 Hey, my name is Rachel and today I'll be talking about joint work with young time in Kali and the notify continent Nathan called the summer statistical soundness post quantum security and snarks. So today I'll start by talking about the last of these three things. The first snark is succinct non interactive argument. The idea is that a prover wants to prove to a verifier some statement x is in a language. She's going to do this. So they're going to have both parties going to have this common random string that is generated by the third trusted party. And they both know it, the proof of generate the certificate pie in response to the common random string and the verifier upon receiving pie and x will verify them jointly with the common random string. So these are the two properties we're going to want. The first is sickness, which is that if a language takes time to compute, then verifying it should take time way lesson T. The second property is sadness, which is that for any poly T size she improver, they shouldn't be able to generate both x and the proof pie. So the verifier would accept if X is not actually in the language position and be able to convince the verifier of any false statement. There's been a lot of work on trying to construct snarks. So, for a long time, all efforts were directed at constructing snarks for MP. And it was only done under really strong assumptions such as the random article model or knowledge assumptions. So it took an effort dedicated towards constructing snarks for deterministic languages. So for P, it was to construct it under some essential IO, or under this assumption on binary groups. Recently as a work constructed snark to buy into computations based on some exponential w. We also want to mention a concurrent work by Charlie Jane and Jen, which constructs not batch and PNP, which under w. In our work today, we're going to investigate this connection between snark for batch and PNP. So in particular, we're going to show that there's a snark for P, or more generally any language that the computation or non signaling PCP, assuming that there's a snark for batch MP. I mentioned that the set of languages that have computational snark signaling PCPs includes P, but also classes such as batch MP, which we've done this year, but we're assuming it and but also class MTSP, which is a subclass of MP that consists of all non deterministic computations done in time T and space s. So we'll also talk about some more statistical soundness and post quantum soundness, but we won't get to that yet. So first we'll start by this connection between snarks for languages as cohesion not signaling PCPs from snark for batch MP. So, to just to start, let's talk about the publicly verifiable snark, which we want to get we'll talk about existing work on privately verifiable snarks. So the works of Kalei Ross and Ross bloom and breakers key home ground Kalei showed that there exists a privately verifiable snark for any language have a computer not non signaling PCP, assuming FHE or the distance of a peer scheme. And once again, like the type of languages that have computer non signaling PCPs include P batch MP and TSP. So let me tell you how this privately very valuable snark. So prior in a verifier, the verifier is going to compute a set of PCP queries, along with a set of public and secret keys for for the FHE scheme. So one for each of the query locations. So to send encryptions of each of the query locations under this like FHE scheme so Q one is the encryption of Q one hat is an encryption of Q one with the public key PK one and so on. And the very heart is also going to keep in his head this trap door, which is because of all the secret keys. The prover is going to compute the PCP PI. And then back on the encryptions of the answers at the location Q one to Q L, which they are able to compute under the hood. So they're able to take these encrypted queries and compute these encrypted answers. And the verifier then takes the trap door which you know he has kept a secret in the brain and will invert the encrypted answers, and then check the resulting plain text answers. So this is known as BMW heuristic. And so the question of what they're about this paradigm is down in general for an arbitrary PCP was open for a while actually was known that it was not sound for an arbitrary PCP and there's a question like, you know, which PCP is actually sound for. And it turns out that the condition that is necessary is. It's like the other PCP is computational non signalling. So I won't tell you what combination of all the things on the only important thing for this talk is that this is like the property we need for this BMW paradigm to be sound. So today we're going to get rid of this pair of privately verifiable clause and hopefully get just publicly verifiable. Before we do this, we're going to depart from this like privately verifiable non interactive argument, and go to and talk a little bit about publicly verifiable interactive argument. So that is, you know, famous killing protocol. So, I'm killing protocol works as follows. The basic idea is that the prover is going to compute this route which is a commitment to PCP PI, send it over to the verifier, who then sends over. It picks a random PCP query, and ask the PC on the prover to reply with the answers to those locations, along with openings to the commitment to show that they were in fact the PCP answers the prover had committed to previously. And so, in order for there to be these local openings will need like a hash function a commitment scheme, which allows for local openings or this like. And to like, give the value of a location and have it be verifiable without having to open everything, because I PCP PI might be very long. And this is, so this exists and is known as like a tree commitment scheme, and I won't look at how that works but just know that it's a scheme with local opening. So our observation is that the first two rounds of the clean protocol look a lot like an instantiation of PRR. If the PCP is computer not signaling, and if the hash H is a tree hashed PR scheme. And so the question then is like, you know, does this tree hashed peer scheme exist, and the answer is yes, it does. It's something called a summer statistically binding hash. So summer statistically binding hash is a hash function with local opening that can be binding on an index of your choice. So here we're going to be buying on the index I am to get a hash key for those binding on I, along with the trapdoor. And you have the property that is possible to take a hash of your of X, and which is binding on index I, and inverted using the trapdoor to get the location Xi. And second property we're going to want is that for any two possible locations of what you're binding is, you can't tell which of the two locations your hatchback is binding on. So these are like, you know, these are the properties of a pure scheme in the sense that a pure scheme has privacy, which means that you can't tell which location you're binding on location you're asking and that's exactly the second property here. It also has a property that you can invert any possible response to figure out what the other person was sending you under the hood, and that's the first property here. So extractable and private. And these SSB hash functions are known to exist, assuming the harness of w e. So let's return again to the claim protocol where we have used these SSB hash functions. So now our hash keys that the previous going to have to use to compute the commitment is a sequence of hash keys. One for each PCP query. So it's going to be binding on each of the PCP queries that you know the very hard to use this. So you have to compute the commitment they're going to compute each hash individually and send over all L hashes. And then, you know, for the rest of the protocol verifier is going to ask for a query, the previous going to send back the answers, along with openings for each of the L hash functions and each of the L answers. So this is this is an initiation KR is sound. And the point is that, you know, in these first two rounds, the verifier actually asked the prover for an encrypted and encrypted answers to the PCP queries at Q star. And if only they could actually invert that and figure out, you know what the prover had sent, then this would be sound. So we note that if, you know, this next query that the verifier asks is equal to Q star the encrypted queries, then even an all powerful adversary can find accepting answers and openings to celebrate exist on bias and it's a KR. So this is like the key point that we will be using to talk. So here's a new perspective on the killing protocol, which is that we start with a privately verifiable instantiation of here are. And we want to ask, how do we make this protocol publicly verifiable. So, to the answer is to add interaction. For us, we are interested in constructing non interactive arguments so that's not going to work. So we have a paper that actually achieves non interactive argument by coli penness and young, which uses do you have to go encryption, which is assumption and violin your maps. I'm sort of a non standard assumption not sure not sure how to initiate it. So, in our work, we propose this alternative idea, which is to add a decision of snark that for all possible questions of the verifier could ask for Q, which is a PCP query. There exists some answers and openings that the prover could send to the verify would accept. So in one shot, we're asking the prover to convince the verifier that you know no matter his next message no matter which queue he wants. You know, there will always be an answer that the prover could give that verifier accept another very hard of them would have to ask you anymore because the prover has proved to him that, you know, it all he would always have for any queue. And we note that this is precisely a batch MP statement, because it's for all queue so for many possible values of q. There's this MP statement which is that there exists. So this is like a witness W that V accepts. So this is about the MP statement and it's for this following language LV, which is basically that an instance XH root and query queue is an LV. If there exists this witness so answers an opening such that the verifier would accept it. So now let's see what our stark look like. So the verifier, just going to the common random string will consist of all L hashes so binding on the queue of L locations of the PCP query, along with a CRS for the batch MP snark. So this is basically our snark, we're almost done. So basically the point is that if X is not a language L, then by the sound is a KRR and BHK. And since awesome particular for the snark. So basically the point is that if X is not a language L, then by the sound is a KRR and BHK, and this is awesome particular for the snark. So awesome particular for the special queue started with encrypted. So then, you know, so if X is not in the language, then this statement has to be false because this is false in particular for a queue to choose star. And then the previous should not be generated. So okay, anyway, so we're basically done now. There is one technicality, which is that a number of statements is very large. And so in particular, if you consider a time t computation, the PCP pi will be size at least like poly T. And for not simply PCP, the size of a PCP query is poly log t, which means that a number of possible queries is T to the body log T. Which generates this batch MP proof, they're going to have to run in time T to the poly log T, which is pretty large. Ideally, we would have poly T. So turn on the suffix to this. So for all non-signal PCPs that we know of, they have the same structure, which is that there is that you can position any query into a bunch of tests that are checking each test individually and taking the end of all the tests. So we can just replace this for all queue clause with a for all test clause. So we're going to check every single test, which is our only polity of them. And the suffices to check any possible query queue, because a query queue is the end of a bunch of tests. The first statement is poly T and the prover can generate this batch and P proof and time poly T. So he runs time poly T and we're done. So that wraps up our construction of a snark for any language that the competition of the link to see you. I want to return once again to our earlier discussion of the killing protocol as with the first two rounds being instantiation of the KRR protocol. And just recall once again that this has the property that if the third message from the verifier is Q star, then even an all powerful adversary cannot find existing accepting answers and openings since it doesn't exist. And so, and like so since this holds for Q is Q star to argue soundness what you want to do is just say that if you said it's a random Q. Well, you can't tell what was hashed or what was hidden in these like hash functions h of Q i star by the soundness by like the privacy and distinguishability of the SSB hash functions. So for random Q. Well, you couldn't tell what was in the hash function so it might will happen Q. And then it just sound. So that's sort of like the disability that this entire security is relying on. So this is the straight line proof of soundness. So more precisely a straight line proof of soundness is a reduction. In this case is to this indistinguishability assumption that runs by interacting with a sheeting prover exactly once. So just sends a message to the prover receives the answer to another question and receives an answer. Does not involve any rewinding. So if you know about this thing like this improve Achillean the standard this improve Achillean. You might know that the proof involves running the first two rounds, putting a bookmark there and then running the next two rounds and rewinding back to the to that bookmark many many times. And each time you get a new answer. You can then eventually use to extract the entire PCB. It's also also rewinding and rewinding is generally known not to be sound against quantum adversaries. So now that we are only running our protocol exactly once no rewinding. It turns out this is actually this reduction actually holds for quantum adversaries as well. We actually prove that which is that any argument system that is proven sound via straight line reaction reduction. It's also post quantum sound, assuming that the underlying assumption is straight line quantum sound. And as a corollary, we get that Kylian with combination of non significantly PCP and a parallel SSB hash family is both going to sound. And so this is like a pretty simple proof of the fact that Kylian is quantum sound. This was done independently in a work by GSM mouse winner and Dan tree, which shows Achillean is post quantum sound for any PCP SSB hash function. But they do this using advanced quantum techniques. So the benefit of our corollary is that this is understandable for people who don't have very much of quantum background. What we do is witness a reduction that quantum, for quantum adversaries as well. So I just want to finish by generalizing this argument for a broader class of protocols called some more specifically sound. So, some are redefined so some are specifically sound argument are essentially generalization of this idea that for the Kylian protocol, the third message. There's a third message, such as the reporting protocol is statistically sound. So that's actually what the first, what the first condition says that there exists a certain message, such that everything else after that is just the sound of the group or can she no matter what. The second is that the third message is basically indistinguishable for random, and that held for our case as well by the security SSB hash function you can tell what the q or q star was encrypted in the hash function. But this allows you to argue security in general. So as we just sort of showed with a Kylian protocol. So more specifically sound gives you straight line soundness, which gives you both condoms on this. And we additionally conjecture, actually snarls again, that any SSS interactive argument is the extra mirror for me. If you don't know what the extra mirror is. You can see the interactive paradigm, which allows you to turn any interactive argument, or any interactive protocol into a non attractive one. And you do this by replacing every verifier message was a hash of everything so far so a hash of the, like, all the previous just for for instance. And so all the works of getting the talk I mentioned constructing snarls. And so we can go through the future mirror paradigm, and proving that it is sound. So if you actually are is known to be unsound in general for arguments, but it is known to be sound for some, like many proofs. And so, there's a question and we just like which, which, which protocols is the extra mirror actually signed for. And so I guess what we're doing in this work is that we're conjecturing that the, that there's that the idea of being so more statistically sound is enough to be fetching your family, or for Fiat should be sound. And so the idea is, there exists a message for which the protocol is the sound, and in general, there's an indistinguishable ideas of the argument. And so I guess essentially what some more statistically sound argument is is a hybrid between a for argument on where everything is, you know, just an argument, and a proof on in which is something is specifically sound. So somewhere a proof. And there are an argument, and we can measure this is the right property for an argument should be fetching your family. To summarize our key contribution is a new perceptive on Kylian's protocol as a publicly verifiable and interactive variant of PR. And we have a few, few different branching out of that I would, that we explore. So the first is we are able to configure snark for any language that has a computation on not signaling PCP, from us not for a batch on P. We also have some artistic ghost on this, and we show this implies treat line soundness, which then implies with condoms on this. And we also conjecture that any SS interactive argument, it's fetching your family. So that concludes my talk. Thank you for listening.