 Hi, good morning everyone, thanks for showing up this early. So I was fortunate to have, we were fortunate to have Shy give a great talk yesterday on the state of multilinear maps, so let me just start with a brief review of what multilinear maps are in case you weren't there. So this is a relatively new cryptographic tool that allows us to do computation on encoded data. So when you think of computation on encoded data, probably most people think of homomorphic encryption, but there's some key differences between multilinear maps and homomorphic encryption. And in particular, with multilinear maps, there's no real decryption. Instead of decrypting, what you can do is test if an encoded value is zero or not zero. But you can only do this on certain encodings, and I'll make that a bit more precise on the next slide. So at this point, there's a vast number of papers showing how to compute or how to construct very powerful cryptographic tools that we would like using multilinear maps. So a secure instantiation of these would be amazing for the field. Okay, so what do I mean by doing computation on encoded data? So for multilinear maps, we have some plain text m, and we encode it at some level i. And so on this slide, I'm just gonna denote e is an encoding of m at level i with these square brackets. Okay, and so the arithmetic you can do is addition and multiplication. And in particular, if you have two encodings at the same level i, you can add the encodings. And what you get is an encoding of the sum of the plain texts at the same level i that the original encodings were. For multiplication, you can multiply at different levels. So if you have an encoding at level i and encoding at level j, you can multiply them. The result is the product of the plain texts and the level sum. So now the new level is i plus j. Okay, and then the last thing that you can do with these is a zero test. Meaning if you have some encoding, you can check whether or not it's equal to zero. But you can only do this if it is at what's called the top level case. So there's some maximum level. And you can only test for zero when you're at that level k. Okay, so actually I should say that you can define more complex, more interesting level structures. But for this talk, I'm just gonna focus on this one through k or the levels. So basically all the multilinear map candidates we have have a common interface and there's three parts of this interface. The first is initialization. So for this, you choose a public and secret key pair. And this process also defines the space of plain text and the space of encodings. And then here, unlike fully homomorphic encryption, there's some difference between how we do the encoding and the operation. So for the encoding, you actually use the secret key to encode the plain text. So if you have the secret key, you can convert plain text to encodings. And then for the operations, the arithmetic and the zero test that I just showed, you use the public key to do this. Okay, and you can do these operations as long as the degree of the computation, the polynomial degree, doesn't grow too large. So in some sense, that part is similar to somewhat homomorphic encryption. Okay, so what are the candidates that we have at this point? So I'm calling these the first generation and second generation. In fact, the first two of the first generation came much closer together than the third. So the first one was due to Garg Gentry and Halevi. And this is a candidate whose security is based on ideal lattices. The second candidate is due to Koran Lapoint and Tabuchi. And this uses the Chinese remainder theorem. And then the third first generation candidate as due to Gentry, Gorbanov and Halevi, and this uses standard lattices as opposed to ideal lattices. So probably a lot of people in this room know that there were some very high profile attacks on the first two of these candidates. And as a result, there have been some modifications to them. And this is what I'm calling the second generation. So in response to the attacks on CLT 13, there was CLT 15, which modifies it to prevent the known attacks. And then much more recently, there was a new construction by Gentry, Halevi and Lapoint to modify the GGH 13 candidate also to resist these zeroizing attacks. And I'll say these modifications are fairly similar, at least have similar ideas behind them. So in this talk, I'm going to talk about the CLT 13 candidate, give an overview of how it works and mention what the attacks are. And the next talk, so don't leave your chair. The next talk, Tancred is going to describe the CLT 15 construction and how we resist these attacks. Okay, so the rest of the talk is here. I'm going to give an overview of CLT 13 and then describe the zeroizing attacks. Okay, so CLT 13, how does it work? So first, you initialize by generating these system parameters. So you have two sets of primes, P1 through PN and G1 through GN. And here the key thing is that the G primes are much smaller than the P primes. And so throughout this talk, if I say big primes or small primes, I mean the PIs are the big primes and the GIs are the small primes. There is an integer Z, which we're going to use to sort of denote the level in an encoding, and I'll make that more precise on the next slide. And those two things are secret. So the primes are secret and this value Z is secret. And the public key, or at least one part of the public key, is the modulus x0, which is the product of the big primes, P1 through PN. Okay, so these are the system parameters, except for how you do the zero test, which I'm saving for a couple slides. So this also defines the plain text space, which is namely, a plain text has n slots or n values. And the i-th slot lives in the space 1 through g i. So the plain text, the i-th slot is mod g i. And the encodings are gonna live mod x0, and we're gonna encode via the Chinese remainder theorem. Okay, so how does the encoding look like? So let's say you have a plain text, m1 through mn. And you wanna encode at level j. First, for each slot, you construct this value e i, which is the plain text value for that slot mi, plus a random multiple of the small prime for that slot. So g i is the small prime, we multiply it by a small random r i, and then add the plain text value. Okay, so you do this for all the slots 1 through n. You compute the CRT representation of these encoded values e i. And then to sort of put the level in there, you take the parameter z, which remember is a secret parameter, raise it to minus j, where j is the level that you want. And then you multiply this with the CRT representation. And this is all done mod x0, which recall is the product of the big primes. Okay, so some things to notice about the encoding. If you ignore the level part, the z to the minus j, in each component, the plain text is the encoding e i mod the small prime g i. And also these e i are all much smaller than the big primes, right? That's because g i and mi both were, and we choose r to be that way as well. To do arithmetic on the encodings, you just add and multiply mod x0. Recall x0 is public, and this maintains this second bullet as long as the number of operations is not too large. So as long as the e i values do not wrap modulo, the large primes p i, you still have the taking the i slot mod g i, gives you the plain text, preserves the plain text. Okay, so that's how the encodings work. Let's see how the zero test works. So for the zero test, I'm gonna define this value p i star, which is just the product of all of the primes except the ith. So another way you can think about it is the modulus x0 divided by the ith prime. And these are useful, so if you know the proof of the Chinese remainder theorem, these show up there too. And these are useful because if you wanna compute the CRT representation of n values where for all i, the ith value is divisible by p i star. This has a very simple form, which is just the sum of the values mod x0. So this is gonna be useful for analyzing the zero test. Okay, and so if we have this p i star, the zero test is defined as written there in the second bullet. Namely, it's the CRT representation of n values, where the ith value is p i star, some small random h i. And then the inverse of the small prime g i. Okay, and so here I wanna mention that the inverse here is taken mod the corresponding big prime. Okay, and so you take this CRT representation and then you multiply it with z, which is the level parameter, raised to the top level, which here I'm calling kappa. Okay, so I will grant you that this probably looks complicated and it's not clear why you would define it this way. So let's see how the zero test works in action. Okay, so let's say we have some level k in coding of zero, so I'm gonna call this a. And so we're calling it because in encoding of zero, each thing in the CRT representation is just a multiple of the small prime. So it would be plus mi, but here all the mi's are zero. And then we have the zero test parameter, which I just defined on the last slide. Okay, and to perform the zero test, what you do is you multiply your encoding with the zero test parameter, and you reduce mod x zero. So you do a times p z t mod x zero. And so what does this look like? Well, here you can see that the g i's cancel. So here the g i's cancel. And you're left with the CRT, and sorry, also the z to the minus k and z to the k cancel. So this is why we chose this like this, because we only want to zero test at the top level. So these cancel, the g i's cancel. And you're left with the CRT representation of these. And recall the p i's have this useful property, the p i stars have this useful property that because each slot is divisible by them, we get the CRT just by adding. And here, so this is the sum of the components. And the crucial thing here is that this is much less than our modulus x zero. And why is that the case? It's just because each of these components is much smaller than x zero. So of course, you have to set your parameters correctly, but you can trust me for this. So again, the key thing here, so this is gonna be key for the attacks, is that the quality between this and this holds over the integers. Which again is because each of these values over here is much smaller than x zero. So at this point, there's no mod x zero. Good, okay, and so that's how you determine if something is zero. You multiply it by the zero test, take it mod x zero, and you check if it's much smaller than x zero. And if a was not an encoding of zero, or if it was not at the top level k, you would be left with either some z here, or one of the gi inverses here. And these are large relative to x zero. And so the overall, where you would get is something very close to x zero. Okay, so this is how the zero test works. Okay, so now that we've given an overview of CLT, 13 let me describe the zeroizing attacks. And before I get into the technical parts, let me just say something high level. So the first sort of big attacks on CLT 13 were given by Chian at all, I guess the end of 2014. So these attacks relied on having some low level encodings of zero. So some values that were zero in every slot and were at a low level, much below the top level k. And these gave a complete break of CLT. So if you have these encodings and you perform their attack, you can essentially recover all of the secret parameters. So not just like decoding some value, you can recover the entire secret key. And so in this work, what we did is we extended these attacks to a number of other settings and in particular settings where there's no low level encodings of zero available. So I mentioned here that there was a concurrent work by Bonet, Wu, and Zimmerman in which they also showed that you don't need low level encodings of zero. Beyond this, so we showed how to break some proposed fixes to CLT 13. So very soon after the attacks by Chian at all came out, there were a couple of proposed immunizations to these attacks by Bonet, Wu, and Zimmerman and Garg Gentry, Halevian, Zandri. But these can also be broken by extending the Chian at all attacks, and I'm gonna talk about that. And then in addition, our attacks extend to simplified variants of schemes that use the multilinear maps. I'll mention briefly at the end what I mean by that. Okay, so let me go through the Chian at all attack. And I'm gonna show this with kind of a toy example. So the number of primes or the number of slots in each message is two. And the top level is gonna be three, okay, so very simple. And for the attack, you need three sets of encodings. And let's say these are all gonna be at level one, at the lowest level. Okay, so I'm gonna call these encodings A, B, and C. And because this is a toy example, I wanna mention what the size of these sets should actually be. So the first two sets, the A and the C encodings, you need N of these. So you need one for every slot in the plain text. And then for the middle set of encodings, you always have two. So no matter how big, even if N was a million, I would still just have two encodings here. And in some sense, these are the target of the attack. So the kind of first thing the attack is gonna recover are these encoded values, BI, okay. And so what property do we need these sets of encodings to satisfy? So in the Chian at all attack, the original attack, what they assumed is that the AI encodings are all encodings of zero. And so recall that this means that every slot in the CRT representation is divisible by the corresponding small prime. So I'm putting the GIs here just so you can see that these are encodings of zero. And one of our observations, again, Bonet at all concurrently made this, is that this is actually not necessary. And it's sufficient that instead you get zeros at the top level. So we don't need the encodings themselves to be zero. What we need are that for every way of choosing one from the first set, one from the second, and one from the third, when you multiply them you get zero at the top level. Obviously one way to do this is if all of the A encodings are zero themselves, but this isn't necessary. Okay, but now I'm gonna describe the original attack. So let's assume that indeed the AIs are all encodings of zero. Okay, so how do we start? Let's just take the first encoding from each of the sets. So A1, B, which is the first one in the B set, and C1. And we multiply these, okay? So what do we get? They were each at level one, so now they become at level three. And the CRT components just multiply. Okay, and recall that because the A's were divisible by G, we still have a G sitting there. Okay, and again, here is the zero test parameter. This is just what I showed before, but restricted to this kind of toy example. And now we're just gonna multiply the encoding A1, B, C1 with the zero test parameter, so we're gonna do a zero test of the encoding we just created. Okay, and let me call this W11. So, indeed, I'm just multiplying here. And so, just as the successful zero test I showed before, these cancel, and we are left with, sorry, in the G's cancel also. And we are left with the sum of the CRT components. Again, because we have these PI stars. Okay, and I'll remind you that the crucial thing here, so I mentioned it before, but this is crucial for the attacks, is that this equality holds over the integers without reducing mod X0. And again, this is because each of these are small relative to X0. Okay, so notice here that the parts in black are actually system parameters that don't depend at all on the specific encodings that I used. So I'm just gonna sort of sweep those up into these sigma. So there's some system parameters that don't depend on the encodings. Okay, so I have this equation, it's of a very nice form, and I can write it as a matrix multiplication. So I'm putting the A's over here, the C's over here, and the B's in the middle, and I'm gonna just stick the system parameters in there. So each of these is commutative, so I can move these around like this. Okay, so this was W11. And now I can do the same thing, but instead of choosing A1 and C1, I can vary over the A and the C sets. And I get an equation for each one of those. And again, they have this very nice form. So again, if I was doing A1, it would be this. A1 and C1 would be this. And this, A2 and C1 would be this, and so on. So we get this matrix equation with, it's essentially n squared equations here. But notice that the B matrix stayed the same from before. Okay, so I construct this matrix W with these encodings. I'm just moving it up there, I didn't do anything with that switch. I have this matrix W, okay? And now I'm gonna do the exact same thing. Sorry, let me just call the outer matrices A and C. I'm not too concerned about what's inside them for reasons that you'll see in a second. Okay, so now I can do the exact same thing using the other middle encoding. So instead of B, I'm gonna use B prime and do the exact same thing, right? And crucially here, the A and the C matrices are the same for both of those, okay? And now I wanna start to cancel things. Remember, I'm trying to attack these B's. I'm trying to get some of the values out of there. And so if I want things to cancel, let me take the inverse of W prime. And now things start to look pretty good. So if I multiply here, I can get these to cancel. And the system parameters here are gonna cancel too. So indeed, that's what I'm gonna do. I'm gonna take W times W prime inverse, and I get this very nice thing. So A, A and A inverse on the outside, and these ratios of the B's on the inside, okay? So notice that I actually don't have this decomposition. All I have is these. However, because these are similar matrices, I can recover these ratios just by computing the eigenvalues of the W's here, okay? And it turns out that if you recover the ratios bi over bi prime, you can actually use this to factor the modulus x0 and break the whole thing. So you can recover all the system parameters with these. Okay, so this was the, this was the Cheyenne et al attack. And now let me show our generalizations. So the first extension of their attack was, let's not assume that we have low level zeros. So again, now all we know is that each of these is divisible by G1, but not that the AIs themselves are divisible by G1 and G2. So what does the matrix equation look like here? Well, we actually now still have the GIs sitting there, okay? So that's kind of, it looks a little worrisome, but we still have equality over the rationals, because these things are divisible by G1 and G2. And actually, it turns out that when I do the same like invert and multiply trick, the Gs are gonna go away just like the system parameters did, right? The Gs are just more system parameters that are sitting in the middle. And so when I multiply, I get exactly the same thing. So essentially the same attack works even if you don't have low level zeros. Okay, our second extension is now let's say we don't get zeros in this easy way where we just multiply encodings and we get a zero. Now we have to do some slightly more complicated linear equation to get zero. So now let's say the set structure, instead of where before I had a single encoding, now I have a pair of encodings. And to get a top level zero, I have to multiply one thing from each set, and then subtract it by a different product of three things. So now let's say the only way we can get top level zeros is by this, okay? So this poses some slight problems, we can't do the same nice form that we have here, except that we can, we just need a larger dimension, okay? So you can write this in essentially the same way, where just the dimension now grows by essentially the number of terms that you need to get the top level zeros, okay? And this, as I mentioned, this breaks the proposed immunization, one of the proposed immunizations of CLT-13, okay? And the last extension I'll mention is sort of generalizes the linear equations from the last thing. So now let's say we are given matrices of CLT-13 encodings. So instead of just sort of basic products that we subtract, we're given matrices, and to get the top level encodings, we have to do some arithmetic on the matrices. So this was the immunization proposed by Gargadal, and yeah, again, we get zeros by more complex linear relations than the last setting. The result now is that the middle matrix, instead of being diagonal, it's actually block diagonal, because these are the encoding matrices, not just single encodings. Now we can recover the eigenvalues, but they may not be rational. So we may not have these nice ratios, and it's unclear how to use them. Can we still get any useful information? Well, in fact, we can because the characteristic polynomials are still the same. So I can still get the characteristic polynomial of this, with the characteristic polynomial here. And then I can use the Cayley-Hamilton theorem to recover the primes. Okay, so I'm omitting a lot of details here, as you can imagine, but they're in the paper. Okay, so just let me conclude briefly. So there are some consequences for obfuscation, at least for very simplified variants of obfuscation. So we can extend these attacks to break against very simplified variants of some of the proposed obfuscation candidates. But the real schemes actually are not susceptible to these attacks due to this dual input structure. So if you know these constructions, that seems to offer some resistance to these attacks. And again, I want to emphasize that none of the candidate obfuscators are known to be broken by these attacks, but the attacks do kind of point out somewhere where we think the security is coming from. Okay, so this is the conclusion slide. So CLT 13 suffers from zeroizing attacks. These can be applied in many settings, even without low level zeros, but not known in many others. And Tancred next is going to talk about a way to support these attacks. And I'll take questions, thank you.