Cryptanalysis of the CLT13 Multilinear Map
 73 Downloads
Abstract
In this paper, we describe a polynomial time cryptanalysis of the (approximate) multilinear map proposed by Coron, Lepoint, and Tibouchi in Crypto13 (CLT13). This scheme includes a zerotesting functionality that determines whether the message of a given encoding is zero or not. This functionality is useful for designing several of its applications, but it leaks unexpected values, such as linear combinations of the secret elements. By collecting the outputs of the zerotesting algorithm, we construct a matrix containing the hidden information as eigenvalues, and then recover all the secret elements of the CLT13 scheme via diagonalization of the matrix. In addition, we provide polynomial time algorithms to directly break the security assumptions of many applications based on the CLT13 scheme. These algorithms include solving subgroup membership, decision linear, and graded external Diffie–Hellman problems. These algorithms mainly rely on the computation of the determinants of the matrices and their greatest common divisor, instead of performing their diagonalization.
Keywords
Multilinear maps Graded encoding schemes Decision linear problem Subgroup membership problem Graded external Diffie–Hellman problem1 Introduction
Multilinear maps are very powerful tools in cryptography. Following their use in constructing two interesting applications: a oneround noninteractive multiparty key exchange protocol and a broadcast encryption scheme with short keys [7], multilinear maps have yielded many remarkable cryptographic applications. However, without the realization of multilinear maps, the promising applications would have been only ambiguous implementations. As a first breakthrough in the generation of multilinear maps, Garg, Gentry, and Halevi introduced the concept of graded encoding schemes as a variant of multilinear maps and described a candidate approximate construction (GGH13) using ideal lattices. Shortly after this, Coron, Lepoint, and Tibouchi [15] proposed another potential graded encoding scheme (CLT13) over integers. These graded encoding schemes expanded their applications such as generalpurpose obfuscation, functional encryption, and others [1, 3, 5, 6, 22, 24, 25, 26, 30, 36, 37].
The security of the applications based on the graded encoding schemes relies on the presumed hardness of the problems such as the graded decision Diffie–Hellman (GDDH), subgroup membership (SubM), decision linear (DLIN), and graded externaldecision Diffie–Hellman (GXDH) problems. However, it was showed that when instantiated in the GGH13 scheme with some distinct encodings termed as lowlevel encodings of zero, the SubM, DLIN, and GXDH problems could be solved in polynomial time by the socalled zeroizing attack [20, Sec. 6] (also called the weak discrete logarithm attack). Subsequently, this approach became potentially more powerful: Hu and Jia extended it and proved that the GDDH problem could also be solved in polynomial time [28].
In contrast, the CLT13 scheme was not apparently susceptible to the zeroizing attack. It was believed that the problems, including SubM, DLIN, GXDH, and GDDH, were hard problems in the CLT13 scheme. Thus, the CLT13 scheme is considered as the only candidate for implementing applications that require the presumed hardness of the problems as the security basis. Such applications include keyhomomorphic pseudorandom functions and a oneround group passwordbased authenticated key exchange [1, 3, 5, 6, 15, 22, 30, 36]: The widespread use of the CLT13 scheme has raised concerns about its security because its presumed hardness has not been proven for standard assumptions.
Our Contributions In this paper, we describe a polynomial time cryptanalysis of the CLT13 scheme. This algorithm employs lowlevel encodings of zero. Our algorithm is applicable until such encodings of zero are used for the “rerandomization procedure” in the CLT13 scheme. We then show that this algorithm allows the recovery of all the secret parameters. Using these secret parameters, we can eventually solve the SubM, DLIN, GXDH, and GDDH problems.
Apart from an indirect attack, we also provide polynomial time algorithms for analyzing three related problems in the CLT13 scheme: the SubM, DLIN, and GXDH problems. Although these polynomial time algorithms are not as efficient as the previous ones because of their computational complexity, they are of significance in that they can be directly applied to the problems.
Consequently, there is no direct construction of secure multilinear maps, for which any of the GDDH, SubM, DLIN, and GXDH problems are hard.^{1} Several cryptographic applications are impacted,e.g., all the constructions of [3, 22, 30, 36], GPAKE construction in [1] for more than three users, one of the two constructions of password hashing in [5], and one of the keyhomomorphic PRF constructions in [6].
Technical Overview We describe two independent methods for solving the problems associated with the CLT13 scheme. The first method allows for determining all the secret elements of the CLT13 scheme, and the second one solves each problem directly. We name these two techniques as the eigenvalue technique and determinant technique, respectively, because the main part of each algorithm is the computation of the eigenvalues and determinants, respectively.
Let \(p_i\) be the secret distinct primes for \(1\le i\le n\), and \(x_0\) equal \(\prod _{i=1}^n p_i\). We denote \({\hat{p}}_i=x_0/p_i\) for each i and \({\hat{P}}=\sum _{i=1}^n {\hat{p}}_i\). For integer vector \(\mathbf {r}=(r_i)\in {\mathbb {Z}}^n\) with \(r_i \ll p_i\), a Chinese remainder encoding of \(\mathbf {r}\) (referred as CRTencoding) is defined as an integer, denoted by \(\mathsf{CRT}_{(p_i)} (r_i)\in (x_0/2, x_0/2]\). This is congruent to integer \(r_i\) in each modulo \(p_i\). Informally, the setting of the CLT13 scheme is reduced to the following problem: when we are given \(x_0\), \({\hat{P}}\), and polynomially many CRTencodings of the integer vectors, recover all the secret primes.
In [19], Galbraith, Gebregiyorgis, and Murphy introduced a CRTapproximate greatest common divisor problem (CRTACD) problem. Herein, when given a multiple of \(x_0\), written as \(x_0\cdot q_0\), and variants of CRTencodings, \(x_0\cdot q_j + \mathsf{CRT}_{(p_i)} (r_{ij}),\) for polynomially many \(j\ge 1\), find the secret primes, for which integers \(q_j\) are sampled from some distribution. Compared to the CRTACD problem, we consider \(q_0=1\) and \(q_j=0\) for all \(j\ge 1\). In addition, integer \({\hat{P}}\) is given. Therefore, we call this problem as CRTACD with an auxiliary input.
(1) Eigenvalue Technique Our main technique is to construct a diagonalizable matrix in \({\mathbb {Q}}\) whose eigenvalues are \(r_{i}\) for some CRTencoding, \(\mathsf{CRT}_{(p_i)}(r_{i})\). Then, by computing the greatest common divisor (gcd) between \(x_0\) and \((\mathsf{CRT}_{(p_i)}(r_{i})  r_{i})\), we recover \(p_i\).
(2) Determinant Technique For the SubM, DLIN, and GXDH problems, the determinant technique could be directly used to analyze the problems instead of performing the eigenvaluebased analysis. For example, we consider a simplified SubM problem: given two CRTencodings \(A=\mathsf{CRT}_{(p_i)} (r_i )\) and \(B=\mathsf{CRT}_{(p_i)} ( r_{i}')\), where \(r_i\) and \(r_i'\) are \(\rho \)bit integers much smaller than \(p_i\). We need to distinguish whether \(r_i\) and \(r_i'\) are coprime for all i.
Given two CRTencodings \(A=\mathsf{CRT}_{(p_i)} (r_i )\) and \(B=\mathsf{CRT}_{(p_i)} ( r'_{i})\), our goal is to construct two matrices over \({\mathbb {Z}}\) whose determinants are multiples of \(\prod _{i=1}^n r_i\) and \(\prod _{i=1}^n r_i'\), respectively. Then, one can solve this problem by computing the gcd.
More precisely, in the construction of \(\mathbf{W}\), we can build two matrices \(\mathbf{W}_A\) and \(\mathbf{W}_B\) by replacing \(\mathsf{CRT}_{(p_i)} (r_{i,1})\) with A and B, respectively. Therefore, the determinants of these matrices are \(\det (\mathbf{W}_A)=\det (\mathbf{R})\cdot \det (\mathbf{R}')\cdot \prod _{i=1}^n r_i\) and \(\det (\mathbf{W}_B)=\det (\mathbf{R})\cdot \det (\mathbf{R}')\cdot \prod _{i=1}^n r'_i\), respectively. Next, we consider the value of \(\det (\mathbf{W}_A) / \gcd ( \mathbf{W}_A,~\mathbf{W}_B)\). If \(r_i\) and \(r'_i\) have a common factor for all i, then this term is smaller than \(2^{n\cdot (\rho 1)}\). Otherwise, this value is not smaller than \(2^{n\cdot (\rho 1)}\), and thus, we can solve the simplified SubM problem. This method can also be applied to the DLIN and GXDH problems. We refer to Sect. 4 for more details.
Related and Followup Works After the preliminary investigations of this work were published in the IACR Cryptology ePrint Archive and the proceedings of the Eurocrypt’15 conference, the attack was extended and the CLT13 scheme was transformed to prevent the attack. Our attack strongly relies on the fact that the lowlevel encodings of 0 are published. In [8], Boneh, Wu, and Zimmerman first extended our attack without giving the encoding of 0. Moreover, they described a modification of the CLT13 scheme to prevent the extended attack. Additionally, an independent approach to immunize the CLT13 scheme against our attack was proposed by Garg, Gentry, Halevi, and Zhandry [23].^{2} Since then, Coron et al. [13] have extended the attack by using the socalled orthogonal encodings. This work showed that the two immunizations were insecure. Apart from these immunization works, a further modification of CLT13 was proposed by Coron, Lepoint, and Tibouchi in Crypto’15 [17]. They claimed that our attack and the extended attack were prevented because the modified scheme maintained underlying modulus \(x_0\) a secret, such that the zerotesting procedure depended on the secret values nonlinearly. However, it was also shown to be insecure by Cheon, Fouque, Lee, Minaud, and Ryu in [10], who demonstrated the recovery of \(x_0\).
Nonetheless, for the security of the generalpurpose obfuscation schemes in the CLT13 scheme, one of the promising applications still remains an open problem because the schemes are neither given the encodings of zero nor are subjected to the extended attacks. Thereafter, Coron, Lepoint, and Tibouchi provided a new analysis result [14] that could enable one to break the polynomial time for several CLT13based candidate obfuscations with a distinct property called input partitionability in the CLT13 scheme [2, 4, 21, 32, 33]. However, this property of input partitionability is not typically satisfied. It was also suggested to convert any inputpartitionable obfuscation scheme in the CLT13 scheme to a noninputpartitionable scheme [18]. In summary, the security of the general obfuscations in the CLT13 scheme has not yet been clarified.
Notation. We use \(a\leftarrow A\) to denote the operation of uniformly choosing element a from finite set A. We define \([n] = \{1,2,\ldots ,n\}\). We let \({\mathbb {Z}}_q\) denote ring \({\mathbb {Z}}/(q{\mathbb {Z}})\). For pairwise coprime integers \(p_1,p_2,\ldots ,p_n\) and integers \(r_1,r_2,\ldots ,r_n\), we define \(\mathsf{CRT}_{(p_1,p_2,\ldots ,p_n)}(r_1,r_2,\ldots ,r_n)\) (abbreviated as \(\mathsf{CRT}_{(p_i)} (r_i)\)) as the unique integer in \(\left( \frac{1}{2} \prod _{i=1}^n p_{i},\frac{1}{2}\prod _{i=1}^n p_{i}\right] \) which is congruent to \(r_i \mod p_i\) for all \(i\in [n]\). We use notation \([t]_p\) for integers t and p to denote the reduction of t modulo p in the interval \((p/2,p/2]\).
We use lowercase bold letters to denote the vectors, whereas we use the uppercase bold letters to denote matrices. For matrix \(\mathbf{S}\), we denote the transpose of \(\mathbf{S}\) by \({\mathbf{S}}^T\). We define \(\Vert {\mathbf{S}}\Vert _{\infty } = \max _i \sum _{j \in [n]} s_{ij} \), where \(s_{ij}\) is the (i, j) component of \(\mathbf{S}\). Finally, we denote \(\mathsf{diag}(a_1,\ldots ,a_n)\) or \(\mathsf{diag}(a_i)\) in the diagonal matrix with diagonal coefficients equal to \(a_1,\ldots ,a_n\).
Organization In Sect. 2, we define the CRTACD problem and its analysis. In Sect. 3, we recall the CLT13 scheme and adapt the analysis to it. In Sect. 4, we introduce three related problems on the CLT13 scheme and their cryptanalyses. We conclude this paper in Sect. 5.
2 CRTACD with an Auxiliary Input
In this section, we introduce and analyze the CRTACD problem using an auxiliary input. The approximate greatest common divisor problem (ACD) was initially introduced by HowgraveGraham [27] as was the problem of finding secret prime p given many nearmultiples of p. One of the promising applications of this problem is a homomorphic encryption scheme [35]. The scheme offers conceptual simplicity compared to other homomorphic encryption schemes based on lattice problems.
The ACD problem is naturally extended by using multiple primes rather than a single one. Galbraith, Gebregiyorgis, and Murphy provided an informal definition of an extended ACD problem, which is called the CRTACD problem [19]. An instance of the problem is an integer of the form \(p_i q_i + r_i\) for several primes \(p_i\). Therefore, it can be defined by using the CRT. Cheon et al. provided a batchhomomorphic encryption [9] based on the CRTACD problem. For appropriate parameters, Galbraith et al. argued that “it is an open problem to give an algorithm to solve the CRTACD problem that exploits the CRT structure” [19].
In this section, however, we show that when some integer, called the auxiliary input, is given, the CRTACD problem can be solved in polynomial time. Now, we define the precise variant of the CRTACD we consider.
Definition 1
Auxiliary input \({\hat{P}}\) needs the distinct feature that it can be written as a summation of its CRT components in \(\mathbb Z_{x_0}\). A key observation is that the equation holds over the integers when \(n+\log n < \eta 1\). Extending this property, we obtain the following lemma.
Lemma 1
Proof
The first equality is clear by the definition of the CRT. To show that the second equality is correct, we consider the equation in each modulo \(p_i\). Then, the lefthand side is \( r_i\cdot {\hat{p}}_i\) and the righthand side is also \( r_i \cdot {\hat{p}}_i\) because \({\hat{p}}_j = 0 \mod p_i\) for \(j\ne i\). Finally, the magnitude of \(\sum \limits _{i=1}^n r_i\cdot {\hat{p}}_i \) is smaller than \(n\cdot 2^\varepsilon \cdot 2^{(n1)\cdot \eta }\), which is less than \(2^{n\cdot (\eta 1)1}\) under the condition, and thus, \(x_0/2\). Hence, based on the uniqueness of \(\mathsf{CRT}\), the second equality holds. \(\square \)
This lemma transforms the modulus equation to an integer equation of \(r_1,\ldots , r_n\) with unknown coefficients \({{\hat{p}}}_1, \ldots , {{\hat{p}}}_n\).
Our algorithm for solving CRTACD with an auxiliary input consists of two steps. The first step is to construct a diagonalizable matrix in \({\mathbb {Q}}\), whose eigenvalues are set \(\{r_{i}\}\) of some CRTACD sample \(\mathsf{CRT}_{(p_i)}(r_{i})\). The next step is to recover \(r_i\) by computing the eigenvalues. Then, by computing the common divisor of \(\mathsf{CRT}_{(p_i)}(r_{i})  r_{i}\) and \(x_0\), we can obtain all \(p_i\).
We now describe the complete details of solving CRTACD with an auxiliary input.
2.1 Constructing Matrix Equations in \({\mathbb {Q}}\)
2.2 Disclosing all the Secret Quantities
The eigenvalues of matrix \(\mathbf V\) discussed in Sect. 2.1 are exactly those in \(B=\{ b_1, \ldots , b_n\}\). Set B can be computed in polynomial time in \(\eta ,n,\) and \(\varepsilon \) from \(\mathbf V\) by computing the roots of the characteristic polynomial.
Prime \(p_i\) is a common factor to both \((b  b_i)\) and \(x_0\), which have other common factors if and only if \(b_j = b_i\) for some \(j \in \{1,\ldots ,n\}\). Hence, if \(b_i\)s are distinct, we can obtain all secret integers \(p_1,\ldots ,p_n\).
Remark Two conditions are required for our algorithm to work appropriately. The first is that matrices \(\mathbf A\) and \(\mathbf C\) are invertible, and the other is that \(b_i \ne b_j\) for all \( 1\le i< j\le n\). The probability that each condition is satisfied depends on distribution \(\chi _\varepsilon \) and matrix size n. Because the two conditions are independent and as they depend on different variables, our attack succeeds in obtaining the probability of the product of the two probabilities. For example, let \(\chi _\varepsilon \) be a uniform distribution in \((2^\varepsilon ,2^\varepsilon )\), and let n be asymptotically a polynomial of \(\varepsilon \), i.e., \(n=poly(\varepsilon )\). The first probability is overwhelming with respect to \(\varepsilon \) [31, Lem. 1], whereas the second probability is equal to \(\frac{n!\cdot \left( {\begin{array}{c}2\cdot 2^\varepsilon 1\\ n\end{array}}\right) }{{(2\cdot 2^\varepsilon 1)}^n}\), where ! is the factorial operator and \(\left( {\begin{array}{c}2\cdot 2^\varepsilon +1\\ n\end{array}}\right) \) is the binomial coefficient. The latter probability is also overwhelming with respect to \(\varepsilon \), where \(n=poly(\varepsilon )\).
Let \(f_\mathbf{V}\) be a characteristic polynomial of matrix \(\mathbf{V}\). Because each root \(b_i\) is less than \(2^\rho \), we consider prime \(p_0\) that is larger than \(2^\rho \) and find roots x such that \(f_\mathbf{V}(x) \bmod p_0\). This reveals the original roots of \(f_\mathbf{V}\) in \(O(M(n(\rho +\log n))\cdot (\rho +\log n)\cdot \log n) = \widetilde{{\mathcal {O}}} (n\cdot \rho ^2)\) by Rabin’s algorithm [34], where M(t) is an upper bound to the number of bit operations required to multiply two tbit numbers.
Because our attack consists of a matrix multiplication, computing a characteristic polynomial and finding the roots of the polynomial, the complexity of the first two algorithms is bounded by \(\widetilde{{\mathcal {O}}} (n^{\omega }\cdot \log x_0)=\widetilde{{\mathcal {O}}} (n^{\omega }\cdot n\cdot \eta )\) and that of the last one is bounded by \(\widetilde{{\mathcal {O}}} (n\cdot \rho ^2)\) with \(\omega \le 2.38\). This implies that the overall cost is bounded by \( \widetilde{{\mathcal {O}}} (n^{\omega +1}\cdot \eta )\), with \(\omega \le 2.38\).^{3} Hence, we obtain the following result:
Theorem 1
Let \(U_\varepsilon \) be the uniform distribution in \((2^{\varepsilon }, 2^{\varepsilon })\cap {\mathbb {Z}}\). When \(\varepsilon +n+\log n+1 < \eta \), \(n=poly(\varepsilon )\), and given O(n) CRTACD samples from \({\mathcal {D}}_{U_{\varepsilon },\eta }(p_1,\ldots ,p_n)\) with \(x_0=\prod \limits _{i=1}^n p_i\), and \({\hat{P}} =\mathsf{CRT}_{(p_i)} ({\hat{p}}_i)\), One can recover all secret primes \(p_1,\ldots , p_n\) in time \( \widetilde{{\mathcal {O}}} (n^{\omega +1}\cdot \eta )\) with \(\omega \le 2.38\) and the overwhelming probability with respect to \(\varepsilon \).
3 Application to the CLT13 Multilinear Map
We first recall the CLT13 multilinear map and then describe the attack. We refer to the original paper [15] for a complete description.
3.1 Candidate Multilinear Map Over the Integers

\(\lambda \): the security parameter

\(\kappa \): the multilinearity parameter

\(\rho \): the bit length of the randomness used for the encodings

\(\alpha \): the bit length of the message slots

\(\eta \): the bit length of secret primes \(p_i\)

n: the number of distinct secret primes

\(\tau \): the number of level1 encodings of zero in public parameters

\(\ell \): the number of level0 encodings in public parameters

\(\nu \): the bit length of the image of the multilinear map

\(\beta \): the bit length of the entries of the zerotest matrix H

\(\rho =\Omega (\lambda )\): to avoid a brute force attack (see also [29] for a constant factor improvement).

\(\alpha =\lambda \): so that the ring of messages \({\mathbb {Z}}_{g_1} \times \ldots \times {\mathbb {Z}}_{g_n}\) does not contain a small subring \({\mathbb {Z}}_{g_i}\).

\(n= \Omega (\eta \cdot \lambda )\): to prevent the lattice reduction attacks [15, Sec. 5].

\(\ell \ge n\cdot \alpha +2\lambda \): to be able to apply the leftover hash lemma from [15, Lem. 1].

\(\tau \ge n\cdot (\rho + \log _2(2n))+2\lambda \): to apply the leftover hash lemma from [15, Sec. 4].

\(\beta =\Omega (\lambda )\): to avoid the socalled gcd attack [29].

\(\eta \ge \rho _{\kappa } + \alpha +2\beta + \lambda +8\), where \(\rho _{\kappa }\) is the maximum bit size of the level\(\kappa \) encoding of random \(r_i\). When computing the product of \(\kappa \) level1 encodings and an additional level0 encoding, one obtains \(\rho _{\kappa } = \kappa \cdot (2\alpha +2\rho +\lambda +2\log _2n+2)+\rho +\log _2\ell +1\).

\(\nu =\eta \beta \rho _f \lambda 3\): to ensure the zerotest correctness.
Sampling levelzero encodings \(c \leftarrow \mathsf{samp(params)}\). For \(1 \le j \le \ell \), sample \(b_j\) \(\leftarrow \) \(\lbrace 0,1 \rbrace \) and compute \(c=\left[ \sum _{j=1}^{\ell }b_j \cdot x'_j\right] _{x_0}\). Note that the message of an encoding sampled from this procedure is unknown.
Encodings at level1 \(c' \leftarrow \mathsf{enc(params}, c)\). Given a levelzero encoding c, compute a level1 encoding of the same message by computing \(c'=[c\cdot y]_{x_0}\).
Rerandomizing level1 encodings \(c^\prime \leftarrow \mathsf{reRand(params}, c)\). For \(j \in [\tau ], i \in [n]\), sample \(b_j\) \(\leftarrow \) \(\lbrace 0,1 \rbrace \), \(b'_i\) \(\leftarrow \) \([0, 2^{\mu })\cap \mathbb {Z}\), with \(\mu = \rho + \alpha + \lambda \). Return \(c'=\big [c+\sum _{j \in [\tau ]} b_j \cdot x_j+\sum _{i \in [n]} b'_i \cdot \Pi _i\big ]_{x_0}\). Note that this is the only procedure in the CLT13 scheme that uses \(x_j\)’s.^{5}
Adding and multiplying encodings Add(\(c_1\), \(c_2\))=\([c_1 + c_2 ]_{x_0}\) and Mul(\(c_1\), \(c_2\))=\([c_1\cdot c_2]_{x_0}\).
Zerotesting \(\mathsf{isZero(params, } ~\mathbf{p}_{zt}, u_\kappa ){\mathop {=}\limits ^{?}}0/1\). Given a level\(\kappa \) encoding c, return 1 if \(\Vert [\mathbf{p}_{zt}\cdot c]_{x_0}\Vert _{\infty } < x_0\cdot 2^{\nu }\), and 0 otherwise.
Coron et al. also described a variant in which only one such zerotesting parameter, \(\mathbf{p}_{zt}\) was given rather than n of them (see [15, Se. 6]). In [26, App. B.3], Gentry, Lewko, and Waters described an asymmetric version of the construction, which we briefly recall in Sect. 4. Our attack can also be adapted to these variants.
3.2 Zeroizing Attack on CLT13
In this section, we adapt the analysis of CRTACD with an auxiliary input to the CLT13 scheme. The instances of the problem and CLT13 scheme are quite similar. The encodings of the CLT13 resemble the instances of the problem, except for secret constant z. Zerotesting parameters \((\mathbf{p}_{zt})_j\) are also similar to auxiliary input \({\hat{P}}\), except for constant \([z^{\kappa }/\mathsf{CRT}_{(p_i)}(g_i)]_{x_0}\). Therefore, we only consider the zerotesting value of the encodings of zero, such that the constant is canceled.
Consequently, we need \(\mathbf W'\) and \(\mathbf W\) to be invertible. We argue that this case has a high probability. We prove it for \(\mathbf W\). Note first that \(x'_{i1}\) and \(h'_i\) are all nonzero, with overwhelming probability (if the integers are zero, \(w_{j,k}\) is a multiple of \(p_i\), and thus, one can recover the factor via \(\gcd (x_0, w_{j,k})\)). However, matrix \(\mathbf{\Pi }\) is invertible by design [15, Fact 1].
Because our algorithm consists of computing an inverse matrix and eigenvalues, the total cost is bounded by \( \widetilde{{\mathcal {O}}} ( (n^{\omega } \log x_0)) = \widetilde{{\mathcal {O}}} ( \kappa ^{\omega +2} \lambda ^{2\omega +3})\), with \(\omega \le 2.38\).
After we know all the \(p_i\), we have \(x_j/y = r_{ij} g_i / (r_i g_i+1) \bmod p_i\). As the numerator and denominator are coprimes and very small compared to \(p_i\), they can be recovered by the rational reconstruction algorithm. Hence, we obtain \((r_{ij} g_i)\) for all j. The gcd of all the \((r_{ij}g_i)\) yields \(g_i\). Thus, we can also recover all the \(r_{ij}\) and \(r_i\). As \(x_1 = r_{i1} g_i / z \bmod p_i\) and the numerator is known, we can recover \(z \bmod p_i\) for all i. Hence, \(z \bmod x_0\). \(h_{ij}\) can then be recovered along with \(r'_{ij}\) and \(a_{ij}\).
4 Subgroup Membership, Decision Linear, and Graded External Diffie–Hellman Problems
We start by defining the SubM, DLIN, and GXDH problems associated with the CLT13 scheme. We then describe how to solve these problems in polynomial time. The attack procedure consists of two steps. First, in Sect. 4.1, we discuss how to recover \(\prod _i g_i\), which is an order of the message space. This is a common procedure for solving the SubM and DLIN problems. Next, in Sects. 4.2, 4.3 and 4.4, we present the value for solving the SubM, DLIN, and GXDH problems.
We recall primes \(\{g_i\}\) described in Sect. 3.1. Let \(G = {\mathbb {Z}}_{g_1} \times \ldots \times {\mathbb {Z}}_{g_n}\) and its subgroup \(G' = \{0\} \times {\mathbb {Z}}_{g_2}\times \ldots \times {\mathbb {Z}}_{g_n}\). We let \(\mathsf{enc}_1(m)\) denote a level1 encoding of \( m=(m_1,\ldots ,m_n) \in G\) generated by the procedure in Sect. 3.1. Then, it can be written as \(\mathsf{CRT}_{(p_i)}(\frac{r_i\cdot g_i + m_i}{z})\) for some integer \(r_i\). For integers \(L>0\), we let \(\mathsf{Rk}_j(G^{L\times L})\) denote the set of \(L\times L\) matrices over G of rank j. Here, we define rank of matrix \((m^{(u,v)})_{u,v}\in G^{L\times L}\) as the maximum of the ranks of matrices \((m_i^{(u,v)})_{u,v}\), where \(m_i^{(u,v)}\) is the ith entry of \(m^{(u,v)}\in G\). Then, the SubM and DLIN problems are defined as follows.
Definition 2
(Subgroup Membership Problem) Let \(I,\lambda \), and \(\kappa \) generate \(\mathsf{params}\), \(\mathbf{p}_{zt}\). \(\{ \mathsf{enc}_1 ( m'_i) : i \in [I] \}\), where the \( m'_i\)s are uniformly and independently sampled in strict subgroup \(G'\) of G. Given \(\mathsf{params}\), \(\mathbf{p}_{zt}\), \(\{ \mathsf{enc}_1 ( m'_i) : i \in [I] \}\), and \(\mathbf{M}=\mathsf{enc}_1( m)\), It is determined whether m is sampled uniformly in \(G'\) or G.
Definition 3
Definition 4
(Graded External DDH Problem) Given \(\lambda \) and \(\kappa \), \(\mathsf params\) and \(\mathbf{p}_{zt}\) are generated using \(\mathsf InstGen\). Given \(\mathsf params\), \(\mathbf{p}_{zt}\), and \(\mathsf{enc}_{t}(a),\mathsf{enc}_{t}(b)\) and \(\mathsf{enc}_{t}(c)\) with \(a,b\leftarrow G\) and for any integer \(t \in [\kappa ]\), the goal is to decide whether \(c=a\cdot b\) or c is uniformly and independently sampled in G.
Our main strategy to solve the three related problems in the CLT13 scheme is as follows: For a given level1 encoding \(\mathsf{enc}_1(m)= \mathsf{CRT}_{(p_i)}(r_i\cdot g_i + m_i)\) (or \(\mathsf{enc}_t(m)\) of the asymmetric multilinear map), we first suggest an approach for constructing integral matrix \(\mathbf{W}_m\in {\mathbb {Z}}^{n\times n} \), such that \(\mathbf{W}_m = \mathbf{X} \cdot \mathsf{diag}(r_1\cdot g_1+m_1,\ldots ,r_n\cdot g_n+m_n)\cdot \mathbf{R}\) for some invertible matrices \(\mathbf{X}\) and \(\mathbf{R}\in {\mathbb {Z}}^{n\times n}\). Then, by using matrix \(\mathbf{W}_m\), we construct a matrix whose determinant is related to an order of the message space, \(\prod _i g_i\). Hence, by computing the determinant of the matrix, we can solve each problem.

SubM: Given encoding \(\mathsf{enc}_1(m)\), it is determined whether \(m \leftarrow G'\) or not.

LDLIN: Given \(L\times L\) matrix of level1 encodings of \(({m}^{(i,j)})_{i,j}\), we determine whether the message matrix is of full rank or not.

GXDH: Given a \(2\times 2\) matrix of level1 encodings of \(\begin{pmatrix} c &{} a \\ b &{} 1 \\ \end{pmatrix}\), we determine whether the matrix is of full rank or not.
Remark. The important difference between the cryptanalysis of these related problems and that of the CLT13 scheme is the form of the middle matrix of \(\mathbf{W}\). The previous attack discussed in Sect. 3.2 is based on the fact that the middle matrix is diagonal. For example, in [8], the authors chose the middle matrix as a block diagonal matrix.^{6} However, the attack on the related problems in this section does not depend on it.
4.1 Computing \(\prod _i g_i\) from the CLT13 Instances
Lemma 2
(Heuristic). Let \(\pi _{ij}\) be an integer described in Sect. 3.1 for \(i,j\in [n]\) with \(n/(1+\log n)> s\) for some positive integer s. Then, \(\gcd (\prod _{i}{\pi _{i1}},\ldots , \prod _{i}{\pi _{im}})\) is (2n)smooth with probability \(\ge \zeta (s)^{1}\), where \(\zeta (\cdot )\) is the Riemann zeta function. The probability is \(\ge 0.9\) when \(s\ge 4\).
Proof
By Lemma 2, integer \(\Delta \) is (2n)smooth with probability \(>0.9\). We eliminate it by exhaustive division by all the integers, i.e., \(\le 2n\). This costs \(\widetilde{\mathcal {O}}(n\log x_0)=\widetilde{\mathcal {O}}(\kappa ^3\lambda ^5)\) bit operations. This is dominated by the cost of the operations described in Sect. 3.2, which is \(\widetilde{\mathcal {O}}(\kappa ^{\omega +2} \lambda ^{2\omega +3})\).
4.2 Solving the SubM Problem Over the CLT13
If m is uniformly sampled in G, then we expect the probability that \(m_i\) is zero for some i is at most \(n / 2^{\alpha }\), where \(\alpha \) is \(\log (g_i)\). Hence, in that case, we have \(\alpha n / 2^{\alpha }\) as an expected value of \(\log (\gcd (\det \mathbf{W}, \prod _i g_i))\). For the original setting of \(\alpha = \lambda \), this is negligible.
If m is uniformly sampled in \(G'\), then \(m_1\) is zero, and we expect the probability that the others are zero is \((n1)/2^{\alpha }\). Hence, in that case, we have \(\log (\gcd (\det \mathbf{W}, \prod _i g_i)) \approx \alpha + \alpha (nI) / 2^{\alpha }\), which is at least larger than \(\alpha 1\). Hence, this value is distinguished from the previous one.
4.3 Solving the DLIN Problem in CLT13
To distinguish between the instances of DLIN, we compute \(\det \mathbf{W}\) and check whether it is divisible by \(\prod _k g_k\). If \(\mathbf{E}\) is sampled from a fullrank matrix, the determinant of \({\mathbf{P}}_k\) is nonzero for some k. Hence, \(\det \mathbf{W}\) cannot be a multiple of \(\prod _k g_k\). In the other case, then \(\det \mathbf{P}_i = 0\) for all i. Hence, \(\det \mathbf {W}\) is a multiple of \(\prod _k g_k\) because \(\mathbf{Q}_k\) is congruent to \(\mathbf{P}_k\) in modulo \(g_k\). The total bitcomplexity of the attack is \(\widetilde{\mathcal {O}}(\kappa ^{\omega +2} \lambda ^{2\omega +3} + L^{\omega }\kappa ^{2} \lambda ^{3})\).
4.4 Solving the GXDH Problem in CLT13
5 Conclusion
This study exhibits a method to recover in polynomial time all the secret values in the CLT13 scheme with a lowlevel encoding of zero. In addition, we propose a direct algorithm to solve the problems associated with the CLT13 scheme. Consequently, several applications of the CLT13 scheme are impacted.
Because the security of the generalpurpose obfuscation schemes in the CLT13 scheme has not been yet clarified, a natural line of research is to extend the range of the attackable graded encoding schemes for the application.
In addition, as a main technique for solving the CLT13 scheme, we introduce a new problem CRTACD with an auxiliary input. Independently, solving the CRTACD problem is still an open problem. Hence, studying the relation between the two problems will also be an interesting topic.
Footnotes
 1.
For multilinear maps constructed by the candidate obfuscation schemes, assessing the hardness of these computational problems is an interesting open problem.
 2.
 3.
 4.
Matrix \(\mathbf{H}\) is generated in a specific approach. We refer to the original paper [15].
 5.
This procedure can be adapted to higher levels \(1<k\le \kappa \) by publishing the appropriate quantities in \(\mathsf{params}\).
 6.
Subsequently, it was also showed to be insecure by the extended attack of Coron et al. [13].
Notes
Acknowledgements
The authors would like to extend their gratitude to Michel Abdalla, JeanSébastien Coron, Shai Halevi, Adeline Langlois, Tancrède Lepoint, Benoît Libert, Alon Rosen, Gilles Villard, and Joe Zimmerman for constructive discussions. The authors from SNU received support from Institute for Information & communication Technology Promotion (IITP) grant funded by the Korea government (No. 2016600598, The mathematical structure of functional encryption and its analysis) and supported by the ARO and DARPA under Contract No. W911NF15C0227. The author from ENS de Lyon was supported by the ERC Starting Grant ERC2013StG335086LATTAC.
References
 1.M. Abdalla, F. Benhamouda, D. Pointcheval, Disjunctions for hash proof systems: New constructions and applications, in Advances in Cryptology—EUROCRYPT 2015 (2015), pp. 69–100Google Scholar
 2.P.V. Ananth, D. Gupta, Y. Ishai, A. Sahai, Optimizing obfuscation: Avoiding barrington’s theorem, in Proceedings of the 2014 ACM SIGSAC (2014), pp. 646–658Google Scholar
 3.N. Attrapadung, Fully secure and succinct attribute based encryption for circuits from multilinear maps. IACR Cryptology ePrint Archive (2014)Google Scholar
 4.S. Badrinarayanan, E. Miles, A. Sahai, M. Zhandry, Postzeroizing obfuscation: New mathematical tools, and the case of evasive circuits, in Advances in Cryptology—EUROCRYPT 2016 (2016), pp. 764–791Google Scholar
 5.F. Benhamouda, D. Pointcheval, Verifierbased passwordauthenticated key exchange: New models and constructions. IACR Cryptol. ePrint Arch. 2013, 833 (2013)Google Scholar
 6.D. Boneh, K. Lewi, H.W. Montgomery, A. Raghunathan, Key homomorphic prfs and their applications, in Advances in Cryptology—CRYPTO 2013 (2013), pp. 410–428Google Scholar
 7.D. Boneh, A. Silverberg, Applications of multilinear forms to cryptography. Contemp. Math. Am. Math. Soc. 324, 71–90 (2003)MathSciNetCrossRefGoogle Scholar
 8.D. Boneh, D.J. Wu, J. Zimmerman, Immunizing multilinear maps against zeroizing attacks. IACR Cryptology ePrint Archive (2014)Google Scholar
 9.J.H. Cheon, J. Coron, J. Kim, M.S. Lee, T. Lepoint, M. Tibouchi, A. Yun, Batch fully homomorphic encryption over the integers, in Advances in Cryptology—EUROCRYPT 2013 (2013), pp. 315–335Google Scholar
 10.J.H. Cheon, P. Fouque, C. Lee, B. Minaud, H. Ryu, Cryptanalysis of the new CLT multilinear map over the integers, in Advances in Cryptology—EUROCRYPT 2016 (2016), pp. 509–536Google Scholar
 11.J.H. Cheon, K. Han, C. Lee, H. Ryu, D. Stehlé, Cryptanalysis of the multilinear map over the integers, in Advances in Cryptology—EUROCRYPT 2015 (2015), pp. 3–12Google Scholar
 12.J.H. Cheon, D. Kim, Probability that the kgcd of products of positive integers is bfriable. J. Number Theory 168, 72–80 (2016)MathSciNetCrossRefGoogle Scholar
 13.J. Coron, C. Gentry, S. Halevi, T. Lepoint, H.K. Maji, E. Miles, M. Raykova, A. Sahai, M. Tibouchi, Zeroizing without lowlevel zeroes: New MMAP attacks and their limitations, in Advances in Cryptology—CRYPTO 2015 (2015), pp. 247–266Google Scholar
 14.J. Coron, M.S. Lee, T. Lepoint, M. Tibouchi, Zeroizing attacks on indistinguishability obfuscation over CLT13, in PublicKey Cryptography—PKC 2017 (2017), pp. 41–58Google Scholar
 15.J. Coron, T. Lepoint, M. Tibouchi, Practical multilinear maps over the integers, in Advances in Cryptology—CRYPTO 2013 (2013), pp. 476–493Google Scholar
 16.J. Coron, T. Lepoint, M. Tibouchi, Cryptanalysis of two candidate fixes of multilinear maps over the integers. IACR Cryptol. ePrint Arch. 2014, 975 (2014)Google Scholar
 17.J. Coron, T. Lepoint, M. Tibouchi, New multilinear maps over the integers, in Advances in Cryptology—CRYPTO 2015 (2015), pp. 267–286Google Scholar
 18.R. Fernando, P.M.R. Rasmussen, A. Sahai, Preventing CLT attacks on obfuscation with linear overhead, in Advances in Cryptology—ASIACRYPT 2017 (2017), pp. 242–271Google Scholar
 19.S.D. Galbraith, S.W. Gebregiyorgis, S. Murphy, Algorithms for the approximate common divisor problem. LMS J. Comput. Math. 19(A), 58–72 (2016)MathSciNetCrossRefGoogle Scholar
 20.S. Garg, C. Gentry, S. Halevi, Candidate multilinear maps from ideal lattices. in Advances in Cryptology—EUROCRYPT 2013 (2013), pp. 1–17Google Scholar
 21.S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters, Candidate indistinguishability obfuscation and functional encryption for all circuits, in IEEE Symposium on Foundations of Computer Science, FOCS (2013), pp. 40–49Google Scholar
 22.S. Garg, C. Gentry, S. Halevi, M. Zhandry, Fully secure attribute based encryption from multilinear maps. IACR Cryptology ePrint Archive (2014)Google Scholar
 23.S. Garg, C. Gentry, S. Halevi, M. Zhandry, Fully secure functional encryption without obfuscation. IACR Cryptology ePrint Archive (2014)Google Scholar
 24.S. Garg, C. Gentry, S. Halevi, M. Zhandry. Functional encryption without obfuscation, in Theory of Cryptography—13th International Conference, TCC 2016A (2016), pp. 480–511Google Scholar
 25.C. Gentry, A.B. Lewko, A. Sahai, B. Waters. Indistinguishability obfuscation from the multilinear subgroup elimination assumption. in Proceedings of FOCS 2015 (2015), pp. 151–170Google Scholar
 26.C. Gentry, A.B. Lewko, B. Waters, Witness encryption from instance independent assumptions, in Advances in Cryptology—CRYPTO 2014 (2014), pp. 426–443Google Scholar
 27.N. HowgraveGraham, Approximate integer common divisors, in Cryptography and Lattices, International Conference, CaLC 2001, Providence, RI, USA, March 29–30, 2001, Revised Papers (2001), pp. 51–66Google Scholar
 28.Y. Hu, H. Jia, Cryptanalysis of GGH map, in Advances in Cryptology—EUROCRYPT 2016 (2016), pp. 537–565Google Scholar
 29.H.T. Lee, J.H. Seo, Security analysis of multilinear maps over the integers, in Advances in Cryptology—CRYPTO 2014 (2014), pp. 224–240Google Scholar
 30.K. Lewi, H.W. Montgomery, A. Raghunathan, Improved constructions of prfs secure against relatedkey attacks, in Applied Cryptography and Network Security (2014), pp. 44–61Google Scholar
 31.G. Martin, E.B. Wong, Almost all integer matrices have no integer eigenvalues. Am. Math. Mon. 116(7), 588–597 (2009)MathSciNetCrossRefGoogle Scholar
 32.E. Miles, A. Sahai, M. Weiss, Protecting obfuscation against arithmetic attacks. IACR Cryptol. ePrint Arch., 2014, 878 (2014)Google Scholar
 33.R. Pass, K. Seth, S. Telang, Indistinguishability obfuscation from semanticallysecure multilinear encodings, in Advances in Cryptology—CRYPTO 2014 (2014), pp. 500–517Google Scholar
 34.M.O. Rabin, Probabilistic algorithms in finite fields. SIAM J. Comput. 9(2), 273–280 (1980)MathSciNetCrossRefGoogle Scholar
 35.M. van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan, Fully homomorphic encryption over the integers, in Advances in Cryptology—EUROCRYPT 2010 (2010), pp. 24–43Google Scholar
 36.M. Zhandry, Adaptively secure broadcast encryption with small system parameters. IACR Cryptology ePrint Archive (2014)Google Scholar
 37.J. Zimmerman, How to obfuscate programs directly, in Advances in Cryptology—EUROCRYPT 2015 (2015), pp. 439–467Google Scholar
Copyright information
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.