cryptanalysis of branching program obfuscators
play

Cryptanalysis of branching program obfuscators Jung Hee Cheon 1 , - PowerPoint PPT Presentation

Oct 03, 2022 •443 likes •1.41k views

Cryptanalysis of branching program obfuscators Jung Hee Cheon 1 , Minki Hhan 1 , Jiseung Kim 1 , Changmin Lee 1 , Alice Pellet-Mary 2 1 Seoul National University 2 ENS de Lyon Crypto 2018 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program

  1. Cryptanalysis of branching program obfuscators Jung Hee Cheon 1 , Minki Hhan 1 , Jiseung Kim 1 , Changmin Lee 1 , Alice Pellet-Mary 2 1 Seoul National University 2 ENS de Lyon Crypto 2018 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 1/23

  2. What is this talk about Two partial attacks against some candidate obfuscators built upon the GGH13 multilinear map [GGH13a] an attack for specific choices of parameters a quantum attack Main idea of the two attacks Transform known weaknesses of the GGH13 map into concrete attacks against the candidate obfuscators M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 2/23

  3. Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that ∀ C ∈ C , ∀ x , C ( x ) = O ( C )( x ) In this talk, C = polynomial size circuits M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 3/23

  4. Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that ∀ C ∈ C , ∀ x , C ( x ) = O ( C )( x ) In this talk, C = polynomial size circuits Security. VBB: O ( C ) acts as a black box computing C M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 3/23

  5. Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that ∀ C ∈ C , ∀ x , C ( x ) = O ( C )( x ) In this talk, C = polynomial size circuits Security. VBB: O ( C ) acts as a black box computing C (impossible, [BGI + 01]) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 3/23

  6. Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that ∀ C ∈ C , ∀ x , C ( x ) = O ( C )( x ) In this talk, C = polynomial size circuits Security. VBB: O ( C ) acts as a black box computing C (impossible, [BGI + 01]) iO: ∀ C 1 ≡ C 2 , i.e. C 1 ( x ) = C 2 ( x ) ∀ x , O ( C 1 ) ≃ c O ( C 2 ) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 3/23

  7. Obfuscation Obfuscator An obfuscator O for a class of circuits C is an efficiently computable function over C such that ∀ C ∈ C , ∀ x , C ( x ) = O ( C )( x ) In this talk, C = polynomial size circuits Security. VBB: O ( C ) acts as a black box computing C (impossible, [BGI + 01]) iO: ∀ C 1 ≡ C 2 , i.e. C 1 ( x ) = C 2 ( x ) ∀ x , O ( C 1 ) ≃ c O ( C 2 ) Many cryptographic constructions from iO: functional encryption, deniable encryption, NIZKs, oblivious transfer, . . . M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 3/23

  8. Multilinear maps (mmaps) and iO Observation Almost all iO constructions for all circuits rely on multilinear maps (mmap). Three main candidate multilinear maps: GGH13, CLT13, GGH15 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 4/23

  9. Multilinear maps (mmaps) and iO Observation Almost all iO constructions for all circuits rely on multilinear maps (mmap). Three main candidate multilinear maps: GGH13, CLT13, GGH15 Caution All these candidate multilinear maps suffer from weaknesses (e.g. encodings of zero, zeroizing attacks, . . . ). ⇒ all current attacks against iO rely on the underlying mmap M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 4/23

  10. Multilinear maps (mmaps) and iO Observation Almost all iO constructions for all circuits rely on multilinear maps (mmap). Three main candidate multilinear maps: GGH13 , CLT13, GGH15 Caution All these candidate multilinear maps suffer from weaknesses (e.g. encodings of zero, zeroizing attacks, . . . ). ⇒ all current attacks against iO rely on the underlying mmap In this talk: we exploit known weaknesses of GGH13 to mount concrete attacks against some iO using it. M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 4/23

  11. History (branching program obfuscators based on GGH13) Some candidate iO for all circuits and attacks: 2013: [GGH + 13b], first candidate 2014-2016: [AGIS14, BGK + 14, BR14, MSW14, PST14, BMSZ16], with proofs in idealized models (the mmap is supposed to be somehow ideal) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 5/23

  12. History (branching program obfuscators based on GGH13) Some candidate iO for all circuits and attacks: 2013: [GGH + 13b], first candidate 2014-2016: [AGIS14, BGK + 14, BR14, MSW14, PST14, BMSZ16], with proofs in idealized models (the mmap is supposed to be somehow ideal) 2016: [MSZ16], attack against all candidates above except [GGH + 13b] 2016: [GMM + 16], proof in a weaker idealized model (captures [MSZ16]) M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 5/23

  13. History (branching program obfuscators based on GGH13) Some candidate iO for all circuits and attacks: 2013: [GGH + 13b], first candidate 2014-2016: [AGIS14, BGK + 14, BR14, MSW14, PST14, BMSZ16], with proofs in idealized models (the mmap is supposed to be somehow ideal) 2016: [MSZ16], attack against all candidates above except [GGH + 13b] 2016: [GMM + 16], proof in a weaker idealized model (captures [MSZ16]) 2017: [CGH17], attack against [GGH + 13b] (in input-partitionable case) 2017: [FRS17], prevent [CGH17] attack M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 5/23

  14. State of the art and contributions Circuit iO (using Branching program obfuscators obfuscators GGH13) [AGIS14, MSW14] [GMM + 16] [Zim15, AB15] [GGH + 13b] [BR14] [PST14, BGK + 14] Attacks [DGG + 16] [BMSZ16] [MSZ16] � � [CGH17] ⋆ � This work 1 † � � � � [CHKL18] This work 2 ‡ � � � [Pel18] ⋆ for input-partitionable branching programs ‡ in the quantum setting † for specific choices of parameters M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 6/23

  15. Outline Simple obfuscator 1 GGH13 multilinear map 2 Contributions 3 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 7/23

  16. Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 8/23

  17. Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2 ℓ matrices A i , b (for i ∈ { 1 , . . . , ℓ } and b ∈ { 0 , 1 } ), two vectors A 0 and A ℓ +1 , a function inp : { 1 , . . . , ℓ } → { 1 , . . . , r } (where r is the size of the input). x = 0 1 1 i 1 2 3 4 5 6 inp( i ) 1 1 2 1 3 2 A 1 , 1 A 2 , 1 A 3 , 1 A 4 , 1 A 5 , 1 A 6 , 1 A 0 A 7 A 1 , 0 A 2 , 0 A 3 , 0 A 4 , 0 A 5 , 0 A 6 , 0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 8/23

  18. Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2 ℓ matrices A i , b (for i ∈ { 1 , . . . , ℓ } and b ∈ { 0 , 1 } ), two vectors A 0 and A ℓ +1 , a function inp : { 1 , . . . , ℓ } → { 1 , . . . , r } (where r is the size of the input). x = 0 1 1 i 1 2 3 4 5 6 inp( i ) 1 1 2 1 3 2 A 1 , 1 A 2 , 1 A 3 , 1 A 4 , 1 A 5 , 1 A 6 , 1 A 0 A 7 A 1 , 0 A 2 , 0 A 3 , 0 A 4 , 0 A 5 , 0 A 6 , 0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 8/23

  19. Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2 ℓ matrices A i , b (for i ∈ { 1 , . . . , ℓ } and b ∈ { 0 , 1 } ), two vectors A 0 and A ℓ +1 , a function inp : { 1 , . . . , ℓ } → { 1 , . . . , r } (where r is the size of the input). x = 0 1 1 i 1 2 3 4 5 6 ↑ inp( i ) 1 1 2 1 3 2 A 1 , 1 A 2 , 1 A 3 , 1 A 4 , 1 A 5 , 1 A 6 , 1 A 0 × A 1 , 0 A 7 A 2 , 0 A 3 , 0 A 4 , 0 A 5 , 0 A 6 , 0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 8/23

  20. Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2 ℓ matrices A i , b (for i ∈ { 1 , . . . , ℓ } and b ∈ { 0 , 1 } ), two vectors A 0 and A ℓ +1 , a function inp : { 1 , . . . , ℓ } → { 1 , . . . , r } (where r is the size of the input). x = 0 1 1 i 1 2 3 4 5 6 ↑ inp( i ) 1 1 2 1 3 2 A 1 , 1 × A 2 , 0 A 2 , 1 A 3 , 1 A 4 , 1 A 5 , 1 A 6 , 1 A 0 × A 1 , 0 A 7 A 3 , 0 A 4 , 0 A 5 , 0 A 6 , 0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 8/23

  21. Branching programs A branching program is a way of representing a function (like a Turing machine, or a circuit). A Branching Program (BP) is a collection of 2 ℓ matrices A i , b (for i ∈ { 1 , . . . , ℓ } and b ∈ { 0 , 1 } ), two vectors A 0 and A ℓ +1 , a function inp : { 1 , . . . , ℓ } → { 1 , . . . , r } (where r is the size of the input). x = 0 1 1 i 1 2 3 4 5 6 ↑ inp( i ) 1 1 2 1 3 2 A 1 , 1 × A 2 , 0 A 2 , 1 × A 3 , 0 A 3 , 1 A 4 , 1 A 5 , 1 A 6 , 1 A 0 × A 1 , 0 A 7 A 4 , 0 A 5 , 0 A 6 , 0 M. Hhan, A. Pellet-Mary Cryptanalysis of branching program obfuscators Crypto 2018 8/23

Recommend

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Program control constructs Branching using if endif and select case loops (repeated

Program control constructs Branching using if endif and select case loops (repeated

Program control constructs Branching using if endif and select case loops (repeated execution of code segments); do enddo Jumps with goto label# Branching with if endif if endif If (logical_a) then

420 views • 11 slides
CHAPTER XIV PROGRAM CONTROL, JUMPING, AND BRANCHING READ BRANCHING FREE-DOC ON COURSE WEBPAGE

CHAPTER XIV PROGRAM CONTROL, JUMPING, AND BRANCHING READ BRANCHING FREE-DOC ON COURSE WEBPAGE

INTRO. TO COMP. ENG. CHAPTER XIV CHAPTER XIV-1 PROGRAM CONTROL CHAPTER XIV PROGRAM CONTROL, JUMPING, AND BRANCHING READ BRANCHING FREE-DOC ON COURSE WEBPAGE R.M. Dansereau; v.1.0 PROGRAM CONTROL INTRO. TO COMP. ENG. PROGRAM CONTROL

383 views • 36 slides
Branching Announcements HW0 is due Thursday: - Make sure program looks exactly like sample

Branching Announcements HW0 is due Thursday: - Make sure program looks exactly like sample

Branching Announcements HW0 is due Thursday: - Make sure program looks exactly like sample output (scripts will do grading) - Also follow proper naming - MAKE SURE IT COMPILES ON CSELABS MACHINE Labs : - Normal problems: Worth 1 point -

647 views • 54 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Tecniche di Specifica e di Verifica Branching Time Temporal Logics I 1 Outline CTL ( C

Tecniche di Specifica e di Verifica Branching Time Temporal Logics I 1 Outline CTL ( C

Tecniche di Specifica e di Verifica Branching Time Temporal Logics I 1 Outline CTL ( C omputation T ree L ogic) Branching Time Unwindings --- computation trees Syntax and semantics of CTL. 2 Branching Time Structures

1.49k views • 112 slides
Conflict-Based Selection Conflict-Based Selection of Branching Rules in of Branching Rules in

Conflict-Based Selection Conflict-Based Selection of Branching Rules in of Branching Rules in

Conflict-Based Selection Conflict-Based Selection of Branching Rules in of Branching Rules in SAT Algorithms SAT Algorithms Marc Herbstritt Bernd Becker Institute of Computer Science Albert-Ludwigs-Universitt Freiburg im Breisgau Where

623 views • 26 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gatan Leurent Inria, France DIAC 2014 2 / 9 Description of LAC DIAC

1.04k views • 36 slides
Branching Program size lower bounds via Projective Dimension Sajin Koroth (joint work with

Branching Program size lower bounds via Projective Dimension Sajin Koroth (joint work with

Branching Program size lower bounds via Projective Dimension Sajin Koroth (joint work with Krishnamoorthy Dinesh and Jayalal Sarma) Indian Institute of Technology, Madras Theory Lunch, Technion Sajin Koroth (joint work with Krishnamoorthy

1.2k views • 103 slides
Branching within branching: a general model for host-parasite co-evolution Gerold Alsmeyer (joint

Branching within branching: a general model for host-parasite co-evolution Gerold Alsmeyer (joint

Model The ABPRE Extinction results Survival case Branching within branching: a general model for host-parasite co-evolution Gerold Alsmeyer (joint work with S oren Gr ottrup) May 15, 2017 Gerold Alsmeyer Host-parasite co-evolution 1

538 views • 26 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides
Branching for PDEs Xavier Warin CEMRACS July Xavier Warin Branching for PDEs

Branching for PDEs Xavier Warin CEMRACS July Xavier Warin Branching for PDEs

Branching for PDEs Xavier Warin CEMRACS July Xavier Warin Branching for PDEs CEMRACS July 1 / 94 The StOpt Library Table of contents 1 The StOpt Library 2 Branching for KPP equations 3 Generalization of KPP

1.2k views • 96 slides
Branching type processes with Stationary Ergodic Immigration Eitan Altman MAESTRO group,

Branching type processes with Stationary Ergodic Immigration Eitan Altman MAESTRO group,

E. Altman: Branching Processes with Non-Markov Migration 1 Branching type processes with Stationary Ergodic Immigration Eitan Altman MAESTRO group, INRIA, France Dec 2008 E. Altman: Branching Processes with

1.17k views • 61 slides
Ch.3: Functions and branching Ole Christian Lingjrde, Dept of Informatics, UiO September 4-8,

Ch.3: Functions and branching Ole Christian Lingjrde, Dept of Informatics, UiO September 4-8,

Ch.3: Functions and branching Ole Christian Lingjrde, Dept of Informatics, UiO September 4-8, 2017 (PART 2) Todays agenda A small quiz Live-programming of exercises 3.20, 3.23, 3.28 More about functions + branching Quiz 1 If a =

519 views • 38 slides
Branching and Merging SWEN-610 Introduction to Software Engineering Department of Software

Branching and Merging SWEN-610 Introduction to Software Engineering Department of Software

Branching and Merging SWEN-610 Introduction to Software Engineering Department of Software Engineering Rochester Institute of Technology Version control branching supports the ability to manage software releases. At the end of a sprint,

411 views • 12 slides
Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany Department of Information and Computer Science, Aalto University School of Science, Finland FSE 2014 1 / 21 Outline Introduction Slide Cryptanalysis

712 views • 49 slides
Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit des Systmes dInformation 2 Ingenico FSE 2009 - February 22-25 - Leuven Thomas Fuhr , Thomas Peyrin Cryptanalysis

567 views • 28 slides
Git Branching for Continuous Delivery Sarah Goff-Dupont Developer Advocate & Agile Delivery

Git Branching for Continuous Delivery Sarah Goff-Dupont Developer Advocate & Agile Delivery

extreme ^ Git Branching for Continuous Delivery Sarah Goff-Dupont Developer Advocate & Agile Delivery Nerd @DevToolSuperFan not afraid to ham it up in photos Agenda Git + CD = BFFs 1 Branching models 2 Pointers & pro-tips 3

609 views • 36 slides

More recommend