I'm going to talk to you about distinguisher-dependent simulation. This is joint work with Abhishek Jain, Yael Kalai, and Ron Rothblum. So let me start by telling you about interactive proofs for NP. An interactive proof is a protocol between a prover and a verifier, where the prover has access to an instance and a witness for the membership of this instance in an NP language, and the job of the prover is to convince the verifier that the instance is indeed in the language. The completeness, or correctness, requirement is that if both the prover and the verifier behave correctly, and if the instance is indeed in the language, then the verifier should output accept at the end of the protocol with overwhelming probability. The soundness requirement formalizes security against malicious provers: no prover, no matter how it behaves, should be able to convince the verifier to accept if the instance is not in the language, meaning that in such a situation the verifier should reject with overwhelming probability. What about security against malicious verifiers? Privacy against such verifiers formalizes the requirement that a malicious verifier should not learn too much information about the witness that the prover used. This is formalized in a variety of ways with different definitions. The goal of this work is to minimize interaction in such proofs while achieving strong privacy guarantees, including many of these, which I'll touch upon later in the talk. For now, I want to focus on the strongest privacy guarantee out of these, which is zero knowledge.
Roughly, zero knowledge requires that the view of any malicious verifier should be simulatable by a simulator that does not have access to the witness, only to the instance, and yet is able to generate a view that remains indistinguishable from the view of the verifier when interacting with an honest prover. A canonical application of zero knowledge, for example, is to implement the commit-and-prove functionality. Here, a prover is required, let's say, to commit to some message and then give a proof that this commitment was correctly constructed. This, or variants of it, is used in several crypto applications. But for simplicity, let's consider the situation where the proof is just required to show that there exists some message such that C1 is a correctly generated commitment to that message. Normally, in order to get a meaningful notion of hiding while giving such a proof, the guarantee required from such proof systems is typically zero knowledge. Why is that? Because the whole point of having a commitment there is to hide the message M, and if the proof revealed this message, that would potentially be disastrous. So you'd want a proof which hides the message. The way this is implemented with zero knowledge is that there is a simulator that is able to generate a simulated proof without knowing the message or the randomness used to generate the commitment, such that the view of the verifier remains indistinguishable. And once this is done, since the simulator doesn't need to know the message or randomness that was used, we can rely on the hiding of the commitment to replace it, let's say, with a commitment to zero. This means that the message M really remains hidden in this situation. So the goal again, like I already told you, is to minimize interaction while achieving privacy and enabling applications such as these.
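As a concrete reference point for the commit-and-prove discussion above, here is a minimal hash-based commitment sketch in Python. The construction and names (`commit`, `verify_opening`) are my own illustrative stand-ins, not the scheme from the talk.

```python
import hashlib
import os

def commit(message: bytes) -> tuple:
    """Commit to a message. Hiding comes from the 32-byte random r;
    binding from collision resistance of SHA-256."""
    r = os.urandom(32)
    return hashlib.sha256(r + message).digest(), r

def verify_opening(c: bytes, message: bytes, r: bytes) -> bool:
    """Check that (message, r) is a valid opening of commitment c."""
    return hashlib.sha256(r + message).digest() == c

# Commit-and-prove asks the prover to send c and then prove, in zero
# knowledge, that there EXISTS an opening (m, r) of c -- without ever
# revealing m or r.
c, r = commit(b"secret message")
assert verify_opening(c, b"secret message", r)
assert not verify_opening(c, b"another message", r)
```

Without the opening, the commitment reveals nothing about the message, which is exactly why the proof attached to it must not leak the message either.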
And potentially this requires two-message zero knowledge. So now let's review what we know about whether zero knowledge is possible in two rounds. With four rounds or more, there have been constructions for many years now that achieve zero knowledge based on standard assumptions. If we limit ourselves to three rounds, then we know how to achieve notions such as witness indistinguishability, which is a weaker notion, or we know how to achieve zero knowledge, but based on new and relatively unstudied assumptions, and requiring non-black-box simulation. On the other hand, there have been a bunch of impossibility results that show barriers to achieving zero knowledge or other strong notions of privacy in just two rounds. In particular, we know that the standard notion of zero knowledge is impossible to achieve in just two messages. So what can we achieve in just two rounds? Well, witness indistinguishability, which is a weakening, is known to be achievable not just in two rounds but in one round. And the question is, can we do better than witness indistinguishability? Can we get stronger guarantees? In order to attempt to answer this question, we relax the standard notion of zero knowledge, introducing a few relaxations that allow us to bypass the impossibilities while simultaneously sufficing for applications like the one I just demonstrated. The first relaxation we are going to make is that we will consider the distributional setting, where the instance and the witness are sampled by the prover from some public distribution. It is easy to jointly sample the instance and witness together; however, given just the instance, it is hard to find a witness. And we require that the indistinguishability of the real proof and the simulated proof hold over the randomness of sampling the instance.
In particular, the simulator is going to be able to sample other instances and witnesses from the same distribution. However, the simulated proof that it generates should be for some external instance for which it does not know the witness; this is important because otherwise simulation would become trivial. The second relaxation is that we restrict ourselves to a delayed-input setting, meaning that the instance about which the prover is going to provide a proof will only be decided in the second round, along with the second message of the prover. And the third relaxation is that we will allow the simulator to depend on the distinguisher. So the quantifiers are changed in the following way: we only require that for every distinguisher, there exists a simulator, which can potentially depend on the distinguisher, that generates a simulated transcript indistinguishable to this distinguisher from a real proof. So these are the three relaxations that we impose. Finally, to summarize, we're going to be in a setting where the prover samples the instance from a distribution and sends it in the second round, and the verifier is restricted so that his first message must be sent before he sees the instance that the prover is about to send. Note that zero knowledge is usually used to prove correctness of cryptographic computation, and in applications we would normally want to use a two-round argument inside a protocol that is itself two rounds. There, if the prover is the one choosing the instance and proving something about it, in many situations it makes sense for the prover to just send the instance in the second round itself. So this will have applications, for example, in the commit-and-prove scenario that I just talked about, where the prover can sample the commitment and send it in the second round.
And if some parts of that definition were hard to remember, don't worry, because I'm going to repeat them when I tell you about the technique. So now let me move on to the technique, where we give a distinguisher-dependent simulator for two-message arguments. To begin with, we want two-message arguments with privacy, and let me start by recalling a three-round proof system for NP that has a weak privacy property: this is just Blum's protocol for graph Hamiltonicity. Note that since graph Hamiltonicity is NP-complete, a proof for graph Hamiltonicity can be used to generate a proof for all of NP. The details of the protocol don't matter; all you need to remember is that this is a three-message protocol that is honest-verifier zero knowledge, meaning that a simulator that knows the challenge of the verifier in advance can generate a simulated transcript easily. This particular protocol with a one-bit challenge has soundness one half. However, it can be repeated in parallel to amplify soundness, and this parallel repetition preserves honest-verifier zero knowledge. So this is all you need to know about this protocol. We will use another tool, which is a transformation developed by Kalai and Raz that transforms any interactive public-coin proof into a two-message argument. The verifier has public-coin queries in the interactive proof, and the transformation requires the verifier to send these queries as the queries of a private information retrieval (PIR) scheme. The prover sends his first message in the clear and his second message as a response to the private information retrieval query, under the hood of the PIR scheme, and so forth. And Kalai and Raz showed that, assuming quasi-polynomially secure private information retrieval, the resulting two-message protocol is sound against adaptive cheating provers.
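To make the honest-verifier ZK property concrete, here is a toy Python sketch of Blum's Hamiltonicity protocol with a one-bit challenge. The hash-based commitment and all helper names are my own illustrative choices; a real instantiation needs a statistically binding commitment and parallel repetition for soundness.

```python
import hashlib, os, random

def commit(bit, r):
    return hashlib.sha256(r + bytes([bit])).digest()

def perm_graph(n, edges, pi):
    """Edge set of pi(G), stored with both orientations."""
    return ({(pi[u], pi[v]) for u, v in edges} |
            {(pi[v], pi[u]) for u, v in edges})

def first_message(n, edges):
    """Prover's first message: commitments to the adjacency matrix of
    pi(G), for a freshly sampled random permutation pi."""
    pi = list(range(n)); random.shuffle(pi)
    pe = perm_graph(n, edges, pi)
    rnd = {(i, j): os.urandom(16) for i in range(n) for j in range(n)}
    coms = {ij: commit(int(ij in pe), rnd[ij]) for ij in rnd}
    return coms, (pi, pe, rnd)

def respond(e, state, cycle):
    pi, pe, rnd = state
    if e == 0:                      # open everything and reveal pi
        return pi, rnd
    pc = [pi[v] for v in cycle]     # open only the permuted cycle edges
    return {(pc[k], pc[(k + 1) % len(pc)]):
            rnd[(pc[k], pc[(k + 1) % len(pc)])] for k in range(len(pc))}

def verify(n, edges, coms, e, z):
    if e == 0:                      # openings must match pi(G) exactly
        pi, rnd = z
        pe = perm_graph(n, edges, pi)
        return all(coms[ij] == commit(int(ij in pe), rnd[ij]) for ij in coms)
    # e == 1: opened entries must all be 1s forming a single n-cycle
    if len(z) != n:
        return False
    if not all(coms.get(ij) == commit(1, r) for ij, r in z.items()):
        return False
    succ = {i: j for i, j in z}     # walk the successor map
    v, seen = next(iter(succ)), set()
    while v in succ and v not in seen:
        seen.add(v); v = succ[v]
    return len(seen) == n

def hvzk_simulate(n, edges, e):
    """Honest-verifier ZK simulator: with the challenge e known in
    advance, no Hamiltonian cycle for G is needed."""
    if e == 0:                      # just commit to pi(G) and open it
        coms, (pi, pe, rnd) = first_message(n, edges)
        return coms, (pi, rnd)
    perm = list(range(n)); random.shuffle(perm)   # a random n-cycle
    ce = {(perm[k], perm[(k + 1) % n]) for k in range(n)}
    rnd = {(i, j): os.urandom(16) for i in range(n) for j in range(n)}
    coms = {ij: commit(int(ij in ce), rnd[ij]) for ij in rnd}
    return coms, {ij: rnd[ij] for ij in ce}

# demo: the 4-cycle graph, which is its own Hamiltonian cycle
n, edges, cycle = 4, [(0, 1), (1, 2), (2, 3), (3, 0)], [0, 1, 2, 3]
coms, st = first_message(n, edges)
assert verify(n, edges, coms, 1, respond(1, st, cycle))
```

The simulator handles each challenge without the witness: for e = 0 any committed permuted copy of G verifies, and for e = 1 a committed random cycle does, which is exactly the property the two-message construction below exploits.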
So if we were to perform this transformation, soundness is already guaranteed. Our strategy is going to be to apply this transformation to the three-round proof system that I just told you about. So let's take the three-round Blum proof on the left and squish it into two rounds using this transform. What results is a two-message protocol where the verifier first sends his challenge encrypted inside a PIR query, and the prover then responds with his first message for the Blum protocol, while the third message of the Blum protocol again comes under the hood of the PIR. Now, it's easy to see that this protocol already remains honest-verifier zero knowledge: if the verifier was honest-but-curious and the simulator knew the coins of the verifier, then it would be easy to simulate, because the simulator would just learn E and use it along with the honest-verifier ZK property of the underlying protocol. But what if a malicious verifier sends a malformed query that does not encode any valid bit at all? Any arbitrary verifier could just send a weird message that doesn't correspond to an encryption of anything. What happens in that situation? It's not clear, and this could potentially ruin privacy. But we're going to prevent this by using a special kind of private information retrieval scheme, or a special kind of oblivious transfer, which I'm going to tell you about next. Since we only care about two-message protocols right now, we restrict ourselves to two-message oblivious transfer. This is a protocol between a sender, who has as input two messages, and a receiver, who has as input a choice bit. The receiver sends his first message of the protocol as some function, or an encryption, of his choice bit, and the sender responds by sending an encryption of both his messages with respect to the first message sent by the receiver.
At the end of this protocol, the receiver learns the B-th message of the sender. The standard privacy guarantees we require from oblivious transfer are that a cheating sender should not be able to guess the receiver's choice bit, and a cheating receiver should not be able to guess the other message of the sender, the one he did not ask for. We will require a stronger privacy property here, which is that every string sent by a cheating receiver should correspond to an encryption of some bit: for every string C sent by the receiver, it should correspond to an encryption of either B equals zero or B equals one, and if it is an encryption of B equals zero, then the sender's message corresponding to his actual inputs M0, M1 should remain indistinguishable from a sender message that has both messages set to M0, and similarly if the choice bit is one. Such OT is already known based on the decisional Diffie-Hellman assumption, or quadratic residuosity, or N-th residuosity. We will make use of this OT and apply the Kalai-Raz transform that I just told you about to the three-message Blum protocol, squishing it down to two messages using this particular oblivious transfer. And as Kalai and Raz already showed, and I already told you, because this OT is a special kind of private information retrieval, the resulting two-message protocol remains sound against probabilistic polynomial-time provers, even if they choose the instance adaptively. But what about privacy? We show that the argument we get as a result of this transformation satisfies meaningful privacy guarantees when the PIR is instantiated with this particular oblivious transfer. In particular, it satisfies delayed-input, distributional, distinguisher-dependent zero knowledge, which is what I told you about initially, but don't worry if you don't remember all of it.
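The kind of oblivious transfer used here can be sketched, in toy form, along the lines of Naor-Pinkas-style DDH-based OT. The group parameters below are tiny and purely illustrative, and fixing h as a public parameter with a visible exponent is a simplification made only so the demo is self-contained.

```python
import random

# Toy group: p = 2q + 1 with q prime; g generates the order-q subgroup.
p, q, g = 1019, 509, 4
h = pow(g, 77, p)   # public element whose discrete log the receiver must
                    # not know (the exponent is visible only for the demo)

def receiver_msg(b, x):
    """Choice bit b, secret x: set pk_b = g^x and send pk0. Crucially,
    ANY pk0 the receiver sends determines pk1 = h / pk0, so every
    receiver message encodes some bit -- the receiver can know the
    secret key for at most one of pk0, pk1."""
    pk_b = pow(g, x, p)
    return pk_b if b == 0 else (h * pow(pk_b, -1, p)) % p

def sender_msg(pk0, m0, m1, r0, r1):
    """ElGamal-encrypt m0 under pk0 and m1 under pk1 = h / pk0."""
    pk1 = (h * pow(pk0, -1, p)) % p
    c0 = (pow(g, r0, p), m0 * pow(pk0, r0, p) % p)
    c1 = (pow(g, r1, p), m1 * pow(pk1, r1, p) % p)
    return c0, c1

def receiver_dec(b, x, cts):
    """The receiver can decrypt only the ciphertext under its own key."""
    a, c = cts[b]
    return c * pow(pow(a, x, p), -1, p) % p
```

For example, a receiver with b = 1 recovers m1 but, lacking the discrete log of pk0, learns nothing about m0 (up to DDH, in a full-sized group); this is the sense in which the malformed-query attack is ruled out.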
It also satisfies a bunch of other privacy notions which are not the focus of this talk; I'll say a little bit about them later. So let me show you the privacy analysis that gives us our main result. If we take our protocol, we know, because of the security of the oblivious transfer, that every message sent by the verifier corresponds to an encryption of some challenge; this is what the oblivious transfer gave us. Therefore, to show that there exists a simulator that can generate simulated proofs: if this simulator somehow knew what this challenge was, then we could invoke the honest-verifier zero knowledge property of the underlying Blum protocol and use that to simulate. However, the simulator does not know what the challenge is. Maybe it can break the encryption and figure it out? Indeed, privacy of this protocol is possible to prove via super-polynomial simulation; this is explored in a concurrent work, along with various other applications. However, in this talk we really want polynomial simulation; we don't want the simulator to run in super-polynomial time. So how should the simulator find out what the verifier's challenge E is? Remember that one of the relaxations we added was to allow the simulator to depend on the distinguisher. So the simulator is allowed to observe the output of the distinguisher, and we're going to crucially use this to help the simulator find out the challenge E. Another simplification we're going to make is that so far we were working with a parallel repetition of the Blum protocol so as to amplify soundness; but let's simplify and look at a single execution, without parallel repetition, and see if we can prove something about that. Note that unlike the case of Blum's protocol, here it's unclear how to simulate even a single execution, because even if the simulator were to try to guess the challenge, it cannot really check its guess trivially.
So let's consider the setting of a single execution. As a first attempt, let's have the simulator just send a second message consisting of A, the first message of the Blum protocol, sampled honestly, together with a completely junk value inside the private information retrieval answer. The question is: can the distinguisher tell the difference? Suppose the distinguisher cannot tell the difference. This could correspond to a situation where the verifier generated the encryption of E using some randomness but did not convey this randomness to the distinguisher in the view. So the distinguisher has no idea what randomness was used for the OT encryption, and maybe as a result it cannot decrypt and recover the answer from within the PIR scheme. Also, the Blum protocol already has the property that the first message A computationally hides the witness. So the simulator can easily sample some other A that looks similar to the honest A and send a junk message with it. And if the distinguisher really did not know the randomness used to generate the encryption of E, then maybe it's not going to be able to tell the difference, and the simulation would be successful. But the more interesting case is when the distinguisher can tell the difference. For example, in this case the distinguisher does know the randomness used to generate the encryption of E, and when the simulator tries playing this trick of sending a completely junk message, the distinguisher can tell and just aborts. So the simulator cannot do this; it would be distinguishable. So what do we do? Well, in this case we are going to use the fact that the distinguisher knows what E is to find out E from him. The simulator will use the distinguisher to extract E in this situation, and this is really the technical heart of our paper. Recall that we wanted a simulator that could simulate a proof for some x sampled from the distribution, without access to a witness for this x.
However, the simulator can sample other instances and witnesses from the same distribution, by the distributional relaxation that we imposed. So our main idea is that the simulator is going to sample these other instances and witnesses from the same distribution; this is allowed because of our distributional, delayed-input setting. And since it has these other instances and witnesses, it will also be able to sample honest proofs for these other instances using their correct witnesses. So the simulator keeps the first message of the verifier fixed, samples a different instance, and tests what the distinguisher says on this instance. Let's say it samples some x prime, and then A and Z0, Z1 correspond to an honest proof for x prime. The simulator observes what the distinguisher does in the actual game. It also runs in parallel a game zero, where within the OT it guesses that the verifier's message is an encryption of the bit zero, and as a result it sends its message for the OT to correspond to an encryption of Z0 twice. So the zero game is basically the simulator guessing that E was zero. And the one game is the game where the simulator guesses that the encrypted bit E was one, and therefore the simulator sends, under the OT hood, an encryption of the messages Z1 and Z1. Note that because of the security of the oblivious transfer, either the actual game is indistinguishable from game zero, or the actual game is indistinguishable from game one, based on what E is; they cannot both be distinguishable. Therefore, the simulator can check whether the distinguisher's output in the actual game is close to its output when the simulator guessed that E was zero, or close to its output when the simulator guessed that E was one. And one of these has to be close.
Maybe they're both close, but in that case, that's like the distinguisher not knowing what the challenge is, and that's okay anyway. So the simulator is going to use this to extract E. Now let me summarize the simulation technique. The simulator wants to simulate a proof for an externally sampled X without knowing its witness. In order to do this, it samples a different X prime together with a correct proof and sees what the distinguisher says. Next, it samples a fake proof with both answers for the Sigma protocol corresponding to challenge equals zero, and sees what the distinguisher says this time. Next, it samples the second message corresponding to both answers for the underlying Blum protocol when the verifier's challenge bit is one, and again sees what the distinguisher says. In this way, the simulator rewinds the distinguisher and uses this to learn the OT challenge E. This technique is successful whenever the distinguisher D knows what the challenge E is, because one of the two games will be distinguishable and the other will not. And if the distinguisher doesn't know what E is, then it suffices to just send a junk message, because the distinguisher cannot tell the difference between the games anyway. And we note that, unlike the case of the standard three-round Blum protocol that I just described, this technique extends to extracting the verifier's challenge from a parallel repetition of these protocols. Therefore, if we repeat in parallel to amplify soundness, the entire system still lets us extract the verifier's challenge E bit by bit. So as a result, we get distributional distinguisher-dependent zero knowledge in the delayed-input setting, where for all distributions, for all verifiers and distinguishers, there exists a simulator that generates a simulated proof and is allowed to depend on the distinguisher.
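The rewinding strategy just summarized can be sketched as follows. Everything here, the toy "encryption" of the challenge, the stand-in proof format, and the particular distinguisher, is stylized and of my own choosing; only the three-games comparison mirrors the actual technique.

```python
import random

def make_verifier_msg(e):
    """Toy stand-in for the OT encryption of the verifier's challenge e."""
    k = random.randrange(2)
    return (e ^ k, k)

def ot_deliver(ct, pair):
    """The OT functionally delivers only the e-th of the sender's pair."""
    e = ct[0] ^ ct[1]
    return pair[e]

def honest_answer(x, e):
    """Stand-in for the Blum third message z_e for instance x."""
    return ("answer", x, e)

def distinguisher(ct, transcript):
    """A distinguisher that knows the OT randomness (hence knows e) and
    accepts only transcripts whose delivered answer matches e."""
    x, delivered = transcript
    e = ct[0] ^ ct[1]
    return delivered == honest_answer(x, e)

def extract_challenge(ct, D, trials=50):
    """Rewind D on fresh instances: play the real game and the two
    guessed games; the guess whose acceptance rate is closest to the
    real game's reveals the encrypted challenge."""
    rates = {"real": 0, 0: 0, 1: 0}
    for _ in range(trials):
        x = random.randrange(10**6)        # fresh instance (with witness)
        z = {b: honest_answer(x, b) for b in (0, 1)}
        rates["real"] += D(ct, (x, ot_deliver(ct, (z[0], z[1]))))
        rates[0] += D(ct, (x, ot_deliver(ct, (z[0], z[0]))))
        rates[1] += D(ct, (x, ot_deliver(ct, (z[1], z[1]))))
    return min((0, 1), key=lambda b: abs(rates[b] - rates["real"]))

for e in (0, 1):
    assert extract_challenge(make_verifier_msg(e), distinguisher) == e
```

If the distinguisher instead ignores the OT randomness, both guessed games tie with the real game and either guess is fine, matching the case above where a junk message already suffices.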
This implies indistinguishability- or hiding-based notions such as witness hiding in the delayed-input setting, where we require that for all efficiently sampleable distributions, a verifier that interacts with a prover should not be able to output the witness at the end of the protocol. Another notion that this implies is strong witness indistinguishability, where we require that when two instances come from indistinguishable distributions, the instance along with a proof should appear indistinguishable in case one versus case two. To get this implication, we need an additional property of the zero knowledge that I don't have time to talk about right now. But to summarize: assuming quasi-polynomial DDH, or quadratic residuosity, or N-th residuosity, we obtain two-round arguments in the delayed-input setting that satisfy distributional zero knowledge where the simulator depends on the distinguisher. They also satisfy witness hiding and strong witness indistinguishability, and they satisfy the standard notion of witness indistinguishability without any of the delayed-input restrictions; previously, two-round witness indistinguishability was known based on different assumptions, so we obtain it from assumptions not previously known to suffice. We also get three-round versions of our arguments relying on polynomial hardness of the same assumptions. And we give multiple applications of these proof systems and argument systems. To get some perspective, this introduces a new extraction technique for cryptography: a black-box, polynomial-time simulation strategy that only requires two messages, whereas previously rewinding required more rounds. Here, we are able to rewind the distinguisher and use that to cut the interaction short by one message. This helps us make progress on open problems on the round complexity of witness hiding and strong WI, and has applications to multiple two-round and three-round protocols beyond argument systems.
So to conclude, in the round-complexity timeline, in two rounds we obtain additional privacy guarantees such as distributional weak zero knowledge, witness hiding, strong WI, et cetera. We also obtain two-round witness indistinguishability from different assumptions than before. And in the paper, we demonstrate applications to a variety of round-optimal protocols, which I don't have time to go into right now. So let me just conclude with some open questions. First, can we get two-round versions of these protocols based on polynomial hardness? Second, our protocols are inherently private coin; can we make them public coin? Third, can we get other interesting applications of distinguisher-dependent simulation? And can we get other black-box or non-black-box techniques for two-round protocols? Thank you.