ノーションブレイケージリジェンゼロナレッジノーションブレイケージリジェンゼロナレッジ against the verifierswho obtains the leakage of the proven secret state.So in particular,レイケージリジェンゼロナレッジis defined by considering verifierswho make any leakage query during the protocol.So the verifier can query any functionat any time of the protocol.And after the query,the function is evaluated immediatelyon the current state of the proven stateand the output is returned to the verifier.And of course, the verifier can queryany number of queryand this query can be made adaptably.So more formally,レイケージリジェンゼロナレッジis defined as follows.So for any cheating verifierswho can query any leakage querywe require that there exists a simulatorthat can simulate the cheating verifier's viewincluding the answer to the leakage query.So the simulator is requiredto simulate the leakage for the cheating verifier.However,since we consider cheating verifierwho can query any leakage query,the verifier can request leakagefrom the witness of that proven house.And then in this case,the simulator cannot simulate the leakagebecause it doesn't have any information about the witness.So in the definition of the leakagereality on the knowledge,we consider the simulatorthat can obtain some information about the witnessby making query to a protocolcalled the leakage protocol.So leakage protocol is parameterizedby the witness that the proven houseand it evaluates any function on the witnessand returns the output to the simulator.So in the setting of the leakage region,the knowledge,the goal of the simulatoris to simulate the cheating verifier's viewincluding the leakageby obtaining some informationabout the witness from the leakage protocol.And I know that in order to make surethat this definition guaranteemeaning security,we require that the simulatoratmost the same amount of the leakageas the verifier.So we require that if the cheating verifierobtain a little bit of the leakageby making the leakage query,then the simulator can obtainatmost a little bit of the leakagefrom a leakage protocol.Then in the previous work,in the work by Gag et al.,they show that we can constructleakage region zero knowledge protocolif we use a relaxed definition.So in particular,they consider definitionif it is the simulator can obtainslightly more amount of the leakagethan the verifierand they show that we can constructthe protocol under such a definition.And the round complexity of the protocolis at least omega log n.And the assumption they useis a statistically hiding commitmentwith the public coin property.And it is known that such a commitmentcan be based on any one function.Then in a recent work by Pandey,the result of Gag et al.was improved.And in particular,Pandey shows thatwe can constructleakage region zero knowledgewithout relaxing the definition.So Pandey construct a protocolusing the definitionthat I explained in the previous slide.And Pandey also improves the resultof Gag et al.In terms of the round complexity,and in particular,Pandey's protocolhas only a constant number of rounds.However,these assumptions,these improvements come with the cost of the assumption.And in particular,Pandey usesDDH assumptionand the existence of thecollision-resistant hash functionto prove the security of his protocol.So of course,the both of the DDH assumptionand the existence of thecollision-resistant hash functionare quite standard.And there is no problemof using them in practice.But however,in a theoretical perspective,it is important to determinewhat is the weakest possible assumptionto construct primitive.And in that perspective,the use of the DDH assumptionis not so very goodin the protocol,in the work of Pandey.Because the DDH assumptionis seemingly much strongerthan the existence ofcollision-resistant hash functionor one-way function.So,in this work,I consider the problemof removing theDDH assumptionfrom the result of Pandey.So,the goal of this workis to constructthe retail-religion-zero-narrated protocolby assuming only the existenceof thecollision-resistant hash function.OK.So,now let me statethe result of this work.So,in this work,I prove the following theorem.So,assume the existenceof thecollision-resistant hash function.Then,there exists a constantround public coinDK-ZGN-zero-narrated argumentfor any language in NP.So,compare with the previous work.This work achieves the same securityand the same round complexity.And at the same time,this work uses a weaker assumption.And in particular,we use onlythecollision-resistant hash function.So,DDH assumption is no longer used.And I also want to know thateven though this work uses a weaker assumption,the protocol of this worksatisfies an addition propertycalled the retail-religion-sandness,which is a soundness againstcheating proverwho obtainsunbounded amount of the leakagefrom a verify as a secret state.So,leakage-religion-sandnessalone is not so hard to satisfy.And actually,any public coin-zero-narrateis already leakage-religion-sand.However,satisfying bothleakage-religion-zero-narrateand theleakage-religion-sandnessis not so easy.And in particular,previousleakage-religion-zero-narratedoesn't satisfyleakage-religion-sandness.So,the protocol of this workis the first onethat satisfiesleakage-religion-zero-narrateand theleakage-religion-sandnesshemitaneously.Okay.So,this work uses a weaker assumptionand provides a protocolthat satisfiesstronger securityin the leakage setting.So,this is the result of this work.So,in the rest of this talk,let me explain the techniqueof this work.So,first,let me explainthe basic simulated strategyin the setting ofleakage-religion-zero-narrate.And in particular,I want to knowthat in order to proveleakage-religion-zero-narrate,it suffices to consider a simulatorwho simulatesproper the messageand prove the randomnesssemitaneously.So,recall thatin the definition ofleakage-religion-zero-narrate,the simulator is requiredto simulate a cheatingverified view,includingthe answer to the leakage-oracle,leakage query.So,the simulatorhave to simulateproper the messageand leakagefor the cheatingverifier.However,it iseasy to see thatif the simulatorcan simulateproper the randomness,then the simulatorcan easily simulateleakage for cheatingverifierby just forwardingthe leakage queryfrom the cheatingverifierto the oracle,to the leakage oraclewith simulated randomnessbeing hardwiredat the input of the function.So,it isso,in order to proveleakage-religion-zero-narrate,it suffices to consider a simulatorwho simulatesproper the messageand randomness.So,we construct a protocolsuch thatproper the messageand randomness can be simulated.Then,I constructleakage-religion-zero-narrate protocolin the following two steps.So,in the first step,I construct mainToolwhich isnew instance-basedequivocal commitmentthat satisfy not onlyequivocalitybut also a niceleakage-religion-zero-narrate property.And I construct such a commitmentby using only one way function.Then,in the second step,I use this instance-basedequivocal commitmentto constructleakage-religion-zero-narrate protocol.And I will explainboth of these stepsand let me first explainthe first steps.So,require thatinstance-basedequivocal commitmentis a commitment schemethat is based on anNP instancesuch thatwhen the instanceis false,then the commitment is bindingbut when the instance is true,then the commitment isequivocaland in particulara commitment can be opento both zero and oneby using a witnessfor the instance.Then,in this work,I constructnew instance-basedequivocal commitmentby convertingtheleakage-religion-zero-narrateprotocol of GaG et al.to our instance-basedequivocal commitment.So,in particular,since theleakage-religion-zero-narrateof GaG et al.is based on theBramed Hermitian-State-zero-narrate.All I did hereis just usea well-known techniquethat convertsBramed Hermitian-State-zero-narrate.to our instance-basedequivocal commitment.And a nice thing hereis that sinceour instance-basedequivocal commitmentis based ontheleakage-religion-zero-narrateof GaG et al.Ourequivocal commitmentinherit theleakage-religion-propertyfrom the protocol of GaG et al.So,in the next slide,I will explain this property.So,okay.So,roughly speaking,ourequivocal commitmentsatisfies the following property.So,consider athree-round protocolbetween theprover and the verifierin which theprover commit to zerousing ourequivocal commitment.And then,after receiving a bit Bfrom the verifier,it opens the commitment to Busing equivocality.Then,the nice propertyof ourequivocal commitmentguarantees that we cansimulate theprovered messagerandomness of this protocolas long as we can predictthe value of B in advance.So,I know that this propertyis not so simpleand it is not clearif this property is really niceor not.But the important thingis that this propertysay that we cansimulate theprovered messagerandomness of ourequivocal commitmentas long as we knowourequivocal commitmentjust as in thiscommit theequivocal protocol.So,this means thatif we can constructthe zerounit protocolby using ourequivocal commitmentjust as in this protocol,then we canshow that we cansimulate theprovered messagerandomness of such a protocoland so we canconcrete ourleakage-region-zeroknowledgeness.So,now our goal isto constructleakage-region-zeroour goal is to constructthe zerounit protocolby using ourequivocal commitmentjust as in this protocol.So,now let me explainourequivocalgent-zero-unit protocol.So,in our protocolwe useso-calledBarak's preamblewhich ispreamble stageof theBarak'snon-Barak box-zeroknowledge.So,the detailof theBarak's preambleis notneededfor this talkand what is neededis thatBarak'sis the fact thatafter the preamble,the pruber and the verifierobtain a statementcalled the trapdoor statementand it is guaranteedthat any cheating prubercannot make the trapdoorstatement truebut there exists a simulatorwho can make the trapdoorstatement trueand obtain a witness for itby using the codeof the verifier.OK.And I know that actuallyin this workI need to modifytheBarak's preambleso that it can be usedin the leakage settingbut in this talkI could do this fact.OK.Then,usingBarak's preambleI constructleakage-illusion protocolas follows.So,basically,ourleakage-illusionzero-knowledge protocolis theHarmistonicityzero-knowledge protocolin which the graphis committedby usingwhy-cubock commitmentwhich is based onit is based onthe statement xand also the statementto be provenin trapdoorstatementis thetrapdoorstatementthat isgenerated byBarak's preamble.So,our protocoltheproverand the verifierfirstexecuteBarak's preambleto obtaintrapdoorstatementand thentheyexecuteBrammedHarmistonicityzero-knowledgein whichthe trapdoorstatementis proved.Now,beforeshowing the securityof this protocollet me first checkthe correctnessof this protocolmeaning thatthehonestprovercan proveprove thestatement.So,actuallythatthe correctnessof this protocolis not clearbecausetheproverhave to provetrapdoorstatementinHarmistonicityzero-knowledgebutthe trapdoorstatementis forcedfrom the propertyofBarak's preamble.So,the key point hereis thateven thoughthe trapdoorstatementis forced,theprovercan stillgenerateacceptingHarmistonicityzero-knowledgeprovebysimulatingitbyequivocation.So,inparticularsincetheproverknowthewitnessfortherealstatementx,itcanequivocatein theopeningoftheourequivocalcommitment.So,itcangenerateacceptingHarmistonicityzero-knowledgeprovebyjustcommittingzerozerometricsusingourequivocalcommitment.Andthen,openthecommitmentto eitherRandompaptationofdependingonthevalueofthechallenge.So,inthis way,even thoughthetureverhalftotureproveforstatement,theproxtenceofaproticlestillfollowedstillhold.So,next,letmecheckthesoundness.And,actually,thesoundnessofourproticlefollowedalmostimmediatelyfromthesoundnessofHarmistonicityzeroknowledge.So,inparticular,sincebarakthepreambleguaranteethatthethe trap of statement is false for any cheating prover,thecheating prover have to prove a falsestatement inHarmistonicityzeroknowledge.However,sincein the setting of soundness,thestatement x is a false.Ourequivalent commitment is binding.Andso,usingexactly the same argument as thesoundness 2 for theHarmistonicityzeroknowledge,we can show that theprover cannot prove a falsestatement in Harmistonicityzeroknowledge.So,wecanconclude that there's a sound.Wecanourprotocoid sound.So,finally,Iwill explain theprover leakage inzeroknowledge.But,beforethat,let me first explain theprover sound,aprove of zeroknowledge as a warm-up.So,herewe consider a simulator whosimulates theprover's message for thecheatingbarryfire.So,thekey point here is that thesimulator can generateaccepting proof oftopper's statement byjust provingtrapter's statementhonestory.So,inparticular,thesimulator canmake thetrapter's statementtrue and obtaina witness for itin thebarrexpreamble.So,itcan generateacceptingHarmistonicityzeroknowledge proofby just committingto arandom permutationof thetrapter'sstatement inthe firstrand.And then,openthe commitment toeither the entiregraph or thecycle in thegraph byopening it,openingthe commitmenthonestory.So,inthis way,it iseasy tosimulateproper'smessage.Andas I saidearlier,inorder toprove thereakageregimentalknowledge,allwe have toshow now isto show thatpro-simulatorcan alsosimulateproper'srandomnessin additionto theproper'smessage.So,inorder toshow thatwe considerhybrid experimentthat isdefinedas aforward.So,inthishybrid experiment,justas in thereal experiment,theprover commit tothat zeromatrixusing ourequival commitmentand openthe commitmentby usingequivocality.However,inthis experiment,insteadofopening thecommitment toeither therandomtapitation ofthetrapodalstatementorrandomcycle,theprover openthe commitmenttoeithertheeitherrandompampationof thetrapodalstatementorthe cyclein thatstatement.Andyouwant todo that,theprovermake thetrapodalstatementjustlike thesimulatorin thepreviousslide.Andit is not sohard to seethat theverified viewin thisexperimentis indistinguishablefrom theverified viewin thepreviousin thereal experiment.Soall wehave to shownow isthatwe cansimulatetheverified viewequalthe leakagein thishybridexperiment.Andinwant tothat,it'ssuffice toconcent.It'ssuffice toshow thattheprover'smessageand randomnesscan beshibratedin thishybridexperiment.Ok.Andthe key point here isthat sincein thishybridexperiment,theproveropened thecommitmentto eitherthe entiregraphorcyclein thegraph.Foreach bitin theadjacentmatricofthatgraph,theprover doeseithercommitthenequivocateorcommitthendon'top.Soinparticular,whenthechallangeis there,thentheproveralwaysthechallangeis there,thencommitterdoesproverdoescommitthenequivocateifthe bitrepresentsedgeanedgeonthecycleanditdoescommitthendon'topanothercases.Thenwe observethatifwe cansimulatetheprover'smessageand randomnessofcommitthenequivocate.Wecantribiallysimulateprover'smessageand randomnessofboththese cases.Soso itremainto panscommitthenequivocate.Butthis is exactly whatthenight property ofourequivoccommitment guarantee.Sowe canconcretetheproof just by usingthenight bike property.Sothis isUTthis israthsketchofftheproofofthe proof.Sofordetailproveprove iss spinning日本 오け、okay.Solet meconcouragenightproveinファンクションand like previous workWe assume only the existenceof the collision-register functionand also unlike previous workwe construct a protocolthat satisfies bothstereo-narrativeness and soundnessin the leakage sector.Thank you so much.We have time for a very quick question.Thank the speakers of the session.