Zeroizing without zeroes: Cryptanalyzing multilinear maps without encodings of zero

Zeroizing without zeroes:

Cryptanalyzing multilinear maps without encodings of zero

Craig Gentry∗ _{Shai Halevi}∗ _{Hemanta K. Maji}† _{Amit Sahai}‡

Abstract

We extend the recent zeroizing attacks of Cheon et al. on multilinear maps to some settings where no encodings of zero below the maximal level are available. Some of the new attacks apply to the CLT scheme (resulting in total break) while others apply to the GGH scheme (resulting in a weak-DL attack).

Keywords: Cryptanalysis, Multilinear Maps.

∗_{IBM Research.}

†_{Department of Computer Science, and Center for Encrypted Functionalities, University of California, Los Angeles.}

[email protected].

‡_{Department of Computer Science, and Center for Encrypted Functionalities, University of California, Los Angeles.}

[email protected]. Research supported in part from a DARPA/ONR PROCEED award, NSF Frontier Award

1 Introduction

Recent candidates for approximate multilinear attacks [GGH13a, CLT13] have been shown to suer from zeroizing attacks, where the presence of encodings of zero at levels below the zero-test level can be exploited to mount attacks [GGH13a, CHL+_{14]. Such attacks have been particularly}

devastating in the context of the CLT candidate [CHL+_14].

However, some of the most prominent applications of multilinear maps, such as obfuscation [GGH+_13b],

do not require any encodings of zero below the zero-test level. (This setting is called the Multilinear Jigsaw Puzzle setting in [GGH+_{13b].) We could therefore optimistically hope that these zeroizing}

attacks do not apply to this setting.

In this work we show, however, that such the absence of low-level encoding of zero is not by itself a good enough defense against such zeroizing attacks. Specically, we extend the recent attacks of Cheon et al. [CHL+_{14], and show how to use them even in some settings where no encodings of}

zero below the zero-test level are available.

We stress that so far we do not have a working attack on current obfuscation candidates, but our attacks call for renewed eort to either attack these candidates or understand the source of hardness that underlie their security. In particular in this note we also propose a generic attack model which is closer to reality (and in particular captures the essence of our GGH-related attacks), we hope that analysis in this new model would be useful in this eort.

2 The Attack in the CLT setting

The setting. We consider a setting of the CLT multilinear maps, where only certain parameters and encodings are provided to the adversary, and these do not include encodings of zero below the maximal level.

Letp1, . . . , pnbe the secret primes numbers in the CLT scheme and letx0 =p1· · ·pn. This modulus

x0 is provided to the adversary, together with a single zero-testing parameterpzt, which is recalled

in greater detail below.

An encoding of (m1, . . . , mn) at levelt according to this scheme, where mi ∈[0, gi), is represented by an m ∈Zx0 such that: m = (rigi+mi)z−t mod pi, for all i∈ [n] and ri being small random integer in the range[−2ρ,2ρ)andz∈_Zx0 is a secret parameter. This set of equations is represented

tersely as: m = CRT_(pi)(m0_i), where m0_i = rigi+mi. We sometime refer informally to mi as the content of thei'th slot in the encoding.

Suppose the maximum level of supported multi-linearity (i.e. the zero-test level) is some κ∈[3, n].

Namely, we have a zero-testing parameterpzt=Pni=1hi·(zκgi−1 modpi)·(x0/pi) modx0.

1. Letaj ∈Zx0, for j∈[n], be such that: aj =CRT(pi)

_a0 i,j

z

,where:

◦ a0_i,j =ra,i,j ·gi+bai,j,

◦ _bai,j ∈[0, gi), and

◦ _ba1,j = 0and bai,j = 0, for all i > κ.

That is,aj is level 1 encoding of (0,ba2,j, . . . ,baκ,j,0, . . . ,0).

Remark. We note that in our setting, the 0s after aκ,j above are for padding. Our attack naturally extends to other cases where these0s are replaced with similar structures.

2. Letbk∈Zx0, for k∈[n], be such that: bk=CRT(pi)

b0_i,k z

!

,where:

◦ b0_i,k =rb,i,k·gi+bbi,k,

◦ bb_i,k ∈[0, g_i), and

◦ bb_2,k = 0 andbb_i,j = 0, for alli > κ.

That is,bk is level 1 encoding of(bb_1,k,0,bb_3,k, . . . ,bb_κ,k,0, . . . ,0).

3. Letc∈_Zx0 be such that: c=CRT(pi)

c0_i z

,where:

◦ c0_i =rc,i·gi+bci

◦ _bci ∈[0, gi), and

◦ _bc3 = 0 andbci = 0, for all i > κ.

That is,c is a level 1 encoding of(_bc1,bc2,0,bc4, . . . ,bcκ,0, . . . ,0).

4. Let˜c∈_Zx0 be such that: ˜c=CRT(pi)

˜

c0_i z

,where:

◦ ˜c0_i =rc,i˜ ·gi+b˜c_i

◦ b˜c_i ∈[0, g_i), and

◦ b˜c₃ = 0 andbc˜_i = 0, for all i > κ.

That is,c is a level 1 encoding of(b˜c₁,bc˜₂,0,b˜c₄, . . . ,b˜c_κ,0, . . . ,0).

5. Letdt∈Zx0, for46t6κ, be a level 1 encoding of(db_t,1, . . . ,db_t,t−1,0,db_t,t+1, . . . ,db_t,κ,0, . . . ,0). As above, we have dt =CRT(pi)

d0_t,i/z, where d0_t,i =rd,t,igi+dbt,i. We shall not need these parameters explicitly in our attack description and the proof presented below.

Note that given these encodings, it is not possible to create encodings of zero at any level below κ

The attack. Given, these parameters we present our attach which allows us to factorize x0 and

thereby achieve a total break of CLT. The attack proceeds along the same lines as [CHL+_14],

but we set up the attack in a dierent manner to avoid the need for zero encodings, and our algebraic manipulations exploit commutativity within the CRT representation to yield a dierent nal factorization of matrices, but in a manner that still allows to carry out the attack. We now give details of the attack.

We dene d:=d4· · ·dκ, which is a levelκ−3 encoding of a message of form: (db₁,db₂,db₃,0, . . . ,0). That is, d=CRT_(pi)(d0_i)whered0_i=rd,igi+dbi,db_i = 0 for alli6= 3.

Letλj,k := [ajbkd]x0. Note thatλj,kis a levelκ−1encoding of a message of form(0,0,bλ_j,k,0, . . . ,0).

Recalling that the zero-testing parameter is pzt=Pni=1hi·(zκgi−1 mod pi)·p−i mod x0 (where

p−i =x0/pi), we can compute for alli, k:

w(_j,kc):= [c·λj,k·pzt]x0 = n X

i=1

hi(cλj,kzκgi−1 mod pi)p−i

=

n X

i=1

c0_ia0_i,jb0_i,khid0ig

−1

i p−i | {z }

=h0_i

(modx0)

Below we denote h0_i := [hid0_ig_i−1p−i]x0 for i∈[n].

Note that in the above equations, h0₁, h0₂ and h₃0 contain multiplicative factors of g₁−1, g₂−1 and g−₃1, respectively, but these cancel out with the factors of g1, g2, g3 ina01,j, b02,k, c

0

3, respectively (and

similarly theg−_i 1 factors fori >3cancel out with thegifactors in thed0_i's). That is, we can re-write the above equation as:

w(_j,kc) = (a0_1,jg₁−1)

| {z }

=a00_1,j

·(h0₁g1)

| {z }

=h00 1

·c0₁b0_1,k+a0_2,j·(h0₂g2)

| {z }

=h00 2

·c0₂·(b0_2,kg₂−1)

| {z }

=b00_2,k

+a0_3,j·(h0₃g3)

| {z }

=h00 3

·(c0₃g₃−1)

| {z }

=c00₃

·b0_3,k

+

n X

i=4

a0_i,jh0_ic0_ib0_i,k (mod x0)

Crucially, the equalityw(_j,kc)=a00_1,jh₁00c0₁b0_1,k+a0_2,jh00₂c0₂b00_2,k+a0_3,jh00₃c00₃b0_3,k+P

i>3a0i,jh0ic0ib0i,k holds not just modulox0 but also overZ, because both sides are smaller than x0. To see that the right hand

side consists only of small terms, recall that we have

1. a00_1,j = [a0_1,jg₁−1]x0 =ra,1,j, for j∈[n](since theaj's have 0 in their rst slots).

2. b00_2,k = [b0_2,kg₂−1]x0 =rb,2,k, for k∈[n](since the bk's have 0 in their second slots).

3. c00₃ = [c0₃g₃−1]x0 =rc,3 (sincec's has 0 in its third slot).

4. h00₃ = [h0_igi]x0 =hidi0p−1 for i∈ {1,2,3}(by denition of h0i).

LetC(c):=diag(c0₁, c0₂, c00₃, c0₄, . . . , c0_n). LetH :=diag(h00₁, h00₂, h00₃, h0₄, . . . , h0_n). Now, we dene the

ma-trixW(c) =

w_j,k(c)

j,k∈[n]. Then, we can write the following matrix equations over Z:

W(c) =



 

a00_1,1 a0_2,1 a0_n,1

... ...

a00_1,n a0_2,n a0_n,n



 

| {z }

=A

×C(c)×H×

      

b0_1,1 · · · b0_1,n b00_2,1 · · · b00_2,n b0_3,1 b0_3,n

...

b0_n,1 b0_n,n

      

| {z }

=B

We can use the same procedure to obtain a similar matrixW(˜c), and we have the matrix equations W(˜c) = A×C(˜c) ×H×B, also over Z. With high probability over the randomness, both W(c)

and W(˜c) are invertible over Q. We now compute the matrix W = W(c)W(˜c)

−1

over Q and its

eigenvalues. We have:

W = (AC(c)HB)×(AC(˜c)HB)−1

= A×C(c)×(C(˜c))−1×A−1 = A×



 

c0₁/c˜0₁ 0

...

0 c0_n/c˜0_n



 ×A

−1_,

so the eigenvalues ofW are all the rational numbers c0_n/c˜0_n (which are distinct whp). Let αi/βi =

c0_i/c˜0_i be a simplied fraction (i.e. where αi, βi are relatively prime), then on one hand we have

βici−αi˜ci= 0, and on the other hand for alli6=iwe haveβici0−α_i˜c_i0 6= 0 (modp_i0) whp. Hence

βic−αi˜c will have non-trivial gcd with x0, namely pi. Running over all eigenvalues of W we can

recover all the prime factors of x0.

3 The Attack in the GGH setting

Given the GGH weak discrete logarithm attacks [GGH13a], previous works (e.g., [GGH+_13b])

employ some counter-measures to avoid providing encodings of zero. In this section we point out that these countermeasures may be insucient in some cases.

3.1 Counter-Measures to Zeroing Attacks

To avoid providing encoding of zero in the public parameters, it was suggested in some previous work to replace the bare encoding of the values of interest by encoding matrices related to these values (e.g. have the desired value as an eigenvalue). For concreteness, in this note we consider the ordered setting in which the public parameters include an encoding of various values and we know ahead of time the order in which these values can be multiplied.1 _{The attack below easily extends}

to other settings (in fact it may become a little easier).

1_{This is the case, for example, in the application for branching-program obfuscation, where these values of interest}

In more detail, we will assume a GGH-like scheme with plaintext space R/gR for some ring R

and element g ∈ R, and ciphertext space Rq for some integer q. We encode elements relative to subsets of [k] = {1, . . . , k}, and use [k] itself as our zero-test level. Suppose that our application

calls for publishing encoding of elements relative to the singleton sets {i} ⊂ [k] and only needs

to multiply elements in the natural order (with encoding relative to {1} on the left, followed by

encodings relative to {2}, {3}, etc.). Further, suppose that we need to re-randomize encodings (at

least) relative to the singletons {1} and {2}, so we would like to provide encodings of zero relative

to these singletons.

Trying to protect against zeroizing attacks, we could consider the following solution: we choose a random small vector s∗ ∈Rn and invertible matricesT0, T1, . . . , Tk ∈Rnq×n (for some n). We then encode α ∈R/gR relative to {i} by choosing a random small matrix A∗ such that s∗×A∗ =αs∗

(modgR), and publishing the matrix

A{i}=

Ti−1×A∗×Ti−1

q.

For the purpose of zero-test we choose another mid-size random vectort∗ ∈Rnand publish the two

vectorss= [g−1s∗×T₀−1]q and t= [Tk×t∗]q. It is easy to see that this provides the functionality of a graded-encoding scheme, where a level-[k]encodingA[k]can be tested for zero by checking that

h

s×A[k]×ti q

q.

On the other hand, it seems hard to obtain a native GGH-encoding of zero even if we are given matricesA{i} that encode zero, so we could naively hope that the zeroizing attacks from [GGH13a]

do not apply.

Where are the zi's? Note that the denominators zi of the native GGH encoding are absent from the description above, since they are absorbed into the matrices Ti. One can instead use A{i} =

z_i−1·Ti−1×A∗×Ti−1

q. and multiply s by z = Q

izi, and everything else in this section would remain unchanged (except the notations which would become a little more cumbersome by the need to specify all these zi's). Indeed it is easy to see that this does not change the scheme

at all. Similarly, the h element from GGH is implicitly dened as h = ht∗,s∗i, which is indeed a

mid-size element.

3.2 The Updated Weak-DL Attack

Unfortunately, we show that the counter-measures from above are insucient to thwart a weak-discrete-logarithm attack in the setting above. Specically, assume that we are given the following encoding matrices:

◦ Many level-{1} encoding of zero, A{_j1} =

h

T0×A∗_j×T₁−1

i

q, j = 1,2, . . ., s.t. s

∗_A∗

j = 0

(modgR).

◦ Many level-{2} encoding of zero, B_j{2} = hT1×B∗j ×T

−1 2

i

q, j = 1,2, . . ., s.t. s

∗_B∗

◦ A level-{2} encoding of one,C{2} =

T1×C∗×T2−1

q s.t. s

∗_C∗

j =s∗ (modgR).

◦ A level-{2} encoding of an unknown element, D{2} = T1×D∗×T2−1

q s.t. s

∗_D∗

j = δs∗

(modgR) for some small scalarδ ∈R.

◦ For S = {3, . . . , k}, many level-S encoding of nonzero elements, E_jS = hT2×Ej∗×T

−1

k i

q,

j= 1,2, . . ., s.t. s∗E_j∗ =εjs∗ (modgR) for small scalarsεj ∈R,εj ∈/ gR.

We now show an attack that recovers the coset δ+gR.

3.3 The Attack

Observe that since the A{_j1}'s are encoding of zero then they cancel the term g−1 in the vector s. Hence there exist small vectors uj ∈ Rn such that we have the equality s∗A∗j = g·uj in R, and therefore hs×A{_j1}×T1

i

q = s

∗_A∗

j/g = uj. Let us also denote below vj = h

T2×EjS×t i

q and notice thatvj is the small vector vj =E_j∗t∗ (equality inR). Then for allj1, j2, j3 we get

wj1,j2,j3 =: h

s×A{_j11}×B_j2{2}×E_j2S ×t i

q = uj1B

∗

j2vj3

xj1,j3 =: h

s×A{_j11}×C{2}×ES_j2×ti

q = uj1C

∗_v

j3

yj1,j3 =: h

s×A{_j11}×D{2}×E_j2S ×t i

q = uj1D

∗

vj3.

with equalities over R.

Let us now denote byU then×nmatrix overR with theuj's as rows and by V then×n matrix

with thevj's as columns, and also dene then×nmatricesW1, W2, . . .,X, and Y via:

Wj[j1, j3] =wj1,j,j3, X[j1, j3] =xj1,j3, and Y[j1, j3] =yj1,j3. Then by denition we have

Wj =U×Bj∗×V, X =U ×C

∗_{×V, and Y =U ×D}∗_×V,

again with equalities overR. Computing the determinant of all these matrices and taking the GCD,

we get w.h.p. the determinant ofU ×V, and by dividing it out we get the determinant of all the B_j∗'s. Sinces∗×B_j∗ ∈gRfor allj, thendet(B_j∗) is divisible bygfor allj. Hence w.h.p. the scalars det(B_j∗)span the idealgR, so we can compute this ideal and its order, let us denote this order byp

and we assume thatp is a prime integer.

Next, we consider the univariate matrix polynomial M(z) =z·X−Y =U ×(z·C∗−D∗)×V.

This is a matrix with linear polynomials (over R) in all its entries, and note that evaluating this

matrix polynomial atz =δ would give us a matrixM(δ) such thats∗×M(δ) =0 (modgR) and

thereforedet(M(δ)) = 0 (modgR).

Since M(z) has linear polynomials (over R) in all its entries, then its determinant is a

ideal gR and its order p, we can reduce all the coecients of P(X) modulo gR, using Zp as the canonical representation of gR. This yields a degree-n polynomial Q(X) over Zp such that

Q(X) =P(X) (mod gR). By the above we know thatP(δ) = 0 (mod gR), which means that ifδ∗

is the representative ofδ inZq thenQ(δ∗) = 0 (modp). We can therefore factor the polynomialQ over Zp, and recoverδ∗ as one of its roots, which would give us the cosetδ∗+gR=δ+gR.

3.4 Comments

We note that the attack above can of course be mounted to recover the coset of any encoding, not just at level-{2}. Also if the matrixC was an encoding of an arbitrary non-zero elementγ (rather

than an encoding of 1) then the only dierence would be that we would recover the coset up to multiplication by the xed factor γmod p. We also note that the zero-encodingAj need not be at level-{1}, this was only done to simplify the notations.

4 A Rened Generic Model

The attacks that we sketched above point to the inadequacy of the generic graded-encoding model as used in recent work. Indeed these attacks are highly algebraic and yet they are not captured by that generic model. The main dierence is that in the generic graded-encoding model the zero-test returns just a 0/1 bit, whereas in the GGH/CLT schemes this test returns a full ring element.

We therefore propose to augment this generic model as follows: In addition to the standard interfaces in the graded-encoding model (with some plaintext space R0 =R/gR, which we assume is a eld),

we will now also have a black-box-eld over the same space, except that we cannot directly obtain handles to this black-box eld. Instead, the zero-test would serve as a translation device, letting us move things from the graded-encoding oracle to the black-box-eld oracle.

In more detail, we would have the usual oracles to sample/encode elements in the graded-encoding scheme and to add and multiply them with the usual semantics. However, with each encoded element the graded-encoding oracle will also associate a random element ofR from the appropriate coset.

Namely, with each encoded valueα the oracle will also have an associatedrα∈Rand the intended semantics is that we use α+g·rα to represent the coset α+gR. The oracle keeps track of the representatives via the addition and multiplication operations of the graded-encoding scheme, by adding and multiplying the representatives in the ringR.

Then, if the zero-test is called on an encoding of zero with representativeg·r ∈R, then in addition

to the bit 1 the oracle will also give us a handle to an encoding of r+gR in the black-box eld.

Namely, if we call it on an element which is divisible by g then it will divide by g and move it to

References

[CHL+_{14] Jung Hee Cheon, Kyoohyung Han, Changmin Lee, Hansol Ryu, and Damien Stehlé.}

Cryptanalysis of the multilinear map over the integers. Cryptology ePrint Archive, Report 2014/906, 2014. http://eprint.iacr.org/.

[CLT13] Jean-Sébastien Coron, Tancrède Lepoint, and Mehdi Tibouchi. Practical multilinear maps over the integers. In Ran Canetti and Juan A. Garay, editors, Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part I, volume 8042 of Lecture Notes in Computer Science, pages 476493. Springer, 2013.

[GGH13a] Sanjam Garg, Craig Gentry, and Shai Halevi. Candidate multilinear maps from ideal lattices. In Thomas Johansson and Phong Q. Nguyen, editors, Advances in Cryptology - EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Ap-plications of Cryptographic Techniques, Athens, Greece, May 26-30, 2013. Proceedings, volume 7881 of Lecture Notes in Computer Science, pages 117. Springer, 2013. [GGH+_{13b] Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai, and Brent}