A Brief History of Quasi Adaptive NIZKs
>>Hello, everyone. This is not appropriate to lapse of America. I'm going to talk about the motivation for zero knowledge, which goes back to the heart of winding down identity, ownership, community and control. Much of cryptography exists today to support controlled communications among individuals in the one world. We also consider devices as extensions of individuals and corporations as communities. Here's hoping you're not fit in this picture. What defines the boundary of an individual is the ability to hold a secret, which may be, let's say, attached to the ownership of some asset. We want the ability to use the secret to prove ownership of this asset. However, giving up the secret itself essentially annuls ownership, since then anybody else can do the same. Zero knowledge gives us tools to prove ownership without revealing the secret. The notion of proving ownership of a digital object without revealing it sounds very paradoxical outside the model of. So it came as a surprise when this notion was formalized and constructed by Goldwasser, Micali and Rackoff in the late eighties. We'll focus on the non-interactive version of zero knowledge, or NIZK, in this talk, which was first developed by Blum, Feldman and Micali. Whereas the general ZK can span multiple rounds of communication, a NIZK only allows a single message to be transmitted. Now, let's get into some technical details for NIZKs. The objective of a NIZK is to show that an object X, which you can think of as the public footprint of an asset, belongs to a language, without revealing its witness W, which you can think of as the Future Analytics team consists of three algorithms: key gen, prove and verify. The key generation process is executed by a trusted third party at the very outset, resulting in a common random string, or CRS, which is made public. The prover produces a proof π based on the CRS, X and W, and the verifier checks
The proof against X and accepts or rejects. A NIZK of course has to satisfy some properties. We need it to be correct, which basically says that when everyone follows the protocol correctly, the verifier accepts. We need it to be sound, which says that a false statement cannot be proven. Zero knowledge is a trickier property to formalize. How do we capture the intuition behind saying that in the proof there is no knowledge of the witness? One way to capture that is to imagine there are two worlds: the real world, where the proof is calculated using the witness, and a simulation world, where the proof is calculated without a witness. To make this possible, the simulator may have some extra information about the CRS, which is independent of the objects. The property then requires that it is not possible to effectively distinguish these worlds. Now, it is especially challenging to construct NIZKs compared to encryption and signature schemes. In particular, in signature schemes the analog of the prover can use a secret, and in encryption the analog of the verifier can use a secret. But in NIZKs, neither the prover nor the verifier can hold a secret. Yeah, in this talk, I'm going to focus on linear subspace languages. This class is the basis of hardness assumptions like DDH and DLIN and has proved extremely useful in crypto constructions. This is how we express DDH and DLIN as linear subspaces. We will use additive notation and express the discrete logs as linear group actions on group elements. Using this syntax we can write down DDH and DLIN tuples very naturally as a witness vector times a constant matrix, so we can view the language as being generated by a constant language matrix. We will use bilinear groups in our constructions. What does it mean? Well, while a standard group allows additions and exponentiations, a bilinear group also allows one multiplication. In such groups, we can state various linear subspace assumptions.
DDH is the simplest one. It assumes that sampling a one-dimensional space is indistinguishable from sampling the full-dimensional space. The decisional linear assumption assumes the same for two versus three-dimensional spaces. Generalizing this sequence of assumptions, the k-linear assumption asks to distinguish between k-dimensional samples and full-dimensional samples from a (k+1)-dimensional space. Groth and Sahai came up with a breakthrough NIZK construction in Eurocrypt 2008. In particular, their NIZK for linear subspaces was the first efficient construction based on DDH and DLIN. Structurally, it consisted of two parts: a commitment to the witness and an equation proof part encoding how the witness actually corresponds to the object. The number of elements in the proof is linear in the number of witnesses and the number of elements in the object. The question remains to build even shorter NIZKs. The CRS itself seemed to provide some scope. Groth-Sahai uses a fixed CRS that works for an entire class of languages. Maybe there's a way to increase proof efficiency at the cost of having a tailored CRS for each language. This is what motivates quasi-adaptive NIZKs, where we let the CRS depend on the language itself. In particular, we didn't require the discrete logs of the language constants to generate the CRS, but we did require these constants to be generated from witness-samplable distributions. This still turns out to be sufficient for many applications. The construction achieved perfect zero knowledge, which was universal in the sense that the simulator was independent. However, soundness is computational. So here's how the construction differed from Groth-Sahai. At a very high level, the language constants are embedded into the CRS in such a way that the object functions as its own commitment, so we end up not needing any separate commitment in the perfect sense.
Our particular construction also needed fewer elements in the equation proof as well. On the flip side, the CRS blows up quadratically instead of being constant. Let's get into the detailed construction, which is actually present with this script. Let the language be parameterized by a G1 matrix, with the witness changing over time. We sample random matrices D and B with appropriate dimensions. Then we construct the public CRS in two parts. CRS_P is meant to be used by the prover, and it is constructed by multiplying the language matrix with D and B inverse. CRS_V is the part that is meant to be used by the verifier, and it is constructed using D and B embedded in G2. Now let's say you're asked to compute a proof for a candidate X with witness W. We compute it simply as a product of the witness with CRS_P. The verification of the proof is simply checking whether the pairing of the candidate and the proof with the CRS_V matrix is equal to zero. If you look carefully, CRS_V essentially embeds in G2 the kernel of the matrix formed by the language matrix and CRS_P. This is what is responsible for the correctness. The zero knowledge property is also straightforward, given the trapdoor matrices D and B. Now, while correctness and zero knowledge are relatively simple to prove, proving soundness is tricky. The central observation is that, given CRS_P, there is still enough entropy in D and B to randomize CRS_V. In particular, CRS_V can be expanded to have an additional component with a random sample from the kernel of the language. This transformation is purely statistical. Now we essentially embed a DDH or k-linear challenge in the kernel part in this transformed setting. We then show that an alleged proof on a bad candidate can be used to distinguish whether a subspace sample or a full space sample was used as the challenge. The need to have the kernel of the language in this setting.
That's the technical reason why we need the language to come from a witness-samplable distribution. Let's give a simple illustration of the system on a standard Diffie-Hellman language in G1, with the hardness assumption being DDH. So the language is defined by G1 elements g and f, with tuples of the form g to the W, f to the W. The CRS is generated as follows: sample d and b at random and compute CRS_P as g to the d, f to the b inverse, and CRS_V as G to do to do the big on day two of the video. The proof of the tuple g to the W, f to the W is computed using W as CRS_P raised to the power W. Note that this is just a single element in the group. The verification is done by pairing the tuple and the proof with the CRS_V elements and then checking equality. The simulator can easily compute the proof using trapdoors d and b without knowing W. Libert, Peters, Joye and Yung reduced the proof size to constant under DLIN, independent of the number of witnesses and object dimensions. Finally, at Crypto 14 we optimized the proof to one group element under DDH. In both the works, the CRS was reduced to linear size. The number of pairings needed for verification was also reduced to linear. This is the Crypto 14 construction in action. The construction skeleton remains more or less the famous VR turkey. But the core observation was that many of the CRS elements could be randomly combined while still maintaining soundness. These extra randomizers are depicted in red in this slide. This random combination of the CRS elements resulted in a reduction of both proof size as also the number of pairings required for verification. In Eurocrypt 2015, Kiltz and Wee came up with a beautiful interpretation of QA-NIZKs based on the concept of smooth projective hash functions.
This slide is oversimplified but illustrative. This system has four interlocking puzzle pieces: the witness, the language matrix, a key and a key hider, where the hidden version of the key is given publicly in the CRS. Now, when we have a good object, the pieces fit together nicely into detectable. However, when we have a bad object, the pieces no longer fit and it becomes infeasible to come up with convincing. Zero knowledge is demonstrable by giving the key to the simulator and observing that the key is independent of the language matrix. Through the years, we have extended and enhanced the QA-NIZK system, especially with our collaborators, Masayuki Abe Koko Jr. Born on U. N. Based on QA-NIZKs, we were able to construct very efficient identity-based encryption, structure-preserving signatures, publicly verifiable CCA-secure encryption, blind signatures, group signatures, authenticated key exchange and so on. It has also been gratifying to see the community make leaps and bounds on these ideas and also use QA-NIZKs in practical limits. Before finishing off, I wanted to talk to you a little bit about some exciting activities going on in Hyperledger, which are relevant for cryptographers. Hyperledger is an open source community for enterprise. Great. It's hosted by the Linux Foundation and enjoys participation from numerous industry groups. Uh, so difficult funded to efforts in Africa, we have Ursa, which is poised to be the crypto home for all. Blocking it and practice a platform for prospecting transactions are part of the legs on the slide here. We would love participation from entity inference. So that was a brief history of QA-NIZKs. Thanks for giving me the opportunity. And thanks for listening.