Hello, everyone. I'm going to present you a joint work with Shweta Agrawal called "Indistinguishability Obfuscation without Maps: Attacks and Fixes for Noisy Linear FE". This talk is going to be on obfuscation, and more precisely, what we did is we studied some iO construction, an indistinguishability obfuscation construction, proposed by Shweta Agrawal at Eurocrypt last year. And what we found with this study is two attacks on the construction, and we proposed a fix that prevents these two attacks.

So let me briefly start with iO. You probably already know that iO is a very useful tool for constructing cryptographic primitives, and there have been multiple candidate iO constructions proposed so far, which can be roughly grouped into two categories. The first one is what I'm going to call direct constructions of iO using multilinear maps. And the second category, which is the one we're going to be interested in in this talk, is constructions that use bootstrapping from some variants of functional encryption, and use that to construct iO in a provable way. The construction we're going to be interested in here is one of this new generation of iO. More precisely, as I already said, this is a construction from Shweta last year, and she showed that if you have a primitive called noisy linear functional encryption, with LWE you can use that to construct indistinguishability obfuscation in a provable way. And together with this bootstrapping, she also proposed a direct construction of NLinFE, which is the one we're going to study in this talk. Let me just mention that there has been a very long line of work on bootstrapping variants of FE to construct iO, and there is a very interesting recent work which can build iO from pairings and a weak and leaky variant of LWE. Okay, so let's go back to our focus here, which is the direct construction of noisy linear FE from Shweta last year.
Let me just say a few words about NLinFE. It's not going to be needed for the rest of the talk, so you can skip it if you don't want to know about it. Let me first say a few words about linear FE, linear functional encryption. In linear FE, you have a ciphertext that corresponds to a message which is a vector; the secret key is also derived with respect to a vector. And when you decrypt a ciphertext with a secret key, what you recover is the inner product between the vector corresponding to the secret key and the vector corresponding to the ciphertext. And the property of linear FE should be that this secret key and ciphertext hide everything about the secret message x except this inner product. Now if you consider noisy linear FE, it's almost the same, except that instead of recovering the inner product, you recover this inner product plus some noise. And so, like previously, you would like that ciphertext and secret key hide everything except this approximation of the inner product. And you also would like that the last bits of the inner product are hidden, meaning that if you have two inner products that are roughly the same, you should not know which one it is: the last bits should be hidden by the noise.

About the NLinFE construction we will be interested in, the one by Shweta: she already did some analysis of the construction, and she proved that under a non-standard assumption, if the adversary has only access to one ciphertext, then the scheme should be secure. This assumption that the adversary can only access one ciphertext is a bit problematic here, because for the concrete application, when you want to bootstrap noisy linear FE to obfuscation, the adversary has access to more than one ciphertext. And so what we did is that we studied this construction in more detail and we found two attacks on the construction. Both attacks use at least two ciphertexts, so it's not a contradiction with Shweta's proof.
These two attacks, we call them the multi-ciphertext attack and the rank attack. We also derived a fixed construction which prevents the two attacks, and on this construction we also studied other possible attacks; we didn't find any attack against this new construction, and we propose a set of parameters for which we believe the scheme is secure. The plan of the talk now is to present the two attacks and how we can fix them. I'm not going to present the construction of the noisy linear FE, because it would be too long, so I will just describe the parts that are needed for both attacks when they are needed.

So let's start with the multi-ciphertext attack. In this attack we're going to focus on the ciphertexts that are used in the scheme, just the ciphertexts. These ciphertexts are kind of ring LWE elements that have been slightly modified, so I'm going first to review the ring LWE problem. Let's start with just a few notations. R_q is going to be the ring of polynomials with coefficients mod q, and polynomials mod x^n + 1, for n a power of 2. And I'm going to write small elements in blue. So ring LWE, at least its small-secret and multiple-secret variant, is the following: you would like to distinguish pairs of uniform elements mod q from pairs of elements of this form. So a_i is a label, which is going to be uniform mod q, and b_ij is computed by multiplying a_i by some secret small s_j, plus some secret small noise. And small here you can imagine being drawn from a Gaussian distribution. And so the ring LWE assumption is that this is hard to distinguish from a pair of uniform elements mod q. This is a multiple small-secret ring LWE problem, but it's known to be equivalent to the usual ring LWE assumption with only one secret and not a small secret.
So this is a nice problem, but for technical reasons in Shweta's construction, you would like to be able to multiply two b elements to get something of the following form. So here is the product: the first term is the product of the two labels times the product of the two secrets, and then plus the other terms, and we would like that all these other terms are small. So the product of the two secrets and of the two errors is going to be small, but the cross terms between labels with secrets and errors are going to be large because of the label. And so we would like to change slightly the distribution so that these terms are small. What Shweta did is that she chose some specific label, so she changed the problem slightly, and now we're going to call this ring LWE with correlated noise. The first change, as I said, is that the label now is going to be an NTRU element: it's going to be something small divided by something small, and the NTRU assumption tells us that this should look uniform mod q. If this was the only change, it would be okay; it would just be a combination of NTRU and ring LWE. But there is another change here, which is that the error now is also a multiple of g. That's why we call it ring LWE with correlated noise, because now the noise is correlated with the label. And so, thanks to this error being a multiple of g, now when we compute the product of two b elements and we look at the cross terms that were too large for us, we see that they are multiplied by g, because the error is now a multiple of g. And since the label is of the form something small divided by g, when we multiply this by g, we get something small. So the middle terms now are small and we have what we want for the scheme. But now the assumption we are making here is that this ring LWE with correlated noise distribution is indistinguishable from uniform in R_q, in pairs of elements in R_q.
And actually, if we can distinguish this from uniform, we can break the construction. So that's what I'm going to show you in the next slide: how can we distinguish this from uniform? Let's start with a very simple attack which can be easily fixed. I'm going to take two pairs of elements with two different labels and one common secret. What I would like to do here is multiply a_1 by b_2 and a_2 by b_1, so that the large terms are going to be the same. If I do the cross product, I get two large terms which are the same. And so if I subtract the two things, the large terms disappear and I'm left with a_1 g e_2 minus a_2 g e_1. And here, because of the shape of a_1 and a_2, this is again going to be small, because it's multiplied by g. So I get something small, and I can distinguish that from uniform, because if I were in the case where a and b were uniform, the resulting a_1 b_2 minus a_2 b_1 would be large with good probability. So I can use this to distinguish this from uniform. As I said, this can be easily fixed by just not publishing the labels a_1 and a_2. In the scheme, we don't need them to be public, so we can just not publish them, and then this attack cannot be made anymore.

So now let me present you the second attack, a bit more involved, which is called the multi-ciphertext attack. Now we only have elements without the label; we only have the b part of the elements. But we are going to consider, so here we have two labels and one secret, but we're going to consider now another secret: two labels and two secrets. This is where the name multi-ciphertext attack comes from, because in fact every ciphertext is going to be a collection of b's for one secret and different labels. And when you ask for a new ciphertext, you get the same labels but with different secrets. And so here, by asking for two ciphertexts, we can get these two pairs of elements. So now what we would like to do is the same thing as before.
We would like to multiply b_11 by b_22 and subtract b_21 times b_12, so that the large terms are cancelled, and we hope that the other cross terms are going to be small. So we can either write everything and see that it's indeed going to be small, or I can present it to you in a slightly different way, because this way can be generalized: this abstract view of the attack can be generalized to a more sophisticated context. And in particular here, the context I've described to you is a bit simplified. The true ring LWE with correlated noise problem is slightly different from that, so I want to describe the attack to you in full generality. Okay, so let's consider this matrix B, and the quantity we would like to compute is the determinant of B, and we would like to show that this is small. So let me just rewrite B as the product of the a vector times the s vector, plus the noise matrix. Using the definition of a, I can write it as 1/g times the vector f. And so what I get now is 1/g, which is the only thing large here, times a matrix with small coefficients of rank 1, plus g times a matrix of small coefficients of rank 2. I just need to know that, so I can forget about how the matrices are constructed. Now I'm going to compute the determinant of B, and by linearity of the determinant with respect to the columns of the matrix, I can write it as the determinant of the two columns of C, plus the determinant of one column of C and one column of E, etc. And when doing so, I observe that all the 1/g here are multiplied by g here, except in the determinant of the two columns of C. In all those other determinants there is no 1/g left, so the three last determinants are going to be small, and the only thing that is going to be large is this first term. But since we know that the rank of C is 1, the determinant of C is 0, and so everything is going to be small. And since it's small, it can be distinguished from uniform mod q.
So that's the multi-ciphertext attack. Now if we want to prevent this attack, the natural way is to make the matrix C of rank 2 instead of rank 1. So if we go back to the attack, I'm just rewriting everything, and if the rank of C becomes 2, then the determinant of C is non-zero, and when it's multiplied by 1/g, it's going to be large, and so we cannot distinguish that from something uniform anymore. So how do we make C of rank 2? Let's go back to where C comes from. C is the product of the vector f times the vector s. So if we want to make it rank 2, we should increase the dimension of these matrices, and so we should take vectors f and vectors s; if we do that, then we are going to multiply two matrices of rank 2, and so the product is going to be of rank 2 with high probability. So this means that now, instead of taking ring elements a_i and s_i, I'm going to take vectors, and when I multiply them for creating the b elements, I'm just going to take inner products instead of ring multiplications. And so this gives us a new problem, which we call module LWE with correlated noise, because now we have vectors with elements in the number field. And so taking vectors sufficiently long prevents the attack, and so we believe that if the vectors have a dimension that is sufficient, then this module LWE with correlated noise problem is hard to solve. So here, just a few words on why we need the vectors to be large enough, so why for instance f and s of dimension 2 are not sufficient. You can see, when we present the attack this way, that you can generalize it by taking more than two labels and more than two secrets. You can make these matrices taller here and wider here, until you get a matrix which is not full-rank anymore. So you can always get a matrix which is not full-rank by taking sufficiently many labels and sufficiently many secrets, and you can still do the attack this way, but if your matrix is becoming...
I mean, your matrix is going to become at least the dimension of f and s, and if this dimension is large enough, then when you are going to take the determinant of a matrix of this dimension, even if all the entries of the matrix are small, the determinant is going to be a product of a large number of small terms, and this is not going to be small anymore. So that's why, for large enough vectors, we hope that the attack is prevented and that the problem is actually hard to solve.

So that was it for the multi-ciphertext attack; let me now just say a few words about the rank attack. I didn't describe the security game that is used in NLinFE, so you will have to trust me here, but what I claim is that, when following these games, the adversary can honestly play the following game on this slide: the adversary chooses a small noise mu and sends it to the challenger; the challenger computes a larger noise N and sends back to the adversary either N or N + mu; and then the adversary has to guess which is the case. And so if the adversary can win this game, then it can also win the game related to the security of the NLinFE scheme. So that's the game we would like to win now. So let's have a look at the noise term N. This noise term is the following, which is quite complicated: it involves things coming from ciphertexts and from secret keys, and the only thing I would like to tell you now is that in the noise term there are some moduli, and parts of the noise term are multiplied by different moduli, which are public and which have the following properties: p_1 is significantly larger than p_0, which is significantly larger than all the black terms. Using this property, we can actually split the noise term into different rows here, by doing the following. For instance, if I just look at N mod p_1^2, the first row is going to be 0 and all the rest is much smaller than p_1^2, so I'm going to recover it exactly, and if I recover it exactly, it means that I can also recover the first line exactly. And I can continue like that: now if I do mod p_1 p_0, I remove the second line, etc. So in the end I can split my noise term into 5 different noise terms, each one multiplied by a different modulus, and I can forget the moduli, they are public, so I know I have 5 noise terms instead of a sum of a big noise term. And each of these noise terms is somehow simpler than the first one, and in fact, when we analyzed them, we saw that some of them are good, meaning that if you add the noise to these noise terms, your noise is probably hidden, but some other noise terms are bad, so they do not hide the noise at all. And the bad news is that when you split your noise term N plus the challenge, so you have to guess whether it was added 0 or mu, the mu you chose, this challenge is in fact added to the last noise term here. So when you split everything, you can recover your challenge just here, in this sliced noise term, and this is a bad noise term, so you can actually distinguish whether you have 0 or mu in the challenge. So that's the idea of the rank attack, and to prevent it we just remove the moduli. The moduli were there for some technical reasons, but what we show is that we don't need them, so we can just remove them completely. If we do so, then we cannot split the noise term anymore, and if we don't split the noise term, then we are going to have a sum of some bad noise terms, but some of them are going to be good and hide the challenge, so it should prevent the rank attack.

So let me now conclude. We have seen the two main attacks and how we fix them, and as I said, we also discussed other potential attacks on the new construction we propose. For these different attacks, some of them are classical, some of them are more specific to this construction, and we discussed what we can do with this attack, so if we can recover some elements and if these elements can lead to a break or not. I mean, either we don't know how to use this attack to completely break the scheme, or sometimes we know how to use them to break the scheme, but only for some set of parameters, in which case it gives us some constraints on the parameters that can be used to prevent the attack. So the conclusion is that we have some set of parameters for which we know no attack against the scheme. And let me just mention that we also tried quantum attacks against the scheme, but it does not seem that having a quantum computer would help break this scheme, which is actually quite nice for a candidate iO. A lot of candidate iOs are broken by a quantum computer; if you use pairings for instance, you cannot be post-quantum. So this is nice that this construction seems to be post-quantum. And so, as I said, we have some range of parameters for which we know no attack, so we propose them as concrete parameters, asymptotically, meaning that we have some security parameter and we derive the other parameters as a function of the security parameter. And so if you want to try some cryptanalysis on this scheme, just have a look at the parameters, and if you can find an attack within these parameters then that's nice.

So let me conclude with some open problems. What we have so far is a new scheme that is hopefully secure; at least we have done more analysis on this scheme and we have more confidence in the security of this scheme, but it's not proven. So we have open questions in both directions: can we prove it, or can we find attacks against this scheme? On the proving side, it would be nice if we could extract simpler assumptions from the construction and prove the construction secure from these simpler assumptions, even if they are not standard assumptions. One example of such an assumption could be the module LWE with correlated noise we have seen, but it's not sufficient to prove the security of the scheme, so can we extract other assumptions? That's one open question. And on the other side, the open question could be: can we find significantly different attacks on the scheme? And the main question here is the observation that, even though the noisy linear FE construction is quite different from the multilinear map constructions and obfuscators based on multilinear maps, the attacks we found share some similarities with the attacks on obfuscators based on multilinear maps: basically, we construct a matrix and then we look at properties like the determinant or the rank of the matrix to distinguish some cases. So it's curious to wonder why we have these similarities between the attacks. One possibility could be that the noisy linear FE scheme is in fact, in a sense, similar to the multilinear map constructions. One other explanation could also be that we have now seen a lot of attacks on multilinear maps and obfuscators based on multilinear maps, so we know these attacks quite well, and maybe that's why the two attacks we found on these schemes are of the same shape: because we know them and we find them more easily. But maybe there are some different attacks on these different schemes that we missed, because we are less used to them. So that would be interesting to see, if we can find different attacks. And that's all from me, thank you for your attention.
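Added worked example, not part of the talk or of the paper it presents: a toy Python model of the simplified "ring LWE with correlated noise" distribution described in the multi-ciphertext part of the talk (labels a_i = f_i / g, samples b_ij = a_i s_j + g e_ij, all of f_i, g, s_j, e_ij small), of the two checks the talk walks through (a_1 b_2 - a_2 b_1 when labels are public, and the 2x2 determinant of the b_ij matrix when they are not), and of the module-rank fix (vectors of dimension d, inner products instead of ring products). All parameters (ring degree 16, a 61-bit prime modulus, coefficient bound 3, the seed) are constructed toy values with no bearing on real security, and every function name is the example's own. The point is to see the rank argument from the slides in action: B = (1/g) C + g E, and the determinant is small exactly when det(C) = 0, i.e. when C = F S^T has rank 1 (d = 1); with d = 2, or with uniform samples, the same statistic is large.

```python
import random

# Constructed toy parameters for the simplified "ring LWE with correlated noise"
# model of the talk; far too small to say anything about real security.
N = 16                    # R_q = Z_q[x] / (x^N + 1)
Q = 2**61 - 1             # prime modulus (a Mersenne prime)
BOUND = 3                 # "small" ring elements have coefficients in [-BOUND, BOUND]
SMALL_THRESHOLD = 2**32   # far below Q, far above any product of a few small elements
ONE = [1] + [0] * (N - 1)

def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def mul(a, b):
    """Negacyclic convolution, i.e. multiplication in Z_q[x]/(x^N + 1)."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] += ai * bj
            else:
                res[k - N] -= ai * bj   # x^N = -1
    return [c % Q for c in res]

def power(a, e):
    """Square-and-multiply exponentiation in the ring."""
    result, base = ONE, a
    while e:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return result

def inverse(a):
    """R_q is a product of fields F_{q^d} with d | N, so a^(q^N - 2) = a^-1 for every unit a."""
    inv = power(a, Q**N - 2)
    if mul(a, inv) != ONE:
        raise ValueError("not invertible")
    return inv

def centered(c):
    return c - Q if c > Q // 2 else c

def is_small(a):
    """The distinguisher's test: are all centered coefficients small?"""
    return max(abs(centered(c)) for c in a) <= SMALL_THRESHOLD

def small(rng):
    return [rng.randint(-BOUND, BOUND) % Q for _ in range(N)]

def correlated_samples(rng, d, n_labels, n_secrets):
    """Module-LWE-with-correlated-noise samples of module rank d (d = 1 is the ring version):
    a_i = f_i / g and s_j small in R^d, b_ij = <a_i, s_j> + g * e_ij.  Returns labels A and matrix B."""
    while True:
        g = small(rng)
        try:
            g_inv = inverse(g)
            break
        except ValueError:
            continue
    F = [[small(rng) for _ in range(d)] for _ in range(n_labels)]
    S = [[small(rng) for _ in range(d)] for _ in range(n_secrets)]
    A = [[mul(f, g_inv) for f in row] for row in F]          # labels: small / g
    B = []
    for i in range(n_labels):
        row = []
        for j in range(n_secrets):
            ip = [0] * N
            for k in range(d):
                ip = add(ip, mul(A[i][k], S[j][k]))
            row.append(add(ip, mul(g, small(rng))))           # noise is a multiple of g
        B.append(row)
    return A, B

def det2(B):
    return sub(mul(B[0][0], B[1][1]), mul(B[0][1], B[1][0]))

def label_attack(seed):
    """Two labels, one secret, labels public: a_1 b_2 - a_2 b_1 = f_1 e_2 - f_2 e_1, which is small."""
    A, B = correlated_samples(random.Random(seed), 1, 2, 1)
    return sub(mul(A[0][0], B[1][0]), mul(A[1][0], B[0][0]))

def multi_ciphertext_statistic(seed, d):
    """Two labels, two secrets (two ciphertexts), labels hidden: det of the 2x2 matrix of b_ij.
    B = (1/g) C + g E with C = F S^T of rank min(d, 2); det(B) is small only when det(C) = 0."""
    _, B = correlated_samples(random.Random(seed), d, 2, 2)
    return det2(B)

def uniform_statistic(seed):
    """Control: the same determinant on four uniform elements of R_q."""
    rng = random.Random(seed)
    return det2([[[rng.randrange(Q) for _ in range(N)] for _ in range(2)] for _ in range(2)])

if __name__ == "__main__":
    print("labels public, statistic small:", is_small(label_attack(1)))                  # True
    print("ring (d=1), det small:         ", is_small(multi_ciphertext_statistic(1, 1)))  # True
    print("module (d=2), det small:       ", is_small(multi_ciphertext_statistic(1, 2)))  # False
    print("uniform, det small:            ", is_small(uniform_statistic(1)))             # False
```

The ring inverse is computed by exponentiation because Z_q[x]/(x^N + 1) with q prime is a product of finite fields whose sizes all divide q^N; this avoids writing a polynomial extended Euclid, and the result is checked against 1 before use. The two "large" outcomes are probabilistic in principle (det(C) could vanish or be divisible by g^2 by accident), but with the fixed seed they are deterministic and the exceptional events have negligible probability, which is exactly the talk's "rank 2 with high probability".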