So, behind these needlessly complicated titles, I had a very simple question: can we make simple zero knowledge for lattices? First, some definitions. What is an integer vector one-way function? It is a function from Z^r into some abelian group that is additively homomorphic and hard to invert on small vectors, where small means with norm bounded by some constant. Why do we care about integer vector one-way functions? Because they are used in basically all lattice-based constructions: encryption, hash functions, commitments, and so on.

Now, what is zero knowledge? Very simply, a prover wants to convince a verifier that he knows a preimage x of some image y. We have the usual properties. Correctness states that the verifier accepts if everyone is honest. Zero knowledge states that no information should leak except the truth of the statement. And soundness says that no cheating prover should be able to convince the verifier. Somewhat more formally, soundness states that from any deterministic prover that succeeds with probability p, one can extract a preimage of y in expected time linear in 1/p.

Now, let's give a very simple example of zero knowledge. We have a prover who knows a vector x and its image y, and a verifier who knows only y. The prover starts by sampling a small randomness r and computing its image a = f(r), and sends a to the verifier, who sends back a challenge c in {0, 1}. Finally, the prover computes z, which is either x + r if c = 1 or just r if c = 0, and sends z back to the verifier. The verifier checks both that f(z) = c·y + a, which holds by the homomorphic property of f if everything was done correctly, and that z is small.

So that's simple; is it good enough? No, not at all. First, because it is not zero knowledge: z depends on x, since when c = 1 we have z = x + r, and this leaks information about x. There is a solution for this, called rejection sampling: the prover only proceeds to the third step if z does not leak anything about x, so there is some probability that the prover restarts the whole protocol. In this talk we will completely ignore rejection sampling and just assume the rejection step accepts with probability one; it is not very important for the rest of the talk.

Another problem is that this is not really sound either, because the prover can just guess the challenge, which lives in {0, 1}, and cheat if his guess is right. So to achieve k bits of soundness, this protocol has to be repeated k times, and that's not really good. As I said, this is very inefficient: doing 100 or more repetitions of this protocol gives rather large proofs of knowledge and huge computations. So maybe we can do something better if, instead of trying to prove knowledge of one secret, we try to prove knowledge of many secrets at once. The new context is that the prover wants to prove knowledge of preimages of y_1 up to y_n. As we have seen, we can do this with the simple proof above, with an overhead linear in the security parameter.
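To fix ideas, here is a minimal sketch of this basic one-bit-challenge round in Python. The homomorphic map f(x) = A·x mod Q is a toy stand-in, not a secure lattice instance; the parameters Q, R and the norm bounds are illustrative values of my choosing, and the rejection step is omitted, exactly as in the talk.

```python
import secrets

# Toy parameters, for illustration only (hypothetical values).
Q, R = 2**16, 4        # modulus and vector dimension
B_X, B_R = 1, 100      # norm bounds: the secret is small, the mask is larger

# Stand-in additively homomorphic map f(x) = A·x mod Q.
# Any f with f(u + v) = f(u) + f(v) works here; this one is NOT secure.
A = [[secrets.randbelow(Q) for _ in range(R)] for _ in range(R)]

def f(x):
    return tuple(sum(a * v for a, v in zip(row, x)) % Q for row in A)

def small_vec(bound):
    return [secrets.randbelow(2 * bound + 1) - bound for _ in range(R)]

def basic_round(x, y):
    r = small_vec(B_R)                            # prover: small mask r
    a = f(r)                                      # prover: commitment a = f(r)
    c = secrets.randbelow(2)                      # verifier: challenge c in {0, 1}
    z = [c * xi + ri for xi, ri in zip(x, r)]     # prover: z = c·x + r (no rejection)
    lhs = f(z)                                    # verifier: f(z) = c·y + a, z small
    rhs = tuple((c * yi + ai) % Q for yi, ai in zip(y, a))
    return lhs == rhs and max(abs(v) for v in z) <= B_X + B_R

x = small_vec(B_X)
y = f(x)
assert all(basic_round(x, y) for _ in range(128))  # k = 128 repetitions for k bits
```

Each round gives one bit of soundness, which is why the final assertion repeats it k = 128 times.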
Back to the protocol. What we call slack is the gap between the size of z and the size of x: since z = x + r, z has to be larger than x, and the slack dictates the parameters of the schemes we use those vectors in. Here the slack is constant, at least in the parameter k, which is what we are interested in, and the amortization of the simple proof is basically one, since it only needs one equation. A work by Cramer et al. at Eurocrypt this year made huge progress in this direction: for amortized zero knowledge they achieve constant overhead, and the constant is a small one, and they achieve linear slack, which is totally okay considering the size of the vectors we use. On the other hand, they need 4k^2 equations for the amortization to kick in, which is to say that for k = 128 bits of security, we need nearly 70,000 equations to be able to prove zero knowledge.

Our work is to reduce this amortization. What we achieve is an overhead linear in the logarithm of some parameter alpha, but here the constants are very small, so this basically does not matter at all. We divide the slack by log alpha, which is nice in itself but just a side effect; most importantly, we get amortization over 4k^2 / log^2 alpha equations, which can reduce the number of equations quite a lot.

First, how did Cramer et al. do this zero knowledge? It is a very clever construction that uses two building blocks. The first one is an imperfect amortized proof. Soundness of an amortized proof would normally ensure that from any prover who succeeds with probability 2^-k, I can extract all n preimages; for an imperfect amortized proof, from any prover that succeeds with probability 2^-k, I can extract all but k preimages, which is clearly not enough for soundness. But they use the homomorphic properties of the function f and a clever construction based on a bipartite graph to show that there is a compiler that turns any imperfect amortized proof for n > 4k^2 into a full zero-knowledge proof of knowledge, and this comes at very small cost, since it introduces only a multiplicative overhead of two and a linear slack. We will not touch the compiler in this paper; we will focus on the amortized proof. We will work to reduce the number of preimages that cannot be extracted to k / log alpha for some parameter alpha. Doing so means that, when using the compiler, k gets divided by log alpha again, and we only need n > 4k^2 / log^2 alpha. Same thing for the slack: we divide it by log alpha.

So let's see how they do the amortized proof first. Once again we have the same setting: the prover knows n secrets and their images, and the verifier only knows the images. First the prover samples small randomnesses, computes their images, and sends the images to the verifier. The verifier again samples {0, 1} challenges and sends them, and the prover reveals all the randomnesses whose corresponding challenge was a zero, so basically half of the randomnesses. What's really important here is that, contrary to the intuition we might have, we don't use n randomnesses in this first step: we have n secrets, but we use 3n randomnesses.
This is simply because each randomness is revealed with probability one-half, so after this first step, with overwhelming probability, at least n randomnesses have not been revealed, provided n is large enough. So we do this first step, and then in the second step we use n unrevealed randomnesses and compute z_i = x_i + r_j, where the r_j are the first n randomnesses that have not been revealed. We then send the z_i to the verifier, who, exactly like before, checks that f(z_i) = y_i + a_j and that z_i is small.

So this is the imperfect proof. Why does it have the soundness I stated? Because each randomness r_i is revealed with probability one-half. Now, imagine the prover wants to cheat on k of the secrets. How does he do it? He cheats on k of the randomnesses, hopes the verifier does not ask to reveal them, and then uses those randomnesses to cheat on the z_i. So essentially, to cheat on k preimages he has to cheat on k randomnesses, and the probability that none of these randomnesses is revealed is 2^-k. More formally, we can show that from a prover who succeeds with probability 2^-k, one can extract all but k preimages.

Now, how to improve this? The solution is very simple: we just increase the probability of revealing each randomness. Clearly, if each randomness is revealed with probability 1 - 1/alpha, for alpha > 2, then the cheating prover has probability only (1/alpha)^k that none of his k cheating randomnesses is revealed. Once again, more formally, we can show that from a prover who succeeds with probability 2^-k, one can extract all but k / log alpha preimages.

So we do exactly this on the protocol. Instead of taking c in {0, 1}^(3n), we take each challenge to be a Bernoulli variable with parameter 1/alpha, which is a fancy way of saying we reveal each randomness with probability 1 - 1/alpha. This introduces an issue: for the next step we need n randomnesses to not have been revealed, and clearly, if we reveal too many of them, this no longer works. So we have to increase the number of randomnesses we take in the beginning, and thus increase the number of images we send. Now we have achieved the soundness we were after, namely k / log alpha, but we have introduced an overhead linear in alpha, so this protocol as it stands is completely useless: it is not more efficient than the previous one in any way.

So we patch things up. First, we can compute a hash of all the images a_1 up to a_(3·alpha·n) and, instead of sending the images, send the hash. Of course, the verifier's checks no longer make sense as written, because the verifier has neither a_i nor a_j, but we can replace them by one check in which the verifier computes the images himself: for every randomness that was revealed, he computes f(r_i), which should be a_i, and for every index used in an equation, he computes f(z_i) - y_i, which should be the corresponding a_j. He can compute these, put them back in the right order, and check that the hash is correct. If the hash is collision resistant, we keep the soundness of the protocol, and this works fine.
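Here is a minimal sketch of this imperfect amortized round with Bernoulli challenges and the hash optimization, reusing the toy f, small_vec, Q, B_X and B_R from the first sketch. SHA-256 stands in for the collision-resistant hash, and ALPHA and N are illustrative values. One detail the talk glosses over: in this sketch, masks that are neither challenged nor used in any equation are simply revealed as well, so the verifier can recompute every image; that completion is my assumption.

```python
import hashlib
import secrets

ALPHA = 8              # each mask is revealed with probability 1 - 1/ALPHA
N = 16                 # number of secrets proved at once
M = 3 * ALPHA * N      # number of masks; about M/ALPHA = 3N stay hidden

def hash_images(images):
    h = hashlib.sha256()
    for img in images:
        h.update(repr(tuple(img)).encode())
    return h.hexdigest()

def amortized_round(xs, ys):
    # Prover: sample M small masks, commit to the hash of their images.
    rs = [small_vec(B_R) for _ in range(M)]
    commitment = hash_images(f(r) for r in rs)

    # Verifier: challenge bits are Bernoulli(1/ALPHA); c_j = 0 means "reveal r_j".
    cs = [int(secrets.randbelow(ALPHA) == 0) for _ in range(M)]
    hidden = [j for j in range(M) if cs[j] == 1]
    if len(hidden) < N:                      # happens only with negligible probability
        return False

    # Prover: mask secret i with the i-th surviving randomness; reveal all
    # challenged masks, plus (my completion) the hidden-but-unused ones.
    used = hidden[:N]
    zs = [[a + b for a, b in zip(xs[i], rs[used[i]])] for i in range(N)]
    revealed = {j: rs[j] for j in range(M) if j not in used}

    # Verifier: recompute each a_j, either as f(r_j) or as f(z_i) - y_i,
    # then check the hash and the smallness of every z_i.
    recomputed = [None] * M
    for j, r in revealed.items():
        recomputed[j] = f(r)
    for i, j in enumerate(used):
        fz = f(zs[i])
        recomputed[j] = tuple((u - v) % Q for u, v in zip(fz, ys[i]))
    ok_hash = hash_images(recomputed) == commitment
    ok_size = all(max(abs(v) for v in z) <= B_X + B_R for z in zs)
    return ok_hash and ok_size

xs = [small_vec(B_X) for _ in range(N)]
ys = [f(x) for x in xs]
assert amortized_round(xs, ys)
```

Note the choice M = 3·alpha·n: with reveal probability 1 - 1/alpha, about 3n masks survive unrevealed, comfortably more than the n we need.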
So are we done yet? Well, no: the overhead is still linear in alpha, because in the third step we reveal most of the randomnesses. On average we reveal 3(alpha - 1)·n randomnesses, which is clearly linear in alpha and clearly much too large. We need a more efficient way to reveal the randomnesses to the verifier. So the prover will derive each randomness from a seed using a PRG, and structure the seeds as a tree; this way, instead of sending all the seeds, he only needs to reveal a few nodes.

What does the prover do? First, he samples one 256-bit seed S uniformly at random and uses two length-preserving PRFs, which we call PRF_0 and PRF_1, to get S_0, the image of S under the first one, and S_1, its image under the second one. He repeats the same thing to get the next layer of seeds, and again until he has more seeds than needed, which is at least 3·alpha·n seeds. From these, he applies a PRG to each leaf seed to get the corresponding randomness. Say he has eight randomnesses and, in the second step, the verifier's challenge asks him to reveal randomnesses one, two, three, five, six, seven, and eight. He can simply go back up the tree and see which nodes suffice to reveal them. For example, if he sends the common parent seed of the first two leaves, the verifier can apply PRF_0 and PRF_1 to it and recover r_1 and r_2 using the PRG; continuing like this, he needs to send only three nodes to reveal all seven randomnesses. On average, computations show that n·log alpha nodes are sufficient, so the prover only has to send n·log alpha seeds for the verifier to reconstruct the randomnesses he must reveal. So we have finally reached an overhead of O(log alpha).

Another improvement that can be made to this protocol is to consider polynomial integer vector one-way functions. We change the previous setting a little: instead of Z^r, we use R^r for a ring R, usually R = Z[X]/(X^N + 1); it can be other rings, but that is the most common one. The one-way function now has an additional property: it is linear under multiplication by a polynomial, f(c·x) = c·f(x), where c·x means that we multiply every coefficient of x by the polynomial c, and the c comes out of f when it is applied. We still have the same requirement that f is hard to invert on small x. Why do we consider this? Because virtually all efficient lattice constructions are over polynomial rings, and since we want efficient zero knowledge, this is an important setting. The challenge that used to be in {0, 1} can now be taken to be a monomial, which means that instead of only two possibilities for the challenge, we have 2N + 1 possibilities, and we can do the exact same protocol, but with these challenges we only need n > 4k^2 / log^2(alpha·N) equations to amortize over. I will not give the soundness proof for this setting, because it is quite a bit more involved and I would not have the time.

So, in conclusion, the work of Cramer et al. constructs an amortized zero-knowledge proof of knowledge for integer vector one-way functions with constant overhead and linear slack.
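Here is a minimal sketch of the seed tree, assuming SHA-256 with a domain-separation byte as a stand-in for the two length-preserving PRFs PRF_0 and PRF_1 (the talk does not specify an instantiation), and skipping the final PRG expansion from leaf seeds to randomness vectors. It reproduces the talk's example: revealing seven of eight leaves costs only three nodes.

```python
import hashlib
import secrets

def prf(seed: bytes, bit: int) -> bytes:
    # Stand-in for the two length-preserving PRFs: bit 0 gives PRF_0, bit 1 PRF_1.
    return hashlib.sha256(bytes([bit]) + seed).digest()

def node_seed(root: bytes, level: int, idx: int) -> bytes:
    # Seed of node (level, idx); the path from the root is the binary of idx.
    seed = root
    for pos in range(level - 1, -1, -1):
        seed = prf(seed, (idx >> pos) & 1)
    return seed

def covering_set(reveal: set[int], depth: int) -> list[tuple[int, int]]:
    # Greedily merge sibling pairs bottom-up: the smallest set of nodes
    # whose subtrees cover exactly the leaves to reveal.
    nodes = {(depth, i) for i in reveal}
    for level in range(depth, 0, -1):
        at_level = {i for lv, i in nodes if lv == level}
        for i in at_level:
            if i % 2 == 0 and i + 1 in at_level:
                nodes -= {(level, i), (level, i + 1)}
                nodes.add((level - 1, i // 2))
    return sorted(nodes)

# Prover: a depth-3 tree gives 8 leaf seeds, as in the talk's example.
depth, root = 3, secrets.token_bytes(32)
reveal = {0, 1, 2, 4, 5, 6, 7}            # all leaves except the fourth
sent = {(lv, i): node_seed(root, lv, i) for lv, i in covering_set(reveal, depth)}

# Verifier: re-expand each received node down to its leaf seeds.
recovered = {}
for (lv, i), seed in sent.items():
    layer = {i: seed}
    for _ in range(depth - lv):
        layer = {2 * j + b: prf(s, b) for j, s in layer.items() for b in (0, 1)}
    recovered.update(layer)

assert set(recovered) == reveal            # exactly the revealed leaves, no more
assert all(recovered[i] == node_seed(root, depth, i) for i in reveal)
print(f"revealed {len(reveal)} of 8 leaf seeds with only {len(sent)} nodes")
```

The unrevealed leaf stays hidden because no ancestor of it is ever sent; with the real parameters, this pruning is what brings the cost of the reveal step down to about n·log alpha seeds on average.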
This was a huge improvement upon prior works, but the number of vectors needed for the amortization to kick in was quite large. We reduce this number to 4k^2 / log^2 alpha for any parameter alpha, and we can further reduce it to 4k^2 / log^2(alpha·N) in the case of polynomial integer vector one-way functions, where, though I will not go into details here, the zero-knowledge proof is somewhat weaker. To give you some numbers: the original work needed around 70,000 equations for the amortization to kick in; with binary challenges, only a few thousand equations are enough; and with monomial challenges, even a few hundred equations suffice, which is much more feasible in practical situations. On the other hand, regarding the overhead, a somewhat more efficient implementation of the work of Cramer et al. gives a proof size per secret of 8.8 kilobytes, and with our construction we reach at most 10.3 kilobytes per secret, a roughly 15% increase in size, which is totally reasonable. So thank you for your attention.