So, hi. First, to answer your question: the point is that you don't need the full power of the random oracle. There's a nice, simple primitive you can define, a succinct proof with this incompressibility property, and it's enough.

Okay. So, hi. I'm Nir, and I want to tell you about round-optimal statistical zero-knowledge arguments. This is joint work with Omer Paneth.

In case you've just joined the session, let me remind you what zero-knowledge protocols are. Here we have a prover that interacts with a verifier in order to prove some statement. The most basic requirement is, of course, completeness: if the statement is true, we want the verifier to accept. The second requirement is soundness: if the statement is false, the verifier should reject with overwhelming probability. And, of course, we have the zero-knowledge requirement, which essentially says that the verifier should not be able to learn anything meaningful from the proof. The way this is captured is via the simulation paradigm: we require that there exists an efficient simulator that can simulate an interaction out of thin air, without ever speaking with the prover, such that the simulated interaction is indistinguishable from a real one.

Now, as you may know, this notion comes in many colors and flavors, and in this work we consider one main variant of zero-knowledge: statistical zero-knowledge arguments. So, what are these? As the name suggests, here we really want the simulated interaction to be statistically indistinguishable from a real interaction. This is a very appealing property in the sense that it provides a form of everlasting privacy: even if the verifier stores the interaction and post-processes it for unbounded time, it still gains no meaningful information. Now, statistical zero-knowledge systems for general NP languages are unlikely to also be statistically sound, which is why we relax the soundness requirement to hold only against computationally bounded provers. Such arguments may very well exist for all of NP.

So, the question we focus on in this work is a natural one about the round complexity of such arguments: how much interaction do you need in order to achieve statistical zero-knowledge? Let me tell you a little about what we know, and compare it to what we know about computational zero-knowledge. We know that some interaction is required; in particular, even computational zero-knowledge cannot be achieved in two messages. On the other hand, we've known for quite a while how to achieve statistical zero-knowledge in four messages based on standard assumptions, specifically collision-resistant hash functions.

Okay, so what is the exact round complexity of zero-knowledge? What about three messages, can we have such protocols? Here we know there is a difficulty: in particular, you cannot have three-message protocols with black-box simulation. Nevertheless, in the computational setting, for computational zero-knowledge, such protocols do exist. Protocols under non-falsifiable knowledge assumptions have existed for quite a while, and more recently there is also a protocol based on a falsifiable assumption, the multi-collision resistance of keyless hash functions. You heard a little about it from Cody, and we're going to touch on it again in a bit.
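[Since everything that follows revolves around these requirements, here is one standard way to write them down; the exact quantifiers and formulation vary across the literature, so read this as an illustrative formalization rather than the talk's official definition.]

```latex
% Completeness: for every x in L with witness w,
\[ \Pr[\langle P(w), V \rangle(x) = \mathrm{accept}] \ge 1 - \mathrm{negl}(|x|) \]

% Computational soundness (an "argument"): for every x not in L and
% every polynomial-size cheating prover P*,
\[ \Pr[\langle P^{*}, V \rangle(x) = \mathrm{accept}] \le \mathrm{negl}(|x|) \]

% Statistical zero-knowledge: for every verifier V* there is an
% efficient simulator S such that, in statistical distance,
\[ \Delta\bigl( \mathrm{View}_{V^{*}}\,\langle P(w), V^{*} \rangle(x),\ S(x) \bigr) \le \mathrm{negl}(|x|) \]
```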
So, what about statistical zero-knowledge? Here we basically don't know much. In fact, there are no such protocols, not even under non-standard assumptions, including knowledge assumptions, at least if we're thinking about general non-uniform attackers. And this is where our work comes in.

Our main result is a statistical zero-knowledge protocol with optimal round complexity, namely three messages, assuming keyless multi-collision-resistant hash functions and other standard assumptions that you can instantiate, for example, from LWE. This basically matches the assumptions used before for computational zero-knowledge, but achieves the stronger statistical guarantee. Comparing to previous four-message protocols, we don't improve the assumptions here, only the round complexity. But we also show in this work a four-message protocol that relaxes the assumption previously required, from collision resistance to multi-collision resistance.

Okay. So, these are the results, and let me tell you a little more about what these multi-collision-resistant hash functions are, in case you haven't encountered them so far. Here we're considering functions that shrink by at least some linear factor. In such functions, there not only exist colliding pairs; there also exist much larger tuples that all map to the same output, which we call m-collisions. Naturally, you can define a relaxation of collision resistance, called m-collision resistance, which says that it's hard to find such m-tuples.

So this is really a natural relaxation, but something very interesting about it is that it also makes sense for fixed functions, functions that don't have a key. We know that in the case of collision-resistant hash functions, the attacker could always have a hardwired collision in its code; this is unavoidable. The same is true for multi-collisions: you can always have a polynomial-size multi-collision hardwired in your code. But you can require that you cannot do better than that, in the sense that a non-uniform attacker with non-uniform advice of size s should not be able to find multi-collisions of size significantly larger than s. So, it's a pretty simple assumption. It's falsifiable. It may plausibly hold for existing hash functions like, say, SHA. But nevertheless, it's new at this point and should be considered non-standard; we don't understand it well enough, and I'll get back to this point towards the end of the talk.
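[To make the object concrete, here is a toy brute-force illustration (my own example, not from the talk): a fixed, keyless function shrinking 16 bits to 8 bits must have large m-collisions by the pigeonhole principle, and at these tiny parameters we can simply find one.]

```python
import hashlib
from collections import defaultdict

def toy_hash(x: bytes) -> int:
    """A fixed, keyless toy 'hash' from 16 bits down to 8 bits
    (a stand-in for a real keyless function like SHA)."""
    return hashlib.sha256(x).digest()[0]

def find_m_collision(m: int) -> list[bytes] | None:
    """Brute-force an m-collision: m distinct inputs with the same
    output. Such tuples exist by pigeonhole whenever the domain is
    at least m times larger than the range."""
    buckets = defaultdict(list)
    for i in range(2 ** 16):
        x = i.to_bytes(2, "big")
        h = toy_hash(x)
        buckets[h].append(x)
        if len(buckets[h]) == m:
            return buckets[h]
    return None

print(find_m_collision(4))  # four inputs hashing to the same byte
```

[The assumption, then, is not that such tuples don't exist; they always do, and a small one can be hardwired as advice. It is that s bits of advice don't let you produce collisions of size significantly larger than s.]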
Okay. So, these are multi-collision-resistant hash functions, and in the rest of the time that I have, I'd like to give you a taste of the techniques. Yeah, this photo was taken yesterday at lunch, right here.

Let me start by giving you a general template for constructing zero-knowledge protocols, which was more or less followed in the previous work that constructed computational zero-knowledge in three messages. The protocol has two steps. In the first step, the prover and verifier run a sub-protocol to establish some sort of trapdoor. Then, in the second step, the prover proves that either the statement x is true, or that it knows this secret trapdoor. Now, the point is that this trapdoor should be hard to find, so if the prover manages to convince the verifier, it must be the case that the statement is true. At the same time, a simulator that has the code of the verifier, unlike the prover, can somehow extract this trapdoor and use it to generate the proof. The proof is going to be what we call witness indistinguishable, meaning that the verifier cannot tell whether it's given a proof that uses the actual witness for x or the trapdoor witness, and this is how you argue zero-knowledge.

Okay, so where does this fit into our picture? The previous work that constructed computational zero-knowledge in three messages basically showed how to implement this trapdoor phase. You can then couple that with off-the-shelf witness-indistinguishable proofs of knowledge in three messages to get a protocol. So you might expect that, in order to get three-message statistical zero-knowledge, the change you have to make is to obtain statistical witness-indistinguishable arguments of knowledge. And this is really more or less the case. We do use the trapdoor phase from previous work, with some natural tweaks that I'm not going to get into in this talk. The main focus is really on obtaining these statistically witness-indistinguishable arguments of knowledge.

As a matter of fact, our understanding of statistical WI (witness indistinguishability) has not been much better than that of statistical zero-knowledge; up until recently, it was very much the same. Very recently, there was a very nice protocol that achieved statistical WI in just two messages, but it's not an argument of knowledge. And we really need an argument of knowledge here, because this trapdoor always exists; the point is that it should be hard to find, so we need the guarantee that a prover that convinces the verifier actually knows it, in the sense that you can efficiently extract it.

Okay. So, this is the technical focus of this work, and I want to tell you how we do it. Do we have a clock somewhere? Okay. Well, I'm the last talk, so I'm going to forget about time. Yeah, if you get bored, just leave.

So, I want to tell you how to construct these statistical WI arguments, and for that, I'm going to recall how classical computational WI arguments work. In the first step, the prover takes some string, classically representing, say, some graph, computes bit commitments to the corresponding bits, and sends them over to the verifier. The verifier then sends a bunch of random challenges, basically asking the prover to open some of these bits. The prover opens the corresponding commitments, and the verifier decides whether to accept. Now, as you may expect, if you use statistically-hiding bit commitments, then you do actually get statistical witness indistinguishability; a minimal sketch of this commit-challenge-open skeleton follows.
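[Schematically, the flow looks like the following minimal Python sketch. The hash-based commitment and the eight-bit string are my own placeholder choices; a real instantiation would use statistically hiding commitments, which is exactly where the trouble discussed next lies.]

```python
import os
import hashlib
import secrets

def commit(bit: int) -> tuple[bytes, bytes]:
    """Toy hash-based bit commitment: H(bit || randomness).
    NOTE: a stand-in only; the talk needs statistically *hiding*
    commitments, which this toy construction does not provide."""
    r = os.urandom(16)
    return hashlib.sha256(bytes([bit]) + r).digest(), r

def open_ok(com: bytes, bit: int, r: bytes) -> bool:
    """Check that (bit, r) is a valid opening of com."""
    return hashlib.sha256(bytes([bit]) + r).digest() == com

# Commit phase: the prover commits to each bit of its encoded witness.
string = [1, 0, 1, 1, 0, 0, 1, 0]        # hypothetical encoded witness
coms, rands = zip(*(commit(b) for b in string))

# Challenge phase: the verifier asks to open a random subset of bits.
challenge = [i for i in range(len(string)) if secrets.randbits(1)]

# Open phase: the prover opens exactly the challenged bits; the
# verifier checks the openings (and, in a real protocol, a predicate
# on the revealed bits). The unchallenged bits stay hidden.
for i in challenge:
    assert open_ok(coms[i], string[i], rands[i])
```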
So, what's the problem? The problem is that statistically-hiding bit commitments cannot be achieved non-interactively, and this is inherent; it's the same situation as with collision-resistant hash functions. Because the commitment is statistically hiding, openings to both values do exist, and they can always be hard-coded into a non-uniform attacker.

So, we need to do something else, and we're going to rely on a weaker definition of binding. Let me tell you what it says. Here, too, we'd like to commit to a bit string, and just as before, we'd like to be able to open a certain subset of the bits. It's important that the unopened bits remain statistically hidden, just like with plain bit commitments. But we ask for a much weaker binding guarantee: all that we ask is that for any efficient attacker, there is a short, polynomial-size list of strings, such that whenever it opens a subset of the commitments, the opened bits must be simultaneously consistent with one of these strings. So the attacker may be able to open each individual bit any way it wants by choosing one of these strings, but it cannot mix and match.

Okay, so this is the object that we want, and I want to argue that it is actually sufficient to get an argument of knowledge. Intuitively, the reason is that if you have an attacker that convinces the verifier with some noticeable probability, this attacker has a corresponding polynomial-size list of strings, and then there also exists an attacker that, with polynomially smaller but still noticeable probability, convinces the verifier while being consistent with a single one of these strings. This allows a reduction to the previous setting, where we really had the classical notion of binding.

So this is really what we want, and the last thing I want to do is give you some idea of how to construct this object. The construction is pretty simple to describe and relies on two tools. The first tool is weakly binding string commitments that don't have this subset-opening property: you can only open the commitment in full, so no bit remains hidden once you open. This is something you can actually build from multi-collision resistance; the construction is completely analogous to that of statistically hiding commitments from collision resistance. The second tool is something you all know: threshold secret sharing. Here I'd like to be able to take a bit b and encode it into a bunch of symbols with the following two properties. First, as long as I reveal fewer symbols than my threshold t, the bit b remains perfectly hidden. Second, encodings of different bits must be far apart: they can agree on fewer than t symbols. And indeed, we know that from t symbols you can already recover the secret.

So these are the two basic tools, and with that, let me describe the construction. We have our bit string, which we'd like to commit to. The first thing we do is compute a secret-sharing encoding of each and every one of the bits, and place these encodings in the corresponding columns of a matrix. Then we compute the weakly binding commitments to each one of the encodings, that is, to the columns. And then we take another copy of this matrix and also compute commitments to the rows. This is basically our commitment: just the commitments to the columns and the rows of this secret-sharing matrix.

Good. So how do we open a subset? First, naturally, we open the corresponding encodings, namely the columns corresponding to the subset we want to open. But we don't stop at that. The opening procedure is actually randomized: the receiver picks a few random rows, not more than the threshold, and asks that the sender also open the commitments to these rows. I'm not going to prove anything, but let me wave my hands a little to convince you why this works; a toy sketch of the whole construction follows.
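[Here is a toy end-to-end sketch with made-up parameters (N = 8 symbols per encoding, threshold T = 3, a small prime field) and a plain hash commitment standing in for the weakly binding string commitments; it is meant only to fix the shape of the construction, not to reflect the paper's actual instantiation.]

```python
import os
import hashlib
import random

P = 257            # toy prime field for the shares
N, T = 8, 3        # N symbols per encoding, privacy threshold T

def share_bit(b: int) -> list[int]:
    """Toy Shamir sharing: a random degree-(T-1) polynomial with
    constant term b, evaluated at 1..N. Fewer than T symbols reveal
    nothing about b; encodings of 0 and 1 agree on < T positions."""
    coeffs = [b] + [random.randrange(P) for _ in range(T - 1)]
    return [sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P
            for x in range(1, N + 1)]

def commit(symbols: list[int]) -> tuple[bytes, bytes]:
    """Toy string commitment to a whole column/row; a placeholder for
    the weakly binding commitments from multi-collision resistance."""
    r = os.urandom(16)
    data = b"".join(s.to_bytes(2, "big") for s in symbols)
    return hashlib.sha256(data + r).digest(), r

# Commit: share every bit into a column of an N x |bits| matrix,
# then commit separately to every column and to every row.
bits = [1, 0, 1, 1]
cols = [share_bit(b) for b in bits]                  # one column per bit
rows = [[cols[j][i] for j in range(len(bits))]       # transpose view
        for i in range(N)]
col_coms = [commit(c) for c in cols]
row_coms = [commit(r) for r in rows]

# Open a subset S of the bits: reveal those columns in full, plus
# fewer than T receiver-chosen random rows as cross-checks. Hiding
# holds since each unopened column leaks fewer than T symbols.
S = [0, 2]
opened_cols = {j: cols[j] for j in S}
checked_rows = random.sample(range(N), T - 1)
opened_rows = {i: rows[i] for i in checked_rows}
```

[Note that Shamir sharing gives both required properties at once: fewer than T shares are independent of b, and two distinct degree-(T-1) polynomials can agree on at most T-1 points, so different encodings are automatically far apart.]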
I forgot to say that the receiver, at the end, should of course check consistency: that the opened encodings are really valid encodings, and that the opened rows and columns agree with each other.

Okay. So, first, let me argue that this thing is hiding. That's really because, for the bits that we do not open, we reveal only very few coordinates of their corresponding encodings, fewer than the threshold, so we're protected by the secret-sharing privacy guarantee.

The more interesting part is arguing weak binding. Why does that intuitively hold? These column commitments, we understand, already bind the sender to a few possible encodings for each and every one of the bits. But it may still be able to open them independently; in particular, assume for simplicity that it can open one encoding of zero and one encoding of one for each and every one of the bits. We want to make sure that it cannot mix and match, and this is exactly what the cross-checks are for; this is why we also open the rows. The intuition is that if you fix any two such encodings of different bit values and choose enough random locations, then, because the encodings are far apart, with very high probability the revealed coordinates are consistent with at most one of them. As a matter of fact, if you choose your parameters right, these tests actually fix the entire bit string of the sender; computationally fixed, that is, not information-theoretically fixed.

Now, where does this small list of strings come from? What's important here is that the sender is also bound by its commitments to the rows. So, for each random selection of rows, there are only very few openings the sender can present, and these directly map to very few strings that it can eventually open. Okay. So, this is a little bit about the construction; you're welcome to ask me more about it offline.

Before I finish, I wanted to give you some food for thought. You've heard now, in this talk and in the previous one, about two primitives that seem to inherently require some sort of setup or a key, simply because hardwiring attacks exist. A fascinating question is whether we can get meaningful security even without such randomized setup. This is not only interesting from a theoretical perspective; it's also a practical concern, because this is what we do all the time, right? We use SHA for collision resistance; we don't sample keys for collision-resistant hash functions. In this talk, and also in the previous one, we've seen that you can at least formulate meaningful security guarantees for such fixed functions (in the previous talk's case, for SNARKs). I think it's fascinating to understand these, because we're speaking about a completely different type of hardness, very different from the average-case hardness we're used to and love so much in cryptography. It would be very interesting to get any kind of formal evidence beyond assuming this thing as an atomic assumption on SHA or on some other function, which I think is also reasonable; it would be great if we could get actual reductions to different forms of hardness. We're not there yet, and I encourage all of you, or at least some of you, to think about it. And this is all that I wanted to tell you.

Thank you, Nir. Any questions? All right. So, let's thank Nir and the other speakers.