Hello, hello, okay. Welcome, everyone. This is the first session on zero knowledge, and the first paper in this session is "Online/Offline OR Composition of Sigma Protocols" by Michele Ciampi, Pino Persiano, Alessandra Scafuro, Luisa Siniscalchi and Ivan Visconti, and Michele will give the talk.

Thank you for the introduction. Okay, proof of knowledge. Proof of knowledge is a fundamental crypto tool with many applications, and in particular in cryptography it is useful when there is a witness that needs to be protected. When WI is needed is an example of that. That is, we have a prover that wants to prove the knowledge of a secret X or a secret Y or a secret C.

To implement proof of knowledge we can use basically two approaches, that is, a theoretical approach and a more practical and efficient approach. From the theoretical side, we know that proof of knowledge exists for graph Hamiltonicity. This means that we construct proof of knowledge for all languages in NP. From the practical side, we can use a Sigma protocol for an NP relation R. Here we have an example of digital protocol that is really efficient. Actually, the prover only needs one modular exponentiation to complete the execution, while on the other side, on the theoretical side, we need to compute an NP reduction that is really expensive. An observation that will be useful thereafter in this presentation is that when the proof of knowledge is implemented by using LS90, Lapidot-Shamir 90, and also in the Schnorr protocol, to compute the first round both theorem and witness are not needed by the prover.

Okay, but what is a Sigma protocol? A Sigma protocol for a relation R is a three-round public-coin
protocol that enjoys completeness, that is, if the prover and verifier follow the protocol then the verifier always accepts; special honest-verifier zero knowledge, that is, there exists an efficient simulator that takes as input the theorem X and the challenge C and outputs a transcript that is identically distributed to the real transcript; and special soundness, that is, there exists an efficient algorithm that takes as input two accepting transcripts with respect to the same theorem X that share the first round and outputs a witness for the theorem X.

In this presentation, we are interested in a prover that takes as input two theorems and wants to prove the knowledge of a witness such that this witness and one out of two of these theorems belong to a relation R0 or the relation R1. Also in this case we can see the theoretical and the practical approach. The theoretical approach is the same as before; the only thing that changes is the theorem involved in the NP reduction. From the practical side, we need to assume that there exist Sigma protocols Sigma0, Sigma1 for the relations R0 and R1 and use the construction proposed in '94 by Cramer, Damgård and Schoenmakers, that takes as input two Sigma protocols and outputs a three-round WI proof of knowledge.

At this point one can ask why we don't always use the practical, the efficient approach. The reason is that there is a gap. If we implement the proof of knowledge by using LS90, as I said before, we have that the prover does not need the theorem to complete the first round. But unfortunately this property is not enjoyed by CDS.

Okay, let me be more specific, let me be more precise about the gap between CDS and LS. On the left, LS enjoys delayed-input completeness. What is it?
That is, that prover and verifier can compute the first two rounds of interaction of the protocol without any additional input, without theorem and witness as input (witness only for the prover, clearly), and only to compute the third round the prover needs the witness.

Adaptive-input proof of knowledge is enjoyed by LS; standard proof of knowledge, by CDS. A protocol is adaptive-input proof of knowledge if there exists such a simulator. We have an extractor that interacts with the malicious prover that can adaptively choose the theorem to be proved in the last round. Okay, at this point the extractor rewinds the malicious prover and gets another transcript that could be accepting with respect to another theorem X prime, and also in this scenario the extractor can output the witness for X.

Adaptive-input witness indistinguishability is enjoyed by LS; standard WI, by CDS. A protocol is adaptive-input WI if the probability that a malicious adversary wins this game is less than one half plus negligible. What is the game? We have the first two rounds of interaction between prover and verifier, and at this point, after the second round has been sent by the malicious verifier, the theorem and the witness are adaptively chosen, and at this point the prover tosses a coin and uses the witness W_b to compute the third round z. The malicious verifier wins if it guesses the bit used in this computation.

In LS a one-way permutation is needed; no assumptions are required for CDS. Also, with LS we obtain only computational WI; with CDS
we get perfect WI. LS is for all NP, as I said, but CDS works only taking as input Sigma protocols.

Why is this gap so important? The reason is that a protocol that uses CDS instead of LS may have worse round complexity even if it is more efficient. Here we have some example of paper data decision, and also delayed-input completeness is widely used in recent works.

What are our results? Our first result is a compiler that takes as input a proof of knowledge and outputs an adaptive-input proof of knowledge. Why is this so important? Because Sigma protocols in general are not adaptive-input proofs of knowledge. For example, it is easy to see that in the general protocol, if the prover can choose adaptively the theorem X to be proved, then the proof of knowledge property is lost. This issue was observed in a work of Bernhard, Pereira and Warinschi about the weak Fiat-Shamir transform, but in that context they solved this problem in the random oracle model. But what can we do in the standard model?

Here I continue my example by using the Schnorr protocol. The idea is to have the Schnorr protocol, the black one, and to run in parallel another protocol, the purple one, that is necessary to prove the knowledge of the randomness used by the prover to compute the first round. This means that we have a fixed theorem, and then the extractor can extract this value r and actually can extract the witness y used in the Schnorr protocol, the black protocol. This transform applies to a large class of Sigma protocols, discussed in this work: the most used Sigma protocols, actually.

Okay, now we can talk about our second result, that is about bridging the gap in the WI property and the completeness property. Okay, here we have a comparison between LS and our previous work accepted at TCC, that is in the middle between LS and CDS. With this work,
we actually beat this gap by obtaining delayed-input completeness. We have proof of knowledge that can be turned into adaptive-input proof of knowledge by using the construction that I said before. We obtain adaptive-input WI like LS. Unfortunately, we need an additional assumption, the decisional Diffie-Hellman assumption, that is standard anyway. It works with multiple OR composition, and no NP reduction is needed. But as a drawback we obtain computational WI, computational WI like LS, and our construction is restricted to the same class of Sigma protocols that I briefly described before.

In summary, in our work the only real drawback is the assumption, that is decisional Diffie-Hellman. And also we made a comparison of efficiency between all of these works in a context where the computation can be seen as divided into phases: an offline phase, where all the computation can be done without using the theorem and witness, and the online phase, where the theorem and witness become available. And our result has an online phase that is as efficient as CDS94.

How about our construction? As a main tool we use
a (k, n)-trapdoor commitment, that is, we have a sender that computes n commitments, and we have a protocol pi that proves that at least k out of n of these commitments are perfectly binding. Also, for the rest of the commitments we can equivocate to any value that we want by the opening procedure, by specifying which message we want to open with respect to the commitments that are not perfectly binding. As a second component we use a delayed-input Sigma protocol and the special honest-verifier zero knowledge associated.

Okay, how our construction works. For simplicity I show only a construction with n equals two and k equals one. Here we have a prover that runs the honest procedure to compute two first rounds with respect to the protocol Sigma. I recall that this can be done without any theorem as input. And then a commitment, a (k, n)-trapdoor commitment, is computed. The idea is that we can equivocate one out of two, a1 or a2. And once we have a witness W_b, we can actually complete a transcript with respect to X_b by running the honest procedure of the input Sigma protocol, and for the theorem for which no witness has been provided, we run the honest-verifier zero-knowledge simulator, obtaining an a star. And at this point, as I said, we can open one out of two of the values of the first round, a1, a2, to another value, that is a star. So we have a1 and a star, and at this point the verifier checks that all is correct.

Okay, but how can we construct an efficient (k, n)-trapdoor commitment? As our first ingredient,
we use the decisional Diffie-Hellman assumption. I will refer to this sort of tuple as a DH tuple, and to this type of tuple as a non-DH tuple. As a second ingredient, we use an instance-dependent trapdoor commitment, that is, a commitment where, if the tuple used to compute the commitment is a non-DH, we obtain a perfectly binding and computationally hiding commitment, and if the tuple T is DH, we obtain a computationally binding and equivocable commitment.

Okay, so how do we mix these ingredients together? We have a sender that needs to compute n commitments. As a first thing, he selects n tuples and runs the instance-dependent trapdoor commitment by using as input each tuple once, and commits to a message m_i. And this is how these commitments are constructed. And then the prover needs to compute this protocol pi. With this protocol pi the prover, the sender, proves that at least k out of n of these tuples T1, ..., Tn are non-DH.

Okay, can we construct this?
As before, I made an example with k equals one and n equals two. So we have only two tuples that are non-DH. The first thing that the prover does is modify the third element of each tuple to obtain T1 prime that is DH and T2 prime that is still non-DH. And at this point the prover runs CDS94 to prove that T1 prime is DH or T2 prime is DH. And this protocol ends with the observation that we accept if and only if one out of two of the starting tuples is a non-DH.

Okay. As I said, the previous construction that I showed to you was only an example, actually, and works with any k and any n. In our paper we also have a construction that works for different NP relations. In our case, the previous construction works only taking a single Sigma protocol for a relation R. And also we give a compiler that transforms a Sigma protocol belonging to this class, and we can transform it into an adaptive-input proof of knowledge.

As an open problem we leave the possibility to extend our compiler, that is, can we extend the class of Sigma protocols that our compiler can take as input to transform a proof of knowledge into an adaptive-input proof of knowledge?

Okay, and that's it. Thanks.

Thanks, Michele. Are there any questions?

If you go back to the slide where you did the construction based, yes, this one. So what was the, so you say that you prove that the modified things, you prove something about the modified things. Okay, right, so, but there doesn't seem to be a connection to the original T1 and T2. So why do you conclude anything about...

Okay. We have, okay, T1 and T2 are both non-Diffie-Hellman, and then we have that if we change the third element of this tuple and then prove that at least one is DH of these tuples, then for sure, if we change the last element of the tuple, one out of two of T1 or T2 for sure is non-DH, actually.

Any more questions?
Okay, then let's thank the speaker.