 Thank you for introduction. I'll talk about statistical generalizing attack on obfuscations over GGH 50 multinational map. This is a joint work with Jeong Yi-chun, Won Yi-choo, Ming Gi-han, and Chang Mi-li. The outline consists of backgrounds, previous and our works, and further works. OK, I will start the background part. In this traditional obfuscation is a polynomial time algorithm that transforms the program P into an obfuscated program P, which preserves the functionality and gives one bit unintelligible. One bit unintelligible is to hide one bit information that one of two equivalent programs is obfuscated. Hereby, equivalent means both programs have the same functionality and have the same size. For such programs, their obfuscated programs are computationally indistinguishable. Although I only provide one bit information, it is very powerful to sense there are many cryptographic applications based on existence of obfuscations, such as functional encryptions and witness encryptions and multi-party key exchange. So constructing obfuscation is a challenging problem in cryptography. The goal of this field is to construct an obfuscation for NC1 circuit. Since it can be boosted up to IO for all circuits, when we have a homomorphic encryption with NC1 decryption circuit. There are two approaches to construct obfuscations. The first approach is called direct construction. It is based on cryptographic martinial maps represented by rather known three candidates, GGH-13, CH-13, and GGH-15. Also, it uses branching programs and arithmetic circuits as input program. And it is probably secure on the idealized martinial map. Idealized means martinial maps only provide the handlers of their operations instead of real computation. However, in the real world, it has been suffered from many zeroizing attacks. The other approach is construction via footstrapping. It is based on the functional encryptions and pseudorandom generators. Recently, sub-exponential CQRW, binary map, and weak pseudorandom generators are used to construct an obfuscation. This will be discussed in next talk. So I'll focus on the first approach which is direct construction. I introduced a brief history of obfuscations based on GGH-15 martinial map. The first two candidates called GGH-RW papers was proposed in 2013. It is based on any martinial maps. So it is natural to consider GGH-RSW obfuscation plus based on GGH-15 martinial map. And the first quantum attack was proposed in a few years later. By solving the principal ideal problems, they show the GGH-RSW obfuscation based on GGH-15 martinial map is not secure. In the same years, the implementation of obfuscations based on GGH-15 was proposed, but it was broken by the next paper called CBW-18. A paper CBW-18 proposes a new classical attack which targets on GGH-RSW and HHSS obfuscations. And it also presents a new secure obfuscation which is robust against or not attacks. In the same years, another paper called BGNG-18 proposes a provably secure obfuscation based on some algebraic borders. I'll talk about it later. So now, only two schemes are standing now. CBW and BGNG obfuscations are secure against or not attacks. Moreover, BGNG obfuscation is provably secure on the GGH-15 serializing model, which captures and generalizes or not algebraic serializing attacks on GGH-15. So in this situation, we naturally, in this situation, we have a natural two questions. Are they secure? And is the model enough to construction? Our work gives a partial answer to these two questions. In this work, we introduce a new cryptanalysis called the static-scargerizing attack on obfuscations based on GGH-15 martinium ag. We also apply the static-scarger attack to CBW and BGNG obfuscations. As a result, our attack breaks the CBW obfuscation for current parameters, and we show the algebraic security model is not enough to achieve an idea of obfuscations. Indeed, we break the BGNG obfuscation for year-to-parameters whose security proof still holds. So our attack is not captured by the algebraic model. To introduce our attack, we briefly reviewed the GGH-15 martinium ag. GGH-15 martinium ag supports additions, multiplications, and zero-test operations. All operations are defined on a graph whose vertices are random matrices, A i with an edge from A i to A j. The encoding of GGH-15 martinium ag has special structures. If this encoding of m with an edge from i to j, then A i d is approximately equal to m i j. And addition and multiplications are the same as matrix operations. And the last operations, the key operation of GGH-15 martinium map is zero-test. It is used to determine whether the matrix is zero or not. Indeed, if the double prime is the encoding of m with a special edge from 0 to h, then A sub 0, the double prime is approximately equal to m A sub h due to its construction. So we can determine whether m is or not by calculating the norm of the matrix A0 d double prime. If m is zero, then the matrix should be small. However, if m is not zero, then the norm is not small because h sub h is a random matrix. We now recall the definition of branching programs for Boolean functions. Branching program for Boolean functions consists of 2h binary matrices and function g. Evaluation at input x is to multiply these binary matrices in predetermined order. If a Boolean function outputs 0, then the result matrix is also 0. Otherwise, if Boolean function outputs 1, then the result matrix is non-zero matrix. Although we introduce a branching program for Boolean functions, any ancient circuits can be converted into branching programs. So branching program is used as an input program of obfuscations. So we are ready to describe how to construct obfuscations. First, I have consists of two algorithms called obfuscations and evaluations. Obfuscation has the third step. First, convert to a program into a branching program. And the next step is randomized branching programs while preserving the functionality. The first candidate, GGHRSW, you use a safeguard and a reset candidate. CVW and BGM obfuscations use a chronicle tensor product. Both randomizing techniques are used to prevent any invalid evaluations. The last step of obfuscation is to encode randomized matrices using GGH 15. Evaluation of obfuscation is simple. It is the same as the zero test of GGH 15. As an example, we introduce simplified BGM obfuscations. Our target program is the set of a matrix MI, which always up to zero. So we skip the subscript related to input X. For a matrix MI, we can calculate randomized matrix SI hat using a chronicle tensor product. And then using a GGH 15 martinial map, we compute d prime i, which is encoding of SI hat with an edge from i to i plus 1. And then BGM papers add extra long matrix called bi to prevent or algebraic attacks. Moreover, to hide the extra long matrix bi, they multiply two invertible matrices, ri inverse and ri plus 1. We call the result matrix di. Then the obfuscation of a program m is the set of a, which is a concatenation of a0 from GGH 15 martinial map and identity matrix and the set of encoded matrix di. As I already said, evaluation is almost the same as zero test of GGH 15. We just computed a norm of the matrix A product di's. Indeed, the matrix is approximately equal to the zero test of GGH 15 and the product of extra long matrix. The product of extra long matrix is much smaller than q. So evaluation preserves the functionality. Now I will talk about previous work. First, we record the security definition of IO. When you have two equivalent programs, m and n, and one obfuscated program of one of them called OP. Then security of IO is that no one can determine whether P is m or n in polynomial time. In other words, adversaries want to determine whether P is m or n. The observation of analysis of obfuscation is simple. We consider the simple branching programs which are set of zero. m is the set of two zero matrices and n is the set of one identity matrix and one zero matrix. Then two programs both are zero. And we also consider the simplest obfuscations called OP. The simplest means we skip the all-endomizing techniques for constructing obfuscations. Then we observe evaluation of OP depends on branching programs m or n. Moreover, evaluation of OP is the matrix of integers since all matrices are small. Therefore, all non-attacks have been using these algebraically different over integers. So the recent paper of BGMG-18 showed that all non-zeroing attacks can construct an algebraic relation between the result of zero tests and randomized matrices. And BGMG of obfuscation removed the algebraic relations by adding the extra-blown matrix VI. So we guess algebraic framework may not be useful anymore. Now I talk about our attacks. On the outside of algebraic framework, we employ the statistical properties from the same observations that evaluation of obfuscated program depends on branching programs m or n. So we can define two random variables x sub n. And we now consider all matrices as random variables. Then we can read the two random variables xm and xn are well-defined, which corresponds to evaluation of m and evaluation of n. Like previous attack, we observe that two distributions may be different because of the new term. The new term may perturbate distributions. To show this, we need to compute their expectations and variance. The simplest case of a statistical zeroizing attack is when the expectations of two distributions are different. Green graph is distributions for random variable xm. And red graph is distribution for random variables xn. Then we can easily find such a series of t. And if evaluation of obfuscated is smaller than p, then we know p equals n with overwhelming probability. Otherwise, p equals n. However, in our cases, both expectations are zero. So we need to consider another cases. If two variables are Gaussian, and their variance are different, then we also find such a series of t. And we know when evaluation of op is larger than t, then p equals n with overwhelming probability. Unfortunately, in our cases, two random variables are not Gaussian distributions. Actually, they are too much complex because of their summations and product of random variables. Moreover, the random variables have the dependency. So actual attacks requires a lot, a lot, a lot, a lot of computations. So we need to formally analyze it. We borrow some ingredient from the cryptography and statistics. They are sample variances and standard hybrid arguments. And here is the assumptions on product of dIs. The here is the assumption is verified using the implementation of HHSS. To sum up, our table also starts from the same observation that evaluation of two programs, evaluation of obfuscation, depends on branching programs. The difference of statistical properties show the weakness IO. As a result, we break the CBW obfuscation for current parameters. And the algebraic model proposed by BGMG is not enough to construct an ideal obfuscation. The implication of our attack is simple. All statistical properties should be the same regardless of branching programs. Therefore, when we use a permutation branch program, which is the set of all permutation matrices, it is a countermeasure of our attack. Moreover, if you can change parameters, it is also countermeasures. Now I'll talk about further works. The first further works is how to apply statistical zeroising attacks to other obfuscations based on GGG13 or CG13. To the best of our knowledge, it seems to be impossible because of their structure. It's too different. The next question is how to construct an obfuscation which is probably secure against zeroising attacks. Moreover, which class of attacks should be considered to construct an obfuscation? We need to construct at least two types of zeroising attacks, IJWH zeroising attacks and statistical zeroising attacks. However, we don't know any more. Nothing. The BGM of obfuscation for current parameter is still secure against original attacks. So our last question is, is the BGM of obfuscation secure? Thank you for listening. Any questions? OK, let's thank the speaker again.