 Hello, this is me, Alan Brana, and I'm going to talk about our work titled, A Secular City Programming for Sigma Protocols. This is a joint work with Masayuki Abe, Andrei Bogdanov, Alan Rosen, and Miyako Okubo. In his work, we present a new technique for combining Sigma Protocols, three move protocols that can be used to obtain very performance zero-knowledge-proof systems. Zero-knowledge-proof systems were devised by Golvaser Mikhailov in 1985. They allow a particle prover to convince a possibly skeptical verifier of the validity of certain mathematical theorems. The prover has a proof of the theorem, but she does not want to share it with the verifier. Instead, she wants to convince him of the validity of the statement, that is, of the fact that the theorem is true, but without revealing any information about her proof. A zero-knowledge-proof system is essentially a protocol that allows them to achieve this goal. After changing a few messages, the verifier will be convinced about the validity of the statement, or even about the fact that the prover knows a proof, but will have not learned anything in this process. Only that fact. In this talk, we will use x to refer to theorems for statements, and we will use w to refer to proofs or witnesses. We use an impregnation error to express the fact that a certain witness w is valid over respect to a certain statement x. Zero-knowledge-proof system is said to be complete if an honest verifier always accepts after interacting with an honest prover who really knows a proof. But it must also satisfy two other properties called soundness and zero-knowledge. Roughly, soundness protects the verifier in the sense that it is impossible or extremely unlikely that he will accept a proof of a false statement. On the other hand, zero-knowledge protects the prover in the sense that the verifier will not learn any information about her proof. A sigma protocol is a three-move protocol that can be used to obtain very efficient zero-knowledge proof systems. Remarkably, a sigma protocol must satisfy two very simple properties that could be seen as simpler versions of soundness and zero-knowledge. They are called spatial soundness and honest verifier zero-knowledge. We are going to illustrate what the sigma protocol is with a classical example of proving knowledge of a discrete logarithm. This is the celebrated protocol by Schnorr. Consider a group of prime order p generated by a certain element g, and consider relation r. The following protocol will allow prover to argue knowledge of the discrete logarithm w of x in base g. The protocol works as follows. The prover first commits to some randomness r. That is, the prover samples r uniformly from set p and sends a, computed as g to the power of r to the verifier. The verifier then samples a challenge e uniformly from set p. Finally, the prover responds with a valued set, which will be computed as shown in picture if the prover is honest. The verifier will accept the proof if g to the power of the received c equals a times x to the power of e. This protocol is too special sound because after a is transmitted, a prover who does not know w will only be able to answer correctly to one value of e among all the values in set p. In other words, and more formally, this protocol is too special sound because given two transcripts with the same first message a that satisfy the verification equation, the witness can be extracted in polynomial time. This protocol is also honest verifier zero knowledge because given an instance x and a challenge e, one can efficiently produce a transcript that is valid with respect to x and identically distributed to the transcript the two honest parities would produce. In the rest of this talk, we will denote by capital C and set the algorithm run by the prover and we will denote by v the final check by the verifier. We also denote by s which stands for simulator, the algorithm that produces a valid transcript from x and e. In general, the syntax of these algorithms is as follows. Note that algorithm C is allowed to use x and w in general, although in the example these values were not used to compute a. The properties that the sigma protocol must satisfy are weaker than those of a zero-knowledge pre-system. This makes it much easier to build and reason about sigma protocols. However, without much effort, they can be transformed into actual zero-knowledge pre-systems or arguments of knowledge. One way to do so is to use the Fiat-Schemer heuristic which consists of replacing the verifier by a hash function. In particular, a valid proof consists of an accepting transcript a, e and set where e is equal to the hash function evaluated on x concatenated with a. If the hash function h is modeled as a programmable random miracle, the resulting protocol is a non-interactive zero-knowledge argument of knowledge. It is a natural question to ask whether it is possible to compose several sigma protocols together. The CDS94 composition technique provides very good tools to do so by manipulating the challenge string. Suppose that we are given two sigma protocols, the first one with respect to a certain relation R1 and the second one with respect to R2. We can form a new sigma protocol for the predicate that joins in conjunction with R1 and R2 by running both sigma protocols in parallel with the same challenge. If instead we want to combine the relations in this direction, it is enough to run parallel copies of the protocols, this time within the little challenges e1 and e2 that can be chosen by the prover, but are bound to satisfying the following equation with respect to the very farest challenge e. This way, it is enough to know one of the witnesses in order to complete the proof. For example, if the prover does not know a witness for x2, she can choose e2 first and simulate the second trash curve with it. She will then compute a1 normally. When challenge e is known, she will set e1 to be ex4 e2 and complete the first trash curve using the witness w1. This idea generalizes two compositions and their more complex predicates as long as there exists a suitable sharing of the challenge string. Indeed, it is known that the CDS composition can be used to compose sigma protocols in a predicate expressed as a monotone span program on the atomic predicates. It is remarkable that the CDS-94 technique is a real composition in the sense that it maps sigma protocols to sigma protocols or to a sigma protocol. Furthermore, it needs no extra assumptions like random miracles. On the other hand, this technique is limited in the sense that the new sigma protocol size is proportional to the formula size or more generally to the span program size of the composing predicate. Note that the representation of some monotone predicates as a span program can be large. An example is directed connectivity, as we will see later. Another very important disjunctive composition technique is AOS, also known as sequential composition. It can be seen as a generalized version of the fiat charming heuristic. In this case, challenge e2 will be computed as the hash of a1 and challenge e1 will be computed as the hash of a2. For security, one may also need to include the statements x1 and x2 inside both hashes, but we have made these values for simplicity and for highlighting the number of a1 and a2 in each hash. Again, this is a proof of system for the disjunction of the original predicates. In particular, known one witness is enough to efficiently produce a valid proof. Suppose that the prover only knows a witness for x1, a witness w1 for x1. She can compute the first message a1 normally and this will unlock the value of e2. From e2, the prover can simulate the second transcript without knowing the witness for it and this will set the value for a2, which allows e1. Now the prover can complete the first transcript by using w1. This protocol can proven to be an interactive theory of knowledge argument of knowledge in the program of the random oracle model. Observe that the AOS technique can be generalized to psychos of other lengths, not just two. We can join three sigma protocols in disjunction with the following challenge dependencies. This approach leads to a ring signature scheme that can be used to combine snore and RSA signatures, one of the main applications mentioned in the work by Abeo Kubu and Suzuki. Furthermore, this technique has been recently revisited and shown to be useful for proving our affordability in the non-programmable random oracle model. In this work, we extend the AOS technique and consider more generalized structures than just a circle. For example, say we have four sigma protocols, each of them represented by a node in the following graph, where arrows represent challenge dependencies. If there is an arrow from node i to node j, we can say that j depends on i in the sense that ai, the first message of the transcript for sigma protocol i, must be included in the elements that are hashed to compute challenge ej corresponding to sigma protocol j. For example, given that node 3 has incoming edges from node 1 and node 4, challenge e3 is computed as the hash of a1 and a4. It turns out that doing so will give us a proving system for a composed statement of the sigma protocol predicates, but what composed statement is it? In this example, the composed statement is exactly this monotone formula. Note that the formula is expressed in conjunctive normal form, or CNF, and each disjunctive clause involves literals whose associated nodes form a cycle in the graph. To illustrate the proving process, suppose a prover holds a witness w1 and also w3 for statements x1 and x2 respectively. Note that this set of witnesses represents a satisfying assignment of the formula. The prover will proceed as follows. It will first start normally the transcripts for sigma protocol 1 and sigma protocol 3. This will relax all dependencies that involve a1 or a3. So let's remove all outgoing edges from nodes 1 and 3. Now, observe that node 2 has no incoming edges. This means that its challenge can be already computed. Certainly, as you can see, e2 should be the hash of a1 concatenated with a3, values that have already been set. The prover can therefore compute e2 and use it to simulate the second sigma protocol transcript. But this will set a value for e2, so all dependencies from a2 are now relaxed. Let's remove all outgoing edges from node 2. Finally, note that node 4 has no incoming edges now, so at this point the prover can compute e4 and use it to simulate transcript for sigma protocol 4. Finally, this will unlock the value of challenges e1 and e3, and the prover can finish the transcripts 1 and 3 by using the witnesses w1 and w3. On the other hand, let's see how a prover, without enough witnesses to satisfy the formula, will have a problem to complete the proof. Consider a prover who has witnesses w2 and w3, and note that these witnesses don't satisfy the formula. If we proceed as before, removing edges of transcripts whose value a is already chosen, we will end up in this situation, where a node that all nodes have incoming edges. So the prover has a problem now, because without witnesses 4x1 or x4, the prover cannot start transcripts 1 nor 4, because with w1 probability she will not be able to complete them. One may think that any monotone formula in CNF can be translated into a graph by having one node per statement and including cycles in the graph for every disjunctive clause. Unfortunately, this is not always true. Consider the following formula. We can add a cycle between nodes 1, 2 and 3. We then include a cycle between nodes 1, 2 and 4, and we need to include now a cycle between nodes 1, 3 and 4. However, note that with the new two arrows that we have introduced, we have also introduced an unintended cycle between nodes 1 and 3. In fact, no matter how we add the cycles in this graph, not that there could be several valid choices, we will always introduce an unintended cycle. To really model this formula, we would need to duplicate one of the nodes, for example, node number 3, to be able to add the intended cycle without introducing unintended ones. In this case, the proof could count with two different transcripts for signal product number 3. It is interesting to observe that in the previous example, which you can see now on the right, there also exist unintended cycles in the sense that they don't explicitly appear in the CNF formula, but this is not a problem. For example, note that we can cycle between nodes 2, 4 and 1, and it does not appear in the formula as an explicit clause. However, in this case, every unintended cycle contains the nodes of an intended one. So the graph actually models the formula. One may wonder what axis structures a cyclic graph captures in general, or in other words, what classes of monotone predicates can be efficiently expressed in this model? The answer is that our technique can capture any predicate that can be efficiently expressed as an acyclicity program. Acyclicity programming is a new model of computation introduced in this work that we define as follows. A monotone acyclicity program A is a directed graph G whose nodes are labeled by variables 1 to n, along with repetitions. Program A accepts a subset of variables S if and only if every directed cycle in G contains at least one node whose corresponding variable is in S. This is equivalent to saying that a set S is accepted by A. If the graph resulting from removing all the nodes in S contains no cycles. This is the description of our ACP Composition Prover. We just want to highlight that the general algorithm is essentially the same that we have described in our previous example. The prover will start all transcripts for which she knows a witness. This will relax some dependencies and will allow her to simulate those transcripts whose dependencies have disappeared. If the set of witnesses satisfies the acyclicity program, this process is guaranteed to finish by simulating all transcripts for which a witness is not known. Finally, the prover can complete initially started transcripts by using the corresponding witnesses. For proving that ACP Composition leads to a valid zero-knowledge argument of knowledge, we need to show knowledge soundness and zero-knowledge. Consider a prover machine that takes an acyclicity program A and outputs statement X and a proof pi. Note that this machine has access to the random miracle H and can potentially be malicious in the sense that it may deviate from the protocol specification. In order to argue knowledge soundness, we will show that if P star, so this machine runs in time t, has square complexity q and produces the value to prove on the chosen statement with probability delta, then we can build an extractor that uses P star. In order to produce a witness with probability at least delta divided by 2 and running in this expected time, here kappa is the special soundness parameter, so it's 2 in the case of 2 special soundness. Observe that if delta is non-negligible, then the extractor's running time is polynomial. We'll refer to the paper for details about the proof, but the main idea is that we can leverage the fork and lemma to extract at least one witness from every cycle in the graph in the used way program A. Finally, we will need to show that ACP composition satisfies the zero-knowledge property, but this can easily be done by leveraging the programmability of the random miracle. From a theoretical point of view, we studied the expressivity of our new model of computation and conclude that acyclicity programming is polynomial equivalent to branching programs. This diagram shows polynomial time-simulatability relations among different predicate representations. This makes our acp composition incompatible to the CDS-94 composition because there exist languages that can be efficiently described by acyclicity programs, but whose monotone span program representation is super polynomial and vice versa. Both methods of those are orthogonal in terms of the complexity and they complement each other. A major difference is that CDS-94 preserves the second protocol structure while our acp composition leads inherently to a non-interactive proof system which requires the random miracle model. In this work, we also propose a variant of our previous results that allows us to compose sigma protocols on predicate expressed as monotone circuits. Note that direct simulation of monotone circuits by acyclicity programs is inherently inefficient. That is why this new method leverages the extra assumption of an available common reference string that allows one to produce one out of two proofs for some auxiliary statements. Remarkably, this series can just be a group element h with a known discrete logarithm. This method transforms a monotone circuit into an acyclicity graph by translating AND gates into false statements and OR gates into a triple of statements connected as shown in the picture. So we have two schnor statements, a y and z, that point to a false statement with the extra condition that y times z must be equal to the common reference string. In the case of AND, the false statement cannot be proven, so it must be simulated. For that, it is necessary to have relaxed both of its dependencies. In the case of OR, it is enough to have relaxed the dependency of y or the dependency of z before the false statement can be simulated. For example, if the dependency of z has been relaxed, one can choose y with a known discrete logarithm and simulate the transcript for z. So this translation on a circuit would look like this. By placing the lookback edge from the node associated to the output gate of the circuit to all nodes associated to input gates, we have an acyclicity program for the circuit. We'll refer to our paper for more details. To sum up, we have presented another technique for combining signal protocols into a non-interactive zero-knowledge proof system that can be proven in the programmable random model. Our model allows us to combine signal protocols and the predicates expressed in a new model of computation that is not comparable to existing techniques. Furthermore, it is not limited to two special sound protocols, unlike CDS-94, and it can lead to more compact proofs in some cases. Thank you very much for your attention.