 So, my name is Ile, I recently graduated from Boston University and moved to Visa Research. So, today I'm going to talk about the work I've done back in Boston with Vinod and Hottak about GJ-15 multi-linear map with permutation branching program. August the 21st, 2018, Palo Alto, heavy snow. Alice finds a public encryption scheme which is post quantum secure based on Schrodinger's equation. Alice finds out that she missed a post quantum cryptography competition round one, but she still finds it interesting to share the idea and let everybody join the attack. So, she does it by posting it on the blockchain and offers 100 bitcoins to whoever breaks it. Not only does Alice post the scheme on the blockchain, she does it cool by encrypting the 100 bitcoins using Wynn's encryption. So, what is a Wynn's encryption? So, Wynn's encryption is, it takes an MP instance X and a message M. It has the functionality that if it is a satisfiable instance, then anyone who has the potential Wynn's can use the Wynn's to decrypt the message. And the secret is that if X turns out to be unsatisfiable, which means nobody can find any Wynn's, then the message is hidden under the encryption. So, in this case, you can think about Alice encrypting the statement. There is an attack to Alice's PKE scheme based on Schrodinger's encryption. And if someone finds a polynomial time attack, it can be the Wynn's. And if nobody finds the attack, then the 100 bitcoins as the message will be hidden forever in the Wynn's encryption. So, what do we know about Wynn's encryption at today? So, just as a quick summary of the current status, we have several Wynn's encryption candidates more or less based on multi-linear maps. None of them are based on established cryptographic assumptions. So, these are the citations. You can look at them afterwards. So, what's the relation of Wynn's encryption into the title GJS-15 Beyond Promotation Branching Programs? So, GJ-15 is one of the leading, not the leading, one of the candidate multi-linear maps. And from multi-linear maps, and especially GJ-15, we know how to build a lot of cryptographic applications, such as constrained PIF, various forms of auscultions, and multi-linear, multi-party key agreement. But it turns out that multi-linear maps, and also including GJ-15, it's a design framework. So, it does not guarantee that whatever you build from GJ-15 or multi-linear map, it satisfies the security you want. So, it gives you construction, and in fact, each construction we need to analyze in a different way to understand whether the actual construction is secure or not, depending on the application. So, this is on the board. It summarizes something we have known about what multi-linear maps or GJ-15 can imply. And it turns out they live in different spectrums. So, some of them can be proven as secure as LWE. Some of them we have explicit attack, and some of them we don't know how to prove, we don't know how to attack. So, we call them candidates in this talk. So, the main motivation of this work is we want to systematically study GJ-15 in a systematic way. And the goal is to try to discover new attacks and, more like, say, more insights, say, how to prove how to attack this GJ-15 kind of framework to show what we can build more or what we can break from the previous constructions. And maybe I would just go through this kind of, like, give some intuition via the lens of witness encryption. So, maybe we can build it. Maybe we can break all of the candidates. Something would happen. With this motivation, let me come to the summarize of this, our result. So, we have a lot of results. So, let me try to pick the highlights. It turns out we have new insights as the results in all the three spectrums. But more, I think, more kind of meaningful or more results we can abstract, it turns out to be on the proof side. So, this will be the focus of my talk, that we introduce new lattice tools and the new analysis techniques for GJ-15 multi-linear map, such that they lead to better, they lead to different private constraint, PIF, and lockable obfuscation for general branching program. So, the immediate consequence is improving the efficiency, and I think there's more interesting property we can dig into that. So, also, we propose new attack to the existing IO candidates on GJ-15. So, we end up seeing, like, the encryption still stands as candidate, and sort of like another way to say is, this result should be written as, we try to build a lot of technique to imply witness encryption. We didn't make it, but we provide a lot of insights, and hopefully I can convey some of them during this talk. So, before I start the technical part, I want to just relieve myself because GJ-15 multi-linear map, it's a very beautiful object, but it's a little bit hard to understand for people who first see it for the first time. So, in this talk, I will just sketch the surface of, give you a flavor of what's going on, and hopefully it can convey as much idea as we hope for. So, multi-linear map, just a brief recall, it's motivated by Bonnet and Silverberg. So, you can think about if you have a lot of group elements like the S1, G2, S2, G2, S3, if there's some magical way to compute the product of the secret in the exponent without revealing them in the middle, then this is kind of the easiest way to think about multi-linear map. Or you can think about multi-linear map as homomorphic encryption plus public zero test. So, this makes a clear distinction because homomorphic encryption, I suppose, secret decryption functionality. So, we have a few candidates for multi-linear map. We know how to do a bilinear map which takes one product in the exponent 30 years ago by the way-pairing algorithm of Miller. For M multi-linear map with M bigger or equal to 3, we only have the first candidate since the first breakthrough of Gaugatour at 2013. And now we have three candidates they are all based on non-standard use of lattices, which means we don't know how to base the security on sort of like the shortest vector problem in general. Among the three candidates, the one of JJJ15 is mostly, this is the one which is close to LWB, which I'm going to focus in this talk. So, think about, so let me give you my understanding of JJJ15. So, think about the ring LWB analogy of this idea of multi-linear map. So, you put all the secrets as the LWB secret. So, here we think about the secret. It lives in the space where it's commuted. So, for example, the secret is a matrix, it's not a vector, or it's just a ring element in the ring LWB setting. And somehow we want to have a way to magically map the exponent together without rebuilding them in the middle. So, this is the difficult part. So, JJJ15, this concept is also appeared as cascaded LWB in actually different works. Actually, after you draw it clear, it's kind of like a chain in all these LWB samples in some special way. So, you can also think about it as the blockchain in the multi-linear maps. In the end, you will see a chain, and each chain has like two slots. It's not like a blockchain which only have one line. You can, if you focus, it sucks, this is only like a, this is a general blockchain. So, how to do it? So, let me start the example by just doing the chaining for two chains. So, to connect to LWB sample, we will use the public matrix of the left sample to also trap the sample some preimage which connects to the next sample. So, this is the brief idea. How to do it? We need to use the trap the sampling algorithm. It has the functionality that, given any image Y, given the trapdoor of, given A and this trapdoor, you can sample a small preimage such that A times D equals to Y. And if you sample the D matrices as the preimage of LWB sample SA plus E, and you publish the D matrices essentially as the encoding of the LWB secrets, then to evaluate, you just take the product of A0 and D1, D2, evaluate, it will give you something like, the functional part has the product of S times A and the rest of the part are all small, small noise, relatively small compared with the modulus Q such that it realized the functionality in some sense. So, before talking about the witnessing question of the multi-linear map, I want to mention briefly what's the harness of arguing security of a multi-linear map. So, because we are using trapdoor sampling, so therefore the LWBness of the left sample is not guaranteed in the beginning. So, just to keep it in mind, I will mention it later in the discussion of how to prove anything meaningful. So, as I mentioned in the beginning, we want to talk about witness encryption together with multi-linear map. So, the brief idea of building witness encryption for multi-linear map is you encrypt the instance, you encrypt the message, and homomorphically evaluate it to make a public test whether the potential witness satisfied the instance. But this is kind of saying nothing, it's like for most of the application you can think in this way. So, it in turn shows multi-linear map is very powerful. What I want to highlight for a particular witness encryption constructed by Gentry at all is just to forget about all the details, it can magically turn the witness encryption into a multi-linear map candidate, into a witnessing candidate such that you can think about the resulting plain text can be modeled by a read once branching program. And this branching program is also low rank. Think about the matrix branching program. If you represent it by matrices, it's the low rank matrices. So, in some sense, low rank matrices are bad news for multi-linear maps because something I didn't put on the slides that the previous provable case I showed for logable obfuscation and the private construction PIF they're all based on permutation branching program. So, low rank branching program is something that we haven't studied like whether it's secure or not. The good news is the resulting plain text you can think about is a read once branching program. So, it's potentially much easier to think about. And it has other nice structure which I didn't kind of abstract here. All right. So, so far I've concluded that there is a witness encryption candidate for GJJ15 it can be resulting to a low rank matrix branching program as the secret. So, in some sense, if we can prove GJJ15 works for all the low rank branching program, then in some sense we are done like this, like prove the theorem. So, we ask can we show anything special can we show anything secure for low rank branching program used together with GJJ15 and in this work we say yes in some limited case. What we will show is there is a special case of low rank branching program when it is used together with GJJ15 it can be proved as secure as ALWE. So, this special instance is when there's one slot that is always random, for example where the zoom is at the bottom right diagonal, if this slot is always occupied on all the matrices then our theorem shows this kind of branching program can be proven as secure as ALWE. So, the top right part can be anything even zero or whatever you want. So, before telling you how to prove anything let me tell you a little bit about where can this special type of branching program be useful. In fact, we don't know how to build a witness encryption or IO from this type of branching program. Our candidates are only a stone's throw from this type of branching program. What we do know is how to simplify the private constraint PRF and the locable obfuscation using this framework. Let me just give you one example. So, if you take the private punctual PRF constructed by Bonnet, Louis and Wu which is described under the multi-linear subgroup decision assumption. If you instantiate in GJJ15 you can instantiate in the following way so that there's a right bottom slot is the always random slot which will guarantee that you get a PRF and the top right part will be a punctual slot where you embed all the functionality you want. Just to give you a brief flavor in fact you can prove it from LWE. So, now let's come into the proof and first let's formalize what we are trying to prove. What we are trying to prove is what we call semantic security all the way back from like the semantic security encryption. We also want to broad idea here. In some things we want to say the top part is the real instantiation like all the AS you see these are using capital sampling and all the secrets they contain the plain text they contain the dangerous thing you want to hide. We want to show that under some situation the real construction is indistinguishable from sort of a simulated construction where everything is like A matrix is random you make sure it's random D is like a random Gaussian it doesn't contain anything about the secrets on the top. So this is the goal of the proof. So, in fact before telling you the proof of GG15 with low rank branching program it's worth to take a quick overview of GG15 used together with permutation branching program. It will be helpful. So, on a high level GG15 with permutation branching program is so we need to start a proof strategy from the right-hand side of the LW sample to the left-hand side. Because the right-hand side is the only A matrix which we didn't use it to do a capital sampling. So, first we need to use a lemma of a permutation branching program LWE which says if the S secret looks like a permutation branching program tensoring some random Gaussian matrix S, then you can prove LW sample with this structure kind of matrix is indistinguishable from random. So, this is the special part where we use where the previous works use permutations. So, with this strategy you can go one step left by turning LW samples to random and then you use the GPV chapter sampling lemma to close the chapter because the purpose is like all the way back we want to use the fact that the chapter of A is not used to go all the way left and using GPV. So, GPV says if the image is random then there is an oblivious way to sample it without using the chapter of A. Alright, so using LW plus GPV LW plus GPV again and again again we go all the way from right to left and eventually we can close all the chapter and it turns out to be a simulated distribution. So, this is the end of the replay of the previous proof technique. So, you may ask, so now what's the difference for LW matrix branching program? So, now we will see the difference. So, to see the difference let's zoom in the even the first chunk of the chapter sampling and eventually we will get LW matrix let's just think about like two block LW matrix and it's now useful to actually separate the public A matrix into a top part and the bottom part. So, the bottom part is still nice as we guarantee that we put a random matrix on all the lower right diagonal of all the secret matrix. So, we can also still guarantee that the wide bottom part looks like random. But to record to trigger GPV we need to show that the entire matrix is uniform which is not the case here. So, the real problem is like how do we go left to try to close the chapter of something on the left. So, to handle this kind of like a half scenario we need to introduce a new lattice chapter lemma which says if you have an image where the top part is anything the bottom part is uniform then you can use half of the chapter sorry, you can close the bottom part the chapter of the bottom part and use the chapter of the top part to sample a prime image of Z and you can pretend still this D lives in the right distribution. In fact, these two distributions are statistically close. So, using our first lattice lemma we can at least do one step left and since we guarantee that all the matrices has the right bottom part being a random so all the way to the left closing the chapter of the bottom part. So, this is kind of halfway done and to show the entire semantic security we still need to handle the top part and in fact the most interesting information is usually on the top part because we are going to encode whatever we want on the top or left matrix. So, how do we handle the upper matrix? So, it turns out I sneak a little bit of the construction I haven't told you that in the actual construction what we publish is the top plus bottom A matrix. So, we don't separate them you can say that if you separate them the secret can be actually explicitly reviewed. So, if you only publish the sum of all the left matrix which in other terminology you can think about is as the left bookend in the traditional obfuscation from JJJ15 then we are going to use the second property that if you assemble the preimage of anything plus small error and if you are just a sample it directly and you watch this D matrix this is clearly a preimage of Y under the function A. But we have a funny observation that if we can hide the A matrix and the Z plus E matrix then you can actually show this D matrix the preimage is indistinguishable from a random Gaussian matrix. So, this is like a new lattice lemma that if you assemble a preimage and also hide the functionality in some sense then it gives you a preimage which is indistinguishable from some canonical distribution. So, with the second lattice lemma we can actually go all the way right because first we had the left matrix, the A top it's using trapdoor as fine so it can be hidden by the bottom part you turn this D matrix into Gaussian and you can use this strategy all the way to the right. So, let's review the proof again. So, it's kind of like two steps so the first step is more complicated the permutation branching program in the sense that the permutation branching program you only need to do one way. So now we first close the trapdoor of the bottom and then handle the top part using the second lattice lemma. So using these two tools we can show that this type of branching program used together with GJS-15 is as secure as the SWE. Right? So, this summarized the proof part and all the interesting technique in the proofs. So, let me just say a little bit about attacks. I say we can only prove certain type of low rank branching program but what about the rest of them? So, for the rest of them we show that some of them can be broken. In fact instead of telling you like what's the theory behind the attack let me just tell you that attack algorithm is very simple. So, you first compute a matrix by collecting a lot of evaluations on the potential IO candidate then you test the rank of this matrix. So, this is the analysis by picture for a read once branching program. The analysis is going to be very, very complicated if you work with a read many times branching program. In fact we also published the stage code of just demonstrated how to attack and I also run the attack on the code of written by Shai at all and you can also try it by yourself. So, okay, so in the end what about witness encryption? So in some sense we don't know how to we don't know how to make a witness encryption which falls into the categories that we can prove anything and in fact which I didn't say is like the attack can be also used to break all the assumption we make towards the witness encryption but still we get some witness encryption we don't know how to break and we believe it's kind of a stone throw from provable one so it's leaving as a candidate I hope people are interested to look at it and also we also write an IO candidate which demonstrate what we don't know how to prove. So this honestly I have a little bit less confidence but still even after this summer I don't know how to break it. And these are the related works so the two lattice lemmas are also mentioned in the concurrent work in fact they appeared earlier they just didn't publish an e-print of Goya Toa to build Trader Tracing from ALWE and also there's another work by they illustrate the limitation of our attack on digit 15 based IO candidates what I think about one of the interesting future direction is you can still try to build applications using the simple multi-linear map framework I think about you are using subgroup decision assumption or slots or something like that and try to instantiate using digit 15 because I believe there's something to explore in this direction and try to see if it can be proven from ALWE so that's it thanks for your time