Hey everyone, I'm Alex and I'll be presenting joint work with Vinod and Daniel on constructing statistical ZAPR arguments from bilinear maps. So ZAPR is a term that we invented in this paper, but suffice to say for now that it's a particularly nice form of two-message witness indistinguishability. The paper is freely available on ePrint at the link on the slide. So on that note, let's get started.

The object we study in this work is closely related to the notion of a zero-knowledge protocol, introduced by Goldwasser, Micali and Rackoff. So just as a reminder, a zero-knowledge protocol for an NP language L is an interactive protocol between a prover and a verifier, where the prover is trying to convince the verifier that a statement x is true, namely in the language, without revealing any information beyond that fact. So more formally, the protocol should be complete, namely if the statement is true and the prover is honest then the verifier should accept. It should be sound, meaning that if the statement is false then even if the prover is dishonest the verifier should reject. And it should be zero-knowledge, which says that the verifier's view in an interaction here should be simulatable without knowing the witness w that the prover has access to, and this should be true even if the verifier is behaving dishonestly. This captures the notion that the proof doesn't reveal any information about the witness.

Due to a celebrated result of Goldreich, Micali and Wigderson, we know that under the minimal assumption that one-way functions exist, there is a zero-knowledge proof system for every NP language. In the GMW protocol, soundness is guaranteed to hold against unbounded cheating provers, while zero-knowledge holds against computationally bounded cheating verifiers. It's also now known how to construct the opposite, namely a protocol where soundness holds against computationally bounded cheating provers and zero-knowledge is guaranteed to hold against unbounded cheating verifiers. This is called a statistical zero-knowledge argument system. So this particular security setting has received some interest because soundness is only a condition that you need to hold in the moment, whereas zero-knowledge is actually a property you might want to hold for all time, because a proof will be posted somewhere and you don't want anybody to learn anything in the future either. So for that reason this particular pair of security properties, computational soundness and statistical zero-knowledge, is an interesting one.

So in this work we are scoped to the following setting. First of all, as I just said, we're interested in getting statistical security against the cheating verifier. But second of all, subject to that, we want to minimize the amount of interaction between the prover and verifier. So in this setting this means considering a two-message protocol. Unfortunately, full zero-knowledge is impossible to achieve in a two-message protocol, so we relax our security notion against the verifier to witness indistinguishability. This is a security property that says that when a statement x has multiple witnesses associated with it, then the proof generated by the prover using witness w1 is indistinguishable from the proof generated by a prover using witness w2. So a proof reveals nothing about which witness out of this pair was used.

Two-message WI protocols have been studied fairly extensively in the past, and so here's a summary of some of what's known about them. They were originally constructed by Dwork and Naor under the factoring assumption, and since then there have been constructions under the DDH assumption, the QR assumption and the LWE assumption. I specifically want to mention these two recent works that give a two-message statistically witness indistinguishable protocol using a framework established in recent works about correlation intractable hash functions, and this is all based on the LWE assumption. Furthermore, I want to point out that some of these works have this plus plus notation next to the WI, and this is indicating that these protocols have nicer properties beyond just being a two-message WI protocol.

What more could you hope to get out of a two-message WI protocol? Well, the problem we're really trying to solve is that of minimizing interaction between a prover and a verifier in a meaningful cryptographic protocol. So what you could really hope is, well, first of all to have a two-message protocol; second of all, you could potentially hope that the verifier message is some random string which doesn't depend on the statement; and furthermore, you could hope that the proof is publicly verifiable, meaning that the verifier doesn't need to remember how he sampled this random string. In such a setting you could have some initial verifier sample this first message beta, publish it, and then totally forget everything that happened, and still, as long as you trust that this verifier behaved correctly, any prover can then convince any verifier of even multiple arbitrary statements. You get nicer usability properties, etc.

As a result, in this work we define statistical ZAPR arguments, the main object that we study, to be a two-message protocol satisfying all the properties we just discussed, namely it should be a delayed-input, publicly verifiable, statistically WI argument system. So this notion is very similar to that of a ZAP, introduced by Dwork and Naor, as well as a statistical ZAP argument, introduced just last year. So the difference is that a Dwork-Naor ZAP is only computationally WI, whereas ours satisfies statistical WI. And the difference between our notion and statistical ZAP arguments is that our notion doesn't require the protocol to be public coin, meaning that this beta, this first message, needs to be sampled independently of x, but it may not be a truly random string. So in other words a ZAPR is a ZAP with private randomness.

So now the main result that we show in this work is that statistical ZAPR arguments can be constructed under a standard assumption on bilinear maps. So now that you know the main statement of our results, let's go back and take another look at the prior work. So here's a more expansive table explaining what was known based on prior work, and as you can see some of the prior constructions achieved these stronger notions of, say, reusability and public verifiability, etc., and some of them did not. So focusing now on the protocols satisfying statistical WI, we can see that the DDH- and QR-based protocols that were known were privately verifiable and did not satisfy these nicer properties. But the recent construction of statistical ZAP arguments based on LWE satisfies all the properties you could ask for, and then in this work we get the properties minimizing interaction, but not a public coin protocol, based on bilinear DLIN. So in other words, until this year there were actually no constructions of statistical ZAPR arguments at all under any computational assumption. It wasn't clear if the problem had a solution. But then, as I mentioned, there was a construction based on the LWE assumption that used this new correlation intractability technique. So what we did in this work is we went back to older techniques and older tools based on bilinear maps and showed that these could be adapted to solve a similar problem. So in other words one takeaway is that correlation intractability is not an essential tool for attaining this end goal, and neither is the very powerful LWE assumption.

That concludes the introduction of the talk, so for the rest of my time I want to talk a bit about how our construction actually works, and since the ideas and the construction itself are fairly simple, we're actually going to see quite a lot of it in the talk.

One of the main tools we use in our construction is a non-interactive zero-knowledge protocol for NP. This is a one-message zero-knowledge protocol, which is able to exist because we make a different modeling assumption from before. Namely, we assume here the prover and verifier have access to a common reference string, which has been set up by a trusted third party. In this case it turns out that the impossibility results for zero-knowledge can be overcome, and indeed one-message zero-knowledge protocols in this model exist. But to make sense of this we have to revisit the zero-knowledge definition, which said that a proof for a true statement should be simulatable given the statement and not the witness. So here we relax this definition to allow the simulator to also tamper with the common reference string, as long as it's done in an indistinguishable way. So such an object is known based on bilinear maps, based on the DLIN assumption, that we're going to use in this work. And moreover, such a construction is known to satisfy computational soundness and perfect zero-knowledge. So in particular this means the protocol is also statistically witness indistinguishable.

So given the existence of this NIZK protocol, you might ask, why aren't we already done? It actually looks fairly similar to the object that we're trying to construct. But the answer is that this CRS modeling assumption is actually quite important. It's an important distinction from the plain model, and there isn't any obvious way to convert this protocol into a sound and zero-knowledge protocol in a two-message plain model. So the first thing that you would think of is allowing the verifier to pick the common reference string, but unfortunately it might be the case that there are some bad choices of CRS that allow the verifier to cheat successfully. So if you think about it a little more you might think, well, maybe even if it's not always possible to convert a protocol in this model to a plain model protocol, the particular construction that we have might still suffice, in particular this GOS construction, because it's perfect zero-knowledge. What we actually know is that it's statistically WI for every single choice of CRS, and you might think that's enough already to convert it into a two-message protocol. So we repeat the question: why aren't we done? But the answer is the subtlety that the perfect zero-knowledge property only guarantees that the construction is statistically WI for every CRS that is potentially output by the setup algorithm. So you get some form of semi-malicious security: if the verifier picks any CRS in the support of the setup algorithm you get WI, but if the verifier picks something that's not in the support of the CRS setup algorithm then you have no guarantees, and so in particular this naive transformation does not actually work.

So with this difficulty in mind I'll now start to describe a simplified construction. It's only going to work for languages in NP intersect coNP, and I'll start out with an even simpler, incorrect solution and we'll work our way towards a functional protocol. So here's the candidate protocol that we already discussed, in which the verifier just sends a CRS, unconstrained, and as we already discussed this protocol fails to be statistically WI because an adversarial verifier could pick a CRS string which is not in the support of the setup algorithm, in which case we have no guarantees about the statistical WI of the second message in this protocol. So this is a problem, and a first idea towards resolving the problem is that the claim that beta, any fixed string, is a valid CRS, that is, that it comes from the setup algorithm, is an NP statement. And so we could hope to make the verifier prove that the CRS it picks is valid, thereby guaranteeing the statistical WI of the second message.

So here's a first implementation of that idea. In this protocol we have the verifier sample a CRS as before and send it over, and additionally send a statistically sound proof that the CRS is valid, meaning that it's in the support of the setup algorithm. The prover then only sends the second message after verifying said proof. So the prover won't send anything until he's already been convinced that his second message is going to be statistically WI, so that's good. However, in order for this protocol to be sound, we need the verifier message, namely this proof of validity, to not reveal secret information about the CRS string. If secret information about the CRS were revealed then the prover might be able to break soundness of the overall protocol. So for example, if the first message were zero-knowledge, then we'd have nothing to fear. However, we know that one-message zero-knowledge proofs do not exist in the plain model, so we can't hope for this to work. The best we can hope to do is to rely on a non-interactive witness indistinguishable proof, otherwise known as a NIWI, which is known to exist based on bilinear map assumptions.

So a simple modification will get a working protocol in a special case, namely if the language happens to be in NP intersect coNP. Then there is a simple modification to the previous protocol that will get something that works. So in this protocol, which is a working protocol for NP intersect coNP, we have the verifier sample a CRS for the NIZK, send it over to the prover, and also send a NIWI proof that either the CRS is valid or the statement x is actually false. So this is a classic trick for NP intersect coNP, and it works here. So then the prover verifies the proof that the verifier sent, and if the proof checks out he then sends over a NIZK proof using the CRS that the verifier picked.

So let me just sketch the proof that this is okay. In order to argue statistical WI, as I was saying before, since the statement is true, the NIWI indeed forces the verifier to pick a valid CRS, and this is because in the disjunction here the second statement is false in this part of the analysis, and so the soundness of the NIWI means that the CRS that the verifier picks, as long as the prover does not abort, must be valid. And because we started with a NIZK which is statistically WI for every valid CRS, we get statistical WI of this plain model protocol. To argue soundness we just need to say that this proof supplied by the verifier doesn't tell the prover anything interesting about the CRS. And indeed, because it can be indistinguishably generated using a co-witness for x, that is, using information based on x and not based on beta, this proof computationally does not reveal anything about beta beyond beta itself. And so you get soundness by a reduction to the soundness of the NIZK protocol.

That completes the simplified construction, which I think gets across a couple of the main ideas, namely use a NIZK argument and force the verifier, using a NIWI, to prove that he's picking a good CRS rather than a bad CRS. From now on we'll see in a bit more detail the full construction, which works for all NP languages, although I'll skip over some of the details.

So again, working up to the full construction, let's consider a slight variant of what we've already seen. In the protocol on this slide, we're having the verifier sample two independent CRSs using the setup algorithm for the NIZK argument and sending them both over. In addition to the two CRSs, the verifier will also send a NIWI proof that at least one of them is valid. That's still an NP statement, so we can still send a proof of such a statement. The prover, after verifying this proof, then picks a random one out of the two CRSs and computes a NIZK argument for the actual statement using that particular CRS.

So, okay, this is a protocol. Let's stare at it for a moment and see what properties it has. First of all, I claim that it's sound already as written. So why is that? Well, if any cheating prover breaks the soundness of this protocol, then this prover breaks the soundness with respect to either the first CRS beta zero or the second CRS beta one, again with a factor two security loss. But no matter which beta r the prover is breaking soundness with respect to, this NIWI could have been generated in a way that leaves the soundness of the NIZK with respect to that beta r uncompromised. In other words, the NIWI could have been generated with respect to the randomness used to generate beta one minus r as opposed to beta r, and in such a hybrid this NIWI does not reveal any information about beta r beyond beta r itself. So you can piece this together and get an argument for soundness of this protocol using the witness indistinguishability of the NIWI and the soundness of the NIZK argument. So that's good, we get soundness already of this two-message protocol.

Now this protocol itself is not statistically WI. In particular, you can see this because a cheating verifier can sample one of the two CRSs dishonestly in a way that breaks the WI of the NIZK protocol, and the prover might accidentally pick that CRS; in particular, with probability one half the prover will choose to use that CRS, and WI is broken in that case. But we get some weak form of WI, namely this protocol is statistically WI with probability one half over this choice of r that the prover makes.

Finally, in the full construction, we're going to have a more complicated variant of what we saw on the previous slide. So here I've displayed what the first message in our actual protocol is going to look like. What the verifier does is sample three T CRSs for some repetition parameter T and arrange them into a three by T grid, so we have T rows of three CRSs each. The verifier sends all of these CRSs to the prover and sends a NIWI proof that for every row, at least two out of the three CRSs are valid. So again, that's an NP statement, so the verifier can send a proof of such a statement. Then the prover, after verifying this proof, is going to pick a random one out of every three of these CRSs; that is, for each row the prover picks a random one out of the three CRSs, and then the prover is going to somehow generate a single NIZK argument using these T CRSs that he subsampled. So we'll see in a moment what's going on, but let's just sketch a security argument already as is.

So first of all, to argue soundness of this two-message protocol, we're going to do a souped-up variant of our discussion from the last slide. If the NIWI is really secure, if it's say three to the T secure, then what we know is that for any r, for any subsampling that the prover picks, even if the subsampling is adversarial, there exists a hybrid generation of the first message in which every single one of the CRSs that is adversarially picked is actually uncompromised. So this actually bears quite some resemblance to an argument made by Kalai, Khurana and Sahai in the original construction of two-message statistical WI arguments, and we ported it over in a sort of different guise here. So that's going to come into the soundness analysis.

To argue statistical WI of this protocol, we're going to say the following. Because of the proof that the verifier is forced to send over in the first round, what we're guaranteed is that within this grid, this T by three grid, in every row at least two of the CRSs are guaranteed to be valid. So then the prover, when honestly sampling this random string r, that is, subsampling one CRS out of every three, we're going to get that with very high probability about two-thirds of the CRSs at least are going to be valid in the prover's subsampling. So in order to be done, what we need is a way to convert T CRSs into a single argument for an NP language, with the guarantee that if at least two-thirds or close to two-thirds of the CRSs are generated correctly, or from the right set, that WI carries over. So it's a sort of special-purpose combiner that we need, that converts about two-thirds correct CRSs into an actual WI argument.

To solve this final problem we turn to the MPC-in-the-head technique. So just to quickly sketch what's going on in our work, we consider the MPC-in-the-head technique as an information-theoretic object which takes an NP witness w, secret shares it into T parts, and then writes down an execution of an MPC protocol in which party i is given w_i, and the T parties are jointly verifying that w is a witness while keeping the witness distributed amongst the T parties. So the way that we use this information-theoretic object is we write down commitments to every view of each party, and we write down commitments to every pointwise channel, that is, the transcript of communication between party i and party j for every pair i and j. We then assign a CRS to each party in our heads, and we're going to write down NIZK proofs using CRS_i of the consistency of party i's view with all of its channels, all of its communication channels with the other parties. So we're trying to prove an overall consistency statement about this MPC execution, and we use CRS_i to prove all the statements about party i. And if you think about the way in which the MPC execution is interacting with these CRSs, it turns out that as long as at least two thirds of the CRSs are statistically WI CRSs, the overall proof that you write down here will also be statistically WI, as long as the commitment is also statistically hiding. And this now completes a full description of the protocol.

The only detail that I've left out that I think is worth mentioning is that in order to prove that this protocol is computationally sound we still need the commitment to be statistically binding, but to prove that the protocol is statistically WI we need it to be statistically hiding, and this seems to be a contradiction. But the resolution, which has been used in all constructions of two-message statistical WI so far, is to use a commitment scheme which is statistically hiding overall, but with small probability it is also statistically binding. So that's a detail that I'll leave to the paper.

So to conclude, we construct statistical ZAPR arguments, which are the minimally interactive statistical WI arguments that you can think of, from standard assumptions on bilinear maps, and we use a bunch of standard but very powerful tools in this construction, namely the GOS NIZKs, both variants of their NIZK, the MPC-in-the-head technique, which we abstract out as an information-theoretic object that we call locally zero-knowledge proofs, as well as a sometimes-binding statistically hiding commitment that has been integral to all constructions of two-message statistical WI protocols so far. So just to leave a couple of interesting open questions: is there a construction of this object from factoring? Factoring at least gives us a NIWI, so there's some hope, but there are definitely some things missing. You can also ask if we can have any construction of two-message statistical WI arguments without making use of complexity leveraging, which has come into play in this third bullet point in every construction so far. So those are some interesting questions, and thank you for listening.
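The "about two-thirds valid" step of the statistical WI argument, as an added illustration that is not part of the talk or of the paper's own code: a constructed toy model of the verifier's 3-by-T grid, the prover's honest one-per-row subsampling, and the exact and Hoeffding tail probabilities for how many invalid CRSs the prover can end up holding (all function names and the sample grids are my own).

```python
from fractions import Fraction
from math import comb, exp
import random

# Constructed toy model of the verifier's first message: a grid of T rows x 3
# columns, each entry True if that CRS is in the support of the NIZK setup
# algorithm (valid) and False if the verifier chose it dishonestly.

def grid_is_admissible(grid):
    """What the verifier's NIWI forces: every row has at least 2 valid CRSs.
    The prover aborts unless this holds, so the WI analysis may assume it."""
    return all(len(row) == 3 and sum(row) >= 2 for row in grid)

def prover_subsample(grid, seed):
    """Honest prover: pick one column per row uniformly at random.
    Returns (choices, number of rows where an invalid CRS was picked)."""
    rng = random.Random(seed)
    choices = [rng.randrange(3) for _ in grid]
    bad = sum(1 for row, r in zip(grid, choices) if not row[r])
    return choices, bad

def exact_bad_tail(rows, max_bad):
    """P[more than max_bad of the T picks land on an invalid CRS].
    Worst case the NIWI still allows: exactly one invalid CRS per row, so each
    pick is bad with probability 1/3 independently, i.e. Binomial(T, 1/3)."""
    p = Fraction(1, 3)
    return sum(comb(rows, k) * p**k * (1 - p)**(rows - k)
               for k in range(max_bad + 1, rows + 1))

def hoeffding_bad_tail(rows, slack):
    """Hoeffding bound: P[bad fraction >= 1/3 + slack] <= exp(-2*slack^2*T).
    Shows how the 'about two-thirds valid' guarantee sharpens as T grows."""
    return exp(-2 * slack**2 * rows)

def worst_case_grid(rows):
    """Constructed adversarial grid: one invalid CRS per row (in column 0)."""
    return [[False, True, True] for _ in range(rows)]

if __name__ == "__main__":
    T = 200
    grid = worst_case_grid(T)
    assert grid_is_admissible(grid)
    _, bad = prover_subsample(grid, seed=1)
    print(f"T={T}: prover picked {bad} invalid CRSs ({bad / T:.1%})")
    print("P[bad fraction >= 1/2], exact:", float(exact_bad_tail(T, T // 2 - 1)))
    print("Hoeffding bound:", hoeffding_bad_tail(T, 1 / 6))
```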