 Thanks everyone for coming. So today I'm gonna talk about, so this talk is gonna be about crypto analysis of candidate branching program of skations And this is a joint work with crack gentry and the shy. Hello V 40 years ago If we have a maker announcement that we sent we stand today on the brick of a revolution in cryptography and And four years ago in the IO paper, they also still didn't say that we stand today on another break of Stained the on the break of another revolution in cryptography, but we feel like this is happening So with the power of IO as you can see from the several of the talks Industry or crypto and in the previous years you can build Fancy applications and I think more importantly it starts It gives us a new way of thinking in cryptography But as the people who maybe only have the elliptic curve on your hand or like the other tools and on your hand you can still think so what can IO candidates be built up from and Currently we kind of only know how to build IO candidates from candidate multi-linear maps and the question is going to be recursively come back say How much do we know about the candidate multi-linear maps and the IO candidates based on them? so a brief history about the multi-linear map and their relevance in cryptography so in 2003 Bonnet and Silverberg gives us the motive of thinking about multi-linear forms in cryptography and also they kind of envision Kind of there is maybe there are some possibilities to extend the very patterns elliptic curve to make it to multi-linear or higher degrees and 10 years later the candidates we have actually coming from a slightly different field which is really There are three proposals were from I will just abbreviate in this talk as GDG 13 CLT 13 and GDG 15 so they are all based on kind of the noisy based the lattices based For the homomorphic encryption idea and they tailor the decryption method to support some Equality test in the highest level So with these candidates so four years later how much do we know about these candidates? So kind of that's the status of the candidate multi-linear map if I summarize now There's something in the bottom that we still don't We are understood which is even the one wayness of the secrets in the encodings So they might be secure. They may be hidden in some situations They may not be hidden in some other situations So we still don't have a general kind of methodology to understood how much they're hidden and So we don't have really good examples, but we usually take two benchmarks of the Applications that are built from multi-linear maps So one application will be the multi-party non-interactive key exchange Which sort of needs to use the public sampling mode of multi-linear maps and the other branch mark is the Indistinguishability of skation which do not need the public sample motor Public sample of both feature and usually we try to analyze these two benchmarks to understand How much do we understand about the underlying multi-linear maps? so This is kind of the status before this work. So we kind of like The power for zero nizing attack kind of breaking the public mode, which is the key exchange application for all the three candidates and for IO we actually We actually don't know how to break off them and we have some hope of security on Maybe some candidates. So for CLT 13 the original zero nizing attack and then you can Basically use that to break some branching program of skation based based on the GJSW for GJS13 the work of myos at all can be used to they use the They can break for some simpler variants of the of skation candidates that I will mention later And the for GJS15 based Indistinguishability of skation candidate. We didn't know any analysis result before this work So in this work we basically show New analysis results on the GJS13 based IO and the GJS15 based IO so in a very high level our new tech combines the zero nizing idea from kind of the Attack of John at all two years ago, and then we also We also need to explore it the weakness inside of skation. So that's kind of the To the core of our new attack. So I will mention it later All right. So the plane of the rest of the talk is I'm gonna I'm gonna review the GJSW of skation candidate and Actually, I'm gonna spend most of the time to review that candidate because kind of the course to Extract the The feature of that candidate and then kind of analyzing the candidates on GJS15 and 13 It's gonna be following my explanations on that candidate And I choose to kind of spend more time on GJS15 because that candidate seems to be less familiar with people And in the end I will briefly mention how it applies to GJS13 So let me Review the candidate IO from GJSW. So in my point of view I kind of Split the construction into a layer and the layer fashion. So let me explain what I mean So to off-skate a program. So any program is any of skation of a program It's just gonna be another representation of the problem. It's just depending on the representation So what do you do? So what what is done in the GJS13? It's actually I Think of that in kind of four layers So first a zero layer you think about you first to choose a representation of the Plantex expansion program Then they add three safeguards or the randomize is Randomizing kind of process on the plain Plantex programs and then in the end they wrap the randomized the Plantex program using the Multilinear max Multilinear maps mechanism. So in some sense the safeguards are the randomizing steps that they sort of Intuitively give more trouble and the preventing illegal operations that I will also explain and The final multi-linear map is sort of like we think about this is the source of computational harness So that's the big picture So the truth of the Plantex program chosen by GJSW is Oblivious branching program. So basically you can represent arbitrary circuits by the subset products of a lot of In a concrete term the permutation matrices. So in this picture, these are all permutation matrices So the for the practical purpose for obfuscation We think about we have a functional branch Where if you selected the input so the input was selected the steps The first for example that the first input was selected the first step and the third step Second input for these so for any inputs the pet will look like something like that and You do the product of the selected matrix. You get either identity or non identity cycle So that will tell you zero and one and actually you always compare with a zero dummy branch So in this picture the dummy branch are all identity. So whatever you evaluate you got identity So you compare with these two and then you tell whether you're encoding a zero or not in this branching program representation So let me describe the safeguards right now. So the first safeguards is called Killian randomization. So you basically pick random Random matrix and it's inverse and then multiply them in the middle of each pair So therefore it's kind of randomized each of them, but still we evaluate everything is going to be the same because the K and the K inverse cancel out and Then you do another kind of different pairs of K prime in the branch dummy branch again So the second the safeguard is called They called the bundling scalars to protect the mix input attack. So what is mixing put attack? So observed the oblivious branching program to represent a circuit So some input each input can actually manipulate multiple steps So in some sense if I choose the first block in the first step and the second block in the second step Then you can actually compute something which you are not allowed to compute to so the scalars that random scalars a and a prime they are chosen to trying to kind of Enforced the consistency so you must choose the right scalars And in the functional branch in a dummy branch and then you subtract them They can cancel out if we do it illegally they want to cancel out so you will get always something you cannot recognize with So I'm trying to I'm going to remind you that actually the scalars are going to be the weakness kind of exploit in this attack so this is the right time to wake up and Let me do that this slides again. So observe. What's the kind of the intuitive weakness of the scalars? So the scalars chosen by them are kind of need to have some limited the community a community Property so in some sense, whatever a community is better for cryptography crypt analysis. It's easier to Extract with so I will come to that point when we want to scrub the attack So the third safeguard is called diagonal randomizations And on the diagonal entries on the the random mentions on the Diagnose and the bookends they put the bookends in the on the on the two sides So in this picture, it doesn't show us anything just to change the B and to change the The color. So let me do a zoom in so in each block You don't represent the permutation branch of program itself Also, you pad you and the V on the diagonal These are random and when you multiply together these you and the V are going to be multiplied on the position of you and the V So to cancel them out in the end What you do is you put the left the bookend which is zero on the first block and The right bookend which is zero on the second block so that the functionality still work and it gives you more randomness So this part don't have an intuitive explanation of what what it really prevents But somehow in the previous attack by Miles et al for digital 13 kind of if your Obscasion candidate don't have the random diagonal entries They can actually attack but with the diagonal entries. They don't have the attack So kind of this intuitively creates more problem even in a very concrete sense So let's summarize all the safeguards and in the end you just to apply the multi-linear map on whatever you have Got to know like the randomized the branching programs So this summarized the GGH ISW candidate and in fact many of the branching program candidates You can take an alternative view of these things as Having these components maybe put them differently Maybe throw away some of them maybe add something more or maybe choose a different representations So and there are other candidates based on circuit the model or they are both dropping from Function encryption or put them together So these will not be covered by the talk today, but I believe you can use the similar techniques to analyze yourselves So, okay, so that summarized the description and if we take a more Can kind of more deep view on the difference of other candidates? So the GGH ISW the status is in the middle if you use the candidates without the Certificate guard, which is the diagonal entries. We know how to break them for to just 13 digits 15 We still don't know and if you do it Kind of like even you you enforce the representation of the branching program to use the door input branching program that fits into the right side and They even have a security analysis the security proof in the idealized the model for GGH 13 So this kind of gave you a more concrete view of comparison with simpler and the candidates and even harder candidates so our work Our work is still focus in the middle, but let me continue So now let me move on to the GGH ISW if you are wrapped a multi-linear map with digits 15 So let's see what happened. So still brief review of digit 15 So the digit 15 if I capture it concretely, it will still take another 25 minutes So just let me do a one-shutter review So remember we are trying to wrap each of these square matrices randomized in the way that you can still multiply them and Do the zero test in the end So what digit 15 do is you think about each slot of these square matrix You sample an LW encoding of that Then use the aim matrices, which these are the digits 15 parameters. You sample a small Small matrix encoding so a matrix which encodes as these matrices are with small norms, but these details are not a I think these details are two details for this talk. So these are what the encodings look like and The whole branching program of skated a branching program. Let me give you a big view So remember there's a functional branch and there's a dummy branch the encoded the program is going to be look like this So you will start with the functional branches above and each of them is encoding each of the s and To evaluate you just to compute a dddd according to the input you are choosing and as there is a dummy branch You also multiply accordingly in the end you subtract So, okay, so let me describe the setting for the crypt analysis to now So to attack digit 15 we actually take four steps, but before I tell you the four steps Let me tell you what kind of branching program we can break So we are thinking for concrete examples, so you can extend them later actually so we're trying to distinguish program where all the branches are an edited matrix and We are trying to this Distinguish this with some other branching program. Maybe the these two blocks of the branches are no entities So they computed the same functionality, which is all identity But they are visually different from this slide at least and we are trying to break them after they are wrapped with all the safeguards and Okay, so how would we do so step one so step one is kind of easy We first honestly evaluate on essentially all the inputs and we need to organize them kind of smartly So you think about we drop a line on the branching program so we iterate many inputs on the left and the iterator many inputs on the right and do the evaluation and The compute w equals to a dddd on the functional branch and the a dddd on the dummy branch and a subtract them as the honest evaluation And we need to organize these matrices in a bigger square matrix, which I will call it w So why is that useful? We will explain later So you do a bunch of honest evaluations and then we are going to play with these evaluations So the second step is we're going to compute the left the kernel of that organized w So after you have this w matrix is you can rewrite it the expression into kind of the Product of two sub matrices. So the first one will be having These s as a secret concatenate with all the error matrices and the the Z branch will be Also, what you can see from the Z branch So the important observation now is Let's just take a kind of a general view of both of them So the Z branch is very likely the Z box you take it as a square matrix It's very likely to be for rank in the basis in the basering So it's not any multi queue anywhere. It's in the basering So therefore if you computed the left the kernel of w it will be the left the kernel of x actually So these two steps are kind of the standard zero-nising attack by the previous work of corn at all and then the next few steps is going to be involving the obfuscation features So step three and the step four are gonna be Extracting the information about the scalars from the left the kernel So this is actually a very complicated steps but I kind of summarized the result of analyzing this step by the Communitivity of the scalars you can rewrite each Subset product of s in that way. So therefore a can be pop out in the beginning and You just a cut off all the randomized Things you can organize the equations about ace In this way so that if it's the left the kernel computed in the previous step and a the product of a in many kind of these samples are gonna be the Unknown variables that you're trying to solve. So this is what we have and this is what we want so the problem is this is kind of a bunch of nonlinear equations and you need to find a way to solve them and And so it's actually like we are using the homogeneous feature of these equations So it's a tricky step that but we guarantee after certain parameters You can still kind of solve these equations and to get to the relations of these scalars so Okay, so see in some sense if we get the relations of the scalar We should already do the kind of the mix input attack because we kind of already take out one of the safeguards and But it turns out to there's still more stuff we need to do Which in this case because we only get the ratios of the scalars and the these things are actually included in the ring of Cyclotomic integers. They are not in the ring of It's not it's it's in the fraction field of Cyclotomic integers. So what we have is the ratios and we want is each of them so in some sense In the last step we use a huge hammer that if you have the Principle idea of program principle principle idea of problem solver and the fractional oracles Then we can actually get some of these scalars So if you want to build a quantum computer or willing to spend some exponential time on your own Please try to build a principle idea so in the fractional oracles So to summarize after these four steps and in the in the last step using some Superior power you can extract the scalars and the conduct the mix input attack so Gigi 13 is very simple What you do is actually So I will skip the Gigi 13 recap the feature is also the similar since you get the ratio of the scalars And then try to do the kind of their use the simplified another Annihilation attack to extract to do the mixing put attack in the middle zone. So I will skip the details so to summarize this is the status and Kind of like I put something in the middle now. So this is the Gigi 13 Sorry, this is the Gigi s I SW status and this is the concurrent to work which there's Online concurrent with our proposal and I think still using all of these techniques breaking branching program candidates with dual input Protection and with all the safeguards is still difficult so These are the summarizing of the status and These are the direction for the new crypto analysis if you want to try and also we have some positive So for counter crypto analysis, you can also For limited use of Gigi 15. We already know something can be proved based on LWE so all of these stories are kind of the ongoing story of pursuing the truth and happiness in the crusade of post-modern Cryptography and I hope you enjoy the talk and the thanks for your time