Hi everyone, this is a joint work with Alessandra Scafuro and Ivan Visconti, and today I am going to talk about publicly verifiable zero knowledge from collapsing blockchains. So what is a zero-knowledge proof? Well, it's a protocol between a prover and a verifier where the prover wants to prove to the verifier that some statement is true. Now, if this proof is publicly verifiable, it means that one proof can convince many verifiers. We are going to ask that this proof should be sound and zero knowledge, where soundness means that a malicious prover cannot convince an honest verifier of a false statement, and zero knowledge means that nothing except that the statement is true will be learned by a malicious verifier. So note that this type of proof, since it is publicly verifiable, can be just posted on a blockchain, and everyone reading it can understand if the statement was true or not. An example of this kind of proof are non-interactive zero-knowledge proofs, but they usually come with the cost of a setup assumption or a trust assumption. So what we are asking in this talk is whether we can replace this setup assumption with something already running in the world, like a blockchain. Today we are asking: can we use the blockchain, and the assumptions that we make on the blockchain, to construct a cryptographic protocol on top of it? And in particular, can we construct a publicly verifiable zero-knowledge protocol? This question was already asked by Goyal and Goyal in 2017, and they gave an affirmative answer: they constructed a non-interactive zero-knowledge proof system from proof-of-stake blockchains. Now, they actually make some limitations on this proof of stake, because they ask that the adversary cannot corrupt players adaptively, and moreover some assumptions are also made on the stakeholders' behavior. So the contributions of this talk are two. First of all, we are going to see that some subtleties can arise when we are using the blockchain as an assumption.
And moreover, we are going to see how to construct a publicly verifiable zero-knowledge proof system from a generic blockchain. This protocol remains zero knowledge even when all the secrets of the honest players are revealed and the blockchain collapses. So let's move now to the first contribution. The non-interactive zero knowledge of Goyal and Goyal uses the proof-of-stake blockchain as a setup, which means that this type of proof will inherit all the assumptions of a proof-of-stake blockchain, which is that at any point in time the majority of the stake belongs to honest people, which in turn means that an adversary cannot produce a long fork in the blockchain. And this is the key idea inside the non-interactive zero knowledge of Goyal and Goyal, because they are going to use a non-interactive WI and apply the FLS paradigm, which consists in proving that X is in L or I know a trapdoor theorem. And in this case the trapdoor theorem is the knowledge of a long fork in the blockchain. Now, more in detail, let's say that we have our blockchain where there are a bunch of public keys of stakeholders, there is a parameter K, carefully used in the analysis of Goyal and Goyal, and we have our prover. So at a high level, the non-interactive WI will prove X is in L or I know a fork of length K. So the honest prover, which has a witness for X in L, is going to secret share this witness and encrypt the shares of the witness using the public keys. In this way, she will compute a bunch of encryptions and, using the non-interactive WI, she will prove that the bunch of shares that are encrypted compose a witness for X in L. Then she's going to send to the verifier this bunch of encryptions and the non-interactive WI. Now, let's see why this protocol is sound. Well, a malicious prover that is also an adversary of the blockchain doesn't have the majority of the stake, since this belongs to honest people.
So the malicious prover is not able to produce a long fork in the blockchain. So, due to the soundness of the non-interactive WI, the only statement that can be true is the one for X in L. Let's see now why this protocol is zero knowledge. Well, by the definition of Goyal and Goyal, the simulator will act also as the honest players of the blockchain. So she will be able to have enough stake to produce a long fork and use this as a witness to compute the non-interactive WI. In particular, this fork will be secret shared and encrypted using the public keys of the stakeholders. Why is this protocol zero knowledge? Well, from the witness indistinguishability of the proof system, the malicious verifier cannot distinguish which witness was used to compute this transcript. The majority of the stake is honest, so most of these ciphertexts cannot be decrypted by a malicious verifier, and so she will not be able to know which witness is inside these encryptions. But this crucially relies on the fact that the honest stakeholders will never reveal their secret keys, even in the future. Moreover, the malicious verifier cannot corrupt players adaptively, otherwise she would just corrupt the ones whose keys are used inside the non-interactive zero knowledge to distinguish the real world from the ideal world. So this is the zero knowledge of this protocol. Actually, there are still some subtleties that are going to arise when we are using the blockchain as an assumption. And in particular, we are going to show a static adversary that actually can invalidate the zero knowledge of this protocol. So we will show an adversary that is completely compliant with all the restrictions of Goyal and Goyal. So what we observe is that this adversary is a user of the blockchain, so she can deploy smart contracts.
In particular, after she has received the non-interactive zero knowledge, in particular a bunch of encryptions, she can just publish a smart contract and ask people to decrypt these ciphertexts for her. So if people engage in this smart contract, she will collect enough shares to distinguish which witness was used inside the encryptions and learn in which world she is, like in the simulated world or in the real world. Some considerations on this smart contract. Well, in this smart contract, the secret keys of the honest people are never revealed. Plus, the honest people don't know that this smart contract is used to construct a non-interactive zero knowledge. So when they are participating in this smart contract, they are completely honest and there is no bribing, because they are just doing something that a player of the blockchain would do, like participating in a smart contract. So this smart contract actually is an example to show that when we are constructing a cryptographic protocol, the security of this cryptographic protocol should not be bound to the permanent secrets of the blockchain players. And it also kind of asks the question whether we can construct a publicly verifiable zero-knowledge protocol that doesn't suffer from this problem. This is our second contribution, which is how to construct a publicly verifiable zero knowledge from a generic blockchain that satisfies some assumptions. By this we mean that our protocol works independently of the consensus mechanism of the blockchain. So it can be run on a proof-of-stake or a proof-of-work blockchain. The zero knowledge of this protocol will remain even if all the secrets of the honest players are revealed. So let's see what the assumptions are that we make on the blockchain. Let's start from chain quality. Chain quality says that among n blocks, at least k are generated by honest users, where n and k depend on the adversarial resources. Our chain quality is a little bit different.
It asks that in the blocks there is a specific field, and when this field belongs to an honest block, this string is a high min-entropy string. So, for instance, we can think about that as the coinbase transaction of Bitcoin, which contains a wallet identifier, and sometimes this wallet identifier is new and is a string with high min-entropy. So, our assumption asks that among n blocks, at least k of them contain this field with a new value that never appeared before in the blockchain. And among these k blocks, at least half plus one are generated by honest people. Like, if we go back to our Bitcoin example, we are asking that among 100 blocks, in 50 of these blocks the coinbase transaction contains a new wallet identifier, and among them, 26 of these blocks are added by honest miners. So, the first consideration that we can make on this assumption is that when the malicious adversary is at a point in time in the blockchain, he is not able to predict what the value of this field will be. So, what are the ingredients for our publicly verifiable zero knowledge? Well, first of all, a blockchain that satisfies this assumption. Moreover, a statistically binding commitment, which can be constructed from one-way permutations. And finally, a publicly verifiable witness-indistinguishable proof system that was constructed by Scafuro, Siniscalchi and Visconti, and can be based on one-way permutations. And actually, this tool works for many blockchains that satisfy a mild notion of this assumption. So also this tool, like our publicly verifiable zero-knowledge protocol, is independent from the underlying consensus mechanism of the blockchain. Moreover, we showed in our paper that this tool is still WI even if the blockchain collapses, which means even if all the secrets of honest players are revealed. So, let's see now how our publicly verifiable zero-knowledge protocol works. So we have our prover, we have the blockchain.
And the first thing that the prover does is posting on the blockchain X and a bunch of commitments to zero. Then she's going to wait until n blocks are added to the blockchain. And then she will publish a publicly verifiable WI for the statement X is in L or I know a trapdoor theorem. In this case, the trapdoor theorem will be composed by the blocks of the blockchain: in particular, from our assumption we know that among n blocks there are at least K that contain a fresh value, never seen before in the blockchain. And so the trapdoor theorem is that at least the majority of these K values are committed in the commitments posted ahead of time in the blockchain. So why is this protocol zero knowledge? Following Goyal and Goyal, our simulator is acting as the honest players of the blockchain. Since she's acting as the honest players of the blockchain, she will post some of the blocks that contain high min-entropy strings, and in fact the majority of them. So she can precompute them ahead of time, because these values, since they have high min-entropy, don't depend on any other value from the blockchain. So she can precompute them and commit to them in the commitments. She's going to wait until the new blocks are posted in the blockchain. And when she's acting as an honest player and adding a block to the blockchain, she will use one of the values that were committed before. And then she's going to use the trapdoor theorem to finish the publicly verifiable WI. So this protocol is zero knowledge due to the witness indistinguishability property of the proof system and to the hiding of the commitment. Moreover, why is this protocol sound? Well, as we said before, given our assumption, when the malicious prover is at the first block, it actually cannot predict the values of these strings, because they have high min-entropy. So, due to the soundness of the publicly verifiable WI proof system,
the only statement that can be true is the one for X in L. Now I want to argue why this protocol is zero knowledge even if the blockchain collapses. Well, the thing is that our publicly verifiable WI proof system is WI even if the blockchain collapses. However, the opening of the commitment is not a secret of the blockchain, it's just a secret of the prover of our protocol, so she can just securely erase it after concluding. To compare our work with the one of Goyal and Goyal: first of all, we are not making any restriction on the behavior of the stakeholders or on the consensus mechanism; we are generic, as long as the blockchain satisfies our assumption. Moreover, our work can be based on one-way permutations. On the other hand, our prover is actually interacting with the blockchain, while the prover of Goyal and Goyal is just sending one message to the verifier, so it's completely non-interactive. That's all. Thanks a lot.
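To make the trapdoor branch of the statement concrete, here is an added Python model (not code from the talk or from the paper) of the check "at least k fresh values appeared in the n blocks after the post, and a majority of them open the commitments posted ahead of time", using a hash as a stand-in for the statistically binding commitment and a constructed toy chain. The block field names, the parameters n, k, m and the run_demo walk-through (honest prover committing to zeros versus a simulator that precomputes the fresh values of the honest blocks) are assumptions.

```python
import hashlib, secrets

# Commitment stand-in (assumption): hash of randomness || value. The talk uses a
# statistically binding commitment from one-way permutations; this only models it.
def commit(value: bytes, rand: bytes) -> bytes:
    return hashlib.sha256(rand + value).digest()

def fresh_values(chain, start, n):
    """Values of the high min-entropy field in blocks start..start+n-1 that never
    appeared earlier in the chain (the 'fresh' values of the chain-quality assumption)."""
    seen = {b["field"] for b in chain[:start] if b["field"] is not None}
    fresh = []
    for b in chain[start:start + n]:
        v = b["field"]
        if v is not None and v not in seen:
            fresh.append(v)
            seen.add(v)
    return fresh

def trapdoor_holds(coms, openings, chain, start, n, k):
    """Trapdoor branch of the PV-WI statement: at least k fresh values appeared in the
    n blocks after the commitments were posted, and a majority of them open the
    commitments posted ahead of time. openings = [(commitment index, value, rand)]."""
    fresh = fresh_values(chain, start, n)
    if len(fresh) < k:
        return False
    committed = {v for i, v, r in openings if i < len(coms) and commit(v, r) == coms[i]}
    return sum(1 for v in fresh if v in committed) > len(fresh) // 2

def run_demo(n=8, k=4, m=4):
    """Constructed run: an honest prover (commitments to zero) vs. the simulator, which
    controls the honest blocks and fills their field with values it precomputed."""
    pre = [secrets.token_bytes(16) for _ in range(m)]
    rands = [secrets.token_bytes(16) for _ in range(m)]
    sim_coms = [commit(v, r) for v, r in zip(pre, rands)]
    honest_coms = [commit(b"\x00", r) for r in rands]
    chain = [{"field": secrets.token_bytes(16)} for _ in range(3)]   # blocks before the post
    start = len(chain)
    for i in range(n):   # 3 simulator (honest) blocks, 1 adversarial fresh block, rest empty
        if i < 3:
            chain.append({"field": pre[i]})
        elif i == 3:
            chain.append({"field": secrets.token_bytes(16)})
        else:
            chain.append({"field": None})
    sim_open = [(i, pre[i], rands[i]) for i in range(m)]
    honest_open = [(i, b"\x00", rands[i]) for i in range(m)]
    return (trapdoor_holds(sim_coms, sim_open, chain, start, n, k),
            trapdoor_holds(honest_coms, honest_open, chain, start, n, k))
```

run_demo returns (True, False): the simulator's precommitted values satisfy the trapdoor branch, while the honest prover's commitments to zero never do, so in the real world only the X-in-L branch is available, which is exactly what soundness relies on.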