SlideShare uma empresa Scribd logo

ZK Study Club: Sumcheck Arguments and Their Applications

A
Alex Pruden

Talk given at the ZK Study Club by Jonathan Bootle and Katerina Sotiraki about the universality of sumcheck arguments and their importance in zero-knowledge cryptography.

Tecnologia
1 de 44
Baixar para ler offline
Sumcheck Arguments and their Applications Jonathan Bootle (IBM Research – Zurich) Alessandro Chiesa (UC Berkeley) Katerina Sotiraki (UC Berkeley) https://ia.cr/2021/333 1
Succinct arguments P V ⋮ 10 Common input 𝑥1 = 4 𝑥2 = 1 ⋮ Witness Completeness: if the witness is valid, the verifier accepts Soundness: if the witness is invalid, the verifier rejects Knowledge soundness: (later) Succinctness: the messages are much smaller than the witness 2
The sumcheck protocol [LFKN92] P V Given a polynomial 𝑝(𝑋1, … , 𝑋ℓ) over a field 𝔽 and a value 𝑢 ∈ 𝔽, prove that σ𝜔∈𝐻ℓ 𝑝(𝜔1, … , 𝜔ℓ) = 𝑢 𝑞1 ∈ 𝔽[𝑋1] Checks that σ𝜔1∈𝐻 𝑞1 𝜔1 = 𝑢 σ𝜔2∈𝐻 𝑞2 𝜔2 = 𝑞1(𝑟1) ⋮ σ𝜔ℓ∈𝐻 𝑞ℓ 𝜔ℓ = 𝑞ℓ−1(𝑟ℓ−1) ⋮ Computes polynomials 𝑞𝑖 𝑋𝑖 = σ𝜔∈𝐻ℓ−𝑖 𝑝(𝑟1, . . , 𝑟𝑖−1, 𝑋𝑖, 𝜔𝑖+1, . . , 𝜔ℓ) Soundness: If σ𝜔∈𝐻ℓ 𝑝(𝜔1, … , 𝜔ℓ) ≠ 𝑢 then V accepts with probability at most ℓ⋅deg(𝑝) |𝔽| . Communication ℓ ⋅ deg 𝑝 elements of 𝔽 𝑟1 ← 𝔽 𝑞ℓ ∈ 𝔽[𝑋ℓ] 𝑟ℓ ← 𝔽 Evaluates 𝑝 to check that 𝑝(𝑟1, … , 𝑟ℓ) = 𝑞ℓ(𝑟ℓ) 3
The sumcheck protocol is everywhere! Sumcheck protocol Probabilistic proofs [BFL91,BFLS91,GKR08] Sumcheck-based succinct arguments [Thaler13] [CMT13], [VSBW13], [W+17], [ZGKPP17], [WTSTW18], [XZZPS19], [Set20] Univariate-sumcheck- based arguments [BCRSVS19] [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20] Sumchecks for tensor codes [Meir13] [RR20], [BCG20], [BCL20] • Linear-time prover [Thaler13,ZXZS20] • Small space [CMT13] (can be implemented with streaming access) • Strong soundness properties [CCHLRR18] (can make non-interactive without random oracles) Useful properties: 4
The sumcheck protocol is everywhere! Sumcheck protocol Probabilistic proofs [BFL91,BFLS91,GKR08] Sumcheck-based succinct arguments [Thaler13] [CMT13], [VSBW13], [W+17], [ZGKPP17], [WTSTW18], [XZZPS19], [Set20] Univariate-sumcheck- based arguments [BCRSVS19] [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20] Sumchecks for tensor codes [Meir13] [RR20], [BCG20], [BCL20] • Linear-time prover [Thaler13,ZXZS20] • Small space [CMT13] (can be implemented with streaming access) • Strong soundness properties [CCHLRR18] (can make non-interactive without random oracles) Useful properties: https://zkproof.org/2020/03/16/sum-checkprotocol/ 5
Pairing-group arguments [LMR19], [ZGKPP17], [XZZPS19] Split-and-fold techniques: a separate body of work? Discrete-log arguments [BBBPWM18], [PLS19], [HKR19], [BHRRS20] Unknown-order-group arguments [BFS20], [BHRRS21] Lattice arguments [BLNS20], [ACK21], [LA20] Some unifying abstractions: [BMMTV19,AC20,BDFG21] Split-and-fold [BCCGP16] • Linear-time prover • Streaming prover [BHRRS20], [BHRRS21] (can be implemented in small space) Useful properties: 6
Pairing-group arguments [LMR19], [ZGKPP17], [XZZPS19] Split-and-fold techniques: a separate body of work? Discrete-log arguments [BBBPWM18], [PLS19], [HKR19], [BHRRS20] Unknown-order-group arguments [BFS20], [BHRRS21] Lattice arguments [BLNS20], [ACK21], [LA20] Some unifying abstractions: [BMMTV19,AC20,BDFG21] Split-and-fold [BCCGP16] • Linear-time prover • Streaming prover [BHRRS20], [BHRRS21] (can be implemented in small space) Useful properties: https://www.coindesk.com/aim-fire-bulletproofs-breakthrough-privacy-blockchains [BBBPWM18] implemented in Rust, Haskell, Javascript, and deployed by Blockstream, and in Monero, Mimblewimble and more… 7
Results 8
From two bodies of work… …to a unified perspective Sumchecks and commitment schemes [VSBW13], [Wah+17], [ZGKPP17], [WTSTW18], [XZZPS19], [BCRSVS19], [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20], [Set20] Sumcheck arguments (this work) [BCCGP16], [BBBPWM18], [LMR19], [BMMTV19], [PLS19], [HKR19], [BHRRS20], [ACR20], [ACF20], [BFS20], [BLNS20], [AC20], [BDFG21], [BHRRS21], [LA21], [ACK21] Folding techniques Sumcheck protocol 9
General goal: succinct arguments for commitment openings P V Common input: • commitment 𝐶 • commitment key 𝑐𝑘 Succinctness goal: communication ≪ |𝑚| ⋮ Focus: commitments with special structure Claim: ∃ 𝑚 such that 𝐶 = Com 𝑐𝑘, 𝑚 10
A new notion : sumcheck-friendly commitments Definition: A commitment scheme CM is sumcheck friendly if Com 𝑐𝑘, 𝑚 = ෍ 𝜔1,…,𝜔ℓ∈𝐻 𝑓(𝑝𝑚 𝜔1, … , 𝜔ℓ , 𝑝𝑐𝑘 𝜔1, … , 𝜔ℓ ) Example: Pedersen commitments 𝐶 = 𝑎1 ⋅ 𝑔1 + ⋯ + 𝑎𝑛 ⋅ 𝑔𝑛 𝐻 = −1,1 𝑅 = 𝔽𝑝 message polynomial in 𝕄[𝑋1, … , 𝑋ℓ], 𝕄 an 𝑅-module evaluation points from 𝐻 ⊆ 𝑅, 𝑅 a ring key polynomial in 𝕂[𝑋1, … , 𝑋ℓ], 𝕂 an 𝑅-module combiner function 𝑓 ∶ 𝕄 × 𝕂 → ℂ 𝕂 = 𝔾, 𝑝𝑐𝑘 𝑋1, … , 𝑋ℓ = σ 𝑔𝑖1,…,𝑖ℓ 𝑋1 𝑖1 … 𝑋ℓ 𝑖ℓ ℂ = 𝔾 𝑓: 𝑎, 𝑔 → 𝑎 ⋅ 𝑔 commitment space ℂ is an 𝑅-module 𝕄 = 𝔽𝑝, 𝑝𝑚 𝑋1, … , 𝑋ℓ = σ 𝑎𝑖1,…,𝑖ℓ 𝑋1 𝑖1 … 𝑋ℓ 𝑖ℓ 11
Main result: sumcheck arguments Theorem 1: Let CM be a commitment scheme which is sumcheck-friendly and invertible. Given a commitment key 𝑐𝑘 and a commitment 𝐶, the sumcheck protocol applied to (with one extra verifier check) is a succinct argument of knowledge for the claim ∃𝑚 such that 𝐶 = Com(𝑐𝑘, 𝑚), with Sumcheck works over rings and modules Think 𝑂(log |𝑚|) 𝑝 𝑋1, … , 𝑋ℓ = 𝑓 𝑝𝑚 𝑋1, … , 𝑋ℓ , 𝑝𝑐𝑘 𝑋1, … , 𝑋ℓ ∈ ℂ[𝑋1, … , 𝑋ℓ] • completeness • soundness • communication ℓ ⋅ deg 𝑝 12
Application: succinct arguments for NP [VSBW13], [Wah+17], [ZGKPP17], [WTSTW18], [XZZPS19], [BCRSVS19], [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20], [Set20] [BCCGP16], [BBBPWM18], [LMR19], [BMMTV19], [PLS19], [HKR19], [BHRRS20], [ACR20], [ACF20], [BFS20], [BLNS20], [AC20], [BDFG21], [BHRRS21], [LA21], [ACK21] scalar-product arguments for bilinear modules Step 1: reduce NP statements to scalar products Step 2: use efficient subroutine for scalar-products Sumcheck protocol Sumchecks and commitment schemes Folding techniques Sumcheck arguments (this work) 13
Application to R1CS over rings R1CS problem over a ring 𝑹: given matrices 𝐴, 𝐵, 𝐶 ∈ 𝑅𝑛×𝑛 , does there exist 𝑧 ∈ 𝑅𝑛 satisfying 𝐴𝑧 ∘ 𝐵𝑧 = 𝐶𝑧? Theorem 2: Let (𝑀𝐿, 𝑀𝑅, 𝑀𝑇, 𝑒) be a “secure” bilinear module where 𝑀𝐿 is a ring. Let 𝐼 ⊆ 𝑀𝐿 be a suitable ideal. There is a ZK succinct argument of knowledge for R1CS with R1CS Ring Prover time Verifier time Proof size 𝑀𝐿/𝐼 𝑂 𝑛 ops in 𝑀𝐿, 𝑀𝑅, 𝑀𝑇 𝑂 𝑛 ops in 𝑀𝐿, 𝑀𝑅, 𝑀𝑇 𝑂 log 𝑛 elems of 𝑀𝑇 Has enough structure for Pedersen and Schnorr Bilinear module: a triple of modules (𝑀𝐿, 𝑀𝑅, 𝑀𝑇) over the same ring with a bilinear map 𝑒 ∶ 𝑀𝐿 × 𝑀𝑅 → 𝑀𝑇. 14
Lattice-based succinct arguments for R1CS Corollary: Let 𝑑 be a power of 2, 𝑝 ≪ 𝑞 primes, 𝑅𝑝 ≔ ℤ𝑝[𝑋]/ 𝑋𝑑 + 1 and similarly for 𝑅𝑞. Then assuming SIS is hard over 𝑅𝑞, there is a zero- knowledge succinct argument of knowledge for R1CS with R1CS Ring Prover time Verifier time Proof size 𝑅𝑝 𝑂 𝑛 ops in 𝑅𝑝, 𝑅𝑞 𝑂 𝑛 ops in 𝑅𝑝, 𝑅𝑞 𝑂 log 𝑛 elems of 𝑅𝑞 Concurrent work: • [LA21] gives impossibility results and improvements for lattice POKs • [ACK21] gives lattice-based succinct arguments for NP 15
Open questions • Analyse the post-quantum security of sumcheck arguments • Investigate new lattice instantiations [LA21] and concrete performance improvements • Give instantiations of [BFS20,Lee21,BHHRS21] in our framework (or a generalization) 16
Techniques 17
Sumcheck arguments for commitment schemes Rings and modules Groups Pedersen commitments Scalar-product commitments Sumcheck-friendly commitments Generalised sumcheck-friendly commitments Today: Many more details and results in the paper! 18
19 sumcheck protocol for ෍ 𝜔 ∈ −1,1 log(𝑛) 𝑝𝑎 ഫ 𝜔 𝑝ഫ 𝐺 ഫ 𝜔 = 𝑛 𝐶 Sumcheck argument for Pedersen Common input: • commitment 𝐶 ∈ 𝔾 • key ഫ 𝐺 ∈ 𝔾𝑛 Claim: ∃പ 𝑎 ∈ 𝔽𝑛 s.t. 𝐶 = പ 𝑎, ഫ 𝐺 V 𝑝ഫ 𝑎 പ 𝑟 𝑟 ← 𝔽log(𝑛) 𝑞1, … , 𝑞log 𝑛 𝑟 “split-and-fold technique” [BCCGT16] is equivalent! (See App. A in the paper) P Opening: പ 𝑎 ∈ 𝔽𝑛 പ 𝑎 Communication: 3 log 𝑛 𝔾 + (log 𝑛 + 1) 𝔽 Verifier computation: O 𝑛 𝔾 𝑞1 1 + 𝑞1 −1 = 𝑛𝐶? 𝑞log(𝑛) 1 + 𝑞log(𝑛) −1 = 𝑞log(𝑛)−1(𝑟log 𝑛 −1)? ⋮ Consistency check: 𝑝𝑎 𝑟 𝑝𝐺 𝑟 = 𝑞log 𝑛 (𝑟log 𝑛 )?
Claim: σഫ 𝜔∈ −1,1 log(𝑛) 𝑝ഫ 𝑎 ഫ 𝜔 𝑝ഫ 𝐺 ഫ 𝜔 = 𝑛 പ 𝑎, ഫ 𝐺 (recall 𝑝𝑟 ഫ 𝑋 = σ𝑖=1 𝑛 𝑟Ӊ 𝑖𝑋1 𝑖1 ⋯ 𝑋log(𝑛) 𝑖log(𝑛) ) Completeness (part 1) Lemma: If പ 𝑎, ഫ 𝐺 = 𝐶, then the verifier accepts with probability 1. It suffices to show the following claim. Sumcheck argument: Pedersen ෍ ഫ 𝜔∈ −1,1 log(𝑛) 𝑝ഫ 𝑎 ഫ 𝜔 𝑝ഫ 𝐺 ഫ 𝜔 𝑛 പ 𝑎, ഫ 𝐺 hypothesis what the sumcheck protocol checks 𝑛𝐶 20
Completeness (part 2) σ𝜔 ∈ −1,1 log(𝑛) 𝑝𝑎 𝜔 𝑝𝐺 𝜔 cancels monomials of odd degree in any variable, e.g., 𝑋1𝑋2 2 𝑋3 2 𝑝𝑎 𝑋 𝑝𝐺 𝑋 Hence, σ𝜔 ∈ −1,1 log(𝑛) 𝑝𝑎 𝜔 𝑝𝐺 𝜔 receives contributions from monomials 𝑋1 2𝑖1 ⋯ 𝑋log(𝑛) 2𝑖log(𝑛) Monomials of the form 𝑋1 2𝑖1 ⋯ 𝑋log(𝑛) 2𝑖log(𝑛) arise from 𝑎 Ӊ 𝑖𝑋1 𝑖1 ⋯ 𝑋log 𝑛 𝑖log 𝑛 ∙ 𝐺 Ӊ 𝑖𝑋1 𝑖1 ⋯ 𝑋log 𝑛 𝑖log 𝑛 Sumcheck argument: Pedersen Claim: σ𝜔∈ −1,1 log(𝑛) 𝑝𝑎 𝜔 𝑝𝐺 𝜔 = 𝑛 𝑎, 𝐺 (recall 𝑝𝑟 𝑋 = σ𝑖=1 𝑛 𝑟Ӊ 𝑖𝑋1 𝑖1 ⋯ 𝑋log(𝑛) 𝑖log(𝑛) ) 21 𝑖1, … , 𝑖log 𝑛 ∈ {0,1}
What kind of soundness? Knowledge soundness Sumcheck argument: Pedersen There exists an extractor that given a suitable tree of accepting transcripts for a commitment key 𝑐𝑘 and commitment 𝐶, finds an opening 𝑚 such that 𝐶 = Com(𝑐𝑘, 𝑚). Soundness (part 1) ⋮ ⋮ ⋮ 𝑟1 (1) 𝑟1 (2) 𝑟1 (3) 𝑞1 𝑞2 𝑟1 (1) 𝑞2 𝑟1 (2) 𝑞2 𝑟1 (3) P V 𝑞1 ⋮ 𝑟1 𝑞ℓ 𝑟ℓ E message 𝑚 22
Lemma: There exists an extractor that, given a 3-ary tree of accepting transcripts for key ഫ 𝐺 and commitment 𝐶, finds an opening 𝑎 such that 𝐶 = 𝑎, 𝐺 . ⋮ ⋮ ⋮ 𝑟1 (1) 𝑟1 (2) 𝑟1 (3) 𝑞1 𝑞2 𝑟1 (1) 𝑞2 𝑟1 (2) 𝑞2 𝑟1 (3) 𝟑𝐥𝐨𝐠 𝒏 −𝟏 openings of size 2 for 𝑞ℓ−1 𝑟ℓ −1 with key ഫ 𝐺ℓ−1 ∈ 𝔾2 𝟑𝐥𝐨𝐠 𝒏 openings of size 1 for 𝑞ℓ 𝑟ℓ with key 𝑝𝐺 പ 𝑟 ∈ 𝔾 𝟑𝒊−𝟏 openings of size 𝟐𝐥𝐨𝐠 𝒏 −𝒊+𝟏 for 𝑞𝑖−1 𝑟𝑖−1 with key ഫ 𝐺𝑖−1 ∈ 𝔾2log 𝑛 −𝑖+1 where ഫ 𝐺𝑖−1 is the vector of coefficients of 𝑝𝐺 𝑟1, … , 𝑟𝑖−1, ഫ 𝑋 . 1 opening of size 𝟐𝐥𝐨𝐠 𝒏 = 𝒏 for 𝑛𝐶 with key ഫ 𝐺 ∈ 𝔾𝑛 Round 1 Round 𝒊 Round 𝐥𝐨𝐠(𝐧) Sumcheck argument: Pedersen Soundness (part 2) 23
Soundness (part 3) In the protocol, 𝑞𝑖 𝑋 = σഫ 𝜔∈{−1,1 }ℓ−𝑖 𝑝ഫ 𝑎 𝑟1, … , 𝑟𝑖−1, 𝑋, ഫ 𝜔 𝑝𝐺 𝑟1, … , 𝑟𝑖−1, 𝑋, ഫ 𝜔 . So, 𝑞𝑖 𝑋 is quadratic. Claim: If ഫ 𝜋(𝑗) ∈ 𝔽2ℓ−𝑖 is opening for 𝑞𝑖(𝑟𝑖 (𝑗) ) for 𝑗 ∈ [3], we can find an opening of size 2ℓ−𝑖+1 for 𝑞𝑖−1(𝑟𝑖−1). Sumcheck argument: Pedersen 3-ary tree contains three evaluations of 𝑞𝑖 𝑋 such that ∀𝑗 ∈ 3 , 𝑞𝑖 𝑟𝑖 (𝑗) = ഫ 𝜋(𝑗), ഫ 𝐺𝑖 Then we can find 𝑞𝑖−1 𝑟𝑖−1 = 𝑞𝑖 1 + 𝑞𝑖 −1 = ഫ 𝜋′, ഫ 𝐺𝑖−1 Verifier’s check 24 Goal: find ഫ 𝜋 such that 𝑞𝑖 𝑋 = ഫ 𝜋(Χ), ഫ 𝐺𝑖−1
Soundness (part 4) ഫ 𝐺𝑘 is the vector of coefficients of 𝑝𝐺 𝑟1, … , 𝑟𝑘, ഫ 𝑋 = ഫ 𝜋(𝑗), (ഫ 𝐺𝑖−1,𝐿+ 𝑟𝑖 (𝑗) ഫ 𝐺𝑖−1,𝑅) = ഫ 𝜋 𝑗 , 𝑟𝑖 (𝑗) ഫ 𝜋 𝑗 , ഫ 𝐺𝑖−1 Sumcheck argument: Pedersen Claim: If ഫ 𝜋(𝑗) ∈ 𝔽2ℓ−𝑖 is opening for 𝑞𝑖(𝑟𝑖 (𝑗) ) for 𝑗 ∈ [3], we can find an opening of size 2ℓ−𝑖+1 for 𝑞𝑖−1(𝑟𝑖−1). 3-ary tree contains three evaluations of 𝑞𝑖 𝑋 such that ∀𝑗 ∈ 3 , 𝑞𝑖 𝑟𝑖 (𝑗) = ഫ 𝜋(𝑗) , ഫ 𝐺𝑖 ഫ 𝜋 such that 𝑞𝑖 𝑋 = ഫ 𝜋(Χ), ഫ 𝐺𝑖−1 linear algebra 25 Pedersen commitment is invertible.
Sumcheck arguments for commitment schemes Rings and modules Groups Pedersen commitments Scalar-product commitments Sumcheck-friendly commitments Generalised sumcheck-friendly commitments Today: 26
27 sumcheck protocol for ෍ 𝜔 ∈ −1,1 log(𝑛) 𝑝𝑎 𝜔 𝑝ഫ 𝐺1 𝜔 𝑝𝑏 𝜔 𝑝ഫ 𝐺2 𝜔 𝑝𝑎 𝜔 𝑝𝑏 𝜔 𝑈 = 𝑛 𝐶 Common input: • key ഫ 𝐺1, ഫ 𝐺2, 𝑈 ∈ 𝔾2𝑛+1 • commitment 𝐶 ∈ 𝔾3 Claim: ∃ പ 𝑎, പ 𝑏 ∈ 𝔽2𝑛 s.t. 𝐶 = പ 𝑎, ഫ 𝐺1 , പ 𝑏, ഫ 𝐺2 , പ 𝑎, പ 𝑏 𝑈 𝑝𝑎 പ 𝑟 , 𝑝𝑏(പ 𝑟) Sumcheck argument for scalar-product commitments P Opening: പ 𝑎, പ 𝑏 ∈ 𝔽2𝑛 V 𝑟 Consistency check: 𝑝𝑎 𝑟 𝑝ഫ 𝐺1 𝑟 𝑝𝑏 𝑟 𝑝ഫ 𝐺2 𝑟 𝑝𝑎 𝑟 𝑝𝑏 𝑟 𝑈 = 𝑞ℓ(𝑟ℓ)? 𝑟 ← 𝔽log(𝑛) പ 𝑎, പ 𝑏 Communication: succinct Verifier computation: linear 𝑞1, … , 𝑞log 𝑛 𝑞1 1 + 𝑞1 −1 = 𝑛𝐶? 𝑞log(𝑛) 1 + 𝑞log(𝑛) −1 = 𝑞log(𝑛)−1(𝑟log 𝑛 −1)? ⋮
Completeness and soundness Lemma: The verifier accepts with probability 1. 𝐶 = പ 𝑎, ഫ 𝐺1 പ 𝑏, ഫ 𝐺2 പ 𝑎, പ 𝑏 𝑈 𝑝ഫ 𝑎 ഫ 𝑋 𝑝ഫ 𝐺1 ഫ 𝑋 𝑝ഫ 𝑏 ഫ 𝑋 𝑝ഫ 𝐺2 ഫ 𝑋 𝑝𝑎 ഫ 𝑋 𝑝𝑏 ഫ 𝑋 𝑈 Follows from completeness for Pedersen Lemma: If the commitment scheme is binding, there exists an extractor that, given a 4-ary tree of accepting transcripts for key (ഫ 𝐺1, ഫ 𝐺2) and commitment 𝐶, finds an opening പ 𝑎, പ 𝑏 such that 𝐶 = 𝑎, 𝐺1 , 𝑏, 𝐺2 , 𝑎, 𝑏 𝑈 . Similarly to Pedersen, we extract opening for each components. Using a computational assumption and the larger tree, we show that third component is the scalar-product പ 𝑎, പ 𝑏 . Scalar-product commitment is invertible. Sumcheck argument: Scalar-product commitment 28
Sumcheck arguments for commitment schemes Rings and modules Groups Pedersen commitments Scalar-product commitments Sumcheck-friendly commitments Generalised sumcheck-friendly commitments Today: 29
Sumcheck-friendly commitments Definition: A commitment scheme CM is sumcheck friendly if Com 𝑐𝑘, 𝑚 = ෍ 𝜔1,…,𝜔ℓ∈𝐻 𝑓(𝑝𝑚 𝜔1, … , 𝜔ℓ , 𝑝𝑐𝑘 𝜔1, … , 𝜔ℓ ) message polynomial in 𝕄[𝑋1, … , 𝑋ℓ], 𝕄 an 𝑅-module evaluation points from 𝐻 ⊆ 𝑅, 𝑅 a ring key polynomial in 𝕂[𝑋1, … , 𝑋ℓ], 𝕂 an 𝑅-module combiner function 𝑓 ∶ 𝕄 × 𝕂 → ℂ commitment space ℂ is an 𝑅-module Sumcheck arguments for sumcheck-friendly commitments? 30
31 𝑝𝑚(പ 𝑟) Sumcheck argument for sumcheck-friendly commitments 𝑟 ← 𝔽ℓ 𝑟 Common input: • key 𝑐𝑘 • commitment 𝐶 Claim: ∃𝑚 s.t. 𝐶 = σഫ 𝜔 ∈ 𝐻ℓ 𝑓 𝑝𝑚 ഫ ω , 𝑝𝑐𝑘 ഫ 𝜔 P Opening: 𝑚 V Consistency check: 𝑓 𝑝𝑚 𝑟 , 𝑝𝑐𝑘 𝑟 = 𝑞ℓ(𝑟ℓ)? 𝑚 Communication: sumcheck + |𝑝𝑚 പ 𝑟 | Verifier computation: computation of 𝑝𝑐𝑘 𝑟 and 𝑓 𝑞1, … , 𝑞ℓ σ𝜔∈𝐻 𝑞1 𝜔 = 𝐶? σ𝜔∈𝐻 𝑞ℓ 𝜔 = 𝑞ℓ−1(𝑟ℓ−1)? ⋮ sumcheck protocol for σ𝜔 ∈ 𝐻ℓ 𝑓 𝑝𝑚 𝜔 , 𝑝𝑐𝑘 𝜔 = 𝐶
Extractor works inductively as in Pedersen using invertibility in each layer Completeness and soundness Lemma: The verifier accepts with probability 1. Follows directly from definition of sumcheck-friendly commitments Lemma: If commitment scheme is invertible, there exists an extractor that, given a suitable tree of accepting transcripts for key 𝑐𝑘 and commitment 𝐶, finds an opening 𝑚. Sumcheck argument: Sumcheck-friendly commitment 32
𝑟𝑖 (𝑲) 𝑟𝑖 (2) Given polynomial 𝑞𝑖(𝑋) and “openings’’ 𝑝 1 ഫ X , … , 𝑝(𝑲) ഫ X such that ∀𝑗 ∈ 𝐾 ∶ 𝑞𝑖 𝑟(𝑗) = σഫ 𝜔∈𝐻ℓ−𝑖 𝑓 𝑝(𝑗) ഫ 𝜔 , 𝑝𝑐𝑘(𝑟1, … , 𝑟𝑖 (𝑗) , ഫ 𝜔) We can find polynomial 𝑝 such that σ𝜔∈𝐻 𝑞𝑖 (𝜔) = σഫ 𝜔∈𝐻ℓ−𝑖+1 𝑓 𝑝 ഫ 𝜔 , 𝑝𝑐𝑘(𝑟1, … , 𝑟𝑖−1, ഫ 𝜔) Invertibility 𝑟𝑖 (1) 𝑞𝑖 … Property that allows to climb up the tree from layer to layer. 𝑝(1) 𝑝(2) 𝑝(𝐊) K- Invertible commitment schemes: Pedersen commitments, scalar-product commitments, linear-function commitments Extra variable 𝑋𝑖: 𝑝 “bigger” than 𝑝(𝑗) Sumcheck argument: Sumcheck-friendly commitment 33
Sumcheck arguments for commitment schemes Rings and modules Groups Pedersen commitments Scalar-product commitments Sumcheck-friendly commitments Generalised sumcheck-friendly commitments Today: 34
From groups to rings Goal: an abstraction for mathematical structures where folding techniques can work Everything so far extends to general 𝔽-vector spaces, e.g., bilinear groups [BMMTV19]. Scalar-product commitments for bilinear groups: ഫ 𝒂, ഫ 𝑮𝟏 , ഫ 𝒃, ഫ 𝑮𝟐 , ഫ 𝒂, ഫ 𝒃 ∈ 𝔾𝑻 𝟑 𝔾1 𝔾2 Lattices and groups of unknown order? 35
Messages Keys Commitments Assumption small 𝑀𝐿 𝑀𝑅 𝑀𝑇 Bilinear Relation Assumption From groups to rings: bilinear modules Norm checks: only “short” elements are valid messages e.g., for ring-SIS 𝑹-module 𝑴: generalization of vector space over rings Bilinear module: 𝑀𝐿, 𝑀𝑅, 𝑀𝑇, 𝑒 such that • 𝑀𝐿, 𝑀𝑅, 𝑀𝑇 are 𝑅-modules • 𝑒 ∶ 𝑀𝐿 × 𝑀𝑅 → 𝑀𝑇 is 𝑅-bilinear Pedersen example: 𝐶 = 𝑎1𝐺1 + ⋯ + 𝑎𝑛𝐺𝑛 = ⟨𝑎 , 𝐺⟩ ‘Multiply’ message and key elements using 𝑒 Add the pieces together Hard to find small 𝑎 such that 𝑎 , 𝐺 = 0 Can define polynomials over message and key spaces 36
37 𝑝𝑚(പ 𝑟) 𝑟 ← 𝒞ℓ 𝑟 common input: • key 𝑐𝑘 • commitment 𝐶 claim: ∃𝑚 with 𝒎 ≤ 𝑩 s.t. 𝐶 = σഫ 𝜔 ∈ 𝐻ℓ 𝑓 𝑝𝑚 ഫ 𝜔 , 𝑝𝑐𝑘 ഫ 𝜔 P Opening: 𝑚 with 𝒎 ≤ 𝑩 V consistency check: 𝑓 𝑝𝑚 𝑟 , 𝑝𝑐𝑘 𝑟 = 𝑣? 𝒑𝒎(പ 𝒓) ≤ 𝑩∗? 𝑚 From groups to rings: sumcheck arguments Natural bound for evaluation of 𝒑𝒎 on 𝒞ℓ 𝑞1, … , 𝑞ℓ ⋮ Special challenge set ⊆ 𝑹! (necessary even for sumcheck protocol) σ𝜔∈𝐻 𝑞1 𝜔 = 𝐶? σ𝜔∈𝐻 𝑞ℓ 𝜔 = 𝑞ℓ−1(𝑟ℓ−1)? sumcheck protocol for σ𝜔 ∈ 𝐻ℓ 𝑓 𝑝𝑚 𝜔 , 𝑝𝑐𝑘 𝜔 = 𝐶
Arithmetic over rings might cause slackness factors and increase in norm. e.g., for Pedersen, the extracted relaxed opening 𝑎 for 𝐶 and 𝐺: 𝝃ℓ ⋅ 𝐶 = 𝑎, 𝐺 with പ 𝑎 ≤ 𝑁ℓ ⋅ 𝐵∗ From groups to rings: soundness Lemma: If commitment scheme is invertible, there exists an extractor that, given a suitable tree of accepting transcripts for key 𝑐𝑘 and commitment 𝐶, finds a relaxed opening 𝑚. Challenges: 1. Linear algebra different over rings and modules 2. Norm considerations arise Ring 𝒞 𝜉 𝛮 ℤ𝑞 𝑋 < 𝑋𝑑 + 1 > {𝑋𝑖: 0 ≤ 𝑖 ≤ 2𝑑 − 1 } 8 𝑂(𝑑7) Parameters for lattices: Tighter analysis in [LA21], [ACK21] Tighter analysis in [LA21], [ACK21] 38
e.g., for Pedersen, the extracted relaxed opening 𝑎 for 𝐶 and 𝐺: 𝝃ℓ ⋅ 𝐶 = 𝑎, 𝐺 with പ 𝑎 ≤ 𝑁ℓ ⋅ 𝐵 From groups to rings: R1CS over rings Lemma (soundness): There exists an extractor that finds an R1CS witness. Without slackness! 𝐶 = 𝑎/𝝃ℓ, 𝐺 with പ 𝑎/𝝃ℓ ≤ 𝐵′ Issues: 1. 𝜉 might not be invertible 2. പ 𝑎/𝜉ℓ might not be small Ideal 𝐼 such that 𝜉 (mod 𝐼) is invertible, 𝑥 (mod 𝐼) small for all 𝑥 𝐶 = 𝑎/𝜉ℓ(𝐦𝐨𝐝 𝑰), 𝐺 with പ 𝑎/𝜉ℓ(𝐦𝐨𝐝 𝑰) ≤ 𝐵′ A remark about our R1CS result: 39
Instantiations of bilinear modules Assumption Messages Keys Commitments Ideal BRA small 𝑀𝐿 𝑀𝑅 𝑀𝑇 𝐼 DLOG 𝔽𝑝 𝔾 𝔾 {0} DPAIR[AFGHO10] 𝔾1 𝔾2 𝔾𝑇 {0} UO [BFS20] small ℤ 𝔾 𝔾 𝑛ℤ for suitable small 𝑛 RSIS [Ajtai94] small 𝑅𝑞 𝑅𝑞 𝑑 𝑅𝑞 𝑑 𝑛ℤ for suitable small 𝑛 40
Conclusion 41
Summary of results Theorem 1: The sumcheck protocol applied to a sumcheck-friendly commitment scheme is a succinct argument of knowledge of commitment openings. Theorem 2: Let (𝑀𝐿, 𝑀𝑅, 𝑀𝑇) be a secure bilinear module with 𝑀𝐿 a ring and 𝐼 ⊆ 𝑀𝐿 an ideal. There is a ZK succinct argument of knowledge for R1CS with Corollary: Let 𝑝 ≪ 𝑞 primes, 𝑅𝑝 ≔ ℤ𝑝[𝑋]/ 𝑋𝑑 + 1 and similarly for 𝑅𝑞. Then assuming SIS is hard, there is a ZK succinct argument of knowledge for R1CS with R1CS Ring Prover and verifier time Proof size 𝑀𝐿/𝐼 𝑂 𝑛 ops 𝑀𝐿, 𝑀𝑅, 𝑀𝑇 𝑂 log 𝑛 elems R1CS Ring Prover and verifier time Proof size 𝑅𝑝 𝑂 𝑛 ops 𝑅𝑝, 𝑅𝑞 𝑂 log 𝑛 elems 𝑅𝑞 42
Takeaways • Many commitment schemes are sumcheck friendly • We can recast many different cryptographic settings as bilinear modules • In the paper: instantiations and polynomial commitment schemes 43
Thanks! [VSBW13], [Wah+17], [ZGKPP17], [WTSTW18], [XZZPS19], [BCRSVS19], [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20], [Set20] [BCCGP16], [BBBPWM18], [LMR19], [BMMTV19], [PLS19], [HKR19], [BHRRS20], [ACR20], [ACF20], [BFS20], [BLNS20], [AC20], [BDFG21], [BHRRS21], [LA21], [ACK21] Sumcheck protocol https://ia.cr/2021/333 Sumchecks and commitment schemes Folding techniques Sumcheck arguments (this work) 44

Recomendados

zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
Alex Pruden
 
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
Alex Pruden
 
SHA 1 Algorithm
SHA 1 AlgorithmSHA 1 Algorithm
SHA 1 Algorithm
Shiva RamDam
 
Cryptography - RSA and ECDSA
Cryptography - RSA and ECDSACryptography - RSA and ECDSA
Cryptography - RSA and ECDSA
APNIC
 
Verification Strategy for PCI-Express
Verification Strategy for PCI-ExpressVerification Strategy for PCI-Express
Verification Strategy for PCI-Express
DVClub
 
Eos - Efficient Private Delegation of zkSNARK provers
Eos - Efficient Private Delegation of zkSNARK proversEos - Efficient Private Delegation of zkSNARK provers
Eos - Efficient Private Delegation of zkSNARK provers
Alex Pruden
 
ECDSA/EdDSA
ECDSA/EdDSAECDSA/EdDSA
ECDSA/EdDSA
JacobBrazeal
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
chauhankapil
 

Recomendados

zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
zkStudyClub - ProtoStar (Binyi Chen & Benedikt Bünz, Espresso Systems)
Alex Pruden
 
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
zkStudyClub: HyperPlonk (Binyi Chen, Benedikt Bünz)
Alex Pruden
 
SHA 1 Algorithm
SHA 1 AlgorithmSHA 1 Algorithm
SHA 1 Algorithm
Shiva RamDam
 
Cryptography - RSA and ECDSA
Cryptography - RSA and ECDSACryptography - RSA and ECDSA
Cryptography - RSA and ECDSA
APNIC
 
Verification Strategy for PCI-Express
Verification Strategy for PCI-ExpressVerification Strategy for PCI-Express
Verification Strategy for PCI-Express
DVClub
 
Eos - Efficient Private Delegation of zkSNARK provers
Eos - Efficient Private Delegation of zkSNARK proversEos - Efficient Private Delegation of zkSNARK provers
Eos - Efficient Private Delegation of zkSNARK provers
Alex Pruden
 
ECDSA/EdDSA
ECDSA/EdDSAECDSA/EdDSA
ECDSA/EdDSA
JacobBrazeal
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
chauhankapil
 
Lattice-based Signatures
Lattice-based SignaturesLattice-based Signatures
Lattice-based Signatures
OnBoard Security, Inc. - a Qualcomm Company
 
Fpga implementation of (15,7) bch encoder and decoder for text message
Fpga implementation of (15,7) bch encoder and decoder for text messageFpga implementation of (15,7) bch encoder and decoder for text message
Fpga implementation of (15,7) bch encoder and decoder for text message
eSAT Journals
 
Elliptic Curve Cryptography
Elliptic Curve CryptographyElliptic Curve Cryptography
Elliptic Curve Cryptography
Kelly Bresnahan
 
A whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizerA whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizer
Nikita Popov
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of Operation
Shafaan Khaliq Bhatti
 
Understanding Reed-Solomon code
Understanding Reed-Solomon codeUnderstanding Reed-Solomon code
Understanding Reed-Solomon code
继顺(Jeffrey) 王
 
Elliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofElliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge Proof
Arunanand Ta
 
Deep generative model.pdf
Deep generative model.pdfDeep generative model.pdf
Deep generative model.pdf
Hyungjoo Cho
 
Session 6 sv_randomization
Session 6 sv_randomizationSession 6 sv_randomization
Session 6 sv_randomization
Nirav Desai
 
WiFi mesh network(ESP32 mStar and mesh topology)
WiFi mesh network(ESP32 mStar and mesh topology)WiFi mesh network(ESP32 mStar and mesh topology)
WiFi mesh network(ESP32 mStar and mesh topology)
Raziuddin Khazi
 
Ch12
Ch12Ch12
Ch12
Joe Christensen
 
Homomorphic encryption
Homomorphic encryptionHomomorphic encryption
Homomorphic encryption
Cysinfo Cyber Security Community
 
Programmable array-logic-and-programmable-logic-array
Programmable array-logic-and-programmable-logic-arrayProgrammable array-logic-and-programmable-logic-array
Programmable array-logic-and-programmable-logic-array
Jher Carlson Atasan
 
Implementation of reed solomon codes basics
Implementation of reed solomon codes basicsImplementation of reed solomon codes basics
Implementation of reed solomon codes basics
Ram Singh Yadav
 
Linux wireless kickstarter Guide
Linux wireless kickstarter GuideLinux wireless kickstarter Guide
Linux wireless kickstarter Guide
Chaitanya Tata, PMP
 
Hash Techniques in Cryptography
Hash Techniques in CryptographyHash Techniques in Cryptography
Hash Techniques in Cryptography
Basudev Saha
 
LDPC - Low Density Parity Check Matrix
LDPC - Low Density Parity Check MatrixLDPC - Low Density Parity Check Matrix
LDPC - Low Density Parity Check Matrix
Kavi
 
Convolution as matrix multiplication
Convolution as matrix multiplicationConvolution as matrix multiplication
Convolution as matrix multiplication
Edwin Efraín Jiménez Lepe
 
Number theory and cryptography
Number theory and cryptographyNumber theory and cryptography
Number theory and cryptography
Yasser Ali
 
快快樂樂SIMD
快快樂樂SIMD快快樂樂SIMD
快快樂樂SIMD
Wei-Ta Wang
 
Type and proof structures for concurrency
Type and proof structures for concurrencyType and proof structures for concurrency
Type and proof structures for concurrency
Facultad de Informática UCM
 
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
Alex Pruden
 

Mais conteúdo relacionado

Mais procurados

Fpga implementation of (15,7) bch encoder and decoder for text message
Fpga implementation of (15,7) bch encoder and decoder for text messageFpga implementation of (15,7) bch encoder and decoder for text message
Fpga implementation of (15,7) bch encoder and decoder for text message
eSAT Journals
 
Elliptic Curve Cryptography
Elliptic Curve CryptographyElliptic Curve Cryptography
Elliptic Curve Cryptography
Kelly Bresnahan
 
Session 6 sv_randomization
Session 6 sv_randomizationSession 6 sv_randomization
Session 6 sv_randomization
Nirav Desai
 
Hash Techniques in Cryptography
Hash Techniques in CryptographyHash Techniques in Cryptography
Hash Techniques in Cryptography
Basudev Saha
 

Mais procurados (20)

Lattice-based Signatures
Lattice-based SignaturesLattice-based Signatures
Lattice-based Signatures
 
Fpga implementation of (15,7) bch encoder and decoder for text message
Fpga implementation of (15,7) bch encoder and decoder for text messageFpga implementation of (15,7) bch encoder and decoder for text message
Fpga implementation of (15,7) bch encoder and decoder for text message
 
Elliptic Curve Cryptography
Elliptic Curve CryptographyElliptic Curve Cryptography
Elliptic Curve Cryptography
 
A whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizerA whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizer
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of Operation
 
Understanding Reed-Solomon code
Understanding Reed-Solomon codeUnderstanding Reed-Solomon code
Understanding Reed-Solomon code
 
Elliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofElliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge Proof
 
Deep generative model.pdf
Deep generative model.pdfDeep generative model.pdf
Deep generative model.pdf
 
Session 6 sv_randomization
Session 6 sv_randomizationSession 6 sv_randomization
Session 6 sv_randomization
 
WiFi mesh network(ESP32 mStar and mesh topology)
WiFi mesh network(ESP32 mStar and mesh topology)WiFi mesh network(ESP32 mStar and mesh topology)
WiFi mesh network(ESP32 mStar and mesh topology)
 
Ch12
Ch12Ch12
Ch12
 
Homomorphic encryption
Homomorphic encryptionHomomorphic encryption
Homomorphic encryption
 
Programmable array-logic-and-programmable-logic-array
Programmable array-logic-and-programmable-logic-arrayProgrammable array-logic-and-programmable-logic-array
Programmable array-logic-and-programmable-logic-array
 
Implementation of reed solomon codes basics
Implementation of reed solomon codes basicsImplementation of reed solomon codes basics
Implementation of reed solomon codes basics
 
Linux wireless kickstarter Guide
Linux wireless kickstarter GuideLinux wireless kickstarter Guide
Linux wireless kickstarter Guide
 
Hash Techniques in Cryptography
Hash Techniques in CryptographyHash Techniques in Cryptography
Hash Techniques in Cryptography
 
LDPC - Low Density Parity Check Matrix
LDPC - Low Density Parity Check MatrixLDPC - Low Density Parity Check Matrix
LDPC - Low Density Parity Check Matrix
 
Convolution as matrix multiplication
Convolution as matrix multiplicationConvolution as matrix multiplication
Convolution as matrix multiplication
 
Number theory and cryptography
Number theory and cryptographyNumber theory and cryptography
Number theory and cryptography
 
快快樂樂SIMD
快快樂樂SIMD快快樂樂SIMD
快快樂樂SIMD
 

Semelhante a ZK Study Club: Sumcheck Arguments and Their Applications

Type and proof structures for concurrency
Type and proof structures for concurrencyType and proof structures for concurrency
Type and proof structures for concurrency
Facultad de Informática UCM
 
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
Alex Pruden
 
Steven Duplij, Raimund Vogl, "Polyadic Braid Operators and Higher Braiding Ga...
Steven Duplij, Raimund Vogl, "Polyadic Braid Operators and Higher Braiding Ga...Steven Duplij, Raimund Vogl, "Polyadic Braid Operators and Higher Braiding Ga...
Steven Duplij, Raimund Vogl, "Polyadic Braid Operators and Higher Braiding Ga...
Steven Duplij (Stepan Douplii)
 
Local Model Checking Algorithm Based on Mu-calculus with Partial Orders
Local Model Checking Algorithm Based on Mu-calculus with Partial OrdersLocal Model Checking Algorithm Based on Mu-calculus with Partial Orders
Local Model Checking Algorithm Based on Mu-calculus with Partial Orders
TELKOMNIKA JOURNAL
 
pptx - Psuedo Random Generator for Halfspaces
pptx - Psuedo Random Generator for Halfspacespptx - Psuedo Random Generator for Halfspaces
pptx - Psuedo Random Generator for Halfspaces
butest
 
pptx - Psuedo Random Generator for Halfspaces
pptx - Psuedo Random Generator for Halfspacespptx - Psuedo Random Generator for Halfspaces
pptx - Psuedo Random Generator for Halfspaces
butest
 
RedisDay London 2018 - CRDTs and Redis From sequential to concurrent executions
RedisDay London 2018 - CRDTs and Redis From sequential to concurrent executionsRedisDay London 2018 - CRDTs and Redis From sequential to concurrent executions
RedisDay London 2018 - CRDTs and Redis From sequential to concurrent executions
Redis Labs
 

Semelhante a ZK Study Club: Sumcheck Arguments and Their Applications (20)

Type and proof structures for concurrency
Type and proof structures for concurrencyType and proof structures for concurrency
Type and proof structures for concurrency
 
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
 
Nearly optimal average case complexity of counting bicliques under seth
Nearly optimal average case complexity of counting bicliques under sethNearly optimal average case complexity of counting bicliques under seth
Nearly optimal average case complexity of counting bicliques under seth
 
Declarative Semantics Definition - Term Rewriting
Declarative Semantics Definition - Term RewritingDeclarative Semantics Definition - Term Rewriting
Declarative Semantics Definition - Term Rewriting
 
Steven Duplij, Raimund Vogl, "Polyadic Braid Operators and Higher Braiding Ga...
Steven Duplij, Raimund Vogl, "Polyadic Braid Operators and Higher Braiding Ga...Steven Duplij, Raimund Vogl, "Polyadic Braid Operators and Higher Braiding Ga...
Steven Duplij, Raimund Vogl, "Polyadic Braid Operators and Higher Braiding Ga...
 
Yoyak ScalaDays 2015
Yoyak ScalaDays 2015Yoyak ScalaDays 2015
Yoyak ScalaDays 2015
 
Local Model Checking Algorithm Based on Mu-calculus with Partial Orders
Local Model Checking Algorithm Based on Mu-calculus with Partial OrdersLocal Model Checking Algorithm Based on Mu-calculus with Partial Orders
Local Model Checking Algorithm Based on Mu-calculus with Partial Orders
 
Is Sized Typing for Coq Practical?
Is Sized Typing for Coq Practical?Is Sized Typing for Coq Practical?
Is Sized Typing for Coq Practical?
 
R Language Introduction
R Language IntroductionR Language Introduction
R Language Introduction
 
N-gram IDF: A Global Term Weighting Scheme Based on Information Distance (WWW...
N-gram IDF: A Global Term Weighting Scheme Based on Information Distance (WWW...N-gram IDF: A Global Term Weighting Scheme Based on Information Distance (WWW...
N-gram IDF: A Global Term Weighting Scheme Based on Information Distance (WWW...
 
CRDTs and Redis
CRDTs and RedisCRDTs and Redis
CRDTs and Redis
 
Alternative cryptocurrencies
Alternative cryptocurrencies Alternative cryptocurrencies
Alternative cryptocurrencies
 
Alternative cryptocurrencies
Alternative cryptocurrenciesAlternative cryptocurrencies
Alternative cryptocurrencies
 
Relations as Executable Specifications
Relations as Executable SpecificationsRelations as Executable Specifications
Relations as Executable Specifications
 
pptx - Psuedo Random Generator for Halfspaces
pptx - Psuedo Random Generator for Halfspacespptx - Psuedo Random Generator for Halfspaces
pptx - Psuedo Random Generator for Halfspaces
 
pptx - Psuedo Random Generator for Halfspaces
pptx - Psuedo Random Generator for Halfspacespptx - Psuedo Random Generator for Halfspaces
pptx - Psuedo Random Generator for Halfspaces
 
Executing Boolean Queries on an Encrypted Bitmap Index
Executing Boolean Queries on an Encrypted Bitmap IndexExecuting Boolean Queries on an Encrypted Bitmap Index
Executing Boolean Queries on an Encrypted Bitmap Index
 
RedisDay London 2018 - CRDTs and Redis From sequential to concurrent executions
RedisDay London 2018 - CRDTs and Redis From sequential to concurrent executionsRedisDay London 2018 - CRDTs and Redis From sequential to concurrent executions
RedisDay London 2018 - CRDTs and Redis From sequential to concurrent executions
 
Incremental and parallel computation of structural graph summaries for evolvi...
Incremental and parallel computation of structural graph summaries for evolvi...Incremental and parallel computation of structural graph summaries for evolvi...
Incremental and parallel computation of structural graph summaries for evolvi...
 
CVRP solver with Multi-Head Attention
CVRP solver with Multi-Head AttentionCVRP solver with Multi-Head Attention
CVRP solver with Multi-Head Attention
 

Mais de Alex Pruden

zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
Alex Pruden
 
ZK Study Club: Supernova (Srinath Setty - MS Research)
ZK Study Club: Supernova (Srinath Setty - MS Research)ZK Study Club: Supernova (Srinath Setty - MS Research)
ZK Study Club: Supernova (Srinath Setty - MS Research)
Alex Pruden
 
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
Alex Pruden
 

Mais de Alex Pruden (11)

zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
 
zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...
zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...
zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...
 
zkStudyClub - cqlin: Efficient linear operations on KZG commitments
zkStudyClub - cqlin: Efficient linear operations on KZG commitments zkStudyClub - cqlin: Efficient linear operations on KZG commitments
zkStudyClub - cqlin: Efficient linear operations on KZG commitments
 
ZK Study Club: Supernova (Srinath Setty - MS Research)
ZK Study Club: Supernova (Srinath Setty - MS Research)ZK Study Club: Supernova (Srinath Setty - MS Research)
ZK Study Club: Supernova (Srinath Setty - MS Research)
 
Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)
Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)
Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)
 
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]
 
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
 
zkStudy Club: Subquadratic SNARGs in the Random Oracle Model
zkStudy Club: Subquadratic SNARGs in the Random Oracle ModelzkStudy Club: Subquadratic SNARGs in the Random Oracle Model
zkStudy Club: Subquadratic SNARGs in the Random Oracle Model
 
Ecfft zk studyclub 9.9
Ecfft zk studyclub 9.9Ecfft zk studyclub 9.9
Ecfft zk studyclub 9.9
 
Quarks zk study-club
Quarks zk study-clubQuarks zk study-club
Quarks zk study-club
 
zkStudyClub: CirC and Compiling Programs to Circuits
zkStudyClub: CirC and Compiling Programs to CircuitszkStudyClub: CirC and Compiling Programs to Circuits
zkStudyClub: CirC and Compiling Programs to Circuits
 

Último

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 

Último (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

ZK Study Club: Sumcheck Arguments and Their Applications

  • 1. Sumcheck Arguments and their Applications Jonathan Bootle (IBM Research – Zurich) Alessandro Chiesa (UC Berkeley) Katerina Sotiraki (UC Berkeley) https://ia.cr/2021/333 1
  • 2. Succinct arguments P V ⋮ 10 Common input 𝑥1 = 4 𝑥2 = 1 ⋮ Witness Completeness: if the witness is valid, the verifier accepts Soundness: if the witness is invalid, the verifier rejects Knowledge soundness: (later) Succinctness: the messages are much smaller than the witness 2
  • 3. The sumcheck protocol [LFKN92] P V Given a polynomial 𝑝(𝑋1, … , 𝑋ℓ) over a field 𝔽 and a value 𝑢 ∈ 𝔽, prove that σ𝜔∈𝐻ℓ 𝑝(𝜔1, … , 𝜔ℓ) = 𝑢 𝑞1 ∈ 𝔽[𝑋1] Checks that σ𝜔1∈𝐻 𝑞1 𝜔1 = 𝑢 σ𝜔2∈𝐻 𝑞2 𝜔2 = 𝑞1(𝑟1) ⋮ σ𝜔ℓ∈𝐻 𝑞ℓ 𝜔ℓ = 𝑞ℓ−1(𝑟ℓ−1) ⋮ Computes polynomials 𝑞𝑖 𝑋𝑖 = σ𝜔∈𝐻ℓ−𝑖 𝑝(𝑟1, . . , 𝑟𝑖−1, 𝑋𝑖, 𝜔𝑖+1, . . , 𝜔ℓ) Soundness: If σ𝜔∈𝐻ℓ 𝑝(𝜔1, … , 𝜔ℓ) ≠ 𝑢 then V accepts with probability at most ℓ⋅deg(𝑝) |𝔽| . Communication ℓ ⋅ deg 𝑝 elements of 𝔽 𝑟1 ← 𝔽 𝑞ℓ ∈ 𝔽[𝑋ℓ] 𝑟ℓ ← 𝔽 Evaluates 𝑝 to check that 𝑝(𝑟1, … , 𝑟ℓ) = 𝑞ℓ(𝑟ℓ) 3
  • 4. The sumcheck protocol is everywhere! Sumcheck protocol Probabilistic proofs [BFL91,BFLS91,GKR08] Sumcheck-based succinct arguments [Thaler13] [CMT13], [VSBW13], [W+17], [ZGKPP17], [WTSTW18], [XZZPS19], [Set20] Univariate-sumcheck- based arguments [BCRSVS19] [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20] Sumchecks for tensor codes [Meir13] [RR20], [BCG20], [BCL20] • Linear-time prover [Thaler13,ZXZS20] • Small space [CMT13] (can be implemented with streaming access) • Strong soundness properties [CCHLRR18] (can make non-interactive without random oracles) Useful properties: 4
  • 5. The sumcheck protocol is everywhere! Sumcheck protocol Probabilistic proofs [BFL91,BFLS91,GKR08] Sumcheck-based succinct arguments [Thaler13] [CMT13], [VSBW13], [W+17], [ZGKPP17], [WTSTW18], [XZZPS19], [Set20] Univariate-sumcheck- based arguments [BCRSVS19] [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20] Sumchecks for tensor codes [Meir13] [RR20], [BCG20], [BCL20] • Linear-time prover [Thaler13,ZXZS20] • Small space [CMT13] (can be implemented with streaming access) • Strong soundness properties [CCHLRR18] (can make non-interactive without random oracles) Useful properties: https://zkproof.org/2020/03/16/sum-checkprotocol/ 5
  • 6. Pairing-group arguments [LMR19], [ZGKPP17], [XZZPS19] Split-and-fold techniques: a separate body of work? Discrete-log arguments [BBBPWM18], [PLS19], [HKR19], [BHRRS20] Unknown-order-group arguments [BFS20], [BHRRS21] Lattice arguments [BLNS20], [ACK21], [LA20] Some unifying abstractions: [BMMTV19,AC20,BDFG21] Split-and-fold [BCCGP16] • Linear-time prover • Streaming prover [BHRRS20], [BHRRS21] (can be implemented in small space) Useful properties: 6
  • 7. Pairing-group arguments [LMR19], [ZGKPP17], [XZZPS19] Split-and-fold techniques: a separate body of work? Discrete-log arguments [BBBPWM18], [PLS19], [HKR19], [BHRRS20] Unknown-order-group arguments [BFS20], [BHRRS21] Lattice arguments [BLNS20], [ACK21], [LA20] Some unifying abstractions: [BMMTV19,AC20,BDFG21] Split-and-fold [BCCGP16] • Linear-time prover • Streaming prover [BHRRS20], [BHRRS21] (can be implemented in small space) Useful properties: https://www.coindesk.com/aim-fire-bulletproofs-breakthrough-privacy-blockchains [BBBPWM18] implemented in Rust, Haskell, Javascript, and deployed by Blockstream, and in Monero, Mimblewimble and more… 7
  • 9. From two bodies of work… …to a unified perspective Sumchecks and commitment schemes [VSBW13], [Wah+17], [ZGKPP17], [WTSTW18], [XZZPS19], [BCRSVS19], [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20], [Set20] Sumcheck arguments (this work) [BCCGP16], [BBBPWM18], [LMR19], [BMMTV19], [PLS19], [HKR19], [BHRRS20], [ACR20], [ACF20], [BFS20], [BLNS20], [AC20], [BDFG21], [BHRRS21], [LA21], [ACK21] Folding techniques Sumcheck protocol 9
  • 10. General goal: succinct arguments for commitment openings P V Common input: • commitment 𝐶 • commitment key 𝑐𝑘 Succinctness goal: communication ≪ |𝑚| ⋮ Focus: commitments with special structure Claim: ∃ 𝑚 such that 𝐶 = Com 𝑐𝑘, 𝑚 10
  • 11. A new notion : sumcheck-friendly commitments Definition: A commitment scheme CM is sumcheck friendly if Com 𝑐𝑘, 𝑚 = ෍ 𝜔1,…,𝜔ℓ∈𝐻 𝑓(𝑝𝑚 𝜔1, … , 𝜔ℓ , 𝑝𝑐𝑘 𝜔1, … , 𝜔ℓ ) Example: Pedersen commitments 𝐶 = 𝑎1 ⋅ 𝑔1 + ⋯ + 𝑎𝑛 ⋅ 𝑔𝑛 𝐻 = −1,1 𝑅 = 𝔽𝑝 message polynomial in 𝕄[𝑋1, … , 𝑋ℓ], 𝕄 an 𝑅-module evaluation points from 𝐻 ⊆ 𝑅, 𝑅 a ring key polynomial in 𝕂[𝑋1, … , 𝑋ℓ], 𝕂 an 𝑅-module combiner function 𝑓 ∶ 𝕄 × 𝕂 → ℂ 𝕂 = 𝔾, 𝑝𝑐𝑘 𝑋1, … , 𝑋ℓ = σ 𝑔𝑖1,…,𝑖ℓ 𝑋1 𝑖1 … 𝑋ℓ 𝑖ℓ ℂ = 𝔾 𝑓: 𝑎, 𝑔 → 𝑎 ⋅ 𝑔 commitment space ℂ is an 𝑅-module 𝕄 = 𝔽𝑝, 𝑝𝑚 𝑋1, … , 𝑋ℓ = σ 𝑎𝑖1,…,𝑖ℓ 𝑋1 𝑖1 … 𝑋ℓ 𝑖ℓ 11
  • 12. Main result: sumcheck arguments Theorem 1: Let CM be a commitment scheme which is sumcheck-friendly and invertible. Given a commitment key 𝑐𝑘 and a commitment 𝐶, the sumcheck protocol applied to (with one extra verifier check) is a succinct argument of knowledge for the claim ∃𝑚 such that 𝐶 = Com(𝑐𝑘, 𝑚), with Sumcheck works over rings and modules Think 𝑂(log |𝑚|) 𝑝 𝑋1, … , 𝑋ℓ = 𝑓 𝑝𝑚 𝑋1, … , 𝑋ℓ , 𝑝𝑐𝑘 𝑋1, … , 𝑋ℓ ∈ ℂ[𝑋1, … , 𝑋ℓ] • completeness • soundness • communication ℓ ⋅ deg 𝑝 12
  • 13. Application: succinct arguments for NP [VSBW13], [Wah+17], [ZGKPP17], [WTSTW18], [XZZPS19], [BCRSVS19], [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20], [Set20] [BCCGP16], [BBBPWM18], [LMR19], [BMMTV19], [PLS19], [HKR19], [BHRRS20], [ACR20], [ACF20], [BFS20], [BLNS20], [AC20], [BDFG21], [BHRRS21], [LA21], [ACK21] scalar-product arguments for bilinear modules Step 1: reduce NP statements to scalar products Step 2: use efficient subroutine for scalar-products Sumcheck protocol Sumchecks and commitment schemes Folding techniques Sumcheck arguments (this work) 13
  • 14. Application to R1CS over rings R1CS problem over a ring 𝑹: given matrices 𝐴, 𝐵, 𝐶 ∈ 𝑅𝑛×𝑛 , does there exist 𝑧 ∈ 𝑅𝑛 satisfying 𝐴𝑧 ∘ 𝐵𝑧 = 𝐶𝑧? Theorem 2: Let (𝑀𝐿, 𝑀𝑅, 𝑀𝑇, 𝑒) be a “secure” bilinear module where 𝑀𝐿 is a ring. Let 𝐼 ⊆ 𝑀𝐿 be a suitable ideal. There is a ZK succinct argument of knowledge for R1CS with R1CS Ring Prover time Verifier time Proof size 𝑀𝐿/𝐼 𝑂 𝑛 ops in 𝑀𝐿, 𝑀𝑅, 𝑀𝑇 𝑂 𝑛 ops in 𝑀𝐿, 𝑀𝑅, 𝑀𝑇 𝑂 log 𝑛 elems of 𝑀𝑇 Has enough structure for Pedersen and Schnorr Bilinear module: a triple of modules (𝑀𝐿, 𝑀𝑅, 𝑀𝑇) over the same ring with a bilinear map 𝑒 ∶ 𝑀𝐿 × 𝑀𝑅 → 𝑀𝑇. 14
  • 15. Lattice-based succinct arguments for R1CS Corollary: Let 𝑑 be a power of 2, 𝑝 ≪ 𝑞 primes, 𝑅𝑝 ≔ ℤ𝑝[𝑋]/ 𝑋𝑑 + 1 and similarly for 𝑅𝑞. Then assuming SIS is hard over 𝑅𝑞, there is a zero- knowledge succinct argument of knowledge for R1CS with R1CS Ring Prover time Verifier time Proof size 𝑅𝑝 𝑂 𝑛 ops in 𝑅𝑝, 𝑅𝑞 𝑂 𝑛 ops in 𝑅𝑝, 𝑅𝑞 𝑂 log 𝑛 elems of 𝑅𝑞 Concurrent work: • [LA21] gives impossibility results and improvements for lattice POKs • [ACK21] gives lattice-based succinct arguments for NP 15
  • 16. Open questions • Analyse the post-quantum security of sumcheck arguments • Investigate new lattice instantiations [LA21] and concrete performance improvements • Give instantiations of [BFS20,Lee21,BHHRS21] in our framework (or a generalization) 16
  • 18. Sumcheck arguments for commitment schemes Rings and modules Groups Pedersen commitments Scalar-product commitments Sumcheck-friendly commitments Generalised sumcheck-friendly commitments Today: Many more details and results in the paper! 18
  • 19. 19 sumcheck protocol for ෍ 𝜔 ∈ −1,1 log(𝑛) 𝑝𝑎 ഫ 𝜔 𝑝ഫ 𝐺 ഫ 𝜔 = 𝑛 𝐶 Sumcheck argument for Pedersen Common input: • commitment 𝐶 ∈ 𝔾 • key ഫ 𝐺 ∈ 𝔾𝑛 Claim: ∃പ 𝑎 ∈ 𝔽𝑛 s.t. 𝐶 = പ 𝑎, ഫ 𝐺 V 𝑝ഫ 𝑎 പ 𝑟 𝑟 ← 𝔽log(𝑛) 𝑞1, … , 𝑞log 𝑛 𝑟 “split-and-fold technique” [BCCGT16] is equivalent! (See App. A in the paper) P Opening: പ 𝑎 ∈ 𝔽𝑛 പ 𝑎 Communication: 3 log 𝑛 𝔾 + (log 𝑛 + 1) 𝔽 Verifier computation: O 𝑛 𝔾 𝑞1 1 + 𝑞1 −1 = 𝑛𝐶? 𝑞log(𝑛) 1 + 𝑞log(𝑛) −1 = 𝑞log(𝑛)−1(𝑟log 𝑛 −1)? ⋮ Consistency check: 𝑝𝑎 𝑟 𝑝𝐺 𝑟 = 𝑞log 𝑛 (𝑟log 𝑛 )?
  • 20. Claim: σഫ 𝜔∈ −1,1 log(𝑛) 𝑝ഫ 𝑎 ഫ 𝜔 𝑝ഫ 𝐺 ഫ 𝜔 = 𝑛 പ 𝑎, ഫ 𝐺 (recall 𝑝𝑟 ഫ 𝑋 = σ𝑖=1 𝑛 𝑟Ӊ 𝑖𝑋1 𝑖1 ⋯ 𝑋log(𝑛) 𝑖log(𝑛) ) Completeness (part 1) Lemma: If പ 𝑎, ഫ 𝐺 = 𝐶, then the verifier accepts with probability 1. It suffices to show the following claim. Sumcheck argument: Pedersen ෍ ഫ 𝜔∈ −1,1 log(𝑛) 𝑝ഫ 𝑎 ഫ 𝜔 𝑝ഫ 𝐺 ഫ 𝜔 𝑛 പ 𝑎, ഫ 𝐺 hypothesis what the sumcheck protocol checks 𝑛𝐶 20
  • 21. Completeness (part 2) σ𝜔 ∈ −1,1 log(𝑛) 𝑝𝑎 𝜔 𝑝𝐺 𝜔 cancels monomials of odd degree in any variable, e.g., 𝑋1𝑋2 2 𝑋3 2 𝑝𝑎 𝑋 𝑝𝐺 𝑋 Hence, σ𝜔 ∈ −1,1 log(𝑛) 𝑝𝑎 𝜔 𝑝𝐺 𝜔 receives contributions from monomials 𝑋1 2𝑖1 ⋯ 𝑋log(𝑛) 2𝑖log(𝑛) Monomials of the form 𝑋1 2𝑖1 ⋯ 𝑋log(𝑛) 2𝑖log(𝑛) arise from 𝑎 Ӊ 𝑖𝑋1 𝑖1 ⋯ 𝑋log 𝑛 𝑖log 𝑛 ∙ 𝐺 Ӊ 𝑖𝑋1 𝑖1 ⋯ 𝑋log 𝑛 𝑖log 𝑛 Sumcheck argument: Pedersen Claim: σ𝜔∈ −1,1 log(𝑛) 𝑝𝑎 𝜔 𝑝𝐺 𝜔 = 𝑛 𝑎, 𝐺 (recall 𝑝𝑟 𝑋 = σ𝑖=1 𝑛 𝑟Ӊ 𝑖𝑋1 𝑖1 ⋯ 𝑋log(𝑛) 𝑖log(𝑛) ) 21 𝑖1, … , 𝑖log 𝑛 ∈ {0,1}
  • 22. What kind of soundness? Knowledge soundness Sumcheck argument: Pedersen There exists an extractor that given a suitable tree of accepting transcripts for a commitment key 𝑐𝑘 and commitment 𝐶, finds an opening 𝑚 such that 𝐶 = Com(𝑐𝑘, 𝑚). Soundness (part 1) ⋮ ⋮ ⋮ 𝑟1 (1) 𝑟1 (2) 𝑟1 (3) 𝑞1 𝑞2 𝑟1 (1) 𝑞2 𝑟1 (2) 𝑞2 𝑟1 (3) P V 𝑞1 ⋮ 𝑟1 𝑞ℓ 𝑟ℓ E message 𝑚 22
  • 23. Lemma: There exists an extractor that, given a 3-ary tree of accepting transcripts for key ഫ 𝐺 and commitment 𝐶, finds an opening 𝑎 such that 𝐶 = 𝑎, 𝐺 . ⋮ ⋮ ⋮ 𝑟1 (1) 𝑟1 (2) 𝑟1 (3) 𝑞1 𝑞2 𝑟1 (1) 𝑞2 𝑟1 (2) 𝑞2 𝑟1 (3) 𝟑𝐥𝐨𝐠 𝒏 −𝟏 openings of size 2 for 𝑞ℓ−1 𝑟ℓ −1 with key ഫ 𝐺ℓ−1 ∈ 𝔾2 𝟑𝐥𝐨𝐠 𝒏 openings of size 1 for 𝑞ℓ 𝑟ℓ with key 𝑝𝐺 പ 𝑟 ∈ 𝔾 𝟑𝒊−𝟏 openings of size 𝟐𝐥𝐨𝐠 𝒏 −𝒊+𝟏 for 𝑞𝑖−1 𝑟𝑖−1 with key ഫ 𝐺𝑖−1 ∈ 𝔾2log 𝑛 −𝑖+1 where ഫ 𝐺𝑖−1 is the vector of coefficients of 𝑝𝐺 𝑟1, … , 𝑟𝑖−1, ഫ 𝑋 . 1 opening of size 𝟐𝐥𝐨𝐠 𝒏 = 𝒏 for 𝑛𝐶 with key ഫ 𝐺 ∈ 𝔾𝑛 Round 1 Round 𝒊 Round 𝐥𝐨𝐠(𝐧) Sumcheck argument: Pedersen Soundness (part 2) 23
  • 24. Soundness (part 3) In the protocol, 𝑞𝑖 𝑋 = σഫ 𝜔∈{−1,1 }ℓ−𝑖 𝑝ഫ 𝑎 𝑟1, … , 𝑟𝑖−1, 𝑋, ഫ 𝜔 𝑝𝐺 𝑟1, … , 𝑟𝑖−1, 𝑋, ഫ 𝜔 . So, 𝑞𝑖 𝑋 is quadratic. Claim: If ഫ 𝜋(𝑗) ∈ 𝔽2ℓ−𝑖 is opening for 𝑞𝑖(𝑟𝑖 (𝑗) ) for 𝑗 ∈ [3], we can find an opening of size 2ℓ−𝑖+1 for 𝑞𝑖−1(𝑟𝑖−1). Sumcheck argument: Pedersen 3-ary tree contains three evaluations of 𝑞𝑖 𝑋 such that ∀𝑗 ∈ 3 , 𝑞𝑖 𝑟𝑖 (𝑗) = ഫ 𝜋(𝑗), ഫ 𝐺𝑖 Then we can find 𝑞𝑖−1 𝑟𝑖−1 = 𝑞𝑖 1 + 𝑞𝑖 −1 = ഫ 𝜋′, ഫ 𝐺𝑖−1 Verifier’s check 24 Goal: find ഫ 𝜋 such that 𝑞𝑖 𝑋 = ഫ 𝜋(Χ), ഫ 𝐺𝑖−1
  • 25. Soundness (part 4) ഫ 𝐺𝑘 is the vector of coefficients of 𝑝𝐺 𝑟1, … , 𝑟𝑘, ഫ 𝑋 = ഫ 𝜋(𝑗), (ഫ 𝐺𝑖−1,𝐿+ 𝑟𝑖 (𝑗) ഫ 𝐺𝑖−1,𝑅) = ഫ 𝜋 𝑗 , 𝑟𝑖 (𝑗) ഫ 𝜋 𝑗 , ഫ 𝐺𝑖−1 Sumcheck argument: Pedersen Claim: If ഫ 𝜋(𝑗) ∈ 𝔽2ℓ−𝑖 is opening for 𝑞𝑖(𝑟𝑖 (𝑗) ) for 𝑗 ∈ [3], we can find an opening of size 2ℓ−𝑖+1 for 𝑞𝑖−1(𝑟𝑖−1). 3-ary tree contains three evaluations of 𝑞𝑖 𝑋 such that ∀𝑗 ∈ 3 , 𝑞𝑖 𝑟𝑖 (𝑗) = ഫ 𝜋(𝑗) , ഫ 𝐺𝑖 ഫ 𝜋 such that 𝑞𝑖 𝑋 = ഫ 𝜋(Χ), ഫ 𝐺𝑖−1 linear algebra 25 Pedersen commitment is invertible.
  • 26. Sumcheck arguments for commitment schemes Rings and modules Groups Pedersen commitments Scalar-product commitments Sumcheck-friendly commitments Generalised sumcheck-friendly commitments Today: 26
  • 27. 27 sumcheck protocol for ෍ 𝜔 ∈ −1,1 log(𝑛) 𝑝𝑎 𝜔 𝑝ഫ 𝐺1 𝜔 𝑝𝑏 𝜔 𝑝ഫ 𝐺2 𝜔 𝑝𝑎 𝜔 𝑝𝑏 𝜔 𝑈 = 𝑛 𝐶 Common input: • key ഫ 𝐺1, ഫ 𝐺2, 𝑈 ∈ 𝔾2𝑛+1 • commitment 𝐶 ∈ 𝔾3 Claim: ∃ പ 𝑎, പ 𝑏 ∈ 𝔽2𝑛 s.t. 𝐶 = പ 𝑎, ഫ 𝐺1 , പ 𝑏, ഫ 𝐺2 , പ 𝑎, പ 𝑏 𝑈 𝑝𝑎 പ 𝑟 , 𝑝𝑏(പ 𝑟) Sumcheck argument for scalar-product commitments P Opening: പ 𝑎, പ 𝑏 ∈ 𝔽2𝑛 V 𝑟 Consistency check: 𝑝𝑎 𝑟 𝑝ഫ 𝐺1 𝑟 𝑝𝑏 𝑟 𝑝ഫ 𝐺2 𝑟 𝑝𝑎 𝑟 𝑝𝑏 𝑟 𝑈 = 𝑞ℓ(𝑟ℓ)? 𝑟 ← 𝔽log(𝑛) പ 𝑎, പ 𝑏 Communication: succinct Verifier computation: linear 𝑞1, … , 𝑞log 𝑛 𝑞1 1 + 𝑞1 −1 = 𝑛𝐶? 𝑞log(𝑛) 1 + 𝑞log(𝑛) −1 = 𝑞log(𝑛)−1(𝑟log 𝑛 −1)? ⋮
  • 28. Completeness and soundness Lemma: The verifier accepts with probability 1. 𝐶 = പ 𝑎, ഫ 𝐺1 പ 𝑏, ഫ 𝐺2 പ 𝑎, പ 𝑏 𝑈 𝑝ഫ 𝑎 ഫ 𝑋 𝑝ഫ 𝐺1 ഫ 𝑋 𝑝ഫ 𝑏 ഫ 𝑋 𝑝ഫ 𝐺2 ഫ 𝑋 𝑝𝑎 ഫ 𝑋 𝑝𝑏 ഫ 𝑋 𝑈 Follows from completeness for Pedersen Lemma: If the commitment scheme is binding, there exists an extractor that, given a 4-ary tree of accepting transcripts for key (ഫ 𝐺1, ഫ 𝐺2) and commitment 𝐶, finds an opening പ 𝑎, പ 𝑏 such that 𝐶 = 𝑎, 𝐺1 , 𝑏, 𝐺2 , 𝑎, 𝑏 𝑈 . Similarly to Pedersen, we extract opening for each components. Using a computational assumption and the larger tree, we show that third component is the scalar-product പ 𝑎, പ 𝑏 . Scalar-product commitment is invertible. Sumcheck argument: Scalar-product commitment 28
  • 29. Sumcheck arguments for commitment schemes Rings and modules Groups Pedersen commitments Scalar-product commitments Sumcheck-friendly commitments Generalised sumcheck-friendly commitments Today: 29
  • 30. Sumcheck-friendly commitments Definition: A commitment scheme CM is sumcheck friendly if Com 𝑐𝑘, 𝑚 = ෍ 𝜔1,…,𝜔ℓ∈𝐻 𝑓(𝑝𝑚 𝜔1, … , 𝜔ℓ , 𝑝𝑐𝑘 𝜔1, … , 𝜔ℓ ) message polynomial in 𝕄[𝑋1, … , 𝑋ℓ], 𝕄 an 𝑅-module evaluation points from 𝐻 ⊆ 𝑅, 𝑅 a ring key polynomial in 𝕂[𝑋1, … , 𝑋ℓ], 𝕂 an 𝑅-module combiner function 𝑓 ∶ 𝕄 × 𝕂 → ℂ commitment space ℂ is an 𝑅-module Sumcheck arguments for sumcheck-friendly commitments? 30
  • 31. 31 𝑝𝑚(പ 𝑟) Sumcheck argument for sumcheck-friendly commitments 𝑟 ← 𝔽ℓ 𝑟 Common input: • key 𝑐𝑘 • commitment 𝐶 Claim: ∃𝑚 s.t. 𝐶 = σഫ 𝜔 ∈ 𝐻ℓ 𝑓 𝑝𝑚 ഫ ω , 𝑝𝑐𝑘 ഫ 𝜔 P Opening: 𝑚 V Consistency check: 𝑓 𝑝𝑚 𝑟 , 𝑝𝑐𝑘 𝑟 = 𝑞ℓ(𝑟ℓ)? 𝑚 Communication: sumcheck + |𝑝𝑚 പ 𝑟 | Verifier computation: computation of 𝑝𝑐𝑘 𝑟 and 𝑓 𝑞1, … , 𝑞ℓ σ𝜔∈𝐻 𝑞1 𝜔 = 𝐶? σ𝜔∈𝐻 𝑞ℓ 𝜔 = 𝑞ℓ−1(𝑟ℓ−1)? ⋮ sumcheck protocol for σ𝜔 ∈ 𝐻ℓ 𝑓 𝑝𝑚 𝜔 , 𝑝𝑐𝑘 𝜔 = 𝐶
  • 32. Extractor works inductively as in Pedersen using invertibility in each layer Completeness and soundness Lemma: The verifier accepts with probability 1. Follows directly from definition of sumcheck-friendly commitments Lemma: If commitment scheme is invertible, there exists an extractor that, given a suitable tree of accepting transcripts for key 𝑐𝑘 and commitment 𝐶, finds an opening 𝑚. Sumcheck argument: Sumcheck-friendly commitment 32
  • 33. 𝑟𝑖 (𝑲) 𝑟𝑖 (2) Given polynomial 𝑞𝑖(𝑋) and “openings’’ 𝑝 1 ഫ X , … , 𝑝(𝑲) ഫ X such that ∀𝑗 ∈ 𝐾 ∶ 𝑞𝑖 𝑟(𝑗) = σഫ 𝜔∈𝐻ℓ−𝑖 𝑓 𝑝(𝑗) ഫ 𝜔 , 𝑝𝑐𝑘(𝑟1, … , 𝑟𝑖 (𝑗) , ഫ 𝜔) We can find polynomial 𝑝 such that σ𝜔∈𝐻 𝑞𝑖 (𝜔) = σഫ 𝜔∈𝐻ℓ−𝑖+1 𝑓 𝑝 ഫ 𝜔 , 𝑝𝑐𝑘(𝑟1, … , 𝑟𝑖−1, ഫ 𝜔) Invertibility 𝑟𝑖 (1) 𝑞𝑖 … Property that allows to climb up the tree from layer to layer. 𝑝(1) 𝑝(2) 𝑝(𝐊) K- Invertible commitment schemes: Pedersen commitments, scalar-product commitments, linear-function commitments Extra variable 𝑋𝑖: 𝑝 “bigger” than 𝑝(𝑗) Sumcheck argument: Sumcheck-friendly commitment 33
  • 34. Sumcheck arguments for commitment schemes Rings and modules Groups Pedersen commitments Scalar-product commitments Sumcheck-friendly commitments Generalised sumcheck-friendly commitments Today: 34
  • 35. From groups to rings Goal: an abstraction for mathematical structures where folding techniques can work Everything so far extends to general 𝔽-vector spaces, e.g., bilinear groups [BMMTV19]. Scalar-product commitments for bilinear groups: ഫ 𝒂, ഫ 𝑮𝟏 , ഫ 𝒃, ഫ 𝑮𝟐 , ഫ 𝒂, ഫ 𝒃 ∈ 𝔾𝑻 𝟑 𝔾1 𝔾2 Lattices and groups of unknown order? 35
  • 36. Messages Keys Commitments Assumption small 𝑀𝐿 𝑀𝑅 𝑀𝑇 Bilinear Relation Assumption From groups to rings: bilinear modules Norm checks: only “short” elements are valid messages e.g., for ring-SIS 𝑹-module 𝑴: generalization of vector space over rings Bilinear module: 𝑀𝐿, 𝑀𝑅, 𝑀𝑇, 𝑒 such that • 𝑀𝐿, 𝑀𝑅, 𝑀𝑇 are 𝑅-modules • 𝑒 ∶ 𝑀𝐿 × 𝑀𝑅 → 𝑀𝑇 is 𝑅-bilinear Pedersen example: 𝐶 = 𝑎1𝐺1 + ⋯ + 𝑎𝑛𝐺𝑛 = ⟨𝑎 , 𝐺⟩ ‘Multiply’ message and key elements using 𝑒 Add the pieces together Hard to find small 𝑎 such that 𝑎 , 𝐺 = 0 Can define polynomials over message and key spaces 36
  • 37. 37 𝑝𝑚(പ 𝑟) 𝑟 ← 𝒞ℓ 𝑟 common input: • key 𝑐𝑘 • commitment 𝐶 claim: ∃𝑚 with 𝒎 ≤ 𝑩 s.t. 𝐶 = σഫ 𝜔 ∈ 𝐻ℓ 𝑓 𝑝𝑚 ഫ 𝜔 , 𝑝𝑐𝑘 ഫ 𝜔 P Opening: 𝑚 with 𝒎 ≤ 𝑩 V consistency check: 𝑓 𝑝𝑚 𝑟 , 𝑝𝑐𝑘 𝑟 = 𝑣? 𝒑𝒎(പ 𝒓) ≤ 𝑩∗? 𝑚 From groups to rings: sumcheck arguments Natural bound for evaluation of 𝒑𝒎 on 𝒞ℓ 𝑞1, … , 𝑞ℓ ⋮ Special challenge set ⊆ 𝑹! (necessary even for sumcheck protocol) σ𝜔∈𝐻 𝑞1 𝜔 = 𝐶? σ𝜔∈𝐻 𝑞ℓ 𝜔 = 𝑞ℓ−1(𝑟ℓ−1)? sumcheck protocol for σ𝜔 ∈ 𝐻ℓ 𝑓 𝑝𝑚 𝜔 , 𝑝𝑐𝑘 𝜔 = 𝐶
  • 38. Arithmetic over rings might cause slackness factors and increase in norm. e.g., for Pedersen, the extracted relaxed opening 𝑎 for 𝐶 and 𝐺: 𝝃ℓ ⋅ 𝐶 = 𝑎, 𝐺 with പ 𝑎 ≤ 𝑁ℓ ⋅ 𝐵∗ From groups to rings: soundness Lemma: If commitment scheme is invertible, there exists an extractor that, given a suitable tree of accepting transcripts for key 𝑐𝑘 and commitment 𝐶, finds a relaxed opening 𝑚. Challenges: 1. Linear algebra different over rings and modules 2. Norm considerations arise Ring 𝒞 𝜉 𝛮 ℤ𝑞 𝑋 < 𝑋𝑑 + 1 > {𝑋𝑖: 0 ≤ 𝑖 ≤ 2𝑑 − 1 } 8 𝑂(𝑑7) Parameters for lattices: Tighter analysis in [LA21], [ACK21] Tighter analysis in [LA21], [ACK21] 38
  • 39. e.g., for Pedersen, the extracted relaxed opening 𝑎 for 𝐶 and 𝐺: 𝝃ℓ ⋅ 𝐶 = 𝑎, 𝐺 with പ 𝑎 ≤ 𝑁ℓ ⋅ 𝐵 From groups to rings: R1CS over rings Lemma (soundness): There exists an extractor that finds an R1CS witness. Without slackness! 𝐶 = 𝑎/𝝃ℓ, 𝐺 with പ 𝑎/𝝃ℓ ≤ 𝐵′ Issues: 1. 𝜉 might not be invertible 2. പ 𝑎/𝜉ℓ might not be small Ideal 𝐼 such that 𝜉 (mod 𝐼) is invertible, 𝑥 (mod 𝐼) small for all 𝑥 𝐶 = 𝑎/𝜉ℓ(𝐦𝐨𝐝 𝑰), 𝐺 with പ 𝑎/𝜉ℓ(𝐦𝐨𝐝 𝑰) ≤ 𝐵′ A remark about our R1CS result: 39
  • 40. Instantiations of bilinear modules Assumption Messages Keys Commitments Ideal BRA small 𝑀𝐿 𝑀𝑅 𝑀𝑇 𝐼 DLOG 𝔽𝑝 𝔾 𝔾 {0} DPAIR[AFGHO10] 𝔾1 𝔾2 𝔾𝑇 {0} UO [BFS20] small ℤ 𝔾 𝔾 𝑛ℤ for suitable small 𝑛 RSIS [Ajtai94] small 𝑅𝑞 𝑅𝑞 𝑑 𝑅𝑞 𝑑 𝑛ℤ for suitable small 𝑛 40
  • 42. Summary of results Theorem 1: The sumcheck protocol applied to a sumcheck-friendly commitment scheme is a succinct argument of knowledge of commitment openings. Theorem 2: Let (𝑀𝐿, 𝑀𝑅, 𝑀𝑇) be a secure bilinear module with 𝑀𝐿 a ring and 𝐼 ⊆ 𝑀𝐿 an ideal. There is a ZK succinct argument of knowledge for R1CS with Corollary: Let 𝑝 ≪ 𝑞 primes, 𝑅𝑝 ≔ ℤ𝑝[𝑋]/ 𝑋𝑑 + 1 and similarly for 𝑅𝑞. Then assuming SIS is hard, there is a ZK succinct argument of knowledge for R1CS with R1CS Ring Prover and verifier time Proof size 𝑀𝐿/𝐼 𝑂 𝑛 ops 𝑀𝐿, 𝑀𝑅, 𝑀𝑇 𝑂 log 𝑛 elems R1CS Ring Prover and verifier time Proof size 𝑅𝑝 𝑂 𝑛 ops 𝑅𝑝, 𝑅𝑞 𝑂 log 𝑛 elems 𝑅𝑞 42
  • 43. Takeaways • Many commitment schemes are sumcheck friendly • We can recast many different cryptographic settings as bilinear modules • In the paper: instantiations and polynomial commitment schemes 43
  • 44. Thanks! [VSBW13], [Wah+17], [ZGKPP17], [WTSTW18], [XZZPS19], [BCRSVS19], [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20], [Set20] [BCCGP16], [BBBPWM18], [LMR19], [BMMTV19], [PLS19], [HKR19], [BHRRS20], [ACR20], [ACF20], [BFS20], [BLNS20], [AC20], [BDFG21], [BHRRS21], [LA21], [ACK21] Sumcheck protocol https://ia.cr/2021/333 Sumchecks and commitment schemes Folding techniques Sumcheck arguments (this work) 44