 This is joint work with Stephanotus alone. Very broadly, this work develops a framework that provides security proofs for some proof systems used in practice, which did not have meaningful security guarantee so far. Over the last few years, we have seen zero-knowledge proofs being implemented in real-world systems. However, often the security guarantees about these proof systems are very weak on non-existence. This might sound surprising to you given that most of these proof systems have existing security analysis. The underlying reason for this issue is the use of the PRCharmage Transformer. Before I explain you why that is the case, let me briefly recall what the PRCharmage Transformer is. It starts with an interactive proof or argument which is public-point, that is the verifier's messages are random challenges. It uses a hash function to transform the interactive protocol into a non-interactive argument. The idea is that the hash function plays the role of the verifier in computing the next talent from the transcript so far. If the interactive protocol is zero-knowledge to begin with, then the non-interactive protocol is zero-knowledge as well. Many recently proposed non-interactive succinct argument systems have been designed using the PRCharmage Transformer. The key point is that the soundness of these protocols is only proof in the interactive setting. And you'd think that if the interactive protocol is sound and the hash function is a random oracle, then the non-interactive protocol is sound as well. Unfortunately, the situation here is complicated. It is a fact that most experts in the area know, but it is not very well-documented in general. The problem is the degradation of soundness resulting from the PRCharmage Transformer. Let us assume that the interactive protocol has soundness error epsilon for a cheating prover running in time t. Meaning that any such cheating prover can fool a verifier with probability at most epsilon. Then if the interactive protocol has r rounds and the hash function is a random oracle, the best guarantee that we can prove generically for the non-interactive counterpart is that its soundness error is at most t power r plus one times epsilon. This is a terrible soundness degradation as the two examples next will illustrate. Our first example involves bulletproofs, which is a popular argument system that has been deployed in practice in Monero and signals mobile phone. The interactive protocols has more than constant number of rounds, meaning that t power r plus one is huge and we get no meaningful security guarantees. It might appear that this is fine for constant round protocols, but even then the situation is not as nice as you think. It is not uncommon for these protocols to have at least four rounds. Because of the loss in the transformation for 256 bit curves, we cannot get a security guarantees for adversaries running in time beyond two power 60, which is not very meaningful. Are the proofs being overly pessimistic? Because from these systems, we expect much better security. So there's a significant gap between security expectations and what guarantees we can prove. This is a little alarming because some of these systems are being used in the real world without proofs backing security expectations. The goal of our world is exactly to narrow this gap. We do this by giving a general framework to analyze security in the algebraic group model for group-based protocols that use the Fiat-Chemite transform. Our framework captures protocols instantiated in groups with or without barriers. We apply our framework to obtain tight security bounds for the non-intractive version of bulletproof and sonic. In fact, for bulletproofs, this is the first non-trivial soundness guarantee for the non-intractive argument never proved in any model. Note that in concurrent work, Bunz et al analyzed the non-intractive version of the main component of bulletproof in the AGM. However, the bounds they obtain are not typed. We also expect our framework to be more widely applicable to a number of other proof systems, but leave that for future work. Also note that there are prior works that use the generic group model or the algebraic group model to analyze soundness of non-intractive protocols, but these protocols do not involve the Fiat-Chemite transform. Hence, their analysis does not encounter the challenges that we have here. The key ingredient of our approach is to analyze the notion of state restoration soundness. The state restoration soundness error of an interactive protocol is roughly an upper bound on the soundness error of the non-intractive protocol resulting from the Fiat-Chemite transform. Let me define what state restoration soundness is. Simply stated, this notion of state restoration soundness gives the cheating prover the additional power to restore the verifier to any of its previous states and resume its execution from there. Let me illustrate what I mean by this. It's an example of a protocol with two rounds. The verifier starts in its initial state. The cheating prover interacts with the verifier, sending a message, receiving a challenge, and it continues execution, which eventually leads to rejection. The cheating prover then restores the initial state of the verifier and starts with the new first message, receives a new first challenge, which it does not like and restores the verifier to an earlier state. The cheating prover continues the execution, restoring the state of the verifier, whenever it does not like a challenge, and that finally leads to an accept. The cheating prover wins if there's an accepting path in the execution tree. We define the state restoration soundness error as the probability that the cheating prover wins. So the question we can ask here is can we bound the state restoration soundness error for a protocol generically if we know the regular soundness error? Well, if we have a R-round protocol with soundness error epsilon, we can show generically that for cheating prover, serving in time t, the state restoration soundness error is upper bounded by t power r plus one times epsilon. This can be translated into an upper bound on the soundness of the non-interactive protocol resulting from the Fiat-Chemite transform. But if you remember, we could have already proved the same bound generically. And in fact, technically, the proofs behind these two statements are the same. And it looks like we're back to square one. Since we cannot do something generically, the question is whether for some protocols, can we prove better bounds directly for the state restoration soundness? The answer here again is it's complicated. It turns out that for interactive proofs, indeed, it is sometimes possible to give better bounds. In particular, these work show that some proofs satisfy a different notion called round by round soundness, which was shown to be equivalent to state restoration soundness by 100. However, we are interested in subsequent protocols, which are arguments. And for these, we don't actually know of any non-trivial bounds for state restoration sounds. I want to give you an idea of what the challenge is and highlight our approach. To do that, I want to first tell you normally how plain soundness of arguments is proved. Here specifically, I'll talk about a security notion which has been frequently used in recent work, which is that of witness extended emulation. This is a proof of knowledge property and therefore implies soundness. This notion is defined as follows for an interactive protocol. We consider a real world experiment where the cheating prover interacts with the verifier and their interaction generates a transcript. We compare it with an ideal world experiment where the cheating prover is interacting with an extractor that only knows the instance and can rewind the cheating prover. The extractor outputs a simulated transcript and a candidate witness. The requirement that we want to have is that the simulated transcript is identically distributed to the original transcript. And whenever the simulated transcript is an accepting transcript, that is a verifier would accept the interaction, then the candidate witness should be a valid witness for the instance. For arguments, the latter guarantee is only computational. That is it needs to hold against all efficient cheating provers except with some negligible probability. Typically, the way this is proved is by using very complicated forking lemmas for multi-round protocols starting from the work of Butel et al. and refined subsequent. What is the challenge for state restoration provers? The role of the extractor is much more complicated. And the reason for that is that the cheating prover now can rewind the verifier and the transcript that is being generated is going to be an execution tree. And now when we move to the experiment where the cheating prover interacts with the extractor, not only does the extractor need to rewind the prover, the extractor itself needs to deal with the fact that the prover will try to rewind the simulated verifier. We don't even know what are good extraction strategies and how to analyze them. In our work, we bypass the problem entirely by relying on online extraction. The idea is that we want to extract a witness from an accepting transcript without actually needing to rewind the cheating prover. So now we have removed one of the two sources of rewind. Of course, this sounds too good to be true. Online extraction does not come for free because otherwise the verifier could also extract the witness. So the way we can achieve online extraction is by using either knowledge assumption or doing the analysis in some ideal models. These approaches are common in existing analysis of succinct proof systems. In this paper, we focus on the algebraic group model. The algebraic group model is an ideal model that considers security against algebraic adversaries only. An algebraic adversary is one that provides a representation of every group element it outputs with respect to all the group elements that have been input. For example, if we imagine an adversary that initially gets as input generators G1 and G2. For some understood group G, it later produces a group element Y as output and a representation of Y in terms of G1 and G2. We denote the group element and its representation as a square bracket Y. Next it gets a group element H and it produces another group element Z as output and a representation of Z in terms of G1, G2 and H. Our target is to analyze the witness extended emulation for state restoration provers in the AGM. We first consider an adaptive version where the cheating prover gets to choose them. We again consider a real world experiment where the algebraic state restoration cheating prover interacts with the verifier. Here it can rewind the verifier and the interaction generates an execution tree. We compare it with an ideal world experiment where the prover is interacting with an extractor. Since the prover is algebraic, it provides the representation of the input and all of its messages that are group elements. Here the extractor again returns an execution tree and a candidate witness. For a good extractor, we need that for any distinct majority, the probability that D returns one on getting the original execution tree is approximately the same as the probability that D returns one on getting the simulated execution tree. And whenever the simulator execution tree has an accepting path, the candidate witness is a valid witness for the input. We accordingly define the state restoration witness extended emulation advantage for an algebraic cheating prover with respect to an extractor to be the maximum of the difference of these two probabilities for any distinguisher D. We also consider a non-adaptive version of the notion where the input is chosen by an external instance generator instead of the cheating prover. The main difference here is if the input contains group elements, the extractor does not learn the representations. This notion might be useful for some other applications. In our paper, we have results for this notion, but I shall focus only on the adaptive version for this talk. Our goal here is given an interactive protocol. We need to first define an extractor. Then we need to prove an upper bound on the state restoration witness extended emulation advantage of any algebraic cheating prover running in time T with respect to our defined extractor. So we propose a proof framework for this and our framework is composed of two main ingredients. First, for all partial paths in the execution tree, we define a set of back challenges. We show that there is some epsilon such that for any partial path, at most an epsilon fraction of the challenges are back. Secondly, we define an efficient function, little e, which is meant to take an accepting path and the instance as input and return either bottom or a witness for the instance. We define a path in the execution tree to be bad if there are any back challenges in the path and any path that does not have any bad challenges is a good path. Our goal is that if the accepting path input to e is good, then it returns a valid witness. Additionally, we want to minimize epsilon to ensure that there are not too many bad challenges. Now, suppose for an interactive protocol, the set of bad challenges and the function little e are defined. Then we can construct an extractor that runs the cheating prover and applies this function little e to an accepting path. And we can prove that for cheating provers, running in time t, the state restoration witness extended emulation advantage is upper bounded by t epsilon plus the probability that little e fails to extract a witness on a good accepting path. Generally for arguments, the probability of little e failing is going to be related to the probability of violating some assumption. We apply this framework to some protocols. We first apply it to bulletproof range group, which is an argument of knowledge of opening of a Pedersen commitment to a value in the range zero to two power n minus one. For this argument, we show that there exists an extractor such that for any cheating prover running in time t, it's a state restoration witness extended emulation advantage with respect to the extractor is upper bounded by the discrete logarithm advantage of an adversity in the group running in time t. Plus a small term that grows only nearly empty. For bulletproofs, our argument for arithmetic circuit satisfiability we prove a similar result. And likewise for sonic argument for arithmetic circuit satisfiability. We show that our bounds are tied by giving matching attacks. Prior work by Jager and Tesarro analyzed the concrete security of bulletproofs argument for arithmetic circuit satisfiability. Only in the interactive setting. Our bounds for the interactive protocol are better even though we prove a stronger soundness motion. In order to compare, we translate our bounds to the generic group model and see that we get security guarantees against adversaries running in much longer time. Finally, I would like to give a high level idea of how we instantiate our framework for specific protocols through the example of bulletproofs. This is a complicated protocol. It turns out, however, that to understand some of our basic ideas, you do not need to understand all the details of how bulletproofs work. The main ingredient in bulletproofs is an elegant inner product argument. For this argument, the input is a group element q and a scalar t hat. The prover proves knowledge of two vectors, L and R, such that q is a commitment to L and R and the inner product of L and R is t hat. In all instantiations of bulletproofs to prove knowledge of a witness for an NP relation, we reduce this to an instance of the inner product argument and then run the inner product argument on the particular instance. There are a couple of important points worth noting about analyzing bulletproofs in our framework. The first one is that there is no easy composition in the AGM. You would think that it would be enough to analyze the inner product argument in isolation first and then compose it with the analysis of the other sub-product. But this modular approach is not possible because the representation of the group elements in the inner product argument run in isolation is different from the representation of group elements when run as a sub-protocol for bulletproof instantiations. The second point is that extraction strategies for different instantiations of bulletproofs is different. For example, in the range proof, the instance is a group element provided by the prover and the extractor can directly extract from the representation. But for the argument of knowledge for arithmetic circuit satisfiability, the input has no group elements and we need to use a different strategy. Here you just heard something that might appear to make the problem trivial, namely for protocols where the instance is a group element, the AGM basically includes in the input a representation which might directly give out the bits. For example, the bulletproof range proof is an argument of knowledge of opening up Pedersen commitment C to a value X in the range 0 to power n minus one. The instance of the protocol is the group element C and the generators here are G and H. So the adaptive algebraic prover will provide a representation of C in terms of G and H. Now, the function looking E will just return the representation of C. This seems very simple, are we done? The catch here is that we are not guaranteed that X is in the range. In fact, the technical core of the proof boils down to showing that if the algebraic cheating prover produces a good accepting path and if X is not in the range, we can break discrete law. And we also have an analysis for the same protocol in the context of non-adaptive provers. In that case, we have to extract from somewhere else since the instance is not supplied by the algebraic prover. And hence, we need to give a more complicated proof which involves providing. Even if I've overwhelmed you in this talk and you want to walk away with one line, it would be that it is essential to analyze the state restriction soundness of interactive protocols when using the Fiat-Chemite transform. Finally, let me conclude by stating some of the related open problems. An interesting direction of future work is proving state restriction soundness for more protocols, specifically those which are not based on groups. Proving a non-trivial bound for state restriction soundness of any argument in the standard model is a very important open problem. Another interesting open problem is extending our framework to allow modular analysis in the AGM. The full version of our paper is a new print. Thank you.