My name is Rex Fernando and I'll be talking about statistical ZAP arguments. This is joint work with Saikrishna Badrinarayanan, Ayush Jain, Dakshita Khurana, and Amit Sahai.

I'll start by going over what an argument system is. Let's say we have a language L in NP, which means that for every x in L there is an efficiently verifiable witness w for x. The story is that we have a prover that knows x and w, and a verifier that knows only x, and the verifier wants to be convinced that x is in L. To that end, an argument system is a protocol, potentially randomized, that the prover and the verifier can participate in, such that if x is in the language then the verifier is convinced of that. Now, for this argument to actually be convincing, it needs to be the case that for every efficient malicious prover and for every x that's not in the language, the verifier rejects with overwhelming probability. We call this property soundness.

In the context of cryptography, an argument system usually also satisfies some sort of privacy requirement. One such requirement is called witness indistinguishability, or WI. What this says is that for any two different witnesses for the same statement x, if the prover chooses one of the two witnesses at random, then any malicious verifier should not be able to tell which witness was used.

In this talk, we'll focus on a particular type of argument system called a statistical ZAP, which has the following requirements. First, the protocol is only allowed to have two messages. Second, the verifier is not allowed to have any private state, and its message is only allowed to be a uniform random string. This property is called public coin, and what it means is that any outside observer who sees the transcript of the protocol can decide whether or not the transcript is accepting. Finally, we want the WI property to hold against computationally unbounded verifiers.
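The two requirements just described can be written out in the standard way, with λ the security parameter and ⟨P, V⟩(x) denoting the verifier's output after interacting on input x (this is the usual textbook formalization, not notation from the talk itself):

```latex
% Soundness: no efficient cheating prover convinces the verifier
% of a false statement.
\forall\ \text{PPT}\ P^*,\ \forall x \notin L:\quad
  \Pr[\langle P^*, V\rangle(x) = \mathsf{accept}] \le \mathrm{negl}(\lambda)

% Statistical WI: for any statement x with witnesses w_0, w_1, even a
% computationally unbounded verifier V^* cannot tell which witness was used
% (\approx_s denotes statistical indistinguishability of the views).
\forall\ V^*\ \text{(unbounded)}:\quad
  \mathsf{View}_{V^*}\langle P(x, w_0), V^*\rangle
  \;\approx_s\;
  \mathsf{View}_{V^*}\langle P(x, w_1), V^*\rangle
```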
We call this property statistical WI. Computational ZAPs, satisfying computational WI, were introduced by Dwork and Naor in 2007, who gave the first construction of computational ZAPs from NIZK proof systems. But since 2007, it has remained open whether or not statistical ZAP arguments exist, and this question will be the focus of this talk.

Our first main result shows that the answer is yes: there exist statistical ZAP arguments for all languages in NP in the plain model, assuming quasi-polynomial LWE. In fact, the actual assumption we use is even better than this. It's a variant of LWE that I'm just going to call LWE*, which I'll explain at the very end; for now, you can forget I said this and think of our assumption as quasi-polynomial LWE.

For the remainder of this talk, I'm going to give a high-level overview of how our construction of statistical ZAP arguments works. To do that, I'll first talk about an exciting recent line of work that gives new techniques for building something called non-interactive zero-knowledge, and then I'll show how we use and build on these techniques to get our construction.

First, let me quickly review what we mean by a non-interactive zero-knowledge argument system, or NIZK. The goal of a NIZK is similar to that of an argument system like a ZAP, but now we want to remove the interaction completely: we want the protocol to consist of a single message from the prover to the verifier. On top of that, we want a stronger notion of privacy, called zero-knowledge, to hold. It turns out that these two requirements in tandem are impossible in the plain model. So to fix that, we work in a slightly different model called the CRS model, which allows for the possibility of NIZKs. In this model, we assume the existence of a trusted party, which we assume behaves completely honestly.
And this trusted party's only job is to provide a uniform random string to all parties, called the common random string, or CRS.

I'll introduce the recent work on NIZKs by describing a simple classical technique for taking a public-coin interactive argument and turning it into a non-interactive one. Let's say we're starting with a three-round interactive protocol, and we want to somehow make it non-interactive. One very simple idea is to have the prover run the protocol in their head and then publish the resulting transcript to the verifier. Since the verifier's message is simply a random string, the prover can compute it on behalf of the verifier, and since the interactive verifier has no private state, the non-interactive verifier can use the public verification algorithm to check the transcript.

There is a problem with this, though: the underlying interactive protocol assumes that the verifier's message e is uniformly random, and soundness is only guaranteed to hold if this is true. So it could be possible that there are some bad e's that the prover could choose in order to publish an accepting transcript for an x not in the language, that is, a false transcript. For this to work, we can't let the prover have so much freedom in choosing e.

There's a classical technique that fixes this problem, which works as follows. Imagine that both the prover and the verifier have access to some public hash function; remember that we're working in the CRS model, so we can let the CRS be a description of the hash function. We can then require that the prover choose the verifier's message e by hashing the prover's first message a, and when the verifier receives the transcript, they can verify that the prover computed e correctly. Let's think about what kind of properties this protocol has.
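The round-compression idea just described can be sketched in a few lines. The three callbacks below stand in for an arbitrary three-round public-coin protocol; they are illustrative placeholders, not a real zero-knowledge protocol, and the SHA-based hash is only a stand-in for the CRS-specified hash function.

```python
import hashlib

def fs_challenge(a: bytes, num_bytes: int = 16) -> bytes:
    """The public hash function described by the CRS (illustrative stand-in)."""
    return hashlib.sha256(a).digest()[:num_bytes]

def fs_prove(x, w, first_msg, response):
    a, state = first_msg(x, w)   # prover's first message a
    e = fs_challenge(a)          # verifier's message, computed by hashing a
    z = response(state, e)       # prover's final message z
    return (a, e, z)             # the published transcript

def fs_verify(x, transcript, accept):
    a, e, z = transcript
    # Check that the prover derived e honestly, then run the public
    # verification algorithm of the underlying interactive protocol.
    return e == fs_challenge(a) and accept(x, a, e, z)
```

A prover who substitutes a different e is caught by the `e == fs_challenge(a)` check, which is exactly the fix for the "bad e" problem above.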
I won't go into the details, but it's fairly straightforward to show that if the underlying protocol has certain zero-knowledge properties, then the resulting non-interactive protocol satisfies zero-knowledge. But soundness seems more tricky. To argue soundness, we would need to rely on some property of the hash function.

So let's take a step back. The reason it makes intuitive sense to use a hash function here is that hash functions are supposed to be unpredictable. But it's not clear whether any of the classical properties of hash functions, such as collision resistance, would be useful for us. This technique of using a hash function to compress rounds is actually quite old: it was introduced by Fiat and Shamir in 1986. But when they gave their construction, they didn't give any security proof, so the technique was originally presented as a heuristic. Since then, it has remained wide open whether it's possible to give security proofs for Fiat-Shamir-based constructions in any realistic model.

Before we go any farther, let's try to define more formally what a hash function would need in order for us to prove soundness for the protocol. Say there's an adversary who has some x that's not in the language. In order for the adversary to produce a corresponding false transcript, it would need an a* such that, when you hash a* to get e, there exists some z* such that the corresponding transcript is accepted. So we can define a relation R_bad consisting of those pairs (a*, e) for which there exists a corresponding z* that makes the verifier accept. In terms of this relation, we can now characterize exactly what the adversary needs: an a* where the corresponding transcript prefix is in the relation R_bad. So if we can construct a hash function that makes it hard to find such a*'s, then we achieve soundness. Obviously, this is a very generic and vague outline of what is needed.
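Written out, the bad-challenge relation just defined, and the adversary's task, look like this (V denotes the public verification algorithm of the underlying protocol, H the public hash function):

```latex
% For a fixed statement x \notin L, the bad-challenge relation:
R_{\mathsf{bad}} \;=\; \bigl\{\, (a^*, e) \;:\; \exists\, z^*
  \text{ such that } V(x, a^*, e, z^*) = \mathsf{accept} \,\bigr\}

% To cheat, the adversary must find a first message a^* whose
% hashed challenge lands in the relation:
\text{find } a^* \text{ such that } (a^*, H(a^*)) \in R_{\mathsf{bad}}
```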
But recently, a line of work was able to take this basic outline and turn it into a specific method for getting NIZKs from Fiat-Shamir. Moreover, the last work in this line was able to get NIZKs from LWE, which was not known previously. I'm now going to give a high-level overview of the last two works in this line.

The first of these two works is by Canetti, Lombardi, and Wichs. They make some important observations about classical interactive zero-knowledge protocols which are useful in this context. I don't have time to go into the details of the underlying zero-knowledge protocol, but in essence they observed that we can get a protocol where, if x is not in L, then there is exactly one bad e for every a*. What this means is that the relation defined on the previous slide is now a function. Moreover, they observed that if you make some modifications to the underlying zero-knowledge protocol, this function becomes efficiently computable. So in essence, they were able to make the requirements on the hash function much more specific and attainable.

The second work, by Peikert and Shiehian, constructed a hash function from LWE that satisfies exactly these requirements. In particular, their hash function has the following security property. Let's fix an efficiently computable function F and an efficient adversary. What we are guaranteed is that if a hash function H is chosen uniformly at random from the family, then it is computationally hard for the adversary to find any x such that H(x) = F(x). One detail, which will be important later, is that the choice of F has to be fixed before the choice of the hash function. Peikert and Shiehian were able to take this new hash function and plug it into the result of Canetti, Lombardi, and Wichs to get the first construction of NIZKs from LWE.
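As a toy model of this security game, the key point is the order of events: F is fixed first, and only then is the hash key sampled. The keyed-SHA family below is purely a stand-in to illustrate the game's structure; the real Peikert-Shiehian construction is lattice-based and nothing like this.

```python
import os
import hashlib

def sample_hash_key() -> bytes:
    # A hash function is chosen uniformly from the family
    # (here modeled by keying SHA-256 with a random string).
    return os.urandom(16)

def H(key: bytes, x: bytes) -> bytes:
    return hashlib.sha256(key + x).digest()[:8]

def ci_game(F, adversary) -> bool:
    """Correlation-intractability game.

    F is fixed BEFORE the hash key is sampled; the adversary sees the key
    and wins if it outputs an x with H(x) = F(x).  Correlation
    intractability says every efficient adversary wins with only
    negligible probability.
    """
    key = sample_hash_key()
    x = adversary(key)
    return H(key, x) == F(x)
```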
Now I'm going to talk about how we build on these techniques to get statistical ZAPs. As a first step, let's try constructing a computational ZAP. If we have the NIZK construction from the previous slides, then a natural idea for turning it into a two-round protocol without a CRS is to have the verifier choose the hash function H, and then have the prover send the computed transcript. Let's think about the security of this protocol. I won't go into the details, but it's fairly easy to show that this protocol satisfies witness indistinguishability. Soundness is more difficult, though, and in order to talk about soundness, I need to talk about commitment schemes, which I'll introduce now.

A commitment scheme is a two-phase protocol between two parties, called the committer and the receiver. The committer has a value x, and first interacts with the receiver to commit to this value. Later on, the committer supplies an opening to x, which the receiver verifies. In order to be useful, such a scheme is required to have two separate properties. The hiding property says that the committed value should be hidden from the receiver until the opening phase, and the binding property says that the committer shouldn't be able to open to any value other than the one they committed to.

With that in mind, I'm going to describe the messages of the underlying interactive zero-knowledge protocol that we've been working with this whole time in more detail. It turns out that the prover's first message a is actually a set of commitments, and the prover's second message z is a set of openings for a subset of these commitments, where the prover chooses which of the commitments in a to open based on the verifier's message e. Going back to our WI protocol and filling in the details, I can now describe a problem that we run into when trying to prove soundness.
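To fix the commit/open syntax described above, here is a minimal hash-based sketch. Its hiding and binding are only heuristic (random-oracle style), and the constructions in this talk use lattice-based commitments with very different properties; this is just to make the two-phase interface concrete.

```python
import os
import hashlib

def commit(x: bytes):
    """Commit phase: the committer sends c and keeps the opening private."""
    r = os.urandom(32)                  # fresh committer randomness
    c = hashlib.sha256(r + x).digest()  # the commitment sent to the receiver
    return c, (r, x)                    # (public commitment, private opening)

def verify_opening(c: bytes, opening) -> bool:
    """Open phase: the receiver checks the revealed value against c."""
    r, x = opening
    return hashlib.sha256(r + x).digest() == c
```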
Remember that H is correlation intractable with respect to some efficiently computable F, which takes a as input, and it turns out that in our case, for F to be efficiently computable, it needs to be able to open the commitments in a. The way the NIZK constructions solve this is by using a specific type of commitment scheme called a trapdoor commitment, where there is a set of public parameters which the commitment algorithm uses, and, corresponding to these public parameters, a master key which can be used to open any commitment. In the context of NIZKs, the commitment key can be embedded in the CRS, and the corresponding master key can be hard-coded inside of F.

But the problem in our case is that the prover chooses the public parameters for the commitment, which determine the master key. Note that we can't have the verifier choose the public parameters, because then no form of privacy would hold: the verifier could open any commitment that the prover sends. Also recall that the Peikert-Shiehian hash function only guarantees correlation intractability if F is fixed before H.

This seems like a big problem, but here's a seemingly silly idea: what if the verifier just guesses the master key at random and fixes the corresponding choice of F? Let's play this out. Imagine, for the sake of contradiction, that there is an adversary that takes an x that's not in L and is able to produce an accepting transcript with non-negligible probability. The question now is: does this transcript contradict the correlation intractability of the hash function? If the verifier guesses the master key correctly, then the answer is yes. What this means is that we can write the probability of contradicting correlation intractability in terms of the advantage of the adversary and the probability of guessing the correct master key.
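Spelled out, the relation just mentioned looks as follows. Here δ (the adversary's cheating probability) and k (the bit length of the master key) are my own labels for the two quantities in the talk, since the adversary and the guess are independent:

```latex
\Pr[\text{break correlation intractability}]
  \;\ge\; \Pr[\text{guess master key correctly}]
          \cdot \Pr[\text{adversary cheats}]
  \;=\; 2^{-k} \cdot \delta
```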
So let's fix the guaranteed correlation intractability advantage that the hash function gives us. If we can set the parameters such that the first probability is much bigger than the second, then we're done, and it turns out that we can do this if we're willing to assume that LWE is sub-exponentially hard. So with that, we have soundness. It also turns out that the hash function description is pseudorandom, so we also have public coin, and like I said before, we also get computational WI. So the only remaining question is whether this protocol achieves statistical WI.

It turns out, unfortunately, that the protocol fails to achieve this, because of the specific properties of the commitment scheme that we are using. Let's explore why. Recall that a commitment scheme needs two properties, hiding and binding. In our construction, the binding property holds even against computationally unbounded committers: even a computationally unbounded committer cannot open to any value other than the one they committed to. This is because of the master key: since the master key exists, every commitment has a corresponding well-defined message. So the binding property is statistical; we have statistical binding. And because of the statistical binding property, hiding can only be computational, that is, hiding that holds only against computationally bounded receivers.

What we would need for the previous protocol to be statistically WI is statistical binding, because of the master key, and statistical hiding too. But unfortunately, it is well known to be impossible to have a commitment scheme that is both statistically hiding and statistically binding. We can construct commitment schemes where either one of the properties is statistical, but not both.
At this point, it seems like we're stuck, and I think it makes sense to take a moment to appreciate just how stuck we seem to be. The requirement on the function F is that it has to be efficient, which seems to imply that the commitment has to have a trapdoor, a master key. Because of this trapdoor, the commitment has to be statistically binding, and as we just said, commitments that are statistically binding have to be computationally hiding, which dashes all hope of getting a statistically WI protocol. So it seems at this point that these techniques might be inherently limited to proving computational WI.

But of course, the ending to this story is a happy one, so let me tell you how it ends. It turns out that there is a very particular type of commitment scheme which somehow provides the two seemingly contradictory requirements of statistical hiding and efficient extraction. This commitment scheme looks like this. It is a two-round scheme: the receiver first sends a message, and then the committer sends a committing message. There is an extraction algorithm that takes the receiver's private randomness and the committer's message and outputs some x, and it should be the case that the only valid opening the committer can give is to x.

Of course, this picture as-is is impossible, since it would contradict hiding: any receiver could simply run the extraction algorithm. The main idea behind this commitment scheme is that we only allow the extraction algorithm to succeed with some negligible probability mu, and we then guarantee that even unbounded receivers cannot do any better than mu. More specifically, the committer and the receiver agree on an extraction parameter m, and the extraction algorithm succeeds with probability approximately 1/2^m.
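Purely to illustrate the probability structure (not the cryptography), here is a toy simulation in which extraction fires on roughly a 2^-m fraction of receiver messages. All names and mechanics here are invented for illustration; the actual scheme hides the extraction mode inside the receiver's message in a way even unbounded committers cannot detect.

```python
import random

def receiver_message_is_extracting(m: int, rng: random.Random) -> bool:
    """Toy receiver first message: in 'extraction mode' w.p. 2^-m."""
    return all(rng.getrandbits(1) == 0 for _ in range(m))

def try_extract(extract_mode: bool, committed_value):
    # Extraction succeeds only on the ~2^-m fraction of extraction-mode
    # messages; on the rest, nothing is learned about the committed value.
    return committed_value if extract_mode else None

def empirical_extraction_rate(m: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo estimate of the extraction probability 2^-m."""
    rng = random.Random(seed)
    hits = sum(
        try_extract(receiver_message_is_extracting(m, rng), "x") is not None
        for _ in range(trials)
    )
    return hits / trials
```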
And in the case where the extraction algorithm succeeds, the only valid opening is to x. Unlike before with the trapdoor commitment, this commitment scheme can be statistically hiding. This idea was introduced by Kalai, Khurana, and Sahai in a sequence of two works, and in the later work they were able to construct this type of commitment scheme assuming LWE.

Let's plug this back into our construction and see what we get. We can assume that the correlation-intractable hash function guarantees a negligible advantage of mu'. Now, with this new extractable commitment scheme, we can define an F that unlocks the commitments in a with probability approximately 1/2^m. So if we set m so that 1/2^m is negligible but still much bigger than mu', then we achieve soundness. It also turns out that the first message of this commitment scheme is pseudorandom, just like the hash function, so we get public coin as well. And now, finally, we get statistical WI.

There are several technical challenges that I'm sweeping under the rug. One in particular is that we have to modify the commitment scheme of Kalai, Khurana, and Sahai slightly so that we can support committing to a set of values without shrinking the extraction probability. Second, remember that in the computational WI construction I said we need to assume sub-exponential hardness of LWE for security to hold. It turns out that in this construction we can use a much weaker version of LWE, which I'll describe now. Recall that in the standard version of LWE, and in the standard version of almost all cryptographic primitives, the advantage of the adversary is specified as follows: for every adversary A, there should exist a negligible epsilon_A that upper bounds the advantage of that adversary.
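This standard quantifier order, and the swapped order discussed next, can be written side by side (Adv_A denotes adversary A's advantage; "negligible" and the asymptotics are the standard qualifiers):

```latex
% Standard formulation: the negligible bound may depend on the adversary.
\forall\ \text{PPT}\ A\ \ \exists\ \text{negligible}\ \varepsilon_A:\quad
  \mathrm{Adv}_A(\lambda) \le \varepsilon_A(\lambda)

% Variant: one universal negligible bound for all adversaries, holding
% asymptotically (for all sufficiently large \lambda, depending on A).
\exists\ \text{negligible}\ \varepsilon\ \ \forall\ \text{PPT}\ A:\quad
  \mathrm{Adv}_A(\lambda) \le \varepsilon(\lambda)
```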
In the version of the LWE assumption that we need, ostensibly the main difference is that we change the order of the quantifiers: there should exist one universal negligible epsilon that asymptotically bounds all adversaries' advantages. This might seem like a big difference, but in fact Bellare proved in 1997 that these two formulations are equivalent. It turns out that, in essence, this is all we need to construct statistical ZAP arguments, modulo the following two requirements: one, this universal epsilon should be efficiently computable, and two, we are allowed to build a protocol that depends on this epsilon. This version of LWE, with these two small differences, is what I meant when I was talking about LWE* before, and it is sufficient for our construction.

So, just to recap, we show that there exist statistical ZAP arguments for all languages in NP in the plain model. I should mention that there was a concurrent work by Goyal, Jain, Jin, and Malavolta which obtains the same result. I didn't have time to go over any of the details of our second main result, but we also observe that the same protocol, essentially unmodified, satisfies statistical zero-knowledge under super-polynomial simulation. Thus we achieve the first two-message public-coin SPS statistical zero-knowledge argument for all languages in NP in the plain model, and I'll refer you to the paper for details on this.

With that, I would like to conclude. Thank you.