 Hi! Welcome to this extended talk on composition with knowledge assumptions. I'm Tom Skerber, and this is joint work with my co-authors and supervisors, Agilos Kias and Paul Weiss, who's done at the University of Edinburgh at Agilos Kias. So I want to start a bit with our motivation, and if you've dealt with both knowledge assumptions and compositional systems before, then you're probably already familiar with this, but at the core these are both two very very useful concepts, and for knowledge assumptions they're useful because they often give succinctness where it would otherwise be impossible. The core idea of knowledge assumptions in many ways is that a short message can imply knowledge of something much larger, and this is something which is quite hard to do if you're not making assumptions about it. And in compositional systems you have a tendency to lose sight of the bigger picture of how cryptographic primitives actually end up being used, and it can be a large problem if they're used in ways that are not inherently secure, especially if they're interacting, perhaps negatively, with other cryptographic primitives somewhere else on the system. Perhaps there are shared secrets or shared messages that are being given to both systems, and there are correlations that can be drawn between these. This is something which you want to avoid, and compositional security gives you a very nice way of reasoning about why this does not happen in certain constructions. Now unfortunately the two tend to conflict, and we've seen in practice that this is because of the reliance on white box extraction in knowledge assumptions for the most part, and I'll get into that in a few slides. But essentially, especially when we've looked at this through the lens of how our ZK Snarks modeled, which was our primary motivation for this work, we ran into two approaches, and the first was, well, let's make a Snark protocol more complex and no longer as succinct in order to make it usable in a composable setting. So what's done here is often the witness is encrypted as part of the Snark proof, and this makes the proof both more expensive because you now need to prove correct encryption, and also it makes it longer and not succinct anymore because it contains the witness by definition. The other direction we've seen is an approach of we have composition up to non-interactive zero knowledge and assume that Snarks do that securely, and this is something that many works take, and some do this explicitly and say we are going to instantiate this with Snark, and we know that that doesn't fit into compositional frameworks, but we're going to do it anyway. This is obviously not satisfactory. There's a gap in the security analysis there, and it's a gap that should be filled. So to start with, I'm going to do a very brief recap of both compositional security and of knowledge assumptions to make sure that we're all on the same page. Now compositional security generally tends to be a fairly simple premise, which is you have some protocol of interacting systems on the left-hand side. Now they don't need to be interacting, but they tend to be, and you want to show that a series of interactions with something external, and this is usually where it gets instance instructions from, so these might be your proof or your verify or encrypt or whatever messages your protocol takes. These are the external interactions. We want to prove that this corresponds to some setting where you've got a trusted third party dealing with these, with everything, but with the same messages, and this isn't quite the entirety of the story. It gets a little bit more complicated than that, obviously, and one of the things that make this slightly more complicated in the compositional setting is the notion of an anniversary, and this notion is more complicated because usually in the real world we want to give the adversary quite a lot of power. It's denoted here through the dashed interfaces, and we want to have them have power over things like what are the exact ciphertexts that are being sent, be able to observe all network messages, this kind of power, which is a very large attack surface that our trusted third party here probably doesn't replicate, and in fact it shouldn't. We wanted the trusted third party to be an ideal of how this should be implemented, and so it would be ideal if it had a reduced attack surface, one which is secure by definition. That's what's usually done, and then in order to have any sense of equivalence, we need to expand this attack surface again. We need to show that this can be, that the larger attack surface can be replicated with it, and that's the task of the simulator that gives simulation security its name. So this simulator interacts with both the reduced attack surface and the larger attack surface that it provides in order to be equivalent with the real world protocol. Now the only thing that's left there and where the notion of composition really comes in is what does this indistinguishability notion, this equivalence between the two sides mean, and in practice what's done is a distinguishing environment to see. Now terminology is a little bit of an issue here that the two largest systems are universal composition and constructive cryptography, and our work follows more on the lines of constructive cryptography just because of its simplicity, but we are also aware that most people are more familiar with the universal composition terms. We're going to go in with universal composition terms here as well, and this distinguisher is actually the pair of your environment and your adversary, and as many people observe in universal composition you can use the dummy adversary with add loss of generality, because that's essentially what we're assuming here, we're assuming a dummy adversary where your environment is the attacker as well. And so this, the statement of security is usually one of you have a set of permitted distinguishes or environments, and you say that well for any distinguisher in this set, if you connected up with both your your protocol on the left hand side here and with your ideal world consisting of your specification or ideal functionality in UC terms and your simulator, if you connected up with both of these it's still equivalent. This doesn't quite reduce the problem because you've still got an issue with well one is when is one interactive system equivalent to the next, but one thing which you can do very nicely with the set is you can say well I don't want to have any open interfaces left except for one which outputs a single bit and this bit can be interpreted as a guess of is it in the left hand side or in the right hand side. So that is how this is usually phrased that you phrase it as a guessing game of the environment is trying to tell which of the two worlds it's in if it can't tell then you have security by definition because it means that any attack can be translated any attack against the real system can also be translated into an attack against the ideal specification and that the two behave identically. One thing which this notion affords is and this depends a bit on the the set of permissible distinguishes that you can freely move things between this set and the protocol or ideal functionality on the left or right hand side and this does depend on the set in particular if your set of distinguishing environments is closed under addition and subtraction of these notes and in the settings of universal composition and by constructive cryptography it is in our setting this is a little bit more complex and I'll get into that in a moment but if it is then this is what gives you composition for free because the semantics of the whole execution aren't changed by this move you're just reassigning what you're labeling what and it means it's still going to be secure for regardless of the set of distinguishes on the left and right hand side and yeah this can be used to both do sequential composition if you absorb simulators into the distinguisher and it can also be used for parallel composition by just absorbing parts which you're not interested in into the distinguisher or pulling them back out. Now I also want to briefly go over knowledge assumptions and I'm going to work with the example of the algebraic group model which is a very powerful and very useful knowledge assumption the basic premise is that if you have some algorithm which behaves algebraically and we'll get into the constraints of that the assumption usually is that all algorithms you're interested in including your attacker and your your environments will be algebraic then if this algorithm outputs a group model a group element in the algebraic group model so here it outputs y and it must know how to construct them from its inputs g and h in this case our our algorithm knows that y is g to the h to the b and this this should be the case for any algebraic system and to make concrete what it means for it to know this we introduce the notion of an extractor and this also is how you can interact with knowledge assumptions on a practical level the assumption is that there is an extractor which takes the same inputs as our algorithm it knows all of the details about the algorithm including its code and its randomness and instead of outputting the the group element it outputs how this group element can be constructed it outputs essentially a witness corresponding to the knowledge of this group and we call the group elements that are being output here knowledge implying objects in our setting in the sense that the possession of one of these objects implies knowledge of something further and we call these representations witnesses in our set now one of the the questions we ran into is how do you take this from a setting of where there's a single algorithm and move it to one where suddenly you have complex interacting systems sending messages and large parts of these messages are not going to be group elements are not going to be knowledge implying objects and to address this we introduce a rudimentary type system now most of this type system so everything here in black is is just dealing with standard messages how would you send bit strings how would you send a single bit how would you send a field element to these kinds of things but here in blue highlighted are the parts of this type system which are specifically dealing with knowledge assumptions and specifically given a specific knowledge assumptions and its public parameters which which is something I will not be going into in this talk we have two additional types of objects the first is knowledge implying object so this would be the group element y here and we also have an annotated knowledge implying object saying for a given set of inputs with this knowledge implying object we have a pair of both the object and its witness so in this case this would be both of these parts together and it's crucial that we have the inputs here because for any kind of knowledge assumption and not just for the algebraic group model you can trivially just pass on a knowledge implying object and that doesn't need to add any information but it's something that you can always do and as a result you need to know what your inputs are to know what witnesses are valid and the additional typing rules here are just essentially unwrapping this we say that well for whatever kind of knowledge implying object we have there's some internal representation of how this is actually sent over the wire and corresponding with these pairs there's also a representation of the witnesses and crucially if we have one of these pairs of knowledge implying objects and witnesses and these need to satisfy some relation depending also on what inputs you got now how do we use this in practice where would we want to use this in a compositional system so in practice we would want to attach mainly use extraction in the simulator so we now and this is sort of also where this runs into its its issues in standard compositional frameworks is we also normally want to extract from the distinguished environment so we want to get more knowledge about the distinguisher and in particular for attacker created objects so for example in the case of non-interactive zero knowledge we'd like to extract from a non-interactive zero knowledge proof that is created from the by the environment or by the attacker and this is the problem because what that means for your standard notion of extraction is well if we want the simulator to extract from from this part here it needs to know this part's inputs and this parts randomness and its code which in a composable setting means we have to give the simulator which is the ideal world attacker full access to the entire system and that means we have essentially removed all notions of privacy that are possible in our ideal world we can no longer express privacy properties that's something that we probably want to avoid so this is a the fundamental problem of why you don't have white box extraction in composable settings and how we get around this is we make it not quite white box and in particular we give the simulator essentially oracle queries just to this extractor and in practice we do this by lifting our environments into environments which give the simulator access to an oracle that allows it to query the extractor and essentially the way we do that is we assume first off that all of our distinguishes are what we call knowledge respecting or in the algebraic group model case would be algebraic and this is crucial because if this is not the case then we can't extract from it so we need to make this as an assumption next up for each of the individual parts of this environment we transform it into a part which outputs as well to witnesses in particular if we have an original message which contains a knowledge implying object that may be an extra bit of information we transform this into a message with the extracted pre-applied and this message outputs not just the knowledge implying object but also its witness so here it's outputting that y is g to the a times h to the v the exact representation of this doesn't really matter now this message is not what the recipient at the other end is going to expect it's going to expect just the knowledge implying object so we intercept this message at the the midpoint of these channels so we essentially add a new node to this network which does this intercepting and this node is charged with doing two things first is parsing out which part of this is the the interesting part the part with the knowledge implying object and the witness and sending this to a centralized repository of knowledge which is just going to record right this knowledge implying object has this witness and the second part is it's going to erase this again replace it just with the knowledge implying object and send that on and this centralized repository of knowledge is then queryable by the simulator in the ideal world now because there's a mismatch in the real world in the ideal world there's no entity querying it in the real world we also introduce a node which essentially just makes sure the connections are balanced which exists in both worlds now there's one thing which is still quite important here and that is we should not let the distinguishing environment itself query the knowledge repository and it's not immediately obvious why this is the case but i'm going to argue it now and essentially it's so that we can preserve some notion of composition and crucially imagine if we wanted to move things out of the uh distinguisher into the the protocol on the left here then one of the consequences of this would be that part of the protocol would be providing knowledge implying objects and witnesses to the knowledge repository and crucially while if we do this as a single step it might be the same on on both sides in multiple steps we may have a case where one of the steps has something on its left hand side that is not on the right hand side placing things into the into the knowledge repository and so there's essentially a case where it may very well be possible that the knowledge repository will have different contents in the real and ideal worlds just because of the technicalities of how we have moved things in and out of the distinguisher this is something we don't want the distinguishes of a different of that experiment to be able to say tell so it's something that could very easily break break security statements and make them very brittle if the distinguisher could just uh say query a non-interactive zero knowledge proof to the knowledge repository and ask was this created in the real protocol or not um and to prevent that we we explicitly forbid querying of the knowledge repository in both worlds and this has some interesting consequences because it means that um the simulators cannot immediately be absorbed into uh into the sets of distinguishes so we come up with a slight variant of the denotation of constructive cryptography and there there are various ways in which this differs but essentially we have a calculus that allows for differences in sets of distinguishes so we no longer need this to be a something that is fixed and it's something that can vary between uh statements of security and in particular we note that for transitivity um this means that you need to be secure with respect also to the simulator of the first step of the transitivity statement when you're doing the second step so essentially this forbids negative interaction between simulators um and same thing goes for a parallel composition where we forbid negative interaction with the parallel component uh now this has interesting implications for knowledge assumptions um specifically because if one of the simulators is actually using the knowledge repository you can't just easily absorb this into this into the distinguisher and uh the reason for this is uh quite simply because that would then give the distinguisher access to the knowledge repository directly so uh one of the interesting things we observed is that this is still going to work fine so long as you have disjoint sets of knowledge assumptions um for the most part so if you're doing a transitivity step and both steps use different knowledge assumptions this is fine you just need to uh knowledge lift the simulator of the first part and it's also fine with parallel composition so long as what you're parallelly composing with is knowledge respecting um and you can lift it with respect to the set of knowledge assumptions you're working with then the most part this means you're fine so long as you don't reuse knowledge assumptions across your system and we also given possibility results where we show that if you do try to reuse knowledge assumptions bad things happen uh and specifically bad things happen because uh now your simulator can be used to essentially provide the the distinguishing environment access to the knowledge repository and this allows to distinguish uh what parts are being put into this in the real and ideal world this happens with the simulator and transitivity and it happens with the parallel component and parallel composition now finally we have some concrete results on zk snarks um we give a proof sketch that graph 16 is composable in the upgrade group model we also take this a step further and we show that it's still secure um using special case composition if you're using a setup ceremony for graph 16 and we want to finish this talk with some practical questions in particular um we believe it's understudied which snarks are simulation extractable and we think this is would be something that's valuable to study both for existing and new snarks um and we also raise a an open question which this leaves which is uh this is only if knowledge assumptions are not being reused and what we see in practice is that group uh curved pairs are reused frequently and we would like to know if this is safe um and it's not obvious to us at this moment it may very well be that re-randomization guarantees this uh but it's remains an open question now if you're watching this before the conference um please feel free to drop into the live session and ask your questions if you have any uh if not drop an email to me and thanks for listening to this talk all right it was great having you bye