This talk is about constructions of statistical zero-knowledge. This is joint work with Benoit, Alain, and Hoeteck. The focus of this work is on non-interactive zero-knowledge, or NIZKs. In a NIZK proof system, a prover tries to convince the verifier that some NP statement x is indeed contained in the language. NIZKs must satisfy three main properties, the first of which is completeness, which essentially says that the honest prover should be able to convince the honest verifier of a true statement. Then we have soundness, which says that no prover should be able to convince the verifier of a false statement, except perhaps with small, possibly negligible, probability. Here we can consider two possible notions: computational soundness, where this property only needs to hold for computationally bounded provers, in which case we have an argument system, or statistical soundness, where soundness should hold even against computationally unbounded provers, in which case we have a proof system. The third property of a NIZK is zero-knowledge, which intuitively says that no verifier should be able to learn anything more about the statement being proved other than the fact that the statement is true. Once more, we can consider two possible notions: a computational variant, where zero-knowledge only holds against computationally bounded verifiers, and a statistical variant, where zero-knowledge should hold even against computationally unbounded verifiers.
In all of this work, we are going to focus on the common reference string model, where first there is a trusted setup algorithm that generates a common reference string that is known to both the prover and the verifier. In addition, we will oftentimes consider a relaxation of this model, called the designated verifier model, where in addition to the CRS, the verifier also has access to a secret verification key that is not known to the prover.
For now, we will assume that the secret verification key is also sampled by the setup algorithm. Once this one-time setup is complete, the prover can then non-interactively prove arbitrary statements of its choosing to the verifier. And if we are in the designated verifier model, we require that the verification key should be reusable, namely, the verifier should be able to use the same key to verify arbitrarily many proofs from the prover, and soundness should hold even if the prover has oracle access to the verification function.
Non-interactive zero-knowledge has received extensive study, and today we know of many constructions from a wide range of assumptions. Publicly verifiable NIZKs in the CRS model are known, for example, from assumptions like factoring, from pairing-based assumptions, from lattice-based assumptions, as well as from indistinguishability obfuscation. Some of these constructions provide statistical soundness, others provide statistical zero-knowledge. Notably, the constructions of Groth-Ostrovsky-Sahai based on pairings, as well as the Peikert-Shiehian construction based on lattices, provide what's called a dual-mode property, where there are essentially two ways of constructing the common reference string, one of which gives statistical soundness, the other gives statistical zero-knowledge. Moreover, if we could further consider the relaxation to the designated verifier model, we have more constructions from even weaker assumptions, for instance, from the computational Diffie-Hellman assumption over a pairing-free group, from the learning parity with noise assumption, and more. However, if we restrict our focus and only consider those constructions that provide statistical zero-knowledge, far less is known.
In a publicly verifiable setting, we have constructions from pairings and LWE, while in a designated verifier setting, the only construction we have, other than the ones in the publicly verifiable setting, is from the Decisional Composite Residuosity assumption. So in this work, our focus is on developing new techniques and new approaches for realizing statistical zero-knowledge. From an applications perspective, whenever zero-knowledge is used to realize some type of privacy, statistical zero-knowledge provides an everlasting notion of privacy, where zero-knowledge will hold not only for the duration of the online protocol where the proof system is conveyed, but also for all time thereafter. This is a very appealing notion for many privacy-preserving applications.
So in this work, we provide a new way of compiling non-interactive zero-knowledge in something called the hidden bits model, which I will introduce shortly, to realize new constructions of statistical designated verifier NIZKs. In particular, we give the first constructions of statistical designated verifier NIZKs from the DDH assumption in a pairing-free group, as well as from the quadratic residuosity assumption. We also recover an instantiation from the Decisional Composite Residuosity assumption. More precisely, though, our constructions actually provide a dual-mode property, namely, they can be instantiated to either provide statistical zero-knowledge and computational soundness, or they can be instantiated to provide computational zero-knowledge and statistical soundness. As I will also describe later on, these notions also satisfy a concept called malicious security, where zero-knowledge holds even if the verifier samples its verification key in a malicious manner. Moreover, we show how to construct a statistical NIZK from a pairing-based assumption in a publicly verifiable setting.
Notably, our construction can be based on a weaker assumption compared to the previous constructions of statistical NIZKs by Groth, Ostrovsky, and Sahai. Our construction only requires a computational assumption in one of the base groups and a search assumption in the other, while the previous construction by Groth, Ostrovsky, and Sahai relied on a computational assumption in both of the underlying groups. So with this, our work provides new constructions of statistical NIZKs from qualitatively weaker assumptions in a publicly verifiable setting, as well as new constructions in the designated verifier setting.
So now, I will give a brief overview of our main constructions. The starting point of all of our constructions is a non-interactive zero-knowledge proof in an idealized model called the hidden bits model, introduced in the work of Feige, Lapidot, and Shamir. In this model, we assume that the prover has access to a uniform random bit string of length n. And given this uniform random bit string, the prover can now do the following. It can choose a subset of the bits and produce a proof pi. Both the subset as well as the proof pi are then given to the verifier. Moreover, the verifier is additionally given the values of the bits in the subset chosen by the prover. The remaining bits that are not chosen by the prover are completely hidden, hence the name hidden bit string. The verifier sees the subset of bits as well as the proof pi and now needs to decide whether to accept or reject. The work of Feige, Lapidot, and Shamir shows that there exists an unconditional construction of a perfect NIZK proof for any general NP language in this particular model. However, this is an idealized model and does not translate to something that we consider cryptographically, like the CRS model. So the second ingredient is a compiler that takes any NIZK in this hidden bits model and compiles it into one in the CRS model.
The cryptographic compiler roughly proceeds as follows. First, we have a common reference string, and this common reference string, in addition to a commitment chosen by the prover, will be used to define a hidden bit string. In addition, the prover can subsequently open the commitment to bits of its choosing and reveal them to the verifier, thus mimicking the operation in the hidden bits model. We require several properties from this type of commitment scheme. First, we require that the commitment be binding, namely, once the prover has chosen its commitment, it can only open up the hidden bit string to a single value in each of the positions. Next, we require hiding, which says that after the prover chooses to open up a few bits of the hidden bit string, the verifier should not learn anything about the unopened bits. And finally, we require a succinctness property, which essentially says, for simplicity, that the length of the commitment should be much, much smaller than the length of the hidden bit string.
So once we have these three properties from this type of commitment scheme, it is now fairly straightforward to argue security of a NIZK in the CRS model. Namely, soundness will be reduced to the binding and succinctness properties and roughly proceeds as follows. If the commitment is very short, and moreover, the NIZK is statistically sound in the hidden bits model, then there cannot be that many hidden bit strings that are able to fool the verifier. And if the commitment is much, much shorter than the length of the hidden bit string, then essentially by a union bound argument, we can argue that the prover will not be able to find a bad commitment that corresponds to a hidden bit string that is able to fool the verifier, and soundness then follows. Zero-knowledge then follows from the fact that if the commitment is hiding, all of the unopened bits are still hidden from the perspective of the verifier.
And so we have effectively simulated the view of the verifier in the idealized hidden bits model. So in the work of Feige-Lapidot-Shamir, they show how to instantiate this type of commitment scheme and this type of transformation through trapdoor permutations, thus yielding the first construction of a computational NIZK proof from the factoring assumption. Subsequently, the work of Canetti-Halevi-Katz shows how to realize the same compiler starting from the CDH assumption over a pairing group, again giving us a construction of a computational NIZK proof. And finally, very recently in Eurocrypt last year, a sequence of independent works shows how to do something very similar by starting from the CDH assumption in a pairing-free group. Here, they work in a designated verifier setting and obtain computational designated verifier NIZK proofs from the standard CDH assumption without relying on pairings.
One thing to note about all of these existing instantiations of the FLS compiler and the FLS framework is that they only provide computational zero-knowledge, for reasons I will describe shortly. A natural question to ask is whether it might be possible to use this same type of compiler but to obtain statistical zero-knowledge. This is what we achieve in this work. In fact, we show a way to realize this compiler in a dual-mode fashion. In particular, there are two ways that we can sample this common reference string. In one mode, called the binding mode, the common reference string will be able to induce a hidden bits model where we achieve computational zero-knowledge and statistical soundness. Alternatively, if we switch to a different mode or a different way of sampling the common reference string, we get what's called the hiding mode, where the resulting construction actually provides statistical zero-knowledge and computational soundness.
To highlight how this construction works, let's begin by recalling the instantiation from the computational Diffie-Hellman assumption. Here, we're going to work in a prime-order group with generator g. The common reference string in this case is going to consist of the generator g together with n random group elements whose secret exponents are w_1 up to w_n. These n random group elements will be used to define the hidden bit string. So in particular, every possible choice of exponent y in the underlying field will define a different hidden bit string, where the i-th bit in the corresponding hidden bit string is exactly h of h_i raised to the y power. And here, the bit will be defined by computing a hardcore function of h_i to the y. This will be a hardcore function for the CDH function.
So what does a commitment look like? Well, the prover is essentially just going to compute g to the y. This will uniquely define a sequence of hidden bits, because the value g to the y information-theoretically determines the exponent y, and the exponent y completely determines the sequence of bits b_1 up to b_n given the components in the common reference string. In order to open up a commitment, the prover will provide h_i to the y, the term that will be used to derive the hidden bit. So now what remains to show is that the prover used a common exponent y to construct both the commitment as well as its opening. This is exactly proving that this tuple here, this g, g to the y, which is the commitment, this h_i, which is the base for the i-th bit, and h_i to the y, the opening, actually constitutes a DDH tuple. There are several ways of proving that a particular tuple is a valid DDH tuple. One way is to use a pairing. This is the approach taken by Canetti-Halevi-Katz, which gives a publicly verifiable construction.
And in the Eurocrypt papers from last year, they used a Cramer-Shoup hash proof system to prove that this tuple is indeed a DDH tuple, and this gives a designated verifier instantiation. Moreover, this construction is statistically binding. To see this, notice that the choice of the commitment here, g to the y, completely determines y and therefore the entire sequence of hidden bits. And as a result, the resulting non-interactive zero-knowledge proof that we obtain also satisfies statistical soundness. On the other hand, if we consider zero-knowledge, we notice that because we rely on a hardcore bit, the unopened bits will be computationally hidden from any efficient verifier, assuming the hardness of the CDH assumption. So this is where we need to make a computational assumption to argue that the unopened bits are hidden. As a result, we only achieve computational zero-knowledge. The question is whether we can replace this final component here to achieve statistical zero-knowledge.
So the key idea in our work is, instead of using scalars in the common reference string, we're going to replace them with vectors. So just as a notation, whenever we have a vector v, I will write [v] to denote a vector of group elements where each group element is formed by taking g raised to the corresponding component of the vector. So in our construction, the common reference string will consist of a collection of encoded vectors, where vectors have dimension m plus one. Here we're going to start by sampling a random vector v, and the encoding of v here is going to play the role of the generator g in the basic construction from CDH. Then we have a collection of encoded vectors w_1 up to w_n, and these will play the role of the h's, the g to the w_1 to g to the w_n before. So now the question is, how do we sample these w's? We're going to define two distributions from which we can sample these w's.
In the first distribution, which we will call the binding distribution for the binding mode, we're going to sample w to be a scalar multiple of v. Alternatively, we can instead sample the w's uniformly at random from the full space. This will be used to define what we call the hiding mode. So another way that you can think about it is, in the binding mode, all of the vectors v, w_1 up to w_n are linearly dependent. They span a subspace of rank one, which is exactly the space spanned by the vector v. While in hiding mode, since we are sampling all of these vectors uniformly at random and independently of each other, with overwhelming probability over their randomness, the collection of vectors in the CRS actually is full rank. The key first observation that we will make is that, assuming the DDH assumption holds, these two distributions, when we encode the w's in the exponents, are actually computationally indistinguishable. Under DDH, it is hard to distinguish a rank-one matrix in the exponent from a full-rank matrix in the exponent. That is exactly what we have here. And if you're familiar with constructions of lossy public key encryption and related primitives, this is conceptually very, very similar.
So now, much like in the original CDH construction, we have to have a way for the CRS to induce a particular hidden bit string. Here, every vector y in Z_p to the n plus one will define a hidden bit string. So before it was just every exponent y; here, we're going to consider the vector generalization. How does it define a hidden bit string? We're going to take the corresponding component in the CRS, in this case, w_i, compute the inner product between the vector y and w_i, and hash it. Here, we require a universal hash. So recall that before, we were using a hardcore function for DDH. Now, we're using a universal hash function. How does the prover commit to a particular hidden bit string? Well, the commitment is not going to be g to the y.
So the g to the y is going to be very long. That does not provide succinctness. Instead, what the prover is going to do is compute the inner product between y and the vector v. So the commitment is, again, a single group element, which is independent of the length of the overall hidden bit string. This is important for succinctness.
Now, let's consider the main properties we care about, binding and hiding. So first, the binding property holds because if we sample the w_i's in the binding mode, namely, w_i is a scalar multiple of the vector v, notice that the value of y transpose times v, namely the prover's commitment, fully defines the value of the hidden bit. Namely, y transpose w_i here is just y transpose times s_i times v, or y transpose v times the scalar s_i. But y transpose times v is precisely the commitment. And so, once we have chosen y, we have completely defined the value of y transpose times w_i and, thus, the value of the hidden bit. So this is why this particular construction provides statistical binding.
Conversely, suppose instead that we had sampled the CRS in the hiding mode. In this case, the claim is that the value of y transpose w_i is perfectly hidden or statistically hidden, even given the commitment as well as the openings to any other bit. And this again follows now by a linear independence argument. Namely, in the hiding mode, if all of the w's are uniformly random, then with overwhelming probability, all of these vectors in the CRS form a full-rank collection of vectors. If we learn y transpose times any of these vectors, it does not reveal any information about y transpose times any of the other vectors, just by the linear independence. So if we sample the w_i's now in hiding mode, the values of the unopened bits are statistically hidden.
So in particular, what this means is that if we now go through the standard FLS compiler with these two modes of sampling the CRS, if we use the binding mode, we get a sequence of hidden bits that are statistically binding. This provides statistical soundness for the resulting NIZK. If instead we started with a sequence of vectors sampled in the hiding mode, we get a set of hidden bits that are statistically hidden from the perspective of the verifier, and this provides us statistical zero-knowledge.
So the remaining ingredient that we need is a way for the prover to open up the commitments to each of these hidden bits. We can do something very similar to what was done in the CDH instantiation. The prover is going to first send the input to the universal hash that will allow the verifier to compute the corresponding hidden bit. And moreover, the prover needs to argue that it actually used something consistent to construct both the commitment as well as the opening, namely, the same vector y was used in both cases. This is analogous to proving that something is a DDH tuple. We want to prove that the same vector was shared across two different quantities. For this again, we can use the Cramer-Shoup techniques to produce a designated verifier proof system to instantiate this.
So with these constructions, we have now a fully specified construction where we have two different modes of generating a CRS. We have a way for the prover to commit to a particular choice of hidden bit string and a way for the prover to open up a hidden bit string to a particular value. To conclude then, by instantiating the hidden bit string in these two different modes, we essentially obtain a dual-mode designated verifier NIZK from the DDH assumption. In one mode, the binding mode, we get computational NIZK proofs. In the hiding mode, we get statistical NIZK arguments, all in a designated verifier setting. There are several ways that we can extend this.
So for instance, we can replace DDH with the general k-Lin family of assumptions for any k greater than or equal to one. So just recall, DDH is equivalent to, or the same as, the 1-Lin assumption. We can also replace the DDH assumption with subgroup indistinguishability type assumptions. This gives us dual-mode designated verifier NIZKs starting from the quadratic residuosity or the decisional composite residuosity assumptions. And we can also use a pairing to publicly implement this verification algorithm, much like the work of Canetti, Halevi, and Katz. This allows us to obtain a statistical NIZK argument. Unfortunately, due to technical and algebraic details of the construction, this does not give us a full dual-mode construction. So it does not give us the full expressivity of the construction of Groth-Ostrovsky-Sahai. But because we can now base hardness on a weaker assumption, this k-kernel linear assumption in one of the subgroups, this gives an assumption that is qualitatively weaker than those previously used to construct statistical NIZKs in the publicly verifiable CRS model.
So the one final extension that I want to mention is how we go from the standard designated verifier setting to what's called a malicious designated verifier setting, introduced in the work of Quach, Rothblum, and Wichs. In this setting, there is only a single trusted setup that samples a common random string. Thereafter, any of the verifiers can come along and construct their own verification key. So in the simple designated verifier model that I introduced at the beginning of this talk, we assumed that a trusted setup also sampled the verification key. Here, we only require a common random string as the trusted setup. The verifiers can choose their verification key arbitrarily. And zero-knowledge should hold in this model, even if the verification key is chosen maliciously.
It turns out that all of our designated verifier NIZK constructions are easily adapted to satisfy this notion of malicious security. In some cases, we actually have to replace the common random string with a structured string, but still the verifiers can later come along and sample their verification key independent of the trusted party. The techniques that we use are very similar to those used in Quach, Rothblum, and Wichs, but we can actually rely on a simpler information-theoretic argument based on linear independence rather than a more complex rewinding argument. As a result, we are able to realize dual-mode malicious designated verifier NIZKs from the DDH assumption, or more generally the k-Lin assumption, as well as from the subgroup indistinguishability assumptions like QR and DCR. This is in contrast to previous works, which relied on a complex rewinding argument and an interactive one-more CDH assumption. So by generalizing everything to vectors and looking at the linear algebraic properties, we can actually get constructions from weaker assumptions that are simpler to analyze.
So just to summarize, in this work, we provide another way of leveraging the FLS compiler to, for the first time, realize statistical zero-knowledge. And this has now yielded many new constructions. For instance, in the designated verifier setting, we can realize dual-mode malicious-secure designated verifier NIZKs from the k-Lin assumption in pairing-free groups, and also from the QR and DCR assumptions. Even in a publicly verifiable setting, we can obtain a new pairing-based construction from a qualitatively weaker assumption than those previously needed to achieve statistical zero-knowledge.
And now I'll conclude with a couple of open questions. One open question is that throughout all of these constructions, we still do not know how to construct statistical zero-knowledge from the factoring assumption.
We know that FLS gives us computational NIZK proofs from factoring, and our work gives us constructions in the designated verifier model from factoring-like assumptions like QR or DCR. But it is completely open how to realize statistical zero-knowledge just from factoring. Another interesting open direction is to consider other assumptions and whether they might also be able to give us some notion of statistical zero-knowledge. For instance, can we realize something from the learning parity with noise assumption, from the CDH assumption, or other assumptions not currently known to provide statistical zero-knowledge? I should note that both of these, the LPN and the CDH assumptions, are known to provide computational zero-knowledge in a designated verifier setting but not known to provide statistical zero-knowledge. And with that, I'll conclude. Thank you for your attention.