Hello, I'm going to present our paper, Non-Interactive Composition of Sigma Protocols via Share-then-Hash. This is joint work with Miguel Ambrona, Andrej Bogdanov, Miyako Ohkubo, and Alon Rosen. I'm Masayuki Abe. Our starting point is the Sigma protocol, which is a special kind of proof system where a prover convinces the verifier that there exists a witness w that satisfies a relation with respect to a statement x by exchanging three messages a, e, and z. It is sound in the sense that, given two valid transcripts on the same first message and distinct challenges, an extractor successfully computes a witness that satisfies the relation. This property is called 2-special soundness. A Sigma protocol is special honest-verifier zero-knowledge in the sense that there exists a simulator that takes a true statement and an arbitrary challenge string and outputs first and last messages that verify correctly. Since a Sigma protocol is a public-coin proof system, the Fiat-Shamir technique works to make it non-interactive in the random oracle model: the challenge is generated by hashing the first message. Here, the statement x is also given to the hash function as input for security reasons, but we omit that for visual simplicity in the rest of this talk. One of the reasons that Sigma protocols are widely used is that it is easy to obtain a Sigma protocol for a compound statement by composing the Sigma protocols for the basic statements. For a conjunctive statement, parallel execution of the Sigma protocols for the basic statements with a common challenge constitutes a Sigma protocol for the compound statement. For disjunctive statements, a well-known technique by Cramer, Damgård, and Schoenmakers is widely used.
When a prover knows a witness for either of the basic statements, it simulates the unknown side with a random challenge and answers on the known side with respect to a challenge computed by additively sharing the given challenge string, so that the preliminarily chosen challenge is the other share. The verifier checks that the challenges chosen by the prover are in the correct relation and verifies every basic proof. From the verifier's point of view, it is totally unknown which of the shared challenges was chosen in advance for simulation. Actually, efficient Sigma protocols are obtained by such composition for any compound statement that is efficiently represented by a monotone formula, a threshold access structure, or a monotone span program. In the rest of this talk, we focus on the case of monotone formulas for simplicity. Now we get back to the simple OR proof by the CDS-94 composition. We consider its non-interactive variant with the Fiat-Shamir technique. Recall that the challenge string used for simulation is chosen by the prover, and the verifier does not see how it is generated. Namely, the prover has full control over the challenge string. It is perfectly fine in the original CDS composition, but it can be troublesome in some extended cases, as we explain later. Furthermore, the CDS composition has other limitations that we try to overcome in this work. Our proposal can be summarized in one sentence: hash each share before using it as a challenge. Namely, instead of choosing a challenge randomly, we generate it by hashing a random string. The additive sharing is done with respect to the input to the hash function F, and the shares are sent to the verifier. The verifier algorithm is modified accordingly. The hash function F used for this purpose is independent of the hash function H for the Fiat-Shamir transform. Now we explain how such a small modification makes a difference. There are three benefits in the modified scheme compared to the original CDS composition.
We explain them one by one. The first point is an efficiency improvement by recycling transcripts for repeated statements. Consider a compound statement where the same statement appears multiple times in different clauses. In such a case, the original CDS requires multiple runs of the underlying Sigma protocol on the repeated statement. Let's think of a toy example where the compound statement consists of three literals and two variables, like this. Statement x1 appears twice in the compound statement. A prover knowing a witness for x1 simulates a proof on x2 and proves on x1 twice, once for the first appearance in the compound statement and once for the second. Challenge strings are generated according to the secret sharing for the dual of the access structure for this formula. The verifier executes the underlying verification algorithm three times. Thus, the overall complexity is linear in the number of literals in the compound statement. We then consider eliminating the multiple executions of the Sigma protocol on the duplicated statement. Suppose that we merge the first messages for statement x1 into one. Since the challenge strings are generated according to the access structure, there are still two challenges for x1. So the prover answers those challenges with the same first message. However, this constitutes two valid transcripts with the same first message and different challenges, which reveals the witness. Such a risk is indeed pointed out in the literature that presents an efficient compiler for Sigma protocols. Our share-then-hash modification allows secure merging of all shares assigned to a repeated statement. In this case, shares s1 and s1' assigned to the two appearances of x1 are hashed together to generate a challenge string e1. Accordingly, we execute the underlying Sigma protocol only once for each statement, no matter how many times it appears in the compound statement.
This saves both computation and communication compared to the original CDS composition. Let me move to the second point, where we explain generalized special soundness. Observe that the original 2-special soundness can be naturally extended to k-special soundness, where, given k valid transcripts with respect to the same first message and distinct challenges, the extractor successfully outputs a witness. There are several interesting protocols that fall into this category. In particular, Stern-like protocols are known to be 3-special sound and are used in many lattice-based and code-based constructions. To explain how the original CDS falls short with k-special sound protocols, we first recall that k-special sound protocols can have a large soundness error. It means that it might be possible to answer multiple challenges without knowing the witness. Now recall that in the CDS composition, the given challenge e is shared into e1 and e2. Since it is possible to answer up to this number of challenges in each part, if their combinations cover all possible challenges, it is possible to complete the protocol without knowing the witness. Here is a toy example of the 3-special sound case with the challenge space consisting of 0, 1, and 2. It has a soundness error of two thirds, and it is possible to answer two challenges without knowing the witness. If a1 and a2 are set so that one can answer the two challenges 0 and 1 for x1 and 0 and 2 for x2, then their combination allows one to answer any e in {0, 1, 2}. The share-then-hash modification can solve the problem. Suppose that the challenge space is exponentially large. To cover the whole space, at least one of these variations must be exponential. Then, if F is a random oracle, challenges are distributed uniformly over the challenge space. However, it is hard to prepare a first message for which one can answer exponentially many random challenges.
Actually, in the paper, we prove soundness in several cases where the hash functions used for the Fiat-Shamir transform and the share-then-hash modification are modeled as programmable or non-programmable random oracles. Now we move to the third point, where we explain how our new technique leads to a security proof in the non-programmable random oracle model for the converted signature schemes. Think about a signature scheme obtained from CDS and the Fiat-Shamir transform. In the minimal setting, a public key consists of two instances of a hard language, and a signature is an OR proof of the statements where the message is included in the input to the hash function. The signature scheme is indeed secure if the hash function is modeled as a programmable random oracle. A question is whether the same holds in the non-programmable random oracle model, where the random oracle is out of the control of the reduction algorithm. The proof would be done by reducing unforgeability to the statistical soundness of the underlying Sigma protocols. The signing oracle can be simulated without manipulating the output of the random oracle if one of the witnesses is given to the simulator. A problem is that when the adversary succeeds, there is no way to see whether the adversary was successful in attacking the other instance, whose witness is not known to the simulator. Indeed, Fischlin, Harasser, and Janson showed that its unforgeability cannot be proved by a black-box reduction in the non-programmable random oracle model. In the case of share-then-hash, we have another hash oracle here. Then, by observing the order of queries and answers from these hash oracles, one can see which instance is being attacked. For example, look at this case where a1* in a forged signature is returned from hash function H before e1* is returned from F. It means that a1* is fixed before its challenge e1*.
Thus, z1* is a real answer that can be obtained only by breaking the soundness of the underlying protocol on statement x1. This property helps to prove unforgeability in the non-programmable random oracle model. In this work, we have proposed a simple modification to the CDS composition of Sigma protocols. While there are techniques to improve properties of CDS in specific settings, our advantage is the generality and simplicity of the modification. Thanks for listening.
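The OR case of the share-then-hash composition described in the talk, written out as an added Python example. This code is not from the paper or the speaker; it is an illustration for the reader. It instantiates the basic Sigma protocol with Schnorr proofs of knowledge of a discrete logarithm in a toy group (p = 1019, q = 509, g = 4, chosen only so the code runs and far too small to be secure), uses SHA-256 with two different domain-separation labels as the independent hash functions H (Fiat-Shamir) and F (share hash), and includes the 2-special-soundness extractor so the transcript-recycling hazard from the talk (two accepting transcripts on one first message with different challenges leak the witness) can be seen concretely. All function names and the proof encoding are this example's own choices, not notation from the paper.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this example only (not secure at this size):
# a safe prime p = 2q + 1 and a generator g of the order-q subgroup of Z_p^*.
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1


def _hash_to_zq(label: bytes, *parts) -> int:
    """Domain-separated SHA-256 of the given values, reduced into Z_q."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(repr(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % Q


def fiat_shamir(stmt, first_msgs):
    """H: Fiat-Shamir hash of the statement and all first messages -> top-level challenge e."""
    return _hash_to_zq(b"H:fiat-shamir", stmt, first_msgs)


def share_hash(stmt, index, *shares):
    """F: hashes every share assigned to basic statement `index` into its challenge e_i.
    Kept independent of H by the domain-separation label, as the talk requires."""
    return _hash_to_zq(b"F:share-then-hash", stmt, index, shares)


# Basic Sigma protocol: Schnorr proof of knowledge of w with y = g^w.
def schnorr_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def schnorr_respond(r, w, e):
    return (r + e * w) % Q


def schnorr_verify(y, a, e, z):
    return pow(G, z, P) == (a * pow(y, e, P)) % P


def schnorr_simulate(y, e):
    """Special HVZK simulator: for a given challenge, pick z and solve a = g^z * y^(-e)."""
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(y, (-e) % Q, P)) % P
    return a, z


def extract(e1, z1, e2, z2):
    """2-special soundness: two accepting transcripts sharing a first message but with
    e1 != e2 give w = (z1 - z2) / (e1 - e2). This is why a first message must never be
    answered twice under different challenges."""
    return ((z1 - z2) * pow((e1 - e2) % Q, -1, Q)) % Q


def or_prove(stmt, known, w):
    """Share-then-hash OR proof for stmt = (y1, y2); the prover knows w for stmt[known]."""
    i, j = known, 1 - known
    a, s, z = [None, None], [None, None], [None, None]
    # Simulated side: pick the share s_j at random, derive its challenge through F,
    # then simulate a transcript for that challenge.
    s[j] = secrets.randbelow(Q)
    a[j], z[j] = schnorr_simulate(stmt[j], share_hash(stmt, j, s[j]))
    # Real side: honest first message.
    r, a[i] = schnorr_commit()
    # Fiat-Shamir challenge over both first messages, additively shared at the *input* of F:
    # s_i + s_j = e, and the real challenge is e_i = F(s_i).
    e = fiat_shamir(stmt, tuple(a))
    s[i] = (e - s[j]) % Q
    z[i] = schnorr_respond(r, w, share_hash(stmt, i, s[i]))
    return {"a": tuple(a), "s": tuple(s), "z": tuple(z)}


def or_verify(stmt, proof):
    """Recompute e, check the sharing relation s1 + s2 = e, then verify each basic
    transcript against its hashed share F(s_k)."""
    a, s, z = proof["a"], proof["s"], proof["z"]
    if (s[0] + s[1]) % Q != fiat_shamir(stmt, a):
        return False
    return all(schnorr_verify(stmt[k], a[k], share_hash(stmt, k, s[k]), z[k]) for k in (0, 1))


def demo():
    """Prove y1 OR y2 knowing only the witness for y1; return (accepts, tampered_accepts)."""
    w1 = secrets.randbelow(Q - 1) + 1
    y1 = pow(G, w1, P)
    y2 = pow(G, secrets.randbelow(Q - 1) + 1, P)   # its witness is discarded on purpose
    stmt = (y1, y2)
    proof = or_prove(stmt, 0, w1)
    tampered = dict(proof, s=((proof["s"][0] + 1) % Q, proof["s"][1]))
    return or_verify(stmt, proof), or_verify(stmt, tampered)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point to notice when reading the prover is that the simulated side's challenge is no longer a value the prover picks; it is F applied to a share the verifier gets to see, which is what lets the paper's arguments about repeated statements and k-special-sound protocols go through. With a real deployment, the group would be a standard prime-order group and the statement (and any message, for the signature use) would be included in every hash input.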