The talk is going to be about statistical witness indistinguishability and more in two messages by Yael Tauman Kalai, Dakshita Khurana, and Amit Sahai, and Yael will be giving the talk.

OK. So thank you very much. I first wanted to start by saying that Dakshita should have come here and presented the talk. Unfortunately for you, she couldn't make it. She's a great speaker, but she couldn't make it to Israel, so you're stuck with me. So let's begin. So what we show is a joint work with Dakshita and Amit Sahai. And what we show in this work is how to construct statistically witness indistinguishable arguments and more with two messages. OK. So let's start.

Interactive proofs. They're wonderful. Interactive proofs are really great. Why are they so great? Because they allow us to do zero knowledge. That's really fantastic. This was shown by Goldreich, Micali and Wigderson. We can do zero knowledge proofs for all of NP. Moreover, so zero knowledge proofs have only computational zero knowledge. So you need to be bounded in order not to learn. But we know that we can even do statistical zero knowledge. So even if you're all powerful, you still can't learn anything. However, note that to get statistical zero knowledge, we need to relax from interactive proofs to interactive arguments. So in interactive proofs, you're sound against unbounded cheating provers, whereas in interactive arguments, the soundness condition is only against computationally bounded cheating provers. So if you're willing to rely on computational soundness, you can get statistical zero knowledge for all of NP. Fabulous.

What do we want to do, though? So this is fantastic. The only problem is it requires interaction. The focus of this work and previous work is to try to reduce the amount of interaction needed. Wow, this clicker's not free. OK, so what's our goal? Our goal is to take, to construct a two message protocol with secrecy.
So we want to, and the way we go about this is we say, you know, suppose we have an interactive protocol that offers secrecy. Can we convert it into a two message protocol while still preserving secrecy? This is the question we ask. So kind of similar to the previous talk. And the focus of this work, though, as opposed to the previous talk, is on statistical secrecy. So we want secrecy even against an all powerful cheater who tries to learn information.

And why do we care about statistical secrecy? Well, there's many reasons, but one of them is once you have the protocol, it can be out there forever. And so you really want, in a sense, to have this everlasting security. If you have statistical secrecy, then your guarantee is even if it's sitting there forever, this transcript, nobody can learn information. This is kind of in contrast to soundness where you need to be kind of online in order to cheat. So you can always time out if the cheating prover takes too long. So that's the motivation of trying to get statistical secrecy.

And loosely speaking, what we show is we construct a two message argument system, so computationally sound proof, for NP with statistical secrecy. What do I mean by secrecy? So we get witness indistinguishability and more. And I'll say a little bit about the more at the end of the talk. But for the most part, think of WI. And that's under relatively standard assumptions. The only reason it's kind of DDH, or quadratic residuosity, or Nth residuosity, or OT more generally. But we need slightly super polynomial security. And I'll get to that. So think of quasi-poly security. And I just want to mention that this was all known in the computational setting. Actually, in the computational setting, it was all known from the early 90s by work of Dwork and Naor on Zaps and witness indistinguishable proofs in two messages.
So again, the focus of this talk is on the statistical setting, where we did not have such a result under any standard assumption besides kind of random oracle type assumptions in two, or even in three messages, actually.

So what's the starting point of this work? So this exact question of reducing, taking an interactive protocol that's secret, and reducing interaction while maintaining secrecy, was already asked in previous works, but in the computational setting. And we kind of followed that approach. That's kind of the starting point of our work. So let me tell you what is done in these works, because the starting point is kind of similar. So they say, here's how they take an NP complete problem. For example, think of graph Hamiltonicity as an example, or you can think of others. So and take Blum's three message protocol, the zero knowledge protocol for graph Hamiltonicity, with only soundness half. OK, so soundness half, we have zero knowledge. Soundness half is enough for now.

OK, so how does it work? This protocol, in the first message, the prover commits to his graph with the Hamiltonian cycle in there, to the permuted graph. And it doesn't really, the details are not important. The important thing is in the first message, there is a commitment to something. Then the verifier sends a bit, a random bit, which is either zero or one. And based on this bit, the prover opens. Either he opens everything, the permuted thing, or he opens only the Hamiltonian cycle. So that's kind of the high level structure. The details are really not important.

And here's the idea of how to convert it into a two message protocol. So the idea is the following. Exactly similar kind of to the spirit of the previous talk. The idea is, you know what, how do we reduce interaction? Have the verifier send his bit ahead of time. Now, of course, if he sends it ahead of time, it won't be secure at all. So instead, what we do, we have him send it hidden. How do we hide it?
We hide it using a two message oblivious transfer protocol, okay, which I'll define in a minute. I'll explain in a minute what it is. But, and I want to say this OT is a specific, this kind of idea is known more generally as the PIR heuristic or FHE heuristic. It was suggested originally by Biehl, Meyer and Wetzel in 99 in the multi-prover interactive proof setting. And with Ran Raz, we kind of looked at it in the interactive proof setting. And in this work, because we're interested in secrecy, we don't use any PIR scheme, but rather a symmetric PIR scheme. And OT is just an instantiation of that when we don't care about succinctness.

So actually this transformation, this idea of transformation has been done before in the context of soundness, okay, even before this computational secrecy. So what was shown in the work with Ran Raz is that this is sound. This is sound, assuming, okay, so it's sound. However, you need to assume that the OT is more secure than the commitment. And that's why we need a super polynomial assumption on the OT. So this is sound as long as the OT is harder to break than the commitment scheme. Okay, good, and this was already in the work with Ran Raz, so that's great. How about secrecy? Well, in these works, we work hard to show that it's also secret. Okay, so we get WI, secrecy, and more. Okay, but again, this was all computational.

Now let's go to the statistical setting, which is the starting point of this work. Okay, so again, we wanna get statistical secrecy. So what do we do? Well, we look at the Blum protocol, same Blum protocol, and we know how to make it statistically zero knowledge. How? Instead of using a statistically binding commitment, as Blum, what you do is you use a statistically hiding commitment. So if the commitment is statistically hiding, this is known to be statistical zero knowledge. Again, the soundness is half, but that can be amplified later, okay?
So we have a statistically sound, a statistically, statistical zero knowledge argument, not an argument, because the commitment is only computationally binding. But, and that's just the same thing. So that's what we propose, just do exactly the same. Instead of sending the verifier's message in the third round, send it ahead of time, so to get a statistically hiding commitment, you need two rounds or two messages. So send the bit E ahead of time with the first message of the commitment. So again, com1 and com2, just as the first two rounds or messages of the commitment scheme. So the commitment consists of two messages, the first is com1, the second is com2. Okay, so this is exactly the same. Use OT, which I'm gonna define next, send the bit in the first message, the bit E in the first message kind of in a hidden way and that's it. Okay, so very similar as before.

And the main thing is, okay, is this still sound and do we still get secrecy or statistical secrecy? So the first thing which follows pretty easily from previous, from the computational work is that secrecy is preserved. Okay, what do I mean by preserved, not preserved, you don't get zero knowledge in two messages, but we do get WI and more, which I'll say the more later. Okay, but we do at least get WI, statistical WI. And now I wanna tell you a little bit about why we get statistical WI. So, I mean, previous work, the computational setting showed we got WI. And we use exactly the same, so what primitive do we use? Well, I claim that we don't get computational, we get already statistical. Why? Well, the commitment is statistical. So the verifier really doesn't, you know, it gets perfect kind of statistical security from the commitment. And the OT that we use, and it was also used in the previous work, also offers statistical secrecy to the verifier, in the verifier setting.

So now let me define what a, okay, what the OT is, or the OT that we use. So the OT we use is one out of two OT.
So there's a receiver and a sender. The receiver wants to get one of these two messages, M0, M1, which one? Depends on the bit B. So he has a bit B and he wants to get M_B, okay, the B'th message. And the way it works, he sends a message that depends on B, B is hidden, okay? And he gets back a message that depends on his message and on M0, M1. And from these two messages, it's only two messages. And from these two messages, he can recover the message he wants, which is M sub B.

And here's the security guarantees, that's important. So first, you get even a cheating, a polynomial time, a PPT cheating sender, cannot cheat, cannot guess B, okay? So he cannot guess the bit B. But importantly, even an unbounded receiver does not learn anything about the other message. So we do get a statistical guarantee for a malicious receiver. In our setting, the receiver is the verifier, okay? So that's exactly what we want. So we knew how to construct these from DDH and from quadratic residuosity and Nth residuosity. But as I said, for our works and also the previous works, we needed, it's not enough to get security against a polynomial time cheating sender, we need against a super polynomial time cheating sender and therefore our results are under any of these assumptions but with super polynomial hardness, okay? With hardness that's more than breaking the commitment scheme that we use. Okay, so that's the primitive you use and because we get security here, against an unbounded receiver, when we get this protocol, we get statistical security as well. And why it's WI, it's from the previous work. Exactly as the computational setting.

Quite interestingly, that's not where the hard part is. The hard part of this work is actually on soundness. So the real question is why is this sound? And now let me take a little detour and tell you the problem is, so the idea of reducing interaction, reducing rounds in interactive protocols is an extremely interesting problem, okay?
There's a lot of research on it and we know, so qualitatively speaking, there's kind of two classes of ways of reducing interaction. One is using the Fiat-Shamir heuristic and one's using what I mentioned, the PIR heuristic or FHE heuristic. And here's what we know. For proofs, if you start with an interactive proof as opposed to an interactive argument, it works. Okay, under assumptions and some which I didn't want to mention here because it's not the focus, but if you're willing to, some assumptions, you get security, okay? Great. What about when you try to reduce interaction from an interactive argument? Doesn't work. So Fiat-Shamir, there's actually counter examples or negative results and for the PIR heuristic, we don't really have complete counter examples but we have a lot of intuition and indication that in general it's not sound. Okay, so actually, to date, we do not know how to reduce interaction from interactive arguments, okay? Unless, you know, applying a random oracle model but without relying on relatively standard assumptions, we do not know how to do that.

Okay, now this is a problem for us because we start with the statistical zero knowledge which is an argument and I'm trying to reduce interaction from the argument which I do not know how to do. So that's why the soundness is the issue here. Okay, and this seems like a dead end in a sense. However, we managed to do it and the main idea to get to do this is we use a special commitment scheme. Okay, so again, in general, I don't know that this is sound, this transformation for arguments. However, if you use a special commitment scheme, then we prove that it's sound. So that's kind of the main technical idea of this work, is to prove that you can go from interactive arguments, reduce interaction, if you choose the commitment scheme in a clever way. So what do we want from this commitment? How do we choose this commitment scheme?
So, statistically hiding, of course, I have to have statistically hiding to get my statistical secrecy. However, I need statistically binding or I need it to be a proof to get soundness. So the way we do it, we say, you know what, it's almost always gonna be statistically hiding but with some small probability, it won't and then it will be statistically binding. And the idea is you cannot distinguish between the two cases and that's how we kind of get the best of both worlds. So the statistically hiding will imply statistical secrecy, it's not actually here, we don't get zero knowledge, but statistical secrecy and or, you know, we get the original scheme is statistical zero knowledge and the statistically binding will imply that the resulting two message is sound. And because you cannot distinguish between these two modes, you can't, you know, break it in one case and not the other. So that's kind of the high level intuition.

However, I wanna mention that's not all we need, it's not enough, what we really need is that it's gonna be extractable. And this is kind of technical in the proof, you know, you need some extractability of it. So I don't wanna get into the details of why because that's not very interesting. But one thing I do want you to get from this talk is actually what we need in a weird way is a statistically hiding and extractable commitment scheme. And at this point, you should kind of be like, what? How can it be statistically hiding, meaning there's nothing there, but yet, you can extract. That makes no sense. So again, but this is kind of what we do and the way we do it is inspired by a previous work of Dakshita and Amit, Khurana and Sahai. And what we construct is a two message scheme, a commitment scheme, that is statistically hiding and computationally binding, but with some small probability, this commitment scheme switches to a statistically binding and extractable commitment scheme.
He cannot tell if he's in the binding mode or in the hiding mode. So maybe in the few minutes I have left, so that's kind of the main idea, in the few minutes I have left, actually I wanna give you kind of a sense of what this commitment scheme is, so you won't leave kind of in this magic. So it's very, very simple. And let me give you kind of the basic idea, the basic protocol, which is not really hiding, but it achieves hiding with probability half. And then we amplify it.

So what is the protocol? A committer wants to commit to a message M, what he does, he chooses two messages. One is M, and one is completely random. And he mixes them, he chooses random R, one of them is gonna be M and the other is gonna be the random one, and what the receiver does, he gets one of them using an OT. Again, the OT comes, okay? So the receiver will send a bit, a random bit, and he will get one, he will get the R and one of these messages. If B equals R, he got the message. So it's not a good commitment scheme, it's not hiding at all, only with probability half. If he didn't get R, he gets nothing, statistically. So this guy, you probably feel like, okay, this is kind of cheating. However, so again, this is only hiding with probability half, and with probability half, it's extractable. If B equals R, he actually knows the message. But it seems not very surprising.

So the actual, to get the actual statistically, the actual commitment scheme, we do this amplification. So instead of one message M, one uniform, there's K bits and two K messages, everything is random, subject to kind of some XORing being the message. And so I don't wanna go into the details, actually, because of the timing, because it's not, you know, I'll defer to the paper. But you know, this is essentially our statistically hiding commitment scheme, which is gonna be hiding with probability one minus two to the minus K, so with two to the minus K probability, it'll be extractable. Okay, so let me wrap up.
What did we get? So we constructed a two message statistical witness indistinguishable argument for all of NP, assuming slightly super polynomially secure OT, which can be instantiated under the DDH, QR or Nth residuosity assumption. This is the protocol. You take the statistically hiding, the statistical zero-knowledge version of Blum and apply the OT heuristic to it. And the main take-home message is that actually reducing interaction using this heuristic can be sound. It's not in general sound for arguments, but it can be sound. And by kind of taking the argument and flipping it as sometimes being proof, but sometimes being argument, you can gain soundness. So one can think of, I think it'll be interesting to get kind of more out of this trick. And the way we do it is by constructing a statistical and extractable commitment.

And let me just say a word about the more. So beyond WI, we get statistical zero-knowledge with quasi-poly simulation. For example, we get adaptive soundness of this protocol. So X can be chosen even based on the first message. We still get soundness. We get statistically strong WI in the delayed input setting and more, which I don't have time to... Thank you.

We have time for questions.

And why do you need that small probability in the commitment scheme to be instantiable?

Yes, yes.

Why is the solution that's probably not small?

Yes, so the question is why is it sufficient that the probability is small? And the reason is, even if it's small, if in that case, I'll give you the intuition, it's kind of hard to say precisely, but the intuition is even if with small probability, he can cheat. In fact, it means what we show is that he can, with that probability, two to the minus K, you can set K, you can set that probability as you want. With that probability, he'll be able to distinguish. You can break the underlying commitment, the modes. And so that's how a... Because we know that in another case, you can't cheat.
And in this case, you can cheat, then I know you were in that mode, not that mode. And so we rely heavily on the fact that these modes, you cannot distinguish between them. That's the...

Any more questions? So let's thank the speaker again.