 The title of this work is FEG-based wood stripping with the designate proven non-interactive zero knowledge. I am Rotem and this is a joint work with Svicka Borkersky and Sandram Galko. So let me first describe the model we're working on. So we have two parties, a proven and a verifier and there is some NP-relation R and we want to have a non-interactive zero knowledge protocol with respect to this relation. So the syntax is as follows. There is a setup algorithm that takes this relation R and then it generates two values. The first value is a common reference string, a CRS and it is accessible to both the proven and the verifier. And the second value is a secret key and we have this additional value because we are in the designated proven model. So this secret key is designated for the proven. So now assume that the proven has a pair of a statement X and a witness W in a way that X and W are authorized by the relation R. So the proven can generate a proof. It takes as input the pair of X and W and in addition uses this secret key SK and it generates a proof pi. And then the verifier given the pair of the statement X and the proof pi can verify that indeed X is in the language that is defined by R and you can do it without seeing neither the witness W or the secret key that only the proven has. So this is the syntax. And now given such protocol, we want it to satisfy three properties. So I'm not being very formal here but I will describe the intuition about what we want. So for completeness, we want that if X and W are indeed in the relation so the proof that was generated by the proven will be accepted by the verifier. And now the two other properties concern the security. One is the security that the proven cares about and the other one is the security that the verifier cares about. So the proven cares about zero knowledge which means that it doesn't want to leak any information about the witness W that used in order to generate the proof. So we use the standard zero knowledge definition with a simulation but I will not go through the definition here. And for the verifier, we want the soundness property which means that statements that are not true cannot be proved by the proven. So if there is an X that is not in the language which means that there is no witness for which R accepts X and W then there is also no proof that will cause the verifier to accept the proof with respect to the statement X. Okay, so I want to point out that because we are in the designated proven model the proven gets a secret key and the security guarantee that the proven cares about is the zero knowledge which means that if the verifier get to see some information about the secret key it might violate the zero knowledge but it has no effect on the soundness because the soundness is guaranteed to the verifier and the secret key should remain hidden from the verifier. One can think of other model, other models. So of course there is standard non-interactive zero knowledge in which there is only the CRS and no secret key and there is the designated proven model where the proven gets a secret key. In addition, there is a designated verifier model where the verifier gets a secret key and then the secret key guarantees the soundness and there is the additional model of the most generalized one which is the music with pre-post thing where both of them get designated keys. So the proven has his own secret key and the verifier has another secret key of his own. Okay. So in the way that it is described now on the slide the proven can only generate a single proof. So indeed in this setting we call such a scheme a single statement, the designated proven is X but we would also like to consider the stronger model where the proven can generate multiple proofs. So if he has multiple pairs of statement X and the weakness W he can generate multiple proofs using the same CRS and the same secret key and still we want those three properties to hold. So we will focus on the problem of bootstrapping a scheme that is secure with respect to a single statement to one that is secure with respect to multiple statements. So again point out that if the proven generates more than a single proof then what potentially can break the security is that he uses the same secret key multiple times and then some information about the secret key might leak and it might violate the zero knowledge. So when you're going from a single statement to a multi-statement the thing that can break down is the zero knowledge. So let me talk a bit more about this action of bootstrapping a single statement to multi-statement. So this idea first was suggested in the famous FLS paper where they showed that if we have a standard music and non-designated one then we can go from a single statement to multi-statement in a generic way. And recently it was shown that the similar technique can be used in the designated verifier model but it was also pointed out that the similar technique doesn't seem to work when we're in designated proven model. So Kim and Wu showed that it is not possible to have this generic bootstrapping but they showed how to directly construct deep music as Kim using something that is called homomorphic signatures. Okay, so here is our contribution. We show another construction of designated proven music but instead of using homomorphic signatures we use a fully homomorphic encryption, F-A-G. And more specifically we take two steps. So in the first one we show a generic bootstrapping assuming that the single statement deep music that we start from satisfies some succinctness property that we'll define later. So we say that given a succinct single statement deep music we can generically bootstrap it to a multi-statement one. And then to complete the picture we show that it is possible to construct a single statement deep music with succinctness given any fully homomorphic encryption skills. So that will be the main part of our work but in addition we also show a two-way equivalent between designated proven music and something that is called attribute-based signatures but I will not go into that in this talk. So the main technical part will be about constructing this deep music from F-A-G. Okay, so the high-level structure of our construction is as follows. We have an F-A-G scheme. We then construct from it a succinct single statement deep music and then we show how to bootstrap it to a multi-statement deep music. So again as I pointed out earlier single statement means that the zero knowledge guarantee holds as long as the poover only uses the secret key once in order to generate the proof. And now what I mean by succinctness is that the set up algorithm which generates the CRS and the secret key is of complexity that is independent of the relation R. So it's running time and its output is of size that is independent of R. Okay, so before I show how to construct succinct single statement deep music from F-A-G I want to point out that if we don't care about the succinctness we only want a single statement deep music then it is actually possible to get it from a new one-way function which also explains why generic bootstraping with high probability does not exist. So the idea is to allow the pover to encrypt the witness with some symmetric encryption. So in the set up algorithm we begin with sampling a symmetric key and then we use the following circuit. So we have the circuit that verifies the relation R, it takes as input some statement X and in addition it takes as input an encryption of a witness. So this circuit will take the encrypted witness, we'll decrypt it and then we'll verify it with respect to R according to the input X that it received. So we look at this circuit and now we compute garbelling of it the garbell circuit of the circuit that we just defined and eventually we compute commitments to all of the input labels of the garbell circuit. So all of that will be the CRS of the construction and we can assume without loss of generality that the secret key is all of the randomness of the set up algorithm. So we assume that now that the verifier so that the pover can get to see the secret key and all of the randomness that was used for the garbelling and all of the randomness that was used for the commitments. Okay, so now we have the pover and he has his statement X and some witness W and he doesn't want to reveal W. So he uses the secret key in order to encrypt W, he gets this W tilt then encrypted version of W and now he looks at this pair of X and encrypt W and provides labels of the garbell circuit according to this input and also the commitments to the corresponding labels. So the verifier now can verify the commitment in order to know that he indeed got valid labels and then he can execute the circuit and to verify that I'll accept this X with respect to some W. So the reason that this construction satisfies zero knowledge only with respect to a single proof is because the pover reveals some of the labels of the garbell circuits and we know that garbell circuit is secure only as long as the adversary gets to see only a set of labels for a single input. And this construction uses only one way function because we use a symmetric encryption and garbell circuit and commitments which all of them can be realized from one way functions. Now we have this construction but we want to add to it the succinctness property and in order to compromise for that we now allow to use a fullyomorphic encryption instead of one way function. So just to remind you by succinctness we mean that the complexity of the setup algorithm should be independent of the relation of. So what you see now on the slide is still the construction that we saw from one way function and we can see now that the setup algorithm complexity goes with R because we need to compute a garbell circuit that depends on this R. So the idea here is to postpone the computation that depends on R in a way that it will be performed by the pover and the verifier independently instead of doing the setup. So we do it as follows. So first, instead of sampling the standard symmetric key we sample a secret key of a homomorphic encryption scheme and then instead of garbling the circuit so that the creeps, the witness and the executes R we garble a circuit that only takes homomorphic encryption in ciphertexts and decrypt it with the secret key that we sampled. Okay, so now how can we still guarantee that this protocol will be with respect to the relation R? So we postpone the computation of R to the pover and the verifier. So after the pover computes an encryption of W now it is a homomorphic encryption of W then you can homomorphically compute the circuit that has the statement X encoded in it and it verifies it with respect to R and the encrypted witness. So after he performs this homomorphic encryption he will get a ciphertext city which encrypts a single bit either 0 or 1 which denotes whether the relation accepted this witness or not. So given the ciphertext he can then do the same as before which is to provide the labels of the garbled circuit that correspond to the ciphertext along with their decommitments. So now the verifier gets to see the statement X and the homomorphically encrypted version of the witness which is W till. So we can locally also compute the exact same ciphertext you will also compute this homomorphic evaluation of R with respect to X and encrypted witness. You will end up with the same ciphertext and then you can do as before which is to verify the decommitments with respect to the labels that he got and then to execute the garbled circuit and see whether their output is 0 or 1. Okay, so now assume that we have a single statement deep in music and we want to convert it to one that can support multiple statements. So a name solution would be to generate exponentially many instances of a single statement deep in music and then every time the prover wants to generate a new proof then he can randomly sample one of those instances and hope that he never uses the same one twice and then given this randomly sampled instance he will generate a proof with respect to it. So the idea is take this solution which is non-efficient because it runs in exponential time and to somehow convert it to a more efficient one. So the high level idea is to postpone the generation of these instances to be on the fly. So only on demand one wants the prover wants to generate a new proof. So we consider this conceptual tree structure of all of the instances of the single statement deep in music. So we have a binary tree of depth security parameter and then we think of each node as an independent instance of a single statement deep in music. And eventually we would have two to the security parameter leaves of the tree and each of the leaves can be used to prove an independent statement in the multi-statement construction. So now we want to generate the tree root to actually generate in the real setup algorithm of the multi-statement construction and then to allow the prover and the verifier to parallelly generate the same intermediate instances of the tree. Okay, so now the question is which relation will be associated with each of the instances of the single statement deep in music. So we said that for the leaves, we want them to be used to actually prove statements in the multi-statement protocol. So we will associate them with the relation for which we generated the multi-statement construction. And now for each level of the tree, we will need to define some relation. So for the highest level, we will define the relation R, I. And now the question is how to define this relation. So we want each tree node to provide a proof that its two children were generated honestly because the security of the single statement relies on the fact that the CRS was generated honestly. And if we let the prover just generate them the way that he wants, then he can generate a bad CRS and then he can move false statements. So in order to prevent the prover from generating an arbitrary CRS, we use every tree node to prove that it's two children who are generated honestly with respect to a valid CRS. So we want the relation in the highest level, the R, I, to verify that nodes of the I plus one level were generated with respect to the relation R, I plus one. So we define the relations recursively. We start from the leaves node which is associated with the real relation R and then we go up in the tree until we get to the tree roots which is described by R zero. So a bit more formally, the relation R, I, will take two CRS values that correspond to two children nodes. And in addition, some random string R and then it will authorize this pair as long as the two CRS values were indeed generated by a setup algorithm with respect to the relation R, I plus one with the randomness R. So R works as the witness in this relation. So the verifier doesn't get to see the witness because of the zero knowledge property. So you cannot learn anything that you shouldn't learn because the CRS is public. So it is okay for him to learn CRS one and CRS two. Now, because we want the soundness to hold, we need this randomness R to be truly random which means that also R the witness cannot be sampled by the prover. So we'll actually choose this R at the very beginning of the scheme when we generate the tree root. We'll choose truly random R and this R should be used in all of the nodes of the tree. So now there is another problem because if we use the same R in the setup algorithm so we end up with the exact same instance of the single statement construction and then it is like proving multiple statements with respect to the same instance. So now we violate the zero knowledge. So we will not use simply R but we will explore it with the value that comes from a PRF. So the PRF seed will be known only to the prover and to the eyes of the verifier, those values will look truly random. So the pseudo randomness of the PRF is for the zero knowledge to hold and the real randomness of the R value is for the soundness to hold. And it turns out that if we saw those two values for every node and we can guarantee simultaneously both the soundness and the zero knowledge. So there are some details that I'm not getting into here but this is the high level idea. And I want to point out that if you look at the complexity of R i then it is at least twice as the complexity of the setup algorithm with respect to R i plus one. So this is why we need the succinctness. If we didn't have the succinctness then the setup algorithm with respect to R i plus one will run in time that is proportional to R i plus one. And then the complexity of R i will be at least twice and because we have a security parameter levels of the tree who will end up with an exponential blow up in the running time and in the description of those relations. So this is why the succinctness is required. So if we take the succinct DPNZ for single statement from FIG and combine it with the bootstraping technique that we just saw we end up with a new DPNZ construction from FIG. So I want to compare it with previously known constructions. So first recall that I said earlier that there is the construction by Kim and Wu from homomorphic signatures. And then we can combine it with the homomorphic signature construction from LWE by GBW. If we compare it to our work when FIG is instantiated from LWE we actually get better parameters with our technique. And this is because in FIG it is known how to do bootstraping and I'm completely overloading the notation here but in the context of FIG bootstraping means that we can generate a secret key of size that is independent of the circuit to be computed. And in the homomorphic signatures construction we don't know how to do this kind of bootstraping. So there we end up with parameters that go with the depth of the circuit. Another construction is the NISIC from FIG by Kaneti et al. And this is incomparable because on one hand they get the stronger notion of NISIC which doesn't require the designated approval setting. But on the other hand, their assumption is stronger because they assume that the FIG satisfies the circular security. Another construction is the NISIC directly from LWE by Kaneti et al. So again, this is incomparable because we have this generic assumption of FIG but on the other hand they get the stronger notion of NISIC without designated approval. And lastly, there are other constructions that rely on completely different kind of assumptions of assumptions on group with Bayesian error maps. So to sum up their results, we show a generic bootstraping theorem for succinct to deep NISIC from single statement to multi statement. We show how to construct this succinct single statement deep NISIC using any fully homomorphic encryption. And we show an equivalence between deep NISIC and attribute-based signatures which are also known to be equivalent to homomorphic signatures. This correlation is we get a new construction of deep NISIC from fully homomorphic encryption and also new constructions of attribute-based signatures and homomorphic signatures also from homomorphic encryption.