ZEROIZING ATTACKS ON CRYPTOGRAPHIC MULTILINEAR MAPS

MARIANA RAYKOVA
SRI AND YALE UNIVERSITY
Joint work with Jean-Sébastien Coron, Craig Gentry, Shai Halevi,
Tancrède Lepoint, Hemanta Maji, Eric Miles, Amit Sahai, Mehdi Tibouchi
*thanks Eric Miles for some slides
CRYPTOGRAPHIC MULTILINEAR MAPS (MMAPS)
• Goal: compute on encoded data that is secret
• Not fully homomorphic encryption (FHE)
• Similarity:
• Encode values E(a)
• Evaluate polynomials p(x) over the encoded values E(p(a))
• Difference:
• FHE: cannot learn anything about encoded values without secret key
• MMAPS: zero-test - reveal whether the encoded value is zero using public
parameters (for some types of encodings)
• Introduced by Boneh, Silverberg 2003
• Generalization of bilinear maps that “would have far-reaching
consequences in cryptography”
• Compute beyond quadratic functions on the encoded data
MMAPS APPLICATIONS
• Bilinear maps:
• identity-based encryption (IBE),
• attribute-based encryption for formulas (ABE),
• predicate encryption (simple predicates),
• efficient non-interactive zero-knowledge proofs…
• Multilinear maps [BS03]:
• one round n-way Diffie-Hellman key exchange,
• unique signatures and verifiable pseudorandom functions,
• broadcast encryption with short keys and transmissions
• Last few years – explosion of applications:
• functional encryption for all circuits,
• witness encryption,
• program obfuscation, …
• “We hope this ample motivation will eventually lead to an efficient construction for
a cryptographic multilinear map. We also give evidence that such maps might
have to either come from outside the realm of algebraic geometry or occur as
‘unnatural’ computable maps arising from geometry.” [BS03]
ROAD OF MMAP CONSTRUCTIONS
• First generation
• [Garg-Gentry-Halevi’13] – from ideal lattices
• [Coron-Lepoint-Tibouchi’13] – from the Chinese Remainder Theorem
• [Gentry-Gorbunov-Halevi’15] – from standard lattices
• Second generation
• [Coron-Lepoint-Tibouchi’15] – modification of [CLT13] in response to the zeroizing attacks of [Cheon-Han-Lee-Ryu-Stehlé’14], [Boneh-Wu-Zimmerman’14] and [CGHLMMRST15]
• [Gentry-Halevi-Lepoint’15] – modification of [GGH13] in response to the zeroizing attacks of [GGH13], [CGHLMMRST15] and [Hu-Jia’15]; recent attack on it by Brakerski-Gentry-Halevi-Lepoint-Sahai-Tibouchi
MMAP DEFINITION
• [BS03] Given groups $G_1$ and $G_2$ of the same prime order $p$, $e : G_1^n \to G_2$ is a multilinear map if
• $e(g^{a_1}, \dots, g^{a_n}) = e(g, \dots, g)^{a_1 \cdots a_n}$ for all $g \in G_1$ and $a_1, \dots, a_n \in \mathbb{Z}_p$
• $e$ is non-degenerate: if $g$ is a generator of $G_1$, then $e(g, \dots, g)$ is a generator of $G_2$
• Bilinear map when $n = 2$
• Asymmetric setting: $e : G_1 \times \dots \times G_k \to G_{k+1}$
• MMP = (InstGen, Encode, GroupOp, Mmap)
• InstGen: public param $= (p, g_1, \dots, g_{k+1}, G_1, \dots, G_{k+1}, e)$
• Encode: unique encoding $\mathrm{Encode}(\text{param}, i, x) = g_i^x$
• GroupOp: $\mathrm{add}(g_i^x, g_i^y) = g_i^{x+y}$
• Mmap: $e(g_1^{a_1}, \dots, g_k^{a_k}) = e(g_1, \dots, g_k)^{a_1 \cdots a_k}$
HARDNESS ASSUMPTIONS
• Discrete log is hard:
$\Pr[\mathcal{A}(\text{param}, i, g_i^r) = r : \text{param} \leftarrow \mathrm{InstGen};\ r \leftarrow \mathbb{Z}_p] < \text{negl}$
• Hardness assumption – multilinear DDH (MDDH) assumption:
$\{g^{a_1}, \dots, g^{a_n}, g^{a_{n+1}}, e(g, \dots, g)^{a_1 \cdots a_n a_{n+1}}\} \approx \{g^{a_1}, \dots, g^{a_n}, g^{a_{n+1}}, e(g, \dots, g)^{\text{random}}\}$
GRADED ENCODINGS
• Randomized encoding algorithm: not unique encodings but sets of possible encodings
• $k$-graded encoding system: a ring $R$ and a system of sets $\{S_i(a)\}$ such that
• $\{S_i(a) : a \in R\}$ are disjoint
• Addition: if $u_1 \in S_i(a_1)$ and $u_2 \in S_i(a_2)$, then $u_1 + u_2 \in S_i(a_1 + a_2)$
• Multiplication: if $u_1 \in S_{i_1}(a_1)$ and $u_2 \in S_{i_2}(a_2)$, then $u_1 \times u_2 \in S_{i_1 + i_2}(a_1 \times a_2)$
• Zero-testing – a procedure that allows checking whether $u \in S_k(0)$ for a fixed zero-testing level $k$
GRADED ENCODINGS
• Instance generation: generate
• secret param – description of the $k$-graded encoding system
• public $p_{zt}$ – zero-testing parameter for level $k$
• Encoding – given param, level $i$ and $a \in R$, outputs a level-$i$ encoding of $a$: $u_i \in S_i(a)$
• Addition and multiplication – for $u_1 \in S_i(a_1)$, $u_2 \in S_i(a_2)$, $u_3 \in S_j(a_3)$
• Addition of encodings at the same level: $u_1 + u_2 \in S_i(a_1 + a_2)$
• Multiplication of encodings at any levels: $u_1 \times u_3 \in S_{i+j}(a_1 \times a_3)$
• Zero-testing – given $p_{zt}$ and $u$, output 1 if $u \in S_k(0)$, and 0 otherwise
• Enables equality testing at level $k$
ATTACKS ON [CLT13]
[CLT13] MULTILINEAR MAPS
• System parameters
• Secret: primes $p_1, \dots, p_n$ (“big primes”) and $g_1, \dots, g_n$ (“small primes”, $g_i \ll p_i$ for all $i$)
• Secret level parameter: $z \in \mathbb{Z}_{x_0}$ (more generally, different encodings may use different $z_i \in \mathbb{Z}_{x_0}$)
• Public: the modulus $x_0 = p_1 \cdots p_n$
[CLT13] ENCODING
• Plaintext space: $m = (m_1, \dots, m_n) \in \mathbb{Z}_{g_1} \times \mathbb{Z}_{g_2} \times \dots \times \mathbb{Z}_{g_n}$
• Encode: via the Chinese remainder theorem (CRT) in $\mathbb{Z}_{x_0}$
• To encode message $(m_1, \dots, m_n)$ at level $j$:
• $\forall i \le n$ compute $e_i = m_i + r_i g_i$ for random $r_i \ll p_i$
• Output $\dfrac{\mathrm{CRT}(e_1, \dots, e_n)}{z^j} \bmod x_0$ (more generally, with several level parameters, the level is a product $z_1 \cdots z_m$)
[CLT13] ARITHMETIC PROPERTIES
• Addition (componentwise, mod $p_i$):
$\dfrac{m_i + r_i g_i}{z^j} + \dfrac{m_i' + r_i' g_i}{z^j} = \dfrac{(m_i + m_i') + (r_i + r_i') g_i}{z^j} \pmod{p_i}$
• Multiplication (componentwise, mod $p_i$):
$\dfrac{m_i + r_i g_i}{z^j} \cdot \dfrac{m_i' + r_i' g_i}{z^k} = \dfrac{m_i m_i' + (r_i m_i' + r_i' m_i + r_i r_i' g_i)\, g_i}{z^{j+k}} \pmod{p_i}$
• Bounded noise growth: the arithmetic stays correct only while the numerators stay below the primes, $(m_i + r_i g_i)(m_i' + r_i' g_i) < p_i$ for all $i$
[CLT13] ZERO TESTING
• Let $p_i' = x_0 / p_i = \prod_{j \ne i} p_j$ for all $i \le n$
• Property: for any $e_1, \dots, e_n$, $\mathrm{CRT}(p_1' e_1, \dots, p_n' e_n) = \sum_{1 \le i \le n} p_i' e_i \bmod x_0$
• Zero-test parameter, for zero-test level $k$, with random $h_i \ll p_i$ for all $i \le n$ and $g_i^{-1}$ computed mod $p_i$:
$p_{zt} = \mathrm{CRT}(p_1' h_1 g_1^{-1}, \dots, p_n' h_n g_n^{-1}) \cdot z^k \bmod x_0$
HOW TO ZERO-TEST?
• Level-$k$ encoding: $a = z^{-k} \cdot \mathrm{CRT}(m_1 + r_1 g_1, \dots, m_n + r_n g_n) \bmod x_0$
• Zero-test parameter for level $k$: $p_{zt} = z^k \cdot \mathrm{CRT}(p_1' h_1 g_1^{-1}, \dots, p_n' h_n g_n^{-1}) \bmod x_0$
• Zero-testing: check whether $|a \cdot p_{zt} \bmod x_0|$ is small
$a \cdot p_{zt} \bmod x_0 = \mathrm{CRT}\big(p_i'(h_i g_i^{-1} m_i + h_i r_i)\big)_{1 \le i \le n} = \sum_{1 \le i \le n} p_i'(h_i g_i^{-1} m_i + h_i r_i) \bmod x_0$
• If $a$ encodes 0 (all $m_i = 0$), the equality holds over the integers: $a \cdot p_{zt} = \sum_{1 \le i \le n} p_i' h_i r_i$, which is small relative to $x_0$ since $|h_i r_i| \ll p_i$
• If $a$ does not encode 0, or is not at the zero-testing level, $|a \cdot p_{zt}| \approx x_0$
ATTACKS ON [CLT13]
• [CLT13] seemed immune to the weak-DL attacks on [GGH13]
• Until… [CHLRS15] gave the first attack on [CLT13]
• Based on zeroizing techniques: relies on low-level encodings of 0
• Complete break: recovers the private parameters
• [BWZ14] and [GGHZ14] proposed attempted fixes
• [CGHLMMRST15] extends the attacks on [CLT13]:
• attacks without low-level 0-encodings (appeared also in [BWZ14])
• attacks on the proposed fixes of [BWZ14] and [GGHZ14]
• attacks on simplified versions of obfuscation constructions
[CHLRS15] ATTACK
• $n$ – number of primes $p_i$; $K$ – zero-testing level
• Recall that a level-$j$ encoding has the form $\dfrac{\mathrm{CRT}(m_1 + r_1 g_1, \dots, m_n + r_n g_n)}{z^j} \bmod x_0$
• Ingredients: three sets of encodings $\{A_i\}_{1 \le i \le n}$, $\{B_0, B_1\}$, $\{C_i\}_{1 \le i \le n}$ at levels with $k + j + l = K$, so that every $A_{i_1} B_{i_2} C_{i_3}$ is a zero-test-level encoding:
• $A_i = \dfrac{\mathrm{CRT}(g_1 a_{i,1}, \dots, g_n a_{i,n})}{z^k}$ – $n$ encodings of 0
• $B_i = \dfrac{\mathrm{CRT}(b_{i,1}, \dots, b_{i,n})}{z^j}$ – two encodings, the “target of the attack”
• $C_i = \dfrac{\mathrm{CRT}(c_{i,1}, \dots, c_{i,n})}{z^l}$ – $n$ encodings
[CHLRS15] ATTACK
• Simple example: $n = 2$, $K = 3$ (all ingredients at level 1)
• $A_1 = \dfrac{\mathrm{CRT}(g_1 a_{1,1}, g_2 a_{1,2})}{z}$, $A_2 = \dfrac{\mathrm{CRT}(g_1 a_{2,1}, g_2 a_{2,2})}{z}$
• $B = \dfrac{\mathrm{CRT}(b_1, b_2)}{z}$, $B' = \dfrac{\mathrm{CRT}(b_1', b_2')}{z}$
• $C_1 = \dfrac{\mathrm{CRT}(c_{1,1}, c_{1,2})}{z}$, $C_2 = \dfrac{\mathrm{CRT}(c_{2,1}, c_{2,2})}{z}$
• Multiply: $A_1 \cdot B \cdot C_1 = z^{-3} \cdot \mathrm{CRT}(g_1 a_{1,1} b_1 c_{1,1},\ g_2 a_{1,2} b_2 c_{1,2})$
[CHLRS15] ATTACK
• Zero-test parameter: $p_{zt} = z^3 \cdot \mathrm{CRT}(p_1' h_1 g_1^{-1}, p_2' h_2 g_2^{-1}) \bmod x_0$
• $A_1 \cdot B \cdot C_1 = z^{-3} \cdot \mathrm{CRT}(g_1 a_{1,1} b_1 c_{1,1},\ g_2 a_{1,2} b_2 c_{1,2})$
• Set $W_{1,1} = p_{zt} \cdot A_1 \cdot B \cdot C_1 \bmod x_0 = p_1' h_1 a_{1,1} b_1 c_{1,1} + p_2' h_2 a_{1,2} b_2 c_{1,2}$
• The equality holds over the integers (without modular reduction), because the product is a zero-test-level encoding of 0 and the right-hand side is small relative to $x_0$
• Writing $\alpha_1 = p_1' h_1$ and $\alpha_2 = p_2' h_2$:
$W_{1,1} = \begin{pmatrix} a_{1,1} & a_{1,2} \end{pmatrix} \times \begin{pmatrix} \alpha_1 b_1 & 0 \\ 0 & \alpha_2 b_2 \end{pmatrix} \times \begin{pmatrix} c_{1,1} \\ c_{1,2} \end{pmatrix}$
[CHLRS15] ATTACK
• Use the rest of the sets $A = \{A_1, A_2\}$ and $C = \{C_1, C_2\}$:
$W_{1,2} = p_{zt} \cdot A_1 \cdot B \cdot C_2 = \alpha_1 a_{1,1} b_1 c_{2,1} + \alpha_2 a_{1,2} b_2 c_{2,2}$
$W_{2,1} = p_{zt} \cdot A_2 \cdot B \cdot C_1 = \alpha_1 a_{2,1} b_1 c_{1,1} + \alpha_2 a_{2,2} b_2 c_{1,2}$
$W_{2,2} = p_{zt} \cdot A_2 \cdot B \cdot C_2 = \alpha_1 a_{2,1} b_1 c_{2,1} + \alpha_2 a_{2,2} b_2 c_{2,2}$
• Set the new matrix
$W = \begin{pmatrix} W_{1,1} & W_{1,2} \\ W_{2,1} & W_{2,2} \end{pmatrix} = \begin{pmatrix} a_{1,1} & a_{1,2} \\ a_{2,1} & a_{2,2} \end{pmatrix} \times \begin{pmatrix} \alpha_1 b_1 & 0 \\ 0 & \alpha_2 b_2 \end{pmatrix} \times \begin{pmatrix} c_{1,1} & c_{2,1} \\ c_{1,2} & c_{2,2} \end{pmatrix}$
[CHLRS15] ATTACK
• $W = A \times \begin{pmatrix} \alpha_1 b_1 & 0 \\ 0 & \alpha_2 b_2 \end{pmatrix} \times C$, with $A = (a_{i,k})_{i,k}$ and $C = (c_{j,k})_{k,j}$ the matrices above
• Compute similarly $W'$ using the sets $\{A_1, A_2\}$, $\{C_1, C_2\}$ and $B'$:
$W' = A \times \begin{pmatrix} \alpha_1 b_1' & 0 \\ 0 & \alpha_2 b_2' \end{pmatrix} \times C$
• Compute over $\mathbb{Q}$ (this needs $A$ and $C$ to be invertible, which holds with high probability for random encodings):
$(W')^{-1} = C^{-1} \times \begin{pmatrix} 1/(\alpha_1 b_1') & 0 \\ 0 & 1/(\alpha_2 b_2') \end{pmatrix} \times A^{-1}$
[CHLRS15] ATTACK
• So far we computed $W$ and $(W')^{-1}$
• Multiply $W \times (W')^{-1}$ over $\mathbb{Q}$:
$W \times (W')^{-1} = A \times \begin{pmatrix} b_1/b_1' & 0 \\ 0 & b_2/b_2' \end{pmatrix} \times A^{-1}$
• Recover $b_1/b_1'$ and $b_2/b_2'$ by computing the eigenvalues: the unknown $A$ only conjugates the diagonal matrix, so it does not change them, and the $\alpha_i$ have cancelled
• Use the above values to factor $x_0$: write $b_i/b_i' = u/v$ in lowest terms; then $v \cdot B - u \cdot B' \equiv z^{-1}(v b_i - u b_i') \equiv 0 \pmod{p_i}$ but not modulo the other prime, so $\gcd(v \cdot B - u \cdot B' \bmod x_0,\ x_0) = p_i$
NO LOW LEVEL ZERO ENCODINGS
ATTACK EXTENSION #1
ATTACK SETS
• Ingredients: three sets of encodings $\{A_i\}_{1 \le i \le n}$, $\{B_0, B_1\}$, $\{C_i\}_{1 \le i \le n}$ at levels with $k + j + l = K$, so that every $A_{i_1} B_{i_2} C_{i_3}$ is a zero-test-level encoding:
• $A_i = \dfrac{\mathrm{CRT}(a_{i,1}, \dots, a_{i,n})}{z^k}$ – $n$ encodings, not necessarily encodings of 0
• $B_i = \dfrac{\mathrm{CRT}(b_{i,1}, \dots, b_{i,n})}{z^j}$ – two encodings, the “target of the attack”
• $C_i = \dfrac{\mathrm{CRT}(c_{i,1}, \dots, c_{i,n})}{z^l}$ – $n$ encodings
NO LOW LEVEL ZERO ENCODINGS
• Each 3-wise product encodes 0 at the zero-testing level: $A_i \cdot B \cdot C_j$ and $A_i \cdot B' \cdot C_j$ for all $i, j$
• So $g_1$ divides $a_{i,1} \cdot b_1 \cdot c_{j,1}$ and $a_{i,1} \cdot b_1' \cdot c_{j,1}$ for all $i, j$
• and $g_2$ divides $a_{i,2} \cdot b_2 \cdot c_{j,2}$ and $a_{i,2} \cdot b_2' \cdot c_{j,2}$ for all $i, j$
• The equalities hold over $\mathbb{Q}$:
$W = \begin{pmatrix} a_{1,1} & a_{1,2} \\ a_{2,1} & a_{2,2} \end{pmatrix} \times \begin{pmatrix} \alpha_1 b_1/g_1 & 0 \\ 0 & \alpha_2 b_2/g_2 \end{pmatrix} \times \begin{pmatrix} c_{1,1} & c_{2,1} \\ c_{1,2} & c_{2,2} \end{pmatrix}$
$W' = \begin{pmatrix} a_{1,1} & a_{1,2} \\ a_{2,1} & a_{2,2} \end{pmatrix} \times \begin{pmatrix} \alpha_1 b_1'/g_1 & 0 \\ 0 & \alpha_2 b_2'/g_2 \end{pmatrix} \times \begin{pmatrix} c_{1,1} & c_{2,1} \\ c_{1,2} & c_{2,2} \end{pmatrix}$
NO LOW LEVEL ZERO ENCODINGS
$W' = A \times \begin{pmatrix} \alpha_1 b_1'/g_1 & 0 \\ 0 & \alpha_2 b_2'/g_2 \end{pmatrix} \times C$
$(W')^{-1} = C^{-1} \times \begin{pmatrix} g_1/(\alpha_1 b_1') & 0 \\ 0 & g_2/(\alpha_2 b_2') \end{pmatrix} \times A^{-1}$
$W \times (W')^{-1} = A \times \begin{pmatrix} b_1/b_1' & 0 \\ 0 & b_2/b_2' \end{pmatrix} \times A^{-1}$
• Compute the eigenvalues: the $g_i$ cancel exactly like the $\alpha_i$, so the attack proceeds as before
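The following is an added worked example, not code from the talk or from any of the cited papers. It implements a toy version of the [CLT13] encoding and zero-test from the “HOW TO ZERO-TEST?” slide and runs the $n = 2$, $K = 3$ [CHLRS15] attack from the slides above against it, both with the $A_i$ being low-level encodings of 0 and, for attack extension #1, with the $A_i$ encoding $(a, 0)$ and the $C_j$ encoding $(0, c)$ so that no ingredient is a zero encoding but every product $A_i B C_j$ is. All parameter sizes are assumed toy values (two Mersenne primes as $p_i$, $g_i \in \{3, 5\}$, 8-bit $r_i$ and $h_i$, zero-test threshold $x_0 / 2^{18}$); they are chosen so that the noise bounds from the arithmetic slides hold, not for security. Eigenvalues are taken with the quadratic formula, which is enough for $2 \times 2$; the $\gcd$ step is the factoring step described on the last [CHLRS15] slide.

```python
"""Toy CLT13 graded encoding (n = 2 primes, zero-test level K = 3) and the
[CHLRS15] zeroizing attack against it.  Added example, not code from the talk.
Parameter sizes are assumed toy values (real CLT13 uses thousands of large
primes); they are chosen so that the noise bounds in the slides hold."""
from fractions import Fraction
from math import gcd, isqrt
import random

PRIMES = [2**61 - 1, 2**89 - 1]   # secret "big primes" p_i (two Mersenne primes)
SMALL = [3, 5]                    # secret "small primes" g_i; plaintexts in Z_3 x Z_5
X0 = PRIMES[0] * PRIMES[1]        # public modulus x_0
K = 3                             # zero-test level
R_BITS, H_BITS = 8, 8             # noise r_i and zero-test h_i are this small
rng = random.Random(2015)

PP = [X0 // p for p in PRIMES]                                    # p_i' = x_0 / p_i
CRT_COEF = [pp * pow(pp, -1, p) % X0 for pp, p in zip(PP, PRIMES)]

def crt(residues):
    """CRT(e_1, e_2): the value mod x_0 congruent to e_i mod p_i."""
    return sum(e * c for e, c in zip(residues, CRT_COEF)) % X0

def signed(x):
    """Representative of x mod x_0 in (-x_0/2, x_0/2]."""
    x %= X0
    return x - X0 if x > X0 // 2 else x

Z = rng.randrange(2, X0)                 # secret level parameter z
assert gcd(Z, X0) == 1
Z_INV = pow(Z, -1, X0)
# h_i = g_i*q + t with 0 < t < g_i, so g_i never divides h_i (matters for toy-size g_i)
H = [g * rng.randrange(1, 2**H_BITS // g) + rng.randrange(1, g) for g in SMALL]
# p_zt = z^K * sum_i p_i' * (h_i * g_i^{-1} mod p_i) mod x_0  (= CRT(p_i' h_i g_i^{-1}) z^K)
PZT = pow(Z, K, X0) * sum(pp * (h * pow(g, -1, p) % p)
                          for pp, h, g, p in zip(PP, H, SMALL, PRIMES)) % X0

def encode(msg, level):
    """Level-`level` encoding of (m_1, m_2): CRT(m_i + r_i g_i) / z^level mod x_0."""
    comps = [m + rng.randrange(1, 2**R_BITS) * g for m, g in zip(msg, SMALL)]
    return crt(comps) * pow(Z_INV, level, X0) % X0

def is_zero(u):
    """Zero-test at level K: u encodes 0 iff |u * p_zt mod x_0| is small."""
    return abs(signed(u * PZT)) < X0 >> 18        # threshold is a toy choice

def mat_inv2(M):
    """Inverse of a 2x2 matrix over Q; raises ZeroDivisionError if singular."""
    (a, b), (c, d) = M
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]

def mat_mul2(M, N):
    return [[sum(M[i][k] * N[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def rational_eigenvalues2(M):
    """Eigenvalues of a 2x2 rational matrix known to have rational eigenvalues."""
    tr = M[0][0] + M[1][1]
    det = M[0][0] * M[1][1] - M[0][1] * M[1][0]
    disc = tr * tr - 4 * det                       # = (lambda_1 - lambda_2)^2
    sn, sd = isqrt(disc.numerator), isqrt(disc.denominator)
    assert sn * sn == disc.numerator and sd * sd == disc.denominator
    s = Fraction(sn, sd)
    return [(tr + s) / 2, (tr - s) / 2]

def chlrs_attack(A, B, Bp, C):
    """[CHLRS15] for n = 2: from level-1 encodings A = [A_1, A_2], targets B, B'
    and C = [C_1, C_2] (every A_i*B*C_j and A_i*B'*C_j encodes 0 at level 3),
    recover the factors of x_0.  Uses only public values."""
    W = [[Fraction(signed(PZT * A[i] * B * C[j])) for j in range(2)] for i in range(2)]
    Wp = [[Fraction(signed(PZT * A[i] * Bp * C[j])) for j in range(2)] for i in range(2)]
    M = mat_mul2(W, mat_inv2(Wp))             # = A diag(b_k / b'_k) A^{-1} over Q
    found = set()
    for lam in rational_eigenvalues2(M):      # lam = b_k / b'_k = u / v in lowest terms
        u, v = lam.numerator, lam.denominator
        found.add(gcd((v * B - u * Bp) % X0, X0))   # v*b_k - u*b'_k = 0 mod p_k only
    return found

def demo(low_level_zeros=True):
    """Returns (zero-test of a zero, zero-test of a non-zero, recovered primes).
    With low_level_zeros=False the A_i encode (a, 0) and the C_j encode (0, c): no
    ingredient encodes 0, but every A_i*B*C_j does (attack extension #1)."""
    while True:
        if low_level_zeros:
            A = [encode([0, 0], 1) for _ in range(2)]
            C = [encode([rng.randrange(1, 3), rng.randrange(1, 5)], 1) for _ in range(2)]
        else:
            A = [encode([rng.randrange(1, 3), 0], 1) for _ in range(2)]
            C = [encode([0, rng.randrange(1, 5)], 1) for _ in range(2)]
        B, Bp = encode([1, 2], 1), encode([2, 4], 1)         # the two (non-zero) targets
        try:
            primes = chlrs_attack(A, B, Bp, C)
        except ZeroDivisionError:        # W' singular over Q: resample and retry
            continue
        if all(1 < q < X0 for q in primes):
            zero_ok = is_zero(A[0] * B * C[0] % X0)       # level-3 encoding of 0
            nonzero_ok = not is_zero(B * Bp * C[0] % X0)  # level-3 encoding of non-zero
            return zero_ok, nonzero_ok, primes

if __name__ == "__main__":
    print(demo(True))
    print(demo(False))
```

The attacker never touches the secret $p_i$, $g_i$, $z$ or $h_i$: everything in `chlrs_attack` is computed from public encodings and $p_{zt}$, and the only reason the small-prime parameters are visible in the file is to build the toy instance. Note also why the zero-test works at all on toy sizes: the non-zero case relies on $h_i g_i^{-1} m_i \bmod p_i$ being large, which is why the $h_i$ are sampled coprime to the $g_i$ here (real [CLT13] parameters make this automatic).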
MULTIPLE MONOMIALS
ATTACK EXTENSION #2
[BWZ14] IMMUNIZATION OF [CLT13]
• Encoding of $(m_1, m_2)$ is a pair $(a, a')$:
• $\alpha, \beta_1, \beta_2, \beta_3, \beta_4$ – random
• $a$ is a [CLT13] encoding of $(m_1, m_2, \alpha, \beta_1)$
• $a'$ is a [CLT13] encoding of $(\beta_2, \beta_3, \alpha, \beta_4)$
• Encodings can be added and multiplied componentwise
• Zero-testing parameters:
• the [CLT13] zero-test parameter $p_{zt}$
• $t_L$: encoding of $(1, 1, 1, 0)$
• $t_R$: encoding of $(0, 0, 1, 0)$
• Zero-testing $(a, a')$: zero-test $p_{zt}\,(t_L a - t_R a')$
MULTIPLE MONOMIALS
• A top-level zero can be obtained only in the form $a \cdot b \cdot c - a' \cdot b' \cdot c'$
• Attack sets (each pair written as a $2 \times 2$ diagonal matrix):
$A_i = \begin{pmatrix} a_i & 0 \\ 0 & a_i' \end{pmatrix}$, $B = \begin{pmatrix} b_1 & 0 \\ 0 & b_1' \end{pmatrix}$, $B' = \begin{pmatrix} b_2 & 0 \\ 0 & b_2' \end{pmatrix}$, $C_i = \begin{pmatrix} c_i & 0 \\ 0 & c_i' \end{pmatrix}$
where $a_i = \mathrm{CRT}(a_{i,1}, a_{i,2})/z$, $a_i' = \mathrm{CRT}(a_{i,1}', a_{i,2}')/z$, $c_i = \mathrm{CRT}(c_{i,1}, c_{i,2})/z$, $c_i' = \mathrm{CRT}(c_{i,1}', c_{i,2}')/z$
MULTIPLE MONOMIALS
• $W_{i,j} = p_{zt}\,\big((A_i \times B \times C_j) \cdot [t_L, -t_R]\big)$
• Expanding over the two CRT components and the two halves of each pair gives the same row-diagonal-column shape as before, with doubled dimension:
$W_{i,j} = \begin{pmatrix} a_{i,1} & a_{i,1}' & a_{i,2} & a_{i,2}' \end{pmatrix} \times \begin{pmatrix} \alpha_1 b_{1,1}/g_1 & 0 & 0 & 0 \\ 0 & -\alpha_1 b_{1,1}'/g_1 & 0 & 0 \\ 0 & 0 & \alpha_2 b_{1,2}/g_2 & 0 \\ 0 & 0 & 0 & -\alpha_2 b_{1,2}'/g_2 \end{pmatrix} \times \begin{pmatrix} c_{j,1} \\ c_{j,1}' \\ c_{j,2} \\ c_{j,2}' \end{pmatrix}$
• Increased dimension: with four encodings $A_i$ and four encodings $C_j$ (for $n = 2$), $W$ and $W'$ are $4 \times 4$ and
$W \times (W')^{-1} = A \times \begin{pmatrix} b_{1,1}/b_{2,1} & 0 & 0 & 0 \\ 0 & b_{1,1}'/b_{2,1}' & 0 & 0 \\ 0 & 0 & b_{1,2}/b_{2,2} & 0 \\ 0 & 0 & 0 & b_{1,2}'/b_{2,2}' \end{pmatrix} \times A^{-1}$
MATRIX ENCODINGS
ATTACK EXTENSION #3
[GGHZ14] FIX FOR [CLT13]
• Encoding of a value $m$ is a $d \times d$ matrix
$C = T \times \begin{pmatrix} \mathrm{Enc}(\$) & \mathrm{Enc}(0) & \cdots & \mathrm{Enc}(0) \\ \mathrm{Enc}(0) & \mathrm{Enc}(\$) & \cdots & \mathrm{Enc}(0) \\ \vdots & & \ddots & \vdots \\ \mathrm{Enc}(0) & \mathrm{Enc}(0) & \cdots & \mathrm{Enc}(m) \end{pmatrix} \times T^{-1} \bmod x_0$
• $\mathrm{Enc}(\$)$: CLT encoding of an independent random value at level $z$; $\mathrm{Enc}(0)$: CLT encoding of 0 at level $z$; $\mathrm{Enc}(m)$: CLT encoding of $m$ at level $z$
• $T$: secret matrix, uniformly random in $\mathbb{Z}_{x_0}^{d \times d}$
[GGHZ14] FIX FOR [CLT13]
• Zero-test parameters (the $\mathrm{Enc}(\cdot)$ entries here are CLT encodings at level 0):
$s = \begin{pmatrix} \mathrm{Enc}(\$) & \cdots & \mathrm{Enc}(\$) & \mathrm{Enc}(0) & \cdots & \mathrm{Enc}(0) & \mathrm{Enc}(\$) \end{pmatrix} \times T^{-1} \bmod x_0$
$t = p_{zt} \cdot T \times \begin{pmatrix} \mathrm{Enc}(0) & \cdots & \mathrm{Enc}(0) & \mathrm{Enc}(\$) & \cdots & \mathrm{Enc}(\$) & \mathrm{Enc}(\$) \end{pmatrix}^T \bmod x_0$
• Zero-testing: $s \times C \times t \bmod x_0 = (\mathrm{Enc}(\$) \cdot \mathrm{Enc}(m) + \mathrm{Enc}(0)) \cdot p_{zt} \bmod x_0$, which with high probability is small relative to $x_0$ if $C$ encodes 0
MATRIX ENCODINGS
• Attack sets:
• $A_i = T \times A_i^* \times T^{-1}$, $i \in [nd]$
• $B_i = T \times B_i^* \times T^{-1}$, $i \in \{0, 1\}$
• $C_i = T \times C_i^* \times T^{-1}$, $i \in [nd]$
• $W_{i,j} = s \times A_i \times B_0 \times C_j \times t = s \times T \times A_i^* \times B_0^* \times C_j^* \times T^{-1} \times t$; the inner $T^{-1} T$ factors cancel, so $W_{i,j}$ is again a row vector $a_i = s \times T \times A_i^*$ times a fixed middle block times a column vector $c_j = C_j^* \times T^{-1} \times t$
MATRIX ENCODINGS
$W \times (W')^{-1} = A \times \begin{pmatrix} (B_0 \bmod p_1)(B_1 \bmod p_1)^{-1} & 0 \\ 0 & (B_0 \bmod p_2)(B_1 \bmod p_2)^{-1} \end{pmatrix} \times A^{-1}$
• $\mathrm{CharPoly}(W \times (W')^{-1}) = \prod_i \mathrm{CharPoly}\big((B_0 \bmod p_i)(B_1 \bmod p_i)^{-1}\big)$
• Factor $\mathrm{CharPoly}(W \times (W')^{-1})$ and use the Cayley–Hamilton theorem to recover the primes $p_i$: the factor $f_i$ annihilates $(B_0 \bmod p_i)(B_1 \bmod p_i)^{-1}$, so $f_i(B_0 B_1^{-1}) \bmod x_0$ is a matrix whose entries are all divisible by $p_i$, and a $\gcd$ with $x_0$ reveals $p_i$
ATTACK ON SIMPLIFIED [GGHRSW13] OBFUSCATION
BRANCHING PROGRAM OBFUSCATION
(OBLIVIOUS) BRANCHING PROGRAMS [BARRINGTON86]
• A BP of length $m$ with $n$ input bits is defined as
$(\mathrm{inp}(1), A_{1,0}, A_{1,1}), (\mathrm{inp}(2), A_{2,0}, A_{2,1}), \dots, (\mathrm{inp}(m), A_{m,0}, A_{m,1})$
• $A_{i,0}, A_{i,1} \in \{0, 1\}^{5 \times 5}$ (permutation matrices)
• $\mathrm{inp} : [m] \to [n]$ says which input bit position $i$ reads
• The BP for $F$ evaluates on input $x = (x_1, \dots, x_n)$ as
$F(x) = \begin{cases} 1, & \text{if } \prod_{i=1}^{m} A_{i, x_{\mathrm{inp}(i)}} = I \\ 0, & \text{otherwise.} \end{cases}$
(OBLIVIOUS) BRANCHING PROGRAMS
• Example: BP of length 9 with 4-bit inputs (figure: two rows of matrices $A_1, \dots, A_9$, the 0-row $A_{i,0}$ and the 1-row $A_{i,1}$; for an input such as $x = 0110$ the bit $x_{\mathrm{inp}(i)}$ selects one matrix from each column)
• Multiply the chosen 9 matrices.
• If the product is $I$, output 1. Otherwise, output 0.
BARRINGTON’S THEOREM [B86]
Every function computable by a depth-$d$ circuit is computable by a branching program of length $4^d$.
• Corollary: every function in $\mathrm{NC}^1$ has a polynomial-length branching program
RANDOMIZED BRANCHING PROGRAMS [KILIAN88]
• Randomized BP (RBP) construction of length $m$ and input size $n$:
• BP: $(\mathrm{inp}(1), A_{1,0}, A_{1,1}), \dots, (\mathrm{inp}(m), A_{m,0}, A_{m,1})$
• Sample random invertible $5 \times 5$ matrices $R_0, \dots, R_m$ over the ring the program is evaluated in (e.g. $\mathbb{Z}_q$; they are not restricted to 0/1 entries)
• Set $B_{i,0} = R_{i-1} A_{i,0} R_i^{-1}$, $B_{i,1} = R_{i-1} A_{i,1} R_i^{-1}$; the $R_i$ telescope, so $\prod_i B_{i, x_{\mathrm{inp}(i)}} = R_0 \big(\prod_i A_{i, x_{\mathrm{inp}(i)}}\big) R_m^{-1}$
• Omitting several steps…
• Hide the matrices with multilinear maps:
$B_{1,0}\ B_{2,0}\ B_{3,0}\ B_{4,0}\ B_{5,0}\ B_{6,0}\ B_{7,0}\ B_{8,0}\ B_{9,0}$
$B_{1,1}\ B_{2,1}\ B_{3,1}\ B_{4,1}\ B_{5,1}\ B_{6,1}\ B_{7,1}\ B_{8,1}\ B_{9,1}$
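The following is an added example, not code from the talk or from [GGHRSW13]; it shows the two slides above concretely. It builds a length-5 oblivious branching program for $\mathrm{AND}(x_1, x_2)$ using Barrington's commutator trick (the product of two non-commuting 5-cycles and their inverses is a non-identity element, and a fixed final matrix turns that into the slides' “product $= I$ means output 1” convention), evaluates it on $5 \times 5$ permutation matrices, then applies Kilian's randomization $B_{i,b} = R_{i-1} A_{i,b} R_i^{-1}$ and checks that the randomized program computes the same function. The modulus $q$, the two 5-cycles and the length-5 program are choices made here and are not from the slides (which use a length-9 example); comparing the final product against $R_0 R_m^{-1}$ is a stand-in for the bookend handling the talk omits.

```python
"""Oblivious branching program for AND(x_1, x_2) built with Barrington's
commutator trick, evaluated as 5x5 permutation matrices, then Kilian-randomized
with random invertible matrices R_0, ..., R_m over Z_q.  Added example, not the
talk's code: q, the two 5-cycles and the length-5 program are choices made here."""
import random

Q = 1_000_003            # assumed toy prime modulus for the randomizing matrices
rng = random.Random(7)

def perm_matrix(perm):
    """0/1 matrix of a permutation given as an image list: column i has its 1 in row perm[i]."""
    n = len(perm)
    M = [[0] * n for _ in range(n)]
    for i, j in enumerate(perm):
        M[j][i] = 1
    return M

def inverse_perm(perm):
    inv = [0] * len(perm)
    for i, j in enumerate(perm):
        inv[j] = i
    return inv

def identity(n=5):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def matmul(M, N, mod=None):
    n = len(M)
    C = [[sum(M[i][k] * N[k][j] for k in range(n)) for j in range(n)] for i in range(n)]
    return [[x % mod for x in row] for row in C] if mod else C

# Barrington gadget: ALPHA and BETA are 5-cycles that do not commute, so
# MA*MB*MA^-1*MB^-1 != I.  The program reads x_1, x_2, x_1, x_2 and ends with the
# fixed inverse of that commutator, so the product is I exactly when x_1 = x_2 = 1.
ALPHA = [1, 2, 3, 4, 0]                     # cycle (0 1 2 3 4)
BETA = [2, 4, 1, 0, 3]                      # cycle (0 2 1 4 3), not a power of ALPHA
I5 = identity()
MA, MB = perm_matrix(ALPHA), perm_matrix(BETA)
MAi, MBi = perm_matrix(inverse_perm(ALPHA)), perm_matrix(inverse_perm(BETA))
GAMMA_INV = matmul(matmul(matmul(MB, MA), MBi), MAi)   # (MA MB MAi MBi)^-1
assert matmul(matmul(matmul(MA, MB), MAi), MBi) != I5

# (inp(i), A_{i,0}, A_{i,1}) for i = 1..5; inp is 0-based here
AND_BP = [(0, I5, MA), (1, I5, MB), (0, I5, MAi), (1, I5, MBi), (0, GAMMA_INV, GAMMA_INV)]

def eval_bp(bp, x):
    """F(x) = 1 iff prod_i A_{i, x_inp(i)} = I (the slides' convention)."""
    prod = identity()
    for inp, A0, A1 in bp:
        prod = matmul(prod, A1 if x[inp] else A0)
    return int(prod == I5)

def mat_inv_mod(M, mod):
    """Gauss-Jordan inverse over Z_mod (mod prime); None if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c] % mod), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, mod)
        aug[c] = [x * inv % mod for x in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [(x - f * y) % mod for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def rand_invertible(n, mod):
    """Random invertible n x n matrix over Z_mod, together with its inverse."""
    while True:
        M = [[rng.randrange(mod) for _ in range(n)] for _ in range(n)]
        inv = mat_inv_mod(M, mod)
        if inv is not None:
            return M, inv

def kilian_randomize(bp, mod):
    """B_{i,b} = R_{i-1} A_{i,b} R_i^{-1}.  Returns the randomized program and the
    bookend value R_0 R_m^{-1}, which is what an accepting product telescopes to."""
    m = len(bp)
    R = [rand_invertible(5, mod) for _ in range(m + 1)]     # (R_i, R_i^{-1}), i = 0..m
    rbp = [(inp,
            matmul(matmul(R[i][0], A0, mod), R[i + 1][1], mod),
            matmul(matmul(R[i][0], A1, mod), R[i + 1][1], mod))
           for i, (inp, A0, A1) in enumerate(bp)]
    return rbp, matmul(R[0][0], R[m][1], mod)

def eval_randomized(rbp, bookend, x, mod):
    """prod_i B_{i,x_inp(i)} = R_0 (prod_i A_{i,x_inp(i)}) R_m^{-1}; compare with R_0 R_m^{-1}."""
    prod = identity()
    for inp, B0, B1 in rbp:
        prod = matmul(prod, B1 if x[inp] else B0, mod)
    return int(prod == bookend)

def truth_table(bp, rbp, bookend, mod):
    """AND truth table from the plain BP and from the Kilian-randomized BP."""
    inputs = [(0, 0), (0, 1), (1, 0), (1, 1)]
    return ([eval_bp(bp, x) for x in inputs],
            [eval_randomized(rbp, bookend, x, mod) for x in inputs])

if __name__ == "__main__":
    RBP, BOOKEND = kilian_randomize(AND_BP, Q)
    print(truth_table(AND_BP, RBP, BOOKEND, Q))      # ([0, 0, 0, 1], [0, 0, 0, 1])
```

Each individual $B_{i,b}$ is a uniformly random-looking matrix on its own; only products that respect the chain $R_{i-1} \cdots R_i^{-1}$ telescope to something meaningful, which is the property the obfuscation construction then protects with the multilinear map and the property the partitioning attack on the next slides exploits.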
ATTACK ON SIMPLIFIED OBFUSCATION
• There exist partitions of the input bits and of the branching program positions:
• Input bits: $[l] = X \cup Y \cup Z$
• BP positions: $[L] = A \cup B \cup C$
• $\mathrm{inp}(i) \in X\ \forall i \in A$; $\mathrm{inp}(i) \in Y\ \forall i \in B$; $\mathrm{inp}(i) \in Z\ \forall i \in C$
(figure: the two rows $B_{1,0}, \dots, B_{9,0}$ and $B_{1,1}, \dots, B_{9,1}$ split into three consecutive blocks of positions labelled $A$, $B$, $C$)
• Consider $\mathrm{BP}_0$ and $\mathrm{BP}_1$ where $\mathrm{BP}_b = A(x) \circ B_b(y) \circ C(z)$
• $A(x)$ is a branching program over the positions of $A$ depending on input $x$
• $B_0(y)$ and $B_1(y)$ are two different programs over the positions of $B$ that depend on input $y$
• $C(z)$ is a branching program over the positions of $C$ depending on input $z$
• $\mathrm{BP}_0$ and $\mathrm{BP}_1$ compute the same constant function that outputs 1
ATTACK ON SIMPLIFIED OBFUSCATION
• Attack sets, with $w$ the matrix dimension and $n$ the MMAP parameter (number of primes), built from the encoded matrices $\mathrm{Enc}(B_{i, x_{\mathrm{inp}(i)}})$ of the obfuscated program:
• $\mathcal{A}_i = \prod_{i'=1}^{|A|} \mathrm{Enc}(B_{i', x_{\mathrm{inp}(i')}})$ for $x \in \{0,1\}^{|X|}$, $i \in [nw]$ – $nw$ partial products over the positions of $A$
• $\mathcal{B}_i = \prod_{i'=|A|+1}^{|A \cup B|} \mathrm{Enc}(B_{i', y_{\mathrm{inp}(i')}})$ for a fixed $y \in \{0,1\}^{|Y|}$, $i \in \{0, 1\}$ – the middle block of $\mathrm{BP}_0$ and of $\mathrm{BP}_1$
• $\mathcal{C}_i = \prod_{i'=|A \cup B|+1}^{|A \cup B \cup C|} \mathrm{Enc}(B_{i', z_{\mathrm{inp}(i')}})$ for $z \in \{0,1\}^{|Z|}$, $i \in [nw]$ – $nw$ partial products over the positions of $C$
• Every product $\mathcal{A}_{i_1} \mathcal{B}_{i_2} \mathcal{C}_{i_3}$ is a top-level encoding of 0 (both programs output 1 on every input), so the sets play the roles of $\{A_i\}$, $\{B_0, B_1\}$, $\{C_i\}$ in the matrix-encoding attack
CONCLUSIONS
• Zeroizing attacks on [CLT13] completely break the scheme
• Low-level zero encodings are not needed for the attacks
• The attacks generalize to break the proposed fixes [BWZ14] and [GGHZ14]
• Obfuscation constructions are not broken
• We can attack only simplified obfuscation constructions
• [CLT15] – new candidate fix of [CLT13] that does not suffer from our zeroizing attacks
THANK YOU!