 Hello everyone, I'm Xiao Yang. I'm here to give a short overview of our results on non-manable zero knowledge. This is joint work with Adam Kim and Uncompending. Let's first briefly recall the definition for non-manable commitments and non-manable zero knowledge. For non-manable commitments, we consider the so-called mine-in-the-middle execution. In this execution, there is an adversary. We denote it as M. In the left execution, an honest committer commits to M. And in the red execution, this adversary M plays the role of a committer committing to some message to the receiver R. What non-manable commitments want to achieve is that the value committed by this adversary M in the red session should be independent of the value committed by the honest committer C in the left session. To capture this requirement, I first need to define two important random variables. The first variable is the view of the mine-in-the-middle adversary, view M. The other one is M-tutor, which is the value committed in the red execution by the mine-in-the-middle adversary. In this meme execution, we concern the joint distribution of these two variables. Now we compare this real world with a simulated world, where the honest receiver is talking to a simulator. This setting is a little bit different from a zero-knowledge definition in that the simulator cannot rewind the receiver R, because R is an honest receiver. However, the simulator can run the mine-in-the-middle adversary internally and potentially rewinds him. The simulator is required to be efficient, and importantly, he doesn't know the value M committed in the real game by the left honest committer. At the end of this simulated world, the simulator outputs a tuple, and we say that a commitment scheme is non-manable if these two tuples are computationally indistinguishable. Here, the intuition is that in this simulated world, the simulator manages to simulate the view of the mine-in-the-middle together with the value committed by the mine-in-the-middle, without knowing the honest committer's value M. Therefore, this intuitively implies that the value committed by the mine-in-the-middle should be independent of the value committed by the honest committer. Non-manable zero-knowledge can be defined in a similar way. We also consider the mine-in-the-middle execution, but the mine-in-the-middle adversary plays the role of a verifier in the left communication. In the right communication, this adversary plays the role of a potentially malicious prover, proving some statement to the right honest verifier. Similar to the non-manable commitment, the goal here is to make sure that the mine-in-the-middle adversary cannot prove statements that he cannot prove originally, meaning without talking with this honest verifier in the left. To capture this requirement, we look at the value output by the honest verifier. This is a binary bit indicating if the verifier accepts the adversary's proof or not. Now in the simulated world, we again have this simulator talking to the verifier trying to prove the same statement. Importantly, this simulator doesn't know the witness, W, and also it doesn't know the witness for this extruder. However, this simulator is trying to make the verifier output a big prime, which is supposed to be computationally indistinguishable from the verifier's discerning bit in the real world. As you can see, if the simulator manages to do so, that means what the adversary did in the real world can be done by an efficient machine, which is the simulator, without having the interaction with the left honest prover. This is how we capture the requirement written above. Before talking about existing works, I want to mention that these two primitives are very useful. Non-manable primates are useful for reducing run complexity of multipoddy computation protocols. And non-manable zero-knowledge has helped us obtain better, concurrent, secure multipoddy computation. Now let's take a look at what we know about the constructions. In the theoretical side, after a long line of research, we eventually have constant run constructions from the minimal assumption of one function. However, in the real world, the state of the earth are less satisfactory. For non-manable commitment, there does exist an efficient construction based on DDH, but for non-manable zero-knowledge, there are no reported eliminations with practical efficiency. In this work, we present the first non-manable zero-knowledge protocol achieving a real-world efficiency. Our construction only makes use of symmetric key assumptions, and is in the plain model, meaning without any setup. Our technique also implies the first practical non-manable commitment using only symmetric key assumptions. This is in contrast to the BGRV protocol mentioned earlier, which is based on DDH assumption. This is all I want to share during this short talk. If you are interested, please look forward to our talk at full length. Here is the related information. You can also find our paper at this link. Thank you for your attention.