Hello, I'm Roberto Parisella and I'm going to present Efficient NIZKs for Algebraic Sets. This is a joint work with Geoffroy Couteau, Helger Lipmaa, and Arne Tobias Ødegaard. The language associated to a relation R is defined as the set of statements x for which there exists a witness w such that (x, w) is in the relation. An element in the language is called a true statement; an element not in the language is called a false statement. An interactive zero-knowledge proof is a protocol between two parties. One of them, the prover, has as input a pair (statement, witness) and has to convince the other, the verifier, that it knows the witness, without revealing any additional information. The parties interact and the verifier, at the end, having as input the statement and the whole set of exchanged messages, which is also called the proof, has to output accept or reject. It outputs accept if it is convinced that the prover knows the witness. We require these protocols to enjoy the following three properties. They have to be complete, which means that an honest prover always convinces the verifier. They have to be sound, which means that a malicious prover cannot convince the verifier; in particular, it should be impossible to make the verifier accept a false statement. And they have to be zero-knowledge, in the sense that at the end of the interaction the verifier has learned nothing about the witness. We are also interested in non-interactive zero-knowledge proofs, a particular kind of zero-knowledge proof that consists of only one message sent by the prover to the verifier, which then only has to output accept or reject. We are interested in non-interactive zero-knowledge proofs, which we call NIZKs for short, not only because verification is possible even when the prover is offline, but also because they are used in many applications and as a primitive to build more complex cryptographic tools.
However, in order to define a NIZK, we must assume the existence of a trusted third party that computes and makes available to both prover and verifier a common reference string, or CRS for short. For instance, this CRS can be the description of a hash function, or an element from some distribution, or, as in our case, an element sampled from the uniform distribution over a cryptographic group. The existence of this trusted third party is necessary in order to define NIZKs which are both sound and complete. Let's move on with an overview of the existing NIZK constructions and compare them in terms of efficiency, expressiveness, and security; at the end I will also compare our new NIZK construction to show how it performs with respect to the others. The first NIZK construction is due to Fiat and Shamir, and their core idea is a compiler that defines a NIZK from a particular class of three-round public-coin interactive proofs of knowledge, called Sigma protocols. Their compiler uses cryptographic hash functions. So these NIZKs have all the advantages of the underlying Sigma protocol, which means that they perform very well in terms of efficiency and expressivity. In fact, for many applications they are still the most efficient NIZKs we have, and they are defined for all NP languages. However, their security is proven only in the random oracle model, where the cryptographic hash function is modeled as a truly random oracle. It took quite a while before Groth and Sahai were able to define NIZKs from standard, well-established cryptographic assumptions. Those NIZKs were an outstanding result; however, they have some limitations which sometimes make them impossible to use in practice.
First of all, they are often just not efficient enough, and then they are defined only for pairing product equations, which means that in order to define a Groth–Sahai proof for a specific application, one must first find a representation of the given problem as a set of pairing product equations, which is sometimes a very hard task. Lastly, Couteau and Hartmann recently developed a new framework for defining NIZKs. Their idea is a compiler that, as for Fiat–Shamir, defines NIZKs from Sigma protocols. However, their compiler only works for a specific Sigma protocol. So even though these NIZKs have some very nice features, such as efficiency comparable to Fiat–Shamir for some applications, they also have some critical limitations. For instance, they are defined only for algebraic languages, which is a very restricted class of languages. Moreover, their security is based on the novel ExtKerMDH assumption, which can be a problem because it was a new assumption, and maybe it was also not sufficiently motivated in the original paper. Finally, with our work, we build on top of their framework and overcome their main limitations. We define NIZKs that perform slightly better than the CH20 NIZKs for most applications. More importantly, our NIZKs are defined for algebraic sets, which are, I would say, a wide and expressive class of languages. Furthermore, they rely on the CED assumption, which is a weaker version of the ExtKerMDH assumption that I will define later. So in the rest of this presentation, now that I have motivated why our result is needed, I move on to present our result in detail. Let's first start with some notation. In this paper we assume type-3 pairings, which means that we suppose no efficient isomorphism exists between group 1 and group 2. We use bracket notation, so [x] denotes the exponentiation of a fixed generator to x.
The big circle denotes the pairing operation. We denote vectors with an arrow and matrices with upper-case letters without arrows. We also need some preliminaries from the Couteau and Hartmann paper. As I said before, their idea is a compiler that defines a NIZK from one specific Sigma protocol. In the figure I just sketched the peculiarities of that Sigma protocol which are required in order to understand how their compiler works. The statement and the first message are vectors of group elements, the witness and the third message are vectors of field elements, the challenge is a single field element, and the verification equation is linear. The core idea of CH20 is to take the challenge, embed it in group 2, and publish it once and for all in the CRS. Now the compiler will compute the first message as before and, intuitively, since the prover has the challenge only in group 2, it cannot exploit this knowledge in order to cheat. Then it will compute the third message directly in group 2, and it will send the proof, a single message, to the verifier, which now performs the same verification equation but using pairings. As I mentioned before, this NIZK is sound under the novel ExtKerMDH assumption. These NIZKs enjoy some very appealing features; most of all, they give some very efficient NIZKs for specific applications, with efficiency comparable to Fiat–Shamir NIZKs. However, they have some critical limitations. The first issue arises with the assumption. First of all, the ExtKerMDH assumption is not always a falsifiable assumption: basically, they have falsifiable ExtKerMDH only for linear languages. And then the assumption is not studied enough; actually, Couteau and Hartmann pointed out that the assumption is trivially secure in the GGM.
Most important, those NIZKs are limited to algebraic languages, which are, in principle, not as expressive as pairing product equations; and as for pairing product equations, finding a representation of a given problem as an algebraic language is a hard task, which requires several hours of work from dedicated experts. It would be much more desirable to have a framework to define a NIZK directly and automatically from a high-level description of a given application. With our work, we overcome those limitations. First of all, our main idea is to define a different, novel Sigma protocol and then apply the CH compiler to this Sigma protocol in order to define a new NIZK. Actually, the Sigma protocol is not explicitly defined in the conference version of the paper, but it can be found in the full version. In the conference version, we directly define the NIZK resulting from the CH compilation. The reason why we were able to overcome the previous limitations is the following. First of all, we rely on the CED assumption, which is a weaker flavor of the ExtKerMDH assumption. Here we use weaker in the sense that stronger conditions are required of the adversary in order to win the underlying security game. Using the CED assumption, we were able to show that more cases are based on falsifiable CED, and also, even in the general case where CED is non-falsifiable, we were able to reduce CED to a single and very plausible gap assumption. But more important, instead of algebraic languages, our Sigma protocol, and thus our NIZK, relies on algebraic sets. Algebraic sets are well studied in classical algebra, we know many of their properties, and we can use these properties in our paper in order to define NIZKs for a wide class of languages and applications. One important property is that it is possible to efficiently reduce circuit satisfiability to membership in some algebraic set, as we point out in the paper.
But maybe more important, using algebraic sets we are able to define NIZKs directly and almost automatically from a very high-level description of a given problem. Let's now define formally how our languages are defined. First, we pick a finite set of polynomials over a finite field. An algebraic set is the set of x such that f(x) = 0 for each f in the set of polynomials we have chosen. Then we choose a public-key linearly homomorphic encryption scheme, and the language defined by the algebraic set and the encryption scheme is the set of encryptions of an x that is in the algebraic set. So an element in the language is an encryption of a common root of a given public set of polynomials. As I said before, our main contribution is a framework to define NIZKs directly from a very high-level description of a given application. So let's start with the first point of this framework: find a good basis for the algebraic set. An algebraic set can be seen as an ideal in a polynomial ring, and from classical algebra we know many algorithms to find a basis of an ideal in a polynomial ring. We have to run one of those algorithms only once to find a good basis of the algebraic set. We point out that this is a non-cryptographic problem; it is not solved in general, but we have methods to find a solution that is efficient enough for many interesting applications, and digging into this problem is beyond the scope of this paper. So the language is defined, as I said before, by encryptions of elements x such that f(x) = 0 for each polynomial that forms the basis of a given algebraic set. The second step is to define a NIZK given a basis of an algebraic set; solving this second point completely and almost automatically is our main technical contribution, and this is what I will explain now in this presentation.
For the sake of clarity, throughout the rest of the presentation I just stick to the simplest case of an algebraic set generated by one single polynomial. The generalization is straightforward and can be found in the paper. We choose to use ElGamal and the DLIN encryption scheme, but actually any public-key linearly homomorphic encryption scheme suffices in order to instantiate our NIZK. We use those two because with ElGamal we have the best efficiency, and with the DLIN encryption scheme we have NIZKs with some properties that I will present later. In order to define a NIZK, we have to solve three steps separately. The first one is to define a possibly small affine matrix C(X) such that the determinant of C(X) is equal to the given polynomial f(X), with some properties on top of that. The second step is to define an efficient Sigma protocol to show that the determinant of C(x) is equal to zero given an encryption of x. And the third step is to use the CH compiler to define a NIZK. As I said before, the second step is not explicitly defined in this paper, but the interested reader can find the Sigma protocol in the full version. To explain the first point, how to define this matrix C(X), let's start with the definition of a quasideterminantal representation. A given matrix is a quasideterminantal representation, or QDR for short, of a given polynomial f if it enjoys the following properties. First, each entry is an affine map of the variables of f; second, the determinant of C(X) is equal to f(X). Note that these two properties define the well-known notion of a determinantal representation of a given polynomial. But on top of that, we require a third property. If we say that the first column of C is h and the rest of the matrix is T, we require first-column dependence: for each x that is actually a root of f, we require that h(x) is in the span of the other columns of the matrix, of course evaluated at the given x.
An intuition of why those properties are needed in order to define our matrix. The matrix has to be affine because the verifier will only have an encryption of x, and it has to homomorphically compute an encryption of C(x) given the encryption of x. The property that the determinant of C(X) is equal to f(X) is needed in order to guarantee soundness. Roughly speaking, if x is a false statement, then f(x) is not equal to 0, which by this property means that C(x) is invertible, which means that we are able to break the underlying KerMDH-based assumption. And finally, the third property, first-column dependence, is a technical detail needed in order to ensure that the honest prover is efficient. OK, so far, a careful viewer could rightly think that finding a QDR matrix could be just as hard a task as finding an algebraic representation or a pairing product equation representation. Even worse, even if it is known that many interesting polynomials admit a determinantal representation, maybe those results don't carry over to the more restrictive requirements of the QDR form. We show that this is not the case, by defining a QDR matrix directly from an algebraic branching program, or ABP. An ABP is a directed acyclic graph with two distinguished vertices, s and t, and a labeling function φ such that φ assigns an affine function to each edge. The polynomial f(X) associated to the ABP is computed by taking the sum, over all the possible paths from s to t, of the product of the labels along the path. Here is a simple example: f(x, y) is a bivariate polynomial equal to x^3 + ax + b − y^2. We can see that x^3 is the product of the labels on the blue path, ax is the product on the green path, b on the red path, and −y^2 on the black path. We are able to deterministically and efficiently define a QDR matrix from an ABP.
As was already known, we start from the adjacency matrix of the graph, we remove the column corresponding to the vertex s and the row corresponding to the vertex t, and we have a matrix which is a determinantal representation of the given polynomial. That was already known. Then, on top of that, we just noted that if we replace the zeros on the lower diagonal with −1, we have a matrix in QDR form. So, to the best of our knowledge, defining a NIZK directly and deterministically from a very simple representation such as an ABP is a useful and good result, and, differently from previous constructions of NIZKs, it doesn't require dedicated expertise. Now I can show in the figure how our NIZK is defined. The statement would be an encryption of a given element x under randomness r such that the determinant of C evaluated at that element is equal to zero, and the witness would be the element x and the randomness r. The CRS, as I said before, would be a uniformly random element e in group 2. The prover has the statement, the witness and the CRS; the verifier has only the CRS and the statement, so the encryption. The prover acts in the following way. First, it uses two algorithms to compute two vectors, gamma and delta. Gamma is computed using the description of C and only x as input. Delta is computed using as additional input some internal state and the challenge. Then the proof will consist of gamma in group 1 and delta in group 2. I point out again that the first-column dependence we require for our matrix is needed in order to ensure that those two algorithms are efficient; in particular, this property ensures that the prover is able to efficiently compute gamma independently of the challenge. Then gamma and delta have to satisfy the verification equation shown at the bottom right of the slide: gamma plus C(x) times (e concatenated with delta) must be equal to zero. And the verifier just checks this verification equation using pairings.
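The ABP-to-QDR construction just sketched, worked through as an added example (my own illustration, not code from the paper or the talk): it encodes the talk's polynomial f(x, y) = x^3 + ax + b − y^2 as an ABP, derives the affine matrix C(X) = [h | T] from the adjacency matrix with the row of one terminal vertex and the column of the other removed and −1 written on the off-diagonal, and checks the three QDR properties over GF(p). Assumptions: a = 2, b and the root (3, 5) are constructed values; the prime 2^61 − 1 stands in for the scalar field of the pairing group; and the adjacency matrix is oriented so that the −1 entries land on the side where first-column dependence holds (in the transposed orientation they sit on the lower diagonal, as the talk says). The prover's use of first-column dependence is shown by solving T(x)·w = h(x) at the root to obtain a kernel vector of C(x) with first coordinate 1.

```python
"""Added example: quasideterminantal representation (QDR) of an ABP polynomial over GF(P)."""
import random

P = 2**61 - 1  # prime field standing in for the pairing group's scalar field (constructed choice)

def evaluate(label, point):
    """Evaluate an affine edge label {var: coeff} ("1" = constant term) at a point, modulo P."""
    return sum(c * (1 if v == "1" else point[v]) for v, c in label.items()) % P

# Constructed ABP for f(x, y) = x^3 + a*x + b - y^2, with a = 2 and b fixed so that (3, 5) is a root.
A_COEF, X0, Y0 = 2, 3, 5
B_COEF = (Y0 * Y0 - X0 ** 3 - A_COEF * X0) % P
N = 5  # vertices 0..4 in topological order; source s = 0, sink t = 4
EDGES = {
    (0, 1): {"x": 1}, (1, 2): {"x": 1}, (2, 4): {"x": 1},  # path s-1-2-t: x^3
    (0, 2): {"1": A_COEF},                                # path s-2-t: a*x
    (0, 4): {"1": B_COEF},                                # path s-t: b
    (0, 3): {"y": 1}, (3, 4): {"y": P - 1},               # path s-3-t: -y^2
}

def f_eval(point):
    x, y = point["x"], point["y"]
    return (x ** 3 + A_COEF * x + B_COEF - y * y) % P

def abp_eval(point):
    """ABP semantics: sum over all s->t paths of the product of the labels along the path."""
    def from_vertex(v):
        if v == N - 1:
            return 1
        return sum(evaluate(lab, point) * from_vertex(w)
                   for (u, w), lab in EDGES.items() if u == v) % P
    return from_vertex(0)

def qdr_matrix():
    """Affine matrix C(X) = [h | T]: C[i][j] is the label of edge j -> i+1, i.e. the adjacency
    matrix with the row of s and the column of t deleted, then -1 on the off-diagonal C[i][i+1]."""
    C = [[dict(EDGES.get((j, i + 1), {})) for j in range(N - 1)] for i in range(N - 1)]
    for i in range(N - 2):
        C[i][i + 1]["1"] = (C[i][i + 1].get("1", 0) - 1) % P
    return C

def eval_matrix(C, point):
    return [[evaluate(lab, point) for lab in row] for row in C]

def rref(M):
    """Reduced row echelon form over GF(P): returns (R, pivot_columns, det); det is None unless M is square."""
    R = [row[:] for row in M]
    rows, cols = len(R), len(R[0])
    pivots, det, r = [], 1, 0
    for c in range(cols):
        if r == rows:
            break
        piv = next((k for k in range(r, rows) if R[k][c]), None)
        if piv is None:
            det = 0  # a column without pivot: singular
            continue
        if piv != r:
            R[r], R[piv] = R[piv], R[r]
            det = -det
        det = det * R[r][c] % P
        inv = pow(R[r][c], P - 2, P)
        R[r] = [v * inv % P for v in R[r]]
        for k in range(rows):
            if k != r and R[k][c]:
                fct = R[k][c]
                R[k] = [(a - fct * b) % P for a, b in zip(R[k], R[r])]
        pivots.append(c)
        r += 1
    return R, pivots, (det % P if rows == cols else None)

def det_c(point):
    """QDR property 2: det C(x) must equal f(x)."""
    return rref(eval_matrix(qdr_matrix(), point))[2]

def ranks(point):
    """Ranks of C(x) and of T(x) (C without its first column h)."""
    Cn = eval_matrix(qdr_matrix(), point)
    return len(rref(Cn)[1]), len(rref([row[1:] for row in Cn])[1])

def prover_kernel_vector(point):
    """Honest-prover step enabled by first-column dependence: solve T(x) w = h(x) and return (1, -w),
    a kernel vector of C(x) with first coordinate 1; None if h(x) is not in the span of T(x)."""
    Cn = eval_matrix(qdr_matrix(), point)
    R, pivots, _ = rref([row[1:] + [row[0]] for row in Cn])  # augmented system [T | h]
    ncols = len(Cn) - 1
    if ncols in pivots:  # pivot in the h column: the system is inconsistent
        return None
    w = [0] * ncols
    for r, c in enumerate(pivots):
        w[c] = R[r][ncols]
    return [1] + [(-v) % P for v in w]

def in_kernel(point, vec):
    Cn = eval_matrix(qdr_matrix(), point)
    return all(sum(a * b for a, b in zip(row, vec)) % P == 0 for row in Cn)

if __name__ == "__main__":
    rng = random.Random(1)
    pt = {"x": rng.randrange(P), "y": rng.randrange(P)}
    root = {"x": X0, "y": Y0}
    print("ABP value == f at a random point:", abp_eval(pt) == f_eval(pt))
    print("det C == f at a random point:", det_c(pt) == f_eval(pt))
    print("f(root) =", f_eval(root), "; ranks (C, T) at the root:", ranks(root))
    v = prover_kernel_vector(root)
    print("kernel vector with leading 1 found:", v is not None and in_kernel(root, v))
```

At the root, C(x) drops to rank 3 while T(x) keeps rank 3, which is exactly why h(x) lies in the span of T(x) and the prover can solve for w; at a point where f does not vanish, C(x) has full rank 4, matching the soundness intuition that a false statement yields an invertible matrix.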
Of course, that was a simplified version of our NIZK. Now we can see in the figure how the NIZK is actually defined. The real first message would be an encryption of gamma under freshly generated randomness. The real third message would be delta, computed in group 2 because the prover has the challenge e only in group 2, together with some auxiliary element z, also computed in group 2. And the verifier, instead of checking the plain verification equation, without going too much into details, just checks an encrypted version of the verification equation, using the element z in order to eliminate the randomizers. Soundness can be proven under the ExtKerMDH assumption, which basically is an extension of the well-known KerMDH assumption. As in the case of the KerMDH assumption, we receive an input in group 2, and we have to output a matrix in group 1 such that the input is in the kernel of the matrix and the matrix has a prescribed rank. But in this case, we allow the adversary the power to extend the vector it receives as input. So this gamma in group 2 will actually be the extension of the input. And the adversary can extend this vector as long as, for each element it adds, it also outputs an additional element in group 1. So as long as a high enough number of vectors in group 1 are linearly independent, then in order to compute them the adversary must have found a non-trivial relation between the input in group 2 and the output in group 1, and this should be hard. So we say that the adversary wins if it outputs a matrix Gamma concatenated with C such that the extended vector delta concatenated with gamma is in its kernel, and the rank of this matrix in group 1 has the prescribed value, which in our case is n. Why is this sufficient for soundness? Well, because if x is a false statement, then C(x) has rank n, and then an adversary producing an accepting proof for the verification equation can be used to break the ExtKerMDH assumption.
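Why the entries of C must be affine, as an added illustration (my own code, not the paper's): with a linearly homomorphic scheme, here lifted ElGamal over a toy Schnorr group with p = 1019 (constructed, insecure parameters), a party holding only Enc(x) and Enc(y) can compute Enc(C(x, y)) entry by entry, because an affine map a·x + b·y + c translates into component-wise ciphertext exponentiations and a multiplication by g^c. The 2×2 matrix C(x, y) = [[x, −1], [c, y]] with det C = xy + c is a constructed example; pairings and the encrypted verification equation of the real protocol are not modeled here.

```python
"""Added example: homomorphic evaluation of an affine matrix on lifted-ElGamal ciphertexts."""
import random

# Constructed toy Schnorr group (insecure size): P = 2*Q + 1 with P, Q prime; G = 4 generates the order-Q subgroup.
P, Q, G = 1019, 509, 4

def keygen(rng):
    sk = rng.randrange(1, Q)
    return sk, pow(G, sk, P)

def encrypt(pk, m, rng):
    """Lifted ElGamal: Enc(m) = (g^r, g^m * pk^r). The message sits in the exponent, so the scheme is additive."""
    r = rng.randrange(1, Q)
    return (pow(G, r, P), pow(G, m % Q, P) * pow(pk, r, P) % P)

def decrypt_to_group(sk, ct):
    """Recover g^m (not m itself): u^{-sk} = u^{Q-sk} because u lies in the order-Q subgroup."""
    u, v = ct
    return v * pow(u, Q - sk, P) % P

def affine_on_ciphertexts(cts, coeffs, const):
    """Enc(sum_i coeffs[i]*m_i + const) from the Enc(m_i): raise each ciphertext component-wise to its
    coefficient, multiply the results, and fold the constant in as g^const. No secret key is needed."""
    u, v = 1, pow(G, const % Q, P)
    for (cu, cv), a in zip(cts, coeffs):
        u = u * pow(cu, a % Q, P) % P
        v = v * pow(cv, a % Q, P) % P
    return (u, v)

# Constructed affine matrix C(x, y) = [[x, -1], [c, y]], det C = x*y + c; entry = ((coeff_x, coeff_y), const).
C_CONST = 7
C_AFFINE = [[((1, 0), 0), ((0, 0), -1)],
            [((0, 0), C_CONST), ((0, 1), 0)]]

def encrypted_matrix(ct_x, ct_y):
    """The verifier-side step: Enc(C(x, y)) computed entry by entry from Enc(x) and Enc(y) only."""
    return [[affine_on_ciphertexts([ct_x, ct_y], coeffs, const) for coeffs, const in row]
            for row in C_AFFINE]

def reference_matrix_in_group(x, y):
    """g^{C(x, y)[i][j]} computed from the plaintexts; used only to check the homomorphic result."""
    return [[pow(G, (cx * x + cy * y + const) % Q, P) for (cx, cy), const in row] for row in C_AFFINE]

def homomorphic_matrix_matches(x, y, seed=0):
    """Encrypt x and y, evaluate C homomorphically, decrypt to the group and compare with the reference."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    ct_x, ct_y = encrypt(pk, x, rng), encrypt(pk, y, rng)
    decrypted = [[decrypt_to_group(sk, ct) for ct in row] for row in encrypted_matrix(ct_x, ct_y)]
    return decrypted == reference_matrix_in_group(x, y)

if __name__ == "__main__":
    print("Enc(C(x, y)) decrypts to g^{C(x, y)}:", homomorphic_matrix_matches(5, 9))
```

Only `affine_on_ciphertexts` runs on the verifier's side; the decryption is there purely to check the result, since in the protocol nobody holds the secret key and the check is instead done in the exponent with pairings.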
But actually, we require a weaker condition in order to guarantee soundness, because we only require that the rank of C is equal to n. So previously we said that the adversary wins if the rank of Gamma concatenated with C is equal to n, while for soundness it suffices that the adversary wins only if the rank of C is equal to n. Which means that we actually don't need the full power of the ExtKerMDH assumption, but only a weaker version of it; that is what suffices for the soundness of our NIZK argument. And that's why we introduce the CED assumption. Here I just recall briefly that we are in type-3 pairings. The game is the same as the game for ExtKerMDH. We sample the challenge. We give its vector in group 2 to the adversary. The adversary computes a matrix in group 1 and an extension of the input in group 2. And the adversary wins the game if the extended vector is in the kernel of the matrix in group 1, and the rank of C is equal to n. Using the CED assumption means that we can guarantee better security guarantees. First of all, more cases are based on falsifiable CED, because every time we can check that the given matrix C(x) is full rank, given x as a group element, we have falsifiable CED. For instance, every time f is a product of affine functions, we can efficiently check that f(x) is equal to 0 given x as a group element, and so those cases are always based on falsifiable CED. Another case is when the algebraic set itself has only a polynomial number of elements, which is for instance the case of univariate polynomials. So algebraic sets generated by univariate polynomials are sound under falsifiable CED, and our NIZKs for those sets are sound under falsifiable CED. In the general case where CED is not falsifiable, we were able to reduce it to a single plausible gap assumption. A gap assumption is an assumption of the following kind: saying that a given problem is easy doesn't mean that another given problem is easy too.
In our case, we use the following gap assumption: if CDH is easy in group 1, it doesn't mean that KerMDH is also easy. This is a very plausible assumption, which relies on the fact that exploiting some regularity in group 1 should not carry over to exploiting the same in group 2. Lastly, slightly modifying our construction, we were able to design a NIZK based on falsifiable CED for every language. Of course, this comes at the cost of efficiency. First of all, we have to use the less efficient DLIN encryption scheme. This is because the way we rely on falsifiable CED is that we force the prover to add additional elements and we check that f(x) is equal to zero given an arithmetic circuit, with gates in group 2, that computes f(x), which means that we have to force the prover to output encryptions of x in group 2, and that's why we need the DLIN encryption scheme. To show the goodness of our method, we have some applications, of course. We have, to the best of our knowledge, the best NIZK for set membership in terms of prover and verifier efficiency and also communication complexity. We also have a very efficient NIZK to show that a point belongs to a given elliptic curve, an application needed in some scenarios in blockchains and cryptocurrencies. And we also have some very efficient NIZKs for circuit satisfiability; to the best of our knowledge, those are the most efficient NIZKs in the standard model for circuit satisfiability. As a side result, we also have a better representation of some algebraic languages, shorter than the best state-of-the-art representation, which actually means better efficiency for primitives like smooth projective hash functions. But I also think that one of the very good selling points of our paper is its generality and how easy it is to define efficient NIZKs. So we hope that, as was the case for Groth–Sahai NIZKs, more applications will come in the future.
At the end, I have some concrete efficiency comparisons. For example, in this case we have numbers for set membership NIZKs, where we just embedded the set membership problem as membership in an algebraic set generated by a univariate polynomial. In the case of Groth–Sahai NIZKs, we didn't add prover and verifier complexity because numbers are not published; they are based on our estimation, but we can see how we improve also in terms of communication complexity. Maybe it's not easy to see at first sight, but let's recall that usually elements in group 2 are twice as long as elements in group 1. So here the first line is for an optimized Groth–Sahai proof for set membership. The second line is for the previous state of the art, the CH20 NIZK. The third line is for using CH20 directly with our new algebraic language construction. And finally, the fourth line is our NIZK. Another example is the comparison of NIZKs based on falsifiable assumptions for Boolean circuit satisfiability. Here, for example, we can see that we save several elements, particularly in group 2. First of all, let's point out that the commitment, which in this case is the statement, in the case of Groth–Sahai has to be given in both group 1 and group 2, while in our case it has to be given only in group 1. So we actually save a lot just by that. And also the prover is more efficient, and the computational complexity is way better. Thanks for your attention. I hope you will find the paper interesting, and if you want, you can also look for the full version of the preprint.