Cryptanalysis of the New CLT Multilinear Map over the Integers
(Cryptanalysis of CLT15 Maps)
May 11, 2016

Jung Hee Cheon (1), Pierre-Alain Fouque (2, 3), Changmin Lee (1), Brice Minaud (2), Hansol Ryu (1)
(1) Seoul National University, Seoul, Korea
(2) Université de Rennes 1, Rennes, France
(3) Institut Universitaire de France, Paris, France

Multilinear Maps

A $\kappa$-multilinear map is a map $e : G_1 \times \cdots \times G_\kappa \to G_T$, which has the following property:
$$e(g_1, \cdots, \alpha \cdot g_i, \cdots, g_\kappa) = \alpha \cdot e(g_1, \cdots, g_\kappa) \quad \text{for } 1 \le i \le \kappa.$$

Hardness Assumptions
MDDH: Given $(\kappa + 1)$ encodings of $m_0, \cdots, m_\kappa$ and an encoding of $m$, determine whether $m = \prod_{i=0}^{\kappa} m_i$.

Applications
+ Witness encryption, functional encryption, efficient broadcast encryption, ...

Multilinear Maps over the Integers

Vs. from ideal lattices:
- Conceptual simplicity
- Relative efficiency
- Wide range of presumed hard problems

Scheme / Attack:
- CLT13 / CHLRS15
- GGHZ14, BWZ14 / CGH+15
- CLT15 / Ours

Result
Given an instance of CLT15, one can find all secret parameters of the CLT15 scheme in polynomial time with overwhelming probability.

CLT15 Multilinear Map

CLT15: Construction

Algebraic setting:
Secret: Primes $p_1, \cdots, p_n$ and $g_1, \cdots, g_n$ with $g_i \ll p_i$; $x_0 = \prod_i p_i$ and invertible $z \in \mathbb{Z}_{x_0}$.
Public: Zero-testing modulus $N$ with $N \gg x_0$.

Encoding:
A level-$k$ encoding of $(m_1, \cdots, m_n) \in \mathbb{Z}_{g_1} \times \cdots \times \mathbb{Z}_{g_n}$ is
$$e = \mathrm{CRT}_{(p_i)}\!\left(\frac{r_i g_i + m_i}{z^k}\right) + a x_0 \equiv \frac{r_i g_i + m_i}{z^k} \bmod p_i.$$

CLT15: Zero-testing

Define
$$u_i = \left[\frac{g_i}{z^\kappa}\left(\frac{x_0}{p_i}\right)^{-1}\right]_{p_i} \cdot \frac{x_0}{p_i}, \qquad v_i = [p_{zt} \cdot u_i]_N \ \text{ for } i = 1, \cdots, n, \qquad v_0 = [p_{zt} \cdot x_0]_N.$$
Then
$$e = \mathrm{CRT}_{(p_i)}\!\left(\frac{r_i g_i + m_i}{z^\kappa}\right) = \sum_i [r_i + m_i/g_i]_{p_i}\, u_i + a x_0,$$
and $|v_i| \approx N/p_i$, $|v_0| \ll N$. So
$$[p_{zt} \cdot e]_N = \left[\sum_i [r_i + m_i/g_i]_{p_i}\, v_i + a v_0\right]_N.$$
If $e$ is an encoding of zero,
$$[p_{zt} \cdot e]_N = \left[\sum_i [r_i + 0/g_i]_{p_i}\, v_i + a v_0\right]_N = \sum_i r_i v_i + a v_0 \ll N.$$

CHLRS Attack: When $x_0$ is Known

Given $x = \mathrm{CRT}_{(p_i)}(x_i g_i / z)$, $y = \mathrm{CRT}_{(p_i)}(y_i / z^{\kappa-1})$, $c = \mathrm{CRT}_{(p_i)}(c_i)$, compute
$$e = xcy \bmod x_0 = \mathrm{CRT}_{(p_i)}(x_i c_i y_i g_i / z^\kappa),$$
$$[p_{zt} \cdot e]_N = \sum_i x_i c_i v_i y_i + a v_0,$$
and
$$[p_{zt} \cdot e]_N \equiv \sum_i x_i c_i v_i y_i = (x_i) \cdot \mathrm{diag}(c_1 v_1, \ldots, c_n v_n) \cdot (y_i) \pmod{v_0}.$$
From this matrix equation, we can get $c_i$. Then $(c - c_i)$ is a multiple of $p_i$.

CHLRS Attack: When $x_0$ is Known

The same slide, with the matrices $X$ and $Y$ in place of $x_i$ and $y_i$ in the matrix equation:
$$X \cdot \mathrm{diag}(c_1 v_1, \ldots, c_n v_n) \cdot Y \pmod{v_0}.$$

CHLRS Attack: When $x_0$ is Unknown

We cannot reduce the size of the encoding.
$$e = xcy = \sum_i x_i c_i y_i u_i + a x_0,$$
$$[p_{zt} \cdot e]_N = \left[\sum_i x_i c_i y_i v_i + a v_0\right]_N,$$
and $\sum_i x_i c_i y_i v_i + a v_0 > N$, since $a \approx x_0^2$.
- Correctness of zero-testing does not hold.
- Previous attack does not work.
- Need to reduce the size of encodings in order to perform zero-testing.

CLT15: Multiplication using Ladder

Note that for a given level-$s$ encoding $e = \mathrm{CRT}_{(p_i)}\!\left(\frac{r_i g_i + m_i}{z^s}\right)$ and level-$(\kappa - s)$ encoding $e' = \mathrm{CRT}_{(p_i)}\!\left(\frac{r'_i g_i + m'_i}{z^{\kappa - s}}\right)$,
$$e \cdot e' \equiv \mathrm{CRT}_{(p_i)}\!\left(\frac{r''_i g_i + m_i m'_i}{z^\kappa}\right) \pmod{x_0}.$$
However, the size of $e \cdot e' \approx x_0^2$.

Ladder in each level: encodings of zero
$$X_0 < X_1 < \cdots < X_{\gamma'} \quad \text{with } X_j \approx 2^j x_0.$$

CLT15: Multiplication using Ladder

Multiplication of two encodings $e$ and $e'$:
$$e_{mult} = e \cdot e' - \sum_j b_j X_j^{(t)} \equiv \frac{\tilde{r}_i g_i + m_i m'_i}{z^t} \bmod p_i, \qquad b_j \in \{0, 1\}, \qquad e_{mult} \approx x_0.$$

CHLRS Attack: Using Ladder

Given $x = \mathrm{CRT}_{(p_i)}(x_i g_i / z)$, $y = \mathrm{CRT}_{(p_i)}(y_i / z^{\kappa-1})$, $c = \mathrm{CRT}_{(p_i)}(c_i)$, compute
$$e = xyc - \sum_j b_j X_j = \sum_i (x_i c_i y_i + t_i)\, u_i + a' x_0$$
and
$$[p_{zt} \cdot e]_N = \sum_i (x_i c_i y_i + t_i)\, v_i + a' v_0.$$
In matrix form:
$$X \cdot \mathrm{diag}(c_1 v_1, \ldots, c_n v_n) \cdot Y + T + A' \cdot v_0.$$
$T$ and $A'$ are unknown matrices, so it looks hard to obtain $c_i$.

Cryptanalysis of CLT15

Attack Idea

Compute $v_0 \in \mathbb{Z}$ and recover $x_0$.
$$p_{zt} \cdot \Big(e - \sum_j b_j X_j\Big) \bmod N = \sum_i (r_i + t_i)\, v_i + a v_0.$$
1. Remove $t_i$ using $p_{zt} \cdot X_j$.
2. Compute $v_0 \in \mathbb{Z}$ from several equations modulo unknown $v_0$.

Step 1: Remove $t_i$

$$p_{zt} \cdot \Big(e - \sum_j b_j X_j\Big) \bmod N = \sum_i (r_i + t_i)\, v_i + (a + a')\, v_0 = \sum_i r_i v_i + a v_0 + \Big(\sum_i t_i v_i + a' v_0\Big).$$
Define a map $\varphi$,
$$\varphi : \sum_i r_i u_i + a x_0 \longmapsto \sum_i r_i v_i + a v_0,$$
and compute
$$\varphi\Big(-\sum_j b_j X_j\Big) = \sum_i t_i v_i + a' v_0.$$

Step 1: Remove $t_i$

Proposition 1
If $e$ is an encoding of zero and $e \approx x_0$, then $\varphi(e) = p_{zt} \cdot e \bmod N$.

Proposition 2
Let $e = \sum_i r_i u_i + a x_0$, $e' = \sum_i r'_i u_i + a' x_0$. If $\forall i$, $-p_i/2 < r_i + r'_i \le p_i/2$, then $\varphi(e + e') = \varphi(e) + \varphi(e')$.

The conditions in Proposition 2 are also required for the correctness of the scheme to hold.

Step 1: Remove $t_i$

$$\varphi\Big(\sum_j b_j X_j\Big) = \sum_j b_j \cdot \varphi(X_j)$$
Compute individual $\varphi(X_j)$.
1. $\varphi(X_0) = p_{zt} \cdot X_0 \bmod N$ by Prop 1.
2. $\varphi(X_1 - X_0) = \varphi(X_1) - \varphi(X_0)$ by Prop 2 since $(X_1 - X_0)$ is small.
3. Continue this process to get all $\varphi(X_j)$'s.

$$X \cdot \mathrm{diag}(c_1 v_1, \ldots, c_n v_n) \cdot Y + T + A' \cdot v_0$$

$$X \cdot \mathrm{diag}(c_1 v_1, \ldots, c_n v_n) \cdot Y + A \cdot v_0$$

Step 2: Compute $v_0$

$$x = \mathrm{CRT}_{(p_i)}\!\left(\frac{x_i g_i}{z}\right), \qquad y = \mathrm{CRT}_{(p_i)}\!\left(\frac{y_i}{z^{\kappa-1}}\right)$$
$$\varphi(xy) = \sum_i x_i v_i y_i + a^* v_0$$
$$(x_i) \cdot \mathrm{diag}(v_1, \ldots, v_n) \cdot (y_i) \quad \text{in } \mathbb{Z}_{v_0}$$

Step 2: Compute $v_0$

The same slide, with the matrices $X$ and $Y$ in place of $x_i$ and $y_i$:
$$X \cdot \mathrm{diag}(v_1, \ldots, v_n) \cdot Y \quad \text{in } \mathbb{Z}_{v_0}$$

Step 2: Compute $v_0$

$$W = X \cdot \mathrm{diag}(v_1, \ldots, v_n) \cdot Y \quad \text{in } \mathbb{Z}_{v_0}$$
$W$ is not a full-rank matrix when embedded into $\mathbb{Z}_{v_0}$, so $v_0$ divides $\det(W)$.
Compute $v_0$ and $x_0 = v_0 \cdot p_{zt}^{-1} \bmod N$.

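Step 2 as an added toy example in Python, not code from the slides or from the authors: it assumes $X$ has $n+1$ rows and $Y$ has $n+1$ columns (dimensions the slide does not state), so $X \cdot \mathrm{diag}(v_i) \cdot Y$ has rank at most $n$ and $\det(W)$ vanishes modulo $v_0$. All parameters are constructed toy values, and the names sample_W, multiple_of_v0 and x0_from_v0 are hypothetical.

```python
import random
from math import gcd

def det_bareiss(M):
    """Exact integer determinant by fraction-free (Bareiss) elimination."""
    M = [row[:] for row in M]
    n, sign, prev = len(M), 1, 1
    for k in range(n - 1):
        if M[k][k] == 0:  # swap in a row with a non-zero pivot
            r = next((r for r in range(k + 1, n) if M[r][k]), None)
            if r is None:
                return 0
            M[k], M[r], sign = M[r], M[k], -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                M[i][j] = (M[i][j] * M[k][k] - M[i][k] * M[k][j]) // prev
        prev = M[k][k]
    return sign * M[-1][-1]

def sample_W(n, v, v0, rng):
    """Constructed table of phi(x_j * y_k): X * diag(v) * Y + v0 * A over Z.
    Assumption: X is (n+1) x n and Y is n x (n+1), so rank(X diag(v) Y) <= n."""
    m = n + 1
    X = [[rng.randrange(1, 100) for _ in range(n)] for _ in range(m)]
    Y = [[rng.randrange(1, 100) for _ in range(m)] for _ in range(n)]
    return [[sum(X[j][i] * v[i] * Y[i][k] for i in range(n))
             + rng.randrange(1, 100) * v0 for k in range(m)] for j in range(m)]

def multiple_of_v0(mats):
    """gcd of det(W) over several W; every det(W) is 0 modulo v0."""
    g = 0
    for W in mats:
        g = gcd(g, det_bareiss(W))
    return g

def x0_from_v0(v0, p_zt, N):
    """Last step on the slide: x0 = v0 * p_zt^{-1} mod N."""
    return v0 * pow(p_zt, -1, N) % N

# Constructed toy parameters, far smaller than real CLT15 sizes.
N = 2**61 - 1                   # prime standing in for the modulus N
X0 = 1009 * 1013 * 1019         # toy x0 = p1 * p2 * p3
V0 = 1000003                    # toy v0
P_ZT = V0 * pow(X0, -1, N) % N  # chosen so that [p_zt * x0]_N = v0
V = [7919, 10007, 12343]        # toy v_1, v_2, v_3
rng = random.Random(2016)
MATS = [sample_W(3, V, V0, rng) for _ in range(6)]
G = multiple_of_v0(MATS)        # v0 times a (typically small) cofactor
```

The gcd is guaranteed to be a multiple of the toy $v_0$; any leftover cofactor is removed in practice by taking more matrices or dividing out small factors.
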
Summary of Current Multilinear Maps Attack

Scheme                  | Key Exchange (w/ low-level enc(0)) | iO (w/o low-level enc(0))
Ideal Lattice: GGH13    | HJ16                               | ABD16, CJL16, MSZ16
Integers: CLT13         | CHLRS15                            | ?
Integers: CLT15         | Our work                           |
Graph-Induced: GGH15    | CLLT15                             | ?

ABD16, CJL16: break quantumly or up to degree $\lambda^{3-\epsilon}$ in time $< 2^{\lambda}$
MSZ16: only for a basic iO scheme

Further works:
- Cryptanalyze CLT13, GGH15 without low-level encoding of zero.
- Design a new multilinear map with reduction to standard hard problems.

Thank you