{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T03:41:47Z","timestamp":1767930107657,"version":"3.49.0"},"reference-count":37,"publisher":"International Association for Cryptologic Research","issue":"4","license":[{"start":{"date-parts":[[2025,10,7]],"date-time":"2025-10-07T00:00:00Z","timestamp":1759795200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,12,2]]},"abstract":"<jats:p>The evasive learning with errors (evasive LWE) assumption is a new assumption recently introduced by Wee [Wee22] and Tsabary [Tsa22] independently, as a significant strengthening of the standard LWE assumption. While the assumption is known to imply various strong primitives including witness encryption [Tsa22, VWW22], the assumption in the most general case (i.e., the private coin variant) is considered quite implausible due to the obfuscation based attack mentioned in [Wee22]. This obfuscation based attack is then later formalized by Vaikuntanathan, Wee, and Wichs [VWW22]. In this note, we revisit their attack and show that the attack actually does not work by showing a concrete counterexample. While various attacks against private-coin evasive LWE are now known, the attack of [VWW22] is the only one that applies in the setting where the sampler is oblivious to the LWE secret, which we call the S-oblivious regime. Therefore, our refutation closes the only known avenue for attacking the assumption in the S-oblivious regime. To complement the above refutation of this attack, we also present a variant of the counterexample assuming the existence of instance-hiding witness encryption. However, our sampler is not S-oblivious, and thus we do not fully recover the attack considered in [VWW22]. Taken together, these results indicate that the security of private-coin evasive LWE in the S-oblivious regime remains open.<\/jats:p>","DOI":"10.62056\/a39qudy6b","type":"journal-article","created":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T23:39:47Z","timestamp":1767915587000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["A Note on Obfuscation-Based Attacks on Private-Coin Evasive LWE"],"prefix":"10.62056","volume":"2","author":[{"given":"Tzu-Hsiang","family":"Huang","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/047426m28","id-type":"ROR","asserted-by":"publisher"}],"name":"University of Illinois Urbana-Champaign","place":["Urbana, USA"]}]},{"given":"Wei-Hsiang","family":"Hung","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/00z83z196","id-type":"ROR","asserted-by":"publisher"}],"name":"Institute of Information Science, Academia Sinica","place":["Taipei, Taiwan"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7338-686X","authenticated-orcid":false,"given":"Shota","family":"Yamada","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/01703db54","id-type":"ROR","asserted-by":"publisher"}],"name":"National Institute of Advanced Industrial Science and Technology (AIST)","place":["Tokyo, Japan"]}]}],"member":"48349","published-online":{"date-parts":[[2026,1,8]]},"reference":[{"key":"ref1:EC:Wee22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"217","DOI":"10.1007\/978-3-031-07085-3_8","article-title":"Optimal Broadcast Encryption and CP-ABE from Evasive\n  Lattice Assumptions","volume":"13276","author":"Hoeteck Wee","year":"2022"},{"key":"ref2:C:Tsabary22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"535","DOI":"10.1007\/978-3-031-15802-5_19","article-title":"Candidate Witness Encryption from Lattice Techniques","volume":"13507","author":"Rotem Tsabary","year":"2022"},{"key":"ref3:AC:VaiWeeWic22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"195","DOI":"10.1007\/978-3-031-22963-3_7","article-title":"Witness Encryption and Null-IO from Evasive LWE","volume":"13791","author":"Vinod Vaikuntanathan","year":"2022"},{"key":"ref4:EC:Shoup97","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"256","DOI":"10.1007\/3-540-69053-0_18","article-title":"Lower Bounds for Discrete Logarithms and Related Problems","volume":"1233","author":"Victor Shoup","year":"1997"},{"key":"ref5:IMA:Maurer05","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/11586821_1","article-title":"Abstract Models of Computation in Cryptography (Invited\n  Paper)","volume":"3796","author":"Ueli M. Maurer","year":"2005"},{"key":"ref6:TCC:WatWeeWu22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"651","DOI":"10.1007\/978-3-031-22318-1_23","article-title":"Multi-authority ABE from Lattices Without Random Oracles","volume":"13747","author":"Brent Waters","year":"2022"},{"key":"ref7:C:ARYY23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"532","DOI":"10.1007\/978-3-031-38551-3_17","article-title":"Constant Input Attribute Based (and Predicate) Encryption\n  from Evasive and Tensor LWE","volume":"14084","author":"Shweta Agrawal","year":"2023"},{"key":"ref8:FOCS:HsiLinLuo23","doi-asserted-by":"publisher","first-page":"415","DOI":"10.1109\/FOCS57990.2023.00031","article-title":"Attribute-Based Encryption for Circuits of Unbounded Depth\n  from Lattices","author":"Yao-Ching Hsieh","year":"2023"},{"key":"ref9:EC:HsiLinLuo24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"433","DOI":"10.1007\/978-3-031-58723-8_15","article-title":"A General Framework for Lattice-Based ABE Using Evasive\n  Inner-Product Functional Encryption","volume":"14652","author":"Yao-Ching Hsieh","year":"2024"},{"key":"ref10:C:AgrKumYam24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"352","DOI":"10.1007\/978-3-031-68382-4_11","article-title":"Attribute Based Encryption for Turing Machines from\n  Lattices","volume":"14922","author":"Shweta Agrawal","year":"2024"},{"key":"ref11:C:MatpetVai24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"38","DOI":"10.1007\/978-3-031-68403-6_2","article-title":"Adaptively Sound Zero-Knowledge SNARKs for UP","volume":"14929","author":"Surya Mathialagan","year":"2024"},{"key":"ref12:EPRINT:AgrKumYam24a","volume-title":"Compact Pseudorandom Functional Encryption from Evasive\n  LWE","author":"Shweta Agrawal","year":"2024"},{"key":"ref13:EPRINT:AgrKumYam24b","volume-title":"Pseudorandom Multi-Input Functional Encryption and\n  Applications","author":"Shweta Agrawal","year":"2024"},{"key":"ref14:C:BDJMMP25","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"663","DOI":"10.1007\/978-3-032-01901-1_21","article-title":"Pseudorandom Obfuscation and Applications","volume":"16004","author":"Pedro Branco","year":"2025"},{"key":"ref15:FOCS:GGHRSW13","doi-asserted-by":"publisher","first-page":"40","DOI":"10.1109\/FOCS.2013.13","article-title":"Candidate Indistinguishability Obfuscation and Functional\n  Encryption for all Circuits","author":"Sanjam Garg","year":"2013"},{"key":"ref16:STOC:JaiLinSah21","doi-asserted-by":"publisher","first-page":"60","DOI":"10.1145\/3406325.3451093","article-title":"Indistinguishability obfuscation from well-founded\n  assumptions","author":"Aayush Jain","year":"2021"},{"key":"ref17:EC:JaiLinSah22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"670","DOI":"10.1007\/978-3-031-06944-4_23","article-title":"Indistinguishability Obfuscation from LPN over\n  $\\mathbb{F}_p$, DLIN, and PRGs in ${NC}^0$","volume":"13275","author":"Aayush Jain","year":"2022"},{"key":"ref18:TCC:RagVafVai24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-031-78023-3_1","article-title":"Indistinguishability Obfuscation from Bilinear Maps and\n  LPN Variants","volume":"15367","author":"Seyoon Ragavan","year":"2024"},{"key":"ref19:EC:BDGM20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"79","DOI":"10.1007\/978-3-030-45721-1_4","article-title":"Candidate iO from Homomorphic Encryption Schemes","volume":"12105","author":"Zvika Brakerski","year":"2020"},{"key":"ref20:STOC:GayPas21","doi-asserted-by":"publisher","first-page":"736","DOI":"10.1145\/3406325.3451070","article-title":"Indistinguishability obfuscation from circular security","author":"Romain Gay","year":"2021"},{"key":"ref21:EC:WeeWic21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"127","DOI":"10.1007\/978-3-030-77883-5_5","article-title":"Candidate Obfuscation via Oblivious LWE Sampling","volume":"12698","author":"Hoeteck Wee","year":"2021"},{"key":"ref22:TCC:DQVWW21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"256","DOI":"10.1007\/978-3-030-90453-1_9","article-title":"Succinct LWE Sampling, Random Polynomials, and\n  Obfuscation","volume":"13043","author":"Lalita Devadas","year":"2021"},{"key":"ref23:C:HopJaiLin21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"673","DOI":"10.1007\/978-3-030-84245-1_23","article-title":"Counterexamples to New Circular Security Assumptions\n  Underlying iO","volume":"12826","author":"Samuel B. Hopkins","year":"2021"},{"key":"ref24:EC:JLLS23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"205","DOI":"10.1007\/978-3-031-30545-0_8","article-title":"Polynomial-Time Cryptanalysis of the Subspace Flooding\n  Assumption for Post-quantum $i\\mathcal{O}$","volume":"14004","author":"Aayush Jain","year":"2023"},{"key":"ref25:C:Wee21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"155","DOI":"10.1007\/978-3-030-84259-8_6","article-title":"Broadcast Encryption with Size ${N}^{1\/3}$ and More from\n  $k$-Lin","volume":"12828","author":"Hoeteck Wee","year":"2021"},{"key":"ref26:FOCS:WicZir17","doi-asserted-by":"publisher","first-page":"600","DOI":"10.1109\/FOCS.2017.61","article-title":"Obfuscating Compute-and-Compare Programs under LWE","author":"Daniel Wichs","year":"2017"},{"key":"ref27:FOCS:GoyKopWat17","doi-asserted-by":"publisher","first-page":"612","DOI":"10.1109\/FOCS.2017.62","article-title":"Lockable Obfuscation","author":"Rishab Goyal","year":"2017"},{"key":"ref28:AC:BrzUnaWoo24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"418","DOI":"10.1007\/978-981-96-0894-2_14","article-title":"Evasive LWE Assumptions: Definitions, Classes, and\n  Counterexamples","volume":"15487","author":"Chris Brzuska","year":"2024"},{"key":"ref29:AMYY","isbn-type":"print","doi-asserted-by":"publisher","first-page":"259","DOI":"10.1007\/978-3-032-12293-3_9","article-title":"Zeroizing Attacks Against Evasive and Circular Evasive LWE","author":"Shweta Agrawal","year":"2025","ISBN":"https:\/\/id.crossref.org\/isbn\/9783032122926"},{"key":"ref30:C:DJMMV25","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"73","DOI":"10.1007\/978-3-032-01907-3_3","article-title":"Simple and General Counterexamples for Private-Coin Evasive\n  LWE","volume":"16006","author":"Nico D\u00f6ttling","year":"2025"},{"key":"ref31:C:HsiJaiLin25","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-032-01907-3_1","article-title":"Lattice-Based Post-quantum iO from Circular Security with\n  Random Opening Assumption","volume":"16006","author":"Yao-Ching Hsieh","year":"2025"},{"key":"ref32:EC:CinWee25","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"94","DOI":"10.1007\/978-3-031-91131-6_4","article-title":"Faster ABE for Turing Machines from Circular Evasive\n  LWE","volume":"15603","author":"Valerio Cini","year":"2025"},{"key":"ref33:Reg05","doi-asserted-by":"publisher","DOI":"10.1145\/1568318.1568324","article-title":"On lattices, learning with errors, random linear codes, and\n  cryptography","volume":"56","author":"Oded Regev","year":"2009","journal-title":"J. ACM","ISSN":"https:\/\/id.crossref.org\/issn\/0004-5411","issn-type":"electronic"},{"key":"ref34:FOCS:MicReg04","doi-asserted-by":"publisher","first-page":"372","DOI":"10.1109\/FOCS.2004.72","article-title":"Worst-Case to Average-Case Reductions Based on Gaussian\n  Measures","author":"Daniele Micciancio","year":"2004"},{"key":"ref35:AC:KatYamYam18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"253","DOI":"10.1007\/978-3-030-03329-3_9","article-title":"Tighter Security Proofs for GPV-IBE in the Quantum\n  Random Oracle Model","volume":"11273","author":"Shuichi Katsumata","year":"2018"},{"key":"ref36:EC:MicPei12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"700","DOI":"10.1007\/978-3-642-29011-4_41","article-title":"Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller","volume":"7237","author":"Daniele Micciancio","year":"2012"},{"key":"ref37:STOC:GGSW13","doi-asserted-by":"publisher","first-page":"467","DOI":"10.1145\/2488608.2488667","article-title":"Witness encryption and its applications","author":"Sanjam Garg","year":"2013"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T23:40:34Z","timestamp":1767915634000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/4\/20"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,8]]},"references-count":37,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2026,1,8]]}},"URL":"https:\/\/doi.org\/10.62056\/a39qudy6b","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,8]]},"assertion":[{"value":"2025-10-07","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-12-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-4-42"}}