Hello, everybody. This is a recording of our Asiacrypt 2021 paper "Gentry-Wichs is Tight: a Falsifiable Non-Adaptively Sound SNARK". My name is Helger Lipmaa, and the paper is co-authored with Kateryna Pavlyk. We both work at Simula UiB in Bergen, Norway. Sorry if I sound a bit off, because I'm still sick.

This paper is about non-interactive zero knowledge, so let us briefly recap the notion. In the case of NIZK, there are two players, the prover and the verifier. The prover and the verifier both share a public input, but the prover also has access to a private witness. The goal of the NIZK proof is for the prover to convince the verifier that the public input satisfies some property, or, as we say, belongs to some language L. To do that, the prover creates a proof, pi, and sends it to the verifier. The verifier, given the input and the proof, can then check whether the input really belongs to this language. More precisely, we are going to talk about something that is called a succinct non-interactive argument. So let us recall the security and efficiency properties of a succinct NIZK. First of all, it has to satisfy completeness. That means that the honest prover must convince the honest verifier. Second, it has to satisfy soundness, which means that the honest verifier does not accept a dishonest prover. Third, it has to satisfy zero knowledge, which means that the honest prover's private information is not leaked. Now, if a proof system satisfies those three properties and it has a single message, we say that it is a NIZK. In addition, if it satisfies the following efficiency property, we have a succinct NIZK. The property is as follows. It just states that both the proof length and the verifier's verification time must be small compared to the witness length, or ideally even compared to the input length. In that case, we have a succinct NIZK, or, as it is more popularly known, a SNARK, a succinct non-interactive argument. Why is everyone working on SNARKs?
By now, this is quite obvious, because there is just a lot of money in it. There are hundreds of papers in top conferences that all propose new SNARKs or variants thereof for different applications. They are also used prominently in real life. And if you look at the SNARK papers, they all claim the following thing: our construction is based on non-falsifiable assumptions due to the impossibility result of Gentry and Wichs from 2011. Our paper is about this last statement.

But before explaining Gentry-Wichs, let me just briefly mention that in the world of zero knowledge, there are a lot of impossibility results. For example, NIZK is impossible in the plain model, and thus people use the CRS model, where it is assumed that there is a trusted party who outputs a common input to all parties. It is also known that succinct zero-knowledge proofs are impossible for NP, and because of that, people use what are called arguments, that is, computationally sound proofs. Third, it is known that falsifiable perfect zero knowledge is impossible for NP, and this is why people either use non-falsifiable assumptions or they use computational zero knowledge. And there are a lot of different impossibility results, too many to mention. In many of those cases, the known impossibility and possibility results match. For example, NIZK is impossible in the plain model, but there is a plethora of NIZKs that are known to be secure in the CRS model.

So what is this famous Gentry-Wichs result about? It basically states that the following properties cannot be achieved at the same time: adaptive soundness, succinctness, hard languages, and falsifiable assumptions. And while I am prominently mentioning Gentry-Wichs, there are actually several papers that have shown that this combination is not achievable. They just work for slightly different notions of reductions. So what are those four properties about?
First of all, succinctness means that you want to have efficient communication and efficient verification. Second, hard languages basically means that you can handle all NP languages, which means that you can actually give zero-knowledge proofs for something non-trivial. Adaptive soundness is a bit trickier property. It just means that your proof system must be sound even if the chosen input depends on the CRS. And finally, falsifiable assumptions are assumptions where, intuitively, one can efficiently check if the assumption was broken.

One can argue that the first three properties are really necessary for NIZKs or SNARKs to be used in practice. You want efficiency, you want to be able to handle expressive languages, and you want to have this adaptive soundness property. On the other hand, the last property has not been important in practice. People are still using SNARKs, and they are implementing them, and there is a lot of money in it, even if the SNARKs are based on non-falsifiable assumptions. And the reason for that is that you must use non-falsifiable assumptions to get the first three properties. However, non-falsifiable assumptions are quite poorly understood, and they could potentially be broken, if not in theory, then in practice.

Now, when we look at this Gentry-Wichs result, as I said, it basically states that one cannot achieve the four properties at the same time. And there is good evidence showing that this is tight. There is a very famous result by Feige, Lapidot, and Shamir from 1991. They achieve adaptive soundness, hard languages, and falsifiable assumptions, but their argument system is not succinct. There is more recent work on delegation schemes that achieves all the other properties, but it works only for the complexity class P. And there is the famous line of work on SNARKs that achieves all the other properties, but they are based on non-falsifiable assumptions. Curiously, there is a gap here.
Basically, there is no previous work that proposes succinct arguments for hard languages based on falsifiable assumptions that are possibly, or necessarily, non-adaptive. This is the main result of the current paper. Because non-adaptive soundness is so important in the current paper, we will explain it a bit more in the next slides.

First of all, I already mentioned the CRS model; all practical SNARKs work in this model. In that model, you assume the existence of a trusted third party, and then you have a prover and a verifier. The trusted third party honestly generates the CRS and sends it to the prover and the verifier. After that, the prover chooses a common input and a secret witness. The fact that it is chosen after the CRS is important, because it might depend on the CRS. Then the prover sends the common input and the argument to the verifier, who uses the CRS to check whether the statement is true. Again, this is the common adaptive case, where the CRS is created in the beginning and we want to have soundness even in the case when the input is chosen maliciously in a way that depends on the CRS.

Now, the non-adaptive case has a subtle difference. Namely, in that case, the prover first chooses the input and the witness and sends the input to the verifier, and only then do they receive the CRS from the trusted third party, and then the prover creates an argument and sends it to the verifier. Note that it does not mean that a non-adaptive NIZK or SNARK requires this temporal order. What it means is that soundness is only guaranteed in the case where the input does not depend on the CRS.

So what are our results? Most importantly, we propose FANA, which is a falsifiable non-adaptively sound SNARK for NP. It is succinct: the argument is only 14 group elements. This closes the gap in Gentry-Wichs. In this sense, we see it as an important theoretical advance, but FANA itself is also concretely quite efficient. We also prove that FANA satisfies some additional properties.
First of all, in our main result, we just show that FANA is non-adaptively sound under falsifiable assumptions. In addition, we show that it is non-adaptively knowledge sound in the algebraic group model, and we also show that it is subversion zero knowledge. That means zero knowledge even if the prover does not trust the CRS generator, under a non-falsifiable assumption. In both of those cases, it is known that non-falsifiable assumptions are needed. Our main building blocks are a so-called bilateral subspace quasi-adaptive NIZK (BLS QA-NIZK) and a functional somewhere statistically binding (FSSB) commitment scheme. The paper also has many new results about this BLS QA-NIZK that I am not going to present in this talk.

What is the first idea behind FANA? It initially functions like a lot of the first-generation SNARKs. The prover uses a perfectly hiding commitment scheme to commit separately to three vectors: the vector of all left inputs of all gates, the vector of all right inputs, and the vector of all outputs. This is like in the standard QAP language. For example, the first commitment is an extended Pedersen commitment to the witness z, where the set of generators is equal to u_1 to u_m, where u_i interpolates the i-th column of U, and U, V, and W are public matrices describing the circuit. This is very standard in this class of non-universal SNARKs, the most famous of which are Pinocchio and Groth16.

The next step is that we use the BLS QA-NIZK to prove that such a witness exists. The goal of the QA-NIZK is to prove that there exists a witness z such that y_1 is equal to M_1 times z and y_2 is equal to M_2 times z, where y_1 is a vector of group elements in G_1, y_2 is a vector of group elements in G_2, and we use a pairing-based setting. The BLS QA-NIZK is from the paper of González et al. from Asiacrypt 2015, and it is succinct. The communication consists of four group elements, and it is based on the falsifiable assumption SKerMDH.
Now, in the soundness reduction, one usually needs to extract the witness z. In the case of SNARKs, this is done by relying on a non-falsifiable assumption, and one gets a succinct argument. On the other hand, if you do not use a non-falsifiable assumption, then to extract, you need something that is longer than the witness. For example, you just need to encrypt the witness. But this contradicts the succinctness requirement. To solve this issue, earlier papers by Daza et al. and Fauzi et al. consider something that is called local extraction, and thus achieve falsifiable assumptions.

So what is local extraction? Basically, this is a variant of extraction that is very useful in a soundness proof, and it allows one to have a succinct commitment and a succinct argument. Basically, in the soundness proof, you know that the adversary cheated. So instead of creating a long, long witness of this, where a lot of the entries of the witness might not be necessary, you do the following. You guess where exactly the adversary cheated, that is, in the case of circuits, which gate was miscomputed. Then you prepare the CRS so that one can efficiently extract a succinct local witness showing that this concrete gate was miscomputed. Note that you do not care about other gates. It is sufficient to derive a contradiction from the miscomputation of a single gate. Then one reduces soundness to a falsifiable assumption that uses only the succinct local witness. Note that here one has a security loss of a factor of the number of gates, because of guessing the gate number. If the guess was incorrect, then the soundness reduction aborts.

This idea was used in those two previous papers, Daza et al. and Fauzi et al., but their schemes are actually quite different. They still rely on a non-succinct commitment. They are quasi-adaptive NIZKs, while our goal is to have something that is not quasi-adaptive.
They are quasi-adaptively sound, which is a notion orthogonal to non-adaptive soundness, and it is something that falls under Gentry-Wichs. They are quasi-adaptively zero knowledge, et cetera. Basically, they are in this corner of schemes that do not contradict Gentry-Wichs because they are not succinct. I would argue that their schemes are actually not natural starting points. The only reason we knew how to start from there is that I am a co-author of the second paper, and once I had a doubt about its security proof, I tried to modify it, and then suddenly I got something completely different.

So let us look at the adaptive soundness proof of the two previous papers. I am going to present the proof in a linear manner. In actuality, it has several games. In each game, one does some modification, and then you have the adversary in the last game. But in this linear manner, the soundness proof looks like this. The adversary commits to the witness by using a non-succinct perfectly binding commitment. Then the game guesses the gate where the adversary cheats, and aborts later if the guess was incorrect. Now we extract the local witness from the perfectly binding commitment and reject if the guess was wrong. We modify the CRS to allow local extraction of gate j. Then we obtain the argument from the adversary, and now we are in a situation where we did not reject. Since the commitment is perfectly binding, and this is a very important observation, the adversary's input does not depend on the CRS, because we did not modify the perfectly binding commitment after modifying the CRS. Hence, the gate where the adversary cheated does not depend on the CRS. Because of that, we get adaptive soundness, or more precisely quasi-adaptive soundness, but it is still almost adaptive. Because those schemes from the two previous papers achieve adaptive soundness, they would contradict Gentry-Wichs unless one uses a perfectly binding commitment.
So one very important tool that is used in the two previous papers and in our new paper is the functional SSB commitment, a functional somewhere statistically binding commitment. In that case, the commitment key fixes q linear functions. Think of q as being a small constant like 4. That means that the commitment key basically contains the description of q linear functions, each masked by some randomness. The randomness is needed because the commitment key has to hide the choice of the functions. That is, if you change the functions, the commitment key should look the same to the adversary. Then this commitment scheme is succinct. Basically, the message can be some n elements long, where n is a large parameter depending on the circuit size in our application, but the commitment is still succinct. So in the case of the Fauzi et al. scheme, the length of the commitment is q plus one group elements. Now, when you are given the extraction key, then you can actually extract those q linear functions of the concrete input from the commitment. That is, you can extract the sum of alpha_{i,j} m_j, et cetera, but importantly, they are only extracted as group elements. This is again something that is very standard, because we are working in the group-based setting, and extraction very often just means decryption by using a cleverly chosen secret key. This notion was defined in the paper by Fauzi, myself and others from this year. And as I mentioned, in our scheme, the commitment length is q plus one group elements. Informally, the scheme was already used before, but there was no proper formalization of it. Importantly, the FSSB commitment scheme is secure under DDH, which is the most standard falsifiable assumption.

So how do we use FSSB in FANA? We use it for local extraction. We need linear functions of the input for the full reduction to work. Unfortunately, I have no time to explain this point here. The two previous papers also used FSSB, but they used it for a different purpose.
The idea is that we use linear functions of the input that depend on the guessed gate, and then program the CRS. And the CRS has an FSSB commitment key that depends on those newly chosen linear functions. The problem here is that in the adaptive case, the malicious A can choose the input depending on the CRS. And because the CRS depends on the gate number, the malicious adversary can use some tricks so that the miscomputed gate number changes. So the CRS is programmed to detect cheating on gate j. But after seeing the CRS, the malicious adversary can choose a new input and miscompute some other gate. Now, this is exactly why FANA is non-adaptive, because the definition of non-adaptivity means that basically A cannot change the input depending on the CRS, and thus A also cannot change the miscomputed gate depending on the CRS. What we achieve is succinctness. We will not need a perfectly binding commitment anymore, but we lose adaptivity. So this is a trade. And exactly this is how we fill the gap in Gentry-Wichs.

So just to recap, our non-adaptive soundness proof is modelled after the adaptive soundness proof of the previous papers, with some subtle differences. I have underlined the important changes from the previous soundness proof. First of all, the adversary commits to the witness by using a succinct FSSB commitment. Then the game guesses a gate where the adversary cheats. Then we force the adversary to fix the input. Actually, this should be even higher up, because the input cannot depend on this gate. And we can do this fixing because we have a non-adaptive security proof. After that, we modify the CRS to allow local extraction of gate j, and we obtain the argument from the adversary. Again, here j did not change, because the input was fixed before the CRS modification. After that, we extract the local witness from the FSSB commitment and reject if the guess was wrong. Note that this is maybe the biggest change in the proof.
We extract the local witness from the succinct commitment, while in the previous papers they also extracted the short, succinct local witness, but they extracted it from a perfectly binding commitment, for the reason that the perfectly binding commitment did not depend on the CRS. Because of this change, we also have pushed the rejection a bit later, because we first have to do the CRS modification and obtain the argument from the adversary. And the argument contains the FSSB commitment that we use to check whether the gate was correctly computed or not. And now, since we did not reject and we have non-adaptive soundness, the adversary's input does not depend on the CRS. Hence, the gate where the adversary cheated does not depend on the CRS. It is still the same gate j. And hence, we get non-adaptive soundness. We do not contradict Gentry-Wichs. We require non-adaptive soundness because in this case we have a fully succinct argument.

FANA itself looks deceptively simple. It is in the CRS model, and the CRS contains the commitment key of the FSSB. It has the language parameter of the BLS QA-NIZK. I am not going to explain it here, but what makes a NIZK a QA-NIZK is that it has a language parameter. On top of those two things, the rest of the CRS is very simple. It is just a bunch of monomials given in both groups. However, despite this deceptive simplicity, I have to say that the language parameter of the BLS is circuit-dependent. This means that the CRS is circuit-dependent, and it is an interesting open question to design a universal version of FANA.

What does the prover do? The prover initially acts as in traditional Pinocchio or GGPR-type SNARKs for QAP. It outputs four group elements: A, B, C, which are perfectly hiding commitments to the witness, and H, which is an argument that enables one to verify that the perfectly hiding commitments are consistent.
On top of it, the prover creates an FSSB commitment to the witness in both groups, and it creates a BLS proof that all commitments, the perfectly hiding commitments and the functional SSB commitments, in both groups, are to the same witness. The verifier has to verify the BLS proof, and then check a SNARK-like pairing product equation that A times B is equal to C plus this value H times the polynomial Z(X), where Z is the traditional vanishing polynomial.

Let us just state the main security theorem. We have that FANA is non-adaptively sound under the following assumptions. The assumptions are all falsifiable: SKerMDH, which is the assumption behind BLS; DDH, which is the assumption behind the functional SSB; and then a novel QALINRES assumption. The latter assumption is a new falsifiable assumption that holds under the PDL assumption in the algebraic group model. It is also non-adaptively knowledge sound in the algebraic group model under two additional non-falsifiable assumptions, and it is subversion zero knowledge under DDH and a new non-falsifiable knowledge assumption, which we also prove to be secure in the algebraic group model.

The rest of the paper. The paper is actually quite long, and it has a lot of different results. First of all, because we use the BLS QA-NIZK a lot, we also prove several new properties of it. First of all, we define and prove that it is sigma-strongly sound. This is a completely new security property. We also prove that it is adaptively sound, which is by itself very interesting, because one only knew before that it is quasi-adaptively sound. We prove that it is adaptively knowledge sound. Knowledge soundness of BLS was not known before. And we prove that it is subversion zero knowledge. Then, as I said, we have a new security assumption, QALINRES.
We motivate it and prove that it is secure in the AGM, and we also argue that this assumption is more natural than the target-SDH type assumptions of the Daza et al. and Fauzi et al. papers. We also prove that the new knowledge assumption behind the subversion zero knowledge of FANA is secure in the algebraic group model, and we hope that those results are independently interesting. I personally think the BLS QA-NIZK can have many applications in falsifiable settings, and QALINRES is a completely different type of assumption that might generate some new research. Thank you very much, and I am looking forward to comments. Thank you. Bye-bye.
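To make the functional somewhere statistically binding (FSSB) commitment and the local-extraction idea from the talk concrete, here is an added toy implementation in Python. It is my own illustration, not code from the paper or its authors, and it is not the Fauzi et al. construction: the group (a prime-order subgroup of Z_1019^*, far too small for DDH to mean anything), the ElGamal-style masking of the functions, the function names, and the two-gate QAP in the demo are all constructed for the example. What it does show faithfully is the shape the talk describes: the commitment key fixes q linear functions, each masked by fresh randomness; a commitment to an n-element message is always q + 1 group elements; and whoever holds the extraction key recovers [f_i(m)] as group elements only, which the reduction keys to the three QAP rows of the guessed gate j.

```python
import secrets

# Toy group (constructed parameters, not the paper's): P = 1019 is a safe
# prime, so the quadratic residues form a subgroup of prime order Q = 509,
# generated by G = 4.  Exponents live in Z_Q; "[x]" below means G^x mod P.
P, Q, G = 1019, 509, 4


def rand_exp():
    """Uniform exponent in Z_Q."""
    return secrets.randbelow(Q)


def fssb_keygen(alphas):
    """Commitment key for q linear functions f_i(m) = sum_j alphas[i][j] * m[j] mod Q.

    Column j of the key is ([r_j], [s_1 r_j + alpha_{1,j}], ..., [s_q r_j + alpha_{q,j}]):
    every coefficient is masked ElGamal-style by fresh r_j under the secret s_i,
    so the key does not reveal which functions were fixed (that is the DDH part
    in a real group).  Returns (ck, ek); ek = (s_1, ..., s_q) is the extraction key.
    """
    q, n = len(alphas), len(alphas[0])
    s = [rand_exp() for _ in range(q)]               # extraction key
    hs = [pow(G, si, P) for si in s]                 # [s_i], so the committer can randomise
    cols = []
    for j in range(n):
        r = rand_exp()
        cols.append([pow(G, r, P)] +
                    [pow(G, (s[i] * r + alphas[i][j]) % Q, P) for i in range(q)])
    return (hs, cols), s


def fssb_commit(ck, m, rho=None):
    """Commit to an n-element message m; the output has q + 1 group elements
    whatever n is.  c[0] = [rho + sum_j r_j m_j], c[i] = c[0]^{s_i} * [f_i(m)]."""
    hs, cols = ck
    if rho is None:
        rho = rand_exp()
    c = [pow(G, rho, P)] + [pow(h, rho, P) for h in hs]      # fresh randomisation
    for j, mj in enumerate(m):
        for i in range(len(c)):
            c[i] = c[i] * pow(cols[j][i], mj % Q, P) % P
    return c


def fssb_extract(ek, c):
    """With the extraction key, recover [f_i(m)] for every i by dividing
    out c[0]^{s_i}.  Only group elements come out, never the scalars."""
    inv = [pow(pow(c[0], si, P), -1, P) for si in ek]
    return [c[i + 1] * inv[i] % P for i in range(len(ek))]


def gate_functions(U, V, W, j):
    """Local-extraction choice of functions: the three QAP rows of gate j, so
    extraction yields [U_j z], [V_j z], [W_j z] for the guessed gate only."""
    return [U[j], V[j], W[j]]


def lin(alpha, m):
    """f(m) = <alpha, m> mod Q, used only to check extraction in the demo."""
    return sum(a * x for a, x in zip(alpha, m)) % Q


def demo_local_extraction(j=1):
    """Reduction-style use: guess gate j, key the FSSB to gate j's rows, commit
    to the whole witness, and confirm extraction returns gate j's local witness."""
    # Constructed toy QAP over wires z = (1, x, y, x*y, x*x*y) with two gates:
    # gate 0: x * y = x*y ;  gate 1: (x*y) * x = x*x*y.
    U = [[0, 1, 0, 0, 0], [0, 0, 0, 1, 0]]    # left inputs
    V = [[0, 0, 1, 0, 0], [0, 1, 0, 0, 0]]    # right inputs
    W = [[0, 0, 0, 1, 0], [0, 0, 0, 0, 1]]    # outputs
    z = [1, 3, 5, 15, 45]
    ck, ek = fssb_keygen(gate_functions(U, V, W, j))
    c = fssb_commit(ck, z)
    extracted = fssb_extract(ek, c)
    expected = [pow(G, lin(f, z), P) for f in gate_functions(U, V, W, j)]
    return len(c) == 4 and extracted == expected


if __name__ == "__main__":
    print("local extraction for gate 1 consistent:", demo_local_extraction())
```

In the real reduction the three extracted elements are then fed to a pairing-based check of whether gate j was miscomputed; this toy group has no pairing, so the demo stops at confirming that the extracted elements are exactly [U_j z], [V_j z], [W_j z]. The security loss of the talk is visible in the parameter j: a wrong guess keys the commitment to a gate the adversary computed honestly, and the reduction has to abort.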