 So thank you for the introduction. This is a joint work with Ryo, Shota, and Takashi, all from ICE and NTT. So this is part 3, and it's only going to take about 10 more minutes. So this is our result, and what we have is that, so as Jafar told us, the first one is the same for all three groups. We got a designated verifier and NISCs from the CDH assumption. And the thing is that this, the proof size is very, well, rather long. So in our paper, what we did is that we actually considered, like, the short proof size setting, and we kind of modified the setting from DVNICs to designated proverent NIZK and pre-processing NIZK, and we got short proof size by changing the model a little bit. And all these are obtained through Diffie-Hellman type assumptions. And for the last one, the third result, the pre-processing NIZK, we get this from the DDH assumption. So the first one is already done. So what we're going to be looking at is the following item 2 and item 3. So let me just tell you about the motivation a little bit more. So when we consider NIZKs with proof size, which are independent of the circuit size C, computing this NP relation, we actually only know them from rather strong assumptions, such as IO, FHE, knowledge assumptions, and so on. So the question is, if we don't really want to use these kind of assumptions, then what do we get? So without relying on these assumptions, we actually don't have a lot of really compact proofs. And, well, first of all, the DVNICs that we were talking about so far, it has to go through these FLS transforms, so it has a very long proof size. And the famous growth of Ostrowski Sahai NIZK has actually proof size, that is, security parameters times the circuit size. And as far as we know, the shortest one without relying on the strong assumption is the CRS NIZK of growth in 2010, which is based on a factoring-based assumption, and this has proof size that it's polylog lambda times the circuit size. So when you look at this, all of these, well, NIZKs, proofs, when you don't rely on these strong assumptions, we only get what we get is a multiplicative overhead in this circuit size C. So the question is, can we make this additive? And this is what we did in this work. So we construct a designated prover and a preprocessing NIZK based on, well, falsifiable pairing or pairing-free group assumptions with proofs size that are additive in this circuit size. So it's going to be the circuit size plus poly lambda. So this is going to be the main thing that I'll be talking about. So as a recap, well, it might not be a recap because nobody explained this so far, but the DP and PPNIZ, what is this? So DP is sure for designated prover NIZKs. It's the quite opposite of DVNIZ. So rather than the verifier having this secret key, the prover is going to have the secret key. And a preprocessing NIZK, this is where it's a relaxation of DP and DV, where both of them have secret keys in a preprocessing phase. And after that, they can do NIZKs as much as they want. And the reason why this DP and PPNIZKs are kind of interesting is because there was a very nice result by Kimu in 2018 crypto that showed that from any context-hiding homomorphic signatures or MACs, you can convert them into a designated prover or a preprocessing NIZK. So when it's a signature, you get a DP and NIZK. When it's a MAC, you get a preprocessing NIZK. So for the rest of this talk, I'll only be talking about this context-hiding homomorphic signatures or MACs. And so when we get this from a Diffie-Hellman type assumption, then it means that we get a DP and PPNIZK from that same assumption. Okay, so what are these homomorphic signatures or MAC? So let me explain this in a very informal way. So in this scenario, the signer is given a mess... Well, the signer produces a lot of message and a signature pair. So here it's W1 to WK. It constructs K messages and K signatures. And the signer can just give this pairs of signatures and message pairs, along with the circuit C. And there's going to be this public evaluator, which constructs an evaluated signature on this message C of W. So more formally, what it means is that the public evaluator is going to homomorphically modify these signatures and construct the sigma C, which is a signature on CW. And we rely two types of security guarantees for these homomorphic signatures or MACs. So unforgeability, I won't get into detail, but this is basically very similar to Singer Scheme's unforgeability. And at a high level, this provides you with soundness when you convert it into NIZK. And the other one is a little bit more special and unique to this setting is context hiding. And what context hiding tells you is that for an evaluated signature, CW and the sigma C pair, this does not leak any information of the original message W, other than the fact that it computes to CW. And as you can kind of see, this is going to be very important for zero knowledge because W is going to be our witness and the circuit C is somewhat related to this, the circuit computing this NP relation. So with zero knowledge, with context hiding, we get zero knowledge. Oh, and I forgot to tell, but when this CW and sigma C, the evaluated signature, if it can be verified publicly, then it's a homomorphic signature scheme. Otherwise, it's a homomorphic MAC. And finally, what Kim Wu showed is that if for all NC1 circuits, this homomorphic signature or MAC outputs a homomorphic, well, evaluated signature that is size poly lambda, which is independent of the circuit, then by going through this Kim Wu transformation, what you get is an NIZK with proof size, which is a circuit size plus poly lambda. So in the end, our goal is getting a homomorphic signature or a MAC, which has a proof size, which has an evaluated signature size independent of this NC1 circuit size. So if we get that, then we get our goal. And this brings us to our first result. We got a new homomorphic signature scheme, which, as I said, implies a DP NIZK. And this is going to be a compact homomorphic signature for NC1 circuits based on a new non-static Diffie-Hellman type assumption, which is secure in the generic group model. And the core idea is that we view the simulator used in certain key policy ABE schemes. I mean, the simulator used in these key policy ABE security proofs as homomorphic signatures. I will explain this in the next slide. So after that, we construct a new key policy ABE with constant size secret keys, and this will lead us to this compact homomorphic signature scheme. So a little bit more in detail, a very high-level understanding of this is that... So let's consider the proof of a selective security of an ABE scheme. So in this scenario, what happens is that the adversary outputs this X star, this target attribute to the simulator. And this ABE simulator is supposed to simulate the real-world challenger right now. So what it does is that it generates this simulation trapdoor, which is related to this target attribute X star. And it also produces this public parameter and provides the public parameter to the adversary. And the adversary can query any circuit that does not satisfy this target attribute, and he'll be able to get this secret key C, because it's the secret key query. So the simulator is going to use this simulation trapdoor TDX star to simulate this SKC and provides it back to the adversary. And the thing is, this is our main observation, is that this simulation trapdoor TDX star, we can kind of view this as a signature on this message X star. And we can view this process of simulating this secret key SKC as evaluating on this trapdoor, the simulation trapdoor TDX star on this circuit C. Because the adversary can only query for a circuit which satisfies the CX star equals zero, it kind of tells you that the secret key is an invalid signature for a circuit which satisfies CX star equals zero. And through this kind of way of observing these security proofs, we construct new homomorphic signature schemes. And since these SKC, these secret keys are the evaluated signature, when these secret keys are succinct, when they're compact, then it ends in a very compact homomorphic signature scheme. And this is our second result. So we construct a new homomorphic MAC, and as again, this results in a pre-processing NICK. And I won't get into details, but we construct a compact homomorphic MAC for arithmetic circuits of fully bounded degree based on the DDH assumption, very weak assumption. And this includes NC1 circuits. And the core idea is that we transform this information theoretically secure non-context-hiding homomorphic MAC by Catalona and Fiora into a context-hiding homomorphic MAC using this special extractable FE for inner products. So functional encryption schemes for inner products, IPFE. So we can forget about this extractable part through this technical overview. But basically, if we instantiate this IPFE based on the DDH-based construction of Agro, Libert, and Stelet from 2016, we get our context-hiding homomorphic MAC from the DDH assumption. And this, again, is a very high-level overview of a result, too. So how did Catalona and Fiora get a non-context-hiding homomorphic MAC? This is a review. Here, the secret key was just a vector of zp elements. And to sign on a message wi, what it does is that it just outputs a signature, sigma i, which satisfies that kind of relation, ri equals wi plus sigma is. And to evaluate on this function f, which is degree D, what it does is that this evaluate signature is just going to be that vector c1 through cd. Where the c1 through cd is actually a coefficient of the function that's, well, the polynomial that is evaluated on the right-hand side. And as you can kind of compare with the above line, you can see that, well, without the knowledge of r and s, the secret r and s, you could still compute these ci's because these cj's are a function only of this w and sigma, which are public right now. And to do this evaluation algorithm, this verification algorithm, the verifier just computes this fr and checks whether that equation holds or not. And the reason why this is not context-hiding is because this evaluate signature, which is this c1 through cd, may leak information of the original message w because, as I said, the c1 to cd are a function of this w and the sigma right now. So our main observation here, like how to fix this into a context-hiding Mac, homomorphic Mac, is that when you actually view this verification algorithm, the verifier only needs to know that summation of this cj to sj. And it doesn't need to know these individuals c1 through cd. So what we do is that we use a functional encryption scheme for inner products to kind of solve this problem. So we're going to modify this evaluation of this signature. So we're going to output this evaluate signature as an encryption of this vector c1 to cd. So we're not going to output this c1 to cd in the clear. We're going to encrypt it using this IPFE. And to verify this, what we're going to do is that we're going to provide, as this secret key for this verifier, we're going to provide him with this s2sd vector and we're going to provide this key for this inner product functional encryption scheme. So what we can do now is that the verifier can just run this decryption algorithm for this IPFE and it will get back that summation that I write in the red box on top. And since the verifier never learns these individuals c1 to cd, we can argue through this IPFE that it leaks no information of these c1 to cd and it becomes context-hiding. And here, since we can use a DDH-based IPFE, this just provides us with a homomorphic exchanger scheme based on the DDH assumption. And that ends my session, not session like my part. And any questions? Yeah, any questions to the last speaker as well as to previous speakers? Right, I see you're eager for the reception. Then let's thank the speakers.