)}\) that can be made to vary independently, and \({{\mathrm{\textsf {vec}}}}(\varvec{D})\) denotes the vector formed by stacking the columns of the matrix \(\varvec{D}\) on top of each other. We then show how to extend the zeroizing attack approach described in [CHL+15, CGH+15] to construct a block diagonal matrix, and apply the Cayley-Hamilton theorem to recover all the secrets embedded in the CLT13 public parameters. Once the multilinear map secret parameters have been recovered, one can then recover the randomized branching program \(\widetilde{\mathbf A}\) completely. Thus, one can distinguish between the obfuscation of two branching programs whenever they are inequivalent under Kilian’s randomization.

Our attack is applicable to the single-input version of the candidate obfuscators from [MSW14, AGIS14, PST14, BGK+14, BMSZ16], to the GGHRSW obfuscator [GGH+13b] (as opposed to annihilations attacks).

Last, but not least, we then show how to generalize our attack to branching programs with an essentially arbitrary structure, including oblivious branching programs, and to programs achieving essentially arbitrary functionalities. This shows that the previously mentioned single-input obfuscators should be considered broken when instantiated with CLT13.

2 Preliminaries

Notation. We use \([a]_n\) or \(a\bmod {n}\) to denote a unique integer \(x\in (-\frac{n}{2},\frac{n}{2}]\) which is congruent to a modulo n. A set \(\{1,2,\dots ,n\}\) is denoted by [n]. Vectors and matrices will be denoted by bold letters. The transpose of a matrix \({\varvec{A}}\) is denoted by \({\varvec{A}}^T\).

2.1 Kronecker Product of Matrices

For any two matrices \(\varvec{A}\in R^{m\times n}\) and \(\varvec{B}\in R^{p \times q}\), we define the Kronecker product (or tensor product) of \(\varvec{A}\) and \(\varvec{B}\) as the block matrix \({\varvec{A}}\otimes {\varvec{B}}\in R^{(mp)\times (nq)}\) given by:

$$ {\varvec{A}}\otimes {\varvec{B}} = \begin{bmatrix} a_{11}\varvec{B}&\cdots&a_{1n}\varvec{B} \\ \vdots&\ddots&\vdots \\ a_{m1}\varvec{B}&\cdots&a_{mn}\varvec{B} \end{bmatrix}, \quad \text {where} \, \varvec{A} = (a_{ij}). $$

We will be using the following important property of the Kronecker product. Consider a matrix \({\varvec{C}}\in R^{n\times m}\) and let \({\varvec{c}}_i\in R^n\), \(i=1,\dots ,m\) be its column vectors, so that \({\varvec{C}} = \big [{\varvec{c}}_1,\dots ,{\varvec{c}}_m\big ]\). We denote by \({{\mathrm{\textsf {vec}}}}({\varvec{C}})\) the column vector of dimension mn formed by stacking the columns \(\varvec{c}_i\) of \({\varvec{C}}\) on top of one another:

$$ {{\mathrm{\textsf {vec}}}}({\varvec{C}})= \begin{bmatrix} {\varvec{c}}_1 \\ \vdots \\ {\varvec{c}}_m \end{bmatrix} \in R^{mn}. $$

Now for any three matrices \({\varvec{A}}\), \({\varvec{B}}\), and \({\varvec{C}}\) for which the matrix product \({\varvec{A}}\cdot {\varvec{B}}\cdot {\varvec{C}}\) is defined, the following property holds [Lau04, Chap. 13]:

$$ {{\mathrm{\textsf {vec}}}}({\varvec{A}}\cdot {\varvec{B}}\cdot {\varvec{C}})=({\varvec{C}}^T\otimes {\varvec{A}})\cdot {{\mathrm{\textsf {vec}}}}({\varvec{B}}) $$

(this follows from the fact that \({{\mathrm{\textsf {vec}}}}({\varvec{x}}{\varvec{y}}^T) = {\varvec{y}} \otimes {\varvec{x}}\) for any two column vectors \({\varvec{x}}\) and \({\varvec{y}}\)). Note that for any column vector \({\varvec{c}}\), \({{\mathrm{\textsf {vec}}}}({\varvec{c}})={\varvec{c}}\). This property has concurrently and independently been used in the variant of annihilation attacks introduced by Apon et al. [ADGM16].

2.2 CLT13 Multilinear Map

We briefly recall the asymmetric CLT13 scheme; we refer to [CLT13] for a full description. The CLT13 scheme relies on the Chinese Remainder Theorem (CRT) representation. For large secret primes \(p_k\)’s, let \(x_0=\prod _{k=1}^n p_k\). We denote by \(\mathsf {CRT}(a_1,a_2,\dots ,a_n)\) or \(\mathsf {CRT}(a_k)_k\) the number \(a\in {\mathbb Z}_{x_0}\) such that \(a\equiv a_k\pmod {p_k}\) for all \(k\in [n]\). The plaintext space of CLT13 scheme is \({\mathbb Z}_{g_1}\times {\mathbb Z}_{g_2}\times \cdots \times {\mathbb Z}_{g_n}\) for small secret integers \(g_k\)’s. An encoding of a vector \(\mathbf{a}=(a_1,\dots ,a_n)\) at level set \(S=\{i_0\}\) is an integer \(\alpha \in {\mathbb Z}_{x_0}\) such that \(\alpha =[\mathsf {CRT}(a_1+g_1r_1,\dots ,a_n+g_nr_n)/z_{i_0}]_{x_0}\) for small \(r_k\)’s, and where \(z_{i_0}\) is a secret mask in \({\mathbb Z}_{x_0}\) uniformly chosen during the parameters generation procedure of the multilinear map. To support a \(\kappa \)-level multilinearity, \(\kappa \) distinct \(z_i\)’s are used. We do not consider the straddling set system [BGK+14] since it is not relevant to our attacks.

Additions between encodings in the same level set can be done by modular additions in \({\mathbb Z}_{x_0}\). Multiplication between encodings can be done by modular multiplication in \({\mathbb Z}_{x_0}\), only when those encodings are in disjoint level sets, and the resulting encoding level set is the union of the input level sets. At the top level set \([\kappa ]\), an encoding of zero can be tested by multiplying it by the zero-test parameter \(p_{zt}=[\prod _{i=1}^\kappa z_i\cdot \mathsf {CRT}(p_k^*h_kg_k^{-1})_k]_{x_0}\) in \({\mathbb Z}_{x_0}\) where \(p_k^*=x_0/p_k\), and comparing the result to \(x_0\). If the result is small, then the encoding encodes a zero vector.¹

2.3 Indistinguishability Obfuscation

We borrow the definition of indistinguishability obfuscation from [GGH+13b], where iO for circuits are defined.

Definition 1

(Indistinguishability Obfuscator \({\varvec{(}}{{\mathbf {\mathsf{{iO}}}}}{\varvec{)).}}\) A uniform PPT machine iO is called an indistinguishability obfuscator for a circuit class \(\{\mathcal {C}_\lambda \}\) if the following conditions are satisfied:

• For all security parameters \(\lambda \in {\mathbb N}\), for all \(C\in \mathcal {C}_\lambda \), for all inputs x, we have that

  $$\begin{aligned} Pr[C'(x)=C(x)\ :\ C'\leftarrow \textsf {iO} (\lambda ,C)]=1. \end{aligned}$$

• For any (not necessarily uniform) PPT distinguisher D, there exists a negligible function \(\alpha \) such that the following holds: For all security parameters \(\lambda \in {\mathbb N}\), for all pairs of circuits \(C_0,C_1\in \mathcal {C}_\lambda \), we have that if \(C_0(x) = C_1(x)\) for all inputs x, then

  $$\begin{aligned} | Pr[D({\textsf {iO}}(\lambda ,C_0))=1]-Pr[D(\textsf {iO} (\lambda ,C_1))=1] |\le \alpha (\lambda ). \end{aligned}$$

Circuits can be directly obfuscated using circuit obfuscators [Zim15, AB15, DGG+16]. However, most of the iO candidate obfuscators (see [GGH+13b, MSW14, AGIS14, PST14, BMSZ16, GMM+16]) first convert the circuits to matrix branching programs, randomize them, and then obfuscated them using a candidate multilinear maps scheme such as [GGH13a, CLT13, GGH15].

Obviously, for the converted branching program \({\varvec{B}}\), the iO obfuscator \(\mathcal O\) should preserve the functionality: \({\varvec{B}}(x)=\mathcal O({\varvec{B}})(x)\) for all x. Moreover, for two functionally-equivalent branching programs \({\varvec{B}}\) and \({\varvec{B}}'\), \(\mathcal O(\mathbf B )\) and \(\mathcal O(\mathbf B ')\) should be computationally indistinguishable, unless they have different length or types of matrices. The concrete instance of such branching programs and their obfuscations are described in Sects. 3.1 and 3.2, respectively.

Note that, while the candidate multilinear maps [GGH13a, CLT13, GGH15] have recently been found to fail to securely realize multi-party key exchanges (see [HJ16, CHL+15, CLLT16a]), few weaknesses were found in the iO candidates over CLT13 (and GGH15 [GGH15]), mainly due to the absence of the low-level encodings of zeroes in the public domain. In [CGH+15], Coron et al. described an attack against the circuit obfuscators for simple circuits, and the GGHRSW obfuscator for branching programs with a special decomposable structure (but not on oblivious branching programs). Annihilations attacks [MSZ16] were recently introduced and allowed to break many iO candidates over GGH13; however, they do not carry to obfuscators over CLT13 as far as we know.

3 Zeroizing Attack on Indistinguishability Obfuscation of Simple Branching Programs

For simplicity, we describe our attack on the simple single input branching program introduced in [MSZ16]. We will show how to generalize our attack to oblivious branching programs with arbitrary functionalities in Sect. 4.

3.1 Target Branching Program

We consider the following branching program \({\mathbf {A}}\) that evaluates to zero for all t-bit inputs. Let us first define the function which describes what input bit is examined at the i-th step:

$$\begin{aligned} \mathsf{inp}(i)=\min (i,2t+1-i)\text { for } i\in [2t]\,. \end{aligned}$$

Now, the branching program is defined as follows:

$$\begin{aligned} {\mathbf {A}} = \{\mathsf{inp}, {\varvec{A}}_0, {\varvec{A}}_{2t+1}, {\varvec{A}}_{i,b}\ |\ i\in [2t], b\in \{0, 1\}\}\,, \end{aligned}$$

where

$$\begin{aligned} {\varvec{A}}_0=[0\ 1],\ {\varvec{A}}_{2t+1}=[1\ 0]^T,\ {\varvec{A}}_{i,0}={\varvec{A}}_{i,1}=\begin{bmatrix} 1&0 \\ 0&1\end{bmatrix}\text { for } i\in [2t]. \end{aligned}$$

It is evaluated in the usual way on \(x\in \{0,1\}^t\):

$$\begin{aligned} \mathbf {A}(x):={\varvec{A}}_0\times \prod _{i=1}^{2t} {\varvec{A}}_{i,x_{\mathsf{inp}(i)}} \times {\varvec{A}}_{2t+1}. \end{aligned}$$

3.2 Obfuscation of Branching Programs

To obfuscate a branching program, we follow the standard recipe of indistinguishability obfuscation constructions: use Kilian style randomization with extra scalar multiplications by random numbers, and encode the resulting matrices with the candidate multilinear maps.

Let us describe the obfuscation procedure of the branching program \({\mathbf {A}}\) from Sect. 3.1, over the CLT13 multilinear map. Let \(\prod _{k=1}^n {\mathbb Z}_{g_k}\) be the plaintext space of the CLT13 map, and denote \(g=\prod _{k=1}^n g_k\). We first choose random invertible matrices \(\{{\varvec{R}}_i\in {\mathbb Z}_g^{2\times 2}\}_{i\in [2t+1]}\) and non-zero scalars \(\{\alpha _{i,b}\in {\mathbb Z}_g\}_{i\in [2t],b\in \{0,1\}}\). Then the matrices in the branching program \({\mathbf {A}}\) are randomized using Kilian randomization, and we define \(\widetilde{\mathbf {A}}\) the randomized branching program:

$$\begin{aligned} \widetilde{\mathbf {A}}=\{\mathsf{inp}, {\widetilde{\varvec{A}}}_0, {\widetilde{\varvec{A}}}_{2t+1}, \widetilde{{\varvec{A}}}_{i,b}\ |\ i\in [2t], b\in \{0, 1\}\} \end{aligned}$$

where

$$\begin{aligned} {\widetilde{\varvec{A}}}_0={\varvec{A}}_0\cdot {\varvec{R}}_1^{-1} ,\ {\widetilde{\varvec{A}}}_{2t+1}= {\varvec{R}}_{2t+1}\cdot {\varvec{A}}_{2t+1},\ \widetilde{{\varvec{A}}}_{i,b}=\alpha _{i,b}\cdot {\varvec{R}}_i \cdot {\varvec{A}}_{i,b}\cdot {\varvec{R}}_{i+1}^{-1}, \end{aligned}$$

for \(i\in [2t]\), \(b\in \{0,1\}\).

Next, the randomized branching program \({\widetilde{\mathbf {A}}}\) is encoded using the CLT13 scheme. In order to evaluate the randomized branching program, our multilinear map must accommodate \(\kappa =2t+2\) products, i.e. the multilinearity level is set to \([\kappa ]\). Each element \(\tilde{a}\in {\mathbb Z}_g\) of the matrices \(\widetilde{{\varvec{A}}}_{i,b}\)’s is considered as a vector \(([\tilde{a}]_{g_1},\dots ,[\tilde{a}]_{g_n})\in {\mathbb Z}_{g_1}\times \cdots \times {\mathbb Z}_{g_n}\), and encoded as an integer \(\hat{a}\in {\mathbb Z}_{x_0}\) at level \(S=\{i\}\). In particular, we have that \(\hat{a}=[\mathsf {CRT}([\tilde{a}]_{g_1}+g_1r_1,\dots ,[\tilde{a}]_{g_n}+g_nr_n)/z_{i}]_{x_0}\) for small random integers \(r_k\)’s. The matrices \(\widetilde{{\varvec{A}}}_0\) and \(\widetilde{{\varvec{A}}}_{2t+1}\) are encoded analogously.

The resulting obfuscated branching program is

$${\widehat{\mathbf {A}}}= \{\mathsf{inp}, {\widehat{\varvec{A}}}_0, {\widehat{\varvec{A}}}_{2t+1}, \widehat{{\varvec{A}}}_{i,b}\ |\ i\in [2t], b\in \{0, 1\}\}$$

where \(\widehat{{\varvec{A}}}_{i,b}\) is an entry-wise encoding of \(\widetilde{{\varvec{A}}}_{i,b}\). The obfuscated branching program \(\widehat{\mathbf {A}}\) can be evaluated in the usual way: define A(x) be

$$\begin{aligned} A(x):={\widehat{\varvec{A}}}_0\times \prod _{i=1}^{2t} {\widehat{\varvec{A}}}_{i,x_{\mathsf{inp}(i)}} \times {\widehat{\varvec{A}}}_{2t+1}\times p_{zt}\bmod {x_0}. \end{aligned}$$

Then \(\widehat{\mathbf {A}}(x)=0\) if and only if A(x) is small compared to \(x_0\).

3.3 Attack over CLT13 Encoding

As in the previous zeroizing attacks [CHL+15, CGH+15] against the CLT13 graded encoding scheme, our approach will be to decompose the zero-tested values A(x) into a product of several factors that can be made to vary independently. We then use those varying factors to construct a matrix that will reveal the factorization of the modulus \(x_0\), and hence entirely break the security of the scheme.

To obtain this decomposition, we will rely on the identity \({{\mathrm{\textsf {vec}}}}({\varvec{A}}{\varvec{B}}{\varvec{C}})=({\varvec{C}}^T\otimes {\varvec{A}}){{\mathrm{\textsf {vec}}}}({\varvec{B}})\) (see Sect. 2.1). First, we define several matrices \(\varvec{B}(x)\), \(\varvec{B}'(x)\), \(\varvec{C}(x)\), \(\varvec{C}'(x)\), and \(\varvec{D}(x)\) as products of consecutive factors appearing in the product A(x):

(1)

for a specific \(s\in [1, t-2]\). Using the identity above, we can then rewrite A(x) as follows:

$$\begin{aligned} A(x)&= {\varvec{B}(x)}\times ({\varvec{C}(x)} {\varvec{D}(x)} {\varvec{C}'(x)})\times {\varvec{B}'(x)} \times p_{zt}\bmod {x_0}\\&= {{\mathrm{\textsf {vec}}}}\Big ({\varvec{B}(x)}\times \big ({\varvec{C}(x)}{\varvec{D}(x)}{\varvec{C}'(x)}\big )\times {\varvec{B}'(x)}\Big ) \times p_{zt}\bmod {x_0}\\&= \big ({\varvec{B}'(x)}^T\otimes {\varvec{B}(x)}\big )\times {{\mathrm{\textsf {vec}}}}\big ({\varvec{C}(x)}{\varvec{D}(x)}{\varvec{C}'(x)}\big )\times p_{zt}\bmod {x_0}\\&= \big ({\varvec{B}'(x)}^T\otimes {\varvec{B}(x)}\big )\times \big ({\varvec{C}'(x)}^T\otimes {\varvec{C}(x)}\big )\times {{\mathrm{\textsf {vec}}}}\big ({\varvec{D}(x)}\big )\times p_{zt}\bmod {x_0}. \end{aligned}$$

Note that in the above equation, \({\varvec{B}'(x)}^T\otimes {\varvec{B}(x)}\) is a row vector of dimension 4, \({\varvec{C}'(x)}^T\otimes {\varvec{C}(x)}\) is a \(4 \times 4\) matrix, and \({{\mathrm{\textsf {vec}}}}\big ({\varvec{D}(x)}\big )\) is a column vector of dimension 4.

Furthermore, recall that CRT values have the property that \(\mathsf {CRT}(p^*_k\cdot u_k)_{k} = \sum _k p^*_k\cdot u_k \bmod x_0\) for any tuple \((u_k)_k\), and the relation holds over \({\mathbb Z}\) when the \(u_k\)’s are small compared to the \(p_k\)’s. Now, for a multilinear encoding \(\alpha \) with level set S, denote by \([\alpha ]^{(k)}\) its underlying CRT component modulo \(p_k\) (and similarly for vectors and matrices of encodings); in other words:

$$ \alpha = \mathsf {CRT}\big ([\alpha ]^{(1)},\dots ,[\alpha ]^{(n)}\big )\cdot \prod _{i\in S} z_i^{-1} \bmod x_0. $$

With that notation and since \(p_{zt}=\prod _{i=1}^\kappa z_i\cdot \sum _{k=1}^n h_kp^*_kg_k^{-1}\bmod {x_0}\), where n is the number of primes \(p_k\) in \(x_0\), the expression of A(x) can be extended further as:

(2)

where the three matrices are respectively of dimensions \(1\times 4n\), \(4n\times 4n\) and \(4n\times 1\). For all x, the fact that the branching program evaluates to zero (and hence A(x) is an encoding of zero) ensures that the relation holds over \({\mathbb Q}\) and not just modulo \(x_0\): indeed, it guarantees that the factor that each \(p^*_k\) gets multiplied with is small modulo \(p_k\).

Now the key point of the attack is that the first matrix in the relation above depends only on the first s bits of the input x, the second matrix only on the \((s+1)\)-st bit of x, and the third matrix on the remaining \((t-s-1)\) bits of x. Given integers i, j, b with \(0\le i<2^s\), \(0\le j<2^{t-s-1}\) and \(b\in \{0,1\}\), denote by \(W^{(b)}_{ij}\) the value \(A(x)\in {\mathbb Z}\) corresponding to the input x whose first s bits are the binary expansion of i, whose last \((t-s-1)\) bits are the binary expansion of j and whose \((s+1)\)-st bit is b. By the above, we can write \(W^{(b)}_{ij}\) in the form:

$$\begin{aligned} W^{(b)}_{ij} = \varvec{X}_i \cdot \varvec{U}^{(b)} \cdot \varvec{Y}_j \end{aligned}$$

where \(\varvec{X}_i\) is the row vector of size 4n, \(\varvec{Y}_j\) the column vector of size 4n and \(\varvec{U}^{(b)}\) the square matrix of size 4n that appear in Eq. (2).

Assuming that \(2^{\min (s,t-s-1)}\ge 4n\) (which can be achieved by taking \(s=\lfloor t/2 \rfloor \) as long as \(2^{t/2}\ge 8n\)), we can thus form two matrices \(\varvec{W}^{(0)}\), \(\varvec{W}^{(1)}\) with any choice of 4n indices i and j, and those matrices satisfy a relation of the form \(\varvec{W}^{(b)} = \varvec{X}\cdot \varvec{U}^{(b)}\cdot \varvec{Y}\) with \(\varvec{X}\), \(\varvec{Y}\) square matrices of dimension 4n independent of b. The attack strategy is then similar to [CGH+15]. With high probability on the sets of indices i and j, these matrices will be invertible over \({\mathbb Q}\), and we will have:

$$ \varvec{W}^{(0)}\big (\varvec{W}^{(1)}\big )^{-1} = \big (\varvec{X}\varvec{U}^{(0)}\varvec{Y}\big )\cdot \big (\varvec{X}\varvec{U}^{(1)}\varvec{Y}\big )^{-1} = \varvec{X}\cdot \varvec{U}^{(0)} \big (\varvec{U}^{(1)}\big )^{-1} \cdot \varvec{X}^{-1}. $$

In particular, the characteristic polynomials of the matrices \(\varvec{W}^{(0)}\big (\varvec{W}^{(1)}\big )^{-1}\) and \(\varvec{U}^{(0)} \big (\varvec{U}^{(1)}\big )^{-1}\) are equal, and since we know the \(\varvec{W}^{(b)}\), we can compute that common polynomial P in polynomial time, together with its factorization. Now the latter matrix is block diagonal, and satisfies:

$$ \varvec{U}^{(0)} \big (\varvec{U}^{(1)}\big )^{-1} \equiv \begin{bmatrix} \ddots&\\ {}&\varvec{\varGamma }\bmod p_k&\\&\ddots \end{bmatrix} \pmod {x_0} $$

where \(\varvec{\varGamma } = \big (\varvec{C}_0'^T\otimes \varvec{C}_0\big ) \cdot \big (\varvec{C}_1'^T\otimes \varvec{C}_1\big )^{-1}\) (with obvious definitions for \(\varvec{C}_0\), \(\varvec{C}_0'\), \(\varvec{C}_1\), \(\varvec{C}_1'\)). Therefore, P decomposes as a product of factors \(P_k\), \(k=1,\dots ,n\), such that \(P_k(\varvec{\varGamma }) \equiv 0 \pmod {p_k}\). Moreover, as characteristic polynomials over \({\mathbb Q}\) are essentially random matrices, the polynomials \(P_k\) should heuristically be irreducible with high probability, and hence occur directly in the factorization of P (that assumption, which is well verified in practice, appears as Conjecture 1 in [CGH+15, Sect. 3.3]). This yields to the complete recovery of the \(p_k\)’s as \(p_k = \gcd \big (x_0,P_k(\varvec{\varGamma })\big )\), where the \(P_k\) are the irreducible factors of P.

Clearly, once the \(p_k\)’s are found, it is straightforward to break indistinguishability obfuscation. Indeed, given any two multilinear encodings at level \(\{i\}\), applying rational reconstruction to their ratio modulo \(p_k\) reveals \(z_i\bmod p_k\), and hence the entire \(z_i\). Then, even if the \(g_k\)’s are kept secret, rational reconstruction again applied to \(p_{zt}\) allows to recover them. This makes it possible to completely “decrypt” multilinear encodings, and hence obtain the full original randomized branching program \(\widetilde{\mathbf {A}}\).

In particular, we can distinguish between the obfuscation of two branching programs whenever they are inequivalent under Kilian’s randomization.

3.4 Implementation of the Attack

Since the attack relies on some heuristic assumptions regarding e.g. the irreducibility of the factors of the characteristic polynomial of \(\varvec{U}^{(0)} \big (\varvec{U}^{(1)}\big )^{-1}\) corresponding to its block diagonal submatrices, we have written an implementation to check that these assumptions were indeed satisfied in practice. The source code in Sage [S+16] is provided in the full version [CLLT16b].

Running that implementation, we have verified that we could always recover the full factorization of \(x_0\) efficiently.

4 Generality of Our Attack

In the previous section, we have described a zeroizing attack that breaks CLT13-based indistinguishability obfuscation for a specific branching program (previously considered in [MSZ16]) for which no previous attack was known in the CLT13 setting. In particular, that program does not have the decomposable structure required to apply the attack of [CGH+15, Sect. 3.4]. In that sense, we do extend the scope of zeroizing attacks beyond the setting of [CGH+15].

However, our attack setting may seem quite special at first glance. In particular, the following aspects of our attack may seem to restrict its generality:

• we have described our attack against a somewhat simplified obfuscation construction, that yields \(2\times 2\) matrix encodings and does not include all the countermeasures against potential attacks suggested in [GGH+13b] and later papers;

• our attack appears to rely in a crucial way on the specific structure of the branching program \({\mathbf {A}}\) (and its \(\textsf {inp}\) function in particular) in order to achieve the partitioning necessary to apply zeroizing techniques;

• we only target a branching program for a very simple functionality (the identically zero function).

In this section, we show that all of these limitations can be overcome, so that our attack is in fact quite general:

• we can apply it to almost all proposed (single-input) iO candidates instantiated over CLT13 multilinear maps, including the single-input variants of [GGH+13b, MSW14, AGIS14, PST14, BGK+14, BMSZ16];

• we can extend it to branching programs with an essentially arbitrary structure, including oblivious branching programs;

• we can mount it with programs achieving essentially arbitrary functionalities.

4.1 Attacking Other Obfuscators

The attack of Sect. 3 targets a somewhat simplified obfuscator that takes a branching program, randomizes it using Kilian-style random matrices together with multiplicative bundling with random scalars \(\alpha _{i,b}\), and outputs multilinear encodings of the resulting randomized matrices directly. Actual candidate constructions of indistinguishability obfuscation in the literature, on the other hand, are usually more complicated, and typically involve extending the matrices in the original branching program using diagonal blocks that get canceled out when carrying out multilinear zero testing. The goal of these changes is usually to protect against classes of attacks that could exploit the particular algebraic structure of branching programs in undesirable ways—see e.g. [GMM+16] and references therein.

However, for the most part, these additional security features have no incidence on the applicability of our attack. This is because we only rely on the zero-testing of top-level multilinear encodings of zero being small—the precise algebraic structure of the matrices involved is essentially irrelevant for our purposes. This is in contrast, in particular, with Miles et al.’s annihilation attacks [MSZ16], which do exploit algebraic properties of the branching program matrices (such as low-degree polynomial relations they satisfy), and hence get thwarted by the submatrices used in [GGH+13b, GMM+16]. Recently, Chen, Gentry and Halevi extended annihilation attacks to [GGH+13b] using the “multiplicative bundling” scalars.

More precisely, the only difference between proposed obfuscators that matters in our attack is the dimension of the matrix encodings involved. If the obfuscated branching program \(\widehat{\mathbf {A}}\) consists of \(w\times w\) matrices instead of \(2\times 2\) matrices as in Sect. 3, \(\varvec{C}'(x)^T\otimes \varvec{C}(x)\) is of dimension \(w^2\). As a result, we need to construct matrices \(\varvec{W}^{(b)}\) of dimension \(w^2n\), and in particular the number t of input bits should satisfy \(2^{t/2}\ge 2w^2n\).

Note that this condition is never a restriction in non-trivial cases: this is because \(2^{t/2} < 2w^2 n\) implies that there is only a logarithmic number of input bits, or in other words a polynomial-size domain. But indistinguishability obfuscation for functions with a polynomial-size domain is trivial: it is equivalent to giving out the graph of the function in full, since it is a canonical (hence indistinguishable) representation, and anyone with access to an obfuscation can recover it in polynomial time.

We finish this paragraph by reviewing several candidate iO constructions and discussing how they fit within the argument above. This will prove Theorem 1, which we now recall.

Theorem 1

Let \(\mathcal O\) denote the single-input variant of the iO candidates in [GGH+13b, MSW14, AGIS14, PST14, BGK+14, BMSZ16] (over CLT13 multilinear maps). There exists a branching program \(\mathbf A\) such that, given \(\mathcal O(\mathbf A)\), one can break the CLT13 multilinear maps in polynomial-time.

[AGIS14, MSW14, BMSZ16]. The obfuscator described in Sect. 3.2 is essentially identical to the single-input versions of the constructions from [AGIS14, MSW14, BMSZ16]. The only difference is that those papers do not directly encode matrices at singleton multilinear levels \(\{i\}\), but use a more complicated level structure involving straddling sets. Since our attack relies on the honest evaluation of the obfuscated branching program, it automatically respects the multilinear level structure of any correct obfuscator. Therefore, it applies to those schemes without any change.

[GGH+13b]. The main difference between the obfuscator described in Sect. 3.2 and the one proposed in [GGH+13b] is that the latter extends the original branching program matrices \(\varvec{A}_{i,b}\) by random diagonal matrices \(\varvec{\varDelta }_{i,b}\) of dimension \(d=8t+10\) before applying Kilian’s randomization and multilinear encoding (and the matrices \(\varvec{A}_{i,b}\) themselves are assumed to be of dimension 5 instead of 2, to accommodate for the original formulation of Barrington’s theorem). In other words, the randomized branching program \(\widetilde{\mathbf {A}}\) has the form:

$$\begin{aligned} \widetilde{\varvec{A}}_{i,b} = \alpha _{i,b}\varvec{R}_i\cdot \begin{bmatrix} \varvec{A}_{i,b}&\\ {}&\varvec{\varDelta }_{i,b} \end{bmatrix}\cdot \varvec{R}_{i+1}^{-1}, \end{aligned}$$

with the bookend matrices \(\widetilde{\varvec{A}}_0\), \(\widetilde{\varvec{A}}_{2t+1}\) adapted in such a way that the condition:

$$ \mathbf {A}(x)=0 \quad \text {if and only if}\quad \widetilde{\varvec{A}}_0 \cdot \prod _i\widetilde{\varvec{A}}_{i,x_{\textsf {inp}(i)}} \cdot \widetilde{\varvec{A}}_{2t+1} = 0 $$

continues to hold. Because that condition holds, our attack applies in exactly the same way, except again for the fact that the dimension of encoded matrices \(\widetilde{\varvec{A}}_{i,b}\) increases from 2 to \(w=d+5=8t+15\). This means that the condition on t becomes \(2^{t/2}\ge 2(8t+15)^2n\), which is, again, not a meaningful restriction.

[PST14]. The situation for the obfuscator of [PST14] is similar. In that scheme, the randomized branching program \(\widetilde{\mathbf {A}}\) takes the form:

$$ \widetilde{\varvec{A}}_{i,b} = \alpha _{i,b}\varvec{R}_i\cdot \begin{bmatrix} \varvec{A}_{i,b}&\\ {}&\varvec{I}_5 \end{bmatrix}\cdot \varvec{R}_{i+1}^{-1}, $$

where \(\varvec{I}_5\) is simply the \(5\times 5\) identity matrix, and the original branching program matrices are also assumed to be of dimension 5. Again, our attack extends to that setting directly, the only difference being that the dimension of encoded matrices \(\widetilde{\varvec{A}}_{i,b}\) increases from 2 to \(w=10\). The fact that the scheme from [PST14] uses straddling sets has, again, no bearing on the applicability of our techniques.

[BGK+14]. In the [BGK+14] obfuscator, the shape of the obfuscated branching program and the zero-testing condition look a bit different. More precisely, in that scheme, the randomized branching program is basically the same as \(\widetilde{\mathbf {A}}\) from Sect. 3.2 together with the values \(\alpha _{i,b}\) of the scalar randomizers except that they use random vectors for \({\varvec{A}}_0\) and \({\varvec{A}}_{2t+1}\). And \(\alpha _{i,b}\) and \({\varvec{A}}_0\cdot {\varvec{A}}_{2t+1}\) are also included in the randomized branching program. Moreover, the zero-testing condition is modified: \(\widetilde{\mathbf {A}}(x)=0\) if and only if

$$\begin{aligned} \widetilde{\varvec{A}}_0 \cdot \prod _i\widetilde{\varvec{A}}_{i,x_{\textsf {inp}(i)}} \cdot \widetilde{\varvec{A}}_{2t+1} = \gamma \cdot \prod _i\alpha _{i,x_{\textsf {inp}(i)}}, \end{aligned}$$

(3)

where \(\gamma ={\varvec{A}}_0\cdot {\varvec{A}}_{2t+1}\). The output of the obfuscator is then essentially the same obfuscated branching program \(\widehat{\mathbf {A}}\) from Sect. 3.2 together with encodings \(\widehat{\alpha }_{i,b}\) of the values \(\alpha _{i,b}\) at the same multilinear level as \(\widehat{\varvec{A}}_{i,b}\) as well as the encoding \(\widehat{\gamma }\) of \(\gamma \). And the evaluation is carried out by applying zero-testing to Eq. (3), given multilinear encodings \(\widehat{\varvec{A}}_0\), \(\widehat{\varvec{A}}_{2t+1}\), \(\widehat{\varvec{A}}_{i,b}\), \(\widehat{\alpha }_{i,b}\), and \(\widehat{\gamma }\).

Our attack can be adapted to this construction. Since multiplication between scalars is commutative, the scalar values on the right-hand side of (3) can be freely decomposed into several parts. In view of (1), let us decompose the set [2t] into a partition: \(S_1=\{1,\dots ,s,2t-s+1,\dots ,2t\}\), \(S_2=\{s+1,2t-s\}\), and \(S_3=\{s+2,\dots ,2t-s-1\}\). Then we can decompose the above mentioned scalar values into three parts:

$$\begin{aligned} \gamma \prod _i\alpha _{i,x_{\textsf {inp}(i)}}=\gamma \prod _{i\in S_1}\alpha _{i,x_{\textsf {inp}(i)}} \times \prod _{i\in S_2}\alpha _{i,x_{\textsf {inp}(i)}} \times \prod _{i\in S_3}\alpha _{i,x_{\textsf {inp}(i)}}. \end{aligned}$$

Since the left hand side of (3) is the same as in Sect. 3.2, the expression in (2) can be extended to the zero-testing of (3) as follows:

$$\begin{aligned} \begin{aligned} A(x)&= \begin{bmatrix}\dots&\big [{\varvec{B}'(x)}^T\otimes {\varvec{B}(x)}\big ]^{(k)}&\big [ \delta _1\big ]^{(k)}&\dots \end{bmatrix} \\&\qquad \times \begin{bmatrix}\ddots&&\\&p_k^*h_kg_k^{-1}\cdot \big [{\varvec{C}'(x)}^T\otimes {\varvec{C}(x)} \big ]^{(k)}&\\&\qquad p_k^*h_kg_k^{-1}\cdot \big [ \delta _2\big ]^{(k)}&\\&&\ddots \end{bmatrix} \\&\qquad \qquad \times \begin{bmatrix} \vdots \\ \big [{{\mathrm{\textsf {vec}}}}({\varvec{D}(x)}) \big ]^{(k)}\\ -\big [ \delta _3\big ]^{(k)} \\ \vdots \end{bmatrix}, \end{aligned} \end{aligned}$$

where \(\delta _1=\widehat{\gamma }\prod _{i\in S_1}\widehat{\alpha }_{i,x_{\textsf {inp}(i)}}\), \(\delta _2=\prod _{i\in S_2}\widehat{\alpha }_{i,x_{\textsf {inp}(i)}}\), and \(\delta _3=\prod _{i\in S_3}\widehat{\alpha }_{i,x_{\textsf {inp}(i)}}\).

Here, the three matrices are respectively of dimensions \(1\times 5n\), \(5n\times 5n\) and \(5n\times 1\) when \(w=2\). And we can then complete the attack in a manner similar to Sect. 3.3. The condition for this attack to succeed becomes: \(2^{t/2}\ge 2(w^2+1)n\).

4.2 Attacking Branching Programs with Arbitrary Structure

Another apparent limitation of our attack is related to the particular structure of the branching program \(\mathbf {A}\), and in particular its \(\textsf {inp}\) function. Indeed, the key point of our attack is our ability to obtain a partitioning of the branching program, i.e. express the associated zero-test value A(x) as a product of three successive factors depending on disjoint subsets of input bits. We achieved this by observing that A(x) can be put in the form:

$$ A(x) = {\varvec{B}(x)}\cdot {\varvec{C}(x)} \cdot {\varvec{D}(x)} \cdot {\varvec{C}'(x)}\cdot {\varvec{B}'(x)} \times p_{zt}\bmod {x_0} $$

where \(\varvec{B}(x), \varvec{B}'(x)\) depend on one subset of input bits, \(\varvec{C}(x)\), \(\varvec{C}'(x)\) a different, disjoint subset, and \(\varvec{D}(x)\) on a third subset disjoint from the first two. We then used the tensor product identity mentioned in Sect. 2.1 to reorder those matrices so as to get a factor depending only on \(\varvec{B}(x)\) and \(\varvec{B}'(x)\) on the left, another one depending only on \(\varvec{C}(x)\) and \(\varvec{C}'(x)\) in the middle, and a last one depending only on \(\varvec{D}(x)\) on the right:

$$ A(x) = \big ({\varvec{B}'(x)}^T\otimes {\varvec{B}(x)}\big )\times \big ({\varvec{C}'(x)}^T\otimes {\varvec{C}(x)}\big )\times {{\mathrm{\textsf {vec}}}}\big ({\varvec{D}(x)}\big )\times p_{zt}\bmod {x_0}. $$

This technique seems to rely in an essential way on the order in which input bits are assigned to successive branching program layers, and although we did not come up with the branching program \(\mathbf {A}\) ourselves (as it was proposed earlier in [MSZ16]), we have to admit that it is rather special.

Indeed, proposed candidate iO constructions are often supposed to operate on oblivious branching programs, whose length is a multiple of the number t of input bits and whose \(\textsf {inp}\) function is fixed to \(\textsf {inp}(i) = (i\bmod t)+1\) (i.e. the input bits are associated to successive layers in cyclic order). This is natural, since all branching programs can be trivially converted to that form, and a canonical \(\textsf {inp}\) function is needed to ensure indistinguishability. However, the branching program \(\mathbf {A}\) above is not oblivious, and it is not immediately clear that our partitioning technique based on tensor products extends to that case.

Fortunately, it turns out that our technique does extend to oblivious (and hence to arbitrary) branching programs as well, at the cost of an increase in the dimension of the matrix encodings involved. There is in fact a simple greedy algorithm that will convert any scalar expression consisting of a product of three types of matrices \(\varvec{B}_i\), \(\varvec{C}_i\), \(\varvec{D}_i\) to an equal product of three factors, the first of which involves only the \(\varvec{B}_i\)’s, the second only the \(\varvec{C}_i\)’s and the third only the \(\varvec{D}_i\)’s. Writing down a description of the algorithm would be somewhat tedious, but it is easy to understand on an example.

If we consider for example an oblivious branching program \(\mathbf {A}_2\) of length 2t (i.e. with two groups of t layers associated with all successive input bits), the corresponding zero-test value can be put in the form:

$$ A(x) = {\varvec{B}}\cdot {\varvec{C}} \cdot {\varvec{D}} \cdot {\varvec{B}'}\cdot {\varvec{C}'} \cdot \varvec{D}'\cdot p_{zt}\bmod {x_0} $$

where, again, \(\varvec{B}, \varvec{B}'\) depend on one subset of input bits, \(\varvec{C}\), \(\varvec{C}'\) a different, disjoint subset, and \(\varvec{D}\), \(\varvec{D}'\) on a third subset disjoint from the first two (and we omit the dependence of these matrices on x to simplify notations). The matrices all have dimension \(w\times w\), except the first and the last, which are of dimension \(1\times w\) and \(w\times 1\) respectively. Denoting by \(A_{zt}\) the value such that \(A(x)=A_{zt}\cdot p_{zt}\bmod x_0\), we can then put \(A_{zt}\) in the desired partitioned form as follows:

$$\begin{aligned} A_{zt}&= \varvec{B}\varvec{C}\cdot {{\mathrm{\textsf {vec}}}}\big ( \varvec{D}\cdot (\varvec{B}'\varvec{C}')\cdot \varvec{D}'\big )\\&= \varvec{B}\varvec{C} \big (\varvec{D}'^T \otimes \varvec{D}\big ){{\mathrm{\textsf {vec}}}}(\varvec{I}_w\varvec{B}'\varvec{C}') \\&= \varvec{B}\varvec{C} \big (\varvec{D}'^T \otimes \varvec{D}\big ) \big (\varvec{C}'^T\otimes \varvec{I}_w\big ){{\mathrm{\textsf {vec}}}}(\varvec{B}') \\&= \big ({{\mathrm{\textsf {vec}}}}(\varvec{B}')^T\otimes \varvec{B}\big )\cdot {{\mathrm{\textsf {vec}}}}{\Big (\varvec{C} \big (\varvec{D}'^T \otimes \varvec{D}\big ) \big (\varvec{C}'^T\otimes \varvec{I}_w\big )\Big )}\\&= \big ({{\mathrm{\textsf {vec}}}}(\varvec{B}')^T\otimes \varvec{B}\big )\cdot \big (\varvec{C}'\otimes \varvec{I}_w\otimes \varvec{C}\big )\cdot {{\mathrm{\textsf {vec}}}}{\big (\varvec{D}'^T \otimes \varvec{D}\big )}, \end{aligned}$$

and clearly a similar procedure works for any number of layer groups, allowing us to adapt the attack to oblivious branching programs in general.

However, for an oblivious branching program of length mt (with m groups of t layers), we can see that the dimension of the resulting square matrix in the middle is given by \(w^{2m-1}\), and therefore, we need to have \(2^{t/2}\ge nw^{2m-1}\) to obtain sufficiently many zeros to apply the zeroizing technique. As a result, we can attack oblivious branching programs only when the number m of layer groups is not too large compared to the number t of input bits. In particular, we cannot break the obfuscation of oblivious branching programs with length greater than \(\omega (t^2)\) using that technique.

Thus, in principle, using oblivious branching programs whose length is quite large compared to the number of inputs might be an effective countermeasure against our attack. It remains to be seen whether further improvements could yield to a successful attack against oblivious branching programs of length \(\varOmega (t^c)\) for \(c>2\).

On the flip side, we will see below that by adding “dummy” input bits, we can pad essentially any oblivious branching program into another oblivious branching program that computes the same functionality (ignoring the dummy input bits), with the same number of layer groups, and whose obfuscation is broken using our techniques.

4.3 Attacking Arbitrary Functionalities

The attack on Sect. 3 was described against a branching program for the always-zero function. Since we do not use any property of the underlying matrices other than the fact that the program evaluates to zero on many inputs, it is clear that the attack should extend to branching programs for other functionalities as well. Describing the class of functionalities we can capture in that way is not easy, however.

If we take for example a branching program \(\mathbf {A''}\) with the same input size, the same length and the same \(\textsf {inp}\) function as \(\mathbf {A}\) (and with encoding matrices of dimension w, say), then a sufficient condition for the attack to apply to \(\mathbf {A''}\) is essentially that we can find sufficiently many “contiguous” inputs on which the program evaluates to zero. More precisely, suppose that we can find a subset R of the set [t] of input bit indices and an assignment \((y_r)_{r\in R}\in \{0,1\}^R\) of these input bits such that \(\mathbf {A''}\) evaluates to zero on all inputs \(x\in \{0,1\}^t\) that coincide with \((y_r)\) on R. In other words:

$$ \big (\forall r\in R,\ x_r=y_r\big )\Longrightarrow \mathbf {A''}(x)=0. $$

Then we can break the obfuscation of \(\mathbf {A''}\) using the obfuscator of Sect. 3.2 as soon as \(2^{(t-r)/2}\ge 2w^2n\). The idea is simply to apply the attack in Sect. 3.3 with s chosen in such a way that \(s+1\) is exactly the \((\lfloor (t-r)/2\rfloor +1)\)-st element of \([t]\setminus R\) (in increasing order). Then, A(x) satisfies Eq. (2) for all values of x with \(x_r=y_r\) for \(r\in R\). This provides at least \(2^{(t-r)/2-1}\) choices for \(\varvec{X}_i\), \(2^{(t-r)/2-1}\) for \(\varvec{Y}_j\) and two choices for \(\varvec{U}^{(b)}\), so we have enough zero values to apply the attack.

While the condition above is quite contrived, it should be satisfied by many branching programs (especially as \(t-r\) can be chosen to be logarithmic: it follows that almost all functionalities should satisfy the condition), including many natural examples (a branching program whose underlying circuit is the nontrivial conjunction of two sub-circuits, one of which depends only on \(t-r\) input bits would be an example). But it gives little insight into the class of functionalities we end up capturing.

A different angle of approach towards this problem is the padding technique already considered in [MSZ16, Sect. 3.3]. Given a branching program \(\mathbf {A}_0\) implementing any functionality and for which we can find an input where it evaluates to zero, we can convert it into another branching program \(\mathbf {A}_0^*\) with slightly more input bits, that implements the same functionality (it simply ignores the additional dummy input bits and evaluates to the same values as \(\mathbf {A}_0\) everywhere), and whose obfuscation is broken using our attack.

This is in fact trivial: take the branching program \(\mathbf {A}_0\), and append to it (before the final bookend matrix) additional layers associated with the new input bits consisting entirely of identity matrices, in the same order as the \(\textsf {inp}\) function of the branching program \(\mathbf {A}\) from Sect. 3.1. Since all the added layers contain only identity matrices, they do not change the functionality at all. Then, if we simply fix the non-dummy input bits to the value on which we know \(\mathbf {A}_0\) vanishes, we are exactly reduced to the setting of Sect. 3.3, and our attack applies directly.

This may be a bit too trivial, however, since we could just as well append a branching program with a “decomposable” structure in the sense of [CGH+15, Sect. 3.4], and the corresponding attack would apply already.

A less trivial observation is that we can start from any oblivious branching program \(\mathbf {A}_0\) (for which we know an input evaluating to zero), and convert it to another oblivious branching program \(\mathbf {A}_0^*\) with more input bits but the same number of layer groups, that implements the same functionality in the sense above, and whose obfuscation is, again, broken using our attack.

The idea this time is to add layers associated with the dummy input bits with all-identity matrices in each layer group. This does not change the functionality, and once we fix the original input bits to the input evaluating to zero, we are reduced to breaking an oblivious branching program for the always-zero function with a fixed number m of layer groups and a number of input bits that we can choose. By the discussion of Sect. 4.2 above, if the matrix encodings are of dimension w, it suffice to add t dummy inputs bits where \(2^{t/2}\ge nw^{2m-1}\), which is always achievable.

5 Conclusion

Our attack shows that the single-input candidate iO constructions for branching programs over the CLT13 multilinear map proposed in the literature should be considered insecure. We leave as a challenging open problem how to extend our attack to the dual-input iO schemes.