Thank you. I'll talk about non-interactive zero-knowledge proofs for composite statements. This is joint work with Shashank Agrawal and Payman Mohassel. Zero-knowledge proofs provide a powerful tool that allows a prover to convince a verifier that a statement is true without revealing any further information. A zero-knowledge proof satisfies the following two properties. Soundness, which means that a cheating prover cannot convince a verifier of a statement that is false. And the property of zero-knowledge, which means that a cheating verifier cannot learn anything more than the validity of the statement itself. It is known that all languages in NP have a zero-knowledge proof system, but it remains challenging to design proof systems that are efficient enough to be implemented in practice. So if we look at the state of the art in zero-knowledge today, we have sigma protocols that are efficient in terms of proof size and public operations for both the prover and the verifier, and they do not rely on any setup assumptions. But they apply only to a restricted set of languages, like proving knowledge of the discrete logarithm of a public value, or roots, or polynomial relationships among committed values, and so on. Then there are approaches that are based on garbled circuits and MPC-in-the-head. This line of work is very efficient for the prover, requiring only a few symmetric operations per gate in the circuit. But unfortunately, they lead to large proofs. And the system based on garbled circuits also leads to a proof system that is interactive. And then we have succinct non-interactive arguments of knowledge, also called SNARKs. They allow for very short proofs and efficient verification, but they rely on a trusted setup. And they also require prover public operations per gate in the circuit. So now we have very different techniques to prove different kinds of statements.
If we want to prove an algebraic statement, like knowledge of the discrete logarithm of a public value y, sigma protocols are really efficient. On the other hand, if we want to prove a non-algebraic statement that's represented as a circuit, for instance knowledge of a pre-image of a hash function like SHA, then the garbled circuit approach or the SNARK approach is more efficient than sigma protocols. So the question is, how do we prove a statement that is a combination of an algebraic component and a non-algebraic component? We call such statements composite statements and ask how to efficiently prove such composite statements. Such statements frequently arise in practice, and for the purposes of this talk, we look at privacy-preserving audits in cryptocurrencies as a motivating application. So we have the Bitcoin network here, and most Bitcoin users prefer to store their assets on an exchange, like Coinbase, which provides services like online banking with account management and so on. While this is very convenient, this also leaves the users vulnerable to loss of their assets in case the exchange loses bitcoins due to fault or fraud. Famously, Mt. Gox, which was one of the largest exchanges a few years ago and handled about 70% of all Bitcoin transactions, filed for bankruptcy, but only after losing $50 million in client money. So the goal here is that it is desirable to have exchanges prove that they are solvent. And what does it mean to be solvent? It means that the exchange controls enough assets to clear each of its customers' balances. And this is easy to do if it is public what Bitcoin addresses an exchange controls, and a list of its customers along with their corresponding balances. One can publicly compute the total assets of the exchange and the total liabilities, and check that the total assets are at least as much as the total liabilities, and therefore the exchange is indeed solvent. But this is, of course, not private.
It reveals both the total holdings of the exchange itself and the holdings of each of its customers. So the question is, can we have an exchange prove that it is solvent while preserving the privacy of the exchange and its customers? The state of the art in privacy-preserving proof of solvency is a system called Provisions that was proposed a couple of years ago, which is based on sigma protocol proofs. But unfortunately, it doesn't work for Bitcoin because of the following reason. If we look at Bitcoin addresses, they are of the form h, which is the hash of y, where y is g^x for a secret key x, and H is a cryptographic hash function. So if we look at the statement that we want to prove for proof of solvency, it involves proving knowledge of x and y such that y is g^x and the hash of y is h, for a public h. Now notice that this involves a non-algebraic component, which is the hash function here, and an algebraic component, which is the exponentiation here. So we have a composite statement. And because Provisions is based on sigma protocol proofs, it does not really work with Bitcoin hash addresses of this form. So how do we prove such a composite statement? In principle, one could use sigma protocols to even prove a non-algebraic statement represented as a circuit, by writing out each gate as an algebraic relation between the input and the output wires and using sigma protocols to prove such a relation. But that would mean the prover exponentiations and the proof size grow with the size of the circuit, and it becomes prohibitively expensive for large circuits like a hash function. On the other hand, we could also prove algebraic statements by writing them out as a circuit and using circuit-based proofs like SNARKs. But this would mean that we have to represent group operations as a circuit. And this would blow up the size of the circuit. For instance, exponentiation requires size cubic in n, where n is the bit size of the modulus.
So what we ideally want to do is to use sigma protocols for the algebraic part of the statement and a SNARK for the non-algebraic part of the statement. Can we simply combine two different protocols, one for the algebraic part and one for the non-algebraic part? If we do that, a cheating prover could simply use two different witnesses in the two different protocols without having a single valid witness for the entire combined statement. So such a naive combination does not work. And one of the challenges we face when dealing with composite statements is to be able to bind the values that the prover uses in the sigma protocol with the input that he uses in the SNARK proof. And we want to be able to do this without having to prove large circuit statements using sigma protocols and without having to represent group operations as circuits. So we study how to prove composite statements efficiently and show the following. We give constructions for a SNARK on algebraically committed input and output. And then we give constructions of sigma protocols on committed output. Then we show how to use these two building blocks to prove composite statements that arbitrarily compose algebraic and arithmetic representations of functions. For instance, a composite function like this, where each f_i could have an arithmetic or an algebraic representation and have shared secret inputs. I'll begin by talking about the SNARK construction on algebraically committed input and output. Our starting point is the SNARK construction based on the quadratic arithmetic program representation of an arithmetic circuit. I'll give a very high-level overview of a quadratic arithmetic program. So we have a circuit with addition and multiplication gates over a field. And a quadratic arithmetic program encodes this computation in the following way.
We pick a distinct root r_g for each multiplication gate in the circuit and define a polynomial, called the target polynomial, to have roots at each of these chosen r_g. And now, to encode the values on the wires, we define sets of polynomials v, w and y, where the high-level idea is that the v set handles the left input of a gate. So we define v_i(r_g) to be one if the i-th wire is the left input of the gate. And the w set of polynomials handles the right input of a gate. So w_i(r_g) is one if the i-th wire is the right input of the gate and zero otherwise. And the y polynomials handle the output of the gate. So y_i(r_g) is one if the i-th wire is the output wire and zero otherwise. So to illustrate this, if I label the input and output wires of the gate g here as one, two and three, we see that v_1(r_g) is one because one is the left input of the gate g, and v_2(r_g) and v_3(r_g) will be zero. w_2(r_g) is one because two is the right input wire of the gate g. And y_3(r_g) is one. So now the quadratic arithmetic program itself consists of these sets of polynomials and the target polynomial. And it is said to compute the circuit f if the following condition holds: a_1 to a_n and a_k to a_m is a valid assignment of the input and output variables of f if and only if there exist intermediate values of a, that is a_{n+1} to a_{k-1}, such that the target polynomial divides this polynomial expression p. This polynomial p is a linear combination of the v polynomials and the w polynomials minus the linear combination of the y polynomials. So at a very high level, why does this divisibility condition encode this computation? If we look at the divisibility, it means that at every root r_g of the target polynomial t, the polynomial p is zero. And that gives us this equality. And at a particular gate g, at root r_g, this equality basically gives us the gate equation because of the way we have defined the v and w polynomials.
So the divisibility check handles all the gate equations in parallel. Now, to construct a SNARK from a quadratic arithmetic program representation of a circuit, the high-level idea is to encode the polynomials of the QAP in the CRS. And this is done by evaluating each of these polynomials at a secret point in the field and encoding it by exponentiating within a bilinear group. So I show it here only for the v polynomials, but this is done for the w and y polynomials as well. And now the prover uses the witness to compute the values on the wires, the a_i's. And now, using the CRS and the a_i values, he can compute the encoding of the four polynomials here. So the v polynomial is a linear combination of the v_i polynomials where the coefficients are the y values that he obtained. The w and y polynomials are defined in a similar way with the same coefficients a_i. H is the quotient polynomial with respect to T, where T is the target polynomial of the quadratic arithmetic program. And now the divisibility check of the QAP can proceed using the bilinear map. So this verification equation here tests for the divisibility. Now, to construct a SNARK on committed input, we begin with a QAP-based SNARK and then separate the circuit wires into committed input and intermediate values. So we have distinct CRS and proof elements corresponding to them. Recall that in a QAP-based SNARK, the prover computes the encoding of these four polynomials, like we just saw. And now the prover computes the encoding of two different polynomials, v_com and v_mid, where we define v_com to be a linear combination of the v_i polynomials but only for those wire values that correspond to the committed input. And the v_mid polynomial is a linear combination of the v_i polynomials but only for those indices of wires that correspond to the intermediate values. So this separation of wires does not interfere with the divisibility check, which can still proceed using the bilinear map.
And after adding additional checks to ensure that the same coefficients are used in all the linear combinations, and certain additional elements in the CRS, we can show that this is still a good SNARK. So why did the separation of circuit wires help us? We now notice that the new proof element, which is the encoding of the v_com polynomial, looks like an algebraic commitment. If we rewrite this proof element, it has a_i, the values on the circuit wires, in the exponent, where the base is the encoding of the v_i polynomial and is already a part of the CRS. So now the prover uses a standard sigma protocol proof to prove knowledge of the a_i's and show equality between the exponent here and the value inside an algebraic commitment. So this proof binds the value inside a commitment and the input that the prover uses inside the SNARK. We use similar techniques to achieve a SNARK on committed output as well, where we now separate the output wires and have distinct proof elements corresponding to the output values, and an additional sigma protocol proof like this to prove equality of a committed value and the exponent in the SNARK proof here. I'll now talk about our sigma protocol constructions on committed output. I'll begin with a simple situation where our algebraic function has a one-bit output. So the function is f(x, y) = b, where x is a secret value, b is a bit and y is public. And now the statement we want to prove looks like the following. We want to prove f(x, y) = b, where c is a public commitment to x and d is a public commitment to b. Our construction is simple. Using the sigma protocol for the algebraic function f, we prove that f(x, y) is one and the commitment inside d is one, or the commitment inside d is zero. And to prove this statement, we use the standard sigma protocol OR transform that allows one to prove that either x_0 is in L or x_1 is in L, but without revealing which x_i.
Now, in general, when our algebraic function has a group element as the output, the statement we want to prove looks like this, where we want to prove knowledge of many x_i's and y such that y is a product of g_i to the power of some polynomial in the x_i's. In the simplest case, we only have one input, and this statement reduces to proving knowledge of x and y where y is g^x, given a commitment to x and a commitment to y. So this is the discrete logarithm proof, and there are techniques known in the literature that work for integer groups. So we show how to do the double discrete logarithm proof in an elliptic curve group. And our starting point is the proof of point addition for elliptic curve points. The point addition relation is specified by an equation that is specific to a curve. For instance, for the Bitcoin curve, given points P and Q, the point addition relation is specified by the following equations for distinct P and Q. And when P = Q, it is specified by a doubling formula. In general, we can think of polynomials L and R in the coordinates of the points that specify the point addition relation. So can we use sigma protocols on committed coordinates to prove these polynomial relationships? So that is the general idea, but one issue is the following. The point addition computation is over F_t, where the coordinates of the points live, and therefore the commitments have to be in a group of order t, which is not necessarily the same as the order of the elliptic curve group. So we get around this issue by working in two different groups, G_1 and G_2, where G_1 is the elliptic curve group of order p and G_2 has an order that is large enough to prevent wrap-around in the point addition computation. So now we commit to the coordinates and the intermediate values in the computation in the second group G_2 and prove the polynomial relationship among committed coordinates.
Now, to translate this equality to modulo t, we use division with remainder along with range proofs, and this proves the polynomial relationship of the point addition relation over F_t. Finally, to put things together, we again use the sigma protocol OR transform and prove the following statement: either P and Q are distinct and the addition formula holds, or P is equal to Q and the doubling formula holds, or P is minus Q and T is zero. And this proves the point addition relation. Now we use the point addition proof to give a double discrete logarithm proof in elliptic curve groups. So recall the goal is to prove T is P^λ, where we are given a commitment to T and a commitment to λ. The prover begins by choosing a random α from the field, computes Q as P^α, and sends commitments to both α and the point Q. And now the verifier chooses a challenge bit. If the challenge bit is zero, the prover reveals α. If it is one, he reveals the difference between α and λ, along with a proof that P^z is Q·T^{-1}. The verifier checks that the commitments are well formed and that the proof is correct. Here, notice that the commitment to the elliptic curve points T and Q is really a commitment to the two coordinates, and the proof π here to prove this relationship is where we use our point addition proof that I just talked about. Finally, we also give arbitrary composition of algebraic and arithmetic representations of functions in the paper, but I don't have time to talk about it now. But what I want to do is to give an outline of how our techniques apply to composite statements in two applications. So revisiting the proof of solvency application that I started with, recall the statement to prove is knowledge of x and y such that y is g^x and the hash of y is h.
So now, using the tools I just showed you, we use the double discrete logarithm proof to prove that y is g^x on committed y and x, and then use the SNARK on committed input for H(y) = h, where H is represented as a circuit, to prove the statement. The second application where composite statements arise is in privacy-preserving credentials, where the setting is the following. We have a certificate authority or a credential issuer who issues certain credentials to a user, and the user later wants to be able to prove to a verifier or a service provider that he has been given appropriate credentials. So the credential itself consists of a set of attributes and a signature from the organization, and one solution, if a prover wants to prove certain properties about the attributes, is to simply reveal the signature. But this would reveal additional information, which is not always desirable. So what we want is for the user to be able to use the credentials he obtained and prove to the verifier that he has been given appropriate credentials and the attributes satisfy a certain policy. There have been several proposals for anonymous credentials in the literature, and they rely on specially designed signatures. So what if we want to base privacy-preserving credentials on a standard signature? For instance, like an RSA signature. Now notice that RSA verification, given a message M and a purported signature σ, involves checking if H(M) is σ^e mod N. This again involves a non-algebraic component, which is the hash function, and an exponentiation, and results in a composite statement. So we can use our techniques here to prove this composite statement, using a SNARK on committed input and output to prove the circuit statement H(M) = h. And then use a standard sigma protocol to prove knowledge of an e-th root of a committed value, and this proves the RSA signature.
So to conclude, in the paper we show how to use our techniques to prove general composite statements that involve function composition, OR and AND. We also give a protocol to prove equality of committed values over different groups. And then we show how to apply our techniques to applications in proof of solvency and anonymous credentials. Thank you.
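The QAP divisibility check from the talk, as an added worked example that is not code from the talk or the paper: the two-gate circuit, the small field modulus and the gate roots are constructed for illustration, and `qap_satisfied` performs in the clear the check that a QAP-based SNARK performs in the exponent via the bilinear map.

```python
# Toy QAP for the circuit out = (x1 * x2) * x3; wires 0..4 hold x1, x2, x3, mid, out.
import functools
P = 7919                         # constructed small prime field (real SNARKs use a pairing-friendly one)
ROOTS = [1, 2]                   # one distinct root r_g per multiplication gate
GATES = [(0, 1, 3), (3, 2, 4)]   # (left wire, right wire, output wire) of each gate
NUM_WIRES = 5

def poly_trim(a):                # drop leading zeros; coefficient lists are low degree first
    while len(a) > 1 and a[-1] == 0: a.pop()
    return a

def poly_add(a, b):
    a, b = a + [0] * (len(b) - len(a)), b + [0] * (len(a) - len(b))
    return poly_trim([(x + y) % P for x, y in zip(a, b)])

def poly_scale(a, k): return poly_trim([(c * k) % P for c in a])

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b): out[i + j] = (out[i + j] + x * y) % P
    return poly_trim(out)

def poly_divmod(num, den):       # long division over F_P; returns (quotient, remainder)
    num, den = poly_trim(list(num)), poly_trim(list(den))
    inv = pow(den[-1], P - 2, P)
    q = [0] * max(1, len(num) - len(den) + 1)
    while len(num) >= len(den) and any(num):
        d, c = len(num) - len(den), (num[-1] * inv) % P
        q[d] = c
        for i, dc in enumerate(den): num[d + i] = (num[d + i] - c * dc) % P
        num = poly_trim(num)
    return poly_trim(q), num

def interpolate(points):         # Lagrange interpolation through the given (x, y) pairs
    result = [0]
    for i, (xi, yi) in enumerate(points):
        term = [yi % P]
        for j, (xj, _) in enumerate(points):
            if i != j:
                inv = pow((xi - xj) % P, P - 2, P)
                term = poly_mul(term, [(-xj * inv) % P, inv])   # times (x - xj)/(xi - xj)
        result = poly_add(result, term)
    return result

def wire_polys(role):            # v_i / w_i / y_i: equals 1 at r_g iff wire i plays `role` in gate g
    return [interpolate([(r, int(g[role] == w)) for r, g in zip(ROOTS, GATES)])
            for w in range(NUM_WIRES)]
V, W, Y = wire_polys(0), wire_polys(1), wire_polys(2)
T = functools.reduce(poly_mul, ([(-r) % P, 1] for r in ROOTS), [1])   # t(x) = prod (x - r_g)

def combine(polys, a):           # sum_i a_i * poly_i, the prover's linear combination
    return functools.reduce(poly_add, (poly_scale(p, c) for c, p in zip(a, polys)), [0])

def qap_satisfied(a):            # True iff t(x) divides p(x) = v(x)*w(x) - y(x): all gate equations hold
    p = poly_add(poly_mul(combine(V, a), combine(W, a)), poly_scale(combine(Y, a), P - 1))
    return poly_divmod(p, T)[1] == [0]

def circuit_assignment(x1, x2, x3):   # honest prover evaluates the circuit to fill every wire
    return [x1, x2, x3, (x1 * x2) % P, (x1 * x2 * x3) % P]
```

An assignment that violates any single gate equation makes p(x) non-zero at that gate's root, so t(x) no longer divides it, which is the soundness property the bilinear-map check inherits.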