Hello everyone, so thanks for coming to my session. I'm going to talk about a subfield lattice attack for overstretched NTRU assumptions, with some application to the cryptanalysis of some NTRU-based FHE schemes and GGH-like graded encoding schemes. So this is joint work with Martin Albrecht from Royal Holloway and Léo Ducas from CWI. So I'm going to give an introduction to the overstretched NTRU assumption, and then I'm going to talk about the method for the subfield lattice attack. So in the end I'm going to summarize and give some recommendations. So the problem we are facing is the NTRU problem, where the general setup is that we are given the security parameter lambda, and we are usually working in cyclotomic number fields defined by the cyclotomic polynomial of order m. So the ring of integers has a degree n, which is phi(m). So in this talk we will be focusing on power-of-two cyclotomic number fields, so where m is a power of two. Also there are parameters: the modulus q, which we do the arithmetic modulo, and also we have another parameter which is called the width parameter, for convenience. So this controls the size of the secret, as we will see later. So both the degree n and the width parameter sigma are polynomial parameters in lambda. So in the NTRU key generation we start with two secret keys, f and g. We generate them from the ring according to some distribution, where the sizes of f and g are controlled by the parameter sigma. So that's why I have set this width parameter here. And the public key we generate by taking the ratio of the two polynomials mod q. So the NTRU problem, parameterized by the parameter tau, is that, given the public key h and the modulus q, such that we have the promise that h is a ratio of two secret polynomials, we are asked to find a nonzero vector in this R-module of Euclidean norm smaller than some function of tau, where tau is the parameter in the definition of the NTRU problem on this R-module.
So it turns out that clearly f and g are in this R-module. It turns out this R-module is also a lattice. So to consider this NTRU problem, I mean, so in this talk we will be focusing on this overstretched NTRU problem. We basically have the same setup, but we have a super-polynomial modulus q. So NTRU has many applications, for instance in NTRUEncrypt. It's also being used in signature schemes such as BLISS. So this overstretched NTRU variant, which has a larger modulus, has been used in NTRU-based FHE schemes and also in GGH-like graded encoding schemes. So to evaluate the security of NTRU, one considers the lattice attack for the NTRU problem, where we mentioned before that this lattice Lambda_h is a lattice of dimension 2n. It has volume q^n, and the Gaussian heuristic states that for a random lattice of volume q^n the expected length of the shortest vector of this random lattice is approximately 2nq. So this would happen if h were uniformly randomly generated. But clearly this is not the case in NTRU if f and g are generated with a very small width parameter sigma. If this sigma is much smaller than q, then these vectors f and g are much smaller than the Gaussian heuristic. So in such a case we say that the lattice has an unusually short vector. So we use lattice reduction to solve this previously mentioned lattice problem for NTRU; so in practice, recovering a short enough vector of some target norm for this parameter tau is sometimes enough to solve the problem. So this tau parameter could be larger than sigma; so for instance in NTRU-based FHE schemes, finding any vector of length of a small order of q would be considered a break of the scheme. And in practice and in theory these parameters n, q and sigma can be set to resist these attacks, both asymptotically and in practice. Okay, so that's the background so far.
So in this talk we are going to talk about a subfield lattice attack for this overstretched NTRU assumption. And we will see later that this attack is asymptotically faster than the full-field attack as soon as q becomes super-polynomial. So as soon as the modulus becomes larger, our attack becomes more efficient. So our strategy can be summarized in three steps. So first of all we map the NTRU instance in the full field to some chosen subfield. And in the second step we use lattice reduction in this subfield to recover some vectors which are hopefully helpful for solving the original problem. Since we are working in a subfield, we are essentially working with a smaller-dimensional lattice, and hopefully this is easier to solve than the full-field case. So in the end we lift the solution back to the full field. Okay, and here is a pictorial view of how it works. So this is actually a terraced field, I think in China somewhere. And we consider this as a tower of fields where the bottom is our full field. Suppose we want to dig for some gold in the bottom layer, and we also consider the underground area of this layer. Then maybe in the full field the search area is too large. So instead of doing that we climb up to some smaller upper layer of smaller area and we just dig in this layer. And hopefully the solution over here can help us find the solution in the full field. So that's the philosophical idea of the attack. Okay, so I'd like to mention that the idea has also been found concurrently and independently by Cheon, Jeong and Lee. They also use a similar subfield idea for attacking GGH-like graded encoding schemes. So the general approach is similar to ours. But as we will see later, we use the norm map to go down to the subfield; instead, they use the trace map. Also they consider the power-of-two cyclotomic fields, but they also have a more powerful result against the graded encoding scheme by using the zero-testing parameter.
And this idea actually echoes a few ideas that already appeared in the work of Gentry and Szydlo. And there they use the maximal real subfield of the cyclotomics. So therefore they consider a relative extension of degree 2. And in their work they also attribute the idea further to Jonsson, Nguyen and Stern. So I'd just like to mention a little bit of background for this idea. Okay, so for the context of the attack, so in my talk I will only consider power-of-two cyclotomics, but the work is presented for more general number fields in our paper. So we have the full field K, which is the cyclotomic extension, where n is the rank of the field, and we denote the ring of integers by O_K. So let L be a subfield of K, and actually, I didn't put it here, I'm taking O_L to be the ring of integers of L. So suppose that K and L have degrees n and n' and their relative degree is r. So one fact is that K has a Galois group G, and we let G' be the subgroup fixing this subfield L. So one thing that we will use is the norm map, which may be defined as the product of all the conjugates of this element f, where the conjugates are restricted to this subgroup. So this is the context. So this is a picture of the overview of the attack. So we have the full field K over here and the subfield L and the rings of integers. So the relative degree is r, and we start with some element, the public key h, and some secret key g and f, where g and f are secret. So these three elements are in the full field, and we use the norm map to norm them down. Since we only know the public information, we can know what h' is, but we don't know g' and f'. So here we use lattice reduction in the subfield based on the information of h', and we find some vectors x', y', and hopefully there are some relations between x', y' and g', f'.
If that is true, then we can further lift the solution up to the full field, and if there are some relations between x', y' and g', f', we hope that we can also maintain this relation during the lifting. So that's the general idea of the attack. So the first step, we want to norm elements down; so basically I'm using the notation f' for the norm of f and g' for the norm of g, and similarly for h'. So the only thing we need for this talk is that we want to know approximately what the size of the norm of these elements is. So the rule of thumb is that the norm is approximately a function of r, where r is the relative extension degree, and it is also related to the initial size of these polynomials f and g. And this norm is a vector in the subfield lattice, and we can see from this quantity that for a large enough modulus and small enough r, this thing could be much smaller compared to q, and therefore there is hope to still have some gap in the subfield lattice. And by having the gap, there is hope to find f', g' or some related vectors in the subfield by using lattice reduction. So in the subfield we use lattice reduction. So for instance we use BKZ with block size beta in this subfield lattice. Then we can find a vector x', y' which is bounded by the approximation factor guaranteed by BKZ multiplied by the shortest vector of this subfield lattice. Since f', g' is a vector in the sublattice, it has to be larger than that. So the rule of thumb is that approximately we can find some vector x', y' upper bounded by this quantity, which is hopefully not too large. So we want to further argue that if these vectors x', y' we found over here are short enough, then they must be an O_L multiple of the normed f', g'. So therefore we can find some relation between x', y' and f', g'.
So this will further allow us to lift this solution back to the full field while maintaining this kind of relation. So this is the second part of the subfield step. So we want to argue that if x', y' is not too large, then it has to be an O_L multiple of f', g'. So formally, let f', g' be in the subring such that they are coprime and such that h' is the normed public key from h. And if x', y' in this subfield lattice is upper bounded by q divided by the norm of f', g', then we will know that x', y' is a multiple of f', g' for some multiplier within this subring. So we will not give the full proof; instead we will just give some ideas. So the point is, in the NTRU lattice, if there exist some dense sublattices, then the elements of the dense sublattice formed by this f', g' are pretty short. So if there are some vectors which are, for instance, much longer than this, then basically this x', y' and f', g' will actually generate the whole lattice. So formally we apply a volume argument to prove this. So therefore a short enough vector x', y' in this sublattice belongs to this. So it's a multiple of our normed secret. Okay. So in the end, for the lifting: in the previous slide we have found some element which is a multiple of f', g', and we actually want to lift them back to the full field. So one way to do this is that we can define this f-tilde to be the product of all the other conjugates of this f, which is an element of the ring of integers. Then I'm just taking x to be x', which can be rewritten by using these conjugates as v times f-tilde times f mod q. And further, this y is defined to be y' times h divided by h'. And if we expand h and h' using the relation that h equals g over f mod q, and then rewrite the formula, then that eventually becomes v times f-tilde times g mod q.
And therefore we realize that x, y is actually an O_K multiple of f and g, where this O_K element is v times f-tilde. So some further analysis shows that not only is x, y an O_K multiple of f and g, its size can also be upper bounded by these asymptotics. So where this approximation part is essentially from the previous reduction part over here, and the second part is actually the loss in size when we are doing the norming down. So for some asymptotics of this attack, so we take the relative degree r to be log q divided by log n. So this value is set up in order to optimize the block size beta divided by log beta. So the subfield lattice attack can solve this overstretched NTRU assumption, or just the NTRU assumption, in time 2 to the Theta(beta), with the block size beta such that beta divided by log beta is asymptotically n times log n divided by log q squared. So by comparison, if we do the direct lattice attack on the full field, beta divided by log beta is n divided by log q. So therefore this attack is better as soon as q gets super-polynomial. So I'm going to talk about the impacts of this attack on NTRU-based FHE and multilinear maps. So for both overstretched NTRU-based FHE schemes such as LTV and YASHE, this subfield lattice attack gives a subexponential attack with respect to the security parameter. And also for multilinear maps, so the latest improvement of GGH, which is given by the ACLL paper, we can recover some partial information on the secrets by just having a polynomial attack. So this happens when we have a big enough multilinear degree. But in order to finalize, because we only recover multiples of these secrets, we still have to use a quantum step to finalize the attack, to solve some principal ideal problem. This becomes quantum polynomial if we connect them together. If you want to use the attack by Cheon et al., then this gives you a classical attack using the zero-testing parameter.
So this attack does not need, because it's an algebraic attack on the assumption, we don't need any encodings of zero nor the zero-testing parameter. So this is some comparison for this subfield lattice attack. So this is the prior status. So on the x-axis we have the approximation factor as a function of n. And on the y-axis we have the time for attacking this problem. So for this multilinear map the approximation factor is already subexponential. So therefore, in terms of n, we already had a subexponential attack with respect to n. And this is also the case for YASHE, but it is only slightly subexponential. So for NTRU and BLISS the parameters are set up such that the approximation factors are polynomial, therefore the attacks are exponential. And by the subfield lattice attack we can further reduce the time for this GGH by reducing it from subexponential to polynomial. And also we can further reduce the running time of attacking YASHE. But this reduced asymptotic running time is still subexponential, but of a larger order. And this does not seem to affect NTRU and BLISS asymptotically. So I'm going to talk in particular about the NTRUEncrypt and BLISS signature schemes. So if the norm of f, g is not a very short vector in the subfield lattice, then the lattice reduction wouldn't recover any information on this vector. So this happens if they are similar to the Gaussian heuristic, which is the square root of n' times q. Because our attack is a subfield attack, the minimum we can take for the relative extension degree is 2, so we use that to test for the immunity of these NTRU parameters. So this NTRU 743 is perfectly immune, which means that even getting down to a subfield of relative degree 2, it becomes close to that. So there's no way we can recover that using this method. And for NTRU 401 and BLISS, so they are, I mean, they are close to this, but there seem to be some constant factors over there.
So whether they are totally immune to this attack or not. So another observation is that, theoretically, if we take this width parameter to be big enough, to be the square root of q times omega, then this NTRU implies a Ring-LWE problem, because they are actually almost uniform. But in terms of our attack, actually the immunity comes even by taking this sigma to be the quarter root of this q, because if we are going down by degree 2 this becomes q. So therefore, can we prove something about this, or I don't know, maybe the next slide can give some extra things on this. So coming to the conclusion of the talk, the initial recommendation is that we recommend that setups of the NTRU assumption in the presence of subfields, and with large modulus and small width parameter, be considered insecure. And actually there's a follow-up work by Kirchner and Fouque, so in this ePrint, "Comparison between Subfield and Straightforward Attacks on NTRU". So instead of going down to the subfield they can do some straightforward attack by projecting to the subfield. So the results using their method, they can actually break in practice some concrete parameters, and they also realize that attacks seem to be better against NTRU than previously thought. And one big difference is that in their attack they don't need the subfields, so they have the same asymptotic results but without the need for subfields. So their approach works very generically. And also they conclude that NTRU seems to be weaker than Ring-LWE whatever the ring structure is. So that concludes my talk. This is the paper. Thank you.
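As an added illustration (not code from the speakers or their paper), here are the two ring operations the talk describes, norming down to the index-2 subfield and lifting back up, on a toy power-of-two instance. It assumes n = 8, a prime modulus q = 12289, relative degree r = 2 and small constructed secrets f and g, and it stands in for lattice reduction by handing the lift step (f', g') directly.

```python
def ring_mul(a, b, q=None):
    # negacyclic product in Z[x]/(x^n + 1); coefficients reduced mod q when q is given
    n, c = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n: c[i + j] += ai * bj
            else: c[i + j - n] -= ai * bj          # x^n = -1
    return [v % q for v in c] if q else c

def conj(a):  # the automorphism x -> -x; it fixes the index-2 subfield L = Q(x^2)
    return [(-v if i % 2 else v) for i, v in enumerate(a)]

def norm_down(a):  # N_{K/L}(a) = a(x) * a(-x), returned in Z[y]/(y^(n/2) + 1) with y = x^2
    p = ring_mul(a, conj(a))
    assert all(v == 0 for v in p[1::2])     # the relative norm has only even powers of x
    return p[0::2]

def lift_up(a):  # embed an element of L back into K: y -> x^2
    return [v for coef in a for v in (coef, 0)]

def ring_inv(a, q):
    # inverse in Z_q[x]/(x^n + 1), q prime: solve M b = e_0 for M the multiplication matrix of a
    n = len(a)
    A = [[0] * n + [int(i == 0)] for i in range(n)]           # augmented matrix [M | e_0]
    for j in range(n):                                        # column j of M is a * x^j
        for i, v in enumerate(ring_mul(a, [int(k == j) for k in range(n)], q)): A[i][j] = v
    for c in range(n):                                        # Gauss-Jordan elimination mod q
        piv = next(r for r in range(c, n) if A[r][c])
        A[c], A[piv] = A[piv], A[c]
        inv = pow(A[c][c], -1, q)
        A[c] = [v * inv % q for v in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                m = A[r][c]; A[r] = [(A[r][k] - m * A[c][k]) % q for k in range(n + 1)]
    return [A[i][n] for i in range(n)]

def subfield_demo(f, g, q):
    h = ring_mul(g, ring_inv(f, q), q)                        # public key h = g / f mod q
    fp, gp, hp = norm_down(f), norm_down(g), norm_down(h)     # f', g', h'
    # (1) norming down respects the key equation: h' = g' / f' mod q
    norm_relation = ring_mul(gp, ring_inv(fp, q), q) == [v % q for v in hp]
    # (2) lifting: suppose reduction in L returned (x', y') = (f', g'); set x = x', y = y' * h / h'
    #     and check (x, y) = f~ * (f, g) mod q, with f~ = f(-x) the other conjugate of f
    x, y = lift_up(fp), ring_mul(ring_mul(lift_up(gp), h, q), ring_inv(lift_up(hp), q), q)
    ft = conj(f)
    lift_ok = x == ring_mul(ft, f) and y == ring_mul(ft, g, q)
    # (3) sizes: f' is roughly ||f||^r long (r = 2 here), still far below q, so L keeps a gap
    return {"norm_relation": norm_relation, "lift_ok": lift_ok,
            "norm_f": sum(v * v for v in f) ** 0.5, "norm_fp": sum(v * v for v in fp) ** 0.5}
```

With a real attack the pair (x', y') would come from BKZ on the subfield lattice and would be an O_L multiple of (f', g'); the same lift formula then yields the O_K multiple of (f, g) described in the talk.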