 Hi, everyone. I'm Lolly Davos. And today, I'll be talking about succinct LWB sampling, random polynomials, and obfuscation. This is joint work with my advisor, Vinod Vaikunjanathan, at MIT, with Iqwaka at Northeastern, Daniel Wicks at Northeastern at NTT, and also Hotei Kwi at NTT. Let's start by talking about indistinguishability obfuscation. We generally think of an indistinguishable obfuscation scheme as some randomized compiler that takes a circuit C and computes some obfuscation of that circuit. There's two properties that we want from this scheme. First, being correctness, we want that the obfuscated circuit will compute the same function as C, basically so that we can use it in the same way that we would use the circuit C just without leaking any information, which is the second property. We want security, which means that the obfuscated circuit should hide everything about the implementation of the function. This means that if we have two functionally equivalent circuits, C1 and C2, which basically means that they have the same truth table, then we just have that the obfuscation of C1 is computationally indistinguishable from the obfuscation of C2. IO, especially in recent years, has been shown to imply most main cryptographic primitives that we are trying to build today, which means that it's become even more and more important for us to try to construct IO with a security proof. As we'll see in a second, most of the current state-of-the-art IO either relies on assumptions such as bilinear maps, which are not known to be post-quantum secure, or on very complicated, interactive, non-falsifiable assumptions, which we'll see in a second. But first, to talk about some current constructions, state-of-the-art IO schemes, a recent one by JLS used the external LDP helmet assumption, LPN over finite fields, gold rake, and LWE, and then later managed to remove LWE using only the first three assumptions. Again, we're unhappy with these just because they're not post-quantum secure. We are going to try to base IO solely on LWE-like assumptions, which are believed to be post-quantum secure. What is LWE? The LWE assumption parameterized by some parameters N, Q, and chi basically states that these two distributions, some matrix A or some matrix A multiplied by a secret S plus an error vector E, is indistinguishable from the matrix A and a truly uniform vector. Here we have that A, S, A, and S and U are all drawn uniformly from their distributions and E is drawn from chi. We also have that just in terms of the parameters, we usually think about M and N as being poly and lambda, Q as being two to the poly and lambda, and chi is B bounded with B small enough that you know is basically a very, very small error that we're seeing in terms of Q being the whole modulus. We do believe this to be post-quantum secure. So if we manage to build IO from LWE, then we will have plausibly post-quantum secure IO. What are the current constructions that I mentioned that are based on LWE-ish assumptions? So we have some based on GGH 15 encodings. The problem with these is just that we don't have a proof of security. On the other hand, we have this other line of work very recent, including work by Romain Gay and Raphael Pass and then a work from last year by Botek and Daniel. Here we do have security proofs, but we have these very complicated, sometimes interactive or non-possifiable LWE-like assumptions that involve randomness leakage and other things that aren't well-studied. We would really like to base IO on an LWE-like assumption that is well-studied and falsifiable and non-interactive, which is the main goal of this work. How are we gonna do this? So we will use succinct randomized encodings. What is succinct randomized encoding? A succinct randomized encoding of some function which maps L bits to N bits is an efficient probabilistic algorithm encode such that here are the three properties you want. First of all, correctness. Given the CRS, we're working in the CRS model here. The function F and the encoding, we should be able to efficiently recover f of x security. So for any two inputs, x0 and x1, such that f of x0 is equal to f of x1, we should have that their encodings are computationally indistinguishable. And lastly, succinctness. We need a pretty strong bound on succinctness here. We want that the encoding has bit length N to the one minus delta for some delta less than one. I'm ignoring here factors that are polynomial in the security parameter or L, et cetera, since they're not that important. We already know that SRE, as defined before, suffices for IO. This is from work from a couple of years ago. I'm not gonna get into it, but basically you can think about the input x as being the description of a circuit and f being the universal function. So f is basically just going to compute the truth table of x. I evaluate circuit x on all possible inputs. We'll now turn to actually constructing such an SRE scheme. Okay, here's our first try based on some homework for commitment schemes. GSW and GVW, if you're familiar. So we'll have some commitment C. This commitment C will consist of a matrix A, a tall, skinny matrix A. Here we have that W much, much smaller than M. We're going to multiply by some randomness R at an area E, and then finally our encoding of the input will be X tensor G, where G is the gadget matrix. We can perform homomorphic evaluation on this commitment to get C sub f. Note that this homomorphic evaluation only requires knowledge of the function f and not of the input X. However, the two matrices that we see here are sub f of X and E sub f of X. They do depend on X. And after doing this homomorphic evaluation, we can recover f of X by simply subtracting A times R sub f of X and then rounding because E sub f of X will still be small. However, revealing R sub f X is semantically insecure. Just to clarify in this picture, what we see in orange are the things that are released publicly and what we see in blue are the things that are either computed by the person who's trying to evaluate the circuit or they're not given at all and they're just kind of implicit in the construction. So this is basically the issue with our first try. We have syncing this here. We managed to get syncing this basically by the fact that C will be much smaller than C sub f. However, revealing R sub f X is not actually going to give us security. So what are we gonna do? Again, committing to X using homomorphic commitment scheme. What if we now also generate some new LWE instance, B star, in terms of the same A as in our commitment? So we'll have B stars equal to A S star plus E star. In this ideal world, this is basically just a straw man. We're thinking of S as being random and E as being Gaussian, like how we would really want an LWE sample to be. The SRE will be A, C, so this is the same as before. B star, so that's new, we're adding that into the SRE now and then R sub f X plus S star. So the point of this here is that we're going to basically mask any information that R sub f X might leak by adding the truly random S star. To decode, you start by homomorphically evaluating C to get C sub f, then you add B star and subtract A times R sub f X plus S star. This basically works out to what you would expect and eventually you get that all of the terms except for the errors cancel and then you can just round to recover f of X. However, this doesn't work either because this is not succinct. B star has the same size as C sub f. Remember the reason why we got succinctness in the first try was because we weren't giving C sub f for just giving C and then asking the evaluator to do homomorphic evaluation. In this case, because B star is actually just as big as C f, it just gets added to it, it has bit length N and we no longer have succinctness. Our third try, again, committing to accessing a homomorphic commitment scheme. Now we're going to sample a short seed for B star. The SRE will be just replacing B star with a short seed. And to decode, we're just going to expand the seed to the full matrix B star and proceed as decoding used to happen. This one, this is really what we want. This is the point of this work. Basically what we're gonna see is this new notion of succinct LWB sampling where we have some two functions, gen and expand. Gen will sample some short seed sub B star and expand taking the CRS and the seed can give us back B star. We'll now define what we actually mean by succinct LWB sampler. So there's three properties we want. First being correctness. We basically, so we'll often write it as B star is equal to A star S star plus E star. However, just to define correctness this way, basically what we want is that B star is approximately A star S star. Security we'll get to in a second because it's very non-trivial. Intuitively we basically want to be as close to the ideal world as possible. Again, the ideal world being where S star is truly random and E star is Gaussian. However, this is not really achievable. And so I'll talk in the next couple of minutes about what we actually do manage to achieve in terms of security. The last property that we want is succinctness. So succinctness states that the seed should have bit length and to the one minus delta where again N is a bit length of B star for some delta less than one. Okay, let's revisit the security notion now that we've covered correctness and succinctness which are pretty simple to define. The question is what security guarantee do we really need in order to be able to upgrade this and use it to create a semantically secure SRE in the way that I just described. So first, we'll remember the definition from WW which basically asked that even if you're given the seed, B star still looks indistinguishable from fresh LTV samples. Here, by fresh LTV samples, we mean like ideal ones with truly random S and Gaussian E. Unfortunately, this definition requires simulator. It depends on the circuit implementation by which you mean basically you're homomorphically evaluating and the way that that evaluation is implemented actually affects the security of the scheme. There was a paper last year also showing that for a specific circuit implementation this is actually broken. There's other circuit implementations for which is not broken but the point being this assumption is too complicated and we want something much simpler and easier to work with. Really, all we need from E star is that we want E star to mask E sub FX. If you call, this is kind of the error term that gets left added onto our, well, we eventually are going to decode. And so what we want is that E star is going to mask this E sub FX which is dependent on X and therefore something that we don't wanna leak. Okay, so let's take another stab at defining what exactly you mean by security. Basically, what we want is that E star is a good flooding distribution and then it's able to flood E sub FX in the way that I said before. How could we quantify this? We could say that for all F X zero and X one such that F of X zero is equal to F of X one. So basically taking the same approach for security as in the security definition for SRE we can state that we want given the seed and some encryption of the two inputs that we basically have the property that E star is going to flood the error. This error is what we think of as the error that's created by homomorphically evaluating F on the encryption of X. Unfortunately, we're still not happy with this. This quantifies over all F, it's not falsifiable. It's hard to work with. We really want something that's gonna be much easier to analyze. But we want that notion to imply this one, right? Because this is pretty much the weakest security notion that we feel comfortable with but we wanna make sure that we're going to get this but we don't wanna have to necessarily analyze it. So what can we do? This is basically the main punchline of our paper. We show that it suffices to protect a single and operation which means that all we need to show is that given seed for B star if you have an encryption of zero and one and encryption of zero and zero and then you homomorphically evaluate and on these cipher texts that the resulting error can be flooded by E star. We use a hybrid argument and a flagtrack that's implicit in NWW but not really abstracted out or specified well. And this gives us what we want, which is strong security. I'll very briefly outline the construction just in a small case. The entries of E star end up being low degree multilinear polynomials in the entries of the original E's which I'll show in a second. This is where the part of the head of our paper random polynomials comes in. So for D equals two, we basically have that the seed for B star will be two LWB samples for A one and A two. We'll compute B star by taking the tensor of these two samples using the mixed product property. We can simplify this until we get something that looks kind of like what we want LWB sample to look like. This strange thing with A's and I's is going to become our A star. This term that depends on S, B and E will become our S star and then E one, tensor E two will become our E star. This is why the entries of E star are low degree polynomials. It's worth noting we actually are multiplying like B star is actually going to be P times B one, tensor B two times P prime. These are large matrices that we keep in the CRS. Without getting into too much detail, we're also going to re-randomize A star and S star using Killian randomization just to ensure that they don't leak anything more than the product. This allows us to focus solely on E star. In the paper, we also do some crypt analysis showing that some attacks like such as linearization, some of squares, covariance attacks won't work on E star. And there's also been some recent work showing that we cannot actually hope for E star to look pseudo IID on its own. However, again, we don't need that. All we need is for E star to flood the error from one and operation. So we still have confidence in our scheme and I think that's my time. So thank you.