 Y cwmwys i ni, rydyn ni'n cyd-dweud y cynhyrchol cyd-dweud, ac rydyn ni'n cyllid y cyfrwyng sydd y cyfrwyng. Y cyfrwyng digital yw'r cyfrwyng yn dda, yn y gynhyrch i'r cyfrwyng yn ei ddweud, rydyn ni'n gofyn yw'r cyfrwyng. Cymru cyfrwyng y cyfrwyng yw'r cyfrwyng yma, y cyfrwyng yn y bwysig i'r gifnodau Dysgu'r cyfnodd, y cwmddiannol. Y bwysig yw'r cyfnodd digital yw Bitcoin. A Bitcoin yw'r cyfnodd digital yn dechrau. Yn y gallu y gweithio cyfnodd yn gallu cyfnodd yn y cyfnodd. Ond yw'r cyfnodd yn gallu cyfnodd arall cwmddiannol, Ac mae'n ddweud bod yn gweithio'r propiti sydd yn gweithio'r cyhoeddfa arno. Felly ydych yn gallu gweithio'r cyhoeddfa a chymlu'r cyflawn. Felly mae'r fawr yn gweithio'r cyhoeddfa mewn cyflawn a chymlu'r adres. Ond, cyflawn cyflawn o'r cyflawn yn cynnwys. A gyda'r cyflawn o'r cyhoeddfa arno, Mynd i amser mae'r byddwch yn ysgrifwm erbyn ar gyfer gyda byddwch pleidydd a gwaith gyda'i hefyd i'r parloedd gorffjadi o'r teimlo sydd gwefnodol. Yr hynny, xerocoiwyd yw cywdingen iawn o ffordd yn ymddangos iawn o'r cyfan yn cael cyfynu llain sydd gennym beth sydd y cyfynu llai cyfnwys. Fy rydyn ni'n mynd i amparad yr unrhyw ar y cyfnwys. Mae'r cyfnwys ar y cyfnwys ynnydd gaf ar y cyfnwys, However, there are two senses in which they are not that efficient. The first is that to use a signature of knowledge, you actually have to store quite a lot of data in the ledger. And the second is that the signatures themselves take quite a long time to verify. This puts a lot of extra pressure on the miners. And that's sort of the reason that Zcash chose to use zero knowledge snarks instead, because these are very small and very fast to verify. And they provide exactly the same anonymity guarantees as signatures of knowledge. They approve provides no additional information as to who this vendor is. However, they do not provide the same trust guarantees. And in particular, on this third point here, in a zero knowledge snark, it is often possible to modify the proof in some way such that it will still verify for a different potentially false statement. This doesn't mean that Zcash is insecure. They do go to extra measures in order to prevent these styles of attacks. But if they went straight with signatures of knowledge, they wouldn't have to bother with these. In our paper, we construct the first simulation extractable snark. And we do this by... And in doing this, we also get the first succinct signature of knowledge, because they are quite linked. And to do this, we use square arithmetic programmes, as well as asymmetric bilinear groups. I'm first going to run through some definitions. In our scheme, we need asymmetric bilinear groups, and I'm not going to dwell on this too much, apart from to point out the asymmetric or type three property. We need that there is no efficient isomorphism between the two source groups. And actually, if this property doesn't hold, then our scheme will not be sound, so it's very important. S e snark stands for simulation extractable zero knowledge succinct non-interactive argument of knowledge, which essentially means that if a proof verifies, then the person who computed it knows the witness to the truth of a statement. It is correct in the sense that somebody who does know a valid witness can always convince an honest prouver. And it is sound in the sense that somebody who doesn't know a witness should not be able to convince an honest verifier. And it is also zero knowledge and simulation extractable, which I shall spend some more time on. Zero knowledge is the property that any information that is included in the proof should be something that a person who does not know the witness should be able to calculate anyway. And intuitively, when you hear this, you think that it would break soundness. But in order to be able to compute these simulated proofs, you need to know the trapdoor. So provided that there is some trusted set-up algorithm, nobody should know this trapdoor in practice. We model zero knowledge as a game. The adversary is given a proof pi, and he knows that pi has either been computed by a prouver who knows a valid witness, or it has been computed by a simulator that knows a trapdoor. However, just from looking at the proof, the adversary should not be able to figure out whether it was calculated using the witness or the trapdoor. It can guess, but it shouldn't be able to do any better than guessing. Simulation extractability is a property that cannot use old proofs in order to forge new proofs. And again, we need our trusted set-up algorithm. It generates a common reference string and a trapdoor, sends a common reference string to the adversary, sends a common reference string in the trapdoor to an oracle. And this oracle is going to be a simulation oracle. This is so that the adversary is able to query it on false statements. Actually, the proofs will look exactly the same as if we'd given it the prouver oracle because of zero knowledge. So this time, the adversary is given a common reference string, and it's allowed to query its simulation oracle up to a polynomial number of times on instances of its choice. It receives back valid proofs that we'll verify, and at the end of this process, it will output an instance and a proof. Simulation extractability is a property that if this instance and proof verifies, then either the adversary actually does know a valid witness to this instance, or it has just spat back out one of the instances and proofs provided to it by its oracle. It hasn't modified them in any way. And this directly implies sameness because knowledge sameness is simulation extractability without the oracle, basically. Snarks are also required to be used to sync, and this means that the proofs sizes are small, and the amount of time it takes to verify them is small. Signatures of knowledge should have exactly the same properties as simulation extractable snarks. Only this time, there is a message involved. And we show that by working the message into the instance, you can generate a signature of knowledge from a simulation extractable snark and a hash function. They need to be correct, they need to be zero knowledge, they need to be sound, they need to be simulation extractable. Square arithmetic programmes are going to be the MP language that we're going to be working over. So in our scheme, the proof is trying to show that they know a satisfying assignment of the values of wires in a known arithmetic circuit, and this arithmetic circuit will be an encoding of some MP language. The instance is just going to be some of the wire values that will be revealed, the witness is the remaining values of the wires. Our prever is going to commit to the values of the wires. And from these commitments, they will show that the output wires are consistent with the input wires and that multiplication and addition gates are evaluated correctly. Arithmetic circuits can be described by quadratic arithmetic programmes. These are described by a prime, which is just used to describe a field that the arithmetic circuit is over. L here is the size of the instances as well, but the interesting stuff is the polynomials. We have three sets of degree n-1 polynomials, one set to describe the left input wires, the UIX, one set to describe the right input wires, the VIX, and one to describe the output wires, the WIX. And there is also a degree n-pollinomial T of X. And a satisfying assignment of wires for an arithmetic circuit will always satisfy this equation here. So you have that the sum of the left input polynomials, scaled by the values of the circuits, of the wires, sorry, multiplied by the sum of the right input polynomials, scaled by the values of the wires, is equal to the sum of the output wires, scaled by the values of the wires, modulio this polynomial T of X. In our scheme, we're going to need that the commitment to the left input wires and the right input wires holds the same value, which can be achieved if we are willing to double the size of the circuit. So this time, there is no V of X because the V of X and the U of X polynomials are the same. And rather than a quadratic constraint, we get a squaring constraint onto our construction. Our construction can be seen as a modification of Grott's 2016 scheme. The proof is going to consist of three group elements. One can be seen as a commitment to the left input wires. One can be seen as a commitment to the right input wires. And one can be seen as a commitment to the output wires. Verification consists of checking one pairing equation. And the verifier is going to need to have some group elements due to the alpha, h to the beta, h to the delta 1, h to the delta, where alpha, beta, delta 1 and delta are all secret. There will also be some function in the instance, and this will be a polynomial in some unknown value X. Each of these pairings contributes towards knowledge soundness. And the reason for this is threefold. First, this function, f of phi, which is going to be included in the exponents, cannot be cancelled out by A or by C or by B because of this 1 over delta term that it is multiplied by. And this essentially forces the prover to use their witness, because otherwise they cannot balance that term. Second, the two pairings, e of AB and e of C, h to the delta, ensure that multiplication and addition gates are evaluated correctly. And finally, this term, e of G to the alpha, h to the beta, is used to ensure that the internal wires are consistent with one another. However, Grot's 2016 scheme is not simulation extractable, and in particular there are two generic styles of attack. In both, the adversary will modify the commitment to the right input wires B. It can either do this by exponentiating B by some known value r, and if it does this and it's elbow to also modify the commitment to the left input wires, such that the group elements still satisfy the verification equations. Alternatively, it can multiply B by h to the r delta. Again, r is some known value to the adversary. And this time it is able to adapt the commitment to the output wires, such that the verification is still satisfied. So in our scheme, we essentially are trying to find ways to get around these two styles of attack. The first one, we're going to take advantage of a second verification equation. And by including the second verification equation, we can check that the exponents of A and B are the same. This was not the case in Grot's scheme. However, we are using square arithmetic programs, so the commitments to the left input wires and the commitments to the right input wires are a commitment to the same thing. We also have to bring g to the alpha and h to the beta into the first pairing, and that is to avoid an attack where the adversary would set r equal to minus one. In the second style of attack, we're again going to take advantage of this second verification equation, but we were also extremely careful about what we gave out in the common reference string. And in particular, the common reference string is not allowed to contain the generator g. So another way of seeing that is you choose your generator g to the g dash, let's say, and you would divide it by one over gamma in order to get the secret component. OK, so now let's suppose that our adversary modifies the commitment to the right input wires B by multiplying it by h to the r. Well now, because the exponents of A and B have to be the same, it has to add exactly the same value to the exponent of A. But whether the adversary doesn't actually have this g value here, this means that for the adversary to be able to compute the A that satisfies, the known r value must depend on gamma. But then, with the first pairing, E of A due to the alpha B h to the beta, the C component is going to contain a factor of gamma squared. So provided that the common reference string contains limited information about gamma squared in the exponents, we can show that the adversary will not be able to calculate the required group element C dash such that the verification equations are satisfied. OK, and I now just need to discuss efficiency a little bit. Public parameters and the proven computation is higher than the state of the art. However, other schemes in the literature are not simulation extractable. So this was sort of a cost that we thought that we had to pay, really. However, verification is extremely efficient. There are just two verification equations and the verifier has to multiply things that depend on the instance, but not the witness. Likewise, the proof size is very small. Again, there are just three group elements. And we actually show in the full version of the paper that these two conditions are minimal for simulation extractable snarks. Any pairing-based simulation extractable snark has to have at least two verification equations and at least three group elements. A scheme was implemented in Libsnark by Popov, Keizer and Madars, and I think this came out a couple of days ago, so feel free to have a look at it. I can't take any credit for that. Thank you very much.