Log-derivative lookups for improving performance of non-native arithmetic in SNARKs
Ivo Kubjas
gnark
August 3, 2023
Motivation
- In pairing-based SNARKs we work in a pairing-friendly elliptic curve group.
- The arithmetic is defined over the scalar field of the EC group.
- The computation (circuit) is defined as a relation between polynomials.
- Succinct verification: the verifier only receives commitments to some polynomials, asks for openings and checks the relation on the evaluations.
- Heavy prover: has to compute the relation, so it needs FFT/NTT for any reasonably-sized circuit.
Motivation
- But the curves which are good for SNARKs are not the ones practical applications use:
  - ECDSA over BN254, P-256/P-384
  - RSA signature scheme
  - BLS signatures
- We need arithmetic that is non-native to the scalar field!
Useful fields
[Figure: diagram of useful fields, contrasting fast fields for SNARKs with the fields of BLS signatures over 2-chains]
Non-native arithmetic
- Chinese remainder theorem: schoolbook multi-precision integer multiplication (https://hackmd.io/@arielg/B13JoihA8)
- Casting out primes (nines): check against many small prime moduli (https://eprint.iacr.org/2022/1470)
- Goblin Plonk: presented at ZKSG a few weeks ago
- xjSNARK-style polynomial identity testing (https://akosba.github.io/papers/xjsnark.pdf)
Representation
- Moduli: $r$ for the native field and $q$ for the non-native field.
- Decompose a non-native element $a$ in base $2^B$:
  $a = \sum_{i=0}^{N-1} a_i 2^{iB}, \quad \forall a_i \in [0, 2^B)$
- If $2^B < r$, then the limbs $a_i$ fit into the native field.
[Figure: a native field element holding one limb of the non-native element, which is stored as limbs $a_0, a_1, a_2$]
- Have to track whether possibly $a_i \geq 2^B$. Introduce an overflow such that $a_i \in [0, 2^{B + \mathrm{overflow}})$.
Arithmetic 101
- Arithmetic on integers; do not bother about modular reduction for now.
- Addition limb-wise: $a + b = \sum_{i=0}^{N-1} (a_i + b_i)\, 2^{iB}$. Set $\mathrm{overflow} = \max(\mathrm{overflow}_a, \mathrm{overflow}_b) + 1$.
- It is going to be easy...
- Subtraction limb-wise: $a - b = \sum_{i=0}^{N-1} (a_i - b_i)\, 2^{iB}$. But what if $b_i > a_i$? 🤯
- Being in a field, we can add multiples of $q$: a padding $s = \alpha q$ chosen such that $s_i > b_i$ for every limb.
- Subtraction: compute $a + s - b$, which then never underflows.
Multiplication
- Naive integer multiplication:
  $c = a \cdot b \iff c_\ell = \sum_{i + j = \ell} a_i b_j$ for the $2N-1$ result limbs $\ell = 0, \ldots, 2N-2$
- Observe: native multiplication complexity $O(N^2)$.
- xjSNARK observations:
  - for an integer $a = \sum_i a_i 2^{iB}$ associate the polynomial $a(X) = \sum_i a_i X^i$
  - can compute $c$ out-of-circuit (using advice/hint) and then only have to assert $a(X) \cdot b(X) = c(X)$
  - cannot do Schwartz-Zippel (no in-circuit randomness), but the degree of $c(X)$ is small enough to brute-force: check the identity at $2N-1$ fixed points
  - constants!
- Got $O(N)$ multiplication complexity (T&C apply).
- Overflow of the result limbs bounded by $B + \mathrm{overflow}_a + \mathrm{overflow}_b + \log_2(2N-1)$.
- Glossed over: the $c_\ell$ coming from the hint still need to be range-checked.
Modular reduction
- Can amortize multiplications before we have to mod-reduce.
- But in practice not useful, as the limb count grows exponentially and the overflows get large, so range checks become very difficult.
- $a \equiv b \pmod q \iff \exists \alpha : a - b = \alpha q$ (NB! integer assertion)
- Could try comparing limb-wise, but $a - b$ and $\alpha q$ may have different overflows.
- To carry the excess, need to partition the limbs at a common split, so need to range check the carries to ensure the partition is correct.
[Figure: limbs $a_0, a_1, a_2$ and $b_0, b_1, b_2$ compared limb-wise, with carries $e_0, e_1$ moved between adjacent limbs]
- For the equality check of $a$ and $b$, consider them as polynomials $a(X)$, $b(X)$ and a polynomial $e(X)$ made from the excess (carries):
  $a(X) = b(X) + (2^B - X)\, e(X)$
Mulmod
- Combining multiplication and modular reduction, we get:
  $a(X)\, b(X) \equiv c(X) + \alpha(X)\, q(X) + (2^B - X)\, e(X) \pmod r$
- Good in R1CS (polynomial evaluation at a constant point is a linear combination).
- Less good in PLONK.
- Some of the badness can be averted using caching.
Done?
- Multiplication complexity small-ish ($O(N)$ with small constants).
- But we have to range check: the modular residue $c$, the coefficient $\alpha$ and the carries $e$.
- A naive range check adds 1/2 constraint per bit ($O(B)$ with the same small constants):
  $(1 - x_i) \cdot x_i = 0 \quad \text{and} \quad \sum_i x_i 2^i = x$
- $B$ is up to 64 times larger than $N$.
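The Mulmod identity above, carried through in Go as an added example (this is an illustration written for this page, not gnark's emulated-field code and not code from the talk): the out-of-circuit hint computes the residue $c$, the quotient $\alpha$ and the carries $e$; the circuit-side check evaluates $a(\tau)b(\tau) = c(\tau) + \alpha(\tau)q(\tau) + (2^B - \tau)e(\tau)$ in the native field; and the last part shows why the "Done?" slide insists on range-checking $c$: an unreduced residue $c + q$ (with $\alpha - 1$) satisfies the polynomial identity and is only caught by the limb range check. The parameters (BN254 scalar field as $r$, secp256k1 base field as $q$, $B = 64$, $N = 4$), the function names and the operands are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Assumed for this example: native field r = BN254 scalar field, emulated modulus
// q = secp256k1 base field, N = 4 limbs of B = 64 bits (the slides' notation).
const limbBits, nbLimbs = 64, 4

var (
	nativeR, _ = new(big.Int).SetString("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10)
	emulQ, _   = new(big.Int).SetString("fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f", 16)
	base       = new(big.Int).Lsh(big.NewInt(1), limbBits) // 2^B
	mask       = new(big.Int).Sub(base, big.NewInt(1))
)

// toLimbs writes x >= 0 as n little-endian limbs in [0, 2^B): x = sum_i a_i 2^{iB} (n chosen by the caller).
func toLimbs(x *big.Int, n int) []*big.Int {
	limbs, t := make([]*big.Int, n), new(big.Int).Set(x)
	for i := range limbs {
		limbs[i] = new(big.Int).And(t, mask)
		t.Rsh(t, limbBits)
	}
	return limbs
}

// carries solves d(X) = (2^B - X) e(X) limb by limb: e_l = (d_l + e_{l-1}) / 2^B.
// Every division is exact and the top limb cancels iff d(2^B) = 0, i.e. iff the integer relation holds.
func carries(d []*big.Int) ([]*big.Int, bool) {
	e, prev := make([]*big.Int, len(d)-1), new(big.Int)
	for l := range e {
		quo, rem := new(big.Int).QuoRem(new(big.Int).Add(d[l], prev), base, new(big.Int))
		if rem.Sign() != 0 {
			return nil, false
		}
		e[l], prev = quo, quo
	}
	return e, new(big.Int).Add(d[len(d)-1], prev).Sign() == 0
}

// evalAt evaluates a limb polynomial at tau in the native field (Horner).
func evalAt(p []*big.Int, tau *big.Int) *big.Int {
	acc := new(big.Int)
	for i := len(p) - 1; i >= 0; i-- {
		acc.Mul(acc, tau).Add(acc, p[i]).Mod(acc, nativeR)
	}
	return acc
}

// Witness is what the out-of-circuit hint hands to the circuit: residue c, quotient alpha, carries e.
type Witness struct{ C, Alpha, E []*big.Int }

// BuildWitness derives the carries for a claimed (c, alpha); honest values are c = a*b mod q and
// alpha = (a*b - c)/q. ok is false when no carries absorb the limb-wise difference.
func BuildWitness(a, b, c, alpha *big.Int, cLimbs int) (Witness, bool) {
	aL, bL, qL, alphaL, cL := toLimbs(a, nbLimbs), toLimbs(b, nbLimbs), toLimbs(emulQ, nbLimbs), toLimbs(alpha, nbLimbs), toLimbs(c, cLimbs)
	d := make([]*big.Int, 2*nbLimbs-1) // d_l = sum_{i+j=l} (a_i b_j - alpha_i q_j) - c_l: schoolbook, no carry propagation
	for l := range d {
		d[l] = new(big.Int)
	}
	for i := 0; i < nbLimbs; i++ {
		for j := 0; j < nbLimbs; j++ {
			d[i+j].Add(d[i+j], new(big.Int).Mul(aL[i], bL[j])).Sub(d[i+j], new(big.Int).Mul(alphaL[i], qL[j]))
		}
	}
	for l, v := range cL {
		d[l].Sub(d[l], v)
	}
	e, ok := carries(d)
	return Witness{C: cL, Alpha: alphaL, E: e}, ok
}

// CheckMulMod is the in-circuit relation a(τ)b(τ) ≡ c(τ) + α(τ)q(τ) + (2^B − τ)e(τ) (mod r).
func CheckMulMod(a, b *big.Int, w Witness, tau *big.Int) bool {
	lhs := new(big.Int).Mul(evalAt(toLimbs(a, nbLimbs), tau), evalAt(toLimbs(b, nbLimbs), tau))
	rhs := new(big.Int).Mul(evalAt(w.Alpha, tau), evalAt(toLimbs(emulQ, nbLimbs), tau))
	rhs.Add(rhs, evalAt(w.C, tau)).Add(rhs, new(big.Int).Mul(new(big.Int).Sub(base, tau), evalAt(w.E, tau)))
	return lhs.Mod(lhs, nativeR).Cmp(rhs.Mod(rhs, nativeR)) == 0
}

// LimbsInRange is the range check the identity alone does not give: exactly n limbs, each in [0, 2^B).
func LimbsInRange(limbs []*big.Int, n int) bool {
	ok := len(limbs) == n
	for _, l := range limbs {
		ok = ok && l.Sign() >= 0 && l.Cmp(base) < 0
	}
	return ok
}

func main() {
	a, b := new(big.Int).Sub(emulQ, big.NewInt(12345)), new(big.Int).Sub(emulQ, big.NewInt(67890)) // constructed, near q so alpha >= 1
	alpha, c := new(big.Int).QuoRem(new(big.Int).Mul(a, b), emulQ, new(big.Int))
	tau, _ := rand.Int(rand.Reader, nativeR)
	honest, ok := BuildWitness(a, b, c, alpha, nbLimbs)
	fmt.Println("honest: carries exact", ok, "identity", CheckMulMod(a, b, honest, tau), "range", LimbsInRange(honest.C, nbLimbs))
	// Unreduced residue c+q together with alpha-1 is the same integer relation, so the polynomial
	// identity still passes; only the range check on c (which now needs a fifth limb) rejects it.
	forged, _ := BuildWitness(a, b, new(big.Int).Add(c, emulQ), new(big.Int).Sub(alpha, big.NewInt(1)), nbLimbs+1)
	fmt.Println("forged: identity", CheckMulMod(a, b, forged, tau), "range", LimbsInRange(forged.C, nbLimbs))
}
```

The carries are computed from the low limb upwards, which is exactly the partition at a common split the "Modular reduction" slide describes; in a circuit the carries arrive as a hint and are range-checked, since a prover who can pick unbounded $e_\ell$ could otherwise absorb any difference.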
Range checks
- UltraPLONK (custom gates + plookup): couldn't figure out how to do it nicely, and it also has to work in Groth16.
- Waksman permutation network: too small a saving.
- Multiset equality using the logarithmic derivative argument? (https://ia.cr/2022/1530)
  $\sum_{f_i} \frac{k_i}{X - f_i} = \sum_{s_j} \frac{1}{X - s_j}$
Fiat-Shamir challenge in-circuit
- We would need a succinct verifier challenge depending on $f_i$, $k_i$ and $s_i$.
- In-circuit hashing doesn't work: too expensive for the prover.
- Out-of-circuit challenge computation doesn't work: too expensive for the verifier, and it loses privacy.
- LegoSNARK commitment?
- Trick for efficiency: use part of the proof as a commitment.
Commitment as in-circuit challenge
- Pedersen vector commitment with the proving key as a basis.
- For binding, the basis has to be linearly independent: a basis with relations known to the prover would lead to multiple valid witnesses.
- If the prover can predict the commitment value for a random basis, then it can break discrete log.
- Hash the commitment with domain separation into the native field and use it as a public witness.
- For PLONK, we use a custom gate to mark committed variables and use its polynomial commitment as a public witness (https://ia.cr/2022/1072).
Using randomness in circuit
- Unified circuits for PLONK and R1CS.
- Multiple commitments: $\tau_i = H(i, \tau)$
- Tables by compressing entries and lookups: $f(\tau) = \sum_i f_i \tau^i$
- Boolean function pre-computation: $\mathrm{Lookup}(x \| y \| \mathrm{XOR}(x, y))$
- Non-native mulmod check:
  $a(\tau)\, b(\tau) \equiv c(\tau) + \alpha(\tau)\, q(\tau) + (2^B - \tau)\, e(\tau)$
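The logarithmic derivative argument from the "Range checks" slide, evaluated at a random challenge as the "Using randomness in circuit" slide describes, as an added example in Go (an illustration written for this page, not gnark's std/rangecheck package): the prover supplies the multiplicities, the verifier compares the two rational sums at $\tau$, and a 256-bit value is range-checked by splitting it into 16-bit chunks that are each looked up in a $2^{16}$-entry table. The native field (BN254 scalar field) and the function names are assumptions of the example; the challenge is drawn locally here, where a circuit would take it from the commitment.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Native field r = BN254 scalar field, assumed for this example.
var nativeR, _ = new(big.Int).SetString("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10)

// sumFractions returns sum_i w_i / (tau - v_i) mod r, the logarithmic derivative of
// prod_i (X - v_i)^{w_i} at X = tau. Zero weights are skipped; ok is false if tau hits
// some v_i, in which case the verifier would resample tau.
func sumFractions(vals, weights []*big.Int, tau *big.Int) (*big.Int, bool) {
	acc := new(big.Int)
	for i, v := range vals {
		if weights[i].Sign() == 0 {
			continue
		}
		den := new(big.Int).Mod(new(big.Int).Sub(tau, v), nativeR)
		if den.Sign() == 0 {
			return nil, false
		}
		term := new(big.Int).ModInverse(den, nativeR)
		acc.Add(acc, term.Mul(term, weights[i])).Mod(acc, nativeR)
	}
	return acc, true
}

// LookupCheck asserts every query f_i lies in the table {0, ..., 2^bits - 1}. The prover
// supplies multiplicities m_j (how often j is queried); the verifier checks at a random tau
//   sum_i 1/(tau - f_i) == sum_j m_j/(tau - j)   (mod r).
// A query outside the table is a pole of the left side that no choice of m_j can reproduce.
func LookupCheck(queries []*big.Int, bits uint, tau *big.Int) bool {
	size := 1 << bits
	table, mult := make([]*big.Int, size), make([]*big.Int, size)
	for j := range table {
		table[j], mult[j] = big.NewInt(int64(j)), new(big.Int)
	}
	ones := make([]*big.Int, len(queries))
	for i, f := range queries {
		ones[i] = big.NewInt(1)
		if f.Sign() >= 0 && f.IsInt64() && f.Int64() < int64(size) { // prover-side hint: count in-table queries
			mult[f.Int64()].Add(mult[f.Int64()], ones[i])
		}
	}
	lhs, ok1 := sumFractions(queries, ones, tau)
	rhs, ok2 := sumFractions(table, mult, tau)
	return ok1 && ok2 && lhs.Cmp(rhs) == 0
}

// RangeCheck asserts x < 2^nbits: split x into nbits/chunkBits chunks, keep the native
// linear relation x = sum_i chunk_i 2^{i*chunkBits}, and look every chunk up in the table.
// The top chunk absorbs any excess, so a too-large x forces a chunk >= 2^chunkBits into the lookup.
func RangeCheck(x *big.Int, chunkBits, nbits uint, tau *big.Int) bool {
	n := int(nbits / chunkBits)
	mask := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), chunkBits), big.NewInt(1))
	chunks, t := make([]*big.Int, n), new(big.Int).Set(x)
	for i := 0; i < n-1; i++ {
		chunks[i] = new(big.Int).And(t, mask)
		t.Rsh(t, chunkBits)
	}
	chunks[n-1] = t
	return LookupCheck(chunks, chunkBits, tau)
}

func main() {
	tau, _ := rand.Int(rand.Reader, nativeR) // in a circuit the challenge comes from the commitment, not a local RNG
	x, _ := new(big.Int).SetString("fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f", 16) // constructed 256-bit input
	fmt.Println("256-bit value in 16 chunks of 16 bits:", RangeCheck(x, 16, 256, tau))
	fmt.Println("2^256 rejected:", RangeCheck(new(big.Int).Lsh(big.NewInt(1), 256), 16, 256, tau))
	fmt.Println("query 2^16 against a 16-bit table:", LookupCheck([]*big.Int{big.NewInt(1 << 16)}, 16, tau))
}
```

The table side costs one term per distinct table entry with a non-zero multiplicity, which is why the table size trade-off in the later "range check table size" slide matters: a $2^{16}$ table needs only 16 lookups for a 256-bit value but a larger fixed cost, while smaller chunks mean more queries.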
Technical considerations - non-native soundness
// Packages: github.com/consensys/gnark/frontend and github.com/consensys/gnark/std/math/emulated.
// Redundant: explicit range checks on top of the emulated field's own.
func (c *Circuit) Define(api frontend.API) error {
	nna, err := emulated.NewField[emulated.Secp256k1Fp](api)
	if err != nil {
		return err
	}
	nna.Rangecheck(c.Witness) // the slide's shorthand for manual limb range checks
	nna.Rangecheck(c.Input)
	res := nna.Mul(&c.Witness, &c.Input)
	nna.Rangecheck(res)
	// ...
	return nil
}
Better
func (c *Circuit) Define(api frontend.API) error {
	nna, err := emulated.NewField[emulated.Secp256k1Fp](api)
	if err != nil {
		return err
	}
	res := nna.Mul(&c.Witness, &c.Input) // the field range checks the hinted limbs itself
	_ = res // ...
	return nil
}
Technical considerations - lazy finalization
// Package: github.com/consensys/gnark/std/rangecheck.
func (c *Circuit) Define(api frontend.API) error {
	rchecker := rangecheck.New(api)
	rchecker.Check(c.Witness, 16)
	// ..
	rchecker.Finalize() // explicit finalization, as written on the slide
	return nil
}
Better
func (c *Circuit) Define(api frontend.API) error {
	rchecker := rangecheck.New(api)
	rchecker.Check(c.Witness, 16)
	return nil // automatically finalized: the checker defers building the table to the end of compilation
}
Technical considerations - range check table size
func (c *Circuit) Define(api frontend.API) error {
	rchecker := rangecheck.New(api)
	rchecker.Check(c.Witness, 16)
	rchecker.Check(c.Witness2, 16)
	// builds a table of size 2^16
	return nil
}
- Estimate the optimal table size from the number of inputs and the number of bits checked.
Benchmarks
- Counting constraints is not very descriptive (depends on the proof system and on precomputation).
- Time, CPU usage and memory are better.
- https://www.zk-bench.org/circuit
- https://zka.lc/
- https://zprize.io
- Benchmarks on a MacBook Pro M1 over BN254 (solve + prove), constraint counts in parentheses:

Operation                 | Groth16            | PLONK
ECDSA secp256k1/P256      | 1.29s (284767)     | 18.9s (1136131)
ECDSA P384                | 2.75s (598706)     | 127.9s (2334733)
BN254 pairing             | 7.07s (1895732)    | (7458801)
BLS12-381 pairing         | 10.90s (2546974)   | (10077257)
Talk given at zkStudyClub: Improving performance of non-native arithmetic in SNARKs (Ivo Kubjas, Consensys gnark)
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo Kubjas, Consensys Gnark)

  • 1. Log-derivative lookups for improving performance of non-native arithmetic in SNARKs
    Ivo Kubjas, gnark, August 3, 2023
  • 2. Motivation
    - In pairing-based SNARKs we work in a pairing-friendly elliptic curve group.
    - The arithmetic is defined on the scalars of the EC group.
    - The computation (circuit) is defined as a relation between polynomials.
    - Succinct verification: the verifier only receives commitments to some polynomials, asks for openings and checks the relation on the evaluations.
    - Heavy prover: has to compute the relation → needs FFT/NTT for any reasonably-sized circuit.
  • 3. Motivation
    - But curves which are good for SNARKs are not compatible with practical applications:
      - ECDSA over BN254, P-256/P-384
      - RSA signature scheme
      - BLS signatures
    - We need non-native (to the scalar field) arithmetic!
    [Figure: Venn diagram of "Useful fields", "Fast fields for SNARKs" and "BLS sigs over 2-chains"]
  • 4. Non-native arithmetic
    - Chinese remainder theorem [1]: schoolbook multi-precision integer multiplication
    - Casting out primes (nines) [2]: check against many small prime moduli
    - Goblin Plonk: ZKSG a few weeks ago
    - xjSNARK-style polynomial identity testing [3]
    [1] https://hackmd.io/@arielg/B13JoihA8
    [2] https://eprint.iacr.org/2022/1470
    [3] https://akosba.github.io/papers/xjsnark.pdf
  • 5. Representation
    - Moduli of the native field $r$ and the non-native field $q$.
    - Decompose a non-native element $a$ in basis $2^B$: $a = \sum_{i=0}^{N-1} a_i 2^{iB}$, $\forall a_i \in [0, 2^B)$.
    - If $2^B < r$, then the limbs $a_i$ fit into the native field.
    [Figure: a native element holding one limb of the non-native element; limbs $a_0, a_1, a_2$]
    - Have to track whether possibly $a_i \ge 2^B$. Introduce $\mathrm{overflow}$ such that $a_i \in [0, 2^{B + \mathrm{overflow}})$.
  • 6. Arithmetic 101
    - Arithmetic on integers; do not bother about modular reduction for now.
    - Addition limbwise: $a + b = \sum_{i=0}^{N-1} (a_i + b_i) 2^{iB}$. Set $\mathrm{overflow} = \max(\mathrm{overflow}_a, \mathrm{overflow}_b) + 1$.
    - It is going to be easy...
    - Subtraction limbwise: $a - b = \sum_{i=0}^{N-1} (a_i - b_i) 2^{iB}$. But what if $b_i > a_i$? 🤯
    - Being in a field, we can add multiples of $q$: a padding $s$ such that $s_i > b_i$ and $s = \alpha q$.
    - Subtraction: $a + s - b$, which then never underflows.
  • 7. Multiplication
    - Naive integer multiplication: $c = a \cdot b \Leftrightarrow c_\ell = \sum_{\substack{i,j=0 \\ i+j=\ell}}^{2N-1} a_i b_j$
    - Observe: native multiplication complexity $O(N^2)$.
    - xjSNARK observations:
      - for the integer $a = \sum a_i 2^{iB}$ associate the polynomial $a(X) = \sum a_i X^i$
      - can compute $c$ out-circuit (using advice/hint) and then have to assert $a(X) \cdot b(X) = c(X)$
      - cannot do Schwartz-Zippel, but the degree of $c(X)$ is small enough to brute-force
      - constants!
    - Got $O(N)$ multiplication complexity (T&C apply)
    - Overflow of the result limbs is bounded by $B + \mathrm{overflow}_a + \mathrm{overflow}_b + b + \log_2(2N - 1)$.
    - I went over the fact that we need to range-check the $c_\ell$ coming from the hint.
  • 8. Modular reduction
    - Can amortize multiplications before we have to mod-reduce.
    - But in practice not useful, as the limb count grows exponentially and the overflows get large ⇒ range checks become very difficult.
    - $a \equiv b \pmod q \Leftrightarrow \exists \alpha : a - b = \alpha q$ (NB! integer assertion)
    - Could try comparing limb-wise, but $a - b$ and $\alpha q$ may have different overflows.
    - To carry the excess, need to partition the limbs at a common split ⇒ need to range check the carries to ensure the partition is correct.
    [Figure: limbs $a_0, a_1, a_2$ and $b_0, b_1, b_2$ with carries $e_0, e_1$ subtracted from one limb and added to the next]
    - For the equality check of $a$ and $b$, consider them as polynomials $a(X)$, $b(X)$ and a polynomial $e(X)$ made from the excess: $a(X) = b(X) + (2^B - X)\, e(X)$
  • 9. Mulmod
    - Combining multiplication with modular reduction, we get: $a(X)\, b(X) \equiv c(X) + \alpha(X)\, q(X) + (2^B - X)\, e(X) \pmod r$
    - Good in R1CS (polynomial evaluation at a constant)
    - Less good in PLONK
    - Some badness can be averted using caching
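The mulmod identity of slides 7 to 9, and its evaluation at a point as on slide 15, worked through as an added example in Go. This is not code from the slides or from gnark: the moduli, the limb width, the limb count and the sample operands are constructed toy values. It decomposes integers into limbs, forms the schoolbook limb product, computes the residue and quotient as an out-of-circuit hint, solves for the carry polynomial $e(X)$ by exact division by $(2^B - X)$, and then checks the identity modulo $r$ at an evaluation point.

```go
package main

import "math/big"

// Constructed toy parameters, not values from the slides or from gnark:
// q = 2^64 - 59 (non-native), B = 16 bits per limb, N = 4 limbs, and
// native modulus r = 2^128 - 159, large enough to hold every term below.
const (
	limbBits = 16 // B
	nbLimbs  = 4  // N
)

var (
	qMod, _  = new(big.Int).SetString("18446744073709551557", 10)
	rMod, _  = new(big.Int).SetString("340282366920938463463374607431768211297", 10)
	limbBase = new(big.Int).Lsh(big.NewInt(1), limbBits) // 2^B
	limbMask = new(big.Int).Sub(limbBase, big.NewInt(1)) // 2^B - 1
)

// toLimbs writes 0 <= a < 2^(N*B) as a = sum_i a_i 2^(iB), a_i in [0, 2^B).
func toLimbs(a *big.Int) []*big.Int {
	limbs := make([]*big.Int, nbLimbs)
	t := new(big.Int).Set(a)
	for i := range limbs {
		limbs[i] = new(big.Int).And(t, limbMask)
		t.Rsh(t, limbBits)
	}
	if t.Sign() != 0 {
		panic("value does not fit in N limbs")
	}
	return limbs
}

// evalPoly computes sum_i p_i x^i mod m by Horner's rule (x = 2^B recomposes).
func evalPoly(p []*big.Int, x, m *big.Int) *big.Int {
	acc := new(big.Int)
	for i := len(p) - 1; i >= 0; i-- {
		acc.Mul(acc, x).Add(acc, p[i]).Mod(acc, m)
	}
	return acc
}

// mulLimbs is the schoolbook convolution c_l = sum_{i+j=l} a_i b_j; the
// product limbs are not reduced, so c_l may exceed 2^B (the overflow).
func mulLimbs(a, b []*big.Int) []*big.Int {
	c := make([]*big.Int, len(a)+len(b)-1)
	for l := range c { c[l] = new(big.Int) }
	for i := range a {
		for j := range b {
			c[i+j].Add(c[i+j], new(big.Int).Mul(a[i], b[j]))
		}
	}
	return c
}

// mulModWitness is the out-of-circuit hint: c = a*b mod q and the
// quotient alpha with a*b = c + alpha*q over the integers.
func mulModWitness(a, b *big.Int) (c, alpha *big.Int) {
	alpha, c = new(big.Int).QuoRem(new(big.Int).Mul(a, b), qMod, new(big.Int))
	return c, alpha
}

// carryPoly divides d(X) exactly by (2^B - X): comparing coefficients gives
// e_k = (d_k + e_{k-1}) / 2^B and, at the top, d_m = -e_{m-1}. The division
// is exact iff d(2^B) = 0, i.e. iff both limb vectors encode the same
// integer; in a circuit the e_k come from a hint and are range-checked.
func carryPoly(d []*big.Int) ([]*big.Int, bool) {
	m := len(d) - 1
	e := make([]*big.Int, m)
	prev := new(big.Int)
	for k := 0; k < m; k++ {
		rem := new(big.Int)
		e[k] = new(big.Int)
		e[k].QuoRem(new(big.Int).Add(d[k], prev), limbBase, rem)
		if rem.Sign() != 0 {
			return nil, false
		}
		prev = e[k]
	}
	return e, new(big.Int).Add(d[m], prev).Sign() == 0
}

// checkMulMod verifies, modulo r at the point tau (a constant in R1CS, or
// a challenge): a(tau)b(tau) == c(tau) + alpha(tau)q(tau) + (2^B - tau)e(tau).
func checkMulMod(a, b, c, alpha, tau *big.Int) bool {
	al, bl, cl := toLimbs(a), toLimbs(b), toLimbs(c)
	ql, alphal := toLimbs(qMod), toLimbs(alpha)
	d := mulLimbs(al, bl) // a(X) b(X), then subtract c(X) + alpha(X) q(X)
	for i, v := range mulLimbs(alphal, ql) { d[i].Sub(d[i], v) }
	for i, v := range cl { d[i].Sub(d[i], v) }
	e, ok := carryPoly(d)
	if !ok {
		return false
	}
	left := new(big.Int).Mul(evalPoly(al, tau, rMod), evalPoly(bl, tau, rMod))
	right := new(big.Int).Mul(evalPoly(alphal, tau, rMod), evalPoly(ql, tau, rMod))
	right.Add(right, evalPoly(cl, tau, rMod))
	right.Add(right, new(big.Int).Mul(new(big.Int).Sub(limbBase, tau), evalPoly(e, tau, rMod)))
	return left.Mod(left, rMod).Cmp(right.Mod(right, rMod)) == 0
}
```

The exact-division check in `carryPoly` stands in for the range checks of slide 10: a prover-supplied $c$, $\alpha$ or $e$ that does not satisfy the integer relation cannot produce an exact division, and a tampered residue or quotient is rejected before any evaluation takes place.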
  • 10. Done?
    - Multiplication complexity small-ish ($O(N)$ with small constants)
    - But have to range check: $c$ (modular residual $c$, coefficient $\alpha$ and carries $e$)
    - Naive range check adds 1/2 constraint per bit ($O(B)$ with the same small constants): $(1 - x_i) \cdot x_i = 0$ and $\sum_i x_i 2^i = x$
    - $B$ is ≤ 64 times larger than $N$
  • 11. Range checks
    - UltraPLONK (custom gates + plookup): couldn't figure out how to do it nicely, also in Groth16.
    - Waksman permutation network: too small a saving.
    - Multiset equality using the logarithmic derivative argument? [4] $\sum_{f_i} \frac{k_i}{X - f_i} = \sum_{s_j} \frac{1}{X - s_j}$
    [4] https://ia.cr/2022/1530
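As an added example, not taken from the slides or from gnark, the log-derivative multiset check of slide 11 applied to the range-check problem of slide 10: each value is cut into chunks that are looked up in one table $[0, 2^t)$, the table entries $f_i$ carry multiplicities $k_i$, and $\sum_i k_i/(X - f_i)$ is compared with $\sum_j 1/(X - s_j)$ at a challenge point. The field modulus and the challenge value are constructed assumptions; the shifted lookup of a narrow final chunk is a standard trick for widths that are not a multiple of the table width.

```go
package main

import "math/big"

// Constructed field modulus p = 2^61 - 1, a Mersenne prime chosen for this
// example; a real circuit would use the SNARK's native scalar field.
var fieldMod = new(big.Int).SetUint64(1<<61 - 1)

// chunks splits v into ceil(nbBits/tableBits) pieces of tableBits bits, the
// values s_j looked up in the table [0, 2^tableBits). The last piece keeps
// every remaining high bit, so an out-of-range v yields a chunk outside the
// table; when that piece is only w < tableBits bits wide it is also looked
// up shifted left by tableBits-w, which bounds it by 2^w.
func chunks(v int64, nbBits, tableBits int) []int64 {
	n := (nbBits + tableBits - 1) / tableBits
	out := make([]int64, 0, n+1)
	for j := 0; j < n-1; j++ {
		out = append(out, (v>>(j*tableBits))&(1<<tableBits-1))
	}
	last := v >> ((n - 1) * tableBits)
	out = append(out, last)
	if w := nbBits - (n-1)*tableBits; w < tableBits {
		out = append(out, last<<(tableBits-w))
	}
	return out
}

// multiplicities counts k_i, how often table entry f_i is looked up. A
// lookup matching no entry is not counted: the sum below then has a pole
// on the lookup side that the table side cannot produce.
func multiplicities(table, lookups []int64) []int64 {
	index := make(map[int64]int, len(table))
	for i, f := range table {
		index[f] = i
	}
	k := make([]int64, len(table))
	for _, s := range lookups {
		if i, ok := index[s]; ok {
			k[i]++
		}
	}
	return k
}

// fracTerm returns coeff / (x - v) in the field, or false when x == v.
func fracTerm(coeff, v int64, x *big.Int) (*big.Int, bool) {
	den := new(big.Int).Sub(x, big.NewInt(v))
	if den.Mod(den, fieldMod).Sign() == 0 {
		return nil, false
	}
	den.ModInverse(den, fieldMod)
	return den.Mul(den, big.NewInt(coeff)).Mod(den, fieldMod), true
}

// logDerivativeEqual compares sum_i k_i/(x - f_i) with sum_j 1/(x - s_j) at
// the challenge x. As rational functions the two sides agree exactly when
// the lookups form a sub-multiset of the table, so a random x exposes a bad
// lookup except with probability about (|table| + |lookups|)/p.
func logDerivativeEqual(table, k, lookups []int64, x *big.Int) bool {
	lhs, rhs := new(big.Int), new(big.Int)
	for i, f := range table {
		term, ok := fracTerm(k[i], f, x)
		if !ok {
			return false
		}
		lhs.Add(lhs, term)
	}
	for _, s := range lookups {
		term, ok := fracTerm(1, s, x)
		if !ok {
			return false
		}
		rhs.Add(rhs, term)
	}
	return lhs.Mod(lhs, fieldMod).Cmp(rhs.Mod(rhs, fieldMod)) == 0
}

// rangeCheckViaLookup accepts iff every value lies in [0, 2^nbBits), using
// one table of 2^tableBits entries shared by all the values' chunks.
func rangeCheckViaLookup(values []int64, nbBits, tableBits int, x *big.Int) bool {
	table := make([]int64, 1<<tableBits)
	for i := range table {
		table[i] = int64(i)
	}
	var lookups []int64
	for _, v := range values {
		if v < 0 {
			return false
		}
		lookups = append(lookups, chunks(v, nbBits, tableBits)...)
	}
	return logDerivativeEqual(table, multiplicities(table, lookups), lookups, x)
}
```

The cost is visible in the two sums: one fraction term per table entry and one per chunk, independent of how many bits each value has beyond the chunk width, which is what makes the table worth sharing across all the range checks in a circuit.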
  • 12. Fiat-Shamir challenge in-circuit
    - We would need a succinct verifier challenge depending on $f_i$, $k_i$ and $s_i$.
    - In-circuit hashing doesn't work: too expensive for the prover.
    - Out-circuit challenge computation doesn't work: too expensive for the verifier, and a privacy loss.
    - LegoSNARK commitment?
  • 13. Trick to efficiency: use part of the proof as a commitment.
  • 14. Commitment as in-circuit challenge
    - Pedersen vector commitment with the proving key as a basis.
    - For binding, the basis has to be linearly independent ⇒ a basis with relations known to the prover would lead to multiple valid witnesses.
    - If the prover can predict the commitment value for a random basis, then it can break discrete log.
    - Hash the commitment with domain separation into the native field, use it as a public witness.
    - For PLONK, we use a custom gate to mark committed variables and use its polynomial commitment as a public witness. [5]
    [5] https://ia.cr/2022/1072
  • 15. Using randomness in circuit
    - Unified circuits for PLONK and R1CS.
    - Multiple commitments: $\tau_i = H(i, \tau)$
    - Tables by compressing entries and lookups: $f(\tau) = \sum_i f_i \tau^i$
    - Boolean function pre-computation: $\mathrm{Lookup}(x \,\|\, y \,\|\, \mathrm{XOR}(x, y))$
    - Non-native mulmod check: $a(\tau)\, b(\tau) \equiv c(\tau) + \alpha(\tau)\, q(\tau) + (2^B - \tau)\, e(\tau)$
  • 16. Technical consideration - non-native soundness

        func (c *Circuit) Define(api frontend.API) error {
            nna, err := emulated.NewField[emulated.Secp256k1Fp](api)
            if err != nil {
                return err
            }
            // Redundant: the emulated field already constrains the limb
            // widths of its inputs and of every result it produces.
            nna.Rangecheck(c.Witness)
            nna.Rangecheck(c.Input)
            res := nna.Mul(c.Witness, c.Input)
            nna.Rangecheck(res)
            // ...
        }

    Better:

        func (c *Circuit) Define(api frontend.API) error {
            nna, err := emulated.NewField[emulated.Secp256k1Fp](api)
            if err != nil {
                return err
            }
            res := nna.Mul(c.Witness, c.Input)
            // ...
        }
  • 17. Technical considerations - lazy finalization

        func (c *Circuit) Define(api frontend.API) error {
            rchecker := rangecheck.New(api)
            rchecker.Check(c.Witness, 16)
            // ...
            rchecker.Finalize() // the collected checks only become constraints here
            return nil
        }

    Better:

        func (c *Circuit) Define(api frontend.API) error {
            rchecker := rangecheck.New(api)
            rchecker.Check(c.Witness, 16)
            return nil // automatically finalized
        }
  • 18. Technical considerations - range check table size

        func (c *Circuit) Define(api frontend.API) error {
            rchecker := rangecheck.New(api)
            rchecker.Check(c.Witness, 16)
            rchecker.Check(c.Witness2, 16)
            // builds a table of size 2^16
            return nil
        }

    - Estimate the optimal table size for the number of inputs and the bits checked.
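One way to make that estimate, as an added example rather than gnark's own heuristic: assume a simplified cost model in which a log-derivative lookup pays one fraction term per table entry and one per looked-up chunk (with an extra shifted lookup when the table width does not divide the value width), and pick the table width that minimises the total. The cost model is an assumption of this example; the function names are hypothetical.

```go
package main

import "fmt"

// lookupCost is the assumed cost model (not gnark's accounting): 2^t terms
// for a t-bit table plus, per input of nbBits bits, ceil(nbBits/t) chunk
// lookups and one extra shifted lookup when t does not divide nbBits.
func lookupCost(nbInputs, nbBits, tableBits int) int {
	perInput := (nbBits + tableBits - 1) / tableBits
	if nbBits%tableBits != 0 {
		perInput++
	}
	return 1<<tableBits + nbInputs*perInput
}

// optimalTableBits returns the table width t in [1, maxTableBits] that
// minimises lookupCost, together with that cost; ties go to the smaller table.
func optimalTableBits(nbInputs, nbBits, maxTableBits int) (int, int) {
	bestT, bestCost := 1, lookupCost(nbInputs, nbBits, 1)
	for t := 2; t <= maxTableBits; t++ {
		if c := lookupCost(nbInputs, nbBits, t); c < bestCost {
			bestT, bestCost = t, c
		}
	}
	return bestT, bestCost
}

func main() {
	// Constructed workloads: a few, many and very many 64-bit range checks.
	for _, n := range []int{10, 1000, 100000} {
		t, cost := optimalTableBits(n, 64, 20)
		fmt.Printf("%6d inputs of 64 bits: %2d-bit table, cost %d\n", n, t, cost)
	}
}
```

The point of the sweep is that the best width moves with the number of checked values: a handful of inputs is best served by a tiny table, while a circuit with a hundred thousand checks amortises a 2^16 table easily, so a fixed 16-bit default as on the slide is only right for large circuits.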
  • 19. Benchmarks
    - Counting constraints is not very descriptive (proof systems, precomputation)
    - Time, CPU usage and memory are better
    - https://www.zk-bench.org/circuit
    - https://zka.lc/
    - https://zprize.io
    - Benchmarks on MBP M1 over BN254 (solve + prove); figures in parentheses are constraint counts:

      Operation                 Groth16             PLONK
      ECDSA secp256k1/P256      1.29s  (284767)     18.9s  (1136131)
      ECDSA P384                2.75s  (598706)     127.9s (2334733)
      BN254 pairing             7.07s  (1895732)    (7458801)
      BLS12-381 pairing         10.90s (2546974)    (10077257)