Hello, everyone. I'm Susumu Kiyoshima from NTT Research. I'm going to talk about my work, Round-Optimal Black-Box Commit-and-Prove with Succinct Communication. As the title of this work suggests, in this work we study succinct commit-and-prove protocols. In particular, we obtain a new commit-and-prove protocol by using a two-round succinct argument. So, in this talk, I will first explain two-round succinct arguments and commit-and-prove protocols, and next explain our result and techniques. So, let's begin with two-round succinct arguments. So, what is a succinct argument? A succinct argument is a two-party protocol between a prover P and a verifier V. The goal of a succinct argument is that the prover convinces the verifier of the correctness of a statement. In this work, we focus on two-round succinct arguments. So, the protocol consists of just two messages. The first message is a query message from the verifier, and the second message is the answer message from the prover. For security, a succinct argument is required to satisfy completeness and soundness, where completeness requires that when the statement is true, the verifier always accepts the proof made by the honest prover, and soundness requires that when the statement is false, the verifier rejects any proof made by a malicious prover. And additionally, as an efficiency requirement, a succinct argument is required to satisfy succinctness, which requires that the communication complexity is very small. So, for example, it is often required that the communication complexity is polylogarithmic in T, where T is the time needed for checking whether the statement is true or not. And here I would like to note that although succinctness sometimes also requires that the running time of the verifier is very small, in this work, we only focus on the succinctness of the communication complexity. And informally speaking, the existing two-round succinct arguments can be separated into two groups.
So, the first group is the schemes based on non-falsifiable assumptions, and the second group is the schemes based on falsifiable assumptions. So, regarding the schemes based on non-falsifiable assumptions, all I need to say is that a non-falsifiable assumption is considered a strong assumption in theoretical cryptography. So, even though many of the schemes based on non-falsifiable assumptions satisfy really nice properties and practical efficiency, in this work, we do not consider these schemes. And rather, we focus on the schemes based on falsifiable assumptions, and in particular, we focus on the scheme by Kalai, Raz, and Rothblum and the subsequent works. So, from now on, whenever I say succinct argument, I always mean a succinct argument based on falsifiable assumptions. And these schemes are not as powerful as the schemes based on non-falsifiable assumptions, but still they satisfy several nice properties: they can prove any statement in P, or even some statements in NP, and also they can be proven sound under standard assumptions, like learning with errors, or more concretely, fully homomorphic encryption or two-round private information retrieval schemes. So, essentially what I would like to say in this slide is that we already have really good results on two-round succinct arguments based on falsifiable assumptions. So, now, given this state of the art, a natural question to ask is what other succinct protocols we can obtain by using two-round succinct arguments. So, for example, since interactive arguments have been used in many cryptographic protocols, in the form of zero-knowledge arguments or witness-indistinguishable arguments, I think it is natural to ask whether we can obtain succinct versions of these cryptographic protocols by just using an existing two-round succinct argument instead of a normal interactive argument.
Unfortunately, there are several difficulties toward this aim, and the main difficulty is that the existing two-round succinct arguments are less powerful in several aspects when they are compared with the typical non-succinct arguments in cryptography. So, the first weakness of the existing two-round succinct arguments is that soundness for all of NP is not guaranteed. So, this means that for each application we need to see what kind of NP statement needs to be proven, and then we need to see whether such a statement can be proven by existing two-round succinct arguments. And the second weakness is that witness privacy is not guaranteed, and this means that we need to use an additional mechanism for guaranteeing witness privacy, like witness indistinguishability or zero knowledge. And the third weakness is that public verifiability is not guaranteed, at least when we focus on schemes based on well-studied assumptions, like learning with errors. So, this means that the verifier actually has secret information, and the verification cannot be done without this secret information. So, despite these difficulties, we actually have a few examples of using succinct arguments to obtain other succinct protocols, such as succinct access control for monotone access structures and succinct non-interactive secure computation. However, the number of applications is still limited. So, it's important to study more about whether there exist other applications of two-round succinct arguments. And as I said earlier, in this work, we study applications to commit-and-prove protocols. So, next, let me explain commit-and-prove protocols. So, what is a commit-and-prove protocol? So, a commit-and-prove protocol is basically a commitment scheme that has an additional prove phase. So, in particular, in the commit phase, the prover can commit to its secret input just as in a standard commitment scheme.
And later, in the additional prove phase, the prover can prove any statement about the committed value without opening the commitment. So, in particular, for any adaptively chosen function F, the prover can prove that the committed value W satisfies F of W is equal to 1. So, the most famous application of commit-and-prove protocols is a compiler from semi-honest security to malicious security. So, suppose there exists a semi-honest protocol in which a party P1 sends a message M to a party P2. So, by using a commit-and-prove protocol, we can make this protocol maliciously secure by considering the protocol where P1 first commits to a random string R1 by using a commit-and-prove protocol. And then, after receiving a random string R2 from P2, P1 computes the message M using R1 plus R2 as randomness and then proves by using the commit-and-prove protocol that it computed M honestly. And here, I would like to note that we cannot replace the commit-and-prove protocol with a standard commitment scheme and the semi-honest argument for all of NP when black-box use of cryptographic primitives is desirable. So, this is because the use of semi-honest argument for all of NP inherently requires non-black-box access to the code of the primitive, like a commitment scheme. And in contrast, a commit-and-prove protocol can be black-box in the sense that it uses the underlying cryptographic primitives only in a black-box way. So, currently we already have several black-box constructions of commit-and-prove protocols. And in particular, we have both round-optimal constructions and succinct constructions. Here, the round-optimal constructions have four rounds, and this is optimal in the sense that these constructions can be used as black-box zero-knowledge arguments, which are known to require at least four rounds. However, we currently do not have a construction that is both round-optimal and succinct, and this is what we study in this work. So, now let me explain our result.
So, our result is a succinct commit-and-prove protocol that satisfies the following properties. First, our basic scheme satisfies witness indistinguishability and constant soundness error, and it can be upgraded into one with zero knowledge and negligible soundness error by using the existing transformation by Khurana, Ostrovsky, and Srinivasan. Second, our commit-and-prove protocol has four rounds, and after being upgraded into zero knowledge and negligible soundness error, this round complexity is optimal when our commit-and-prove protocol is used as a black-box zero-knowledge argument. Third, our commit-and-prove protocol only requires relatively mild assumptions, and in particular it only requires sub-exponentially hard collision-resistant hash functions, two-round private information retrieval, and two-round oblivious transfer protocols. And here I would like to note that sub-exponential hardness is required since in the analysis we use complexity leveraging techniques. And finally, our commit-and-prove protocol is black-box in the sense that it uses the underlying cryptographic primitives only in a black-box way. Now, I have explained our result. In the rest of the talk I'm going to explain our techniques. So the starting point of our construction is the following non-succinct construction based on the famous MPC-in-the-head technique. Assume that we have a 2-private M-party MPC protocol, where M is any constant, and assume for simplicity that this MPC is deterministic. So in the commit phase the prover splits its secret input W into M secret shares W1 to WM and commits to each of these shares by using any succinct commitment scheme. In the prove phase, for an adaptively chosen statement F, the prover first runs the MPC protocol in its head, where the inputs to the M parties are the M secret shares W1 to WM, respectively.
And the functionality to be computed is F-prime, where F-prime is a functionality that takes the secret shares as input, reconstructs the secret, and then evaluates the statement F on the reconstructed secret. Then the prover and verifier execute a two-round OT protocol, where the prover sends the commitments to the M secret shares along with the views of the M parties, and the verifier picks a random pair of MPC parties, Pi and Pj, and obtains the data of Pi and Pj, which includes the secret shares and MPC views of Pi and Pj. Finally, the verifier checks whether the MPC views of Pi and Pj satisfy the following conditions. First, the MPC views of Pi and Pj are consistent in the sense that, in the views, the messages that Pi sent to Pj are equal to the messages that Pj received from Pi, and vice versa. Second, in the views, the inputs to Pi and Pj are equal to the committed secret shares of Pi and Pj, which are specified in the commit phase. Third, in the views, the output of Pi and Pj is equal to 1. Now, let's see that this scheme is a witness-indistinguishable commit-and-prove protocol. First, this scheme is witness-indistinguishable because the sender privacy of OT guarantees that the verifier obtains the MPC views of only Pi and Pj, and the 2-privacy of MPC guarantees that the verifier cannot learn any secret information in this case. This scheme satisfies soundness because of the following reasons. First, the receiver privacy of OT guarantees that, in order to convince the verifier with sufficiently high probability, the prover needs to send a set of MPC views such that each pair of MPC views satisfies the three conditions that the verifier checks in the verification. Now, it is not hard to see that the correctness of MPC guarantees that the output of the functionality F-prime on input the committed shares W1 to WM is equal to 1.
And then, from the definition of F-prime, it follows that the output of the statement F on input the committed value W is also equal to 1. And finally, this scheme is not succinct because the prover sends the secret shares of the committed value and the MPC views through the OT protocol. Now, our high-level idea to upgrade this non-succinct construction into a succinct construction is to let the prover prove the consistency of the views etc. by using two-round succinct arguments. So, specifically, we consider a protocol where, instead of sending the MPC views themselves, the prover just gives succinct commitments to the views and then proves that each pair of the committed MPC views is consistent etc. by sending a succinct argument for each pair of the views through the OT protocol. So, in total, the prover sends M-squared succinct arguments through the OT protocol. So, the good news is that even after this modification, we still have witness indistinguishability of the protocol. So, in particular, even though existing two-round succinct arguments do not provide witness privacy, this is not problematic since the verifier obtains a succinct argument for only a pair of MPC parties, and the 2-privacy of MPC guarantees that the verifier cannot learn any secret information from the MPC views of any two parties. However, a problem occurs regarding soundness. And in particular, the problem is that existing two-round succinct arguments are not proven sound for the particular NP statement we consider. So, we consider the protocol where the prover gives a succinct argument for each pair of the MPC parties, and in each of these succinct arguments, the statement is that there exist MPC inputs Wi and Wj and MPC views Vi and Vj such that, first, they are committed in the succinct commitments and, second, the MPC views are consistent etc.
Now, roughly speaking, the analysis of the existing succinct arguments does not work for this particular statement since some elements of the witness, in particular the MPC views Vi and Vj, are committed adaptively after the verifier's query message Q of the succinct argument. So indeed, if the entire witness were committed non-adaptively, just like the MPC inputs Wi and Wj in the commit phase, then the analysis of the existing succinct arguments could be used naturally for our setting. So, essentially the problem is that the witness includes the MPC views Vi and Vj. Our solution to this problem is to analyze the soundness of all the succinct arguments jointly. So that is, rather than individually analyzing each succinct argument given for each pair of the committed MPC views, we jointly analyze the M-squared succinct arguments simultaneously. So the key point is that if we analyze all the succinct arguments jointly, essentially the witness is the MPC inputs and views of all the parties instead of those of only a pair of parties. And since the MPC inputs of all the parties uniquely determine the MPC views of all the parties, we can analyze soundness as if the witness were the MPC inputs alone. And now, as I said earlier, since the MPC inputs are committed in a non-adaptive way in the commit phase, in this case the analysis of the existing two-round succinct arguments can be used naturally for our setting. So the unfortunate news on this solution is that, in order to formalize this idea, both the construction and the analysis need to rely on low-level details of the succinct argument of KRR14. So I won't explain the details, but I just would like to note that no significant modification is required and only natural adjustments are required. So to conclude, this is the summary of our result. So thank you for listening.
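
Added example, not part of the talk or the paper: the verifier's pairwise view checks from the non-succinct MPC-in-the-head starting construction, for the linear statement a·W = t mod P, including a constructed cheating prover that shows why the soundness error is only constant. Assumptions: a sum-based MPC stands in for the 2-private protocol, SHA-256 hash commitments stand in for the commitment scheme, the OT step is replaced by fixing all views before any pair is examined, and every function name is hypothetical.

```python
import hashlib, itertools, secrets

P = 2**61 - 1   # prime modulus for the arithmetic (assumed)
M = 5           # number of virtual MPC parties (assumed constant)

def commit(value, nonce):
    # Hash commitment, an assumed stand-in for the talk's commitment scheme.
    return hashlib.sha256(nonce + repr(value).encode()).hexdigest()

def share(x, n=M):
    """Additively share x mod P into n parts."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    return parts + [(x - sum(parts)) % P]

def run_mpc(a, shares):
    """In-the-head run of a sum protocol for F'(w_1..w_M) = [a*(w_1+..+w_M) == t]."""
    sent = [share(a * w % P) for w in shares]   # party i re-shares a*w_i to everyone
    bcast = [sum(sent[i][j] for i in range(M)) % P for j in range(M)]
    return [{"input": shares[i], "sent": sent[i], "bcast": list(bcast),
             "recv": [sent[k][i] for k in range(M)]} for i in range(M)]

def prove(w, a):
    """Commit phase (share and commit) followed by the in-the-head MPC run."""
    shares = share(w)
    nonces = [secrets.token_bytes(16) for _ in range(M)]
    coms = [commit(s, n) for s, n in zip(shares, nonces)]
    return coms, nonces, run_mpc(a, shares)

def verify_pair(a, t, coms, nonces, views, i, j):
    """Verifier's checks; only the entries for parties i and j are read."""
    for p, q in ((i, j), (j, i)):
        v, u = views[p], views[q]
        ok = (commit(v["input"], nonces[p]) == coms[p]      # input is the committed share
              and sum(v["sent"]) % P == a * v["input"] % P  # p re-shared a*w_p correctly
              and sum(v["recv"]) % P == v["bcast"][p]       # p's broadcast matches its view
              and v["sent"][q] == u["recv"][p]              # sent and received messages agree
              and v["bcast"] == u["bcast"]                  # both saw the same broadcasts
              and sum(v["bcast"]) % P == t)                 # MPC output is 1
        if not ok:
            return False
    return True

def accepted_pairs(a, t, coms, nonces, views):
    return [(i, j) for i, j in itertools.combinations(range(M), 2)
            if verify_pair(a, t, coms, nonces, views, i, j)]

def cheat(views, k, delta):
    """Constructed cheating prover: shift party k's broadcast in every view."""
    for v in views:
        v["bcast"][k] = (v["bcast"][k] + delta) % P
    return views
```

With the shifted broadcast, only the pairs that open party k reject, so a false statement still passes on 6 of the 10 possible pairs.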