 Hi everyone, my name is Egeran and I will present a joint work with Benny and Arpita about verifiable renaissance sharing and multi-verifier zero-knowledge in two rounds, trading with non-interactive zero-knowledge with honest majority. So that's a long title, let me first present multi-verifier zero-knowledge. In standard zero-knowledge, we have one pover and one verifier, and the pover wants to prove that the statement exists true without revealing any information about the secret witness tab and will require the standard completeness, soundness, and zero-knowledge properties. However, in this work, we are interested in zero-knowledge proofs where there is one pover and the many verifiers, and this can be seen as the doing of multi-prover zero-knowledge, and in fact it is a common scenario in multi-party computation where one player wants to prove that some statement is true to the rest of the players in zero-knowledge. We assume that the players can communicate with each other over secure channels and also that they have access to a broadcast channel, and we require strong security even against an active adversary that can deviate from the protocol, and by strong security, I mean that we require a strong completeness notion where an honest pover can convince the honest verifiers that the statement is true even in the presence of corrupt verifiers. We also require simulation-based zero-knowledge, which means that the corrupt verifiers have no information about the secret witness, and a strong soundness. Here, even if the corrupt pover commutes with some of the verifiers, this thing cannot convince the honest verifiers that the false statement is true. We also require knowledge extraction, which means that if the honest verifiers were convinced that the statement is true, then the secret witness can be extracted from the joint view of the honest verifiers. And in this work, we focus on the roundup complexity of protocols that achieve those requirements. So, a natural question is how many rounds are required for MVCK, and in this work, we are very interested in two-round protocols, so we ask, can we get a two-round MVCK protocol? So, it is known that there is no honest, so it is known that if there is no honest majority, then the answer is no, we cannot get a two-round protocol. So, this follows from the classic work of Kondra-Hendoren that shows that a two-round protocol exists only for BPP. I do want to mention that if there exists a common random string, then there exists a protocol in which only the pover sends a message, so this is non-interactive zero-knowledge, and it can be achieved either from public key assumptions or in the random molecule. So, we say that without honest majority, we cannot get a two-round protocol. On the other hand, if there exists an honest majority, then there exists a two-round protocol. And this protocol is implicit in the work of Grotenostrovsky, and it can be achieved from public key encryption and non-interactive zero-knowledge. And this protocol has this nice feature that the first round is independent of the inputs, so the players can execute the first round even before the pover knows the statement and the witness, which are only required for the second round. But as you can see, the assumptions required for this protocol are essentially the same as for non-interactive zero-knowledge or even stronger because we're required with public key encryption. So, a natural question is, can we use the fact that we have an honest majority in order to get rid of the assumption of non-interactive zero-knowledge, and in particular, can we use many creep-type assumptions? And we show that it is possible, so we assume the existence of non-interactive commitments, and we show that there exists an MVZK protocol with one of one round and one of one round, so that if the number of parties is constant, then we obtain optimal resiliency, which means that the number of corrupt parties t should be less than half the number of parties n. And if the number of parties is large, then we obtain an almost optimal resiliency, or the number of corrupt parties t should be at most one-half minus epsilon n, and epsilon e is any arbitrarily small constant. So, now let me say a few words about non-interactive commitments. So, there are two types of non-interactive commitments. First, we have statistically hiding commitments, and if we use those commitments, we obtain a protocol that provides everlasting security. This means that the protocol is secure against an adversary, which is bounded during the execution of the protocol, but can be unbounded after the execution. And in order to construct such commitments, it is enough to assume that the players are given access to a collision-resistant flash function. Now, the second type is only computationary hiding, and if we use those commitments, we obtain a protocol that provides standard computationary security, but in fact, we also need the commitments to provide security against selective opening attacks. And such commitments can be constructed based on injective one-way functions with sub-exponential hardness, and even based on standard one-way functions with sub-exponential hardness to either with a common random string or under some de-randomization assumptions. And as an application, our MVZK protocol can be seen as a substitute to non-interactive zero-knowledge, where the common random string is replaced with the same one-round, and the pool frame requires only one on one-round. And the main point, of course, is that you get all of this for many creep-type assumptions. And here are some more topics that I will discuss in the talk, so thank you and see you in the talk.