Talk given at the ZK Study Club by Jonathan Bootle and Katerina Sotiraki about the universality of sumcheck arguments and their importance in zero-knowledge cryptography.
This week's session covers new work from Justin Thaler (GWU) et al on Lasso/Jolt.
Lasso is a new lookup argument (more on this below) with a dramatically faster prover. Our initial implementation provides roughly a 10x speedup over the lookup argument in the popular, well-engineered halo2 toolchain; we expect improvements of around 40x when optimizations are complete. To demonstrate, we’re releasing the open source implementation, written in Rust. We invite the community to help us make Lasso as fast and robust as possible.
The second, accompanying innovation to Lasso is Jolt, a new approach to zkVM (zero knowledge virtual machine) design that builds on Lasso. Jolt realizes the “lookup singularity” – a vision initially laid out by Barry Whitehat of the Ethereum Foundation for simpler tooling and lightweight, lookup-centric circuits (more on why this matters below). Relative to existing zkVMs, we expect Jolt to achieve similar or better performance – and importantly, a more streamlined and accessible developer experience. With Jolt, it will be easier for developers to write fast SNARKs in their high-level language of choice.
Lasso: https://people.cs.georgetown.edu/jthaler/Lasso-paper.pdf
Jolt: https://people.cs.georgetown.edu/jthaler/Jolt-paper.pdf
This week, Benedikt Bünz and Binyi Chen of Espresso Systems present ProtoStar:
Accumulation is a simple yet powerful primitive that enables incrementally verifi-able computation (IVC) without the need for recursive SNARKs. We provide a generic, efficient accumulation (or folding) scheme for any (2k − 1)-move special-sound protocol. The prover in each accumulation/IVC step is also only logarithmic in the number of supported circuits and independent of the table size in the lookup
https://eprint.iacr.org/2023/620
A real-world example of Functional Programming with fp-ts - no experience req...Frederick Fogerty
In this talk I'll walk through a real-world Javascript project and discussing how we can refactor it to a more functional style using a TS library, fp-ts.
Go is a language developed by Google with multi-core in mind. Differ from other languages, concurrency is a first-class primitive in Go. This talk covers some useful patterns for dealing with concurrency.
This week's session covers new work from Justin Thaler (GWU) et al on Lasso/Jolt.
Lasso is a new lookup argument (more on this below) with a dramatically faster prover. Our initial implementation provides roughly a 10x speedup over the lookup argument in the popular, well-engineered halo2 toolchain; we expect improvements of around 40x when optimizations are complete. To demonstrate, we’re releasing the open source implementation, written in Rust. We invite the community to help us make Lasso as fast and robust as possible.
The second, accompanying innovation to Lasso is Jolt, a new approach to zkVM (zero knowledge virtual machine) design that builds on Lasso. Jolt realizes the “lookup singularity” – a vision initially laid out by Barry Whitehat of the Ethereum Foundation for simpler tooling and lightweight, lookup-centric circuits (more on why this matters below). Relative to existing zkVMs, we expect Jolt to achieve similar or better performance – and importantly, a more streamlined and accessible developer experience. With Jolt, it will be easier for developers to write fast SNARKs in their high-level language of choice.
Lasso: https://people.cs.georgetown.edu/jthaler/Lasso-paper.pdf
Jolt: https://people.cs.georgetown.edu/jthaler/Jolt-paper.pdf
This week, Benedikt Bünz and Binyi Chen of Espresso Systems present ProtoStar:
Accumulation is a simple yet powerful primitive that enables incrementally verifi-able computation (IVC) without the need for recursive SNARKs. We provide a generic, efficient accumulation (or folding) scheme for any (2k − 1)-move special-sound protocol. The prover in each accumulation/IVC step is also only logarithmic in the number of supported circuits and independent of the table size in the lookup
https://eprint.iacr.org/2023/620
A real-world example of Functional Programming with fp-ts - no experience req...Frederick Fogerty
In this talk I'll walk through a real-world Javascript project and discussing how we can refactor it to a more functional style using a TS library, fp-ts.
Go is a language developed by Google with multi-core in mind. Differ from other languages, concurrency is a first-class primitive in Go. This talk covers some useful patterns for dealing with concurrency.
Test Driven Development emphasises quick iterations for your code. You won't code faster, but perhaps you will be more accurate.
TDD has been around for a while and I have avoided it for most of my career. I decided for the month of October all code I write I will do TDD. The result was much more positive than I thought it would be and made me rethink how I code. This talk covers the testing pyramid, the importance of unit testing and the tools I use for testing React. As part of the talk I will work through a trivial example to demonstrate how to do TDD.
Paper: https://eprint.iacr.org/2022/1355
Plonk is a widely used succinct non-interactive proof system that uses univariate polynomial commitments. Plonk is quite flexible: it supports circuits with low-degree ``custom'' gates as well as circuits with lookup gates (a lookup gate ensures that its input is contained in a predefined table). For large circuits, the bottleneck in generating a Plonk proof is the need for computing a large FFT.
In this work, the authors present HyperPlonk, an adaptation of Plonk to the boolean hypercube, using multilinear polynomial commitments. HyperPlonk retains the flexibility of Plonk but provides several additional benefits. First, it avoids the need for an FFT during proof generation. Second, and more importantly, it supports custom gates of much higher degree than Plonk without harming the running time of the prover. Both of these can dramatically speed up the prover's running time. Since HyperPlonk relies on multilinear polynomial commitments, the authors revisit two elegant constructions: one from Orion and one from Virgo. The authors also show how to reduce the Orion opening proof size to less than 10kb (an almost factor 1000 improvement) and show how to make the Virgo FRI-based opening proof simpler and shorter.
Teach your kids how to program with Python and the Raspberry PiJuan Gomez
RaspberryPis are the new frontier in enabling kids (and curious adults) to get access to an affordable and easy-to-program platform to build cool things. Over a million of these nifty little devices have been sold in less than a year and part of their popularity has been due to how easy it is to start programming on them.
In this session you'll learn how to get started with the Raspberry PI, initial set-up, configuration and some tips and tricks. Then we'll have a brief introduction to basic Python and we'll write a few simple programs that run on the RaspberryPI. The last section of the session will be dedicated to PyGame, we'll learn about surfaces, events, inputs, sprites, etc and demonstrate how to build very simple games that are as much fun for kids to write, than to play!
The essentials of Cucumber-JVM and Spock - a handbook written for the BDD/TDD Masterclass (https://johnfergusonsmart.com/programs-courses/bdd-tdd-clean-coding/)
Introduction to OCL - Tutorial given at the SFM'12 summer school
Learn more about OCL (and UML, DSLs, MDE,...) at : http://modeling-languages.com
Home page: http://jordicabot.com
Greedy Algorithms WITH Activity Selection Problem.pptRuchika Sinha
An Activity Selection Problem
The activity selection problem is a mathematical optimization problem. Our first illustration is the problem of scheduling a resource among several challenge activities. We find a greedy algorithm provides a well designed and simple method for selecting a maximum- size set of manually compatible activities.
Hearts Of Darkness - a Spring DevOps ApocalypseJoris Kuipers
In this talk Joris shares several real-life failure cases concerning running Spring applications in production. Examples include services being killed because of health check issues, Micrometer metrics getting lost, circuit breakers never closing after opening, OOM errors caused by unbounded queues and other nightmarish scenario’s. Not only will you come to understand how these problems could sneak through staging to make their way to production, you will also be given practical tips on how to avoid these things from happening to your own applications. Otto von Bismarck famously said “Fools say that they learn by experience. I prefer to profit by others’ experience”. Don’t be a fool, and profit by viewing this talk!
The main challenge of concurrent software verification has always been in achieving modularity, i.e., the ability to divide and conquer the correctness proofs with the goal of scaling the verification effort. Types are a formal method well-known for its ability to modularize programs, and in the case of dependent types, the ability to modularize and scale complex mathematical proofs.
In this talk I will present our recent work towards reconciling dependent types with shared memory concurrency, with the goal of achieving modular proofs for the latter. Applying the type-theoretic paradigm to concurrency has lead us to view separation logic as a type theory of state, and has motivated novel abstractions for expressing concurrency proofs based on the algebraic structure of a resource and on structure-preserving functions (i.e., morphisms) between resources.
A decade of active research has led to practical constructions of zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs) that are now being used in a wide variety of applications. Despite this astonishing progress, overheads in proof generation time remain significant.
In this work, we envision a world where consumers with low computational resources can outsource the task of proof generation to a group of untrusted servers in a privacy-preserving manner. The main requirement is that these servers should be able to collectively generate proofs at a faster speed (than the consumer). Towards this goal, we introduce a framework called zk-SNARKs-as-a-service () for faster computation of zk-SNARKs. Our framework allows for distributing proof computation across multiple servers such that each server is expected to run for a shorter duration than a single prover. Moreover, the privacy of the prover's witness is ensured against any minority of colluding servers.
We design custom protocols in this framework that can be used to obtain faster runtimes for widely used zk-SNARKs, such as Groth16 [EUROCRYPT 2016], Marlin [EUROCRYPT 2020], and Plonk [EPRINT 2019]. We implement proof of concept zkSaaS for the Groth16 and Plonk provers. In comparison to generating these proofs on commodity hardware, we show that not only can we generate proofs for a larger number of constraints (without memory exhaustion), but can also get speed-up when run with 128 parties for constraints with Groth16 and gates with Plonk.
https://eprint.iacr.org/2023/905
Test Driven Development emphasises quick iterations for your code. You won't code faster, but perhaps you will be more accurate.
TDD has been around for a while and I have avoided it for most of my career. I decided for the month of October all code I write I will do TDD. The result was much more positive than I thought it would be and made me rethink how I code. This talk covers the testing pyramid, the importance of unit testing and the tools I use for testing React. As part of the talk I will work through a trivial example to demonstrate how to do TDD.
Paper: https://eprint.iacr.org/2022/1355
Plonk is a widely used succinct non-interactive proof system that uses univariate polynomial commitments. Plonk is quite flexible: it supports circuits with low-degree ``custom'' gates as well as circuits with lookup gates (a lookup gate ensures that its input is contained in a predefined table). For large circuits, the bottleneck in generating a Plonk proof is the need for computing a large FFT.
In this work, the authors present HyperPlonk, an adaptation of Plonk to the boolean hypercube, using multilinear polynomial commitments. HyperPlonk retains the flexibility of Plonk but provides several additional benefits. First, it avoids the need for an FFT during proof generation. Second, and more importantly, it supports custom gates of much higher degree than Plonk without harming the running time of the prover. Both of these can dramatically speed up the prover's running time. Since HyperPlonk relies on multilinear polynomial commitments, the authors revisit two elegant constructions: one from Orion and one from Virgo. The authors also show how to reduce the Orion opening proof size to less than 10kb (an almost factor 1000 improvement) and show how to make the Virgo FRI-based opening proof simpler and shorter.
Teach your kids how to program with Python and the Raspberry PiJuan Gomez
RaspberryPis are the new frontier in enabling kids (and curious adults) to get access to an affordable and easy-to-program platform to build cool things. Over a million of these nifty little devices have been sold in less than a year and part of their popularity has been due to how easy it is to start programming on them.
In this session you'll learn how to get started with the Raspberry PI, initial set-up, configuration and some tips and tricks. Then we'll have a brief introduction to basic Python and we'll write a few simple programs that run on the RaspberryPI. The last section of the session will be dedicated to PyGame, we'll learn about surfaces, events, inputs, sprites, etc and demonstrate how to build very simple games that are as much fun for kids to write, than to play!
The essentials of Cucumber-JVM and Spock - a handbook written for the BDD/TDD Masterclass (https://johnfergusonsmart.com/programs-courses/bdd-tdd-clean-coding/)
Introduction to OCL - Tutorial given at the SFM'12 summer school
Learn more about OCL (and UML, DSLs, MDE,...) at : http://modeling-languages.com
Home page: http://jordicabot.com
Greedy Algorithms WITH Activity Selection Problem.pptRuchika Sinha
An Activity Selection Problem
The activity selection problem is a mathematical optimization problem. Our first illustration is the problem of scheduling a resource among several challenge activities. We find a greedy algorithm provides a well designed and simple method for selecting a maximum- size set of manually compatible activities.
Hearts Of Darkness - a Spring DevOps ApocalypseJoris Kuipers
In this talk Joris shares several real-life failure cases concerning running Spring applications in production. Examples include services being killed because of health check issues, Micrometer metrics getting lost, circuit breakers never closing after opening, OOM errors caused by unbounded queues and other nightmarish scenario’s. Not only will you come to understand how these problems could sneak through staging to make their way to production, you will also be given practical tips on how to avoid these things from happening to your own applications. Otto von Bismarck famously said “Fools say that they learn by experience. I prefer to profit by others’ experience”. Don’t be a fool, and profit by viewing this talk!
The main challenge of concurrent software verification has always been in achieving modularity, i.e., the ability to divide and conquer the correctness proofs with the goal of scaling the verification effort. Types are a formal method well-known for its ability to modularize programs, and in the case of dependent types, the ability to modularize and scale complex mathematical proofs.
In this talk I will present our recent work towards reconciling dependent types with shared memory concurrency, with the goal of achieving modular proofs for the latter. Applying the type-theoretic paradigm to concurrency has lead us to view separation logic as a type theory of state, and has motivated novel abstractions for expressing concurrency proofs based on the algebraic structure of a resource and on structure-preserving functions (i.e., morphisms) between resources.
A decade of active research has led to practical constructions of zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs) that are now being used in a wide variety of applications. Despite this astonishing progress, overheads in proof generation time remain significant.
In this work, we envision a world where consumers with low computational resources can outsource the task of proof generation to a group of untrusted servers in a privacy-preserving manner. The main requirement is that these servers should be able to collectively generate proofs at a faster speed (than the consumer). Towards this goal, we introduce a framework called zk-SNARKs-as-a-service () for faster computation of zk-SNARKs. Our framework allows for distributing proof computation across multiple servers such that each server is expected to run for a shorter duration than a single prover. Moreover, the privacy of the prover's witness is ensured against any minority of colluding servers.
We design custom protocols in this framework that can be used to obtain faster runtimes for widely used zk-SNARKs, such as Groth16 [EUROCRYPT 2016], Marlin [EUROCRYPT 2020], and Plonk [EPRINT 2019]. We implement proof of concept zkSaaS for the Groth16 and Plonk provers. In comparison to generating these proofs on commodity hardware, we show that not only can we generate proofs for a larger number of constraints (without memory exhaustion), but can also get speed-up when run with 128 parties for constraints with Groth16 and gates with Plonk.
https://eprint.iacr.org/2023/905
A new kind of quantum gates, higher braiding gates, as matrix solutions of the polyadic braid equations (different from the generalized Yang–Baxter equations) is introduced. Such gates lead to another special multiqubit entanglement that can speed up key distribution and accelerate algorithms. Ternary braiding gates acting on three qubit states are studied in detail. We also consider exotic non-invertible gates, which can be related with qubit loss, and define partial identities (which can be orthogonal), partial unitarity, and partially bounded operators (which can be non-invertible). We define two classes of matrices, star and circle ones, such that the magic matrices (connected with the Cartan decomposition) belong to the star class. The general algebraic structure of the introduced classes is described in terms of semigroups, ternary and 5-ary groups and modules. The higher braid group and its representation by the higher braid operators are given. Finally, we show, that for each multiqubit state, there exist higher braiding gates that are not entangling, and the concrete conditions to be non-entangling are given for the obtained binary and ternary gates.
Local Model Checking Algorithm Based on Mu-calculus with Partial OrdersTELKOMNIKA JOURNAL
The propositionalμ-calculus can be divided into two categories, global model checking algorithm
and local model checking algorithm. Both of them aim at reducing time complexity and space complexity
effectively. This paper analyzes the computing process of alternating fixpoint nested in detail and designs
an efficient local model checking algorithm based on the propositional μ-calculus by a group of partial
ordered relation, and its time complexity is O(d2(dn)d/2+2) (d is the depth of fixpoint nesting, n is the
maximum of number of nodes), space complexity is O(d(dn)d/2). As far as we know, up till now, the best
local model checking algorithm whose index of time complexity is d. In this paper, the index for time
complexity of this algorithm is reduced from d to d/2. It is more efficient than algorithms of previous
research.
N-gram IDF: A Global Term Weighting Scheme Based on Information Distance (WWW...Masumi Shirakawa
A deck of slides for "N-gram IDF: A Global Term Weighting Scheme Based on Information Distance" (Shirakawa et al.) that was presented at 24th International World Wide Web Conference (WWW 2015).
Presentation by Stefan Dziembowski, associate professor and leader of Cryptology and Data Security Group University of Warsaw. In BIU workshop on Bitcoin. Covered exclusively by vpnMentor.com
Presentation by Stefan Dziembowski, associate professor and leader of Cryptology and Data Security Group University of Warsaw. In BIU workshop on Bitcoin. Covered exclusively by vpnMentor.com
We propose a simple and efficient searchable symmetric encryption scheme based on a Bitmap index that evaluates Boolean queries. Our scheme provides a practical solution in settings where communications and computations are very constrained as it offers a suitable trade-off between privacy and performance.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K...Alex Pruden
In this zkStudyClub session, Ivo presents techniques for applying the log-derivative lookup tables in a circuit using LegoSNARK-style commitment. As an application, we show how this lookup table can be used to implement range checks, specifically applying it to the non-native arithmetic. Using these optimisations, we were able to reduce the proof time for BN254 pairing in Groth16 to approx 5s (MBP M1). The technique also works for PLONKish arithmetisation.
zkStudyClub - cqlin: Efficient linear operations on KZG commitments Alex Pruden
This week, Liam Eagen (Blockstream Research) and Ariel Gabizon (Zeta Function Technologies) present cqlin - Efficient linear operations on KZG commitments with cached quotients.
Given two KZG-committed polynomials , a matrix , and subgroup of order , we present a protocol for checking that . After preprocessing, the prover makes field and group operations. This presents a significant improvement over the lincheck protocols in [CHMMVW, COS], where the prover's run-time (also after preprocessing) was quasilinear in the number of non-zeroes of M, which could be n^2.
ZK Study Club: Supernova (Srinath Setty - MS Research)Alex Pruden
This week, Srinath Setty (MS Research) will present SuperNova, a new recursive proof system for incrementally producing succinct proofs of correct execution of programs on a stateful machine with a particular instruction set (e.g., EVM, RISC-V). A distinguishing aspect of SuperNova is that the cost of proving a step of a program is proportional only to the size of the circuit representing the instruction invoked by the program step. This is a stark departure from prior works that employ universal circuits where the cost of proving a program step is proportional at least to the sum of sizes of circuits representing each supported instruction—even though a particular program step invokes only one of the supported instructions. Naturally, SuperNova can support a rich instruction set without affecting the per-step proving costs. SuperNova achieves its cost profile by building on Nova, a prior high-speed recursive proof system, and leveraging its internal building block, folding schemes, in a new manner. We formalize SuperNova’s approach as a way to realize non-uniform IVC, a generalization of IVC. Furthermore, SuperNova’s prover costs and the recursion overhead are the same as Nova’s, and in fact, SuperNova is equivalent to Nova for machines that support a single instruction.
https://eprint.iacr.org/2022/1758
Eos - Efficient Private Delegation of zkSNARK proversAlex Pruden
Succinct zero knowledge proofs (i.e. zkSNARKs) are powerful cryptographic tools that enable a prover to convince a verifier that a given statement is true without revealing any additional information. Unfortunately, existing systems for generating zkSNARKs are expensive, which limits the applications in which these proofs can be used.
This new work (presented by co-author Pratyush Mishra) achieves security against malicious workers without relying on heavyweight cryptographic tools. We implement and evaluate our delegation protocols for a state-of-the-art zkSNARK in a variety of computational and bandwidth settings, and demonstrate that our protocols
are concretely efficient. When compared to local proving, using our protocols to delegate proof generation from a recent smartphone (a) reduces end-to-end latency by up to 26×, (b) lowers the delegator’s active computation time by up to 1447×, and (c) enables proving up to 256× larger instances
https://www.usenix.org/system/files/sec23fall-prepub-492-chiesa.pdf
Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico)Alex Pruden
This week, Arantxa Zapico of the Ethereum Foundation presents new work (co-authored with Vitalik Buterin, Dmitry Khovratovich, Mary Maller, Anca Nitulescu, and Mark Simkin) called Caulk, which examines position-hiding linkability for vector commitment schemes. One can prove in zero knowledge that one or more values that comprise commitment cm all belong to the vector of size committed to in C. Caulk can be used for membership proofs and lookup arguments and outperforms all existing alternatives in prover time by orders of magnitude.
https://eprint.iacr.org/2022/621
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus]Alex Pruden
Slides accompanying zkStudyClub talk: Zero-Knowledge Proofs Security, in Practice. JP Aumasson (co-creator of the BLAKE hash function family) will share his experience doing security auditing for various projects that use zero-knowledge proofs. He will describe his approach, the common pitfalls in the different components of a proof system, as well as a catalog of bugs that have been discovered in various projects
This week, Luke Pearson (Polychain Capital) and Joshua Fitzgerald (Anoma) present their work on Plonkup, a protocol that combines Plookup and PLONK into a single, efficient protocol. The protocol relies on a new hash function, called Reinforced Concrete, written by Dmitry Khovratovich. The three of them will present their work together at this week's edition of zkStudyClub!
Slides:
---
To Follow the Zero Knowledge Podcast us at https://www.zeroknowledge.fm
To the listeners of Zero Knowledge Podcast, if you like what we do:
- Follow us on Twitter - @zeroknowledgefm
- Join us on Telegram - https://t.me/joinchat/TORo7aknkYNLHmCM
- Support our Gitcoin Grant - https://gitcoin.co/grants/329/zero-knowledge-podcast-2
- Support us on Patreon - https://www.patreon.com/zeroknowledge
zkStudy Club: Subquadratic SNARGs in the Random Oracle ModelAlex Pruden
Slides for Eylon Yogev's (Bar-Ilan University) presentation at ZKStudyClub, covering his new work (co-authored w/ Alessandro Chiesa of UC Berkeley) about SNARGs in the random oracle model of sub- quadratic complexity.
Link to the original paper: https://eprint.iacr.org/2021/281.pdf
zkStudyClub: CirC and Compiling Programs to CircuitsAlex Pruden
The programming languages community, the cryptography community, and others rely on translating programs in high-level source languages (e.g., C) to logical constraint representations. Unfortunately, building compilers for this task is difficult and time consuming. In this work, Alex Ozdemir et al present CirC, an infrastructure for building compilers for SNARKs that build upon a common abstraction: stateless, non-deterministic computations called existentially quantified circuits, or EQCs.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
ZK Study Club: Sumcheck Arguments and Their Applications
1. Sumcheck Arguments and
their Applications
Jonathan Bootle (IBM Research – Zurich)
Alessandro Chiesa (UC Berkeley)
Katerina Sotiraki (UC Berkeley)
https://ia.cr/2021/333
1
2. Succinct arguments
P V
⋮
10
Common
input
𝑥1 = 4
𝑥2 = 1
⋮
Witness
Completeness: if the
witness is valid, the
verifier accepts
Soundness: if the
witness is invalid, the
verifier rejects
Knowledge soundness:
(later)
Succinctness: the messages are much
smaller than the witness
2
3. The sumcheck protocol [LFKN92]
P V
Given a polynomial 𝑝(𝑋1, … , 𝑋ℓ) over a field 𝔽 and a value 𝑢 ∈ 𝔽,
prove that σ𝜔∈𝐻ℓ 𝑝(𝜔1, … , 𝜔ℓ) = 𝑢
𝑞1 ∈ 𝔽[𝑋1] Checks that
σ𝜔1∈𝐻 𝑞1 𝜔1 = 𝑢
σ𝜔2∈𝐻 𝑞2 𝜔2 = 𝑞1(𝑟1)
⋮
σ𝜔ℓ∈𝐻 𝑞ℓ 𝜔ℓ = 𝑞ℓ−1(𝑟ℓ−1)
⋮
Computes polynomials
𝑞𝑖 𝑋𝑖 =
σ𝜔∈𝐻ℓ−𝑖 𝑝(𝑟1, . . , 𝑟𝑖−1, 𝑋𝑖, 𝜔𝑖+1, . . , 𝜔ℓ)
Soundness: If σ𝜔∈𝐻ℓ 𝑝(𝜔1, … , 𝜔ℓ) ≠ 𝑢 then V accepts with probability at most
ℓ⋅deg(𝑝)
|𝔽|
.
Communication
ℓ ⋅ deg 𝑝 elements of 𝔽
𝑟1 ← 𝔽
𝑞ℓ ∈ 𝔽[𝑋ℓ]
𝑟ℓ ← 𝔽
Evaluates 𝑝 to check that
𝑝(𝑟1, … , 𝑟ℓ) = 𝑞ℓ(𝑟ℓ)
3
4. The sumcheck protocol is everywhere!
Sumcheck
protocol
Probabilistic proofs
[BFL91,BFLS91,GKR08]
Sumcheck-based
succinct arguments
[Thaler13]
[CMT13], [VSBW13],
[W+17], [ZGKPP17],
[WTSTW18],
[XZZPS19], [Set20]
Univariate-sumcheck-
based arguments
[BCRSVS19]
[BCGGRS19], [ZXZS20],
[CHMVW20], [COS20],
[CFQR20], [BFHVXZ20]
Sumchecks for
tensor codes
[Meir13]
[RR20],
[BCG20],
[BCL20]
• Linear-time prover
[Thaler13,ZXZS20]
• Small space [CMT13]
(can be implemented with
streaming access)
• Strong soundness
properties [CCHLRR18]
(can make non-interactive
without random oracles)
Useful properties:
4
5. The sumcheck protocol is everywhere!
Sumcheck
protocol
Probabilistic proofs
[BFL91,BFLS91,GKR08]
Sumcheck-based
succinct arguments
[Thaler13]
[CMT13], [VSBW13],
[W+17], [ZGKPP17],
[WTSTW18],
[XZZPS19], [Set20]
Univariate-sumcheck-
based arguments
[BCRSVS19]
[BCGGRS19], [ZXZS20],
[CHMVW20], [COS20],
[CFQR20], [BFHVXZ20]
Sumchecks for
tensor codes
[Meir13]
[RR20],
[BCG20],
[BCL20]
• Linear-time prover
[Thaler13,ZXZS20]
• Small space [CMT13]
(can be implemented with
streaming access)
• Strong soundness
properties [CCHLRR18]
(can make non-interactive
without random oracles)
Useful properties:
https://zkproof.org/2020/03/16/sum-checkprotocol/
5
6. Pairing-group
arguments
[LMR19], [ZGKPP17],
[XZZPS19]
Split-and-fold techniques:
a separate body of work?
Discrete-log arguments
[BBBPWM18], [PLS19],
[HKR19], [BHRRS20]
Unknown-order-group
arguments
[BFS20],
[BHRRS21]
Lattice
arguments
[BLNS20],
[ACK21], [LA20]
Some unifying abstractions: [BMMTV19,AC20,BDFG21]
Split-and-fold
[BCCGP16] • Linear-time prover
• Streaming prover
[BHRRS20], [BHRRS21]
(can be implemented in
small space)
Useful properties:
6
7. Pairing-group
arguments
[LMR19], [ZGKPP17],
[XZZPS19]
Split-and-fold techniques:
a separate body of work?
Discrete-log arguments
[BBBPWM18], [PLS19],
[HKR19], [BHRRS20]
Unknown-order-group
arguments
[BFS20],
[BHRRS21]
Lattice
arguments
[BLNS20],
[ACK21], [LA20]
Some unifying abstractions: [BMMTV19,AC20,BDFG21]
Split-and-fold
[BCCGP16] • Linear-time prover
• Streaming prover
[BHRRS20], [BHRRS21]
(can be implemented in
small space)
Useful properties:
https://www.coindesk.com/aim-fire-bulletproofs-breakthrough-privacy-blockchains
[BBBPWM18] implemented in Rust, Haskell, Javascript, and deployed by
Blockstream, and in Monero, Mimblewimble and more…
7
10. General goal:
succinct arguments for commitment openings
P V
Common input:
• commitment 𝐶
• commitment key 𝑐𝑘
Succinctness goal:
communication ≪ |𝑚|
⋮
Focus: commitments
with special structure
Claim: ∃ 𝑚 such that
𝐶 = Com 𝑐𝑘, 𝑚
10
11. A new notion :
sumcheck-friendly commitments
Definition: A commitment scheme CM is sumcheck friendly if
Com 𝑐𝑘, 𝑚 =
𝜔1,…,𝜔ℓ∈𝐻
𝑓(𝑝𝑚 𝜔1, … , 𝜔ℓ , 𝑝𝑐𝑘 𝜔1, … , 𝜔ℓ )
Example: Pedersen commitments 𝐶 = 𝑎1 ⋅ 𝑔1 + ⋯ + 𝑎𝑛 ⋅ 𝑔𝑛
𝐻 = −1,1
𝑅 = 𝔽𝑝
message
polynomial
in 𝕄[𝑋1, … , 𝑋ℓ],
𝕄 an 𝑅-module
evaluation
points from
𝐻 ⊆ 𝑅, 𝑅 a ring
key polynomial
in 𝕂[𝑋1, … , 𝑋ℓ],
𝕂 an 𝑅-module
combiner function 𝑓 ∶ 𝕄 × 𝕂 → ℂ
𝕂 = 𝔾, 𝑝𝑐𝑘 𝑋1, … , 𝑋ℓ = σ 𝑔𝑖1,…,𝑖ℓ
𝑋1
𝑖1
… 𝑋ℓ
𝑖ℓ
ℂ = 𝔾
𝑓: 𝑎, 𝑔 → 𝑎 ⋅ 𝑔
commitment
space ℂ is an
𝑅-module
𝕄 = 𝔽𝑝, 𝑝𝑚 𝑋1, … , 𝑋ℓ = σ 𝑎𝑖1,…,𝑖ℓ
𝑋1
𝑖1
… 𝑋ℓ
𝑖ℓ
11
12. Main result: sumcheck arguments
Theorem 1:
Let CM be a commitment scheme which is sumcheck-friendly and
invertible. Given a commitment key 𝑐𝑘 and a commitment 𝐶, the
sumcheck protocol applied to
(with one extra verifier check) is a succinct argument of knowledge for
the claim ∃𝑚 such that 𝐶 = Com(𝑐𝑘, 𝑚), with
Sumcheck
works over
rings and
modules
Think 𝑂(log |𝑚|)
𝑝 𝑋1, … , 𝑋ℓ = 𝑓 𝑝𝑚 𝑋1, … , 𝑋ℓ , 𝑝𝑐𝑘 𝑋1, … , 𝑋ℓ ∈ ℂ[𝑋1, … , 𝑋ℓ]
• completeness • soundness • communication ℓ ⋅ deg 𝑝
12
14. Application to R1CS over rings
R1CS problem over a ring 𝑹: given matrices 𝐴, 𝐵, 𝐶 ∈ 𝑅𝑛×𝑛
, does there
exist 𝑧 ∈ 𝑅𝑛
satisfying 𝐴𝑧 ∘ 𝐵𝑧 = 𝐶𝑧?
Theorem 2: Let (𝑀𝐿, 𝑀𝑅, 𝑀𝑇, 𝑒) be a “secure” bilinear module where 𝑀𝐿 is a
ring. Let 𝐼 ⊆ 𝑀𝐿 be a suitable ideal. There is a ZK succinct argument of
knowledge for R1CS with
R1CS Ring Prover time Verifier time Proof size
𝑀𝐿/𝐼 𝑂 𝑛 ops
in 𝑀𝐿, 𝑀𝑅, 𝑀𝑇
𝑂 𝑛 ops
in 𝑀𝐿, 𝑀𝑅, 𝑀𝑇
𝑂 log 𝑛 elems of 𝑀𝑇
Has enough structure for Pedersen and Schnorr
Bilinear module: a triple of modules (𝑀𝐿, 𝑀𝑅, 𝑀𝑇) over the same ring
with a bilinear map 𝑒 ∶ 𝑀𝐿 × 𝑀𝑅 → 𝑀𝑇.
14
15. Lattice-based succinct arguments for R1CS
Corollary: Let 𝑑 be a power of 2, 𝑝 ≪ 𝑞 primes, 𝑅𝑝 ≔ ℤ𝑝[𝑋]/ 𝑋𝑑
+ 1
and similarly for 𝑅𝑞. Then assuming SIS is hard over 𝑅𝑞, there is a zero-
knowledge succinct argument of knowledge for R1CS with
R1CS Ring Prover time Verifier time Proof size
𝑅𝑝 𝑂 𝑛 ops in 𝑅𝑝, 𝑅𝑞 𝑂 𝑛 ops in 𝑅𝑝, 𝑅𝑞 𝑂 log 𝑛 elems of 𝑅𝑞
Concurrent work:
• [LA21] gives impossibility results and improvements for lattice POKs
• [ACK21] gives lattice-based succinct arguments for NP
15
16. Open questions
• Analyse the post-quantum
security of sumcheck arguments
• Investigate new lattice
instantiations [LA21] and concrete
performance improvements
• Give instantiations of
[BFS20,Lee21,BHHRS21] in our
framework (or a generalization)
16
18. Sumcheck arguments for commitment schemes
Rings and
modules
Groups
Pedersen
commitments
Scalar-product
commitments
Sumcheck-friendly
commitments
Generalised
sumcheck-friendly
commitments
Today:
Many more details
and results in the
paper!
18
22. What kind of soundness? Knowledge soundness
Sumcheck argument: Pedersen
There exists an extractor that given a suitable tree of accepting transcripts for a
commitment key 𝑐𝑘 and commitment 𝐶, finds an opening 𝑚 such that 𝐶 = Com(𝑐𝑘, 𝑚).
Soundness (part 1)
⋮ ⋮ ⋮
𝑟1
(1)
𝑟1
(2)
𝑟1
(3)
𝑞1
𝑞2 𝑟1
(1)
𝑞2 𝑟1
(2)
𝑞2 𝑟1
(3)
P V
𝑞1
⋮
𝑟1
𝑞ℓ
𝑟ℓ
E
message
𝑚
22
23. Lemma: There exists an extractor that, given a 3-ary tree of accepting transcripts for
key ഫ
𝐺 and commitment 𝐶, finds an opening 𝑎 such that 𝐶 = 𝑎, 𝐺 .
⋮ ⋮ ⋮
𝑟1
(1)
𝑟1
(2)
𝑟1
(3)
𝑞1
𝑞2 𝑟1
(1)
𝑞2 𝑟1
(2)
𝑞2 𝑟1
(3)
𝟑𝐥𝐨𝐠 𝒏 −𝟏 openings of size 2 for 𝑞ℓ−1 𝑟ℓ −1 with key ഫ
𝐺ℓ−1 ∈ 𝔾2
𝟑𝐥𝐨𝐠 𝒏
openings of size 1 for 𝑞ℓ 𝑟ℓ with key 𝑝𝐺 പ
𝑟 ∈ 𝔾
𝟑𝒊−𝟏 openings of size 𝟐𝐥𝐨𝐠 𝒏 −𝒊+𝟏 for 𝑞𝑖−1 𝑟𝑖−1 with key ഫ
𝐺𝑖−1 ∈ 𝔾2log 𝑛 −𝑖+1
where ഫ
𝐺𝑖−1 is the vector of coefficients of 𝑝𝐺 𝑟1, … , 𝑟𝑖−1, ഫ
𝑋 .
1 opening of size 𝟐𝐥𝐨𝐠 𝒏
= 𝒏 for 𝑛𝐶 with key ഫ
𝐺 ∈ 𝔾𝑛
Round 1
Round 𝒊
Round 𝐥𝐨𝐠(𝐧)
Sumcheck argument: Pedersen
Soundness (part 2)
23
24. Soundness (part 3)
In the protocol, 𝑞𝑖 𝑋 = σഫ
𝜔∈{−1,1 }ℓ−𝑖 𝑝ഫ
𝑎 𝑟1, … , 𝑟𝑖−1, 𝑋, ഫ
𝜔 𝑝𝐺 𝑟1, … , 𝑟𝑖−1, 𝑋, ഫ
𝜔 .
So, 𝑞𝑖 𝑋 is quadratic.
Claim: If ഫ
𝜋(𝑗)
∈ 𝔽2ℓ−𝑖
is opening for 𝑞𝑖(𝑟𝑖
(𝑗)
) for 𝑗 ∈ [3], we can find an opening
of size 2ℓ−𝑖+1 for 𝑞𝑖−1(𝑟𝑖−1).
Sumcheck argument: Pedersen
3-ary tree contains three evaluations of 𝑞𝑖 𝑋 such that
∀𝑗 ∈ 3 , 𝑞𝑖 𝑟𝑖
(𝑗)
= ഫ
𝜋(𝑗), ഫ
𝐺𝑖
Then we can find 𝑞𝑖−1 𝑟𝑖−1 = 𝑞𝑖 1 + 𝑞𝑖 −1 = ഫ
𝜋′, ഫ
𝐺𝑖−1
Verifier’s check
24
Goal: find ഫ
𝜋 such that 𝑞𝑖 𝑋 = ഫ
𝜋(Χ), ഫ
𝐺𝑖−1
25. Soundness (part 4)
ഫ
𝐺𝑘 is the vector of coefficients of 𝑝𝐺 𝑟1, … , 𝑟𝑘, ഫ
𝑋
= ഫ
𝜋(𝑗), (ഫ
𝐺𝑖−1,𝐿+ 𝑟𝑖
(𝑗)
ഫ
𝐺𝑖−1,𝑅)
= ഫ
𝜋 𝑗
, 𝑟𝑖
(𝑗)
ഫ
𝜋 𝑗
, ഫ
𝐺𝑖−1
Sumcheck argument: Pedersen
Claim: If ഫ
𝜋(𝑗)
∈ 𝔽2ℓ−𝑖
is opening for 𝑞𝑖(𝑟𝑖
(𝑗)
) for 𝑗 ∈ [3], we can find an opening
of size 2ℓ−𝑖+1 for 𝑞𝑖−1(𝑟𝑖−1).
3-ary tree contains three evaluations of 𝑞𝑖 𝑋 such that
∀𝑗 ∈ 3 , 𝑞𝑖 𝑟𝑖
(𝑗)
= ഫ
𝜋(𝑗)
, ഫ
𝐺𝑖
ഫ
𝜋 such that
𝑞𝑖 𝑋 = ഫ
𝜋(Χ), ഫ
𝐺𝑖−1
linear algebra
25
Pedersen commitment is invertible.
26. Sumcheck arguments for commitment schemes
Rings and
modules
Groups
Pedersen
commitments
Scalar-product
commitments
Sumcheck-friendly
commitments
Generalised
sumcheck-friendly
commitments
Today:
26
28. Completeness and soundness
Lemma: The verifier accepts with probability 1.
𝐶 =
പ
𝑎, ഫ
𝐺1
പ
𝑏, ഫ
𝐺2
പ
𝑎, പ
𝑏 𝑈
𝑝ഫ
𝑎 ഫ
𝑋 𝑝ഫ
𝐺1
ഫ
𝑋
𝑝ഫ
𝑏 ഫ
𝑋 𝑝ഫ
𝐺2
ഫ
𝑋
𝑝𝑎 ഫ
𝑋 𝑝𝑏 ഫ
𝑋 𝑈
Follows from completeness for Pedersen
Lemma: If the commitment scheme is binding, there exists an extractor that, given a 4-ary
tree of accepting transcripts for key (ഫ
𝐺1, ഫ
𝐺2) and commitment 𝐶, finds an opening പ
𝑎, പ
𝑏
such that 𝐶 = 𝑎, 𝐺1 , 𝑏, 𝐺2 , 𝑎, 𝑏 𝑈 .
Similarly to Pedersen, we extract opening for each components. Using a computational
assumption and the larger tree, we show that third component is the scalar-product പ
𝑎, പ
𝑏 .
Scalar-product commitment is invertible.
Sumcheck argument:
Scalar-product commitment
28
29. Sumcheck arguments for commitment schemes
Rings and
modules
Groups
Pedersen
commitments
Scalar-product
commitments
Sumcheck-friendly
commitments
Generalised
sumcheck-friendly
commitments
Today:
29
30. Sumcheck-friendly commitments
Definition: A commitment scheme CM is sumcheck friendly if
Com 𝑐𝑘, 𝑚 =
𝜔1,…,𝜔ℓ∈𝐻
𝑓(𝑝𝑚 𝜔1, … , 𝜔ℓ , 𝑝𝑐𝑘 𝜔1, … , 𝜔ℓ )
message
polynomial
in 𝕄[𝑋1, … , 𝑋ℓ],
𝕄 an 𝑅-module
evaluation
points from
𝐻 ⊆ 𝑅, 𝑅 a ring
key polynomial
in 𝕂[𝑋1, … , 𝑋ℓ],
𝕂 an 𝑅-module
combiner function 𝑓 ∶ 𝕄 × 𝕂 → ℂ
commitment
space ℂ is an
𝑅-module
Sumcheck arguments for sumcheck-friendly commitments?
30
32. Extractor works inductively as in Pedersen using invertibility in each layer
Completeness and soundness
Lemma: The verifier accepts with probability 1.
Follows directly from definition of sumcheck-friendly commitments
Lemma: If commitment scheme is invertible, there exists an extractor that, given a
suitable tree of accepting transcripts for key 𝑐𝑘 and commitment 𝐶, finds an opening 𝑚.
Sumcheck argument:
Sumcheck-friendly commitment
32
33. 𝑟𝑖
(𝑲)
𝑟𝑖
(2)
Given polynomial 𝑞𝑖(𝑋) and “openings’’ 𝑝 1 ഫ
X , … , 𝑝(𝑲) ഫ
X such that
∀𝑗 ∈ 𝐾 ∶ 𝑞𝑖 𝑟(𝑗) = σഫ
𝜔∈𝐻ℓ−𝑖 𝑓 𝑝(𝑗)
ഫ
𝜔 , 𝑝𝑐𝑘(𝑟1, … , 𝑟𝑖
(𝑗)
, ഫ
𝜔)
We can find polynomial 𝑝 such that σ𝜔∈𝐻 𝑞𝑖 (𝜔) = σഫ
𝜔∈𝐻ℓ−𝑖+1 𝑓 𝑝 ഫ
𝜔 , 𝑝𝑐𝑘(𝑟1, … , 𝑟𝑖−1, ഫ
𝜔)
Invertibility
𝑟𝑖
(1)
𝑞𝑖
…
Property that allows to climb up the tree from layer to layer.
𝑝(1)
𝑝(2)
𝑝(𝐊)
K-
Invertible commitment schemes:
Pedersen commitments, scalar-product commitments, linear-function commitments
Extra variable 𝑋𝑖: 𝑝 “bigger” than 𝑝(𝑗)
Sumcheck argument:
Sumcheck-friendly commitment
33
34. Sumcheck arguments for commitment schemes
Rings and
modules
Groups
Pedersen
commitments
Scalar-product
commitments
Sumcheck-friendly
commitments
Generalised
sumcheck-friendly
commitments
Today:
34
35. From groups to rings
Goal: an abstraction for mathematical structures where folding techniques can work
Everything so far extends to general 𝔽-vector spaces, e.g., bilinear groups [BMMTV19].
Scalar-product commitments for bilinear groups: ഫ
𝒂, ഫ
𝑮𝟏 , ഫ
𝒃, ഫ
𝑮𝟐 , ഫ
𝒂, ഫ
𝒃 ∈ 𝔾𝑻
𝟑
𝔾1 𝔾2
Lattices and groups of unknown order?
35
36. Messages Keys Commitments Assumption
small 𝑀𝐿 𝑀𝑅 𝑀𝑇 Bilinear Relation Assumption
From groups to rings:
bilinear modules
Norm checks: only “short” elements are valid messages
e.g., for ring-SIS
𝑹-module 𝑴: generalization of vector space over rings
Bilinear module: 𝑀𝐿, 𝑀𝑅, 𝑀𝑇, 𝑒 such that • 𝑀𝐿, 𝑀𝑅, 𝑀𝑇 are 𝑅-modules
• 𝑒 ∶ 𝑀𝐿 × 𝑀𝑅 → 𝑀𝑇 is 𝑅-bilinear
Pedersen example: 𝐶 = 𝑎1𝐺1 + ⋯ + 𝑎𝑛𝐺𝑛 = ⟨𝑎 , 𝐺⟩
‘Multiply’ message and key elements using 𝑒
Add the pieces together
Hard to find small 𝑎
such that 𝑎 , 𝐺 = 0
Can define polynomials over
message and key spaces
36
37. 37
𝑝𝑚(പ
𝑟)
𝑟 ← 𝒞ℓ
𝑟
common input:
• key 𝑐𝑘
• commitment 𝐶
claim: ∃𝑚 with 𝒎 ≤ 𝑩 s.t. 𝐶 = σഫ
𝜔 ∈ 𝐻ℓ 𝑓 𝑝𝑚 ഫ
𝜔 , 𝑝𝑐𝑘 ഫ
𝜔
P
Opening: 𝑚
with 𝒎 ≤ 𝑩
V
consistency check:
𝑓 𝑝𝑚 𝑟 , 𝑝𝑐𝑘 𝑟 = 𝑣?
𝒑𝒎(പ
𝒓) ≤ 𝑩∗?
𝑚
From groups to rings:
sumcheck arguments
Natural bound for
evaluation of 𝒑𝒎 on 𝒞ℓ
𝑞1, … , 𝑞ℓ
⋮
Special challenge set ⊆ 𝑹!
(necessary even for
sumcheck protocol)
σ𝜔∈𝐻 𝑞1 𝜔 = 𝐶?
σ𝜔∈𝐻 𝑞ℓ 𝜔 = 𝑞ℓ−1(𝑟ℓ−1)?
sumcheck protocol for
σ𝜔 ∈ 𝐻ℓ 𝑓 𝑝𝑚 𝜔 , 𝑝𝑐𝑘 𝜔 = 𝐶
38. Arithmetic over rings might cause slackness factors and increase in norm.
e.g., for Pedersen, the extracted relaxed opening 𝑎 for 𝐶 and 𝐺:
𝝃ℓ ⋅ 𝐶 = 𝑎, 𝐺 with പ
𝑎 ≤ 𝑁ℓ ⋅ 𝐵∗
From groups to rings:
soundness
Lemma: If commitment scheme is invertible, there exists an extractor that, given a suitable
tree of accepting transcripts for key 𝑐𝑘 and commitment 𝐶, finds a relaxed opening 𝑚.
Challenges:
1. Linear algebra different over rings and modules
2. Norm considerations arise
Ring 𝒞 𝜉 𝛮
ℤ𝑞 𝑋
< 𝑋𝑑 + 1 >
{𝑋𝑖: 0 ≤ 𝑖 ≤ 2𝑑 − 1 } 8 𝑂(𝑑7)
Parameters for lattices:
Tighter analysis in
[LA21], [ACK21]
Tighter analysis in
[LA21], [ACK21]
38
39. e.g., for Pedersen, the extracted relaxed opening 𝑎 for 𝐶 and 𝐺:
𝝃ℓ ⋅ 𝐶 = 𝑎, 𝐺 with പ
𝑎 ≤ 𝑁ℓ ⋅ 𝐵
From groups to rings:
R1CS over rings
Lemma (soundness): There exists an extractor that finds an R1CS witness.
Without slackness!
𝐶 = 𝑎/𝝃ℓ, 𝐺 with പ
𝑎/𝝃ℓ ≤ 𝐵′
Issues:
1. 𝜉 might not be invertible
2. പ
𝑎/𝜉ℓ might not be small
Ideal 𝐼 such that 𝜉 (mod 𝐼) is invertible, 𝑥 (mod 𝐼) small for all 𝑥
𝐶 = 𝑎/𝜉ℓ(𝐦𝐨𝐝 𝑰), 𝐺 with പ
𝑎/𝜉ℓ(𝐦𝐨𝐝 𝑰) ≤ 𝐵′
A remark about our R1CS result:
39
40. Instantiations of bilinear modules
Assumption Messages Keys Commitments Ideal
BRA small 𝑀𝐿 𝑀𝑅 𝑀𝑇 𝐼
DLOG 𝔽𝑝 𝔾 𝔾 {0}
DPAIR[AFGHO10] 𝔾1 𝔾2 𝔾𝑇 {0}
UO [BFS20] small ℤ 𝔾 𝔾 𝑛ℤ for suitable small 𝑛
RSIS [Ajtai94] small 𝑅𝑞 𝑅𝑞
𝑑 𝑅𝑞
𝑑 𝑛ℤ for suitable small 𝑛
40
42. Summary of results
Theorem 1:
The sumcheck protocol applied to a sumcheck-friendly commitment scheme
is a succinct argument of knowledge of commitment openings.
Theorem 2: Let (𝑀𝐿, 𝑀𝑅, 𝑀𝑇) be a
secure bilinear module with 𝑀𝐿 a
ring and 𝐼 ⊆ 𝑀𝐿 an ideal. There is a
ZK succinct argument of knowledge
for R1CS with
Corollary: Let 𝑝 ≪ 𝑞 primes,
𝑅𝑝 ≔ ℤ𝑝[𝑋]/ 𝑋𝑑
+ 1 and similarly
for 𝑅𝑞. Then assuming SIS is hard,
there is a ZK succinct argument of
knowledge for R1CS with
R1CS
Ring
Prover and verifier
time
Proof size
𝑀𝐿/𝐼 𝑂 𝑛 ops 𝑀𝐿, 𝑀𝑅, 𝑀𝑇 𝑂 log 𝑛 elems
R1CS
Ring
Prover and verifier
time
Proof size
𝑅𝑝 𝑂 𝑛 ops 𝑅𝑝, 𝑅𝑞 𝑂 log 𝑛 elems 𝑅𝑞
42
43. Takeaways
• Many commitment schemes are
sumcheck friendly
• We can recast many different
cryptographic settings as bilinear modules
• In the paper: instantiations and
polynomial commitment schemes
43