Hey everyone, thank you for coming. Today I'm going to talk about batch verification for statistical zero-knowledge proofs. This is joint work with Guy Rothblum, Ron Rothblum, Adam Sealfon, and Prashant Vasudevan.

So zero-knowledge proofs, introduced by Goldwasser, Micali, and Rackoff, are an amazing idea. As you all probably know, they allow a prover to convince a verifier of the validity of some statement without revealing any additional information. In this talk we focus on statistical zero-knowledge, for which both the zero-knowledge and the soundness are information theoretic. So a protocol is statistical zero-knowledge (SZK) if it has three properties: the standard completeness and soundness, where note that the soundness is defined also against an unbounded prover, and the zero-knowledge requirement, which says that for every poly-time verifier V* there exists a poly-time simulator such that the output of the simulator is very close to the distribution of the messages sent between P and this V* on the input x. By very close I mean that the statistical distance between those distributions is negligible. We also consider a relaxed notion of statistical zero-knowledge, honest-verifier statistical zero-knowledge, for which the zero-knowledge requirement holds only against the honest, designated verifier.

Okay, so far we have talked about verifying only one instance, but let's say that we want to check that k different statements are all true, meaning we want to accept if all instances are yes instances and to reject if at least one instance is a no instance. The naive way to do that is to just run the basic protocol for each input sequentially. However, communication is a key resource in modern networks, and if verifying one instance takes, let's say, m bits, then verifying k instances will take us m times k communication bits. So the question being asked is: can we verify k instances with less than these m·k communication bits?

Let me briefly mention some prior work on this topic. Using the IP = PSPACE theorem, we can get batching for every problem in IP, however with an inefficient prover. Also, the line of work of Reingold, Rothblum, and Rothblum shows batching for UP, which is a specific subclass of NP, with communication of poly(m, log k), where m is the witness length. The special property of those protocols is that the prover is efficient. And there are more works showing batching with only computational soundness, under cryptographic assumptions; the special property of those protocols is that the communication complexity is only poly(log n, log k).

In this work, we focus on batch verification for SZK. Our main question is: suppose that some problem is in SZK. Can we verify that k different instances are all yes instances, in zero knowledge, with non-trivial communication? Meaning, can we do batch verification for SZK with non-trivial communication while maintaining the zero knowledge? We think it is a natural problem, and it can also be used, for example, for verifying signatures and public keys. We give a partial positive answer, which will be stated in two slides. But first, let's recall the model of non-interactive statistical zero-knowledge (NISZK). In this model, both parties get the CRS, which is a shared uniform random string. Then the prover, based on the input x and on the CRS, generates a proof pi and sends it to the verifier. And the verifier, based on x, the CRS, and this pi, decides whether to accept or reject.
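To pin down the statistical closeness requirement from the SZK and honest-verifier SZK definitions above, here is the standard formalization in my own phrasing, where view_{P,V*}(x) denotes the transcript of messages exchanged between P and V* on input x and Delta denotes statistical distance.

```latex
% SZK: for every poly-time verifier V* there is a poly-time simulator S such that,
% for every yes instance x,
\[
  \Delta\bigl(S(x),\ \mathrm{view}_{P,V^{*}}(x)\bigr) \;\le\; \mathrm{negl}(|x|).
\]
% HVSZK relaxes this: the same requirement is imposed only for the honest,
% designated verifier V rather than for every V*.
```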
Okay, so we have here the standard completeness and soundness requirements. And the zero-knowledge requirement is that there exists a poly-time simulator such that for every x which is a yes instance, the output of the simulator is close to the distribution of the CRS alongside this message pi.

So now we are ready to state our results. Our main theorem is that every problem Pi in NISZK has an honest-verifier SZK batch verification protocol with non-trivial communication of k + poly(n); in this talk we ignore polylog factors. We show it in two steps. In the first step, we show a new NISZK-complete problem called approximate injectivity. Then we show an honest-verifier SZK batch verification protocol for this problem of approximate injectivity.

Before we dive in and introduce this new problem of approximate injectivity, we start with a warm-up of batch verification for permutations. The input for this problem is a length-preserving circuit. We define the yes cases to be circuits that define a permutation, and the no cases to be circuits that are far from defining a permutation in the sense of their injectivity, meaning that for the no cases every image has at least two pre-images.

So now we want to construct a batch verification protocol for this problem. The input is k circuits and we want to check that each and every one of them is a permutation, and the way we think of these circuits is as a composition. We construct an honest-verifier SZK batching protocol which goes as follows. First, the verifier samples x_1 and sends y_k to the prover, where y_k is the composition of the circuits applied to this x_1. Then the prover finds some x_1' such that the composition of the circuits on this x_1' gives the y_k sent by the verifier, and sends it to the verifier. The verifier then checks that indeed x_1 equals x_1' and accepts or rejects accordingly.

To show this protocol is indeed honest-verifier SZK, we need to show completeness, soundness, and zero knowledge. We start with completeness and zero knowledge, for the case in which all circuits are permutations. For completeness, note that permutations are invertible, and therefore the prover can just invert each circuit in turn and eventually recover x_1 from this y_k. For zero knowledge, we can construct a simulator that just samples x_1 and computes y_k the same way the verifier does, and sets x_1' to be this x_1, so we get perfect zero knowledge here. For soundness, in the no case, we consider the first no instance. Even if the prover manages to guess this y_i correctly, meaning the y_i which is the composition of the first i circuits on this x_1, still this y_i has at least two pre-images. Now, we know that x_1 is sampled uniformly and the first i-1 circuits are permutations, and therefore x_i is also uniform. Therefore the prover cannot guess the correct x_i with probability more than one half, and each candidate x_i here translates to a different x_1. So in total we get soundness error of one half, and we can amplify it by repetition.
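To make the warm-up concrete, here is a minimal Python sketch of this permutation batch protocol; it is only an illustration, and it models each circuit as an explicit permutation of {0,1}^n given by a lookup table, which of course is not how circuits would actually be represented.

```python
import random

def compose_forward(circuits, x):
    """Apply C_1, ..., C_k in order to x (the verifier's computation of y_k)."""
    for c in circuits:
        x = c[x]
    return x

def invert_backward(circuits, y):
    """Honest prover: invert C_k, ..., C_1 in turn to recover x_1 from y_k."""
    for c in reversed(circuits):
        inverse = {v: u for u, v in enumerate(c)}  # permutations are invertible
        y = inverse[y]
    return y

def batch_verify_permutations(circuits, n):
    """One round of the warm-up protocol; soundness error 1/2, amplified by repetition."""
    x1 = random.randrange(2 ** n)               # verifier samples x_1 uniformly
    y_k = compose_forward(circuits, x1)         # y_k is sent to the prover
    x1_prime = invert_backward(circuits, y_k)   # prover's response x_1'
    return x1 == x1_prime                       # verifier accepts iff x_1 = x_1'

# Toy usage: k = 3 random permutations over {0,1}^4, all yes instances.
n = 4
circuits = [random.sample(range(2 ** n), 2 ** n) for _ in range(3)]
assert batch_verify_permutations(circuits, n)
```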
So if the permutation problem were NISZK-complete, then we would essentially be done, but that doesn't seem to be the case. Instead, we introduce a variant of the permutation problem that is NISZK-complete: the approximate injectivity problem. This problem differs from the permutation problem in two significant ways.

The first difference is that the circuits are no longer length preserving. The inputs here are circuits that map inputs of size n to outputs of size m, where we think of m as polynomial in n. The second difference is that the requirement of injectivity or non-injectivity is not as absolute as in the permutation problem. Here, for the yes cases, the majority of the inputs, a (1 - delta) fraction, do map injectively, but a delta fraction of the inputs are allowed to be mapped potentially non-injectively; as far as we know, all of those inputs could even be mapped to the same output. For the no cases, the majority of the inputs, a (1 - delta) fraction, are mapped in a way that every such input has at least one other input mapped to the same output, but we do allow a delta fraction of the inputs to be mapped injectively. Later we show that this problem is NISZK-hard.

Now we will show a batching protocol for this problem. For simplicity, in this talk we focus on the case where delta equals zero. Although this case is not known to be NISZK-hard, it still captures most of our main ideas. So our goal for today is to distinguish circuits that are injective from circuits in which every image has at least two pre-images.

For the permutations, we set every circuit's input to be the previous circuit's output. But now the output size is not the same as the input size, and therefore we cannot directly compose. So an idea is to just use hashing, and to hash each circuit's output down to the next circuit's input. But while doing that, we still want each x_i to be close to uniform, for soundness, for the same reasons we needed that in the permutation protocol, as we will also see later. A natural idea is to use extractors. Since each circuit's image is of size 2^n and each circuit's input is of size n, we need extractors that extract almost all of the entropy. Also, we cannot afford the seed to be too long, because it will later be translated into messages being sent. Luckily, Guruswami, Umans, and Vadhan showed a construction of extractors that indeed extract almost all of the entropy and have a seed length of only polylog(m), and that leads us to the protocol's first attempt.

In the first attempt, the verifier samples x_1 and k seeds z_1 to z_k, and computes for each circuit its output y_i and the next circuit's input x_{i+1}, which is the result of the extractor applied to y_i and the seed z_i. Then it sends y_k and z_1 to z_k to the prover, and the prover has to find a consistent x_1'. By consistent, I mean an x_1' such that if the prover performs the same computation as the verifier, it gets the same y_k sent by the verifier. Then it sends this x_1' back to the verifier, and the verifier checks that it indeed equals the x_1 it sampled, and accepts or rejects accordingly.

But we have a problem with this first attempt: even if this extractor, given the z_i, were a random function, still a constant fraction of the x_{i+1} values would have more than one pre-image. Therefore the prover's chances of recovering the correct x_1 are negligible, and so we don't have completeness. An idea to solve this is to just give P additional information about this x_1. But then we encounter a new problem: the amount of information we would need to give the honest prover so that it can recover the correct x_1 would also be available to a malicious prover, and therefore we don't have soundness.
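Before moving to the fix, here is a minimal Python sketch of the first-attempt verifier computation just described. It is only an illustration under loose assumptions: the real protocol would use the Guruswami-Umans-Vadhan extractor, while here the extractor is replaced by a salted-hash placeholder, and the "circuits" are arbitrary functions from n-bit inputs to byte-string outputs.

```python
import hashlib
import os
import random

def toy_extractor(y_bytes, seed, n):
    """Placeholder for a strong seeded extractor (GUV in the real protocol):
    hashes the seed together with y and truncates to an n-bit value."""
    digest = hashlib.sha256(seed + y_bytes).digest()
    return int.from_bytes(digest, "big") % (2 ** n)

def verifier_chain(circuits, n, x1, seeds):
    """First-attempt verifier computation: y_i = C_i(x_i), x_{i+1} = Ext(y_i, z_i).
    Returns y_k, which is sent to the prover together with the seeds z_1..z_k."""
    x = x1
    y = None
    for C, z in zip(circuits, seeds):
        y = C(x)                       # m-bit output of the i-th circuit
        x = toy_extractor(y, z, n)     # hashed back down to an n-bit input
    return y

# Toy usage: k = 4 "circuits" mapping 8-bit inputs to 256-bit outputs.
n = 8
circuits = [lambda x, i=i: hashlib.sha256(bytes([i]) + x.to_bytes(1, "big")).digest()
            for i in range(4)]
seeds = [os.urandom(4) for _ in circuits]
y_k = verifier_chain(circuits, n, random.randrange(2 ** n), seeds)
```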
The solution to this tension is to use interaction, in the sense that the verifier gradually reveals information about the y_i's, and now we will see how that solves it. That leads us to the second attempt. It starts the same: the verifier samples x_1 and z_1 to z_k and computes y_i and x_{i+1} for every circuit. But then, for every i from k down to 1, it first sends y_i; then the prover finds some x_i' such that y_i = C_i(x_i') and sends this x_i' back to the verifier; and the verifier checks that x_i equals x_i' and rejects if not. If all the checks pass, it accepts. However, clearly we have a communication overhead here: k times, the parties send y_i and x_i', which are of size m and n. This is the trivial communication complexity, and we want better than that. Soon we will discuss how to solve this communication overhead, but first let's discuss why this protocol is indeed honest-verifier statistical zero-knowledge.

For completeness, each circuit is injective, and therefore the prover can easily find the correct x_i. For soundness, let's consider again the first no-instance circuit, C_{i*}. We took care that the input x_{i*} is close to uniform, and we did that by using extractors. Therefore the prover's chances of finding the correct x_{i*} given y_{i*} are at most one half. And for zero knowledge, consider the simulator that generates the x's, the z's, and the y's similarly to the verifier and then just sets each x_i' to be x_i.

But we still have this communication overhead, which we want to eliminate. The way we will do that is by sending hints about y_i and x_i' instead of y_i and x_i' themselves. The verifier still sends y_k and the prover still sends x_1', but for every other y_i and x_i', the verifier, instead of sending y_i, will send a hint about y_i together with z_i. Then the prover will find an x_i' such that y_i = C_i(x_i'). Now there can be a few candidate y_i's that match the hint, and therefore multiple candidate x_i's, but the prover also has to check that the extractor applied to y_i and z_i equals x_{i+1}, and that narrows down the number of candidates again, which is enough for us. Then in return, the prover, instead of sending x_i', sends just a hint about x_i'. The hints are generated by pairwise independent hash functions. I won't have time to go over the details of that, but please feel free to contact me if you have any questions.
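Here is a minimal Python sketch of the second attempt's round structure, before the hint compression; it assumes injective circuits (the delta = 0 case) and an honest prover that simply brute-forces each preimage, and it can be exercised with the toy extractor and toy circuits from the previous sketch.

```python
def second_attempt(circuits, n, extractor, seeds, x1):
    """Second attempt (before hints): the verifier reveals y_k, y_{k-1}, ..., y_1
    one at a time, and the prover answers each with a preimage x_i'."""
    # Verifier's offline computation: y_i = C_i(x_i), x_{i+1} = Ext(y_i, z_i).
    xs, ys = [x1], []
    for C, z in zip(circuits, seeds):
        ys.append(C(xs[-1]))
        xs.append(extractor(ys[-1], z, n))

    # Interactive phase, i = k down to 1; each round costs m + n bits of communication.
    for i in reversed(range(len(circuits))):
        y_i = ys[i]                                   # verifier sends y_i
        # Honest prover: find x_i' with C_i(x_i') = y_i (brute force, illustration only).
        x_i_prime = next(x for x in range(2 ** n) if circuits[i](x) == y_i)
        if x_i_prime != xs[i]:                        # verifier checks x_i = x_i'
            return False
    return True
```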
Okay, so this sums up the batch verification protocol, and what we have left to discuss is why approximate injectivity (AI) is NISZK-complete. Let's recall the entropy approximation problem, introduced by Goldreich, Sahai, and Vadhan, who showed that it is NISZK-complete. To show that approximate injectivity is in NISZK, we show a reduction from approximate injectivity to entropy approximation, and to show that approximate injectivity is NISZK-hard, we show a reduction from entropy approximation to approximate injectivity. Again, I won't have time to go over the details here either, but feel free to contact me if you have any questions.

So let's summarize our results. We showed that every problem in NISZK has an honest-verifier SZK batch verification protocol with non-trivial communication of k + poly(n).

Two improvements to this theorem that are no longer open problems are a protocol that is statistical zero-knowledge against malicious verifiers, and a protocol that is public-coin; these were shown in a recent joint work with Rothblum and Vasudevan. More open problems are: batch verification for all of SZK, and not only for NISZK; communication complexity of only poly(n, log k); a constant number of rounds; and an efficient prover, in the sense that the prover can be implemented in polynomial time given access to a suitable witness. So with that, I will end this talk. Thank you very much for coming and for listening, and if you have any questions, please feel free to contact me.