 Hello. In this video, I'll talk about Sigma protocols for MQ, PKP and SIS and fishy signature schemes. This paper is available on e-print with number 2019-490. So let's get started. The main contribution of this paper is the construction of zero-knowledge proofs of knowledge for three problems. The first of these problems is called the multivariate quadratic problem, and here we are given a multivariate quadratic map F, which is a list of M quadratic equations in N variables. And the goal is to find a vector S such that F of S is equal to zero. So really, we're just trying to find a solution to a list of multivariate quadratic equations. And the goal of this paper is to be able to prove in zero-knowledge that you know such a vector S. This means you want to prove that you know such a vector without revealing anything about the vector itself. The second problem is called the permutative kernel problem, and here we are given a white matrix A, which is a matrix that has more columns than rows, and we're also given a vector V. And the goal is to find a permutation of this vector V. There's a new vector whose entries are a permutation of the entries of V, such that this permuted vector sits in a kernel of A. And again, the goal of the paper is to prove that we know such a vector without revealing anything about the vector itself. And finally, we have the short integer solution problem, which is probably the most well-known of these three problems, where we are again given a white matrix, and again we want to find a vector in the kernel of this matrix, but now the constraint is that we have to find a vector whose L2 norm is bounded by some given bound. The zero-knowledge proofs in this video are examples of sigma protocols. Sigma protocols are protocols with a three-round structure that are started by the prover who sends a commitment to the verifier, then the verifier sends a challenge back to the prover, and finally the prover sends a response back to the verifier, and then the verifier will either accept the proof or reject the proof. There exist sigma protocols for the three problems that we are interested in. For example, there's psychomotor-adults protocol for MQ, there's Shamir's protocol for PKP, and there's Stern's protocol for SIS. However, a common problem with these three protocols is that they have a soundless error of two-thirds. This means that even if a prover does not know a solution, he can still convince the verifier that he knows a solution to probability 2 out of 3. To solve this problem, you can repeat the protocol a large number of times because the probability that the prover will be able to successfully convince the verifier in each iteration gets very low if you have more iterations. For example, if the soundless error is two-thirds and you repeat it 2 to the 90 times, then you get a soundless error that is lower than 2 to the minus 128. One of the reasons why sigma protocols are so useful is because they can be transformed into signature schemes with the Fiat-Shamir transform. As long as you start from a sigma protocol for a computationally hard problem, you will end up with a secure signature scheme. Since the MQ problem and the PKP problem are believed to be computationally hard, even against quantum adversaries, we have reason to believe that if you apply the Fiat-Shamir transform to a sigma protocol for MQ or for PKP, you will end up with a post-quantum secure signal. However, since we need to repeat the sigma protocols a large number of times in order to get soundness, the signature schemes will not be very efficient. For example, if you need to repeat the sigma protocols 290 times, then the size of your signature will be 290 times bigger, and also the time to verify your signature will be 290 times slower. In this graph, we show two signature schemes that are derived from the Fiat-Shamir transform. In red, we have MQ-DSS, which is based on the MQ problem, and which is one of the round two candidates from the NIST post-quantum competition. In blue, we have PKP-DSS, which is based on a primitive kernel problem, which is a finalist from a Chinese post-quantum competition. For both these signature schemes, the signature size is relatively large. For example, at the NIST level 1 security level, the MQ-DSS signature schemes have signature size of 28 kilobytes, and PKP-DSS has a signature size of 20. In this work, we make sigma protocols which have a lower soundness error, and therefore they have to repeat it a lower number of times in order to get soundness, which will eventually result in more efficient signature schemes. As a first step towards a more efficient sigma protocol, we will first relax the definition of a sigma protocol a little bit. We will introduce a trusted third party called the helper, which will start in the beginning of the protocol by running a computation and sending the result of this computation to the verifier as some auxiliary information, and it will send the seed that I used to seed this computation to the prover. And from then on, the sigma protocol is just like a normal sigma protocol with a commitment, a challenge, and a response. It's not surprising that if you have the help of this trusted third party, you can come up with more efficient protocols. In the case of MQ and PKP, we can come up with protocols that have a knowledge error of only one divided by Q prime, where Q prime is any integer between one and Q, the size of the finite field in the MQ problem and the PKP problem. So this is a nice observation, but at first sight, it doesn't look like this is something very useful because trusted third parties are hard to come by, and even if you had a trusted third party, there's no point of doing a sigma protocol anyway because you can just send your solution to the trusted third party and the trusted third party will tell the verifier if the solution is correct or not without revealing anything. However, it turns out that there's a simple procedure that allows you to remove the helper from the protocol and get back to a normal sigma protocol where there's no trusted third parties. The overhead in doing this is dominated by the prover building a merkle tree with Q prime leaves, so the prover times goes up by an amount that's linear in Q prime, and the prover also needs to include a path in his merkle tree in the response, so the proof size goes up by an amount that is lower rhythmic in Q prime. So at first, we win some efficiency by introducing the helper, and later we lose some of that efficiency because we have to do this transformation that gets rid of the helper again. But overall, it's still a net improvement in efficiency. With this ID, we create two new signature schemes, one based on the MQ problem and one based on the PKP problem. The one based on the MQ problem, we call the multivariate quadratic Fiat-Charmier scheme or MATF for short. We see that compared to MQ DSS, the candidate in the NIST competition, we have signatures that are half as big, and with our implementation, the signing algorithm is also two times faster. From a geometric perspective, you can think of each role of the matrix in a primitive kernel problem as defining a hyperplane, and then the problem is to find a permutation of a vector that lies in all these hyperplanes. Therefore, we call our new signature scheme a shuffled solution in hyperplanes Fiat-Charmier scheme or SushiFish for short. In this graph, we show three instantiations of SushiFish with different values of Q prime. This gives a trade-off between signature size and signing time. Compared to PKP DSS, the candidate from the Chinese postcompetition, we see that with our implementation, the signing time is slower, but the signature size is significantly smaller. So far, I've given a broad overview of the paper. For the remainder of this video, I'll talk about three more things. First, I'll explain the Sigma protocol with helper for the primitive kernel problem. Then, I'll show how we can remove the helper from the protocol to get a normal Sigma protocol again. And then finally, I'll say something about how we can use this work to improve the zero-knowledge proofs for the SIS problem. So first, the Sigma protocol with helper for the primitive kernel problem. First, I'll give a Sigma protocol that is totally not secure, and then I'll show how we can fix it by introducing a helper that makes the protocol secure. So for now, we have a protocol between two parties. On the one hand, we have the prover, who knows the matrix A and the vector V, and the solution pile so that if you permit V with pile, you get the vector in the kernel of A. And on the other hand, we have the verifier who knows A and V, but who doesn't know a solution. The prover starts the protocol by sampling a random permutation Sigma and a random vector R. Then, he mask his solution pile with the inverse of Sigma to compute a permutation row, and he computes Y as A times R, permuted with row. Then, he sends these values to the verifier, who picks a random challenge in the challenge space and sends it back to the prover. The prover then computes his response as R plus Alpha times V, permuted with Sigma, and he sends his response to the verifier. To verify the proof, the verifier just checks whether Y is equal to A times X, permuted with row. If both parties stick to the protocol, and if pile is a solution to the PKP problem, then this check will always pass. This is because if you write out what A times X, permuted with row is, it is equal to Y plus Alpha times A times V, permuted with Pi. Therefore, if Pi is a solution to the permitted kernel problem, that A times Alpha times V, permuted with Pi part will drop out and the equality holds. It's easy to see that this is a zero-knowledge protocol, because a prover only sends a uniformly random permutation row and a uniformly random vector X, so this does not leak any information about Pi, and it also sends the vector Y, but Y can be computed from X and row, so this does not carry any additional information either. The protocol almost has special soundness, but not quite. An almost prover, if you're given two different challenges, Alpha 1 and Alpha 2, it will return two different axes, X1, which is equal to R plus Alpha 1 times V, permuted with Sigma, and X2, which is R plus Alpha 2 multiplied by V, permuted with Sigma. This is a problem that we have to solve in order to recover the permutation Pi. Since the size of the challenge space is Q prime, this would mean that the protocol has a soundness error of 1 divided by Q. The problem with this argument is, of course, that the cheating prover does not have to be A, honestly, so nobody forces him to return X1 and X2 that allow us to extract the permutation Pi. To solve this problem, we are going to use the trusted third party. The real Sigma protocol with helper. In the beginning of the protocol, the helper samples a Sigma and R as before, and is going to compute all the commitments that the prover might have to send to the verifier. Then he's going to commit to all of them and put them in a big Merkle tree. This is only possible because there are only polynomially many elements in the challenge space. Then the helper sends a root of the Merkle tree to the verifier, and he sends a randomness to see this computation to the prover. Then the protocol proceeds as before, except that now when the prover has to send his response, he can no longer respond how he wants, but he has to open one of the commitments that was created by the helper. And to do this, he needs to include a path in the Merkle tree to prove that his commitment was correct. This way, we are convinced that the prover sticks to the protocol, and we get a sound Sigma protocol with helper with sound as error 1 divided by Q prime. Now I'm going to show how to transform the Sigma protocol with helper into a normal Sigma protocol that does not need the help of an additional party. The idea is very simple. Since there's no helper anymore, we're going to make the prover do the work of the helper. But we have to make sure that the prover doesn't cheat, so we're going to make him do the work of the helper K times to make K setups, and then we allow the verifier to pick one of these setups to do the protocol with, and we allow it to verify if the other K-1 setups are generated correctly. The prover starts the protocol by running the job of the helper K times to produce K sets of auxiliary information which he sends to the verifier. He also runs the first phase of the Sigma protocol for each of these setups to come up with K commitments which he sends to the verifier. The verifier will pick one of the setups for which he wants to continue the protocol and it will pick a challenge for this execution. Then the prover responds to this challenge and he also sends a seed for the other executions for which they didn't finish the protocol. This allows the verifier to check if these K-1 setups were generated correctly. The soundest error of this protocol is the maximum of 1 over K and 1 over Q prime. This is so because either the prover cheats in one of his K setups, in which case it will be caught probably 1 minus 1 over K, or if it's honest in all his K setups, then the soundest of the underlying Sigma protocol with helper kicks in and we know that the soundest error is at most 1 divided by Q prime. This transformation increases the runtime of the protocol by a factor which is linear in K because the prover has to do the setup K times. It also looks like the proof size will increase by an amount that is linear in K because the prover has to send K sets of auxiliary information and K commitments. But this can be optimized away and the proof size can be increased by an amount that is lower in K. In the last part of the video we will talk about how we can use our work as a more efficient alternative to Stern's protocol for SIS and many other lattice-based relations. A common strategy for ZNR's proofs for many lattice-based relations is to first transform the lattice problem into a problem of the following form. Given a matrix A, a vector V, and a target vector T, the problem is to find a permutation such that if you permute V with this permutation, then A times the permutative vector is equal to the target vector. This problem is very similar to the permutative kernel problem except that now on the right-hand side we have a non-zero target instead of zero. Sometimes there is an additional constraint that demands that the permutation pi lies in some subgroup of the permutation group. Then the next step is to prove that you know a solution to this problem with Stern's protocol. For an example of how we can transform a lattice problem into a pKp-like problem we can look at the binary SIS problem. In the binary SIS problem we are given a matrix A and the problem is to find the binary vector such that A times this vector is equal to zero. It is equivalent to a pKp-like problem where the matrix is twice as long as A where the first half is A itself and the second half is just a matrix full of zeros. And we define a vector V where the first half is equal to zero and the second half consists of all ones. Then the problem is to find the permutation of this vector V such that our extended matrix times the permutative vector is equal to zero. It is easy to see that these two problems are the same because if you have a solution for the binary SIS problem then you can transform it into a solution for the pKp problem and the other way around also. This idea can be generalized to more complex lattice based relations such as SIS with arbitrary bounds, algebra E or proofs of the equation and so on. This idea that a particular protocol can prove is so close to the pKp relation we can just plug in our pKp-sigma protocol instead of string protocol and get a big decrease in proof size. As a concrete example we will look at LWE. We take a modulus of 32 bits at dimension 1024 and the entries of the secrets and the error terms are minus one zero or one. Then the problem of finding an S and an E can be reformulated as a pKp-like problem where the dimension is 496. Then if we use our sigma protocol to prove this pKp problem then it takes only 233 kilobytes. In contrast if we were to use string protocol then the proof size would be 2.3 megabytes which is 10 times larger. If you want a more detailed comparison between our protocol, string protocol and other proof systems for user-based relations please have a look at the paper. In conclusion in the paper we show that if you have the help of a helper party that does a trusted setup for you every time you are going to execute a protocol then you can use this to construct more efficient sigma protocols for MQ and pKp. Moreover we show that removing this helper from the protocol again can be done in a relatively cheap way. This results in sigma protocols that are more efficient than existing sigma protocols for MQ and pKp. If you apply the Fiat-Charmier transfer to these new sigma protocols we end up with new post quantum signatures which we call mudfish and sushifish. Mudfish and sushifish are more efficient than existing signatures that rely only on the hardness of MQ and pKp. And finally we saw that we can use our pKp sigma protocol as a more efficient alternative to string protocol for many last days. That's all. Thanks for watching.