Yes. Thanks. So as protocol dictates, I have to repeat that this is joint work with Ronald Cramer from CWI Amsterdam and Chaoping Xing and Chen Yuan from NTU in Singapore. Let me dive straight into the primitive that we use all the time in this talk, something we call an integer one-way function, for lack of a better name, I guess. It basically maps an integer to a finite abelian group G. It must be hard to invert, and the function must be additively homomorphic, so f(x + y) = f(x) + f(y). In the paper we consider the general case of mapping vectors with integer entries into the abelian group, but for the talk I'll just stick with single integers as input; that's just for simplicity.

There are tons of examples, and the reason for this abstraction is of course that it captures a lot. For instance, pretty much any lattice-based cryptosystem you'll see in the literature has an encryption function that is an integer one-way function, if you consider it as a function from both the message and the randomness to the ciphertext. Lots of lattice-based hash functions are the same, basically because you take some public matrix and multiply it by a vector consisting of the inputs. Integer commitment schemes are another example, and those don't have to be lattice-based, by the way; there are also examples based on the strong RSA assumption, which, as you'll see at this conference, can also be based on just the RSA assumption. So it's a pretty general thing, and therefore it's also interesting to be able to give zero-knowledge proofs for these functions.

So there's a prover who claims that he knows a numerically small (or, in the vector case, short) preimage x for a public output value y. The reason it's so important to be able to do this efficiently is that if, for instance, the integer one-way function is the encryption function of a lattice-based cryptosystem, then what the prover is really doing is proving that his ciphertext is well formed. In other words: I chose message and randomness inputs that were short enough that there was no overflow during the encryption process, and therefore this ciphertext decrypts to a unique value. This is what you need for, say, proof of plaintext knowledge, or proof of input knowledge in many MPC protocols, for instance. And if f is a hash function, then what you want to prove is that I know a preimage that is short enough that nobody, including me, can find another preimage mapping to the same output. So this kind of thing is definitely something we want to solve in many different contexts.

Here's a very simplistic approach. We have the prover on top, who knows x. Both parties know y = f(x), and the prover claims that x is numerically smaller than some fixed bound B. The prover chooses, let's say, a smallish random r, applies f, gets a, and sends this over; the verifier challenges with a zero-or-one value e, and the prover must return z = r + e·x, which is either r itself or r + x. If you apply f to both sides of that equation, you get f(z) = f(r) + e·f(x) = a + e·y, and that's an equation the verifier can check. In addition, because a smallish r plus a small x is still, quote unquote, smallish, the verifier can also check that z is actually a small value, whatever that means precisely.
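To make the shape of that round concrete, here is a minimal Python sketch of one iteration with a binary challenge. The map f, the modulus, the base, and the bounds are toy placeholders chosen only for illustration (a discrete-log style map written multiplicatively, so f(z) = a·y^e plays the role of f(z) = a + e·y); they are assumptions, not the one-way function or parameters from the paper.

```python
import secrets

# Toy instantiation: f maps an integer to a finite group homomorphically,
# here the multiplicative group mod P with f(x) = G^x, so f(x + y) = f(x) * f(y).
# This only makes the round runnable; it is NOT the one-way function from the paper.
P = 2**127 - 1           # a prime (toy parameter, assumed)
G = 3                    # toy base
def f(x: int) -> int:
    return pow(G, x, P)

B = 2**20                # claimed bound on the honest prover's preimage (assumed)
SLACK = 2**40            # r is taken much larger than B to mask x

def prover_commit(x: int):
    r = secrets.randbelow(B * SLACK)          # "smallish" random mask, still >> B
    return r, f(r)                            # keep r, send a = f(r)

def prover_respond(r: int, x: int, e: int) -> int:
    return r + e * x                          # z = r + e*x over the integers

def verifier_check(y: int, a: int, e: int, z: int) -> bool:
    # f(z) must equal f(r) * f(x)^e = a * y^e, and z must still be "small".
    return f(z) == (a * pow(y, e, P)) % P and 0 <= z <= B * SLACK + B

# One round with a binary challenge:
x = secrets.randbelow(B)                      # honest prover's short preimage
y = f(x)
r, a = prover_commit(x)
e = secrets.randbelow(2)                      # challenge is 0 or 1
z = prover_respond(r, x, e)
assert verifier_check(y, a, e, z)
```

The large masking range for r already hints at the slack problem discussed next.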
So this is fine, but there are several problems here. Problem number one is that to make this zero knowledge we need the distribution of the value r to not change much when we add x, so that we can simulate by just choosing a random value in the right interval. This means that r must be much bigger than B, by a factor that is exponentially large in the security parameter. And since we use those responses from the prover to extract a valid input from a cheating prover, this means that in the end we may only extract a much bigger preimage from a cheating prover than what the honest prover is using. This is annoying: we say that the soundness slack, the multiplicative factor between what the honest prover uses and what we can force a dishonest prover to use, is in this case exponential in the security parameter. The reason a large slack is so annoying is that if we were doing this for an encryption function, say, then we would only be able to ensure that the dishonest prover knows values that are much bigger than what he should be using, and so in the encryption scheme we would have to choose bigger parameters to make sure that even encryptions with those larger values don't overflow. This means everything gets bigger and therefore less efficient, so we'd like to avoid that: we want small soundness slack.

Problem number two is that of course you have to repeat the protocol k times, if you just do this, to get a small soundness error probability. Usually in other domains you just take e from a larger set and everything is solved. That doesn't work here, because in the extraction for the soundness proof you have to divide by the difference between two challenge values to get the answer you're after, and here we have to work over the integers, since that's the input domain, so we can only divide by one and minus one. I mean, we can't really have a larger challenge domain. So the overhead is large in the simplistic solution; that's also something we'd like to reduce.

So what do we know about this problem? If we just want to prove knowledge of a single preimage, we don't know how to reduce both overhead and soundness slack at the same time: using Lyubashevsky's rejection sampling we can reduce the soundness slack, but we cannot reduce the overhead at the same time. So what people have done instead is to consider a large number of images y1 up to yn and look at the amortized cost of proving preimage knowledge. That's been done a few times: there is work by myself and Ronald Cramer in 2009 where we get constant overhead but unfortunately still exponential soundness slack. Later, at Crypto, with Baum, myself, Larsen and Nielsen, we also got constant overhead but now, let's say, quasi-polynomial soundness slack. In this work we take the final step and get constant overhead and linear soundness slack. Okay, there's one more parameter actually, because as with all amortized results, you have to amortize over enough instances before the improvement kicks in. What this means here is that n must be large enough compared to k, and in our simplest version of the result we need n to be k squared. That version is actually a pretty simple solution and the constants are very small, so it has real practical potential.
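Just to make the first problem quantitative, here is a tiny back-of-the-envelope sketch with assumed toy numbers (not parameters from the paper): if the mask r is uniform in [0, R), then r and r + x differ in statistical distance by at most B/R, so pushing that below 2^-k forces R to be around B·2^k, which is exactly the exponential soundness slack just described.

```python
# Why the mask r must be exponentially larger than the bound B:
# if r is uniform in [0, R) then r and r + x (for 0 <= x <= B) have
# statistical distance x / R <= B / R.  To push this below 2^-k we are
# forced to take R >= B * 2^k, and the extracted preimage can then be as
# large as about R + B, i.e. a multiplicative soundness slack of ~2^k.
def required_mask_size(B: int, k: int) -> int:
    return B << k            # R >= B * 2^k

B, k = 2**20, 80             # toy bound and security parameter (assumed values)
R = required_mask_size(B, k)
print(f"mask range R = 2^{R.bit_length() - 1}, slack ~ 2^{(R // B).bit_length() - 1}")
```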
We can also do more and reduce this to k^1.5, and there is work subsequent to ours that does even better, arbitrarily close to k in fact. But the more of this you do, the more unpleasant the constants get, so it becomes less and less practical; asymptotically, though, it seems you can get really close to k.

Okay, so let's look at the construction. First of all, we borrow an ingredient from previous work, something called an imperfect proof, which is basically a very simple cut-and-choose style protocol plus rejection sampling. At first sight this is very nice: we get constant overhead and constant soundness slack, so what's not to like? Well, the problem is that it only allows us to extract from the prover in a limited sense: if he survives the protocol, we get almost all the preimages we want, but we may be missing up to k of them. The further problem is that we don't know ahead of time which k we're going to miss; that's going to be adversarially chosen. I should mention that in very recent work by Lyubashevsky et al. there is an improved version of this imperfect proof where, for a little bit of extra work but the same communication complexity, they miss even fewer of these preimages than before. That can pretty much be plugged into our result and you'll get an even more practical protocol, but that's a different story.

So the main protocol is our contribution, and we combine the imperfect proof with the homomorphic property of the function and a bipartite graph with certain nice properties, and in this way we get a protocol from which we can extract all the preimages. There's a slight cost in a bigger soundness slack, but not much.

Okay, so how does this work? Well, here's a bipartite graph. There are going to be n nodes on the left and some nodes on the right, and remember n was the number of preimages we want to prove knowledge of. We take the images we're given publicly and assign one of them to each of the left-hand nodes. Then to each right-hand node we assign the sum of the y values coming from its neighbors on the other side; this is completely natural. So the node shown gets y1 + y3 + yn assigned, because it is hit by exactly those values from the left-hand side. Good. Now the idea is to run the imperfect proof on all values on the left and also on all values on the right. And remember, I told you that this means that if the prover survives, we can extract from him really small preimages of almost all these values. So we'll get something like this: we can write, say, y1, y2, y3 as f of something, and similarly on the other side, but we'll miss some values. Let's say for example that we fail on one instance on either side. This means we're not done, because we wanted a preimage of yn, of course, but the point is that if the graph is nice enough, we're still in business. The point is that even though we failed on yn, we can find a node on the right-hand side where, one, we succeeded in getting a preimage of its value, and two, the target value yn is the only failed value in the neighborhood of that node. You can see that this is exactly what happens in the picture: we know preimages of y1 and y3, and on the other side we know a preimage of the sum, so we can just solve for yn. That's what we do at the bottom here, and there's a small sketch of the algebra below.
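Here is a small Python illustration of that solve-for-yn step. To keep it self-contained it substitutes a toy additively homomorphic map (multiplication by a public constant modulo a prime, which is of course not one-way); the toy values are assumptions, and the point is only the algebra and the triangle-inequality bound, not security.

```python
# Toy additively homomorphic map, only to illustrate the algebra of the
# extraction step (it is of course not one-way): f(x) = A * x mod Q.
Q = (1 << 61) - 1        # toy modulus (assumed)
A = 1234567891011        # toy public multiplier (assumed)
def f(x: int) -> int:
    return (A * x) % Q

# Suppose the imperfect proof gave us short preimages x1 of y1 and x3 of y3,
# plus a short preimage z of the right-hand node's value y1 + y3 + yn, but no
# preimage of yn itself.
x1, x3, xn_secret = 17, 42, 99          # xn_secret is unknown to the extractor
y1, y3, yn = f(x1), f(x3), f(xn_secret)
z = x1 + x3 + xn_secret                 # f(z) = y1 + y3 + yn by homomorphism
assert f(z) == (y1 + y3 + yn) % Q

# Solve for yn: yn = f(z) - y1 - y3 = f(z - x1 - x3), so z - x1 - x3 is a
# preimage of yn, and |z - x1 - x3| <= |z| + |x1| + |x3| (triangle inequality).
xn_extracted = z - x1 - x3
assert f(xn_extracted) == yn
print("extracted preimage of yn:", xn_extracted)
```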
We solve for yn, plug in what we know about y1 and y3, use the homomorphic property, and we've managed to write yn as f of something, so we have a preimage. Furthermore, just by the triangle inequality, since all those values were small to begin with, we can also infer a small bound on that expression. So that's great, and you can probably feel immediately that this is what's going to generalize: if the graph is nice enough in a particular sense, there's an obvious abstract property we can demand from the graph, and then this will always work. So let me just say what that is.

First of all, we want the in-degree on the right to be O(k); then the soundness slack will also be O(k), because we never need to deal with the sum of more than O(k) things coming from the other side. Then we want something called the strong unique neighbor property. This looks a little complicated, but it isn't really; it's just an abstraction of what we saw on the previous slide. What we want is that if we take any set A of size k on the left and any set B of size k on the right, then for any node little a in A there is a node on the right-hand side, outside B, that saves us, in the sense that if I take the intersection of A with the neighborhood of that node, then little a is the only thing in the intersection. That is exactly what saves the day, because then we can extract the preimage of a's value when we use this in the protocol; that's why extraction works. The reason we call it this is that in expander graph theory there is already something called the unique neighbor property, which is similar; we call ours the strong unique neighbor property because we demand that this unique neighbor exists even if we exclude the small subset B on the right-hand side: you can still find a node that saves you.

Now of course we need to build such graphs to make this work. This is in general related to graphs with good expansion properties, but the known results don't do quite what we want. There are various approaches to fixing this, but there is a very direct way to do it based on simple universal hash functions. Here's the construction. We take a prime p that is bigger than 2k + 1 but, hopefully, not much bigger. We consider the field F with p elements, and a member of our family of universal hash functions is defined by a single field element h: the function maps a pair of field elements (a0, a1) to h·a0 + a1. Now, from this hash family we define the nodes on the left simply as pairs of field elements, and the nodes on the right as pairs consisting of a hash function and a field element, which of course amounts to the same thing, since a hash function is also defined by a single field element. So we get p² nodes on both sides. Finally, there is an edge from the node defined by the pair (a0, a1) to (h, b) exactly if the function h takes (a0, a1) to the value b. Pretty simple stuff. In the diagram it says the same thing: there is an edge from the pair on the left up to (h, b) exactly if the equation h·a0 + a1 = b is satisfied. This way we get a good graph with, it turns out, at most 16k² nodes on each side, and in-degree O(k); there's a small sketch of the construction below.
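Here is a minimal Python sketch of the graph just described, scaled down so it can actually be enumerated; the particular values of k and p, and the "failed" set A, are assumptions made up for the demonstration rather than parameters from the paper.

```python
from itertools import product

# Sketch of the universal-hash bipartite graph (parameters scaled down to be
# inspectable; in the paper p is a prime a bit larger than 2k + 1).
k = 3
p = 11                                # a convenient prime > 2k + 1 here

left_nodes  = list(product(range(p), repeat=2))   # pairs (a0, a1) in F_p^2
right_nodes = list(product(range(p), repeat=2))   # pairs (h, b): hash index + target

def is_edge(a0: int, a1: int, h: int, b: int) -> bool:
    # Edge from (a0, a1) to (h, b) iff h_h(a0, a1) = h*a0 + a1 = b in F_p.
    return (h * a0 + a1) % p == b

# Every right node (h, b) has exactly p incoming edges: for each a0 there is a
# unique a1 = b - h*a0, so the in-degree is p = O(k).
for (h, b) in right_nodes:
    indeg = sum(is_edge(a0, a1, h, b) for (a0, a1) in left_nodes)
    assert indeg == p

# Tiny illustration of the unique-neighbor idea (not the full strong property
# from the paper): for a small "failed" set A on the left, look for a right
# node whose neighborhood meets A in exactly one element -- such a node lets
# the extractor solve for the missing preimage as in the previous sketch.
A = [(0, 1), (2, 3), (4, 5)]                      # hypothetical failed left nodes
target = A[0]
savers = [(h, b) for (h, b) in right_nodes
          if is_edge(*target, h, b)
          and sum(is_edge(a0, a1, h, b) for (a0, a1) in A) == 1]
print(f"{len(savers)} right nodes have {target} as their unique neighbor in A")
```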
The in-degree bound is clear immediately from the construction, because if there is an edge into (h, b) at all, the equation h·a0 + a1 = b must be satisfied; so if I fix h and b, there are exactly p solutions to that equation, one choice of a1 for each a0, and that is the in-degree. The strong unique neighbor property is more complicated; you'll have to see the paper for that, but I think it's intuitively quite reasonable, because it follows from the collision probability of the hash function. What's going on is that the hash functions take any small subset on the left-hand side and spread it out across most of the domain on the other side, so it's quite likely that you'll find, in fact, quite a few nodes on the right-hand side that have a given node as a unique neighbor. That means that even if you exclude a few things on the right-hand side, which we have to do, you'll still find at least one node that saves the day in this way. So it's basically collision probability plus combinatorics and a few union bounds. Good.

There is also an alternative construction where we base ourselves more on known results: there are certain known graphs with very good expansion properties. They're not known to have exactly what we need, but we can take previous proof techniques and adapt them to get it. It turns out we get something that doesn't look very good at first sight: this time we get k³ nodes on both sides, and a strong unique neighbor property that only holds in a probabilistic sense. That doesn't sound great, but this construction has the peculiar property that even if n is way too small, much smaller than k³, you still get from it a protocol that will not get rid of all the values for which we don't know preimages, but will reduce the number of unknown preimages very much; it will be much smaller than before. What this means, again very intuitively, is that I can start with an n that is really too small to work in the first place, apply this probabilistic result first, get a much smaller number of remaining unknown preimages, and then apply a scaled-down version of the first result, the one with the hash functions, to get rid of the rest. With this two-step process you can actually get something where the overhead is O(1) and the soundness slack is O(k), but now n only has to be k^1.5 to make it work. And if you're thinking that it should be possible to do more steps like this and get n even smaller, that is indeed true; it's not in this paper, but I'm told by Ronald and his student in Singapore that this actually does work. I should also say, by the way, that if you want a graph that has exactly those properties I was talking about, the ones the hash-function construction achieves, one can show that you cannot get below roughly k² for such a graph. So if you want to take this approach and go below k², you have to do something else, some probabilistic thing like we did here; there aren't any better graphs than what we have there.

Okay, so I should give Omar Rankov an acknowledgement for an idea that led us to this result, and apart from that, that was what I had to say, so thank you.