 Okay, so I'm from New York, and this is the final talk of this morning. So the title of this talk is A Subversion Resistance Dark by Pezad Abdul Maliki, Karen Baylori, Helger Litma, Michal Zech, from the University of Tartu in Estonia, and as I said, this is the second article invited to the Journal of Cretology, and the talk will be given by Neho. Hi, so roughly two hours ago, Niky Mukhan apologize for standing between you and coffee, and now I'm standing between you and lunch, so I think I'm in much worse situation. So thanks you, thanks for inviting me here, and it's a real pleasure to present you my joint work on the Subversion Resistance Dark. So let me start with a brief outline. So I will start with motivations for our work, and the motivation is the problem of verifiability of computation. I will introduce some zero-knowledge notions, and I will tell quickly what snarks are. Then I will say why Subversion Resistance framework for snarks is actually important and what could happen if public reference strings, public reference parameters are generated maliciously. Then I will go to the main part of our work that is Subversion Resistance Snark. I will show how to achieve zero knowledge in the subverted setting, and this will be a shift for quite recent graphs snark for quap, and finally I will conclude with showing you some numbers to convince you that our framework, our technique is really efficient. Okay, so we can illustrate verifiably computation by two machines. So we have a client and we have a server, and client maybe is like not very powerful machine, but it wants to compute program P on some input x. On the other hand, we have a server that has the required power and maybe has some additional input x prime that makes computation possible. So basically the client sends program P along with public input x, and the server replies with evaluation of this program on x x prime, but of course server needs to provide also a proof, because otherwise the server could just send some random garbage and claim that that's the hope. So an important comment is that the client can actually send a program once and then evaluate it on as many inputs as it wants. So we represent a program as a circuit, so part of the circuit input is this input given by the client, another part is given by the server. So how we can verify the computation? So if server reveal all intermediate values on this arithmetic circuit, then the client could just run the circuit and verify the program on its own. But in this case, we basically don't need a server. So what if x prime is secret? So we need to provide correctness that doesn't reveal intermediate values in particular this secret input x prime. So correctness is verified by showing that some relation on the circuit on wires values hold and there's like national reduction from arithmetic circuits to quadratic arithmetic programs, and keeping an internal secret is related to zero knowledge rules. So in zero knowledge we have two settings, interactive and non-interactive. In interactive setting there is many messages exchanged between the prover and verifier, the client and the server. On the other hand, we have non-interactive setting when the server has to convince the client that the computation were performed correctly with like one message. So we want to work in this setting with this single message setting is non-interactive. So we want to prove that is non-interactive and is succinct. And here comes snarx. So snarx are non-interactive proof that are short. So basically the idea is that the proof itself is much shorter than the state. And to get the non-interactive zero knowledge we need some trust assumptions. So basically the most popular tool is either random oracle or common reference string. So the problem with random oracle is that it doesn't exist, but usually it makes zero knowledge proof really really efficient. On the other hand we have trust that we have common reference string setting where a trusted third party can generate some common parameters, common string that will be shared between the parties. And the problem with this model is that sometimes it's slower than just model with random oracle. But in case of snarx, the situation is quite opposite. Usually snarx that are based on CRS are faster than this based on random oracle. Okay, so in zero knowledge proof we have some NP language L and we want to prove that some X belongs to M. So we have three parties. So this trusted third party in the middle and some prover that is equipped with statement X and witness W. And on the other hand we have verifier that has only statement X but doesn't know the witness W. And this trusted third party picks some secret numbers called trapdoor and computes common reference string as a function of this secret. Then it provides the CRS to the parties. So with this CRS given, the prover is able to give the convincing proof to the verifier. In fact, in zero knowledge proof, we need one more party. It's called the simulator. And simulator is given this secret numbers, this trapdoor. And this allows him to simulate the proof as prover would do. But without witness. So zero knowledge proofs has three properties. So versus completeness, so an honest prover should be able to convince the honest verifier we have soundness. So in this setting, if prover is malicious, is not honest and wants to convince the verifier that some X belongs to the language but that's not the case, then the prover should be able to do so only with negligible probability. And the third property is zero knowledge. So we define zero knowledge by the existence of a simulator that given this secret trapdoor T.S. produces fake proof that is indistinguishable from a proof given by the real prover. So in Eurocrypt 2016, Fien's growth proposed a snark for quadratic arithmetic programs. And up to date, it's the fastest snark for this relation. The proof contains only three group elements, so it's really, really short. It's based on billionaire pairings and it's secure in both symmetric and asymmetric setting. And its security was shown in a generic group model. So let's go back to our picture with the trusted third party providing CRS in the middle. So the question is, what happens if we substitute this party by some malicious subvert? And this problem was discussed last year on Asiacrypt by Valare Pugsbauer Scafuro. So in this setting, we cannot trust the outputs given by the subverter, right? And it affects CRS given to prover and verifier and also affects the trapdoor given to the simulator. So let me point some problems we may have. So if subverter cooperates with prover, they can potentially break sounds, right? So we need a system that remains sound even if the subverter cooperates with the prover. And this is called subversion sounds. On the other hand, the subverter may cooperate with verifier to break zero knowledge, right? Or may give some trapdoor that is not well formed to the simulator. So the simulator is not able to simulate anymore, right? So we need a system that remains zero knowledge even if the subverter cooperates with the verifier and this is called subversion zero knowledge. Actually last year Valare Pugsbauer and Scafuro shown that it's impossible to get both. So we focus on getting subversion zero knowledge because that's a more important task for Snarks. So as I said, zero knowledge may no longer hold because of basically two reasons. So the first is that the trapdoor given to the simulator may not be the same trapdoor the subverter used to produce a CRS. Or maybe the CRS is just not well formed so maybe just some random bits without any meaning. So basically we need to make sure that we can still simulate. Okay, so in a verifiable computation let's go back to this picture. We still have the client in the server, a client sends program P but also sends the CRS that will be used by the verifier. And also it's malicious and wants to learn this secret X prime. So the problems, so we need to provide the simulator with a correct trapdoor and we need to check that the CRS given to prooper is well formed. Okay, let's start with the first one. So how simulation in a hostile environment look like? So basically we cannot trust this trapdoor given by the subverter. So the idea is that the simulator will use extractor to extract trapdoor from subverter. And in the end the simulator will produce the very same CRS as subverter. And we will define one simulator for all subverters. So this simulator uses extractor to get the trapdoor and we need knowledge assumptions here. And actually this extractor can depend on the subverter. So before we continue, please let me introduce some notation. So we use additive notation for groups. We have three groups G1, G2, Gt of the same size P. And by alpha in brackets with index one, we denote an element in this group G1 and its element alpha times G1 where this G1 is the generator of the group. And similarly for group 2 and group T. We use billionaire pairings. So it's mapping that goes from G1 times G2 to target group Gt. And we denote the pairing by multiplication. So basically alpha one times beta 2 equals alpha beta t. Okay, so knowledge assumptions we use is billionaire Diffie-Hellman knowledge of exponent assumption. And it's quite well-known assumption if you work with knowledge assumptions. So basically we allow adversary to return some alpha alpha prime in brackets such that it holds that alpha in a group 1 times 1 in the group 2 equals 1 in group 1 times alpha prime in group 2. So basically we assume that in group T these elements are equal. Okay, then we say that alpha equals alpha prime and then there exists an extractor x such that if we run this extractor along with the adversary then we can get alpha. And for that we actually need a symmetric pairing because this assumption doesn't hold in a symmetric set. So as I said we will need to extract chapter from the subverter so we need to make sure that in CRS we can compute both yota in group 1 and yota in group 2 for every yota in n-chop. Okay, so that's how we make sure that the simulator gets the correct chapter. So let me show how to check that the CRS is well formed. So subverter cooperates with the verifier and the idea is that to give a prooper an algorithm that will check that the CRS is well formed. So we define an additional algorithm called CRS verification, CV, not very fancy name. And this algorithm doesn't have any superpowers. Basically it can do only what prover can do. So it can add the group elements or make bearings. And this algorithm needs to be run only by the prover because that's the party that is interested in zero knowledge. We want to make CV as efficient as possible. So we think that roughly the time needed to verify the CRS is roughly the time that is needed for a prover to give a convincing proof, then we are fine. Okay, so how CRS is generated in this original graph 2016 paper. So first we generate a secret chapter that contains five elements. We compute the common reference string. And this common reference string is divided into three parts. So basically the first part is CRS-P. It's a part of CRS that is used only by the prover. And the other part is CRS-V, that part used only by the verifier. And we actually needed to add CRS-CV, additional CRS that will allow us to extract the trapdoor for the simulator and will allow the CV algorithm to check that CRS-P is well-formed. So how CRS verification looks like. So the setting is that we have trapdoor elements that are secret, but usually known in exponents. And we have some polynomials, Ui, Vi, Wi, that are publicly known. Here we have this polynomials, but it's not known the values on the secret key. Okay, so our checklist list is as follows. So do we divide by zero? Okay, we have some elements that cannot be zero in the CRS. We have also elements like this beta here, that should be represented in both groups. So we need to check whether if the subverter claims that this element is equal to this element, like the value hidden in both groups is the same, we need to do to check that this statement is true. And of course we need to check whether all polynomials were evaluated at the same point here. So how CRS verification looks like. So as I said, we need some additional help. And this help is this CRS-CV. It contains elements like, for example, alpha in group 2 that is necessary to be able to extract alpha from the CRS. On the other hand, we have also the ground polynomials that makes verification really, really efficient. Okay, so our checklist. Do we divide by zero? And let's check the really, really simple, so we basically check that the elements that shouldn't be zero are not a zero element. If we need to check whether two group elements carry the same value, then we use the same equation we used for the knowledge assumption. So we check whether yota times one equals one times yota prime. We also need to check that all the polynomials are evaluated at the same point. So we have two types of polynomials basically here. First are consecutive powers of he. And it's checked by by bearing he to i times one equal he to i minus one times he. And we need to check all these polynomials ui, vi, wi. And this is checked by by evaluating these polynomials using Lagrange basis. Okay, so that's how we check that CRS is well-formed. So the CRS has the correct form. The simulator knows exactly the same trapdoor as the subverter used to create the CRS. So we can we can simulate. Let me tell something about soundness. So this graph is knowledge sound. And it's proven in a generic group model. So proofs in generic group model highly relies on what is in the CRS and what's not in the CRS. So basically if you add some element to the CRS, you can easily have a situation that that the security doesn't call it anymore. And we in fact added some elements to the CRS. So we need to we needed to to reprove soundness. So graph snark is secure for symmetric setting also. So basically in the symmetric setting G1 equals G2. And these parts of CRS that are represented in one group are the same in both groups. So the CRS is like contains more more elements. And we preserve we preserve this this property. Okay, so let me tell something about efficiency. So we implemented our verification algorithm on a not very powerful machine. It's like five year old laptop. The implementation was done in C++ in a Lipsnark library. I will show some numbers for this circuit size. So we have circuit size up to half a million. Input size, this input size of of of prooper is 1000 and all times are given in seconds. So basically what we can read from this table is that the time needed to verify the CRS is roughly even smaller than the time needed for for prover to give a convincing convincing proof. Okay, so let me make a short commercial break. So if you are bored with your snark or you are worried about CRS generation, please don't and use our framework to give your snark subversion resistance for basically free. And our framework is well fitted for snarks. It's suitable for zero knowledge and doesn't require any change in the original simulator. It's well fitted from snarks and it's efficient and it's really easy. Just add CB algorithm. So let me conclude. We proposed new definitions for subversion resistance framework and this definition covers statistical zero knowledge. It also gives one simulator for subverters and that only extractor depends on the adversary. We took the most efficient snark for Guap and made it subversion resistant. We show that the CRS does not need to be trusted by the prover and the CRS can be efficiently verified. Thanks for your attention. I'm sure everyone is hungry but we have time for one question. Maybe? Gens? Maybe? No? Help me out. Are we sure? I guess my question is whether you looked at other snarks. Is this sort of a general framework that applies in all sorts of snarks or is it specific just to this 2016 snark? So the CB algorithm itself has to be suited for a particular snark but the framework is general. We used the same framework to show that Pinocchio is subversion resistant and some later implementations of Pinocchio that made it a little bit more efficient. We also shown that your recent snark from crypto, sorry, don't recall the factor is also subversion resistant. So that concludes our morning sessions. Let's thank the speaker again.