Hi everyone, this talk is going to be about sub-quadratic SNARGs in the random oracle model. My name is Eylon Yogev, and this is joint work with Alessandro Chiesa. Okay, so let me start with a brief, very high-level introduction to SNARGs. These are succinct non-interactive arguments: a proof system for some language L, where a verifier wants to be convinced that x is in the language, and the protocol is non-interactive, so the prover sends a single message pi. The communication complexity, meaning the size of this proof, is going to be succinct, so it's going to be very small; in particular, for an NP language, much smaller than the witness itself. And the soundness is computational. What do I mean by computational? This is in the random oracle model: the prover and verifier both have a shared resource, a truly random function that outputs lambda bits, and the security requirement is called (T, epsilon)-security. For any computationally unbounded cheating prover that performs at most T queries to the oracle, the probability that it outputs a proof pi that makes the verifier accept is at most epsilon. So T is a bound on the number of queries the cheating prover is allowed to make, and epsilon is a bound on its success probability. So why do we study security of SNARGs in the random oracle model? Well, it's a very elegant information-theoretic model: the questions are about information, not computational or complexity assumptions. And it's not only a nice model; we actually have very elegant constructions in this model. And after you take these constructions in the random oracle model, you can heuristically instantiate them, usually with relatively lightweight symmetric cryptography. These constructions are then also post-quantum secure and do not require any trusted setup. Okay.
So what constructions of SNARGs do we have? We have several; I'm just going to mention the main two, Micali and BCS. They both follow the same paradigm: they take an information-theoretic proof, either a PCP for Micali or an IOP for BCS, and combine it with a cryptographic commitment, which is just going to be a Merkle tree using the random oracle, and you get a SNARG, a very short non-interactive succinct proof. Slightly more detail on Micali's construction, since we're going to use this later. The prover writes a PCP for the statement that x is in the language. He takes this PCP, computes a Merkle tree over it, and gets a root. He applies the random oracle to the root to derive PCP randomness, randomness for the verifier, and this defines the queries the verifier wants to read. Then the proof contains this root, all the PCP answers at the locations the verifier wanted to see, and all the authentication paths certifying that these answers are actually what he committed to under this root. So this is the prover, and the verifier is of course going to check the answers to the PCP, and then for each answer, check the authentication path that corresponds to it. And one question is: what is the size of the SNARG in this construction? What is the size of pi? Let me give a one-slide answer of what the size is and what our contributions are. Micali's construction has a quadratic argument size, and I'm going to explain exactly what this means, and we give a slightly sub-quadratic argument size. This is really the first improvement to Micali's construction in a long time. Okay, so now let me explain these two items in slightly more detail. Micali's argument size depends on the PCP that you use. So suppose the PCP has length l.
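To make the paradigm concrete, here is a minimal sketch of a Micali-style prover and verifier in Python, with SHA-256 standing in for the random oracle. The helper names and the toy setup are my own illustration, not the paper's code; a real verifier would also run the PCP decision predicate on the opened answers, which is stubbed out here.

```python
import hashlib

def H(data: bytes) -> bytes:
    # SHA-256 stands in for the random oracle (a heuristic instantiation).
    return hashlib.sha256(data).digest()

def merkle_layers(leaves):
    # Build all layers of a Merkle tree (assumes a power-of-two leaf count);
    # layer 0 holds the hashed leaves, the last layer holds the root.
    layers = [[H(leaf) for leaf in leaves]]
    while len(layers[-1]) > 1:
        prev = layers[-1]
        layers.append([H(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return layers

def auth_path(layers, index):
    # Sibling hashes from the leaf up to (but excluding) the root.
    path = []
    for layer in layers[:-1]:
        path.append(layer[index ^ 1])
        index //= 2
    return path

def check_path(root, leaf, index, path):
    node = H(leaf)
    for sibling in path:
        node = H(node + sibling) if index % 2 == 0 else H(sibling + node)
        index //= 2
    return node == root

def derive_queries(root, pcp_len, num_queries):
    # The verifier's PCP queries are derived by applying the oracle to the root.
    return [int.from_bytes(H(root + bytes([i])), "big") % pcp_len
            for i in range(num_queries)]

def prove(pcp, num_queries):
    layers = merkle_layers(pcp)
    root = layers[-1][0]
    queries = derive_queries(root, len(pcp), num_queries)
    # Proof = root + queried answers + authentication paths.
    return root, [(q, pcp[q], auth_path(layers, q)) for q in queries]

def verify(root, openings, pcp_len, num_queries):
    expected = derive_queries(root, pcp_len, num_queries)
    # (A real verifier would also run the PCP decision predicate here.)
    return all(q == e and check_path(root, sym, q, path)
               for (q, sym, path), e in zip(openings, expected))
```

The size issue discussed next is already visible here: each of the q openings carries a path of about log l hashes, each lambda bits long.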
Okay, so this is the proof length over an alphabet sigma, and the PCP has q queries. Then the size is going to be: the answers to the PCP, so q queries times one symbol each, plus all the authentication paths, so for every query a path of length log l, where every node in the tree has size lambda, the output size of the random oracle. So there is the information-theoretic cost and the cryptographic commitment cost. Now I claim that if you want (T, epsilon)-security, you must set the random oracle output to be O(log(T/epsilon)), and the number of queries of the PCP also needs to be roughly log(T/epsilon). This means that the argument size is quadratic. What do I mean by quadratic? If you plug in these two parameters, then ignoring small log terms, you get (log(T/epsilon)) squared, because q is log(T/epsilon) and this lambda is log(T/epsilon). I want to briefly tell you why these two bounds must hold. First, the random oracle output size. Here's one attack: an adversary can just guess the root in advance, and then he can derive a fooling PCP for this particular root. If he knows the root, then he knows the queries of the PCP, and if he knows the queries of the PCP in advance, of course he can fool you. But guessing the root in advance succeeds with very small probability, 2 to the minus lambda, just from the size of the root, and he can try this T times. So the success probability is roughly T times 2 to the minus lambda, and if we want this to be smaller than epsilon, it just means that the output of the random oracle must be log(T/epsilon) bits. Okay, what about q, the number of queries? Again, I claim that to get (T, epsilon)-security, the number of queries must be roughly log(T/epsilon). And why is this?
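As an aside, the size bookkeeping just described can be written out as a small calculation; this is only illustrative arithmetic, with constants and small log factors ignored.

```python
import math

def oracle_bits_needed(T, eps):
    # Guess-the-root attack: success chance ~ T * 2**(-lam),
    # so pushing it below eps forces lam >= log2(T / eps).
    return math.ceil(math.log2(T / eps))

def micali_argument_size_bits(T, eps, pcp_len, alphabet_bits):
    lam = oracle_bits_needed(T, eps)       # random-oracle output size
    q = math.ceil(math.log2(T / eps))      # number of PCP queries (illustrative)
    answers = q * alphabet_bits                      # information-theoretic cost
    paths = q * math.ceil(math.log2(pcp_len)) * lam  # authentication paths
    # Dominated by q * lam ~ (log2(T/eps))**2, hence "quadratic".
    return answers + paths
```

For example, with T = 2**80 and eps = 2**-48, both lam and q come out to 128, and the path term q * log2(l) * lam dominates everything else.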
So first, the soundness of the PCP must be epsilon over T, because the prover can try T times to win, and each time he has some probability of winning, so you have to set the soundness of the PCP to be epsilon over T. Now, how do we achieve a PCP with such small soundness? Well, you take the best PCP you know, use it as a base PCP, and you repeat it to amplify the soundness. And if you look at a standard PCP with constant soundness and constant queries, or even very sophisticated constructions like DHK, which has very good soundness with a relatively small number of queries, or even if you go to the conjectured best possible PCP that we assume exists, the sliding scale conjecture, which has soundness one over poly and O(1) queries, still the number of repetitions you need is log(T/epsilon) divided by some small factor that I'm currently ignoring, and so the final number of queries is still about log(T/epsilon). And we have lower bounds showing you really cannot do anything better. Okay, so let's put things on a scale. We said that Micali's construction is roughly (log(T/epsilon)) squared. You can easily show a lower bound of log(T/epsilon); this is a trivial lower bound, you cannot do better than that. And the question, the focus of this talk, is what happens in the middle. Now, using all this formulation, I can formally state our result. We give a new construction: we prove that there exist SNARGs in the random oracle model that achieve argument size log(T/epsilon) times log T, for (T, epsilon)-security. So we don't have (log(T/epsilon)) squared, but just one factor of log(T/epsilon) and then log T. And just one line about our approach before I describe the construction: we use a stronger information-theoretic proof.
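Before moving on, the repetition count from the soundness-amplification argument above can be sketched as follows, under the simplifying assumption that soundness multiplies across independent repetitions.

```python
import math

def repetitions_needed(base_soundness, T, eps):
    # Need s**k <= eps / T, i.e. k >= log2(T/eps) / log2(1/s).
    return math.ceil(math.log2(T / eps) / math.log2(1 / base_soundness))

# With a constant-soundness base PCP (s = 1/2) and T = 2**64, eps = 2**-64,
# you need 128 repetitions; even a sliding-scale-style base (s = 2**-20)
# only divides that by the small factor log2(1/s) = 20.
```

This is the point in the talk: whatever base PCP you start from, the final query count stays at log(T/epsilon) up to that small dividing factor.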
Okay, so we still use a PCP, but with a stronger soundness notion. This allows us to combine it with a weak cryptographic commitment; it's not actually going to be a full commitment, but something weakly binding. And together we get our sub-quadratic SNARGs. Okay, putting this back on the scale: in this work we get this argument size, so it's much closer to the lower bound than Micali's, and still there is a gap where we don't know. Of course, we hope that maybe after our first step, we could actually make this smaller and smaller and get to the lower bound. One last comment about the construction before I describe it. We actually worked hard to get not only these theoretical big-O-tilde expressions, but good concrete parameters. We compare this with Micali instantiated with a standard base PCP, and you can see in this table that, depending of course on the values of T and epsilon, we get different improvements; the best improvement in the table is a factor of about two better than Micali. Okay, our construction. I only have time to describe the construction; I won't have time to give you a proof, but I'll give the intuition for why this is secure along the way. Our starting point is Micali's construction: think of Micali, you take a PCP, you compute the Merkle root, and then you give all the authentication paths. What we are going to do is set the oracle output size to be log T. First, once we set it to be log T, we actually exactly get the argument size that we want: q, which is log(T/epsilon), times log T. So the argument size is right, but I just convinced you that you shouldn't use this output size for the random oracle.
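Comparing the two sizes at the level of these rough asymptotics can be done in two lines; note this toy formula ignores all constants and lower-order terms, so the concrete factor-of-two table in the talk is the real comparison.

```python
import math

def micali_bits(T, eps):
    # Oracle output and query count both ~ log2(T/eps).
    x = math.log2(T / eps)
    return x * x

def chopped_bits(T, eps):
    # Same query count, but oracle output reduced to log2(T).
    return math.log2(T / eps) * math.log2(T)
```

For instance, with T = 2**64 and eps = 2**-128, the toy formula gives 192 * 192 versus 192 * 64 bits.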
Okay, but just using this, the construction is of course not secure, so we're going to introduce a few changes that together are going to make the construction secure. We make four main changes: we chop the tree, we introduce domain separation, we permute the proof, and we use robust PCPs. I'm going to shortly describe these, and I just want to say that these changes do not increase the argument size, so we definitely keep the argument size that we want. Each one separately doesn't do a lot, but combined, they actually do increase security, and this is what lets us reduce the output size of the random oracle to just log T. And just a comment: this also works when you add salts, which is very good for zero knowledge, but I'm not going to talk about zero knowledge here. Okay, so this is Micali, right? You take the PCP, you compute a Merkle tree, you derive randomness, and then you give all the authentication paths. We're going to change this commitment. Instead of sending the root, we're going to chop the tree at some layer i-star. What do I mean? You choose some layer i-star, which I'm going to specify, and you stop computing the Merkle tree at this layer. Then you take all the nodes in this layer, and we might have many nodes in this layer, and treat them as one long concatenated string; this is your new root. You apply the random oracle to all of this to derive PCP randomness. So this is the chopped tree. When i-star equals zero, this is Micali, I didn't do anything. When i-star equals log l, this means you chop at the bottom, meaning you just send the entire PCP, so you have excellent security, but your proof length is very, very large.
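The chopping step might be sketched like this, again with SHA-256 in place of the random oracle and with helper names of my own; a power-of-two number of leaves is assumed.

```python
import hashlib

def H(data: bytes) -> bytes:
    # SHA-256 stands in for the random oracle.
    return hashlib.sha256(data).digest()

def chopped_commit(leaves, i_star):
    # Merge hashed leaves pairwise, but stop once 2**i_star nodes remain:
    # that whole layer, concatenated, plays the role of the root.
    layer = [H(leaf) for leaf in leaves]
    while len(layer) > 2 ** i_star:
        layer = [H(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
    return layer

def derive_randomness(chopped_root):
    # PCP randomness comes from the oracle applied to the whole layer at once.
    return H(b"".join(chopped_root))
```

With i_star = 0 this is exactly Micali's single root; with i_star = log2(len(leaves)) it sends the hashed leaf layer (in the talk, the entire PCP itself).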
Okay, and in general, as i-star gets larger, the security gets higher, but the argument size is also larger, and the question is what the best point is. In general this tradeoff is not in your favor, except for one specific value of i-star, and this is going to be log q, where again q is the number of queries of the PCP. For this specific setting we can actually show that we get better security with the same argument size. And why do we get the same argument size? Because you're going to open q paths anyway, so if you look at level log q, which has q nodes in it, the proof is going to contain almost all of these nodes with high probability anyway, so sending all of the nodes really doesn't increase the actual proof size. And just a comment on why this helps: remember the attack I described before, where you guess the root in advance, and then you know the entire randomness, and this lets you win; that was one lower bound that made us set the random oracle output to log(T/epsilon). Here, you cannot guess this whole layer at once. You can guess maybe a single node, and if you do that, you can only control a small part of the PCP, which hopefully doesn't increase your success probability by too much. Okay, the second change is a very simple one, which we call domain separation: we're going to use a different oracle for every location in the tree. Because this is a random oracle, this is easily achieved just by putting a prefix with the position (i, j) on every query: if I have a node in level i of the tree, at the j-th position in that level, I just put this prefix there. And this prevents reusing inversions or collisions in different parts of the tree: if the adversary found some collision on one node in the tree, he cannot use this collision at a different node, because he's going to need to use different prefixes. This
of course does not increase the size of the proof, because these i and j don't need to be written explicitly. So just an example: the prefixes of the nodes on one level are (1,1), (1,2), (1,3) up to (1,16) in this example, and (2,1), (2,2) on the next. You just add the prefixes everywhere, and this really splits the oracle into a different oracle for every position in the tree. Okay, change number three, permuting the proof. We're going to permute the PCP proof before applying the chopped Merkle tree, and by permuting the PCP I mean permuting the locations of the proof. For simplicity, we're just going to assume access to a random permutation over the positions 1 to l, where l is the size of the PCP. This is just a simplifying assumption for now; of course you can implement this permutation from a random oracle using Luby-Rackoff, but I'm not going to go into those details. The reason is that this creates the effect as if you had a PCP with uniformly random queries. If you have a PCP with uniformly random queries to begin with, then that's great, you don't need this permutation. But in general you might have a PCP whose query distribution is not uniform, and I want every single query to go to a uniform position, so I just permute the positions of the proof. The positions matter because of the way the Merkle tree is constructed; for the PCP itself, the positions really mean nothing. So it's the same construction: we have the cut, we have the prefixes, and now instead of writing the PCP itself, I'm permuting the PCP randomly and then writing that. So this leaf might be position number 10, this might be position number 2, position number 25, and so on, and in every subtree we're going to have a random subset of the PCP positions. Okay, change number four, a robust PCP. As we said, we're going to use something stronger than the standard soundness notion of PCPs. So this is a strong notion
of PCP that we call permuted robust PCPs; it has to do with how we permute the proof. The intuition of robust PCPs in general, and robust PCPs are not a new notion, is that if the prover changes just a small number of symbols after the fact, after the verifier has already decided which symbols to read, he still cannot make the verifier accept. So the prover commits to some proof, the verifier randomly chooses which symbols to read, and then after that you allow the prover to change a few symbols; still, the local view of the verifier is actually far from being accepting. We want such a notion, and our notion is going to introduce blocks. So we're going to have a parameter b, which is the number of blocks, and we're going to assume we have a random permutation over the l positions, and then we define a distance. This is not going to be distance over single-symbol locations but a blockwise distance: the blockwise distance after you permute the strings according to this permutation. So I take the two strings, I permute them, and then I look at the block difference. For example, the distance between these two strings on the slide is one. Why? All these blocks are exactly the same, and then you have these two blocks which differ, but even though they differ in two locations, it's just one block that is different, so the distance is one in this case. So, given this definition of distance, what is our notion of a robust PCP? It's the following. We have a block parameter b and a distance d, and we first publish a random permutation; it's a truly random permutation, but it's known to everybody, known to the prover beforehand. The cheating prover P outputs a PCP string, so he commits to some PCP string pi. The verifier samples PCP randomness rho and gives this to the prover, and now the prover is actually allowed to output a
different PCP string, as a function of the randomness rho. So he outputs a different PCP string pi-tilde, but the game is going to output one, meaning the prover wins, if and only if not only the verifier accepts the new string, the new proof, which is the easy part, but also the new string is close to the original proof: the distance between the two is at most d, where this distance is relative to the block parameter b and the random permutation. So this is the permuted robust PCP game; a standard robust PCP would be without the permutation at all, and with b equal to 1. And we're going to say that the PCP has robustness ratio beta if, for any d, the ratio between the winning probabilities at distance d+1 and at distance d is bounded by beta. Of course, increasing the allowed distance increases the probability that the verifier accepts, but you can bound the ratio, and then we say it has robustness ratio beta. So we're going to use such a PCP, and we also construct this PCP; this is the fourth change, compared to Micali, who can just use any PCP. And so this is the final construction: we have the chopped tree, we have the domain separation, we permute the proof, and we use this robust PCP, so it's a permuted proof of a robust PCP. I don't have time to show the proof of security; I'm just going to say it is shown in two steps. First, we show that permuted robust PCPs plus this weak commitment, the chopped tree plus domain separation plus the permutation, actually give you sub-quadratic SNARGs. And the second step is of course constructing permuted robust PCPs: we show that these PCPs exist with the parameters we need, by showing that a repeated PCP, so you take any base PCP and repeat it, actually has the soundness notion that we
want. Okay, so just a summary: we have shown a SNARG of size log(T/epsilon) times log T in the random oracle model, and the lower bound is log(T/epsilon). And the major open question here, and, you know, wishful thinking, I hope the answer is yes: are there SNARGs in the random oracle model of size O(log(T/epsilon))? That of course would be an amazing improvement, and I guess it would also have many practical implications. Okay, thank you guys very much, bye.