Cryptanalyses of Candidate Branching Program Obfuscators
Yilei Chen, Craig Gentry, Shai Halevi
Eurocrypt 2017
1976, Diffie, Hellman: "We stand today on the brink of a revolution in cryptography."

2013, Garg, Gentry, Halevi, Raykova, Sahai, Waters: We didn't say "we stand today on the brink of another revolution in cryptography", but it is happening.
iO

iO => fancy applications, new ways of thinking in cryptography: OWF, TDP, full-domain hash, NIKE, traitor tracing, FE, adaptive FE, multi-input FE, MPC, adaptive MPC, communication-efficient MPC, better MPC, deniable encryption, garbled Turing machine, succinct RE, garbled RAM, succinct garbled RAM, polynomially-many hardcore bits for any OWF, ZAPs and NIWI, constant-round zero-knowledge proofs, traitor tracing, PPAD hardness, watermarking, fully-homomorphic encryption, self-bilinear maps, multilinear maps, correlation intractability, Fiat-Shamir, UCE, counterexamples for UCE, adaptive succinct garbled RAM, time-lock puzzle, iO combiner

??????? => iO candidates

Candidate multilinear maps => iO candidates

How much do we know about multilinear maps, and the iO candidates based on them?
Multilinear maps in cryptography
2003 Boneh, Silverberg: motives
2013 Garg, Gentry, Halevi: first candidate
2013 Coron, Lepoint, Tibouchi: second candidate
2015 Gentry, Gorbunov, Halevi: third candidate
Status of candidate multilinear maps GGH13, CLT13, GGH15: even the "one-wayness" of these schemes is not understood.

Two benchmarks: key exchange and indistinguishability obfuscation.

Scheme | Key exchange (needs public sampling) | iO [GGHRSW '13] (no public sampling needed)
GGH13  | Broken [Hu, Jia '16]                 | Broken for simpler variants [Miles et al '16]
CLT13  | Broken [Cheon et al '15]             | Broken for some programs [Coron et al '15]
GGH15  | Broken [Coron et al '16]             | ?
In this work we show new attacks:

Scheme | Key exchange (needs public sampling) | iO [GGHRSW '13] (no public sampling needed)
GGH13  | Broken [Hu, Jia '16]                 | New attack [CGH '17]
CLT13  | Broken [Cheon et al '15]             | Broken for some programs [Coron et al '15]
GGH15  | Broken [Coron et al '16]             | New attack [CGH '17]

Feature of the new attacks: zeroizing attack [Cheon et al '15] + exploiting the weakness inside the obfuscation.
Plan for the rest of the talk
Review GGHRSW13 obfuscation
Analyze GGHRSW + GGH15
Analyze GGHRSW + GGH13 (very briefly)
Candidate iO from [Garg-Gentry-Halevi-Raykova-Sahai-Waters '13]
(0) Representation of plaintext program: oblivious branching program
(1) Safeguard 1: Kilian randomization [Kilian 88]
(2) Safeguard 2: bundling scalars (against mix-input attack)
(3) Safeguard 3
(4) Wrap (0-3) by multilinear maps (GGH13, CLT13, or GGH15)
Safeguards aim at randomizing the plaintext program and preventing illegal operations; the mmaps are the source of "computational hardness".

[Figure: a 4-step oblivious branching program; step $i$ reads input bit $i_1, i_2, i_1, i_2$ respectively. "Function branch": matrices $B_{i,b}$ for $i = 1, \dots, 4$ and $b \in \{0,1\}$; evaluate: $\prod B = I$? "Dummy branch": matrices $B'_{i,b}$ with all $B'_{u,v} = I$.]

[Figure, after Kilian randomization with random matrices $K$, $K'$: the function branch at input bit $b$ becomes $B_{1,b} K_1,\; K_1^{-1} B_{2,b} K_2,\; K_2^{-1} B_{3,b} K_3,\; K_3^{-1} B_{4,b}$, and the dummy branch becomes $B'_{1,b} K'_1,\; K'^{-1}_1 B'_{2,b} K'_2,\; K'^{-1}_2 B'_{3,b} K'_3,\; K'^{-1}_3 B'_{4,b}$.]

[Figure, after bundling scalars: the $i$-th matrix of the function branch is multiplied by a scalar $a_{i,b}$, e.g. $a_{1,b} B_{1,b} K_1,\; a_{2,b} K_1^{-1} B_{2,b} K_2,\; a_{3,b} K_2^{-1} B_{3,b} K_3,\; a_{4,b} K_3^{-1} B_{4,b}$, and likewise $a'_{i,b}$ on the dummy branch, subject to the constraints that tie together the steps reading the same input bit:
$a_{1,1} a_{3,1} = a'_{1,1} a'_{3,1}$, $a_{1,0} a_{3,0} = a'_{1,0} a'_{3,0}$, $a_{2,1} a_{4,1} = a'_{2,1} a'_{4,1}$, $a_{2,0} a_{4,0} = a'_{2,0} a'_{4,0}$.]
Spoiler: the scalar is the "Achilles' heel" exploited in our attack.
Candidate iO from [Garg-Gentry-Halevi-Raykova-Sahai-Waters '13]
(0) Representation of plaintext program: oblivious branching program
(1) Safeguard 1: Kilian randomization
(2) Safeguard 2: bundling scalars (against mix-input attack)
(3) Safeguard 3: random diagonal entries and bookends
(4) Wrap (0-3) by multilinear maps (GGH13, CLT13, or GGH15)

[Figure, after adding the bookends $J$, $L$ (and $J'$, $L'$ on the dummy branch): the function branch at input bit $b$ reads $a_{1,b} J B_{1,b} K_1,\; a_{2,b} K_1^{-1} B_{2,b} K_2,\; a_{3,b} K_2^{-1} B_{3,b} K_3,\; a_{4,b} K_3^{-1} B_{4,b} L$, and the dummy branch reads $a'_{1,b} J' B'_{1,b} K'_1,\; a'_{2,b} K'^{-1}_1 B'_{2,b} K'_2,\; a'_{3,b} K'^{-1}_2 B'_{3,b} K'_3,\; a'_{4,b} K'^{-1}_3 B'_{4,b} L'$; step $i$ still reads input bit $i_1, i_2, i_1, i_2$.]
Zoom in: random diagonal entries and bookends

[Figure: the matrix $B_{2,1}$ is embedded in a larger block-diagonal matrix (the surrounding blocks are labelled $U$ and $V$ in the figure) carrying random diagonal entries, written $[vB_{2,1}]$ below, and then sandwiched as $a_{2,1} K_1^{-1} [vB_{2,1}] K_2$; $J$ and $L$ are the bookends.]

The obfuscated program, for a branching program of length $h$:

$b = 1$: $S_{1,1}, S_{2,1}, \dots, S_{h,1}$
$b = 0$: $S_{1,0}, S_{2,0}, \dots, S_{h,0}$
input bit read: $i_1, i_2, \dots, i_h$

where
$S_{1,1} = a_{1,1}\, J\,[vB_{1,1}]\, K_1$
$S_{2,1} = a_{2,1}\, K_1^{-1}\,[vB_{2,1}]\, K_2$
$\dots$
$S_{h,1} = a_{h,1}\, K_{h-1}^{-1}\,[vB_{h,1}]\, L$
Spoiler: the random diagonal entries were thought to be what stops the previous attack on GGH13-based candidates.
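As an added illustration (not code from the paper or the talk), the following toy Python model implements safeguards 1 and 2 in the clear over $\mathbb{Z}_p$ for the 4-step program above, omitting safeguard 3 and the multilinear-map encoding; it shows that Kilian randomization is transparent to honest evaluation, while the bundling-scalar constraints make a mixed-input product nonzero even when the underlying matrix product is the identity. The prime modulus, the 2x2 matrices and the SWAP-based program are constructed assumptions.

```python
import random

P = 1_000_003              # constructed prime modulus for the toy field Z_p
H, INP = 4, [0, 1, 0, 1]   # 4 steps; step i reads input bit x[INP[i]] (pattern 1,2,1,2)
I2, SWAP = [[1, 0], [0, 1]], [[0, 1], [1, 0]]

def mul(A, B):  # 2x2 matrix product over Z_p
    return [[sum(A[r][k] * B[k][c] for k in range(2)) % P for c in range(2)] for r in range(2)]
def scale(s, A):
    return [[s * x % P for x in row] for row in A]
def inv(A):  # inverse of an invertible 2x2 matrix via the adjugate
    d = pow((A[0][0] * A[1][1] - A[0][1] * A[1][0]) % P, -1, P)
    return scale(d, [[A[1][1], -A[0][1] % P], [-A[1][0] % P, A[0][0]]])

def rand_invertible():
    while True:
        K = [[random.randrange(P) for _ in range(2)] for _ in range(2)]
        if (K[0][0] * K[1][1] - K[0][1] * K[1][0]) % P:
            return K

def randomize(B, a):
    """Safeguards 1+2: S_1 = a B_1 K_1, S_i = a K_{i-1}^{-1} B_i K_i, S_h = a K_{h-1}^{-1} B_h."""
    K = [rand_invertible() for _ in range(H - 1)]
    S = {}
    for i in range(H):
        for b in (0, 1):
            M = B[i][b] if i == 0 else mul(inv(K[i - 1]), B[i][b])
            S[i, b] = scale(a[i][b], mul(M, K[i]) if i < H - 1 else M)
    return S

def obfuscate():
    # Function branch (constructed): B_1 = SWAP^b, B_2 = SWAP^b, B_3 = B_4 = I, so prod B = I iff x[0] == x[1].
    B = [[I2, SWAP], [I2, SWAP], [I2, I2], [I2, I2]]
    a = [[random.randrange(1, P) for _ in (0, 1)] for _ in range(H)]
    # Dummy branch: all matrices I; scalars a' chosen so that, per input bit, the product of
    # scalars over the steps reading it matches: a_{1,b} a_{3,b} = a'_{1,b} a'_{3,b}, and steps 2,4 alike.
    ad = [[random.randrange(1, P) for _ in (0, 1)] for _ in range(H)]
    for i in (2, 3):
        for b in (0, 1):
            ad[i][b] = a[i - 2][b] * a[i][b] * pow(ad[i - 2][b], -1, P) % P
    return randomize(B, a), randomize([[I2, I2]] * H, ad)

def evaluate(obf, bits):
    """bits[i] is the bit fed to step i; an honest evaluator uses bits = [x[j] for j in INP]."""
    func, dummy = obf
    F, D = I2, I2
    for i in range(H):
        F, D = mul(F, func[i, bits[i]]), mul(D, dummy[i, bits[i]])
    diff = [[(f - d) % P for f, d in zip(fr, dr)] for fr, dr in zip(F, D)]
    return all(v == 0 for row in diff for v in row)  # True iff the two branch products agree
```

For honest inputs the K's cancel and the scalar products on both branches coincide, so the zero test reports exactly whether $\prod B = I$; for a mixed input such as bits $(1,1,0,0)$ the matrix product is $I$ but the scalar products differ, so the test fails.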