 The last talk of this session is about the issues with the untrusted CRS security in the face of parameters subversion, Micha Berre, Yoke, Fish Burger, and Alessandra Skafflow. And the speaker is Yoke. Thanks for the introduction. So welcome to the last talk of a very long day. In this work we look at noninteractive zero-nudge proofs and we look at what can be said if the CRS cannot be trusted. So the motivation of this work is that one of the things that the Snowden revelations showed was that the security agencies are trying to support parameters of cryptographic schemes and usually the way we model schemes is that we trust these parameters. So the example that was already mentioned this morning is the dual-EC random number generator designed by the NSA where there are some parameters namely two elliptic curve points P and Q which is supposed to be trusted. And however it's been showed that if someone knows the logarithm of one point with respect to the other one then he can actually predict the output of the RNG. And later check-off showed that this can actually be used to break TLS. So what we look at is a different cryptographic primitive namely noninteractive zero-nudge proofs which is a central primitive that inherently depends on trusted parameters because they need this common reference string and it's supposed to be set up in a trusted way. And a recent example was a new anonymous cryptocurrency called Zcash which actually uses zero-nudge snarks and there's been a lot of discussion about whether these parameters have been set up in a trusted way and whether one should trust the parameters. So related work, the work that's most related is probably two move zero-nudge protocols. There's also been a lot of work in trying to distribute the trust needed to set up the CRS by using secure multi-party computation and the subversion side of our work has also been a lot of work and we saw one example this morning, namely about cryptography. Okay, so let's look at the setting we're looking at. So we consider noninteractive proofs, so what are these? Well, suppose we've got a language, a language L and P language and we want to prove that some statement is in the language. There's a proofer and the verifier and the proofer has, in addition to the statement, has a witness W and using this witness he computes a proof send it to the verifier who either accepts or rejects. And we suppose that we have this common reference string here which is accessible by both of them and it has been set up in a trusted way. So the classical properties that we want from a proof system is soundness which means that no adversary can convince the verifier of a wrong proof so meaning that if the proof is accepted then the statement should be in the language and there's also notions that protect the proofer from malicious verifiers and in particular we want to protect the witness that is used by the proofer and a weaker notion is a witness in distinguishability which asks that proofs computed using different witnesses should be indistinguishable. Now, a stronger notion is zero knowledge which formalizes the fact that nothing should be leaked about the witness and this is formalized by requiring that there be a simulator that can compute its own CRS and using a trap that can simulate proofs without having access to the witness. And we say that a proof system is zero knowledge if these two worlds or the real world and the simulated world are indistinguishable. Okay, so what we did is we consider now notions where this CRS is not trusted. So, for example, we consider subversion soundness where again the adversary's task is to compute the proof of a wrong statement but we now let the adversary choose the CRS. So, subversion soundness again means even if the adversary chooses the CRS if a proof verifies then the statement is true. Conversely, we consider subversion witness indistinguishability where now the adversary again outputs the CRS and if the prover uses this CRS to compute proofs, again the proofs should be indistinguishable which witness was used. And finally, the third notion we introduce is subversion zero knowledge so this was the classical definitions or simulated world real world but now we want to consider an adversarily generated CRS. So, suppose we have a CRS subverter that is some algorithm that takes input random points and outputs a CRS. Then what we want is that we should be able to simulate the view of this subverter so in particular we want that our simulator can not only create simulated CRS but the full view including the coins that were used by the CRS subverter. So again, if these two worlds are indistinguishable then we say that our scheme is subversion zero knowledge. So, just to be more precise, we want that for any CRS subverter there exists a simulator that outputs a CRS and coins that are indistinguishable from the ones output by the subverter and in addition simulates proofs. So it means that for the adversaries it's indistinguishable whether it's given a real proof oracle or an oracle that simulates proofs. And then we say a scheme is subversion zero knowledge. So, these are our results. We have six notions, the classical ones, soundness zero knowledge and witness indistinguishability. We have our three new notions, subversion soundness, subversion zero knowledge, subversion witness indistinguishability. And we show that the subversion versions imply the original versions and any zero knowledge version implies witness indistinguishability. Okay, it's not very exciting so we have more results. In particular, so we have defined three new versions that are subversion resistant and what we actually do is we analyze what can be achieved and under which assumptions can we achieve it. So, first some trivial results, if we want subversion zero knowledge then we could just define proofs of being the empty string there but the verifier always accepting that subversion zero knowledge but it's not sound so it's not very interesting. Also, we could have soundness, even subversion soundness just sending the witness and the verifier checking himself but that wouldn't be zero knowledge. So, that's not really interesting. In particular, what we have is there are schemes that satisfy the classical notions and what we're really interested in is to see if these schemes can be upgraded to in addition give subversion resistant security. So, I want to see that which of these properties can be achieved and I'll start with the bad news and the bad news is that if we want zero knowledge then we cannot have subversion soundness. So, subversion soundness means that if we want to break it then we should construct an adversary outputting a CRS and a proof that verifies for a false statement. So, how can this be done? Well, basically it's because zero knowledge guarantees that there's a simulator that can simulate proofs and unless the language is trivial we can just use the simulator and simulate a proof for a wrong statement. So, we see that there's two goals that are incompatible. So, the next question we ask is can something be achieved? For example, if we really want subversion soundness then we know we can't have zero knowledge, we cannot have subversion zero knowledge either, of course, but can we have, for example, subversion witness and distinguishability? So, that would be the best possible notions including subversion soundness and it turns out this can be done and there is actually there is a scheme that achieves that non-interactive SAPs which is a non-interactive witness and distinguishable proof system that doesn't have a CRS. So, if there's no CRS then there's no way to subvert it. So, the standard notions imply the subversion resistant notion and Grothostrovsky and Sahai actually construct such a scheme under a standard assumption, they prove that it's witness and distinguishable under decision linear assumption. So, that's good, so we saw that this can be achieved but what if we want to have zero knowledge? In particular, what if we want to have subversion zero knowledge? So, we know that since subversion zero knowledge implies zero knowledge so we can't have subversion soundness but can we have everything else except that? The thing is that if we have subversion zero knowledge then we basically have a security, we can protect the proof even if the verifier generates the CRS. So, that implies certain kinds of to move zero knowledge because we can just let the verifier choose the CRS and we know that these can only be achieved under extractability assumptions like for example extractable one-way functions in the work by Vitansky et al. And so, it's very unlikely that we can achieve subversion zero knowledge secure schemes under falsifiable assumptions and what we construct is actually something that's secure under new knowledge of exponent assumption that we introduce. So, this is our goal if we want to have subversion zero knowledge then for any CRS subverter we need to construct a simulator that simulates the CRS and the coins used by the subverter and who can simulate proofs. So, let's look at knowledge of exponent assumptions. The classical version states that for any algorithm that is given two random group elements g and h and that outputs a pair of this form g to the s, h to the s then actually the algorithm must know s. So, what does it mean to know s? This is formalized by requiring that there be a simulator, sorry, an extractor that extracts s. Okay, so we have this assumption guarantees that if an algorithm outputs something then we can extract something that's somehow hidden inside and that's kind of the idea that we use for constructing subversion zero knowledge. Namely, we define CRS is to be of this form and we know that we can extract this element s and we use that as our trapdoor. How does this s allow us to simulate proofs? Well, we simply prove statements of the form either the x is in the language or I know some s. And now since the simulator can extract the s it can simulate proofs. What do we use for these proofs? Well, we use saps again because we only need witness indistinguishability in order to ensure that simulator proofs and real proofs are indistinguishable and moreover we don't need an extra CRS. Okay, so it's a nice idea but it doesn't work because the problem is who chooses this element h? So this knowledge of exploring this option only guarantees that if the algorithm gets these two random group elements and produces such a structured output then we can extract s. But now we need to construct or define a CRS that's completely simulated by the simulator and in particular by the CRS sub-burter. And in particular if we let the sub-burter choose h then this is not true anymore because the sub-burter could just pick a random element here and knowing the logarithm of h could produce this element without knowing s. So what we do is we argue that that's actually the only way that the algorithm could construct such a structured output and we introduce a new kind of knowledge of exponent assumption that states that if an algorithm outputs g to the s, h to the s and h, then either you must know s or you must know the logarithm of h. So there exists an extractor that extracts one of the two logarithm of this Diffie-Hellman triple hence the name ph-k-e-a. And now we adapt our proof stating that either the statement is true or I know s or I know the logarithm of h. And again whatever can be extracted here then allows us to simulate. So there's another technicality that we have to overcome which is how do we actually realize this proof of knowledge? So if it was traditional non-interactive to your knowledge then a way to do it is include in the proof an encryption of whatever I prove knowledge of. So include an encryption of s. But the question is under what public key do we encrypt this? So if we only needed to your knowledge we could just include this public key in the CRS and then when we prove in the reduction for soundness the reduction would know the secret key and it could decrypt and we could extract and the proof would work. But since we want subversion zero knowledge then that's actually not possible because if the public key under which the trap is encrypted is in the CRS then if the adversary created that CRS it could distinguish simulated from real proofs by simply decrypting whatever the challenger encrypted and then check whether it was a simulated proof or not. So that's not possible. So where else can we put the public key? We could put it in the proof but that also seems to not make sense because in the soundness game it's the adversary that constructs a wrong proof and if it's the adversary that adds an encryption under a key that he computed himself then how should we extract? So to get around this we use the knowledge of exponent assumption again and add a proof of the secret key that can then in the reduction so the secret key can then be extracted using the knowledge of exponent assumption and we can thereby prove soundness. So that leads to the third line here so we show that we can achieve all possible notions except the version soundness which is incompatible with zero knowledge as I said under a strong assumption and I said that this is kind of what we expect because it implies to move zero knowledge. So what if we're not happy with strong assumptions? Can we do something? Can we at least have some subversion resistance without resorting to strong assumptions? And that's the third, fourth actually result that we show which is that if we're happy with having a regular NISIC and in addition we want subversion witness and distinguishability then this can be achieved without assuming anything else so there's no extra assumptions needed for that and that concludes my talk. So you needed the proof or the proof that it knows the secret key for the public key, right? So you mean this, right? Yeah, the KEA proof. So basically if we look at the Schiff exponent assumption again then basically what we do is we have so S would be the secret key and we, so actually since we don't know whether we're going to extract S or ETA what we do is we actually have two ciphertext and then combine the secret key so that we're sure that one of the two secret keys we can extract. So it's a linear encryption, so there's two exponents and what we do is actually we, so this here would have both exponents so we combine all possible combinations and we know that if we extract from all four then there must be at least what's technical so you can show that you can extract by having more than one encryption. Any other questions? Thank you again. So since all speakers are there, any announcements? I need to announce. Okay, so there is an IACR meeting just after here. Okay, right now. The IACR membership meeting will start right here in this room in two or three minutes.