 Okay, so as it was said, this is a merge talk, but as the two talks, so we're going to present you two attacks against obfuscators, branching program obfuscators. And as the two talks are very similar, they have the, sorry, two articles share, two attacks share the same structure. We decided with Minky, so I'm to share the talk, so I'm going to do the introduction and then Minky is going to do more into the details. So there is only one talk. So let's start with what is this talk about, so what we're going to present you are two attacks against some candidate branching program when they are built upon the GDH certain multilayer map. And so they are partial attack in the sense that the first attack works only for a specific set of parameters and the second attack works only in the quantum setting. So yes, so the two attacks have a, as I said, a similar structure where we both use weaknesses of the underlying GDH certain multilayer map to construct a concrete attacks against the candidate obfuscators. So let me start by defining what is an obfuscation scheme. So from a functionality point of view, an obfuscator is simply an efficient, an efficiently computable function, transforming a circuit into an equivalent circuit, that means a circuit that computes the same function as the first circuit. And in this talk, we will be interested in obfuscator for the class of all polynomial size circuits or all polynomial branching program, but I'm going to define what it is later. And so that's for functionality of a branching program and what are the security requirements of the more natural definition we would like. It's called virtual black box BBB and it basically requires that the obfuscated program should reveal nothing about the initial circuit except it's input-output behavior. So we want the obfuscated program to act as a black box. The problem is that it has been showed to be impossible to achieve, so that's a result of Barak et al. in 2001. And so in the same article, they also propose a new security definition, which is called indistinguishability obfuscation. And so this definition just requires that for any two equivalent circuits, so circuits that compute the same function, we want that the obfuscated version of the two circuits are computationally indistinguishable. So all the obfuscator we are going to describe in this talk are indistinguishability obfuscators. So this second definition may seem a bit strange because what we already want is that the obfuscated program hides the circuits, but it still has a lot of application to cryptographic construction, so function and encryption for instance, but also a lot of other applications. Okay, so the fact is that almost all candidate obfuscators we currently have rely on cryptographic mutinary maps. And we have only three main candidate cryptographic mutinary maps, which are GGH 13, CIT 13, and GGH 15. And the problem is that all these three candidate mutinary maps have been shown to suffer from weaknesses, basically because of the encoding of zeros. And so these weaknesses of the mutinary maps does not directly imply attack on the obfuscator using it, but still so all the attacks we have on candidate obfuscators relies on the weaknesses of the mutinary maps. And so in this talk we are going to use weaknesses of the GGH 13 map to attack the obfuscator, so we will consider only obfuscator built upon the GGH 13 map. Okay, so let me give you a bit of history of obfuscators, candidate branching program obfuscators, and some attacks. So in this history we focus on branching program obfuscators. So there are other candidate obfuscators which are not branching program ones, but we will focus in this talk on the branching program obfuscators. So the first candidate obfuscator was proposed in 2013. And it was a branching program obfuscator. But so all the candidates we have have no security proof and this one so didn't have any security proof. So after this candidate was proposed, other candidates have been proposed also. So a lot, this is not exhaustive, I don't think so. But so they try to prove security of the obfuscator in some idealized model. So where the underlying multinar map is supposed to be somehow ideal. So in 2013 there was a first attack against, so all the obfuscators previously mentioned except the first one. So by my side in 2016, sorry. So which relied on the fact that the GGH map was not ideal. So they were able to attack all the obfuscators. Except the first one. So after this attack was proposed, a new candidate have been proposed in a weaker model. So this model captures the attack. And so we cannot extend the attack to attack this new obfuscator. And so more recently, there was a new attack by Shane Gentry-Alevi and the first candidate obfuscator, which works only for specific type of inputs. And there was a counter-measure proposed a bit later to try to prevent this attack. Okay, so let me sum this up in a big table. So the first two lines of the tables are the two attacks I already mentioned. So in this table, we also mentioned some circuits obfuscator, but we're not going to speak of them later in the talk. And so what we are going to describe you are the two last lines of the table, the two attacks in the last lines. So the first attack works against all branching program obfuscators. In particular, it works for the GMM plus obfuscator, which was not attacked previously. But it works only in the specific regime of parameters. And the second attack works only for the more recent branching program obfuscator and for circuit obfuscators. But again, it's only in the quantum setting. Okay, so that's what we're going to describe in this talk. So in order to describe the two attack, let me first describe, so give you a simplified explanation of how the obfuscators work. So we are going to focus on the branching program obfuscators. And they are very similar in structure. So I'm going to define a very simple obfuscator which captures, so not all of the branching program obfuscators, but the more recent one. And then Minky is going to describe you how the attack works on this simple obfuscator. Okay, so because we're going to speak of branching program obfuscator, let me first define what is a branching program. So it's simply a way of representing and computing a function. And so how does it work? We have a collection of matrices. So let me show you in the example. So a branching program consists of a collection of two L matrices. So in my example, L is six. We have also two vectors, A0 and A7. And we have an input selection function, which goes. So the input selection function goes from 1, 6. So 6 is the number of pairs of matrices in the branching program. Into 1, 3, where 3 is the bit length of the input. And so how do we evaluate? So let me show you how we evaluate. Sorry, the branching program on this input X. So we're going to multiply the matrices and pick only one matrix per column. So do we choose it? We first pick A0 because there is no choice. Then for the first column, we will look at the input selection function of 1, which is 1. So we're going to look at the first bit of X. It's 0. So we're going to pick the matrix with a 0 here. So this is 1. We look at the first bit. We do the same for the second column. So imp of 2 is 1 again. So we look at the first bit of X. It's still 0. So we pick the matrix with a 0. For the third one, it's a 1. So we pick the matrix with a 1, et cetera, et cetera. And so we multiply all these matrices. And we obtain something which is either 0, in which case we say that the output of the branching program is 0, or 1, no, sorry, non-zero. And in which case, we say that the output of the branching program is 1. So this is it for our branching program. So let me give you also a brief definition of what is a cryptographic multilayer map. So a cryptographic multilayer map is indexed. So there is some parameter kappa, which will denote the maximum level of the encoding. And so we will have encodings with levels from 0 to kappa. And we want three public procedures to be available on these encodings. We want to be able to add two encodings at the same level and get an encoding of the sum at the same level. We want to be able to multiply two encodings and get an encoding of the product. But whose level is the sum of the two levels? So when we multiply, we add the levels. And when we add, we keep the same level. And finally, we want a public zero test procedure. So we want to be able to determine whether an encoding at the maximum level is an encoding of zero or not. So that's what the functionality we would like for our multilayer map. And Minky is going to describe later how does the GDH map achieve this functionality. But we just need that. So now I can define, I can present to you the simple obfuscator. So how does it work? It takes, as input, a branching program. Then the first step will be to randomize the branching program. So there is three main procedures to do that. The first one is adding a diagonal block to the matrices. But we put a block of zeros here. So when we multiply everything, the B blocks get cancelled out. And so it's just the A block that remains. The second randomization technique is multiplying by random matrices. But in such a way that when we multiply something, so R1 will be cancelled by R1 minus 1, R2 by R2 minus 1, et cetera. And so at the end, we still get a product of the A matrices. And finally, the last possibility is to multiply everything by random scalars. Because at the end, we only check whether something is zero or non-zero. So if we multiply by random non-zero scalars, there is no problem. So you have these three randomization techniques. You can pick any subset of them. And you will get different obfuscators. But basically, all the obfuscators, the branching program of obfuscators, use some subset of these randomization techniques. And then we just uncode all the matrices. And we just uncode them using a multi-linear map. And so because it's a multi-linear map, we can multiply the encodings. We get an encoding at the maximum level. And we can test whether it's zero or not. So these encodings are the output of the obfuscator. So that's the obfuscated branching program. So that's all for the definition of the simple obfuscator. So I hope it's clear. And so now Minki is going to give you more details about the attacks. Thank you, Alice. Now we will see the GJ13 multi-linear map simply and talk about the contributions, details, and remarks. GJ13 multi-linear map usually defined on the link Z text over x to the n plus 1 for power of 20 to the n. And it takes the plaintext space, p, which is equal to r over the ideal g, for a small element g in r. Here, small means that every coefficient of g is sufficiently small. And it's not work. Ah, work. Its encoding space is rq, which is equal to r over qr, for a large integer q. And we usually like x bracket q to denote the representative of x in rq. To initiate the GJ13 multi-linear map, we should sample z10h, which have a heartbeat size of q. And an encoding of a at level i is defined by a plus rg over z to the i. Here, r is also a small element in r, in the link r. Then it's easy to verify that it satisfies the addition and multiplication condition of the multi-linear map. And to check the zero testing, we should define a zero testing parameter, which is equal to some value. And satisfy the following property. For a time-level encoding u, the product of u and zero testing parameter, modulus q, is more than the time-level encoding of zero. We are ready to see the contributions. Let's begin with replacing the main idea. Most of our tech brings the known mechanisms of GJ13 multi-linear map into the concrete techs for the obfuscation cases. More concretely, the first tech, suggest by Chun, Kim, Lee, and me, used the entero tech. Previously, for the suggested parameter of GJ13, the underlying entero problem is served in polynomial time using soft field techs. But this entero tech is not linked to a concrete tech of GJ13. In this work, we show that using entero server, principle of obfuscation over GJ13 can be broken in polynomial time. And the second tech, so this by Alice Pellamari, used the short principle idea of problem server, which is known to learn in quantum polynomial time. In other words, she showed that many obfuscations and circuit obfuscations can be broken in quantum polynomial time. Now, we will see the tech in detail. Let's consider two level one encoding A1 over G and A2 over G. Then by dividing them, we can obtain A1 over A2, which is an entero instance. Then, thanks to this soft field of tech, we can obtain C A1 and C A2 in the ring R. Moreover, for the other encoding A3 over G, we can compute C A3 in the ring R in some arithmetic way. Then, combining this, we can obtain some kind of simultaneous entero server, that is, for given many encoding A1 over G, we can obtain C A1 in the ring R simultaneously. And in other words, for given encoding of matrix A, we can obtain another form of encoding of A. Yes. The thing is, every element we obtain this R in the ring R rather than Q. In other words, we have removed the modulus Q. Now, we will see the attack. We take an obfuscated program of P and a plain program Q as an input. And the purpose of the attack is to distinguish whether P is Q or not. Note that it is suffice to break the indistinguishability of the obfuscation. Then, for each given branching program matrices, obfuscated branching program matrices, we serve the entero problem simultaneously. Then, we obtain a new matrices, which are all in the ring R. And it is also of the form of branching program. Then, let's consider the evaluation of the branching program. For the plain program output 0, then obfuscated program outputs time-level encoding of 0 of the form RGO budgeted kappa. And in R program, it is correspond to multiple of G by some computations. In other words, we can compute many multiple of G using the evaluation of branching programs. Then, by collecting this, using hominomal form, we can recover the ideal G and then compute the Ca till the modulus G. Note that Ca till the modulus G do not contain randomness R and level parameter G and the modulus Q. Moreover, we can remove the effect of scalar bundlings in this setting. But we omit this in detail because it is case by case study and somewhat complex. Then, we can learn the mixed input attack. Mixed input attack is the distinguishing attack on branching programs or obfuscated branching program using invalid inputs. Let's see the example. Consider an input function with output 1, 1, 2, and 2 functionally equivalent branching program. For a valid input, these two branching programs should output the same value. However, consider this invalid input indices, 0, 1, 1. It is invalid because first two indices are not equal, which violates the constraint from the input function. So for this invalid input, these two branching program may have different value. Say A outputs 0, whereas B outputs non-zero. So we can distinguish A and B by evaluating this invalid inputs. In fact, this is not permitted in the obfuscated mode because many randomizing values such as scalar bundlings, but we have removed many randoms. So we can learn this. And another in fact, in the paper, we have learned the metric sterilizing attack rather than mixed input attack, which is the generalization of mixed input attack. This is the sum of many evaluations rather than one invalid input, but we skip it here. Now let's see the second attack. For every evaluation with output 0, we always compute the time-level encoding of 0 for the zero-testing parameter model skew. And it is a value correspond to multiple of h in the ring R. Then by collecting these many values, many multiple of h, we can compute h itself in quantum polynomial time using short principle idea problem server. And then using this, we can manipulate some kind of double-zero testing at level 2 kappa using this value. In other words, we can learn the 2 kappa-level obfuscated program. The second step is the mixed input attack. However, for the kappa-level mixed input attack for this invalid input, it is not permitted because we do nothing about the randomizers, so it is ruled out. Instead, we construct the 2 kappa-level obfuscated program by duplicating the original one. And then for a sophisticated choosing invalid input, which output some kind of double-zero, we can learn the mixed input attack. And then attack is done. Now let's see the table showing the research. In the first attack, we show that in the entry server parameterism, all branching program obfuscators are vulnerable to enter attack. And in the second attack, many obfuscations over gg13 is not secure in the quantum world. This table lays two natural questions. At first, how about the first obfuscation gghrsw in the quantum world? And how about the circuit obfuscation for entry server parameterism? Actually, we have made many progress this in this regard while we are preparing the presentation. For the first obfuscation gghrsw, it is broken in quantum world by combining our work. In other word, at first, manipulating double-zero testing and then learn the metric-serizing attack. And for the circuit obfuscation in entry server parameterism, some of the circuit obfuscation is broken using enter attack. Now we leave open problems and remark. Our attack heavily relies on the time-level encoding of 0. However, evasive functions do not output such values. So we do not know how to attack special obfuscation for evasive functions. And we are really curious about the countermeasures. For the classical attack, it is easy to prevent by increasing the dimension n to prevent the enter attack. However, for the quantum attack, we do not know how to prevent it. And we guess that it is very hard to modify the CG certain to prevent the quantum attack. At last, we give an important implication of the work. Many schemes, especially recent obfuscations, are proven in their security in the idealized model or somewhat nuclear model. But their real construction heavily relies on the concrete other schemes or mere candidates. However, these candidates may not fit in the idealized model or nuclear model. In fact, this work, we show that this gap can cause a significant weakness of the concrete schemes. In other words, we should pay attention on this gap if the concrete schemes are proven in their security in only in the idealized model. Thank you for your attention.