using GGH13 without ideals
Gu Chunsheng
School of Computer Engineering, Jiangsu University of Technology, China
{chunsheng_gu}@163.com
Abstract. Recently, Albrecht, Davidson and Larraia described a variant of the GGH13 without ideals and presented the distinguishing attacks in simplified branching program security model. Their result partially demonstrates that there seems to be a structural defect in the GGH13 encoding that is not related to the ideal hgi. However, it is not clear whether a variant of the CGH attack described by Chen, Gentry and Halevi can be used to break a branching program obfuscator instantiated by GGH13 without ideals. Consequently this is left as an open problem by Albrecht, Davidson and Larraia. In this paper, we describe a variant of the CGH attack which breaks the branching program obfuscator using GGH13 without ideals. To achieve this goal, we introduce matrix approx-imate eigenvalues and build a relationship between the determinant and the rank of a matrix with noise. Our result further strengthens the work of Albrecht, Davidson and Larraia that there is a structural weakness in ‘GGH13-type’ encodings beyond the presence ofhgi.
Keywords: Cryptanalysis, obfuscation, multilinear maps, approximate eigenvalue, determinant estimate
1
Introduction
Program obfuscation in cryptography makes programs unintelligible and keeps their functionality. In 2013, Garg et al. [20] described the first candidate con-struction for a general-purpose obfuscation. Since then many different obfus-cators are constructed [20,7,9,5,22,30,22], and they are all based on the three candidate graded encoding schemes (GES) (resp. GGH13, CLT13 and GGH15) [19,15,21,16,24]. Unfortunately, the GGH13, CLT13 and GGH15 have been proven to be vulnerable to zero attacks [19,13,10,6,25,17,14], attacks on the overstretched NTRU [1,12,26], and annihilation attacks [28,11].
Sahai [18] recently described a defense against input partitioning by applying stamping functions. On the other hand, Albrecht, Davidson and Larraia (ADL) [2] (added Pellet-Mary as author in the updated version in EPRINT [3]) investi-gated a structural vulnerability of the GGH13 encoding scheme. They proposed a variant of the GGH13 without ideals and presented the distinguishing attacks in simplified branching program and obfuscation security models. However, it is not clear whether a variant of the CGH annihilation attack by Chen, Gen-try and Halevi can be used to break a candidate branching program obfuscator instantiate by GGH13 without ideals [2,3].
1.1 Our work
Our main contribution is to describe a variant of the CGH attack which breaks a branching program obfuscator using GGH13 without ideals. The framework of our attack directly follows that of the CGH attack. The core step in the CGH attack is to solve a basis of ideal hgi, but we cannot perform this step since there are no ideals in the ADL-based obfuscator [2]. Moreover, we cannot find some exact ratios of the bundling scalars and distinguish the ADL-based BP obfuscator by using the rank of a matrix. This is because each entry of the matrix has noise. In order to implement the attack, we solve some approximate ratios of the bundling scalars and build a relationship between the determinant and the rank of a matrix with noise. Therefore, our result further indicates that the structural vulnerability of GGH13 encodings are beyond the presence of ideal.
Our second contribution is to introduce approximate eigenvalues of a matrix to solve the approximate ratios of the bundling scalars used in the ADL-based BP obfuscator. In the BP obfuscator using GGH13 without ideals [2], the multiplica-tive bundling scalars appear as an approximation factor. That is, when solving the ratios of these bundling scalars in this variant obfuscator, there are noises in the diagonal matrix consisting of the elements returned by the zero-testing procedure. Consequently we can not directly apply the characteristic polynomi-al of matrix to get the ratios of the bundling scpolynomi-alars, and polynomi-also can no longer compute their exact ratios. However, we observe that these matrices are diago-nal dominated matrix with noise and their inverses are also diagodiago-nal dominated matrix with noise. Using this matrix property, we can compute the approximate eigenvalue of the diagonally dominant matrix with noise, and consider them as the approximate ratio of the bundling scalars.
In addition, in the process of attacking a branching program obfuscator us-ing GGH13 without ideals, some matrix properties that we prove might be of independent interest.
Organization.In Section 2 we first recall some preliminaries. In Section 3 we give a branching program obfuscator using GGH13 without ideals. In Section 4 we provide some matrix properties. In Section 5 we describe cryptanalysis of the BP obfuscator using GGH13 without ideals. Finally we conclude the results in this paper.
2
Preliminaries
2.1 Notations
Let Z,Q,R denote the ring of integers, the field of rational numbers, and the
field of real numbers. Let a positive integer n be a power of 2. Notation [n] denotes the set {1,2, ..., n}. Let R =Z[x]/hxn+ 1i, R
q =Zq[x]/hxn+ 1i, and
K=Q[x]/hxn+ 1i. Vectors are denoted in bold lowercase (e.g.a), and matrices
in bold uppercase (e.g. A). We denote by a[j] the j-th entry of a, and A[i, j] the element of the i-th row and j-th column of A. We denote by kakp thep
-norm ofa and bykak the∞-norm. Similarly, fora∈Rwe letkakp (resp.kak)
denote the p-norm (resp.∞-norm) of the coefficient vector corresponding to a. ForA∈Rd×d, we define kAk
∞= max{kA[i, j]k, i, j∈[d]}.
Let [a]q = a mod q ∈ (−q/2, q/2]. Similarly, for a ∈ Zn (or a ∈ R ), [a]q
denotes each entry (or each coefficient)a[j]∈(−q/2, q/2] ofa (ora).
Given c ∈ Rn , σ > 0, the Gaussian distribution of a lattice L is defined
as DL,σ,c =ρσ,c(x)/ρσ,c(L) forx∈L , whereρσ,c(x) = exp(−πkx−ck22/σ 2)),
ρσ,c(L) = X
x∈Lρσ,c(x). In the following, we will write DL,σ,0 as DL,σ . We
denote a Gaussian sample as x← DL,σ (or d← DI,σ ) over the lattice L (or
ideal lattice I).
An elementa∈Ris calledη-bounded ifkak∞≤η. Moreover, it is easy to
ver-ify that for anyη-bounded elementsa1,· · ·ak ∈R, the elementa=
Yk
i=1ai is
(nk−1η)-bounded. By the work in [27], the elementx←D
Zn,σ,cisσ √
n-bounded with overwhelming probability. Therefore, we define the truncated Gaussian dis-tributionDZn,σ,cby sampling elements fromDZn,σ,c and repeating any samples that are notσ√n-bounded.
2.2 Branching programs
Let λ be the security parameter, κ = κ(λ), l = l(λ) and d = d(λ). Let inp : [κ]→[l]d be some fixed ‘input’ function. All current obfuscators only consider branching programs withd= 1 ord= 2 [20,7].
Definition 2.1.A matrix branching program BP of length κ, input length
l and aritydis defined as follows:
whereAk,xinp(k) ∈ {0,1}
w×w and|inp(k)|=d.
The branching program is associated with the functionfBP :{0,1}l→ {0,1},
which is defined as
fBP(x) =
0, if Yκ
k=1Axk,inp(k) =I;
1, if Yκ
k=1Axk,inp(k) 6=I.
A branching program BP is input partionable if its input bits can be parti-tioned into two or more independent subsets. We need the following observation in [11].
Lemma 2.2 (Lemma 2.2 [11]).Let BP be an input-partitioned branching program, [κ] =X||Y. Ifx, x0 ∈ {0,1}lare two zeros off
BPthat differ only in bits
that are mapped to steps inX. Then the product of the matrices corresponding to X generates the same result in the evaluation of BP on x and x0, namely
Y
k∈XAk,xinp(k) =
Y
k∈XAk,x
0
inp(k).
Similarly, ifx, x0 ∈ {0,1}l are two zeros of f
BP that differ only in bits that
are mapped to steps inY, then Y
k∈YAk,xinp(k) =
Y
k∈Y Ak,x
0
inp(k).
2.3 GGH13 without ideals
GGH13 overview. The encoding space of GGH13 is Rq =R/qR where q is
some big integer, and its plaintext space Rg = R/gR such that g is a small
element in R and is kept secret. An encoding of GGH13 takes the form y = (e+rg)/z modq, wherez is a random secret element inRq,eis the plaintext
element andr is some small random element.
The denominator z enables the levels of the GGH13 scheme. In this paper, we only consider the asymmetric case of GGH13 that uses many different de-nominatorszi. We say the encoding y is encoded at levelSi if the denominator
of y is zi. It is easy to see that additions and multiplications of encodings can
be carried out if they satisfy some level restriction. Namely, adding encodings indexed at the same levelSi generates an encoding at the levelSi, and
multiply-ing two encodmultiply-ings, indexed at the disjoint levelsSi, Sj, generates an encoding at
levelSi∪Sj.
The GGH13 scheme also provides a public zero-testing parameter pzt =
h· Yκ
i=1zi/g, where h ∈ R such that khk q. Given a top-level encoding
u indexed at level [κ], one can determine whether u encodes zero or not by computingpzt·uand checking if the result is small.
program has input partitioning. These works are all first to find a basis of the secret elementhgi.
GGH13 without ideals.We adaptively describe a variant of GGH13 without ideals in [2]. Let χ=DZn,σ be the error distribution. Let e∈R be a non-zero element with small coefficients, andr←χa random element sampled from the distributionχ. We sample zi uniformly fromRq for 1 ≤i≤κ, and sampleβi
such that κ+1√q <kβ
ik< κ
√
q.
An encoding ofeindexed at levelSitakes the formy= (e+r/βi)/zi modq,
where zi, βi enables the level structure. Obviously, the encodings also supports
addition and multiplication operations. For addition, lety1, y2be two encodings
indexed at same levelS⊂[κ], then their sum results in the encodingy=y1+y2
at the levelS. For multiplication, given two encodingsy1, y2at levelS1, S2⊂[κ]
respectively, their product generatesy=y1·y2 at the levelS1∪S2.
In this variant, the zero-test parameter is defined aspzt=
Yκ
i=1βizi.
Sim-ilarly, given a top-level encoding u, one can determine whetheruencodes zero or not by computingδ=pzt·uand checking if the resultδ is small.
3
BP Obfuscator using GGH13 without Ideals
Let BP := (κ, l, d,inp,{Ak,b}k∈[κ],b∈{0,1}) be the branching program to be
ob-fuscated, where directly usingd= 1 for notational simplicity. We obfuscate BP by GGHRSW [20] using instantiation of GGH13 without ideals as follows:
Step 1: Dummy branch.We introduce a “dummy branching program”:
BP0 := (κ, l, d,inp,{A0k,b}k∈[κ],b∈{0,1}),
where everyA0k,b=Iis the identity matrix in{0,1}w×w.
Step 2: Random diagonal entries and bookends. Let s = 2m+w, wherem=l+ 3 in the original GGHRSW scheme.
Fork ∈ [κ], we extend w×w-dimensional matrices into s×s-dimensional matrices
b
Ak,b =
Ek,b 0
0 Ak,b
, Ab
0
k,b =
E0k,b 0 0 A0k,b
,
where the diagonal matricesEk,b,E0k,b ∈R2σm×2m are chosen uniformly at
ran-dom from the plaintext space.
We also choose four “bookend” vectors as follows:
b
A0=0m,e
0,s
,
b
A00=
0m,e0
0,s0
,
b
Aκ+1=
eκ+1,0m,t
T
,
b
A0κ+1=e0κ+1,0m,t0
T
wheree0,e00,eκ+1,e0κ+1∈Rσm, ands,s0,t,t0 ∈Rwσ such thats·t
T =s0·t0T.
Step 3: Kilian randomization and bundling scalars.We first sample random scalars{0, 00, κ+1, 0κ+1, k,b, 0k,b←Rσ :k∈[κ], b∈ {0,1}}such that
αj,b=
Y
inp(k)=jk,b =
Y
inp(k)=j
0
k,b,
α0=0κ+1=000κ+1.
Then, we choose randomly unimodular matricesP0,P00,Pk,P0k∈Rsσ×s, k∈
[κ], and generate randomized matrices as follows:
e
A0=0Ab0P0
e
Ak,b=k,bP−k−11Abk,bPk
e
Aκ+1=κ+1P−κ1Abκ+1
,
e
A00=0
0Ab
0
0P
0
0,
e
A0k,b=0k,bP
0−1
k−1Ab
0
k,bP0k,
e
A0κ+1=0κ+1P0−κ 1Ab
0
κ+1
,
wherek∈[κ], b∈ {0,1}.
Step 4: Encoding using GGH13 without ideals.Fork= 0,· · · , κ+ 1, we sample uniformly invertible random elementszk∈Rq, andβk ∈Rsuch that
κ+3√q <kβkk< κ+2√q. We then choose at random vectorsR0,R0
0,Rκ+1,R0κ+1∈
Rσs, and matricesRk,b,R0k,b ∈R s×s
σ , and set
A0= (A0e +R0/β0)/z0
Ak,b= (Aek,b+Rk,b/βk)/zk
Aκ+1= (Aeκ+1+Rκ+1/βκ+1)/zκ+1·pzt
,
A00= (Ae
0
0+R
0
0/β0)/z0 A0k,b= (Ae
0
k,b+R
0
k,b/βk)/zk
A0κ+1= (Ae
0
κ+1+R0κ+1/βκ+1)/zκ+1·pzt
,
wherek∈[κ], b∈ {0,1}, andpzt=
Yκ+1
k=0βkzk.
Step 5: Output the obfuscation of BP.The obfuscation BP consists of the following matrices and vectors:
(
A0,{Ak,b}k∈[κ],b∈{0,1},Aκ+1 ,
A00,{A0k,b}k∈[κ],b∈{0,1},A 0
κ+1 .
Remark 3.1.(1) To perform Kilian randomization, we use the unimodular matricesPk,P0k. Since if choosingPk randomly, thenkP−k1 modβkk∞≈ kβkk
for k∈[κ]. Namely, by a change of variable transformation, we cannot rewrite the encodings as
Ak,b= (k,bP−k−11Abk,bPk+Rk,b/βk)/zk
= (k,bP−k−11(Abk,b+R0k,b/βk)Pk)/zk,
Because in this case kR0k,bk∞ = k−k,b1Pk−1Rk,bP−k1 modβkk∞ ≈ kβkk.
This point is different from the GGH13 encoding since g is small and hence so kP−k1 modgk∞. However for the elements returned by zero-testing, we can
writeR0k,b =−
1
k,bPk−1Rk,bP−k1 since now all the operations are in the fieldK.
(2) Alternatively, when choosing randomlyPk we can also take its adjugate
matrix adj(Pk) instead ofP−k1.
Evaluation.Given the obfuscation BP and an arbitrary input x∈ {0,1}l,
we compute an honest evaluation as follows:
δ=A0· Yκ
k=1Ak,xinp(k)·Aκ+1
= (β0A0e +R0)· Yκ
k=1(βkAek,xinp(k)+Rk,xinp(k))·(βκ+1Aeκ+1+Rκ+1),
=αβ·sYκ
k=1Ak,xinp(k)t
T +o(β)
δ0 =A00· Yκ
k=1A
0
k,xinp(k)·A
0
κ+1
= (β0Ae
0
0+R
0
0)·
Yκ
k=1(βkAe
0
k,xinp(k)+R
0
k,xinp(k))·(βκ+1Ae
0
κ+1+R
0
κ+1),
=αβ·s0t0T +o(β)
whereα= Yl
j=1αj,xj andβ=
Yκ+1
j=0βj.
If Yκ
k=1Ak,xinp(k) =I, then kδ−δ
0k < qκκ+1+2 and BP(x) = 1. Otherwise,
BP(x) = 0.
4
Matrix Properties
In this section, we give some matrix properties. Let γ, δ be positive numbers such that δ/γ≤2−O(λ). For simplicity,we denoteR
A[i] = X
j6=i|A[i, j]| in the
following.
A permutation p = (p1, p2,· · ·, pn) of the numbers (1,2,· · · , n) is any
re-arrangement. The parity of a permutationpis the one of the number of inter-changes to restorepto natural order. Consequently, the sign of a permutationp
is defined to be the number
π(p) = (
+1 if the parity ofpis even, −1 if the parity ofpis odd.
Given a n×n-dimensional matrix A = (A[i, j]), the determinant of A is defined to be the scalar
det(A) = X
p
π(p)
n
Y
i=1
where the sum is taken over then! permutationspof (1,2,· · · , n).
Lemma 4.1 Determinant Inequality.Suppose thatAis ann×n-dimensional matrix overQsuch thatγ≤ |A[i, j]| ≤cγ fori, j∈[n], whereγ >2λandc >1.
Then with overwhelming probability
γn≤ |det(A)| ≤n!(cγ)n.
Proof.According to the definition of determinant (1),
|det(A)|=
X
p
π(p)
n
Y
i=1
A[i, pi]
=γn·
X
p
π(p)
n
Y
i=1
A[i, pi]
γ
=γn·
X
p
π(p)Ap
,
whereAp= n
Q
i=1
A[i,pi]
γ .
Byγ≤ |A[i, j]| ≤cγ, we obtain|A[i,pi]
γ | ≥1 and 1≤ |Ap| ≤cn. According to
Chernoff-Hoefding inequality, X
p
π(p)Ap
≥1 with overwhelming probability.
On the other hand,
X
p
π(p)Ap
≤
X
p
|π(p)|cn=n!cn.
Definition 4.2 Matrix Decomposition (MDγ,δ). The decomposition
A=A1+Aδ is called MDγ,δ ifA1,Aδ are satisfied
|A1[i, j]|=Θ(γ),for alli, j∈[n]
|Aδ[i, j]|=O(δ),for alli, j∈[n].
Lemma 4.3 Determinant Estimate I. Suppose that A = A1+Aδ is
MDγ,δ and rank(A1) < n. Then |det(A)| ≤ O(n·n!·δγn−1). In particular,
|det(A)|=O(δγn−1) whennis constant.
Proof.By the definition of determinant (1),
det(A) = X
p
π(p)
n
Y
i=1
A[i, pi] =
X
p
π(p)
n
Y
i=1
(A1[i, pi] +Aδ[i, pi])
By rank(A1)< n, det(A1) = 0. That is,
X
p
π(p)
n
Q
i=1
We expand det(A) as follows:
det(A) = X
p
π(p)
n
Y
i=1
(A1[i, pi] +Aδ[i, pi])
= X
p
π(p)(
n
X
j=1
Aδ[j, pj]
Y
i6=j
A1[i, pi]
| {z }
Bp
+o(Bp))
So,|det(A)| ≤ X
p
π(p)
n
P
j=1
O(|Aδ[j, pj]Q i6=j
A1[i, pi]|)≤O(n·n!·δγn−1).
Furthermore,|det(A)| ≤O(δγn−1) whennis constant.
Remark 4.4.The result of Lemma 4.3 does not contradict that of Lemma 4.1. Because the former matrixAis randomly selected, and the latter matrixA
has a special structure such that the rank of the dominant matrix corresponding to its decomposition is less thann.
Moreover, if we assume that the square submatrix obtained by the linearly independent vectors ofA1 in Lemma 4.3 satisfies the condition of Lemma 4.1.
Namely, the determinant of the square submatrix can be estimated by applying Lemma 4.1. Accordingly, we can further improve the determinant estimation in Lemma 4.3. Note that the following Lemma 4.5 is not used in this paper.
Lemma 4.5 Determinant Estimate II.Suppose that A = A1+Aδ is
MDγ,δ and rank(A1) = k < n. Then |det(A)| ≤ n!(γ+δ 0
)k(δ0)n−k, where
δ0 = nk!ckδ and c is a constant that depends on A. Furthermore, |det(A)| ≤
O(δn−kγk) whennis constant.
Proof.For brevity, A[i//j] represents the matrix of the i-th tok-th rows of
A, andA[i:j] the matrix of the i-th tok-th columns of A.
Without loss of generality, assume that the first k rows of A1 are linearly independent since rank(A1) = k. So, the last n−k rows of A1 are linearly dependent with its firstkrows. That is, forj ∈ {k+ 1,· · ·, n},
A1[j,·] =
k
X
i=1
yj[i]A1[i,·].
Now, we write this relationship as matrix-vector form
A1[j,·] =yjA
0
1=yj(B1,B2),
whereA01=A1[1//k],B1=A 0
1[1 :k],B2=A 0
1[k+ 1 :n].
By Cramer’s rule, we compute
yj[i] =
det(B1,i)
det(B1),
where fori∈[k],B1,i= B1[1//i−1]//A1[j,·]//B1[i+ 1//k]
By|A1[i, j]|=Θ(γ), we have c1γ≤ |A1[i, j]| ≤c2γ.
Using Lemma 4.1, we yield
(c1γ)k ≤ |det(B1)| ≤k!(c2γ)k,
(c1γ)k ≤ |det(B1,i)| ≤k!(c2γ)k.
Letc=c2/c1. Forj ∈ {k+ 1,· · ·, n}, i∈[k], we get
1
k!ck < yj[i]< k!c k.
Now, we set
Y=
yk+1[1]yk+1[2]· · · yk+1[k]
yk+2[1]yk+2[2]· · · yk+2[k]
..
. ... · · · ...
yn[1] yn[2] · · · yn[k]
,
P=
Ik 0
−Y In−k
.
Therefore,
PA=PA1+PAδ=
A01 0
+Aδ0,
ByAδ0 =PAδ, we obtain
|Aδ0[i, j]|=|
n
X
k=1
P[i, k]Aδ[k, j]| ≤nk!ckδ
So,δ0 =nk!ckδ.
By the definition of determinant (1),
det(A) = det(PA)
= det A
0
1 0
+Aδ0
= X
p
π(p)
k
Y
i=1
(A1[i, pi] +Aδ0[i, pi]) n
Y
i=k+1
Aδ0[i, pi]
Since|A1[i, pi]| ≤γ andAδ0[i, pi]≤δ
0
, thus
|det(A)| ≤n!(γ+δ0)k(δ0)n−k.
Definition 4.6 Approximate Eigenvalue.LetA=A1+Aδ be a (γ, δ
)-matrix decomposition. The eigenvalues of A are called the approximate eigen-values ofA1.
Definition 4.7 Diagonally Dominant Matrix (DDM).Ann×n-dimensional matrixAis diagonally dominant if for alli∈[k],
|A[i, i]| ≥ X
j6=i|A[i, j]|.
If using a strict inequality (>) instead (≥) in the above definition, thenAis called strict diagonally dominant matrix (SDDM).
Definition 4.8 (γ, δ)-Diagonally Dominant Matrix (DDMγ,δ). Ais a
(γ, δ)-diagonally dominant matrix ifAis satisfied
|A[i, j]|= (
O(γ), ifi=j O(δ), ifi6=j.
Note that we only consider the approximate eigenvalue of diagonally domi-nant matrix in this paper. In the following we will prove the inverse of a DDMγ,δ
matrix is a DDMγ0,δ0 matrix. Moreover, it is not difficult to verify that the
prod-uct of two DDMγi,δi, i∈ [2] matrices is a DDMγ1γ2,δ1γ2+δ2γ1 matrix. By using these properties we can compute the eigenvalues of a DDMγ,δ matrix as the
approximate eigenvalues of its diagonal dominant matrix.
Lemma 4.9.Suppose thatAis a DDMγ,δmatrix. ThenA−1is a DDMγ−1,nδ/γ−2 matrix.
Proof. SinceA is a DDMγ,δ matrix, we can write A=A1+Aδ such that
A1 is a diagonal matrix and
|A1[i, i]|=O(γ), i∈[n]
|Aδ[i, j]|=O(δ), i, j∈[n].
So,A−11= Diag(A−1[1,1],· · ·, A−1[n, n]).
Again sinceAis a DDMγ,δ matrix, we have|A[i, i]|=O(γ). Without loss of
generality, assumeγmax−1 = max
i∈[n]{A
−1[i, i]}=O(γ−1).
BykA−11Aδk ≤ kA−11kkAδk ≤O(nγmax−1 δ) =O(nγ−1δ)1, we have
A−1= (A1+Aδ)−1
= (I+A−11Aδ)−1A−11
= (I−A−11Aδ+ (A1−1Aδ)2− · · ·)A−11
=A−11+Aδ0
Again,
kAδ0k ≤(kA1−1Aδk+k(A−11Aδ)2k+· · ·)kA−11k
=
∞
X
i=1
(O(nγ−1δ))iO(γ−1)
= O(nγ
−1δ)
1−O(nγ−1δ)O(γ
−1)
=O(nδγ−2).
Consequently,|Aδ0[i, j]|=O(nδγ−2) for all i, j∈[n], and hence
|A−1[i, j]|= (
O(γ−1), ifi=j O(nδγ−2), ifi6=j .
Therefore,A−1is a DDMγ−1,nδ/γ−2 matrix.
Remark 4.10.Although the results of all the lemmas above are given over the field Q, they can be directly extended to the field K= Q[x]/hf(x)i. Note
that in this case we require to use the norm of the elements in K, instead of
using the absolute value inQ.
5
Cryptanalysis
Since the BP obfuscator using GGH13 without ideals [2] no longer uses ideals, we cannot obtain a basis of the ideal βk as that of the CGH attack. Also, we
cannot find some exact representatives of the bundling scalars due to the noise. However, we can recover some approximate ratios of the bundling scalars by applying the matrix properties described in the above section. Applying these approximate ratios, we present a variant of the CGH attack to break the BP obfuscator using GGH13 without ideals.
5.1 Branching program with input partitioning
We first adaptively recall the branching program with input partitioning in [11]. Let X||Y||Z = [κ] be a partition of the branching program steps. For a 3-partition inputf =xyz, we useSx(resp.Sy,Sz) to denote the plaintext product
matrix of function branch in theX (resp.Y, Z) interval, andS0x (resp.S0y,S0z)
For the function branch, it is easy to obtain
Sx=A0e Y
k∈XAek,uinp(k) =0αxA0b ×
Y
k∈XAbk,uinp(k)×Py1
=0αxAb0×Abx×Py1,
Sy=
Y
k∈Y Aek,uinp(k) =αyP
−1
y1 × Y
k∈Y Abk,uinp(k)×Pz1 =αyP−y11×Aby×Pz1,
Sz=
Y
k∈ZAek,uinp(k)×Aeκ+1=κ+1αzP
−1
z1 × Y
k∈ZAbk,uinp(k)×Abκ+1
=κ+1αzPz−11×Abz×Abκ+1.
Similarly, for the dummy branch we have
S0x=Ae
0
0
Y
k∈XAe
0
k,uinp(k) =
0
0α0xAb
0
0×
Y
k∈XAb
0
k,uinp(k)×P
0
y1 =00α0xAb
0
0×Ab
0
x×P
0
y1,
S0y = Y
k∈YAe
0
k,uinp(k)=α
0
yP
0−1
y1 × Y
k∈YAb
0
k,uinp(k)×P
0
z1 =α0yP0−y11×Ab
0
y×P
0
z1,
S0z= Y
k∈ZAe
0
k,uinp(k)×Ae
0
κ+1=0κ+1α0zP
0−1
z1 × Y
k∈ZAb
0
k,uinp(k)×Ab
0
κ+1
=0κ+1α0zP0−z11×Ab
0
z×Ab
0
κ+1,
where the scalars αx, αy, αz, etc. are the product of all the k,b in the
corre-sponding branch, andy1=|X|,z1=|(X||Y)|.
For these bundling scalars αx, αy, αz, etc., our attack requires to use the
following results in [11].
Lemma 5.1 (Lemma 2.3 [11]). Suppose that f(i,j,t) = x(i)y(j)z(t) are some 3-partition inputs that are all zeros of the function. Then αx(1)/αx0(1) =
αx(2)/αx0(2) =· · ·, and similarlyαy(1)/αy0(1)=αy(2)/αy0(2)=· · · andαz(1)/αz0(1) =
αz(2)/αz0(2) =· · ·.
5.2 Generating approximate ratios of the bundling scalars
Without loss of generality, we assume that the branching program is 3-partitioned. Let f(i,b,j) =x(i)y(b)z(j) be a 3-partition input of the formX||Y||Z that is an
input of a zero of the function. Leti, j range over 2s inputs and forb∈ {0,1}, then we first obtain the matrices:
Wb=XYbZ
=
· · ·
βXSx(i)+Rx(i),−βXS0x(i)+R0x(i) · · ·
×
β
YSy(b)+Ry(b), 0 0 βYS0y(b)+R
0
y(b)
×
· · ·, βZSz(j)+Rz(j),· · ·
βZS0z(j)+R
0
z(j),
where X,Yb,Z∈R2s×2s are full rank with high probability, and βX (resp.βY
andβZ ) is equal to the product
Y
k∈Xβk (resp.
Y
k∈Y βk and
Y
k∈Zβk).
Then, we compute the characteristic polynomial ofW1W−01 overKthat is
equal to the characteristic polynomial ofY1Y−01.
Now we analyzeY1Y−01 overKas follows:
Y1Y−01= β
YSy(1)+Ry(1), 0 0 βYS0y(1)+R
0
y(1)
βYSy(0)+Ry(0), 0 0 βYS0y(0)+R
0
y(0) −1
According to the BP obfuscator construction, we have
βYSy(0)+Ry(0) =βYαy(0)P−y1
1Aby(0)Pz1+Ry(0) =P−y11(βYαy(0)Aby(0)
| {z }
A1
+Py1Ry(0)P
−1
z1
| {z }
Aδ
)Pz1,
whereA1 is a diagonal matrix.
By the parameter settings, it is easy to verify thatδ=kAδk=O(s2n1.5σ3)
andγ= max
i∈[n]kA1[i, i]k ≈O(βYαy
(0)) such thatδ/γ≤2−O(λ). So, by Lemma 4.9 we get
(βYSy(0)+Ry(0))−1=P−z1 1 (A
−1
1 +Aδ0)Py
1,
whereδ0=nδ/γ2.
Thus, we can compute the function branching part ofY1Y−01as follows:
(βYSy(1)+Ry(1))(βYSy(0)+Ry(0))−1 = (βYαy(1)P−y1
1Aby(1)Pz1+Ry(1))P−z1 1 (A
−1
1 +Aδ0)Py1
=αy(1)
αy(0)
P−y11(Aby(1)Ab
−1
y(0))Py1+R
=αy(1)
αy(0)
P−y11
Ey(1) 0 0 Ay(1)
Ey(0) 0 0 Ay(0)
−1
Py1+R
=αy(1)
αy(0)
P−y1
1
Ey(1)E−y(0)1 0 0 Ay(1)A−y(0)1
!
Py1+R
≈αy(1)
αy(0)
P−y1
1
Ey(1)E−1
y(0) 0 0 Ay(1)A−1
y(0) !
Py1,
whereR=βYαy(1)Py−11Aby(1)Aδ0Py
1+Ry(1)P−z11(A−11+Aδ0)Py
1such thatkRk ≈
O(βY−1).
By Lemma 2.2, we haveAy(1)A−y(0)1 =I
w×w
. As a consequence, αy(1)
α
y(0) ∈Kis
an approximate eigenvalue of the function branch part of multiplicity at least
w. Likewise, α
0
y(1)
α0
y(0)
multiplicity at leastw. Again by Lemma 5.1, αy(1)
αy(0) =
α0
y(1)
α0
y(0)
, and therefore αy(1)
αy(0) is the approximate eigenvalue ofY1Y−01of multiplicity at least 2w.
Thus, we can find all roots of the characteristic polynomial ofW1W−01 over
Kand consider at least 2wapproximately equal roots as the approximate value
of αy(1)
α
y(0) .
Remark 5.2.We observe that for two inputsx,x0∈ {0,1}lthat differ only
in xj = 1 and x0j = 0, if the branching program evaluates to zero for them,
namely δx =αxβ·stT +o(β) and δx0 =αx0β·stT +o(β). As a consequence,
if we take the setting of parameters with kδxk,kδx0k < q according to [2], then
αj,1
αj,0 ≈
δx
δx0. The advantage of this simple attack method is that it has not related
to the input-partition of the branching program. However, it is not difficult to avoid this attack by setting kβk ≥q. Note that its updated version [3] has set the parameters such thatkδxk,kδx0k> q.
5.3 Annihilation attack
Chen, Gentry and Halevi [11] have extended the annihilation attack introduced by Miles, Sahai and Zhandry [28] to break the GGH13-based branching program obfuscators with the padded random diagonal entries by using the ratios of the bundling scalars. However, it is not clear whether the CGH attack can be extended to attack the BP obfuscators over GGH13 without ideals [2]. Here we further generalize the CGH attack to break this candidate IO over GGH13 without ideals by applying the approximate ratios of the bundling scalars.
To simplify our attack description, we use the same running example used by Chen, Gentry and Halevi [11].
Example 5.3 (Example 3.1 [11]).The two programsB, B0 have the iden-tity matrix for both 0 and 1 in all the steps except for the two stepsu, wthat are a permutation matrix P and its inverseP−1 forB0. Here we require the steps
u, v, w belong to the intervalY such that u < v < w and the input bitj2 does
not control any steps beforeuor afterw. The programsB, B0 that compute the constant-zero function concretely define as follows:
B= 0: I · · · I I I I I · · · I
1: I · · · I I I I I · · · I
B’= 0: I · · · I I I I I · · · I
1: I · · · I P I P−1 I · · · I
Steps 0: X u v w Z
Input bits 1: * · · · * j1 j2 j1 * · · · *
Unlike [11], in the above subsection we can only compute the approximate ratios ofα1/α0 andα01/α00, not their exact ratios. Since these ratios are
approx-imate, consequently we cannot compute four scalarsv0, v1, ζ00, ζ11 ∈R as that
in [11]. However, we here are working onK, not modhgiand hence we can take
We letfµν(i,j)=x(i)µνz(j)be an input for a zero of the function, wherex(i)is
the bits controlled in the step intervalX,µνthe two distinguished bits controlled in the step interval Y, and z(j) the bits controlled in the step interval Z. We
denote by Eval(fµν(i,j)) the value returned by honest evaluating the obfuscated
BP on the inputfµν(i,j):
Eval(fµν(i,j)) =A0· Yκ
k=1Ak,xinp(k)·Aκ+1−A
0
0·
Yκ
k=1A
0
k,xinp(k)·A
0
κ+1
= (β0Ae0+R0)·
Yκ
k=1(βkAek,xinp(k)+Rk,xinp(k))·(βκ+1Aeκ+1+Rκ+1) −(β0Ae
0
0+R
0
0)·
Yκ
k=1(βkAe
0
k,xinp(k)+R
0
k,xinp(k))·(βκ+1Ae
0
κ+1+R
0
κ+1)
To perform our attack, we select many different inputsfµν(i,j)that are all zeros
of the function, and for eachi, j we set
A[i, j] = Eval(f11(i,j))·ζ00·v1v0−Eval(f (i,j)
10 )·ζ00·v1v1
−Eval(f01(i,j))·ζ11·v0v0−Eval(f (i,j)
00 )·ζ11·v0v1,
where all the computations are operated in K. Choosing enough inputs fµν(i,j),
we can obtain a matrixA.
In the following, we first analyze the rank of the submatrix corresponding to the intervalY in the matrixA. Then we show thatAhas a non-full rank matrix decomposition for the programB, whereas for the program B0, there is no such decomposition with high probability. Finally, we describe a distinguishing attack between the programsB andB0.
5.4 Analysis
5.4.1 The Matrix DY
Assume that the step intervalY only consists of the stepsu, v, w, namely|Y|= 3, and µν ∈ {0,1}2 are any two input bits corresponding toY. For simplicity, let
β = max
0≤k≤κ+1{βk} such thatkβk =0≤maxk≤κ+1{kβkk}. We write βuv =βuβv, and
Then the matrix in the function branch ofY has the form
AµνY = Y
k∈Y(βkAek,xinp(k)+Rk,xinp(k))
= (βuAeu,µ+Ru,µ)(βvAev,ν+Rv,ν)(βwAew,µ+Rw,µ)
=αµα0ν·P
−1
u−1· βuAbu,µ+
1
u,µ
Pu−1Ru,µP−u1
| {z }
:=bRu,µ
βvAbv,ν+
1
v,ν
PuRv,νP−v1
| {z }
:=bRv,ν
βwAbw,µ+
1
w,µ
PvRw,µP−w1
| {z }
:=bRw,µ
·Pw
=αµα0ν·P
−1
u−1·
βYAbu,µAbv,νAbw,µ
| {z }
:=CµνY
+ βuwAbu,µRbv,νAbw,µ+βuvAbu,µAbv,νRbw,µ+βvwRbu,µAbv,νAbw,µ
| {z }
:=DµνY
+O(β|Y|−2)EµνY
·Pw
=αµα0ν·P
−1
u−1·
CµνY +DµνY +O(β)EµνY
·Pw,
where all the computations above are operated in K. Notice that in the above kEµνY k=λO(1), andα
µ=u,µw,µ, α0ν =v,ν.
ByDµνY we define
DY =D11Y −D
10
Y −D
01
Y +D
00
Y
= βuwAbu,1Rbv,1Abw,1+βuvAbu,1Abv,1Rbw,1+βvwRbu,1Abv,1Abw,1
− βuwAbu,1Rbv,0Abw,1+βuvAbu,1Abv,0Rbw,1+βvwRbu,1Abv,0Abw,1
− βuwAbu,0Rbv,1Abw,0+βuvAbu,0Abv,1Rbw,0+βvwRbu,0Abv,1Abw,0
+ βuwAbu,0Rbv,0Abw,0+βuvAbu,0Abv,0Rbw,0+βvwRbu,0Abv,0Abw,0.
(2)
Now it is completely analogous to the method in [11] to showDY ∈
∗ ∗ ∗0w×w
when evaluatingB, but not with high probability when evaluatingB0.
Similarly, we can define the matrix D0Y in the dummy branch for the step
interval Y, and use the same method to prove D0Y ∈
∗ ∗ ∗0w×w
regardless of
whether the branching program isB orB0.
To analyzeA, we letX={x1, x2,· · · , xx},Y ={u, v, w},Z ={z1, z2,· · ·, zz}.
We denote byαx(i) (resp.αz(j) ) the product of the bundling scalars of the func-tion branch corresponding toX (resp.Z), and similarly for α0x(i), α0z(j) corre-sponding to the dummy branch. Moreover by Lemma 5.1, we have αx(i)αz(j) =
α0x(i)α0z(j) and denote this product byα(i,j). We also write βXk =βX/βk and
βZk=βZ/βk.
Similar to the simplification ofAµνY in the function branch corresponding to
Y, it is easy to simplify all the matrices associated to the intervals X, Y, Z as follows:
AXi =αx(i)·P0−1 CiX+DiX+O(β
|X|−2
)EiX
Pu−1,
AµνY =αµα0ν·P
−1
u−1
CµνY +DµνY +O(β|Y|−2)EµνY
Pw
AjZ =αz(j)·P−w1 C
j Z+D
j Z+O(β
|Z|−2
)EjZ
Pκ,
A0iX =α0x(i)·P0−
1 0 C0
i X+D0
i
X+O(β
|X|−2
)E0iX
P0u−1,
A0µνY =αµα0ν·P0−
1
u−1
C0µνY +D0µνY +O(β|Y|−2)E0µνY
P0w
A0jZ =α0z(j)·P0−
1
w C0 j Z+D0
j Z+O(β
|Z|−2
)E0jZP0κ.
(3)
In Equ. (3), except for the unspecified small noise matricesEiX,E0Xi ,EjZ,E0jZ, we also use the following notations
CiX=βX·
Y
k∈X
b
Ak,uinp(k), C
0i
X =βX·
Y
k∈X
b
A0k,u
inp(k),
CjZ =βZ·
Y
k∈Z
b
Ak,uinp(k), C
0j Z=βZ·
Y
k∈Z
b
A0k,u
inp(k),
DiX= X
k∈X
βXkAbx1,uinp(x1 )· · ·Abk−1,uinp(k−1)Rbk,uinp(k)Abk+1,uinp(k+1)· · ·Abxx,uinp(xx),
D0iX= X
k∈X
βXkAb
0
x1,uinp(x1 )· · ·Ab
0
k−1,uinp(k−1)Rb
0
k,uinp(k)Ab
0
k+1,uinp(k+1)· · ·Ab
0
xx,uinp(xx),
DjZ =X
k∈Z
βZkAbz1,uinp(z1 )· · ·Abk−1,uinp(k−1)Rbk,uinp(k)Abk+1,uinp(k+1)· · ·Abzz,uinp(zz),
D0jZ =X
k∈Z
βZkAb
0
z1,uinp(z1 )· · ·Ab
0
k−1,uinp(k−1)Rb
0
k,uinp(k)Ab
0
k+1,uinp(k+1)· · ·Ab
0
zz,uinp(zz),
where
b
Rk,uinp(k) =
1
k,uinp(k)
Pk−1Rk,uinp(k)P−k1,
b
R0k,u
inp(k) = 1
k,uinp(k)
P0k−1R0k,uinp(k)P
0−1
k .
Eval(fµν(i,j))
=α0α(i,j)αµα0ν·
β0Ab0
| {z }
:=C0 +Rb0
CiX+DiX+O(β|X|−2)EiX
CµνY +DµνY +O(β|Y|−2)EµνY
CjZ+DjZ+O(β|Z|−2)EjZ
βκ+1Abκ+1
| {z }
:=Cκ+1
+Rbκ+1
− β0Ab
0
0
| {z }
:=C00 +Rb
0
0
C0iX+D0iX+O(β|X|−2)E0iX C0µνY +D0µνY +O(β|Y|−2)E0µνY
C0jZ+D0jZ+O(β|Z|−2)E0jZ
βκ+1Ab
0
κ+1
| {z }
:=C0κ+1 +Rb
0
κ+1
=α0α(i,j)αµα0ν·
C0 CiX+DiX
CµνY +DµνY
CjZ+DjZ
Cκ+1
+R0Cb
i XC
µν Y C
j
ZCκ+1+C0CiXC µν Y C
j ZRbκ+1
−C00 C0iX+D0iX C0µνY +D0µνY C0jZ+D0jZC0κ+1
−Rb
0 0C 0i XC 0µν Y C 0j ZC 0
κ+1−C
0 0C 0i XC 0µν Y C 0j ZRb
0
κ+1+O(β
κ
)
=α0α(i,j)αµα0ν·
C0 CiXC µν Y D
j Z+C
i XD
µν Y C
j Z+D
i XC µν Y C j Z
Cκ+1
+Rb0CiXC µν Y C
j
ZCκ+1+C0CiXC µν Y C
j ZRbκ+1
−C00 C0iXC0µνY D0jZ+C0iXD0µνY C0jZ+D0iXC0µνY C0jZ
C0κ+1
−Rb
0 0C 0i XC 0µν Y C 0j ZC 0
κ+1−C
0 0C 0i XC 0µν Y C 0j ZRb
0
κ+1+O(β
κ ) , where b
R0= 1
0
R0P−01, Rc00= 1
0
0
R00P0−01,
b
Rκ+1=
1
κ+1
Pκ+1Rκ+1, Rc0κ+1= 1
0
κ+1
P0κ+1R0κ+1.
To further simplifyA[i, j], we define
CY =C11Y −C
10
Y −C
01
Y +C
00
Y, C0Y =C0
11
Y −C0
10
Y −C0
01
Y +C0
00
Y
xi=C0CiX, x0i=C
0
0C
0i
X, zj=C j
ZCκ+1, z0j=C
0j ZC
0
κ+1 ei=C0DiX, e
0
i=C
0
0D
0i
X, fj=DjZCκ+1, f0j =D
0j ZC
0
κ+1 ri=Rb0CiX, r0i=Rb
0
0C
0i
X, wj=C j
ZRbκ+1, w0j=C
0j ZRb
0
By the definition of the bundling scalars and their approximate ratios that solve in the above subsection, it is easy to verify that
α1α01·ζ00·v1v0≈α1α00·ζ00·v1v1≈α0α01·ζ11·v0v0≈α0α00·ζ11·v0v1,
where the approximate accuracy isO(β−1).
As a consequence, we can incorporate these approximate scalars into the matrices corresponding to x(i) and z(j) respectively and can rewrite A[i, j] as follows:
A[i, j] = xiCYzj+xiDYzj+eiCYzj+riCYzj+xiCYwj
| {z }
:=F[i,j]
− x0iC0Yz0j+x0iD0Yz0j+e0iC0Yz0j+x0iC0Yz0j+x0iC0Yw0j
| {z }
:=F0[i,j]
+O(βκ),
In the following we first analyze the matrixFgenerated by the termF[i, j] from the function branch withi, j∈[ξ], whereξ≥2m+ 1.
According to the construction structure of the obfuscated BP, for program
B we have the vectorsxi,x0i,ei,e0i = 0m$m$w
, zj,z0j,fj,f0j = $m0m$w
T , and the matrices
CY,C0Y ∈
$m×m0m×m0m×w 0m×m$m×m0m×w 0m×m0m×m0w×w
, DY,D0Y ∈
$m×m$m×m$m×w $m×m$m×m$m×w $m×m$m×m0w×w
.
Moreover, for the programB0 everything else is the same except thatDY is
arbitrary by the analysis of DY in the previous subsection.
Thus for B we can write F by the block form and simplify it to determine its rank as follows:
F=XCYZ+XDYZ+ECYZ+RCYZ+XCYW
= 0X2X3
C1,1 0 0
0 C2,20
0 0 0
Z1 0 Z3
+ 0X2X3
D1,1D1,2D1,3 D2,1D2,2D2,3 D3,1D3,2 0
Z1 0 Z3
+ 0E2E3
C1,1 0 0
0 C2,20
0 0 0
Z1 0 Z3
+ R1R2R3
C1,1 0 0
0 C2,20
0 0 0
Z1 0 Z3
+ 0X2X3
C1,1 0 0
0 C2,20
0 0 0
W1 W2 W3
= X2D2,1+X3D3,1+R1C1,1
Z1+X2 D2,3Z3+C2,2W2
(4)
However, the rank ofFforB0 is at least 2m+ 1 with high probability. Since
D3,3 is a non-zero block matrix, as a result with high probabilityFcan not be
decomposed into the sum of two matrices with rankm.
Furthermore, the rank ofF0 forB andB0 is at most 2m. The analysis ofF0
is exactly similar to the analysis ofFforB.
Theorem 5.4. Letξ = 4m+ 1,γ =kβκ+1k andδ =kβκk. Suppose there exist sufficiently many inputs ui,j
µν that are all the zero of the function. Then
whenmis constant, with high probability
the program is (
B0, ifkdet(A)k=O(γξ);
B, ifkdet(A)k=O(γξ−1δ).
Whenm= poly(λ), using heuristical assumption
the program is (
B0, ifkdet(A)k=O(ξ!·γξ);
B, ifkdet(A)k=O(ξ!·ξγξ−1δ).
Proof.According to the analysis ofA, for the programB we have
A=F−F0
| {z }
:=A1
+O(βκ)E
| {z }
:=Aδ
,
whereE is a matrix whose entries are polynomials with small norm overK.
Thus, for the program B there exists a (γ, δ)-matrix decomposition A =
A1+Aδ. Since the rank of A1 is at most 4m < ξ, consequently when m is
constant we havekdet(A)k=O(γξ−1δ) by Lemma 4.3.
However, for the programB0 with high probability there is no such (γ, δ )-matrix decomposition with a non-full rank A1. Therefore when m is constant
we getkdet(A)k=O(γξ) forB0 by Lemma 4.1.
Whenm= poly(λ) we heuristically assume thatkdet(A)kis approximately equal to O(ξ!·γξ) if A has no (γ, δ)-matrix decomposition such thatA
1 is a
non-full rank matrix. Note that this heuristic assumption is supported by our computation experiment.
ForB, therefore, we havekdet(A)k=O(ξ!·ξγξ−1δ) by Lemma 4.3, and for
B0 the result directly follows the heuristic assumption.
5.5 Analysis of Recent Immunization
Similarly, we can also extend our attack to this immunized variant using instantiation of GGH13 without ideals. In this case, the variant uses fully random 2m×2mmatricesEk,b,E0k,b instead of the diagonal ones, and takes the bookend
vectors asA0b ,Ab
0
0= 02m,$w
andAbκ+1,Ab
0
κ+1= $2m,$w
.
Observe that the algorithm that solves approximate ratios of the bundling scalars still works. Moreover, the analysis of the matrixDY in Equ. (2) remains
the same. For the rank of F in Equ. (4), we analyze F for the program B in Example 5.3 as follows:
F=XCYZ+XDYZ+ECYZ+RCYZ+XCYW
= 0X2
C1,10
0 0
Z1 Z2
+ 0X2
D1,1D1,2 D2,1 0
Z1 Z2
+ 0E2
C1,10
0 0
Z1 Z2
+ R1R2
C1,10
0 0
Z1 Z2
+ 0X2
C1,10
0 0
W1 W2
= X2D2,1+R1C1,1
Z1,
(5)
where {Ci,j,Di,j}i,j∈[2] are blocks of the matrices CY,DY with
dimension-s (2m|w)×(2m|w), {Xi,Ei,Ri}i∈[2] are blocks of the matrices X,E,R with
dimensionsξ×(2m|w), and{Zj,Wj}j∈[2]are blocks of the matricesZ,Wwith
dimensions (2m|w)×ξ. It is easy to verify that the rank ofFis at most 2m. On the other hand, for the programB0 we will add another matrixX2D2,2Z2 toF
in Equ. (5) since with high probabilityD2,2 is not a “0” matrix. Therefore, we
can use the same algorithm in Section 5.3 to distinguish betweenB andB0. As well, we can also adapt the original variant proposed by Garg et al. [23] to a new variant using GGH13 without ideals using β2
i instead of g2. It is not
difficult to verify that our attack can still generalize to this new immunized variant instantiated by GGH13 without ideals if the branching program is input-partitioning.
6
Conclusions
In this paper, we show how to break a branching program obfuscator using G-GH13 without ideals by extending the CGH attack when the branching program is input partionable. Consequently, we solve an open problem in [2] presented by Albrecht, Davidson and Larraia. Our work demonstrates that the security of the obfuscator using GGH13 without ideals [2] is essentially equivalent to that of the GGH13-based obfuscator [20]. Furthermore, our work further strengthens the work in [2,3] that there is a structural weakness in ‘GGH13-type’ encodings beyond the presence ofhgi.
an open problem how to construct a branching program obfuscator with input-partitioning or improve the weakened graded encoding model to enable this input requirement.
References
1. M. Albrecht, S. Bai, and L. Ducas. A subfield lattice attack on overstretched NTRU assumptions Cryptanalysis of some FHE and Graded Encoding Schemes. CRYPTO 2016, LNCS 9814, pp.153-178.
2. M. Albrecht, A. Davidson, E. Larraia. Notes On GGH13 Without The Presence Of Ideals. IMACC 2017, LNCS 10655, pp. 135-158.
3. M. Albrecht, A. Davidson, E. Larraia, and A. Pellet–Mary. Notes On GGH13 With-out The Presence Of Ideals. http://eprint.iacr.org/2017/906.
4. D. Apon, N. D¨ottling, S. Garg, and P. Mukherjee. Cryptanalysis of indistinguisha-bility obfuscations of circuits over GGH13. http://eprint.iacr.org/2016/1003. 5. Prabhanjan Vijendra Ananth, Divya Gupta, Yuval Ishai, and Amit Sahai.
Optimiz-ing obfuscation: AvoidOptimiz-ing BarrOptimiz-ington’s theorem. ACM CCS 2014, pp. 646-658. 6. Z. Brakerskiy, C. Gentry, S. Halevi, T. Lepoint, A. Sahai, M. Tibouchi.
Cryptanal-ysis of the Quadratic Zero-Testing of GGH. http://eprint.iacr.org/2015/845. 7. B. Barak, S. Garg, Y. T. Kalai, O. Paneth, and A. Sahai. Protecting obfuscation
against algebraic attacks. EUROCRYPT 2014, LNCS 8441, pp. 221-238.
8. D. Boneh and A. Silverberg. Applications of multilinear forms to cryptography. Contemporary Mathematics, 324:71-90, 2003.
9. D. Boneh and M. Zhandry. Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. CRYPTO 2014, LNCS 8616, pp. 480-499.
10. J. S. Coron, C. Gentry, S. Halevi, T. Lepoint, H. K. Maji, E. Miles, M. Raykova, A. Sahai, M. Tibouchi. Zeroizing Without Low-Level Zeroes New MMAP Attacks and Their Limitations. http://eprint.iacr.org/2015/596.
11. Yilei Chen, C. Gentry, and S. Halevi. Cryptanalyses of candidate branching pro-gram obfuscators. EUROCRYPT 2017, pp. 278-307, 2017.
12. J. H. Cheon, J. Jeong, and C. Lee. An algorithm for ntru problems and cryptanal-ysis of the GGH multilinear map without a low-level encoding of zero. LMS Journal of Computation and Mathematics 2016, 19(A):255-266.
13. J. H. Cheon, K. Han, C. Lee, H. Ryu, and D. Stehle. Cryptanalysis of the Multi-linear Map over the Integers. EUROCRYPT 2015, Part I, LNCS 9056, pp. 3-12. 14. J. H. Cheon, P. A. Fouque, C. Lee, B. Minaud, H. Ryu. Cryptanalysis of the New
CLT Multilinear Map over the Integers. EUROCRYPT 2016, LNCS 9665, pp.509-536.
15. J. S. Coron, T. Lepoint, and M. Tibouchi. Practical multilinear maps over the integers. CRYPTO 2013, LNCS 8042, pp. 476-493.
16. J. S. Coron, T. Lepoint, and M. Tibouchi. New Multilinear Maps over the Integers. CRYPTO 2015, LNCS 9215, pp. 267-286.
17. J. S. Coron, M. S. Lee, T. Lepoint, and M. Tibouchi. Cryptanalysis of GGH15 Multilinear Maps. CRYPTO 2016, LNCS 9815, pp. 607-628.
19. S. Garg, C. Gentry, and S. Halevi. Candidate multilinear maps from ideal lattices. EUROCRYPT 2013, LNCS 7881, pp. 1-17.
20. S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, and B. Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. FOCS 2013, pp.40-49.
21. C. Gentry, S. Gorbunov, and S. Halevi. Graph-induced multilinear maps from lattices. TCC 2015, Part II, LNCS 9015, pp. 498-527.
22. S. Garg, E. Miles, P. Mukherjee, A. Sahai, A. Srinivasan, and M. Zhandry. Secure obfuscation in a weak multilinear map model. TCC 2016, LNCS 9986, pp. 241-268. 23. S. Garg, P. Mukherjee, and A. Srinivasan. Obfuscation without the vulnerabilities
of multilinear maps. http://eprint.iacr.org/2016/390.
24. S. Halevi. Graded Encoding, Variations on a Scheme. http://eprint.iacr.org/2015/866.
25. Yupu Hu and Huiwen Jia. Cryptanalysis of GGH Map. EUROCRYPT 2016, LNCS 9665, pp. 537-565.
26. P. Kirchner and P. Fouque. Revisiting lattice attacks on overstretched NTRU pa-rameters. EUROCRYPT 2017, LNCS 10210, pp. 3-26.
27. D. Micciancio and O. Regev. Worst-Case to Average-Case Reductions Based on Gaussian Measures, SIAM Journal on Computing, 37(1):267-302, 2007.
28. E. Miles, A. Sahai, and M. Zhandry. Annihilation attacks for multilinear maps: Cryptanalysis of indistinguishability obfuscation over GGH13. CRYPTO 2016, Part II, LNCS 9815, pp. 629-658.
29. E. Miles, A. Sahai, and M. Zhandry. Secure obfuscation in a weak multi-linear map model: A simple construction secure against all known attacks. http://eprint.iacr.org/2016/588.
