Hi everyone, this talk is about QA-NIZK in the BPK model, or quasi-adaptive non-interactive zero-knowledge in the BPK model. I am Behzad Abdolmaleki and this is a joint work with Helger Lipmaa, Janno Siim and Michał Zając. QA-NIZK is a variant of NIZK in the CRS model, where the CRS depends on the language parameter lpar, for some language which is parameterized by some language parameter lpar. As in the CRS model, we assume that there is a trusted third party, which is given a language parameter lpar as an input. It generates the CRS and shares it with both the prover P and the verifier V. And then the prover, on input lpar and the CRS, wants to convince the verifier of the validity of some statement X. Such a dependency on the CRS allows us to construct a very efficient QA-NIZK for linear languages, where this construction is based on some standard assumptions. As an application, such a construction, I mean this QA-NIZK, can be used to construct commitment schemes, IBE and signatures, and recently they have been used to build SNARKs and shuffle arguments. The main challenge in such a model, and basically in the CRS model, is the need for the trusted party for generating the CRS, which raises the following questions. Is security guaranteed if the prover does not trust the CRS generator? Is security guaranteed if the verifier does not trust the language parameter generator? Or can we transfer such a construction to a more relaxed model, like the bare public key model, or BPK model in short? This talk, or this work, will mainly answer or investigate such questions. Let's first have a look at the background of this work. We first start with the definition of non-interactive zero-knowledge in the common reference string model, or in short, NIZK in the CRS model, where we assume that there is a trusted third party who generates the CRS and shares it with both the prover and the verifier.
Such an argument allows the prover to convince the verifier of the validity of the statement X, and here the verifier V either accepts the proof or rejects it. Such a construction must satisfy the following properties. Completeness states that for a valid X, or for X which is in the language, the verifier V should accept the proof. Soundness is actually the opposite and states that for a cheating prover who doesn't have a valid X, or a valid statement which is not in the language, it should not be able to convince the verifier. And finally, zero-knowledge states that the proof π generated by a valid prover should leak no information about the witness other than the fact that X is in the language to the verifier. As I mentioned at the beginning, a variant of NIZK is called quasi-adaptive NIZK, or QA-NIZK in short, where in such a construction the CRS depends on the language parameter ρ, where the language parameter ρ is generated honestly before we fix the CRS. And also, this ρ cannot be adaptively dependent on the CRS. And usually, you can think of this, and usually ρ is some public key. For example, in the ElGamal encryption or ElGamal language, ρ can be seen as a public key of the encryption. In the most efficient QA-NIZK for the linear language, the proof only contains one group element, which is the main advantage of using QA-NIZK in some applications. And as I pointed out before, it has a lot of applications: commitments, IBE, signatures, and recently they were used in SNARK construction and shuffle arguments. So they are getting more attention these days. The notion of QA-NIZK was first introduced by Roy and Jutla in 2013, and then extended by Kiltz and Wee at Eurocrypt '15, where they proposed the most efficient QA-NIZK for the linear language, which contains only one group element. Before we explain the Kiltz-Wee QA-NIZK, let's have a short overview of the notation.
Let G1, G2 and GT be additive groups of order p, and we denote by the bracket [a]_i the element a times g_i, where g_i is a generator of G_i and a is an integer. And as you know, G1 × G2 → GT is a bilinear mapping. Kiltz and Wee in 2015 proposed the most efficient QA-NIZK for subspace or linear languages. By efficiency, I mean the efficiency with respect to the proof size and verification complexity. And by linear language here, I mean the language where the word is in the span of some language parameter, for example here the language parameter M, with some w. And as I mentioned before, first we pick or generate the language parameter ρ, and then the CRS generator, given the language parameter ρ, generates the CRS, and the rest of the protocol is the same as before. The nice thing about the Kiltz-Wee QA-NIZK, about the soundness of the Kiltz-Wee QA-NIZK, is that its soundness is under some standard assumption. It's called kernel MDH. Roughly speaking, kernel MDH says that given some vector in the group, some vector A in the group, for example here it could contain only 1 and a random a, it should be difficult to compute a vector in the group, which contains b and c, nonzero elements, such that A times this b and c is equal to zero in the group GT. And this is just a simple version of kernel MDH, and this also works for other distributions of A. Another, actually new, notion of security is called subversion security, which was introduced by Bellare, Fuchsbauer and Scafuro in 2016, where they studied NIZK in some untrusted setup, and they defined some new security notions. The first, called subversion ZK, states that zero knowledge holds even if the CRS creator is malicious. Subversion soundness states that soundness should hold even if the CRS creator is malicious.
And also they proved some possibility and impossibility results that are listed here, of which the most important one is that they prove that having simultaneously subversion soundness and subversion ZK is impossible, and even subversion soundness and ZK is impossible. And also they proved that having soundness and subversion ZK is possible, and this property got some attention, where in 2017 we, and also in 2018 Fuchsbauer in a different work, constructed a version of SNARK that satisfies soundness and subversion ZK. And before this work, having a soundness and subversion ZK QA-NIZK was an open problem. Before we go through to the main result, we just recall the different models here that will be used in the rest of the talk. So far, we were in the CRS model, or common reference string model, where the CRS was generated by some trusted party, and this trusted party shares the CRS with both the prover and the verifier. A relaxed version of this model is called the BPK or bare public key model, where in such a setting both the prover and the verifier can generate his own public key and register it in his own authority, and then read the public key from the other authority. For example, the prover can read the public key one and generate his proof based on that and send it to the verifier, and the verifier, in order to verify the proof, can read the public key two and verify the proof. I would note here that this BPK one and two can be seen as a public bulletin board. Now let's go through to our result. We first investigate a variant of the BPK model where the verifier generates the public key, or if I want to match with the previous slides, here by PK we mean the CRS, but in the rest of the talk we call it PK. The verifier generates it and registers it on some bulletin board, and the prover reads it and generates his proof and sends it to the verifier, where the prover does not trust the PK of the prover.
And here I would note again that this bulletin board is only trusted to store, not to change, the PK. And as we saw before, the Sub-ZK setting states that the prover does not need to trust the CRS generator, or more precisely, from the prover's point of view the CRS generator and the prover and the verifier can be only one party, or they can communicate with each other. And so we were interested in having zero knowledge in such a setting. We observed that Sub-ZK in the CRS model is equivalent to the bare public key model, or in short BPK model. And then we translated the QA-NIZK definition, the QA-NIZK security definition, into the BPK model, and it says that a QA-NIZK argument system for linear languages in the BPK model allows the prover to convince the verifier of the validity of some statement, and it must satisfy the following properties: completeness, Sub-PAR soundness, persistent ZK and zero knowledge. Completeness states, as before, that for a valid X, or X in the language, the verifier should accept it. Sub-PAR soundness is a new security definition which states that soundness should hold even if the language parameter ρ is generated maliciously and the public key is honestly generated. So this is a stronger notion of soundness, where in this setting we actually assume that the language parameter also is generated maliciously. And another new security notion is called persistent zero knowledge, where it states that the proof π should not leak any information about the witness other than the fact that X is in the language to the verifier, even if both the language parameter and the public key are maliciously generated. And also it should satisfy the standard ZK, which is the same as before. And finally we conclude that such a construction of QA-NIZK in the BPK model is subversion ZK if both persistent ZK and ZK hold simultaneously.
Now the question might arise whether persistent ZK is stronger than ZK or not, since as we saw before, in persistent ZK we assume that zero knowledge holds even if both the language parameter and the public key are generated by some malicious guy. But I would say that we can decline that persistent ZK is stronger than ZK, or let's say, if persistent ZK holds, for sure ZK holds: it's not true. We show this by a counterexample we called leaky QA-NIZK, where we put the language parameter in both groups, the language parameter M for example here, for such a linear language that you can see here. And the setup gets this language parameter, this setup is the trusted third party for example, and outputs the CRS, which is bottom, and its trapdoor also is bottom, and the prover can generate the proof in this way, that it just puts it in the exponent, so it means that the CRS is useless here. And for the zero knowledge proof, as in the standard zero knowledge proof, we assume that the CRS is generated by some trusted third party. So the trapdoor of the CRS exists and the simulator in the ZK proof can get the trapdoor and simulate the proof. But here for the leaky QA-NIZK we can see that the proof is generated just by knowing the witness and doesn't need to use the CRS. And the trapdoor does not exist, so the simulator in the ZK proof cannot simulate the proof, and so the leaky QA-NIZK does not satisfy the ZK property. But on the other hand, for persistent ZK we rely on some non-falsifiable assumption, or more precisely we use some extractor under some non-falsifiable assumption to extract the trapdoor of the language parameter M for this leaky QA-NIZK. And then the simulator of persistent ZK can get the trapdoor of the language and then simulate the proof. So here we saw that this leaky QA-NIZK can satisfy persistent ZK but it doesn't satisfy the zero knowledge property.
And roughly speaking, by the BDH-KE assumption here we mean that if there is an algorithm that, having as an input some random thing, could generate a Y, for example in both groups, there is an extractor with the same input that can extract Y without rocket. And in this slide we just summarise our recipe for the Kiltz-Wee QA-NIZK in the BPK model. Mainly we designed a public algorithm, which is called PKV, that checks the well-formedness of the public key, or more precisely this algorithm gets as an input the language parameter ρ and a public key PK and outputs one if it's well-formed. And then it guarantees that there is some secret key SK of the public key PK. So I would say that designing this PKV, I mean the structure of this algorithm, is very complicated, because it has some sub-algorithms for checking the distribution of some matrices in the Kiltz-Wee QA-NIZK, and so I would not go through that in detail, so I would refer to the paper to see the details of such an algorithm. But such an algorithm is very crucial for proving Sub-ZK, or more precisely for persistent ZK, where in the proof we say that if this PKV, on input ρ and the public key, outputs one, which says that this is well-formed, we say that there is this extractor that can recover the secret key from the public key, and then simulating can be done by this secret key. And this extractor works under some new knowledge assumption we called Kiltz-Wee knowledge of exponent, or in short KWKE. So we can see here that the extraction of the SK required some non-black-box knowledge assumption or non-falsifiable assumption, which formally says that there exists an extractor such that if the creator carries a public key PK such that the public algorithm PKV on input ρ and this PK outputs one, or the PK is well-formed, then the extractor outputs the secret key of the public.
At the end I just listed some additional results of this work. The first is that we translate the Kiltz-Wee QA-NIZK into the bare public key model, and also we prove its Sub-PAR soundness under a variant of the kernel MDH called kernel MDH DL, which is an interactive assumption such that kernel MDH holds even if the adversary was given non-adaptive access to a DL oracle. And importantly, I would say that here is the first use of such X power Y type non-falsifiable assumption to construct success and needs. And then we proved a stronger notion of soundness, we call it Sub-PAR knowledge soundness, under some assumption that's called the SDL DL assumption, or symmetric discrete logarithm assumption. And at the end we proved that the Kiltz-Wee QA-NIZK is persistent ZK under the new knowledge assumption KWKE, and also we proved that this new knowledge assumption is secure in the model, which, beside this quantity, this knowledge assumption got some other interest in some other works, for example for generating just SNARK and. Yeah. Thank you so much and see you in the main talk.