This talk is on publicly-accountable zero-knowledge and small shuffle arguments. My name is Nils Fleischhacker, and this is joint work with Mark Simkin.

In this talk, I will be talking about shuffling re-randomizable commitments. What do I mean by re-randomizable commitments? Normally, when you think of commitments, you think of binding and hiding. Those properties are not important for our definitions or our construction. We need two properties of the commitment scheme. The first is perfect re-randomizability: if we commit to a message M, resulting in a commitment C, and we re-randomize C to C', then the distribution of C' is identical to that of a fresh commitment to the same message M. The second is inverse re-randomizability: if we re-randomize a commitment using randomness r, there is a procedure, the inverse re-randomization, that undoes this; inversely re-randomizing with the same randomness r gives back the original commitment. For the shuffle arguments to be useful, you would probably still want some kind of hiding property, because otherwise things become trivial. However, for our definitions and our construction this is not relevant; only these two properties are necessary.

So what does it mean to shuffle commitments? We have a list, or vector, of commitments V, with commitments C1 through C4 in this example. To shuffle means we re-randomize each of those commitments and then permute them at random. V' is a shuffle of V if and only if there exist random values r1 through r4 (in this case) and a permutation π such that the commitment at position π(i) in V' is the re-randomization of Ci with ri. For short, we write: V' is π applied to V with randomness r. A shuffle argument is then a zero-knowledge argument that we can use to prove that V' is in fact a shuffle of V.

Now, how would we do this? This is the situation we start with: we have V and V', we know that this shuffle exists, and we also know what it is, namely r and π. We want to prove, essentially, that such an r and π exist. The idea is to split (r, π) into two separate shuffles, (r1, π1) and (r2, π2), such that applying the two shuffles one after the other yields the original shuffle (r, π). In general, it is not possible to do this for all commitment schemes, but for most of them you can find such a split efficiently. As it turns out, with what we end up doing you don't actually need to, but it is possible with most commitment schemes.

Once you have split the shuffle like this, you can run a very simple Sigma protocol. In the first round, the prover sends the intermediate vector V1. The verifier then says: open the first shuffle, or: open the second shuffle. The prover replies by sending the corresponding shuffle. Say the verifier asked to open the first shuffle; then the verifier can recompute that shuffle applied to V, obtain a vector of commitments, and compare it with V1. If it is the same, they accept.
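To make the two commitment properties and the shuffle operation concrete, here is a minimal Python sketch. It assumes a Pedersen-style commitment C = g^m · h^r, which is one scheme with both properties; the modulus and generators are toy stand-ins chosen for illustration, not secure parameters, and none of this code is taken from the talk itself.

```python
# Minimal sketch of perfect and inverse re-randomizability, assuming a
# Pedersen-style commitment C = g^m * h^r. Toy parameters, NOT secure.
import secrets

P = 2**127 - 1            # toy prime modulus (a Mersenne prime)
Q = P - 1                 # order of the multiplicative group mod P
G, H = 3, 7               # stand-in generators

def commit(m: int, r: int) -> int:
    return pow(G, m, P) * pow(H, r, P) % P

def rerandomize(c: int, r: int) -> int:
    # Com(m, r0) * h^r = Com(m, r0 + r): same message, fresh randomness.
    return c * pow(H, r, P) % P

def inv_rerandomize(c: int, r: int) -> int:
    # Undo a re-randomization with the SAME r (negative exponent inverts mod P).
    return c * pow(H, -r, P) % P

def shuffle(V, rs, perm):
    # The commitment at position perm[i] of V' re-randomizes V[i] with rs[i].
    out = [None] * len(V)
    for i, c in enumerate(V):
        out[perm[i]] = rerandomize(c, rs[i])
    return out

# Example: shuffle four commitments and check the inverse property.
V = [commit(m, secrets.randbelow(Q)) for m in (1, 2, 3, 4)]
Vp = shuffle(V, [secrets.randbelow(Q) for _ in V], perm=[2, 0, 3, 1])
assert inv_rerandomize(rerandomize(V[0], 5), 5) == V[0]
```

For uniform r, multiplying by h^r makes Com(m, r0 + r) distributed exactly like a fresh commitment to m, which is the perfect re-randomizability; dividing by the same h^r undoes it, which is the inverse re-randomizability.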
The check works in reverse for the second shuffle: we start from V', inversely re-randomize those commitments, and un-permute them according to (r2, π2), and check whether the result equals V1. If it does, the verifier accepts.

Now, this is a Sigma protocol, and it is honest-verifier zero-knowledge. The simulator is very simple: you randomly choose the challenge d, randomly choose a shuffle (rd, πd), and then compute V1 from that. It is also sound. Imagine you have V and V' such that V' is not a shuffle of V. If the prover were able to convince the verifier that it is a shuffle with probability greater than one half, that would mean that in some cases the prover can answer both challenges, 1 and 2. But that would mean there exists a shuffle from V to V1 and a shuffle from V1 to V', and by the perfect re-randomizability of the commitment scheme, this implies that there exists a shuffle from V to V', contradicting the fact that (V, V') is not in the language.

Now, why do we not just use this shuffle argument? It seems nice: it is a Sigma protocol, we can drive the soundness error down by sequential repetition, and we can apply Fiat-Shamir to make it non-interactive. However, this argument is actually huge: both the first prover message V1 and the random values we need to send in the third message scale linearly with the length of the vector V. This means we can only prove relatively short shuffles efficiently. What we would want is communication that ideally scales independently of the length of the permuted vectors.

The first message is easily fixed: instead of sending V1, we just send a hash of V1. The verifier can still check this; they recompute the vector, hash it, and compare the hashes. Of course, it is then no longer a proof, only an argument, but we are perfectly fine with that. The bigger problem is the third message, the second prover message, where we need to send these random shuffles. To minimize the communication cost, we need to somehow compress them. Those are basically random values, so you could imagine replacing them with something that is not random but pseudorandom; that basically means replacing them with the output of a pseudorandom generator, so that we only need to send the seeds in the last round. This looks good, because the length of a seed is independent of the length of the permuted vectors. The problem is that this doesn't quite work: if we have an arbitrary shuffle from V to V' and we choose, for example, the seed s1, then with overwhelming probability there does not exist a seed s2 that completes the shuffle. This is annoying. However, at this point we can observe something about the applications of shuffle arguments: you very rarely need to prove that some arbitrary given shuffle is correct. In most applications, what you actually want is to shuffle something at random yourself and then prove that the result is still a list of the same things. And we can replace those random shuffles with pseudorandom shuffles; if we additionally allow the prover to choose the shuffle, then we can get somewhere.
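As a hedged illustration of this compression step, here is how an entire shuffle, re-randomizers plus permutation, could be derived from one short seed, reusing Q and shuffle from the sketch above; SHA-256 in counter mode stands in for the PRG, which is a choice of this sketch, not of the paper.

```python
# Deriving a complete shuffle from a single short seed.
import hashlib

def prg(seed: bytes, i: int) -> int:
    # SHA-256 in counter mode as a stand-in PRG.
    return int.from_bytes(hashlib.sha256(seed + i.to_bytes(4, "big")).digest(), "big")

def seed_to_shuffle(seed: bytes, n: int):
    rs = [prg(seed, i) % Q for i in range(n)]   # n re-randomizers
    perm = list(range(n))                        # PRG-driven Fisher-Yates
    for i in range(n - 1, 0, -1):
        j = prg(seed, n + i) % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return rs, perm

def apply_seed(V, seed: bytes):
    rs, perm = seed_to_shuffle(seed, len(V))
    return shuffle(V, rs, perm)
```

The counterexample in the text is now easy to see: for a fixed intermediate vector V1 and target V', only about 2^|s2| shuffles are reachable from a seed, while the number of possible shuffles is vastly larger, so with overwhelming probability no seed s2 maps V1 to V'.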
So basically, we would allow the prover to choose V'. The issue is that in the normal framework of zero-knowledge arguments this is not possible, because there we do not allow the prover to choose part of the statement. However, we can actually define something like this, and that is exactly what we do. We define a new kind of language, which we call a partially fixable language. A partially fixable language L is a subset of the Cartesian product of two sets X and Y, and for any x in X we define the sub-language Lx as the set of all pairs in L that have x as their first component. We call a language L with this structure partially fixable if we can efficiently sample uniformly from every non-empty Lx. Why "partially fixable"? Because this means we can fix x and then later let the prover choose y.

Now, how do we define arguments for this kind of language? This is what we call an argument for a partially fixed statement, and what we do is basically split the prover in two. In the first stage, the prover P0 is given only the first part of the statement, x, which in our case would be the original vector V. It then chooses the second part of the statement, which in our case would be V', together with some auxiliary information. You can think of this auxiliary information as essentially the witness for the statement; it just doesn't have to be a generic witness, it can be a very special kind of witness. In our case it would basically be the PRG seeds. Once that is done, we run a completely normal protocol between a prover P1, which gets as input the statement (x, y) and the auxiliary information, and a verifier, which gets as input only the statement (x, y) and outputs a bit indicating accept or reject.

For this kind of argument, we need to define completeness and soundness. Completeness differs a bit from normal arguments: we say that for any x such that Lx is non-empty, that is, there exist pairs with x as the first component, running both stages of the protocol yields a statement (x, y) that is actually in the language, and the verifier accepts with probability 1. The difference to a normal completeness definition is that we additionally require that the statement the prover produces is actually correct. Soundness is just normal soundness: for any PPT prover and any statement not in the language, the probability that the verifier accepts is at most negligibly larger than the soundness error ε, which for our protocol so far was one half.
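Specialized to shuffles, the two stages and the compressed Sigma protocol could look roughly as follows, reusing apply_seed, seed_to_shuffle, and inv_rerandomize from the earlier sketches; hash_of and unapply_seed are hypothetical helpers of this sketch, not names from the paper.

```python
# Two-stage prover for the partially fixed shuffle statement (2-split version).
import hashlib, secrets

def hash_of(V) -> bytes:
    h = hashlib.sha256()
    for c in V:
        h.update(c.to_bytes(32, "big"))
    return h.digest()

def unapply_seed(Vp, seed: bytes):
    # Inverse of apply_seed: un-permute, then inversely re-randomize.
    rs, perm = seed_to_shuffle(seed, len(Vp))
    return [inv_rerandomize(Vp[perm[i]], rs[i]) for i in range(len(Vp))]

def prover_stage0(V):
    # P0: given x = V, choose y = V' and aux = (s1, s2).
    s1, s2 = secrets.token_bytes(16), secrets.token_bytes(16)
    return apply_seed(apply_seed(V, s1), s2), (s1, s2)

def prover_commit(V, aux) -> bytes:
    return hash_of(apply_seed(V, aux[0]))        # first message: h = H(V1)

def prover_respond(d: int, aux) -> bytes:
    return aux[d - 1]                            # reveal only the seed s_d

def verify(V, Vp, h, d, s_d) -> bool:
    if d == 1:                                   # recompute V1 forwards from V
        return hash_of(apply_seed(V, s_d)) == h
    return hash_of(unapply_seed(Vp, s_d)) == h   # or backwards from V'
```

The transcript is now just (h, d, s_d), whose size is independent of the length of V, which is exactly the compression we were after.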
What remains to be defined is zero-knowledge, and here again we diverge a bit from the normal definition, because we have this first stage where the prover chooses y. As usual, we have two worlds. In the real world, the prover chooses y and the auxiliary information; then we have an execution between the honest prover and a malicious verifier, and at the end of this execution the malicious verifier outputs some information S. In the simulated world, the second part of the statement, y', is instead chosen uniformly at random from Lx. This y', or rather the combination of x and y', is given to the simulator; the simulator can now interact with the malicious verifier, may also rewind it, and finally outputs some information S'. We say the protocol is zero-knowledge if the two tuples (x, y, S) and (x, y', S') are computationally indistinguishable. This differs from normal zero-knowledge in that we also require the statements themselves to be indistinguishable. This is necessary because we need the y that the prover outputs to be indistinguishable from a uniformly chosen y'; otherwise the prover could cause some weird distribution of statements, and we don't want that. In our case, the uniformly random object is a uniformly random shuffle of the input vector, so the prover must output something indistinguishable from a uniformly random shuffle.

So what does that mean for our protocol? Well, it basically just works now. You can think of the top part as the first stage of the prover: given V, which is the x in the definition, the prover chooses the seeds s1 and s2, computes V', which is the y in the definition, and outputs s1 and s2 as the auxiliary information. And now the prover can actually do this proof, because there is no longer the problem of having to prove an arbitrary shuffle; we get to choose which shuffle to prove. In the last round we only have to send the seed sd, whose size is independent of the length of the vector, so the whole transcript is independent of the length of the vector.

However, the protocol still only has soundness error one half, and the problem is that we can no longer use sequential repetition. If you sequentially repeat this protocol, you end up with a different V' in every repetition, so you are not re-proving the same statement over and over, but proving a fresh statement each time, which means the soundness error does not actually go down. We can get a somewhat better soundness error by splitting the shuffle further: instead of splitting it in two, we split it into T shuffles, the verifier points at one of them, and we give them all shuffles except that one. This still works: the verifier can compute forward up to the gap and backward up to the gap and check that all the intermediate vectors are consistent. This gives a soundness error of 1/T instead of one half, which is better, though still not great.

The length of this transcript is still independent of the length of the vector, but it now depends linearly on the number of shuffles T. We can do better by replacing the PRG seeds with the outputs of a puncturable PRF. A puncturable pseudorandom function allows us, instead of sending a whole bunch of seeds in the last round, to send a single key punctured at the position d that the verifier chose, from which the verifier can recompute all of the seeds except the one at position d. If we instantiate the puncturable PRF with, for example, the GGM construction, the transcript depends only logarithmically on the number of shuffles T.
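For concreteness, here is a hedged sketch of a GGM-style puncturable PRF, with SHA-256 again standing in for the length-doubling PRG; the punctured key is simply the log T sibling seeds along the path to leaf d.

```python
# GGM tree PRF with puncturing; T = 2**depth leaves.
import hashlib

def expand(seed: bytes):
    # Length-doubling PRG: seed -> (left child seed, right child seed).
    return (hashlib.sha256(b"L" + seed).digest(),
            hashlib.sha256(b"R" + seed).digest())

def ggm_eval(root: bytes, i: int, depth: int) -> bytes:
    s = root
    for level in reversed(range(depth)):          # follow the bits of i, MSB first
        left, right = expand(s)
        s = right if (i >> level) & 1 else left
    return s

def puncture(root: bytes, d: int, depth: int):
    # Punctured key: the sibling seed at each level of the path to leaf d.
    key, s = [], root
    for level in reversed(range(depth)):
        left, right = expand(s)
        bit = (d >> level) & 1
        key.append(left if bit else right)        # sibling of the path node
        s = right if bit else left
    return key                                     # depth = log T seeds

def eval_punctured(pkey, d: int, j: int, depth: int) -> bytes:
    assert j != d, "cannot evaluate at the punctured point"
    for idx, level in enumerate(reversed(range(depth))):
        if (j >> level) & 1 != (d >> level) & 1:  # first bit where j leaves d's path
            s = pkey[idx]                          # root of the subtree containing j
            for lv in reversed(range(level)):
                left, right = expand(s)
                s = right if (j >> lv) & 1 else left
            return s
```

In the T-split protocol, the prover would derive the seed of sub-shuffle j as ggm_eval(root, j, depth); the last message is puncture(root, d, depth), and the verifier recomputes every seed except the one at position d via eval_punctured.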
Okay, this is actually a pretty nice protocol, but it does have issues. First, we have only proven that it is honest-verifier zero-knowledge. Second, it still has a constant soundness error; 1/T rather than one half, but still constant. And it is an interactive protocol. We will see that these problems are all related; we can solve some of them and only mitigate others. Mainly, we can show that honest-verifier zero-knowledge is not a problem, because our protocol, and many protocols like it, are actually fully zero-knowledge, and we can prove this in a generic way. The constant soundness error we sadly cannot get rid of, which also means that we cannot make this thing non-interactive in any way we are aware of. If you were to apply Fiat-Shamir, you would get something non-interactive, but because of the constant soundness error the prover could simply try and retry until they obtain an accepting argument, even for false statements. So the interactivity we cannot get rid of, and the constant soundness error we also cannot get rid of, but we can mitigate its consequences somewhat.

But first, why is honest-verifier zero-knowledge not a problem? We can prove a general theorem: any three-move public-coin honest-verifier zero-knowledge argument with a polynomial-size challenge space is also zero-knowledge against malicious verifiers. Why is that the case? Honest-verifier zero-knowledge means we have an honest-verifier simulator, an algorithm that, given a statement (x, y), outputs a transcript (α, β, γ) that is indistinguishable from the transcript of an honest execution between the prover and the verifier. How do we use this to construct a simulator against malicious verifiers? First, send α to the verifier. The verifier replies with some challenge β'. This β' may in fact be exactly the β from our simulated transcript, and because the challenge space is only polynomially large, this happens with noticeable probability. If it happens, we reply with γ and we are done. This simulation works great, except that there is, of course, a significant probability that β' is not β. In that case we cannot answer the challenge, but we can rewind, get a new transcript, and try again. Doing this naively would cause all kinds of issues; we might effectively run into infinite loops and exceed our allowed runtime. So we need a clever rewinding strategy, and a strategy very similar to that of Goldreich and Kahan in fact works here: we first estimate the failure probability of the verifier, which tells us how often we need to rewind, and then this works out. We just need to be careful about the rewinding, and this means that any such protocol, in particular our protocol, which we have proven honest-verifier zero-knowledge, is in fact also fully zero-knowledge.
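A minimal sketch of that rewinding simulator, assuming hypothetical hvzk_sim and verifier interfaces; the rewinding budget would be derived from a Goldreich-Kahan-style probability estimate, which is elided here.

```python
# Simulator against a malicious verifier, given only an HVZK simulator.
# With a polynomial-size challenge space, beta' == beta happens with
# noticeable probability, so polynomially many rewinds suffice in expectation.
def simulate(x, y, hvzk_sim, verifier, max_tries: int):
    for _ in range(max_tries):                 # budget from the probability estimate
        state = verifier.snapshot()            # remember where to rewind to
        alpha, beta, gamma = hvzk_sim(x, y)    # fresh simulated transcript
        beta_prime = verifier.challenge(alpha)
        if beta_prime == beta:                 # lucky: we can answer this challenge
            s = verifier.output(gamma)
            return (x, y, s)
        verifier.restore(state)                # rewind and try again
    raise RuntimeError("rewinding budget exceeded; re-estimate and retry")
```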
Okay, the second issue: the constant soundness error. We cannot get rid of it, as much as we would like to, but we can mitigate the problems it causes somewhat. Imagine we have some execution between a malicious prover and the verifier. If the malicious prover cheats, the verifier may notice, and what we want is that the honest verifier can then produce a certificate and give it to a judge, who will rule: yes, indeed, the prover cheated; they are guilty. You can use that to enforce some kind of financial punishment against the prover. Of course, you also do not want the verifier to be able to do this against honest provers. So there is a property called defamation-freeness: if the prover is in fact honest, even a malicious verifier should not be able to produce a certificate that makes the judge rule against the prover; instead, the judge would rule against the verifier in that case.

Formally, we define publicly accountable zero-knowledge arguments, which have two properties: they are accountable and they are defamation-free. Accountability means that if a malicious prover convinces a verifier of a false statement with probability δ·ε, where ε is the soundness error, then the verifier will be able to convince the judge that the prover cheated with probability δ·(1 − ε). Defamation-freeness means that if the prover is honest, even a malicious verifier can convince the judge that the prover cheated only with negligible probability.

Now, how can we change our protocol to be publicly accountable? The first observation is that with probability (T − 1)/T, the verifier actually notices that the prover cheated, because they can see that the shuffles don't match. However, they can't do anything with that information, because the judge could say: well, you could have produced this transcript yourself. So what we introduce is that the prover signs the transcript. The prover now has a public key associated with them; at the end of the protocol they sign the whole transcript, and the verifier additionally verifies the signature and only accepts if it is valid. If the prover goes through to the end and cheated, the verifier can go to the judge and show: here is a cheating transcript, and the prover signed it, so they are guilty. However, the prover of course knows whether the verifier will accept once they see the challenge d, so this doesn't quite work yet. We need a way to hide the challenge d from the prover, and we can do this using something we call an oblivious puncturing protocol.

An oblivious puncturing protocol is a protocol between a sender, who has a puncturable PRF key, and a receiver, who has an index d; at the end, the receiver obtains the key punctured at position d. You need some security properties here: the sender must not learn anything about the index d, and the interaction, from the receiver's point of view, must be simulatable in some sense. This protocol is basically very similar to a symmetrically private information retrieval protocol, where the database of the PIR would consist of all the possible punctured keys. Such a protocol can be instantiated very efficiently, using just log T oblivious transfers, for example for the GGM puncturable PRF.
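The talk does not spell out the instantiation, so the following is only one plausible way to realize oblivious puncturing of the GGM tree with log T OTs, using the known trick of transferring per-level XOR aggregates; the OT itself is abstracted away, expand is the helper from the GGM sketch above, and the construction in the paper may differ in its details.

```python
# One OT per level: the sender offers (XOR of all left-child seeds,
# XOR of all right-child seeds); the receiver chooses with the complement
# of each bit of d and recovers exactly the sibling seeds of d's path.
from functools import reduce

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def sender_ot_inputs(root: bytes, depth: int):
    msgs, level = [], [root]
    for _ in range(depth):
        children = [expand(s) for s in level]
        msgs.append((reduce(xor, (l for l, _ in children)),
                     reduce(xor, (r for _, r in children))))
        level = [c for pair in children for c in pair]  # node order 2p, 2p+1
    return msgs

def receiver_recover(d: int, depth: int, ot_outputs):
    # ot_outputs[i] is the sender's message of side 1 - bit_i, received via OT.
    known, path, pkey = {}, 0, []   # known: all off-path seeds at current level
    for i in range(depth):
        bit = (d >> (depth - 1 - i)) & 1
        nxt = {}
        for p, s in known.items():
            nxt[2 * p], nxt[2 * p + 1] = expand(s)
        # XOR the already-known side-(1-bit) seeds out of the aggregate,
        # isolating the one unknown seed: the sibling of the path node.
        sib = reduce(xor, (s for q, s in nxt.items() if q % 2 == 1 - bit),
                     ot_outputs[i])
        nxt[2 * path + (1 - bit)] = sib
        pkey.append(sib)
        known, path = nxt, 2 * path + bit
    return pkey   # the same seeds as puncture(root, d, depth)
```

Each of the log T OTs hides its choice bit, so the sender learns nothing about d, and the receiver ends up with exactly the punctured key, matching the SPIR-like functionality described above.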
With such a protocol, the overall argument runs as follows. The first round is the same; then we run the oblivious puncturing protocol, at the end of which the verifier has received the punctured key, while the prover knows nothing about which punctured key was received. So the prover does not know whether the verifier will accept or reject, but for the verifier to accept at all, the prover must sign the whole transcript, so they do. Now, if they cheated, the verifier catches them with probability (T − 1)/T, goes to the judge, and shows the cheating transcript and the signature on it, and the judge can say: yes, this is indeed a cheating transcript, and it is signed by the prover, so the prover is guilty. This means that while we still have a constant soundness error, we also have a way of punishing cheating provers with high probability.

To conclude, I want to compare our work with several related shuffle arguments from the literature: the work of Bayer and Groth from 2012, Bulletproofs from 2018, and the Groth16 SNARK. If we do not need accountability and are fine with relatively large constant soundness errors, we get communication cost very similar to SNARKs, or even lower, depending on how large a soundness error we accept. The argument is still interactive, so in that respect it is worse than SNARKs; however, we do not need a trusted setup, and our assumptions are much weaker: we only need a collision-resistant hash function and a pseudorandom generator. If we do need accountability, then we need a CRS, though not a structured one, and we additionally need something to build oblivious transfer from, for example the Decisional Diffie-Hellman assumption, which allows an efficient instantiation. In that case we get something larger than a SNARK but still significantly smaller than Bulletproofs, which, when shuffling 100,000 commitments, are roughly twice as large. It should be noted that the communication of both our work and the SNARK does not depend on the number of commitments, whereas Bulletproofs and Bayer-Groth do: Bulletproofs logarithmically, Bayer-Groth with a square root. So our work is significantly smaller than both Bayer-Groth and Bulletproofs, and in some settings comparable to SNARKs. This means that at the cost of interaction and a constant soundness error, we get very small communication for shuffle arguments from very simple assumptions. Thank you.