Hello, my name is Miguel Ambrona and today I'm going to talk about joint work with Masayuki Abe and Miyako Ohkubo on black-box extension of non-interactive zero-knowledge argument systems, and signatures directly from simulation soundness. So let's start.

I will start by defining what non-interactive zero-knowledge arguments are. And for this, let me first define zero-knowledge arguments. Zero-knowledge arguments were first defined by Goldwasser, Micali and Rackoff in 1985, in the seminal work "The knowledge complexity of interactive proof systems". I'm going to explain what they are with an example. So let's consider an NP language, that is, a set of words x for which there exists a witness such that a certain relation R is satisfied. In these systems there are two parties, the prover and the verifier. The prover has an instance x and a witness w of the fact that x is in the language L. And the verifier wants to check whether x is in the language or not. And because the verifier doesn't have the witness, it may be skeptical about this fact. So what can they do? Well, they can engage in a zero-knowledge argument protocol. In this case, it's going to be a protocol where they send messages back and forth, and at some point the verifier will either accept or reject the proof.

Okay, so now let's consider non-interactive zero-knowledge proof systems. In non-interactive arguments, there is one single message sent from the prover to the verifier. There are several models for non-interactive zero-knowledge arguments, and we are going to focus on the common reference string model, where there is a common reference string, a certain piece of trusted information generated by an algorithm called CRS generation, and this is given to both parties. Now, using this information, the prover can execute what is called the proving algorithm, which takes the CRS, the instance and the witness and produces the proof.
And the verifier will run the verification algorithm. But in a zero-knowledge proof system there are usually two other algorithms, for a total of five: the CRS simulation and the proof simulation. I will talk about those later.

Zero-knowledge argument systems must satisfy three properties. The first one is completeness, which says that if the prover is honest and the verifier is honest, the prover should always be able to convince the verifier of the fact that some x is in the language, if the prover knows the witness for x. Soundness says basically that the prover cannot cheat: a prover should not be able to convince the verifier that some x is in the language if x is not actually in the language. And zero-knowledge basically says that the verifier cannot learn any more information apart from the fact that x is indeed in the language. So, in particular, for example, the verifier should not be able to learn any information about w.

Zero-knowledge proof systems are one of the most common building blocks in cryptography. I'm going to mention some of the applications. One of them is to go from passive security to active security. So once you have built a cryptographic primitive that is secure against honest-but-curious adversaries, you can use zero-knowledge proofs to enforce honest behavior and therefore achieve active security, security against adversaries that may behave arbitrarily. Also, in authentication systems, you can prove that you should be allowed to perform some action without revealing any other information about your identity or about what else you are allowed to do. Or even in blockchain technology, for example, to prove that a certain transaction is valid, or in fair exchange, which is a hot topic now with contingent payments; zero-knowledge proof systems are also used there. But why do we need the non-interactive property?
Well, in the first work about non-interactive proof systems, they gave this scenario where there are two mathematicians; one of them leaves for a long trip and whenever he discovers a theorem, he writes a postcard to his friend proving the validity of the theorem in zero knowledge, so that the friend doesn't really know why the theorem is true but is convinced of the fact that it is true. And they argue that the non-interactive property is required because this process of sending letters is non-interactive, it is unidirectional. By the way, they say that they need to have played heads or tails for a while; you can think of this as the common reference string generation. They both need a certain piece of information that is trusted and shared by both.

Well, this application may not seem very appealing, but actually non-interactive zero-knowledge proof systems are very interesting because they have one unique property, which is that they are transferable. If you're given a non-interactive proof, you can give it to a friend and the friend will be convinced of the validity of the statement, as long as this person trusts the CRS.

And now let's talk about one of the properties that we study in this work, which is simulation soundness. Simulation soundness basically says that it is hard to compute proofs on false statements, even if you have oracle access to some oracle that produces simulated proofs. More concretely, there is a challenger and an adversary. The challenger runs the CRS simulation algorithm, producing a CRS and a trapdoor that is going to be used to simulate proofs. The CRS is sent to the adversary, and now the adversary can perform queries. The adversary can choose arbitrary instances x_i and it will get as an answer a proof that has been simulated with the proof simulation algorithm; note that this algorithm needs to use the trapdoor. This step can be performed several times.
Some models consider only constant simulation soundness, where this step can only be performed a constant number of times, but we are going to consider the notion of unbounded simulation soundness, where the number of interactions is not specified; it can be polynomial in the security parameter. And the adversary at the end of the game has to produce a forgery. This is some instance x* and some proof π* such that x* has not been queried, and it's actually a false statement, it's not in the language, and verification still holds. So the proof still convinces the verifier of the fact that x* is in the language. We say some NIZK satisfies the simulation soundness property if the probability of the event Accept is negligible for all PPT adversaries.

Simulation soundness has one nice property, which is that the non-interactive argument system is non-malleable. This means that it's infeasible to change the statement of a proof: if you're given a proof for a certain statement, it's hard to compute a proof for a related statement.

And now let's see how simulation soundness can be achieved once you have a NIZK. How can you upgrade the NIZK in order to achieve simulation soundness? Well, there are many works trying to do this; I'm going to talk about a few of them. For example, the work by Sahai in 1999 is a construction that is based on the generation of multiple common reference strings of the original NIZK, and it results in a bounded simulation-sound NIZK. So this O stands for one-time simulation sound, but it can be lifted to a constant number of times. On the other hand, the work by De Santis et al. is the first construction of an unbounded simulation-sound NIZK, and this work combines a pseudo-random function with a commitment scheme (they also use a pseudo-random generator). The essential idea of this work is to prove that a certain statement is true or the PRF was computed correctly.
And then they leverage this disjunction in order to achieve simulation soundness. Finally, I want to mention another idea, which was initiated by Jens Groth and then followed by many other works. For example, here we see the work by Hofheinz and Jager, which is to combine the original NIZK, the original statement, in disjunction with a signature scheme. They use a signature scheme to achieve simulation soundness.

So now something is common to all these upgrades, which is that all attempts use signature-like primitives. This raises the question of whether they are needed or not. Can we achieve simulation soundness without using a signature-like primitive? In order to answer this question, we may try to build a signature scheme from every USS NIZK. So can we do it? Can we build signatures from USS NIZKs? Of course we can. Actually, we can do it from any NIZK. Why? Well, because NIZK implies one-way functions; for example, the CRS generation is a one-way function. And there is a big result in cryptography that says that one-way functions imply signatures. But this is not satisfying for us; it doesn't answer our question. We need a signature with similar computation and space complexity.

And there are some works that explore this idea, so I'm going to talk about a few of them here. For example, Bellare and Goldwasser combine a pseudo-random function and a public-key encryption scheme, in the form of a commitment scheme, in order to achieve a signature from a NIZK. What they do is use the NIZK to prove this relation here, and they show that this implies a signature. Another attempt, by Katz and Vaikuntanathan, builds a signature scheme by using the unbounded simulation-sound NIZK to prove this relation here, which involves a public-key encryption scheme and a target collision-resistant function.
Finally, let me mention this work by Jens Groth and Mary Maller from Crypto 2017, where they build a general framework for constructing signatures of knowledge based on succinct simulation-extractable NIZKs. And notice how their construction requires the NIZK to be such that it not only supports a certain relation, but it also supports this conjunction with a TCR. And now I want to point out here that all these constructions of signatures from NIZKs, or from USS NIZKs, require the NIZK to support a certain specific relation, or they require this language extension.

So in this work we focus on answering two questions. One of them is whether the language extension is general or not: whether, for example, having any NIZK, you can always modify it in such a way that you get a NIZK supporting this conjunction with a TCR. If this was possible, then for example the work by Groth and Maller would explain why achieving simulation soundness and unbounded simulation soundness is always done using signatures, basically because once you have built a NIZK, any NIZK that is unbounded simulation sound gives you a signature with the same complexity. However, the answer to this question is no, at least not in a black-box way, and that's one of the first results of our work, one of the main results: several impossibility and possibility results on language extensions of NIZKs in a black-box manner. I will explain in a second what a black-box language extension is. And the second question that we consider is whether we can do it without language extension. So now, given that we cannot always extend NIZKs, at least not in a black-box way, can we build signatures without using the language extension? So from any NIZK for a hard language, if the NIZK is unbounded simulation sound, can we build a signature scheme? And we give a construction for this that I will explain at the end of this talk.

And now let's explain what a black-box language extension is.
First, what do we mean by language extension? I will explain it with an example, in this case disjunctive composition. Given two languages, L and L hat, this is how we define the language extension for disjunction: it's basically the set of pairs of words where the first word is in L or the second is in L hat. And when we say black-box extension of NIZKs, what we mean, what we ask, is whether there exists a compiler, in this case I call it the disjunctive compiler, such that for any two languages L and L hat, and given any two NIZKs, the first one for L and the second one for L hat, this compiler builds a NIZK for the disjunctive language defined here. Of course, we can consider other extensions, like conjunction instead of disjunction, so both words should be in the corresponding languages, and others. And actually, in this work, one of the main results that we prove is that disjunction cannot be done in a black-box way. However, it is well known that conjunction can be done, and actually straightforward parallel composition works. What do I mean by this? Well, you can just generate a CRS for both NIZKs and then prove both x and x hat under the corresponding NIZK. And it can be proven, it's not hard to see, that this defines a NIZK for the conjunction: only if both statements are true will the verifier accept this proof.

Now let me start building Figure 1 from our paper. So what we have seen so far is that conjunctive extension is possible; well, I mean, this was known. So I'm going to represent with black arrows straightforward results or known results. And of course, you can also go from a NIZK for the conjunction to just one NIZK by ignoring one of the clauses. Now let's consider the case of simulation soundness. It was first pointed out by Sahai in 1999 that simulation soundness is not preserved by this straightforward parallel composition. Why?
Well, because an adversary can ask the simulation oracle for a proof on a pair and then on a different pair. And then the adversary can combine these two proofs, for example as follows. And this is going to be a valid proof on a statement that was not queried. So this actually constitutes an attack on simulation soundness. So what we have seen now is that the same does not happen here: at least the parallel composition does not work. And one of our results is that this is actually impossible: you cannot compose in conjunction in a black-box way and preserve the unbounded simulation soundness property.

From this impossibility result, many other results follow. I'm going to try to give the intuition of how we can prove those, but this argument is a bit informal; I refer to our paper for more details. First of all, observe that from any USS NIZK for the conjunction, you can go to a USS NIZK by ignoring one of the clauses. And from those on the right, you can go to those on the left by just not using the unbounded simulation soundness property. Now, given this, this direction should be impossible. Why? Because otherwise we would have a way of going from a USS NIZK to a USS NIZK for the conjunction, which we have shown is impossible, by just following this path. This observation leads to a very interesting result, which is basically that achieving unbounded simulation soundness cannot be done in a black-box way. So it cannot be done even if you restrict to NIZKs or to languages that have a certain structure, like in this case the conjunction. So of course it cannot be done in general.

And now we are also going to focus on other scenarios, for example the disjunctive extension or labeled NIZKs. So a labeled NIZK is basically a NIZK where the prover and the verifier take an additional input, which is a label, and forgeries in the unbounded simulation soundness game must be new as a pair (instance, label).
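As an added illustration, not part of the talk itself, here is the mix-and-match forgery against the parallel (conjunctive) composition written out; the compiler name $\Pi_\wedge$, the oracle name $\mathsf{Sim}$ and the concrete choice of instances are my own notation, and the no-instance sampler $\hat D$ is the one given by hardness of $\hat L$ as defined later in the talk.

$$
\begin{aligned}
&\text{Parallel composition } \Pi_\wedge:\quad
\mathrm{crs}_\wedge = (\mathrm{crs}, \widehat{\mathrm{crs}}),\qquad
\pi_\wedge = (\pi, \hat\pi),\\
&\mathsf{V}_\wedge\big(\mathrm{crs}_\wedge, (x,\hat x), (\pi,\hat\pi)\big) = 1
\iff \mathsf{V}(\mathrm{crs}, x, \pi) = 1 \ \wedge\ \widehat{\mathsf{V}}(\widehat{\mathrm{crs}}, \hat x, \hat\pi) = 1 .\\[6pt]
&\text{Adversary in the USS game (oracle } \mathsf{Sim} \text{ returns simulated proofs):}\\
&\quad \text{pick } x_1 \neq x_2 \text{ and } \hat x_1 \neq \hat x_2 \text{ with } \hat x_2 \notin \hat L
\quad(\text{e.g. } \hat x_2 \leftarrow \hat D);\\
&\quad (\pi_1,\hat\pi_1) \leftarrow \mathsf{Sim}(x_1,\hat x_1),\qquad
      (\pi_2,\hat\pi_2) \leftarrow \mathsf{Sim}(x_2,\hat x_2);\\
&\quad \text{output } x^* = (x_1,\hat x_2),\qquad \pi^* = (\pi_1,\hat\pi_2).\\[6pt]
&\text{Why it wins:}\\
&\quad \mathsf{V}_\wedge(\mathrm{crs}_\wedge, x^*, \pi^*)
= \mathsf{V}(\mathrm{crs}, x_1,\pi_1)\ \wedge\ \widehat{\mathsf{V}}(\widehat{\mathrm{crs}},\hat x_2,\hat\pi_2) = 1
\quad(\text{simulated proofs verify}),\\
&\quad x^* \notin \{(x_1,\hat x_1),\,(x_2,\hat x_2)\}
\quad\text{since } \hat x_2 \neq \hat x_1 \text{ and } x_1 \neq x_2,\\
&\quad x^* \notin L \wedge \hat L
\quad\text{since } \hat x_2 \notin \hat L .
\end{aligned}
$$

So the event Accept of the simulation soundness game happens with probability 1 after only two oracle queries: the verifier of $\Pi_\wedge$ checks the two components independently, so nothing binds $\pi_1$ to $\hat\pi_1$.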
So actually, you can use in your forgery an instance that was queried before if the label is different. In this work, we also prove the impossibility of the disjunctive composition from labeled USS NIZKs, even when giving up the USS property and the label. This impossibility result has a side condition, which is that the languages must be hard. And here we use the standard definition of hardness of languages in cryptography, which is that it's hard to distinguish yes-instances from no-instances. In other words, there are two samplers, one only samples yes-instances, the other only samples no-instances, and their output is indistinguishable for any PPT distinguisher.

Let me give you an intuition of how this impossibility result has been proven. So the first thing we do is to define the notion of legitimate CRS. A CRS is said to be legitimate if it has been generated by the black-box construction by just calling the CRS generation algorithms, either the one from the first NIZK or the one from the second NIZK. What we first show is that the compiler cannot use legitimate CRSs on verification calls that are successful. The second step is just to observe that, because all successful verification calls are on non-legitimate CRSs, soundness must be compromised. In order to prove the first claim, we leverage the zero-knowledge property, which allows us to swap between legitimate CRSs and simulated CRSs, and the hardness of the languages, which allows us to swap between yes-instances and no-instances. In the paper the proof is done more formally, and what we actually do is to define an oracle O that is sufficient to build a hard language L and a NIZK for L, but such that any possible compiler with access to O cannot be a NIZK for the disjunctive extension. In our proof, the construction of the adversary against simulation soundness uses a new technique.
Basically, we use a genuine prover to forge a proof on a no-instance, and we simulate the oracle so that the no-instance looks like a yes-instance. So this actually eliminates the use of PSPACE power by the adversary, and we believe this can be useful, or it can be applied to other impossibility results.

Now let's go back to our figure and let me mention a couple of possibility results. So if we consider labeled USS NIZKs, we show that this is indeed possible. So what was impossible without labels is actually possible if you have labels. And furthermore, we also give this possibility result, which basically says you can achieve labels if you have this structure of a USS NIZK. Furthermore, we consider these other extensions of the labeled OR unbounded simulation-sound NIZK, and we give these possibility results. We give a black-box construction to go from OR to labeled at the cost of losing the disjunction: basically, you can use one of the two statements as a label and the other as the language. Considering all the straightforward relations that we can derive from those that we have proven, the picture looks as follows, and I just want to point out that in a black-box way NIZK and these two objects are essentially the same, and also these three seem to be the same object modulo black-box reductions. For future work, we leave proving the missing relations here, which we believe are impossibilities.

Now let me conclude the talk by explaining how we can build a signature scheme from every SS NIZK for a hard language. Notice that NIZKs for languages that are not hard are not so meaningful. Basically, look at this signing algorithm. What we do is simulate a proof on y, but y is a false instance. So we represent by D the sampler of no-instances given by the hardness of the language. The main idea is that you simulate a proof on a false instance using a trapdoor.
So the trapdoor is the signing key, and basically the unbounded simulation soundness game becomes the existential unforgeability game for the signature. That's why this construction is secure.

So I will conclude the talk now. This work started from the observation that all upgrades from NIZK to achieve unbounded simulation soundness use a signature scheme, or at least they leverage a signature-like primitive, and this seems to be a requirement, given that, as we have shown, once you have an unbounded simulation-sound NIZK you essentially have a signature scheme, and this signature is of the same computation and space complexity. In this work we have also studied composition of NIZKs, in particular black-box composition. Although several methods of composition exist, for example CDS-94, which is a composition method for sigma protocols, and as you know sigma protocols can be used to build non-interactive zero-knowledge systems using the Fiat-Shamir heuristic, all existing methods for general composition of NIZKs assume a certain specific structure on the NIZK. What we have shown in this work is that if you don't assume any structure on the NIZK, there are many compositions that are impossible; so for example disjunction cannot be performed in a black-box way, or even conjunction if you want to preserve the simulation soundness property. So the conclusion is that in new settings and under new assumptions, you will have to make extra effort to build NIZKs of general expressivity. So that's the end of my talk, thank you very much for your attention.