And this is a joint work with my PhD advisor, Zhenfu Cao, and Ivan Visconti. And this is the outline of my talk today. First, I will give a short introduction of commitment schemes and two notions of non-malleability. Then I will show our main result and, lastly, give a proof sketch of our commitment scheme.

So, you know, a commitment scheme is a two-party protocol between a committer and a receiver. You can consider it as a lockable steel box. In the commitment phase, the committer puts a secret value in the box, locks the box up and hands the box to the receiver. And in the decommitment phase, the committer gives the keys to the receiver, and the receiver uses the keys to unlock the box and retrieve the secret value in the box.

So, basically, a commitment scheme usually has two properties. In order to guarantee the security of the committer, we need a hiding property. It means that before the decommitment phase, a receiver cannot learn the committed value. And in order to guarantee the security of the receiver, we need a binding property. It means that after the commitment phase, the committer cannot open its commitment in two different ways. In the literature, there are mainly two kinds of commitment schemes. One is statistically hiding commitment and the other one is statistically binding commitment.

So, it is well known that the basic properties of a commitment scheme may not be sufficient in many application scenarios. And when it is used in high-level protocols, there may be some problems, such as malleability issues. I will take a digital auction for example. You see in the picture, there are three participants, the auctioneer and the two players. And we consider it as a sealed-bid auction. And first the auctioneer will ask the two players to hand in their secret bids. The first player may commit to a secret bid and give a commitment to the auctioneer. The second player may intercept the commitment of the first player.
It then generates a commitment to a secret bid and hands its commitment to the auctioneer. Next, the auctioneer will ask both of the players to open their secret bids. So, the first player opens his commitment, his secret bid, to the value of V, and the second player sees bid V and he can open his commitment to the value of V prime. Although the second player may not learn the secret bid before the decommitment of the first player, he can make sure that his commitment is one larger than the secret bid of the first player. So, the basic properties of the commitment scheme cannot prevent the adversary, the second player, from doing this. And this is why researchers introduced a notion of non-malleability.

So, there are two notions of non-malleability. The first is non-malleability with respect to commitment. Using a picture, there's a man-in-the-middle adversary. He may receive a commitment on the left and generate a commitment on the right with the receiver. So, basically, we say a commitment scheme is non-malleable with respect to commitment if the adversary, the man-in-the-middle adversary, cannot generate, should not be able to produce a new commitment, C prime, to a value V prime that is related to V with non-negligibly better probability after seeing C than before seeing C.

And another notion of non-malleability is non-malleability with respect to opening, or decommitment. And you see, we also require that the adversary, after receiving the decommitment on the left, he is able to also, he's able to open the commitment on the right. So, basically, we want the adversary to do equally well without interacting on the left with the committer.

In our paper, we use a simulation-based definition. We give a definition of concurrent non-malleability by comparison of a man-in-the-middle execution and a simulated execution.
I use a picture there. In the man-in-the-middle execution, the adversary may receive polynomially many commitments on the left and it generates polynomially many commitments on the right. And I use the random variable on the top to denote the values committed on the right. And in the simulated execution, there's only a simulator, there's no committer, there's no committer. The simulator will generate polynomially many commitments with the receiver. So, the random variable on the top also denotes the values committed in the commitments. So, we say a commitment is non-malleable, concurrent non-malleable, with respect to commitment if for every man-in-the-middle adversary that participates in polynomially many sessions on the left and polynomially many sessions on the right, there exists a simulator that, basically, we need the two random, two probability ensembles to be computationally indistinguishable. So, this is the notion of concurrent non-malleability with respect to commitment; using similar ways we can define concurrent non-malleability with respect to decommitment.

After introducing two notions of non-malleability, a natural question is, does the non-malleable, does the former notion imply the latter notion? It depends on the setting of the definitions, and at least for the simulation-based definition, especially in the plain model, we are not sure that the former definition implies the latter notion. The main difficulty lies in that in the proofs of non-malleability with respect to commitment, there is always a simulator. The simulator will internally run a copy of the adversary, and it externally interacts with the receiver. And the common way of a simulator is to generate commitments to dummy values in the left sessions, and it will relay the messages between the internal adversary and the external receiver. So, in the proofs of non-malleability with respect to commitment, we only consider the commitment phase, and the decommitment phase is not involved.
But in the proofs of non-malleability with respect to decommitment, the simulator must also emulate the left decommitment phase. The previous simulator may get stuck because it does not know how to open the commitment to a value other than the dummy value. So, in the plain model, we are not sure that the former notion implies the latter notion, but in the common reference string model, the former notion implies the latter notion.

So, this is the related work on statistically binding commitment schemes that are non-malleable with respect to commitment. You see the fifth result, Pass and Rosen have given a construction of a concurrent non-malleable commitment scheme. And it is round efficient, but it uses non-black-box techniques and the assumption is based on a family of claw-free permutations. And the most recent result was by Pass and Wee, this result, the last paper. And this paper will appear in this year's Eurocrypt conference. And they also give a construction of a concurrent non-malleable commitment scheme. But they only use black-box techniques and their assumption, I think it is similar, it is stronger than the assumption of the Pass and Rosen work. And they assume one-way functions that are secure against sub-exponential circuits.

So, this is the statistically hiding commit, the related work on statistically hiding commitment schemes that are non-malleable with respect to decommitment. And you see, Ostrovsky, Persiano and Visconti in the TCC paper, in a full version of the TCC paper, they gave a construction of a concurrent non-malleable commitment scheme. And they also assume the existence of a family of claw-free permutations. They are using non-black-box techniques and it is round efficient.
So, all previous work has left an open problem, that is, whether or not a constant-round commitment scheme that is both concurrent non-malleable with respect to commitment and concurrent non-malleable with respect to decommitment exists in the plain model and under a stronger simulation-based definition. So, the TCC paper, they have considered a computationally hiding and a computationally binding commitment scheme. And our work has focused on the statistically binding commitment scheme.

So, before going on to the actual construction, we take a brief review of the tools we used. We used a statistically binding commitment scheme, a statistically hiding commitment scheme, and a tag-based non-malleable, perfect zero-knowledge argument of knowledge, and a statistically WI argument of knowledge and a computationally WI proof of knowledge, and also a strong signature scheme.

So, the commitment phase of our scheme is similar to the TCC, to the OPV paper, and it includes three stages. In the first stage, the committer will generate a commitment C to the value V using a statistically binding commitment scheme. And then it proves knowledge of the opening of C using a tag-based non-malleable ZK argument of knowledge. And the tag of the proof is the public key of a strong signature scheme. And in the second stage, the receiver will use a statistically hiding commitment to generate two commitments, C0, C1, to two secrets, V0 or V1, respectively, and then it proves knowledge of either secret and it uses a statistically WI argument of knowledge. And in the third stage, the committer will use a strong signature scheme to generate a signature on the transcript up to now, and the receiver then will verify the correctness of the signature.

So, this is the decommitment phase of our scheme. It includes three stages, four stages. In the first stage, the committer will generate a commitment C prime to the dummy value using a statistically binding commitment.
Then the receiver will open its values, V0 or V1, and then proves knowledge of the opening of the residual commitment using a statistically WI argument of knowledge. In the second stage of the decommitment phase, the committer will open its value to V and then it uses a computationally WI proof of knowledge to show that either C is a commitment to V or C prime is a commitment to V0 or V1. In the third stage, the committer will use a tag-based non-malleable perfect argument of knowledge to show that C is a commitment to value V or it knows openings of either commitment C0 or C1. And in the fourth stage, the committer will also use a signature scheme to generate a signature on the transcript up to now. And our main contribution lies in the design of the decommitment phase, especially in the second stage of the decommitment phase, as I will show later.

So in order to show our commitment is a concurrent non-malleable commitment and decommitment, we need to show that the commitment is computationally hiding, statistically binding, and concurrent non-malleable with respect to both, with respect to commitment, and concurrent non-malleable with respect to decommitment. So the computational hiding property basically follows from the hiding property of the statistically binding commitment and the zero-knowledge property of the tag-based proof.

And for the statistical binding property, you can see in the second stage of the decommitment phase, we see the first part of the statement proved is certainly wrong, since the adversary opens its commitment in two different ways. So the first part of the statement is wrong. And for the second part of the statement, you see the adversary has no way to learn the information V zero or V one in the commitment phase. So in the first stage of the decommitment phase, the C prime can't be a commitment to V zero or V one. So the second part of the statement is certainly wrong.
And so according to the unconditional soundness of the commitment, of the computationally WI proof of knowledge, the statistical binding property is guaranteed.

So for the concurrent non-malleability with respect to commitment, Pass and Rosen have shown that if a commitment is one-many concurrent non-malleable, it is fully concurrent non-malleable. So we only need to show that the commitment is one-many concurrent non-malleable. So the proof basically is essentially the same as that of the OPV paper. And we only give a high-level structure of the simulator. You see that the simulator internally runs a simulated copy of the adversary. It externally interacts with the receiver. So there's only the commitment phase. There's no decommitment phase. And in the left session, in the left interaction, the simulator will commit to the dummy values in the first stage of the left sessions. All other stages of the left commitment will be emulated by the simulator by running the honest committer strategy. And in order to emulate the right interaction for the adversary, the simulator simply relays the messages between the simulator and the external receiver. So this is basically a high-level structure of the simulator. And notice that we assume that the commitment phase and the decommitment phase don't overlap in time in the proofs.

And to show that our commitment is concurrent non-malleable with respect to decommitment, we also give a high-level structure of the simulator. The simulator also runs a simulated copy of the adversary and externally interacts with the receiver. And you see in the first stage of the left interaction, the simulator also commits to dummy values. And all other stages of the left commitment and the right commitment will be emulated by the simulator by running the honest committer strategy and the honest receiver strategy respectively.
And after the completion of the simulation of the adversary, the simulator will sequentially extract all the witnesses of the second stage of the left interaction and the first stage of the right interactions. And the simulator will run the honest committer strategy and commit to the value tilde V_i that is extracted in the first stage of the right interaction.

And after the commitment phase, we have to emulate the decommitment phase for the adversary. You see in the first stage of the left interaction, the simulator will commit to the values extracted in the left commitment phase. And in the second stage, we will receive auxiliary input V_i from the outside, and all other stages of the left decommitment phase and the right decommitment phase will be emulated by the simulator. And after, if the right, if the right decommitment phase succeeds, the simulator will run as the honest committer and decommit, open the value to the external receiver. So we also assume that the commitment phase and the decommitment phase don't overlap in time.

So finally, as a conclusion, in our paper we give a statistically binding commitment scheme that is concurrent non-malleable with respect to commitment and is concurrent non-malleable with respect to decommitment. And it's round efficient, but it uses non-black-box techniques. And the open question is how to remove the assumption about the time barrier between the commitment phase and the decommitment phase. So that's all, thanks, thank you very much. Thank you.
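
The sealed-bid auction problem described near the start of the talk, as an added example that is not part of the talk or the paper. It goes beyond the talk by assuming a specific scheme, a Pedersen commitment over a toy group (the parameters `P`, `Q`, `G`, `H` and all function names are constructed for illustration), which is hiding and binding yet lets the second player turn a commitment to V into a commitment to V + 1 without learning V.

```python
import secrets

# Constructed toy parameters (far too small for real use).
P = 2039   # safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup of squares mod P
G = 4      # generator of the order-Q subgroup
H = 9      # second generator; log_G(H) is assumed unknown to the players


def commit(v, r=None):
    """Pedersen commitment c = G^v * H^r mod P; returns (c, r)."""
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G, v % Q, P) * pow(H, r, P)) % P, r


def verify(c, v, r):
    """Receiver's check of an opening (v, r) against commitment c."""
    return c == (pow(G, v % Q, P) * pow(H, r % Q, P)) % P


def maul(c, delta=1):
    """Man-in-the-middle step: shift the committed value by delta.

    Uses only the public commitment c, never the value inside it.
    """
    return (c * pow(G, delta, P)) % P


def run_auction(bid1):
    """Replay the talk's auction; returns (distinct, opens_ok, bid2)."""
    c1, r1 = commit(bid1)        # player 1 commits to V
    c2 = maul(c1)                # player 2 derives C' from the intercepted C
    # Opening phase: player 1 reveals (V, r1) first.
    assert verify(c1, bid1, r1)
    # Player 2 now knows V and r1 and opens C' to V' = V + 1 with the same r.
    bid2, r2 = bid1 + 1, r1
    return c1 != c2, verify(c2, bid2, r2), bid2


if __name__ == "__main__":
    distinct, opens_ok, bid2 = run_auction(500)
    print("commitments differ:", distinct)
    print("player 2 opening accepted:", opens_ok, "with bid", bid2)
```

Hiding and binding both hold for `commit`, so the auctioneer sees two different, validly opened commitments; only a non-malleability guarantee of the kind the talk defines rules this out.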