Hi everyone, and welcome to my talk on non-interactive zero-knowledge in pairing-free groups from weaker assumptions. This is joint work with Geoffroy Couteau and Shuichi Katsumata. In this paper we present two results. The first is a non-interactive zero-knowledge protocol in cyclic groups based on the 1/2^{(3/4)λ} one-way key-dependent message security of ElGamal and CDH. The second result is to show the existence of an infinitely often NIZK in cyclic groups based on the 1/2^{(28/29)λ} one-way KDM security of ElGamal, and now the exponent becomes worse, as you can see. In this presentation I will mainly talk about the first result. So I know that you have seen the definitions already in the previous talk, so I will be fast. Zero-knowledge proofs are a protocol between a prover and a verifier, which is taken with respect to an NP language L. We have one statement x, and the prover wants to prove that the statement x belongs to the language, and the prover has a witness. We want to have the following three properties. We want to have correctness: if the statement is in the language, then the verifier should accept. Soundness says that if the statement is not in the language, then the verifier should reject. Zero-knowledge says that if it accepts, then the verifier should not learn anything beyond the fact that x belongs to the language. So in particular, you should not learn any information about the witness, for example. And in this paper we care about non-interactive zero-knowledge.
So NIZKs. In this context there is a common reference string which is given to the prover and the verifier, and the entire interaction consists in one message sent from the prover to the verifier, which we call the proof. These NIZKs are a very important cryptographic primitive and have been constructed from a variety of cryptographic assumptions: from factorization, from pairing groups, and more recently from breakthrough results which base NIZKs on LWE and circularly secure LWE. But an open problem is whether we can build NIZKs from groups where, let's say, discrete log is hard. So can we build NIZKs in groups without pairings? So we can take here DDH groups, CDH groups, or maybe just groups where the discrete logarithm is hard, and we don't want pairings. And a series of recent works has actually made progress on this, and I want to mention first this paper from 2018 which constructs NIZKs based on strong KDM security. Here the adversary is given an ElGamal ciphertext that encrypts this message m, and m is a function of the key, and we want that the adversary recovers the key, and the advantage should be smaller than or equal to S(λ)/2^λ for all superpolynomial functions S(λ). Now this assumption must hold with respect to all, even uncomputable, functions f. So this means that the assumption has an unfalsifiable flavor. And just to recall briefly what that meant: falsifiable meant that the challenger is able to efficiently determine whether the adversary broke the assumption or not, and since these functions are uncomputable, the assumption has an unfalsifiable flavor. Now this has been improved in a subsequent work, and as you can see here, the assumption now only has to hold with respect to a fixed function. And this is a falsifiable-flavor assumption, but because this advantage here is very small,
the challenger still cannot efficiently determine whether the adversary broke the assumption. So we only say that it is falsifiable-flavor because we can write it as a game between the challenger and the adversary. And this better assumption is based on something called almost optimal security, and we want to improve on that, because this advantage here is so small when recovering the key that any improvement in the exponent for generic attacks would be very bad and would break the assumption. And what we do in this work: first, our assumption becomes a little bit worse, because instead of having to rely on fixed functions, we have to rely on all randomized efficient functions. So the assumption must hold with respect to all randomized efficient functions. But on the other hand, we improved the exponent from 2^λ to 2^{(3/4)λ}. So here, the smaller the exponent, the better: the weaker the assumption. And because our adversary is only required to recover f(k), so the message that was encrypted, and not the entire key, then we say that this assumption is one-way key-dependent message security. The adversary doesn't have to recover the entire initial key, but exactly what was encrypted. And as I mentioned, apart from the 1/2^{(3/4)λ} one-way KDM security of ElGamal, we also rely on CDH. And why was it bad to have almost optimal security? So why was it bad to have the S(λ)/2^λ before?
This was because the best generic attack, Pollard's rho, is known to give a polynomial advantage over just guessing, so the advantage is poly(λ)/2^λ. And if we manage to improve the exponent here in our assumption, we have an exponential gap between the previous best assumption that was used to construct NIZKs in pairing-free groups and our assumption. But I want to mention that the NIZKs from the previous paper are more general, while we only restrict ourselves to cyclic groups. So now we have the construction overview. So I will briefly describe the blueprint. Basically, we have three stages. The first one is to start with a Sigma protocol for a restricted language, so I denoted this L_DH, which would be a Diffie-Hellman language that I will describe later. Then in a second stage we use the Fiat-Shamir transform, as has been done in a series of recent works. And the Fiat-Shamir transform, just to recall it, was to compute the second flow as a hash of the first flow. So it used a random oracle, and the second flow was the hash of the first flow. And all these recent works have translated this random oracle, instantiated it with a correlation-intractable hash function, and then the resulting schemes are NIZKs in the standard model. And what we do: since the correlation-intractable hash function is applied on this restricted Diffie-Hellman language, we obtain a Diffie-Hellman NIZK. So then the third stage is about how we can push up this Diffie-Hellman NIZK to a NIZK that covers the whole of NP. And for this we construct what is known as a VPRG, a verifiable pseudorandom generator. And we use this previous result by Dwork and Naor from the 2000s that says that VPRGs and hidden-bits NIZKs result in CRS NIZKs for the whole of NP. And since hidden-bits NIZKs are known to hold unconditionally, then our VPRG is enough to use this previous result and obtain CRS NIZKs for NP. What is the key intuition of our scheme?
The previous work that I mentioned used the Fiat-Shamir transform on a Sigma protocol that worked for an NP-complete language, so it covered the whole of NP, and then it replaced the random oracle with a correlation-intractable hash function. This meant that they directly obtain a NIZK for the whole of NP. But now if we look at the proofs that we have right now, the proof techniques that are available to us, we can make the observation that the assumption quality will relate to the ratio between the size of the first flow in our Sigma protocol and the challenge size in our Sigma protocol. So size of the first flow over the challenge size. And unfortunately, all the known Sigma protocols that we have for NP have very large first flows. So this results in big losses in our assumption, so worse assumptions. And our idea is to get around this somehow, and basically what we do is to look instead at restricted Sigma protocols that have nice, good rates, so a good rate of the first-flow size over the challenge size. We obtain a NIZK for this restricted language, and then we deal with extending to NP using other techniques, so, as I mentioned, using the VPRG. And here I want to mention one technical detail. If we were just to use any restricted Sigma protocol trivially, it is likely that our assumption remains non-falsifiable. So for example, if we use this Diffie-Hellman protocol trivially, our assumption will be non-falsifiable, because the relation for the correlation-intractable hash function (this is very technical), the relation for the correlation-intractable hash function, will correspond to inefficient functions, because the function will have to compute a discrete logarithm. So then the assumption is non-falsifiable, and we work around this, and you can see the solution in our paper, where basically from inefficient functions we managed to get to randomized efficient functions. So what was the first step? We constructed the Sigma protocol for this Diffie-Hellman language.
The Diffie-Hellman language is defined with respect to two generators g and h, and words have two more elements X and Y, and we say that the word belongs to the language when the exponent is the same here, so when they have the same discrete log with respect to the generator g and the generator h: x is the same. And now how does this Sigma protocol look like, to prove that the statement is in this language? The prover first samples a random r, uniformly at random from Z_p. Then it constructs the corresponding word, so g^r, h^r. It sends this to the verifier, which computes a challenge e uniformly at random from Z_p^*, and sends this to the prover. Now the prover computes this d, which is a masking of the witness x with e and r, and sends it to the verifier, and the verifier actually checks that this secret masking of the witness corresponds to the public information that it has already obtained, and information that it has already obtained from the prover. And it can be shown that this is both sound and zero-knowledge. Actually, we will have to do two repetitions of that protocol in order to achieve adaptive soundness, which is what we need for the VPRG. And now in the second step we want to compile this Sigma protocol to a NIZK, so here we use the correlation-intractable hash function. So this hash function is defined on a key space and an input space, and it outputs values in an output space O, and it is defined with respect to a binary relation which is included in I × O. And we want that, for all non-uniform PPT adversaries A, the probability that any efficient adversary finds an x such that x and its hash belong to the binary relation should be negligible. But this obviously does not hold for any relation, and you can think of the trivial relation where everything is in relation with everything, because then anything is a solution: for any x, (x, y) belongs to the relation. So basically what we want is to have some additional property on the relation, and this is sparsity. And we say that a
relation is sparse if for all x's in the input space we have that there is only a negligible fraction of y's which are in relation with x. So then this probability, when y is sampled uniformly, is negligible. So a very small, negligible fraction of y's are in relation with x. And looking ahead, we actually want that the relation of the Sigma protocol is sparse. And the relation of the Sigma protocol will consist of pairs (first flow, second flow), and this has been defined in previous work like this, such that there exists a third flow of the Sigma protocol that leads to acceptance. And as I mentioned, it can be shown that the Sigma protocol described before has a sparse relation. And now, I recall that in the proof we sampled the first flow as usual and we set the second flow as the hash of the first flow, and we want that the sparsity of the relation is preserved by H, as a figure of speech. And this is basically just what the correlation-intractability property of H says. And then what this would mean, at an intuitive level, is that any adversary cannot really break the NIZK by attacking the hash function, but it will have to attack the underlying Sigma protocol. So then we will have soundness coming from the soundness of the underlying Sigma protocol. And in the security proof, in the analysis, this is where the good rate of our picked Sigma protocol will come into play. So we talked about soundness now.
I also want to mention programmability, and here programmability has been defined in previous work, and it means that given an input x and an output y, we should be able to efficiently find a key, that is distributed uniformly at random, such that x is mapped to y. And this helps with zero-knowledge, because basically, once we are able to find these keys which map x to y, our simulator for the NIZK will use the simulator for the Sigma protocol to find an accepting transcript, and then find the key that maps the first flow to the second flow. So let's look a bit at the correlation-intractable hash function. What is its actual description? It is very similar to the one used in this previous paper. Basically the hashing key is an ElGamal ciphertext, so (c0, c1). The input to the hash is an ElGamal key. So the input is the key and the hashing key is a ciphertext. And now the hash function represents this ElGamal decryption, this partial ElGamal decryption. So it is a partial ElGamal decryption because it does not recover the discrete log, and then it interprets this as bits and it takes just the first half of the bits. And using this correlation-intractable hash function, we will transform the Sigma protocol into a secure NIZK, and we can show that it is secure. But the question remains how to construct NIZKs for NP, and as I mentioned before, this is the third step: the verifiable pseudorandom generator. So as I mentioned, we know that VPRGs and hidden-bits NIZKs imply CRS NIZKs from previous results. And now I want to intuitively describe what a VPRG is. Just as for a pseudorandom generator, the string that is being output has to look random. But we also want that the party that generates the random string can selectively open some of the bits, and then generate proofs that these bits have actually been computed honestly. And all of this happens while the other bits that are not opened remain hidden. And this allows one to implement exactly this hidden-bits model.
So some bits remain hidden and some are being opened, and the ones that are being opened are provably opened. So for the second contribution, we want to remove CDH from our construction. And the reason for this is because, as far as we can see, the KDM assumption we use and the KDM assumptions used in previous schemes seem to be symmetric-key-style assumptions. And this is interesting because, so far, we don't know how to construct NIZKs from assumptions that do not imply public-key encryption. So most of the NIZKs that we know are constructed from assumptions that imply public-key encryption, and these assumptions are one of the exceptions. So removing CDH is interesting then, because CDH implies public-key encryption, and we want to still preserve this symmetric-key-style assumption flavor of the previous constructions. So as I mentioned, our second result is the existence of an infinitely often NIZK in cyclic groups, which is based on the 1/2^{(28/29)λ} one-way KDM security of ElGamal. And now, what infinitely often is: it just means that, unlike the more traditional, more widely used asymptotic security, here we can only guarantee that the security holds for infinitely many parameters. And that, let's say, if we are at a level of security and we want to increase this level, there might be gaps until we find the next one. So we might need to increase the security parameter a lot, but we are guaranteed that at some point there will be one. So infinitely many. And how do we do this? The blueprint is very similar. We construct a Sigma protocol for a language of short elements, and I will briefly mention afterwards what I mean by shortness. And then, as before, we use the Fiat-Shamir transform, and we replace the hash function with a correlation-intractable hash function, just as done in recent work.
This allows us to obtain a NIZK for this language of short elements, and then we use this NIZK for the language of short elements to construct the VPRG as before. And now in this step we use the low-depth pseudorandom generators of Lombardi and Vaikuntanathan. And as I mentioned, once we have the VPRG, we have the NIZK for the whole of NP. So the key idea for this third step is to notice that we know what happens when CDH holds, and now we want to see what would happen if CDH does not hold. So we assume that CDH is insecure, and this is where the infinitely often security will appear from. And we know from previous work that if CDH does not hold, the adversary against CDH can be compiled into a self-pairing. And using this previous work, we combine this with low-depth pseudorandom generators to homomorphically compute low-depth PRGs in the exponent. And this, along with the NIZK for the short language, will yield verifiable pseudorandom generators, and as I mentioned, this will lead to NIZKs for NP. So now, what did I mean by short? This is related to the short-exponent discrete logarithm assumption, which is at the core of this second construction. Basically, here we have a group G of order p. Then the exponent, instead of being from 0 to p, is from 0 to p/t. So it is a short exponent, and we want that no PPT adversary can recover x from g^x. And of course, this can only happen if this range is superpolynomial, but we hope that once this is the case, then this assumption is secure. And this concludes my talk. Thank you for your attention, and I am looking forward to seeing you all during the discussion panel. Thank you.
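The Diffie-Hellman Sigma protocol from the talk and its Fiat-Shamir compilation, as an added worked example (not code from the paper or its authors): it runs in a constructed toy prime-order subgroup, uses a single repetition rather than the two the talk requires for adaptive soundness, and lets SHA-256 stand in for the paper's ElGamal-based correlation-intractable hash, an assumption made only so the example runs offline. It also includes the honest-verifier simulator that the talk's programmability argument lets the NIZK simulator reuse.

```python
"""Toy Sigma protocol for L_DH = {(X, Y) : X = g^x, Y = h^x} and its Fiat-Shamir NIZK."""
import hashlib
import secrets

# Constructed toy parameters (assumption): order-Q subgroup of Z_P^*, with P = 2Q + 1.
P = 2039
Q = 1019
G, H = 4, 9  # both are quadratic residues, so both generate the order-Q subgroup


def make_word(x):
    """Word (X, Y) = (g^x, h^x); it lies in L_DH with witness x."""
    return pow(G, x, P), pow(H, x, P)


def sigma_commit():
    """First flow: sample r in Z_q and send the word (g^r, h^r)."""
    r = secrets.randbelow(Q)
    return r, (pow(G, r, P), pow(H, r, P))


def sigma_respond(x, r, e):
    """Third flow: d masks the witness x with the challenge e and randomness r."""
    return (r + e * x) % Q


def sigma_verify(word, first, e, d):
    """Check g^d = a * X^e and h^d = b * Y^e, i.e. the masked witness matches the public data."""
    X, Y = word
    a, b = first
    return pow(G, d, P) == a * pow(X, e, P) % P and pow(H, d, P) == b * pow(Y, e, P) % P


def challenge(word, first):
    """Fiat-Shamir second flow: a hash of the first flow, mapped into Z_q^*.
    SHA-256 is a stand-in (assumption) for the paper's CI hash; the statement is
    hashed too, a standard strengthening beyond the talk's plain 'hash of the first flow'."""
    data = b"|".join(str(v).encode() for v in (*word, *first))
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def nizk_prove(word, x):
    r, first = sigma_commit()
    return first, sigma_respond(x, r, challenge(word, first))


def nizk_verify(word, proof):
    first, d = proof
    return sigma_verify(word, first, challenge(word, first), d)


def simulate(word):
    """HVZK simulator: pick (e, d) first, then solve for an accepting first flow."""
    X, Y = word
    e, d = 1 + secrets.randbelow(Q - 1), secrets.randbelow(Q)
    a = pow(G, d, P) * pow(pow(X, e, P), -1, P) % P  # pow(v, -1, P) needs Python 3.8+
    b = pow(H, d, P) * pow(pow(Y, e, P), -1, P) % P
    return (a, b), e, d
```

A word (g^7, h^8) is outside L_DH, and a proof made with either exponent fails verification, while the simulator's transcripts verify without any witness.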