Thank you. Right, so I will be talking about Fiat-Shamir Bulletproofs being non-malleable in the AGM. In this work, we give a modular security analysis to show how to prove simulation extractability for multi-round protocols, and in particular we show an application to one specific proof system, that being Bulletproofs.

So to start with, what is a zero-knowledge proof? It consists of two parties, a prover and a verifier. The prover owns a secret input, the witness W, and he claims that the public statement X together with W is in some relation. Then the prover and the verifier go through this interactive protocol where the prover sends messages and the verifier tosses coins and sends back challenges. In the end, we want the following properties. We want it to be complete, which means that if the prover is honest, so he knows the witness, then with very high probability he should be able to convince the verifier. The protocol should be a proof of knowledge, which means that there exists an extractor that can extract the witness; in the real world, this means that if the prover manages to convince a verifier, the prover must know the witness. And finally, we want it to be zero knowledge, which means that there exists a simulator that can simulate the verifier's view. Again, in the real world, this means that the verifier could have generated the transcript by herself, so from the whole interaction with the prover she is not really learning anything extra.

Right. But in the real world, we like to make the interactive protocol non-interactive because it reduces communication, well, the number of interactions with the verifier, and one way to do this is using the Fiat-Shamir transform. If you notice, all that the verifier was doing in the previous slide, and in any public-coin protocol, is tossing coins and sending them back to the prover. There is no internal secret.
So we can replace that with a random oracle, and the prover instead pings the random oracle for the challenges by asking for hashes of the statement and the transcript so far, and then towards the end sends the entire transcript to the verifier. One additional advantage that the prover has in the non-interactive case compared to the interactive case is that the prover gets to ping the random oracle for multiple challenges and then pick the one that it likes to complete the proof.

Okay, so the standard security definition that is considered as proof of knowledge, since we are in the non-interactive world, is Fiat-Shamir extractability. So we want an extractor who has access to the prover and initiates an interaction with the prover, and the extractor is also sometimes responsible for simulating the random oracle queries that the prover might make in the real world. Then it takes the final forgery, which is the statement and the proof π*, and it outputs a witness such that, if the final proof verifies, then the witness is a valid one. But as it turns out, this notion of security might not be enough in practice. One example can be: so Tali is an honest prover, and he has some amount of money in his bank, and he makes a public statement claiming that he has at least $100, and he has a public proof π. And then Lucy is a corrupt prover, and if π is valid, she can take π, maul it locally, generate a different proof π*, and claim that she also has a certain amount of money when she really doesn't. And the third party has absolutely no reason not to trust Lucy. So what is happening here that is not captured by plain extraction is that Lucy, who is corrupt, gets to see a bunch of honest proofs before she gets to make her forgery. That is captured by something stronger, which is simulation extractability.
So in addition to the random oracle, there is also a proof oracle, or a simulator, that the prover gets to query a bunch of times, and then the prover gets to make its forgery. And even in this stronger case, we want that the extractor should extract a valid witness in case the final proof verifies and it was not queried earlier to the simulator.

Okay, so in this work we study simulation extractability for Bulletproofs. A little bit about why Bulletproofs: well, it is a very attractive proof system. It has lots of good properties that we like. It is public coin, it has a transparent setup that can be removed in the random oracle model, it is extremely efficient communication-wise, and it is deployed in the real world. So we care about whether or not it is secure. Right, but there is one challenge when considering simulation extractability here. Bulletproofs has a non-constant number of rounds, and at the time of writing this paper, well, the only way we knew how to prove simulation extractability, how to approach it, was to go from the interactive version to the non-interactive version via a naive reduction, and that would result in an exponential blow-up in terms of the number of rounds. So of course that is not good when it comes to Bulletproofs, or any non-constant-round protocol. But recently there was this work by Ghoshal and Tessaro at Crypto last year, where they circumvent this blow-up by considering a stronger definition of online extraction, and they do this by proving it in the AGM. But note that this work only addresses extraction; it doesn't satisfy the stronger property of simulation extractability. Still, this is already a good starting point.

All right, so what is online extraction? It is a stronger variant of the plain extraction that we saw, and one caveat, or one constraint, that we have here is that the extractor does not have the additional power of rewinding the adversary while it is trying to extract the witness.
To prove this stronger property, like Ghoshal and Tessaro, we also consider the AGM, which means that all the algorithms are algebraic: they can only do group operations, and moreover, if an algorithm outputs a group element, it must also output the way this group element was generated. So if it outputs y, it must also output e1 to en. Right, the way it is formally defined is to consider a real and an ideal world. In the real world, of course, we have the random oracle; the prover queries the random oracle and then outputs the proof. In the ideal world, we have the extractor, and the extractor is internally split into two parts. The first part is responsible for answering the prover's random oracle queries in a consistent way, and the second part takes this final output and outputs the witness. The crucial thing to note here is that E1 does not have any additional power over the adversary, the prover; all it does is take this final output and output the witness. The conditions remain the same as before, but in addition we also want that the real-world and the ideal-world views for the prover are indistinguishable. To extend this to simulation extractability, in the real world we also have the simulator, and then the prover outputs the proof, and in the ideal world we have this additional part of the extractor which is responsible for taking care of this simulation, or the proof queries. And the conditions remain almost the same as in the previous case.

So this, like, showing simulation extractability has been done before, I do not remember the name, I'm sorry, but it has been done before, and the crucial central idea there that is exploited is, well, what if the simulator does not give any additional power to the adversary? In that case, it is enough to rely on the extractability property of the underlying protocol. And in fact, if the protocol has unique responses, we can say something of this form.
So what is unique response? Consider two transcripts that have the same prefix, so M1 up to challenge C_{i-1} are the same, and then they split at the i-th prover message, so M_i and M_i' are different. And we say that for a protocol Π it is very hard for the adversary to come up with two such transcripts: they have the same prefix, and then they split at a certain point. In particular, if a protocol has something like this, it would imply that the adversary cannot reuse a simulated transcript. So the theorem, or the variant of the theorem, that is shown by these prior works goes a bit like this. If the interactive protocol has extraction, honest-verifier zero knowledge and unique response, then the non-interactive protocol has simulation extractability. For the proof, you would construct an extractor for simulation extractability, and that extractor would answer the proof queries by running the HVZK simulator internally. That extractor would take the final forgery made by the prover and check if this forgery has a matching prefix with one of the simulated transcripts. If it does, reduce it to the unique response property. Otherwise, just use the extractor that we have from EXT.

So can we use this for Bulletproofs, because we already have something similar in the prior works? We have honest-verifier zero knowledge for Bulletproofs, but do we have extraction and do we have unique response? Well, we need something stronger for extraction: we need online extractability, and one of the reasons we need this is because we rely on the prior work by Ghoshal and Tessaro. So yeah, the first question is answered: the non-interactive version of Bulletproofs is online extractable in the AGM. But does it have unique responses? To see that, this is a very rough sketch of Bulletproofs. In the first round, the prover commits to the witness.
In the second round, the verifier sends back challenges. Then the prover computes some polynomials based on the first two rounds and commits to them using randomness R. So of course the prover could use the same first two round messages, use different randomness to commit to the same polynomials, and come up with two transcripts that have the same prefix, that is the first two round messages, and a different third-round message. More generally, any protocol that has an intermediate randomized round will not have unique response.

But let's take a step back. All we needed for the proof to go through was that the adversary should not be able to reuse a simulated transcript. So in fact the observation is that the definitions that we have in the literature are way too strong, and it suffices to fix one of the transcripts. It suffices to fix a transcript π and then ask the adversary to come up with a π' with respect to this π. In this work we introduce this notion, and it is inspired by state restoration soundness, which was introduced by Ben-Sasson et al. State restoration soundness captures very nicely the additional advantage that the prover has in the non-interactive case, the additional advantage being that the prover can, in some sense, rewind the verifier a bunch of times and ask for different challenges, and then pick the challenge that it likes. So the way we define unique response is, well, first of all, the prover must have the proof with respect to which it has to create this fork. So first the prover is provided with a proof from the simulator for a statement of its choice. Then it gets access to a state restoration oracle that behaves, in some sense, as a verifier in the real world. The prover can send messages to the oracle and in response get back challenges, just as it would in the real world, and the oracle maintains everything that it sees from the prover.
Now the prover can send this rewind message to the oracle so that it can send a different M2' and receive a different C2'. The oracle also maintains this fork that was made from M2 to M2', M2*. In the end, the prover submits a π' which would correspond to some path in the execution tree that is maintained by the state restoration oracle. The winning condition is, well, π' should be accepted and it should have a matching prefix with π, but it should differ at some point. Intuitively, this should be hard for the prover to do if the prover doesn't know the witness, because the challenges are picked at random. So, okay, this definition is an interactive version of the definition. But towards the end we want to argue something about the non-interactive protocol, and in the paper we show that if the interactive proof system satisfies this weak version of unique response, the non-interactive version via Fiat-Shamir also satisfies weak unique response.

Okay, so we have this from prior works: if we have these three properties, in some ways we can show simulation extraction. But we begin with interactive properties and then we go towards non-interactive. The first part, that is extraction, is already shown by Ghoshal and Tessaro, and I'm not gonna talk about SR-WEE, which is state-restoration witness-extended emulation, a property that they consider in that paper. We know this, we've known this for quite some time. So if we can show for the interactive protocol that it has unique response, then because of the reduction that we have in the paper, which I will talk about, we have this. And then given these three things, we finally arrive, we can say that Bulletproofs is simulation extractable. So all that remains now is to see that Bulletproofs has unique response and then we're done.
So at a high level, we have a simulated transcript and the adversary submits π' with respect to π. Since we are in the AGM world, we assume that the simulator is algebraic, and in fact it is for Bulletproofs. So we assume that along with π the simulator also submits the way it was generated: it outputs A1, B1, ..., Ai, Bi and so on and so forth. The adversary is algebraic too, so it also submits its representation: Xi, Yi, et cetera. You might guess it, but we use the Schwartz-Zippel lemma on these two transcripts and their group representations to break discrete log at some point. A little bit more in detail: for Bulletproofs, either we can break discrete log directly by analyzing the verification checks. The first one we have because π, the simulated transcript, verifies, and the second one is because the adversary's transcript verifies, and R here is some value that only depends on the shared prefix. Or, in a slightly more complicated analysis, because the adversary's transcript verifies and because of the verification check, we can say something of the form that the first equation should be zero. And since the Ci's are picked by the state restoration oracle and they are random, this polynomial must be the zero polynomial and therefore A1 must be zero. But A1 is something that the simulator picked at random, so it will not be zero with very high probability.

So once again, we prove that Fiat-Shamir Bulletproofs is simulation extractable in the AGM plus random oracle model, and we show this relation between the advantages of the different adversaries we consider. Right. And well, Q2 is the number of simulation queries that the adversary makes. To conclude, we have a new approach to show that non-interactive protocols are simulation extractable. We give a concrete analysis for Bulletproofs and range proofs, and this might be applicable to other multi-round constructions.
And well, one final thing: there was a concurrent work by Attema et al. where they prove that the non-interactive multi-round protocols are extractable, and they do this without assuming the AGM. Using their result, we can remove the reliance on the AGM from our own result. This is something which is still work in progress and will be soon up on ePrint. Thank you.

Thank you, Mark. Do we have any questions? Please walk to the microphone if you can.

Thanks. Thanks for your great presentation. So now that you don't do the extraction by rewinding, can we also think about a black-box variant of the simulation extractability? Let's say we have an extractor which is universal, doesn't depend on the adversary. Because you don't need to rewind the adversary, yeah, if I get it correct.

Yes. So because this version that you said, I'm still not sure if it's black-box extractable, maybe co-authors can comment on it. So you mean there's an extractor that works for all adversaries?

Yeah, because there is a result that if you have black-box extractability of the simulation extractability, that should be enough to realize the ideal functionality of these NIZKs in the UC model. So now I'm just curious to know if this is sufficient, because now you don't use rewinding of this.

Well, I think there's, so do you mean like simulation extractability, proving simulation extractability in the UC? If this is black box, then would this imply simulation extractability in the UC?

Yeah, my question, let's clarify. So my question is: is this simulation extractability that you achieve black-box simulation extractability, or I saw that it's not non-black-box, because you don't use rewinding of the adversary?

I'm not sure actually.

No problem, we can discuss it. Thank you.

One comment I have on that, there's also an algebraic group model in the middle, so maybe that's also true.

Right, that's also true, yeah. Yeah, without the AGM. No, but then you would rewind.
So we would remove the AGM by rewinding the adversary a bunch of times. Let's thank the speaker again.
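Added example (not from the talk or the paper): a toy three-message Fiat-Shamir protocol in Python with a randomized intermediate round, in the shape sketched for Bulletproofs above, producing two accepting proofs that share the first two rounds but differ in the third message, which is exactly the failure of strong unique response the talk describes. The group parameters P, Q, G, H and the protocol itself are constructed for illustration and are not Bulletproofs.

```python
import hashlib

# Constructed toy group: the order-Q subgroup of Z_P^*, with P = 2*Q + 1.
# Parameters are tiny for readability, not for security.
P = 1019          # prime
Q = 509           # prime, (P - 1) / 2
G = 4             # 2^2 mod P, a generator of the order-Q subgroup
H = 9             # 3^2 mod P, second generator (assumed: log_G(H) unknown to the prover)

def commit(value, rand):
    """Pedersen commitment G^value * H^rand; the second exponent is the blinding randomness."""
    return pow(G, value % Q, P) * pow(H, rand % Q, P) % P

def challenge(statement, transcript):
    """Fiat-Shamir challenge: hash the statement and the transcript so far into Z_Q."""
    data = ",".join(str(v) for v in (statement, *transcript)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(C, w, r, a, s, u):
    """Toy protocol for 'C opens to (w, r)'.  Round 1: A masks the witness; round 2:
    challenge c from the hash; round 3: T commits to z = a + c*w with fresh randomness u
    (the randomized intermediate round); the last message opens A*C^c and T.
    Randomness is passed in so the demo can replay the same prefix."""
    A = commit(a, s)
    c = challenge(C, [A])
    z = (a + c * w) % Q
    T = commit(z, u)
    rho = (s + c * r) % Q
    return (A, T, z, rho, u)

def verify(C, proof):
    """Recompute c from the prefix and check both openings."""
    A, T, z, rho, u = proof
    c = challenge(C, [A])
    return commit(z, rho) == A * pow(C, c, P) % P and T == commit(z, u)

def fork_index(t1, t2):
    """First position where two transcripts differ; None if one is a prefix of the other."""
    for i, (x, y) in enumerate(zip(t1, t2)):
        if x != y:
            return i
    return None

def demo():
    """Two accepting proofs with an identical first round (hence identical c) and a
    different third message: a prefix-sharing pair that strong unique response forbids."""
    w, r = 42, 7
    C = commit(w, r)
    p1 = prove(C, w, r, a=123, s=77, u=11)
    p2 = prove(C, w, r, a=123, s=77, u=12)   # only the round-3 blinding changes
    return verify(C, p1), verify(C, p2), fork_index(p1, p2)

if __name__ == "__main__":
    print(demo())   # (True, True, 1): both verify, first difference is T at index 1
```

The weak notion from the talk is not contradicted by this pair: the prover built both transcripts itself from a known opening, whereas weak unique response hands it a simulated π whose representation it does not know.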