Immunizing Multilinear Maps Against Zeroizing Attacks

In recent work Cheon, Han, Lee, Ryu, and Stehle presented an attack on the multilinear map of Coron, Lepoint, and Tibouchi (CLT). They show that given many low-level encodings of zero, the CLT multilinear map can be completely broken, recovering the secret factorization of the CLT modulus. The attack is a generalization of the “zeroizing” attack of Garg, Gentry, and Halevi. We first strengthen the attack of Cheon, Han, Lee, Ryu, and Stehle by showing that CLT can be broken even without low-level encodings of zero. This strengthening is sufficient to show that the subgroup elimination assumption does not hold for the CLT multilinear map. We then present a generic defense against this type of “zeroizing” attack. For an arbitrary asymmetric composite-order multilinear map (including CLT), we give a functionality-preserving transformation that ensures that no sequence of map operations will produce valid encodings (below the zero-testing level) whose product is zero. We prove security of our transformation in a generic model of composite-order multilinear maps. Our new transformation rules out “zeroizing” leaving no currently known attacks on the decision linear assumption, subgroup elimination assumption, and other related problems for the CLT multilinear map. Of course, in time, it is possible that different attacks on CLT will emerge. Update: Since the publication of this work, Coron, Lepoint, and Tibouchi [CLT14] have further strengthened the original attacks of Cheon et al. With the stregthened attack, the mitigations we describe in this work no longer suffice to secure the original CLT multilinear map. However, we have preserved the original exposition of our zero-immunizing transformation (Section 3), since this transformation is of independent interest. Notably, our transformation still rules out low-level zero encodings (Theorem 3.14), and thus provides robustness in the setting of deterministic encodings.

[1]  Jean-Sébastien Coron,et al.  Practical Multilinear Maps over the Integers , 2013, CRYPTO.

[2]  Dan Boneh,et al.  Applications of Multilinear Forms to Cryptography , 2002, IACR Cryptol. ePrint Arch..

[3]  G. B. Price Bounds for determinants with dominant principal diagonal , 1951 .

[4]  Allison Bishop,et al.  Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption , 2015, 2015 IEEE 56th Annual Symposium on Foundations of Computer Science.

[5]  Allison Bishop,et al.  Witness Encryption from Instance Independent Assumptions , 2014, IACR Cryptol. ePrint Arch..

[6]  Alfred Menezes,et al.  Reducing elliptic curve logarithms to logarithms in a finite field , 1991, STOC '91.

[7]  Brice Minaud,et al.  Cryptanalysis of the New CLT Multilinear Map over the Integers , 2016, EUROCRYPT.

[8]  Craig Gentry,et al.  Candidate Multilinear Maps from Ideal Lattices , 2013, EUROCRYPT.

[9]  Richard J. Lipton,et al.  Effect of operators on straight line complexity , 1997, Proceedings of the Fifth Israeli Symposium on Theory of Computing and Systems.

[10]  Alex J. Malozemoff,et al.  Implementing Cryptographic Program Obfuscation , 2014, IACR Cryptol. ePrint Arch..

[11]  A. Ostrowski Note on bounds for determinants with dominant principal diagonal , 1952 .

[12]  Joe Zimmerman,et al.  How to Obfuscate Programs Directly , 2015, EUROCRYPT.

[13]  Victor Shoup,et al.  Lower Bounds for Discrete Logarithms and Related Problems , 1997, EUROCRYPT.

[14]  Vinod Vaikuntanathan,et al.  Efficient Fully Homomorphic Encryption from (Standard) LWE , 2011, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science.

[15]  Guy N. Rothblum,et al.  Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding , 2014, TCC.

[16]  Brent Waters,et al.  Candidate Indistinguishability Obfuscation and Functional Encryption for all Circuits , 2013, 2013 IEEE 54th Annual Symposium on Foundations of Computer Science.

[17]  Craig Gentry,et al.  Fully Secure Attribute Based Encryption from Multilinear Maps , 2014, IACR Cryptol. ePrint Arch..

[18]  Jean-Sébastien Coron,et al.  Cryptanalysis of Two Candidate Fixes of Multilinear Maps over the Integers , 2014, IACR Cryptol. ePrint Arch..

[19]  J. Varah A lower bound for the smallest singular value of a matrix , 1975 .

[20]  Jung Hee Cheon,et al.  Cryptanalysis of the Multilinear Map over the Integers , 2014, EUROCRYPT.

[21]  Victor S. Miller,et al.  The Weil Pairing, and Its Efficient Calculation , 2004, Journal of Cryptology.

[22]  Yael Tauman Kalai,et al.  Protecting Obfuscation against Algebraic Attacks , 2014, EUROCRYPT.

[23]  Craig Gentry,et al.  Graph-Induced Multilinear Maps from Lattices , 2015, TCC.