 Tako manj, detak namente ponelti pritik je pravi, kot ješcina protokole, kot je kom столata in komitmens, nekaj ga se stavim. Na primer, najstaj nekaj pozgel je zato, nekaj pozgel nične izzivnosti meni vedno svoje. Pozlad nič nekaj pozgel možne zemljati. I odjevno je zelo povah, is a three-round concarned-nomalable commitment scheme. And it's based on the sub-explanationally secure one-to-one-one way functions, so it's a slightly strong assumption. But the nice part is that it can be instantiated with any three-round synchronous one-one weak-nomalable commitment where all these words synchronous one-one and weak mean that it's a very small-nomalability flavor that we amplify to the concarned-nomalability. So it's good that there are all those words in between a three-round and normalable commitment. Then there is a new notion. Again, this is for argument systems. It's called simulation witness indistinguistability. And it's very interesting because it's different in spirit from normalable zero-knowledge, normalable WI, simulation sound zero-knowledge that are well-known normalability flavors for argument systems. So the reason we need this new notion is because the previous notions turned out to be insufficient for our final goal. We can construct moreover such a tool, the CMWI argument system from one-way functions in just four rounds. In particular, one-man means that many in the middle can play with multiple verifiers. And finally, that's the title of the paper. We will put pieces together to get a four-round normalable commitment scheme. The interesting part is that our construction is absolutely modular, making use of these two tools together. So the final construction is simple because we use these two tools in a modular way. That's very important because if you have multiple associations of these tools, the moment one sensation dies because there is a bug, our result still stands because you can differentiate it in multiple ways. Anyway, it's known how to implement these tools under one-way functions, and we implemented in this work this tool with one-way functions, so the final result only requires a one-way function. OK, you all know what the commitment scheme is, otherwise you will be sitting in the other room with the title of my talk. So let's go directly to the normalability game. So we have an adversary that will get a commitment of either M0 and M1 it doesn't know, and it tries to compute a commitment of a message M prime that is related to Mb. OK, and there is a distinguisher that will get the committed message of the adversary in the clear, the view of the conversation, and it will try to output 2 to get B. OK, that's the goal of the adversary in the distinguisher. And very important, in general, with a normalable commitment scheme, the adversary might commit to a bogus message, a message that cannot be opened at all. It's part of his power, he can do that. This is the one-many normalability where the man in the middle can play with multiple verifiers, and this is the many-many case, it's the concurrent normalable commitment, the definition where the man in the middle is allowed to play with multiple senders and multiple verifiers. So there is a nice theorem of Lin et al. They prove that you can just focus on one-many normalability because any one-many normalable commitment scheme is also a many-many normalable commitment scheme. So we will mainly focus on this, in this talk. OK, now let's, so there is a lot that I have to tell you. So let's start with a big problem, the problem that we had to solve in this work. If you have many rounds, more than four, and you want to design a normalable commitment scheme, you have the following chance. You can kind of make some rewinds on the left, trying, I don't know, in a reduction, in the security proof, to simulate something, to basically send some bogus message to the man in the middle to extract something on the left. And moreover, you can also do it in the other session on the right because you have many rounds, therefore the rewind that you play on the left does not interfere with the rewind that you play on the right. OK, this is possible, but you need more rounds, more than four. The problem of breaking the more than four-round barrier, the multiple-slot barrier, was solved by Gojale Tal in 2014, showing a normalable commitment scheme in just four rounds from one-way functions. So this required significantly new techniques to break this barrier. But it was limited to the one-one case where the man in the middle plays with one sender and one receiver. So in this work, we break the multiple-slot barrier, having just the four-round constructions with full concurrency where there are multiple senders and multiple receivers. This is the state of the art after our work. So you can see that normalability for commitments is a very old problem. It has been studied trying to improve the round compressive, complexity over the years, the complexity assumptions, the concurrency, and we end up having some very nice properties because it is concurrent, we need the minimal assumptions just when we function, and we do it in four rounds. And then there is, and it's in 2016, because our work was online already in 2016. And then we have also the three-round construction that is based on experientially secure one-two-one-way functions, but the important thing is that it's a combination of these two tools. So, therefore, it can be also instantiated in different ways if there is a bug in one of the instantiations. You know, if you take many of these papers, maybe they have a bug, then everything is over, right? Okay, there can be a bug also in our paper, but the relevant part is that if the bug is in the way we combine things, it is a bug. If it's a bug in the underlying subprotocol, then we are fine as long as there are more instantiations of the subprotocol, because you can use another one, okay? So, a big effort that we made in this work is to have all these theorems that we have, all these constructions, both of them, that are modular combination of two weaker flavors of normality. There is follow-up work this year, so new work that does not improve our work. Still, it improves some dimension, but not some other dimension. It's worse on some other dimension. The new papers that are appearing in Fox, or are in the print, they have stronger complex assumptions, or they are based on number-toretic assumptions, okay? Okay, so let's start now with that sequence of results. So, we start with weak normality. What is weak normality? For commitments, it's a game in which the man in the middle is forced to commit on the right. So, this is the transcript of the conversation. To a message that can be successfully opened later, okay? It cannot commit in the sense of sending bogus messages, and therefore later it cannot open at all. It's a restriction, right? You might say, why do you have this restriction? It's useless, because in the real world, you can do whatever you want, so that's true. But indeed, my goal is to use this as a building block to construct full-fledged normality. And it's good to start with some weak flavor normality, because it's easier to achieve. So, you can achieve it under different assumptions, different constructions, and then you build on top of it. That's what we do in this work. So, there was a previous notion, similar in spirit of Goyal, that is called normality with respect to replacement. But it's formalized differently from what I just discussed. Okay, so, we are done with this new notion. And now, let's go to step two, the construction of three-round concarnable commitments from three-round, et cetera, et cetera. Okay, so, the point here, as I told you, is that we have this result, based on this tool, three-round synchronous one-one weak normality commitment. Interestingly, for this tool, for instance, there are two instantiation known, completely different. So, there are two papers, we are not part of these papers, but there are two different ways to construct this tool from one-to-one one-way functions. So, if one of them, when they unfortunately dies because of a bug, our result stands, because we can instantiate everything with other result. It's a benefit of the modular construction that we have. For the actual construction, how we build on top of this tool to get using also one-to-one secure one-way functions, getting a three-round concarnable commitment scheme, you can see the full version. I don't have time, because there is more interesting stuff that I want to present in the next minutes. Okay, let's continue. Then, we are done with step two, and we are now going towards step three. So, the final goal is to show concarnable commitments. So, why am I going to talk about argument systems? So, I'll introduce now the reason why we introduce a new normality flavor for argument systems. So, this is a genetic man-in-the-midel attack, where there are multiple senders, multiple receivers, and the man-in-the-midel can commit to bogs messages or to well-formed messages. And there is a construction, very important of Gojale Tal, in 2014, that we are abstracted in this way. First, they have a component that is secure against a weak man-in-the-midel. As you can see, all commitments here on the right are well-formed. There is no bogs message, because this is the definition of a weak normality that I explained to you a few slides ago. Okay, and they have a very important construction. They construct this building block. So, against a weak man-in-the-midel, they have a four-round construction that is concurrent, moreover, and based only on one way functions. Okay, good. What do they do then? They notice, okay, if the problem of this construction is that the man-in-the-midel can commit to... It's forced to commit to well-formed messages only, and we want to remove this limit. We can add the zero-knowledge argument, where the man-in-the-midel must prove that the committed message is good. Okay? By adding this argument of knowledge, then it's clear that here all commitments are well-formed, by a violated soundness of the argument of knowledge. Okay, good. So, putting these two blocks together, they have an eight-round construction of a concurrent and non-malleable commitment scheme against fully concurrent and malicious adversary. Okay? Moreover, this tool is also publicarned. This will be useful later. But here we have eight rounds. So, we are still far from the barrier. What we want is four rounds, because you have only one slot, and it's extremely tough to resolve the problem. Okay, so this is what we can do to have a four-round construction. Okay, let's not play the two sub-rotocol sequentially. Let's play them in parallel, and you get a four-round construction. Right. But let's see, does it work? Can we really do such things instead of playing sequentially, we play in parallel and everything is successful? So, let's start playing his attack with two red sessions, for instance. So, he played the first three rounds on the left, first three rounds on the right. Then there is the fourth round coming from the center, and the man and the middle can give a look, not at the weak non-malleable commitment that has a non-malleability flavor inside, because it's in the word non-malleable. But here, this is just a zero-knowledge argument of knowledge has nothing to do with non-malleability. It's extremely malleable. The enemy might be able to touch this message and to understand that he can complete one session if here there is really m1, m0, and to complete the other session, okay, m1, and another session if here there is m0. So, he can try to mole and to complete a session on the right, depending on the message that is not in the weak non-malleable commitment, but it is used as a witness in the zero-knowledge argument of knowledge. Okay, and it can just abort the other one. In this example, he completed this session and he aborted this one. Okay, so, but okay, you can see, but okay, if I have a proof, I don't care. I mean, there would be a way to translate this adversary in a reduction that breaks a primitive. Well, let's see, let's go back again. Here we had the weak non-malleable commitment in the zero-knowledge argument of knowledge. In a sequence of hybrid, you will end up using the simulator on the right. That's why it's zero-knowledge. Otherwise, you wouldn't need zero-knowledge. And the man in the middle now will not mole anymore. When he understands that there is a simulator on the left, he will just complete a random session, okay. So, we have the man in the middle that in the real game he moles. He actually completes a session related to the committed message on the left. In a security proof through the hybrid switch to the simulator, the man in the middle might just not mole anymore and you don't reach a contradiction. So, it's precisely the point in which you should, in your security proof, make advantage of this, because the man in the middle is essentially killing the simulator, right, because if you put the real proof where he moles, if you put the simulator, it does not mole anymore. Very good. So, reduction to the zero-knowledge. Let's do the reduction. Okay. So, we have on the left a challenger that is either a prover or a simulator of zero-knowledge and we make use of this man in the middle that is able to translate the fact that this is, either comes from a prover or from the simulator and completing here either the commitment of a message related to the session on the left or completely unrelated. Okay, but the problem is that if there is a committed message here and you want to see it, you have to extract it. In order to extract it, you have to rewind. If you rewind, the man in the middle will ask to play on the left again, but you have a challenger here. Having the challenger means that you cannot ask the challenger to replay the fourth round, you have to play it on your own and how you cannot play it on your own in zero-knowledge if you don't have the witness. If there is a challenger here playing four rounds and you ask to you want to play on your own a valid fourth round, you cannot. This means that you are stuck in the reduction. So it's not so easy. What we know now, it's not so easy to put together in parallel rather than sequentially these two sub-protocols. Okay, that's the big problem that I announced already before. When you have only one slot, it's very tough. If you extract on the right, you are going to disturb the session on the left. In particular the reduction. If there is a challenger, you are rewinding the challenger. So that's a big complication. Fortunately, there is already a solution. So Gojalital solved this problem. They have a better zero-knowledge argument of knowledge, a special one, so not just any. You play with a special zero-knowledge argument of knowledge that is kind of resilient to some rewinds. So with this special tool that they constructed, they managed to get a four-round construction under one way function. But these limited rewinds that can be tolerated by this zero-knowledge argument of knowledge is completely insufficient when you have multiple verifiers. Because then you have to extract everywhere and therefore there are there is an uncontrolled number of rewinds. Therefore their strategy dies and they have only one-one normallability. So the open question that we solve in this work is to construct concurrent normallible commitments just with one-way functions with four rounds and therefore one-slot only. This requires new techniques. So all this discussion motivated the fact that we need something better than just a zero-knowledge argument of knowledge. And that's precisely the notion that we construct. There are some other approaches possible. One is just use statistical zero-knowledge argument of knowledge. This will stop the man in the middle from looking at the zero-knowledge argument of knowledge, understanding the witness and doing something, because the witness is completely hidden. The simulation is statistical. This will work actually, but unfortunately it requires collisions in the solution. If you might think of using normallible zero-knowledge a much stronger zero-knowledge definition, but first of all there was no construction in four rounds, so many until a new work that we did this year. And second, it doesn't work. It's not enough, because in normallible zero-knowledge there is nothing about the distribution of the messages that are used, the distribution of the witnesses corresponds to the messages here. That is the real normallibility, the real point in which man in the middle is attacking. It's attacking on the message used by the prover in the zero-knowledge, which is the witness. And normallible zero-knowledge has nothing to do with the distribution of the witness. Just as soon as the simulator will figure out will extract a witness. Ok, so it remains despite the state of the art, if you want to get this result there is an open question that it must be solved. Ok, so this was their approach. Successfully they combined these two tools to get a one-one normallible commitment scheme. And our approach is different. We replace this component with a tool that is a simulation with this independent argument of knowledge. With this tool we get four-round concurrent normallible commitments. Ok, both tools can be instantiated under one-way functions, and the final result is under one-way functions. And we are going to see this new notion. So it's an argument system that has a normallibility flavor. So in the real game you have as usual the man in the middle playing on the left and on the right. This is the one-man definition, so there are many verifiers. And the man in the middle will ask the prover to complete the protocol on the left, and you will complete then the argument systems on the right. Ok, and now you have a distribution of the witnesses corresponding to the theorems proven on the right by the man in the middle. Because I'm assuming here that for every instance there is just one witness. Therefore it's well defined when you have the theorems on the right, the distribution of the witnesses encoded in the proof on the right. Ok, and this is the real game. Then we have a simulated game where of course since it's simulated there is no witness played at all on the left because there is a simulator and we still have some theorems proven on the right and you take the distribution of the witness that are on the right. So now the goal is that whatever is using here the distribution of the witness that are on the right we want them to be indistinguishable from the previous case where there was a witness. Ok, so this is the distinguishability of the two games. So this is the definition so if you play with the prover or with the simulator, the distribution of the witnesses encoded in the proofs given by the man in the middle on the right does not change. This is informally what it means. And informally we discuss in the paper that this definition has nothing to do with simulation extractability, simulation soundness and normality. Ok, good. Interestingly we can construct this tool with one-way functions all in four rounds but you might ask again why you have only one slot, so you might have the same issues. First observation. This notion does not require the simulator to be also an extractor on the right. This helps. It's something that simplifies. Second, we have a protocol design technique new that instead of using for instance a WI argument of knowledge that can be problematic in a security proof because of the rewind that will require to rewind the challenger we actually we use only components that have non-interactive challengers and non-interactive challenger does not suffer if there is a rewind. So this is the main protocol design technique that allows us to pass this four round barrier the multiple slot barrier. Moreover there is also an interesting new proof approach technique that is in particular in our security proof and is crucial for us and a hybrid in which in the same hybrid we play in the same argument system both with the prover and with the simulator of a special knowledge proof. Both prover and simulator in the same experiment in the same session. This is also something entirely new for us at least and it's fundamental so it's something very important for us to reach the final result we don't know how to do it without this technique and for instance this gives you the flavor of the difference with simulation sound rest because simulation sound rest is about simulating force theorem but if it's a force theorem I cannot switch between simulator and prover because it's false. There is no prover to prove a false theorem. OK. This is crucial observation and the new technique that we use and what we put in the proof. OK, still have some time. Good, so now that we have this important component we can put together simulation in WI in weak normality and now the proof is really smooth. Why? Because you have this was the previous case and the manager is attacking the zero knowledge mauling according to the zero knowledge so changing the witness and therefore the message according to the zero knowledge but simulation WI and this was the previous case simulation WI completely resolves this problem because it's a guarantee of simulation WI that when you switch from prover to simulator the manager does not change the messages encoded on the right the witnesses that are the messages encoded on the right and therefore we can then also play a reduction to the weak normality commitment. Don't have time to show you also this reduction but now it's things are easy and there is also a final thing so the reduction is also simplified by the fact that the weak normality commitment is public coin and I can conclude now so we broke the multiple slot barrier for concurrent normality commitments using minimal complexity assumptions and we have three and four one constructions in particular making modular use of sub protocols so this is very useful because it meets multiple sensations we have a new notion for argument system maybe with new applications in future because of the normal ability flavor and also it's interesting that we show new protocol design and proof approach techniques thank you very much for your attention