 All right, thank you very much for the introduction, and thank you everyone for sticking around. So I'll be talking about physics in this talk. So let's begin with a quick review of zero-knowledge proof systems. So we all know what this is. A zero-knowledge proof system is basically a two-party protocol between a prover and a verifier, where the prover wants to convince the verifier that some statement X is contained in some language L. So a zero-knowledge proof system should satisfy three properties of completeness, soundness, and zero-knowledge. So completeness says that if some statement X is contained in the language L, then an honest prover following the protocol should be able to convince the verifier to accept the proof. So soundness says that if some statement X is not contained in the language, then even a dishonest prover should not be able to convince the verifier to accept the proof. And finally, a zero-knowledge property says that a verifier participating in the protocol should not be able to learn any more information about the statement X, other than the fact that the statement X is contained in the language. Of course, we capture this third property of zero-knowledge using the existence of some simulator that can simulate without knowledge of any witness, that can simulate the transcript of the protocol from the perspective of the verifier. So zero-knowledge proof systems are very well-studied objects in cryptography. By now, we have loss and loss of constructions from a variety of different assumptions. However, a natural question though that we can ask is what is the minimum number of rounds that's required for a zero-knowledge proof system? So in particular, can we have a single round or a one-shot zero-knowledge proof system? So for a standard zero-knowledge proofs, the prover and the verifier are allowed to send some messages back and forth and interact in many number of rounds. Now we're asking whether there exists a protocol where the prover just has to send a single message to the verifier and this is enough for the verifier to accept or reject the proof. So this is what we call a non-interactive zero-knowledge proof system and IZK or NISIX for short and this will be the main object of study in this work. So what do we know about NISIX? Do we know that they even exist? Well, it turns out that in the standard model or in the plain model, we can only hope to achieve NISIX for very easy classes of languages and this is because the two properties of soundness and zero-knowledge implies an efficient decision algorithm for the underlying language. So at least in the standard model, we can't really hope to construct NISIX for any interesting classes of languages. So what we generally do is work in weaker security models. So a very popular model that we generally consider is the random oracle model and in fact in this model, we know of many nice techniques for constructing NISIX from a variety of different assumptions. However, in this work, I will focus on constructing NISIX without relying on random oracles. So in this case, the goal standard is to work in the common reference string model or the CRS model. In this work, we'll actually focus on a third model called the preprocessing model, which can in fact be seen as a generalization or a relaxation of the standard CRS model. But since the ultimate goal of constructing NISIX is to work in the CRS model, let's first discuss the CRS model. All right, so what is the CRS model? Well, we're going to have the exact same setting as before. We're going to have a prover and we're going to have a verifier who wants to interact in some NISIX protocol. But before the protocol starts, we're going to have some trusted authority that generates some common string to provide to both the prover and the verifier. And this common string, we call this string the common reference string or the CRS and the requirement is that the CRS be independent of any statement to be proved in any future protocols. So once the prover and the verifier has access to the CRS, then they can participate in any unbounded number of NISIX protocols just as before. All right, so this is basically the model. So what do we know about constructions in the CRS model? So can we actually construct NISIX for all of MP in the CRS model? So in fact, in the literature, there are a number of ways, well, there are a number of ways that we know how to construct NISIX in the CRS model from a number of different assumptions that I listed here in the slides. But if you actually look at this list carefully, then immediate class of assumptions that we noticed that's missing from this list turns out to be the class of lattice assumptions. So standard lattice assumptions like SIS and LWE. We still don't know how to construct NISIX in the CRS model for all of MP from assumptions like SIS or LWE. So we do know how to construct NISIX for some specific classes of languages. However, the general problem of constructing NISIX for all of MP remains an open problem today. So this is actually a bit surprising just given how much we can already achieve from LWE in other areas of crypto, outside of proof systems, but just the algebraic properties that's required for constructing NISIX from all these other assumptions does not seem to exist in the lattice world. So in fact, this problem had been open for quite a while despite many attempts by us, by the crypto community, and in fact is considered one of the major open problems in cryptography today. So in this work, we make progress in this problem by considering a weaker model, by constructing NISIX in a relaxed model called the pre-processing model. So let's see what this pre-processing model is. So recall that in the CRS model, we allow a trusted authority to generate some common string to provide to both the prover and the verifier. In the pre-processing model, we're going to relax this requirement and allow the trusted authority to generate two different strings to want to provide to the prover and want to provide to the verifier. So the string that's provided to the prover, we call this the proving key, and the string that's provided to the verifier, we call this the verifying key. And just as in the CRS model, we require that the proving and the verifying keys to be independent of any statement to be proved in future protocols. So once the prover and the verifier has access to the proving and the verifying keys, then they can participate in any unbounded number of NISC protocols just as before. So in this model, soundness is achieved assuming that the verifying key is hidden to the prover. And analogously, zero knowledge property is achieved, assuming that the proving key is hidden to the verifier. So if we were to actually implement NISC in the pre-processing model, then we would generally just replace the trusted authority with some interactive protocol between the prover and the verifier to generate the proving and the verifying keys. And we call this the set of phase, the pre-processing phase, and hence the name, the pre-processing model. All right, so this is basically the model. Let's see what we currently know about constructions in this model. So in the literature, there are actually constructions of pre-processing NISCs from very weak assumptions like one way functions or oblivious transfers. However, all these constructions work in the single theorem setting where they only provide either bounded theorem soundness or bounded theorem zero knowledge. So bounded theorem soundness says that soundness holds only for an a priori bounded number of proofs. So if the prover gets to observe the behavior of the verifier for an a priori unbounded number of proofs, then it can cook up some valid proof for an unsure statement and violate soundness. So analogously, bounded theorem zero knowledge says that zero knowledge holds only for an a priori bounded number of proofs. So if the verifier gets to observe an a priori unbounded number of proofs, And at some point, it's going to be able to learn some information about the prover's witness. So this is, of course, not ideal. We want a construction where the prover and the verifier just has to run this preprocessing step once. And this is enough for them to run any a priori unbounded number of unicyc protocols. And this is what's called the multi-theorem setting for preprocessing physics. And this is the model that we consider in this work. So in fact, today, the only known constructions that we know of for multi-theorem preprocessing physics are actually the constructions that are in the CRS model. So since we do not know how to construct physics from standard lattice assumptions in the CRS model, we can naturally ask, can we actually realize multi-theorem preprocessing physics from standard lattice assumptions? And the hope is that constructing preprocessing physics from standard lattice assumptions can be used as a stepping stone towards constructing physics in the CRS model from standard lattice assumptions. So this is basically the motivation. So let me just summarize what we achieve in this work. So number one, we basically construct physics for all of NP in this preprocessing model from LWE. So in fact, what we actually achieve is something stronger. So in our construction, soundness holds, even if the verifying key is made public to the prover. So this is actually what's called a designated prover physics, but I will talk a little bit more about this later on in the talk. And number two, in order to use our physics proof system, the prover and the verifier have to participate in this preprocessing phase. So in the paper, we basically show a specific way of implementing this preprocessing phase that's tailored specifically towards our construction that's very efficient. It only requires oblivious transfers. And along the way, we introduce a new primitive that we call blind homomorphic signatures, which we believe is also of independent interest. And finally, we apply our constructions to the setting of multi-party computation. So in particular, we get a new succinct GMW compiler that can be instantiated from lattices. So in this talk, I'll focus mainly on our NISIC construction. And I will refer to our paper for the rest of the details on blind homomorphic signatures and applications to NPC. All right, so let's basically, let's discuss our construction. So how do we go about constructing NISICS in the preprocessing model from LWE? So a main tool that we're going to use is what's called homomorphic signatures. So this was a notion that was first formalized by Bonet and Freeman in 2011. So this is just like a standard signature scheme, but it allows for homomorphic computation on the signatures. So more specifically, just as in a standard signature scheme, a signer can take some message X and generate a signature with respect to some verification PVK. But now anyone can just come along and do or run some computation on the message X so they can compute f of X. While at the same time, homomorphically evaluate the function F on the signatures, on the signature of X to derive a new signature on the message f of X. So this new derived signature, this homomorphically evaluated signature is basically certifies the message f of X not just with respect to the verification P, but with respect to both the function F and the verification PVK. So this homomorphically evaluate signature is basically certifying that the message f of X was indeed the output of the computation F that was applied to the originally signed message X. So we required a homomorphic signature scheme to satisfy two security requirements. So the first security requirement is unforgeability. So we say that an adversary violates unforgeability and so an adversary violates unforgeability if given some message X and some homomorphic signature on the message X can generate some valid signature on a message Y with respect to some function F, but when a Y is actually not equal to F of X. So in other words, we're basically saying that the adversary violates unforgeability if it can falsely convince the verifier that some message Y was indeed the output of the computation F applied to X, when in fact Y is not equal to F of X. All right, and note that the second property that we require from a homomorphic signature scheme is called context hiding. So the context hiding security basically says that the homomorphically evaluated signature does not contain any information about the underlying signed, about the originally signed message X other than what can already be revealed from the output F of X. So we captured this formally using a simulation-based definition. So we consider two different distributions. So in the real distribution, the challenger that is given some message X and the signature on this message Sigma just honestly evaluate some function F on the signatures to derive a new homomorphically evaluated signature. And in the ideal distribution, a simulator is just going to simulate this homomorphically evaluated signature just given the output F of X but not given the original message X or the original signature Sigma. So if you actually look at this context hiding security definition then it kind of looks like a zero knowledge property. So what context hiding property is allowing you to do is just simulate the output of some computation without actually knowing the inputs to the computation itself. So it's kind of reminiscent of a zero knowledge property. So it seems like a homomorphic signature scheme that satisfies context hiding security should be able to give some sort of a zero knowledge protocol. And this indeed turns out to be the case. So let's discuss, so let me describe our construction of pre-post-signific from homomorphic signatures. So let's say we have two parties. We have a prover and a verifier and the prover has some statement X and some witness W and he wants to convince the verifier that the pair X and W satisfies some ampule relation R. But before the protocol starts just as a thought experiment, let's say that the prover is given access to a homomorphic signature on the witness W that it has. So the prover is going to start off the protocol with the homomorphic signature on the witness W. So in this case, it's relatively easy for the prover to convince the verifier that the statement X is true. What we can do is just homomorphically evaluate this function R sub X on the signature that it has and just send over the homomorphically battery signature to the verifier. So what is this function R sub X? This is just going to be the original MP relation R but with the statement X hardwired inside it. And what the verifier will do is just check that this homomorphic battery signature is valid on the message one with respect to this function R sub X. And the simple construction, it turns out that the simple construction actually satisfies all the properties that we need from a zero-knowledge protocol. So completeness just follows from the, straightforwardly from the correctness of the homomorphic signature scheme. And stillness follows from the unforgeability property of the homomorphic signature scheme. So if the statement X is not contained in the language, then there was, there does not exist any witness that satisfies the MP relation. And therefore the function R sub X is basically a normal zero function. So the prover without violating unforgeability should not be able to come up with a valid signature on the message one. And therefore soundness just falls. All right, and zero-knowledge property follows from the context-hiding property of the homomorphic signature scheme. So remember that the context-hiding security guarantees that the homomorphically evaluated signature does not contain any information about the originally signed message. So in this case, the originally signed message is the witness itself. So this is basically saying that the proof which consists of the homomorphically evaluated signature does not contain any information about the witness that the prover has. And therefore the zero-knowledge property just follows. So it seems like we have a protocol here that satisfies all of completeness, soundness, and zero-knowledge. And it basically satisfies the syntax of pre-possignistic. So we can just allow the trusted authority to just provide the prover with the homomorphic signature on the witness as the proving key. However, remember that the requirement for a pre-possignistic was that the proving and the verifying keys to be independent of any statement to be proved in the protocol. So here, the string that the prover needs to start the protocol is actually a homomorphic signature on the witness which does depend on the statement to be proved in the protocol. So we have a problem here. So this violates the requirement for a pre-possignistic. So the way we get around this problem is to add an extra layer of indirection. So instead of the prover starting the protocol with the homomorphic signature on the witness, it's going to start off the protocol with the homomorphic signature on some encryption key. So we're basically going to fix some encryption key for the protocol, so fix some encryption scheme for the protocol, and the prover is going to be given a homomorphic signature on the encryption key. Now, how does the prover convince the verifier? What it will do is first encrypt the witness that it has using the encryption key and send over the cypher text to the verifier. And at the same time, a homomorphic evaluate this function C on the signature that it has and send over the homomorphic evaluated signature. And what is this function C? This function C is going to be defined with respect to the statement X and the cypher text CT that it generated. It's going to take in an encryption key. It will first decrypt the cypher text and then check the MP relation. And just as before, the verifier is basically going to check that the homomorphic signature is valid on the message one with respect to the function C. And in fact, we can actually use the exact same argument as before to prove completeness, soundness, and zero knowledge. So completeness just follows from the correctness of the homomorphic signatures again and the correctness of the encryption scheme. And oops. And soundness basically follows again from the unforgeability property of the homomorphic signature scheme. So just like before, we argue that the function C, so if the X is not contained in the language, we argue that the function C is basically a null zero string so the prover cannot violate soundness without violating unforgeability. And zero knowledge property also follows very similarly as before, it follows from context hiding security of the homomorphic signature scheme and semantic security. We first argued that the homomorphic signature does not reveal any information about the encryption key and then we just resort to semantic security to prove that the witness is hidden. All right, so we now basically have a protocol that satisfies completeness, soundness, and zero knowledge and the string that's required by the prover is also independent of the statement to be proved in the protocol. So this is basically our protocol, so we just basically allow the trusted authority to provide the prover with the homomorphic signature of an encryption key as the proving key and now the prover can send over a cyber text and the homomorphic value signature to prove any statement that it wants and any number of statement that it wants. And note that the verifier, note that the only information that the verifier needs to check the proof is actually the verification key for the homomorphic signatures. So in this case, verifier has no secrets at all, so the verifying key is basically just an empty string. So what we actually get is what's called designated prover, NISIC, from homomorphic signatures. So the only question that remains is can we actually construct homomorphic signatures from standard lattice assumptions? And basically the answer is yes, there are homomorphic signature constructions in the literature from standard lattice assumptions. So this is starting from a very beautiful work of Korupinov-Baikon-Tanathan and Wix from 2015. So there are actually two variants of their construction and both of them we can instantiate our protocol with either of these constructions or either of these variants. So if you use their first variant, suddenly this stopped working. All right, so yeah, so there's basically two variants of their construction. So if we use their first variant, then what we get is a pre-posting NISIC argument from the assumption SIS for integer solutions. And if we use their second variant, then this is often called homomorphic commitments, then we actually get a pre-posting NISIC proofs from LWE. All right, and that's basically it. That's basically how we get pre-posting NISICs from standard lattice assumptions. So let me just quickly summarize. So yeah, so we basically get new multi-theorem designated proof for NISIC from homomorphic signatures that can be based on either SIS or LWE. And I did not get a chance to talk about it in this talk, but we basically define, we've introduced a new notion of line homomorphic signatures for efficient implementation of the pre-posting step. And we also apply our construction to MPC to get new succinct MPC protocols and succinct GMW compiler that can be instantiated from lattices. And let me just finish up with open problems. So yeah, the obvious open problem here, of course, is constructing NISICs from lattices in the CRS model. So the reason why our construction doesn't work is because if the proving key becomes public, then it contains the encryption key that was used to encrypt the cybertext. So anyone given the encryption key can just encrypt the message and just read out the witness and therefore we don't get zero knowledge property. Another really nice open problem is to actually get multi-theorem pre-posting NISICs from other assumptions, so assumptions like DDH. So for this actually, we don't, so if you actually don't want designated proof for NISIC, but if you just want pre-posting NISIC, then a weaker notion called morphic max actually surfaces. And I'm aware that some groups are actually already working on this, so which is great because I think this is a very, very nice open problem. Right, and with that, let me finish. Thank you very much.