 Hello everyone. OK, so let me go directly to describing the problem. So in this work, we studied the problem of proving in your knowledge and understand that large assumptions, that large committed integers satisfies certain algebraic relations. By large integer, we mean the committed integer x, y, and z are of arbitrary polynomial b-size, area equal to a polynomial n, where n is the security parameters. OK, so we consider the following relations, at least in multiplication relations, where we have a committed integer x, y, and z. And we want to prove that x plus y equal to z over the integers, or x times y equal to z over the integers. We also consider rands relations, where we want to prove that committed integer x belong to a rand amphibita, where amphibita may be public or hidden. And we also consider set non-membership arguments, where we have a public set and we want to prove that our committed integer doesn't belong to that set. OK, so the problem is interesting in the context of cryptographic protocols when we do some operation with large integers and we want to ensure some privacy preserved in features. For example, the range arguments may have application in context of anonymous credentials, anonymous cryptocurrencies, and e-voting, and so on. And set non-membership arguments may have application in blacklisting, where you want to prove that your key does not belong to the given list of blacklist keys. The problem has been receiving considerable attention. And many, many solutions have been given. And some of them are really efficient. For example, the protocol by Couture, Bitters, and Bolshevon in Yerukryp last year, or the set non-membership argument system by Bayer and Gross in Yerukryp 13. OK, so these existing solutions are based on number theoretic assumptions, like discrete loss or strong ISAs. And they are vulnerable against quantum adversaries. So it's reasonable to investigate the problem based on alternate assumptions like that are quantum resistant, for example, lattices. OK, so let me consider the problem in the lattice testing. In this testing, however, the problem is still open. OK, let me discuss a little bit about this. For instance, if we were to use the existing zero-knowledge proof system in adiolattices to prove that we have the x, y, and z are polynomial of this size, that certify the additive relations. So the known technique required to prove this addition of modulo sum q, where q is exponent large. And then each element in zq have to be represented by at least L bits. And each ring element that gives for the commitment scheme would cause thousands of L bits. As a consequence, to prove that the additive relation, and also we have to prove that the x and y are small with respect to q, because we have to ensure that no reduction mode q occurs. OK, so on at up so we need a protocol with communication cost, hundreds of thousands of L bits. So that would be very, very inefficient. Additionally, such a protocol would require very strong assumption, for example, the approximation factor for the underlying adiolatted problems had to be at least sub-exponential. And moreover, ensuring soundness for such a protocol would be non-trivial, because if we use rejection sampling techniques, for example, then the soundness property is only a relaxed soundness. And then it's not clear how to define soundness in the setting of existing. OK, so for regarding rank proofs, so we only have some limited form of rank proof from lattices, for example, proving that committed x belong to the rank from 0 to 2 to the m minus 1 for some m. And there's no efficient non-membership argument from lattice in on. OK, so our results first follows. So we provide statistical general arguments for relation among comedic integers and the very might assumption in general lattices. In our protocol, integer of polynomial b-side are committed via the sys-based commitment scheme by Kawachi, Tanaka, and Sagawa as a group 0, 8. And we only require very small modulus. That's a small polynomial moduloq. And we require a relatively weak assumption. That's the SIVP gamma is half for gamma or our sub-O of square root of l multiplied with n square root of m, OK? Our addition argument has communication cost z star plus 20 times l times kappa, where z star is the cost of proving knowledge of the valid openings for the commitments. And kappa is the number of protocol repetition in order to achieve a negligible signage error. Our range argument has communication cost z star plus O l of the time kappa for a range of size 2 to the l. So it's the logarithmic in the size of the range. Similarly, our number of arguments also scalable, which are communication cost logarithmic in the size of the set. And for multiplication, so we have a variant of the protocol that achieves sub-quadratic complexity in both communication and computation aspects, OK? OK, so now let me discuss our ideas and our techniques. OK, so our main idea is to view into the addition as binary addition would carries, and then prove in zero knowledge that the operations are done correctly. OK, so by working with binary strings, so we can work with small modulus and can work with a very weak assumption. However, proving that the binary additions are done, would carries are done correctly is not straightforward at all. In fact, to the best of our knowledge, this approach is quite natural, but it's had never been considered in the context of zero knowledge previously. OK, so let's look closely how the addition would carry is going on. Suppose that we want to add two bits x and y, would carry in bit c in, and we obtain bit z, would carry out c out. So here is a table expressing how the values of the bits arise, depending on x, y, and c in, OK? So we can observe that the x, y, c in, z, and c out are related as follows. It's captured by two equations, monologue two. First, z equal to x plus y plus c in mode two. Second, c out equal to x times y plus z times c in, plus c in mode two, OK? OK, so now let's look at the protocol for addition of l bits into x, l bits into y, and l plus 1, and we obtain l plus 1 bits into z, OK? So for every i, we will denote by like a c i plus 1, the carry out bits of the i addition. So based on the observation, we can express the whole addition by two l equation mode two, OK? So we obtain a system of equation where we have some linear term x i, y i, z i, and some quadratic term like x, x i times y i, and z i times c i. OK, so we call that we also have to prove that our integer x, y, and z are committed via the KTX commitment. OK, so the relation between the commitments, the public keys, and the committed bits, and the randomness of the commitments can be expressed by some equation most key data linear over the bits x i, y i, z i, and the randomness kj, OK? So now our goal now is to prove in zero knowledge that we know the secret bits x, y, x i, y i, z i, the carry bits c i, and the commitment randomness bits, such that on the equation mode two and mode q hold. OK, to z n, we will use the stern light techniques. OK, so let me now recall the stern light techniques. OK, so 10 to years ago in cryptos, the stern proposed a gerotin protocol for the syndrome decoding problems. OK, so that's in the context of code bay crypto. So the main idea is to use random permutation to prove some constraints of the secret witnesses that satisfy some matrix vector equations, OK? So the idea has recently adapted into the lattice testing. So recall that we have to prove that the knowledge of some secret bits and the knowledge of some product of two secret bits. So let me now recall the technique for handling the situation that that was probably in previous work. OK, so for handling secret bits, so we have a following techniques. For any bit b, so we denotes by b bar, 1 minus b, and we define the two-dimensional vector x2 of b to be b bar and b, OK? And then for any bit c, we define some permutation, depending on c, that transform a two-dimensional integer vector v, v0 and v1, into the vector vc and vc bar. So basically if c is 0, so it's keep the arrangement of the entries of vector v. If c is 1, so it's what the two coordination. OK, so we have observations. This vector v is a correct, well-formed extension of the bit b, if and only if the permutative vector pc of v is the correct extension of the bit b plus c mode 2. OK, so this equivalent is very helpful. In fact, it helps to prove knowledge of secret b. That may appear in several correlated equations. How to do that? OK, so to do that, we first extend the bit b to the vector, extend 2 of b, and then we assemble a uniformly random bit c and send the permutative vector to the verifier and convince that, OK, the left, the right-hand side of the equivalent holds. So the verifier should be convinced that the left-hand side holds would, in turn, imply the knowledge of some bit b. And the verifier should not learn any additional information about the bit b because here we have the bit c that acts as a one-time bet that completely hides the bit b. Moreover, if we want to prove that the bit b appear in two different equations, we can use the same one-time bet c in these two places. OK, next, so here is a technique of proving that we have a product of two bits, OK. For any two bits, b1 and b2, we define some vector of dimension 4, it's called x4 of b1, b2, that have the entries like this. The first one is b1 bar times b2 bar. Second one is b1 bar times b2. Third one, b1 times b2 bar. And the last one is b1 times b2. It's a binary vector of length 4, and which is an extension of the product b1, b2. Next, for any bit c1 and c2, so we define a permutation associated with the two bits such that it transforms into the vector of length 4 in a space-fixed way, such that we can obtain a similar equivalent like before. That is, we have vector v is a correct extension of two bits b1, b2. If and only if the permutic vector is the correct extension of two bits b1 plus c1, and mod 2 and b2 plus c2, mod 2. Similarly, so this equivalent will be helpful for proving knowledge of product of secret bits b1 and b2, where the bits z bits can appear in other equation, OK. So let me now go back to our protocol for insert addition. So using the permuting techniques, we can prove that all of the secrets in our equation mod 2 and mod q are where from. That includes the bits xi, yi, zi, ci, and rk, j. Also, the bit products xi, yi, and zi times ci, OK. So we also have to prove that the equation mod 2 and mod q hold to it. And we will transform all the equation into just two equations. One is equation mod 2 and one equation mod q. And then we use a random masking technique with uniformly random vector over z2 and zq, and convince the verifier that some equivalent equation holds mod 2 and mod q. OK, so that is how our argument for insert addition works, OK. Once we have it, when we can handle the addition relation of a non-negative integer, in fact, we can easily obtain an argument system for inequality and for rent. For inequality, for example, if we want to prove that x is less than y or equal to y, then we can instead prove that there exists a non-negative integer z, such that x plus z equal to y are integers. If the inequality is strict, then we prove that there exists a non-negative z, such that x plus z plus 1 equal to y. So in both cases, it's just additive relations. OK, so if we can already handle inequalities and rents versus just follows straightforwardly, to prove that x committed in the x belong to a rents and 5 beta, where, OK, so the interval can be inclusive or non-inclusive and 5 beta can be hidden or publicized or whatever. So we can reduce the problem to proving two inequalities. So x is greater than n x less than beta, for example. OK, so next, I want to discuss our argument for set non-membership. To do that, we use our technique for rent arguments, and we need some additional techniques, OK. The problem is that z follows. We are given a public set consisting of m elements, h1 to hm, other in increasing others, and whereas the quantity of the set is polynomial in the secluded parameters. And we want to prove in zero knowledge that we have a committed integer x. That does not belong to this set, OK. OK, so the target is to obtain protocol and good communication cost logarithmic indices, because that will be scalable for set with large penalty. And in fact, obtain protocol with linear complexity in m is quite trivial, OK. OK, so to do that, we process follows. First, we append, we add two more elements to the set, say, h0, which is the element consisting on the euros, and hm plus 1, which is the element consisting of on one. So the element will indicate the smallest possible and the largest possible integer of a given length, respectively. And after adding these two elements to the set, so we will prove that our committed integer belongs to an interval, hj to hj plus 1 for some j, OK. So that can be done in two steps. First, we prove a rent argument. x belongs to the interval yz for some y and some z. Second, we will prove that the yz are, in fact, elements of the set, of the extended set, OK. And they are consecutive, OK. So to do this, we need some structures, some additional structure and additional techniques, so that we can achieve complexity logarithmic in the cardinality of the set. So that is where we use a Merkel-Hastry. OK, so without loss of generality, we assume that m plus 2 is a power up 2, OK. So in this way, we can build a Merkel-Hastry based on lattice over the element of the extended set, and we prove knowledge, prove knowledge of two t-butt from the lift, y and z, to the root of a g. So this thing can be done with a technique, probably by the same set of authors in Eurogrip two years ago. And the three structures allow us to obtain argument of logarithmic size. OK, so next we have to prove that y and z are consecutive set elements. To this end, we prove that the two t-butt are, in fact, consecutive. So we prove that let v and w be the integers corresponding to the binary string indicating the two parts, and we prove that v plus 1 equal to w. So that is just one simple addition. OK, so finally, let me discuss our arguments for integer multiplication. OK, so the task is to prove that we have an L-bit integer, x and y, and a two L-bit integer, z. And we want to prove that x times y equal to z of integers. Since we already have the technique for addition, so if we apply the schoolbook multiplication algorithm, then we can carry out the multiplication via L addition. And in this case, we can obtain protocol with communication cost quadratic in the bit length of the witness. So this is a straightforward solution, and I think it's suitable for practically interesting values of L, like L's S-mode 8,000, something like this. OK, so here we are interesting in a theoretical question. Can we break the quadratic barriers? OK, so in fact, to the best of knowledge, all of the known protocol either had quadratic complexity in the communication aspect or in the computation aspect. OK, in fact, if we have some protocol that is sub-quadratic in both aspects, then it will imply some sub-quadratic multiplication algorithm. So to this end, it's good to start with some sub-quadratic multiplication algorithm, for example, the glass-suba algorithm. OK, so suppose that x and y are of the bit length L, and then we can divide, first we can divide x and y into 2 halves, x1, x0, and y1, y0 of length L over 2. Then observe that the product x times y can be computed via four partial products, x1, y1, x1, y0, x0, y1, and x0, y0, where the length of the witness now reduced by a factor of 2. So this project can be recursively done until we reach some base. And in this way, the algorithm will have a complexity quadratic in L. So kerasubas observation is that in each step, the number of partial products can be reduced from 4 to 3. So here's some clear combination of this one. And eventually, he can work with just three partial products, x1 times y1, x0 times y0, and x1 plus x0 times y1 plus y0. So doing this recursively, so the algorithm will have a complexity O in O of L to the power log 2 of 3, which is sub-quadratic. This is, in fact, the first sub-quadratic multiplication algorithm known. Our method is to emulate the kerasuba algorithm in the process of multiplying x and y. And we prove that the result, in fact, gives us the committed integers yet. So we just follow all of the steps on the algorithm and prove that each step is done correctly. So at the result, we obtain a zero-null argument for multiplicative relations with sub-quadratic communication and also sub-quadratic computation complexity. OK, so let me summarize. Is it what we deduce relation for large integers to binary addition with keras? And we prove binary operation with keras in zero-null during stern light techniques. It's allowed to work with small modulus with weak light assumption and our protocol energy scalability. OK, so here are some concrete estimation of the communication cost for our rank argument. X belongs to the rank alpha beta, where alpha beta are public. So for the rank size of 1,000, for example, the cost of proving rank membership is around 0.38 megabytes. But the cost for proving opening up the commitment is more than 3 megabytes. And it's increased linearly. For example, for rank upsize 8,000, so the cost of rank membership is already 3 megabytes. And the total cost is from 9.6 megabytes. So it's probably not efficient enough to be used in practice. The main problem here is our execution of our protocol has a constant soundness. And we have to repeat the protocol many, many times to achieve some desirable level of soundness. For example, here, we have to repeat the protocol 1 37 times to achieve soundness 2 to Z power minus 80. OK, so we hope that this problem can be improved in the near future. So that's all. Thank you for your attention.