1 Introduction

Constructing a general-purpose program obfuscation has long been a coveted open problem [8, 9], in spite of its fruitful applications. At FOCS 2013, Garg et al. suggested the first plausible candidate general-purpose indistinguishability obfuscation (GGHRSW) [23], using the branching program (BP) representation of functions [10]. This first candidate iO ignited various subsequent studies [3, 5,6,7, 15, 24, 30, 32, 34] on obfuscation, all of which rest on cryptographic multilinear maps.

To date, there are three plausible candidates for multilinear maps: the first is due to Garg, Gentry, and Halevi [22] (GGH13), the second to Coron, Lepoint, and Tibouchi [19], and the last to Gentry, Gorbunov, and Halevi [25]. The security of the three candidates is not well understood, although some works [3, 7, 15, 30, 34] claim security in an idealized model, the so-called generic multilinear map model.

Recently, several works have tried to close this gap [6, 24, 29]. In particular, Garg et al. proved the security of a slightly modified version of the first candidate iO construction (GMMSSZ) in the weak multilinear map model of GGH13, which captures all existing polynomial time attacks on BP obfuscations over the GGH13 multilinear map [24]. Despite the provable security in these models, the practical security of obfuscations over GGH13 remains doubtful.

Direct Attack on GGH13. As a direct method of analyzing obfuscations over GGH13, one may consider attacks on the GGH13 encoding scheme itself. The underlying hardness problems of GGH13 are the (overstretched) NTRU problem and the short generator of a principal ideal problem (SPIP).

The subfield attacks, proposed independently by Albrecht et al. and Cheon et al. [1, 18], are the most notable algorithms for solving the NTRU problem. They show that the underlying NTRU problem of a GGH13-based obfuscation is solved in polynomial time whenever the multilinear level \(\kappa \) is larger than the security parameter \(\lambda \). Combined with the algorithms for SPIP [12,13,14, 20], GGH13 is broken in classical subexponential time in the security parameter \(\lambda \) for the instantiations in [2, 27], or in quantum polynomial time. This shows that the parameters of GGH13 should be set so as to defeat either the algorithms for NTRU or those for SPIP.

Attacks on BP Obfuscations over GGH13. Several cryptanalyses of BP obfuscations over the GGH13 multilinear map have also been suggested. The annihilation attack introduced by Miles et al. [31] showed that some constructions of single/dual input BP obfuscations [3, 6, 7, 30] do not have the desired security when they are used for general-purpose obfuscation and implemented with GGH13. The authors presented a very simple example of BPs that are threatened by annihilation attacks. Soon after, Apon et al. [4] extended the range of annihilation attacks to BPs generated by Barrington’s theorem [10], the fundamental method for transforming \(\mathcal {NC}^1\) circuits into bounded width BPs.

Chen et al. [16] presented another attack on BP obfuscation over the GGH13 multilinear map. They showed that there exist two functionally equivalent programs with a special property, called input-partitionable, whose GGHRSW obfuscations can be efficiently distinguished.

Limitations of Previous Works. Despite the diverse attacks on BP obfuscations over the GGH13 multilinear map, GGHRSW remains secure against all known PPT attacks when it only takes input-unpartitionable BPs as input, such as BPs generated by Barrington’s theorem. Meanwhile, there is no known polynomial time attack on multi-input branching program obfuscations, including GMMSSZ. We also remark that the direct approach [1], with the current best algorithm for SPIP [13, 20], runs in classical exponential time with respect to the security parameter \(\lambda \) when the dimension n of the base number field satisfies \(n=\varOmega (\lambda ^2)\).

Our Contribution. We present distinguishing attacks on candidate BP iO over the GGH13 multilinear map, based on the algorithm for the NTRU problem. With two novel techniques, program converting and the matrix zeroizing attack, we show that existing general-purpose BP obfuscations cannot achieve the desired security when they use GGH13 with the parameters proposed in [2, 22, 27]. In other words, there are two functionally equivalent BPs of the same length whose obfuscations under any existing BP obfuscation over GGH13 can be distinguished in polynomial time for the suggested parameters.

Our attack applies to a wider range of obfuscations and BPs than the previous attacks. In particular, we show that multi-input BP obfuscations such as the GMMSSZ construction are insecure in the NTRU-solvable parameter regime. Further, we show that the first candidate indistinguishability obfuscation GGHRSW over GGH13 with the current parameters also fails to achieve the desired security even if it only obfuscates input-unpartitionable BPs, including branching programs generated by Barrington’s theorem. Although our attack exploits a new property of BPs called linear relational inequivalence, we show that various pairs of BPs satisfy this property.

As a result, we show that BP obfuscations based on the GGH13 multilinear map with the suggested parameters are broken using only the algorithm for NTRU. Therefore, the underlying lattice dimension n of GGH13 should be set to \(n=\tilde{\varTheta }(\kappa ^2 \lambda )\) to maintain \(2^\lambda \) security of the obfuscation schemes. This implies that iO based on GGH13 is even less efficient than the previous results [1, 28] indicated.

1.1 Technical Overview

Here we briefly show how our attack is applied to simplified GGHRSW.

Simplified GGHRSW Obfuscation. Let \(P=\{ \varvec{M}_{i,b}\in {\mathbb {Z}}^{d\times d} \}_{b\in \{0,1\},1\le i\le \ell }\) be a set of matrices corresponding to a single input BP such that

$$\begin{aligned} P({\varvec{x}}):= {\left\{ \begin{array}{ll} 0&{}\text {if }{\mathop {\prod }\nolimits _{i=1}^\ell } \varvec{M}_{i,x_i}=\varvec{I}_d\\ 1&{}\text {if }{\mathop {\prod }\nolimits _{i=1}^\ell } \varvec{M}_{i,x_i}\ne \varvec{I}_d, \end{array}\right. } \end{aligned}$$

where \(x_i\) is the i-th bit of \(\varvec{x}\). The obfuscator randomizes the given BP over several steps.

  1. Sample random and independent scalars \(\{\alpha _{i,b},\alpha '_{i,b}\}_{b\in \{0,1\},1\le i\le \ell }\) such that \(\prod _{i=1}^\ell \alpha _{i,x_i } = \prod _{i=1}^\ell \alpha '_{i,x_i}\) for all \(\varvec{x} \in \{0,1\}^\ell \).

  2. Sample bookend vectors \(\{\varvec{s},\varvec{t},\varvec{s}',\varvec{t}'\}\) such that \(\varvec{s}\cdot \varvec{t}= \varvec{s}'\cdot \varvec{t}'\).

  3. Sample invertible matrices \(\{\varvec{K}_i,\varvec{K}_i' \in {\mathbb {Z}}^{d \times d}\}_{0\le i \le \ell }\) and set

    $$\begin{aligned} \begin{array}{ll} \varvec{R}_0 = \varvec{s} \cdot \varvec{{K}}^{-1}_0, &{} \quad \varvec{R}'_0 = \varvec{s}' \cdot \varvec{K}'^{-1}_0\\ \varvec{R}_{i, b} = \alpha _{i,b}\cdot \varvec{K}_{i-1} \cdot \varvec{M}_{i, b} \cdot \varvec{K}^{-1}_{i},&{} \quad \varvec{R}'_{i, b} = \alpha '_{i, b}\cdot \varvec{K}'_{i-1} \cdot \varvec{I}_{d} \cdot \varvec{K}'^{-1}_{i}\\ \varvec{R}_{\ell +1} = \varvec{K}_{\ell } \cdot \varvec{t},&{}\quad \varvec{R}'_{\ell +1} = \varvec{K}'_{\ell } \cdot \varvec{t}'. \end{array} \end{aligned}$$

For the sake of simplicity, we write \(\varvec{R}_{0,b}\), \(\varvec{R}_{\ell +1,b}\), \(\varvec{R}'_{0,b}\), and \(\varvec{R}'_{\ell +1,b}\) to denote \(\varvec{R}_0\), \(\varvec{R}_{\ell +1}\), \(\varvec{R}'_0\), and \(\varvec{R}'_{\ell +1}\), respectively. The randomized BP then preserves the functionality of P under the following evaluation, where \(x_0 ,x_{\ell +1}\) are set to 0.

$$\begin{aligned} P({\varvec{x}})= {\left\{ \begin{array}{ll} 0&{}\text {if } {\mathop {\prod }\nolimits _{i=0}^{\ell +1}} \varvec{R}_{i,x_i}-{\mathop {\prod }\nolimits _{i=0}^{\ell +1}} \varvec{R}'_{i,x_i}=0\\ 1&{}\text {if } {\mathop {\prod }\nolimits _{i=0}^{\ell +1}} \varvec{R}_{i,x_i}-{\mathop {\prod }\nolimits _{i=0}^{\ell +1}} \varvec{R}'_{i,x_i}\ne 0. \end{array}\right. } \end{aligned}$$

As a final step, each entry of \(\varvec{R}_i\) and \(\varvec{R}'_i\) is encoded through the GGH13 multilinear map. Let \(\mathcal {R}={\mathbb {Z}}[X]/\langle X^n+1\rangle \). The plaintext space and the encoding space of the GGH13 multilinear map are \(\mathcal R_{\varvec{g}}=\mathcal R/\langle \varvec{g} \rangle \) for some small element \(\varvec{g}\in \mathcal R\) and \(\mathcal R_q=\mathcal R/\langle q \rangle \) for some large integer \(q\in {\mathbb {Z}}\), respectively. The GGH13 multilinear map also samples a random invertible element \(\varvec{z}\in \mathcal R_q\). The encoding of m is then of the form \(\mathsf{enc}(m) = [({\varvec{r}\cdot \varvec{g} + m})/{\varvec{z}}]_q\) for some small random element \(\varvec{r}\in \mathcal R\). Since \(\varvec{g}\) and \(\varvec{r}\) are small, the numerator is much smaller than q. We write \(\mathsf{enc}(\varvec{R}_{i,b})\) for the matrix whose entries are the encodings of the entries of \(\varvec{R}_{i,b}\).

Then, in the case of \(P(\varvec{x})=0\), evaluation of the encoded BP over input \(\varvec{x}\) can be computed as follows:

$$\begin{aligned} \prod _{i=0}^{\ell +1} \mathsf{enc}(\varvec{R}_{i,x_i})-\prod _{i=0}^{\ell +1} \mathsf{enc}(\varvec{R}'_{i,x_i})=\left[ \frac{\varvec{e}\cdot \varvec{g}}{\varvec{z}^{\ell +2}}\right] _q \end{aligned}$$

where \(\varvec{e}\) is a small noise element of \(\mathcal R\). If the encoded BP is instead evaluated on an input \(\varvec{x}\) with \(P(\varvec{x})=1\), the numerator of the evaluated value is not a multiple of \(\varvec{g}\).

To check whether the numerator of the evaluated value of the encoded BP is zero or not, the GGH13 multilinear map provides a zerotesting parameter \(\varvec{p}_{zt}= [(\varvec{h}\cdot \varvec{z}^{\ell +2})/\varvec{g}]_q\) for some element \(\varvec{h}\in \mathcal R\) of size \(\approx \sqrt{q}\). More precisely, if the numerator is a multiple of \(\varvec{g}\), the product of \(\varvec{p}_{zt}\) and the evaluated value is of the form \(\varvec{h}\cdot \varvec{r}'\), whose size is much smaller than q; otherwise it is a large value. Hence, by employing \(\varvec{p}_{zt}\), one can publicly test whether the plaintext of an encoding is zero or not, and the encoded BP has the same functionality as the original BP.

In summary, the GGHRSW obfuscator outputs the following set as an obfuscated BP.

$$\{ \mathsf{enc}(\varvec{R}_{i,b}), \mathsf{enc}(\varvec{R}'_{i,b}), {\varvec{p}}_{zt}\}$$

Goal of Cryptanalysis on Simplified GGHRSW Obfuscation. The simplified GGHRSW obfuscation given above is called indistinguishability obfuscation if the following statement holds: For every two BPs \(P^0 = \{ \varvec{M}^0_{i,b}\}\), and \(P^1 = \{ \varvec{M}^1_{i,b}\}\) with the same size and the same functionality and randomly chosen \(c \in \{0,1\}\), any PPT adversary cannot recover c from the given obfuscated program \(\{\mathsf{enc}(\varvec{R}^c_{i,b}), \mathsf{enc}(\varvec{R}'^c_{i,b}), {\varvec{p}}_{zt} \}\).

In other words, the purpose of our cryptanalysis is to recover c, given suitable \(P^0,P^1\) and the obfuscation of \(P^c\).

Program Converting Technique. In the first step, we remove the modulus q using the algorithm for NTRU. The (1, 1) and (1, 2) components of the \(\mathsf{enc}(\varvec{R}_{1,1})\) are of the form \([(\varvec{r}_{1,1}\cdot \varvec{g}+ m_{1,1})/\varvec{z}]_q\) and \([(\varvec{r}_{1,2}\cdot \varvec{g}+ m_{1,2})/\varvec{z}]_q\), respectively. The ratio \([(\varvec{r}_{1,1}\cdot \varvec{g}+ m_{1,1})/(\varvec{r}_{1,2}\cdot \varvec{g}+ m_{1,2})]_q\) of two encodings can be understood as an instance of the NTRU problem.

By solving the NTRU problem, we can obtain multiples of the denominator and numerator

$$\varvec{\beta }\cdot (\varvec{r}_{1,1}\cdot \varvec{g}+ m_{1,1},\varvec{r}_{1,2}\cdot \varvec{g}+ m_{1,2})\in \mathcal {R}^2$$

for some small element \(\varvec{\beta }\in \mathcal R\). Further, dividing \(\varvec{\beta }\cdot (\varvec{r}_{1,1}\cdot \varvec{g}+ m_{1,1})\) by \([(\varvec{r}_{1,1}\cdot \varvec{g}+ m_{1,1})/\varvec{z}]_q\), we can compute \([\varvec{\beta }\cdot \varvec{z}]_q\). By multiplying all entries of \(\mathsf{enc}(\varvec{R}_ {i, b})\) and \(\mathsf{enc}(\varvec{R}'_ {i, b})\) by this value, we replace \(1/\varvec{z}\) with the small element \(\varvec{\beta }\). The obtained entries are of the form \(\varvec{\beta }\cdot (\varvec{r}_{j,k} \cdot \varvec{g} + m_{j,k})\), which, due to their small size, can be regarded as elements of \(\mathcal R\) rather than \(\mathcal R_q\). We denote these new BP matrices with entries in \(\mathcal {R}\) by \(\{\varvec{D}_{i,b}\}\) and \(\{\varvec{D}'_{i,b}\}\), respectively.

Next we consider an input \(\varvec{x}\) such that \(P(\varvec{x})=0\). The corresponding computation on the matrices \(\varvec{R}\) is zero, so the following equation holds over \(\mathcal {R}\) for such an input.

$$\prod _{i=0}^{\ell +1} {\varvec{D}}_{i,x_i}-\prod _{i=0}^{\ell +1} {\varvec{D}}'_{i,x_i}={\varvec{e}\cdot \varvec{g}}\cdot {\varvec{\beta }^{\ell +2}}$$

Hence, the term is a multiple of \(\varvec{g}\). Applying the same procedure to other zeros of P, one can recover several multiples of \(\varvec{g}\), and then a basis of the ideal \(\langle \varvec{g} \rangle \) using lattice algorithms.

Then we can carry out a plaintext-like computation using the above results. More precisely, the following equations hold.

$$\begin{aligned} Eval_{ {\varvec{D}}}(\varvec{x}):= & {} \prod _{i=0}^{\ell +1} {\varvec{D}}_{i,x_i}=\prod _{i=0}^{\ell +1} \alpha _{i,x_i}\cdot \varvec{s}\cdot \prod _{i=1}^\ell \varvec{M}^c_{i,x_i} \cdot \varvec{t} \pmod {\varvec{g}}\\ Eval'_{ {\varvec{D}}}(\varvec{x}):= & {} \prod _{i=0}^{\ell +1} {\varvec{D}}'_{i,x_i}=\prod _{i=0}^{\ell +1} \alpha '_{i,x_i}\cdot \varvec{s}'\cdot \prod _{i=1}^\ell \varvec{I}_d \cdot \varvec{t}'\pmod {\varvec{g}} \end{aligned}$$

Removing Scalars. In the above step, we removed the modulus q using the solutions of the NTRU problem and obtained the matrices \(\{\varvec{D}_{i,b}, \varvec{D}'_{i,b}\}\) and a basis of the ideal \(\langle \varvec{g} \rangle \). We now remove the effect of the scalars \(\varvec{\alpha }\). \(Eval_{{\varvec{D}}}(\varvec{x})\) and \(Eval'_{{\varvec{D}}}(\varvec{x})\) share the same scalar \(\prod _{i=0}^{\ell +1} \alpha _{i,x_i } = \prod _{i=0}^{\ell +1} \alpha '_{i,x_i }\) by definition. Thus, we can compute

$$Eval_{ {\varvec{D}}}(\varvec{x})/Eval'_{ {\varvec{D}}}(\varvec{x})= 1/(\varvec{s}' \cdot \varvec{t}') \cdot \left( \varvec{s}\cdot \prod _{i=1}^\ell \varvec{M}^c_{i,x_i} \cdot \varvec{t} \right) \pmod {\varvec{g}}.$$

We note that these values \(Eval_{ {\varvec{D}}}(\varvec{x})/Eval'_{ {\varvec{D}}}(\varvec{x})\) all share the same scalar \(1/(\varvec{s}'\cdot \varvec{t}') \pmod {\varvec{g}}\).

Matrix Zeroizing Attack. At last we introduce the matrix zeroizing attack. We denote \(Eval_{\varvec{M}^0}(\varvec{x})\) and \(\widetilde{Eval}_{\varvec{D}}(\varvec{x})\) as \(\prod _{i=1}^\ell \varvec{M}^0_{i, x_i}\) and \(Eval_{ {\varvec{D}}}(\varvec{x})/Eval'_{ {\varvec{D}}}(\varvec{x})\), respectively.

Then, for several \(Eval_{\varvec{M}^0}(\varvec{x}_j) \), \(1\le j\le \tau \), we can find a vector \(\varvec{q}=(q_1,\cdots , q_\tau )\) such that \(\sum _{j=1}^\tau q_j \cdot Eval_{\varvec{M}^0}(\varvec{x}_j)=\varvec{0}_d\), where \(\varvec{0}_d\) is the zero matrix. If \(c=0\), so that the obfuscated BP is derived from \(P^0\), the following equation also holds:

$$ \sum _{j=1}^\tau q_j\cdot \widetilde{Eval}_{\varvec{D}}(\varvec{x}_j)= \varvec{0}_d \pmod {\varvec{g}}$$

Otherwise, it is not zero \(\pmod {\varvec{g}}\).

As a result, we can efficiently distinguish the two obfuscated programs when we know the corresponding branching programs. We remark that the matrix zeroizing attack and the removing scalars step differ slightly for the other BP obfuscations.
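As an added example (not the paper's code), the following Python toy carries out the simplified GGHRSW randomization of steps 1-3 above and the matrix zeroizing attack over the rationals instead of modulo \(\varvec{g}\). It assumes d = 2, single-input BPs, and that the program converting and removing scalars steps have already handed the adversary \(Eval_{\varvec{D}}(\varvec{x})/Eval'_{\varvec{D}}(\varvec{x})\); the constructed pair \(P^0, P^1\) both compute equality of two input bits but are linear relationally inequivalent.

```python
from fractions import Fraction as F
from functools import reduce
import random

# Added toy instance, not code from the paper: the simplified GGHRSW randomization
# (bundling scalars, bookends, Kilian matrices) and the matrix zeroizing attack, run
# over the rationals instead of modulo g. Assumptions: d = 2, single-input BPs, and
# the program converting / scalar removing steps already done, i.e. the adversary
# holds Eval_D(x) / Eval'_D(x) exactly as in the overview.

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

identity = lambda d: [[F(int(i == j)) for j in range(d)] for i in range(d)]
prod = lambda mats: reduce(matmul, mats)          # M_1 . M_2 . ... . M_k

def inv2(K):  # adjugate inverse, d = 2 only in this toy
    (a, b), (c, e) = K
    det = a * e - b * c
    return [[e / det, -b / det], [-c / det, a / det]]

def bp_eval(P, x):
    """P = [(M_{i,0}, M_{i,1})]: output 0 iff prod_i M_{i,x_i} is the identity."""
    return 0 if prod([P[i][x[i]] for i in range(len(P))]) == identity(2) else 1

def randomize(P, rng):
    """Steps 1-3 of the simplified GGHRSW obfuscator (no GGH13 encoding); returns
    (D, D') as (R_0, [(R_{i,0}, R_{i,1})], R_{l+1}) with rational entries."""
    l, d = len(P), 2
    # Step 1: alpha' = alpha satisfies prod alpha_{i,x_i} = prod alpha'_{i,x_i} for all x
    alpha = [[F(rng.randint(2, 50)) for _ in range(2)] for _ in range(l)]
    # Step 2: bookend vectors; s' = s, t' = t trivially gives s.t = s'.t'
    s, t = ([F(rng.randint(1, 10**6)) for _ in range(d)] for _ in range(2))
    # Step 3: Kilian randomization with invertible K_i, K'_i
    def rand_inv():
        while True:
            K = [[F(rng.randint(-5, 5)) for _ in range(d)] for _ in range(d)]
            if K[0][0] * K[1][1] - K[0][1] * K[1][0] != 0:
                return K
    K, Kp = ([rand_inv() for _ in range(l + 1)] for _ in range(2))
    scale = lambda a, M: [[a * v for v in row] for row in M]
    R = [[matmul(matmul(K[i], scale(alpha[i][b], P[i][b])), inv2(K[i + 1]))
          for b in range(2)] for i in range(l)]
    Rp = [[matmul(matmul(Kp[i], scale(alpha[i][b], identity(d))), inv2(Kp[i + 1]))
           for b in range(2)] for i in range(l)]
    col = [[v] for v in t]
    return ((matmul([s], inv2(K[0])), R, matmul(K[l], col)),
            (matmul([s], inv2(Kp[0])), Rp, matmul(Kp[l], col)))

def obfuscate(P, seed):
    return randomize(P, random.Random(seed))

def eval_rand(D, x):
    """prod_{i=0}^{l+1} D_{i,x_i}: a scalar because the bookends are vectors."""
    R0, R, Rl = D
    return prod([R0] + [R[i][x[i]] for i in range(len(R))] + [Rl])[0][0]

def nullspace(columns):
    """Basis of {q : sum_j q_j * columns[j] = 0}, by Gauss-Jordan over Q."""
    tau, m = len(columns), len(columns[0])
    A = [[columns[j][r] for j in range(tau)] for r in range(m)]
    pivots, row = [], 0
    for c in range(tau):
        piv = next((r for r in range(row, m) if A[r][c] != 0), None)
        if piv is None: continue
        A[row], A[piv] = A[piv], A[row]
        A[row] = [v / A[row][c] for v in A[row]]
        for r in range(m):
            if r != row:
                A[r] = [a - A[r][c] * b for a, b in zip(A[r], A[row])]
        pivots.append(c)
        row += 1
    basis = []
    for free in [c for c in range(tau) if c not in pivots]:
        q = [F(0)] * tau
        q[free] = F(1)
        for r, pc in enumerate(pivots):
            q[pc] = -A[r][free]
        basis.append(q)
    return basis

def distinguish(P0, P1, inputs, D, Dp):
    """Matrix zeroizing attack: guess c given an obfuscation (D, D') of P^c."""
    flat = lambda M: [v for row in M for v in row]
    prods = lambda P: [flat(prod([P[i][x[i]] for i in range(len(P))])) for x in inputs]
    cols0, cols1 = prods(P0), prods(P1)
    # a relation among the P^0 products that fails for the P^1 products (linear
    # relational inequivalence); the adversary knows both programs
    q = next(q for q in nullspace(cols0)
             if any(sum(qj * c[k] for qj, c in zip(q, cols1)) != 0 for k in range(len(cols1[0]))))
    # sum_j q_j Eval_D(x_j)/Eval'_D(x_j) = s.(sum_j q_j prod M^c).t / (s'.t'): exactly 0
    # when c = 0, and nonzero for c = 1 unless the bookend vectors are unlucky
    total = sum(qj * eval_rand(D, x) / eval_rand(Dp, x) for qj, x in zip(q, inputs))
    return 0 if total == 0 else 1

# Constructed pair: both output 0 iff x_1 = x_2 (A . A^{-1} = I); the Cayley-Hamilton
# relation A - tr(A) I + det(A) A^{-1} = 0 holds for A but fails for B (different trace).
def equality_bp(A, Ainv):
    return [(identity(2), A), (identity(2), Ainv)]

P0 = equality_bp([[F(1), F(1)], [F(0), F(1)]], [[F(1), F(-1)], [F(0), F(1)]])   # A
P1 = equality_bp([[F(2), F(1)], [F(1), F(1)]], [[F(1), F(-1)], [F(-1), F(2)]])  # B
INPUTS = [(0, 0), (0, 1), (1, 0), (1, 1)]
```

Calling `distinguish(P0, P1, INPUTS, *obfuscate(P, seed))` returns 0 for P = P0 and 1 for P = P1, regardless of the bundling scalars and Kilian matrices, which cancel in the ratio.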

Organization. In Sect. 2, we introduce indistinguishability obfuscation, matrix branching programs and the GGH13 multilinear map. In Sect. 3, we state the main results of our cryptanalyses of BP obfuscations over the GGH13 multilinear map. We describe the attackable BP obfuscation model over GGH13 in Sect. 4. In addition, we present the algorithm called the program converting technique in Sect. 5. Finally, we propose the matrix zeroizing attack in Sect. 6.

2 Preliminaries

Notations. The set \(\{1,\cdots ,n \}\) is denoted by [n] for a positive integer n. The set of integers modulo p is denoted by \({\mathbb {Z}}_p:={\mathbb {Z}}/p{\mathbb {Z}}\). All elements in \({\mathbb {Z}}_p\) are considered as integers in \((-p/2,p/2]\). We use bold letters to denote matrices, vectors and ring elements. For \(\varvec{a} = a_{0} + \cdots +a_{n-1} \cdot X^{n-1} \in \mathcal {R}= {\mathbb {Z}}[X]/\langle X^n +1 \rangle \), the size of \(\varvec{a}\) means the Euclidean norm of the coefficient vector \(( a_ 0,\cdots , a_{n-1})\). We denote the (j, k)-th entry of a matrix \(\varvec{M}\) by \(\varvec{M}[j,k]\).

2.1 Matrix Branching Program

A branching program consists of several chains of matrices together with input functions that select input bits by index. To evaluate a matrix branching program, we multiply all the selected matrices and output 0 or 1 depending on whether the product equals a given matrix or not. We briefly review matrix branching programs.

Definition 1

(w-ary Matrix Branching Programs). Let \(\varvec{A}_0\) be a \(d_1 \times d_{\ell +1}\) matrix and w, \(\ell \), d, and N be natural numbers. A w-ary matrix branching program BP of length \(\ell \) over N-bit inputs consists of the following data: a set of input functions \(\{\mathsf{inp}_\mu :[\ell ]\rightarrow [N]\}_{\mu \in [w]}\) and a set of matrices \(\{\varvec{M}_{i,\varvec{b}} \in {\mathbb {Z}}^{d_i \times d_{i+1}} \}_{i\in [\ell ], \varvec{b}\in \{0,1\}^w}\). Its evaluation domain is \(\{0,1\}^N\), and the evaluation of BP at \( {\varvec{x}} = ( x^\mu )_{\mu \in [w]}\) is computed by

$$ BP( {\varvec{x}})=BP_{(\mathsf{inp}_\mu )_{\mu \in [w]},\varvec{M}} (\varvec{x})= {\left\{ \begin{array}{ll} 0&{}\text {if }{\mathop {\prod }\nolimits _{i=1}^\ell } \varvec{M}_{i,(x^\mu _{\mathsf{inp}_\mu (i)})_{\mu \in [w]}}=\varvec{A}_0\\ 1 &{} \text {if } {\mathop {\prod }\nolimits _{i=1}^\ell } \varvec{M}_{i,(x^\mu _{\mathsf{inp}_\mu (i)})_{\mu \in [w]}}\ne \varvec{A}_0 \end{array}\right. }. $$

When w is set to 1 and \(\ge 2\), the matrix branching program is called a single-input and a multi-input matrix branching program, respectively. Throughout this paper, a matrix \(\varvec{A}_0\) is used as the zero matrix \(\varvec{0}\) or the identity matrix \(\varvec{I}_d\) if \(d_i = d\) for all i. Moreover, we simplify the notation \((x^\mu _{\mathsf{inp}_\mu (i)})_{\mu \in [w]}\) as \(\varvec{x}_{\mathsf{inp}(i)}\).

Barrington proved all boolean functions can be expressed in the form of matrix branching program with bounded width [10]. The first candidate for iO [23] and following obfuscations [7, 15, 30, 32] exploit Barrington’s theorem to transform circuits into BPs.

We also note that there are other methods to convert circuits into branching programs. Ben-Or and Cleve proved a result similar to Barrington’s theorem for arithmetic circuits [11]. Follow-up studies such as [3, 6] suggest more efficient transformations. Their methods bypass Barrington’s theorem and turn a circuit into a branching program directly. However, they still preserve the length of the program; in other words, the length of the branching program is equal to or larger than the size of the circuit (the number of gates).

We assume a mild condition on the branching programs: the length of the branching program is \(\varOmega (N)\) for the number of input bits N. This is plausible since all input bits may affect the program, and the existing methods give much longer lengths. On the other hand, we do not restrict the width or the properties of the matrices in branching programs, nor the input function (such as single or dual input).

2.2 Indistinguishability Obfuscation

Definition 2

(Indistinguishability Obfuscation (iO)). A PPT algorithm iO is an indistinguishability obfuscation for a circuit class \(\mathcal C\) if the following conditions are satisfied:

  • For all security parameters \(\lambda \in \mathbb N\), for all circuits \(C\in \mathcal C\), for all inputs \(\varvec{x}\), the following probability holds:

    $$\Pr \left[ C'({\varvec{x}})= C({\varvec{x}}) : C' \leftarrow iO(\lambda ,C)\right] =1.$$
  • For any PPT distinguisher \(\mathcal D\), there exists a negligible function \(\alpha \) satisfying the following statement: For all security parameters \(\lambda \in \mathbb N\) and all pairs of circuits \(C_0\), \(C_1\in \mathcal C\), \(C_0(\varvec{x})=C_1(\varvec{x})\) for all inputs \(\varvec{x}\) implies

    $$|\Pr \left[ D(iO(\lambda , C_0))=1\right] - \Pr \left[ D(iO(\lambda , C_1))=1\right] | \le \alpha (\lambda ).$$

Hereafter, we call iO(P) an obfuscated program, or the obfuscation of a program or branching program P.

2.3 GGH13 Multilinear Map

Garg et al. suggested a candidate multilinear map based on ideal lattices [22]. It is used to realize indistinguishability obfuscation [23]. In this section, we briefly describe the GGH13 multilinear map; for more details, we refer readers to [22]. All parameters of the multilinear map are determined by the multilinearity parameter \(\kappa \) and the security parameter \(\lambda \). For the sake of simplicity, we call a multilinear map with these parameters a \((\kappa ,\lambda )\)-GGH multilinear map.

A multilinear map is sometimes called a graded encoding scheme, i.e., every encoding of a message carries a corresponding level. Let \(\varvec{g}\) be a secret element in \(\mathcal {R}={\mathbb {Z}}[X]/\langle X^n+1\rangle \) and q a large integer. Then the message space and the encoding space are \(\mathcal {M}=\mathcal {R}/\langle \varvec{g} \rangle \) and \(\mathcal {R}_q= \mathcal {R}/\langle q \rangle \), respectively. To represent the level of an encoding, a set of secret invertible elements \(\mathbb L = \{ \varvec{z}_i \}_{1\le i \le \kappa } \subset \mathcal {R}_q\) is chosen. We call a subset of \(\mathbb L\) a level set and the elements of \(\mathbb L\) level parameters.

For a small message \(\varvec{m}\in \mathcal {M}\), level-\(L (\subset \mathbb L)\) encoding of \(\varvec{m}\) is:

$$ \mathsf{enc}_{L}(\varvec{m})= \left[ \frac{\varvec{r}\cdot \varvec{g} +\varvec{m}}{\prod _{i\in L}\varvec{z}_i} \right] _q, $$

where \(\varvec{r} \in \mathcal {R}\) is a small random element. We call \(\mathsf{enc}_{\mathbb L}(\varvec{m})\), \(\mathsf{enc}_{\{\varvec{z}_i \}} (\varvec{m})\) a top-level and level 1 encoding of \(\varvec{m}\), respectively. In addition, for a matrix \(\varvec{M}\), we denote a matrix whose entries are level-L encodings of corresponding entries of \(\varvec{M}\) by \(\mathsf{enc}_{L}(\varvec{M})\).

The arithmetic operations between encodings are defined as follows:

$$\begin{aligned}\mathsf{enc}_{L}(\varvec{m}_1) + \mathsf{enc}_{L}(\varvec{m}_2)= & {} \mathsf{enc}_{L}(\varvec{m}_1 +\varvec{m}_2), \\ \mathsf{enc}_{L_1}(\varvec{m}_1) \cdot \mathsf{enc}_{L_2}(\varvec{m}_2)= & {} \mathsf{enc}_{L_1 \sqcup L_2}(\varvec{m}_1\cdot \varvec{m}_2).\end{aligned}$$

Additionally, the \((\kappa ,\lambda )\)-GGH scheme provides a zerotesting parameter which can be used to determine whether a hidden message of a top-level encoding is zero or not. The zerotesting parameter \(\varvec{p}_{zt}\) is of the form:

$$\varvec{p}_{zt}= \left[ \varvec{h}\cdot \frac{\prod _{i\in \mathbb L} \varvec{z}_i}{\varvec{g}}\right] _q , $$

where \(\varvec{h}\) is an \(O(\sqrt{q})\)-size element of \(\mathcal {R}\). Given a top-level encoding of zero \(\mathsf{enc}_{\mathbb L}(\mathbf {0})= {[{\varvec{r}}\cdot \varvec{g} /\prod _{i\in \mathbb L}\varvec{z}_i]}_q\), a zerotesting value is:

$$\begin{aligned} {[}\varvec{p}_{zt}\cdot \mathsf{enc}_{\mathbb L} (\mathbf {0})]_q= & {} \left[ \varvec{h}\cdot \frac{\prod _{i\in \mathbb L} \varvec{z}_i}{\varvec{g}} \cdot \frac{\varvec{r}\cdot \varvec{g}}{\prod _{i\in \mathbb L}\varvec{z}_i}\right] _q = {[\varvec{h}\cdot \varvec{r}]}_q= \varvec{h}\cdot \varvec{r} \in \mathcal {R}. \end{aligned}$$

We remark that a zerotesting value for a top-level encoding of nonzero gives an element of the form \([\varvec{h}\cdot (\varvec{r} +\varvec{m}\cdot \varvec{g}^{-1})]_q\), which is not small by Lemma 4 in [22]. Thus one can decide whether a message is zero or not by the zerotesting value.
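As an added illustration (not the paper's code), the following Python toy carries out the encoding, multiplication and zerotest of this section for n = 8 and \(\kappa = 2\), with q the 64-bit prime 2^64 - 2^32 + 1 chosen here so that \(X^n+1\) splits over \({\mathbb {Z}}_q\) and ring inverses come from pointwise evaluation; the parameter sizes and the threshold \(q^{3/4}\) for "small" are assumptions for the demo and far from secure.

```python
import math
import random

# Added toy instance of the GGH13 encoding and zerotest of this section; it is not
# the paper's code and is far too small to be secure. Assumptions: n = 8, q the
# prime 2^64 - 2^32 + 1 (2n | q - 1, so X^n + 1 splits over Z_q and inverses come
# from pointwise evaluation), kappa = 2, and "small" in the zerotest meaning every
# centered coefficient is below q^(3/4).

N = 8                      # R = Z[X]/<X^N + 1>; ring elements are coefficient lists
Q = 2**64 - 2**32 + 1      # encoding modulus
KAPPA = 2

def center(a, q=Q):
    """Reduce coefficients into (-q/2, q/2], as in the Notations paragraph."""
    return [((c + q // 2) % q) - q // 2 for c in a]

def add(a, b, q=Q):
    return [(x + y) % q for x, y in zip(a, b)]

def mul(a, b, q=Q):
    """Negacyclic convolution: the product in Z_q[X]/<X^N + 1>."""
    out = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            k, sign = (i + j) % N, (1 if i + j < N else -1)   # X^N = -1
            out[k] = (out[k] + sign * x * y) % q
    return out

def _roots():
    """The N roots psi^(2i+1) of X^N + 1 in Z_Q, psi a primitive 2N-th root of unity."""
    for a in range(2, 1000):
        psi = pow(a, (Q - 1) // (2 * N), Q)
        if pow(psi, N, Q) == Q - 1:
            return [pow(psi, 2 * i + 1, Q) for i in range(N)]

ROOTS = _roots()

def evaluate(a):
    return [sum(c * pow(r, k, Q) for k, c in enumerate(a)) % Q for r in ROOTS]

def inverse(a):
    """a^{-1} in Z_Q[X]/<X^N + 1>, or None: invert pointwise, then interpolate."""
    vals = evaluate(a)
    if 0 in vals:
        return None
    inv_n = pow(N, -1, Q)
    return [sum(pow(v, -1, Q) * pow(r, -k, Q) for v, r in zip(vals, ROOTS)) * inv_n % Q
            for k in range(N)]

def small(rng, bound):
    return [rng.randint(-bound, bound) for _ in range(N)]

def keygen(rng):
    """Secret g, level parameters z_1..z_KAPPA and the zerotesting parameter p_zt."""
    while True:
        g = small(rng, 3)
        g_inv = inverse(g)
        # N(g) is the product of the evaluations, exact since |N(g)| << Q. Reject units
        # of R (|N(g)| = 1) and associates of 1 + X (|N(g)| = 2) so that the demo
        # message 1 + X below is provably not in <g>.
        norm = center([math.prod(evaluate(g)) % Q])[0]
        if g_inv is not None and abs(norm) > 2:
            break
    zs = []
    while len(zs) < KAPPA:
        z = [rng.randrange(Q) for _ in range(N)]
        if inverse(z) is not None:
            zs.append(z)
    h = small(rng, 2**30)                        # size about sqrt(q)
    z_top = [1] + [0] * (N - 1)
    for z in zs:
        z_top = mul(z_top, z)
    return {"g": g, "zs": zs, "p_zt": mul(mul(h, z_top), g_inv)}   # [h prod z_i / g]_q

def encode(sk, rng, m, i):
    """Level-{z_i} encoding [(r g + m) / z_i]_q of a small message m."""
    r = small(rng, 3)
    return mul(add(mul(r, sk["g"]), m), inverse(sk["zs"][i]))

def zerotest(p_zt, top_enc):
    """True iff the top-level encoding's message is 0 mod g: [p_zt . enc]_q is small."""
    return max(abs(c) for c in center(mul(p_zt, top_enc))) < Q ** 0.75

def demo(seed=2018):
    """Returns (zerotest of an encoding of 0, zerotest of an encoding of 1 + X)."""
    rng = random.Random(seed)
    sk = keygen(rng)
    one, one_x = [1] + [0] * (N - 1), [1, 1] + [0] * (N - 2)
    # enc_1(1) . enc_2(1+X) and enc_1(1+X) . enc_2(1) both encode 1 + X at the top
    # level, so their difference is a top-level encoding of zero (cf. Eval_D - Eval'_D)
    a = mul(encode(sk, rng, one, 0), encode(sk, rng, one_x, 1))
    b = mul(encode(sk, rng, one_x, 0), encode(sk, rng, one, 1))
    diff = add(a, [(-c) % Q for c in b])
    return zerotest(sk["p_zt"], diff), zerotest(sk["p_zt"], a)
```

`demo()` returns `(True, False)`: the difference of two encodings of the same product passes the zerotest while a single encoding of 1 + X does not, which is exactly the test the obfuscated BP relies on.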

Several papers [2, 22, 27] proposed parameters for the \((\kappa ,\lambda )\)-GGH13 multilinear map. Here we state the minimal conditions satisfied by all three works.

  • \(\log q= \tilde{\varTheta }(\kappa \cdot \log n)\)

  • \(n=\tilde{\varTheta }( \kappa ^\epsilon \cdot \lambda ^\delta )\) for constants \(\delta ,\epsilon \)

  • \(M=\tilde{O}(n^{\varTheta (1)})\)

Here M is the size bound on the numerators \(\varvec{r} \cdot \varvec{g} + \varvec{m}\) of level 1 encodings. We note that the parameters suggested in [2, 27] choose \(\delta =\epsilon =1\), which enables the subexponential attack with respect to \(\lambda \) for small \(\kappa \) [1, 13]. When \(\delta \ge 2\), all known direct attacks on the GGH13 multilinear map require exponential time for a classical adversary.

3 Main Theorem

In this section, we present the results from our attacks. We denote the obfuscation within our attack range as the attackable obfuscation, which is formally defined by the attackable model in the next section. The attackable obfuscation model encompasses all suggested BP obfuscations based on GGH13 multilinear map.

Proposition 1

(Universality of the Attackable Model). The BP obfuscations [3, 6, 7, 23, 24, 30, 32] satisfy all the constraints of the attackable model.

As a result, we obtain the following main theorem.

Theorem 1

Let \(\mathcal {O}\) be an attackable obfuscator, \(\kappa , \lambda \) be the multilinearity level and the security parameter of underlying GGH13 multilinear map. Suppose that the modulus q, dimension n, size bound M of numerators of level 1 encoding of underlying GGH13 satisfy \(\log q= \tilde{\varTheta }(\kappa \cdot \log n), M=\tilde{O}(n^{\varTheta (1)})\). Then the following propositions hold:

  1. For \(n = \tilde{\varTheta }(\kappa \cdot \lambda ^\delta )\) for a constant \(\delta \) as in [2, 22, 27], there exist two functionally equivalent branching programs of length \(\varOmega (\lambda ^\delta )\) such that their obfuscated programs by \(\mathcal {O}\) can be distinguished with high probability in polynomial time with respect to \(\lambda \).

  2. Moreover, for the new parameter constraint \(n=\tilde{\varTheta }(\kappa ^\epsilon \cdot \lambda ^\delta )\) for constants \(\epsilon <2,\delta \), there exist two functionally equivalent branching programs of length \(\varOmega (\lambda ^{\delta /(2-\epsilon )})\) such that their obfuscated programs by \(\mathcal {O}\) can be distinguished with high probability in polynomial time with respect to \(\lambda \).

The main theorem is proven by combining the program converting technique and the matrix zeroizing attack, which are described in Sects. 5 and 6. The bottleneck of the attack is the algorithm for NTRU, which is exploited in the middle step of the converting technique; the other steps can be done in polynomial time, while the time complexity of solving the NTRU problem depends on the parameters. The detailed analysis of the time complexity is given in Sect. 5.3.

4 Attackable BP Obfuscations

In this section, we present a new BP obfuscation model which is attackable by our attack, the attackable model. We call a BP obfuscation captured by our model an attackable BP obfuscation.

The attackable model is composed of two steps: for a given BP, randomize the BP, and then encode the randomized BP with the GGH13 multilinear map. More precisely, for a given branching program P of the form

$$\begin{aligned} P = \left\{ \varvec{M}_{i,\varvec{b}} \in {\mathbb {Z}}^{d_i \times d_{i+1}}\right\} _{i \in [\ell ], \varvec{b} \in \{0,1\}^w}, \end{aligned}$$

we randomize P by any method satisfying Definition 3, which is described later. Then we encode each entry of the randomized matrices and output the obfuscated program as the set

$$\begin{aligned} \mathcal O(P) =&\left\{ \widetilde{\varvec{S}},\widetilde{\varvec{S}}'\in \mathcal {R}_q^{d_0 \times (d_1+e_1)}\right\} \\ \cup&\left\{ \{ \widetilde{\varvec{M}}_{i,\varvec{b}},\widetilde{\varvec{M}}'_{i,\varvec{b}} \in \mathcal {R}_q^{(d_i +e_i ) \times (d_{i+1}+e_{i+1})}\}_{i \in [\ell ], \varvec{b} \in \{0,1\}^w}, \right\} \\ \cup&\left\{ \widetilde{\varvec{T}},\widetilde{\varvec{T}}'\in \mathcal {R}_q^{(d_{\ell +1}+e_{\ell +1}) \times d_{\ell +2}} \right\} \end{aligned}$$

together with the public parameters of the GGH13 multilinear map. \(\varvec{S},\varvec{T}\) denote bookend matrices, and primed matrices denote the matrices of the dummy program. In the attackable model, we specify the following property instead of fixing exactly how the program is evaluated. To evaluate an input, a function \(Eval_{{\widetilde{\varvec{M}}}} : \{0,1\}^{N} \rightarrow \mathcal {R}_q^{d_0 \times d_{\ell +2}}\) is computed as follows:

$$ Eval_{{\widetilde{\varvec{M}}}}(\varvec{x}) = \widetilde{\varvec{S}} \cdot \prod _{i=1}^\ell \widetilde{\varvec{M}}_{i,\varvec{x}_{\mathsf{inp}(i)}} \cdot \widetilde{\varvec{T}} -\widetilde{\varvec{S}}' \cdot \prod _{i=1}^\ell \widetilde{\varvec{M}}'_{i,\varvec{x}_{\mathsf{inp}(i)}} \cdot \widetilde{\varvec{T}}' \in \mathcal {R}_q^{d_0 \times d_{\ell +2}}. $$

Proposition 2

(Evaluation of Obfuscation). For a program P and the program \(\mathcal O(P)\) obfuscated by the attackable model, the evaluation of \(\mathcal O(P)\) at a root \(\varvec{x}\) of P yields a top-level GGH13 encoding of zero in a specific entry of the matrix \(Eval_{{\widetilde{\varvec{M}}}}(\varvec{x}).\) In other words, there are two integers u, v such that \(Eval_{{\widetilde{\varvec{M}}}}(\varvec{x})[u,v]\) is an encoding of zero at level \(\mathbb L\) for every input \(\varvec{x}\) satisfying \(P(\varvec{x})=0\).

In the rest of this section, we give detailed descriptions of the attackable model in Sects. 4.1 and 4.2, and present a constraint on BPs needed to execute our attack in Sect. 4.3.

4.1 Randomization for Attackable Obfuscation Model

We introduce the conditions for BP randomization in the attackable obfuscation model. These randomization conditions cover all of the BP randomization methods suggested in the first candidate iO [23] and its subsequent works [3, 6, 7, 24, 30, 32]. In other words, higher dimension embedding, scalar bundling, Kilian randomization, bookend matrices (vectors), and dummy programs are captured by the attackable conditions.

Definition 3

(Attackable Conditions for Randomization). For a branching program \(P = \left\{ \varvec{M}_{i,\varvec{b}} \in {\mathbb {Z}}^{d_i \times d_{i+1}}\right\} _{i \in [\ell ], \varvec{b} \in \{0,1\}^w}\), the attackable randomized branching program is the set

$$\begin{aligned} Rand(P) =&\left\{ \varvec{R}_{\varvec{S}},\varvec{R}_{\varvec{S}}'\in {\mathbb {Z}}^{d_0 \times (d_1+e_1)}\right\} \\ \cup&\left\{ \{ {\varvec{R}}_{i,\varvec{b}},{\varvec{R}}'_{i,\varvec{b}} \in {\mathbb {Z}}^{(d_i +e_i ) \times (d_{i+1}+e_{i+1})}\}_{i \in [\ell ], \varvec{b} \in \{0,1\}^w}, \right\} \\ \cup&\left\{ \varvec{R}_{\varvec{T}},\varvec{R}_{\varvec{T}}'\in {\mathbb {Z}}^{(d_{\ell +1}+e_{\ell +1}) \times d_{\ell +2}} \right\} \end{aligned}$$

satisfying the following properties, where \(d_0, d_{\ell +2},e_i\)’s are integers.

  1. 1.

    There exist matrices \(\varvec{S}_0 ,\varvec{S}'_0 \in {\mathbb {Z}}^{d_0 \times d_1} , \varvec{T}_0,\varvec{T}'_0 \in {\mathbb {Z}}^{d_\ell \times d_{\ell +1}}\) and scalars \(\varvec{\alpha }_{\varvec{S}}, \varvec{\alpha }'_{\varvec{S}}\), \(\varvec{\alpha }_{\varvec{T}}, \varvec{\alpha }_{\varvec{T}}'\), \(\{\varvec{\alpha }_{i,\varvec{b}},\varvec{\alpha }'_{i,\varvec{b}}\}_{i \in [\ell ], \varvec{b} \in \{0,1\}^w}\) such that the following equations hold for all \(\{ \varvec{b}_i \in \{0,1\}^w \}_{i \in [\ell ]}\):

    $$\begin{aligned}&\varvec{R}_S \cdot \prod _{i=1}^\ell \varvec{R}_{i,\varvec{b}_i} \cdot \varvec{R}_T =\varvec{\alpha }_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\alpha }_{i,\varvec{b}_i} \cdot \varvec{\alpha }_{\varvec{T}} \cdot \left( \varvec{S}_0 \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i} \cdot \varvec{T}_0\right) ,\\&\varvec{R}'_S \cdot \prod _{i=1}^\ell \varvec{R}'_{i,\varvec{b}_i}\cdot \varvec{R}'_T =\varvec{\alpha }'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\alpha }'_{i,\varvec{b}_i} \cdot \varvec{\alpha }'_{\varvec{T}} \cdot \left( \varvec{S}'_0 \cdot \prod _{i=1}^\ell \varvec{M}'_{i,\varvec{b}_i} \cdot \varvec{T}'_0\right) . \end{aligned}$$
  2.

    The evaluation of the randomized program is done by checking whether fixed entries of \(RP(\varvec{x}) := \varvec{R}_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{R}_{i,\varvec{x}_{\mathsf{inp}(i)}} \cdot \varvec{R}_{\varvec{T}} - \varvec{R}'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{R}'_{i,\varvec{x}_{\mathsf{inp}(i)}} \cdot \varvec{R}'_{\varvec{T}}\) are zero or not. In particular, there are two integers u, v such that \(P(\varvec{x})=0 \Rightarrow RP(\varvec{x})[u,v] = 0\).

Primed matrices are called dummy matrices, \(\varvec{R}_{\varvec{S}},\varvec{R}_{\varvec{S}}',\varvec{R}_{\varvec{T}},\varvec{R}_{\varvec{T}}'\) bookend matrices (vectors), and the \(\alpha \)’s bundling scalars. When some elements of Rand(P) (or some bundling scalars) are trivial, we say that the program has no such element.

4.2 Encoding by Multilinear Map

After the randomization, we encode the randomized matrix branching program using the GGH13 multilinear map. We stress that we do not encode dummy (resp. bookend) matrices if the program has no dummy program (resp. no bookends).

For each randomized matrix \(\varvec{R}_{i,\varvec{b}}, \varvec{R}'_{i,\varvec{b}}\) and each randomized bookend matrix \(\varvec{R}_{\varvec{S}}, \varvec{R}'_{\varvec{S}}, \varvec{R}_{\varvec{T}},\varvec{R}'_{\varvec{T}}\), we obtain an encoded matrix \(\mathsf{enc}_{L_{i,\varvec{b}}} (\varvec{R}_{i,\varvec{b}} )\) whose entries are encodings of the corresponding entries of the randomized matrix \(\varvec{R}_{i,\varvec{b}}\). For brevity we write \(\widetilde{\varvec{M}}_{i,\varvec{b}}\) to denote \(\mathsf{enc}_{L_{i,\varvec{b}}} (\varvec{R}_{i,\varvec{b}} )\); the other matrices \(\widetilde{\varvec{M}}'_{i,\varvec{b}}\), \(\widetilde{\varvec{S}}\), \(\widetilde{\varvec{S}}'\), \(\widetilde{\varvec{T}},\widetilde{\varvec{T}}'\) are defined in a similar manner.

Two conditions should hold in the attackable model:

  1.

    the evaluation of a valid input is top-level; in other words, for every input \(\varvec{x}\), \(\left( \large \cup _{i=1}^\ell L_{i,\varvec{x}_{\mathsf{inp}(i)}}\right) \cup L_{\varvec{S}} \cup L_{\varvec{T}} =\mathbb L\), where \(\mathbb L\) denotes the top-level set,

  2.

    the sizes of the level sets L are all similar; that is, there is a constant C such that \(|L_{i,\varvec{b}}|/|L_{j,\varvec{b}'}| \le C\) for all \(i,j,\varvec{b},\varvec{b}'\), and similar inequalities hold for \(L_{\varvec{S}}, L_{\varvec{T}}\).

In practice, the level sets L are determined by the straddling set system introduced in [7, 30], and these constructions satisfy our conditions. Using condition 1 and Definition 3, Proposition 2 is easily verified. We also note that condition 2 implies \(\ell =\varTheta (\kappa )\), where \(\kappa \) is the level of the underlying multilinear map.

4.3 Linear Relationally Inequivalent Branching Programs

Finally, we explain the condition, linear relational inequivalence, on the branching programs of an attackable BP obfuscation. This condition is used in the last section; we note that linear relationally inequivalent BPs do exist, as stated in Proposition 3.

To define linear relational inequivalence, we consider evaluations of a branching program on invalid inputs, and denote \(\prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i}\) by \(\varvec{M}(\varvec{b})\) for \(\varvec{b} = (\varvec{b}_1,\cdots ,\varvec{b}_\ell )\). We define the linear relations of a BP and the linear relational inequivalence of two BPs as follows.

Definition 4

(Linear Relations of Branching Program). For a given branching program

$$P_{\varvec{M}} = \left\{ \varvec{M}_{i,\varvec{b}} \in {\mathbb {Z}}^{d_i \times d_{i+1}}\right\} _{i \in [\ell ], \varvec{b} \in \{0,1\}^w},$$

the set of linear relations of \(P_{\varvec{M}} \) is

$$ L_{\varvec{M}} := \left\{ \left( q_{\varvec{b}}\right) _{{\varvec{b} \in \{0,1\}^{w\times \ell }}}:\displaystyle {\sum _{\varvec{b} \in \{0,1\}^{w\times \ell }} q_{\varvec{b}} \cdot \varvec{M}(\varvec{b}) = \varvec{0}^{d_1 \times d_{\ell +1}}}\right\} $$

Definition 5

(Linear Relational Inequivalence). We say that two branching programs \(P_{\varvec{M}}\) and \(P_{\varvec{N}}\) of the same length are linear relationally inequivalent if \(L_{\varvec{M}} \ne L_{\varvec{N}}\).

The set of linear relations of a given BP is easily computed as a kernel, by regarding the BP matrices \(\varvec{M}(\varvec{b})\) as vectors. It is clear that \(L_{\varvec{M}}\) is a lattice. We note that the set of linear relations of a BP is not determined by the functionality of the BP; indeed, the two seem to be unrelated.

Further, one can observe that if \(P_{\varvec{M}}, P_{\varvec{N}}\) are linear relationally inequivalent BPs, then so are the two extended BPs \(P_{\varvec{M}}', P_{\varvec{N}}'\) obtained by concatenating some other (functionally equivalent) BPs to the right (or left) of \(P_{\varvec{M}}, P_{\varvec{N}}\). Therefore we can show that there exist arbitrarily large pairs of functionally equivalent BPs which are linear relationally inequivalent.

We conclude this section with a proposition stating that concrete examples of linear relationally inequivalent BPs exist; the examples themselves are given in Appendix C.

Proposition 3

There exist two functionally equivalent but linear relationally inequivalent branching programs. In particular, there are linear relationally inequivalent examples which are

  1.

    generated by Barrington’s theorem and input-unpartitionable, or

  2.

    obtained from non-deterministic finite automata and read-once; in other words, \(\mathsf {inp}\) is a bijection.
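The following is an added example, not code from the paper: it computes the lattice of linear relations of Definition 4 for two constructed toy branching programs (w = 1, length 2, read-once, output read from entry [0,1] of the product) and checks Definition 5 on them. The two programs have the same functionality (both are zero only on input 00) but different relation lattices, which is the kind of pair Proposition 3 asserts; the matrices, the output entry and the function names are all constructed here. The kernel is computed over the rationals and denominators are cleared, which is enough because a relation lattice is the intersection of a rational kernel with the integer lattice, so two relation lattices coincide exactly when the two kernels do.

```python
from fractions import Fraction
from functools import reduce
from itertools import product
from math import lcm

# Constructed toy branching programs (w = 1, length 2, read-once: inp(i) = i).
# Both are read through entry [0,1] of the product: P(x) = 0 iff that entry is 0.
I = [[1, 0], [0, 1]]
A = [[1, 1], [0, 1]]      # A^k has [0,1]-entry k, so products count weighted 1-bits
A2 = [[1, 2], [0, 1]]
P_M = [{0: I, 1: A}, {0: I, 1: A}]     # M(b)[0][1] = b1 + b2
P_N = [{0: I, 1: A}, {0: I, 1: A2}]    # N(b)[0][1] = b1 + 2*b2 (same zero set: b = 00)


def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) for j in range(len(Y[0]))]
            for i in range(len(X))]


def all_inputs(bp):
    """All b in {0,1}^{w x l} (w = 1), in the fixed order used to index relation vectors."""
    return list(product((0, 1), repeat=len(bp)))


def bp_product(bp, b):
    """M(b) = prod_i M_{i,b_i}; b may also be an invalid (mixed) input."""
    out = bp[0][b[0]]
    for layer, bit in zip(bp[1:], b[1:]):
        out = matmul(out, layer[bit])
    return out


def functionality(bp, u=0, v=1):
    """P(b) for every b: 1 iff the fixed (u,v) entry of M(b) is nonzero."""
    return [int(bp_product(bp, b)[u][v] != 0) for b in all_inputs(bp)]


def rational_kernel(columns):
    """Basis of {q : sum_j q_j * columns[j] = 0} over Q by Gauss-Jordan elimination."""
    ncols, nrows = len(columns), len(columns[0])
    A = [[Fraction(columns[j][i]) for j in range(ncols)] for i in range(nrows)]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, nrows) if A[i][c] != 0), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        pivot = A[r][c]
        A[r] = [x / pivot for x in A[r]]
        for i in range(nrows):
            if i != r and A[i][c] != 0:
                f = A[i][c]
                A[i] = [x - f * y for x, y in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
        if r == nrows:
            break
    basis = []
    for free in (c for c in range(ncols) if c not in pivots):
        vec = [Fraction(0)] * ncols
        vec[free] = Fraction(1)
        for row, pcol in enumerate(pivots):
            vec[pcol] = -A[row][free]
        basis.append(vec)
    return basis


def linear_relations(bp):
    """Integer basis of L_M (Definition 4): columns vec(M(b)), kernel, denominators cleared."""
    cols = [[x for row in bp_product(bp, b) for x in row] for b in all_inputs(bp)]
    basis = []
    for vec in rational_kernel(cols):
        d = reduce(lcm, (x.denominator for x in vec), 1)
        basis.append([int(x * d) for x in vec])
    return basis


def is_linear_relation(bp, q):
    """Membership test: does sum_b q_b * M(b) vanish for this BP?"""
    mats = [bp_product(bp, b) for b in all_inputs(bp)]
    d1, d2 = len(mats[0]), len(mats[0][0])
    return all(sum(qb * m[i][j] for qb, m in zip(q, mats)) == 0
               for i in range(d1) for j in range(d2))


def linear_relationally_inequivalent(bp_m, bp_n):
    """Definition 5: L_M != L_N iff some basis vector of one lattice fails to be a relation of the other."""
    return (any(not is_linear_relation(bp_n, q) for q in linear_relations(bp_m)) or
            any(not is_linear_relation(bp_m, q) for q in linear_relations(bp_n)))
```

Running `linear_relations(P_M)` returns the two relations `[0, -1, 1, 0]` (the two products that read a single 1-bit are equal) and `[1, -2, 0, 1]`; the first is not a relation of `P_N`, so the pair is linear relationally inequivalent even though `functionality` agrees on every input.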

5 Program Converting Technique

In this section, we describe the program converting technique, which removes the hindrances of the modulus q and of \(\varvec{g}\). We first define a new notion: a \(\varvec{Y}\) program (of P) is a program whose branching program matrices, corresponding to the program P, have all entries in a space \(\varvec{Y}\), while preserving many properties of P. For example, the obfuscated program \(\mathcal {O}(P)\) is an \(\mathcal {R}_q\) program. Suppose that the obfuscated program \(\mathcal O(P)\) of a program P is given.

We will convert the given obfuscated program \(\mathcal O(P)\) into an \(\mathcal {R}\) program and an \(\mathcal {R}/\langle \varvec{g} \rangle \) program using an algorithm for the NTRU problem, specifically the subfield attacks [1, 18], which solve the problem for a large modulus q.

Proposition 4

([1, 17, 18, 26]). Let q be a large integer, n a power of two, M a constant much smaller than q, \(\mathcal {R}= {\mathbb {Z}}[X]/\langle X^n +1\rangle \) and \(\mathcal {R}_q = \mathcal {R}/ q\mathcal {R}\). For a given \([\varvec{f}_1/\varvec{f}_2]_q \in \mathcal {R}_q \) with \(\varvec{f}_1,\varvec{f}_2 \in \mathcal {R}\) of size smaller than M, there is an algorithm that computes \((\varvec{c} \cdot \varvec{f}_2, \varvec{c} \cdot \varvec{f}_1)\in \mathcal {R}^2 \) such that the sizes of \(\varvec{c}\), \(\varvec{c} \cdot \varvec{f}_1\) and \(\varvec{c} \cdot \varvec{f}_2\) are much smaller than q, in time \(2^{O(\beta )} \cdot poly(n)\) for a constant \(\beta \) satisfying \(\beta /\log \beta = \varTheta ( n \log M / \log ^2 q)\).

We note that similar results hold for other, non-cyclotomic rings [17, 26] and for \(\varvec{f}_1 ,\varvec{f}_2\) drawn from certain distributions [1]. Throughout this paper, for brevity, we only consider \(\varvec{f}_1, \varvec{f}_2\) with bounded coefficients in a cyclotomic ring.

For a given obfuscated program over \(\mathcal {R}_q\), we first construct NTRU instances and solve them, and then convert to an \(\mathcal {R}\) program by some computations on the obfuscated matrices. This procedure replaces the level parameter \(\varvec{z}_i\) with a small element \(\varvec{c}_{i}\). The \(\mathcal {R}\) program preserves the same functionality as the \(\mathcal {R}_q\) program. Subsequently, we convert this \(\mathcal {R}\) program to an \(\mathcal {R}/\langle \varvec{g}\rangle \) program by recovering the ideal \(\langle \varvec{g} \rangle \).

5.1 Converting to \(\mathcal {R}\) Program

In order to remove the modulus q, we employ an algorithm for solving the NTRU problem. Let \(\widetilde{\varvec{M}}_{i,\varvec{b}}\) be the obfuscated matrix of \({\varvec{R}}_{i,\varvec{b}}\). Then each (j, k)-th entry of the obfuscated matrix \(\widetilde{\varvec{M}}_{i,\varvec{b}}\) is of the form

$$ \varvec{d}_{j,k,\varvec{b}}=\left[ \frac{\varvec{r}_{j,k,\varvec{b}}\cdot \varvec{g} + \varvec{a}_{j,k,\varvec{b}}}{\varvec{z}_{i}}\right] _q, $$

where \(\varvec{a}_{j,k,\varvec{b}}\) is the (j, k)-th entry of the matrix \({\varvec{R}}_{i,\varvec{b}}\) and the \(\varvec{r}_{j,k,\varvec{b}} \in \mathcal {R}\) are random small elements. Consider the element \(\varvec{v}= [\varvec{d}_{1,1,\varvec{0}} / \varvec{d}_{1,2,\varvec{0}} ]_q = [(\varvec{r}_{1,1,\varvec{0}}\cdot \varvec{g} + \varvec{a}_{1,1,\varvec{0}})/(\varvec{r}_{1,2,\varvec{0}}\cdot \varvec{g} + \varvec{a}_{1,2,\varvec{0}}) ]_q\). Then \(\varvec{v}\) is an instance of the NTRU problem, since the sizes of the numerator and denominator of \(\varvec{v}\) are much smaller than q in the parameter setup of the GGH13 multilinear map.

Applying Proposition 4 to the instance \(\varvec{v}\), one can find a pair \((\varvec{c}_{i} \cdot (\varvec{r}_{1,1,\varvec{0}}\cdot \varvec{g} + \varvec{a}_{1,1,\varvec{0}}),~\varvec{c}_{i}\cdot (\varvec{r}_{1,2,\varvec{0}}\cdot \varvec{g} + \varvec{a}_{1,2,\varvec{0}}))\in \mathcal {R}^2\) with a relatively small \(\varvec{c}_{i} \in \mathcal {R}\). Further, for any entry \(\varvec{d}_{j,k,\varvec{b}} \in {\widetilde{\varvec{M}}}_{i,\varvec{b}}\), we can remove the modulus q by computing

$$ \varvec{c}_{i} \cdot (\varvec{r}_{1,1,\varvec{0}}\cdot \varvec{g} + \varvec{a}_{1,1,\varvec{0}}) \cdot [\varvec{d}_{j,k,\varvec{b}}/ \varvec{d}_{1,1,\varvec{0}}]_q = \varvec{c}_{i} \cdot (\varvec{r}_{j,k,\varvec{b}}\cdot \varvec{g} + \varvec{a}_{j,k,\varvec{b}}) \in \mathcal {R}$$

because \(\varvec{c}_{i}\) is small, so that both sides are much smaller than q and the congruence modulo q is an equality in \(\mathcal {R}\). Consequently, one obtains a new matrix \(\varvec{D}_{i,\varvec{b}}\) over \(\mathcal {R}\) whose (j, k)-th entry is \(\varvec{c}_{i}\cdot ({\varvec{r}_{j,k,\varvec{b}}\cdot \varvec{g} + \varvec{a}_{j,k,\varvec{b}}})\).

Similarly, a new dummy matrix \(\varvec{D}'_{i,\varvec{b}}\) over \(\mathcal {R}\) can be obtained, because \(\widetilde{\varvec{M}}'_{i,\varvec{b}}\) shares the level parameter \(\varvec{z}_{i}\) with \(\widetilde{\varvec{M}}_{i,\varvec{b}}\), by multiplying \(\varvec{c}_{i} \cdot (\varvec{r}_{1,1,\varvec{0}}\cdot \varvec{g} + \varvec{a}_{1,1,\varvec{0}})\) with \([\varvec{d}'_{j,k,\varvec{b}}/ \varvec{d}_{1,1,\varvec{0}}]_q\), where \( \varvec{d}'_{j,k,\varvec{b}}\) is the (j, k)-th entry of \(\widetilde{\varvec{M}}'_{i,\varvec{b}}\). We easily observe that the \(2\cdot 2^w\) matrices \(\varvec{D}_{i,\varvec{b}}\) and \(\varvec{D}'_{i,\varvec{b}}\) share the parameter \(\varvec{c}_{i}\).

For all matrices \({\widetilde{\varvec{M}}}_{i,\varvec{b}}\) and \({\widetilde{\varvec{M}}}'_{i,\varvec{b}}\) with \(i\in [\ell ]\) and \(\varvec{b}\in \{0,1\}^w\), we can thus obtain new matrices \(\varvec{D}_{i,\varvec{b}}\) and \(\varvec{D}'_{i,\varvec{b}}\) over \(\mathcal {R}\). The bookend matrices \(\widetilde{\varvec{S}}\) and \(\widetilde{\varvec{T}}\) are converted into matrices over \(\mathcal {R}\) with small constants \(\varvec{c}_{\varvec{S}}\) and \(\varvec{c}_{\varvec{T}}\), respectively. Note that this step runs in polynomial time if \(\kappa \) is large [1, 17, 18, 26]. A detailed analysis of this part is given in Sect. 5.3.

Therefore, we can convert the \(\mathcal {R}_q\) program \(\mathcal {O}( {P})\) into a new program, the \(\mathcal {R}\) program of P:

$$ \mathcal {R}({P})=\{{\varvec{D}}_{\varvec{S}},{\varvec{D}}_{\varvec{T}},{\varvec{D}}'_{\varvec{S}},{\varvec{D}}'_{\varvec{T}},\{{\varvec{D}}_{i,\varvec{b}},{\varvec{D}}'_{i,\varvec{b}}\}_{i\in [\ell ], \varvec{b}\in \{0,1\}^w}\}. $$

Note that the matrix \(\varvec{D}_{i,\varvec{b}}\) of \(\mathcal {R}(P)\) is of the form \(\varvec{c}_{i} \cdot \varvec{R}_{i,\varvec{b}}\pmod {\langle \varvec{g}\rangle } \) in \(\mathcal {R}/\langle \varvec{g} \rangle \).
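The following is an added example, not code from the paper, illustrating the conversion of Sect. 5.1 on a constructed toy ring \(\mathbb {Z}[X]/\langle X^4+1\rangle \) with a constructed prime modulus. The entries of a 2x2 matrix are encoded GGH13-style as \([(\varvec{r}\varvec{g}+\varvec{a})/\varvec{z}]_q\); the NTRU solver of Proposition 4 is not re-implemented, its output \(\varvec{c}\cdot (\varvec{r}_{1,1}\varvec{g}+\varvec{a}_{1,1})\) is simply taken from the constructed secrets (an assumption stated in the code). What the example shows is the arithmetic that follows: multiplying that output by \([\varvec{d}_{j,k}/\varvec{d}_{1,1}]_q\) cancels the level parameter \(\varvec{z}\), and because the result is far smaller than q its centred representative is an exact element of \(\mathcal {R}\) equal to \(\varvec{c}\cdot \varvec{R}_{i,\varvec{b}}\) modulo \(\langle \varvec{g}\rangle \). All names (`build_instance`, `lift_matrix`, the ring size and modulus) are constructed here.

```python
import random

N = 4            # constructed toy ring R = Z[X]/(X^N + 1); GGH13 uses n in the thousands
Q = 1_000_003    # constructed prime modulus (an assumption of this demo)


def ring_mul(a, b, mod=None):
    """Product in Z[X]/(X^N + 1) (negacyclic convolution), optionally reduced mod `mod`."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] += ai * bj
            else:
                out[i + j - N] -= ai * bj
    return [x % mod for x in out] if mod else out


def ring_add(a, b):
    return [x + y for x, y in zip(a, b)]


def center(v):
    """Centred representative in (-Q/2, Q/2]; reads a small element of R off R_Q."""
    return [x - Q if x > Q // 2 else x for x in (y % Q for y in v)]


def ring_inv_mod_q(d):
    """Inverse of d in R_Q by Gauss-Jordan on the multiplication-by-d matrix; None if not a unit."""
    cols, cur = [], [x % Q for x in d]
    for _ in range(N):                      # column k is the coefficient vector of d * X^k
        cols.append(cur)
        cur = [(-cur[-1]) % Q] + cur[:-1]
    A = [[cols[k][i] for k in range(N)] + [int(i == 0)] for i in range(N)]   # solve A*y = e_0
    for c in range(N):
        piv = next((i for i in range(c, N) if A[i][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        inv = pow(A[c][c], -1, Q)
        A[c] = [x * inv % Q for x in A[c]]
        for i in range(N):
            if i != c and A[i][c]:
                f = A[i][c]
                A[i] = [(x - f * y) % Q for x, y in zip(A[i], A[c])]
    return [A[i][N] for i in range(N)]


def small(rng):
    return [rng.randint(-2, 2) for _ in range(N)]


def build_instance(seed):
    """Constructed level-1 encodings of a 2x2 matrix R_{i,b}:
    d_{j,k} = [(r_{j,k} g + a_{j,k}) / z]_Q with small g, r, a and a uniform unit z."""
    rng = random.Random(seed)
    while True:
        g, c = small(rng), small(rng)
        z = [rng.randrange(Q) for _ in range(N)]
        z_inv = ring_inv_mod_q(z)
        a = [[small(rng) for _ in range(2)] for _ in range(2)]   # plaintext entries of R_{i,b}
        r = [[small(rng) for _ in range(2)] for _ in range(2)]   # encoding randomness
        num = [[ring_add(ring_mul(r[j][k], g), a[j][k]) for k in range(2)] for j in range(2)]
        if z_inv is None or ring_inv_mod_q(num[0][0]) is None or not any(c) or not any(g):
            continue
        enc = [[ring_mul(num[j][k], z_inv, Q) for k in range(2)] for j in range(2)]
        # ASSUMPTION: Proposition 4 is not re-implemented; its output c*(r_{1,1} g + a_{1,1})
        # is taken from the secrets so that the demo can show how that output removes q and z.
        oracle = ring_mul(c, num[0][0])
        return {"g": g, "c": c, "a": a, "r": r, "enc": enc, "oracle": oracle}


def lift_matrix(enc, oracle):
    """D_{j,k} = c*(r_{1,1} g + a_{1,1}) * [d_{j,k} / d_{1,1}]_Q, centred mod Q.
    The level parameter z cancels in the ratio, and both sides are much smaller than Q,
    so the centred value is exactly c*(r_{j,k} g + a_{j,k}) in R."""
    inv_d00 = ring_inv_mod_q(enc[0][0])
    return [[center(ring_mul(oracle, ring_mul(d, inv_d00, Q), Q)) for d in row] for row in enc]


def expected_lift(inst):
    """c*(r_{j,k} g + a_{j,k}) computed directly from the secrets, for comparison."""
    c, g = inst["c"], inst["g"]
    return [[ring_mul(c, ring_add(ring_mul(inst["r"][j][k], g), inst["a"][j][k]))
             for k in range(2)] for j in range(2)]


def is_c_times_plaintext_mod_g(inst, lifted):
    """Checks D_{j,k} - c*a_{j,k} == c*r_{j,k}*g exactly, i.e. D = c * R_{i,b} (mod <g>)."""
    c, g = inst["c"], inst["g"]
    for j in range(2):
        for k in range(2):
            diff = [x - y for x, y in zip(lifted[j][k], ring_mul(c, inst["a"][j][k]))]
            if diff != ring_mul(ring_mul(c, inst["r"][j][k]), g):
                return False
    return True
```

With coefficients of size at most 2 and \(n=4\), every coefficient of \(\varvec{c}\cdot (\varvec{r}\varvec{g}+\varvec{a})\) is bounded by 144 in absolute value, far below \(Q/2\), which is the condition under which the centred representative is exact; the GGH13 parameters arrange the same gap at full size.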

Dummy and bookend matrices satisfy similar relations. We denote \(\varvec{c}_{i}\cdot {\varvec{\alpha }}_{i,\varvec{b}}\) and \(\varvec{c}_{i}\cdot {\varvec{\alpha }}'_{i,\varvec{b}}\) by \(\varvec{\rho }_{i,\varvec{b}}\), \(\varvec{\rho }'_{i,\varvec{b}}\) for simplicity. The properties of Definition 3 naturally extend to the following. Proposition 5 means that an evaluation of \(\mathcal {R}(P)\) preserves the functionality, up to a constant, on valid inputs \(\varvec{x}\).

Proposition 5

(Evaluation of \(\mathcal {R}\) and \(\mathcal {R}/\langle \varvec{g} \rangle \) Branching Programs). For an \(\mathcal {R}\) program obtained as in this section, the following statements hold:

  1.

    The higher dimension embedding matrices \(\varvec{U}\) are eliminated in the product of the randomized matrix branching program; that is, there are matrices \(\varvec{S}_0,\varvec{S}'_0 \in {\mathbb {Z}}^{d_0 \times d_1}, \varvec{T}_0,\varvec{T}'_0 \in {\mathbb {Z}}^{d_{\ell +1} \times d_{\ell +2}}\) such that the following equations hold for all inputs x:

    $$\begin{aligned} \varvec{D}_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{D}_{i,\varvec{b}_i} \cdot \varvec{D}_{\varvec{T}}&=\varvec{\rho }_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\rho }_{i,\varvec{b}_i} \cdot \varvec{\rho }_{\varvec{T}} \cdot \left( \varvec{S}_0 \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i} \cdot \varvec{T}_0\right) \pmod {\langle \varvec{g}\rangle },\\ \varvec{D}'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{D}'_{i,\varvec{b}_i}\cdot \varvec{D}'_{\varvec{T}}&=\varvec{\rho }'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\rho }'_{i,\varvec{b}_i} \cdot \varvec{\rho }'_{\varvec{T}} \cdot \left( \varvec{S}'_0 \cdot \prod _{i=1}^\ell \varvec{M}'_{i,\varvec{b}_i} \cdot \varvec{T}'_0\right) \pmod {\langle \varvec{g}\rangle }. \end{aligned}$$
  2.

    The evaluation of the \(\mathcal {R}\) program is done by checking whether fixed entries of \(Eval_{\varvec{D}}(\varvec{x}) :={\varvec{D}}_{\varvec{S}} \cdot \prod _{i=1}^{\ell } \varvec{D}_{i,\varvec{x}_{\mathsf{inp }(i)}} \cdot {\varvec{D}}_{\varvec{T}} - {\varvec{D}}'_{\varvec{S}} \cdot \prod _{i=1}^{\ell } {\varvec{D}}'_{i,\varvec{x}_{\mathsf{inp}(i)}} \cdot {\varvec{D}}'_{\varvec{T}}\) are multiples of \(\varvec{g}\) or not. In particular, there are two integers u, v such that \(P(\varvec{x})=0 \Rightarrow Eval_{\varvec{D}}(\varvec{x})[u,v] = 0\pmod {\langle \varvec{g} \rangle }\).

5.2 Recovering \(\langle \varvec{g} \rangle \) and Converting to \(\mathcal {R}/ \langle {\varvec{g}}\rangle \) Program

Next, we compute a basis of the plaintext space \(\langle \varvec{g}\rangle \) to transform the \(\mathcal {R}\) program into an \(\mathcal {R}/\langle \varvec{g}\rangle \) program. Unlike other attacks, we do not use the assumption of ‘input partitionability’. We exploit the fact that the \(\mathcal {R}\) program obtained from the \(\mathcal {R}_q\) program has the same functionality up to a constant. However, neither the existing attacks with the input partitionable assumption nor our cryptanalysis can be applied to a BP for an ‘evasive function’, since such a program does not output multiples of \(\varvec{g}\). The transformation consists of the following two steps:

Finding a multiple of \(\varvec{g}\). This step is done by computing \(Eval_{\varvec{D}}\) at zeros of the program P. We compute \(Eval_{\varvec{D}}(\varvec{x})\) for the \(\mathcal {R}\) program \(\mathcal {R}(P)\) at \(\varvec{x}\) satisfying \(P(\varvec{x})=0\). Then Proposition 5 implies that \(Eval_{\varvec{D}} (\varvec{x}) [u,v]\) is a multiple of \(\varvec{g}\). More precisely, \(Eval_{\varvec{D}}(\varvec{x})[u,v]\) is of the form

$$\varvec{c}_{\varvec{S}} \cdot \varvec{c}_{\varvec{T}} \cdot \prod _{i=1}^{\ell } \varvec{c}_{i} \cdot \varvec{a}\cdot \varvec{g}$$

when \( \varvec{p}_{zt}\cdot Eval_{{\widetilde{\varvec{M}}}}(\varvec{x})[u,v] = \varvec{a} \cdot \varvec{h} \pmod {q} \) for some \(\varvec{a} \in \mathcal {R}\) such that \(\Vert \varvec{a} \cdot \varvec{h}\Vert _2 \) is less than \(q^{3/4}\).

This procedure outputs a value which is a multiple not only of \(\varvec{g}\) but also of the \(\varvec{c}_i\)’s. However, we can generate several different \(\mathcal R\) programs from \(\mathcal O(P)\) using different solutions of Proposition 4. We assume that the multiples of \(\varvec{g}\) obtained from different \(\mathcal {R}\) programs are independent multiples of \(\varvec{g}\) when the randomized lattice reduction algorithm of [21] is used.

Computing the Hermite Normal Form of \(\langle \varvec{g}\rangle \). Given several random multiples \(\varvec{f}_i \cdot \varvec{g}\) of \(\varvec{g}\), we can recover a basis of \(\langle \varvec{g}\rangle \) by computing the sum of sufficiently many ideals \(\langle \varvec{f} \cdot \varvec{g}\rangle \), each represented by the lattice with basis \(\{ \varvec{f} \cdot \varvec{g}, \varvec{f} \cdot \varvec{g}\cdot X , \cdots , \varvec{f} \cdot \varvec{g}\cdot X^{n-1}\}\), or equivalently by computing the Hermite normal form of the union of their generating sets, applying [1, Lemma 1].

Both computations are done in time polynomial in \(\lambda \) and \(\kappa \), since the evaluations and the Hermite normal form computation have polynomial time complexity. Eventually, we recover a basis of the ideal lattice \(\langle \varvec{g} \rangle \), and we can efficiently compute arithmetic in \(\mathcal {R}/ \langle \varvec{g} \rangle \). In other words, we get an \(\mathcal {R}/\langle \varvec{g} \rangle \) program corresponding to \(\mathcal O(P)\) (or P), whose properties are characterized by Proposition 5. For convenience, we abuse notation: from now on, \(\mathcal {R}({P})\) denotes the \(\mathcal {R}/ \langle \varvec{g}\rangle \) program, and \(\varvec{D}_{\varvec{S}}, \varvec{D}_{\varvec{T}}\) and \(\varvec{D}_{i,\varvec{b}}\) for all \(i \in [\ell ], \varvec{b} \in \{0,1\}^w\) are matrices over \(\mathcal {R}/ \langle \varvec{g}\rangle \).
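The following is an added example, not code from the paper, of the second step above on a constructed toy ring \(\mathbb {Z}[X]/\langle X^4+1\rangle \): it builds the rotation bases \(\{\varvec{h}, \varvec{h}X, \dots , \varvec{h}X^{n-1}\}\) of ideal lattices, reduces the union of the generating sets of two leaked multiples \(\varvec{f}_1\varvec{g}\), \(\varvec{f}_2\varvec{g}\) to Hermite normal form, and then uses that basis to reduce elements modulo \(\langle \varvec{g}\rangle \). The secrets \(\varvec{g}=1+2X\), \(\varvec{f}_1=1+X\) and \(\varvec{f}_2=2+X^2\) are constructed; their norms 17, 2 and 25 are coprime, so \(\langle \varvec{f}_1\varvec{g}\rangle +\langle \varvec{f}_2\varvec{g}\rangle =\langle \varvec{g}\rangle \), whereas a single multiple only yields a proper sublattice of index \(|N(\varvec{f}_1)|\cdot |N(\varvec{g})|=34\). The HNF routine and the function names are this example's own.

```python
N = 4   # constructed toy ring R = Z[X]/(X^N + 1); GGH13 uses n in the thousands


def ring_mul(a, b):
    """Product in Z[X]/(X^N + 1) (negacyclic convolution over the integers)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] += ai * bj
            else:
                out[i + j - N] -= ai * bj
    return out


def rotations(h):
    """Z-basis {h, hX, ..., hX^{N-1}} of the ideal lattice <h>, as integer row vectors."""
    rows, cur = [], list(h)
    for _ in range(N):
        rows.append(cur)
        cur = [-cur[-1]] + cur[:-1]      # multiplication by X in Z[X]/(X^N + 1)
    return rows


def hnf(rows):
    """Row-style Hermite normal form of the lattice spanned by `rows`: echelon form with
    positive pivots and the entries above each pivot reduced into [0, pivot).
    This form is unique per lattice, so two lattices are equal iff their HNFs are."""
    M = [list(r) for r in rows]
    m, n = len(M), len(M[0])
    r = 0
    for c in range(n):
        while True:                                  # Euclid on column c over rows r..m-1
            nz = [i for i in range(r, m) if M[i][c] != 0]
            if not nz:
                break
            i_min = min(nz, key=lambda i: abs(M[i][c]))
            M[r], M[i_min] = M[i_min], M[r]
            done = True
            for i in range(r + 1, m):
                if M[i][c] != 0:
                    f = M[i][c] // M[r][c]
                    M[i] = [x - f * y for x, y in zip(M[i], M[r])]
                    done = done and M[i][c] == 0
            if done:
                break
        if r < m and M[r][c] != 0:                   # column c has a pivot
            if M[r][c] < 0:
                M[r] = [-x for x in M[r]]
            for i in range(r):                       # reduce the rows above the pivot
                f = M[i][c] // M[r][c]
                M[i] = [x - f * y for x, y in zip(M[i], M[r])]
            r += 1
    return M[:r]


def lattice_index(H):
    """[Z^N : L] for a full-rank HNF basis H: the product of its pivots (|N(g)| when L = <g>)."""
    idx = 1
    for row in H:
        idx *= next(x for x in row if x != 0)
    return idx


def ideal_basis_from_multiples(multiples):
    """Sum of the ideals <f_i g>: HNF of the union of their generating sets (Sect. 5.2)."""
    return hnf([row for h in multiples for row in rotations(h)])


def reduce_mod_ideal(v, H):
    """Canonical representative of v in R/<g>, given a full-rank H
NF basis H of <g>."""
    v = list(v)
    for row in H:
        c = next(j for j, x in enumerate(row) if x != 0)
        f = v[c] // row[c]
        v = [x - f * y for x, y in zip(v, row)]
    return v


# Constructed secrets: g = 1 + 2X (N(g) = 17) and two leaked multiples with f1 = 1 + X
# (N(f1) = 2) and f2 = 2 + X^2 (N(f2) = 25); the coprime norms force <f1, f2> = R.
G = [1, 2, 0, 0]
F1_G = ring_mul([1, 1, 0, 0], G)
F2_G = ring_mul([2, 0, 1, 0], G)
```

For this \(\varvec{g}\) the recovered basis is `[[1,0,0,8],[0,1,0,13],[0,0,1,2],[0,0,0,17]]`, which says that \(\mathcal {R}/\langle \varvec{g}\rangle \cong \mathbb {Z}/17\) with \(X \equiv 8\); every multiple of \(\varvec{g}\) reduces to zero against it, and \(1\) reduces to \(9X^3\), a nonzero class. The lesson for a designer is the one the section draws: each leaked multiple of \(\varvec{g}\) shrinks the unknown part of the plaintext ideal, and a handful of independent ones determine it completely.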

5.3 Analysis of the Converting Technique

We discuss the time complexity of our program converting technique. The program converting consists of converting to an \(\mathcal {R}\) program, evaluating the \(\mathcal {R}\) program, and computing a Hermite normal form of the ideal lattice \(\langle \varvec{g}\rangle \). The last two steps take polynomial time, so the total cost is dominated by the first step. More precisely, solving the NTRU problem for each encoded matrix is the dominant part of the program converting.

To estimate the cost of solving the NTRU problem, we assume that each component of the branching program is encoded at level 1 of the GGH13 multilinear map. The general case is similar but a bit more complex, under the assumption that the sizes of the level sets are not too different, so that \(\ell = \varTheta (\kappa )\).

Suppose that an obfuscated branching program \(\mathcal O({P})\) over the \((\kappa ,\lambda )\)-GGH13 multilinear map is given. As written in Sect. 2.3, for constants \(\delta , e\), security parameter \(\lambda \) and multilinearity level \(\kappa \), the parameters n, M, and \(\log q\) are set to \(\tilde{\varTheta }(\kappa ^e \cdot \lambda ^\delta )\), \(n^{\varTheta (1)}\), and \(\tilde{\varTheta }(\kappa \cdot \log n)\), respectively. Proposition 4 implies that one can convert the program in \(2^{O(\beta )}\cdot poly(\lambda ,\kappa )\) time for \(\frac{\beta }{\log \beta }= \varTheta (\frac{n\log M}{\log ^2 q})= \tilde{\varTheta }\left( \frac{\lambda ^\delta }{ \kappa ^{2-e}}\right) \). Therefore, the program converting technique runs in polynomial time for \(\kappa =\tilde{\varOmega }(\lambda ^{\delta /(2-e)})\); equivalently, it runs in polynomial time for obfuscated programs of length \(\ell = \tilde{\varOmega }(\lambda ^{\delta /(2-e)})\).

We note that choosing n large enough that the subfield attack takes exponential time rules out our attack as well. More concretely, if one chooses \(n=\tilde{\varTheta }(\kappa ^2 \lambda )\), then the underlying NTRU problem is hard enough to block the known subexponential time attacks.

6 Matrix Zeroizing Attack

In this section, we present a distinguishing attack on \(\mathcal {R}\) programs, which completes our cryptanalysis of the attackable BP obfuscation model. We note that we can evaluate an \(\mathcal {R}\) program at invalid (mixed) inputs, since the multilinearity level, which was the obstacle to mixed inputs, was removed in the previous step. We recall that \(\varvec{M}(\varvec{b})\) denotes \(\prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i}\) for \(\varvec{b} = (\varvec{b}_1,\cdots ,\varvec{b}_\ell )\), and the set of linear relations

$$ L_{\varvec{M}} = \left\{ \left( q_{\varvec{b}}\right) _{{\varvec{b} \in \{0,1\}^{w\times \ell }}}:\displaystyle {\sum _{\varvec{b} \in \{0,1\}^{w\times \ell }} q_{\varvec{b}} \cdot \varvec{M}(\varvec{b}) = \varvec{0}^{d_1 \times d_{\ell +1}}}\right\} $$

which was defined in Sect. 4.3. We also recall that two programs \(\varvec{M}\) and \(\varvec{N}\) are linear relationally inequivalent if \(L_{\varvec{M}} \ne L_{\varvec{N}}\).

For two functionally equivalent but linear relationally inequivalent BPs \(P_{\varvec{M}}\) and \(P_{\varvec{N}}\), we zeroize the \(\mathcal {R}\) program corresponding to \(P_{\varvec{M}}\) by exploiting a linear relation, whereas the \(\mathcal {R}\) program corresponding to \(P_{\varvec{N}}\) does not become a zero matrix. The result of the matrix zeroizing attack is as follows.

Proposition 6

(Matrix Zeroizing Attack). For functionally equivalent but linear relationally inequivalent branching programs \(P_{\varvec{M}},P_{\varvec{N}}\), there is a PPT algorithm that distinguishes the two \(\mathcal {R}\) programs \(\mathcal {R}(P_{\varvec{M}})\) and \(\mathcal {R}(P_{\varvec{N}})\) obtained by the method of Sect. 5 with non-negligible probability.

Now we explain how to distinguish two \(\mathcal R\) programs using linear relational inequivalence. Despite the absence of multilinearity levels, there is still an obstacle to exploiting linear relational inequivalence directly: the scalar bundlings. To explain the main idea of the attack, we assume for the time being that all scalar bundlings in the program obtained in Sect. 5 are trivial. We explain later how to deal with the scalar bundlings.

Suppose that two BPs \(P_{\varvec{M}}, P_{\varvec{N}}\) and an \(\mathcal {R}\) program

$$\mathcal {R}(P_{\varvec{X}})= \{{\varvec{D}}_{\varvec{S}},{\varvec{D}}_{\varvec{T}},{\varvec{D}}_{\varvec{S}'},{\varvec{D}}_{\varvec{T}'}, \{{\varvec{D}}_{i, \varvec{b}},{\varvec{D}}'_{i, \varvec{b}}\}_{i\in [\ell ], \varvec{b}\in \{0,1\}^w}\}$$

are given. Our goal is to determine whether \(\varvec{X} = \varvec{N}\) or \(\varvec{X} = \varvec{M}\). We can compute a linear relation \(\left( q_{\varvec{b}}\right) \) in \(L_{\varvec{M}}\setminus L_{\varvec{N}}\) in polynomial time (Footnote 6) by computing a basis of the kernel and solving the lattice membership problem for each basis vector. Then the following equation holds

$$\begin{aligned} \sum _{\varvec{b} \in \{0,1\}^{w\times \ell }}\left( q_{\varvec{b}} \cdot \varvec{D}_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{D}_{i,\varvec{b}_i} \cdot \varvec{D}_{\varvec{T}}\right) &= \sum _{\varvec{b} \in \{0,1\}^{w\times \ell }}\left( q_{\varvec{b}} \cdot \varvec{S}_0 \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i} \cdot \varvec{T}_0 \right) \\ &= \varvec{S}_0 \cdot \sum _{\varvec{b} \in \{0,1\}^{w\times \ell }} \left( q_{\varvec{b}} \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i} \right) \cdot \varvec{T}_0 \\ &= \varvec{S}_0 \cdot \varvec{0}^{d_1 \times d_{\ell +1}} \cdot \varvec{T}_0 = \mathbf {0}^{{d}_0 \times d_{\ell +2}} \pmod {\langle \varvec{g}\rangle } \end{aligned}$$

when \(\varvec{X} = \varvec{M}\), whereas it does not hold when \(\varvec{X} = \varvec{N}\). Therefore, the matrix zeroizing attack works when the scalar bundlings are all trivial.

When the scalar bundlings are not trivial, we can do a similar computation after recovering the ratios of the bundling scalars. Assume that we know \(\varvec{\rho }_{i,\varvec{u}}/\varvec{\rho }_{i,\varvec{v}}\) for every \(1 \le i \le \ell \) and \(\varvec{u},\varvec{v} \in \{0,1\}^w\). Consequently, for \(\varvec{r}(\varvec{b}) := \prod _{i \in [\ell ]} \varvec{\rho }_{i,\varvec{b}_{i}}\) where \(\varvec{b} = (\varvec{b}_1 ,\cdots ,\varvec{b}_\ell )\), we can compute \(\varvec{r} (\varvec{b}) / \varvec{r} (\varvec{c})\) for \(\varvec{b}, \varvec{c} \in \{0,1\}^{w \times \ell }\) by multiplying ratios of bundling scalars. Then we can calculate

$$\begin{aligned}&\sum _{\varvec{b} \in \{0,1\}^{w\times \ell }}\left( q_{\varvec{b}} \cdot \frac{\varvec{r}({\varvec{0}})}{\varvec{r}({\varvec{b}})} \cdot \varvec{D}_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{D}_{i,\varvec{b}_i} \cdot \varvec{D}_{\varvec{T}}\right) \\&=\sum _{\varvec{b} \in \{0,1\}^{w\times \ell }}\left( q_{\varvec{b}} \cdot \varvec{\rho }_{\varvec{S}} \cdot \varvec{r}({\varvec{0}})\cdot \varvec{\rho }_{\varvec{T}} \cdot \varvec{S}_0 \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i} \cdot \varvec{T}_0\right) \\&=\varvec{\rho }_{\varvec{S}} \cdot \varvec{r}({\varvec{0}}) \cdot \varvec{\rho }_{\varvec{T}} \cdot \varvec{S}_0 \cdot \sum _{\varvec{b} \in \{0,1\}^{w\times \ell }}\left( q_{\varvec{b}} \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i} \right) \cdot \varvec{T}_0 \pmod {\langle \varvec{g}\rangle }, \end{aligned}$$

which is a zero matrix if and only if \(\varvec{X} = \varvec{M}\).
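The following is an added example, not code from the paper, that carries the two displayed computations through on constructed data and also serves as a concrete instance of the randomization of Definition 3. The prime field GF(p) is used as a stand-in for \(\mathcal {R}/\langle \varvec{g}\rangle \) (an assumption of the demo); the two constructed read-once BPs are the same functionally equivalent, linear relationally inequivalent pair used in the example of Sect. 4.3, and \(q = (0,-1,1,0)\) is a relation in \(L_{\varvec{M}}\setminus L_{\varvec{N}}\), which the code re-checks. Each program is randomized with Kilian matrices, nonzero bundling scalars and bookend vectors; the bundling ratios \(\varvec{\rho }_{i,\varvec{0}}/\varvec{\rho }_{i,\varvec{b}}\), which Sect. 6 obtains from the program itself, are here kept from the randomization step so that only the weighted sum is demonstrated. The point for a designer is that Kilian randomization, bundling and bookends all commute with the sum over \(\varvec{b}\), so a relation among the plaintext products survives them untouched.

```python
import random
from itertools import product

# Constructed toy setting: the prime field GF(P_MOD) stands in for the plaintext ring
# R/<g> of the converted program (an assumption of this demo, not the paper's ring).
P_MOD = 1_000_003

# Constructed read-once BPs (w = 1, length 2): functionally equivalent (entry [0,1] of
# the product is b1 + b2, resp. b1 + 2*b2, zero only at b = 00) but linear relationally
# inequivalent.
I = [[1, 0], [0, 1]]
A = [[1, 1], [0, 1]]
A2 = [[1, 2], [0, 1]]
P_M = [{0: I, 1: A}, {0: I, 1: A}]
P_N = [{0: I, 1: A}, {0: I, 1: A2}]
INPUTS = list(product((0, 1), repeat=2))
# A linear relation in L_M \ L_N:  -M(0,1) + M(1,0) = 0  but  -N(0,1) + N(1,0) != 0.
Q_REL = {(0, 0): 0, (0, 1): -1, (1, 0): 1, (1, 1): 0}


def matmul(X, Y, p=None):
    Z = [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) for j in range(len(Y[0]))]
         for i in range(len(X))]
    return [[z % p for z in row] for row in Z] if p else Z


def scale(X, s, p=P_MOD):
    return [[x * s % p for x in row] for row in X]


def bp_product(bp, b, p=None):
    """prod_i M_{i,b_i} for a valid or mixed input b (exact over Z when p is None)."""
    out = bp[0][b[0]]
    for layer, bit in zip(bp[1:], b[1:]):
        out = matmul(out, layer[bit], p)
    return out


def is_linear_relation(bp, q):
    """Exact integer check of Definition 4 on the plaintext BP."""
    mats = {b: bp_product(bp, b) for b in INPUTS}
    return all(sum(q[b] * mats[b][i][j] for b in INPUTS) == 0 for i in range(2) for j in range(2))


def inv2x2(K, p=P_MOD):
    (a, b), (c, d) = K
    di = pow((a * d - b * c) % p, -1, p)
    return [[d * di % p, -b * di % p], [-c * di % p, a * di % p]]


def random_invertible(rng, p=P_MOD):
    while True:
        K = [[rng.randrange(p) for _ in range(2)] for _ in range(2)]
        if (K[0][0] * K[1][1] - K[0][1] * K[1][0]) % p:
            return K


def randomize(bp, rng, p=P_MOD):
    """Randomization in the spirit of Definition 3 (no dummy program, no higher-dimension
    embedding): Kilian matrices K_0..K_l, nonzero bundling scalars alpha, and bookend vectors
    s = (1,0), t = (0,1)^T selecting the [0,1] output entry:
        D_S = alpha_S * s * K_0^{-1},  D_{i,b} = alpha_{i,b} * K_{i-1} M_{i,b} K_i^{-1},  D_T = alpha_T * K_l * t."""
    l = len(bp)
    K = [random_invertible(rng, p) for _ in range(l + 1)]
    Kinv = [inv2x2(k, p) for k in K]
    alpha = [{bit: rng.randrange(1, p) for bit in (0, 1)} for _ in range(l)]
    layers = [{bit: scale(matmul(matmul(K[i], bp[i][bit], p), Kinv[i + 1], p), alpha[i][bit], p)
               for bit in (0, 1)} for i in range(l)]
    d_s = matmul([[rng.randrange(1, p), 0]], Kinv[0], p)
    d_t = matmul(K[l], [[0], [rng.randrange(1, p)]], p)
    # ASSUMPTION: the ratios rho_{i,0}/rho_{i,b} are handed over from the randomization step;
    # Sect. 6 describes how they are obtained from the program itself.
    ratios = [{bit: alpha[i][0] * pow(alpha[i][bit], -1, p) % p for bit in (0, 1)} for i in range(l)]
    return {"S": d_s, "T": d_t, "layers": layers, "ratios": ratios}


def bookended(rprog, b, p=P_MOD):
    """D_S * prod_i D_{i,b_i} * D_T as a scalar mod p, for a valid or mixed input b."""
    return matmul(matmul(rprog["S"], bp_product(rprog["layers"], b, p), p), rprog["T"], p)[0][0]


def evaluate(rprog, b):
    """Honest evaluation: 0 iff the bookended product vanishes, which matches P(b)."""
    return int(bookended(rprog, b) != 0)


def zeroize(rprog, q, p=P_MOD):
    """sum_b q_b * r(0)/r(b) * D_S * prod_i D_{i,b_i} * D_T  (mod p).
    Equals alpha_S * r(0) * alpha_T * s * (sum_b q_b M(b)) * t, hence 0 iff q is a relation of
    the hidden plaintext BP."""
    total = 0
    for b in INPUTS:
        weight = 1
        for i, bit in enumerate(b):
            weight = weight * rprog["ratios"][i][bit] % p
        total = (total + q[b] * weight * bookended(rprog, b, p)) % p
    return total


def distinguish(rprog, q):
    return "M" if zeroize(rprog, q) == 0 else "N"
```

Every randomized copy of `P_M` evaluates to the same function as every copy of `P_N` on valid inputs, yet `zeroize` returns 0 for the former and a nonzero field element for the latter, for any choice of Kilian matrices and bundling scalars.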

Accordingly, we must remove the scalar bundlings, or recover their ratios, to execute the matrix zeroizing attack. In the rest of this section, we show how to recover or remove (ratios of) scalar bundlings in several cases. In Sect. 6.2, we explain how to recover all ratios in the general case using more involved techniques.

6.1 Existing BP Obfuscations

In this section, we show how to apply the matrix zeroizing attack to two notable obfuscations, GGHRSW and GMMSSZ. The other examples of obfuscations [6, 32] are treated in Appendix B.

GGHRSW. As the first case, we consider the first BP obfuscation, GGHRSW, which has an identity dummy program. We note that the attack for this case also works for attackable BP obfuscations with any fixed dummy program. In this case, the constraint \(\varvec{\alpha }_{\varvec{x}} = \varvec{\alpha }'_{\varvec{x}} \) on the bundling scalars is given for every input \(\varvec{x}\), where \(\varvec{\alpha }_{\varvec{x}} = \varvec{\alpha }_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\alpha }_{i,{\varvec{x}}_{\mathsf{inp}(i)}} \cdot \varvec{\alpha }_{\varvec{T}},~\varvec{\alpha }'_{\varvec{x}} = \varvec{\alpha }'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\alpha }'_{i,{\varvec{x}}_{\mathsf{inp}(i)}} \cdot \varvec{\alpha }'_{\varvec{T}}\). Suppose the \(\mathcal {R}\) program of P is given by

$$ \mathcal {R}({P})=\{{\varvec{D}}_{\varvec{S}},{\varvec{D}}_{\varvec{T}},{\varvec{D}}_{\varvec{S}'},{\varvec{D}}_{\varvec{T}'},\{{\varvec{D}}_{i,\varvec{b}},{\varvec{D}'}_{i,\varvec{b}}\}_{i\in [\ell ], \varvec{b}\in \{0,1\}^w}\}. $$

By Proposition 5, the following equations hold:

$$\begin{aligned} \varvec{D}_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{D}_{i,\varvec{x}_{\mathsf{inp }(i)}} \cdot \varvec{D}_{\varvec{T}}&=\varvec{\rho }_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\rho }_{i,\varvec{x}_{\mathsf{inp }(i)}} \cdot \varvec{\rho }_{\varvec{T}} \cdot \left( \varvec{S}_0 \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{x}_{\mathsf{inp }(i)}} \cdot \varvec{T}_0\right) \bmod {\langle \varvec{g}\rangle },\\ \varvec{D}'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{D}'_{i,\varvec{x}_{\mathsf{inp }(i)}}\cdot \varvec{D}'_{\varvec{T}}&=\varvec{\rho }'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\rho }'_{i,\varvec{x}_{\mathsf{inp }(i)}} \cdot \varvec{\rho }'_{\varvec{T}} \cdot \left( \varvec{S}'_0 \cdot \prod _{i=1}^\ell \varvec{M}'_{i,\varvec{x}_{\mathsf{inp }(i)}} \cdot \varvec{T}'_0\right) \bmod {\langle \varvec{g}\rangle }. \end{aligned}$$

Here we assume that each \(\varvec{M}'_ {i, \varvec{x}_{\mathsf{inp }(i)}}\) is an identity matrix. Now we consider the two evaluation quantities \(Plain_{\varvec{D}}(\varvec{x}):={\varvec{D}}_{\varvec{S}} \cdot \prod _{i=1}^{\ell } \varvec{D}_{i,\varvec{x}_{\mathsf{inp }(i)}} \cdot {\varvec{D}}_{\varvec{T}}\) and \(Dummy_{\varvec{D}}(\varvec{x}):= {\varvec{D}}'_{\varvec{S}} \cdot \prod _{i=1}^{\ell } {\varvec{D}}'_{i,\varvec{x}_{\mathsf{inp}(i)}} \cdot {\varvec{D}}'_{\varvec{T}}\).

By the condition on the scalar bundlings, \( \varvec{\rho }_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\rho }_{i,\varvec{x}_{\mathsf{inp }(i)}} \cdot \varvec{\rho }_{\varvec{T}}=\varvec{\rho }'_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\rho }'_{i,\varvec{x}_{\mathsf{inp }(i)}} \cdot \varvec{\rho }'_{\varvec{T}} \), since the values \(\varvec{c}\) are shared by the plain and dummy programs. It is therefore possible to remove the scalar bundlings by dividing \(Plain_{\varvec{D}}(\varvec{x})\) by \(Dummy_{\varvec{D}}(\varvec{x})\). In other words, from this division we obtain \(\varvec{d}\cdot \varvec{S}_0 \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{x}_{\mathsf{inp }(i)}} \cdot \varvec{T}_0 \) for some fixed \(\varvec{d}\). Since we know all the \(\varvec{M}\)’s, the matrix zeroizing attack works on the computed quantities.

We remark that the previous analysis [16] attacked the first candidate iO [23]. Whereas the work in [16] relies heavily on the input partitionable property of single-input branching programs, our algorithm does not need this property. Moreover, our algorithm applies to dual-input branching programs, so this attack applies to a wider range of branching programs.

GMMSSZ. The most notable result on BP obfuscation, GMMSSZ, was suggested by Garg et al. at TCC 2016 [24]. The authors claim security of their construction against all known attacks. Nevertheless, the matrix zeroizing attack can be applied to their obfuscation.

GMMSSZ obfuscates low-rank matrix branching programs, which are evaluated by checking whether the product \(\varvec{M}_0 \cdot \prod _{i \in [\ell ]} \varvec{M}_{i,\varvec{b}_i} \cdot \varvec{M}_{\ell +1}\) is zero or not. The obfuscation has two distinctive properties: uniformly random higher dimension embedding, and bookend vectors given as inputs. Let \(\varvec{M}_0 = (\beta _1 ,\cdots , \beta _{d_1}) , \varvec{M}_{\ell +1} = (\gamma _1 ,\cdots ,\gamma _{d_{\ell +1}})^T\) be the given bookend vectors. In the higher dimension embedding step, the bookend vectors are also extended, as \(\varvec{H}_0 = (\varvec{M}_0 || \mathbf {0} ), \varvec{H}_{\ell +1 } = (\varvec{M}_{\ell +1} || \varvec{U}_{\ell +1})^T\) for randomly chosen \(\varvec{U}_{\ell +1 }\), so as to remove the higher dimension embedding matrices. Although the branching programs of this obfuscation are square, we do not restrict the shape of the matrices in this section.

For the evaluation, one computes \(\widetilde{\varvec{M}}_0 \cdot \prod _{i \in [\ell ]} \widetilde{\varvec{M}}_{i, \varvec{b}_i} \cdot \widetilde{\varvec{M}}_{\ell +1}\), which corresponds to

$$ \varvec{D}_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{D}_{i,\varvec{b}_i} \cdot \varvec{D}_{\varvec{T}} =\varvec{\rho }_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\rho }_{i,\varvec{b}_i} \cdot \varvec{\rho }_{\varvec{T}} \cdot \left( \varvec{M}_0 \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i} \cdot \varvec{M}_{\ell +1}\right) \pmod {\langle \varvec{g}\rangle } $$

in the \(\mathcal {R}\) program by Proposition 5. Since we know all of the \(\varvec{M}\)’s, we can compute the ratios of the scalar bundlings by

$$\varvec{\rho }_{j,\varvec{b}_j}/\varvec{\rho }_{j,\varvec{b}'_j}= \dfrac{\varvec{D}_{\varvec{S}} \cdot \prod _{i \in [\ell ]} \varvec{D}_{i, \varvec{b}_i}\cdot \varvec{D}_{\varvec{T}}/\varvec{M}_{0}\prod _{i\in [\ell ]} \varvec{M}_{i,\varvec{b}_i}\cdot \varvec{M}_{\ell +1}}{\varvec{D}_{\varvec{S}} \cdot \prod _{i \in [\ell ]} \varvec{D}_{i, \varvec{b}'_i}\cdot \varvec{D}_{\varvec{T}} /\varvec{M}_{0}\prod _{i\in [\ell ]} \varvec{M}_{i,\varvec{b}'_i}\cdot \varvec{M}_{\ell +1}}$$

for \(\varvec{b},\varvec{b}'\) which agree at all but the j-th bit. Therefore, the matrix zeroizing attack works well against the construction of [24]. We remark that this method also works for unknown bookend matrices, with a more complicated technique; see Sect. 6.2.

6.2 Attackable BP Obfuscation, General Case

Now we consider the attackable BP obfuscations in general. We note that an attackable obfuscation without bookends can be regarded as an obfuscation with bookends by renaming the matrices. For example, if we set \(\varvec{D}_{\varvec{S}} := \varvec{D}_{1, \varvec{0}} = \varvec{\rho }_{1,\varvec{0}} \cdot \varvec{D}_1\), then we can regard \(\varvec{D}_{\varvec{S}}\) as a left bookend matrix and \(\varvec{\rho }_{1,\varvec{0}}\) as the corresponding scalar bundling.

The case of obfuscation with bookend matrices is the most complex and requires a more involved technique. We first recover the bookend matrices up to a constant multiple, and then proceed with the algorithm as in the case of [24].

Recovering the Bookends. For the sake of simplicity, we only consider the case of bookend vectors. To handle constructions using bookend matrices, it suffices to consider a fixed (u, v)-entry of the output matrix given in Proposition 2.

If the obfuscation has bookend vectors, then the evaluation of the \(\mathcal {R}\) program is computed as

$$\varvec{D}_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{D}_{i,\varvec{b}_i} \cdot \varvec{D}_{\varvec{T}} =\varvec{\rho }_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{\rho }_{i,\varvec{b}_i} \cdot \varvec{\rho }_{\varvec{T}} \cdot \left( \varvec{S}_0 \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i} \cdot \varvec{T}_0\right) \pmod {\langle \varvec{g}\rangle }$$

for some vectors \(\varvec{S}_0 \in (\mathcal {R}/\langle \varvec{g} \rangle )^{1 \times d_1}\) and \(\varvec{T}_0\in (\mathcal {R}/\langle \varvec{g} \rangle )^{d_{\ell +1} \times 1}\). Let \(\varvec{S}_0 = (\varvec{\beta }_1, \cdots , \varvec{\beta }_{d_1}),\) \(\varvec{T}_0 = (\varvec{\gamma }_1,\cdots ,\varvec{\gamma }_{d_{\ell +1}})^T\), and denote the evaluation \(\varvec{D}_{\varvec{S}} \cdot \prod _{i=1}^\ell \varvec{D}_{i,\varvec{b}_i} \cdot \varvec{D}_{\varvec{T}}\) by \(Eval_{\varvec{D}}(\varvec{b}_1 ,\cdots , \varvec{b}_\ell )\).

Our idea is to remove the \(\varvec{\rho }\)’s and obtain equations over \(\varvec{S}_0 ,\varvec{T}_0\). Let \(\varvec{b}_{i,t} \in \{0,1\}^w\) for \(1 \le i \le \ell \) and \(t \in \{0,1\}\), and let \(\varvec{t} = (t_1 ,\cdots ,t_\ell ) \in \{0,1\}^\ell \). Then the following two values share the same \(\varvec{\rho }\)’s, namely \((\varvec{\rho }_{\varvec{S}} \varvec{\rho }_{\varvec{T}})^2 \cdot \prod _{i \in [\ell ]} \varvec{\rho }_{i,\varvec{b}_{i,0}} \varvec{\rho }_{i,\varvec{b}_{i,1}}\):

$$\begin{aligned} Eval_{\varvec{D}}(\varvec{b}_{1,0},\cdots , \varvec{b}_{\ell ,0}) \cdot&Eval_{\varvec{D}}(\varvec{b}_{1,1},\cdots , \varvec{b}_{\ell ,1}),\\ Eval_{\varvec{D}}(\varvec{b}_{1,t_{1}},\cdots , \varvec{b}_{\ell , t_\ell }) \cdot&Eval_{\varvec{D}}(\varvec{b}_{1,1-t_{1}},\cdots , \varvec{b}_{\ell , 1-t_\ell }). \end{aligned}$$

We denote \( \varvec{S}_0 \cdot \prod _{i=1}^\ell \varvec{M}_{i,\varvec{b}_i} \cdot \varvec{T}_0\) by \(Eqn_{\varvec{M}} (\varvec{b}_1, \cdots ,\varvec{b}_\ell )\). Then, by the above relation, we get an equation in \(\varvec{\beta }_1, \cdots , \varvec{\beta }_{d_1},\varvec{\gamma }_1 ,\cdots ,\varvec{\gamma }_{d_{\ell +1}}\):

$$\begin{aligned}&\dfrac{Eqn_{\varvec{M}}(\varvec{b}_{1,0},\cdots , \varvec{b}_{\ell ,0}) \cdot Eqn_{\varvec{M}}(\varvec{b}_{1,1},\cdots , \varvec{b}_{\ell ,1})}{Eval_{\varvec{D}}(\varvec{b}_{1,0},\cdots , \varvec{b}_{\ell ,0}) \cdot Eval_{\varvec{D}}(\varvec{b}_{1,1},\cdots , \varvec{b}_{\ell ,1})}\\&=\dfrac{Eqn_{\varvec{M}} (\varvec{b}_{1,t_{1}},\cdots , \varvec{b}_{\ell , t_\ell }) \cdot Eqn_{\varvec{M}}(\varvec{b}_{1,1-t_{1}},\cdots , \varvec{b}_{\ell , 1-t_\ell })}{Eval_{\varvec{D}}(\varvec{b}_{1,t_{1}},\cdots , \varvec{b}_{\ell , t_\ell }) \cdot Eval_{\varvec{D}}(\varvec{b}_{1,1-t_{1}},\cdots , \varvec{b}_{\ell , 1-t_\ell })}. \end{aligned}$$

Both sides of the equation are homogeneous polynomials of degree 4 in the entries of \(\varvec{S}_0\) and \(\varvec{T}_0\). If we substitute each degree-4 monomial by a new variable, this equation becomes a homogeneous linear equation in the new variables. The number of new variables is \(O(d_1^2 d_{\ell +1}^2)\).

Now we assume that we can obtain a sufficient number of linearly independent equations in the way explained above. Then, since a system of linear equations in M variables can be solved in \(O(M^3)\) time by Gaussian elimination, we can find all ratios of the degree-4 monomials. Footnote 7 In other words, we can compute \(\varvec{\delta }\varvec{\beta }_1, \cdots , \varvec{\delta }\varvec{\beta }_{d_1},\varvec{\delta }\varvec{\gamma }_1,\cdots ,\varvec{\delta }\varvec{\gamma }_{d_{\ell +1}}\) for some constant \(\varvec{\delta }\).

Matrix Zeroizing Attack. The remaining part of the attack is exactly the same as the attack on GMMSSZ. Precisely, we can recover the ratios of the scalar bundlings by computing

$$\varvec{\rho }_{j,\varvec{b}_j}/\varvec{\rho }_{j,\varvec{b}'_j}= \dfrac{\varvec{D}_{\varvec{S}} \cdot \prod _{i \in [\ell ]} \varvec{D}_{i, \varvec{b}_i}\cdot \varvec{D}_{\varvec{T}}/\varvec{S}_{0}\prod _{i\in [\ell ]} \varvec{M}_{i,\varvec{b}_i}\cdot \varvec{T}_{0}}{\varvec{D}_{\varvec{S}} \cdot \prod _{i \in [\ell ]} \varvec{D}_{i, \varvec{b}'_i}\cdot \varvec{D}_{\varvec{T}} /\varvec{S}_{0}\prod _{i\in [\ell ]} \varvec{M}_{i,\varvec{b}'_i}\cdot \varvec{T}_{0}}$$

for \(\varvec{b},\varvec{b}'\) which agree at all but the j-th bit. We note that we do not know the exact values of \(\varvec{S}_0,\varvec{T}_0\), but we have recovered \(\varvec{\delta }\varvec{S}_0, \varvec{\delta }\varvec{T}_0\) in the above step, and the constant cancels in the ratio. Thus we can compute \(\varvec{\rho }_{j,\varvec{b}_j}/\varvec{\rho }_{j,\varvec{b}'_j}\) by

$$ \dfrac{\varvec{D}_{\varvec{S}} \cdot \prod _{i \in [\ell ]} \varvec{D}_{i, \varvec{b}_i}\cdot \varvec{D}_{\varvec{T}}/ (\varvec{\delta }\varvec{S}_{0})\prod _{i\in [\ell ]} \varvec{M}_{i,\varvec{b}_i}\cdot (\varvec{\delta }\varvec{T}_{0})}{\varvec{D}_{\varvec{S}} \cdot \prod _{i \in [\ell ]} \varvec{D}_{i, \varvec{b}'_i} \cdot \varvec{D}_{\varvec{T}} / (\varvec{\delta }\varvec{S}_{0}) \prod _{i\in [\ell ]} \varvec{M}_{i,\varvec{b}'_i} \cdot (\varvec{\delta } \varvec{T}_{0})}.$$

Therefore, the matrix zeroizing attack can be applied to all attackable BP obfuscations, which include all existing BP obfuscations over GGH13.
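A toy model of Sect. 6.2, covering both the bookend recovery (linearising the degree-4 equations and solving by Gaussian elimination) and the ratio-of-scalar-bundlings step also used against GMMSSZ above, as an added example that is not part of the paper. It assumes \(\mathbb {F}_p\) in place of \(\mathcal {R}/\langle \varvec{g}\rangle \), \(\ell = 4\) layers of \(2 \times 2\) matrices with 1-bit inputs (\(w = 1\)), and a constructed instance (bookends, matrices, scalar bundlings) drawn from a fixed seed; the `attack` function and all other names are ours.

```python
# Toy model of the Sect. 6.2 attack, added here as an illustration (not the paper's code). It
# assumes F_p in place of R/<g>, l = 4 layers of 2x2 matrices, 1-bit inputs, a constructed instance.
import random
from itertools import product
from math import prod
p, L, d = 1_000_003, 4, 2                   # prime modulus, number of layers, matrix dimension
INPUTS = list(product((0, 1), repeat=L))
MON = [(u, uu, v, vv) for u in range(d) for uu in range(u, d) for v in range(d) for vv in range(v, d)]

def prog_matrix(M, x):                      # P_x = M_{1,x_1} ... M_{l,x_l}, computed mod p
    P = M[0][x[0]]
    for i in range(1, L): P = [[sum(P[r][k] * M[i][x[i]][k][c] for k in range(d)) % p for c in range(d)] for r in range(d)]
    return P
def bilin(S, P, T):                         # S . P . T as a scalar; this is Eqn_M(x) when S = S_0, T = T_0
    return sum(S[u] * P[u][v] * T[v] for u in range(d) for v in range(d)) % p
def eqn_coeffs(Px, Py):                     # Eqn_M(x) * Eqn_M(y) as a vector over the monomials MON
    c = dict.fromkeys(MON, 0)               # MON entry (u, uu, v, vv) stands for beta_u beta_uu gamma_v gamma_vv
    for u, v, uu, vv in product(range(d), repeat=4):
        c[(min(u, uu), max(u, uu), min(v, vv), max(v, vv))] += Px[u][v] * Py[uu][vv]
    return [c[m] % p for m in MON]
def nullvector(rows):                       # Gauss-Jordan over F_p; assumes the null space is 1-dimensional
    A, piv = [r[:] for r in rows], []
    for c in range(len(MON)):
        k = next((i for i in range(len(piv), len(A)) if A[i][c]), None)
        if k is None: continue
        r = len(piv); A[r], A[k] = A[k], A[r]; piv.append(c)
        inv = pow(A[r][c], p - 2, p); A[r] = [a * inv % p for a in A[r]]
        for i in range(len(A)):
            if i != r: f = A[i][c]; A[i] = [(a - f * b) % p for a, b in zip(A[i], A[r])]
    fc = [c for c in range(len(MON)) if c not in piv][0]; v = [0] * len(MON); v[fc] = 1
    for i, pc in enumerate(piv): v[pc] = -A[i][fc] % p
    return v

def attack(seed=7):
    rng = random.Random(seed); rnd = lambda: rng.randrange(1, p); inv = lambda a: pow(a, p - 2, p)
    M = [[[[rnd() for _ in range(d)] for _ in range(d)] for _ in (0, 1)] for _ in range(L)]
    S, T, rho, rho_ST = [rnd(), rnd()], [rnd(), rnd()], [[rnd(), rnd()] for _ in range(L)], rnd()
    P = {x: prog_matrix(M, x) for x in INPUTS}
    Eval = lambda x: rho_ST * bilin(S, P[x], T) * prod(rho[i][b] for i, b in enumerate(x)) % p  # Eval_D
    rows = []
    for x, y, mask in product(INPUTS, repeat=3):  # swapping the bits where mask = 1 keeps the same rho's
        xs, ys = zip(*[(y[i], x[i]) if m else (x[i], y[i]) for i, m in enumerate(mask)])
        a, b = Eval(xs) * Eval(ys) % p, Eval(x) * Eval(y) % p
        rows.append([(a * c1 - b * c2) % p for c1, c2 in zip(eqn_coeffs(P[x], P[y]), eqn_coeffs(P[xs], P[ys]))])
    z = nullvector(rows)
    n = inv(z[MON.index((0, 0, 0, 0))])                     # scale so that beta_0 = gamma_0 = 1
    beta, gamma = [1, z[MON.index((0, 1, 0, 0))] * n % p], [1, z[MON.index((0, 0, 0, 1))] * n % p]
    x0, x1 = (0, 0, 0, 0), (0, 0, 1, 0)                     # inputs differing only in the 3rd bit
    ratio = Eval(x0) * bilin(beta, P[x1], gamma) * inv(Eval(x1) * bilin(beta, P[x0], gamma)) % p
    return (beta[1] == S[1] * inv(S[0]) % p, gamma[1] == T[1] * inv(T[0]) % p,
            ratio == rho[2][0] * inv(rho[2][1]) % p)
```

`attack()` returns three booleans: whether the recovered bookends match \(\varvec{S}_0\) and \(\varvec{T}_0\) up to scale, and whether the recovered ratio equals \(\varvec{\rho }_{3,0}/\varvec{\rho }_{3,1}\); note that with only \(\ell = 2\) layers the equations would not be sufficient, as the text's assumption warns.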