 G'day! My name is Arndt Tobias Ödegorch. I will be presenting the paper very highly extractable one-way functions and their applications to subversion serial knowledge. The paper accepted to ASICRIV 2021. My co-authors are Prasoudi Fauzi, Helger Lyfma, Jan Ossim and Gerhard Seilens. So I'll start by giving some intuition about the setting we're in and the problems we're trying to solve. So non-interactive proofs is a nice primitive to have in photography. So we're in a setting where the prover cat, who knows the statement X, as well as some private witness W, which certifies that X is the true statement, wants to convince the verifier white cat about the truth of this statement without revealing its witness to the white cat. So what we would like to do is that the prover cat calls some algorithm proof on the statement and the witness, and outputs a proof pi and sends this to the verifier cat. The verifier cat can then check is this proof I should accept or reject using some verify algorithm. And so we want this system to have some desirable properties, namely completeness, soundness and serial knowledge. So completeness is saying that if the prover cat is behaving honestly, so it creates a valid proof from the statement and the witness, then this should be accepted by the verifier cat. Soundness states that if the prover cat is being dishonest, so it's trying to prove something that's not true, then it should not be accepted. And serial knowledge is finally saying that the proof reveals nothing more than the fact that the statement is true, and importantly does not reveal anything about the witness used. Now, certainly this does not exist in the plain model, it's a non-impossibility result. So you need to bypass this somehow, and one way to do this is to work in the CRS model, or common reference string model. So this is a model where the prover and the verifier share some common reference string generated by a trusted third party, and use this to do the proving and the verification of the statement. So then you can get non-interactive serial knowledge or NISIC in the CRS model. So in this case we can actually achieve completeness, soundness and serial knowledge as long as the third party that generated the CRS was behaving honestly. So this relies on a trusted third party, but they do not really exist in the real world. So in case the third party is not trusted, it's good for nothing cat that is in conflict with the other two cats, is it still possible that we can achieve some guarantees? So that is the basis of our paper. So what can we now achieve if we allow for the CRS to be subverted by this third party? So if we require that both soundness and serial knowledge should remain in the case where the CRS is subverted, aka we have properties of subversion, soundness and subversion, serial knowledge, this is impossible. And similarly if we adjust one subversion, soundness, but ordinary serial knowledge, so we let the serial knowledge property go if the CRS was subverted, this is still impossible. It is possible to get subversion, soundness and a privacy-preserving property, known as subversion-witness-instinguishability, which is essentially saying that even if the CRS is subverted, no adversary can tell two proofs of the same statement, but with different witnesses apart. So we will not focus on that in this paper. Our focus will be on subversion, serial knowledge and soundness. So if the CRS is maliciously generated, even in this case, the serial knowledge property should remain. The soundness property will hold if the CRS was honestly generated, but will fail or might fail if the CRS is maliciously generated. And so the key question of our paper is under which assumptions can subversion, serial knowledge be achieved? That is the fundamental question that we try to answer in this paper. Our lab gives a slightly more proper definition of subversion, serial knowledge, NISIX. It consists of five main algorithms and has three main defining properties. So the algorithms are a generate CRS algorithm, a prove algorithm to prove statements, verify algorithm to verify statements and proofs, a verify CRS algorithm to verify that the CRS is of the correct form and a simulate algorithm which is part of the mathematical definition of serial knowledge. It's an algorithm which is able to create real looking proofs based on knowing just the statement, but also some additional information like a trapdoor, but importantly not the witness to the statement. The defining properties are completeness and soundness we've seen before. Subversion, serial knowledge is the new one here. So suppose there is some cat which generates the CRS, then it should be possible to extract by examining this cat a trapdoor that you can use to simulate proofs that should look indistinguishable from real proofs. So again the simulator does not know the witness and the proof outputted by the simulator looks like a real proof, so the real proofs cannot depend on the witness in any serious way. So that brings me to our contributions in this paper. So we define a new primitive which is a variant of an old primitive. So it's a verifiably extractable one-way functions. We give some constructions of this primitive to show how constructions in the literature satisfy our definition. And then we construct some CKNesics from this verifiably extractable one-way functions or Bayoff's. Not just from this we require some additional primitives. And finally we construct Bayoff's from sub-CKNesics under certain conditions. So we really show that there is a strong connection between Bayoff's and sub-CKNesics. So Bayoff's are very tightly related to the assumptions needed to have security of a sub-CKNesics. I'll now define verifiably extractable one-way functions. So a function f is a Bayoff if it satisfies the following three properties. So it should be one-way, so given an image of the function it should be hard to output a pre-image of the function or a pre-image of that image under the function. It should be extractable. So if an adversary outputs an image of f there exists an extractor which outputs a pre-image of y. And this extractor should have access to the adversary and its inputs and auxiliary inputs. If we just have these first two conditions we have the extractable one-way function which is a non-primitive in the literature. It dates back a long way. It was formalized by Kenneth the anecdote. So we add on the final condition of image verifiability. So it should be efficient to check if some y belongs to the image of f or not. And this should be publicly checkable based on only public information, no secrets. And we have some constructions of Bayoff's. So we have constructions in a restricted model but then you can use delegation schemes. And some clever ideas. This is based on work by Petanski, Kenneth the Penetran-Rosen 2016. It turns out that their construction of an extractable one-way function turns out to be verifiable as well. We can get Bayoff's from knowledge of exponent assumptions with pairings. So if f of x is equal to g to the x and g to the x squared there is a knowledge assumption which says that the only way to do this is essentially to know x a.k.a. if any adversary outputs a tuple of this form then there must be an extractor which can output x. So the pre-image of the function. And the pairings, so if you have symmetric pairings in this group you can actually verify that a tuple is of the correct form. Knowledge soundnessics are another way to get verifiably extractable one-way functions. So this is not quite correct but the idea is that the function takes some statement and some witness and outputs a proof of this statement and this witness. And here you rely on NISICS with an additional stronger soundness property known as knowledge soundness which is essentially saying that in order to produce a valid proof you must know a corresponding witness. And the verification here is done by the verify algorithm that's in the NISICS itself and the one-way property holds because of zero knowledge. And finally we have a sort of neat heuristic signature of schemes so the idea here is that if someone is able to create a valid signature they should really know the secret key. Now it's sort of not to work in a certain number of cases like you can see that it's not possible to do the extraction but in certain other circumstances this seems to give a reasonable candidate for verifiably extractable one-way function. So this is not provable based on concrete provable assumptions this is more of a heuristic to create candidate layoffs. It's time to see how we can connect sub-CKNISICS and layoffs. So we get two generic constructions of sub-CKNISICS so we achieve the same sub-CKNISICS property as BFS 16, first bar 18 and ALS Z21 from any layoff. So we have a generic construction based on generic assumptions which in our view better highlights which assumptions are really needed in this case as opposed to the concrete constructions of these three papers. Not that there is anything wrong with those constructions but for our purposes we think that our construction adds some value. So our constructions follow a fairly straightforward approach so they use the FLS approach which is that you add an image Y of a layoff F to the CRS and then you prove with witness insignificability that you either know a witness to the statement or you know a pre-image of Y. Since given just Y it's hard to find the pre-image any successful prover should know a witness. And similarly for the subversion serial knowledge since the CRS generator was able to output an image Y of F the extractor can extract a pre-image and use this as a simulation tractor. And here is important that we have the image verifiability because we need to verify that the CRS is correctly formed. So if we did not have this we would not achieve subversion serial knowledge. So both constructions follow this follow this approach but with some slight tweaks. And then finally we show that the CRS generation algorithm of a sub-CKNISIC is a payoff. Now note this is under certain assumptions on the NISIC. We will not get it in all cases for all languages but for a large class of sub-CKNISICs the CRS generation algorithm is a payoff. That brings us to the conclusion what did we learn today. So the paper defines the new primitive verifiably extractable one-way functions. We show how to construct this primitive from various assumptions and we show how this primitive relates to subversion serial knowledge NISICs. Now there are a number of open questions left here are just two of them. Are there other uses of payoffs? I mean we've used it for sub-CKNISICs are there other uses where this would be interesting? And can they be constructed from other assumptions? So yes we have some constructions from some assumptions are there other ones out there? Thank you very much for watching. If you want to see more details please read the full paper over at the print.