 Okay, hi Indeed I'm going to talk about how to construct constant round concurrent zero knowledge from IO and Interestingly our construction will make use of a special purpose Delegation scheme for P which is some succinct argument for P So this kind of shows an interesting connection between the two types of arguments the zero knowledge ones and the succinct ones So for the entire talk, I'm not going to care about concrete round complexity but if you care to know our protocol can be compressed into six rounds and Also, let me say straight away that I will only talk about computational zero knowledge Argument systems and the plain model constructions only. Okay, so let's begin So zero knowledge protocols is a fundamental and enables a prover to prove about the validity of a statement without revealing anything else and this property is captured through the simulation paradigm Which requires that everything the verifier sees when talking to an honest a prover its view can be simulated efficiently using a simulator that knows only the statement itself a Very very natural extension of zero knowledge The first one you could think of is that what if the verifier receive more than one proofs and in particular He could control how the messages are scheduled in all those proofs And in this case in order to say that the verifier still learns nothing we need to require that there exists a simulator that can efficiently simulate the joint view in all different sessions and Generically there are two types of simulation in general the black box version and the non-black box version So the black box version is the simpler and the weaker one It restricts the simulator to be a tool can only make black box cause to the cheating verifier Whereas the non-black box simulation does not place any restriction and in particular simulator can make use of the code of the verifier itself Okay, so what do we know about concurrent zone knowledge? well for zero knowledge we know constant round construction from one way function and That has black box simulation On the other hand the concurrent knowledge just seems to be harder to achieve because the best protocol with a black box simulation Has logarithmic rounds and in fact that this is essentially tight because of a matching lower bound So therefore a central question that we care about is whether we can get a constant round concurrent zone knowledge Then necessary to circumvent the lower bound the word have to use non-black box simulation In recent years a couple construction emerged, however using very strong assumptions For example using knowledge of exponent type extractability assumption or using public calling different input IO Which itself is an extractability assumption or Using a new assumption called a p-certificate which is basically some non-interactive delegation for p so far We don't know of any Construction the only candidate is McCauley see as proof essentially So in this work we show that in fact IO Suffices if given together with collision resistant hash function and a one-way permutation or Primitives that have slightly super paranormal security okay, so as I said already towards Constructing constant round the concurrent zone knowledge from IO our construction make use of a special purpose delegation for p More concretely what we need is what we call this two round unique p-certificate So, let me tell you what they are They're basically two round succinct argument for p that have unique proofs So in the argument system for p is proving about to those statements that looks like a machine m or input x outputs Why in t steps and to prove such a statement the verifier in the prover each send one message The succinctness requirement is that both of their message are very short of lens affixed to polynomial independent of the lens of the statement nor the complexity of the statement The efficiency of the verifier depends only on the length of the statement Whereas the prover naturally where I have to run in time at least the runtime of the computation itself So the special property that we actually require with respect to such succinct argument is the uniqueness property what we want is that for any statement No matter it's true or false and any verifiers first message there exist at most one accepting proof at most one and that's all that's what we need and In the construction coming up next it is convenient to think about as a mental experiment that we actually have an even stronger tool Which is a non interactive unique p-certificate Which is everything the same except that there is no verifiers first message We just have in one shot a succinct to the proof that is unique And indeed this is the approach that we were go towards constructing constant rank and comments on knowledge That we were do two steps in the first step were constructed using the non interactive unique p-certificate And then we will show that in fact the two round version suffices Well, I won't have time to tell you about today is how to construct these two round unique p-certificate from IO Which I will leave you to refer to the paper Okay, so let's start So our starting point not surprisingly is a Brock's non black box zero knowledge protocol So let's see what it is. It doesn't matter if you care about concurrence on large or not I think a Brock's protocol is beautiful and it's on to know Okay So to begin the prover sends a commitment of either zero or some machine M To the verifier The verifier responds very simply with a very long random challenge much longer than the commitment itself And finally the prover proves using a witness indistinguishable proof that either the statement He's trying to prove is true or he has actually committed to a program in the first message And in fact for this program, there is a very short input that makes it outputting the challenge are Here by short it means the length of this input needs to be much shorter than the length of the random challenge at least by the security parameter and Here we actually make use of a very succinct commitment and the wi proof And we can think about the total length of their messages is n So to understand the Brock's protocol a little bit better we can see that the protocol actually consists of two half The left a half, which is the honest half and the right half. That's a trap door half Obviously the honest half is going to be used by the honest prover using a real witness Which is what he were doing in actual proof Whereas the trap door half is only there so that the simulator can cheat Using some fake witness they will have to consist of the machine M and the input E So despite the fact that there exists this trap door the soundness of the protocol still holds Why because a cheating prover in order to prove a false statement must use the trap door half and to do that He needs to commit to the program before the random challenge R is even chosen And then it's information theoretically to guess such a program that on a very short input Can predict this very long random challenge and therefore soundness holds On the other hand the simulator doesn't need to guess He knows about the code and the random coins of the verifier therefore can simply Come up with a fake witness which sets a machine to be the verifier V star itself and the input to be the first Commitment message. Let's verify that this is this is indeed a good fake witness first of all the commitment is very short because it's succinct and This machine V star all input the commitment by definition has to output the random challenge That's just a tautology Therefore the simulator can cheat Great, this is a beautiful idea Unfortunately, this idea fails when we go to the concurrent setting. Let's see why Here the verifier is receiving more than one proofs and The block simulator We're trying to let's look at them the case proof The block simulator is going to commit to the verifiers codes and Attempts to prove within the final WI that the V star on some short input is going to output the challenge in this session Which is RK? Then again by definition this input V star takes has to be all the message it has received the before output RK Unfortunately in the concurrent setting These messages length is unbounded. It could be very very long much much longer than the length of the random challenge Therefore the simulation doesn't go through a Potential fix to this problem is that well, why do we have to commit to the verifiers codes? Let's see instead commit to the simulator's code itself The idea being that in the simulation everything is generated by the simulator himself Therefore in the WI we should be able to prove that the simulator on no input at all will be able to produce RK Okay, then our problem shall be solved Unfortunately this introduces a new problem, which is the simulation time blows up So to see this let's consider the time for the simulator that it takes until it outputs RK and let's call it TK and Look at the WI that he needs to generate and the time for generating it. Let's call it T prime K Simply by the fact that in order to prove a statement We have to pay at least as long as the runtime of the statement itself Therefore we know T prime K is bigger than TK Now imagine that we have a Further level of nesting where there is a K plus one session that encloses entirely the K session The time for the simulator to generate the challenge in this session TK plus one is at least twice TK Now the runtime blow up exponentially Okay Great, how can we solve this problem while using a strong tool called the unique p-certificate? Let's see how we can use unique p-certificate to circumvent this problem So the product is going to stay more or less the same as before except that it would have a different trapdoor statement and This trapdoor statements instead of requiring that M takes a very short input It will require M to take a very structured input but long What is the structure? The input itself is going to consist of a list of p-certificates and Each of them is proving about some partial execution of the machine M itself In particular the I1 pi i will prove that the machine M on all the p-certificates before it is going to output some string R i And Then finally We're use another p-certificate pi to prove that this machine M only structured input indeed outputs the challenge in this session R So now with this new trapdoor statement we need to verify again that sound is still holds and The reason that it holds is that even though the input now could be very long It's so structured and by the uniqueness property of the p-certificate This list of p-certificates is essentially Inductively determined by the machine M itself. Why because they're all proving about some partial execution of M If it is uniquely determined by M, then even though it's very long it becomes useless And this is essentially why sound is still holds And let's see why simulation still holds Now our simulator is going to consist of two components The component as just as before there were simulated verifier Provers message for the cheating verifier and a new component as component as prime Which does nothing else except to from generating a bunch of appropriate p-certificates and the case one is going to prove that The simulator s on input or the previous p-certificate it receives the front as prime is going to produce the challenge in the case session Now given those p-certificates The simulator s can simulate everything by committing to its own code as before and Proving the wi that he has the right to p-certificate to certify the computation of the committed program Great. Why are we doing all of this complicated stuff? Let's see that why now the simulation time is tamed in particular We look at the time that needed for generating the final wi and Here the runtime again is going to be polynomial in the runtime of the statement it is trying to prove and now Luckily the statement only consists of verifying a bunch of p-certificates and The verification of the p-certificate is short and of some polynomial runtime Therefore the simulator runs in polynomial time and there is no time blow up anymore Okay So great given this very strong unique p-certificates we can indeed get a constant round the concurrent zone knowledge Unfortunately, this is so strong that we don't really know how to construct it So we have to get by with something weaker, which is a two-round the version The basic idea is what's so different with the two-round version Well, the verifier should just send the first message of the verifiers first message for the p-certificate And then we will have to modify the trapdoor statement again So that inside the trapdoor statement every p-certificate is verified with respect to some first message And we have to be very careful with doing that because we do not want to lose the uniqueness property of the p-certificate and in particular For all the p-certificates in the input it will be verified with respect to some First the message of the p-certificate that is produced itself by the machine M and Therefore inductively again that all the p-certificate No matter the first message or the actual proofs are all uniquely determined by the machine M itself and Therefore we again have the soundness fortunately It seems like Everything is great. This idea should work. Unfortunately. It fails at a much more fundamental level The problem with it is that the verifier in fact simply cannot generate the first message itself Why? Because remember that the first message of the p-certificate needs to be generated knowing the statement. It is trying to prove Unfortunately, what is the statement the statement is the committed machine M together with an input to it Which is has to be hidden away from the verifier for the zero knowledge of property to hold therefore the verifier doesn't know and Another reason is that the first message of the p-certificate can take in time Proportional to the length of the statement to generate and the length of the statement could again Be arbitrary polynomial, which is way beyond the capability of the verifier again therefore the simple idea doesn't work and Here again the delegation comes to help us to circumvent this problem What we will do is that instead of letting the verifier generate the first message to himself He's going to in fact delegate this job to the prover to generate And in particular, this is going to require us to use FHG plus IO to achieve a Smaller observation is that when actually in our paper when plugging our particular construction of p-certificate from IO We can avoid the usage of FHG and only rely on IO for this delegation step Okay, great so in summary We get constant round the concurrent zero knowledge using those unique p-certificate We can do with the non-interactive version and even better We can do with the not with the non-interactive to run the version, which itself can be constructed from IO And in fact in our proof can be generalized to even more non-interactive versions Which does not have to be too round as long as every prover's message is unique And that's all what I want to tell you. Thank you