Thank you very much. Yeah, so as was already said, this is going to be a joint talk about two papers, which are very similar in techniques, and therefore it makes sense that they were merged. And basically the plan is that I will give a very high-level introduction into the topic and the techniques, and then Rupeng will take over in the second half and give one of the protocols and also applications of our result.

Okay, so our papers are concerned with zero-knowledge proofs for lattice cryptography, and in this area basically the main problem that one wants to solve is proving a short solution to a linear equation. So this means there's some public matrix A and some public right-hand side v, and the prover wants to prove that he knows a short vector w such that A times w equals v. Maybe the simplest example of this, which should also convince you that some natural lattice problems can be phrased in this way, is proving knowledge of an LWE secret, and therefore I've put this example on the slide: there you see that such an LWE secret you can write in this matrix-vector form, and the secret vector will then just consist of the LWE secret and the error. And I should also say that we are basically interested in really concretely efficient protocols, so protocols where the proof size is measured in kilobytes, and for this reason it makes sense to look at ring-based, or at least for this talk to focus on ring-based, problems. So if now the goal is to prove such an equation really exactly, and in particular this means that the solution you can extract from some prover is as short as the solution the honest prover really knows, then until basically this year the only proof systems for this were the so-called Stern-type proofs, and unfortunately they are very inefficient.

So for example for this ring-LWE case, if you prove this exactly with a Stern-type proof system then your proof size is a couple of megabytes large, and in our papers with our techniques we can basically improve on this by about an order of magnitude. So proving such a ring-LWE sample now takes a couple of hundred kilobytes. Before I give a high-level overview of our techniques I want to also mention other systems, but I think we have also seen this in the talk before, so maybe I try to go very quickly here. So because these Stern-type proofs have been so inefficient there have been a lot of other proof systems developed which prove slightly relaxed statements and are more efficient than Stern-type proofs, and the most important example are the so-called approximate proofs. In these proofs, what they achieve is that the vector they prove is significantly longer than the one the prover really knows, and also the equation is perturbed by some small polynomial on the right-hand side, but still for some applications this is enough, and the most important example are signature schemes. So for example the Dilithium signature scheme in the NIST competition is based on such a proof, and you can really get down to, in the case of Dilithium, 2.7 kilobytes. But for some applications this is just not enough. Then there are so-called amortized proofs, where you prove many equations at once, if you happen to have many equations that you want to prove, and then amortized over all of them they are also extremely efficient, and different from the approximate proofs they don't have this annoying perturbation factor on the right-hand side.

What they still have is that they are not exact, because the vector they prove is much longer than the one the prover knows. And then last but not least, what you also can do is transform your lattice equation to something which is amenable to discrete-log-based proof systems, for example Bulletproofs, and then prove them with Bulletproofs, if you're fine with your soundness just being based on discrete log. Okay, so much for this introduction. Now to give a high-level idea how our exact proof system works, we maybe look at approximate proofs, and basically one of the main steps in these proofs is that the prover sends some masked version of the secret. So if w is one of the secret polynomials inside this vector w, then what the prover sends is basically some challenge polynomial alpha times w plus some masking polynomial. In the case of approximate proofs what you do is you choose alpha to be a really small polynomial, and then alpha times w is small, and then with the help of a technique which is called rejection sampling you can also take the masking polynomial to be quite small, and then the verifier can basically infer something about the size of the secret polynomial from the size of the masked version of it. This is how these approximate proofs work.
What we do differently is that we actually prove that the secret polynomial inside the masking is short, or more precisely that really all the coefficients of the polynomial lie in some small interval, and the simplest case is that we prove that all the coefficients are binary, so they are 0 or 1. The standard technique to prove something to be 0 or 1 is that you prove that it's a solution to the polynomial x times (1 minus x), and for the polynomial, to now prove that really all the coefficients are 0 or 1, what you need to do is prove that the point-wise product, or coefficient-wise product, of the polynomial w times the polynomial where you flip all the bits, which is the all-one polynomial minus w, that this point-wise product is 0. And if you now look at this equation and basically replace w by our masked version of it, and now also restrict our challenges to not be arbitrary polynomials but really only integers in Z_q, then we see that we get an equation which on the left-hand side is some quadratic point-wise product and on the right-hand side is a polynomial in alpha where basically the term we're interested in appears as the leading coefficient. And this gives us a strategy to prove that the secret inside the masked secret is short, namely we basically only have to convince the verifier that the masked secret is of the correct form, so it's really r plus alpha times the secret, and that in this quadratic point-wise product there is no quadratic term, so this leading-order term vanishes. And the difficult part is to basically prove this in zero knowledge.

Before I explain how this works I want to make two observations, or maybe three. First, since we now have these coefficient-wise products, this is not really compatible anymore with the polynomial products that we have, at least in the approximate proofs, for the challenge polynomial, and this is why in the slide before I basically said we have to really restrict to integer challenges. And this is bad, because the reason why the approximate proofs are so efficient is because they can use polynomial challenges. Now if you cannot do this anymore, at least what we want to do is to choose the challenges from all of Z_q, to basically have as large a challenge space as possible, but then we also need a uniform masking polynomial, and from this follows that the simple technique in the approximate proofs to prove that z is of the correct form, by just giving out A times r, is not enough anymore, because this doesn't bind this polynomial r anymore. So this part of the approximate proofs you also have to change.

We achieve all this by using some sort of homomorphic commitment scheme, and what we need is a commitment scheme where it is possible to compute linear expressions over our ring R inside the commitment. So basically, given two commitments to two messages that the verifier doesn't know, he needs to be able to compute a new commitment to some linear expression of the messages, and if we have this, and also a proof that some commitment is actually a commitment to zero, then we have a tool to prove linear expressions inside commitments in zero knowledge. To give an example how this works: I said we need to prove that z is of the correct form, and that this is now more complicated than in the approximate proofs. What we do is that the prover gives out commitments to the masking polynomial and to the secret, and then he proves that this linear combination of the two commitments is actually a commitment to the masked secret. That is the first part. And then now to really prove that the secret is 0/1, remember that we had this quadratic point-wise relation where on the right-hand side there was this polynomial in alpha and we were only interested in the leading term. So we basically commit to these low-order terms, that we call garbage terms, and then prove that this linear polynomial with these commitments as coefficients is a commitment to this quadratic product. So this basically means that there is no quadratic term, meaning that what we wanted to prove actually vanishes.

Now in our paper there's a slightly different technique; I think I now have to be very quick to explain this. What we already have in the proof is that the prover gives out some commitment to the secret, because we needed this to prove that the masked secret is of the correct form, and this means that in this quadratic relation where we had basically twice the masked secret, we can use the actual secret once and then the masked secret only once. And to do this directly, what we would need is basically a commitment scheme where we could do point-wise products, but our commitment scheme doesn't support this, and what we use as a method to still do this is basically the fact that the NTT of a polynomial product translates to a point-wise product in the NTT domain. And then with this trick we can basically prove that in the NTT of some quadratic polynomial product, in the leading term an expression evolves which shows that the NTT of our secret polynomial is 0/1. And with this I hand over to Rupeng.

Thanks Gregor. Hi, I'm Rupeng and I will finish the remaining part of this talk. Gregor has just shown how to construct a zero-knowledge argument for linear equations with a binary solution, a very rough idea, and next I will talk about how this idea can be extended to prove much wider lattice-based relations. Both their work and our work aim to achieve standard soundness and high efficiency at the same time. Okay, let's start with our main protocol. The main relation considered in this work is linear equations with quadratic constraints over the witness. In particular, the prover needs to prove that he knows a secret vector w, marked in red here, satisfying a linear equation A w equals v and a quadratic formula f(w) equals 0, and here for simplicity we consider a simplified instance where the length of w is only three and the quadratic formula is w1 equals w2 times w3.

So to prove this, our starting point is a standard Sigma protocol in the lattice-based setting. This is perfect to prove the linear equation part, but tells nothing about the quadratic constraints. So to prove the second part we rely on the observation that after receiving the response z, the verifier is able to compute z2 times z3 and z1 times alpha, and the difference between the two products is linear in alpha if and only if w1 equals w2 times w3. So we can reduce the problem of arguing the quadratic constraint into the problem of arguing that z2 z3 minus z1 alpha, which is denoted D here, is indeed linear in alpha. To prove this we can commit to the coefficients and send the commitments c_a and c_b to the verifier, and then the verifier checks if alpha c_a plus c_b is a commitment of D. This seems to work if the commitment scheme is homomorphic, but it requires that the randomness used to commit D is equal to alpha s_a plus s_b. So next we will require the prover to send the correct randomness to the verifier, and then the verifier will check the equality of commitments using this correct randomness. The equality will hold if the commitment scheme is homomorphic with respect to addition and multiplication by a constant, so soundness is guaranteed. But partially revealing the randomness of our commitment may affect its hiding property, and thus we will compromise the zero-knowledge property of the whole protocol.

To analyze why this does not occur, we consider a concrete commitment scheme developed recently by Baum et al. In this commitment scheme the randomness s is sampled from a Gaussian distribution, and it can be proved that if we run rejection sampling on the correct randomness s, then the whole protocol is still zero-knowledge. One problem of this commitment scheme, and all known lattice commitment schemes, is that it is only homomorphic with respect to multiplication by a small constant, so here instead of sampling alpha from Z_q we will sample it from Z_p where p is a small number. Okay, this is the main part of our main protocol. The full protocol also includes some auxiliary commitments and some auxiliary proofs, but they are omitted from this talk. Notice that our protocol can perfectly prove the linear equation part with a standard Sigma protocol and can perfectly prove the quadratic constraints by arguing linear equations over the commitments, so it achieves standard soundness. Also, if p is not too small, then this basic protocol will only be repeated a few times rather than 200 times to achieve negligible soundness error, so it can achieve high efficiency.

Okay, we just talked about our main protocol, and next we will see how our main protocol can be used to prove three different and commonly used lattice relations. First we will see how to prove linear equations with short solutions. Here for simplicity we assume that the bound beta plus one is a power of two, and to prove this we rely first on the fact that an integer a is bounded if and only if it can be decomposed into a binary vector of bounded length. So in the first step we will decompose the vector w into a binary w' and prove that this binary vector satisfies a new linear relation. To prove that w' is a binary vector we rely on the following observation, that an integer a is binary if and only if it satisfies that a squared equals a. So in the next step, to prove that w'_i is binary we argue that w'_i equals w'_i times w'_i. So in this way we can transform the whole relation into a linear equation and a quadratic constraint over its witness. Okay, so this is exactly what can be proved by our main protocol.

Next I will talk about how to prove a sum of multiple linear equations. Here each b_i is a bit and is used to select each A_i w_i, and the task is to prove that the sum of the selected A_i w_i equals v. For simplicity here we consider a simplified example where m equals 2 and each w_i has length one. To prove this, let w'_i equal b_i w_i. Then we can transform the first equation into a standard linear equation, and the correctness of each w'_i and the fact that each b_i is binary can be argued via quadratic constraints. So again we know how to prove this from our main protocol.

Next we will see how to prove linear equations with a hidden matrix. Here the protocol should protect both the matrix A and the vector w, and for simplicity here we assume that A is a 2-by-2 matrix. To prove this, let u_{i,j} equal a_{i,j} times w_j, and it is very easy to see that v_1 equals u_{1,1} plus u_{1,2} and v_2 equals u_{2,1} plus u_{2,2}. So we can transform this linear equation with the hidden matrix into a linear equation with a public matrix, and the correctness of each u_{i,j} can be argued via quadratic constraints. So again we know how to prove this from our main protocol.

To summarize, from our main protocol we can construct zero-knowledge arguments for three different and basic lattice relations, and next we will see how these zero-knowledge arguments can be used to construct real-world applications. Here we will not step into the detailed constructions and only give a rough roadmap and some results. First, as just mentioned, from our main protocol we can construct zero-knowledge arguments for some basic lattice relations, and then from these zero-knowledge arguments we can construct zero-knowledge arguments for some cryptographic primitives, for example proof of knowledge of plaintext for a PKE scheme. For some of these cryptographic schemes, for example accumulators or PRFs, currently we only know how to construct zero-knowledge arguments for them from Stern-type protocols, and our work solves this problem. Next, from suitable lattice-based cryptographic schemes and zero-knowledge arguments for them we can construct primitives that are used in real-world applications, including ring signatures, group signatures, electronic cash and range proofs. If we set the concrete parameters of our schemes suitably, we find that schemes from our solution are much more efficient than those from Stern-type protocols, but less efficient than schemes from Fiat-Shamir with aborts protocols. But we stress that we don't use optimizations such as structured lattices and some application-specific optimizations, and we believe that the efficiency could directly improve if we use these optimizations. Okay, that's all. Thank you for your attention. And by the way, I will get my PhD degree this December and I will be on the market then; if you are interested please contact me. Thank you.

Could you go back to your main protocol? Sorry, could you go back to your main protocol, or is it offline? Okay. So this, I think this is this so-called binary proof, and this has been known for a few years in the discrete logarithm setting and was extended to the lattice setting last year. What's the difference of this protocol versus the previous ones?

From the previous Sigma protocol? Yeah. So what's your new technique in this protocol versus the previous one?

Okay, the main difficulty is to prove that a vector is small. In previous Sigma protocols they set everything small, for example a small r, a small alpha, and then check if z is small.

Right, but I think the previous protocols can still prove that this thing, the secret that you have, is binary. So you are proving that it's short in the previous protocols as well, by Gregor.

No, it's not by Gregor. No, no, in previous protocols they don't argue linear relations over the components, so actually we don't know how to prove that the witness is binary. No, we haven't seen that. Maybe if you say, okay, if we can use the one-out-of-many proof in that, this idea is possible, but we don't know how to make it in detail. Yeah.

Okay, thank you.
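As an added worked example, not part of the talk or of either paper, here is the algebra behind the two masked-witness checks described above, written in Python over Z_q with coefficient-wise products (the NTT-domain view Gregor mentions). The first check is the binary proof: the verifier receives z = alpha*w + r and two committed "garbage" terms, and checks that z ∘ (alpha - z) has no alpha² term. The second is Rupeng's quadratic-constraint check that z2 z3 - alpha z1 is linear in alpha. The block also carries the bit-decomposition step that turns a bounded witness into a binary one with an expanded public matrix. The modulus q = 7681, the length N = 8, every witness value, and all helper names (`binary_check`, `quadratic_check`, `bit_decompose`, `expand_matrix`, the `run_*_demo` drivers) are assumptions made for this example; commitments, rejection sampling and the auxiliary proofs are left out, so only the verifier's algebraic checks are shown, including a non-binary witness failing them.

```python
"""Added example (not from the talk or either paper): the algebraic identities
behind the masked-witness checks, over Z_q with coefficient-wise products.
Commitments and rejection sampling are omitted; only what the verifier checks
algebraically is shown. All values are constructed for illustration."""
import random

Q = 7681  # assumed prime modulus (any prime works for these identities)
N = 8     # assumed number of coefficients per vector


def pw_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def pw_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def pw_mul(a, b):
    """Coefficient-wise product (what a ring product becomes in the NTT domain)."""
    return [(x * y) % Q for x, y in zip(a, b)]


def scale(c, a):
    return [(c * x) % Q for x in a]


def mask(w, r, alpha):
    """Prover's masked witness z = alpha*w + r for an integer challenge alpha."""
    return pw_add(scale(alpha, w), r)


# Binary witness: z o (alpha*1 - z) = alpha^2 * w o (1 - w) + alpha * g1 + g0
# with g1 = r o (1 - 2w) and g0 = -(r o r). The prover commits to g1, g0 before
# seeing alpha; the alpha^2 term vanishes exactly when every w_i is 0 or 1.
def binary_garbage(w, r):
    one = [1] * N
    return pw_mul(r, pw_sub(one, scale(2, w))), scale(-1, pw_mul(r, r))


def binary_check(z, alpha, g1, g0):
    one = [1] * N
    return pw_mul(z, pw_sub(scale(alpha, one), z)) == pw_add(scale(alpha, g1), g0)


# Quadratic constraint w1 = w2 o w3:
# z2 o z3 - alpha*z1 = alpha^2 * (w2 o w3 - w1) + alpha * g1 + g0
# with g1 = w2 o r3 + w3 o r2 - r1 and g0 = r2 o r3 (linear in alpha iff w1 = w2 o w3).
def quadratic_garbage(w1, w2, w3, r1, r2, r3):
    return pw_sub(pw_add(pw_mul(w2, r3), pw_mul(w3, r2)), r1), pw_mul(r2, r3)


def quadratic_check(z1, z2, z3, alpha, g1, g0):
    return pw_sub(pw_mul(z2, z3), scale(alpha, z1)) == pw_add(scale(alpha, g1), g0)


# Bounded witness -> binary witness: each 0 <= w_i < 2^k becomes k bits (low bit
# first), and the public matrix A is expanded so that A' * bits(w) = A * w.
def bit_decompose(w, k):
    assert all(0 <= x < 2 ** k for x in w)
    return [(x >> j) & 1 for x in w for j in range(k)]


def recompose(bits, k):
    return [sum(bits[i * k + j] << j for j in range(k)) for i in range(len(bits) // k)]


def expand_matrix(A, k):
    return [[(a << j) % Q for a in row for j in range(k)] for row in A]


def matvec(A, v):
    return [sum(a * x for a, x in zip(row, v)) % Q for row in A]


def run_binary_demo(w, seed=0):
    """Honest prover flow: fix garbage terms, receive alpha, reveal z; return verdict."""
    rng = random.Random(seed)
    r = [rng.randrange(Q) for _ in range(N)]
    g1, g0 = binary_garbage(w, r)       # committed before the challenge
    alpha = rng.randrange(1, Q)         # verifier's challenge, nonzero mod q
    return binary_check(mask(w, r, alpha), alpha, g1, g0)


def run_quadratic_demo(w1, w2, w3, seed=0):
    rng = random.Random(seed)
    r1, r2, r3 = ([rng.randrange(Q) for _ in range(N)] for _ in range(3))
    g1, g0 = quadratic_garbage(w1, w2, w3, r1, r2, r3)
    alpha = rng.randrange(1, Q)
    z1, z2, z3 = (mask(w, r, alpha) for w, r in ((w1, r1), (w2, r2), (w3, r3)))
    return quadratic_check(z1, z2, z3, alpha, g1, g0)


if __name__ == "__main__":
    good, bad = [0, 1, 1, 0, 1, 0, 0, 1], [0, 1, 2, 0, 1, 0, 0, 1]
    print("binary check, honest witness:", run_binary_demo(good))   # True
    print("binary check, coefficient 2:", run_binary_demo(bad))     # False
    w2, w3 = [1, 0, 1, 1, 0, 1, 0, 0], [1, 1, 0, 1, 0, 0, 1, 1]
    print("quadratic, w1 = w2 o w3:", run_quadratic_demo(pw_mul(w2, w3), w2, w3))  # True
    print("quadratic, wrong w1:", run_quadratic_demo(w2, w2, w3))                  # False
    A, w = [[3, 5, 7], [2, 11, 13]], [5, 0, 7]
    print("A'*bits(w) == A*w:", matvec(expand_matrix(A, 3), bit_decompose(w, 3)) == matvec(A, w))  # True
```

Because q is prime and the challenge is nonzero, the alpha² coefficient can only be cancelled when w ∘ (1 - w) (respectively w2 ∘ w3 - w1) is zero in every coordinate, which is why a single coefficient equal to 2 makes the honest garbage terms fail the check; in the real protocols the garbage terms and the witness are bound by commitments sent before alpha is chosen, which is what turns this identity into a sound argument.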