OK, we can start. So welcome to the multilinear map session. So the first talk is Cryptanalysis of the New CLT Multilinear Map over the Integers. And Sol is going to give the talk.

Thank you for your introduction. I will talk about cryptanalysis of the new CLT multilinear map over the integers. This is a joint work with Jung Hee Cheon, Pierre-Alain Fouque, Changmin Lee, and Brice Minaud.

And first, let me define a multilinear map. A κ-multilinear map is a map from a product of groups G_i to a group G_T, which satisfies linearity in each component. Its security is based on the MDDH problem, which is: given κ + 1 encodings of m_i and an encoding of m, determine whether m is the product of the m_i or not. Multilinear maps have lots of applications. Basically, it is used in multi-party key exchange, with providing low-level encodings of zero. Another crucially important application is indistinguishability obfuscation. When it is used in IO, it does not need to publish its low-level encodings of zero.

Currently, construction and analysis of multilinear maps are being repeated. Among them, we looked through multilinear maps over the integers. In 2013, Coron, Lepoint, and Tibouchi proposed a multilinear map over the integers. But it turned out to be insecure by the so-called CHLRS attack using low-level encodings of zero. After that, there were several attempts to repair it, but they were quickly proven to be insecure. At Crypto 15, the same authors set out to repair their scheme. It retained the structure of the encodings from 2013, but it added a new type of noise to thwart the CHLRS approach. So it has conceptual simplicity, relative efficiency, and a wide range of presumed hard problems such as subgroup membership and the decision-linear problem. However, CLT15 is not secure anymore, in the sense that we can find all secret parameters in polynomial time with respect to the security parameter lambda.
Until now, CLT13 looks secure without providing low-level encodings of zero. But CLT15 is fully broken for all possible applications, since low-level encodings of zero are provided by the ladder.

Before describing our attack, let me first sketch the CLT15 multilinear map scheme. The construction of CLT15 is as follows. Choose distinct secret primes p_i and g_i, with g_i much smaller than p_i. Let x_0 be the product of the p_i, and choose an invertible z mod x_0, and keep these values secret. The public parameter is N, which is used in zero testing. A level-k encoding of m_i is defined using CRT, and it is similar to a ciphertext of an integer homomorphic encryption scheme.

Now we move on to the crucial zero-testing procedure. We define u_i as follows. Then u_i equals g_i over z^κ mod p_i, and it equals zero mod p_j. And we also define v_i as the product of the zero-testing parameter and u_i mod N, and v_0 as the product of p_zt and x_0 mod N. Then the top-level encoding e can be rewritten as a linear combination of these constants u_i and x_0. And the size of v_i is similar to N over p_i, and v_0 is much smaller than N. Therefore, the zero-testing value of e can be written as a linear combination of v_i and v_0 over N. The important point is this. If e is an encoding of zero, our r_i's are small enough so that the right-hand side of the zero-testing value is much smaller than N. In this case, this equation holds over the integers, not mod N, and the reduction does not happen.

Once x_0 is known, the scheme becomes equivalent to CLT13 in terms of security. So the CHLRS attack applies well in this case. Suppose x is an encoding of zero, and y and c are some encodings. Then we can multiply these three encodings and reduce the size using mod x_0. Then the zero-testing value can be written as a linear combination of v_i and v_0. From x_0, we can also compute v_0. If you view these zero-testing values in mod v_0, then it can be written as a matrix expression as follows.
Remark that v_i is independent of the encoding. So by varying x and y, we can obtain the matrix equation as follows. And it includes some diagonal matrix which is related to an encoding c. Therefore, by some eigenvalue computation on a related matrix, we can have c_i. Then c minus c_i is a multiple of p_i. By repeating this procedure for another choice of c prime, we can have p_i.

However, x_0 is secret in CLT15. So we cannot reduce the size of the encoding after the multiplication. Remark that the size of e is deeply related to the size of a. So if e is large, then a is large. So a v_0 exceeds the modulus N. Therefore, the right-hand side of the zero-testing value goes over N, despite e being an encoding of zero. For this reason, the previous attack does not work. A more serious problem is that the correctness of testing does not work. Therefore, we need to reduce the size of encodings in order to perform zero testing.

Let me explain how to reduce the size of the encodings in CLT15. When two encodings are multiplied under x_0, the correctness comes naturally as long as the numerator does not go over p_i. However, x_0 is secret, and the size of the encoding is growing. So to reduce the size of the encoding, CLT15 publishes ladders at each level, which are encodings of zero of increasing size. The size of the smallest ladder is about the secret modulus x_0, and the largest one is about x_0 squared. This explains how the size reduction process works. Using the ladder, the size of an encoding can be recursively reduced under the size of x_0. On the right are the corresponding encrypted values. Since ladders are encodings of zero, the size reduction does not alter the encoded value. So we can multiply encodings while maintaining each size under x_0.

Let me explain the effect of the ladder from the aspect of the CHLRS approach. As before, we are given encodings x, y, and c. Then we multiply these encodings and reduce the size using ladders. Compared with the previous case, there are two additional terms, t_i and a prime.
By varying x and y, we can obtain the matrix equation as follows. But there are NAR unknown matrices. So it looks hard to obtain secret information as before.

Now I give a brief description of how to resolve this problem. The goal of our attack is to compute v_0 and so recover x_0. This starts from the observation of the equation, and it consists of two steps. The first step is to remove t_i using the zero-testing value of the ladder. And then we compute v_0 from several equations modulo the unknown v_0.

Let me explain the first step. For a top-level encoding of zero e, the zero testing is done after the size reduction process. So it can be written as follows. And the goal of the first step is to remove the box indication. If we define a map pi using constants v_i and v_0, then the box value equals the pi value of some ladder-related one. Moreover, the function pi has two good properties. The first proposition indicates that pi is the same as the zero-testing value of e when e is an encoding of zero and e is small. The second proposition says that pi is additively homomorphic as long as the associated r_i's do not go over p_i. The conditions on the r_i's are also required for the correctness of the scheme. So we may regard pi as an additive homomorphism.

Now we can remove t_i. From the additive homomorphic property of pi, we deduce this equation. Therefore, it is enough to compute the individual pi(X_j). Pi(X_0) can be computed directly from the zero-testing procedure. For the next one, we may reduce its size using X_0 and apply the additive homomorphic property. Continuing this process, we can get all pi(X_j)'s and so the pi values of any top-level encoding of zero, even though its size is large. This completes the process step.

I remind you that the CHLRS approach gives this matrix equation with two additional matrices, T and A prime. Through the process step, we remove matrix T in this equation. Now we move on to the second step. As I mentioned before, once x_0 is known, CLT15 is not secure anymore.
So the goal of the second step is to compute v_0 and so x_0. Similarly to before, we will build a matrix which consists of pi values of some products of encodings. Suppose x is an encoding of zero and y is some encoding. Then by the process step, we can compute pi(xy), and it is written as a linear combination of v_i and v_0 over the integers. If we view this value in mod v_0, everything behaves like in CLT13, since the additional noise a v_0 disappears. So it can be written as a matrix equation that includes some n-dimensional diagonal matrix of v_i in mod v_0. Remark that the v_i are independent of the encoding, so we can vary x and y and build a matrix equation. Unlike the CHLRS approach, we made a matrix with dimension n plus 1. Then it splits into lower-dimension matrices in mod v_0. Therefore, it is not full rank when embedded into Z_{v_0}. So v_0 divides the determinant of w when the determinant is computed over the integers. By repeating this procedure for another choice of y prime, we can compute v_0 and so x_0. It reveals all secret parameters in CLT15. Our attack consists of computing many values of pi and computing some determinants of matrices and a GCD. So it takes polynomial time in the security parameter.

Until now, three types of multilinear maps have been suggested, but they were all proven insecure when used in key exchange. Specifically, for GGH13, we understood well after y. Recently, three papers were published to cryptanalyze GGH13 without low-level encodings of zero. One applies only to a basic IO scheme. The others are applicable to all IO, but they break quantumly or only for up to degree lambda Q. Therefore, cryptanalyzing multilinear maps without low-level encodings of zero and designing a new multilinear map with reduction to a standard hard problem are still worthwhile. Thank you for your attention.

So while the next speaker is getting ready at the end, searching for his mic, is there any question?

So congratulations for your attack.
And when we designed the scheme, we did not expect that it could be broken like this. And yeah, the technique is very clever, the technique of extending the evaluation of the encoding over the integers instead of only modulo N. So this is very clever. And my question is, do you think that it should be possible to again repair the scheme or doing the CLT scheme for key exchange? Because for obfuscation, it seems to be fine. But for key exchange, do you think that it should be possible to again repair the scheme?

Pre-repair? Then I try to analyze.

OK. Other questions? So I actually have one. Did you try to implement it in practice on the servers like this parameter set with the CLT15 paper? Did you try to implement it in practice?

We only implemented on very small parameters.

OK. OK. OK, so another question. Let's thank the speaker again.

OK, so second talk of the session, it's Cryptanalysis of GGH Map by Yupu Hu and Huiwen Jia. And Yupu Hu is giving the talk now.

Thank you very much. The title is Cryptanalysis of GGH Map.

Background. A multilinear map is a leveled encoding system. It can multiply but cannot divide back, and goes further to extract limited information. We know that this can be achieved by zero testing. And it is a solution of a longstanding open problem and a novel primitive which has many cryptographic applications. GGH map is the first candidate of K-linear maps for K larger than 2. It is from the ideal lattice structure. It is a major candidate of multilinear maps and the best paper of Eurocrypt 2013. Two classes of applications of GGH map are applications with public tools for encoding and applications with hidden tools for encoding. In this paper, we show that applications of GGH map with public tools for encoding are not secure, and that one application of GGH map with hidden tools for encoding is not secure.
On the basis of the weak-DL attack presented by the authors themselves, we present several efficient attacks on GGH map, aiming at multipartite key exchange, MKE. We know that this is an open problem. And the instance of witness encryption, WE, based on the hardness of the exact-3-cover, X3C, problem. Note, WE is another novel cryptographic primitive, published at STOC 2013. And the instance of WE based on the hardness of the X3C problem is its first instance. This is the situation about major candidates of multilinear maps: GGH, CLT, and GGH15. I should say that GGH15 and GGH are quite different, from different structures. Then here is our work.

Now, our contributions. Contribution one. We use special modular operations, which we call modified encoding/zero-testing, to dramatically reduce the noise. Such reduction is enough to break MKE. Moreover, such reduction negates the K-GMDDH assumption, which is a basic security assumption. Note: the procedure involves mostly simple algebraic manipulations, and rarely needs to use any lattice reduction tools. The key point is our special tools for modular operations.

Contribution two. Under the condition of public tools for encoding, we break the instance of WE based on the hardness of the X3C problem. Note: to do so, we not only use modified encoding/zero-testing, but also introduce and solve the combined X3C problem, which is not difficult to solve. In contrast with the assumption that a multilinear map cannot be divided back, this attack includes a division operation. That is, solving an equivalent secret from a linear equation modulo some principal ideal. The quotient, the equivalent secret, is not small, so modified encoding/zero-testing is needed to reduce the size. This attack is under an assumption that two vectors are co-prime, which seems to be plausible.

Contribution three. For hidden tools for encoding, we also break the same instance of WE based on the hardness of the X3C problem.
Note: to do so, we construct level-two encodings of zero, which are used as alternative tools for encoding. Then we break the scheme by applying modified encoding/zero-testing and combined X3C, where the modified encoding/zero-testing is an extended version. This attack is under two assumptions, which seem to be plausible.

Contribution four. We check whether the GGH structure can be simply revised to avoid our attack. We present cryptanalysis of two simple revisions of GGH map. Aiming at MKE, we show that MKE on these two revisions can be broken under the assumption that 2 to K is polynomially large. Note: to do so, we further extend our modified encoding/zero-testing. These two simple revisions are natural revisions and cover neighboring structures of the GGH structure.

What are the main techniques of our attack? Main technique one, modified encoding/zero-testing. For the secret of each user, we have an equivalent secret, which is the sum of the original secret and a noise. These equivalent secrets cannot be encoded because they are not small. Then we compute the product of these equivalent secrets rather than computing their modular product. Then our modified encoding/zero-testing is quite simple. It contains three simple operations, avoiding computing the original secrets of users and extracting the same information. That is, it extracts the same high-order bits of the zero-tested message. The following table is a comparison between the processing routines of GGH map and our work. It is a note of our claim that we can achieve the same purpose without knowing the secret of any user. Now, this is the table illustrating the processing routines of GGH map and our work. We can see that there are several differences, same purpose.

Main technique two, solving the combined X3C problem. The reason that the X3C problem can be transformed into a combined X3C problem is that the special structure of GGH map sometimes makes division possible. Now, here is a simple illustration.
If we have the equation A times B equals C, then we can solve B to be equal to A to the minus 1 times C. We can solve the combined X3C problem with non-negligible probability and break the instance of WE based on the hardness of the X3C problem for public tools for encoding.

Main technique three, finding alternative encoding tools. When encoding tools are hidden, we can use redundant information to construct alternative encoding tools. For example, there are many redundant pieces beside the X3C. Encodings of these redundant pieces can be composed into several level-two encodings of zero. Suppose that this is a product of two encodings and this is another product of another two encodings. If their positions are intersected, then the subtraction is a level-two encoding of zero. Only one level-two encoding of zero is enough to break the instance of WE based on the hardness of the X3C problem for hidden tools for encoding. Also, this technique can be adapted to other applications of GGH map, where although encoding tools are hidden, a large number of redundant information are needed to protect some secrets.

Now, GGH map and two applications. First, parameter setting. Here we can see that R is a polynomial ring. R_q is another polynomial ring for integer q. The mod q operation is redefined. Then I emphasize that six elements g, z, a, b_1, b_2, h from R are kept from all users, where g, a, b_1, b_2 are small. h is somewhat small. z is random. Then we use the principal ideal generated by g. y is a level-one encoding of 1. x_i, i equals one or two, are level-one encodings of 0. p_zt is the level-K zero-testing parameter. p_zt is always public. y and x_i are called tools for encoding. For MKE, they are public. While for WE, they can be either public or hidden. Suppose a user has a secret v from R, which is a short element. He encodes v into capital V, and he publishes capital V. Then the GGH K-linear map includes K, y, x_i, p_zt, and all noisy encodings capital V for all users.
Application 1, MKE. Suppose that K plus one users want to generate KEY, a common shared key, by public discussion. We know that this is a public open problem. To do so, each user k_0 uses his secret v^(k0) and other users' encodings V^(k) to compute such a modular product. We can see that this is a zero-tested message. Then KEY is its high-order bits, with no relation to k_0.

Application 2, the instance of WE based on the hardness of the X3C problem. A piece is a subset of the set {1, 2, ..., 3K} containing three integers. An X3C is a collection of K pieces without intersection. The X3C problem is such a problem: for arbitrarily given many different pieces with an X3C, find it.

Encryption. The encryptor generates EKEY as follows. He samples short elements v_1, v_2, ..., v_3K from R, computes the modular product V1, V2, V3K, Y2K, p_zt, mod q, and takes EKEY as its high-order bits. Then he can use EKEY as the key to encrypt any plaintext. Then he hides EKEY into pieces as follows. He randomly generates many different pieces of {1, 2, ..., 3K} with an X3C. For each piece I1, I2, I3, he encodes the product, V1, V2, V3, into capital V, I1, I2, I3, and publishes all capital V, I1, I2, I3.

Decryption. The one who knows the X3C computes the zero test of such a modular product. Then EKEY is its high-order bits.

Then the detail of our modified encoding/zero-testing. Now, here are our special tools for modular operations. And here are our three steps and our conclusions. Then other details of our work are in our manuscript. I think they are a little bit, a little bit. And my time is coming. So thank you all.

Is there any question? OK, so I have one question. So you have one attack when no public encoding is given for publicly encoding value and for witness encryption. So did you try to look at obfuscation, because there is no public value to encode? It's also already encoded, as for the X3C.

Yes, I tried, but not successful.

Yeah, any other question?
OK, so let's thank the speaker again.