Hi, my name is Eylon Yogev. This is joint work with Alessandro Chiesa, and this talk is about tight security bounds for Micali's SNARGs. Let me start with a brief overview: what are SNARGs, succinct non-interactive arguments, in the random oracle model? So, SNARGs in the ROM. This is a proof system: we have a prover, we have a verifier, we have some language, and the verifier is wondering whether an instance x is in the language. The proof is non-interactive, so there is a single-message proof pi that the prover sends; the verifier reads pi and decides whether to accept or reject. The communication complexity is succinct: in particular, the size of this proof pi is much smaller than the size of the witness of the NP language. And to get succinctness we have to sacrifice something: what we sacrifice is information-theoretic soundness, and we settle for computational soundness.

So what is computational soundness in the random oracle model? Both the prover and the verifier have a common resource, a truly random function. It eats arbitrary strings and outputs a string of length lambda. Soundness is as follows. We say that the scheme has (t, epsilon)-security, so it has two parameters, t and epsilon: for any instance x that is not in the language, and for any t-query unbounded adversary P (the adversary has unbounded computational power but is limited to at most t queries to the random oracle), the probability over the random oracle that this prover outputs a pi that makes the verifier accept (note that the verifier has access to the same random oracle) is at most epsilon, where epsilon is a function of t and lambda. So (t, epsilon)-security means that if you perform at most t queries, you can convince the verifier of a false statement with probability at most epsilon.

So why do we study SNARGs, or crypto in general, in the random oracle model? First, this is a very nice, very elegant information-theoretic model. There are no real computational assumptions here: we have a truly random function, and then everything is information theoretic. This allows us to prove a lot of stuff, upper bounds and lower bounds, and these proofs are usually very tight; you can even get very concrete absolute constants. And it's not just a general model: we have some very beautiful constructions of SNARGs in the ROM, and if you want to bring them back to real life, you just heuristically instantiate the random oracle with some cryptographic hash function. These are usually considered relatively lightweight crypto; they don't involve things like public-key encryption or lattices, and it's actually a very efficient way to get post-quantum security. So we have all these attractive features of SNARGs in the ROM, and this is going to be the focus of this talk.
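To pin this down, the (t, epsilon)-security condition just described can be written as follows (my transcription into symbols; the notation P~ for the cheating prover and f for the oracle is mine):

```latex
% (t, eps)-security in the ROM: for every x not in the language L and
% every cheating prover \tilde{P} making at most t queries to the
% random oracle f (a uniformly random function into lambda-bit strings),
\Pr_{f}\big[\, V^{f}(x,\pi) = 1 \;:\; \pi \leftarrow \tilde{P}^{f}(x) \,\big]
  \;\le\; \varepsilon(t,\lambda).
```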
I talked about constructions, and we're going to focus on what I would say is the main construction: the beautiful construction of Micali, which dates back to '94. It is based on Kilian's interactive protocol, made non-interactive using the Fiat-Shamir transformation. At a high level, the construction is as follows: we take an information-theoretic proof, in our case a PCP, and we combine it with a cryptographic commitment scheme that supports local openings, which is going to be a Merkle hash; together, what we get is our SNARG.

Let me spell out a few more details. I assume most of you have at least seen or heard about this construction, but I want to take you through it step by step because we need to see a few details. The prover starts by writing a PCP for the statement; this is a PCP that can convince the verifier that indeed x is in the language. The problem is that the prover cannot send this entire PCP, because it's too large. Instead, the prover just sends a commitment to this PCP: it computes a Merkle tree over the PCP, using the random oracle, of course. Now, the verifier is supposed to pick randomness for the PCP that tells him which query locations he wants to read, but we do not allow interaction here, so we let the random oracle simulate the verifier; this is called the Fiat-Shamir transformation. After committing to the PCP, the prover queries the root, the commitment: he applies the random oracle to the root and uses the output to derive the PCP randomness. Once the prover has this PCP randomness, he knows which query locations the verifier wants to see, and the proof is going to contain the root of the Merkle tree, all the PCP answers corresponding to these locations, and, for each answer, an authentication path assuring us that the PCP answer written here indeed corresponds to the PCP underlying this root.

That was the prover's part; what does the verifier do? He runs the PCP verifier on the answers to make sure the PCP is fine, and then, for each symbol in these answers, he checks the authentication path to make sure this is indeed what the prover committed to. So what is the size of this proof? Very roughly speaking, it's the number of PCP queries q, since we need to open each queried location; for each location you have to send roughly log n nodes of the tree, and each node is a lambda-bit oracle output. So the proof size is roughly q times lambda times log n.
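To make the commit-and-open part concrete, here is a minimal Python sketch of a Merkle tree with local openings (my own illustration of the idea, not the paper's code; SHA-256 stands in for the random oracle, and the leaves are the padded PCP symbols):

```python
import hashlib

LAMBDA = 32  # oracle output length in bytes (so lambda = 256 bits here)

def H(data: bytes) -> bytes:
    """Stand-in for the random oracle: arbitrary strings to lambda bits."""
    return hashlib.sha256(data).digest()

def merkle_commit(leaves):
    """Build a Merkle tree over the (padded) PCP symbols; return all layers.
    Assumes a power-of-two number of leaves."""
    layers = [list(leaves)]
    while len(layers[-1]) > 1:
        prev = layers[-1]
        layers.append([H(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return layers  # layers[-1][0] is the root, i.e. the commitment

def merkle_open(layers, j):
    """Authentication path for leaf j: one sibling per level."""
    path = []
    for layer in layers[:-1]:
        path.append(layer[j ^ 1])  # sibling of the current node
        j //= 2
    return path

def merkle_verify(root, j, leaf, path):
    """Re-hash from the leaf up and compare against the committed root."""
    node = leaf
    for sibling in path:
        node = H(node + sibling) if j % 2 == 0 else H(sibling + node)
        j //= 2
    return node == root

# Example: commit to 8 leaves, open leaf 5, and verify.
leaves = [bytes([b]) * LAMBDA for b in range(8)]
layers = merkle_commit(leaves)
root = layers[-1][0]
path = merkle_open(layers, 5)
assert merkle_verify(root, 5, leaves[5], path)
```

The argument then consists of the root, the q queried PCP answers, and one such path per answer, which is exactly where the q times lambda times log n size estimate comes from; Fiat-Shamir corresponds to deriving the PCP randomness as H(root).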
What about soundness? How do we prove soundness of this scheme? Again, we use some underlying PCP, so suppose you instantiate the scheme with a PCP with soundness epsilon_PCP. The best soundness expression known is actually due to BCS, from a few years ago. We denote the soundness of our argument scheme by epsilon_ARG, and as we said, it's a function of t and lambda. The best known expression is the following. We have a t times epsilon_PCP term, which comes from the error of the PCP: a cheating prover can just try to convince the PCP verifier, say by choosing a random proof and hoping the verifier is convinced; each attempt succeeds with probability at most epsilon_PCP, and he can try roughly t times, because that is his query budget. And he can also try to attack the random oracle: for example, he can try to find collisions, in which case he is not really committed to any specific string. To rule this out, you have to assume that he didn't do magical things like finding collisions or inverting the random oracle, and there you lose a probability that comes from the birthday paradox, roughly t squared over 2 to the lambda.

The main question we want to ask is: is this expression tight? This is the focus of this work, and I want to point out that a negative answer would be excellent news, because if this expression is not tight and you can prove a much tighter one, this in turn yields a smaller argument size; we're going to see this. The first part, t times epsilon_PCP, is actually tight, as I already hinted: the cheating prover can try to convince the PCP verifier roughly t times, and each time he gains an error of epsilon_PCP, so we have a matching attack for that term. For the birthday term, the answer is unclear. The analysis tells us, for example, that the cheating prover is not going to find any collision. But what about the other direction: can you attack the scheme if you are given a single collision? I want to pinpoint this question and show you that the answer actually depends on the fine details of the construction; if you are slightly careless with the implementation, then one collision is very harmful.

Let's try to see this. Consider the Micali construction, and suppose we have a binary PCP. So this is the PCP string, and think of every leaf as padded up to length lambda, because we want to hash 2-lambda bits down to lambda bits in the Merkle tree. If this is the construction, then we can reuse a single zero-versus-one collision: find one collision between a (padded) zero leaf and a one leaf, and reuse that same collision everywhere in the leaves. So if I found the collision here, I can use the same collision here and here and here, and so on. In this case, I am committed to almost no location of the PCP: I can commit to something random using this collision, and then, when I see the verifier's queries, I can just open the leaves in a way that makes him accept. And if this is the case, then the prior soundness expression is actually optimal; we really do have to rule collisions out.

However, this can be trivially avoided by adding indices. By adding indices I mean that we add a prefix (i, j) to the value of every node; these are constant prefixes that just record the node's location in the tree. So the leaves are level 1, and within a level we number the positions: this is the first node in level 1, this is the third node in level 1, and so on. Now you can ask again: is the prior soundness expression optimal? Note that once I find a collision at one position, I cannot reuse it at another position, because the prefixes are different: a collision here gives me nothing there, and if I want a collision there, I have to work again and find a new one. So I cannot reuse my computation, and, more importantly, I cannot reuse the success probability: if I had some success probability of finding one collision, the probability that I find many, many collisions decreases very fast. So with this implementation in hand, with the prefixes, I can state our results (right after a quick sketch of the indexing below).
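Here is what adding the indices could look like on top of the previous sketch (again my own illustration; the exact numbering convention for levels and positions doesn't matter, only that every position in the tree hashes under a distinct prefix):

```python
def H_indexed(i: int, j: int, data: bytes) -> bytes:
    """Domain-separated oracle call: prefix the input with the node's
    level i and position j, so a collision found at one position
    cannot be reused at any other position."""
    return H(i.to_bytes(4, "big") + j.to_bytes(4, "big") + data)

def merkle_commit_indexed(leaves):
    """Same tree as before, but every internal node is hashed together
    with its (level, position) prefix."""
    layers = [list(leaves)]
    i = 1
    while len(layers[-1]) > 1:
        prev = layers[-1]
        layers.append([H_indexed(i, j, prev[2 * j] + prev[2 * j + 1])
                       for j in range(len(prev) // 2)])
        i += 1
    return layers
```

Opening and verification change in the same way: the verifier recomputes each node with the prefix determined by the path, so a zero/one collision at one leaf position is useless anywhere else.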
So we give a negative answer to this question: we show that the expression is not tight, and remember, a negative answer means good news. What we actually do is show a tight security bound for Micali. Our main theorem is that the security expression for Micali is the following: the same t times epsilon_PCP that we had before, but instead of t squared over 2 to the lambda, we have t over 2 to the lambda, together with some other small expression, capital C, that replaces the constant 4; C depends on n, the length of the PCP, and on log sigma, where sigma is the alphabet of the PCP. This expression holds provided that lambda is not too small: it has to be at least 2 log t. We also show an almost matching lower bound, so the bound is tight, and even inside C the expression is almost tight.

As I promised, this has implications for the argument size. Using the previous analysis, if we wanted (t, epsilon)-security, we had to set lambda to be log of t squared over epsilon; this is what you get if you require the success probability to be at most epsilon. Using our analysis, we can set lambda to be the maximum of two expressions, and you can see that it is smaller: say the first term is the maximum, depending on the values of t and epsilon; then lambda has to be only log of t squared, and not log of t squared over epsilon. And again, this gives us a smaller argument size because, as we said before, the argument size is q times lambda times log n: q and log n are essentially fixed, and we are making lambda better, so any factor we improve here, we gain the same factor in the argument size.

We worked quite hard to make sure that all the constants in our theorems are very tight and very concrete, and what we show is that we get concrete efficiency as well. In this table, we compare our analysis to the best prior analysis of Micali: we took the same PCP, with some fixed soundness and proof length, amplified it, and, depending on t and epsilon, you can see the results. In red is the argument size under the prior analysis of Micali's scheme, and in blue under our analysis; overall, depending on the values of t and epsilon, we get an improvement of between 20 and 40 percent.

Another thing I want to mention is that this tight analysis actually led us to a new construction. This is a subsequent work that you can see at the latest CRYPTO. The new construction took the tight analysis and managed to overcome and circumvent all the bottlenecks in the analysis, and what we got is a construction with soundness just t times epsilon_PCP, with the same requirement on lambda. This gives a much better argument size, both concretely and even asymptotically, and I really welcome you to see the paper on ePrint.
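In symbols, the comparison is roughly the following (my transcription of what was just said; C = C(n, log|Sigma|) is the small factor from the theorem, and "the maximum of two expressions" I read as max(2 log t, log(Ct/epsilon))):

```latex
% Prior analysis (BCS):
\varepsilon_{\mathrm{ARG}}(t,\lambda)
  \;=\; t \cdot \varepsilon_{\mathrm{PCP}} \;+\; 4\,\frac{t^{2}}{2^{\lambda}}
\qquad\leadsto\qquad
% This work (valid for \lambda \ge 2 \log t):
\varepsilon_{\mathrm{ARG}}(t,\lambda)
  \;=\; t \cdot \varepsilon_{\mathrm{PCP}} \;+\; C\,\frac{t}{2^{\lambda}}.

% For target (t, \varepsilon)-security, the oracle output length shrinks from
\lambda \;=\; \log\frac{t^{2}}{\varepsilon}
\qquad\text{to}\qquad
\lambda \;=\; \max\!\Big(2\log t,\; \log\frac{C\,t}{\varepsilon}\Big),
% which feeds directly into the argument size |\pi| \approx q \cdot \lambda \cdot \log n.
```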
So now I want to dive back into our construction, into the analysis. First, how did the prior analysis work? We want security of Micali's SNARG, and what one usually does is say: the commitment scheme is really a commitment scheme. So we had to assume, or condition on, the event that there are no collisions and no inversions, and that's why we lost that birthday probability in the soundness expression. Once we have this, the cheating prover has nothing he or she can do except commit to some PCP string and hope that the verifier is convinced; from that point on, security reduces to the soundness of the PCP.

In our case, we want the security of Micali's SNARG, but we cannot just condition on not finding collisions or inversions; we actually have to keep showing that soundness holds even when the prover finds collisions or inversions. What we do instead is score the collisions and inversions: we bound the probability that the prover finds more and more collisions or inversions, and then, given a specific score, we see how harmful that score is. So we have a new game that we call the tree soundness game; this game has a specific budget, and we bound the probability that the adversary wins given that budget. We prove this bound using a reduction to another type of game that we call the reverse soundness game, and that game reduces back to PCP soundness. So the analysis is very modular in this approach: the tree soundness game really describes all possible strategies the adversary can follow, and the reverse soundness game is an intermediate, very simple game that lets us reduce all these strategies to something where we can say something very meaningful using just the PCP soundness.

Now I'm going to dive into these steps to give some additional details, starting with scoring collisions and inversions; so we're in this part of the proof. We introduce a scoring function, which is a function of the query trace of the algorithm: given a cheating prover, you can look at his query trace and give that trace a score, and this score lets us quantify the soundness even in the event of collisions and inversions. So what score does a specific trace get? If the trace contains nothing interesting, it gets no score; it gets a score when I see rare events, and we have two kinds of rare events. The first kind is collisions: if I see a collision, I add one to the score. I have to define this slightly more precisely: if I see a k-wise collision, that is, k elements that all map to the same value, it gets a score of k minus 1, and I add up all these scores. So this more or less counts the number of collisions in a given trace. The second kind is inversions. An inversion is another thing we don't want the adversary to do, because then he could start by querying the root, see the queries, walk his way back, and just derive a PCP that convinces the verifier. So we also count inversions: an inversion is a response y that hits a previous query (x1, x2). Remember that queries hash two elements into one, because of the Merkle tree; what we don't expect is to see an answer that hits something we queried before. This is also a rare event, and we count these as well.
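As an illustration of the bookkeeping (a sketch of my own, not the paper's formal definition), here is how one could score a query trace, with k-wise collisions contributing k minus 1 and responses that land on earlier queries counting as inversions:

```python
from collections import defaultdict

def score_trace(trace):
    """trace: list of (query, response) pairs in order, where each query
    is a pair (x1, x2) of lambda-bit strings (one Merkle hashing step)
    and each response is a lambda-bit string.  Assumes no repeated
    queries.  Returns the trace's score: #collisions + #inversions."""
    times_hit = defaultdict(int)  # response -> number of queries mapping to it
    queried = set()               # every string that appeared inside a query
    score = 0
    for (x1, x2), y in trace:
        # k queries sharing one response form a k-wise collision and score
        # k - 1 in total, i.e. +1 for every query past the first.
        if times_hit[y] >= 1:
            score += 1
        times_hit[y] += 1
        # An inversion: the oracle's answer hits a value we queried before.
        if y in queried:
            score += 1
        queried.update((x1, x2))
    return score
```

The point of the next step is that a trace only reaches score k if k independent rare events happened, which is what makes the probability of score k decay geometrically.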
Given this scoring function, what we claim and show in the paper is that for any t-query algorithm, the probability that the score is at least k is bounded by something that, as you can already see, is the birthday-paradox probability raised to the power k. And that base is not going to be very small; since lambda can be as small as 2 log t, it's going to be something like a constant. So the probability that the prover finds one collision is, in our analysis, some constant: we most definitely cannot rule out the event that he finds a collision. But the probability that he reaches a score of k already decays exponentially fast in k.

Before I go into the other parts, the tree soundness game and everything, I want to show you how we use this; there will be one step that I'll ask you to take on faith and justify later. This will show why the scoring is useful. So, what is the probability that the verifier accepts, for an x not in the language? I want to bound this soundness error. One thing I can always do is write it as an infinite sum: the probability that the verifier accepts and the adversary gets a score of exactly k, summed over all k; this is just a partition into a sequence of events, and I sum up their probabilities. Now I can focus on one specific k and ask: what is the probability that the cheating prover succeeds, conditioned on having a score of at most k? If k is 3, it means he cannot find 4 collisions; he has a budget of 3 collisions. So what's the probability of succeeding with this specific budget? This is exactly why we introduced the tree soundness game: that conditional probability is, essentially by definition, the value of the tree soundness game. This is the step I haven't shown yet; it's going to be Lemmas 1 and 2, which we'll see briefly. And the probability of getting a score of k is bounded by the claim about the scoring function.

Looking at the resulting expression, I'll point out that what you see here is the cost we pay for collisions: we have the same t times epsilon_PCP as in the original soundness expression of Micali, but we pay another factor of 2 to the k, because a score of k gives the prover a lot of power, exponential-in-k power; and there is another part coming from the inversions. Now we take everything that doesn't depend on k out of the sum, and we get the same expression, just rewritten. Then we look at the infinite sum over k, and here comes the condition that lambda is slightly more than 2 log t: the infinite sum converges, and we are left with the soundness expression that we want. So what's really missing is the analysis of the tree soundness game: if you are limited to a budget of k in this game, I need to give you a bound on the soundness of the game, and Lemmas 1 and 2 are about the tree soundness and the reverse soundness.
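Written out, the calculation just described looks schematically like this (constants suppressed; the one step taken on faith is the bound on epsilon_tree):

```latex
% Partition the prover's success probability by its score:
\Pr[\text{verifier accepts}]
  \;=\; \sum_{k \ge 0} \Pr[\text{accepts} \,\wedge\, \mathrm{score} = k]
  \;\le\; \sum_{k \ge 0} \varepsilon_{\mathrm{tree}}(t,k)
          \cdot \Pr[\mathrm{score} \ge k]
  \;\le\; \sum_{k \ge 0} \varepsilon_{\mathrm{tree}}(t,k)
          \cdot \Big( O\big(\tfrac{t^{2}}{2^{\lambda}}\big) \Big)^{k}.

% Since \varepsilon_{\mathrm{tree}}(t,k) is (roughly) 2^{k} times terms that
% do not depend on k, the sum is geometric with ratio 2 \cdot O(t^{2}/2^{\lambda}),
% which converges to a constant as soon as \lambda \ge 2 \log t + O(1).
```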
So now we're moving on to the tree soundness game, the intermediate information-theoretic game we introduced. It has two parameters: t is the number of actions, which corresponds to the number of queries the adversary has (in the game it's the number of actions he can take), and k is the bad budget, the collision-and-inversion budget. The game is played on a graph, and we have a loop in which the prover can choose one of two actions: the first is adding an edge, the second is deriving PCP randomness; we'll see this in a second. Every time he chooses an action, the budget t decreases by one, and when it reaches zero, we stop.

So what is this graph? The graph already contains all possible nodes, and what the cheating prover can do is add edges from a fixed set: there is a complete set of possible edges, and he can choose one and add it to the graph. What are these edges? Remember that in the construction we have the prefixes i and j, so for every node we know exactly where it is; these are the i's and j's here. We have levels, and i is the level of the node; we always connect a node in level i to two nodes in level i plus 1. For example, here we have a node in level i at some position j, and two nodes at the corresponding positions in level i plus 1. The h values are the actual hashes, the outputs of the oracle, and these the prover can specify completely. So this is the complete set of edges, and he can choose from it and add edges to the graph.

However, we haven't talked about the budget k. If he just adds an edge, fine: he adds it, and t decreases by one. What happens if he adds a collision? In this example, we have the node u, he added this edge, and we have the v-primes: a collision. He is allowed to do that, but each time he does, the collision budget decreases by one, and once it hits zero, that's it; he cannot continue beyond zero.

That was the easy part; inversions are the harder part to add. The prover also has a budget of k inversions, and this is slightly harder to model, because a single arbitrary inversion actually allows him to win outright: if he could invert anything he likes, he could just compute a root, compute a PCP that is good for this root, and then invert the function backwards to connect the two. So we do not allow arbitrary inversions, what we call strong inversions; those are disallowed. Instead, we allow weak inversions, and let me try to tell you the difference. A strong inversion is: I have some value y, and I want to find some x such that f(x) = y; I inverted this particular y. A weak inversion, which is allowed, is: I give you a large set y1 up to ym, and you find an x that inverts one of them. This is a much easier task.

Let me show you how this plays out on the graph. An inversion is adding an edge into a part of the graph that is already connected. The prover can specify i and j, but he cannot specify h: if this node here is already connected and he wants to add this edge into it, that would be an inversion, so he can specify i and j, but not the specific h of the target node. Instead, h is sampled from the set of all potential targets, capital H. What is capital H? It is all the h's for which the node (i, j, h) cannot be connected for free; if there is some h such that (i, j, h) is simply free and connecting to it is not an inversion, then fine, he can just do that. You take all the nodes that are already connected to some component, and those form capital H. And now the edge is added only with probability the size of capital H over 2t.

If you're slightly confused, let me give you two examples; I think they'll make things easier. When the size of H is 1, say the game just started, there is only one node connected to something, and he wants an inversion into it: he says, listen, I give you (i, j, h), I want this inversion, and capital H contains only this particular node. So this is actually a strong inversion, but we add the edge only with probability 1 over 2t. And, maybe more importantly, every time he does this, the inversion budget decreases by one, regardless of whether the edge was added or not. So he can attempt a strong inversion, but it succeeds with very small probability and it always costs inversion budget. At the other extreme, he can make H as large as possible, which is t; you can have at most t connected nodes, because he has to connect them first. This would be a very weak inversion, but the edge is added with probability one half. So you can offer many potential targets and get the edge with higher probability, but the edge connects to a uniformly random node from H: you cannot control exactly where the inversion lands. You have a big bucket of potential nodes, you ask for an inversion with one of them, and with high probability you get an edge to a random one. So this is the trade-off between a strong and a weak inversion, and of course he can pick any point on this trade-off that he wants.
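Here is a toy sketch of the two bookkeeping rules just described, the collision charge and the weak-inversion rule (my own simplification for intuition, not the paper's formal game; I model only the edge and inversion actions):

```python
import random

class TreeSoundnessGame:
    """Toy model: t actions, k collision/inversion budget, nodes are
    triples (i, j, h) = (level, position, hash value)."""

    def __init__(self, t, k):
        self.t0 = t          # total action budget (fixed)
        self.actions = t
        self.budget = k      # shared collision + inversion budget
        self.connected = set()

    def _spend_action(self):
        assert self.actions > 0, "no actions left"
        self.actions -= 1

    def add_edge(self, parent, left, right):
        """Add an edge from parent (i, j, h) down to two nodes in level
        i+1, all h-values freely chosen by the prover.  Re-creating a
        value that is already in the graph is a collision and costs
        one unit of the bad-event budget."""
        self._spend_action()
        if parent in self.connected:           # a collision
            assert self.budget > 0, "budget exhausted"
            self.budget -= 1
        self.connected.update({parent, left, right})

    def weak_invert(self, H):
        """Weak inversion: H is the set of already-connected target
        nodes the prover is willing to hit.  The budget is charged
        whether or not the edge appears; the edge appears with
        probability |H| / (2 * t0), onto a *random* element of H."""
        self._spend_action()
        assert self.budget > 0, "budget exhausted"
        self.budget -= 1
        if random.random() < len(H) / (2 * self.t0):
            return random.choice(list(H))      # cannot aim at one target
        return None                            # the attempt failed
```

With |H| = 1 this is the strong inversion from the first example, succeeding with probability 1/(2t); with |H| = t it succeeds with probability one half but on an unpredictable target, which is exactly the trade-off just described.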
So that was the tree soundness game, and it really captures all possible strategies of the adversary; that is what we show: any adversary against the original SNARG can be translated into an adversary in the tree soundness game. And now we introduce one more game, which I'll present here in a very simple form, called reverse soundness, and we show that every adversary in the tree soundness game reduces to an adversary in this reverse soundness game. The reverse soundness game is the following. It's called reverse soundness because we reverse the roles: in a standard PCP, you first commit to a PCP and then choose randomness, right? Here we reverse that order, and that's why we call it reverse soundness. The game has a parameter t, and it starts by sampling rho_1 up to rho_t; these are random strings for the PCP verifier. So we start by sampling randomness for the PCP verifier, which is very weird, and we sample a lot of it: rho_1 up to rho_t. Only then is all of it given to the prover, and the prover, as a function of these random strings, submits a proof pi. But then the game samples a random index i, and the prover wins if pi convinces the PCP verifier with randomness rho_i. So: we choose a lot of random strings, the prover chooses the proof pi as a function of all of them, and then we choose one at random; he wins if pi convinces the PCP verifier on that one.
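In code form, one round of the reverse soundness game might look like this (a sketch under the assumption that `prover` and `pcp_verifier` are given as black-box callables; both names are mine):

```python
import random

def reverse_soundness_game(t, prover, pcp_verifier):
    """The role-reversed game described above: the verifier's random
    strings are fixed first, the proof is chosen as a function of all
    of them, and the proof is then judged against a random one."""
    rhos = [random.getrandbits(128) for _ in range(t)]  # PCP verifier randomness
    pi = prover(rhos)            # pi may depend on every rho_1, ..., rho_t
    i = random.randrange(t)      # ...but is checked against a random rho_i
    return pcp_verifier(pi, rhos[i])
```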
This is very similar in flavor to the weak inversions we talked about earlier. And our main result here is that we can reduce tree soundness to reverse soundness: you can take the success probability of any prover in the tree soundness game, reduce it to the reverse soundness game, and then reduce that back to standard PCP soundness. So let me just specify the two lemmas. We have epsilon_tree, which is a function of t and k: you have t actions and k is the budget. The reverse soundness has only the one parameter t. The first lemma says that the winning probability in the tree soundness game is bounded by the following expression. It has t times epsilon_PCP, because the prover can always just try, and actually every time he tries he gets an advantage of 2 to the k; this factor is because of the collisions. And there is an additional term coming from the inversions: 2 to the k times his winning probability in the reverse soundness game. Then the second lemma says what this epsilon_reverse is: it's something we can bound, and the bound depends only on the parameters of the PCP, such as the length of the PCP and the alphabet, provided the PCP you use has good enough soundness. So it's not a smooth expression in terms of epsilon_PCP, but once you have this condition, we can bound the reverse soundness. And now you plug these back into the original expression that we saw, and we can conclude the proof.
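Schematically, and with the exact constants and side conditions suppressed (see the paper for the precise statements), the two lemmas read:

```latex
% Lemma 1: a bad-event budget of k buys at most a 2^k advantage, and
% inversions reduce to the reverse soundness game:
\varepsilon_{\mathrm{tree}}(t,k)
  \;\le\; 2^{k} \cdot t \cdot \varepsilon_{\mathrm{PCP}}
  \;+\; 2^{k} \cdot \varepsilon_{\mathrm{rev}}(t).

% Lemma 2: the reverse soundness error is bounded by an explicit function
% of the PCP's length n and alphabet \Sigma alone, provided
% \varepsilon_{\mathrm{PCP}} is small enough; these are the quantities
% that assemble into the factor C(n, \log|\Sigma|) of the main theorem.
```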
So, to conclude: we gave a new and tight analysis of Micali's SNARG, a new upper bound and a matching lower bound. To do that, we had to introduce some new PCP games, which I think are interesting in their own right, in particular this reverse soundness game. And we actually got something out of it: new and smaller argument sizes, both theoretically and practically.

Some ideas for future work. First, what we did applies to Micali's SNARG, and of course, if you want something really efficient and practical, you're not going to implement Micali with PCPs; you would implement the modern version of it called BCS, where the construction is similar in spirit but is based on IOPs. IOPs are an interactive version of PCPs, they are much, much more efficient, and there is a lot of research on IOPs these days. So one idea for future work is to take what we did for the one round of Micali's SNARG and apply it to BCS, where you have many rounds and in each round you have such a tree; you would have to define interactive versions of these PCP games, something like IOP games. Second, as we already mentioned, we took this tight analysis and it gave us a lot of ideas for a better construction with a smaller argument size. So, for future work, let's continue this: let's find better constructions of SNARGs in the random oracle model. And, while I didn't define this explicitly, there is the very big open problem of whether you can achieve a linear argument size for SNARGs in the random oracle model: both the Micali and the BCS constructions have what is called a quadratic argument size, which I didn't formally define, but the hope is that tighter and tighter analyses could lead us to a linear argument size, which would be truly amazing. And with this, I end. Thank you very much.