Talk given at the ZK Study Club by Jonathan Bootle and Katerina Sotiraki about the universality of sumcheck arguments and their importance in zero-knowledge cryptography.
The document discusses homomorphic encryption, which allows computations to be performed on encrypted data and obtain an encrypted result without decrypting the inputs. It provides examples of partially homomorphic encryption schemes like RSA that allow only addition or multiplication, and fully homomorphic encryption introduced by Craig Gentry in 2009 that allows any computation. The document also discusses applications of homomorphic encryption like secure cloud computing and processing of sensitive encrypted medical records. It summarizes Craig Gentry's homomorphic encryption scheme and the HELib software library implementation.
The document discusses approximation algorithms for solving hard combinatorial optimization problems. It defines optimization problems and covers NP-hard problems like the clique, independent set, vertex cover, and traveling salesman problems. Approaches for solving NP-hard problems include exact algorithms, approximation algorithms that provide guaranteed good solutions, and heuristics without guarantees. Approximation algorithms aim to settle for good enough solutions rather than optimal ones.
Monotonic Multihead Attention, Ma, Xutai, et al. "Monotonic Multihead Attention." International Conference on Learning Representations. 2020. review by June-Woo Kim
The document discusses approximation algorithms for NP-complete problems. It introduces the idea of finding near-optimal solutions in polynomial time for problems where optimal solutions cannot be found efficiently. It provides examples of the vertex cover problem and set cover problem, describing greedy approximation algorithms that provide performance guarantees for finding near-optimal solutions for these problems. The document also discusses some open questions around whether these approximation ratios can be improved.
This document discusses cryptographic hash functions. It provides an overview of hash functions and their properties like producing a fixed-length digest from an arbitrary-length message. It describes common hash functions like MD5, SHA-1 and SHA-2 and their structures. It also discusses attacks on hash functions and the need for a new secure hash standard to replace insecure functions like MD5 and the soon-to-be insecure SHA-1, leading to the NIST SHA-3 competition to select a new standard.
Particle swarm optimisation (chagra bassem)
Particle swarm optimisation is a stochastic optimisation method for non-linear functions, based on reproducing a form of social behaviour.
Elliptic curve cryptography (ECC) uses elliptic curves over finite fields for encryption, digital signatures, and key exchange. The key sizes are smaller than RSA for the same security level. Its security relies on the assumed hardness of solving the discrete logarithm problem over elliptic curves. ECC defines elliptic curves with parameters over Galois fields GF(p) for prime p or binary fields GF(2^m). Points on the curves along with addition and doubling formulas are used to perform scalar multiplications for cryptographic operations.
Because of deep learning we now talk a lot about tensors, yet tensors remain relatively unknown objects. In this presentation I will introduce tensors and the basics of multilinear algebra, then describe tensor decompositions and give some examples of how they are used in representation learning for understanding/compressing data. I will also briefly describe how tensor decompositions are used in 1) the method of moments for training latent variable models, and 2) deep learning for understanding why deep convolutional networks are such excellent classifiers.
The document discusses the Data Encryption Standard (DES), including:
- DES is a block cipher that encrypts data in 64-bit blocks using a 56-bit key and 16 rounds of encryption.
- DES has a block size of 64 bits, a key size of 56 bits (though the key specification is 64 bits with 8 bits used for error checking), and uses 16 intermediate 48-bit keys over its 16 rounds.
- The DES encryption process uses substitution boxes (S-boxes) to encrypt each block, and has 4 known weak keys that should be avoided during key generation.
Solving travelling salesman problem using firefly algorithm (ishmecse13)
The document describes adapting the firefly algorithm to solve the travelling salesman problem (TSP). Key points:
- The firefly algorithm is inspired by the flashing behavior of fireflies to find optimal solutions. It is adapted for TSP by representing fireflies as permutations and using inversion mutation for movement between cities.
- Distance between fireflies is calculated using Hamming or swap distance on their city orderings. Brighter fireflies attract nearby fireflies to move toward better solutions.
- The algorithm is implemented in MATLAB to test on standard TSP datasets. Results show the firefly algorithm finds better solutions than ant colony optimization, genetic algorithm, and simulated annealing on most problem instances.
The main challenge of concurrent software verification has always been in achieving modularity, i.e., the ability to divide and conquer the correctness proofs with the goal of scaling the verification effort. Types are a formal method well-known for its ability to modularize programs, and in the case of dependent types, the ability to modularize and scale complex mathematical proofs.
In this talk I will present our recent work towards reconciling dependent types with shared memory concurrency, with the goal of achieving modular proofs for the latter. Applying the type-theoretic paradigm to concurrency has led us to view separation logic as a type theory of state, and has motivated novel abstractions for expressing concurrency proofs based on the algebraic structure of a resource and on structure-preserving functions (i.e., morphisms) between resources.
A decade of active research has led to practical constructions of zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs) that are now being used in a wide variety of applications. Despite this astonishing progress, overheads in proof generation time remain significant.
In this work, we envision a world where consumers with low computational resources can outsource the task of proof generation to a group of untrusted servers in a privacy-preserving manner. The main requirement is that these servers should be able to collectively generate proofs at a faster speed (than the consumer). Towards this goal, we introduce a framework called zk-SNARKs-as-a-service (zkSaaS) for faster computation of zk-SNARKs. Our framework allows for distributing proof computation across multiple servers such that each server is expected to run for a shorter duration than a single prover. Moreover, the privacy of the prover's witness is ensured against any minority of colluding servers.
We design custom protocols in this framework that can be used to obtain faster runtimes for widely used zk-SNARKs, such as Groth16 [EUROCRYPT 2016], Marlin [EUROCRYPT 2020], and Plonk [EPRINT 2019]. We implement proof of concept zkSaaS for the Groth16 and Plonk provers. In comparison to generating these proofs on commodity hardware, we show that not only can we generate proofs for a larger number of constraints (without memory exhaustion), but can also get speed-up when run with 128 parties for constraints with Groth16 and gates with Plonk.
https://eprint.iacr.org/2023/905
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application... (Alex Pruden)
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Nearly optimal average case complexity of counting bicliques under SETH (Nobutaka Shimizu)
1) The document presents a theorem showing that under the Strong Exponential Time Hypothesis (SETH), counting the number of bicliques in a graph is hard on average, requiring nearly-optimal average-case complexity of Ω(n^{a-ε}) time for any ε > 0.
2) It introduces a technique for amplifying this fine-grained hardness by reducing the problem of counting bicliques to solving many independent instances of the problem, showing any o(n^{a-ε}) time algorithm would succeed with high probability on only a 1 - 1/polylog(n) fraction of graphs.
3) The amplification is achieved by constructing an interactive proof system for counting b
Declarative Semantics Definition - Term Rewriting (Guido Wachsmuth)
This document discusses term rewriting and its applications in compiler construction. It covers term rewriting systems, rewrite rules that transform terms, and rewrite strategies that control rule application. Examples are provided for desugaring code using rewrite rules and constant folding arithmetic expressions using rewrite rules and strategies. Stratego is presented as a domain-specific language for program transformation based on term rewriting.
A new kind of quantum gates, higher braiding gates, as matrix solutions of the polyadic braid equations (different from the generalized Yang–Baxter equations) is introduced. Such gates lead to another special multiqubit entanglement that can speed up key distribution and accelerate algorithms. Ternary braiding gates acting on three qubit states are studied in detail. We also consider exotic non-invertible gates, which can be related to qubit loss, and define partial identities (which can be orthogonal), partial unitarity, and partially bounded operators (which can be non-invertible). We define two classes of matrices, star and circle ones, such that the magic matrices (connected with the Cartan decomposition) belong to the star class. The general algebraic structure of the introduced classes is described in terms of semigroups, ternary and 5-ary groups and modules. The higher braid group and its representation by the higher braid operators are given. Finally, we show that for each multiqubit state there exist higher braiding gates that are not entangling, and the concrete conditions to be non-entangling are given for the obtained binary and ternary gates.
The document summarizes a presentation titled "Yoyak" given by Heejong Lee at ScalaDays 2015. The presentation introduces Yoyak, a static analysis framework developed by the speaker. It covers the following topics:
- Static analysis and abstract interpretation theory
- Implementation highlights of the Yoyak framework
- Experiences using Scala in developing Yoyak
- The roadmap for future development of Yoyak
Local Model Checking Algorithm Based on Mu-calculus with Partial Orders (TELKOMNIKA JOURNAL)
The propositional μ-calculus can be divided into two categories, global model checking algorithm and local model checking algorithm. Both of them aim at reducing time complexity and space complexity effectively. This paper analyzes the computing process of alternating fixpoint nesting in detail and designs an efficient local model checking algorithm based on the propositional μ-calculus by a group of partially ordered relations; its time complexity is O(d^2 (dn)^{d/2+2}) (d is the depth of fixpoint nesting, n is the maximum number of nodes) and its space complexity is O(d (dn)^{d/2}). As far as we know, the best local model checking algorithms to date have a time-complexity exponent of d. In this paper, the exponent of the time complexity of this algorithm is reduced from d to d/2. It is more efficient than the algorithms of previous research.
This document summarizes a research paper on implementing sized typing for the Coq proof assistant. It describes sized types, which associate inductive types like natural numbers with size levels. The paper presents an implementation of sized typing for Coq that adds size annotations during type checking and uses a constraint solving algorithm during size inference. Evaluation shows the sized typing implementation increases compilation time but supports more modular termination checking of recursive functions.
The document outlines various statistical and data analysis techniques that can be performed in R including importing data, data visualization, correlation and regression, and provides code examples for functions to conduct t-tests, ANOVA, PCA, clustering, time series analysis, and producing publication-quality output. It also reviews basic R syntax and functions for computing summary statistics, transforming data, and performing vector and matrix operations.
N-gram IDF: A Global Term Weighting Scheme Based on Information Distance (WWW... (Masumi Shirakawa)
A deck of slides for "N-gram IDF: A Global Term Weighting Scheme Based on Information Distance" (Shirakawa et al.) that was presented at 24th International World Wide Web Conference (WWW 2015).
This document discusses conflict-free replicated data types (CRDTs) and their implementation in Redis. It begins with an overview of how communication speeds have increased over time, from weeks in the 19th century to milliseconds today. It then discusses how CRDTs allow for concurrent updates by preserving "sequential semantics" even when operations are partially ordered. Examples are given of how counters, registers, and sets can be implemented as CRDTs to support both sequential and concurrent executions across distributed replicas in a way that converges to a common value. Redis uses specific CRDT implementations for its counters, registers using last-writer-wins, and add-wins sets.
Presentation by Stefan Dziembowski, associate professor and leader of Cryptology and Data Security Group University of Warsaw. In BIU workshop on Bitcoin. Covered exclusively by vpnMentor.com
Litecoin was the first major alternative cryptocurrency, using the Scrypt hash function instead of Bitcoin's SHA-256 to make specialized mining hardware less effective. Spacemint proposes using proofs of storage space instead of computational power for mining. Alternative cryptocurrencies aim to address drawbacks of Bitcoin like high energy use, lack of anonymity, and non-Turing complete scripts by using different consensus mechanisms like proofs of stake and storing useful data.
This document discusses using relations and relational calculus to specify programs in a more natural way. It proposes enhancing data types with invariants to tame non-determinism and partiality in relational specifications. This allows inferring checkable domain and range predicates for relations to optimize execution. Bidirectional transformations are also specified relationally to maximize updatability.
pptx - Pseudo Random Generator for Halfspaces (butest)
This document summarizes research on constructing pseudorandom generators for halfspaces. The key results are:
1) The researchers developed a pseudorandom generator for halfspaces over arbitrary product distributions on R^n, requiring only that E[x_i^4] is constant. This improves on prior work that only handled the uniform distribution on {-1,1}^n.
2) Their generator can simulate intersections of k halfspaces using a seed of length k log(n), and arbitrary functions of k halfspaces using a seed of length k^2 log(n).
3) The generator exploits a "dichotomy" among halfspaces - they are either "dictator" functions depending on few variables, or
pptx - Pseudo Random Generator for Halfspaces (butest)
This document summarizes research on constructing pseudorandom generators for halfspaces. The key results are:
1) The researchers developed a pseudorandom generator for halfspaces over arbitrary product distributions on R^n, requiring only that E[x_i^4] is constant. This improves on prior work that only handled the uniform distribution on the boolean cube.
2) Their generator can handle intersections of k halfspaces using a seed length of k log(n), and arbitrary functions of k halfspaces using a seed length of k^2 log(n).
3) The generator exploits a "dichotomy" in halfspaces - they are either "dictator-like" depending on few variables, or "majority-like
We propose a simple and efficient searchable symmetric encryption scheme based on a Bitmap index that evaluates Boolean queries. Our scheme provides a practical solution in settings where communications and computations are very constrained as it offers a suitable trade-off between privacy and performance.
RedisDay London 2018 - CRDTs and Redis From sequential to concurrent executions (Redis Labs)
CRDTs and Redis
- CRDTs (Conflict-Free Replicated Data Types) allow for data to be replicated across multiple systems and remain available even if those systems become disconnected from each other.
- Redis implements several CRDT data types including counters, registers, sets, and lists to provide causal consistency across replicas while preserving availability.
- The talk discusses how CRDTs transition from sequential execution models to concurrent ones while still preserving correctness and sequential semantics. Different concurrency policies, like add-wins and remove-wins sets, are explored.
Incremental and parallel computation of structural graph summaries for evolvi... (Till Blume)
This document presents an incremental and parallel algorithm for computing structural graph summaries of evolving graphs. The algorithm incrementally updates graph summaries when the input graph changes, which is often faster than recomputing from scratch. The algorithm partitions the graph and computes summaries in parallel. Experimental results on real-world and benchmark graphs show the incremental algorithm outperforms batch computation even when 50% of the graph changes. The algorithm runs in linear time with respect to graph changes and degree.
Similar to ZK Study Club: Sumcheck Arguments and Their Applications (20)
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs (Alex Pruden)
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
This week's session covers new work from Justin Thaler (GWU) et al on Lasso/Jolt.
Lasso is a new lookup argument (more on this below) with a dramatically faster prover. Our initial implementation provides roughly a 10x speedup over the lookup argument in the popular, well-engineered halo2 toolchain; we expect improvements of around 40x when optimizations are complete. To demonstrate, we’re releasing the open source implementation, written in Rust. We invite the community to help us make Lasso as fast and robust as possible.
The second, accompanying innovation to Lasso is Jolt, a new approach to zkVM (zero knowledge virtual machine) design that builds on Lasso. Jolt realizes the “lookup singularity” – a vision initially laid out by Barry Whitehat of the Ethereum Foundation for simpler tooling and lightweight, lookup-centric circuits (more on why this matters below). Relative to existing zkVMs, we expect Jolt to achieve similar or better performance – and importantly, a more streamlined and accessible developer experience. With Jolt, it will be easier for developers to write fast SNARKs in their high-level language of choice.
Lasso: https://people.cs.georgetown.edu/jthaler/Lasso-paper.pdf
Jolt: https://people.cs.georgetown.edu/jthaler/Jolt-paper.pdf
zkStudyClub - Improving performance of non-native arithmetic in SNARKs (Ivo K... (Alex Pruden)
In this zkStudyClub session, Ivo presents techniques for applying the log-derivative lookup tables in a circuit using LegoSNARK-style commitment. As an application, we show how this lookup table can be used to implement range checks, specifically applying it to the non-native arithmetic. Using these optimisations, we were able to reduce the proof time for BN254 pairing in Groth16 to approx 5s (MBP M1). The technique also works for PLONKish arithmetisation.
zkStudyClub - cqlin: Efficient linear operations on KZG commitments (Alex Pruden)
This week, Liam Eagen (Blockstream Research) and Ariel Gabizon (Zeta Function Technologies) present cqlin - Efficient linear operations on KZG commitments with cached quotients.
Given two KZG-committed polynomials , a matrix , and subgroup of order , we present a protocol for checking that . After preprocessing, the prover makes field and group operations. This presents a significant improvement over the lincheck protocols in [CHMMVW, COS], where the prover's run-time (also after preprocessing) was quasilinear in the number of non-zeroes of M, which could be n^2.
ZK Study Club: Supernova (Srinath Setty - MS Research) (Alex Pruden)
This week, Srinath Setty (MS Research) will present SuperNova, a new recursive proof system for incrementally producing succinct proofs of correct execution of programs on a stateful machine with a particular instruction set (e.g., EVM, RISC-V). A distinguishing aspect of SuperNova is that the cost of proving a step of a program is proportional only to the size of the circuit representing the instruction invoked by the program step. This is a stark departure from prior works that employ universal circuits where the cost of proving a program step is proportional at least to the sum of sizes of circuits representing each supported instruction—even though a particular program step invokes only one of the supported instructions. Naturally, SuperNova can support a rich instruction set without affecting the per-step proving costs. SuperNova achieves its cost profile by building on Nova, a prior high-speed recursive proof system, and leveraging its internal building block, folding schemes, in a new manner. We formalize SuperNova’s approach as a way to realize non-uniform IVC, a generalization of IVC. Furthermore, SuperNova’s prover costs and the recursion overhead are the same as Nova’s, and in fact, SuperNova is equivalent to Nova for machines that support a single instruction.
https://eprint.iacr.org/2022/1758
Paper: https://eprint.iacr.org/2022/1355
Plonk is a widely used succinct non-interactive proof system that uses univariate polynomial commitments. Plonk is quite flexible: it supports circuits with low-degree "custom" gates as well as circuits with lookup gates (a lookup gate ensures that its input is contained in a predefined table). For large circuits, the bottleneck in generating a Plonk proof is the need for computing a large FFT.
In this work, the authors present HyperPlonk, an adaptation of Plonk to the boolean hypercube, using multilinear polynomial commitments. HyperPlonk retains the flexibility of Plonk but provides several additional benefits. First, it avoids the need for an FFT during proof generation. Second, and more importantly, it supports custom gates of much higher degree than Plonk without harming the running time of the prover. Both of these can dramatically speed up the prover's running time. Since HyperPlonk relies on multilinear polynomial commitments, the authors revisit two elegant constructions: one from Orion and one from Virgo. The authors also show how to reduce the Orion opening proof size to less than 10kb (an almost factor 1000 improvement) and show how to make the Virgo FRI-based opening proof simpler and shorter.
Caulk: zkStudyClub: Caulk - Lookup Arguments in Sublinear Time (A. Zapico) (Alex Pruden)
This week, Arantxa Zapico of the Ethereum Foundation presents new work (co-authored with Vitalik Buterin, Dmitry Khovratovich, Mary Maller, Anca Nitulescu, and Mark Simkin) called Caulk, which examines position-hiding linkability for vector commitment schemes. One can prove in zero knowledge that one or more values that comprise commitment cm all belong to the vector of size committed to in C. Caulk can be used for membership proofs and lookup arguments and outperforms all existing alternatives in prover time by orders of magnitude.
https://eprint.iacr.org/2022/621
zkStudyClub: Zero-Knowledge Proofs Security, in Practice [JP Aumasson, Taurus] (Alex Pruden)
Slides accompanying zkStudyClub talk: Zero-Knowledge Proofs Security, in Practice. JP Aumasson (co-creator of the BLAKE hash function family) will share his experience doing security auditing for various projects that use zero-knowledge proofs. He will describe his approach, the common pitfalls in the different components of a proof system, as well as a catalog of bugs that have been discovered in various projects.
This week, Luke Pearson (Polychain Capital) and Joshua Fitzgerald (Anoma) present their work on Plonkup, a protocol that combines Plookup and PLONK into a single, efficient protocol. The protocol relies on a new hash function, called Reinforced Concrete, written by Dmitry Khovratovich. The three of them will present their work together at this week's edition of zkStudyClub!
Slides:
---
To follow the Zero Knowledge Podcast, find us at https://www.zeroknowledge.fm
To the listeners of Zero Knowledge Podcast, if you like what we do:
- Follow us on Twitter - @zeroknowledgefm
- Join us on Telegram - https://t.me/joinchat/TORo7aknkYNLHmCM
- Support our Gitcoin Grant - https://gitcoin.co/grants/329/zero-knowledge-podcast-2
- Support us on Patreon - https://www.patreon.com/zeroknowledge
zkStudy Club: Subquadratic SNARGs in the Random Oracle Model (Alex Pruden)
Slides for Eylon Yogev's (Bar-Ilan University) presentation at ZKStudyClub, covering his new work (co-authored w/ Alessandro Chiesa of UC Berkeley) about SNARGs in the random oracle model of sub-quadratic complexity.
Link to the original paper: https://eprint.iacr.org/2021/281.pdf
The document proposes an elliptic curve fast Fourier transform (ECFFT) algorithm that can perform FFTs over any prime or binary field, unlike the classical FFT which requires a field with a special structure. It works by replacing the multiplicative group used in classical FFT with an elliptic curve group, and using isogenies between elliptic curves instead of field multiplication to map points between subgroups. This allows performing FFTs in O(n log n) time like the classical FFT, but over any field by leveraging properties of elliptic curves and isogenies.
zkStudyClub: CirC and Compiling Programs to Circuits (Alex Pruden)
The programming languages community, the cryptography community, and others rely on translating programs in high-level source languages (e.g., C) to logical constraint representations. Unfortunately, building compilers for this task is difficult and time consuming. In this work, Alex Ozdemir et al present CirC, an infrastructure for building compilers for SNARKs that build upon a common abstraction: stateless, non-deterministic computations called existentially quantified circuits, or EQCs.
Securiport Gambia is a civil aviation and intelligent immigration solutions provider founded in 2001. The company was created to address security needs unique to today’s age of advanced technology and security threats. Securiport Gambia partners with governments, coming alongside their border security to create and implement the right solutions.
DefCamp_2016_Chemerkin_Yury-publish.pdf - Presentation by Yury Chemerkin at DefCamp 2016 discussing mobile app vulnerabilities, data protection issues, and analysis of security levels across different types of mobile applications.
Discover practical tips and tricks for streamlining your Marketo programs from end to end. Whether you're new to Marketo or looking to enhance your existing processes, our expert speakers will provide insights and strategies you can implement right away.
Project management Course in Australia.pptx (deathreaper9)
Project Management Course
Over the past few decades, organisations have discovered something incredible: the principles that lead to great success on large projects can be applied to projects of any size to achieve extraordinary success. As a result, many employees are expected to be familiar with project management techniques and how they apply them to projects.
https://projectmanagementcoursesonline.au/
Using ScyllaDB for Real-Time Write-Heavy Workloads (ScyllaDB)
Keeping latencies low for highly concurrent, intensive data ingestion
ScyllaDB’s “sweet spot” is workloads over 50K operations per second that require predictably low (e.g., single-digit millisecond) latency. And its unique architecture makes it particularly valuable for the real-time write-heavy workloads such as those commonly found in IoT, logging systems, real-time analytics, and order processing.
Join ScyllaDB technical director Felipe Cardeneti Mendes and principal field engineer, Lubos Kosco to learn about:
- Common challenges that arise with real-time write-heavy workloads
- The tradeoffs teams face and tips for negotiating them
- ScyllaDB architectural elements that support real-time write-heavy workloads
- How your peers are using ScyllaDB with similar workloads
Planetek Italia is an Italian Benefit Company established in 1994, which employs 120+ women and men, passionate and skilled in Geoinformatics, Space solutions, and Earth science.
We provide solutions to exploit the value of geospatial data through all phases of data life cycle. We operate in many application areas ranging from environmental and land monitoring to open-government and smart cities, and including defence and security, as well as Space exploration and EO satellite missions.
Connecting Attitudes and Social Influences with Designs for Usable Security a... (Cori Faklaris)
Many system designs for cybersecurity and privacy have failed to account for individual and social circumstances, leading people to use workarounds such as password reuse or account sharing that can lead to vulnerabilities. To address the problem, researchers are building new understandings of how individuals’ attitudes and behaviors are influenced by the people around them and by their relationship needs, so that designers can take these into account. In this talk, I will first share my research to connect people’s security attitudes and social influences with their security and privacy behaviors. As part of this, I will present the Security and Privacy Acceptance Framework (SPAF), which identifies Awareness, Motivation, and Ability as necessary for strengthening people’s acceptance of security and privacy practices. I then will present results from my project to trace where social influences can help overcome obstacles to adoption such as negative attitudes or inability to troubleshoot a password manager. I will conclude by discussing my current work to apply these insights to mitigating phishing in SMS text messages (“smishing”).
UiPath Community Day Amsterdam: Code, Collaborate, ConnectUiPathCommunity
Welcome to our third live UiPath Community Day Amsterdam! Come join us for a half-day of networking and UiPath Platform deep-dives, for devs and non-devs alike, in the middle of summer ☀.
📕 Agenda:
12:30 Welcome Coffee/Light Lunch ☕
13:00 Event opening speech
Ebert Knol, Managing Partner, Tacstone Technology
Jonathan Smith, UiPath MVP, RPA Lead, Ciphix
Cristina Vidu, Senior Marketing Manager, UiPath Community EMEA
Dion Mes, Principal Sales Engineer, UiPath
13:15 ASML: RPA as Tactical Automation
Tactical robotic process automation for solving short-term challenges, while establishing standard and re-usable interfaces that fit IT's long-term goals and objectives.
Yannic Suurmeijer, System Architect, ASML
13:30 PostNL: an insight into RPA at PostNL
Showcasing the solutions our automations have provided, the challenges we’ve faced, and the best practices we’ve developed to support our logistics operations.
Leonard Renne, RPA Developer, PostNL
13:45 Break (30')
14:15 Breakout Sessions: Round 1
Modern Document Understanding in the cloud platform: AI-driven UiPath Document Understanding
Mike Bos, Senior Automation Developer, Tacstone Technology
Process Orchestration: scale up and have your Robots work in harmony
Jon Smith, UiPath MVP, RPA Lead, Ciphix
UiPath Integration Service: connect applications, leverage prebuilt connectors, and set up customer connectors
Johans Brink, CTO, MvR digital workforce
15:00 Breakout Sessions: Round 2
Automation, and GenAI: practical use cases for value generation
Thomas Janssen, UiPath MVP, Senior Automation Developer, Automation Heroes
Human in the Loop/Action Center
Dion Mes, Principal Sales Engineer @UiPath
Improving development with coded workflows
Idris Janszen, Technical Consultant, Ilionx
15:45 End remarks
16:00 Community fun games, sharing knowledge, drinks, and bites 🍻
Flame emission spectroscopy is an instrument used to determine concentration of metal ions in sample. Flame provide energy for excitation atoms introduced into flame. It involve components like sample delivery system, burner, sample, mirror, slits, monochromator, filter, detector (photomultiplier tube and photo tube detector). There are many interference involved during analysis of sample like spectral interference, ionisation interference, chemical interference ect. It can be used for both quantitative and qualitative study, determine lead in petrol, determine alkali and alkaline earth metal, determine fertilizer requirement for soil.
Webinar: Transforming Substation Automation with Open Source SolutionsDanBrown980551
This webinar will provide an overview of open source software and tooling for digital substation automation in energy systems. The speakers will provide a brief overview of how open source collaborative development works in general, then delve into how it is driving innovation and accelerating the pace of substation automation. Examples of specific open source solutions and real-world implementations by utilities will be discussed. Participants will walk away with a better understanding of the challenges of automating substations, the ecosystem of solutions available to help, and best practices for implementing them.
Welcome to our third live UiPath Community Day Amsterdam! Come join us for a half-day of networking and UiPath Platform deep-dives, for devs and non-devs alike, in the middle of summer ☀.
📕 Agenda:
12:30 Welcome Coffee/Light Lunch ☕
13:00 Event opening speech
Ebert Knol, Managing Partner, Tacstone Technology
Jonathan Smith, UiPath MVP, RPA Lead, Ciphix
Cristina Vidu, Senior Marketing Manager, UiPath Community EMEA
Dion Mes, Principal Sales Engineer, UiPath
13:15 ASML: RPA as Tactical Automation
Tactical robotic process automation for solving short-term challenges, while establishing standard and re-usable interfaces that fit IT's long-term goals and objectives.
Yannic Suurmeijer, System Architect, ASML
13:30 PostNL: an insight into RPA at PostNL
Showcasing the solutions our automations have provided, the challenges we’ve faced, and the best practices we’ve developed to support our logistics operations.
Leonard Renne, RPA Developer, PostNL
13:45 Break (30')
14:15 Breakout Sessions: Round 1
Modern Document Understanding in the cloud platform: AI-driven UiPath Document Understanding
Mike Bos, Senior Automation Developer, Tacstone Technology
Process Orchestration: scale up and have your Robots work in harmony
Jon Smith, UiPath MVP, RPA Lead, Ciphix
UiPath Integration Service: connect applications, leverage prebuilt connectors, and set up customer connectors
Johans Brink, CTO, MvR digital workforce
15:00 Breakout Sessions: Round 2
Automation, and GenAI: practical use cases for value generation
Thomas Janssen, UiPath MVP, Senior Automation Developer, Automation Heroes
Human in the Loop/Action Center
Dion Mes, Principal Sales Engineer @UiPath
Improving development with coded workflows
Idris Janszen, Technical Consultant, Ilionx
15:45 End remarks
16:00 Community fun games, sharing knowledge, drinks, and bites 🍻
FIDO Munich Seminar Blueprint for In-Vehicle Payment Standard.pptx
ZK Study Club: Sumcheck Arguments and Their Applications
1. Sumcheck Arguments and their Applications
Jonathan Bootle (IBM Research – Zurich)
Alessandro Chiesa (UC Berkeley)
Katerina Sotiraki (UC Berkeley)
https://ia.cr/2021/333
2. Succinct arguments
[Diagram: prover P and verifier V exchange a sequence of messages. Common input (shown as 10); witness $x_1 = 4$, $x_2 = 1$, …, known only to P.]
Completeness: if the witness is valid, the verifier accepts.
Soundness: if the witness is invalid, the verifier rejects.
Knowledge soundness: (later)
Succinctness: the messages are much smaller than the witness.
3. The sumcheck protocol [LFKN92]
Given a polynomial $p(X_1, \ldots, X_\ell)$ over a field $\mathbb{F}$ and a value $u \in \mathbb{F}$, prove that $\sum_{\omega \in H^\ell} p(\omega_1, \ldots, \omega_\ell) = u$.
P computes the polynomials
$q_i(X_i) = \sum_{\omega \in H^{\ell-i}} p(r_1, \ldots, r_{i-1}, X_i, \omega_{i+1}, \ldots, \omega_\ell)$
and the parties alternate: P sends $q_1 \in \mathbb{F}[X_1]$, V replies with $r_1 \leftarrow \mathbb{F}$, …, P sends $q_\ell \in \mathbb{F}[X_\ell]$, V replies with $r_\ell \leftarrow \mathbb{F}$.
V checks that
$\sum_{\omega_1 \in H} q_1(\omega_1) = u$,
$\sum_{\omega_2 \in H} q_2(\omega_2) = q_1(r_1)$,
⋮
$\sum_{\omega_\ell \in H} q_\ell(\omega_\ell) = q_{\ell-1}(r_{\ell-1})$,
and finally evaluates $p$ itself to check that $p(r_1, \ldots, r_\ell) = q_\ell(r_\ell)$.
Soundness: if $\sum_{\omega \in H^\ell} p(\omega_1, \ldots, \omega_\ell) \neq u$ then V accepts with probability at most $\ell \cdot \deg(p) / |\mathbb{F}|$. (The bound relies on V also rejecting any $q_i$ whose degree exceeds the degree of $X_i$ in $p$; a verifier that skips this degree check can be fooled by a high-degree $q_i$.)
Communication: $\ell \cdot \deg(p)$ elements of $\mathbb{F}$.
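The protocol above, as an added worked example (this is illustration code, not code from the talk or the paper): a Python implementation of the sumcheck protocol over a toy field $\mathbb{F}_{97}$ with $H = \{0,1\}$, for a polynomial stored as a dict from exponent tuples to coefficients. The field size, the sample polynomial and the fixed challenges are constructed for the demo and are far smaller than anything deployable. Beyond the slide, it also shows why the verifier must bound the degree of every $q_i$: a cheating prover who is allowed to send a degree-$(|\mathbb{F}|-1)$ round polynomial passes whenever $r_1 \notin H$.

```python
"""Sumcheck protocol of [LFKN92] over a toy prime field (added example)."""
import itertools

F = 97        # toy field F_97; real deployments use |F| ~ 2^128 or larger (assumption)
H = (0, 1)    # summation domain H (the slide allows any subset of F)


def poly_eval(p, point):
    """Evaluate p (dict {exponent tuple: coeff}) at a point in F^l."""
    total = 0
    for exps, c in p.items():
        term = c
        for x, e in zip(point, exps):
            term = term * pow(x, e, F) % F
        total = (total + term) % F
    return total


def restrict(p, prefix, suffix):
    """Coefficient list of the univariate q(X) = p(prefix, X, suffix)."""
    i = len(prefix)
    fixed = tuple(prefix) + tuple(suffix)
    coeffs = {}
    for exps, c in p.items():
        term = c
        for x, e in zip(fixed, exps[:i] + exps[i + 1:]):
            term = term * pow(x, e, F) % F
        coeffs[exps[i]] = (coeffs.get(exps[i], 0) + term) % F
    return [coeffs.get(d, 0) for d in range(max(coeffs) + 1)]


def uni_eval(q, x):
    return sum(c * pow(x, d, F) for d, c in enumerate(q)) % F


def poly_add(q1, q2):
    return [(a + b) % F for a, b in itertools.zip_longest(q1, q2, fillvalue=0)]


def hypercube_sum(p, nvars):
    """The claimed value u = sum over H^l of p (what P has to justify)."""
    return sum(poly_eval(p, w) for w in itertools.product(H, repeat=nvars)) % F


def prover_round(p, nvars, r_prefix):
    """q_i(X_i) = sum_{w in H^(l-i)} p(r_1..r_{i-1}, X_i, w), with i = len(r_prefix)+1."""
    q = [0]
    for w in itertools.product(H, repeat=nvars - len(r_prefix) - 1):
        q = poly_add(q, restrict(p, r_prefix, w))
    return q


def honest_prover(p, nvars, challenges):
    """Returns (claimed sum, [q_1, ..., q_l]) for the given verifier challenges."""
    qs = [prover_round(p, nvars, challenges[:i]) for i in range(nvars)]
    return hypercube_sum(p, nvars), qs


def verify(p, nvars, u, qs, challenges, check_degree=True):
    """Accepts iff every round identity holds and p(r) matches q_l(r_l).
    check_degree=False models a sloppy verifier that never bounds deg(q_i)."""
    expected = u
    for i, (q, r) in enumerate(zip(qs, challenges)):
        d_i = max(e[i] for e in p)                # degree of X_i in p, known to V
        if check_degree and len(q) - 1 > d_i:
            return False
        if sum(uni_eval(q, h) for h in H) % F != expected:
            return False
        expected = uni_eval(q, r)
    return poly_eval(p, challenges) == expected   # V's single evaluation of p


def cheating_prover(p, nvars, u_false, challenges):
    """Claims the wrong sum u_false. Adds to q_1 a multiple of X * Z(X), where
    Z vanishes on every field element outside H, so the forged q_1 agrees with
    the honest one at every r_1 outside H; the forgery has degree |F| - 1."""
    u, qs = honest_prover(p, nvars, challenges)
    Z = [1]
    for root in range(F):
        if root not in H:
            Z = poly_add([0] + Z, [(-root * c) % F for c in Z])   # Z *= (X - root)
    XZ = [0] + Z
    s = sum(uni_eval(XZ, h) for h in H) % F
    if s == 0:
        raise ValueError("X*Z(X) sums to zero on H; pick another correction term")
    scale = (u_false - u) * pow(s, -1, F) % F
    qs[0] = poly_add(qs[0], [scale * c % F for c in XZ])
    return u_false, qs


def run_demo():
    # constructed sample polynomial p(X1, X2) = 3 X1^2 X2 + 5 X1 + 7 X2 + 11
    p = {(2, 1): 3, (1, 0): 5, (0, 1): 7, (0, 0): 11}
    chal = [5, 42]            # stand-ins for the verifier's random field elements
    u, qs = honest_prover(p, 2, chal)
    honest_ok = verify(p, 2, u, qs, chal)
    u_false, qs_bad = cheating_prover(p, 2, (u + 1) % F, chal)
    caught = not verify(p, 2, u_false, qs_bad, chal)
    fooled = verify(p, 2, u_false, qs_bad, chal, check_degree=False)
    return u, honest_ok, caught, fooled


if __name__ == "__main__":
    print(run_demo())   # (71, True, True, True)
```

The honest run accepts, the cheating prover is rejected by the degree check in round 1, and the same forged transcript is accepted by the verifier that omits the degree check. With a cryptographically sized field the degree-bound check is what keeps the $\ell \cdot \deg(p) / |\mathbb{F}|$ soundness bound meaningful; the final evaluation of $p$ alone is not enough.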
4. The sumcheck protocol is everywhere!
Sumcheck protocol →
• Probabilistic proofs [BFL91, BFLS91, GKR08]
• Sumcheck-based succinct arguments [Thaler13], [CMT13], [VSBW13], [W+17], [ZGKPP17], [WTSTW18], [XZZPS19], [Set20]
• Univariate-sumcheck-based arguments [BCRSVS19], [BCGGRS19], [ZXZS20], [CHMVW20], [COS20], [CFQR20], [BFHVXZ20]
• Sumchecks for tensor codes [Meir13], [RR20], [BCG20], [BCL20]
Useful properties:
• Linear-time prover [Thaler13, ZXZS20]
• Small space [CMT13] (can be implemented with streaming access)
• Strong soundness properties [CCHLRR18] (can make non-interactive without random oracles)
5. The sumcheck protocol is everywhere! (same diagram as slide 4)
Further reading: https://zkproof.org/2020/03/16/sum-checkprotocol/
6. Split-and-fold techniques: a separate body of work?
Split-and-fold [BCCGP16] →
• Discrete-log arguments [BBBPWM18], [PLS19], [HKR19], [BHRRS20]
• Pairing-group arguments [LMR19], [ZGKPP17], [XZZPS19]
• Unknown-order-group arguments [BFS20], [BHRRS21]
• Lattice arguments [BLNS20], [ACK21], [LA20]
Some unifying abstractions: [BMMTV19, AC20, BDFG21]
Useful properties:
• Linear-time prover
• Streaming prover [BHRRS20], [BHRRS21] (can be implemented in small space)
7. Split-and-fold techniques: a separate body of work? (same diagram as slide 6)
https://www.coindesk.com/aim-fire-bulletproofs-breakthrough-privacy-blockchains
[BBBPWM18] implemented in Rust, Haskell, Javascript, and deployed by Blockstream, and in Monero, Mimblewimble and more…
10. General goal: succinct arguments for commitment openings
Common input: commitment $C$ and commitment key $ck$.
Claim (by P): $\exists\, m$ such that $C = \mathrm{Com}(ck, m)$.
Succinctness goal: communication $\ll |m|$.
Focus: commitments with special structure.
11. A new notion: sumcheck-friendly commitments
Definition: A commitment scheme CM is sumcheck-friendly if
$\mathrm{Com}(ck, m) = \sum_{\omega_1, \ldots, \omega_\ell \in H} f\big(p_m(\omega_1, \ldots, \omega_\ell),\ p_{ck}(\omega_1, \ldots, \omega_\ell)\big)$
where
• $p_m$ is the message polynomial in $\mathbb{M}[X_1, \ldots, X_\ell]$, $\mathbb{M}$ an $R$-module;
• $p_{ck}$ is the key polynomial in $\mathbb{K}[X_1, \ldots, X_\ell]$, $\mathbb{K}$ an $R$-module;
• the evaluation points come from $H \subseteq R$, $R$ a ring;
• $f : \mathbb{M} \times \mathbb{K} \to \mathbb{C}$ is the combiner function;
• the commitment space $\mathbb{C}$ is an $R$-module.
Example: Pedersen commitments $C = a_1 \cdot g_1 + \cdots + a_n \cdot g_n$ with $n = 2^\ell$:
$H = \{-1, 1\}$, $R = \mathbb{F}_p$, $\mathbb{M} = \mathbb{F}_p$, $\mathbb{K} = \mathbb{G}$, $\mathbb{C} = \mathbb{G}$, $f : (a, g) \mapsto a \cdot g$,
$p_m(X_1, \ldots, X_\ell) = \sum a_{i_1, \ldots, i_\ell} X_1^{i_1} \cdots X_\ell^{i_\ell}$ and $p_{ck}(X_1, \ldots, X_\ell) = \sum g_{i_1, \ldots, i_\ell} X_1^{i_1} \cdots X_\ell^{i_\ell}$, with indices $i_j \in \{0, 1\}$.
(Because $\sum_{\omega \in \{-1,1\}} \omega^{i+j}$ equals $2$ when $i = j$ and $0$ otherwise, the sum of $p_m \cdot p_{ck}$ over $\{-1,1\}^\ell$ equals $2^\ell \sum_i a_i g_i = n \cdot C$; this is the value the verifier checks against in the Pedersen sumcheck argument.)
12. Main result: sumcheck arguments
Theorem 1: Let CM be a commitment scheme which is sumcheck-friendly and invertible. Given a commitment key $ck$ and a commitment $C$, the sumcheck protocol applied to
$p(X_1, \ldots, X_\ell) = f\big(p_m(X_1, \ldots, X_\ell),\ p_{ck}(X_1, \ldots, X_\ell)\big) \in \mathbb{C}[X_1, \ldots, X_\ell]$
(with one extra verifier check) is a succinct argument of knowledge for the claim $\exists\, m$ such that $C = \mathrm{Com}(ck, m)$, with
• completeness
• soundness
• communication $\ell \cdot \deg(p)$ (think $O(\log |m|)$)
Note: the sumcheck protocol works over rings and modules, not only over fields.
14. Application to R1CS over rings
R1CS problem over a ring $R$: given matrices $A, B, C \in R^{n \times n}$, does there exist $z \in R^n$ satisfying $Az \circ Bz = Cz$?
Bilinear module: a triple of modules $(M_L, M_R, M_T)$ over the same ring with a bilinear map $e : M_L \times M_R \to M_T$.
Theorem 2: Let $(M_L, M_R, M_T, e)$ be a “secure” bilinear module where $M_L$ is a ring. Let $I \subseteq M_L$ be a suitable ideal. There is a ZK succinct argument of knowledge for R1CS over the ring $M_L/I$ with prover time $O(n)$ ops in $M_L, M_R, M_T$, verifier time $O(n)$ ops in $M_L, M_R, M_T$, and proof size $O(\log n)$ elements of $M_T$.
Has enough structure for Pedersen and Schnorr.
15. Lattice-based succinct arguments for R1CS
Corollary: Let $d$ be a power of 2, $p \ll q$ primes, $R_p := \mathbb{Z}_p[X]/(X^d + 1)$ and similarly for $R_q$. Then assuming SIS is hard over $R_q$, there is a zero-knowledge succinct argument of knowledge for R1CS over the ring $R_p$ with prover time $O(n)$ ops in $R_p, R_q$, verifier time $O(n)$ ops in $R_p, R_q$, and proof size $O(\log n)$ elements of $R_q$.
Concurrent work:
• [LA21] gives impossibility results and improvements for lattice POKs
• [ACK21] gives lattice-based succinct arguments for NP
16. Open questions
• Analyse the post-quantum security of sumcheck arguments
• Investigate new lattice instantiations [LA21] and concrete performance improvements
• Give instantiations of [BFS20, Lee21, BHHRS21] in our framework (or a generalization)
18. Sumcheck arguments for commitment schemes
Roadmap, from groups to rings and modules: Pedersen commitments → scalar-product commitments → sumcheck-friendly commitments → generalised sumcheck-friendly commitments.
Today: the talk follows this roadmap. Many more details and results in the paper!
22. What kind of soundness? Knowledge soundness
Sumcheck argument: Pedersen. Soundness (part 1)
There exists an extractor that, given a suitable tree of accepting transcripts for a commitment key $ck$ and commitment $C$, finds an opening $m$ such that $C = \mathrm{Com}(ck, m)$.
[Diagram: the extractor E rewinds P. The transcript tree has root $q_1$, three children for the challenges $r_1^{(1)}, r_1^{(2)}, r_1^{(3)}$ with the corresponding $q_2$ under each, and so on down to $q_\ell$ and $r_\ell$; E outputs the message $m$.]
23. Sumcheck argument: Pedersen. Soundness (part 2)
Lemma: There exists an extractor that, given a 3-ary tree of accepting transcripts for key $\vec{G}$ and commitment $C$, finds an opening $\vec{a}$ such that $C = \langle \vec{a}, \vec{G} \rangle$.
Let $\vec{G}_{i-1}$ denote the vector of coefficients of $p_{\vec G}(r_1, \ldots, r_{i-1}, \vec{X})$. Walking the tree from the leaves to the root:
• Round $\log n$: $3^{\log n}$ openings of size 1 for $q_\ell(r_\ell)$, with key $p_{\vec G}(\vec r) \in \mathbb{G}$.
• $3^{\log n - 1}$ openings of size 2 for $q_{\ell-1}(r_{\ell-1})$, with key $\vec{G}_{\ell-1} \in \mathbb{G}^2$.
• Round $i$: $3^{i-1}$ openings of size $2^{\log n - i + 1}$ for $q_{i-1}(r_{i-1})$, with key $\vec{G}_{i-1} \in \mathbb{G}^{2^{\log n - i + 1}}$.
• Round 1: 1 opening of size $2^{\log n} = n$ for $nC$, with key $\vec{G} \in \mathbb{G}^n$.
24. Sumcheck argument: Pedersen. Soundness (part 3)
In the protocol, $q_i(X) = \sum_{\vec\omega \in \{-1,1\}^{\ell-i}} p_{\vec a}(r_1, \ldots, r_{i-1}, X, \vec\omega) \cdot p_{\vec G}(r_1, \ldots, r_{i-1}, X, \vec\omega)$. So $q_i(X)$ is quadratic.
Claim: If $\vec\pi^{(j)} \in \mathbb{F}^{2^{\ell-i}}$ is an opening for $q_i(r_i^{(j)})$ for $j \in [3]$, we can find an opening of size $2^{\ell-i+1}$ for $q_{i-1}(r_{i-1})$.
The 3-ary tree contains three evaluations of $q_i(X)$ such that $\forall j \in [3]$, $q_i(r_i^{(j)}) = \langle \vec\pi^{(j)}, \vec{G}_i \rangle$.
Goal: find $\vec\pi$ such that $q_i(X) = \langle \vec\pi(X), \vec{G}_{i-1} \rangle$.
Then, using the verifier's check $q_{i-1}(r_{i-1}) = q_i(1) + q_i(-1)$, we can find $\vec\pi'$ with $q_{i-1}(r_{i-1}) = q_i(1) + q_i(-1) = \langle \vec\pi', \vec{G}_{i-1} \rangle$.
25. Sumcheck argument: Pedersen. Soundness (part 4)
Recall that $\vec{G}_k$ is the vector of coefficients of $p_{\vec G}(r_1, \ldots, r_k, \vec{X})$, so $\vec{G}_i = \vec{G}_{i-1,L} + r_i \vec{G}_{i-1,R}$.
Claim: If $\vec\pi^{(j)} \in \mathbb{F}^{2^{\ell-i}}$ is an opening for $q_i(r_i^{(j)})$ for $j \in [3]$, we can find an opening of size $2^{\ell-i+1}$ for $q_{i-1}(r_{i-1})$.
The 3-ary tree contains three evaluations of $q_i(X)$ such that $\forall j \in [3]$,
$q_i(r_i^{(j)}) = \langle \vec\pi^{(j)}, \vec{G}_i \rangle = \langle \vec\pi^{(j)}, \vec{G}_{i-1,L} + r_i^{(j)} \vec{G}_{i-1,R} \rangle = \langle (\vec\pi^{(j)}, r_i^{(j)} \vec\pi^{(j)}), \vec{G}_{i-1} \rangle$.
Linear algebra (interpolating through the three points, since $q_i$ is quadratic) then gives $\vec\pi$ such that $q_i(X) = \langle \vec\pi(X), \vec{G}_{i-1} \rangle$.
Pedersen commitment is invertible.
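The Pedersen instance of Theorem 1 (slides 11 and 12) together with the extractor of slides 23 to 25, as one added worked example; this is illustration code, not the authors' implementation. The group is a toy prime-order subgroup of $\mathbb{Z}_{1019}^*$ written multiplicatively (so $a \cdot G$ is `pow(G, a, P)`), the key is sampled with known discrete logarithms, and the scalar field $\mathbb{F}_{509}$ is far too small for real use; all of that is an assumption for the demo. The prover computes each $q_i$ with $O(n)$ group operations using the inner-product identity of slide 11, the verifier performs the sumcheck checks plus the extra consistency check $q_\ell(r_\ell) = p_{\vec a}(\vec r) \cdot p_{\vec G}(\vec r)$, and the extractor rewinds the (deterministic) prover over a 3-ary tree of challenges and recovers $n \cdot \vec a$ by Lagrange interpolation layer by layer, exactly as on slides 23 to 25.

```python
"""Sumcheck argument for Pedersen openings, with the 3-ary-tree extractor
(added example; toy group, not for real use)."""
import random

P = 1019     # ambient group Z_P^* (toy-sized; assumption)
Q = 509      # prime order of the subgroup we commit in; scalars live in F_Q
GEN = 4      # generator of the order-Q subgroup (quadratic residues)


def g_add(A, B):          # group "addition", written multiplicatively
    return A * B % P


def g_smul(k, A):         # scalar multiplication k * A
    return pow(A, k % Q, P)


def pedersen(a, G):       # <a, G> = a_1 G_1 + ... + a_n G_n
    C = 1
    for ai, Gi in zip(a, G):
        C = g_add(C, g_smul(ai, Gi))
    return C


def fold_scalars(v, r):   # coefficients of p_v(r, X_2, ...): v_L + r * v_R
    h = len(v) // 2
    return [(v[i] + r * v[h + i]) % Q for i in range(h)]


def fold_group(G, r):     # the same fold on the key: G_L + r * G_R
    h = len(G) // 2
    return [g_add(G[i], g_smul(r, G[h + i])) for i in range(h)]


def round_poly(a, G):
    """Coefficients (c0, c1, c2) of q_i(X) = sum_{w in {-1,1}^k} p_a(X, w) p_G(X, w).
    Summing a product of multilinear polynomials over {-1,1}^k equals 2^k times
    the inner product of their coefficient vectors, so this costs O(len(a))."""
    h = len(a) // 2
    aL, aR, GL, GR = a[:h], a[h:], G[:h], G[h:]
    scale = pow(2, h.bit_length() - 1, Q)          # h = 2^k remaining variables
    c0 = g_smul(scale, pedersen(aL, GL))
    c1 = g_smul(scale, g_add(pedersen(aL, GR), pedersen(aR, GL)))
    c2 = g_smul(scale, pedersen(aR, GR))
    return (c0, c1, c2)


def eval_q(q, x):         # q(x) = c0 + x c1 + x^2 c2, computed in the group
    c0, c1, c2 = q
    return g_add(c0, g_add(g_smul(x, c1), g_smul(x * x, c2)))


def prove(a, G, challenges):
    """Honest prover: round polynomials q_1..q_l and the final opening p_a(r).
    Challenges are passed in so the extractor can rewind the same prover."""
    qs = []
    for r in challenges:
        qs.append(round_poly(a, G))
        a, G = fold_scalars(a, r), fold_group(G, r)
    return qs, a[0]


def verify(C, G, challenges, qs, opening):
    """Sumcheck checks plus the one extra check of Theorem 1."""
    target = g_smul(len(G), C)                # sum over {-1,1}^l of p_a p_G is n*C
    for q, r in zip(qs, challenges):
        if g_add(eval_q(q, 1), eval_q(q, -1)) != target:
            return False
        target, G = eval_q(q, r), fold_group(G, r)
    return target == g_smul(opening, G[0])    # q_l(r_l) == p_a(r) * p_G(r)


def lagrange_at(points, x):
    """Value at x of the degree-<=2 polynomial through three (x_j, y_j) over F_Q."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        term = yj
        for t, (xt, _) in enumerate(points):
            if t != j:
                term = term * (x - xt) * pow((xj - xt) % Q, -1, Q) % Q
        total = (total + term) % Q
    return total


def extract(oracle, G, prefix, depth, ell, rng):
    """Climb a 3-ary transcript tree. Returns an opening of q_{depth-1}(r_{depth-1})
    under key G (the coefficients of p_G(r_1..r_{depth-1}, X)); at the root this is
    the size-n opening of n*C. oracle(challenges) -> the prover's final opening."""
    if depth > ell:
        return [oracle(prefix)]                 # size-1 opening of q_l(r_l)
    rs = rng.sample(range(1, Q), 3)             # three distinct sibling challenges
    pis = [extract(oracle, fold_group(G, r), prefix + [r], depth + 1, ell, rng) for r in rs]
    h = len(pis[0])
    # q_i(r) = <pi, G_L + r G_R> = <(pi, r pi), G>: interpolate the vector polynomial
    # pi(X) coordinate-wise; pi(1) + pi(-1) then opens q_i(1) + q_i(-1) = q_{i-1}(r_{i-1})
    opened = []
    for k in range(2 * h):
        pts = [(r, pi[k] if k < h else r * pi[k - h] % Q) for r, pi in zip(rs, pis)]
        opened.append((lagrange_at(pts, 1) + lagrange_at(pts, -1)) % Q)
    return opened


def pedersen_demo(ell=2, seed=7):
    rng = random.Random(seed)
    n = 2 ** ell
    G = [pow(GEN, rng.randrange(1, Q), P) for _ in range(n)]   # toy key (logs known)
    a = [rng.randrange(Q) for _ in range(n)]
    C = pedersen(a, G)
    r = [rng.randrange(1, Q) for _ in range(ell)]
    qs, opening = prove(a, G, r)
    honest_ok = verify(C, G, r, qs, opening)
    bad_qs = [(g_add(qs[0][0], GEN),) + qs[0][1:]] + qs[1:]    # tampered q_1
    tampered_ok = verify(C, G, r, bad_qs, opening)
    pi = extract(lambda ch: prove(a, G, ch)[1], G, [], 1, ell, rng)
    recovered = [x * pow(n, -1, Q) % Q for x in pi]           # pi = n * a
    return honest_ok, tampered_ok, recovered == a


if __name__ == "__main__":
    print(pedersen_demo())   # (True, False, True)
```

The honest transcript is accepted, a tampered $q_1$ fails the very first sum check, and the extractor, given only black-box rewinding access to the prover, reconstructs the committed vector $\vec a$ from $3^\ell$ leaf openings. The verifier's cost is dominated by folding the key to obtain $p_{\vec G}(\vec r)$, which is the $O(n)$ verifier time of Theorem 2.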
26. Sumcheck arguments for commitment schemes (roadmap from slide 18; next: scalar-product commitments)
28. Sumcheck argument: scalar-product commitment. Completeness and soundness
Commitment: $C = \big(\langle \vec a, \vec G_1 \rangle,\ \langle \vec b, \vec G_2 \rangle,\ \langle \vec a, \vec b \rangle U\big)$, and the sumcheck protocol runs on the polynomial $\big(p_{\vec a}(\vec X)\, p_{\vec G_1}(\vec X),\ p_{\vec b}(\vec X)\, p_{\vec G_2}(\vec X),\ p_{\vec a}(\vec X)\, p_{\vec b}(\vec X)\, U\big)$.
Lemma: The verifier accepts with probability 1. Follows from completeness for Pedersen.
Lemma: If the commitment scheme is binding, there exists an extractor that, given a 4-ary tree of accepting transcripts for key $(\vec G_1, \vec G_2)$ and commitment $C$, finds an opening $(\vec a, \vec b)$ such that $C = \big(\langle \vec a, \vec G_1 \rangle,\ \langle \vec b, \vec G_2 \rangle,\ \langle \vec a, \vec b \rangle U\big)$.
Similarly to Pedersen, we extract an opening for each component. Using a computational assumption and the larger tree, we show that the third component is the scalar product $\langle \vec a, \vec b \rangle$.
Scalar-product commitment is invertible.
29. Sumcheck arguments for commitment schemes (roadmap from slide 18; next: sumcheck-friendly commitments)
30. Sumcheck-friendly commitments
Definition (as on slide 11): A commitment scheme CM is sumcheck-friendly if
$\mathrm{Com}(ck, m) = \sum_{\omega_1, \ldots, \omega_\ell \in H} f\big(p_m(\omega_1, \ldots, \omega_\ell),\ p_{ck}(\omega_1, \ldots, \omega_\ell)\big)$,
with message polynomial $p_m \in \mathbb{M}[X_1, \ldots, X_\ell]$ ($\mathbb{M}$ an $R$-module), key polynomial $p_{ck} \in \mathbb{K}[X_1, \ldots, X_\ell]$ ($\mathbb{K}$ an $R$-module), evaluation points from $H \subseteq R$ ($R$ a ring), combiner function $f : \mathbb{M} \times \mathbb{K} \to \mathbb{C}$, and commitment space $\mathbb{C}$ an $R$-module.
Sumcheck arguments for sumcheck-friendly commitments?
32. Sumcheck argument: sumcheck-friendly commitment. Completeness and soundness
Lemma: The verifier accepts with probability 1. Follows directly from the definition of sumcheck-friendly commitments.
Lemma: If the commitment scheme is invertible, there exists an extractor that, given a suitable tree of accepting transcripts for key $ck$ and commitment $C$, finds an opening $m$.
The extractor works inductively as in Pedersen, using invertibility in each layer.
33. Sumcheck argument: sumcheck-friendly commitment. Invertibility
Property that allows us to climb up the tree from layer to layer.
Given the polynomial $q_i(X)$ and “openings” $p^{(1)}(\vec X), \ldots, p^{(K)}(\vec X)$ for the $K$ sibling challenges $r_i^{(1)}, \ldots, r_i^{(K)}$ such that
$\forall j \in [K] : q_i(r_i^{(j)}) = \sum_{\vec\omega \in H^{\ell-i}} f\big(p^{(j)}(\vec\omega),\ p_{ck}(r_1, \ldots, r_{i-1}, r_i^{(j)}, \vec\omega)\big)$,
we can find a polynomial $p$ such that
$\sum_{\omega \in H} q_i(\omega) = \sum_{\vec\omega \in H^{\ell-i+1}} f\big(p(\vec\omega),\ p_{ck}(r_1, \ldots, r_{i-1}, \vec\omega)\big)$.
Extra variable $X_i$: $p$ is “bigger” than each $p^{(j)}$.
$K$-invertible commitment schemes: Pedersen commitments, scalar-product commitments, linear-function commitments.
34. Sumcheck arguments for commitment schemes (roadmap from slide 18; next: generalised sumcheck-friendly commitments over rings and modules)
35. From groups to rings
Goal: an abstraction for mathematical structures where folding techniques can work.
Everything so far extends to general $\mathbb{F}$-vector spaces, e.g., bilinear groups [BMMTV19].
Scalar-product commitments for bilinear groups: $\big(\langle \vec a, \vec G_1 \rangle,\ \langle \vec b, \vec G_2 \rangle,\ \langle \vec a, \vec b \rangle\big) \in \mathbb{G}_T^3$ (the first two components are built from $\mathbb{G}_1$ and $\mathbb{G}_2$ respectively).
Lattices and groups of unknown order?
36. From groups to rings: bilinear modules
$R$-module $M$: generalization of a vector space over rings.
Bilinear module $(M_L, M_R, M_T, e)$ such that
• $M_L, M_R, M_T$ are $R$-modules
• $e : M_L \times M_R \to M_T$ is $R$-bilinear
Messages: small elements of $M_L$. Keys: $M_R$. Commitments: $M_T$. Assumption: Bilinear Relation Assumption (hard to find small $\vec a$ such that $\langle \vec a, \vec G \rangle = 0$).
Pedersen example: $C = a_1 G_1 + \cdots + a_n G_n = \langle \vec a, \vec G \rangle$: ‘multiply’ message and key elements using $e$, then add the pieces together.
Norm checks: only “short” elements are valid messages, e.g., for ring-SIS.
We can define polynomials over the message and key spaces.
37. From groups to rings: sumcheck arguments
Common input: key $ck$, commitment $C$. Claim: $\exists\, m$ with $\|m\| \le B$ s.t. $C = \sum_{\vec\omega \in H^\ell} f\big(p_m(\vec\omega), p_{ck}(\vec\omega)\big)$. P's opening: $m$ with $\|m\| \le B$.
Protocol: the sumcheck protocol for $\sum_{\vec\omega \in H^\ell} f\big(p_m(\vec\omega), p_{ck}(\vec\omega)\big) = C$.
• P sends $q_1, \ldots, q_\ell$; V's challenges $\vec r \leftarrow \mathcal{C}^\ell$ come from a special challenge set $\mathcal{C} \subseteq R$ (necessary even for the plain sumcheck protocol over a ring).
• V checks $\sum_{\omega \in H} q_1(\omega) = C$?, …, $\sum_{\omega \in H} q_\ell(\omega) = q_{\ell-1}(r_{\ell-1})$?
• P sends $p_m(\vec r)$.
• V's consistency check: $f\big(p_m(\vec r), p_{ck}(\vec r)\big) = v$? with $v = q_\ell(r_\ell)$, and the norm check $\|p_m(\vec r)\| \le B^*$? ($B^*$ is the natural bound for the evaluation of $p_m$ on $\mathcal{C}^\ell$.)
38. From groups to rings: soundness
Lemma: If the commitment scheme is invertible, there exists an extractor that, given a suitable tree of accepting transcripts for key $ck$ and commitment $C$, finds a relaxed opening $m$.
Challenges:
1. Linear algebra is different over rings and modules.
2. Norm considerations arise.
Arithmetic over rings might cause slackness factors and an increase in norm. E.g., for Pedersen, the extracted relaxed opening $\vec a$ for $C$ and $\vec G$ satisfies $\xi^\ell \cdot C = \langle \vec a, \vec G \rangle$ with $\|\vec a\| \le N^\ell \cdot B^*$.
Parameters for lattices: ring $\mathbb{Z}_q[X]/\langle X^d + 1 \rangle$, challenge set $\mathcal{C} = \{X^i : 0 \le i \le 2d - 1\}$, $\xi = 8$, $N = O(d^7)$. Tighter analysis in [LA21], [ACK21].
39. From groups to rings: R1CS over rings
A remark about our R1CS result. Lemma (soundness): There exists an extractor that finds an R1CS witness, without slackness!
E.g., for Pedersen, the extracted relaxed opening $\vec a$ for $C$ and $\vec G$ satisfies $\xi^\ell \cdot C = \langle \vec a, \vec G \rangle$ with $\|\vec a\| \le N^\ell \cdot B$. We would like $C = \langle \vec a / \xi^\ell, \vec G \rangle$ with $\|\vec a / \xi^\ell\| \le B'$.
Issues:
1. $\xi$ might not be invertible.
2. $\vec a / \xi^\ell$ might not be small.
Fix: choose an ideal $I$ such that $\xi \pmod{I}$ is invertible and $x \pmod{I}$ is small for all $x$. Then $C = \langle \vec a / \xi^\ell \pmod{I}, \vec G \rangle$ with $\|\vec a / \xi^\ell \pmod{I}\| \le B'$.
40. Instantiations of bilinear modules
Assumption | Messages (small $M_L$) | Keys ($M_R$) | Commitments ($M_T$) | Ideal $I$
• DLOG: $\mathbb{F}_p$ | $\mathbb{G}$ | $\mathbb{G}$ | $\{0\}$
• DPAIR [AFGHO10]: $\mathbb{G}_1$ | $\mathbb{G}_2$ | $\mathbb{G}_T$ | $\{0\}$
• UO [BFS20]: small $\mathbb{Z}$ | $\mathbb{G}$ | $\mathbb{G}$ | $n\mathbb{Z}$ for suitable small $n$
• RSIS [Ajtai94]: small $R_q$ | $R_q^d$ | $R_q^d$ | $nR_q$ for suitable small $n$ (giving the ring $R_n$, cf. $R_p$ on slide 15)
42. Summary of results
Theorem 1: The sumcheck protocol applied to a sumcheck-friendly commitment scheme is a succinct argument of knowledge of commitment openings.
Theorem 2: Let $(M_L, M_R, M_T)$ be a secure bilinear module with $M_L$ a ring and $I \subseteq M_L$ an ideal. There is a ZK succinct argument of knowledge for R1CS over the ring $M_L/I$ with prover and verifier time $O(n)$ ops in $M_L, M_R, M_T$ and proof size $O(\log n)$ elements.
Corollary: Let $p \ll q$ be primes, $R_p := \mathbb{Z}_p[X]/(X^d + 1)$ and similarly for $R_q$. Then assuming SIS is hard, there is a ZK succinct argument of knowledge for R1CS over the ring $R_p$ with prover and verifier time $O(n)$ ops in $R_p, R_q$ and proof size $O(\log n)$ elements of $R_q$.
43. Takeaways
• Many commitment schemes are sumcheck friendly
• We can recast many different cryptographic settings as bilinear modules
• In the paper: instantiations and polynomial commitment schemes