Thank you very much. So, yeah, this is a three-way merge. This is going to be about new constructions of non-interactive zero-knowledge proof systems. I'm going to present what is a common result in all three works, and then Willy and Shuichi will present more specific results obtained in the other works.

So a zero-knowledge proof, that's an interactive protocol between a prover and a verifier where the prover tries to convince the verifier that some statement is true. The protocol should be correct. It should also be sound, meaning that if the statement is incorrect, then no malicious prover should be able to convince the verifier that the statement is true. And it should be zero-knowledge, meaning that the verifier should not learn anything from the protocol other than the fact that the statement is true. A non-interactive zero-knowledge proof, that's a special kind of zero-knowledge proof that consists of a single flow from the prover to the verifier. And in this work we'll be interested in special forms of non-interactive zero-knowledge proofs.

So in this first part, I will focus on something that's called designated-verifier non-interactive zero-knowledge proofs, or DVNIZK in short. So in a DVNIZK, the verifier is given a secret verification key. He can verify the proof sent by the prover using some secret information. Now here's something that's very important: the standard soundness notion, which states that the prover should not be able to prove an incorrect statement, does not suffice to adequately capture the security we want from such a system anymore.
Because it doesn't prevent the prover from learning information about the secret verification key of the verifier by receiving feedback on previous proofs. So the right security notion for DVNIZK, and the one we will consider in all these works, is the notion of unbounded soundness, which states that it should not be feasible to forge a proof for an incorrect statement even if you're given arbitrary polynomial access to a verification oracle that has the secret verification key hard-coded.

Very brief history of NIZKs and designated-verifier NIZKs. NIZKs have been introduced in 1988, and in terms of assumptions, we essentially know three main assumptions that imply NIZKs: we can build NIZKs from the factorization assumption, we can build NIZKs from pairing-related assumptions, and very recently, in a breakthrough result, we learned that we can build NIZKs from the LWE assumption. Without going into all the details, for DVNIZKs, actually all the early results regarding the possibility of building this relaxed variant of NIZKs, they had the issue that they only satisfy bounded soundness, meaning that it was possible to completely break the soundness of the protocol if the prover was given feedback on previous proofs by the verifier. So this is not really a realistic security notion, and the desirable one is unbounded soundness, as I said. And although there has been some recent work on achieving those relaxed variants of NIZKs with unbounded soundness, essentially the main takeaway is that until our works, it was not known whether it's possible to build designated-verifier NIZKs with unbounded soundness from assumptions which are not already known to imply standard NIZKs.

And so this is exactly the problem we solve in this work. We achieve designated-verifier NIZKs from an assumption that's not known to imply standard NIZKs, and we build the designated-verifier NIZKs for all of NP from the standard computational Diffie-Hellman assumption. There is a second result in our work that builds a new NIZK from LWE plus
non-interactive witness-indistinguishable proofs for a bounded distance decoding language. But since that was recently subsumed by the wonderful result of Peikert and Shiehian, I will not discuss it in this work, in this talk.

So here is a roadmap. Our starting point is a work by Dwork and Naor that builds non-interactive zero-knowledge proofs starting from two main building blocks. The first one is a cryptographic building block, it's called a verifiable pseudorandom generator, and the second one is an idealized model, and this is the existence of non-interactive zero-knowledge proofs in the hidden bit model. So our construction proceeds in two steps. First, we will relax this notion of verifiable pseudorandom generators that was invented by Dwork and Naor, by relaxing the soundness notion of these VPRGs and generalizing them to the designated-verifier setting, and we will show that this relaxation and generalization still allow for a construction of NIZK, or designated-verifier NIZK, using in addition NIZKs in the hidden bit model. And at the same time, we will show that actually those relaxed VPRGs are easier to build, and we will provide a construction of relaxed designated-verifier PRG from the computational Diffie-Hellman assumption.

So let's go over NIZKs in the hidden bit model. Here this eye that they show on this slide denotes what each of the parties sees. So our prover on top sees a long hidden bit string.
So this is a truly random string that has been sampled honestly, and that is somewhere in the sky. At the same time, the verifier does not see anything about this hidden bit string, hence the name, hidden bit model. And so to design a NIZK in this model, what the prover is allowed to do is first to write some message, any message of its choice, and then to select a subset of the bits of the hidden bit string. Then the prover will send this message to the verifier and reveal the locations of the hidden bit string indexed by this subset, and you can really think of it as turning up some cards that were face down. So the prover cannot possibly cheat about that in this idealized model. So we know since the work of Feige, Lapidot and Shamir in 1990 that non-interactive zero-knowledge proofs for all of NP do exist unconditionally in this idealized model.

The question is now how to transform a proof in this idealized model into a proof in the standard common reference string model. Intuitively, the main tool that we need is something that will allow the prover to generate a long string that should look random, that should also allow him to provably open some positions of this string to the verifier in a verifiable way, and those openings should not leak any information about the values that the prover decided not to open.

Well, as you can guess, this is exactly what a verifiable pseudorandom generator does. A VPRG has three algorithms. The VPRG takes as input some seed and produces a long string of pseudorandom bits together with a value that will bind the prover to the seed; you can think of it as being a commitment to the seed. Then there is a proving algorithm that essentially allows to show, when you have the seed, that some specific position of the hidden bit string corresponding to the committed seed is equal to the right value. And the verification algorithm takes as input this commitment to the seed, takes as input a position of the hidden bit string, a proof
and the candidate bit, and outputs yes or no, indicating whether it accepts or rejects a proof.

Among the properties we need for this primitive: we want the seed to be short. We want the proofs not to leak any information about the seed except the fact that some specific position of the pseudorandom string is equal to the right value, and the proofs should satisfy soundness in a very strong sense. And I insist that in the initial work of Dwork and Naor, this had to be a very strong notion of soundness. So Dwork and Naor required that every possible commitment to the seed, even maliciously formed, has to be in the image of the VPRG; that for every possible, even maliciously formed, commitment to the seed there has to be a unique associated pseudorandom string; and that proofs of opening to incorrect bits should not exist.

So our starting point is relaxing this strong soundness notion. First, we entirely drop the first requirement. We don't require the commitments to the seed to be all correctly formed; they can be maliciously formed and not be in the image of the VPRG. Then, instead of asking incorrect proofs not to exist, we only require that proofs for an incorrect statement are hard to find, and this is crucial because in the designated-verifier setting it's always possible for the prover to cheat by guessing the secret key. He can use the secret key, the secret verification key, to forge proofs. So proofs for an incorrect statement do always exist.
We can only hope to guarantee that they are hard to find. And then if we only had those requirements, then that would be a trivial primitive. It will be satisfied by something that just takes the PRG, stretches it to a pseudorandom string, and commits to the output bit by bit, and that will be the commitment to the seed. So we add just a minimal additional requirement to make this non-trivial, which is that the commitment to the seed will be short, much shorter than the long pseudorandom string.

With this we can actually build now a NIZK for all of NP. The idea is as follows. The prover will pick a seed, generate a long pseudorandom string and XOR it with the common reference string, which is just a long random string, and he will think of this XOR of two strings as being his string in the hidden bit model, and in his head he runs the proof in the hidden bit model, obtaining a message and a subset of positions to open. Then the prover sends to the verifier the commitment to the seed that he used, the message for the proof in the hidden bit model, the subset of the positions he wants to open together with the values he wants to open them to, and proves that he's not lying about the openings to those positions. Why is that secure?
Intuitively, that's because in the hidden bit model our NIZK is unconditionally sound, meaning that with sufficient parallel repetition we can ensure that for only a tiny negligible fraction of all possible hidden bit strings there exist proofs for incorrect statements. So what we look at is all possible CRS, and we say that the CRS is close to being a bad string if there exists a commitment to the seed such that if you take the pseudorandom string associated to this commitment and you XOR that with the common reference string, you obtain a hidden bit string for which a bad proof exists. But since the commitments are short, and since we can make the fraction of bad hidden bit strings as small as we like, by a union bound we can ensure that with overwhelming probability over the choice of the common reference string, it will not be close enough to a bad string for the prover to be able to find a short commitment to the seed that will allow him to create a bad hidden bit string. So then the hidden bit string will have to be correct and the prover cannot cheat about this message and the subset. So he has to find incorrect proofs for the opening if he wants to cheat. But by finding such incorrect proofs he will break the third property of our relaxed soundness notion, which contradicts the security notion of our VPRG. And that essentially concludes the proof of the soundness. The proof of the zero-knowledge part essentially reduces to the fact that the VPRG does not leak any information about the non-opened positions.

The main instantiation that we have is from the computational Diffie-Hellman assumption. So the idea is quite simple. CDH states that given g, g^a, g^b,
it should be hard to build g^(ab). Actually, we will use two well-known results. First, it's known, it's a result by Cash, Kiltz and Shoup in 2008, that if you're given g, g^a, g^b and g^c, it is hard to build g^(ab) and g^(ac), even if you're given a specific checking key that allows you to check the corresponding decisional problem, like checking, given g^(ab) and g^(ac), that they satisfy the corresponding decisional relation with g^a, g^b and g^c. So essentially what has been shown in this paper is that the CDH problem, the standard one, is equivalent to this gap twin CDH problem.

So we will use a second much well-known result, I mean extremely well-known result, which is the Goldreich-Levin theorem, which is that we can find a hardcore bit for any computational problem. So we will denote B this hardcore bit. So the problem we'll rely on is the fact that it should be hard to find this bit B of g^(ab), g^(ac), even given g, g^a, g^b, g^c and a secret key that allows us to check the decisional relation between g^(ab), g^(ac) and the previous values, and this can be proven to be equivalent to CDH.

Now in our construction, intuitively, this g^a here will be our commitment to the seed, a will be the seed, and we will think of those g^b and g^c as being public parameters. We will have many of them, as many as the size of the hidden bit string we want to produce, and now this bit B will correspond to the pseudorandom bit associated to the commitment to the seed with respect to those public parameters. So how do you open? So the fact that this is pseudorandom, that it cannot be found, that reduces easily to this computational Diffie-Hellman assumption by the argument I just gave. And how do you open a position of the string?
You simply reveal g^(ab), g^(ac). Then the verifier can check that if you take the hardcore bit you obtain the right bit, and at the same time he can use his twin decisional Diffie-Hellman checking key to check that you've not lied by sending g^(ab) and g^(ac) and they satisfy the correct decisional relation. So that gives essentially the construction we want. We will switch to the next talk, if you have any question first.