Quantum Attacks Against Indistinguishability Obfuscators Proved Secure in the Weak Multilinear Map Model [chapter]

Alice Pellet-Mary
2018 Lecture Notes in Computer Science  
We present a quantum polynomial time attack against the GMMSSZ branching program obfuscator of Garg et al. (TCC'16), when instantiated with the GGH13 multilinear map of Garg et al. [GGH13a]. This candidate obfuscator was proved secure in the weak multilinear map model introduced by Miles et al. (CRYPTO'16). Our attack uses the short principal ideal solver of Cramer et al. to recover a secret element of the GGH13 multilinear map in quantum polynomial time. We then use this secret element to mount a (classical) polynomial time mixed-input attack against the GMMSSZ obfuscator. The main result of this article can hence be seen as a classical reduction from the security of the GMMSSZ obfuscator to the short principal ideal problem (the quantum setting is then only used to solve this problem in polynomial time). As an additional contribution, we explain how the same ideas can be adapted to mount a quantum polynomial time attack against the DG-GMM obfuscator of Döttling et al. (ePrint 2016), which was also proved secure in the weak multilinear map model.

... under these weaker security notions. In addition to their impossibility result, the authors of [BGI+01] proposed such a weaker security notion, called indistinguishability obfuscation (or iO). Indistinguishability obfuscation requires that it should be hard to distinguish between the obfuscations of two equivalent circuits, i.e., circuits that compute the same function. Even though iO security is weaker than VBB security, achieving iO for all circuits would have many applications (see, e.g., [GGH+13b, SW14]). The first candidate obfuscator for iO security was proposed in 2013 by Garg, Gentry, Halevi, Raykova, Sahai and Waters [GGH+13b], based on the GGH13 approximate multilinear map [GGH13a]. They showed that iO for the class of polynomial-size branching programs² could be bootstrapped to iO for all polynomial-size circuits,³ and they then described a candidate iO obfuscator for polynomial-size branching programs (without a security proof). Since 2013, numerous candidate obfuscators for polynomial-size branching programs have been proposed, all relying on one of the three candidate cryptographic multilinear map constructions [GGH13a, CLT13, GGH15].⁴ However, none of these candidate obfuscators could be proven secure under classical hardness assumptions. The main security weakness of these candidate obfuscators stems from the underlying candidate multilinear maps.
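The indistinguishability requirement stated informally above, written out as the standard iO definition. This formalisation is added here and is not from the page; the notation (obfuscator $\mathcal{O}$, distinguisher $\mathcal{D}$, security parameter $\lambda$, circuit size $|C|$) is assumed. An obfuscator $\mathcal{O}$ for a circuit class $\mathcal{C}$ must preserve functionality,

$$\forall C \in \mathcal{C},\ \forall x:\quad \mathcal{O}(1^\lambda, C)(x) = C(x),$$

and must satisfy, for every pair of circuits of equal size that agree on every input,

$$\forall C_0, C_1 \in \mathcal{C} \text{ with } |C_0| = |C_1| \text{ and } \forall x:\ C_0(x) = C_1(x),\quad \forall \text{PPT } \mathcal{D}:$$

$$\Bigl|\Pr\bigl[\mathcal{D}(1^\lambda, \mathcal{O}(1^\lambda, C_0)) = 1\bigr] - \Pr\bigl[\mathcal{D}(1^\lambda, \mathcal{O}(1^\lambda, C_1)) = 1\bigr]\Bigr| \le \mathrm{negl}(\lambda).$$

An attack in this setting is therefore exactly a pair of equivalent circuits together with an efficient $\mathcal{D}$ whose advantage is non-negligible; the mixed-input attack of the abstract is such a distinguisher, built from evaluations of the obfuscated program on inputs that honest evaluation would never combine. VBB security is stronger: it requires a simulator that, given only oracle access to $C$, reproduces anything $\mathcal{D}$ learns from $\mathcal{O}(1^\lambda, C)$, which [BGI+01] showed is impossible in general.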
Indeed, all candidate multilinear maps have been shown to suffer from so-called zeroizing attacks [CHL+15, HJ16], and these zeroizing attacks and their generalizations have made it difficult to design potentially secure iO obfuscators. In the following, we instantiate all the obfuscators with the GGH13 [GGH13a] multilinear map,⁵ as our attack exploits a weakness of this specific multilinear map. In order to improve security confidence, recent obfuscator constructions carefully instantiate the underlying multilinear map (to try to avoid zeroizing attacks) and prove VBB security of their obfuscator in some idealised model. First, the authors of [BR14, BGK+14, AGIS14] proved VBB security of their obfuscators in the so-called ideal graded encoding model, introduced in [BR13]. But zeroizing attacks against multilinear maps and the resulting annihilation attacks against obfuscators [MSZ16, CGH17, ADGM17] showed that this model does not capture all potential attacks against obfuscators. Another model was then proposed in [MSZ16]: the weak multilinear map model. This model captures all the attacks mentioned above, and two candidate obfuscators were proved secure in this model [GMM+16, DGG+16].

Previous work. The annihilation attack of Miles, Sahai and Zhandry [MSZ16] already impacted many obfuscators: [BR14, BGK+14, PST14, AGIS14, BMSZ16, MSW14]. One limitation of this attack is that it is captured by the weak multilinear map model, and so it cannot apply to the recent obfuscators of [GMM+16, DGG+16]. A formalisation and generalisation of this attack was then proposed by [ADGM17]. This attack makes it possible to distinguish a larger class of circuits than that of [MSZ16], but it applies to the same candidate obfuscators. Moreover, it only works for single-input branching programs. In parallel, Chen, Gentry and Halevi [CGH17] proposed an attack against the original obfuscator of [GGH+13b], and a quantum attack against the GGH15 construction [GGH15], both of which had been unbroken until then. These attacks rely on specific branching programs, namely input-partitionable branching programs. Since then, Fernando, Rasmussen and Sahai [FRS17] have proposed a technique to transform any branching program into an equivalent branching program which is not input partitionable. This transformation can be used either with the GGH13 map or with the CLT map. Hence, using the [GGH+13b] obfuscator combined with the technique of [FRS17] prevents the attack of [CGH17].

² See Section 2.3 for the definition of a matrix branching program.
³ The proof relies on Barrington's theorem [Bar86], and on a bootstrapping procedure enabled by fully homomorphic encryption.
⁴ The GGH15 multilinear map is a restricted multilinear map that cannot be used for all obfuscator constructions.
⁵ Some obfuscators, like [DGG+16], are specifically designed to work with the GGH13 multilinear map. Others can be instantiated with either the GGH13 or the CLT13 multilinear map. For those, we only consider the GGH13 instantiation.
doi:10.1007/978-3-319-96878-0_6