Thank you. So I'll be talking about efficient zero-knowledge proofs of algebraic and non-algebraic statements, with applications to privacy-preserving credentials. This is joint work with Melissa and Payman.

So zero-knowledge proofs allow a prover to convince a verifier that a statement is true without revealing any further information. Zero-knowledge proofs are known to exist for all languages in NP, but the challenge is designing proof systems that are efficient enough to be used in practice. We have few techniques that give efficient proof systems, and most of them fall into the class of Sigma protocols, which are three-move interactive protocols for algebraic statements. And then we have SNARKs, which allow for short proofs and efficient verification but have shortcomings in prover efficiency. And there are Groth-Sahai proofs based on pairings, but they again apply to a restricted set of languages. To prove general statements, we need expensive NP reductions, or the prover needs to perform public key operations proportional to the size of the circuit representing the statement.

Efficient Sigma protocols mostly focused on proving algebraic statements, like statements about discrete logarithms, roots, polynomial relationships and so on. What if we want to prove a non-algebraic statement, like knowledge of a pre-image of a cryptographic hash function? We can of course express any NP relation as a combination of algebraic statements by expressing it as a circuit and each gate as an algebraic relation between the input and output wires. But if we were to take this approach and use Sigma protocols to prove this, it would be very expensive for large circuits, requiring several public key operations per gate. Recently Jawurek et al.
proposed a garbled-circuit-based method for proving statements that are phrased as Boolean circuits. This is a very efficient method, requiring only a few symmetric key operations per gate, and results in a proof for a SHA circuit in a few milliseconds using state-of-the-art garbled circuit implementations. But expressing public key operations as a circuit is still expensive. For example, n-bit modular exponentiation has a circuit size of roughly O(n^3), and for cryptographic-sized groups this is prohibitively expensive.

So now we have two very different techniques for achieving zero-knowledge proofs for algebraic and non-algebraic statements, and the question we ask is: what if we are interested in proving statements that combine the two? This comes up in many applications. For example, if we want an efficient protocol for proving knowledge of an RSA signature: recall RSA signatures work by taking the message, hashing it and raising it to the secret key mod N, and verification on message m and signature sigma proceeds by checking that H(m) is sigma^e mod N. So verifying an RSA signature requires computing both the hash function and an exponentiation.

Even though proving a combination of algebraic and non-algebraic statements comes up in many applications, for the purposes of this talk I'll use anonymous credentials as an example application. Anonymous credentials were introduced by Chaum, and it's in the following setting. We have a credential issuer, who is a certificate authority and issues credentials to a user, and the user later wants to prove to a verifier that he has been given appropriate credentials. In more detail, the user has a set of attributes, and the credential is the signature of the organization on the attributes, and the user wants to prove to a verifier that his attributes satisfy a certain policy using the credentials issued by the organization. And the system is anonymous if nothing more is revealed beyond that fact, that is, if
the verifier learns nothing more than what Bob proves here. Protocols are known to obtain and prove possession of credentials; examples include Microsoft's U-Prove and IBM's Idemix. Practical anonymous credential systems are usually built around Sigma protocols, and in general they follow a similar approach: the issued credential is a signature of the organization on the user's attributes, and to prove possession of credentials the prover proceeds by first committing to his attributes M, then proving knowledge of a signature on M in zero knowledge, and then proving again in zero knowledge that M satisfies a certain policy. Now this in turn means that the credential that was issued has to be a specially formed signature on the user's attributes, so that a Sigma protocol can be used to prove knowledge of a signature on a committed message.

What if we want to base our credentials on a standard signature? As motivation, what if the entity that is signing the credentials uses off-the-shelf signatures like an RSA signature? Or what if the prover already has a standard signature on his attributes and wants to be able to use it in an anonymous way?
So here Bob has attributes M and a standard signature sigma on his attributes, and wants to prove in zero knowledge knowledge of sigma on M, and later use a Sigma protocol to prove that his attributes M satisfy a certain policy. And we want to ensure that the M that he's proving properties about and the M that he proves knowledge of a signature on is indeed the same M. And I want to point out that the proof of knowledge of a signature on M here, for a standard signature, involves proving a combination of algebraic and non-algebraic statements.

One can of course think of combining two different protocols, one for the algebraic component and one for the non-algebraic component. But such a naive combination will not work, because a cheating prover can use two different witnesses for the two proofs and come up with a convincing proof for which there is no single valid witness. So one of the challenges is to be able to bind the values that the prover commits to in the Sigma protocol with the input that the prover uses in the garbled circuit for the non-algebraic proof. And we want to be able to do this without expensive group operations inside the garbled circuit, and without having to prove large circuit statements using Sigma protocols. Again, one way to achieve this would be to have the prover commit to a witness and make sure that he uses the same witness in the two proofs. But then again we have commitments that work well with garbled circuits, and then we have algebraic commitments that work well with Sigma protocols, and we still need a way to tie the two together.

So here is a summary of our results. We study combining proof systems for algebraic and non-algebraic statements, and propose protocols to prove that f(x) = 1 for a committed value x, where the commitment is an algebraic commitment and f is represented as a Boolean circuit. We then show how to build on these protocols to obtain a proof that two commitments in different groups commit to the same value, and finally show
how to put these proofs together to obtain an efficient proof of knowledge of a signature on a committed message for standard signatures like RSA, DSA and ECDSA.

I'll begin by describing our protocol. Before that, I want to quickly recall what garbled circuits are. A garbling scheme is a tuple of algorithms Garble, Encode, Eval and Decode. Garble takes the description of a Boolean circuit and outputs a garbled circuit and encoding and decoding information. Encode takes an input x to f and outputs a garbled input. Eval takes the garbled circuit and a garbled input and returns a garbled output. Decode takes a garbled output and decoding information and returns the decoded output. For security we want privacy, that is, the property that the garbled circuit and a garbled input reveal nothing beyond f(x), and authenticity, that is, given the garbled circuit and a garbled input, it is hard to find a garbled output that decodes to something other than f(x).

The starting point for our protocol is the protocol of Jawurek et al., and they begin with the observation that zero knowledge is a special case of two-party computation where only one party has an input: the prover has the witness as his input and the verifier has no input. And this means that one circuit suffices to achieve malicious security, because the circuit that is evaluated can also be later opened and checked for correctness, since the verifier has no secret inputs. And this is as opposed to requiring many circuits and cut-and-choose in general two-party computation.

Coming to our protocol. So recall, given a commitment to M, we want to prove that f(M) = 1, and throughout, these commitments are algebraic commitments that allow proving linear relationships among committed values efficiently, like Pedersen commitments. So the verifier, Alice here, begins by augmenting the circuit in the following way: she chooses uniformly random integers a and b and constructs a circuit that computes f(M), where M is the prover's input, and a
one-time MAC on M using a and b as the one-time MAC key. She garbles the circuit and sends the garbled circuit to Bob. They now engage in a committing OT protocol. Recall, oblivious transfer is a protocol where a sender has two secrets, the receiver has a choice bit, and at the end of the OT protocol the receiver obtains his chosen secret without learning anything about the other secret, and the sender learns nothing about the choice bit. Here we need a stronger OT property called the sender-committing property, where the sender is committed to both his inputs at the end of the OT protocol. So Alice and Bob engage in an OT protocol where Alice's inputs to the OT are the wire keys of the garbled circuit corresponding to the input, and Bob's inputs are the input bits of his witness. At the end of the OT protocol Bob receives the wire keys corresponding to his input, which allows him to evaluate the garbled circuit and obtain garbled outputs Z and T. He then commits to the garbled output Z by sending a commitment to Z. Alice now reveals the decoding information corresponding to output T. Bob can now decode and obtain the one-time MAC T here, and then sends a commitment to the one-time MAC. Now the verifier opens the garbled circuit by revealing all the randomness that was used to construct the garbled circuit, and Bob can verify that she indeed constructed it correctly. And he then opens the commitment to the garbled output Z, which allows Alice to decode and obtain f(M). Bob now gives a Sigma protocol proof that T = aM + b. And notice here that T and M are committed values, and a and b are public after the open phase, and this is just proving a linear relationship among committed values, which we know how to do efficiently. If f(M) = 1 and if the Sigma protocol proof verifies, Alice outputs accept.

So in our protocol we used a one-time MAC to be able to bind the witness that the prover uses in the algebraic and the non-algebraic components of the proof. This required us to do one
multiplication inside the garbled circuit, where the multiplicand a needs to be only as big as the statistical security parameter. One observation that helps us avoid this multiplication inside the garbled circuit is that the oblivious transfer keys already act as a MAC on the input bits of the prover. So again, recall that in oblivious transfer the prover receives one out of the two keys, the one that corresponds to his input bit, and it can be written algebraically like this. We now use this observation to avoid one multiplication inside the garbled circuit in our second protocol.

So again, given a commitment to M, we want to prove that f(M) = 1. Alice here takes the circuit that computes f(M), garbles it and sends the garbled circuit to Bob. So after committing to his input M, Bob also commits to it bitwise by sending bitwise commitments, and then receives the garbled circuit, and then they again run a committing OT protocol where Alice's inputs are the wire keys corresponding to the garbled circuit and Bob's inputs are his witness bits. And now he receives the keys corresponding to his input, and since these OT keys are acting as a MAC on his input bits, we now have Bob commit to his OT outputs, which is basically a one-time MAC on his input. He can now also evaluate the garbled circuit and obtain the garbled output Z. He now sends a commitment to Z, and now the verifier opens the garbled circuit by revealing the randomness that was used in the construction and proves that it was indeed constructed correctly. Now the prover opens his commitment to the garbled output, and the verifier can decode it to obtain f(M). Now Bob uses a Sigma protocol to prove that his OT outputs were according to the input bits that he committed to earlier. Again, notice here that k_i' is a committed value, M_i is again a committed value, and k_i^1 and k_i^0 are public after the open phase of the garbled circuit, and this is proving a linear relationship among committed values. And then Bob again uses a Sigma
protocol to prove that his input bits that he committed to here, when combined, yield M. Again, M is a committed value and the M_i's are committed values, and this is a linear relationship. So if f(M) = 1 and if the Sigma protocol proofs verify, Alice outputs accept.

A word about efficiency. So both our protocols have the desired properties that the garbled-circuit-based component is dominated by garbling f and not by expensive group operations, and the number of public key operations is independent of the size of the circuit f. In our first protocol we required a constant number of exponentiations and an additional number of symmetric key operations for the computation of the one-time MAC. So if n is the length of the prover's input and s is the statistical security parameter, we required an additional O(ns) symmetric key operations. For our second protocol we required O(n) exponentiations due to the bitwise commitment, but this could be more efficient when bitwise commitments are already used as part of the application, as it is in some of our examples.

We can think of further optimizations, like using Karatsuba's multiplication instead of textbook multiplication for the computation of the one-time MAC in our first protocol, and privacy-free garbling. So Frederiksen et al. at Eurocrypt 2015 made the observation that in the zero-knowledge application of garbled circuits, privacy is not a required property and only authenticity suffices. Again, this is because the garbled circuit that the prover evaluates is on an input that he knows entirely, and the verifier has no input. So this applies to our second protocol, because the verifier has no secret input. In our first protocol we need a and b to be secret, but we can still think of the bigger circuit as consisting of two smaller circuits, one computing f(M) and one computing aM + b, and use the privacy-free garbling for the first component and standard garbling for the second component, and have them share the oblivious transfers. This
results in a significant reduction in the size of the garbled circuit.

I will quickly go over how we obtain a proof of knowledge of a signature on a committed message for RSA signatures using an instantiation of our protocol. We can think of the instantiation of the protocol I just described where f is the circuit that takes two messages and checks that one is a hash of the other. If we are thinking of standardized signatures like RSA-FDH and RSA-PSS, we can have f check additional padding and formatting of messages and so on. This gives a proof that, given a commitment to M1 and a commitment to M2, M2 is the hash of M1. Camenisch and Stadler proposed a protocol to prove knowledge of an e-th root of a committed value. We can use that protocol to prove an e-th root of M2, where M2 is only committed to here, and putting these two proofs together we obtain a proof of knowledge of an RSA signature on M1 given a commitment to M1.

So to summarize, we combined proof systems for algebraic and non-algebraic statements. In particular, we gave two protocols to prove that f(x) = 1 for a committed value x, where the commitment was algebraic and f is a Boolean circuit. We then showed how to prove knowledge of a signature on a committed message for RSA signatures; in the paper we show how to do this for other signatures like DSA and ECDSA. Then I talked about how we can use our techniques to base anonymous credentials on standard signatures. Other applications of our techniques include more general policies for anonymous credentials, and obtaining a proof of equality of committed values in different groups, which would allow one to convert between commitment schemes, and to obtain a protocol for two-party computation with authenticated or signed input. I'll stop here. Thank you.
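As an added illustration, not code from the talk or the paper, the following Python shows the algebraic step that both protocols reduce to after the garbled circuit is opened: Pedersen commitments in a toy prime-order group, and a Schnorr-style Sigma protocol (made non-interactive with Fiat-Shamir) for a linear relation among committed values. The first check is the one-time-MAC relation T = aM + b of the first protocol, with a cheating prover who fed a different input to the circuit failing it; the second is the OT-key binding of the second protocol, written here under the assumption that the received key has the algebraic form k_i' = k_i^0 + M_i(k_i^1 - k_i^0) with wire keys treated as field elements, together with the bit-decomposition relation M = sum 2^i M_i. The group parameters, the label-to-generator derivation, the sample keys and the function names are my own constructions.

```python
"""Added example: Pedersen commitments plus a Fiat-Shamir Schnorr proof of a
linear relation among committed values, used to bind the witness fed to the
garbled circuit to the algebraically committed witness."""
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with q prime; we work in the order-q
# subgroup of quadratic residues mod p. Illustration-sized only; a real
# deployment uses a cryptographic-size group.
P = 2039
Q = 1019


def _hash_to_group(label: bytes) -> int:
    """Derive a subgroup element from a label (squaring gives a residue)."""
    ctr = 0
    while True:
        v = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big")
        g = pow(v, 2, P)
        if g not in (0, 1):
            return g
        ctr += 1


G = _hash_to_group(b"pedersen-g")
H = _hash_to_group(b"pedersen-h")  # dlog of H to base G assumed unknown


def commit(x, r=None):
    """Pedersen commitment Com(x; r) = g^x h^r mod p. Returns (C, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, x % Q, P) * pow(H, r, P) % P, r


def _statement(comms, coeffs, target):
    """Y = prod C_j^{c_j} * g^{-target}. If sum c_j x_j = target (mod q) then
    Y = h^w with w = sum c_j r_j, so the relation proof is a Schnorr proof of
    knowledge of w to base h."""
    y = pow(G, (-target) % Q, P)
    for c, coef in zip(comms, coeffs):
        y = y * pow(c, coef % Q, P) % P
    return y


def _challenge(comms, coeffs, target, a):
    """Fiat-Shamir challenge in [1, q-1], bound to the statement and to a."""
    data = ",".join(map(str, [*comms, *coeffs, target, a])).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def prove_linear(comms, rands, coeffs, target):
    """Prover side: knows the openings' randomness r_j; outputs (a, z)."""
    w = sum(c * r for c, r in zip(coeffs, rands)) % Q
    k = secrets.randbelow(Q)
    a = pow(H, k, P)
    e = _challenge(comms, coeffs, target, a)
    return a, (k + e * w) % Q


def verify_linear(comms, coeffs, target, proof):
    """Verifier side: accept iff h^z == a * Y^e."""
    a, z = proof
    e = _challenge(comms, coeffs, target, a)
    return pow(H, z, P) == a * pow(_statement(comms, coeffs, target), e, P) % P


def mac_binding_check(m, m_in_circuit, a, b):
    """First protocol after the open phase: a, b are public; Bob holds
    commitments to M and to the MAC T the circuit computed on the input he
    actually used. He proves T - a*M = b. If he fed M' != M to the circuit,
    the relation is off by a*(M'-M) != 0 mod q and verification fails."""
    c_m, r_m = commit(m)
    t = (a * m_in_circuit + b) % Q
    c_t, r_t = commit(t)
    coeffs = [1, -a]
    proof = prove_linear([c_t, c_m], [r_t, r_m], coeffs, b % Q)
    return verify_linear([c_t, c_m], coeffs, b % Q, proof)


def ot_binding_check(m, ot_choice_bits, keys):
    """Second protocol: keys[i] = (k_i^0, k_i^1) are public after the open
    phase; Bob committed to M, to each bit M_i, and to the key k_i' the OT
    delivered for his choice bit. Assumed form k_i' = k_i^0 + M_i*(k_i^1 - k_i^0)
    is proved per wire, then M = sum_i 2^i M_i; all relations are linear."""
    n = len(keys)
    m_bits = [(m >> i) & 1 for i in range(n)]
    c_m, r_m = commit(m)
    bit_comms = [commit(bit) for bit in m_bits]
    ok = True
    for i, (k0, k1) in enumerate(keys):
        k_recv = k1 if ot_choice_bits[i] else k0  # what the OT actually gave Bob
        c_k, r_k = commit(k_recv)
        c_b, r_b = bit_comms[i]
        coeffs = [1, -(k1 - k0)]
        proof = prove_linear([c_k, c_b], [r_k, r_b], coeffs, k0 % Q)
        ok = ok and verify_linear([c_k, c_b], coeffs, k0 % Q, proof)
    comms = [c_m] + [c for c, _ in bit_comms]
    rands = [r_m] + [r for _, r in bit_comms]
    coeffs = [1] + [-(1 << i) for i in range(n)]
    proof = prove_linear(comms, rands, coeffs, 0)
    return ok and verify_linear(comms, coeffs, 0, proof)


if __name__ == "__main__":
    print("honest MAC binding:", mac_binding_check(123, 123, 77, 5))
    print("cheating MAC binding:", mac_binding_check(123, 124, 77, 5))
```

The same `prove_linear` serves all three relations the talk mentions (the MAC relation, the per-wire OT-key relation and the bit decomposition), because each is of the form sum c_j x_j = t with public coefficients over Pedersen-committed x_j; the challenge is drawn from [1, q-1] so that a mismatched witness can never be masked by a zero challenge.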