Hello, everyone. My name is Yu Wang. I'm from USTC. Our title is Non-Interactive Zero-Knowledge Proofs with Fine-Grained Security. It's joint work with the judging panel.

In standard cryptography, we usually require that the honest party runs in polynomial time, and a polynomial-time adversary cannot break the system. By now, there have been a lot of constructions proposed based on various assumptions, such as one-way functions, factoring, discrete logarithm, DDH, LWE, or even the generic or algebraic groups. But it's still unclear whether these assumptions hold, so it's desirable to construct primitives based on no assumptions, or just some mild worst-case complexity assumptions. But in the long history of cryptography, it has turned out that this is quite difficult.

But fine-grained cryptography gives us a way to approach this problem. In the fine-grained setting, we just require that the honest party uses fewer resources than the adversary, and the resources of the adversary can be a priori bounded. Since the power of the adversary is limited, it's possible to construct primitives based on very mild assumptions. But notice that in the fine-grained setting, we also require that the scheme should be quite efficient. The field of fine-grained cryptography was initiated by Merkle, and there have been many fine-grained primitives proposed, such as key exchange, one-way functions, PKE, verifiable computation, trapdoor one-way functions, and ABE. But it's still unclear whether NIZK, which is one of the most important primitives in cryptography, exists in the fine-grained setting.

Now let's briefly recall the definition of NIZK. In a NIZK, the prover wants to prove that some statement x is in some language L, and there are five algorithms. Gen outputs some binding CRS, and TGen outputs some hiding CRS and a trapdoor.
The prover inputs the CRS, the statement, and the witness w, and generates the proof, and the simulator wants to simulate the proof by making use of the trapdoor without knowing the witness. The verifier just checks whether the proof is valid. The NIZK is required to satisfy three properties, which are completeness, perfect soundness, and composable zero-knowledge. Completeness says that honest proofs must pass the verification. Perfect soundness says that when the CRS is binding, then there exists no valid proof for some statement not in the language. Composable zero-knowledge says that a binding CRS and a hiding CRS are indistinguishable, and when the CRS is binding, then the simulator perfectly simulates the honest proof.

Actually, by now there have been several fine-grained proof systems proposed, such as the hash proof system proposed by Kassel and others, a QA-NIZK proposed by Wang and others, and a NIZK with an inefficient prover proposed by Bo and others. All of the existing proof systems in the fine-grained setting are secure against adversaries in NC1 under the assumption that NC1 is not equal to ⊕L/poly. NC1 is the class of circuits with logarithmic depth, and ⊕L/poly is the class of languages with polynomial-sized branching programs. Here notice that the assumption that NC1 is not equal to ⊕L/poly is quite mild, and this assumption is widely believed to hold, but there are limitations on the existing proof systems. For the hash proof system, the verifier cannot verify publicly. The reason is that it needs a secret key. For the QA-NIZK, it just supports linear languages, and the CRS should be dependent on the language parameter. And for the NIZK with the inefficient prover, it's actually not in the fully fine-grained setting. The reason is that the prover needs more computation resources than NC1. It has to run in polynomial time, so an honest user might use more power than the adversary.
In this work, we propose the first fully fine-grained NIZK for NC1 circuit satisfiability. In our construction, all of the CRS generator, the prover, the verifier, and the simulator run in NC1, and the construction is secure against all adversaries in NC1. The assumption is the same as before, which is that NC1 is not equal to ⊕L/poly. Notice that our NIZK supports all the statements verifiable in NC1. We also note that a statement circuit cannot go beyond NC1. Otherwise, even the honest prover in NC1 cannot decide with the witness whether the statement is true or not.

This is the roadmap of our construction. At first, we construct a Sigma protocol, and then we compile this Sigma protocol to a NIZK for linear languages. Afterwards, we compile this NIZK for linear languages to an OR-proof, and by making use of this OR-proof, we achieve our NIZK for NC1 circuit satisfiability.

Now, I will briefly introduce how we construct this Sigma protocol. In our Sigma protocol, the prover wants to prove that some statement x is in the span of M, where M is some matrix in the language parameter. In the first round, the prover randomly samples some matrix R, and sends M times R, which is denoted by C in our case, to the verifier. In the second round, the verifier sends some random string, which is the challenge, back to the prover. We denote this by k. In the third round, the prover sends the response D back to the verifier. D is equal to (R || w) times A, and the verifier just checks whether (C || x) times A is equal to M times D. Here, A is the transpose of the concatenation of a constant matrix S and Sk. Specifically, S is the transpose of the concatenation of a zero vector and an identity matrix I. We can prove that our Sigma protocol satisfies all the properties that a Sigma protocol should have, which are completeness, special soundness, and special honest-verifier zero knowledge. Next, I will introduce how we compile our Sigma protocol to a NIZK for linear languages.
Before introducing our construction, we first recall a lemma proved by Degwekar and others, which says that two distributions, ZeroSamp and OneSamp, are indistinguishable against NC1 adversaries if NC1 is not equal to ⊕L/poly. Here, ZeroSamp outputs a rank-deficient matrix M_0 and a vector s in its kernel, and OneSamp outputs a full-rank matrix M_1. So this lemma basically says that a rank-deficient matrix and a full-rank matrix are indistinguishable against NC1 if our complexity assumption holds.

Then in our Sigma protocol, we first change the distribution of S to LSamp', where LSamp' is some intermediate algorithm in ZeroSamp. In this case, the distribution of the transpose of A will become ZeroSamp. And then we set A as the hiding CRS. And we set k, which was the challenge sent by the verifier in the second round, as the trapdoor. Now the proof consists only of the first and third round messages. Now we can see that the Sigma protocol becomes a NIZK. The completeness of the NIZK follows from that of the Sigma protocol, and the zero-knowledge of the NIZK follows from the special honest-verifier zero-knowledge of the Sigma protocol. Soundness follows from the fact that when we switch the distribution of the transpose of A from ZeroSamp to OneSamp, the kernel of A will become empty and there will be no invalid x that can pass the verification. So this is how we achieve the NIZK for linear languages.

And next, I will talk about how we compile this NIZK for linear languages to an OR-proof. In the OR-proof, the prover wants to prove that for two matrices M_0 and M_1, either x_0 is in the span of M_0 or x_1 is in the span of M_1. Let's say that x_j is in the span of M_j where the witness is w.
To generate the proof, the prover first splits the CRS of the NIZK for linear languages, which was denoted by A, into a binding CRS A_j and a hiding CRS A_{1-j} with the trapdoor k'. Then it generates proofs for A_j and A_{1-j} with the witness w and the trapdoor k' respectively by making use of the prover and the simulator of our NIZK for linear languages. Soundness follows from the fact that when A is binding, which means that the transpose of A was sampled from OneSamp, then either A_0 or A_1 must be binding. Zero knowledge follows from the fact that when A was sampled from ZeroSamp, then both A_0 and A_1 must be hiding. So this is how we achieve the OR-proof.

Next, we talk about how we convert this OR-proof into a NIZK for circuit satisfiability. In our NIZK for NC1 circuit satisfiability, without loss of generality, we just consider statement circuits consisting only of NAND gates. At first, the prover extends the witness to contain the bits of all wires. Next, we use the DVV NC1-fine-grained PKE to encrypt all the bits. Here in the DVV PKE, the public key and secret key pair is sampled from ZeroSamp. And for the final output, which should be one if the witness is valid, we set the output ciphertext as a fixed ciphertext for one. The DVV PKE has two nice properties that are useful in our case. The first one is additive homomorphism, and the second one is that a ciphertext is in the span of the public key A if and only if the plaintext is equal to zero.

Now, for each NAND gate with the input ciphertexts ct_i, ct_j, and output ciphertext ct_k, the prover proves that the ciphertexts satisfy a relation supported by our OR-proof. Specifically, the relation says that e plus ct_i plus ct_k and e plus ct_j are in the span of A, or e plus ct_k and ct_j are in the span of A. Here e is the fixed ciphertext for the plaintext one. Now we can prove that if the ciphertexts satisfy the relation, then the corresponding plaintexts w_i, w_j, and w_k must be a valid input-output tuple of the NAND gate.
Specifically, w_i, w_j, and w_k should satisfy that 1 plus w_i plus w_k is equal to zero and 1 plus w_j is equal to zero, or 1 plus w_k is equal to zero and w_j is equal to zero. Then the soundness of the resulting NIZK follows from the fact that we can extract a valid witness from a valid proof by decrypting the ciphertexts. Zero knowledge follows from the fact that when we switch the distribution of A, which is the public key of the underlying DVV PKE, from ZeroSamp to OneSamp, then the ciphertexts will become random matrices and they will contain no useful information, and also the OR-proofs will reveal no useful information as well due to their zero knowledge. So this is how we achieve our NIZK for NC1 circuit satisfiability. Notice that in our construction the proof size is dependent on the circuit size, which means that the proof size might be very large if the statement circuit is very large.

Besides our NIZK for NC1 circuit satisfiability, we propose a fine-grained fully homomorphic encryption for AC0_CM[2] circuits. Here AC0_CM[2] can be treated as the class of all the polynomials of constant degree. Our starting point for constructing this fully homomorphic encryption is the DVV PKE, which was already additively homomorphic, and the main challenge is to achieve the multiplicative homomorphism. Our solution is a tricky way to extend the ciphertext of the DVV PKE from vectors to matrices. For the details, please see our paper. By making use of this fully homomorphic encryption, we can convert our OR-proof into a NIZK for AC0_CM[2] statement circuits. The class of statement circuits supported by this NIZK is more restricted compared with our NIZK for NC1 circuit satisfiability, but we note that it has a nice property that the proof size is independent of the circuit size, so the proof size could be very short even if the statement circuit is very large.

As extensions of our work, we propose a conversion from our NIZKs to non-interactive zaps.
Here a non-interactive zap means a NIWI in the plain model. To achieve our goal, we first prove that our NIZKs have verifiable correlated key generation, and then we make use of the GOS conversion technique proposed by Groth and others to convert our NIZKs to non-interactive zaps.

All the NIZKs we talked about before are in the CRS model, and we also propose a conversion from our NIZKs to ones in the URS model, where the CRS is just some random string. At the core of our construction, we prove that a random matrix with some particular form is a binding and hiding CRS with probability one half, and by running our NIZK with random CRSs for the same statement multiple times in parallel, we immediately achieve a NIZK in the URS model. The zero-knowledge of the resulting NIZK follows from the zero-knowledge of the NIZK in the CRS model, and the statistical soundness follows from the fact that for multiple random strings, at least one should be binding with overwhelming probability.

So this is the conclusion of our work. In our work, we proposed several proof systems that are secure against NC1 adversaries under the assumption that NC1 is not equal to ⊕L/poly. Our results include a NIZK for NC1 circuit satisfiability, a NIZK for AC0_CM[2] circuits with short proofs, and non-interactive zaps and NIZKs in the URS model. To achieve our NIZK for AC0_CM[2] circuits, we also proposed a fully homomorphic encryption for AC0_CM[2] circuits. Thank you.