Hello, everyone. I'm Takashi from NTT. Today, I will talk about a black-box approach to post-quantum zero knowledge in constant rounds. This is a joint work with Nai-Hui Chia and Kai-Min Chung.

Zero-knowledge proofs and arguments are fundamental primitives in cryptography. In those primitives, a prover tries to convince the verifier of the truth of some statement without revealing anything beyond the truth of the statement itself. Formally, we require the following three properties. The first is completeness, which means that if the statement is true and everything is done correctly, then the verifier accepts with overwhelming probability. The second is soundness, which means that if the statement is false, then the verifier accepts with negligible probability. And especially, when we consider an unbounded-time cheating prover, then we call the protocol a proof. And if we consider a polynomial-time cheating prover, then that is called an argument. And the third property is the zero-knowledge property, which means that the verifier learns nothing beyond the fact that the statement is a true statement.

And next, I will explain a more formal definition of the zero-knowledge property. So, the zero-knowledge property is defined like this. For any verifier, there exists a simulator such that for any distinguisher, the distinguisher doesn't distinguish these two worlds. In the real world, the verifier interacts with the honest prover. And in the ideal world, the simulator simulates the verifier's view. And especially when we consider classical zero knowledge, everything, V, S, D and OGS, is classical. And when we consider quantum zero knowledge, everything is quantum. And especially, we consider a subclass of zero knowledge called black-box zero knowledge. The difference from the normal zero knowledge is that the simulator here uses the verifier only in a black-box manner. And here are several reasons why we study black-box zero knowledge.
First, most known protocols satisfy black-box zero knowledge. Second, there are very few non-black-box simulation techniques. And third, protocols with non-black-box zero knowledge are usually far from practical. So, for those reasons, it is very important to study the power and the limitations of black-box zero knowledge.

And especially, what we consider in this work is post-quantum zero knowledge. A post-quantum zero-knowledge protocol is a classical protocol with quantum zero knowledge. And especially, we focus on those for NP languages. And we already know a lot of constructions of classical zero-knowledge protocols for NP. So, one may think that we can obtain post-quantum zero knowledge by just replacing the assumptions with post-quantum assumptions in those classical constructions. However, in general, this doesn't work because of the usage of a rewinding technique that is often used in the classical security proofs.

And I would like to review known constructions of classical and post-quantum zero-knowledge protocols. And I remark that this is not an exhaustive list of the known constructions. This is just the work most related to our work. The first zero-knowledge proof for NP languages was proposed by Goldreich, Micali, and Wigderson. And this is based on one-way functions. However, the round complexity of this protocol is polynomial. So, after that, it has been one of the most important research topics in zero knowledge to reduce the number of rounds. And as for constant rounds, there are protocols by Goldreich-Kahan and Bellare-Jakobsson-Yung. And this is five rounds based on collision-resistant hash. And this is four rounds based on one-way functions, and this is only an argument. So, this is the state of the art in the classical setting. However, it is not immediately clear if these constructions also satisfy quantum zero knowledge, even if we use post-quantum assumptions. In that direction, the first progress was made by Watrous in 2005.
So, he proved that many known constructions of classical zero-knowledge protocols actually also satisfy quantum zero knowledge if we use post-quantum assumptions. And as a result, he obtained a post-quantum zero-knowledge proof based on post-quantum assumptions. However, his technique is only applicable to protocols with a polynomial number of rounds. So, after that, it has been a long-standing open problem to construct constant-round post-quantum zero-knowledge proofs or even arguments. This open problem was recently solved by Bitansky and Shmueli. They constructed a constant-round post-quantum zero-knowledge argument. However, there are several caveats in their construction. First, their construction is an argument, and so it only satisfies computational soundness. Second, they rely on some non-black-box simulation technique, which means that their protocol is not black-box zero knowledge. Third, their assumptions are rather strong. They are the quantum hardness of LWE and the existence of quantum fully homomorphic encryption.

Therefore, we ask the following question in this work. Are there constant-round post-quantum black-box zero-knowledge protocols, hopefully with statistical soundness, from weak assumptions? These are our results. We construct post-quantum black-box zero-knowledge proofs and arguments from weaker assumptions at the cost of weakening zero knowledge to what is called epsilon zero knowledge, which I will explain later. Especially, we construct two protocols. The first is a proof from collapsing hash functions, which are the quantum counterpart of collision-resistant hash functions, introduced by Unruh. And the second is an argument from one-way functions. And here I would like to remark that our follow-up work showed the impossibility of constant-round post-quantum black-box zero knowledge for NP under a reasonable assumption.
Therefore, weakening the zero-knowledge property is unavoidable for obtaining black-box zero knowledge in constant rounds. So this follow-up work justifies the weakening of zero knowledge to epsilon zero knowledge.

So this is the comparison table among known constructions and our constructions. As I said, the collapsing hash function is the quantum counterpart of the collision-resistant hash function. So given the similarity, our first construction is very similar to what is achieved by the Goldreich-Kahan protocol. And actually our first construction is almost the same construction as the Goldreich-Kahan construction except that we use post-quantum building blocks.

So now I would like to explain what epsilon zero knowledge is. But before that, let's recall the definition of the standard zero-knowledge property. The black-box zero-knowledge property says that the difference between these two probabilities is upper bounded by a negligible function. By the definition of a negligible function, this is equivalent to this: for any inverse polynomial epsilon, this is upper bounded by epsilon. And epsilon zero knowledge is obtained by slightly changing the order of quantifiers. That is, epsilon comes before S. This means that the simulator can depend on epsilon, and so this weakens the requirement. However, we would like to claim that epsilon zero knowledge is just below the standard zero knowledge in the hierarchy of variants of zero-knowledge properties for the following reasons. First, epsilon zero knowledge implies weaker notions of zero knowledge, such as witness indistinguishability, witness hiding and so on. Second, epsilon zero knowledge is sufficient for many game-based security applications. And third, achieving epsilon zero knowledge is usually as hard as achieving zero knowledge in the classical setting. And for those reasons, we believe that epsilon zero knowledge is a very mild relaxation of the zero-knowledge property.
So from now I would like to move on to the technical part. Though we propose two constructions, in this talk I focus on the first construction. And our first construction is almost the same as the Goldreich-Kahan construction, as I mentioned. And that construction is based on the Sigma protocol. So let's start from the Sigma protocol. A Sigma protocol is a three-round interactive protocol that satisfies the following three properties. The first two are just standard completeness and soundness. And the third property is called special honest-verifier zero knowledge. This means that for any fixed E, the transcript can be simulated by a simulator given E. So remark that this is different from the general standard zero knowledge, because when we consider a general malicious verifier, the verifier can choose E depending on A, so we cannot fix E at first. So this means that if we know the verifier sends some particular E in advance, then we can simulate the transcript.

And the Goldreich-Kahan protocol is based on the Sigma protocol, and they added an additional commitment by the verifier to make the protocol zero knowledge against general verifiers. So the idea is to let the verifier commit to E at the beginning. Then a simulator can first rewind the verifier to extract E, and after that E is already committed, so the simulator can use that extracted E to simulate the transcript of the Sigma protocol part, and then it can accomplish the task of simulation. However, the problem is that if the verifier is quantum, then this rewinding doesn't work, because when the simulator rewinds the verifier, the verifier's internal state may collapse, and so the verifier may not go back to the original state. So this is the problem in the quantum setting. And in spite of this difficulty, we managed to prove that this protocol is quantum epsilon zero knowledge by using a novel proof technique. Towards quantum simulation, we first make the following observation.
Suppose that the following two assumptions hold. First, (E, R) is information-theoretically determined from the commitment, and second, V never aborts. Then we can rewind V without collapsing its internal state. The reason is that if these assumptions hold, then (E, R) sent in this round is already determined in advance, and such a deterministic quantum computation can be done without collapsing the state in general. And so, in this case, we can rewind the verifier without collapsing its internal state. And this was already observed in Bitansky and Shmueli's work.

And for item 1, this can be achieved by just requiring the commitment to be strict binding, whose definition is exactly item 1. And this requirement can be relaxed to what is called strong collapse binding, which can be seen as a computational version of strict binding. And we know that such a commitment can be constructed based on collapsing hash functions. And this is the only assumption we use. The details about the definition of collapse binding are not very important for the rest of this talk, so I will omit this.

And for item 2, this is a significant restriction of V because for proving the zero-knowledge property, we have to consider a malicious verifier that sometimes aborts. And so, the main technical difficulty is to deal with such a verifier that sometimes aborts. To deal with such a malicious verifier that sometimes aborts, we first rely on a simple trick introduced by Bitansky and Shmueli. The idea is to guess whether V aborts or not. So, suppose that we have two simulators that work conditioned on V aborting and not aborting, respectively. Then by randomly running either of these two simulators, we get a simulator that works with probability one-half, because the probability that the guess is correct is one-half.
And by Watrous' rewinding lemma, such a simulator that works with probability one-half can be converted into a full-fledged simulator that always succeeds. By using this trick, our task is reduced to constructing two simulators for the aborting and non-aborting cases separately.

First, let's consider the aborting case. In the aborting case, actually the simulation is very easy because when the verifier aborts, the prover doesn't need to send the final message Z. In that case, the simulator only has to simulate A, which is the first message of the Sigma protocol. And the first message of the Sigma protocol can be simulated without using the witness. And so, this case is very easy. So, what is non-trivial is the non-aborting case. In the non-aborting case, the verifier doesn't abort, so the prover has to send Z, which means the simulator also has to simulate Z. And for simulating Z, the simulator has to somehow extract E. But in the extraction, it should not collapse the verifier's state too much. So, this is the difficulty, and I will explain how to resolve this difficulty.

For explaining our idea, let's first consider the following toy example. Suppose that the verifier's internal state after sending a commitment is psi, which is the sum of two orthogonal states, psi A and psi NA. And suppose that the verifier performs a projection onto psi A, and if the projection succeeds, it aborts, and otherwise it doesn't abort. And let's think about what happens if we try to extract E from this verifier. The simulator first runs the verifier until it sends (E, R), assuming that it doesn't abort. Then, the verifier's internal state collapses to psi NA. And at this point, this state is different from the original state psi and we don't know how to go back to the original state. So, one may think that the simulation gets stuck at this point.
However, our key observation is that such a collapse also happens in the real execution in the non-aborting case. Therefore, this collapse doesn't matter for simulation of the non-aborting case, because recall that we are now constructing a simulator that is only required to work in the non-aborting case. So, this collapse is actually fine for that simulator. This is our key observation.

For generalizing the idea to the general case, we rely on Jordan's lemma, which is a commonly used lemma in quantum information theory. This lemma gives us a decomposition of the verifier's internal space into two orthogonal subspaces that satisfy the following. Let's denote the first subspace component by psi smaller than epsilon and the second subspace component by psi larger than or equal to epsilon. And the meaning of this notation is the following. If the verifier only has the first subspace component, then it doesn't abort with probability smaller than epsilon. And if it only has the second subspace component, then it doesn't abort with probability larger than or equal to epsilon. And moreover, the states in the different subspaces do not interfere with each other. And the lemma especially ensures that if the verifier's internal state only has the second subspace component, then it remains in the subspace even if we apply an arbitrary number of rewindings of the verifier.

Based on this observation, we can extract E with overwhelming probability by rewinding on the order of epsilon inverse times if the verifier's internal state only has the second subspace component. And moreover, such an almost deterministic quantum computation can be done almost without collapsing the internal state in general. Therefore, if the verifier only has the second subspace component, then we can extract E almost without collapsing the state. However, in general, the verifier also has the first subspace component, and this state may collapse in an unexpected way.
However, our observation is that this doesn't matter because this state almost vanishes in the real execution conditioned on not aborting, similarly to our previous toy example. And if we could set epsilon to be negligible, then we would be able to prove the standard zero knowledge. However, because our rewinding procedure needs on the order of epsilon inverse rewindings, we can only set epsilon to be inverse polynomial, though we can set it to be an arbitrarily small inverse polynomial. And this is why we can only achieve epsilon zero knowledge rather than the standard zero knowledge.

So this is the summary of how to construct our simulator. First we construct two simulators that work in the aborting case and the non-aborting case, respectively. The aborting case simulator is trivial, and the non-aborting case simulator is constructed by the combination of Jordan's lemma and cryptographic techniques, such as collapse-binding commitments. And based on the Bitansky and Shmueli trick, we combine these two simulators to obtain a simulator with success probability one-half. And finally we rely on Watrous' rewinding lemma to convert this into a full-fledged simulator. And as I mentioned, the non-aborting case simulator has epsilon simulation error, and this is inherited by this and also this. And this is why our final simulator only achieves epsilon zero-knowledge simulation.

This is the summary of this work. We gave two constructions of black-box epsilon zero-knowledge protocols. The first construction is a proof based on collapsing hash functions. And the second construction is an argument based on one-way functions. This is the end of my talk. Thank you for your attention.