Hello everyone, and welcome to my talk on our paper "Shorter Non-Interactive Zero-Knowledge Arguments and ZAPs for Algebraic Languages". My name is Dominik Hartmann, and this is joint work with Geoffroy Couteau. Let me start by briefly recalling the setup for interactive proofs. We have Alice, who wants to convince Bob of a statement. Alice knows a witness, but she doesn't want to reveal it, so she requires a zero-knowledge proof. There are two types of zero-knowledge proofs. First are interactive proofs, which are often computationally very efficient and pretty well understood. Their disadvantage is that Alice and Bob have to exchange multiple messages, so the latency between the messages is a major drawback, and both parties have to be present throughout the whole protocol: these protocols generally aren't transferable, so a party only believes the proof if it was present during the protocol. In many cases we therefore want non-interactive zero-knowledge (NIZK) protocols, where Alice simply sends a single message, a single proof pi, and Bob is convinced even if he sees the proof later. The drawback of these protocols, of course, is that they don't exist in the plain model, so we require some trusted setup like a common reference string (CRS) or the random oracle model, and they are often computationally much more expensive than interactive protocols. But since interactive protocols can't be used in all applications (in voting, for example, they are not feasible), we often require non-interactive zero-knowledge, and that is what we focus on in this paper. So what are existing constructions, and why do we need another one? First, there were results showing that non-interactive zero-knowledge exists for all of NP. However, these generic constructions use expensive NP reductions and don't yield efficient zero-knowledge, so let me recap some efficient constructions.
The first one was the so-called Fiat-Shamir transformation from '87, which compiles a sigma protocol into a NIZK using a hash function modeled as a random oracle. This yields very efficient non-interactive protocols, almost as efficient as the underlying sigma protocol, and security reduces to the properties of that sigma protocol. Since we can compile all public-coin constant-round protocols, we can prove all statements in NP. However, as I said, the hash function has to be modeled as a random oracle in order to get a security proof, so in the standard model this security is in a way heuristic, and we would like to avoid that. The first construction without random oracles was due to Groth and Sahai. It allows us to prove statements over pairing product equations, is secure in the standard model under the SXDH assumption, and also yields adaptive soundness. Its efficiency is much worse than that of the Fiat-Shamir transformation, although still very much usable; it is widely used, was extended in many follow-up papers, and is, I think, the most used zero-knowledge framework to date. Another line of work is on so-called quasi-adaptive NIZKs, which for linear languages culminated in the work of Kiltz and Wee. They gave constant-size proofs for linear languages in the standard model under the standard kernel matrix Diffie-Hellman assumption, but, as I said, only in a quasi-adaptive sense, so the common reference string they use may depend on the language, and their approach only works for linear languages, a much smaller class than pairing product equations or even NP. So why do we need another framework for non-interactive zero-knowledge? As you can see, all constructions shown here have some kind of drawback.
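To make the Fiat-Shamir idea concrete, here is a minimal sketch: the verifier's random challenge is replaced by a hash of the statement and the first flow, shown for a Schnorr-style sigma protocol. The group parameters are hypothetical toy values chosen only so the arithmetic is easy to follow; this is not a secure instantiation.

```python
import hashlib
import random

# Hypothetical toy group: the order-11 subgroup of Z_23^*, generated by g = 2.
P, q, g = 23, 11, 2

def fs_prove(X, w):
    """Non-interactive Schnorr proof of knowledge of w with X = g^w mod P.
    The challenge is derived by hashing (the hash plays the random oracle)."""
    r = random.randrange(q)
    A = pow(g, r, P)                                              # first flow
    e = int(hashlib.sha256(f"{X},{A}".encode()).hexdigest(), 16) % q  # challenge
    d = (r + e * w) % q                                           # response
    return A, d

def fs_verify(X, A, d):
    """Recompute the challenge from the transcript and check g^d = A * X^e."""
    e = int(hashlib.sha256(f"{X},{A}".encode()).hexdigest(), 16) % q
    return pow(g, d, P) == A * pow(X, e, P) % P
```

Because the challenge is computable by anyone from the transcript, the proof is a single message and publicly verifiable, which is exactly the efficiency appeal of Fiat-Shamir described above.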
The Fiat-Shamir transformation requires the random oracle model in the proof, Groth-Sahai proofs are quite inefficient compared to Fiat-Shamir, and the Kiltz-Wee proofs, although very efficient, only work for linear languages and only with quasi-adaptive soundness. So the question was: can we find something which is as efficient as the Fiat-Shamir transformation, secure in the standard model (so without random oracles) under some standard assumption, with adaptive soundness, for a larger class of languages than linear languages? And the answer is: partially, yes. In this work we present a new compiler from interactive protocols, namely sigma protocols, to non-interactive zero-knowledge arguments that does not require random oracles in the security proof, has almost the same efficiency as the Fiat-Shamir transformation, achieves adaptive soundness, and works for the class of algebraic languages, which is considerably bigger than the class of linear languages. It is secure under a new assumption which we call the extended kernel matrix Diffie-Hellman assumption, a natural extension of the regular kernel matrix Diffie-Hellman assumption. So what is the idea of our compiler? As I said, we start with a sigma protocol and want to compile it into a NIZK. This is a sigma protocol over an abelian group: the word is a vector of group elements and the witness is a Zp vector; the first flow is a group vector as well, the challenge from the verifier is just a random Zp element, and the response is a Zp vector. Now we want to compile this into a non-interactive zero-knowledge argument, so we somehow have to eliminate the one flow from the verifier to the prover. The simplest way would be to choose e as the common reference string: both parties have access to it and can simply non-interactively compute the proof and also verify it.
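The three-flow structure just described can be sketched in code. A minimal toy example for the DH language {(g^w, h^w)}, with hypothetical tiny parameters and purely for illustration (real instantiations use large pairing-friendly groups):

```python
import random

# Hypothetical toy parameters: order-11 subgroup of Z_23^*, generators g and h.
P, q, g, h = 23, 11, 2, 3

def first_flow():
    """Prover -> Verifier: a commitment A (a vector of group elements)."""
    r = random.randrange(q)
    return r, (pow(g, r, P), pow(h, r, P))

def challenge():
    """Verifier -> Prover: a random Z_q element e."""
    return random.randrange(q)

def response(w, r, e):
    """Prover -> Verifier: a Z_q response d = r + e*w (here a single scalar)."""
    return (r + e * w) % q

def verify(X, A, e, d):
    """Accept iff g^d = A1 * X1^e and h^d = A2 * X2^e."""
    return pow(g, d, P) == A[0] * pow(X[0], e, P) % P and \
           pow(h, d, P) == A[1] * pow(X[1], e, P) % P
```

Note that the verification equation is linear in the challenge e, which is the property the compiler will later exploit.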
However, this sadly doesn't work, since it breaks the soundness of the protocol. One of the properties of a sigma protocol is special honest-verifier zero-knowledge, which says that if we know the challenge and the statement (which does not need to be in the language), then there is a simulator which produces an accepting transcript, an A and a d, even though x is not in the language. So we can't make it as easy as simply giving e to the prover in advance. We still have to eliminate the verifier's flow, though, and this is where our core idea comes in: instead of giving e in the clear, we simply give it in a different group. So instead of giving e as the CRS, we give g2^e for some generator g2 of a second group. Now x is in a different group than e, and if the two groups have an asymmetric pairing, then verification is still possible, since most sigma protocols have a verification equation that is linear in the challenge, and all protocols we consider will have such an equation, so correctness of the compiled protocol holds simply by applying the pairing. Of course, the second flow of the prover now also has to be in group G2, since it depends on the challenge, which is only present in group G2 as well. We can also easily see that this construction is zero-knowledge: as I said, if the prover had e in the clear, it could simply compute A and d without knowing the witness, so e is exactly a simulation trapdoor. If we give the simulator e, it can use the special honest-verifier simulator of the underlying sigma protocol, and the proof is convincing.
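The special honest-verifier zero-knowledge property just described can be seen directly in code: knowing e in advance, a simulator picks the response first and solves the verification equation for the first flow, producing an accepting transcript for any word, even one outside the language. This is a minimal sketch with the same hypothetical toy parameters as before (Chaum-Pedersen-style protocol for the DH language {(g^w, h^w)}); it shows both why publishing e in the clear destroys soundness and why e over Zp serves as the simulation trapdoor for zero knowledge.

```python
import random

# Hypothetical toy parameters: order-11 subgroup of Z_23^*, generators g and h.
P, q, g, h = 23, 11, 2, 3

def simulate(X, e):
    """SHVZK simulator: given the challenge e up front, pick the response d
    at random and solve the verification equation for the first flow A.
    Works for ANY word X = (X1, X2), whether or not it is in the language."""
    d = random.randrange(q)
    A = (pow(g, d, P) * pow(X[0], -e, P) % P,   # A1 = g^d * X1^(-e)
         pow(h, d, P) * pow(X[1], -e, P) % P)   # A2 = h^d * X2^(-e)
    return A, d

def verify(X, A, e, d):
    """The honest verifier's check: g^d = A1 * X1^e and h^d = A2 * X2^e."""
    return pow(g, d, P) == A[0] * pow(X[0], e, P) % P and \
           pow(h, d, P) == A[1] * pow(X[1], e, P) % P
```

Since the simulated transcript verifies even for words outside the language, any prover who learns e in the clear can cheat, which is exactly the soundness break described above.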
The two interesting questions here are whether this construction is sound, and if so, for which languages. Since the compiler itself is really simple, those two questions are the main contribution of our work. As I told you in the beginning, it will work for so-called algebraic languages, and soundness will hold relative to our new extended kernel matrix Diffie-Hellman assumption. Before I get into the specifics, let me give you a brief intuition on why soundness should hold, and why not for more than algebraic languages. The intuition for soundness is as follows: we have e in group G2, but we have to compute a vector A in group G1 which has a non-trivial relation to this e, because that is exactly what the special honest-verifier zero-knowledge simulator would normally do, and for x not in the language there simply aren't that many options for choosing A. But since we have one thing, namely the challenge, in group G2, and have to compute A in group G1, this should be hard: there should not be much connection between the two groups other than the pairing, and that only gives us group elements in the target group, which also shouldn't help us find something in group G1. This is also where the restriction to algebraic languages comes from, because algebraic languages live over a single group. If we instead had something like pairing product equations, where the language is over groups G1 and G2, then this split, with the challenge hidden in one group and the first flow in the same group as the statement, simply doesn't hold anymore: now the first flow is in groups G1 and G2, or even in group GT, and then the whole divide between challenge and commitment breaks down, and we don't know how to show soundness. So that's it for intuition; now let's get into the technical details, and for that I'll start with some notation. As I said, we'll be using asymmetric pairing groups, so we have three
groups G1, G2, and GT with respective generators, and instead of writing gi^x I'll use implicit notation and write x in brackets with subscript i. Vectors will be lowercase bold letters, matrices will be uppercase bold letters, and pairings will be denoted by this dot. Pairings in implicit notation directly translate to vectors and matrices, so a matrix-vector product in the appropriate groups can be expressed via pairings. So let's start with defining what algebraic languages actually are. The intuition is that these are the languages described by polynomial relationships between exponents in an abelian group. For example, ElGamal encryptions of a bit form an algebraic language, but so does the square Diffie-Hellman language: given g, g^x, and a third element, is it g^(x^2), or g^z for some random z? Formally, these languages are described by a language matrix function and a target vector function, which both take the word as input and output a matrix and a target vector respectively; a word is in the language if its target vector is in the image of its language matrix. This already looks very similar to linear languages, and indeed linear languages are a subset of these algebraic languages: simply set the language matrix function to a constant matrix and the target vector function to the identity. So we can already see that this is more versatile than linear languages, and it has the nice property that algebraic languages are closed under conjunction and disjunction, so the disjunction of two algebraic languages is itself again an algebraic language, and we get OR proofs basically for free. Another property that we can define for algebraic languages is so-called witness sampleability, which means that the language matrix function can be sampled together with a trapdoor that allows us to check language membership. This property originally comes from linear languages, where the language
trapdoor is simply a vector in the kernel of the language matrix: if we multiply a potential language element by this kernel vector, it is canceled, and if the element is not in the language, the result is non-zero, so the trapdoor indeed lets us check language membership. For algebraic languages it is less clear what this trapdoor should be, because such a vector in the kernel of the language matrix for every x generally won't exist or won't be computable. So we can't define it exactly as for linear languages, but in spirit it is the same and can be reasonably defined. An example of a witness-sampleable algebraic language is indeed the ElGamal encryption of a bit, where the secret key is exactly this trapdoor and allows us to check membership. For the square Diffie-Hellman language, however, it isn't clear what the trapdoor would be, especially since it has to be word-independent: how could we check whether we have a square triple or not? So not all algebraic languages are witness sampleable, but many interesting ones actually are. And to make it explicit once more: as I already told you, linear languages are a proper subset of algebraic languages, which themselves are a subset of pairing product equations, which we can prove with Groth-Sahai. As you can see, algebraic languages are only defined over a single group, while pairing product equations span all three groups of an asymmetric pairing, so of course they are more versatile than what we have here. Okay, so we want to apply our compiler to algebraic languages, and for that we need a sigma protocol for algebraic languages, which we get by instantiating the framework of Maurer. The resulting sigma protocol looks as follows: the prover starts with a random image under the language matrix of the word he wants to prove a statement about, gets a random Zp element as a challenge, and his response is the scaled witness blinded by the randomness used in the first
step. You can see that the verification equation is indeed linear in the challenge, so simply by replacing the regular multiplications with pairings we can still verify, and this is exactly what we do: we move e, in group G2, to the CRS; d is now also in group G2, and every regular multiplication is replaced by a pairing. You can easily check that correctness holds, and as I told you before, if we give our simulator e in Zp rather than in G2 as a simulation trapdoor, we can use the underlying special honest-verifier simulator to show zero knowledge. The open question is how to prove soundness. For that, as I already told you, we want to exploit that e and A must have a non-trivial relationship, and reduce this to a new assumption: the so-called extended kernel matrix Diffie-Hellman assumption, which, as the name implies, is an extension of the kernel matrix Diffie-Hellman assumption. So next I'll show you what the kernel matrix Diffie-Hellman assumption is, why it is insufficient to prove soundness in this case, and then our extension and why it actually is sufficient. But first, since you now know what algebraic languages are and already know the name of the assumption, I can show you the main theorem of our paper, which is as follows: if we have a language matrix function M and a target vector function theta which describe an algebraic language, and we have pairing groups, then the compiled sigma protocol from the previous slide is indeed a non-interactive zero-knowledge argument for the language; namely, it is perfectly correct, perfectly zero-knowledge, and if the extended kernel matrix Diffie-Hellman assumption holds relative to the pairing groups, then the protocol is also computationally sound. So let's get to the kernel matrix Diffie-Hellman assumption. It was introduced by Morillo, Ràfols, and Villar, and it is pretty simple: the adversary gets as a challenge a matrix D from some matrix distribution in group G2 and has to answer with a
vector c in group G1 which has to be in the left kernel of this matrix. This already has a similar flavor to what I told you we need: the adversary has to give us something in the group opposite to the challenge, with a non-trivial relation to that challenge. As it turns out, the kernel matrix Diffie-Hellman assumption is already sufficient to prove soundness for linear languages. If we have a linear language with a trapdoor t which, as I told you, cancels the matrix M from the left, then we can look at the verification equation and apply the trapdoor: we multiply from the left, and by definition M vanishes, so the left side is zero. However, if the adversary actually produced a proof for something not in the language, then the x and A terms won't cancel, and if we rearrange a bit, we can read the left side as a vector c and obtain a solution to the kernel matrix Diffie-Hellman assumption for the challenge matrix (1, e), so we have a reduction to this assumption. Why doesn't this work for algebraic languages? The problem comes with the trapdoor. For linear languages we can find a trapdoor which cancels the matrix M, but for algebraic languages this in general won't be possible, because now M depends on the word. To use the trapdoor the way we do here, it has to be over Zp, because otherwise we would have to use the pairing already when multiplying t with A and x, and then we couldn't apply the pairing at the end; the solution would be in the wrong group, since it would already be in group GT. So we need a trapdoor over Zp which would somehow have to depend on the word x, but x is over group G1, so computing a trapdoor which cancels M(x) for every x is in general not possible. In order to cope with this freedom of the adversary to choose x, and in this sense manipulate the matrix M(x), we have to give the adversary more
freedom in the assumption, and this is exactly what we do in the extended kernel matrix Diffie-Hellman assumption, which looks as follows. We make it a bit easier for the adversary to find elements in the kernel of the matrix by allowing him to add rows to it: he gets to add l rows, but in order to keep the assumption non-trivial, he also has to give us l+1 vectors in the kernel of this new matrix, and these vectors have to be linearly independent. This l is now a parameter of the assumption: the bigger l gets, the more linearly independent kernel vectors the adversary has to give us. Formally, we say that the matrix product of C with (D combined with B) has to be zero, and the rank of C has to be at least l+1. So why is this a reasonable assumption to make at all? First of all, it is in a way a natural extension of the kernel matrix Diffie-Hellman assumption: we give the adversary more freedom by allowing him to extend his challenge, but in order to win he also has to give us more. It is also a static and non-interactive assumption, and we have shown that it holds in the generic and algebraic group models. The problem comes in with falsifiability: for a solution to be valid, the rank of the matrix C has to be at least l+1, but this won't be checkable in general for a matrix of group vectors, so the assumption in general is not falsifiable. However, for a large class of useful languages it actually is falsifiable, namely for witness-sampleable algebraic languages, because there we have the trapdoor which allows us to check language membership, and this can be used as follows. We again look at the verification equation, already multiplied by the trapdoor t, which now does not cancel M(x), and put t times M(x), paired with d, on the right side. If we rewrite this in the same way as we did in the linear case, we get a matrix C which is in the kernel of (1, e)
combined with the extension rows that the adversary adds, so this is hopefully a valid solution. We can actually show that the rank of C is full, and in a sense visible, if and only if the word x is not in the language, so in exactly this case we get a reduction to our extended kernel matrix Diffie-Hellman assumption. Visibility of the rank here means that we can bring the matrix C into an upper triangular form without computing anything like CDH, so we can check the rank. Note that we also get a reduction to the assumption for non-witness-sampleable languages, but then the assumption is non-falsifiable. This non-falsifiability is not of a knowledge-assumption flavor but more of a gap-assumption flavor, which one can think of as something like saying that DH in group G2 is still hard even given a CDH oracle in group G1, though this is only an intuition. So let's conclude this talk by comparing our results with some existing ones, namely the ones I told you about in the beginning. For the case of linear languages, and concretely for DH, we can see that our construction is more efficient than Groth-Sahai in proof size, where we save one group element, as well as in the number of pairings, where we save three quarters of the pairings that Groth-Sahai needs, which is quite a lot. We are not as efficient as the Kiltz-Wee proofs, since they yield constant-size, smaller proofs and need fewer pairings, but our proofs are fully adaptive while theirs are only quasi-adaptive, and the assumption is actually a standard one: here we are secure under the same assumption as the Kiltz-Wee proofs, namely the standard kernel matrix Diffie-Hellman assumption for linear languages. The efficiency improvements compared to Groth-Sahai also hold in the general case for linear languages, so asymptotically we also improve over Groth-Sahai in proof size as well as in the number of pairings. Another interesting fact is that, to the best
of our knowledge, our framework yields the first proofs which are fully adaptive but leverage witness sampleability, so we close a gap between Groth-Sahai and Kiltz-Wee: the former is fully adaptive and does not use witness sampleability, while the Kiltz-Wee proofs are quasi-adaptive, one variant without witness sampleability and the other with it. So it is a nice completion of the picture, in a sense. Another important application are OR proofs, and the most prominent and most used OR proof is the one by Ràfols, which is an application of the Groth-Sahai framework. Again, let's start with the OR of two DH languages: there, the proof size of the existing proofs is 10 group elements and they require 24 pairings, while we only need 7 group elements and 12 pairings, a huge efficiency improvement, of course at the cost of assuming our new extended kernel matrix Diffie-Hellman assumption and of using witness sampleability, which for DH is a given. This of course extends to general languages described by an n1 times t1 matrix and an n2 times t2 matrix; note that these do not have to be the same, so this is a really flexible construction, and the efficiency improvements hold asymptotically as well. So what are some applications of our new OR proof? There are many, and some include tightly secure structure-preserving signature constructions, simulation-sound quasi-adaptive NIZKs, ring signatures, and many more. For many of these applications, the OR proof is actually a large part of their size and computation, and by reducing its size we can significantly improve the size of the primitives in which they are used. So by assuming our new assumption we can greatly improve many primitives, and that is at least something to consider. That's it for my talk; I hope you enjoyed it, and thank you for your attention. If you have any questions, I'll gladly answer them at the panel discussion. I'll gladly see you then, bye!