GGH15 Beyond Permutation Branching Programs: Proofs, Attacks, and Candidates

We carry out a systematic study of the GGH15 graded encoding scheme used with general branching programs. This is motivated by the fact that general branching programs are more efficient than permutation branching programs and also substantially more expressive in the read-once setting. Our main results are as follows: Proofs. We present new constructions of private constrained PRFs and lockable obfuscation, for constraints (resp. functions to be obfuscated) that are computable by general branching programs. Our constructions are secure under LWE with subexponential approximation factors. Previous constructions of this kind crucially rely on the permutation structure of the underlying branching programs. Using general branching programs allows us to obtain more efficient constructions for certain classes of constraints (resp. functions), while posing new challenges in the proof, which we overcome using new proof techniques. Attacks. We extend the previous attacks on indistinguishability obfuscation (iO) candidates that use GGH15 encodings. The new attack simply uses the rank of a matrix as the distinguisher, so we call it a “rank attack”. The rank attack breaks, among others, the iO candidate for general read-once branching programs by Halevi, Halevi, Shoup and Stephens-Davidowitz (CCS 2017). Candidate Witness Encryption and iO. Drawing upon insights from our proofs and attacks, we present simple candidates for witness encryption and iO that resist the existing attacks, using GGH15 encodings. Our candidate for witness encryption crucially exploits the fact that formulas in conjunctive normal form (CNFs) can be represented by general, read-once branching programs.

[1]  Ronald Cramer,et al.  Recovering Short Generators of Principal Ideals in Cyclotomic Rings , 2016, EUROCRYPT.

[2]  Brent Waters,et al.  Lockable Obfuscation , 2017, 2017 IEEE 58th Annual Symposium on Foundations of Computer Science (FOCS).

[3]  Dan Boneh,et al.  Private Puncturable PRFs from Standard Lattice Assumptions , 2017, EUROCRYPT.

[4]  Eric Miles,et al.  Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13 , 2016, CRYPTO.

[5]  Nico Döttling,et al.  Cryptanalysis of Indistinguishability Obfuscations of Circuits over GGH13 , 2016, ICALP.

[6]  Eric Miles,et al.  Secure Obfuscation in a Weak Multilinear Map Model , 2016, TCC.

[7]  Rex Fernando,et al.  Preventing CLT Attacks on Obfuscation with Linear Overhead , 2017, ASIACRYPT.

[8]  Yael Tauman Kalai,et al.  Protecting Obfuscation against Algebraic Attacks , 2014, EUROCRYPT.

[9]  Abhishek Banerjee,et al.  Pseudorandom Functions and Lattices , 2012, EUROCRYPT.

[10]  Yael Tauman Kalai,et al.  Public-Key Encryption Schemes with Auxiliary Inputs , 2010, TCC.

[11]  Shai Halevi,et al.  Graded Encoding, Variations on a Scheme , 2015, IACR Cryptol. ePrint Arch..

[12]  Jean-Sébastien Coron,et al.  Practical Multilinear Maps over the Integers , 2013, CRYPTO.

[13]  Chris Peikert,et al.  Three's Compromised Too: Circular Insecurity for Any Cycle Length from (Ring-)LWE , 2016, CRYPTO.

[14]  Chris Peikert,et al.  Generating Shorter Bases for Hard Random Lattices , 2009, Theory of Computing Systems.

[15]  Dan Boneh,et al.  Applications of Multilinear Forms to Cryptography , 2002, IACR Cryptol. ePrint Arch..

[16]  David A. Mix Barrington,et al.  Bounded-width polynomial-size branching programs recognize exactly those languages in NC1 , 1986, STOC '86.

[17]  Chris Peikert,et al.  Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller , 2012, IACR Cryptol. ePrint Arch..

[18]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[19]  Chris Peikert,et al.  Privately Constraining and Programming PRFs, the LWE Way , 2017, IACR Cryptol. ePrint Arch..

[20]  Guy N. Rothblum,et al.  Obfuscating Conjunctions , 2015, Journal of Cryptology.

[21]  Mehdi Tibouchi,et al.  Cryptanalysis of GGH15 Multilinear Maps , 2016, CRYPTO.

[22]  Dan Boneh,et al.  Key Homomorphic PRFs and Their Applications , 2013, CRYPTO.

[23]  Brent Waters,et al.  Collusion resistant traitor tracing from learning with errors , 2018, IACR Cryptol. ePrint Arch..

[24]  Allison Bishop,et al.  Witness Encryption from Instance Independent Assumptions , 2014, IACR Cryptol. ePrint Arch..

[25]  Claus Fieker,et al.  Subexponential class group and unit group computation in large degree number fields , 2014, LMS J. Comput. Math..

[26]  Daniele Micciancio,et al.  Worst-case to average-case reductions based on Gaussian measures , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[27]  Damien Stehlé,et al.  Classical hardness of learning with errors , 2013, STOC '13.

[28]  Craig Gentry,et al.  Graph-Induced Multilinear Maps from Lattices , 2015, TCC.

[29]  Dan Boneh,et al.  Constraining Pseudorandom Functions Privately , 2015, Public Key Cryptography.

[30]  Vinod Vaikuntanathan,et al.  Private Constrained PRFs (and More) from LWE , 2017, TCC.

[31]  Philip N. Klein,et al.  Finding the closest lattice vector when it's unusually close , 2000, SODA '00.

[32]  Brent Waters,et al.  Circular Security Separations for Arbitrary Length Cycles from LWE , 2016, CRYPTO.

[33]  Craig Gentry,et al.  Zeroizing Without Low-Level Zeroes: New MMAP Attacks and their Limitations , 2015, CRYPTO.

[34]  Jung Hee Cheon,et al.  Cryptanalysis of the Multilinear Map over the Integers , 2014, EUROCRYPT.

[35]  Shai Halevi,et al.  Implementing BP-Obfuscation Using Graph-Induced Encoding , 2017, CCS.

[36]  Brice Minaud,et al.  Cryptanalysis of the New CLT Multilinear Map over the Integers , 2016, EUROCRYPT.

[37]  Craig Gentry,et al.  Candidate Multilinear Maps from Ideal Lattices , 2013, EUROCRYPT.

[38]  David Cash,et al.  Bonsai Trees, or How to Delegate a Lattice Basis , 2010, Journal of Cryptology.

[39]  Kousha Etessami,et al.  Recursive Markov chains, stochastic grammars, and monotone systems of nonlinear equations , 2005, JACM.

[40]  Jean-Sébastien Coron,et al.  Zeroizing Attacks on Indistinguishability Obfuscation over CLT13 , 2017, Public Key Cryptography.

[41]  Craig Gentry,et al.  Cryptanalyses of Candidate Branching Program Obfuscators , 2017, EUROCRYPT.

[42]  Ran Canetti,et al.  Constraint-Hiding Constrained PRFs for NC1 from LWE , 2017, EUROCRYPT.

[43]  Miklós Ajtai,et al.  Generating Hard Instances of the Short Basis Problem , 1999, ICALP.

[44]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[45]  Chris Peikert,et al.  Pseudorandomness of ring-LWE for any ring and modulus , 2017, STOC.

[46]  Chris Peikert,et al.  Public-key cryptosystems from the worst-case shortest vector problem: extended abstract , 2009, STOC '09.

[47]  Daniel Wichs,et al.  Obfuscating Compute-and-Compare Programs under LWE , 2017, 2017 IEEE 58th Annual Symposium on Foundations of Computer Science (FOCS).

[48]  Brent Waters,et al.  Witness encryption and its applications , 2013, STOC '13.

[49]  Chris Peikert,et al.  Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices , 2006, TCC.

[50]  Brent Waters,et al.  Separating Semantic and Circular Security for Symmetric-Key Bit Encryption from the Learning with Errors Assumption , 2017, EUROCRYPT.

[51]  Fang Song,et al.  Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields , 2016, SODA.

[52]  Vinod Vaikuntanathan,et al.  Obfuscating Conjunctions under Entropic Ring LWE , 2016, ITCS.