Hi everyone, I'm Li Yao, and today I will be talking about cryptanalysis of candidate obfuscators for affine determinant programs. This is joint work with Yilei Chen and my advisor Yu Yu. [BIJ+20] proposed candidate obfuscators whose computational model is neither a circuit nor a Turing machine but an affine determinant program (ADP). An ADP has a strong connection with branching programs, and I will explain the connection later. In this work, we show cryptanalytic attacks on the candidates. We also give a plausible fix which may defend against our attack.

Let's start by talking about indistinguishability obfuscation (iO). iO is a compiler whose input is a program P. It outputs a program P′ which computes the same function as P. Moreover, if we have two functionally equivalent programs P1 and P2, their obfuscations P1′ and P2′ are computationally indistinguishable.

Now let me introduce the computational models used in the candidate iO, which are branching programs (BPs) and affine determinant programs. Both of them can compute some function f with n-bit input and 1-bit output. A BP is a DAG with one source node and one sink node. The edges of the DAG are labeled by x_i, ¬x_i, or 1, where x_i is some input bit of the function f. The BP is evaluated in two steps. First, we delete those edges whose label evaluates to 0 on the input x. For example, if the input is 111, then x_2 = 1 and ¬x_2 = 0, so we delete the edges labeled ¬x_2. Second, we count the paths from the source node to the sink node. Since we construct the DAG carefully, the number of paths is either 0 or 1. For example, on input 111, the BP outputs 0, as there is no path from the source node to the sink node.

An ADP consists of n + 1 matrices (A, B_1, ..., B_n) along with an evaluation function. The ADP is also evaluated in two steps. First, it computes L(x) = A + Σ_{i=1}^{n} x_i·B_i. Second, it computes the determinant of L(x) and feeds it to the evaluation function as the input.
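To make the two evaluation steps concrete, here is a minimal sketch of ADP evaluation in Python; the matrices below are illustrative toy values, not taken from any real candidate:

```python
import numpy as np

def eval_adp(A, Bs, x):
    """Evaluate an ADP (A, B_1, ..., B_n) on input bits x:
    compute L(x) = A + sum_i x_i * B_i, then output det(L(x))."""
    L = A.copy()
    for xi, Bi in zip(x, Bs):
        if xi:
            L = L + Bi
    # the evaluation function is the identity here, so the output is
    # just the determinant (rounded, since np.linalg.det returns a float)
    return round(np.linalg.det(L))

# a toy one-bit ADP: det(A) = 1, det(A + B_1) = 0
A = np.array([[1, 1],
              [0, 1]])
B1 = np.array([[0, 0],
               [1, 0]])
```

For example, `eval_adp(A, [B1], [0])` returns 1 and `eval_adp(A, [B1], [1])` returns 0.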
Here the evaluation function is the identity function, so we omit it. There is a transformation from BPs to ADPs. Let M(x) denote the adjacency matrix of the DAG. We can obtain L(x) by deleting the first column and the last row of M(x) − I. Correctness follows from [IK97], which says that the determinant of L(x) is equal to the number of paths from the first node to the last node. Since we can write x_i as 0 + x_i·1 and write ¬x_i as 1 + x_i·(−1), L(x) can be written as A + Σ_{i=1}^{n} x_i·B_i. For example, a ¬x_2 entry in L(x) can be decomposed into a 1 entry in the matrix A and a −1 entry in the matrix B_2. We can also observe that if L(x) does not depend on some input bit x_i, the matrix B_i will be the zero matrix. This observation is useful in our attack.

Now let me take a brief look at the [BIJ+20] obfuscation scheme. The scheme consists of four functionality-preserving transformations: RLS, AddNoise, AddDAG, and REnd. AddDAG is designed to prevent dishonest evaluation, and REnd is designed to hide all information except the determinant and the rank. Since our attack never evaluates dishonestly and only uses determinant information, we can focus on just RLS and AddNoise. AddNoise generates n + 1 noise matrices, each of whose entries is sampled from some noise distribution. We add two times these matrices respectively to the matrices of the ADP. To keep correctness, the evaluation function also changes from the identity function to the mod 2 function.

[BIJ+20] proposed the mod 4 attack to show that the scheme cannot be secure without RLS. The attack works by computing the determinant mod 4. Since the program is chosen carefully by the adversary, the only unknown part is the noise added in this step. Therefore, the adversary could learn the parities of the noise terms. To prevent this, RLS is designed to inject randomness into the carefully chosen program before AddNoise.
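The BP-to-ADP transformation just described can be sketched numerically. This is a minimal illustration of the [IK97] fact, assuming the nodes are topologically ordered with node 0 the source and the last node the sink:

```python
import numpy as np

def paths_via_det(M):
    """Given the adjacency matrix M of a DAG (topologically ordered,
    node 0 = source, last node = sink), delete the first column and the
    last row of M - I; the determinant of the result equals the number
    of source-to-sink paths (up to sign)."""
    m = M.shape[0]
    L = (M - np.eye(m, dtype=int))[:m - 1, 1:]
    return abs(round(np.linalg.det(L)))

# DAG with edges 0->1, 1->2, 0->2: two paths from source to sink
M = np.array([[0, 1, 1],
              [0, 0, 1],
              [0, 0, 0]])
```

Here `paths_via_det(M)` returns 2, matching the two paths 0→1→2 and 0→2.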
As a result, this part becomes unknown, and thus the parities are hidden successfully. I will explain RLS by showing a subgraph of the BP, or equivalently the corresponding submatrix of the ADP. RLS works by adding an intermediate node between every two nodes; let v_jk denote the node added between v_j and v_k. If there is no edge from v_j to v_k, then to keep the connectivity we can add an edge from v_j to v_jk, or add an edge from v_jk to v_k, or do nothing; namely, we have three choices here. Similarly, if there is an edge from v_j to v_k, we have four choices. Compared to the previous case, we have one more choice, as we can delete the edge between v_j and v_k and let the path go through the intermediate node instead. If the label of the edge from v_j to v_k is x_i, we can decompose into the case x_i = 0, which has three choices, and the case x_i = 1, which has four choices, and then compose them together. For example, this edge appears if and only if x_i = 0; thus, the label of the edge should be ¬x_i. Therefore, we have 3 × 4 = 12 choices in total. Here we show a complete example of RLS. One can easily check that RLS does not change the connectivity between any two nodes.

The key observation of our attack is that RLS cannot always inject randomness into every matrix. To be specific, if B_i is the zero matrix, which means the program does not depend on x_i, the resulting matrix B_i′ after RLS will also be the zero matrix. I will show our attack with two examples. Assume that we have an ADP whose matrices B_1 and B_2 are both zero matrices. After RLS, B_1′ and B_2′ are zero matrices too. Thus, when we compute L′(x) = A′ + Σ_{i=1}^{n} x_i·B_i′, we have L′(00) = L′(01) = L′(10) = L′(11). Then we use the aforementioned mod 4 attack and obtain the following four equations. Although RLS helps hide the information in this term, we know that these four terms are equal to each other due to this property.
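The four equations above can be checked numerically. Below is a minimal sketch of the basic attack, assuming n = 2, a single 3×3 matrix L′ shared by all four inputs (since B_1′ = B_2′ = 0), and illustrative random noise matrices E_0, E_1, E_2:

```python
import numpy as np

rng = np.random.default_rng(0)
det = lambda M: round(np.linalg.det(M))  # exact for these small integer matrices

# L'(x) is the SAME matrix for every input, because B1' = B2' = 0
Lp = rng.integers(-3, 4, size=(3, 3))
E0, E1, E2 = (rng.integers(-3, 4, size=(3, 3)) for _ in range(3))

def d(x1, x2):
    # determinant of the noisy program on input (x1, x2):
    # AddNoise adds twice the noise matrices to the ADP matrices
    return det(Lp + 2 * (E0 + x1 * E1 + x2 * E2))

# across the four inputs, E0 appears four times and E1, E2 twice each,
# so every noise contribution (which carries a factor 2) vanishes mod 4
assert (d(0, 0) + d(0, 1) + d(1, 0) + d(1, 1)) % 4 == 0
```

For a program whose matrices genuinely depend on both bits, the four L′ values differ and the congruence only holds with probability about one half, which is what the distinguisher exploits.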
Therefore, we can combine the noise terms, which are marked in red. Evidently, the sum of these terms is congruent to 0 mod 4. Thus, we can attack the scheme by choosing these two programs: for P1′ the equation always holds, while for P2′ the equation holds with probability one half.

The attack so far is quite restricted, as it needs two zero matrices, which means the output must ignore two bits of its input. Therefore, a natural question is: can we generalize it so that it works on more functionalities? Looking into the attack, we notice that we only need the equality of the minors. Since we do not actually require the entries of the matrices to be the same, we no longer need two zero matrices. But how can we achieve the equality of minors regardless of the randomness injected by RLS? Here we need our second observation. RLS is a functionality-preserving transformation, which means it does not change the determinant. Therefore, we can cancel RLS when computing the determinant. When it comes to minors, since the computation of a minor is similar to that of the determinant, we can largely cancel RLS, which means RLS does not bring much uncertainty to the minors. And by choosing the ADP carefully, we can completely kill the uncertainty in the minors brought by RLS. The reason is that each intermediate node connects to at most two nodes, so the corresponding rows and columns are sparse. This property is helpful for analyzing the minors.

Let's start our advanced attack by classifying the nodes and the minors. We have two kinds of nodes: original nodes and intermediate nodes. We have three kinds of minors: minors associated with two original nodes, minors associated with a repeated intermediate node, and the others. The first case is minors associated with two original nodes. For example, when computing the (v_s, v_t)-minor, or in other words computing the determinant of this matrix, we can first add the row of v_jk to the row of v_j.
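The claim that only the minors matter can be made precise: mod 4, the noise interacts with the program matrix only through its cofactors (signed minors). A small numerical sketch with illustrative matrices:

```python
import numpy as np

rng = np.random.default_rng(1)
det = lambda M: round(np.linalg.det(M))  # exact for these small integer matrices

L = rng.integers(-3, 4, size=(3, 3))
N = rng.integers(-3, 4, size=(3, 3))  # noise matrix

def cofactor(M, i, j):
    sub = np.delete(np.delete(M, i, axis=0), j, axis=1)
    return (-1) ** (i + j) * det(sub)

# det(L + 2N) = det(L) + 2 * sum_{i,j} N[i,j] * cofactor(L, i, j)  (mod 4):
# every term of order >= 2 in the noise carries a factor of at least 4
lhs = det(L + 2 * N) % 4
rhs = (det(L) + 2 * sum(int(N[i, j]) * cofactor(L, i, j)
                        for i in range(3) for j in range(3))) % 4
assert lhs == rhs
```

So if the minors agree across the chosen inputs, the noise contributions can be combined and cancelled mod 4 exactly as in the basic attack, without needing any entries of the matrices themselves to coincide.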
This recovers the value of the direct (v_j, v_k) entry. The column of v_jk now has only one non-zero entry. Therefore, when we do Laplace expansion along this column, the determinant equals −1 times the (v_jk, v_jk)-minor. Note that −2e ≡ 2e (mod 4), so we can ignore the negative sign in the mod 4 attack. Computing the (v_jk, v_jk)-minor means computing the determinant after deleting the row and the column of v_jk. Up to now, we have deleted the intermediate node v_jk as well as recovered the value of the direct entry. We can perform similar operations on every intermediate node. As a result, we conclude that the (v_s, v_t)-minor of L′(x) is equal to the (v_s, v_t)-minor of L(x). That is to say, RLS does not change the value of these minors. Thus, the equality of the (v_j, v_k)-minors of L(x) implies the equality of the (v_j, v_k)-minors of L′(x).

However, RLS introduces additional nodes, which means additional minors. The second case is minors associated with a repeated intermediate node. This case is a little different, as computing the minor amounts to deleting the intermediate node without recovering the value of the direct (v_j, v_k) entry. Notice that this entry may be changed from 1 to 0 by RLS. Thus, the minor is equal to either the left term or the right term: on the left side, the entry is changed to 0, while on the right side, the entry remains unchanged. To kill the uncertainty, we want these two terms to be equal. In the third case, when we compute the (v_s, v_jk)-minor, the row of v_jk has at most one non-zero entry. So if this entry equals 0, the minor is 0. Otherwise, if the entry is 1, we can do Laplace expansion along the row of v_jk, which amounts to deleting the row of v_jk and the column of v_k. Up to now, we have deleted the row of v_s, the column of v_k, and the intermediate node v_jk. So this minor is equal to either 0 or the (v_s, v_k)-minor of L(x), by the argument of the first case. To kill the uncertainty, we want the (v_s, v_k)-minor of L(x) to equal 0.
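The row operation and Laplace expansion of the first case can be traced on a toy example. A minimal sketch, assuming a 3-node DAG with edges 0→1, 1→2, 0→2 whose edge 0→2 has been rerouted by RLS through one intermediate node w (all matrices here are illustrative):

```python
import numpy as np

det = lambda M: round(np.linalg.det(M))

# original L: rows index nodes {0, 1}, columns index nodes {1, 2}
L = np.array([[1, 1],
              [-1, 1]])

# after rerouting 0->2 through w (edges 0->w and w->2):
# rows index {0, 1, w}, columns index {1, w, 2}
Lp = np.array([[1,  1, 0],
               [-1, 0, 1],
               [0, -1, 1]])

# step 1: add the row of w to the row of node 0; this zeroes the (0, w)
# entry and restores the direct 0->2 entry, leaving det unchanged
Lp2 = Lp.copy()
Lp2[0] += Lp2[2]

# step 2: the column of w now has a single non-zero entry (-1), so
# Laplace expansion along it reduces the determinant to (+/-) the minor
# with w's row and column deleted -- which is exactly the original L
reduced = np.delete(np.delete(Lp2, 2, axis=0), 1, axis=1)
assert (reduced == L).all()
assert abs(det(Lp)) == abs(det(L))
```

Repeating this for every intermediate node shows that the (v_s, v_t)-minors of L′(x) and L(x) coincide up to sign, which is harmless mod 4.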
By further analyzing the three cases, we conclude that for L(x_1) and L(x_2) satisfying the following three conditions, the minors of L′(x_1) and L′(x_2) are equal, regardless of the randomness injected by RLS. We also give an example. Using this conclusion, one can easily check that for every possible (j, k), the (j, k)-minors of these four matrices are equal. Thus, our attack applies to it. Note that this function f depends on all of its input bits, which means we do break the limitation of the basic attack. However, we find it difficult to figure out the exact scope of functionalities to which our attack applies, because understanding a functionality through the ADP model is not intuitive.

To fix the candidate, we aim to break the first observation behind our attack. For example, when the (v_j, v_k) entry is 0, apart from the aforementioned three choices, we can allow other choices which depend on some input bits x_i, like this. Since x_i and ¬x_i cannot both be satisfied at the same time, there is still no path from v_j to v_k, and by labeling the edges with x_i or ¬x_i, the matrix B_i′ will no longer be the zero matrix.

For future work, we are interested in the following two questions. Can we come up with other candidates or revisions of RLS? And can we achieve provable security in some restricted model which captures known attacks? For example, can we prove security if the adversary can only perform the mod 4 attack? That's all. Thank you for listening.
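The proposed fix can be illustrated on a toy example. A minimal sketch, assuming a 3-node DAG with the single path 0→1→2 and an intermediate node w whose two edges are labeled x_1 and ¬x_1; the construction and matrices here are illustrative, not the exact revised candidate:

```python
import numpy as np

det = lambda M: round(np.linalg.det(M))

def Lp(x1):
    # A' + x1 * B1': edge 0->w labeled x_1, edge w->2 labeled (1 - x_1);
    # rows index nodes {0, 1, w}, columns index nodes {1, w, 2};
    # the direct (0, 2) entry stays 0
    return np.array([[1,  x1, 0],
                     [-1, 0,  1],
                     [0, -1,  1 - x1]])

B1p = Lp(1) - Lp(0)
assert B1p.any()                       # B1' is no longer the zero matrix
assert det(Lp(0)) == det(Lp(1)) == 1   # yet the functionality is unchanged:
                                       # x_1 and not-x_1 never hold together,
                                       # so no new 0-to-2 path ever appears
```

Because B_1′ is now non-zero even though the function ignores x_1, the first observation underlying our attack no longer holds for this toy instance.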