 Hello, and thank you for clicking on this video, where I'll be talking about our latest work, which is titled Rational Modular Encoding in the DCR setting, Non-Interactive Ranch Proofs and Payet-Based Nulling in the standard model. So this is joint work with Benoalibere and Thomas Peters, and as the title suggests, we would be using a particular Rational Encoding in order to build a Non-Interactive Ranch Proof that satisfies, concentrates, and unboundingness, and we also instantiate the narrowing paradigm under the DCR assumption. So first, let me tell you about Ranch Proofs. The idea is that you have some integer value that you do not want to reveal, for instance, the amount of money on your bank account, but you want to prove that this value belongs to some range, that you have enough money to buy something, for instance. So to do so, you will commit to this value to a verifier, and then you will have to give it a proof that it belongs to the intended range, and the verifier must be convinced in the end. The unboundingness property means that the CRS used to commit to the integer X does not bound the values a and b, and the rate, which we want constant, it's the ratio of everything you sent to the verifier over the length of your witness, being the integer you've committed to. So we can look at two previous examples. So first, we could try to instantiate CRS proofs in a particular way to get Ranch Proof, we may be achieving unboundingness, but however, we do not get a constant rate. Another interesting previous work, which is more recent, is a work by Kutu and Koutos. It uses the rational encoding that we will be using too, and they use that in different settings, but in all of those settings, they don't get the unboundingness property. And in our work, we notice that if we use their IDs in the DCR setting, then we are able to achieve unboundingness and constant rates because of some property that DCR has, and that I'll talk about later. In a second time, we'll be working on threshold public encryption schemes, which are basically the same as PKE, except that you distribute the decryption algorithm. So you have N servers, each of them has some private key share, and when they get a ciphertext, they compute a partial decryption. When you recover T out of N partial decryption, then you can recombine them and recover the message N. In this setting, Naur Young was already instantiated under the DCR assumption, but the proof they used for plaintext equities, the proof system they used, was flow, so it does not really hold anymore. We could also compare our results with one of our previous work, where we give also a TPKE under the DCR assumption that satisfies the NCCA2 security against adaptive adversaries in this standard model, because it has the drawback that key shares grows with the number of servers. In this work, we are proposing a new CIMA protocol and a new way to turn it into an uninteractive proof system that lets us instantiate Naur Young in a standard model. We have a slightly weaker security, because we're only secure against static adversaries in that adaptive, but the public key and key shares don't grow with the number of servers, and so we have a smaller key. So let me first recall what is the zeta decision composite residue as the assumption. So basically taking N, an RSA modulus, it is hard to distinguish between a random N to the zeta residue, or N to the zeta plus 1, and a random invertible element of Z N to the zeta plus 1. It has the nice property that will let us reach the unboundedness, that for any zeta polynomial in lambda, then its equivalent to the zeta DCR assumption is equivalent to the 1DCR assumption. It means that with one CRS comprised of N, the RSA modulus, you are able to do a lot of different instantiations of DCR. So that's the first tool. What we want to build is a Trabda CIMA protocol for gap language. So gap language, it's actually two languages, with L sound being slightly bigger than L, Z, K. And so you'll see that stuff that is done honestly belongs to L, Z, K, but when we want to prove the soundness, we only prove that outside of L sound, you cannot do false proofs. So we have some gap between what we can honestly prove and not honestly prove. So other than that, it is a CIMA protocol in the sense that we have a prover and a verifier. So if we compute the first statement, then the verifier returns a challenge and the prover must respond to that challenge. Depending on this response, the verifier accepts our rejects. We want the following properties for our Trabda CIMA protocols, first the completeness, which is if you do stuff correctly, then the verifier accepts. The special zero knowledge is that on input a statement X that belongs to L, Z, K and a challenge, then you can generate false transcripts that are indistinguishable from a real transcript. So we have the special soundness. So as I said, this is here where we get the gap between L, Z, K and L sound, because here if X does not belong to L sound, then whatever first message you send and whatever challenge is then returned, there is no accepting answer except for one challenge. So this challenge will be computed by something called the bad challenge function, but this bad challenge function needs some supplementary information that is given by a Trabda. And to get this Trabda, you have to replace the generation of CRS Gen by the TrabGen algorithm. So think of it as the CRS will always be some RSA modules N, and so the Trabda will always be its factorization PQ. The next tool is this Rational Encoding. So let's say we have some rational number R over S, which belongs to, so the numerator and denominator belongs to some specific range, okay? We're going to encode it as R times S to the minus one, what N to the zeta, where zeta is chosen in a particular way. Now how do we extract T from its encoding? Well, we can define the following two-dimensional lattice lambda, okay, which is the x, y that satisfies S times x is equal to y times R mod N to the zeta, and we actually know a particular basis of this lattice, okay, this vector and this vector, they form basis of it. And so we are able to use Gauss's algorithm to recover RNS. This was proven in a previous work, so we can recover RNS. So using this, we can define the following encryption over Rationals. So this is basically the time-guardiary encryption scheme, okay, where the zeta is chosen accordingly, depending on the size of the message that you want to encrypt, okay? So you choose the zeta in a particular way and then you compute a pi n encryption of the message over the zeta you've chosen. And to decrypt, you actually get some message prime using the same encryption algorithm as in the guardiary encryption scheme, but at the end, you use Gauss's algorithm to write the message as the encoding of some rational number, okay? So this lets you apply homomorphic operations on ciphertext, even over Rationals, but still get a correct decryption in the end. So we move to the first result. So let's say I have an integer x. I take it in 0b because if it was in some a, I could simply consider x minus a to get it back to that case. So the commitment I will consider to that integer is an inclusion of it from the previous scheme, okay? And actually, what we will do is we'll commit to the following integers, where we actually write 1 plus 4 times b minus x times x as the sum of three squares. And so what we actually want to prove membership of, it's of, so you take four encryptions and you want to see that they are encryption of four integers that satisfies this relation, this relation, okay? And actually what we can prove is that if we prove membership of that language, then we prove, we give a convincing proof that x is in 0b. So we have to consider, since we are working with gap languages, we need a soundness language. In this soundness language, it's actually the same except that they are encryption of encoded rationals. And because of the rounding operation at the end, well, when you decrypt, you may not get this to be true anymore, even if it holds inside this language. So this is why this is a soundness language, which is slightly bigger, because this may not hold, but the values are not too far from one another. So how do we do that? So let's say that I have, so my statement is the commitment to my integer, okay? So that's the encryption. And my witness, it's x and the randomness I used. So now p, as we said before, will generate encryption of the decomposition that we proposed before. Okay? So this is everything I put in right, xi and the randomness si that were used. Then it will need fresh randomness that I put in green. And it computes the following encryption r, which may seem a bit weird at first, but not the following. If r0, you change it into b minus x0, and r i, you turn it into the red xi, then all that, okay, it's just an encryption of one. So this will be important later, so try to keep it in mind. And then for consistency, it encrypts the r i used before in big r i. It sends all of that in the end, the commitment, the encryption, and the value r. Then it gets a challenge, which belongs to 0 to 0 minus 1. And it is computing, most importantly, z i, which is r i plus x i. And then some randomness values that are consistent with z i, consistent in the following way, v will be checking the following things. First, it checks that r i and c i are consistent with the z i, in the sense that they must satisfy this property, okay? And most importantly, it computes this value, this Boolean value. And we see the following. c i to the minus z i. When we look at it and expand it, we see that the red parts, as I said before, all of that, the beginning of the ciphertext, it will be an encryption of one times char. So this encryption of one times char, we've computed it in the reverse way. So we can remove it with the last thing we added here, but we still have all of the leftover green stuff that is multiplied by the red stuff contained in the c i's. And this will be exactly what r is, you know, because it is green stuff times red stuff. This is just to give you an intuition of what's going on. We can spend more time thinking about it. And in the end, we see that this sigma protocol is satisfying all of the desired properties. So first, it is complete. It satisfies the special cipher knowledge property. It also has the special soundness and CRS indistinguishability. And the bad challenge function is actually a bit complicated because it uses linear programming and then straws algorithm. But the important result is that it satisfies unboundedness. So it means that when we fix n, so the CRS, you know, it's n p times q. And the thing is we are not constraining the value b here at all because whatever value b you take here, then we will take the zeta for the commitment accordingly. So this is why we reach unboundedness. Then we also achieve constant rates because we can compute what it is that we have in a full transcript. And we will see that because of the way we choose zeta to be the smallest integer that is close to the x i's and x and everything, we get the constant rates. But most importantly, we want a non-interactive range proof. So to do so, we want to compile all of that into a multifuram non-interactive zero-range proof, but we don't want to lose the unboundedness property or not the constant rate property. And we can do so using different or tricks and over properties like that. So next, we move to how we instantiated the Naoyung paradigm under the CRS assumption in the threshold setting. So to give you a bit more insight on how a threshold public key encryption scheme works, it's actually a five-upper of algorithms, key-gen, partial decryptions, partial verification and combine. The partial verification algorithm I won't talk about here because this is something we can add on top of everything at the end. So the idea is that for the sender, nothing changes from a regular PKE. But when you want to decrypt, you have forwarded secret key shares to each server. So you forward the ciphertext to each of them, and they compute a partial decryption of the message. And when you have at least T that you give as a parameter here out of the number of servers, then you can use the combined algorithm to recover the message M if the TPK is correct. So M prime is equal to M. So what kind of security do we consider for TPKE? In our case, we're interested in the static NCCA2 security. This security is as follows. The adversary chooses a threshold T and a set of corrupted adversaries C, which is comprised of exactly T minus 1 servers. And the challenger, it will generate the public key and secret key accordingly to the choice of the threshold. And it will return the public key and the secret key shares of corrupted servers. So this is an NCCA2 security. So you have access to not a decryption algorithm because there is none here, but you have access to every partial decryption algorithm for each of the servers. And also you have the challenge query at some point as in NCCA2 security for TPKEs. And you have to guess which message was encrypted. Another interesting point is that you can make decryption queries for the challenge as long as you don't trivially win. So it means that if you make decryption queries for the challenge, then these queries must be made for servers that were corrected at the beginning. So what we want to build in particular, it is a treble sigma protocol for the language of ciphertexts that encrypt the same message m that's over different modules n1 and n2. In the case of the soundness language, since we are considering gap languages, it is simply that we are encrypting not only a message, an integer message, but we are encrypting a vibrational which belongs to, well, where the numerator and denominator belongs to this range. Of course, zeta must correspond to some particular choice, minimizing the modules, but still allowing for correct decryption at the end. So how do we do that? Well, this is a bit more standard because we are actually encrypting some random first message for both modules. So we produce two two ciphertexts, then we get a random challenge and what we have to provide the verifier is the following message a plus child times m and we have to provide the randomness to make sure that we can compute, well, to make sure that if you encrypt z using this randomness, then you get the homomorphic encryption of a plus child m using the big ab and the commitment ct1, ct2. So what V is checking is indeed that if you compute this homomorphic encryption, which is normally an encryption of c by choice of child, then you should get exactly this encryption where everything was provided here. So once again we have the completeness, special zero knowledge, special soundness and CRS indistinguishability properties and once more the bad challenge function so it uses a strobdoor, the factorization of n1 and n2 and it still needs to use linear programming and menstrual algorithm in order to find the bad challenge. Also for what we want to use it in we are actually giving a new way to term this previous protocol into a one-time simulation sound and interactive zero knowledge system because this new compiler it lets us do so without imposing a bound on the plain text space which is exactly what we want because we would like to be as close as possible to the damguardiauric encryption scheme so to give you a brief intuition of the construction well we start by instantiating twice damguardiauric and we take the secret key of the first instantiation and share it using Shamir's secret sharing. Then what is a safer text? A safer text it's simply an encryption under both schemes and also we add a proof using a previous construction that the plain texts encrypted are the same for both messages. Then how do we decrypt? Well we can use the partial secret key to so we can take first we verify the proof if the proof is wrong then we don't do anything if it's right if it's accepted then we use we compute the first safer text to the power something times the partial secret key as would be the first step of the damguardiauric decryption and when we have enough partial decryptions then we can recombine to recombine we have to recover the secret key in the exponent of the decryptions so we can do it and then we can run the rest of the damguardiauric decryption scheme and by doing so we achieve cca2 security under static corruption queries and moreover you'll notice that since we only have Shamir's secret sharing and N1 and N2 as public keys then the public and secret key shares don't depend on the number of servers that we had before so this is it I thank you for your attention and for watching this video until the end please look forward