├── 4elemproofAarhus2019.pdf
├── 4elemproofAarhus2019.tex
├── Kilian.png
├── KrakowJuly2019ZK.pdf
├── PlonkSimonsCorrected.pdf
├── PlonkSimonsCorrected.tex
├── StanfordJan2020UniversalUpdatable.pdf
├── StanfordJan2020UniversalUpdatable.tex
├── ZK-HCC2022.pdf
├── ZK-HCC2022.tex
├── auroralightLondon2019.pdf
├── auroralightLondon2019.tex
├── azteclogo.PNG
├── cqberkeleyjan23.pdf
├── cqberkeleyjan23.tex
├── divisors.pdf
├── divisors.tex
├── divisors2.pdf
├── divisors2.tex
├── fccintro2022.pdf
├── fccintro2022.tex
├── fflonkzkstudyclub2021.pdf
├── fflonkzkstudyclub2021.tex
├── jabba.png
├── jordan.png
├── lookupsstarksessions23.pdf
├── lookupsstarksessions23.tex
├── luke.png
├── merck.png
├── monerokon24gfft.pdf
├── monerokon24gfft.tex
├── numdef.sty
├── pcrfalsepos.png
├── pfizergood1.png
├── pfizergood2.png
├── pfizerinitialallcausemortality.png
├── plookupinactionDystopia2020.pdf
├── plookupinactionDystopia2020.tex
├── plookupzksummit2020.pdf
├── plookupzksummit2020.tex
├── polyprottechnionseminar2020.pdf
├── polyprottechnionseminar2020.tex
├── secondpaperquote.png
├── stackproofs.PNG
├── sumeda.png
├── ujtalksKZG+PLONK.pdf
├── ujtalksKZG+PLONK.tex
├── vaersspike.png
├── vaxrequire.png
├── vioxxfirstsafety.png
├── vioxxfirstsecondtxt.png
├── vsummit24gfft.pdf
├── vsummit24gfft.tex
├── waldo.jpg
├── waldopic.png
├── witness.png
├── zkWarsawJan24.pdf
├── zkWarsawJan24.tex
├── zkproofs2020.tex
├── zksummit12.pdf
├── zksummit12.tex
├── zksummit8.pdf
├── zksummit8.tex
├── zksummit9.pdf
├── zksummit9.tex
├── zkwarsawlookupaug23.pdf
└── zkwarsawlookupaug23.tex


/4elemproofAarhus2019.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/4elemproofAarhus2019.pdf


--------------------------------------------------------------------------------
/4elemproofAarhus2019.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,trans,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | %\usepackage[T1]{fontenc}
  4 | %\usepackage{fourier}
  5 | % Dokumentets sprog
  6 | %\usepackage{mathtools}
  7 | %\usepackage{pxfonts}
  8 | \usepackage{eulervm}
  9 | % Class options include: notes, notesonly, handout, trans,
 10 | %                        hidesubsections, shadesubsections,
 11 | %                        inrow, blue, red, grey, brown
 12 | 
 13 | % Theme for beamer presentation.
 14 | %\usepackage{beamertheme} 
 15 | % Other themes include: beamerthemebars, beamerthemelined, 
 16 | %                       beamerthemetree, beamerthemetreebars  
 17 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 18 | \newcommand{\F}{\ensuremath{\mathbb F}}
 19 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 20 | 
 21 | 
 22 | \title{\LARGE{On knowledge assumptions in recent zk-SNARK constructions}}    % Enter your title between curly braces
 23 | \author{\Large{Ariel Gabizon}}                 % Enter your name between curly braces
 24 | \institute{\normalsize{Protocol Labs}}      % Enter your institute name between curly braces
 25 | \date{}                    % Enter the date or \today between curly braces
 26 | %\usefonttheme{professionalfonts}
 27 | %\usefonttheme[onlymath]{serif}
 28 | \begin{document}
 29 | \boldmath
 30 | % Creates title page of slide show using above information
 31 | \begin{frame}
 32 |   \titlepage
 33 | \end{frame}
 34 | \note{Talk for 30 minutes} % Add notes to yourself that will be displayed when
 35 |                            % typeset with the notes or notesonly class options
 36 | 
 37 | %\section[Outline]{}
 38 | 
 39 | % Creates table of contents slide incorporating
 40 | % all \section and \subsection commands
 41 | %\begin{frame}
 42 |   %\tableofcontents
 43 | %\end{frame}
 44 | 
 45 | \begin{frame}
 46 |   \frametitle{Knowledge assumptions:}   % Insert frame title between curly braces
 47 | \textbf{Standard crypto assumption} - you can't do $X$\\
 48 |  \vspace{0.4in}
 49 | \textbf{Knowledge assumption} - if you did $X$, you must have did it in way $Y$.
 50 |  \vspace{0.4in}
 51 | 
 52 | \end{frame}
 53 | 
 54 | 
 55 | 
 56 | \begin{frame}
 57 |   \frametitle{Basic Knowledge of Exponent Assumption (Damg{\aa}rd 91)}   % Insert frame title between curly braces
 58 |  $\adv$ is given $(g,g^\alpha)$ for uniform $\alpha \in \F$.\\
 59 |  \vspace{0.4in}
 60 | Challenged to make a new pair of ``ratio $\alpha$'' $(g^c,g^{\alpha c})$.
 61 | 
 62 |  \vspace{0.4in}
 63 | 
 64 | \textbf{KEA:} If $\adv$ succeeds then he ``knows'' $c$.
 65 |  
 66 | \end{frame}
 67 | 
 68 | \begin{frame}
 69 |  Suppose $\adv$ is given $(g,g^x,g^\alpha,g^{\alpha \cdot x})$.\\
 70 |  \vspace{0.4in}
 71 | Can output $(g^c,g^{\alpha\cdot c})$ for $c=c_1 + c_2\cdot x$. 
 72 | \end{frame}
 73 | 
 74 | 
 75 | \begin{frame}
 76 |   \frametitle{$d$-power KEA (Groth,10)}   % Insert frame title between curly braces
 77 |  Given $(g,g^x,\ldots, g^{x^d},g^\alpha,g^{\alpha\cdot x},\ldots,g^{\alpha\cdot x^d})$ for uniform $\alpha,x \in \F$.\\
 78 |  \vspace{0.3in}
 79 | If $\adv$ produces $(g^c,g^{\alpha c})$,
 80 | then he ``knows'' polynomial $A$ of degree $\leq d$ with
 81 | $c=A(x)$.
 82 |  
 83 | \end{frame}
 84 | \begin{frame}
 85 |   \frametitle{$d$-power KEA (Groth,10)}   % Insert frame title between curly braces
 86 |  Given $(g,g^x,\ldots, g^{x^d},g^\alpha,g^{\alpha\cdot x},\ldots,g^{\alpha\cdot x^d})$ for uniform $\alpha,x \in \F$.\\
 87 |  \vspace{0.3in}
 88 | If $\adv$ produces $(g^c,g^{\alpha c})$,
 89 | then he ``knows'' polynomial $A$ of degree $\leq d$ with
 90 | $c=A(x)$.\\
 91 |  \vspace{0.4in}
 92 |  \emph{Enables ``blind verifiable polynomial evaluation'' in SNARKs}
 93 | \end{frame}
 94 | 
 95 | 
 96 | \begin{frame}
 97 |  \frametitle{Abstracting and Generalizing KEA}
 98 |  \begin{itemize}
 99 |   \item $[x]:=g^x$ -  \textbf{encoding} of $x$.
100 |   \vspace{0.3in}
101 |  \end{itemize}
102 | \end{frame}
103 | 
104 | \begin{frame}
105 |  \frametitle{Abstracting and Generalizing KEA}
106 |  \begin{itemize}
107 |   \item $[x]:=g^x$ -  \textbf{encoding} of $x$.
108 |   \vspace{0.3in}
109 |   \item Challenge Equation: $Y_2=\alpha\cdot Y_1$.
110 |    \vspace{0.3in}
111 |  \end{itemize}
112 | \end{frame}
113 | \begin{frame}
114 |  \frametitle{Abstracting and Generalizing KEA}
115 |  \begin{itemize}
116 |   \item $[x]:=g^x$ -  \textbf{encoding} of $x$.
117 |   \vspace{0.3in}
118 |   \item Challenge Equation: $Y_2=\alpha\cdot Y_1$.
119 |    \vspace{0.3in}
120 | \item Base set: $\set{1,x,\ldots,x^d,\alpha,\alpha\cdot x,\ldots,\alpha\cdot x^d}$
121 |  \end{itemize}
122 | \end{frame}
123 | 
124 | \begin{frame}
125 |  \frametitle{Abstracting and Generalizing KEA}
126 |  \begin{itemize}
127 |   \item $[x]:=g^x$ -  \textbf{encoding} of $x$.
128 |   \vspace{0.2in}
129 |   \item Challenge Equation: $Y_2=\alpha\cdot Y_1$.
130 |    \vspace{0.2in}
131 | \item Base set: $\set{1,x,\ldots,x^d,\alpha,\alpha\cdot x,\ldots,\alpha\cdot x^d}$
132 |  \end{itemize}
133 | \vspace{0.3in}
134 |  \textbf{Generic Assumption:} \emph{Given encoded challenge set, if $\adv$ outputs encodings of $c,c'$ satisfying challenge equation;\\
135 |  Then he knows to write $c,c'$ as linear combination of base set s.t. equation holds as pol. identity in $\alpha$.}
136 |  \end{frame}
137 | 
138 | 
139 |  \begin{frame}
140 |  \frametitle{Keep the equation, change the challenge set}
141 |  
142 |  \[\alpha_1 \cdot Y_1  = Y_{2}\]
143 |   \vspace{0.3in}
144 | \[\set{u_i(x),\alpha\cdot u_i(x)},\]
145 | for specific polys $u_i(X)$\\
146 |  
147 |  
148 |  
149 |  \end{frame}
150 | 
151 |  
152 |  
153 |  \begin{frame}
154 |  \frametitle{Keep the equation, change the challenge set}
155 |  
156 |  \[\alpha_1 \cdot Y_1  = Y_{2}\]
157 |   \vspace{0.3in}
158 |   
159 |   Base set:
160 | \[\set{u_i(x),\alpha\cdot u_i(x)},\]
161 | for specific polys $u_i(X)$\\
162 |   \vspace{0.3in}
163 |   \emph{Intuition: allows to check $c$ is combination of these specific polynomials evaluted at $x$}
164 |   
165 |   
166 |   
167 |   
168 |   %  
169 | %  \begin{lemma}
170 | %   Doesn't lead to stronger assumption than two-variable version
171 | %  \end{lemma}
172 | 
173 |  
174 |  
175 |  \end{frame}
176 |  
177 | %  \begin{frame}
178 | %  \frametitle{Mutli-variate challenge equations}
179 | %  
180 | %  \[\alpha_1 \cdot Y_1 + \ldots + \alpha_t \cdot Y_t = Y_{t+1}\]
181 | %   \vspace{0.3in}
182 | %  
183 | %  \begin{lemma}
184 | %   Doesn't lead to stronger assumption than two-variable version
185 | %  \end{lemma}
186 | % 
187 | %  
188 | %  \emph{Intuition: allows to batch-verify many blind evaluations}
189 | %  
190 | %  \end{frame}
191 | % 
192 |  
193 |  
194 |  
195 |  \begin{frame}
196 |  \frametitle{Quadratic equation assumptions [Implicit in Groth, 2016]}
197 |  
198 |  
199 |  \[Y_1\cdot Y_2= \alpha\beta + \delta \cdot Y_{3}\]
200 |   \vspace{0.3in}
201 |  
202 | %[Groth,2016] zk-SNARK in GG model (implicitly) based on  assumption from this equation.
203 |  
204 |  Base set: $\set{\beta\cdot u_i(X),\alpha\cdot v_i(X), w_i(X),
205 |  \frac{\beta \cdot u_i+\alpha\cdot v_i+w_i}{\delta}}$
206 |   \vspace{0.3in}
207 |  
208 |  
209 |  \end{frame}
210 | 
211 |  
212 |  
213 |  
214 |  \begin{frame}
215 |  \frametitle{Quadratic equation assumptions [Implicit in Groth, 2016]}
216 |  
217 |  
218 |  \[Y_1\cdot Y_2= \alpha\beta + \delta \cdot Y_{3}\]
219 |   \vspace{0.3in}
220 |  
221 | %[Groth,2016] zk-SNARK in GG model (implicitly) based on  assumption from this equation.
222 |  
223 |  Base set: $\set{\beta\cdot u_i(X),\alpha\cdot v_i(X), w_i(X),
224 |  \frac{\beta \cdot u_i+\alpha\cdot v_i+w_i}{\delta}}$
225 |   \vspace{0.3in}
226 |  
227 |  \emph{Intuition: allows to check at once three proof elements are the same combination of three sets of polynomials }
228 |  
229 |  \end{frame}
230 | \begin{frame}
231 |  \textbf{Generic Group Model:}
232 |  $\adv$ can only generate new elements via natural group operations.\\
233 |  
234 | \vspace{0.3in}
235 | % \textbf{Algebraic Group Model [Fuchsbauer, Kiltz, Loss]:}
236 | % $\adv$ can generate arbitrary new elements, but must then 
237 |  
238 |  \begin{definition}
239 |   A ``low-degree world'' is one where all information seen by $\adv$ is encodings of uniform inputs evaluated at low-degree polynomials. 
240 |  \end{definition}
241 |  
242 | 
243 |  \end{frame}
244 | \begin{frame}
245 |  \vspace{0.3in}
246 |  \begin{lemma}[implicit - Groth, 2016]
247 |   In a low-degree world, generic assumption holds for any polynomial-degree challenge equation and challenge set.
248 |  \end{lemma}
249 | 
250 |  
251 | 
252 |  \end{frame}
253 | 
254 |  \begin{frame}
255 |  \frametitle{``Asymmetric'' assumptions [Groth-Maller, 2017]:}
256 | Use trivial equation
257 | \[Y_1=Y_2,\]
258 | but require encoding in distinct groups with no homomorphism.
259 | 
260 |  
261 | 
262 |  \end{frame}
263 | 
264 |   \begin{frame}
265 |  \frametitle{``Asymmetric'' assumptions [Groth-Maller, 2017]:}
266 | 
267 | 
268 | \textbf{[GM]:}Using circuits with squaring instead of mult. gives  simulation-extractable zk-SNARKs as small as [Groth,2016] - 3 group elements.
269 |  \vspace{0.3in}
270 | 
271 | \emph{However, prover computations significantly larger than [Groth,2016] cause of move to squarings}
272 |  
273 | 
274 |  \end{frame}
275 | 
276 | 
277 |  \begin{frame}
278 |   \textbf{New result:}
279 |   Assuming only $d-PKE$.
280 |   zk-SNARK with $4$-group element proofs; prover run time close to [Groth,2016]\\
281 |   
282 |   Same num. of $G_2$ operations. $n$ more $G_1$ operations.\\
283 |   
284 |   $n$= num. of mult gates.
285 |   
286 | 
287 |   
288 |  \end{frame}
289 | 
290 |  
291 |  
292 |  \begin{frame}
293 |  \frametitle{Result based on multivariate challenge equation:}
294 |  
295 |  \[\alpha_1 \cdot Y_1 + \ldots + \alpha_t \cdot Y_t = Y_{t+1}\]
296 |   \vspace{0.3in}
297 | 
298 |  
299 |    \emph{Intuition: can allow to verify many blind evaluations with one extra element}
300 | 
301 |  
302 | 
303 |  
304 | \end{frame}  
305 |  
306 |  
307 |  
308 |  
309 | %  \begin{frame}
310 | %  \frametitle{Result based on:}
311 | %  \begin{lemma}
312 | %   Assumption from multivariate 
313 | %  \[\alpha_1 \cdot Y_1 + \ldots + \alpha_t \cdot Y_t = Y_{t+1}\]
314 | %  not stronger than bi-variate version.
315 | %  \end{lemma}
316 | % 
317 | %  
318 | % \end{frame}  
319 | %  
320 | %  
321 |  \begin{frame}
322 |  
323 |  
324 |  
325 |  
326 |  
327 |  \begin{lemma}
328 |   Assumption from multivariate 
329 |  \[\alpha_1 \cdot Y_1 + \ldots + \alpha_t \cdot Y_t = Y_{t+1}\]
330 |  not stronger than bi-variate version.
331 |  \end{lemma}
332 | 
333 |  
334 | \end{frame}  
335 |   
336 |   
337 |   
338 |   %  
339 | %  \begin{lemma}
340 | %   Doesn't lead to stronger assumption than two-variable version
341 | %  \end{lemma}
342 | 
343 |  
344 |  
345 | 
346 |  
347 |  
348 |  
349 | % 
350 | % \subsection{Simple slide with three points shown in succession}
351 | % 
352 | % \begin{frame}
353 | %   \frametitle{Simple slide with three points shown in succession}   % Insert frame title between curly braces
354 | % 
355 | %   \begin{itemize}
356 | %   \item<1-> Point 1 (Click ``Next Page'' to see Point 2) % Use Next Page to go to Point 2
357 | %   \item<2-> Point 2  % Use Next Page to go to Point 3
358 | %   \item<3-> Point 3
359 | %   \end{itemize}
360 | % \end{frame}
361 | % \note{Speak clearly}  % Add notes to yourself that will be displayed when
362 | %                       % typeset with the notes or notesonly class options
363 | % 
364 | % 
365 | % \section{Slide with two columns: items and a graphic}
366 | % 
367 | % \begin{frame}
368 | %   \frametitle{Slide with two columns: items and a graphic}   % Insert frame title between curly braces
369 | %   \begin{columns}[c]
370 | %   \column{2in}  % slides are 3in high by 5in wide
371 | %   \begin{itemize}
372 | %   \item<1-> First item
373 | %   \item<2-> Second item
374 | %   \item<3-> ...
375 | %   \end{itemize}
376 | %   \column{2in}
377 | %   \framebox{Insert graphic here % e.g. \includegraphics[height=2.65in]{graphic}
378 | %   }
379 | %   \end{columns}
380 | % \end{frame}
381 | % \note{The end}       % Add notes to yourself that will be displayed when
382 | % 		     % typeset with the notes or notesonly class options
383 | 
384 | \end{document}
385 | 


--------------------------------------------------------------------------------
/Kilian.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/Kilian.png


--------------------------------------------------------------------------------
/KrakowJuly2019ZK.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/KrakowJuly2019ZK.pdf


--------------------------------------------------------------------------------
/PlonkSimonsCorrected.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/PlonkSimonsCorrected.pdf


--------------------------------------------------------------------------------
/StanfordJan2020UniversalUpdatable.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/StanfordJan2020UniversalUpdatable.pdf


--------------------------------------------------------------------------------
/ZK-HCC2022.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/ZK-HCC2022.pdf


--------------------------------------------------------------------------------
/ZK-HCC2022.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | \usepackage{amsthm}
  9 | %\usepackage[T1]{fontenc}
 10 | % \usepackage{fullpage}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{eulervm}
 15 | 
 16 | % Class options include: notes, notesonly, handout, trans,
 17 | %                        hidesubsections, shadesubsections,
 18 | %                        inrow, blue, red, grey, brown
 19 | 
 20 | % Theme for beamer presentation.
 21 | %\usepackage{beamertheme} 
 22 | % Other themes include: beamerthemebars, beamerthemelined, 
 23 | %                       beamerthemetree, beamerthemetreebars  
 24 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 25 | \newcommand{\F}{\ensuremath{\mathbb F}}
 26 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 27 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 28 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 29 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 30 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 31 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 32 | \newcommand{\defeq}{\ensuremath{:=}}
 33 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 34 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 35 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 36 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 37 |  \newcommand{\polys}{\F[X]}
 38 | \newcommand{\acc}{{\mathbf{acc}}}
 39 | \newcommand{\ideal}{\mathbf{I}}
 40 | \newcommand{\gen}{\alpha}
 41 | 
 42 | \title{\LARGE{zk-proofs - from novice to master}}    % Enter your title between curly braces
 43 | \author{\Large{Ariel Gabizon}}                 % Enter your name between curly braces
 44 | \institute{\normalsize{Aztec}}      % Enter your institute name between curly braces
 45 | \date{}                    % Enter the date or \today between curly braces
 46 | %\usefonttheme{professionalfonts}
 47 | %\usefonttheme[onlymath]{serif}
 48 | \begin{document}
 49 | \boldmath
 50 | % Creates title page of slide show using above information
 51 | \begin{frame}
 52 |   \titlepage
 53 | \end{frame}
 54 | \note{Talk for 30 minutes} % Add notes to yourself that will be displayed when
 55 |                            % typeset with the notes or notesonly class options
 56 | 
 57 | %\section[Outline]{}
 58 | 
 59 | % Creates table of scontents slide incorporating
 60 | % all \section and \subsection commands
 61 | \begin{frame}
 62 | \emph{``If encryption is  a light switch - on or off, zero-knowledge proofs are a dimmer allowing you to control exactly how much you information expose''} 
 63 | \end{frame}
 64 | 
 65 | \begin{frame}
 66 |   \frametitle{The deck of cards:}   % Insert frame title between curly braces
 67 | \textbf{A full deck with red and black cards, face down.}\\
 68 |  \vspace{0.4in}
 69 | \textbf{I take out a red three of hearts.}
 70 |  \vspace{0.4in}
 71 | \textbf{How to convince you I took a red card, without showing which one}
 72 | \end{frame}
 73 | \begin{frame}
 74 |   \frametitle{Proving color to the color blind:}   % Insert frame title between curly braces
 75 | \textbf{A red and green ball, otherwise indentical}\\
 76 |  \vspace{0.4in}
 77 | \textbf{How to convince a color-blind friend they are different?.}
 78 |  \vspace{0.4in}
 79 | 
 80 | \end{frame}
 81 | 
 82 | \begin{frame}
 83 |   \frametitle{Counting leaves in a tree:}   % Insert frame title between curly braces
 84 | How to prove you can instantly count the number of leaves on a tree, without disclosing the number of leaves?
 85 | \end{frame}
 86 | 
 87 | 
 88 | \begin{frame}
 89 |   \frametitle{Visual example: Where's Waldo?}   % Insert frame title between curly braces
 90 |  \begin{figure}
 91 |   \includegraphics[width=40pt]{waldopic.png}
 92 |   \includegraphics[width=250pt]{waldo.jpg}
 93 | \end{figure}
 94 | 
 95 | \end{frame}
 96 | 
 97 | 
 98 | % \begin{frame}
 99 | %   \frametitle{Video: the cave}   % Insert frame title between curly braces
100 | % \end{frame}
101 | 
102 | 
103 | \begin{frame}
104 |  \frametitle{3-coloring}
105 |  How can we prove to someone we can color a graph with 3 colors without leaking the coloring?
106 |  %Example to use: https://web.mit.edu/~ezyang/Public/graph/svg.html
107 | \end{frame}
108 | 
109 | 
110 | 
111 | % \begin{frame}
112 | %   \frametitle{From interactive to non-interactive}
113 | % \textbf{Fiat-Shamir hueristic:} simulate challenges of the verifier by hash of messages so far
114 | %  \vspace{0.4in}
115 | %   
116 | %   
117 | % \end{frame}
118 | % \begin{frame}
119 | %   \frametitle{From interactive to non-interactive}
120 | % \textbf{Fiat-Shamir hueristic:} simulate challenges of the verifier by hash of messages so far\\
121 | %  \vspace{0.4in}
122 | % \textbf{Homomorphic encryption:} Give challenge in advance in homomorphically encoded form (Craig Gentry video)
123 | %  \vspace{0.4in}
124 | % \end{frame}
125 | % 
126 | 
127 | \begin{frame}
128 |   \frametitle{ZK + bitcoin: Zero-Knowledge contingent payments \small{(by Greg Maxwell)}}
129 | \textbf{Chicken and egg problem:} Alice has sudoku puzzle solution, Bob wants to buy it - who goes first?.\\
130 |  \vspace{0.4in}
131 | \textbf{ZKCP:} Protocol where money and solution change hands at exactly same time.
132 |  \vspace{0.4in}
133 | \end{frame}
134 | 
135 | 
136 | \begin{frame}
137 |   \frametitle{ZK + bitcoin: Zero-Knowledge contingent payments \small{(by Greg Maxwell)}}
138 | \begin{enumerate}
139 |  \item Alice chooses cryptographic key  $K$, sends $h =HASH(K)$.\pause
140 |  \item Alice sends encrypted solution $C=E_K(S)$ to Bob; and proves in ZK: ``C is encryption of sudoku solution under key who's hash is $h$.\pause
141 |   \item Bob makes bitcoin ``hash-locked-transaction'' to Alice with $h$.\pause
142 |  \item Alice reveals $K$ to unlock her funds.\pause
143 |  \item Bob can now use $K$ to decrypt solution.\pause
144 | \end{enumerate}
145 | 
146 | \end{frame}
147 | 
148 | 
149 | \begin{frame}
150 |   \frametitle{More on the mathy side: Schnorr's discrete log protocol}
151 | Given $g^x$, prove you know $x$ without revealing it.
152 | \end{frame}
153 | \begin{frame}
154 |   \frametitle{More on the mathy side: Schnorr's discrete log protocol}
155 | Given $X\defeq g^x$, prove you know $x$ without revealing it.
156 | \vspace{0.4in}
157 | \begin{enumerate}
158 |  \item Prover chooses random $r$, sends $R\defeq g^r$.\pause
159 |  \item Verifier chooses random $c$\pause
160 |  \item Prover sends $u\defeq x\cdot c +r$\pause
161 | \item Verifier checks $X\cdot R = g^u$. 
162 | \end{enumerate}
163 | 
164 | \end{frame}
165 | \begin{frame}
166 |  \frametitle{In parallel to ZK, a  big breakthrough: succinct verification}
167 |  \begin{itemize}
168 |   \item  1990, sumcheck - ``Can prove a sudoku \emph{doesn't} have a solution without verifier going through all options''\pause
169 |   \item 1998, PCP theorem - ``The proof that a sudoku puzzle has a solution can be encoded such that the verifier only needs to read three bits'' 
170 |  \end{itemize}
171 | 
172 | \end{frame}
173 | 
174 | \begin{frame}
175 |  \frametitle{Zero-knowledge and succinctness - a love story}
176 | \begin{itemize}
177 |  \item Succinct verification+merkle trees $\rightarrow$ small proofs
178 |  \item When the proof is small easier to make it zk - less places information can hide.
179 | \end{itemize}
180 |  
181 |  \begin{figure}
182 |   \includegraphics[width=150pt]{kilian.png}
183 | \end{figure}
184 | \end{frame}
185 | 
186 | \begin{frame}
187 |  \frametitle{Succinct arguments in a nutshell}   % Insert frame title between curly braces
188 |  Public program $T$, public output $z$.\\ \pause
189 |  \vspace{0.4in}
190 |  Want to prove ``I know input $x$ for program $T$ that generates output $z$.\\ \pause
191 |  \vspace{0.4in}
192 | Want proof size and verification time to be much smaller than run time of $T$. \\ 
193 | {\small (SNARK:=Succinct Non-Interactive Argument of Knowledge)}\\ \pause
194 |  \vspace{0.4in}
195 |  Arithmetization {\small [LFKN,......]}: Reduce claim to claim of form ''I know polynomials that satisfy some identity`` \pause
196 | \end{frame}
197 | \begin{frame}
198 |  \frametitle{Succinct arguments in a nutshell}   % Insert frame title between curly braces
199 |  Advantage of claims about polynomials is that suffice to check at one random point \\ \pause
200 |  \vspace{0.4in}
201 |  But need to solve ''chicken and egg problem``: Prover must commit to polynomials before knowing the challenge point. 
202 |  \vspace{0.4in}
203 |  
204 | \end{frame}
205 | \begin{frame}
206 |  \frametitle{Polynomial commitment schemes {\small [KZG, 10]}}   % Insert frame title between curly braces
207 | \begin{itemize}
208 |  \item Prover send short commitment $\cm(f)$ to polynomial.\pause
209 |  \item Later Verifier can choose value $i\in \F$.\pause
210 |  \item Prover sends back $z=f(i)$ ; together with proof $\open{f,i}$ that $z$ is correct.\pause
211 | \end{itemize}
212 | KZG give us PCS with commitments and openings are practically 32 bytes.\\ 
213 | Notation: $\enc{x}=g^x$ where $g$ generator of elliptic curve group.
214 | \end{frame}
215 | 
216 | 
217 | \begin{frame}
218 |  \frametitle{Elliptic curve pairings - some serious math magic}
219 |  Groups $G,G_t$
220 |  such that
221 |  \begin{itemize}
222 |   \item $G$ is an EC with hard discrete log - from $g^x$ hard to find $x$, for generator $g\in G$.\pause %/- written *additively* - $x\cdot g$ , instead of $g^x$.
223 |   \item We have a map $e:G:\rightarrow G_t$ such that
224 |   \[e( g^a, g^b) = g_t^{a\cdot b}\]
225 |   
226 |  \end{itemize}
227 | 
228 | \end{frame}
229 | 
230 | \begin{frame}
231 | Notation: $\enc{x}=g^x$ where $g$ generator of elliptic curve group.
232 | \end{frame}
233 | 
234 | 
235 | \begin{frame}
236 | \frametitle{The KZG polynomial commitment scheme}
237 |  Setup: $\enc{1},\enc{x},\ldots,\enc{x^d}$, for random $x\in \F$.\\ \pause
238 |  \vspace{0.4in}
239 |  $\cm(f)\defeq   \enc{f(x)}$\\ \pause
240 |  \vspace{0.4in}
241 | $\open{f,i}\defeq \enc{h(x)}$, where
242 |  $h(X)\defeq \frac{f(X)-f(i)}{X-i}$\\ \pause
243 |  \vspace{0.4in}
244 |  $\verify{\cm,\pi,z,i}:$
245 | \[e(\cm-\enc{z},\enc{1}) \stackrel{?}{=} e(\pi, \enc{x-i})\]
246 | \end{frame}
247 | \begin{frame}
248 | \frametitle{Multiset equality check}
249 | Given $a,b\in \F^3$, want to check $\{b_1,b_2,b_3\} \stackrel{?}{=} \{a_1,a_2,a_3\}$ \\ \pause
250 |  \vspace{0.2in}
251 | 
252 |   
253 |  Choose random $\gamma\in \F$. Check
254 |   \[(a_1 + \gamma)(a_2+ \gamma)(a_3 + \gamma) \stackrel{?}{=} (b_1+\gamma)(b_2+\gamma)(b_3+\gamma)\]\pause
255 | %   \[a'_1 = a_1 + \gamma, a'_2 = a_2 + \gamma, a'_3 = a_3 + \gamma\]
256 | %  \[b'_1 = b_1 + \gamma, b'_2 = b_2 + \gamma, b'_3 = b_3 + \gamma\]\pause
257 | 
258 |  \vspace{0.2in}
259 |  If $a,b$ different as sets then w.h.p products different.\pause
260 |  
261 | \end{frame}
262 | 
263 | 
264 | 
265 | \begin{frame}
266 | \frametitle{Multiset equality check - polynomial version}
267 | Given $f,g\in \polysofdeg{d}$, want to check $\sett{f(x)}{x\in H} \stackrel{?}{=} \sett{g(x)}{x\in H}$ as multisets \\ 
268 |  
269 | \end{frame}
270 | \begin{frame}
271 | \frametitle{Reduces to:}   % Insert frame title between curly braces
272 |  $H=\set{\gen,\gen^2,\ldots,\gen^n}$.\\
273 |  \vspace{0.2in}
274 |  
275 |  $\prv$ has sent $f',g'\in \polysofdeg{n}$.\\
276 |  \vspace{0.2in}
277 |  Wants to prove:
278 |  \[\prod_{i\in [n]}  f(\gen^i) = \prod_{i\in [n]} g(\gen^i)\]
279 | 
280 |  $f\defeq f' +\gamma,g\defeq g'+\gamma$
281 | 
282 | \end{frame}
283 | 
284 | \begin{frame}
285 | \frametitle{Multiplicative subgroups:}   % Insert frame title between curly braces
286 |  $H=\set{\gen,\gen^2,\ldots,\gen^n=1}$.\\
287 |  \vspace{0.2in}
288 |  $L_i$ is i'th lagrange poly of $H$:
289 |  \[L_i(\alpha^i)=1,L_i(\alpha^j) =0, j\neq i\]
290 | \end{frame}
291 | 
292 | 
293 | \begin{frame}
294 | \frametitle{Checking products with $H$-ranged protocols \small{[GWC19]}}   % Insert frame title between curly braces
295 |  \begin{enumerate}
296 |   \item $\prv$ computes $Z$ with 
297 |   $ Z(\gen)=1, Z(\gen^i) = \prod_{j<i}  f(\gen^j)/g(\gen^j)$.
298 |   \item Sends $Z$ to $\ideal$.   \pause
299 |   \item $\ver$ checks following identities on $H$.
300 |   \begin{enumerate}
301 |    \item $L_1(X) (Z(X)-1) =0$
302 |    \item $Z(X) f(X) = Z(\gen\cdot X)g(X)$\pause
303 |  \end{enumerate}
304 | 
305 |  \end{enumerate}
306 |  \vspace{0.2in}
307 | % We get $\aggdeg{\prot}=n+2n -|H| = 2n$.
308 | 
309 | 
310 | \end{frame}
311 | 
312 | % \begin{frame}
313 | % 
314 | %  $\cm(f)\defeq   \enc{f(x)}$\\
315 | %  \vspace{0.4in}
316 | % $\open{f,i}\defeq \enc{h(x)}$, where
317 | %  $h(X)\defeq \frac{f(X)-f(i)}{X-i}$\\
318 | %  \vspace{0.4in}
319 | %  $\verify{\cm,\pi,z,i}:$
320 | % \[e(\cm-\enc{z},\enc{1}) \stackrel{?}{=} e(\pi, \enc{x-i})\]
321 | % \end{frame}
322 | % 
323 | % 
324 | %  
325 | % 
326 | % 
327 | % \begin{frame}
328 | % 
329 | %  $\cm(f)\defeq   \enc{f(x)}$\\
330 | %  \vspace{0.4in}
331 | % $\open{f,i}\defeq \enc{h(x)}$, where
332 | %  $h(X)\defeq \frac{f(X)-f(i)}{X-i}$\\
333 | %  \vspace{0.4in}
334 | %  $\verify{\cm,\pi,z,i}:$
335 | % \[e(\cm-\enc{z},\enc{1}) \stackrel{?}{=} e(\pi, \enc{x-i})\]
336 | %  \vspace{0.4in}
337 | % \textbf{Thm}{\footnotesize{[KZG,MBKM]}}: \emph{This works in the Algebraic Group Model.}
338 | %  \end{frame}
339 | % 
340 | % 
341 | 
342 | \end{document}
343 | 


--------------------------------------------------------------------------------
/auroralightLondon2019.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/auroralightLondon2019.pdf


--------------------------------------------------------------------------------
/auroralightLondon2019.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,trans,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | %\usepackage[T1]{fontenc}
  4 | %\usepackage{fourier}
  5 | % Dokumentets sprog
  6 | %\usepackage{mathtools}
  7 | %\usepackage{pxfonts}
  8 | \usepackage{eulervm}
  9 | % Class options include: notes, notesonly, handout, trans,
 10 | %                        hidesubsections, shadesubsections,
 11 | %                        inrow, blue, red, grey, brown
 12 | 
 13 | % Theme for beamer presentation.
 14 | %\usepackage{beamertheme} 
 15 | % Other themes include: beamerthemebars, beamerthemelined, 
 16 | %                       beamerthemetree, beamerthemetreebars  
 17 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 18 | \newcommand{\F}{\ensuremath{\mathbb F}}
 19 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 20 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 21 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 22 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 23 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 24 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 25 | \newcommand{\defeq}{\ensuremath{:=}}
 26 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 27 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 28 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 29 | 
 30 | \title{\LARGE{Components of recent universal SNARKs}}    % Enter your title between curly braces
 31 | \author{\Large{Ariel Gabizon}}                 % Enter your name between curly braces
 32 | \institute{\normalsize{Protocol Labs}}      % Enter your institute name between curly braces
 33 | \date{}                    % Enter the date or \today between curly braces
 34 | %\usefonttheme{professionalfonts}
 35 | %\usefonttheme[onlymath]{serif}
 36 | \begin{document}
 37 | \boldmath
 38 | % Creates title page of slide show using above information
 39 | \begin{frame}
 40 |   \titlepage
 41 | \end{frame}
 42 | \note{Talk for 30 minutes} % Add notes to yourself that will be displayed when
 43 |                            % typeset with the notes or notesonly class options
 44 | 
 45 | %\section[Outline]{}
 46 | 
 47 | % Creates table of contents slide incorporating
 48 | % all \section and \subsection commands
 49 | %\begin{frame}
 50 |   %\tableofcontents
 51 | %\end{frame}
 52 | 
 53 | 
 54 | \begin{frame}
 55 |   \frametitle{30 seconds of philosophy: \\ SNARKs and the meaning of life}   % Insert frame title between curly braces
 56 | 
 57 |   
 58 |   As the world gets increasingly distributed and digital, SNARKs help us ``keep a grip on reality'', by ensuring the data we receive is anchored in reality.\\
 59 |  \vspace{0.4in}
 60 |  In this context, they are vast generalization of hashes and digital signatures.
 61 |  \vspace{0.4in}
 62 | 
 63 | \end{frame}
 64 | 
 65 | 
 66 | 
 67 | \begin{frame}
 68 | \frametitle{Evaluating prover polynomials succinctly}   % Insert frame title between curly braces
 69 | Since the beginning of time (LFKN, 1990) humanity has been trying to verify prover polynomial evaluations.\\
 70 | \end{frame}
 71 | 
 72 | 
 73 | \begin{frame}
 74 | \frametitle{Evaluating prover polynomials succinctly}   % Insert frame title between curly braces
 75 | %Since the beginning of time (LFKN, 1989) humanity has been trying to verify prover polynomial evaluations.\\
 76 |  \vspace{0.4in}
 77 | \textbf{Verifer:} - ``Choose a degree 10 polynomial $f$ and keep it in your head''\\
 78 | \textbf{Prover:} - ``OK''\\
 79 |  \textbf{Verifer:} - ``What is $f(7)$?''\\
 80 | \textbf{Prover:} - ``$10$''\\
 81 | \end{frame}
 82 | 
 83 | 
 84 | \begin{frame}
 85 |   \frametitle{Evaluating prover polynomials succinctly}   % Insert frame title between curly braces
 86 |  
 87 | \textbf{The hard-working honest way} - Low degree testing [BFL91,...] \small{(also PCPPs/IOPPs)}
 88 | %(\footnotesize{(and PCPPs,IOPPS)}) 
 89 | 
 90 | \end{frame}
 91 | 
 92 | 
 93 | 
 94 | 
 95 | \begin{frame}
 96 |   \frametitle{Evaluating prover polynomials succinctly}   % Insert frame title between curly braces
 97 | %Since the beginning of time (1989) humanity has been trying to verify prover polynomial evaluations.
 98 |  %\vspace{0.4in}
 99 |  
100 | \textbf{The hard-working honest way} - Low degree testing/PCPP/IOPPs
101 | 
102 |  \vspace{0.4in}
103 | \textbf{The correct* way} - Polynomial commitment scheme (with SRS).
104 | 
105 | 
106 | \vspace{0.8in}
107 | \footnotesize{*The opinions expressed in this presentation are objective reality}
108 | \end{frame}
109 | 
110 | 
111 | 
112 | \begin{frame}
113 | \frametitle{Notation:``an encoding of $x$''}   % Insert frame title between curly braces
114 | %Since the beginning of time (1989) humanity has been trying to verify prover polynomial evaluations.
115 |  %\vspace{0.4in}
116 |  
117 | %\textbf{Notation:}
118 | $\enc{x}\defeq x\cdot g = g+\ldots+g$ ($x$ times).
119 |  \vspace{0.4in}
120 |  
121 | \end{frame}
122 | 
123 | \begin{frame}
124 | \frametitle{Notation:``an encoding of $x$''}   % Insert frame title between curly braces
125 | %Since the beginning of time (1989) humanity has been trying to verify prover polynomial evaluations.
126 |  %\vspace{0.4in}
127 |  
128 | %\textbf{Notation:}
129 | $\enc{x}\defeq x\cdot g = g+\ldots+g$ ($x$ times).\\
130 |  \vspace{1in}
131 | \emph{\small{You can imagine it means $g^x$, if it helps you sleep better.}} 
132 | \end{frame}
133 | 
134 | 
135 | 
136 | \begin{frame}
137 |   \frametitle{The KZG polynomial commitment scheme}   % Insert frame title between curly braces
138 |  SRS: \enc{1},\enc{x},\ldots,\enc{x^d}, for random $x\in \F$.\\
139 |  \vspace{0.4in}
140 |  $f(X) = \sum_{i=0}^d a_i X^i$\\
141 |  \vspace{0.4in}
142 |  $\cm(f)\defeq  \sum_{i=0}^d a_i \enc{x^i}=  \enc{f(x)}$\\
143 |  \vspace{0.4in}
144 |  
145 | \end{frame}
146 | \begin{frame}
147 |  SRS: \enc{1},\enc{x},\ldots,\enc{x^d},\\
148 |  for random $x\in \F$.
149 |  \vspace{0.4in}
150 |  
151 |  $\cm(f)\defeq   \enc{f(x)}$\\
152 |  \vspace{0.4in}
153 | $\open{f,i}\defeq \enc{h(x)}$, where
154 | $h(X)\defeq \frac{f(X)-f(i)}{X-i}$
155 |  \vspace{0.4in}
156 |  
157 | \end{frame}
158 | 
159 | 
160 | \begin{frame}
161 |  $\cm(f)\defeq   \enc{f(x)}$\\
162 |  \vspace{0.4in}
163 | $\open{f,i}\defeq \enc{h(x)}$, where
164 |  $h(X)\defeq \frac{f(X)-f(i)}{X-i}$\\
165 |  \vspace{0.4in}
166 | \textbf{exercise} - using pairing, define:\\
167 |  \vspace{0.2in}
168 |  $\verify{\cm,\pi,z,i}$,
169 |  where $z$ is allegedly $f(i)$
170 |  \end{frame}
171 | 
172 | 
173 | 
174 | 
175 | \begin{frame}
176 | 
177 |  $\cm(f)\defeq   \enc{f(x)}$\\
178 |  \vspace{0.4in}
179 | $\open{f,i}\defeq \enc{h(x)}$, where
180 |  $h(X)\defeq \frac{f(X)-f(i)}{X-i}$\\
181 |  \vspace{0.4in}
182 |  $\verify{\cm,\pi,z,i}:$
183 | \[e(\cm-\enc{z},\enc{1}) \stackrel{?}{=} e(\pi, \enc{x-i})\]
184 | \end{frame}
185 | 
186 | 
187 |  
188 | 
189 | 
190 | \begin{frame}
191 | 
192 |  $\cm(f)\defeq   \enc{f(x)}$\\
193 |  \vspace{0.4in}
194 | $\open{f,i}\defeq \enc{h(x)}$, where
195 |  $h(X)\defeq \frac{f(X)-f(i)}{X-i}$\\
196 |  \vspace{0.4in}
197 |  $\verify{\cm,\pi,z,i}:$
198 | \[e(\cm-\enc{z},\enc{1}) \stackrel{?}{=} e(\pi, \enc{x-i})\]
199 |  \vspace{0.4in}
200 | \textbf{Thm}{\footnotesize{[KZG,MBKM]}}: \emph{This works.}
201 |  \end{frame}
202 | 
203 | \begin{frame}
204 |   \frametitle{Application: Proof of retrievability}
205 | \end{frame}
206 | 
207 | \begin{frame}
208 |   \frametitle{Application: Proof of retrievability}
209 |  \emph{Server:} Commit to file as coefficients \set{a_0,\ldots,a_d} of polynomial $f$.\\
210 |  \vspace{0.4in}
211 |  \emph{Client:} Time-to-time query $f$ at a random point $r$.\\
212 |  \vspace{0.4in}
213 | \end{frame}
214 | 
215 | 
216 | \begin{frame}
217 |   \frametitle{Application: Proof of retrievability}
218 |  \emph{Server:} Commit to file as coefficients \set{a_0,\ldots,a_d} of polynomial $f$.\\
219 |  \vspace{0.4in}
220 |  \emph{Client:} Time-to-time query $f$ at a random point $r$.\\
221 |  \vspace{0.4in}
222 |  \emph{Probability of server computing $f(r)$ correctly w/o remembering all coeffs of $f$ is negligible.}
223 | \end{frame}
224 | 
225 | 
226 | 
227 | 
228 | \begin{frame}
229 |   \frametitle{Application: The Sonic helper \small{[MBKM19]}}
230 |  Bi-variate $S(X,Y)$, evaluation points \sett{(x_j,y_j)}{j\in \set{1..t}}, values \set{z_j} \\
231 |  \end{frame}
232 | 
233 | \begin{frame}
234 |   \frametitle{Application: The Sonic helper \small{[MBKM19]}}
235 |  Bi-variate $S(X,Y)$, evaluation points \sett{(x_j,y_j)}{j\in \set{1..t}}, values \set{z_j} \\
236 |  \vspace{0.4in}
237 |  Helper $\helper$ wants to convince verifier $\ver$ that $\forall j\in \set{1..t}$, $S(x_j,y_j)=z_j$.\\
238 |  \vspace{0.4in}
239 | \end{frame}
240 | 
241 | \begin{frame}
242 |   \frametitle{Application: The Sonic helper \small{[MBKM19]}}
243 |  Bi-variate $S(X,Y)$, evaluation points \sett{(x_j,y_j)}{j\in \set{1..t}}, values \set{z_j} \\
244 |  \vspace{0.4in}
245 |  Helper $\helper$ wants to convince verifier $\ver$ that $\forall j\in \set{1..t}$, $S(x_j,y_j)=z_j$.\\
246 |  \vspace{0.4in}
247 | $\ver$'s work: only \emph{one} evaluation of $S$!
248 |  \end{frame}
249 | 
250 |  
251 | \begin{frame}
252 |   \frametitle{The Sonic helper \small{[MBKM19]}}
253 |  \begin{enumerate}
254 |   \item $\forall j$, $\helper$ sends $S_j \defeq \cm(S(X,y_j))$.
255 |  \end{enumerate}
256 |  
257 |  \end{frame}
258 | \begin{frame}
259 |   \frametitle{The Sonic helper \small{[MBKM19]}}
260 |  \begin{enumerate}
261 |   \item $\forall j$, $\helper$ sends $S_j \defeq \cm(S(X,y_j))$.
262 |  \end{enumerate}
263 |  \vspace{0.4in}
264 | \emph{If $\helper$ would convince $\ver$ $S_j$'s are correct, he could just open them at $x_j$. } 
265 |  \end{frame}
266 | 
267 | \begin{frame}
268 |   \frametitle{The Sonic helper \small{[MBKM19]}}
269 |  \begin{enumerate}
270 |   \item $\forall j$, $\helper$ sends $S_j \defeq \cm(S(X,y_j))$.
271 | \item $\ver$ chooses random $u\in \F$.
272 | \item $\helper$ sends $C\defeq \cm(S(u,Y))$.
273 | 
274 |   \end{enumerate}
275 |  \vspace{0.4in}
276 |  \end{frame}
277 | 
278 |  
279 |  \begin{frame}
280 |   \frametitle{The Sonic helper \small{[MBKM19]}}
281 |  \begin{enumerate}
282 |   \item $\forall j$, $\helper$ sends $S_j \defeq \cm(S(X,y_j))$.
283 | \item $\ver$ chooses random $u\in \F$.
284 | \item $\helper$ sends $C\defeq \cm(S(u,Y))$.
285 | \item $\forall j$, $\helper$ opens $C$ at $y_j$ and $S_j$ at $u$. $\ver$ checks they open to same value.
286 |   \end{enumerate}
287 |  \vspace{0.4in}
288 | \emph{At this point $\ver$ knows $S_j$'s are correct \textbf{if} $C$ is correct.}
289 |  \end{frame}
290 | 
291 |  \begin{frame}
292 |   \frametitle{The Sonic helper \small{[MBKM19]}}
293 |  \begin{enumerate}
294 |   \item $\forall j$, $\helper$ sends $S_j \defeq \cm(S(X,y_j))$.
295 | \item $\ver$ chooses random $u\in \F$.
296 | \item $\helper$ sends $C\defeq \cm(S(u,Y))$.
297 | \item $\forall j$, $\helper$ opens $C$ at $y_j$ and $S_j$ at $x_j$. $\ver$ checks they open to same value.
298 | \item $\ver$ chooses random $v\in \F$ and computes $s(u,v)$.
299 | \end{enumerate}
300 |  \vspace{0.4in}
301 |  \end{frame}
302 | 
303 |  
304 |  
305 |  \begin{frame}
306 | \frametitle{The Sonic helper \small{[MBKM19]}}
307 |  \begin{enumerate}
308 |   \item $\forall j$, $\helper$ sends $S_j \defeq \cm(S(X,y_j))$.
309 | \item $\ver$ chooses random $u\in \F$.
310 | \item $\helper$ sends $C\defeq \cm(S(u,Y))$.
311 | \item $\forall j$, $\helper$ opens $C$ at $y_j$ and $S_j$ at $x_j$. $\ver$ checks they open to same value.
312 | \item $\ver$ chooses random $v\in \F$ and computes $s(u,v)$.
313 | \item $\helper$ opens $C$ at $v$, and $\ver$ checks it opens to $s(u,v)$.
314 | \end{enumerate}
315 |  \vspace{0.4in}
316 |  \end{frame}
317 | 
318 |  %\small{[BCRSVW19, G19]}
319 |   \begin{frame}
320 | \frametitle{3rd application: sumchecks }
321 |  \end{frame}
322 |  
323 |   \begin{frame}
324 | \frametitle{3rd application: sumchecks}
325 | $\prv$ has polynomial $f$. $H\subset \F$. \\
326 |  \vspace{0.4in}
327 | $\ver$ wants to check:
328 | \[\sum_{x\in H} f(x) =0\]
329 | 
330 | \end{frame}
331 | 
332 | 
333 |   \begin{frame}
334 | \frametitle{The Aurora trick for sumcheck \small{[BCRSVW19]}}
335 | \begin{lemma}
336 |  When $H\subset \F$ is a multiplicative subgroup of size $n$, and $deg(g)<n$
337 | \[\sum_{x\in H} g(x) =0\]
338 | iff $g$ has constant coefficient $0$.
339 | \end{lemma}
340 |  \vspace{0.4in}
341 | 
342 | \end{frame}
343 | 
344 | 
345 |   \begin{frame}
346 | \frametitle{The Aurora trick for sumcheck \small{[BCRSVW19]}}
347 | $Z_H \defeq \prod_{x\in H}(X-x)$
348 |  \vspace{0.4in}
349 | 
350 | By lemma suffices to show $g_1,g_2$, $deg(g_2)<n-1$ such that
351 |  \[ f(X)\equiv g_1(X)\cdot Z_H(X) +X\cdot g_2(X) \]
352 | \end{frame}
353 | 
354 | 
355 |   \begin{frame}
356 | \frametitle{AuroraLight \small{[G19]}}
357 | Check $f$ has this form by sending commitments to $g_1,g_2$,
358 | and openning $f,g_1,g_2$ at random point.\\
359 |  \vspace{0.4in}
360 | % Using Aurora+Sonic ideas:
361 | % \begin{corollary}
362 | %  Universal SNARK with prover almost as fast as {\small{[Groth16]}}
363 | %  (But longer proofs than Sonic, and no fully succinct mode).
364 | % \end{corollary}
365 | % 
366 | \end{frame}
367 | 
368 |   \begin{frame}
369 | \frametitle{AuroraLight \small{[G19]}}
370 | Check $f$ has this form by sending commitments to $g_1,g_2$,
371 | and openning $f,g_1,g_2$ at random point.\\
372 |  \vspace{0.4in}
373 | Using Aurora+Sonic ideas:
374 | \begin{corollary}
375 |  Universal SRS SNARK with prover almost as fast as {\small{[Groth16]}}
376 |  (But longer proofs than Sonic, and no fully succinct mode).
377 | \end{corollary}
378 | 
379 | \end{frame}
380 | 
381 | 
382 | 
383 | \end{document}
384 | 


--------------------------------------------------------------------------------
/azteclogo.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/azteclogo.PNG


--------------------------------------------------------------------------------
/cqberkeleyjan23.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/cqberkeleyjan23.pdf


--------------------------------------------------------------------------------
/cqberkeleyjan23.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | \usepackage{amsthm,amsfonts}
  9 | %\usepackage[T1]{fontenc}
 10 | % \usepackage{fullpage}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{eulervm}
 15 | 
 16 | % Class options include: notes, notesonly, handout, trans,
 17 | %                        hidesubsections, shadesubsections,
 18 | %                        inrow, blue, red, grey, brown
 19 | 
 20 | % Theme for beamer presentation.
 21 | %\usepackage{beamertheme} 
 22 | % Other themes include: beamerthemebars, beamerthemelined, 
 23 | %                       beamerthemetree, beamerthemetreebars  
 24 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 25 | \newcommand{\F}{\ensuremath{{\mathbb F}}}
 26 | \newcommand{\Z}{\ensuremath{{\mathbb Z}}\xspace}
 27 | \newcommand{\Fclosure}{\ensuremath{{\overline{\mathbb{F}}}_p}}
 28 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 29 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 30 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 31 | \newcommand{\kzg}[1]{\ensuremath{\enc{#1(x)}}}
 32 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 33 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 34 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 35 | \newcommand{\defeq}{\ensuremath{:=}}
 36 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 37 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 38 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 39 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 40 | %  \newcommand{\endoss}{\ensuremath{\mathrm{END}_E}}
 41 |  \newcommand{\hl}[1]{\textbf{\textit{#1}}}
 42 |  \newcommand{\polys}{\F[X]}
 43 | \newcommand{\acc}{{\mathbf{acc}}}
 44 | \newcommand{\ideal}{\mathbf{I}}
 45 | \newcommand{\gen}{\alpha}
 46 | \newcommand{\spac}{\\  \vspace{0.2in} \noindent}
 47 | \newcommand{\polylog}{\ensuremath{\mathsf{polylog}}\xspace}
 48 | % \renewcommand{\bf}{\begin{frame}}
 49 | % \newcommand{\ef}{\end{frame}}
 50 | %\setbeamersize{text margin left=3mm,text margin right=3mm}  
 51 | \newcommand{\nl}{\\ \pause \vspace{0.2in}}
 52 | \newcommand{\nlnp}{\\ \vspace{0.2in}}
 53 | \newcommand{\stitle}[1]{{\large{\textcolor{purple}{\emph{#1}}}}}
 54 | \DeclareMathAlphabet{\mathpgoth}{OT1}{pgoth}{m}{n}	
 55 | \newcommand{\cq}{\mathpgoth{cq} }
 56 | \newcommand{\cqstar}{\ensuremath{\mathpgoth{cq^{\mathbf{*}} }}\xspace}
 57 | \newcommand{\flookup}{\ensuremath{\mathsf{\mathpgoth{Flookup}}}\xspace}
 58 | \newcommand{\baloo}{\ensuremath{\mathrm{ba}\mathit{loo}}\xspace}
 59 | \newcommand{\caulkp}{\ensuremath{\mathsf{\mathrel{Caulk}\mathrel{\scriptstyle{+}}}}\xspace}
 60 | \newcommand{\caulk}{\ensuremath{\mathsf{Caulk}}\xspace}
 61 | \newcommand{\plookup}{\ensuremath{\mathpgoth{plookup}}\xspace}
 62 | \newcommand{\srs}{\ensuremath{\mathsf{srs}}}
 63 | \newcommand{\tablegroup}{\ensuremath{\mathbb{H}}\xspace}
 64 | \newcommand{\V}{\ensuremath{\mathbf{V} }\xspace}
 65 | \newcommand{\bigspace}{\ensuremath{\mathbb{V}}}
 66 | \newcommand{\papertitle}{$\mathfrak{cq}$: Cached quotients for fast lookups}
 67 | %\newcommand{\authorname}}
 68 | \newcommand{\company}{}
 69 | \title{ \bf \papertitle \\[0.72cm]}
 70 | \author{ Liam Eagen \and Dario Fiore \and \textbf{Ariel Gabizon} } 
 71 | 
 72 | %\usefonttheme{professionalfonts}
 73 | %\usefonttheme[onlymath]{serif}
 74 | \begin{document}
 75 | \boldmath
 76 | % Creates title page of slide show using above information
 77 | \begin{frame}
 78 |   \titlepage
 79 | \end{frame}
 80 |                            % typeset with the notes or notesonly class options
 81 | 
 82 | %\section[Outline]{}
 83 | 
 84 | % Creates table of contents slide incorporating
 85 | % all \section and \subsection commands
 86 | \begin{frame}
 87 |   \tableofcontents
 88 | \end{frame}
 89 | \begin{frame}
 90 | \frametitle{Outline}
 91 |  
 92 | \begin{itemize}
 93 |  \item 
 94 | PCS/KZG review\pause
 95 | \item
 96 | KZG shenanigans 
 97 | \begin{enumerate}
 98 |  \item Committing to sparse polys.
 99 | \item ``cached quotients''\pause
100 | 
101 | \end{enumerate}
102 | \item Lookups
103 | \begin{enumerate}
104 |  \item Motivation
105 | \item log derivative protocol[Eagen, Hab\"ock,..]
106 | \item  $\cq$
107 | \end{enumerate}
108 | \end{itemize}
109 | \end{frame}
110 | 
111 | \begin{frame}
112 |  \frametitle{Polynomial commitment schemes {\small [KZG, 10]}}   % Insert frame title between curly braces
113 | \begin{itemize}
114 |  \item Prover send short commitment $\cm(f)$ to polynomial.\pause
115 |  \item Later Verifier can choose value $i\in \F$.\pause
116 |  \item Prover sends back $z=f(i)$ ; together with proof $\open{f,i}$ that $z$ is correct.\pause
117 | \end{itemize}
118 | KZG give us PCS with commitments and openings are practically 32-48 bytes.\\ 
119 | Notation: $\enc{x}=x\cdot g$ where $g$ generator of (an additive) elliptic curve group.
120 | \end{frame}
121 | \begin{frame}
122 | \frametitle{KZG10:}
123 |  $\srs \defeq \enc{1},\enc{x},\ldots,\enc{x^d}$, for random $x\in \F$.\\ \pause
124 |  \vspace{0.4in}
125 |  $\cm(f)\defeq   \enc{f(x)}$\\ \pause
126 |  \vspace{0.4in}
127 | $\open{f,i}\defeq \enc{h(x)}$, where
128 |  $h(X)\defeq \frac{f(X)-f(i)}{X-i}$\\ \pause
129 |  \vspace{0.4in}
130 |  $\verify{\cm,\pi,z,i}:$
131 | \[e(\cm-\enc{z},\enc{1}) \stackrel{?}{=} e(\pi, \enc{x-i})\]
132 | \end{frame}
133 | 
134 | \begin{frame}
135 |  \frametitle{Shenanigan $\#1$: Committing to sparse polys}
136 | \textbf{notation:} parameters $n<<N$, $d\defeq N-1$.
137 |  \\
138 |  \vspace{0.4in}
139 |  $\bigspace=\set{\omega,\ldots,\omega^N}\subset \F$ subgroup of size $N$.\nl
140 | Say $A\in \polysofdeg{N}$  is $n$-sparse if has at most $n$ non-zeroes on $\bigspace$.\nl
141 | For $i\in [N]$, denote $A_i\defeq A(\omega^i)$\\
142 | $L_1(X),\ldots,L_N(X)$ - Lagrange basis of $\bigspace$ - $(L_i)_j=0$ when $i\neq j$.
143 | \end{frame}
144 | 
145 | \begin{frame}
146 |  \frametitle{Committing to sparse polys}
147 | From $\srs \defeq \enc{1},\enc{x},\ldots,\enc{x^d}$, we can precompute in $O(N\log N)$ operations 
148 | the KZG commitments of $\bigspace$'s Lagrange Base:\\
149 | $\srs_L \defeq \set{\enc{L_1(x)},\ldots,\enc{L_N(x)}}$\nl
150 | 
151 | Now for $n$-sparse $A(X)$ of degree$<N$ compute 
152 | \[\cm(A)=\enc{A(x)}=\sum_{i\in [N], A_i\neq 0} A_i\cdot \kzg{L_i}
153 | \]
154 | 
155 | \end{frame}
156 |  
157 | \begin{frame}
158 |  \frametitle{Shenanigan $\#2$: ``Cached quotients'' method}
159 |  \textbf{Scenario:}
160 | $T(X)\in \polysofdeg{N}$ preprocessed poly.
161 | $Z_\bigspace(X)$-vanishing poly of $\bigspace$.\\
162 | Input: $n$-sparse $A(X)\in\polysofdeg{N}$.\nl
163 | 
164 | $V$ has $\cm(A)$. Want to prove to $V$ that:\\
165 | $Z_V(X)$ divides $A(X)T(X)$ \textit{using $O(n)$ prover operations}.
166 | 
167 | \end{frame}
168 | \begin{frame}
169 | \frametitle{``Cached quotients'' method}
170 | There exists quotient $Q_A(X)$ such that $A\cdot T\equiv Z_V\cdot Q_A$.\nl
171 | 
172 | We'll compute $\kzg{Q_A}$ in $O(n)$ operations:\nl
173 | 
174 | 
175 | \textbf{preprocessing:}
176 | For each $i\in [N]$, compute $\kzg{Q_i}$ such that for some $R_i(X)\in \polysofdeg{N}$
177 | \[L_i(X)\cdot T(X) = Q_i(X)\cdot Z_\bigspace(X) +R_i(X)\]\nl
178 | 
179 | Also precompute $\kzg{Z_\bigspace},\kzg{T}$
180 | \end{frame}
181 | \begin{frame}
182 | \frametitle{``Cached quotients'' method}
183 | After preprocessing, prover can compute
184 | \[\kzg{Q_A}=\sum_{i\in [N],A_i\neq 0} A_i \cdot \kzg{Q_i}\]\nl
185 | Verifier can check:
186 | \[e(\kzg{A},\kzg{T})=e(\kzg{Q_A},\kzg{Z_{\bigspace}})\]\nl
187 | In algebraic group model[FKL] can prove this is sound.
188 | \end{frame}
189 | 
190 |     
191 | 
192 | \begin{frame}
193 | {\huge{Lookup protocols}}
194 |  \end{frame}
195 | 
196 | 
197 | 
198 | 
199 | 
200 | 
201 | 
202 | \begin{frame}
203 | \frametitle{Constraints vs Lookups}
204 | \textbf{Example:} Check $0\leq x \leq 2^n-1$\nl
205 | Constraint approach:
206 | $\prv$ sends $x_0,\ldots,x_{n-1}$
207 | Proves
208 | \begin{itemize}
209 |  \item 
210 | $\forall i, x_i\in \set{0,1}$
211 | \item
212 | $\sum_{i} x_i2^i =x$.\nl
213 | \end{itemize}
214 | Requires $n+1$ ``gates''.
215 | 
216 | \end{frame}
217 | \begin{frame}
218 | \frametitle{Lookup approach}
219 | Preprocess table $T=\set{0,\ldots,2^n-1}$
220 | Devise protocol to check $x\in T$.\nl
221 | \textbf{Thm-informal [Arya..plookup]:} Check can be done in amortized $O(1)$ constraints 
222 | per check, when have $O(|T|)$ checks.\nl
223 | 
224 | \textbf{Thm [Caulk..$\cq$]:} Can be done in $O(1)$ constraints without need of amortization!
225 | \end{frame}
226 | \begin{frame}
227 |  \frametitle{The question in polynomials:}
228 |  \textbf{Preprocessed:} $\bigspace\subset \F$ subgroup of size $N$. $H\subset \F$ subgroup of size $n$. $T\in \polysofdeg{N}$.\nl
229 |  Input: $f\in \polysofdeg{n}$.  $\cm(f)$ given to $V$.\pause
230 |  
231 | \vspace{0.4in}
232 |  Want to convince $V$ that $f|_H\subset T|_\bigspace$ in $O(n)$ prover operations.
233 |  
234 | \end{frame}
235 | \begin{frame}
236 | \frametitle{Log-derivative approach:}
237 | \textbf{Lemma[Hab\"ock]:}
238 | $f|_H\subset T|_\bigspace$ if and only if there exists $m(X)\in \polysofdeg{N}$ s.t.  as rational functions
239 | \[\sum_{i\in [N]} \frac{m_i}{X+ T_i}=  \sum_{a\in H} \frac{1}{X+f(a)}   \]\nl
240 | \textit{Strategy: check this identity at random $\beta \in \F$.}
241 | 
242 | \end{frame}
243 | \begin{frame}
244 | \frametitle{$\cq$}
245 | \textbf{Main prover task:}
246 | Compute polynomial $A(X)$ that interpolates RHS on $\bigspace$, and
247 | prove it correct:
248 | \[A_i=\frac{m_i}{\beta+T_i}, \forall i\in [N]\]\nl
249 | 
250 | Can be done via the ``KZG shenanigans'' we described before.\nl Must compute $\kzg{Q_A}$ where
251 | \[A(X)(\beta+T(X))-m(X)=Q_A(X)Z_\bigspace(X).\]
252 | 
253 | \end{frame}
254 | \end{document}
255 | 


--------------------------------------------------------------------------------
/divisors.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/divisors.pdf


--------------------------------------------------------------------------------
/divisors.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | 
  9 | %\usepackage[T1]{fontenc}
 10 | %\usepackage{fourier}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{eulervm}
 15 | % Class options include: notes, notesonly, handout, trans,
 16 | %                        hidesubsections, shadesubsections,
 17 | %                        inrow, blue, red, grey, brown
 18 | 
 19 | % Theme for beamer presentation.
 20 | %\usepackage{beamertheme} 
 21 | % Other themes include: beamerthemebars, beamerthemelined, 
 22 | %                       beamerthemetree, beamerthemetreebars  
 23 |  \newcommand{\prot}{\mathbf{P}}
 24 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 25 | \newcommand{\aggdeg}[1]{\mathfrak{d}(#1)}
 26 | \renewcommand{\deg}{\mathrm{deg}}
 27 | \newcommand{\xor}{\ensuremath{\oplus}}
 28 | \newcommand{\plonk}{\ensuremath{\mathcal{P} \mathfrak{lon}\mathcal{K}}}
 29 | \newcommand{\F}{\ensuremath{\mathbb F}}
 30 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 31 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 32 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 33 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 34 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 35 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 36 | \newcommand{\defeq}{\ensuremath{:=}}
 37 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 38 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 39 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 40 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 41 |  \newcommand{\polys}{\F[X]}
 42 | \newcommand{\acc}{{\mathbf{acc}}}
 43 | \newcommand{\ideal}{\mathbf{I}}
 44 | \newcommand{\gen}{\alpha}
 45 | \newcommand{\plookup}{\mathsf{plookup}}
 46 | %\setbeamersize{text margin left=3mm,text margin right=3mm} 
 47 | \title{\large{Into the weeds of EC pairings}}    % Enter your title between curly braces
 48 | \author{\small{Ariel Gabizon}\\                 % Enter your name between curly braces
 49 | \tt{\footnotesize{\textbf{Aztec})                                        } }      }% Enter your institute name between curly braces
 50 | \date{}                    % Enter the date or \today between curly braces
 51 | %\usefonttheme{professionalfonts}
 52 | %\usefonttheme[onlymath]{serif}
 53 | \begin{document}
 54 | \boldmath
 55 | % Creates title page of slide show using above information
 56 | \begin{frame}
 57 |   \titlepage
 58 | \end{frame}
 59 | 
 60 | 
 61 | 
 62 | \begin{frame}
 63 | \frametitle{Divisors on $k(X)$}   % insert frame title between curly braces
 64 | 
 65 | % \textbf{Preprocessing/inputs:} Predefined polynomials $g_1,\ldots,g_t\in \polysofdeg{d}$\\
 66 | % \textbf{Range:} $H\subset\F$.\\ \pause
 67 | % \vspace{0.4in}
 68 | % \textbf{Protocol:}
 69 | $P\defeq  k\cup\infty$.\pause \\ 
 70 | \vspace{0.2in}
 71 | A divisor is a formal sum
 72 | $$D=\sum_{a\in P}d_a \cdot [a]$$
 73 | where $d_a\in\mathbb{Z}$ is non-zero except for finitely many $a$.
 74 | 
 75 | %  \begin{itemize}
 76 | % 
 77 | % \item  
 78 | % \item At end, $\ver$ asks $\ideal$ if some identity holds between $\set{f_1,\ldots,f_\ell,g_1,\ldots,g_t}$   \textbf{\textit{on $H$}}. 
 79 | % 
 80 | % \end{itemize}
 81 | % 
 82 | \end{frame}
 83 | \begin{frame}
 84 | \frametitle{Evaluating at $\infty$ via projective space}   
 85 | 
 86 | Evaluating $f(x)=\frac{x^2+x+1}{3x^2+1}$ at $\infty$:\\ \pause
 87 | \vspace{0.2in}
 88 | \textbf{Homogenize:} $--> \frac{x^2+xz+z^2}{3x^2+z^2}$ \\ \pause
 89 | 
 90 | \vspace{0.2in}
 91 | \textbf{Evaluate at $(x,z)=(1,0)$:}$\frac{1}{3}$
 92 | \end{frame}
 93 | \begin{frame}
 94 | \frametitle{Divisors of functions}   % insert frame title between curly braces
 95 | 
 96 | $f\in k(X)$
 97 | $$div(f)=\sum o_a(f)\cdot [a]$$
 98 | where $o_a(f)$ is the order of $f$ at $a$:\pause
 99 | $$f=(x-a)^{o_a(f)} (g(x))$$ 
100 | where $g(a)\neq 0,\infty$ \\ \pause
101 | \vspace{0.2in}
102 | How to compute $o_{\infty}(f)$? If $f=g/h$ for polys $g,h$, $o_{\infty}(f) = deg(h)-deg(g)$
103 | 
104 | 
105 | \end{frame}
106 | \begin{frame}
107 | \textbf{example:}
108 | $$f=\frac{(X-1)^2(X-2)}{X-3}$$
109 | $div(f)=2\cdot[1]+[2]-[3]-2[\infty]$.\pause
110 | 
111 | Define $deg(D)\defeq \sum_{a\in P} d_a$.\\  
112 | For $f\in k(X)$ we always have $deg(div(f))=0$.
113 | 
114 | \end{frame}
115 | \begin{frame}
116 |  \frametitle{The divisor class group}
117 |  \begin{itemize}
118 |   \item The set of divisors is a group under coordinate wise addition\pause
119 |   \item The set of divisors of degree zero is a subgroup $Div^0$ under this rule.\pause
120 |   \item If $D=div(f)$ for $f\in k(x)$ we call $D$ a principal divisor.\pause
121 |   \item The \emph{divisor class group of degree 0} is: $Div^0/$(principal divisors).
122 |   
123 |  \end{itemize}
124 | Is this an interesting group?\pause
125 | No, its trivial!
126 | But this gets more interesting when we do it over an elliptic curve instead of a field.
127 | \end{frame}
128 | \begin{frame}
129 | Suppose our curve $E$ is $y^2=x^3-x$.
130 | Instead of $k(X)$ we'll work now over $H\defeq k(x,y)/(y^2-x^3-x)$. \\ \pause
131 | \vspace{0.2in}
132 | For example in $H$, $x=y^2\cdot\frac{1}{x^2-1}$.\\ \pause
133 | \vspace{0.2in}
134 | Now, a divisor is $D=\sum_{P\in E}d_j [P]$,
135 | and for $f\in H$
136 | $div(f)=\sum_{P\in E} o_P(f)[P]$\\ \pause
137 | How to compute $o_P(f)$? \\
138 | $$f=u^{o_P(f)} \cdot g$$ 
139 | for $g$ with $g(P)\neq 0,\infty$
140 | and $u$ with $o_P(u)=1$.
141 | 
142 | \end{frame}
143 | \begin{frame}
144 | It can be shown, like in $k(X)$ we always have $deg(div(f))=0$.\\ \pause
145 | \vspace{0.2in}
146 |  \textbf{Example:$f=x$}
147 |  Compute $div(x)$.
148 |  Can be shown $o_{\infty}(x) =-2$,$o_{(0,0)}(y)=1$.\\ \pause
149 |  \vspace{0.2in}
150 |  Since $x=y^2\cdot\frac{1}{x^2-1}$, we have $o_{(0,0)} (x)= 2$.\\
151 |  \vspace{0.2in}
152 | So $div(x) = 2([0,0]) - 2[\infty]$. 
153 |  
154 | \end{frame}
155 | \begin{frame}
156 | \frametitle{The cool theorem}
157 | As before, we can define $C\defeq Div^0/(\textrm{principal divisors})$.\\ \pause
158 | \vspace{0.2in}
159 | It turns out $C$ is isomorphic to $E$ as a group!\\ \pause
160 | \vspace{0.2in}
161 | \end{frame}
162 | \begin{frame}
163 | \textbf{Proof sketch:}
164 | We will show that every divisor $D$ of degree zero 
165 | can be written as $D= div(g)+ [P]-[\infty]$.\\ \pause
166 | \vspace{0.2in}
167 | The idea is that divisors of line functions allow us to compress two points into one:
168 | If we have $[P_1]+[P_2]$ as part of divisor
169 | and $l(x,y)$ is the line passing through $P_1,P_2$
170 | then 
171 | $$div(l)=[P_1]+[P_2]+[P_3]-3[\infty]$$\\ \pause
172 | So can switch: $[P_1]+[P_2]--> div(l)-[P_3]-3\cdot [\infty]$
173 | 
174 | 
175 | 
176 | 
177 | \end{frame}
178 | 
179 | \end{document}
180 | 


--------------------------------------------------------------------------------
/divisors2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/divisors2.pdf


--------------------------------------------------------------------------------
/divisors2.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | \usepackage{amsthm}
  9 | %\usepackage[T1]{fontenc}
 10 | %\usepackage{fourier}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{eulervm}
 15 | % Class options include: notes, notesonly, handout, trans,
 16 | %                        hidesubsections, shadesubsections,
 17 | %                        inrow, blue, red, grey, brown
 18 | 
 19 | % Theme for beamer presentation.
 20 | %\usepackage{beamertheme} 
 21 | % Other themes include: beamerthemebars, beamerthemelined, 
 22 | %                       beamerthemetree, beamerthemetreebars  
 23 |  \newcommand{\prot}{\mathbf{P}}
 24 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 25 | \newcommand{\aggdeg}[1]{\mathfrak{d}(#1)}
 26 | \renewcommand{\deg}{\mathrm{deg}}
 27 | \newcommand{\xor}{\ensuremath{\oplus}}
 28 | \newcommand{\plonk}{\ensuremath{\mathcal{P} \mathfrak{lon}\mathcal{K}}}
 29 | \newcommand{\F}{\ensuremath{\mathbb F}}
 30 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 31 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 32 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 33 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 34 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 35 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 36 | \newcommand{\defeq}{\ensuremath{:=}}
 37 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 38 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 39 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 40 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 41 |  \newcommand{\polys}{\F[X]}
 42 | \newcommand{\acc}{{\mathbf{acc}}}
 43 | \newcommand{\ideal}{\mathbf{I}}
 44 | \newcommand{\gen}{\alpha}
 45 | \newcommand{\plookup}{\mathsf{plookup}}
 46 | \newcommand{\nl}{\\ \pause \vspace{0.2in}}
 47 | \newcommand{\roots}{\ensuremath\textrm{roots}}
 48 | %\setbeamersize{text margin left=3mm,text margin right=3mm} 
 49 | \title{\large{Into the weeds of EC pairings - part 2}}    % Enter your title between curly braces
 50 | \author{\small{Ariel Gabizon}\\                 % Enter your name between curly braces
 51 | \tt{\footnotesize{\textbf{Aztec} }}  }                                     
 52 | \begin{document}
 53 | \boldmath
 54 | % Creates title page of slide show using above information
 55 | \begin{frame}
 56 |   \titlepage
 57 | \end{frame}
 58 | 
 59 | 
 60 | 
 61 | \begin{frame}
 62 | \frametitle{Recap (paraphrased)}   % insert frame title between curly braces
 63 | $E: y^2=x^3-x$.  
 64 | 
 65 | $H=\set{\frac{f}{g}}$, where $f,g\in k[x,y]/(y^2-x^3-x)$. \\ \pause
 66 | \vspace{0.2in}
 67 | For $h\in H$,
 68 | $div(h)=\sum_{P\in E} a_P[P]$,
 69 | where $a_P$ is the order of $h$ at $P$.\\ \pause
 70 | Define function $\mathrm{sum}:\mathrm{Divisors}\to E$ by
 71 | $$\mathrm{sum}\left(\sum_{P\in E} a_P[P]\right) = \sum_{P\in E} a_P P$$\pause
 72 | \textbf{cool lemma:} Given a divisor $D$ there exists $h\in H$ with $div(h)=D$ iff
 73 | $deg(D)=0$ and $\mathrm{sum}(D)=\infty$.
 74 | 
 75 | \end{frame}
 76 | \begin{frame}
 77 | \frametitle{Torsion points}
 78 | Fix integer $n$ with $gcd(n,p)=1$.\\
 79 | $E[n]\defeq \set{P\in E|n P = \infty}$ \nl
 80 | \begin{theorem}
 81 |  $|E[n]|=n^2$ and $E[n]=\mathbb{Z}_n\times \mathbb{Z}_n$.\nl
 82 |  \end{theorem}
 83 | For $T\in E$ define $\roots(T)\defeq \set{P\in E\;| \;n P = T}$ \nl
 84 | $n:P\to n P$ is surjective, so  there is always some $Q_T\in \roots(T)$. \nl
 85 | Thus, $\roots(T)=\set{Q_T+P}_{P\in E[n]}$.
 86 | 
 87 | \end{frame}
 88 | \begin{frame}
 89 | \frametitle{Defining the Weil pairing}
 90 | \pause
 91 | Given $T\in E[n]$, we show there exists $g\in H$ with divisor
 92 | $D\defeq \sum_{P\in \roots(T)} [P] - \sum_{P\in E[n]} [P]$:\nl
 93 | $$D= \sum_{P\in E[n]} [Q_T+P] - \sum_{P\in E[n]} [P]$$\\ \pause
 94 | so $$\mathrm{sum}(D) =\sum_{P\in E[n]}(Q_T+P-P) = n^2\cdot Q_T = n\cdot T = \infty$$\\ \pause 
 95 | Now, given $S\in E[n]$ define
 96 | $$e(S,T)\defeq \frac{g(S)}{g(\infty)}$$
 97 | 
 98 | 
 99 | \end{frame}
100 | \begin{frame}
101 |  \begin{lemma} For any $S,T\in E[n]$ $e(S,T)\in \mu_n$ -  $\scriptstyle{\mu_n \defeq \set{a\in k, a^n=1}}$
102 |  \end{lemma}
103 |  There exists $f\in H$ with $div(f) = n\cdot [T] - n\cdot[\infty]$.\\ \pause
104 |  $$div(f\circ n) = n\sum_{Q\in \roots(T)} [Q] - n \sum_{Q\in E[n]} [Q]$$
105 |  $$= n\cdot div(g)= div(g^n)$$\pause
106 |  So $f\circ n = c\cdot g^n$ for some $c\in k$.\nl
107 |  So
108 |     $g(S)^n = f(n\cdot S) = f(\infty) = f(n\cdot \infty) = g^n(\infty)$.\\ \pause
109 |     Thus, $\left(\frac{g(S)}{g(\infty)}\right)^n =1 \Rightarrow e(S,T)\in \mu_n$.
110 |  \end{frame}
111 | \begin{frame}
112 |  \textbf{Showing bilinearity:}
113 | We use: For any $P\in E, S\in E[n]$, $\frac{g(S)}{g(\infty)}=\frac{g(P+S)}{g(P)}$. \nl
114 | In $S:$
115 | $$ e(S_1,T)\cdot e(S_2,T) = \frac{g(S_1)}{g(\infty)}\frac{g(S_1+S_2)}{g(S_1)}$$\pause
116 | $$= \frac{g(S_1+S_2)}{g(\infty)}= e(S_1+S_2,T)$$\pause
117 | 
118 | \end{frame}
119 | \begin{frame}
120 |  In $T:$
121 |  Choose $T_1,T_2$ and let $T_3\defeq T_1+T_2$. Let $f_i\in H$ have $div(f_i) = n[T_i]-n[\infty]$
122 |  for $i=1,2,3$.\nl
123 |  By Lemma, there exists $h\in H$ with $div(h)=[T_3]-[T_1]-[T_2]+[\infty]$.\nl
124 |  We have
125 |  $$n\cdot div(h) = div(f_3)-div(f_1)-div(f_2) = div\left(\frac{f_3}{f_1 f_2}\right)$$\pause
126 |  So $h^n = c \frac{f_3}{f_1 f_2} \rightarrow c f_3=h^n f_1 f_2$.\nl
127 |  Composing inside with $n$:
128 |  $$(f_3\circ n) = (h\circ n )^n (f_1\circ n) (f_2 \circ n)$$\pause
129 |  
130 | \end{frame}
131 | \begin{frame}
132 |  Equivalently, $g_3^n = (h\circ n)^n g_1 ^n g_2^n \Rightarrow g_3 = \gamma (h \circ n) g_1 g_2$,
133 |  for some $\gamma\in \mu_n$\nl
134 |  So 
135 |  $$e(S,T_1+T_2) = \frac{g_3(S)}{g_3(\infty)}= \frac{g_1(S)}{g_1(\infty)}\frac{g_2(S)}{g_2(\infty)}\frac{h(nS)}{h(\infty)}$$\pause
136 |  $$=e(S,T_1)e(S,T_2).$$
137 | \end{frame}
138 | 
139 | 
140 | 
141 | 
142 | \end{document}
143 | 


--------------------------------------------------------------------------------
/fccintro2022.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/fccintro2022.pdf


--------------------------------------------------------------------------------
/fccintro2022.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | \usepackage{amsthm}
  9 | %\usepackage[T1]{fontenc}
 10 | %\usepackage{fourier}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{eulervm}
 15 | % Class options include: notes, notesonly, handout, trans,
 16 | %                        hidesubsections, shadesubsections,
 17 | %                        inrow, blue, red, grey, brown
 18 | 
 19 | % Theme for beamer presentation.
 20 | %\usepackage{beamertheme} 
 21 | % Other themes include: beamerthemebars, beamerthemelined, 
 22 | %                       beamerthemetree, beamerthemetreebars  
 23 |  \newcommand{\prot}{\mathbf{P}}
 24 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 25 | \newcommand{\aggdeg}[1]{\mathfrak{d}(#1)}
 26 | \renewcommand{\deg}{\mathrm{deg}}
 27 | \newcommand{\xor}{\ensuremath{\oplus}}
 28 | \newcommand{\plonk}{\ensuremath{\mathcal{P} \mathfrak{lon}\mathcal{K}}}
 29 | \newcommand{\F}{\ensuremath{\mathbb F}}
 30 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 31 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 32 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 33 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 34 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 35 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 36 | \newcommand{\defeq}{\ensuremath{:=}}
 37 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 38 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 39 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 40 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 41 |  \newcommand{\polys}{\F[X]}
 42 | \newcommand{\acc}{{\mathbf{acc}}}
 43 | \newcommand{\ideal}{\mathbf{I}}
 44 | \newcommand{\gen}{\alpha}
 45 | \newcommand{\plookup}{\mathsf{plookup}}
 46 | \newcommand{\nl}{\\ \pause \vspace{0.2in}}
 47 | \newcommand{\nlnp}{\\ \vspace{0.2in}}
 48 | \newcommand{\stitle}[1]{{\large{\textcolor{purple}{\emph{#1}}}}}
 49 | \newcommand{\roots}{\ensuremath\textrm{roots}}
 50 | \setbeamersize{text margin left=3mm,text margin right=3mm} 
 51 | \title{\large{Medfree is the new vegan, vioxx shenaningans and futarchy}}    % Enter your title between curly braces
 52 | \author{\small{Ariel Gabizon}\\                 % Enter your name between curly braces
 53 | \tt{\footnotesize{\textbf{Aztec - which doesn't necessarily endorse the following messages ;)} }}  }                                     
 54 | \begin{document}
 55 | \boldmath
 56 | % Creates title page of slide show using above information
 57 | \begin{frame}
 58 | \maketitle
 59 | \end{frame}
 60 | 
 61 | 
 62 | 
 63 | \begin{frame}
 64 | Like most restaurants have one or two vegetarian and vegan option, every community
 65 | should have a \emph{MedFree} option.\nl
 66 | \textbf{MedFree} - Participation does not require mandatory medical interventions, including invasive tests.\nl
 67 | \emph{A goal of this conference is to put such an option ``on the menu'' of the zero-knowledge community.}
 68 | \end{frame}
 69 | 
 70 | \begin{frame}
 71 | \large{\textcolor{purple}{\emph{The ``zero-knowledge'' community?...A community of people who don't know anything?}}}\nl
 72 | 
 73 | Zero-Knowledge proofs are a cryptographic tool an order of magnitude more powerful than encryption.\\
 74 | \vspace{0.2in}
 75 | \emph{``If encryption is a light switch, zk proofs are a dimmer''}\nl
 76 | \end{frame}
 77 | \begin{frame}
 78 |  First conceived in 1985, zk-proofs lived mainly in theory papers for 30 years.\nl
 79 |  In the last decade, they've become more practical, and a multititude of companies are writing zkp software.\nl
 80 |  \textcolor{blue}{Many consider zk-snarks, a type of zkp, \textbf{the} tool for blockchain privacy and scalability solutions. Hence, the zk community heavily overlaps with several blockchain communities like Ethereum.}
 81 | \end{frame}
 82 | \begin{frame}
 83 | \large{\textcolor{purple}{\emph{Why MedFree?}}}\nl
 84 | %  \smalltitle{Why MedFree?}
 85 |  Let's go back in history 20 years and talk about Vioxx (we're all sick of talking about covid, right?) \nl
 86 |  \textcolor{blue}{..but let's stop and talk about Theranos one sec..
 87 |  that story alway gave me a warm and fuzzy feeling..why?\nl}
 88 |  \textbf{The subtext:}This was a very extreme exception $\Rightarrow$ the system is fine!!
 89 | \end{frame}
 90 | \begin{frame}
 91 |  \stitle{Credits}
 92 |  \emph{Based on Chapter one of ``Sickening'' by John Abramson}\nl
 93 | Anecdotally, a notorious covid \textbf{pro}-vaxer.
 94 | \end{frame}
 95 | \begin{frame}
 96 |  \frametitle{Vioxx}
 97 |  \begin{itemize}
 98 |   \item Developed by Merck for arthritis; approved in 1999.
 99 |   \item Used by 25 million Americans.
100 |   \item Last year on market - 2.5 Billion usd in revenue.\pause
101 |   
102 |   \item \textcolor{red}{Sept 2004 - taken off market after study showing it doubles risk of heart attack and stroke.}
103 |   \item estimated deaths caused: 40,000 - 60,000  \emph{``..roughly the number of American soldiers who died in the Vietnam War''}.\pause
104 | \item 2007 - Merck pays 4.85 Bil to settle civil suit of 27k plaintiffs claiming Vioxx caused their storke/heart attack.
105 | \item 2011 - Merck pays another 1B to settle other allegations.
106 |  \end{itemize}
107 | 
108 | \end{frame}
109 | \begin{frame}
110 |  \stitle{How it began:}\\
111 |  NSAIDs (Ibuprofen,Naproxen,..)
112 |  \begin{itemize}
113 |   \item 
114 |  Work by inhibiting an enzyme called Cyclooxygenase (COX). Results in reduction of pain, inflammation, fever.\nl
115 |  \item But since COX protects the stomach lining, this inhibition can cause GI/stomach problems, at worst case a \emph{hole} in your colon (perforated ulcer).
116 |  \end{itemize}
117 | 
118 |  
119 | \end{frame}
120 | \begin{frame}
121 |  \stitle{The COX-2 hypothesis}
122 |  Scientists discovered COX has two forms
123 |  \begin{itemize}
124 |   \item COX-1 protects lining of stomach.
125 |   \item COX-2 leads to inflammation.\nl
126 |  \end{itemize}
127 | So let's develop drugs that only inhibit COX-2!\nl
128 | \emph{The catch:} COX-1 and COX-2 balance each other in vascular system.COX-1 makes blood clots more likely, COX-2 opens blood vessels, makes them less likely.
129 | \end{frame}
130 | \begin{frame}
131 |  \stitle{Side thought: Is modern drug therapy an 8 year-old debugging code?}\\
132 |  $\vdots$\\
133 |  \emph{100 lines of code}\\
134 |  $\vdots$\\
135 | \texttt{ i++;}\\
136 |  $\vdots$\\
137 |  \emph{100 lines of code\\}
138 |  $\vdots$\\
139 | \texttt{print(i);}\nlnp
140 |  
141 |  \emph{\textcolor{blue}{``Hmmm..the computer printed 5 when I wanted 4 so I'll delete that i++..''}}
142 | \end{frame}
143 | \begin{frame}
144 |  \frametitle{The first Vioxx paper - Nov, 2000}
145 |  \emph{The VIGOR study showed 4 times more heart attacks, and 25$\%$ higher all-cause mortality when
146 |  using Vioxx vs a traditional NSAID (Naproxen).}
147 |  \begin{figure}
148 |   \includegraphics[width=300pt]{vioxxfirstsafety.png}
149 | %   \caption{A boat.}
150 | %   \label{fig:boat1}
151 | \end{figure}
152 | \end{frame}
153 | \begin{frame}
154 |  \stitle{Michael Jordan level moves - explaining away a 4X increase in heart attacks.}
155 |  \begin{figure}
156 |   \includegraphics[width=30pt]{jordan.png}
157 | %   \caption{A boat.}
158 | %   \label{fig:boat1}
159 | \end{figure}
160 | \textcolor{brown}{4\% of participants where prone to heart attack, so ``met FDA criteria'' for use of Aspirin as protection..but couldn't take it during study. The statistical significance was only in that group:}
161 |  \begin{figure}
162 |   \includegraphics[height=90pt]{vioxxfirstsecondtxt.png}
163 | \end{figure}\pause
164 | {\tiny\emph{Remark: These were not people actually \textbf{taking} Aspirin - those were already excluded from the trial}}
165 | 
166 |  
167 | \end{frame}
168 | \begin{frame}
169 |  \frametitle{Except that even that questionable logic was a flat out \textbf{lie}}\pause
170 | %  https://www.nejm.org/doi/full/10.1056/NEJMe068054
171 |  \begin{figure}
172 |   \includegraphics[width=300pt]{3missing.png}
173 | \end{figure}
174 |  
175 |  
176 |  
177 | \end{frame}
178 | \begin{frame}
179 |  \frametitle{Brought to you by Pfizer!..I mean Merck}
180 |  \begin{figure}
181 |   \includegraphics[width=300pt]{merck.png}
182 | \end{figure}
183 |  
184 | \end{frame}
185 | \begin{frame}
186 |  \frametitle{The second paper in NEJM - Aug, 2001}
187 |  \begin{figure}
188 |   \includegraphics[width=300pt]{secondpaperquote.png}
189 | \end{figure}
190 | % total 53  GI events https://www.nejm.org/doi/full/10.1056/nejm200011233432103
191 | 
192 | %16 vs 37 in second row of table 4
193 |  
194 | \end{frame}
195 | \begin{frame}
196 |  \frametitle{Ad Laundering}
197 |  Merck purchased 929,000 reprints of these articles from the NEJM for a price of between 697k to 836k usd, which it sent
198 |  to doctors.
199 | \end{frame}
200 | \begin{frame}
201 |  \frametitle{The information lag}
202 |  \textbf{2001:} FDA warning to Merck to stop marketing Vioxx as safe.\nlnp
203 |  \textbf{2004:} Stacey Palmer dies at 17; a healthy girl getting Vioxx for a headache from her doctor - samples he got from Merck.
204 |  \end{frame}
205 | \begin{frame}
206 |  \emph{Now coming to covid..}\nl
207 |  %Show Kratos animation
208 |  %https://youtu.be/JmhZZOH6IZ4?t=63
209 | The pharma moster has been turbo-charged with the power of government mandates.
210 | \end{frame}
211 | \begin{frame}
212 |  Pfizer trial - the impressive part:
213 |  %https://www.nejm.org/doi/suppl/10.1056/NEJMoa2110345/suppl_file/nejmoa2110345_appendix.pdf
214 |  \begin{figure}
215 |   \includegraphics[width=200pt]{pfizergood1.png}
216 |   \includegraphics[width=200pt]{pfizergood2.png}
217 | \end{figure}
218 | 
219 | \end{frame}
220 | 
221 | \begin{frame}
222 | Pfizer trial all cause mortality after \textbf{early unblinding}:
223 |  \begin{figure}
224 |   \includegraphics[width=300pt]{pfizerinitialallcausemortality.png}
225 | \end{figure}
226 | 
227 | \end{frame}
228 | \begin{frame}
229 |  \stitle{Except that that those numbers turned out to be wrong}\\
230 |  From  report on FDA site a few months later:
231 |  \begin{figure}
232 |   \includegraphics[width=300pt]{allcauseupdated.png}
233 | \end{figure}
234 |  
235 | \end{frame}
236 | \begin{frame}
237 |  \stitle{Even my once beloved meditation school is now mandating vaccines and giving medical advice}\\
238 |  \begin{figure}
239 |   \includegraphics[width=300pt]{dhara.png}
240 | \end{figure}
241 |  
242 | \end{frame}
243 | \begin{frame}
244 | \frametitle{A word about tests}
245 | Are we going to use tests that exclude almost as many healthy people from events as sick?
246 |  \begin{figure}
247 |   \includegraphics[width=300pt]{antigenfalse.png}
248 | %  \includegraphics[width=300pt]{pcrfalsepos.png}
249 | \end{figure}
250 |  
251 | \end{frame}
252 | \begin{frame}
253 | \stitle{In cryptographic terms - the prover and verifier got mixed up. Pharma company does the trial, and decides which
254 | data to represent to journal reviewers - which questions to answer.}
255 | \end{frame}
256 | \begin{frame}
257 |  \frametitle{Little Chariot vs Big Chariot}
258 |   \includegraphics[width=300pt]{sumeda.png}
259 | \end{frame}
260 | \begin{frame}
261 | \begin{itemize}
262 |  \item Little chariot - DYOR; avoid medical interventions with more risk than benefit. Go to MedFree events, travel to where individual rights are more respected.\pause
263 |  \item Big chariot - make ``The system'' work for benefit of the collective wellfare of the people.\emph{imo: very hard to do...maybe impossible?}
264 | \end{itemize}
265 | 
266 | \end{frame}
267 | \begin{frame}
268 |  \frametitle{The great divide - as I see it}
269 |  \begin{itemize}
270 |   \item \textbf{One group}  - follows the rules, is mad at the other group for being selfish and not willing to sacrifice for the 
271 |   social good.\pause
272 |   \item \textbf{Second group} - doesn't believe the rules are for the social good.\pause
273 |  \end{itemize}
274 | %anecdotes - Asaf in store.
275 | \textit{My view: Our cooperation and governance technologies are extremely primitive...can we do better?}\nl
276 | \textit{One answer I like:Futarchy and Democracy DAOs}
277 | 
278 | \end{frame}
279 | 
280 | \begin{frame}
281 |  \stitle{Before talking about futarchy - good time for break}
282 | \end{frame}
283 | \begin{frame}
284 |  \frametitle{Prediction Markets}
285 |  \begin{itemize}
286 |   \item Bank sells for 1\$ pairs of bonds ($A$,$B$), e.g. signifying two candidates in an election.\pause
287 |   \item After elections bank buys back bond of winning candidate for $1\$ $.\pause
288 |   \item During election people trade these two bond types  on the free market - their price gives a prediction of 
289 |   election result from people with \emph{skin in the game}
290 |  \end{itemize}
291 | 
292 | \end{frame}
293 | \begin{frame}
294 |  \frametitle{Democracy DAO - Merkle (over simplified)}
295 |  \textcolor{blue}{Instead of voting for a candidate or bill (e.g. brexit), people vote once a year by
296 |  a number from zero to one saying ``How good was my last year''.}\nlnp
297 |  $ACW_i\defeq$ the average of these numbers in year $i$. It's the Annual Collective Wellfare.
298 | \end{frame}
299 | \begin{frame}
300 |  \frametitle{Prediction markets based on $ACW$}
301 |  \begin{itemize}
302 |   \item In beginning of year, bank sells for 1\$ pairs of bonds $(P,N)$. 
303 |   \item At end of year bank redeems a $P$ for $ACW$ dollars and $N$ for $1-ACW$ dollars.
304 |  \end{itemize}
305 |  
306 | \end{frame}
307 | \begin{frame}
308 |  \frametitle{Conditional Prediction markets}
309 | \begin{itemize}
310 |  \item We have a future event $E$, e.g. $E=$ ``brexit bill will pass''.\pause
311 |  \item Bank sells for 1\$ a pair of bonds $(P_E,N_E)$.\pause
312 |  \item If $E$ didn't happen, bank reimburses a dollar to buyers of bond pairs.\pause
313 |  \item IF $E$ did happen - as before bank redeems $P_E$ for $ACW$ dollars and $N_E$ for $1-ACW$ dollars.
314 | \end{itemize}
315 | \end{frame}
316 | \begin{frame}
317 |  \frametitle{Governing in democracy DAO/futarchy}
318 |  \begin{itemize}
319 |   \item Given proposed law $L$, we start two conditional prediction markets - one with event $E=$``L was passed'',
320 |   the other with event $F=$``L didn't pass''.\pause
321 |   \item If after a while $P_E$ is worth more on the market than $P_F$, we pass the law; otherwise we don't.
322 |  \end{itemize}
323 | 
324 | \end{frame}
325 | 
326 | \end{document}
327 | 


--------------------------------------------------------------------------------
/fflonkzkstudyclub2021.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/fflonkzkstudyclub2021.pdf


--------------------------------------------------------------------------------
/fflonkzkstudyclub2021.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | 
  9 | %\usepackage[T1]{fontenc}
 10 | %\usepackage{fourier}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{amssymb, eulervm}
 15 | % Class options include: notes, notesonly, handout, trans,
 16 | %                        hidesubsections, shadesubsections,
 17 | %                        inrow, blue, red, grey, brown
 18 | 
 19 | % Theme for beamer presentation.
 20 | %\usepackage{beamertheme} 
 21 | % Other themes include: beamerthemebars, beamerthemelined, 
 22 | %                       beamerthemetree, beamerthemetreebars  
 23 |  \newcommand{\prot}{\mathbf{P}}
 24 | \newcommand{\aggdeg}[1]{\mathfrak{d}(#1)}
 25 | \renewcommand{\deg}{\mathrm{deg}}
 26 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 27 | \newcommand{\xor}{\ensuremath{\oplus}}
 28 | \newcommand{\plonk}{\ensuremath{\mathcal{P} \mathfrak{lon}\mathcal{K}}}
 29 | \newcommand{\F}{\ensuremath{\mathbb F}}
 30 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 31 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 32 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]_1}}
 33 | \newcommand{\enctwo}[1]{\ensuremath{\left[#1\right ]_2}}
 34 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 35 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 36 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 37 | \newcommand{\defeq}{\ensuremath{:=}}
 38 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 39 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 40 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 41 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 42 |  \newcommand{\polys}{\F[X]}
 43 | \newcommand{\acc}{{\mathbf{acc}}}
 44 | \newcommand{\ideal}{\mathbf{I}}
 45 | \newcommand{\gen}{\alpha}
 46 | 
 47 | %\setbeamersize{text margin left=3mm,text margin right=3mm} 
 48 | \title{\large{fflonk: cheaply opening many polynomials using the fast-fourier equation }}    % Enter your title between curly braces
 49 | \author{\small{Ariel Gabizon (based on work with Zac Williamson) }\\                 % Enter your name between curly braces
 50 |                                        }      % Enter your institute name between curly braces
 51 | \date{}                    % Enter the date or \today between curly braces
 52 | %\usefonttheme{professionalfonts}
 53 | %\usefonttheme[onlymath]{serif}
 54 | \begin{document}
 55 | \boldmath
 56 | % Creates title page of slide show using above information
 57 | \begin{frame}
 58 |   \titlepage
 59 |   \includegraphics{azteclogo.png}
 60 | \end{frame}
 61 | \begin{frame}
 62 |  \frametitle{ Motivation: Save gas on Ethereum}   % Insert frame title between curly braces
 63 |  \begin{itemize}
 64 |   \item Recent polynomial IOP based snarks (Sonic, Marlin, Plonk,..) verification consists of two pairings and some number $t$ of $G_1$ scalar multiplications.\pause
 65 |   \item Each $G_1$ scalar mult - 6000 gas 5usd.
 66 |   \item That's 76800usd  per scalar mult when doing an on chain proof once in half an our per scalar mult.\pause
 67 |   \item \textbf{This work:}  Getting $t$ down from 16 to 5 in plonk (at the cost of trippling prover time) .
 68 |  \end{itemize}
 69 | 
 70 | \end{frame}
 71 | \begin{frame}
 72 | \textit{snark verification reduces to polynomial commitment scheme (PCS) opening verification -}\\
 73 |  \vspace{0.4in}
 74 | a 3 minute reminder on the Kate-Zaverucha-Goldberg PCS
 75 | \end{frame}
 76 | \begin{frame}
 77 |  \frametitle{Polynomial commitment schemes {\small [KZG, 10]}}   % Insert frame title between curly braces
 78 | \begin{itemize}
 79 |  \item Prover send short commitment $\cm(f)$ to polynomial.\pause
 80 |  \item Later Verifier can choose value $s\in \F$.\pause
 81 |  \item Prover sends back $z=f(s)$ ; together with proof $\open{f,s}$ that $z$ is correct.\pause
 82 | \end{itemize}
 83 | KZG give us PCS with commitments and openings are practically 32 bytes.\\ 
 84 | \textit{Notation:} $\enc{x}=x\cdot g$ where $g$ generator of (first source group of) elliptic curve group with pairing.
 85 | \end{frame}
 86 | 
 87 | 
 88 | \begin{frame}
 89 | 
 90 |  Setup: $\enc{1},\enc{x},\ldots,\enc{x^d}$, for random $x\in \F$.\\ \pause
 91 |  \vspace{0.4in}
 92 |  $\cm(f)\defeq   \enc{f(x)}$\\ \pause
 93 |  \vspace{0.4in}
 94 | $\open{f,s}\defeq \enc{h(x)}$, where
 95 |  $h(X)\defeq \frac{f(X)-f(s)}{X-s}$\\ \pause
 96 |  \vspace{0.4in}
 97 |  $\verify{\cm,\pi,z,s}:$
 98 | \[e(\cm-\enc{z},\enc{1}) \stackrel{?}{=} e(\pi, \enc{x-s})\]
 99 | \end{frame}
100 | 
101 | 
102 | \begin{frame}
103 | \frametitle{Opening many polynomials at $s$}
104 | 
105 |  Input: $f_0,\ldots f_{d-1}$, $z_0=f_0(s),\ldots, z_{d-1}=f_{d-1}(s)$.\\ 
106 |  Verifier has commitments $\cm_i$ to $f_i$'s wants to verifier correctness of $z$'s.\\ \pause
107 | 
108 |  \vspace{0.4in}
109 |  
110 |  Naive solution: Run KZG for each $f_i$.\\
111 |  Cost: $d$ group elements in proof, $d$ pairings for verifier
112 |  
113 | \end{frame}
114 |  
115 | \begin{frame}
116 | \frametitle{Batched opening (Sonic,Marlin,Plonk)}
117 | \begin{itemize}
118 |  \item Verifier sends random $\gamma\in\F$\pause
119 |  \item Prover computes combination $f(X)\defeq \sum_{i<d} \gamma^i f_i(X)$
120 |  \item Verifier computes commitment to $f$ as $\cm(f)\defeq \sum_{i<d} \gamma^i \cm_i$
121 |  \item Prover and verifier use KZG to verify $f(s)=z$ for $z=\sum_{i<d} \gamma^i z_i$
122 | \end{itemize}
123 | \textit{cost:} $d-1$ verifier scalar muls to compute $\cm(f)$
124 | \textit{Punchline of this work:} can get rid of this $d$ dependence when $s$ is a $d$'th power
125 | \end{frame}
126 | \begin{frame}
127 | \frametitle{A useful tool from BDFG/Halo infinite}
128 | \textit{thm{\small [BDFG]}:} We can open a polynomial $f$ at points $s_0,\ldots,s_{d-1}$ with $2$ verifier scalar mults no matter how large $d$ is.\\ \pause
129 |  \vspace{0.4in}
130 |  \textit{If we can reduce opening many polys at $s$ to opening *one poly* at many points, we can use BDFG to get our desired result}
131 | \end{frame}
132 | \begin{frame}
133 | \frametitle{fflonk central idea: reduce opening many polys to one using the FFT identity}
134 | polys $f_0,f_1$, $a=f_0(s),b=f_1(s)$\\ \pause
135 |  \vspace{0.2in}
136 | \textit{First attempt:}
137 | Only open the sum -
138 | $F(X)\defeq f_0(X)+f_1(X)$.
139 | Prove that $F(s)=c=a+b$.\\ \pause
140 | \textit{problem:} Doesn't constrain $a,b$ individually - for any $a'$, $(a',c-a')$ will also verify \\ \pause
141 |  \vspace{0.2in}
142 | % \[F(X)=f_0(X)
143 | 
144 | \end{frame}
145 | \begin{frame}
146 | \textit{Solution:} Use ``FFT equation in reverse direction'':
147 |  \[F(X)=f_0(X^2)+X f_1(X^2)\]
148 | To commit to $f_0,f_1$ send $\cm(F)$.\\ \pause 
149 |  \vspace{0.2in}
150 | Assume $s=t^2$.\\
151 | To open $f_0(s),f_1(s)$ open $F$ at $\{t,-t\}$:\\ \pause
152 | \[b_0\defeq F(t) = f_0(s)+t f_1(s)=a+tb\]
153 | \[b_1\defeq F(-t) = f_0(s)-t f_1(s)=a-tb\]
154 | i.e. $(b_0,b_1)$ give two independent constraints on $(a,b)$!
155 | \end{frame}
156 | \begin{frame}
157 | Assume $s=t^2$.\\
158 | To open $f_0(s),f_1(s)$ open $F$ at $\{t,-t\}$:\\ \pause
159 | \[b_0\defeq F(t) = f_0(s)+t f_1(s)=a+tb\]
160 | \[b_1\defeq F(-t) = f_0(s)-t f_1(s)=a-tb\]
161 | i.e. $(b_0,b_1)$ give two independent constraints on $(a,b)$!
162 |  \vspace{0.2in}
163 | \begin{itemize}
164 |  \item Similar construction can open $d$ polys at any $s=t^d$
165 |  \item \textit{Important:} poly-iop based snarks work fine with a PCS that can only open $d$'th powers.
166 | \end{itemize}
167 | 
168 | \end{frame}
169 |  
170 | \begin{frame}
171 | \frametitle{Cheaply opening a poly at $d$ points \href{https://eprint.iacr.org/2020/081.pdf}{[BDFG]}}
172 | Given poly $f$ with commitment $\cm$, $s_0,\ldots,s_{d-1}\in \F$, suppose $z_i=f(s_i)$ for $i<d$.
173 | \begin{itemize}
174 |  \item Define poly $r$ of degree $<d$ with
175 | $r(s_i)=z_i$ for $i<d$.\pause
176 | \item Define $Z(X)=\prod_{i<d} (X-s_i)$. Then we have $Z|(f-r)$. \pause
177 | \item Let $h(X)\defeq (f(X)-r(X))/(Z(X)$. Prover sends $\pi = \enc{h(x)}$. \pause
178 | \item From [KZG]: Verifier can now check
179 | \[e(\cm-\enc{r(x)},1)=e(\pi,\enctwo{Z(x)}\]\pause 
180 | \end{itemize}
181 | \textit{This requires $d$ G1 and G2 verifier scalar muls!}
182 | \end{frame}
183 | \begin{frame}
184 | In [BDFG] we trade these scalar mults for an extra group element in the proof:
185 | \begin{itemize}
186 |  \item Verifier chooses random $\alpha\in \F$ and sends to prover.
187 |  \item Define the polynomial 
188 |  \[L(X)\defeq f(X)-r(\alpha)-Z(\alpha)h(X)\]\pause
189 | \item If evals are correct, $L(X)$ should be zero at $\alpha$\pause
190 | \item Verifer can compute $\cm(L)$ with only two scalar muls:
191 | \[\cm(L)= \cm -\enc{r(\alpha)}-Z(\alpha)\pi\]
192 | \item Prover and verifier can now use KZG to check $L(\alpha)=0$.
193 | \end{itemize}
194 | \end{frame}
195 | 
196 | 
197 | \end{document}
198 | 


--------------------------------------------------------------------------------
/jabba.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/jabba.png


--------------------------------------------------------------------------------
/jordan.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/jordan.png


--------------------------------------------------------------------------------
/lookupsstarksessions23.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/lookupsstarksessions23.pdf


--------------------------------------------------------------------------------
/lookupsstarksessions23.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | % \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | \usepackage{amsthm,amsfonts,amsmath}
  9 | %\usepackage[T1]{fontenc}
 10 | % \usepackage{fullpage}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{eulervm}
 15 |  \usepackage{numdef,graphicx}
 16 | \usepackage{framed} 
 17 | 
 18 | % Class options include: notes, notesonly, handout, trans,
 19 | %                        hidesubsections, shadesubsections,
 20 | %                        inrow, blue, red, grey, brown
 21 | 
 22 | % Theme for beamer presentation.
 23 | %\usepackage{beamertheme} 
 24 | % Other themes include: beamerthemebars, beamerthemelined, 
 25 | %                       beamerthemetree, beamerthemetreebars  
 26 | %  \usepackage[latexcolors]
 27 | \everymath{\color{purple}}
 28 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 29 | \newcommand{\F}{\ensuremath{{\mathbb F}}}
 30 | \newcommand{\Z}{\ensuremath{{\mathbb Z}}\xspace}
 31 | \newcommand{\Fclosure}{\ensuremath{{\overline{\mathbb{F}}}_p}}
 32 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 33 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 34 | % \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 35 | \newcommand{\enc}[1]{\ensuremath{#1\cdot G}}
 36 | \newcommand{\kzg}[1]{\ensuremath{\enc{#1(x)}}}
 37 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 38 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 39 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 40 | \newcommand{\defeq}{\ensuremath{:=}}
 41 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 42 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 43 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 44 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 45 | %  \newcommand{\endoss}{\ensuremath{\mathrm{END}_E}}
 46 |  \newcommand{\hl}[1]{\textbf{\textit{#1}}}
 47 |  \newcommand{\polys}{\F[X]}
 48 | \newcommand{\acc}{{\mathbf{acc}}}
 49 | \newcommand{\ideal}{\mathbf{I}}
 50 | \newcommand{\gen}{\alpha}
 51 | \newcommand{\spac}{\\  \vspace{0.2in} \noindent}
 52 | \newcommand{\polylog}{\ensuremath{\mathsf{polylog}}\xspace}
 53 | % \renewcommand{\bf}{\begin{frame}}
 54 | % \newcommand{\ef}{\end{frame}}
 55 | %\setbeamersize{text margin left=3mm,text margin right=3mm}  
 56 | \newcommand{\nl}{\\ \pause \vspace{0.2in}}
 57 | \newcommand{\nlnp}{\\ \vspace{0.2in}}
 58 | \newcommand{\stitle}[1]{{\large{\textcolor{purple}{\emph{#1}}}}}
 59 | \DeclareMathAlphabet{\mathpgoth}{OT1}{pgoth}{m}{n}	
 60 | \newcommand{\cq}{\mathpgoth{cq} }
 61 | \newcommand{\cqstar}{\ensuremath{\mathpgoth{cq^{\mathbf{*}} }}}
 62 | \newcommand{\flookup}{{\mathsf{\mathpgoth{Flookup}}}}
 63 | \newcommand{\baloo}{{\mathrm{ba}\mathit{loo}}}
 64 | \newcommand{\caulkp}{{\mathsf{\mathrel{Caulk}\mathrel{\scriptstyle{+}}}}}
 65 | \newcommand{\caulk}{{\mathsf{Caulk}}}
 66 | \newcommand{\plookup}{\ensuremath{\mathpgoth{plookup}}\xspace}
 67 | \newcommand{\srs}{\ensuremath{\mathsf{srs}}}
 68 | \newcommand{\tablegroup}{\ensuremath{\mathbb{H}}\xspace}
 69 | \newcommand{\V}{\ensuremath{\mathbf{V} }\xspace}
 70 | \newcommand{\bigspace}{\ensuremath{\mathbb{V}}}
 71 | \newcommand{\papertitle}{Cached quotients and lookups}
 72 | %\newcommand{\authorname}}
 73 | \newcommand{\company}{}
 74 | \newcommand{\witsize}{{n}}
 75 | \newcommand{\witruntime}{\ensuremath{\witsize\log\witsize}\xspace}
 76 | \newcommand{\tabsize}{{N}}
 77 | \newcommand{\tabruntime}{\ensuremath{\tabsize\log\tabsize}\xspace}
 78 | \newcommand{\Gone}{{\mathbb G}_1}
 79 | \newcommand{\Gi}{\ensuremath{{\mathbb G}_i}\xspace}
 80 | \title{ \bf \papertitle \\[0.72cm]}
 81 | \author{Ariel Gabizon} 
 82 | 
 83 | %\usefonttheme{professionalfonts}
 84 | %\usefonttheme[onlymath]{serif}
 85 | \begin{document}
 86 | \boldmath
 87 | % Creates title page of slide show using above information
 88 | \begin{frame}
 89 |   \titlepage
 90 | \end{frame}
 91 |                            % typeset with the notes or notesonly class options
 92 | \begin{frame}
 93 | \frametitle{Constraints vs Lookups}
 94 | \textbf{Example:} Check $0\leq x \leq 2^n-1$\nl
 95 | \textbf{Constraint approach:}\\
 96 | Prover sends $b_0,\ldots,b_{n-1}$. Shows:
 97 | \begin{itemize}
 98 |  \item 
 99 | $\forall i, b_i\in \set{0,1}$
100 | \item
101 | $\sum_{i} b_i2^i =x$.\nl
102 | \end{itemize}
103 | Requires $n+1$ constraints.
104 | 
105 | \end{frame}
106 | \begin{frame}
107 | \frametitle{Lookup approach}
108 | Preprocess table $T=\set{0,\ldots,2^n-1}$.Let $N:=|T|$. \\ \noindent 
109 | Devise protocol to check $x\in T$.\nl
110 | \textit{\color{blue}{Old results - good when amortized:}}\\ \noindent
111 | \noindent
112 | \textbf{Thm[plookup]:}  Can check $m$ different $x$'s are in $T$ in $O(m+ N)$
113 |  constraints.\nl
114 | 
115 | \textit{\color{blue}{New results - prover doesn't pay for table size!!\\}}
116 | \textbf{Thm [Caulk...$\cq$]:} After $O(N\log N)$ preprocessing, can check $x\in T$, in $O(1)$ constraints. 
117 | \end{frame}
118 | %\section[Outline]{}
119 | 
120 | % Creates table of contents slide incorporating
121 | % all \section and \subsection commands
122 | % \begin{frame}
123 | %   \tableofcontents
124 | % \end{frame}
125 | % \begin{frame}
126 | % \frametitle{Outline}
127 | %  
128 | % \begin{itemize}
129 | %  \item 
130 | % PCS/KZG review\pause
131 | % \item
132 | % KZG shenanigans 
133 | % \begin{enumerate}
134 | %  \item Committing to sparse polys.
135 | % \item ``cached quotients''\pause
136 | % 
137 | % \end{enumerate}
138 | % \item Lookups
139 | % \begin{enumerate}
140 | %  \item Motivation
141 | % \item  New results:$\cq$
142 | % \end{enumerate}
143 | % \end{itemize}
144 | % \end{frame}
145 | % 
146 | \begin{frame}
147 | {\large{\textbf{Rest of talk:} explain main technical component of new works - \emph{cached quotients}}}\pause
148 | \emph{First - a brief recap of polynomial commitment schemes..}
149 | 
150 |  \end{frame}
151 | \begin{frame}
152 |  \frametitle{The KZG Polynomial commitment scheme}   % Insert frame title between curly braces
153 |  $G$ - generator of pairing friendly elliptic curve group.\\
154 |  \vspace{0.2in}
155 |  $\srs \defeq \enc{1},\enc{x},\ldots,\enc{x^d}$, for random $x\in \F$.\nl
156 |  For $f\in \F[X]$ of degree $d$: 
157 | $$\color{purple} \cm(f)\defeq   \enc{f(x)}$$\nl
158 |  \textbf{Central Feature:}
159 |  Given $\cm(f)$ and any $a\in \F$; there is short proof for correctness of $z=f(a)$. 
160 | \end{frame}
161 | \begin{frame}
162 |  \frametitle{The KZG Polynomial commitment scheme}   % Insert frame title between curly braces
163 |  $\srs \defeq \enc{1},\enc{x},\ldots,\enc{x^d}$, for random $x\in \F$.\\ 
164 |  $\cm(f)\defeq   \enc{f(x)}$\\ 
165 |  \vspace{0.2in}
166 |  Nice features:\pause
167 |  \begin{itemize}
168 |   \item \textbf{Linearity:} $\cm(f+g) = \cm(f)+\cm(g)$\pause
169 |   \item \textbf{Product checks:} Given $\cm(f_1),\cm(f_2),\cm(g_1),\cm(g_2)$ can check $f_1(X)f_2(X)\stackrel{?}{\equiv} g_1(X)g_2(X)$ via pairings.\\
170 |   (Secure in the Algebraic Group Model)
171 |  \end{itemize}
172 | 
173 | \end{frame}
174 | \begin{frame}
175 |  \frametitle{Cached Quotients - a motivating example from $\caulk$[ZBKMN]}\pause
176 |  $Z_T(X)=\prod_{a\in T} (X-a)$ 
177 |  a vanishing polynomial of a subset $T\subset \F$ .\nl
178 |  $\cm(Z_T),\cm(f)$ given to verifier.\pause \\
179 |  Prover wants to show $f=Z_S$ for some $S\subset T$.\nl
180 |  
181 |  Can we do this in $O(|S|)$ prover operations?(think $|S|<<|T|$)
182 | \end{frame}
183 | \begin{frame}
184 | \frametitle{Cached quotients idea:}
185 |  The quotient $Z_{T\setminus S}(X) =\frac{Z_T(X)}{Z_S(X)}$ is a ``witness'' to $S\subset T$. \nl
186 | \begin{itemize}
187 |  \item Enough to compute \textbf{commitment} to $Z_{T\setminus S}$. \pause
188 |  \item This commitment is a \textbf{sparse combination} of commitments we can \textbf{precompute}.
189 | \end{itemize}
190 | \emph{details in next slide..}
191 | \end{frame}
192 | 
193 | \begin{frame}
194 | % \frametitle{Fractional decomposition:}
195 |  For each $i\in T$, let $g_i(X)\defeq Z_{T\setminus\set{i}}(X)$.\nl
196 |  We have {\small[Tomescu et. al]}
197 |  \[Z_{T\setminus S} (X) = \sum_{i\in S} c_i\cdot g_i(X)\]
198 |  for some $c_i\in \F$.\nl
199 |  
200 | 
201 |  We precompute $\cm(Z_T),\sett{\cm(g_i)}{i\in T}$.\nlnp
202 | \end{frame} 
203 |  \begin{frame}
204 |  Prover then computes in $|S|$ operations:
205 |  \[\color{purple}\pi:=\cm(Z_{T\setminus S}) = \sum_{i\in S} c_i\cdot \cm(g_i)\]\nl
206 | Verifier checks with pairing that:
207 | \[\color{purple}e(\cm(f),\pi) =e(\cm(Z_T),\enc{1})\]
208 | \end{frame}
209 | 
210 | 
211 | \end{document}
212 | 


--------------------------------------------------------------------------------
/luke.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/luke.png


--------------------------------------------------------------------------------
/merck.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/merck.png


--------------------------------------------------------------------------------
/monerokon24gfft.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/monerokon24gfft.pdf


--------------------------------------------------------------------------------
/monerokon24gfft.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz,circuitikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | \usepackage{amsthm,amsfonts}
  9 | %\usepackage[T1]{fontenc}
 10 | % \usepackage{fullpage}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{eulervm}
 15 | \usepackage[export]{adjustbox}
 16 | \everymath{\color{purple}}
 17 | % Class options include: notes, notesonly, handout, trans,
 18 | %                        hidesubsections, shadesubsections,
 19 | %                        inrow, blue, red, grey, brown
 20 | 
 21 | % Theme for beamer presentation.
 22 | %\usepackage{beamertheme} 
 23 | % Other themes include: beamerthemebars, beamerthemelined, 
 24 | %                       beamerthemetree, beamerthemetreebars  
 25 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 26 | \newcommand{\F}{\ensuremath{{\mathbb F}}}
 27 | \renewcommand{\P}{\ensuremath{{\mathbb P}}}
 28 | \newcommand{\Z}{\ensuremath{{\mathbb Z}}\xspace}
 29 | \newcommand{\Fclosure}{\ensuremath{{\overline{\mathbb{F}}}_p}}
 30 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 31 | \newcommand{\bin}{\ensuremath{\set{0,1}}}
 32 | \newcommand{\cube}{\ensuremath{\bin^n}}
 33 | 
 34 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 35 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 36 | % \newcommand{\kzg}[1]{\ensuremath{\enc{#1(x)}}}
 37 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 38 | \newcommand{\kzg}[1]{\cm(#1)}
 39 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 40 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 41 | \newcommand{\defeq}{\ensuremath{:=}}
 42 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 43 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 44 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 45 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 46 | %  \newcommand{\endoss}{\ensuremath{\mathrm{END}_E}}
 47 |  \newcommand{\hl}[1]{\textbf{\textit{#1}}}
 48 |  \newcommand{\polys}{\F[X]}
 49 | \newcommand{\acc}{{\mathbf{acc}}}
 50 | \newcommand{\ideal}{\mathbf{I}}
 51 | \newcommand{\gen}{\alpha}
 52 | \newcommand{\spac}{\\  \vspace{0.2in} \noindent}
 53 | \newcommand{\polylog}{\ensuremath{\mathsf{polylog}}\xspace}
 54 | % \renewcommand{\bf}{\begin{frame}}
 55 | % \newcommand{\ef}{\end{frame}}
 56 | %\setbeamersize{text margin left=3mm,text margin right=3mm}  
 57 | \newcommand{\nl}{\\ \pause \vspace{0.2in}}
 58 | \newcommand{\nlnp}{\\ \vspace{0.2in}}
 59 | \newcommand{\stitle}[1]{{\large{\textcolor{purple}{\emph{#1}}}}}
 60 | \DeclareMathAlphabet{\mathpgoth}{OT1}{pgoth}{m}{n}	
 61 | \newcommand{\cq}{\mathpgoth{cq} }
 62 | \newcommand{\cqstar}{\ensuremath{\mathpgoth{cq^{\mathbf{*}} }}\xspace}
 63 | \newcommand{\flookup}{\ensuremath{\mathsf{\mathpgoth{Flookup}}}\xspace}
 64 | \newcommand{\baloo}{\ensuremath{\mathrm{ba}\mathit{loo}}\xspace}
 65 | % \newcommand{\caulkp}{\ensuremath{\mathsf{\mathrel{Caulk}\mathrel{\scriptstyle{+}}}}\xspace}
 66 | \newcommand{\caulk}{\ensuremath{\mathsf{Caulk}}\xspace}
 67 | \newcommand{\plookup}{\ensuremath{\mathpgoth{plookup}}\xspace}
 68 | \newcommand{\srs}{\ensuremath{\mathsf{srs}}}
 69 | \newcommand{\tablegroup}{\ensuremath{\mathbb{H}}\xspace}
 70 | \newcommand{\V}{\ensuremath{\mathbf{V} }\xspace}
 71 | % \newcommand{\caulk}{{\mathsf{Caulk}}}
 72 | % \newcommand{\caulkp}{{\mathsf{\mathrel{Caulk}\mathrel{\scriptstyle{+}}}}}
 73 | \newcommand{\bigspace}{\ensuremath{\mathbb{V}}}
 74 | 
 75 | %\setbeamersize{text margin left=3mm,text margin right=3mm} 
 76 | \title{\large{GFFT on projective line}}    % Enter your title between curly braces
 77 | \author{\small{Ariel Gabizon}\\                 % Enter your name between curly braces
 78 | \tt{\footnotesize{Zeta Function Technologies}                                       } }      % Enter your institute name between curly braces
 79 | \date{}                    % Enter the date or \today between curly braces
 80 | %\usefonttheme{professionalfonts}
 81 | %\usefonttheme[onlymath]{serif}
 82 | \begin{document}
 83 | \boldmath
 84 | % Creates title page of slide show using above information
 85 | \begin{frame}
 86 |   \titlepage
 87 | \end{frame}
 88 | 
 89 | 
 90 | % \begin{frame}
 91 | % \large{plonk is a protocol to make short proofs about circuit satisfiability.}
 92 | %  \begin{figure}
 93 | %   \includegraphics[width=260pt]{circuit.png}
 94 | % \end{figure}
 95 | % \end{frame}
 96 | \begin{frame}
 97 |  \frametitle{FFT Reminder}
 98 |  
 99 |  
100 |  
101 |  $S=\set{g,g^2,\ldots,g^{n}=1},n=2^k$\nl
102 |  Want to evaluate $f(X)\in \F[X]$ of deg $<n$ on $S$.\pause
103 |  Use recursive formula
104 |  \[f(X)=f_e(X^2)+X\cdot f_o(X^2)\]
105 |  
106 |  Since the map $x\to x^2$ is 2-to-1 on $S$, this reduces $n$ evals of $f$ to $n/2$ evals of two deg $n/2$ polys.\nl
107 | 
108 |  
109 |  Requires $n|p-1$, where $p=|\F|$.
110 |  
111 |  Can we do something when  $n|(p+1)$ instead?? 
112 |  % \begin{itemize}
113 | %  \item 
114 | % \end{itemize}
115 |  
116 | \end{frame}
117 | \begin{frame}
118 |  \frametitle{Reflection - why does FFT work?}
119 |  $S=\set{g,g^2,\ldots,g^{n}=1},n=2^k$\nl
120 | The map $\sigma(x)=g\cdot x$ goes over $S$ as a cycle.\nl
121 | \begin{itemize}
122 | \item Let $\tau = \sigma^{n/2}$. So $\tau(x)=-x$, and $\tau^2(x)=x$.
123 | \item The elements of $S$ split into disjoint pairs $(a,-a)$.\pause
124 | \item Define $N(X)=X \cdot \tau(X)=-X^2$. $N$ maps elements of a pair to the same output.\nl  
125 | \textit{Can we find a set of size $p+1$ with a similar cyclical $\sigma$?}
126 | \end{itemize}
127 | 
128 | \end{frame}
129 | \begin{frame}
130 |  \frametitle{The Projective line and fractional transformations}
131 |  
132 |  How to get set $\P$ of size $2^k$?
133 |  Look at \emph{projective line} $\P\defeq \F\cup\infty$\nl
134 |  Take fractional map:
135 |  $\sigma(x)= \frac{1}{ax+b}$
136 |  
137 |  Define: $\sigma(-b/a)=\infty,\sigma(\infty)=0$.\nl
138 |  
139 |  \textbf{claim:}For the right choice of $a,b$ $\sigma$ makes a cycle over all of \P!
140 |  
141 |  
142 |  
143 | \end{frame}
144 | \begin{frame}
145 |  \frametitle{How do people formally represent the projective line?}
146 |  \textbf{Projective coordinates:}
147 |  Represent $a\in F$ by  $(c,d)$ with $a=c/d$ e.g. $(a,1)$.\nlnp
148 |  So $\infty=(1,0)$.\nl
149 |  
150 | 
151 | \end{frame}
152 | 
153 | \begin{frame}
154 |  \frametitle{How do people formally represent the projective line?}
155 | \textbf{As a circle in the plane:}\nlnp
156 | \begin{circuitikz}
157 |     % Draw the real line
158 |     \draw[thick] (-2,0) -- (2,0);
159 |     \node at (2.5,0) {};
160 |     
161 |     % Draw the larger circle a bit lower above the real line
162 |     \draw (0,1.5) node[circle,draw,minimum size=1.5cm] (circle) {};
163 |     \node at (0,1.5) {};
164 | \filldraw (circle.north) circle (2pt) node[above] {$\infty$};
165 |     % Draw a line from the top of the circle to somewhere on the real line
166 |     \draw (circle.north) -- (1,0);
167 | 
168 |     % Add little black dots at the connection points
169 |     \filldraw (circle.north) circle (2pt);
170 |     \filldraw (1,0) circle (2pt);
171 | 
172 |     % Connect the circle to the real line with a dashed line
173 |     \draw[dashed] (0,0) -- (circle);
174 | 
175 |     % Calculate the intersection point of the line and the circle
176 |     \coordinate (intersection) at ($(circle) + (-41:0.75cm)$);
177 |     \filldraw (intersection) circle (2pt);
178 | \end{circuitikz}
179 | \vspace{0.3in}\nlnp
180 | \textit{See Circle STARK paper [HLP24] for this approach}
181 | \end{frame}
182 | \begin{frame}
183 |  \frametitle{How do people formally represent the projective line?}
184 | \textbf{As places of the field $K=\F(X)$:}\nl
185 | {\textcolor{green} {Dfn:}} A \emph{valuation ring} of $R\subset \F(X)$ is a subring such that
186 | $\forall y\in K$ $y\in R$ or $1/y\in R$ (or both).\nl
187 | % \textit{\small{ Reminder:ring is set of elements closed under add/mult but maybe no divide}}\nl
188 | 
189 | \textbf{Example:}  Choose $a\in F$, take $R_a=\{f(X)/g(X)| f,g\in \F[X], g(a)\neq 0 \}$.\nl
190 | 
191 | % \textit{Reminder: an ideal $I\subset R$ is closed under addition; and multiplication by \emph{any element of $R$}}
192 | 
193 | % The unique maximal ideal of $R_a$ is $I_a=\set{(X-a)\cdot r|r\in R}$
194 | 
195 | 
196 | % \textit{Cool thing: $R_a/I_a=\F$. And we can evaluate $r\in R$ at $a$ by taking $r\;\mod\; I$}\nl
197 | 
198 | 
199 | Valuation rings in $K$, are also called ``places'' of $K$. 
200 | 
201 | 
202 | \end{frame}
203 | \begin{frame}
204 | The unique maximal ideal of $R_a$ is $I_a=\set{(X-a)\cdot r|r\in R}$\nl
205 | \textit{Cool thing: $R_a/I_a=\F$. And we can evaluate $r\in R_a$ at $a$ by taking $r\;\mod\; I_a$}\nl
206 | This gives the same result as ``normal'' evaluation!
207 |  
208 | \end{frame}
209 | 
210 | \begin{frame}
211 |  \frametitle{The infinity point in the algebraic representation}
212 |  There is \emph{one more} place of degree one in $K$:
213 |  $R_{\infty}=\set{f(X)/g(X)|deg(f)\leq deg(g)}$. \nl
214 |  $R_{\infty}=$ ``the set of functions that can be evaluated at infinity''
215 |  
216 | \end{frame}
217 | \begin{frame}
218 |  \textit{What does this last part have to do with FFT?}\nlnp
219 | Like in regular FFT - we'll end up needing to represent $f(X)$ as a combination of two functions $f_e(N(X)), f_o(N(X))$
220 | of half the ``degree''; where $N$ will be a degree two rational function.\nl
221 | Working within the function field gives us convenient tools to construct the right bases for representing $f,f_e,f_o$,
222 | and defining degree in the right way.
223 | 
224 |  
225 | \end{frame}
226 | 
227 | 
228 | \end{document}
229 | 


--------------------------------------------------------------------------------
/numdef.sty:
--------------------------------------------------------------------------------
  1 | % Save file as: NUMDEF.STY             Source: FILESERV@SHSU.BITNET  
  2 | %                    numdef.sty
  3 |                      %%%%%%%%%%
  4 | 
  5 | % Prefixing a macro definition with \num allows numbers at the end of
  6 | % the command name ( At first glance )
  7 | 
  8 | % eg:
  9 | % \num\def\x1{x one}
 10 | % \num\def\x2{x two}
 11 | % \num\newcommand{\y100}[1]{y one hundred, with argument #1}
 12 | 
 13 | %                   David Carlisle
 14 | %                   carlisle@uk.ac.man.cs
 15 | 
 16 | % NOTE: this is a LaTeX style option, but may be used with plain TeX.
 17 | %   \catcode`\@=11 \input numdef.sty \catcode`\@=12
 18 | 
 19 | % SEE NOTES AT END OF FILE
 20 | %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 21 | 
 22 | \def\num@def#1{\def\num@name{#1}\edef\num@str{\string #1}%
 23 |   \expandafter\ifx\csname\num@str{*}\endcsname
 24 |                   \relax\num@start\fi\futurelet\next\num@d@f}%
 25 | 
 26 | \def\num@d@f{\ifx\next*\let\@tempa\num@defA
 27 |                 \else\ifx\next\bgroup\let\@tempa\num@defB
 28 |                 \else\let\@tempa\num@defC \fi\fi\@tempa}%
 29 | 
 30 | \newcount\num@count
 31 | \def\N{\number\num@count}%
 32 | 
 33 | \def\num@defA*{\def\num@{*}\num@def@}%
 34 | \def\num@defB#1{\let\num@=\N\num@count= #1 \num@def@}%
 35 | \def\num@defC{\let\num@=\N\afterassignment\num@def@\num@count= }%
 36 | 
 37 | \def\num@def@{\expandafter\num@define\csname\num@str{\num@}\endcsname}%
 38 | 
 39 | %%
 40 | \def\num#1#2{\let\num@define=#1\num@def#2}%
 41 | %%
 42 | 
 43 | \def\num@start{%
 44 |   \expandafter\ifx\num@name\@undefined\let\next\num@st@rt
 45 |   \else\def\next{\errmessage{numdef: \num@str\space is already defined}}%
 46 |   \fi\next}%
 47 | 
 48 | \def\num@st@rt{\expandafter\def\csname\num@str{*}\endcsname
 49 |     {\errmessage{numdef: \num@str\N\space is not defined}}%
 50 |  \expandafter\num@use\num@name}%
 51 | 
 52 | \def\num@use#1{\def#1{\edef\num@str{\string #1}\futurelet\@tempa\num@us@}}
 53 | \def\num@us@{%
 54 |   \ifx\@tempa\bgroup\let\next\num@useA\else\let\next\num@useB\fi\next}
 55 | 
 56 | \def\num@useA#1{\num@count= #1 \num@use@}%
 57 | \def\num@useB{\afterassignment\num@use@\num@count= }%
 58 | \def\num@use@{\expandafter\ifx\csname\num@str{\N}\endcsname\relax
 59 |   \def\num@{*}\else\let\num@=\N\fi\csname\num@str{\num@}\endcsname}%
 60 | 
 61 | %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 62 | \endinput
 63 | 
 64 | \num takes a liberal view of where to put { } pairs. In particular
 65 | the <number> and/or the command name may be surrounded by { }.
 66 | 
 67 | The token after \num must be a command for defining macros. If a \long
 68 | (or \outer) def is required, first define, eg, \def\ldef{\long\def} as
 69 | \num\long\def ... does NOT work.
 70 | All of the following definitions are equivalent:
 71 | \num\ldef\x10#1{x ten (#1)}              \num\ldef\x{10}#1{x ten (#1)}
 72 | \num\ldef\x{"A}#1{x ten (#1)}            \num\ldef\x'12#1{x ten (#1)}
 73 | \num\newcommand{\x10}[1]{x ten (#1)} \num\newcommand{\x{10}}[1]{x ten (#1)}
 74 | 
 75 | To use the macro defined via \num just type the name followed by the
 76 | <number>, optionally enclosed by { }.
 77 | eg   \x10{abc}   \x{10}{abc}  \X"A{abc}   all produce "x ten (abc)".
 78 | If the <number> is not surrounded by { }, the command name gobbles spaces
 79 | 
 80 | If there has not been a definition corresponding to the <number>, then a
 81 | default command is run, initially this produces an error message, but it
 82 | can be redefined using `*' instead of a <number> thus after one of the
 83 | above definitions \x2 would generate an error "\x2 is not defined"
 84 | If a default definition for \x<number> is required, use a definition
 85 | such as
 86 | \num\def\x*{the replacement text for x\N}
 87 | Here \N stands for the value of the <number>, so now \x2 expands to
 88 | "the replacement text for x2"
 89 | eg:
 90 | \num\def\poly1{degenerate case (n=1)} \num\def\poly2{degenerate case (n=2)}
 91 | \num\def\poly3{triangle}              \num\def\poly4{quadrilateral}
 92 | \num\def\poly*{$\N$-gon}
 93 | 
 94 | Note that this example could more easily be achieved by
 95 | \def\poly#1{\ifcase #1\or degenerate case (n=1) \or ...\else $#1$-gon\fi}
 96 | 
 97 | \num is only really useful if one needs to have an `array' of macros and
 98 | need to update the definition of one macro in the array without altering
 99 | the expansions of the others.
100 | 
101 | Warning, if you use the * form to define a macro with arguments, make sure
102 | that any macro that might change the value of \N is kept local to a { } group
103 | eg
104 | \num\def\z1{NOW}   \num\def\y*#1{N is \N, #1\  N is \N}
105 | 
106 | \y3{\z1}  % produces "N is 3 NOW N is 1"  \z1 has made \N be 1
107 | \y3{{\z1}}% produces "N is 3 NOW N is 3"  changes to \N are local to a group.
108 | 
109 | 


--------------------------------------------------------------------------------
/pcrfalsepos.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/pcrfalsepos.png


--------------------------------------------------------------------------------
/pfizergood1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/pfizergood1.png


--------------------------------------------------------------------------------
/pfizergood2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/pfizergood2.png


--------------------------------------------------------------------------------
/pfizerinitialallcausemortality.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/pfizerinitialallcausemortality.png


--------------------------------------------------------------------------------
/plookupinactionDystopia2020.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/plookupinactionDystopia2020.pdf


--------------------------------------------------------------------------------
/plookupinactionDystopia2020.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | 
  9 | %\usepackage[T1]{fontenc}
 10 | %\usepackage{fourier}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{amssymb, eulervm}
 15 | % Class options include: notes, notesonly, handout, trans,
 16 | %                        hidesubsections, shadesubsections,
 17 | %                        inrow, blue, red, grey, brown
 18 | 
 19 | % Theme for beamer presentation.
 20 | %\usepackage{beamertheme} 
 21 | % Other themes include: beamerthemebars, beamerthemelined, 
 22 | %                       beamerthemetree, beamerthemetreebars  
 23 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 24 | \newcommand{\xor}{\ensuremath{\oplus}}
 25 | \newcommand{\plonk}{\ensuremath{\mathcal{P} \mathfrak{lon}\mathcal{K}}}
 26 | \newcommand{\F}{\ensuremath{\mathbb F}}
 27 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 28 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 29 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 30 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 31 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 32 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 33 | \newcommand{\defeq}{\ensuremath{:=}}
 34 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 35 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 36 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 37 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 38 |  \newcommand{\polys}{\F[X]}
 39 | \newcommand{\acc}{{\mathbf{acc}}}
 40 | \newcommand{\ideal}{\mathbf{I}}
 41 | \newcommand{\gen}{\alpha}
 42 | 
 43 | %\setbeamersize{text margin left=3mm,text margin right=3mm} 
 44 | \title{\large{Plookup in action}}    % Enter your title between curly braces
 45 | \author{\small{Ariel Gabizon  \; Zachary J. Williamson}\\                 % Enter your name between curly braces
 46 |                                       } }      % Enter your institute name between curly braces
 47 | \date{}                    % Enter the date or \today between curly braces
 48 | %\usefonttheme{professionalfonts}
 49 | %\usefonttheme[onlymath]{serif}
 50 | \begin{document}
 51 | \boldmath
 52 | % Creates title page of slide show using above information
 53 | \begin{frame}
 54 |   \titlepage
 55 |   \includegraphics{azteclogo.png}
 56 | \end{frame}
 57 | 
 58 | \begin{frame}
 59 | \frametitle{Turbo-PLONK programs {\small (based on PLONK[GWC])} }   % Insert frame title between curly braces
 60 | \begin{table}[!htbp]
 61 | \[	\begin{tabular}{l|l|l|l|}
 62 | 	 a_{1} & b_{1}&c_{1}&d_{1}\\ \hline
 63 | 	  \vdots & \vdots&\vdots & \vdots \\ \hline
 64 | 	 a_{i} & b_{i}&c_{i}&d_{i}\\ \hline
 65 | 	 a_{i+1} & b_{i+1}&c_{i+1}&d_{i+1}\\ \hline
 66 | % 	  w_{i+1,1} & w_{i+1,2}&w_{i+1,3}& w_{i+1,4}\\ \hline
 67 | 	  \vdots & \vdots&\vdots & \vdots \\ 
 68 | 
 69 | 	\end{tabular}
 70 | \]
 71 | \end{table}
 72 | 
 73 | \begin{itemize}
 74 |  \item Local low-degree constraints between rows (e.g. $a_{i+1}=b_i^2 + c_i$)
 75 |  \item Global equality constraints between any two cells (e.g. $a_{100} = d_2$).
 76 | \end{itemize}
 77 | 
 78 | \end{frame}
 79 | \begin{frame}
 80 | \frametitle{ \textbf{Ultra}-PLONK  programs }   % Insert frame title between curly braces
 81 | % \begin{table}[!htbp]
 82 | % \[	\begin{tabular}{l|l|l|l|}
 83 | % 	 a_{1} & b_{1}&c_{1}&d_{1}\\ \hline
 84 | % 	  \vdots & \vdots&\vdots & \vdots \\ \hline
 85 | % 	 a_{i} & b_{i}&c_{i}&d_{i}\\ \hline
 86 | % 	 a_{i+1} & b_{i+1}&c_{i+1}&d_{i+1}\\ \hline
 87 | % % 	  w_{i+1,1} & w_{i+1,2}&w_{i+1,3}& w_{i+1,4}\\ \hline
 88 | % 	  \vdots & \vdots&\vdots & \vdots \\ 
 89 | % 
 90 | % 	\end{tabular}
 91 | % \]
 92 | % \end{table}
 93 | 
 94 | \begin{itemize}
 95 |  \item Local low-degree constraints between rows (e.g. $a_{i+1}=b_i^2 + c_i$).
 96 |  \item Global equality constraints between any two cells (e.g. $a_{100} = d_2$).
 97 |  \item \textbf{Lookup constraints} - e.g. $(a_5,b_5,c_5)$ is contained in the rows of a predefined table $T$.
 98 | \end{itemize}
 99 | 
100 | \end{frame}
101 | \begin{frame}
102 | \frametitle{Lookup constraints in SNARKs}   % Insert frame title between curly braces
103 | %Since the beginning of time (LFKN, 1989) humanity has been trying to verify prover polynomial evaluations.\\
104 | First used in Arya{\footnotesize [Bootle, Cerulli, Groth, Jakobsen, Maller]}\\ \pause
105 |     \vspace{0.4in}
106 | Plookup [GW20] gives improved efficiency:\\
107 | 
108 | ~$2(|T|+|w|)$ prover group exp\\
109 |     \vspace{0.4in}
110 | $|T|$ - number of rows in table\\
111 | $|w|$ - length of witness
112 | \end{frame}
113 | \begin{frame}
114 | \frametitle{Example: bitwise XOR with ``direct'' table}   % Insert frame title between curly braces
115 | %Since the beginning of time (LFKN, 1989) humanity has been trying to verify prover polynomial evaluations.\\
116 | For row values $(a,b,c)$ want to show $c=a\oplus b$ as $11$-bit strings.\pause
117 | 
118 |     \vspace{0.2in}
119 |  Use table $T$ of all triplets $(a,b,c)$
120 |   
121 |   s.t. $c=a\;\;\oplus\;\;b$.\pause
122 |   
123 |     \vspace{0.2in}
124 | $|T| = 2^{22}$
125 | 
126 | \end{frame}
127 | \begin{frame}
128 | \frametitle{Another approach - Sparse representations }   
129 | Table $T_1$ of pairs $(a,a_s)$ - $a$ is 10-bit string, $a_s$ is ``$a$ with zeroes in between bits'' - 
130 | % \begin{block}{Formula}
131 | \begin{equation}
132 | a=  \Sigma a_i \cdot 2^i, a_s =  \Sigma a_i \cdot 4^i
133 | \end{equation}\pause
134 | % \end{block}
135 | 
136 | Field addition on sparse form now gives bitwise XOR :
137 | 
138 | $a=(1 1) $
139 | $\;\;\;\;\;b=(1 0) $\\ \pause
140 | 
141 | $a_s = (0 1 0 1)$\\
142 | $b_s = (0 1 0 0)$\\ \pause
143 | \vspace{0.2in}
144 | $a_s + b_s = (1 0 0 1)$\\ \pause
145 | Odd bits are XORs
146 | \end{frame}
147 | \begin{frame}
148 | \frametitle{Another approach - Sparse representations}   % Insert frame title between curly braces
149 | %Since the beginning of time (LFKN, 1989) humanity has been trying to verify prover polynomial evaluations.\\
150 | After adding in sparse form, can use another lookup to ``decode'' XOR result
151 | $T_2 = \set{c_s,c_{XOR}}$ so
152 | \[c_s=\Sigma  c_i 4^i, c_{XOR}=\Sigma \phi(c_i) 4^i,\]
153 | \[\phi(0)=0,\phi(1)=1,\phi(2)=0,\phi(3)=1\]\pause
154 | 
155 | \vspace{0.4in}
156 | {\small \textit{Can get AND at same time (see Arya paper)}}
157 | \end{frame}
158 | \begin{frame}
159 | \frametitle{SHA-256 with Sparse representations on Steroids }   
160 | % \textit{Motivation: Suppose all SNARK-friendly hash functions got covid from the SNARK}
161 | \end{frame}
162 | \begin{frame}
163 | $MAJ'$ is one of the two main ``chunks'' of a SHA round:
164 | \begin{itemize}
165 |  \item $a,b,c$ 32-bit values 
166 | \item $>>>$ is right rotation.\pause
167 | \end{itemize}
168 | \vspace{0.2in}
169 | \[MAJ'(a,b,c) :=\]
170 | \[(a >>> 2) \oplus (a >>>13) \oplus (a>>> 22) \oplus MAJ(a,b,c)\]\pause
171 | % Assume we've managed to compute the rotations (addressed next)
172 | 
173 | \end{frame}
174 | \begin{frame}
175 | 
176 | We map $a,b,c$ into 16-sparse form:\\
177 | $\Sigma a_i 2^i\rightarrow\Sigma a_i 16^i$ \\ \pause
178 | \vspace{0.2in}
179 | In sparse form we simply add in field:\\
180 | \[4*(  (a>>>2)+(a>>>13)+(a>>>22) ) + (a+b+c)\]\pause
181 | Addition result is ``injective enough'' to retrieve output of $MAJ'$.
182 | \end{frame}
183 | % \begin{frame}
184 | % \frametitle{SHA-256 with sparse representations on Steroids }   % Insert frame title between curly braces
185 | % Since the beginning of time (LFKN, 1989) humanity has been trying to verify prover polynomial evaluations.\\
186 | % One of the two main ``chunks'' of a SHA round:
187 | % \[MAJ'(a,b,c) \defeq  a >>> 2 \oplus a >>>13 \oplus a>>> 22 \oplus MAJ(a,b,c)\]
188 | % $a,b,c$ 32-bit values, $>>>$ is right rotation.
189 | % Assume we've managed to compute the rotations (addressed next)
190 | % 
191 | % We map $a,b,c$ into 16-sparse form:
192 | % \[\sum a_i 2^i\rightarrow\sum a_i 16^i\]
193 | % In sparse form we simply add in field:
194 | % \[4*(  (a>>>2)+(a>>>13)+(a>>>22) ) + (a+b+c)\]
195 | % Addition result is ``injective enough'' to retrieve $MAJ'(a,b,c)$.
196 | % \end{frame}
197 | \begin{frame}
198 | \frametitle{Getting the rotations}   
199 | Split 32-bit $a$ to limbs $(a_2,a_1,a_0)$ of $10,11,11$ bits respectively.\\ \pause
200 | 
201 | \vspace{0.2in}
202 | We have in total 9 ``rotate contributions'': 3 right-rotates  - $2,13,22$ of the three limbs.\\ \pause
203 | 
204 | \vspace{0.2in}
205 | \emph{But} only two ``non-trivial'' contributions: $(a_1,13),(a_0,2)$ \\ \pause
206 | both can be computed with a table of right rotate by $2$.\\ \pause
207 | 
208 | \vspace{0.2in}
209 | In total for $MAJ'$- 3 tables of size  $\leq 2^{11}$
210 | 
211 | \end{frame}
212 | \end{document}
213 | 


--------------------------------------------------------------------------------
/plookupzksummit2020.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/plookupzksummit2020.pdf


--------------------------------------------------------------------------------
/plookupzksummit2020.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | 
  9 | %\usepackage[T1]{fontenc}
 10 | %\usepackage{fourier}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{eulervm}
 15 | % Class options include: notes, notesonly, handout, trans,
 16 | %                        hidesubsections, shadesubsections,
 17 | %                        inrow, blue, red, grey, brown
 18 | 
 19 | % Theme for beamer presentation.
 20 | %\usepackage{beamertheme} 
 21 | % Other themes include: beamerthemebars, beamerthemelined, 
 22 | %                       beamerthemetree, beamerthemetreebars  
 23 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 24 | \newcommand{\xor}{\ensuremath{\oplus}}
 25 | \newcommand{\plonk}{\ensuremath{\mathcal{P} \mathfrak{lon}\mathcal{K}}}
 26 | \newcommand{\F}{\ensuremath{\mathbb F}}
 27 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 28 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 29 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 30 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 31 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 32 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 33 | \newcommand{\defeq}{\ensuremath{:=}}
 34 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 35 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 36 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 37 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 38 |  \newcommand{\polys}{\F[X]}
 39 | \newcommand{\acc}{{\mathbf{acc}}}
 40 | \newcommand{\ideal}{\mathbf{I}}
 41 | \newcommand{\gen}{\alpha}
 42 | 
 43 | %\setbeamersize{text margin left=3mm,text margin right=3mm} 
 44 | \title{\large{plookup: speeding up SNARKs on non-friendly functions with lookup tables}}    % Enter your title between curly braces
 45 | \author{\small{Ariel Gabizon  \; Zachary J. Williamson}\\                 % Enter your name between curly braces
 46 | \tt{\footnotesize{\;\;\;\;\;\; \textbf{Aztec}   \;\;\;\;\;\;\;\;\;\;\;\; }                                       } }      % Enter your institute name between curly braces
 47 | \date{}                    % Enter the date or \today between curly braces
 48 | %\usefonttheme{professionalfonts}
 49 | %\usefonttheme[onlymath]{serif}
 50 | \begin{document}
 51 | \boldmath
 52 | % Creates title page of slide show using above information
 53 | \begin{frame}
 54 |   \titlepage
 55 | \end{frame}
 56 | 
 57 | \begin{frame}
 58 | \frametitle{SNARKs are easy prey in a  world full of nasty binary functions}
 59 | $a,b,c\in \F$
 60 |   \vspace{0.2in}
 61 | 
 62 | Want to show $c = a\;\; \xor\;\; b $ as 8-bit strings\pause
 63 |   \vspace{0.2in}
 64 | 
 65 | Standard way requires 25-32 constraints: Give bit decomposition of $a,b,c$, check bitwise xor.
 66 | \end{frame}
 67 | 
 68 | 
 69 | \begin{frame}
 70 | 
 71 | Want to show $c = a\;\; \xor\;\; b $ as 8-bit strings.
 72 |   \vspace{0.2in}
 73 | 
 74 | Standard way requires 25-32 constraints: Give bit decomposition of $a,b,c$, check bitwise xor.\\
 75 |   \vspace{0.2in}
 76 | \emph{This is a \textbf{multiplicative} factor you pay on each small operation while computing SHA/BLAKE}
 77 | 
 78 | \end{frame}
 79 | 
 80 | 
 81 | 
 82 | 
 83 | \begin{frame}
 84 |  \frametitle{Approach 1: Keep SNARKs in friendly neighborhoods}
 85 |  
 86 |   
 87 |   
 88 | \begin{tikzpicture}[ball/.style={circle, minimum width=5cm, minimum height=5cm, draw}]
 89 | Blake
 90 | 
 91 | 
 92 | 
 93 | 
 94 | % \node[ball] (gate1) {+};
 95 | % \node[ball, above right=1.25cm of gate1] (gate2) {$\times$};
 96 | \node[ball] (text1){ MIMC \linebreak Poseidon \linebreak Rescue   
 97 | };
 98 | \node[right=2cm of text1] (text2) {Blake};
 99 | 
100 | % \node[ below=3cm of input1] (input3) {no trusted setup};   
101 | % \node[ right=0.1cm of input3] (text3) {\footnotesize{(STARKs, bulletproofs,DARKs,Redshift)}};   
102 | 
103 | % \draw[->] (input1) -- (input3);
104 | % \node[above = 0.2cm of text1] (pic1){
105 | 
106 | %   \node[anchor=south west,inner sep=0cm] at ($(current page.south west)$) {
107 | %      \includegraphics[width=80]{nicehouse.jpg}
108 | %   };
109 | \end{tikzpicture}
110 |   
111 |   
112 |   SHA                            
113 |   
114 |   
115 | \end{frame}
116 | 
117 | \begin{frame}
118 |  \frametitle{Our Approach: lookup tables {\normalsize (see also: Arya{\footnotesize [Bootle, Cerulli, Groth, Jakobsen, Maller]})}}
119 |  
120 |  
121 |  Precompute table $T$ of all triplets $(a,b,c)$
122 |   
123 |   s.t. $c=a\;\;\xor\;\;b$.\pause
124 |   
125 |     \vspace{0.2in}
126 | 
127 | Instead of representing
128 | $\xor$ logic, check that $(a,b,c)\in T$\pause
129 |     \vspace{0.2in}
130 |   
131 | After enough lookups, has amortized cost of $\sim 1$ constraint per $\xor$.
132 | 
133 |     
134 | \end{frame}
135 | 
136 | 
137 | 
138 | \begin{frame}
139 |  \center{The plookup protocol in a nutshell}    
140 |  
141 |  \center{\emph{\footnotesize (a simpler protocol we came up with while preparing the slides)}}
142 | \end{frame}
143 | 
144 |  
145 | \begin{frame}
146 | \frametitle{Basic tool: The multiset check}
147 | %Since the beginning of time (LFKN, 1989) humanity has been trying to verify prover polynomial evaluations.\\
148 | \textbf{example:} Given $a,b\in \F^3$, want to check $\{b_1,b_2,b_3\} \stackrel{?}{=} \{a_1,a_2,a_3\}$ \\ \pause
149 |  \vspace{0.2in}
150 | 
151 |   
152 |  Choose random $\gamma\in \F$. Check
153 |   \[(a_1 + \gamma)(a_2+ \gamma)(a_3 + \gamma) \stackrel{?}{=} (b_1+\gamma)(b_2+\gamma)(b_3+\gamma)\]\pause
154 | %   \[a'_1 = a_1 + \gamma, a'_2 = a_2 + \gamma, a'_3 = a_3 + \gamma\]
155 | %  \[b'_1 = b_1 + \gamma, b'_2 = b_2 + \gamma, b'_3 = b_3 + \gamma\]\pause
156 | 
157 |  \vspace{0.2in}
158 |  If $a,b$ different as sets then w.h.p products different.\pause
159 |  
160 |   \vspace{0.2in}
161 | 
162 |  \plonk's grand product implements this super efficiently
163 | \end{frame}
164 | 
165 | 
166 | 
167 | \begin{frame}
168 | Witness $f=\sett{f_i}{i\in [n]}$
169 | Table $t=\sett{t_i}{i\in [d]}$
170 | 
171 | Want to prove $f\subset t$.
172 | {\small (using randomness we can reduce tuples to single elements)}.
173 | \end{frame}
174 | 
175 | 
176 | \begin{frame}
177 | 
178 | Witness $f=\set{3,1,1}$
179 | Table $t=\set{1,3,4}$
180 | 
181 | \begin{enumerate}
182 |  \item Prover commits to $s\defeq$ \emph{sorted} version of $f\cup t$. $s\defeq (1,1,1,3,3,4)$  \pause
183 |  \item Prover shows $s=f\cup t$. \pause
184 |  \item Look at difference multiset of $s$ $s'\defeq \set{0,0,2,0,1}$, and difference multiset of $t$ $t'\defeq \set{2,1}$\pause
185 |  \item Prover shows $s'=t'\cup \set{0,0,0}$.
186 | \end{enumerate}
187 | 
188 | \end{frame}
189 | % 
190 | % \begin{frame}
191 | %  Arya approach
192 | %  
193 | %  \[F=\prod_{i\in [n]}(X-f_i), T=\prod_{i\in [d] (X-t_i)\]
194 | % \end{frame}
195 | % 
196 | 
197 | 
198 | 
199 | 
200 | % \begin{frame}
201 | %  For security, SNARKs require a setup phase.\\ \linebreak
202 | %   \vspace{0.2in}
203 | %  \includegraphics[width=300, valign=m]{zcashsetup.png}
204 | %  
205 | % \end{frame}
206 | 
207 | 
208 | 
209 | 
210 |                            % typeset with the notes or notesonly class options
211 | 
212 | %\section[Outline]{}
213 | 
214 | % Creates table of contents slide incorporating
215 | % all \section and \subsection commands
216 | %\begin{frame}
217 |   %\tableofcontents
218 | %\end{frame}
219 | \end{document}
220 | 


--------------------------------------------------------------------------------
/polyprottechnionseminar2020.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/polyprottechnionseminar2020.pdf


--------------------------------------------------------------------------------
/polyprottechnionseminar2020.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | 
  9 | %\usepackage[T1]{fontenc}
 10 | %\usepackage{fourier}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{amssymb, eulervm}
 15 | % Class options include: notes, notesonly, handout, trans,
 16 | %                        hidesubsections, shadesubsections,
 17 | %                        inrow, blue, red, grey, brown
 18 | 
 19 | % Theme for beamer presentation.
 20 | %\usepackage{beamertheme} 
 21 | % Other themes include: beamerthemebars, beamerthemelined, 
 22 | %                       beamerthemetree, beamerthemetreebars  
 23 |  \newcommand{\prot}{\mathbf{P}}
 24 | \newcommand{\aggdeg}[1]{\mathfrak{d}(#1)}
 25 | \renewcommand{\deg}{\mathrm{deg}}
 26 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 27 | \newcommand{\xor}{\ensuremath{\oplus}}
 28 | \newcommand{\plonk}{\ensuremath{\mathcal{P} \mathfrak{lon}\mathcal{K}}}
 29 | \newcommand{\F}{\ensuremath{\mathbb F}}
 30 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 31 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 32 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 33 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 34 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 35 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 36 | \newcommand{\defeq}{\ensuremath{:=}}
 37 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 38 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 39 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 40 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 41 |  \newcommand{\polys}{\F[X]}
 42 | \newcommand{\acc}{{\mathbf{acc}}}
 43 | \newcommand{\ideal}{\mathbf{I}}
 44 | \newcommand{\gen}{\alpha}
 45 | 
 46 | %\setbeamersize{text margin left=3mm,text margin right=3mm} 
 47 | \title{\large{Ranged Polynomial Protocols}}    % Enter your title between curly braces
 48 | \author{\small{Ariel Gabizon }\\                 % Enter your name between curly braces
 49 |                                        }      % Enter your institute name between curly braces
 50 | \date{}                    % Enter the date or \today between curly braces
 51 | %\usefonttheme{professionalfonts}
 52 | %\usefonttheme[onlymath]{serif}
 53 | \begin{document}
 54 | \boldmath
 55 | % Creates title page of slide show using above information
 56 | \begin{frame}
 57 |   \titlepage
 58 |   \includegraphics{azteclogo.png}
 59 | \end{frame}
 60 | \begin{frame}
 61 |  \frametitle{Outline}   % Insert frame title between curly braces
 62 |  \begin{itemize}
 63 |   \item A few slides of motivation and context
 64 |   \item Polynomial Protocols -  dfns,results + open question.
 65 |  \end{itemize}
 66 | 
 67 | \end{frame}
 68 | \begin{frame}
 69 |  \frametitle{Succinct arguments in a nutshell}   % Insert frame title between curly braces
 70 |  Public program $T$, public output $z$.\\ \pause
 71 |  \vspace{0.4in}
 72 |  Want to prove ``I know input $x$ for program $T$ that generates output $z$.\\ \pause
 73 |  \vspace{0.4in}
 74 | Want proof size and verification time to be much smaller than run time of $T$. \\ 
 75 | {\small (SNARK:=Succinct Non-Interactive Argument of Knowledge)}\\ \pause
 76 |  \vspace{0.4in}
 77 |  Arithmeitization {\small [LFKN,......]}: Reduce claim to claim of form ''I know polynomials that satisfy some identity`` \pause
 78 | \end{frame}
 79 | \begin{frame}
 80 |  \frametitle{Succinct arguments in a nutshell}   % Insert frame title between curly braces
 81 |  Advantage of claims about polynomials is that suffice to check at one random point \\ \pause
 82 |  \vspace{0.4in}
 83 |  But need to solve ''chicken and egg problem``: Prover must commit to polynomials before knowing the challenge point. 
 84 |  \vspace{0.4in}
 85 |  
 86 | \end{frame}
 87 | \begin{frame}
 88 |  \frametitle{Polynomial commitment schemes {\small [KZG, 10]}}   % Insert frame title between curly braces
 89 | \begin{itemize}
 90 |  \item Prover send short commitment $\cm(f)$ to polynomial.\pause
 91 |  \item Later Verifier can choose value $i\in \F$.\pause
 92 |  \item Prover sends back $z=f(i)$ ; together with proof $\open{f,i}$ that $z$ is correct.\pause
 93 | \end{itemize}
 94 | KZG give us PCS with commitments and openings are practically 32 bytes.\\ 
 95 | Notation: $\enc{x}=g^x$ where $g$ generator of elliptic curve group.
 96 | \end{frame}
 97 | 
 98 | 
 99 | \begin{frame}
100 | 
101 |  Setup: $\enc{1},\enc{x},\ldots,\enc{x^d}$, for random $x\in \F$.\\ \pause
102 |  \vspace{0.4in}
103 |  $\cm(f)\defeq   \enc{f(x)}$\\ \pause
104 |  \vspace{0.4in}
105 | $\open{f,i}\defeq \enc{h(x)}$, where
106 |  $h(X)\defeq \frac{f(X)-f(i)}{X-i}$\\ \pause
107 |  \vspace{0.4in}
108 |  $\verify{\cm,\pi,z,i}:$
109 | \[e(\cm-\enc{z},\enc{1}) \stackrel{?}{=} e(\pi, \enc{x-i})\]
110 | \end{frame}
111 | 
112 | 
113 |  
114 | 
115 | 
116 | \begin{frame}
117 | \frametitle{Idealized Polynomials Protocols}   % Insert frame title between curly braces
118 |  
119 |  \textbf{Preprocessing/inputs:} : $\prv$ and $\ver$ agree in advance on $g_1,\ldots,g_t\in \polysofdeg{d}$.\\
120 |  \vspace{0.4in}
121 | \textbf{Protocol:}
122 |   \begin{enumerate}
123 | %\item The protocol definition includes a set of \emph{preprocessed polynomials} $g_1,\ldots,g_\ell \in \polysofdeg{d}$.
124 | 
125 | \item 
126 | $\prv$'s  msgs are to ideal party $\ideal$. Must be $f_i\in \polysofdeg{d}$.
127 |  \item At protocol end $\ver$ asks $\ideal$ if some (constant number) of identities hold between $\set{f_1,\ldots,f_\ell,g_1,\ldots,g_t}$.  Outputs $\acc$ iff they do.
128 | \end{enumerate}
129 | \end{frame}
130 | \begin{frame}
131 | 
132 | 
133 | $$\aggdeg{\prot}\defeq\left(\sum_{i\in [\ell]} \deg(f_i)+1\right)$$.\pause \\
134 |  \vspace{0.2in}
135 | \textbf{Thm:\footnote{similar statements in Marlin/Fractal/Supersonic}}
136 | Can compile to ``real'' protocol in Algebraic Group Model, where prover complexity  $\sim \aggdeg{\prot}$ .\\ \pause
137 |  \vspace{0.2in}
138 | \textbf{proof sketch:}
139 |  Use [KZG] polynomial commitment scheme. $\prv$ commits to all polys. $\ver$ checks identity at random challenge point. 
140 | \end{frame}
141 | \begin{frame}
142 | \frametitle{Ranged polynomials protocols}   % insert frame title between curly braces
143 | 
144 | \textbf{Preprocessing/inputs:} Predefined polynomials $g_1,\ldots,g_t\in \polysofdeg{d}$\\
145 | \textbf{Range:} $H\subset\F$.\\ \pause
146 | \vspace{0.4in}
147 | \textbf{Protocol:}
148 |  
149 |  \begin{enumerate}
150 | \item $\prv$'s  msgs are to ideal party $\ideal$. Must be $f_i\in \polysofdeg{d}$.
151 | \item At end, $\ver$ asks $\ideal$ if some identity holds between $\set{f_1,\ldots,f_\ell,g_1,\ldots,g_t}$   \textbf{\textit{on $H$}}. 
152 | 
153 | \end{enumerate}
154 | \end{frame}
155 | 
156 | \begin{frame}
157 | \frametitle{$H$-ranged protocol using polynomial protocol:}   % Insert frame title between curly braces
158 |  
159 |  
160 |  $\ver$ wants to check identities $P_1,P_2$ on $H$.\\
161 |  \vspace{0.2in}
162 | \begin{itemize}
163 | \item  After $\prv$ finished sending \set{f_i}, $\ver$ sends random $a_1,a_2\in \F$.\\ \pause
164 | \item $\prv$ sends  $T\in \polysofdeg{d}$.\\ \pause
165 | \item $\ver$ checks identity
166 | $a_1\cdot P_1 + a_2\cdot P_2 \equiv T\cdot Z_H$.
167 | \end{itemize}
168 |  \vspace{0.2in}
169 | $Z_H(X)\defeq \prod_{a\in H}(X-a)$. \\
170 | ($Z_H$ will be a preprocessed polynomial).\\
171 |  \vspace{0.2in}
172 |  
173 | 
174 | \end{frame}
175 | \begin{frame}
176 | \frametitle{$H$-ranged protocol using polynomial protocol:}   % Insert frame title between curly braces
177 | Motivates - for $H$-ranged protocol $\prot$ define
178 |  \[\aggdeg{\prot}\defeq \left(\sum_{i\in [\ell]} \deg(f_i)+1\right) + D- |H|.\]
179 | 
180 | $D\defeq$ max degree of identity $C$ checked in exec with honest $\prv$.\\
181 |  \vspace{0.2in}
182 |  
183 | 
184 | \end{frame}
185 | 
186 | \begin{frame}
187 | \frametitle{Multiset equality check}
188 | Given $a,b\in \F^3$, want to check $\{b_1,b_2,b_3\} \stackrel{?}{=} \{a_1,a_2,a_3\}$ \\ \pause
189 |  \vspace{0.2in}
190 | 
191 |   
192 |  Choose random $\gamma\in \F$. Check
193 |   \[(a_1 + \gamma)(a_2+ \gamma)(a_3 + \gamma) \stackrel{?}{=} (b_1+\gamma)(b_2+\gamma)(b_3+\gamma)\]\pause
194 | %   \[a'_1 = a_1 + \gamma, a'_2 = a_2 + \gamma, a'_3 = a_3 + \gamma\]
195 | %  \[b'_1 = b_1 + \gamma, b'_2 = b_2 + \gamma, b'_3 = b_3 + \gamma\]\pause
196 | 
197 |  \vspace{0.2in}
198 |  If $a,b$ different as sets then w.h.p products different.\pause
199 |  
200 | \end{frame}
201 | 
202 | 
203 | 
204 | \begin{frame}
205 | \frametitle{Multiset equality check - polynomial version}
206 | Given $f,g\in \polysofdeg{d}$, want to check $\sett{f(x)}{x\in H} \stackrel{?}{=} \sett{g(x)}{x\in H}$ as multisets \\ 
207 |  
208 | \end{frame}
209 | \begin{frame}
210 | \frametitle{Reduces to:}   % Insert frame title between curly braces
211 |  $H=\set{\gen,\gen^2,\ldots,\gen^n}$.\\
212 |  \vspace{0.2in}
213 |  
214 |  $\prv$ has sent $f',g'\in \polysofdeg{n}$.\\
215 |  \vspace{0.2in}
216 |  Wants to prove:
217 |  \[\prod_{i\in [n]}  f(\gen^i) = \prod_{i\in [n]} g(\gen^i)\]
218 | 
219 |  $f\defeq f' +\gamma,g\defeq g'+\gamma$
220 | 
221 | \end{frame}
222 | 
223 | \begin{frame}
224 | \frametitle{Multiplicative subgroups:}   % Insert frame title between curly braces
225 |  $H=\set{\gen,\gen^2,\ldots,\gen^n=1}$.\\
226 |  \vspace{0.2in}
227 |  $L_i$ is i'th lagrange poly of $H$:
228 |  \[L_i(\alpha^i)=1,L_i(\alpha^j) =0, j\neq i\]
229 | \end{frame}
230 | 
231 | 
232 | \begin{frame}
233 | \frametitle{Checking products with $H$-ranged protocols \small{[GWC19]}}   % Insert frame title between curly braces
234 |  \begin{enumerate}
235 |   \item $\prv$ computes $Z$ with 
236 |   $ Z(\gen)=1, Z(\gen^i) = \prod_{j<i}  f(\gen^j)/g(\gen^j)$.
237 |   \item Sends $Z$ to $\ideal$.   \pause
238 |   \item $\ver$ checks following identities on $H$.
239 |   \begin{enumerate}
240 |    \item $L_1(X) (Z(X)-1) =0$
241 |    \item $Z(X) f(X) = Z(\gen\cdot X)g(X)$\pause
242 |  \end{enumerate}
243 | 
244 |  \end{enumerate}
245 |  \vspace{0.2in}
246 | We get $\aggdeg{\prot}=n+2n -|H| = 2n$.
247 | 
248 | 
249 | \end{frame}
250 | \begin{frame}
251 | \frametitle{Example 2: Range checks}
252 | Integer $M<n$. Given $f\in \polysofdeg{n}$, want to check $f(x)\in [1..M]$ for each $x\in H$.\\ \pause
253 | (most?) common SNARK operation: SNARK recursion requires simulating one field using another \\ 
254 | 
255 | \end{frame}
256 | \begin{frame}
257 | \frametitle{Example 2: Range checks}
258 | 
259 | \textbf{Simplifying assumption:} $[1..M]\subset \sett{f(x)}{x\in H}$\\ \pause
260 | \textbf{Protocol:}
261 |  \begin{enumerate}
262 |  \item $\prv$ computes ''sorted version of $f$``: $s\in \polysofdeg{n}$ with
263 |  $\sett{s(x)}{x\in H}=\sett{f(x)}{x\in H}$, $s(\alpha^i)\leq s(\alpha^{i+1})$.\pause
264 |  \item $\prv$ sends $s$ to $\ideal$.\pause
265 |  \item $\ver$ checks that
266 |  \begin{enumerate}
267 |   \item Mutli-set equality between $s$ and $f$.\pause
268 |   \item $s(\alpha)=1$
269 |   \item $s(\alpha^n) = M$\pause
270 |   \item For each $x\in H\setminus \set{1}$,\pause
271 |   \[ (s(x\cdot \alpha) - s(x))^2 = s(x\cdot \alpha) - s(x)\]
272 |  \end{enumerate}
273 | 
274 | \end{enumerate}
275 | 
276 | 
277 | We get $\aggdeg{\prot}=3n$ \\
278 | \end{frame}
279 | \begin{frame}
280 | To remove assumption use preprocessed ''table poly`` $t$ with $\sett{t(x)}{x\in H}=[1..M]$\\
281 | (details on next slide)
282 |  \vspace{0.2in}
283 | 
284 | 
285 | 
286 | \end{frame}
287 | 
288 | \begin{frame}
289 | % \frametitle{Example 2: Range checks}
290 | 
291 | \textbf{Preprocessed poly:} $t\in \polysofdeg{M}$ with $\sett{t(x)}{x\in H}=[1..M]$ \\ \pause
292 | \textbf{Protocol:}
293 |  \begin{enumerate}
294 |  \item $\prv$ computes ''sorted version of $f\cup t$``: $s\in \polysofdeg{n+M}$ with
295 |  $\sett{s(x)}{x\in H}=\sett{f(x),t(x)}{x\in H}$, $s(\alpha^i)\leq s(\alpha^{i+1})$.\pause
296 |  \item $\prv$ sends $s$ to $\ideal$.\pause
297 |  \item $\ver$ checks that
298 |  \begin{enumerate}
299 |   \item Mutli-set equality between $s$ and $f\cup t$.\pause
300 |   \item $s(\alpha)=1$
301 |   \item $s(\alpha^n) = M$
302 |   \item For each $x\in H\setminus \set{1}$,\pause
303 |   \[ (s(x\cdot \alpha) - s(x))^2 = s(x\cdot \alpha) - s(x)\]
304 |  \end{enumerate}
305 | 
306 | \end{enumerate}
307 | 
308 | 
309 | We get $\aggdeg{\prot}= \deg(s)+\deg(Z)+D-|H| = 3n+4M$.
310 | \end{frame}
311 | \begin{frame}
312 | Given integer $d$ decomposing each element to $d$ elements in range $[1..M^{1/d}]$ can 
313 | give us $$\aggdeg{\prot} = 4dn+4M^{1/d}$$(by sending an auxiliary polynomial of degree $<dn$ with the decomposition of each element and then running the $M^{1/d}$ size range proof on this polynomial).\\
314 | 
315 |  \vspace{0.2in}
316 | \textbf{Question: can we do better?}
317 | 
318 | 
319 | \end{frame}
320 | 
321 | 
322 | \end{document}
323 | 


--------------------------------------------------------------------------------
/secondpaperquote.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/secondpaperquote.png


--------------------------------------------------------------------------------
/stackproofs.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/stackproofs.PNG


--------------------------------------------------------------------------------
/sumeda.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/sumeda.png


--------------------------------------------------------------------------------
/ujtalksKZG+PLONK.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/ujtalksKZG+PLONK.pdf


--------------------------------------------------------------------------------
/vaersspike.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/vaersspike.png


--------------------------------------------------------------------------------
/vaxrequire.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/vaxrequire.png


--------------------------------------------------------------------------------
/vioxxfirstsafety.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/vioxxfirstsafety.png


--------------------------------------------------------------------------------
/vioxxfirstsecondtxt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/vioxxfirstsecondtxt.png


--------------------------------------------------------------------------------
/vsummit24gfft.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/vsummit24gfft.pdf


--------------------------------------------------------------------------------
/vsummit24gfft.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz,circuitikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | \usepackage{amsthm,amsfonts}
  9 | %\usepackage[T1]{fontenc}
 10 | % \usepackage{fullpage}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{eulervm}
 15 | \usepackage[export]{adjustbox}
 16 | \everymath{\color{purple}}
 17 | % Class options include: notes, notesonly, handout, trans,
 18 | %                        hidesubsections, shadesubsections,
 19 | %                        inrow, blue, red, grey, brown
 20 | 
 21 | % Theme for beamer presentation.
 22 | %\usepackage{beamertheme} 
 23 | % Other themes include: beamerthemebars, beamerthemelined, 
 24 | %                       beamerthemetree, beamerthemetreebars  
 25 | \newcommand{\minus}{\scalebox{0.5}[1.0]{\( - \)}}
 26 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 27 | \newcommand{\F}{\ensuremath{{\mathbb F}}}
 28 | \renewcommand{\P}{\ensuremath{{\mathbb P}}}
 29 | \newcommand{\Z}{\ensuremath{{\mathbb Z}}\xspace}
 30 | \newcommand{\Fclosure}{\ensuremath{{\overline{\mathbb{F}}}_p}}
 31 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 32 | \newcommand{\bin}{\ensuremath{\set{0,1}}}
 33 | \newcommand{\cube}{\ensuremath{\bin^n}}
 34 | 
 35 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 36 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 37 | % \newcommand{\kzg}[1]{\ensuremath{\enc{#1(x)}}}
 38 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 39 | \newcommand{\kzg}[1]{\cm(#1)}
 40 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 41 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 42 | \newcommand{\defeq}{\ensuremath{:=}}
 43 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 44 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 45 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 46 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 47 | %  \newcommand{\endoss}{\ensuremath{\mathrm{END}_E}}
 48 |  \newcommand{\hl}[1]{\textbf{\textit{#1}}}
 49 |  \newcommand{\polys}{\F[X]}
 50 | \newcommand{\acc}{{\mathbf{acc}}}
 51 | \newcommand{\ideal}{\mathbf{I}}
 52 | \newcommand{\gen}{\alpha}
 53 | \newcommand{\spac}{\\  \vspace{0.2in} \noindent}
 54 | \newcommand{\polylog}{\ensuremath{\mathsf{polylog}}\xspace}
 55 | % \renewcommand{\bf}{\begin{frame}}
 56 | % \newcommand{\ef}{\end{frame}}
 57 | %\setbeamersize{text margin left=3mm,text margin right=3mm}  
 58 | \newcommand{\nl}{\\ \pause \vspace{0.2in}}
 59 | \newcommand{\nlnp}{\\ \vspace{0.2in}}
 60 | \newcommand{\stitle}[1]{{\large{\textcolor{purple}{\emph{#1}}}}}
 61 | \DeclareMathAlphabet{\mathpgoth}{OT1}{pgoth}{m}{n}	
 62 | \newcommand{\cq}{\mathpgoth{cq} }
 63 | \newcommand{\cqstar}{\ensuremath{\mathpgoth{cq^{\mathbf{*}} }}\xspace}
 64 | \newcommand{\flookup}{\ensuremath{\mathsf{\mathpgoth{Flookup}}}\xspace}
 65 | \newcommand{\baloo}{\ensuremath{\mathrm{ba}\mathit{loo}}\xspace}
 66 | % \newcommand{\caulkp}{\ensuremath{\mathsf{\mathrel{Caulk}\mathrel{\scriptstyle{+}}}}\xspace}
 67 | \newcommand{\caulk}{\ensuremath{\mathsf{Caulk}}\xspace}
 68 | \newcommand{\plookup}{\ensuremath{\mathpgoth{plookup}}\xspace}
 69 | \newcommand{\srs}{\ensuremath{\mathsf{srs}}}
 70 | \newcommand{\tablegroup}{\ensuremath{\mathbb{H}}\xspace}
 71 | \newcommand{\V}{\ensuremath{\mathbf{V} }\xspace}
 72 | % \newcommand{\caulk}{{\mathsf{Caulk}}}
 73 | % \newcommand{\caulkp}{{\mathsf{\mathrel{Caulk}\mathrel{\scriptstyle{+}}}}}
 74 | \newcommand{\bigspace}{\ensuremath{\mathbb{V}}}
 75 | 
 76 | %\setbeamersize{text margin left=3mm,text margin right=3mm} 
 77 | \title{\large{GFFT on the projective line}}    % Enter your title between curly braces
 78 | \author{\small{Ariel Gabizon}\\                 % Enter your name between curly braces
 79 | \tt{\footnotesize{Aztec Labs}                                       } }      % Enter your institute name between curly braces
 80 | \date{}                    % Enter the date or \today between curly braces
 81 | %\usefonttheme{professionalfonts}
 82 | %\usefonttheme[onlymath]{serif}
 83 | \begin{document}
 84 | \boldmath
 85 | % Creates title page of slide show using above information
 86 | \begin{frame}
 87 |   \titlepage
 88 | \end{frame}
 89 | 
 90 | 
 91 | % \begin{frame}
 92 | % \large{plonk is a protocol to make short proofs about circuit satisfiability.}
 93 | %  \begin{figure}
 94 | %   \includegraphics[width=260pt]{circuit.png}
 95 | % \end{figure}
 96 | % \end{frame}
 97 | \begin{frame}
 98 |  \frametitle{FFT Reminder}
 99 |  
100 |  
101 |  
102 |  $S=\set{g,g^2,\ldots,g^{n}=1},n=2^k$\nl
103 |  Want to evaluate $f(X)\in \F[X]$ of deg $<n$ on $S$.\pause
104 |  Use recursive formula
105 |  \[f(X)=f_e(X^2)+X\cdot f_o(X^2)\]
106 |  
107 |  Since the map $x\to x^2$ is 2-to-1 on $S$, this reduces $n$ evals of $f$ to $n/2$ evals of two deg $n/2$ polys.\nl
108 | 
109 |  
110 |  Requires $n|p-1$, where $p=|\F|$.
111 |  
112 |  Can we do something when  $n|(p+1)$ instead?? 
113 |  % \begin{itemize}
114 | %  \item 
115 | % \end{itemize}
116 |  
117 | \end{frame}
118 | \begin{frame}
119 |  \frametitle{GFFT idea: All you need is cyclic operation}
120 |  $S=\set{g,g^2,\ldots,g^{n}=1},n=2^k$\\ \pause
121 | The map $\sigma(x)=g\cdot x$ goes over $S$ as a cycle.\nl
122 | \begin{itemize}
123 | \item Let $\tau = \sigma^{n/2}$. So $\tau(x)=-x$, and $\tau^2(x)=x$.\pause
124 | \item $S$ splits into disjoint pairs $(a,\tau(a))$.\pause
125 | \item Let $N(X)\defeq X \cdot \tau(X)$.\\ \pause 2-1 on $S$: $N(a)=a \cdot \tau(a) = N(\tau(a))$.\nl %\\
126 | % $N$ is our 2-to-1 map.\nl
127 | 
128 | \textit{Can we find a set of size $p+1$ with a cyclical $\sigma$?}
129 | \end{itemize}
130 | 
131 | \end{frame}
132 | \begin{frame}
133 |  \frametitle{The Projective line and fractional transformations}
134 |  
135 | %  How to get set $\P$ of size $2^k$?
136 |  Look at \emph{projective line} $\P\defeq \F\cup\infty$\nl
137 |  Take fractional map:
138 |  $\sigma(x)= \frac{1}{ax+b}$
139 |  
140 |  Define: $\sigma(-b/a)=\infty,\sigma(\infty)=0$.\nl
141 |  
142 |  \textbf{claim:}For the right choice of $a,b$, $\sigma$ makes a cycle over all of \P.
143 |  
144 |  
145 |  
146 | \end{frame}
147 | 
148 | \begin{frame}
149 |  \frametitle{Detour: The projective line as a circle in the plane}
150 | % \textbf{As a circle in the plane:}\nlnp
151 | \begin{circuitikz}
152 |     % Draw the real line
153 |     \draw[thick] (-2,0) -- (2,0);
154 |     \node at (2.5,0) {};
155 |     
156 |     % Draw the larger circle a bit lower above the real line
157 |     \draw (0,1.5) node[circle,draw,minimum size=1.5cm] (circle) {};
158 |     \node at (0,1.5) {};
159 | \filldraw (circle.north) circle (2pt) node[above] {$\infty$};
160 |     % Draw a line from the top of the circle to somewhere on the real line
161 |     \draw (circle.north) -- (1,0);
162 | 
163 |     % Add little black dots at the connection points
164 |     \filldraw (circle.north) circle (2pt);
165 |     \filldraw (1,0) circle (2pt);
166 | 
167 |     % Connect the circle to the real line with a dashed line
168 |     \draw[dashed] (0,0) -- (circle);
169 | 
170 |     % Calculate the intersection point of the line and the circle
171 |     \coordinate (intersection) at ($(circle) + (-41:0.75cm)$);
172 |     \filldraw (intersection) circle (2pt);
173 | \end{circuitikz}
174 | \vspace{0.3in}\nlnp
175 | \textit{See Circle STARK paper [HLP24] for this approach}
176 | \end{frame}
177 | \begin{frame}
178 | \textit{Let's try to proceed as before:}\\ 
179 | The map $\sigma(x)=\frac{1}{ax+b}$ goes over $\P$ as a cycle.\pause%\nl
180 | \begin{itemize}
181 | \item Let $\tau = \sigma^{n/2}$. %So $\tau(x)=-x$, and $\tau^2(x)=x$.\pause
182 | \item $\P$ splits into disjoint pairs $(a,\tau(a))$.\pause
183 | \item Let $N(X)\defeq X \cdot \tau(X)$.\\ \pause 2-1 on $\P$: $N(a)=?$\nl
184 | \textit{$\P$ is not a group, so $N(a)$ is not defined!}
185 | \end{itemize}
186 | \end{frame}
187 | \begin{frame}
188 |  \frametitle{The point $a$ as a ``place''}
189 | \textbf{Let $K=\F(X)$.}\nl
190 | 
191 | Given $a\in \F$, let $P_a=\{r(X)\in K| r(a)=0 \}$.\nl
192 | $P_a$ is called a \emph{place}  of $K$.\nl
193 | \textit{($P_a$ is the unique maximal ideal of the subring of elements $r$ with $r(a)\neq \infty$.)}
194 | \end{frame}
195 | 
196 | \begin{frame}
197 | \frametitle{Evaluating at $a$ with $P_a$}
198 | % \textbf{example:}
199 | Fix poly $f=\sum_{i=0}^n b_i X^i$.\\ \pause Write
200 | $f(X) = c + \sum_{i=1}^n c_i(X-a)^i$ .\nl
201 | Let $g\defeq \sum_{i=1}^n c_i(X-a)^i$.\nl
202 | 
203 | So $f(a)=c$ and $g(X)\in P_a$.\nl
204 | 
205 | I.e. - taking $f$ mod $P_a$ gives $f(a)$.
206 | \end{frame}
207 | 
208 | \begin{frame}
209 |  \frametitle{The infinity point in the algebraic representation}
210 |  There is \emph{one more} place of degree one in $K$:
211 |  $P_{\infty}=\set{f(X)/g(X)|deg(f)< deg(g)}$. \nl
212 |  $P_{\infty}=$ ``the set of functions that are zero at infinity''
213 |  
214 | \end{frame}
215 | \begin{frame}
216 |  \textit{To exemplify ideas focus from now on map $\tau(x)=\minus x$ from regular FFT.}
217 | \end{frame}
218 | 
219 | \begin{frame}
220 |  Defining $\tau$ on places:\pause
221 |  \begin{enumerate}
222 |   \item Define $\tau$ as operation on $K$: $\tau(r(X)) \defeq  r(\minus X)$.\pause
223 |   \item Define $\tau$ on  place $P_a$ element-wise: $\tau(P_a)\defeq \sett{\tau(r)}{ r\in P_a}$\\ \pause
224 | $  =\set{ {r(\minus X)}| r(a)=0} = P_{\minus a}$
225 |  \end{enumerate}
226 | % 
227 | \end{frame}
228 | \begin{frame}
229 |  \frametitle{Galois subfields}
230 | %  \begin{enumerate}
231 | %   \item 
232 | Look at the \emph{subfield} of $K$ fixed by $\tau$ - $\set{r\in K|\tau(r)=r}$. \nl
233 | This is exactly $\F(X^2)$.\\
234 | e.g. $\tau(X^2)=(-X)^2 = X^2$.
235 | 
236 | %   \item Recursively evaluate relevant polys on places of subfield, and then expand into places of $K$ they split into. 
237 | %  \end{enumerate}
238 |  
239 | \end{frame}
240 | \begin{frame}
241 |  \frametitle{Places ``splitting'' in extensions:}
242 |  Let $b=a^2$. Look at place $P'_b$ of $\F(X^2)$. \\ \pause
243 |  $P'_b=\set{r(X^2)|r(b)=0}$.\nl
244 |  
245 |  Poly $f\in P'_b$ looks like:\\
246 |  $f=\sum_{i=1}^n c_i(X^2-b)^i$ \\ \pause 
247 |  $=\sum_{i=1}^n c_i(X+a)^i(X-a)^i$.\nl
248 |  
249 | 
250 | So $P'_b\subset P_a$ and $P'_b\subset P_{\minus a}$.\nl
251 | 
252 | We say $P'_b$ \emph{splits} in $K$ into $P_a$ and $P_{\minus a}$.
253 | \end{frame}
254 | 
255 | \begin{frame}
256 | \frametitle{Tying it together}
257 | \textit{Let's try to define $N$ again:}\\ 
258 | $\P \defeq \set{P_a}_{a\in \F} \cup P_{\infty}$.\\ \pause
259 | The map $\sigma(x)=\frac{1}{ax+b}$ goes over $\P$ as a cycle.
260 | \begin{itemize}
261 | \item Let $\tau = \sigma^{n/2}$. %So $\tau(x)=-x$, and $\tau^2(x)=x$.\pause
262 | \item $\P$ splits into disjoint pairs $(P,\tau(P))$.\pause
263 | \item  
264 | Let $K'$ be the subfield of $K$ fixed by $\tau$. Define $N(P)$ to be the place of $K'$ splitting in $K$ into $P,\tau(P)$.
265 | \end{itemize}
266 | \end{frame}
267 | 
268 | 
269 | \begin{frame}
270 | 
271 |  For more details see:
272 |  \begin{figure}
273 |   \includegraphics[width=260pt]{lx23.png}
274 | \end{figure}
275 |  \textit{For more elementary approach with better final constants see Circle STARK[HLP24]}
276 | \end{frame}
277 | 
278 | \end{document}
279 | % \begin{frame}
280 | % \frametitle{The places of $K=\F(X)$: }
281 | %   Choose $a\in F$. Write $r\in K$ as\\
282 | %   $r(X)=(X-a)^{v_a} \frac{f(X)}{g(X)}$, $f,g\in \F[X]; f(a),g(a)\neq 0$.\nl
283 | % 
284 | % $v$ is the \emph{valuation of $r$ at $a$}.
285 | % Take $R_a\defeq \{r\in K| v_a(r)\geq 0 \}$.\nl
286 | % $R_a$ is a place of $K$.
287 | % \end{frame}
288 | % \begin{frame}
289 | % The unique maximal ideal of $R_a$ is $I_a=\set{(X-a)\cdot r|r\in R_a}$\nl
290 | % \textit{Cool thing: $R_a/I_a=\F$. And we can evaluate $r\in R_a$ at $a$ by taking $r\;\mod\; I_a$}\nl
291 | % This gives the same result as ``normal'' evaluation!
292 | %  
293 | % \end{frame}
294 | % \begin{frame}
295 | %  \frametitle{Regular FFT via GFFT}
296 | % \begin{enumerate}
297 | %  \item Applying the map $\tau(x)=-x$.
298 | %  \item Applying 2-1 map $x\to x^2$.\nl
299 | % \end{enumerate}
300 | % \emph{How do these operations look in the framework of places?} 
301 | % \end{frame}
302 | 


--------------------------------------------------------------------------------
/waldo.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/waldo.jpg


--------------------------------------------------------------------------------
/waldopic.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/waldopic.png


--------------------------------------------------------------------------------
/witness.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/witness.png


--------------------------------------------------------------------------------
/zkWarsawJan24.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/zkWarsawJan24.pdf


--------------------------------------------------------------------------------
/zkWarsawJan24.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz,circuitikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | \usepackage{amsthm,amsfonts}
  9 | %\usepackage[T1]{fontenc}
 10 | % \usepackage{fullpage}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{eulervm}
 15 | \usepackage[export]{adjustbox}
 16 | \everymath{\color{purple}}
 17 | % Class options include: notes, notesonly, handout, trans,
 18 | %                        hidesubsections, shadesubsections,
 19 | %                        inrow, blue, red, grey, brown
 20 | 
 21 | % Theme for beamer presentation.
 22 | %\usepackage{beamertheme} 
 23 | % Other themes include: beamerthemebars, beamerthemelined, 
 24 | %                       beamerthemetree, beamerthemetreebars  
 25 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 26 | \newcommand{\F}{\ensuremath{{\mathbb F}}}
 27 | \newcommand{\Z}{\ensuremath{{\mathbb Z}}\xspace}
 28 | \newcommand{\Fclosure}{\ensuremath{{\overline{\mathbb{F}}}_p}}
 29 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 30 | \newcommand{\bin}{\ensuremath{\set{0,1}}}
 31 | \newcommand{\cube}{\ensuremath{\bin^n}}
 32 | 
 33 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 34 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 35 | % \newcommand{\kzg}[1]{\ensuremath{\enc{#1(x)}}}
 36 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 37 | \newcommand{\kzg}[1]{\cm(#1)}
 38 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 39 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 40 | \newcommand{\defeq}{\ensuremath{:=}}
 41 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 42 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 43 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 44 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 45 | %  \newcommand{\endoss}{\ensuremath{\mathrm{END}_E}}
 46 |  \newcommand{\hl}[1]{\textbf{\textit{#1}}}
 47 |  \newcommand{\polys}{\F[X]}
 48 | \newcommand{\acc}{{\mathbf{acc}}}
 49 | \newcommand{\ideal}{\mathbf{I}}
 50 | \newcommand{\gen}{\alpha}
 51 | \newcommand{\spac}{\\  \vspace{0.2in} \noindent}
 52 | \newcommand{\polylog}{\ensuremath{\mathsf{polylog}}\xspace}
 53 | % \renewcommand{\bf}{\begin{frame}}
 54 | % \newcommand{\ef}{\end{frame}}
 55 | %\setbeamersize{text margin left=3mm,text margin right=3mm}  
 56 | \newcommand{\nl}{\\ \pause \vspace{0.2in}}
 57 | \newcommand{\nlnp}{\\ \vspace{0.2in}}
 58 | \newcommand{\stitle}[1]{{\large{\textcolor{purple}{\emph{#1}}}}}
 59 | \DeclareMathAlphabet{\mathpgoth}{OT1}{pgoth}{m}{n}	
 60 | \newcommand{\cq}{\mathpgoth{cq} }
 61 | \newcommand{\cqstar}{\ensuremath{\mathpgoth{cq^{\mathbf{*}} }}\xspace}
 62 | \newcommand{\flookup}{\ensuremath{\mathsf{\mathpgoth{Flookup}}}\xspace}
 63 | \newcommand{\baloo}{\ensuremath{\mathrm{ba}\mathit{loo}}\xspace}
 64 | % \newcommand{\caulkp}{\ensuremath{\mathsf{\mathrel{Caulk}\mathrel{\scriptstyle{+}}}}\xspace}
 65 | \newcommand{\caulk}{\ensuremath{\mathsf{Caulk}}\xspace}
 66 | \newcommand{\plookup}{\ensuremath{\mathpgoth{plookup}}\xspace}
 67 | \newcommand{\srs}{\ensuremath{\mathsf{srs}}}
 68 | \newcommand{\tablegroup}{\ensuremath{\mathbb{H}}\xspace}
 69 | \newcommand{\V}{\ensuremath{\mathbf{V} }\xspace}
 70 | % \newcommand{\caulk}{{\mathsf{Caulk}}}
 71 | % \newcommand{\caulkp}{{\mathsf{\mathrel{Caulk}\mathrel{\scriptstyle{+}}}}}
 72 | \newcommand{\bigspace}{\ensuremath{\mathbb{V}}}
 73 | 
 74 | %\setbeamersize{text margin left=3mm,text margin right=3mm} 
 75 | \title{\large{The GKR method}}    % Enter your title between curly braces
 76 | \author{\small{Ariel Gabizon}\\                 % Enter your name between curly braces
 77 | \tt{\footnotesize{Zeta Function Technologies}                                       } }      % Enter your institute name between curly braces
 78 | \date{}                    % Enter the date or \today between curly braces
 79 | %\usefonttheme{professionalfonts}
 80 | %\usefonttheme[onlymath]{serif}
 81 | \begin{document}
 82 | \boldmath
 83 | % Creates title page of slide show using above information
 84 | \begin{frame}
 85 |   \titlepage
 86 | \end{frame}
 87 | 
 88 | 
 89 | % \begin{frame}
 90 | % \large{plonk is a protocol to make short proofs about circuit satisfiability.}
 91 | %  \begin{figure}
 92 | %   \includegraphics[width=260pt]{circuit.png}
 93 | % \end{figure}
 94 | % \end{frame}
 95 | \begin{frame}
 96 |  \frametitle{Overview}
 97 |  \begin{itemize}
 98 |   \item Mutlilinear functions and sumcheck basics
 99 |   \item GKR - motivation and example.
100 |  \end{itemize}
101 | 
102 | \end{frame}
103 | 
104 | 
105 | \begin{frame}
106 |  \frametitle{Multilinear polynomials}
107 |  Polynomials that are linear in each variable:\nl 
108 |  \textbf{Example:}
109 |  equality  function\pause
110 | %  $eq:\F^{2n}\to \F$.
111 |  \[eq(x,y)=\prod_{i\in [n]} (x_i y_i +(1-x_i)(1-y_i))\]\pause
112 | For $x,y \in \{0,1\}^n$, $eq(x,y)=1$ iff $x=y$. \nl
113 |  ``Multilinear Lagranges'': $L_x(Y)=eq(x,Y)$ for some $x\in \cube.$\nl
114 |  We have $L_x(x)=1$ and $L_x(y)=0$ for any $y\neq x$ in $\cube$.
115 |  % \begin{itemize}
116 | %  \item 
117 | % \end{itemize}
118 |  
119 | \end{frame}
120 | 
121 | \begin{frame}
122 |  \frametitle{Sumcheck basics}
123 |  $\prv$ has $n$-variate poly $f$ of degree$\leq 3$ in each variable.\nl
124 |  Wants to prove to \ver
125 |  \[\sum_{x\in\cube} f(x)=0\]\nl
126 |  The {\small \color{green}[LFKN]} \textbf{sumcheck protocol} between $\prv$ and $\ver$ reduces this claim
127 |  to claim of form $f(r)=v$ for random $r\in \F^n$.\nl
128 |  
129 |  \emph{Reduction doesn't require $\prv$ to do FFT's or commit to other polynomials }
130 | 
131 | \end{frame}
132 | \begin{frame}
133 |  \frametitle{Main application: Zero Testing}
134 |  \begin{itemize}
135 |   \item  $\prv$ wants to prove to $\ver$ that $f(x)=0$, $\forall x\in \cube$.\pause
136 |   \item $\ver$ chooses random $\beta \in \F^n$.
137 |   \item Define $f'(X)\defeq eq(\beta,X) f(X)$.\pause
138 |   \item $\prv$ shows using sumcheck protocol that $\sum_{x\in \cube} f'(x)=0$. This implies desired claim on $f$ w.h.p.
139 |   
140 |  \end{itemize}
141 | 
142 | \end{frame}
143 | 
144 | \begin{frame}
145 |  \frametitle{Polynomials commitment schemes[KZG] (for mutlilinear polynomials)}
146 | \begin{itemize}
147 |  \item $\prv$ sends short commitment $\cm(h)$ to $n$-variate mutlilinear  polynomial $h$.\pause
148 |  \item Later $\ver$  chooses  $r\in \F^n$.\pause
149 |  \item $\prv$ sends back $z=f(r)$; together with \emph{short} proof $\open{f,r}$ that $z$ is correct.\pause
150 | \end{itemize}
151 |  State of the art: Basefold, Binius, Brakedown, Gemini,Zeromorph,...
152 | \end{frame}
153 | 
154 | \begin{frame}
155 |  \frametitle{ Zero Testing - typical example}
156 |  $\prv$ has multilinears $f_1,f_2,f_3$. $\ver$ has $\cm(f_1),\cm(f_2),\cm(f_3)$.\nl
157 |  
158 |  $\prv$ wants to prove to $\ver$ that 
159 |  \[\forall x\in\cube: f_1(x)f_2(x)-f_3(x) =0.\]
160 | \end{frame}
161 | 
162 | 
163 | \begin{frame}
164 | \frametitle{GKR Motivation}   % Insert frame title between curly braces
165 | GKR=``Delegating Computation: Interactive Proofs for Muggles'' by Goldwasser, Kalai and Rothblum.\nl
166 | \emph{Committing to polynomials is expensive. Can we use sumcheck for polynomials we \textbf{don't} have a commitment to?}
167 | 
168 | \end{frame}
169 | \begin{frame}
170 |  \frametitle{GKR idea - iterative sumcheck}
171 |  When we don't have a commitment to the polynomial we're summing, reduce the random evaluation at the end
172 |  to \emph{another} sumcheck over a different polynomial\nlnp
173 |  
174 |  \[\mathrm{sum}\stackrel{sumcheck}{\to}\mathrm{rand eval} \stackrel{reduction}{\to}\mathrm{sum}\stackrel{sumcheck}{\to}\ldots\]
175 | \end{frame}
176 | 
177 | \begin{frame}
178 | 
179 | \frametitle{Example from [Thaler13]}
180 |     \begin{circuitikz}
181 |         % Multiplication node
182 |         \draw (3,3.5) node[draw,circle,minimum size=0.1 cm,label=$a_1\cdot a_2\cdot a_3\cdot a_4$] (mul3) {$\times$};
183 |         % Multiplication node
184 |         \draw (1,1.75) node[draw,circle,minimum size=0.1 cm] (mul2) {$\times$};
185 |         
186 |         
187 |         % Inputs with arrows at the bottom
188 |         \draw[-{Triangle[length=3mm,width=2mm]}] (0,0) node[left] {$a_1$} -- (mul2.south);
189 |         \draw[-{Triangle[length=3mm,width=2mm]}] (2,0) node[right] {$a_2$} -- (mul2.south);
190 |         % Multiplication node
191 |         \draw (5,1.75) node[draw,circle,minimum size=0.1 cm] (mul) {$\times$};
192 |         
193 |         
194 |         % Inputs with arrows at the bottom
195 |         \draw[-{Triangle[length=3mm,width=2mm]}] (4,0) node[left2] {$a_3$} -- (mul.south);
196 |         \draw[-{Triangle[length=3mm,width=2mm]}] (6,0) node[right2] {$a_4$} -- (mul.south);
197 |         % arrows to final mult gate 
198 |         \draw[-{Triangle[length=3mm,width=2mm]}] (mul.north) -- (mul3.south);
199 |         \draw[-{Triangle[length=3mm,width=2mm]}] (mul2.north) -- (mul3.south);
200 |     \end{circuitikz}
201 |     \end{frame}
202 | 
203 | \begin{frame}
204 | 
205 | \frametitle{Example from [Thaler13]}
206 |     \begin{circuitikz}
207 |         % Multiplication node
208 |         \draw (3,3.5) node[draw,circle,minimum size=0.1 cm,label=$a_1\cdot a_2\cdot a_3\cdot a_4$] (mul3) {$\times$};
209 |         % Multiplication node
210 |         \draw (1,1.75) node[draw,circle,minimum size=0.1 cm] (mul2) {$\times$};
211 |         
212 |         
213 |         % Inputs with arrows at the bottom
214 |         \draw[-{Triangle[length=3mm,width=2mm]}] (0,0) node[left] {$a_1$} -- (mul2.south);
215 |         \draw[-{Triangle[length=3mm,width=2mm]}] (2,0) node[right] {$a_2$} -- (mul2.south);
216 |         % Multiplication node
217 |         \draw (5,1.75) node[draw,circle,minimum size=0.1 cm] (mul) {$\times$};
218 |         
219 |         
220 |         % Inputs with arrows at the bottom
221 |         \draw[-{Triangle[length=3mm,width=2mm]}] (4,0) node[left2] {$a_3$} -- (mul.south);
222 |         \draw[-{Triangle[length=3mm,width=2mm]}] (6,0) node[right2] {$a_4$} -- (mul.south);
223 |         % arrows to final mult gate 
224 |         \draw[-{Triangle[length=3mm,width=2mm]}] (mul.north) -- (mul3.south);
225 |         \draw[-{Triangle[length=3mm,width=2mm]}] (mul2.north) -- (mul3.south);
226 |     \end{circuitikz}\nlnp
227 |     $\prv$ has $f(Y_1,Y_2)$. $\ver$ has $\cm(f)$\nl
228 |     Wants to prove to  $\ver$ correctness of   $u\defeq f(0,0)\cdot f(0,1)\cdot f(1,0)\cdot f(1,1)$.
229 |     \end{frame}
230 | 
231 | \begin{frame}
232 |  Define multilinear  ``Intermediate layer function'' $g$:\\
233 |  $g(0)\defeq f(0,0)\cdot f(0,1)$\\
234 |  $g(1)\defeq f(1,0)\cdot f(1,1)$.\nl
235 |  Our claim is $g(0)\cdot g(1)=u$.\nl
236 | Exercise: Can reduce this to evaluating $g(r)$ for one random $r\in \F$.\nl
237 | \textbf{Main goal:} Avoid needing to compute  $\cm(g)$ as ``traditional SNARKs'' would do!
238 | \end{frame}
239 | \begin{frame}
240 |  \frametitle{Interlude: Representing mutlilinear functions via $eq$}
241 |  Recall
242 |  \[eq(x,y)=\prod_{i\in [n]} (x_i y_i +(1-x_i)(1-y_i))\]\pause
243 | \textbf{Claim:} When $h$ is multilinear, we have for any $r$
244 | \[h(r)=\sum_{x\in \cube} eq(r,x)h(x)\]
245 | \end{frame}
246 | 
247 | \begin{frame}
248 |  \frametitle{Heart of GKR - representing $g(r)$ as sum over $f$}
249 |  \[\color{purple}{g(r)=eq(r,0) f(0,0)f(0,1) +eq(r,1)f(1,0)f(1,1)}\]\pause
250 |  \[\color{purple}=\sum_{x\in \bin} f'(x)\]
251 |  where $f'(X)\defeq eq(r,X)f(X,0)f(X,1)$.\nl
252 |  Thus, using SCP can reduce evaluating $g(r)$ to evaluating $f'(r_2)$ for a random $r_2\in \F$.
253 | \end{frame}
254 | 
255 | \begin{frame}
256 |  \frametitle{Evaluating $f'(r_2)$}
257 |  \[f'(r_2)=eq(r,r_2) f(r_2,0) f(r_2,1)\]
258 |  $\ver$ can evaluate $eq(r,r_2)$ itself.\nlnp
259 |  Since it has $\cm(f)$ it can ask $\prv$ for $f(r_2,0),f(r_2,1)$ with proofs of correctness.
260 | \end{frame}
261 | 
262 |  
263 | \end{document}
264 | 


--------------------------------------------------------------------------------
/zkproofs2020.tex:
--------------------------------------------------------------------------------
 1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
 2 | \usepackage[danish]{babel}	
 3 | \usepackage{tikz}
 4 | \usetikzlibrary{shapes, positioning}
 5 | \usenavigationsymbolstemplate{}
 6 | \usepackage{pgfplots}
 7 | \usepackage[absolute,overlay]{textpos}
 8 | 
 9 | %\usepackage[T1]{fontenc}
10 | %\usepackage{fourier}
11 | % Dokumentets sprog
12 | %\usepackage{mathtools}
13 | %\usepackage{pxfonts}
14 | \usepackage{eulervm}
15 | % Class options include: notes, notesonly, handout, trans,
16 | %                        hidesubsections, shadesubsections,
17 | %                        inrow, blue, red, grey, brown
18 | 
19 | % Theme for beamer presentation.
20 | %\usepackage{beamertheme} 
21 | % Other themes include: beamerthemebars, beamerthemelined, 
22 | %                       beamerthemetree, beamerthemetreebars  
23 |  \newcommand{\prot}{\mathbf{P}}
24 | \newcommand{\adv}{\ensuremath{\mathcal A}}
25 | \newcommand{\aggdeg}[1]{\mathfrak{d}(#1)}
26 | \renewcommand{\deg}{\mathrm{deg}}
27 | \newcommand{\xor}{\ensuremath{\oplus}}
28 | \newcommand{\plonk}{\ensuremath{\mathcal{P} \mathfrak{lon}\mathcal{K}}}
29 | \newcommand{\F}{\ensuremath{\mathbb F}}
30 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
31 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
32 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
33 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
34 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
35 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
36 | \newcommand{\defeq}{\ensuremath{:=}}
37 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
38 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
39 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
40 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
41 |  \newcommand{\polys}{\F[X]}
42 | \newcommand{\acc}{{\mathbf{acc}}}
43 | \newcommand{\ideal}{\mathbf{I}}
44 | \newcommand{\gen}{\alpha}
45 | \newcommand{\plookup}{\mathsf{plookup}}
46 | %\setbeamersize{text margin left=3mm,text margin right=3mm} 
47 | \title{\large{Ranged Polynomial Protocols}}    % Enter your title between curly braces
48 | \author{\small{Ariel Gabizon}\\                 % Enter your name between curly braces
49 | \tt{\footnotesize{\textbf{Aztec}\\ (Based on work with Zachary J. Williamson)                                        } }      }% Enter your institute name between curly braces
50 | \date{}                    % Enter the date or \today between curly braces
51 | %\usefonttheme{professionalfonts}
52 | %\usefonttheme[onlymath]{serif}
53 | \begin{document}
54 | \boldmath
55 | % Creates title page of slide show using above information
56 | \begin{frame}
57 |   \titlepage
58 | \end{frame}
59 | 
60 | 
61 | 
62 | \begin{frame}
63 | \frametitle{Divisors on $k(X)$}   % insert frame title between curly braces
64 | 
65 | % \textbf{Preprocessing/inputs:} Predefined polynomials $g_1,\ldots,g_t\in \polysofdeg{d}$\\
66 | % \textbf{Range:} $H\subset\F$.\\ \pause
67 | % \vspace{0.4in}
68 | % \textbf{Protocol:}
69 | $P\defeq = k\cup\infty$. \\ \pause
70 | A divisor is
71 | \[D=\sum_{a\in P}{d_a \cdot [P]\]
72 | where $d_a\in\mathbb{Z}$ is non-zero for finitely many $a$.
73 | 
74 | %  \begin{itemize}
75 | % 
76 | % \item  
77 | % \item At end, $\ver$ asks $\ideal$ if some identity holds between $\set{f_1,\ldots,f_\ell,g_1,\ldots,g_t}$   \textbf{\textit{on $H$}}. 
78 | % 
79 | % \end{itemize}
80 | % 
81 | \end{frame}
82 | \end{document}
83 | 


--------------------------------------------------------------------------------
/zksummit12.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/zksummit12.pdf


--------------------------------------------------------------------------------
/zksummit12.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz,circuitikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | \usepackage{xcolor,pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | \usepackage{amsthm,amsfonts}
  9 | %\usepackage[T1]{fontenc}
 10 | % \usepackage{fullpage}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{eulervm}
 15 | \usepackage[export]{adjustbox}
 16 | \everymath{\color{purple}}
 17 | \definecolor{darkred}{rgb}{0.75, 0, 0.25} 
 18 | % Class options include: notes, notesonly, handout, trans,
 19 | %                        hidesubsections, shadesubsections,
 20 | %                        inrow, blue, red, grey, brown
 21 | 
 22 | % Theme for beamer presentation.
 23 | %\usepackage{beamertheme} 
 24 | % Other themes include: beamerthemebars, beamerthemelined, 
 25 | %                       beamerthemetree, beamerthemetreebars  
 26 | \newcommand{\minus}{\scalebox{0.5}[1.0]{\( - \)}}
 27 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 28 | \newcommand{\F}{\ensuremath{{\mathbb F}}}
 29 | \newcommand{\G}{\ensuremath{{\mathbb G}}}
 30 | \renewcommand{\P}{\ensuremath{{\mathbb P}}}
 31 | \newcommand{\Z}{\ensuremath{{\mathbb Z}}\xspace}
 32 | \newcommand{\Fclosure}{\ensuremath{{\overline{\mathbb{F}}}_p}}
 33 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 34 | \newcommand{\bin}{\ensuremath{\set{0,1}}}
 35 | \newcommand{\cube}{\ensuremath{\bin^n}}
 36 | 
 37 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 38 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 39 | % \newcommand{\kzg}[1]{\ensuremath{\enc{#1(x)}}}
 40 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 41 | \newcommand{\kzg}[1]{\cm(#1)}
 42 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 43 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 44 | \newcommand{\defeq}{\ensuremath{:=}}
 45 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 46 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 47 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 48 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 49 | %  \newcommand{\endoss}{\ensuremath{\mathrm{END}_E}}
 50 |  \newcommand{\hl}[1]{\textbf{\textit{#1}}}
 51 |  \newcommand{\polys}{\F[X]}
 52 | \newcommand{\acc}{{\mathbf{acc}}}
 53 | \newcommand{\rej}{{\mathbf{rej}}}
 54 | \newcommand{\ideal}{\mathbf{I}}
 55 | \newcommand{\gen}{\alpha}
 56 | \newcommand{\spac}{\\  \vspace{0.2in} \noindent}
 57 | \newcommand{\polylog}{\ensuremath{\mathsf{polylog}}\xspace}
 58 | % \renewcommand{\bf}{\begin{frame}}
 59 | % \newcommand{\ef}{\end{frame}}
 60 | %\setbeamersize{text margin left=3mm,text margin right=3mm}  
 61 | \newcommand{\nl}{\\ \pause \vspace{0.2in}}
 62 | \newcommand{\nlnp}{\\ \vspace{0.2in}}
 63 | \newcommand{\stitle}[1]{{\large{\textcolor{purple}{\emph{#1}}}}}
 64 | \DeclareMathAlphabet{\mathpgoth}{OT1}{pgoth}{m}{n}	
 65 | \newcommand{\cq}{\mathpgoth{cq} }
 66 | \newcommand{\cqstar}{\ensuremath{\mathpgoth{cq^{\mathbf{*}} }}\xspace}
 67 | \newcommand{\flookup}{\ensuremath{\mathsf{\mathpgoth{Flookup}}}\xspace}
 68 | \newcommand{\baloo}{\ensuremath{\mathrm{ba}\mathit{loo}}\xspace}
 69 | % \newcommand{\caulkp}{\ensuremath{\mathsf{\mathrel{Caulk}\mathrel{\scriptstyle{+}}}}\xspace}
 70 | \newcommand{\caulk}{\ensuremath{\mathsf{Caulk}}\xspace}
 71 | \newcommand{\plookup}{\ensuremath{\mathpgoth{plookup}}\xspace}
 72 | \newcommand{\srs}{\ensuremath{\mathsf{srs}}}
 73 | \newcommand{\tablegroup}{\ensuremath{\mathbb{H}}\xspace}
 74 | \newcommand{\V}{\ensuremath{\mathbf{V} }\xspace}
 75 | \newcommand{\zfin}{\ensuremath{z_{\mathrm{final}}}}
 76 | \newcommand{\rel}{\ensuremath{\mathcal{R}}}
 77 | \newcommand{\vk}{\ensuremath{\mathrm{vk} }}
 78 | \newcommand{\repr}{\ensuremath{\mathrm{repr} }}
 79 | \newcommand{\numreads}{\ensuremath{\mathbf{numreads} }}
 80 | \newcommand{\add}{\ensuremath{\mathbf{add} }}
 81 | \newcommand{\adds}{\ensuremath{\mathbf{adds} }}
 82 | \newcommand{\cnt}{\ensuremath{\mathpgoth{t} }}
 83 | \newcommand{\addcount}{\ensuremath{\mathpgoth{at} }}
 84 | \renewcommand{\read}{\ensuremath{\mathbf{read} }}
 85 | \newcommand{\reads}{\ensuremath{\mathbf{reads} }}
 86 | \renewcommand{\note}{\ensuremath{\mathfrak{n} }}
 87 | \newcommand{\vknext}{\ensuremath{\mathrm{vk_{next}} }}
 88 | \newcommand{\vkcur}{\ensuremath{\mathrm{vk_{cur}} }}
 89 | \newcommand{\args}{\ensuremath{\mathrm{args} }}
 90 | \newcommand{\stack}{\ensuremath{\mathsf{stack} }}
 91 | \newcommand{\argscur}{\ensuremath{\mathrm{args_{cur}} }}
 92 | \newcommand{\argsnext}{\ensuremath{\mathrm{args_{next}} }}
 93 | % \newcommand{\caulk}{{\mathsf{Caulk}}}
 94 | % \newcommand{\caulkp}{{\mathsf{\mathrel{Caulk}\mathrel{\scriptstyle{+}}}}}
 95 | \newcommand{\bigspace}{\ensuremath{\mathbb{V}}}
 96 | 
 97 | %\setbeamersize{text margin left=3mm,text margin right=3mm} 
 98 | \title{\large{From IVCs to RCGs}}    % Enter your title between curly braces
 99 | \author{\small{Ariel Gabizon}\\                 % Enter your name between curly braces
100 | \tt{\footnotesize{Aztec Labs}                                       } }      % Enter your institute name between curly braces
101 | \date{}                    % Enter the date or \today between curly braces
102 | %\usefonttheme{professionalfonts}
103 | %\usefonttheme[onlymath]{serif}
104 | \begin{document}
105 | \boldmath
106 | % Creates title page of slide show using above information
107 | \begin{frame}
108 |   \titlepage
109 | \end{frame}
110 | 
111 | 
112 | \begin{frame}
113 |  \frametitle{Outline}
114 |  
115 |  \begin{itemize}
116 |   \item The Aztec Smart Contract system
117 |   \item RCG
118 |   \item Global state via log derivative
119 |   \item A theoretical issue
120 |  \end{itemize}
121 | \end{frame}
122 | \begin{frame}
123 |  \frametitle{The Aztec Private Smart Contract System}
124 | A \emph{contract} has functions - represented by \emph{verification keys} .\nlnp
125 | 
126 | $A - \vk_A$\\
127 | $B - \vk_B$\nl
128 | 
129 | Function contracts can 
130 | \begin{itemize}
131 |  \item call other functions in same/other contract
132 |  \end{itemize}
133 |  
134 |  \end{frame}
135 |  
136 | \begin{frame}
137 | \frametitle{How do circuits  ``call each other''?}\pause
138 | \textbf{Example:} Want to prove execution of\nlnp
139 | $A(\args_A)\{$\\
140 | \;\;\;\;..\\
141 | \;\;\;\;..\\
142 | \;\;\;\;$B(\args_B);$\\
143 | \;\;\;\;..\\
144 | \;\;\;\;..\\
145 | $\}$\pause
146 | 
147 | \textit{Idea: $A$'s public input will contain $\vk_B$ and $\args_B$}
148 | 
149 | \end{frame}
150 | \begin{frame}
151 | \frametitle{How do circuits  ``call each other''?}
152 | % \textit{Idea: $A$'s public input will contain $\vk_B$ and $\args_B$}\\
153 | % $x_A=(\args_A,\vk_B,\args_B)$\\
154 | % $x_B=(\args_B)$\nl
155 | Construct proofs - 
156 | \begin{itemize}
157 | \item$\pi_A$ for $A$ with public input $x_A=(\args_A,\vk_B,\args_B)$\pause
158 | \item$\pi_B$ for $B$ with public input $x_B=(\args_B)$\nl
159 |  \end{itemize}
160 |   
161 |   $\ver$ checks 
162 |   \begin{itemize}
163 |    \item 
164 | $(x_A,\pi_A)$ with $\vk_A$\\
165 |        \item     $(x_B,\pi_B)$ with $\vk_B$\nl
166 |   \end{itemize}
167 |   \emph{As $\ver$ enforces $\args_B,\vk_B$ used are \emph{the same} in both checks - corresponds to $A$ ``calling'' $B$. }
168 | \end{frame}
169 |  
170 | \begin{frame}
171 |  \frametitle{Casting as IVC of a fixed function:}
172 |  $\underline{F(\vkcur,x=(\argscur,\vknext,\argsnext),\pi,\stack)}:$\pause
173 |  \begin{enumerate}
174 |   \item Check $(\vkcur,\argscur)$ is top element in $\stack$ and pop it off.\pause
175 |   \item Check that $\ver(\vkcur,x,\pi)=\acc$.\pause
176 |   \item Push $(\vknext,\argsnext)$ to top of \stack.
177 |  \end{enumerate}
178 | 
179 | \end{frame}
180 |  
181 | \begin{frame}
182 |  \frametitle{ But we forgot global state! }
183 | A \emph{contract} has functions - represented by \emph{verification keys} .\nlnp
184 | 
185 | $A - \vk_A$\\
186 | $B - \vk_B$\nlnp
187 | 
188 | {\textcolor{red}{and \emph{notes} representing its state:}}\\
189 | $\note_1$\\
190 | $\note_2$\nl
191 | Function contracts can 
192 | \begin{itemize}
193 |  \item call other functions in same/other contract
194 |  \item \textcolor{red}{add/read/delete contract notes}
195 |  \end{itemize}
196 |  \end{frame}
197 | \begin{frame}
198 |  \frametitle{Global State}
199 |  We add the  note operations \emph{with time stamps} to the public inputs:
200 |  \begin{itemize}
201 | \item $x_A=(\args_A,\vk_B,\args_B,[\read,\note,8])$
202 | \item $x_B=(\vk_B,\args_B,[\add,\note,3])$\nl
203 | \end{itemize} 
204 |  \emph{Problem:} When verifying proof for $A$ we don't know whether in a future IVC iteration we'll see $\note$ created with earlier timestamp.\nl
205 |  
206 |  
207 |  {\fontfamily{garamond}\selectfont ``Order of proving is different than order of execution''}
208 | \end{frame}
209 | \begin{frame}
210 |  \frametitle{RCG - Repeated Computation with Global state}
211 |  Like IVC...but\pause
212 |  \begin{itemize}
213 |   \item Computation ends before proving starts.\pause
214 |   \item Prover memory allowed to depend on size of global state in addition to memory for one iteration.
215 |  \end{itemize}
216 | 
217 | \end{frame}
218 | \begin{frame}
219 |  \frametitle{RCG - Simplified dfn}\pause
220 | \noindent
221 | \begin{itemize}
222 | \item \emph{Transition predicate:} $F\to \{\acc,\rej\}$. 
223 | \item \emph{Final predicate:} $f\to \set{\acc,\rej}$.\pause
224 | \end{itemize}
225 | The RCG relation $\rel_{F,f}$ consists of pairs $(X,W)$ 
226 | $X=(\zfin,n),W=(z=(z_0,\ldots,z_n),$ $w=(w_1\ldots,w_n),s=(s_1,\ldots,s_n))$ such that\pause
227 | \begin{itemize}
228 |  \item $z_n=\zfin$.\pause
229 |  \item For each $i\in [n]$, $F(z_{i-1},w_i,z_i,s_i)=\acc$.\pause
230 |  \item $f(s_1,\ldots,s_n)=\acc$.\pause
231 | \end{itemize}
232 | 
233 | 
234 | We say a zk-SNARK for $\rel_{F,f}$ is \emph{space-efficient} if $\prv$ requires space $\sim$ $O(|F|+|s|)$.
235 | \end{frame}
236 | \begin{frame}
237 | \frametitle{ D\'ej\`a vu from previous talk: Memory checks with log-derivative {\small [Eagen22, Hab{\"{o}}ck22]}}
238 | In $\add$ op, add the number of times $\note$ is read
239 |  $a=(\add,\note,\cnt,\numreads)$\nl
240 | In $\read$ op, add the timestamp $\addcount$ of $\note$'s addition.
241 |  $r=(\read,\note,\addcount,\cnt)$.\nl
242 | 
243 | \begin{itemize}
244 |  \item For each read $r$ we check that $\addcount<\cnt$.\pause
245 |  \item Prover hashes note operations from all function calls to get challenge $\beta\in \F$.\pause
246 |  \item Final predicate will check that
247 |  \[\textcolor{darkred}{\sum_{r\in \reads} \frac{1}{\note + \beta \cdot \addcount} = \sum _{a\in \adds}\frac{\numreads}{\note+\beta \cdot \cnt}} \]
248 | \end{itemize}
249 | 
250 | \end{frame}
251 | \begin{frame}
252 |  \frametitle{Theoretical interlude - The recursive Algebraic Model {\small [LS23]}}
253 |  AGM{\small [FKL]} - Given SRS $v\in \G^n$,
254 |  when $\adv$ outputs $a\in \G$ it must output
255 |  $c\in \F^n$ such that $a=\sum_{i=1}^n c_i v_i$.\nl
256 |  
257 |  Fix in advance $\repr:\G\to \F^2$.\nl 
258 |  What if for some $i<n$, $(c_i,c_{i+1}) = \repr(b)$ for some $b\in \G$?\\ \pause
259 |  Then a \emph{recursive algebraic adversary} must also output $c'\in \F^n$ with
260 |  $b=\sum_{i=1}^n c'_i v_i$.\nl
261 |  \textbf{Is this legit?}
262 | \end{frame}
263 | 
264 | \begin{frame}
265 | 
266 |  For more details see:
267 |  \begin{figure}
268 |   \includegraphics[width=260pt]{stackproofs.png}
269 | \end{figure}
270 | \end{frame}
271 | % 
272 | \end{document}
273 | 


--------------------------------------------------------------------------------
/zksummit8.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/zksummit8.pdf


--------------------------------------------------------------------------------
/zksummit8.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | \usepackage{amsthm}
  9 | %\usepackage[T1]{fontenc}
 10 | % \usepackage{fullpage}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{eulervm}
 15 | 
 16 | % Class options include: notes, notesonly, handout, trans,
 17 | %                        hidesubsections, shadesubsections,
 18 | %                        inrow, blue, red, grey, brown
 19 | 
 20 | % Theme for beamer presentation.
 21 | %\usepackage{beamertheme} 
 22 | % Other themes include: beamerthemebars, beamerthemelined, 
 23 | %                       beamerthemetree, beamerthemetreebars  
 24 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 25 | \newcommand{\F}{\ensuremath{{\mathbb F}_p}}
 26 | \newcommand{\Z}{\ensuremath{{\mathbb Z}}\xspace}
 27 | \newcommand{\Fclosure}{\ensuremath{{\overline{\mathbb{F}}}_p}}
 28 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 29 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 30 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 31 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 32 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 33 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 34 | \newcommand{\defeq}{\ensuremath{:=}}
 35 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 36 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 37 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 38 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 39 | %  \newcommand{\endoss}{\ensuremath{\mathrm{END}_E}}
 40 |  \newcommand{\hl}[1]{\textbf{\textit{#1}}}
 41 |  \newcommand{\polys}{\F[X]}
 42 | \newcommand{\acc}{{\mathbf{acc}}}
 43 | \newcommand{\ideal}{\mathbf{I}}
 44 | \newcommand{\gen}{\alpha}
 45 | \newcommand{\spac}{\\  \vspace{0.2in} \noindent}
 46 | \newcommand{\polylog}{\ensuremath{\mathsf{polylog}}\xspace}
 47 | % \renewcommand{\bf}{\begin{frame}}
 48 | % \newcommand{\ef}{\end{frame}}
 49 | %\setbeamersize{text margin left=3mm,text margin right=3mm}  
 50 | \newcommand{\nl}{\\ \pause \vspace{0.2in}}
 51 | \newcommand{\nlnp}{\\ \vspace{0.2in}}
 52 | \newcommand{\stitle}[1]{{\large{\textcolor{purple}{\emph{#1}}}}}
 53 | \title{\large{A gentle  introduction to Hasse's theorem}}    % Enter your title between curly braces
 54 | \author{{Ariel Gabizon}\\                 % Enter your name between curly braces
 55 | \tt{\small{Aztec} } }      % Enter your institute name between curly braces
 56 | \date{}                    % Enter the date or \today between curly braces
 57 | %\usefonttheme{professionalfonts}
 58 | %\usefonttheme[onlymath]{serif}
 59 | \begin{document}
 60 | \boldmath
 61 | % Creates title page of slide show using above information
 62 | \begin{frame}
 63 |   \titlepage
 64 | \end{frame}
 65 |                            % typeset with the notes or notesonly class options
 66 | 
 67 | %\section[Outline]{}
 68 | 
 69 | % Creates table of contents slide incorporating
 70 | % all \section and \subsection commands
 71 | %\begin{frame}
 72 |   %\tableofcontents
 73 | %\end{frame}
 74 | 
 75 | \begin{frame}
 76 | \frametitle{Motivation}
 77 | Opening the black-box of elliptic curves can 
 78 | bring interesting results.
 79 |  \begin{figure}
 80 |   \includegraphics[width=150pt]{zkecc.png}
 81 | % \end{figure}
 82 | %  \begin{figure}
 83 |   \includegraphics[width=150pt]{ecfft.png}
 84 | \end{figure}
 85 | 
 86 | \end{frame}
 87 | \begin{frame}
 88 | Curve $E$ over \F.
 89 | \[y^2=x^3+ax+b\]\pause
 90 |  $N\defeq$ number of points over \F.\pause
 91 |  \begin{itemize}
 92 |  \item $N\geq 1$ - cause always have point at infinity.\pause
 93 |  \item $N\leq 2p+1$ - cause at most two $y$'s for each $x\in \F$.\nl
 94 | \end{itemize}
 95 | \hl{Hasse's thm:} Set $a\defeq p+1-N$. Then $|a|\leq 2\sqrt p$.
 96 | \end{frame}
 97 | \begin{frame}
 98 | \frametitle{Hasse's thm is foundational for EC cryptography}
 99 | \hl{Hasse's thm:} $|p+1 -N|\leq 2\sqrt p$.\nlnp
100 | \textit{Want $E$ of size $N\sim 2^m$?} \nl
101 | 
102 | 
103 | Just pick prime $p$ with $m$ bits,
104 | and take \emph{any} elliptic curve $E$ over \F.\nl
105 | % any $a,b\in\F$  with $4a^3+27b^2\neq 0$\nlnp
106 | 
107 | % and take curve $y^2=x^3+ax+b$.\nl
108 | \end{frame}
109 | 
110 | \begin{frame}
111 | \frametitle{The proof begins with some junior-high algebra}
112 | set $a\defeq p+1-N$.
113 | 
114 | and $L(X)
115 | \defeq X^2-aX+p
116 | $\nl
117 | 
118 | 
119 | % Write $L(X)=(X-\omega_1)(X-\omega_2), \omega_i\in \mathbb{C}$. \pause
120 | % Enough to show $\omega_1,\omega_2\notin {\mathbb R}$:\nl
121 | Enough to show $L$'s roots are not in $\mathbb{R}$:\nl
122 | 
123 | It would imply:
124 | \[\Delta=
125 | a^2-4p<0
126 | \rightarrow |a|<2\sqrt p\]\nl
127 | % (for prime p cannot hit the = case cause 2sqrt(p) is not an integer)
128 | % We begin by showing an \textbf{endomorphism} is a ``root'' of $L$.
129 | \end{frame}
130 | \begin{frame}
131 | $a\defeq p+1-N$. $L(X)= X^2-aX+p$\nl
132 |  \hl{Claim:} When $p$ is prime, $L$'s roots cannot be in $\mathbb{Z}$.\nl
133 |  \hl{proof:}
134 |  Write $L(X)=(X-\omega_1)(X-\omega_2)$.
135 | %  where $\omega_1,\omega_2\in \mathbb{C}$.
136 |  We have $p=\omega_1\cdot \omega_2$, $a=\omega_1+\omega_2$.\nl
137 |  Only options for $\set{\omega_1,\omega_2}$:\nl
138 |  \begin{itemize}
139 |   \item $\set{1,p}$,  but then $a=p+1\Rightarrow N=0$.\pause
140 |   \item $\set{-1,-p}$, but then $N=2p+2$. 
141 |  \end{itemize}
142 | 
143 | \end{frame}
144 | 
145 | 
146 | \begin{frame}
147 | \frametitle{Elliptic curve endomorphisms}
148 | 
149 | % \textbf{EC Endomorphisms:} 
150 | \emph{Homomorphisms $\psi:E(\Fclosure)  \to E(\Fclosure)$ that ``know'' $E$ is an EC}\nl
151 | \begin{itemize}
152 |  \item 
153 | $\psi(P+Q) = \psi(P)+\psi(Q)$
154 | \item $\psi(0) = 0$\pause
155 | \item When $P=(x,y)$,
156 | $\psi(x,y) = (r(x,y),s(x,y))$
157 | for some rational functions $r,s$ over \F.\pause
158 | \end{itemize}
159 | EC endomorphisms are a \emph{ring} $\mathrm{END}_E$: $\psi_1\cdot \psi_2(P) \defeq \psi_1(\psi_2(P))$.
160 | \end{frame}
161 | \begin{frame}
162 | \frametitle{Elliptic curve endomorphisms}
163 | 
164 | \hl{Example 1:}
165 | $P-> c\cdot P$   for  integer c. \pause
166 | 
167 | % In fact, except for super-singular curves, all endomorphisms over $\F$ are combinations 
168 | % of these two.
169 | % \textit{(Let's assume $E$'s not super-singular from now on)}
170 | \end{frame}
171 | 
172 | \begin{frame}
173 | \frametitle{The Frobenius endomorphism}
174 | 
175 | \hl{Example 2:}
176 |  $\phi(x,y)=(x^p,y^p)$.\pause
177 |  \begin{itemize}
178 |   \item Not the identity map because we're looking at points over \Fclosure.\pause
179 |   \item It's really an endomorphism, basically cause $(A+B)^p = A^p+B^p$:\pause
180 |   \[y^2-x^3-ax-b=0\]\pause
181 |   \[\Rightarrow \left(y^2-x^3-ax-b\right)^p=0\]\pause
182 |   \[\Rightarrow (y^p)^2-(x^p)^3-a(x^p)-b =0\]\pause
183 |   \[\Rightarrow (x^p,y^p)\in E.\]
184 | 
185 |  \end{itemize}
186 | 
187 | \end{frame}
188 | 
189 | 
190 | 
191 | \begin{frame}
192 | % \frametitle{First we find a root in $\mathrm{END}_E$..}
193 | $\phi(x,y)=(x^p,y^p)$. $L(X)=X^2-aX+p$.\nlnp
194 | % Reminder: $L
195 | 
196 | \hl{Lemma:} $\phi$ is a ``root'' of $L$.\nl
197 | I.e., $\phi^2-a\cdot \phi + p$ is the all zero map.\nl
198 | i.e.,  $\forall (x,y)\in E$:
199 | \[ (x^{p^2},y^{p^2})-a\cdot (x^p,y^p)+p\cdot (x,y)=0_E\]\nl
200 | 
201 | maybe interesting for snark optimizers: 
202 | 
203 | $p\cdot (x,y) = a\cdot (x^p,y^p) - (x^{p^2},y^{p^2})$
204 | \end{frame}
205 | 
206 | % \begin{frame}
207 | % \textit{Interesting proof elements of lemma:}
208 | % 
209 | % $E_n\defeq \set{P\in E,n\cdot P=0}$. When $gcd(n,p)=1$, $E_n=\mathbb{Z}_n\times \mathbb{Z}_n$ .\nl
210 | % $\rightarrow$ $\phi$ action on $E_n$ can be described by $2\times 2$ matrix $\phi_n$ over $\mathbb{Z}_n$.\nl
211 | %  Can show: 
212 | % $\mathrm{det}(\phi_n) = p\; \mathrm{mod}\; n$,   $\mathrm{trace}(\phi_n) = a\; \mathrm{mod} \;n$\nlnp
213 | % Using Cayley-Hamilton follows that $L(\phi_n)=0$.
214 | % 
215 | % 
216 | % \end{frame}
217 | \begin{frame}
218 |  $\phi$ is a ``root'' of $L$. Left to show it corresponds to a complex imaginary number that is also a root of $L$.\nl
219 |  This is where \emph{complex multiplication} comes in.
220 | \end{frame}
221 | 
222 | \begin{frame}
223 | \frametitle{Complex multiplication over characteristic $p$}
224 | \hl{Thm:}There is an isomorphism $T$ from
225 |  $\mathrm{END}_E$ to a ring
226 | $R_E = \mathbb{Z}+\mathbb{Z}\cdot d$, for some $d\in \mathbb{C}\setminus \mathbb{R}$.\nl
227 | % (p. 314, a = c*sqrt(-d) for pos integer c)
228 | 
229 | \[L(T(\phi))=T(L(\phi))=T(0_{\mathrm{END}_E})=0\]\nl
230 | So $\omega\defeq T(\phi)$ is a root of $L$!\nl
231 | We showed before $\omega \notin \mathbb{Z}$ so must have 
232 | $\omega\notin \mathbb{R}$ and we're done!
233 | \end{frame}
234 | \begin{frame}
235 | \frametitle{Historical context}
236 | Where did this last thm come from?
237 | Torus/curve equivalence over complex numbers.\nl
238 | $L$ is related to the zeta function of the elliptic curve, and RH for curve actually shows
239 | $|\omega_1|=|\omega_2|=\sqrt p$. 
240 | 
241 | \end{frame}
242 | 
243 | 
244 | 
245 | \begin{frame}
246 |  \hl{Sources:}
247 |  \begin{itemize}
248 |   \item 
249 | 
250 |  \emph{Elliptic curves number theory and cryptography} - Lawrence C. Washington.
251 |   \item 
252 |  \emph{The Riemann Hypothesis in Characteristic $p$ in Historical Perspective} - Peter Roquette
253 |  \end{itemize}
254 |  \vspace{0.5in}
255 |   Thanks to Aztec crypto team for comments!
256 | \end{frame}
257 | 
258 | 
259 | 
260 | 
261 | 
262 | 
263 | 
264 | 
265 | 
266 | 
267 | % \begin{frame}
268 | % Sidenote: exists curves over extension field where$ (x^p,y^p) = b(x,y)$ for some b
269 | % i.e. frob is integer
270 | % \end{frame}
271 | 
272 | \end{document}
273 | 


--------------------------------------------------------------------------------
/zksummit9.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/zksummit9.pdf


--------------------------------------------------------------------------------
/zksummit9.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | \usepackage{amsthm,amsfonts}
  9 | %\usepackage[T1]{fontenc}
 10 | % \usepackage{fullpage}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{eulervm}
 15 | \usepackage[export]{adjustbox}
 16 | \everymath{\color{purple}}
 17 | % Class options include: notes, notesonly, handout, trans,
 18 | %                        hidesubsections, shadesubsections,
 19 | %                        inrow, blue, red, grey, brown
 20 | 
 21 | % Theme for beamer presentation.
 22 | %\usepackage{beamertheme} 
 23 | % Other themes include: beamerthemebars, beamerthemelined, 
 24 | %                       beamerthemetree, beamerthemetreebars  
 25 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 26 | \newcommand{\F}{\ensuremath{{\mathbb F}}}
 27 | \newcommand{\Z}{\ensuremath{{\mathbb Z}}\xspace}
 28 | \newcommand{\Fclosure}{\ensuremath{{\overline{\mathbb{F}}}_p}}
 29 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 30 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 31 | \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 32 | % \newcommand{\kzg}[1]{\ensuremath{\enc{#1(x)}}}
 33 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 34 | \newcommand{\kzg}[1]{\cm(#1)}
 35 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 36 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 37 | \newcommand{\defeq}{\ensuremath{:=}}
 38 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 39 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 40 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 41 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 42 | %  \newcommand{\endoss}{\ensuremath{\mathrm{END}_E}}
 43 |  \newcommand{\hl}[1]{\textbf{\textit{#1}}}
 44 |  \newcommand{\polys}{\F[X]}
 45 | \newcommand{\acc}{{\mathbf{acc}}}
 46 | \newcommand{\ideal}{\mathbf{I}}
 47 | \newcommand{\gen}{\alpha}
 48 | \newcommand{\spac}{\\  \vspace{0.2in} \noindent}
 49 | \newcommand{\polylog}{\ensuremath{\mathsf{polylog}}\xspace}
 50 | % \renewcommand{\bf}{\begin{frame}}
 51 | % \newcommand{\ef}{\end{frame}}
 52 | %\setbeamersize{text margin left=3mm,text margin right=3mm}  
 53 | \newcommand{\nl}{\\ \pause \vspace{0.2in}}
 54 | \newcommand{\nlnp}{\\ \vspace{0.2in}}
 55 | \newcommand{\stitle}[1]{{\large{\textcolor{purple}{\emph{#1}}}}}
 56 | \DeclareMathAlphabet{\mathpgoth}{OT1}{pgoth}{m}{n}	
 57 | \newcommand{\cq}{\mathpgoth{cq} }
 58 | \newcommand{\cqstar}{\ensuremath{\mathpgoth{cq^{\mathbf{*}} }}\xspace}
 59 | \newcommand{\flookup}{\ensuremath{\mathsf{\mathpgoth{Flookup}}}\xspace}
 60 | \newcommand{\baloo}{\ensuremath{\mathrm{ba}\mathit{loo}}\xspace}
 61 | % \newcommand{\caulkp}{\ensuremath{\mathsf{\mathrel{Caulk}\mathrel{\scriptstyle{+}}}}\xspace}
 62 | \newcommand{\caulk}{\ensuremath{\mathsf{Caulk}}\xspace}
 63 | \newcommand{\plookup}{\ensuremath{\mathpgoth{plookup}}\xspace}
 64 | \newcommand{\srs}{\ensuremath{\mathsf{srs}}}
 65 | \newcommand{\tablegroup}{\ensuremath{\mathbb{H}}\xspace}
 66 | \newcommand{\V}{\ensuremath{\mathbf{V} }\xspace}
 67 | % \newcommand{\caulk}{{\mathsf{Caulk}}}
 68 | % \newcommand{\caulkp}{{\mathsf{\mathrel{Caulk}\mathrel{\scriptstyle{+}}}}}
 69 | \newcommand{\bigspace}{\ensuremath{\mathbb{V}}}
 70 | \newcommand{\papertitle}{Speeding up SNARKs with cached quotients}
 71 | %\newcommand{\authorname}}
 72 | \newcommand{\company}{}
 73 | \title{ \bf \papertitle \\[0.72cm]}
 74 |     \author{Ariel Gabizon} 
 75 | 
 76 | %\usefonttheme{professionalfonts}
 77 | %\usefonttheme[onlymath]{serif}
 78 | \begin{document}
 79 | \boldmath
 80 | % Creates title page of slide show using above information
 81 | \begin{frame}
 82 |   \titlepage
 83 | \end{frame}
 84 |                            % typeset with the notes or notesonly class options
 85 | 
 86 | %\section[Outline]{}
 87 | 
 88 | % Creates table of contents slide incorporating
 89 | % all \section and \subsection commands
 90 | \begin{frame}
 91 | \frametitle{The triology of pairing-based SNARKs}\pause
 92 | 
 93 | \begin{enumerate}
 94 |  \item \textbf{A new hope (for SNARKs, not the universe)} - [Groth10,\textbf{GGPR},...,Groth16]\pause 
 95 |  \vspace{0.2in}
 96 |  \item  \textbf{The polynomial commitment scheme strikes back} - [vsql,\textbf{Sonic},Plonk,Marlin,...]\pause 
 97 |  \vspace{0.2in}
 98 |  
 99 |  \item  \textbf{Return of the pairing} - [Caulk,...]
100 |  
101 | \end{enumerate}
102 | 
103 | \end{frame}
104 | \begin{frame}
105 |  \frametitle{First a short KZG Reminder..}   % Insert frame title between curly braces
106 |  $\srs \defeq \enc{1},\enc{x},\ldots,\enc{x^d}$, for random $x\in \F$.\\ 
107 |  $\cm(f)\defeq   \enc{f(x)}$\\ 
108 |  \vspace{0.2in}
109 |  Nice features:\pause
110 |  \begin{itemize}
111 |   \item \textbf{Linearity:} $\cm(f+g) = \cm(f)+\cm(g)$\pause
112 |   \item \textbf{Product checks:} Given $\cm(f_1),\cm(f_2),\cm(g_1),\cm(g_2)$ can check $f_1(X)f_2(X)\stackrel{?}{\equiv} g_1(X)g_2(X)$ via pairings.\\
113 |   (Secure in the Algebraic Group Model)
114 |  \end{itemize}
115 | 
116 | \end{frame}
117 | 
118 | \begin{frame}
119 |  \frametitle{ The first scene of chapter three from $\mathsf{Caulk}$}\pause
120 |  $Z_T(X)=\prod_{a\in T} (X-a)$ 
121 |  a vanishing polynomial of a subset $T\subset \F$.\nl
122 |  $\cm(Z_T),\cm(f)$ given to verifier.\pause \\
123 |  Prover wants to show $f=Z_S$ for some $S\subset T$.\pause
124 |  \begin{figure}
125 |   \includegraphics[width=80pt]{jabba.png}
126 |   \includegraphics[width=120pt]{luke.png}
127 | \end{figure}
128 |  
129 |  \textit{``Do it in  $O(|S|)$ prover operations or  be thrown in the pit!''} (think $|S|<<|T|$)
130 | \end{frame}
131 | \begin{frame}
132 |  The quotient $Z_{T\setminus S}(X) =\frac{Z_T(X)}{Z_S(X)}$ is a ``witness'' to $S\subset T$. \nl
133 | \begin{itemize}
134 |  \item Enough to compute \textbf{commitment} to $Z_{T\setminus S}$. \pause
135 |  \item This commitment is a \textbf{sparse combination} of commitments we can \textbf{precompute}.
136 | \end{itemize}
137 | \emph{details in next slide..}
138 | \end{frame}
139 | 
140 | \begin{frame}
141 | % \frametitle{Fractional decomposition:}
142 |  For each $i\in T$, let $g_i(X)\defeq Z_{T\setminus\set{i}}(X)$.\nl
143 |  We have {\small[Tomescu et. al]}
144 |  \[\color{purple}Z_{T\setminus S} (X) = \sum_{i\in S} c_i\cdot g_i(X)\]
145 |  for some $c_i\in \F$.\nl
146 |  
147 | 
148 |  We precompute $\cm(Z_T),\sett{\cm(g_i)}{i\in T}$.\nlnp
149 | \end{frame} 
150 |  \begin{frame}
151 |  Prover then computes in $|S|$ operations:
152 |  \[\color{purple}\pi:=\cm(Z_{T\setminus S}) = \sum_{i\in S} c_i\cdot \cm(g_i)\]\nl
153 | Verifier checks with pairing that:
154 | \[\color{purple}e(\cm(f),\pi) =e(\cm(Z_T),\enc{1})\]
155 | \end{frame}
156 | 
157 | 
158 | 
159 |  
160 | \begin{frame}
161 |  \frametitle{Sparse polynomials}
162 |  parameters $n<<N$.\nl
163 |  $B=\set{B_1(X),\ldots,B_N(X)}$ linearly independent set of polynomials.\nl
164 | \textbf{Dfn:} $A\in \F[X]$  is \emph{$n$-sparse} in base $B$, if we can write
165 | \[\color{purple} A(X)=\sum_{i\in [N]} a_i\cdot B_i(X)\]
166 | where only $n$ $a_i$'s are non-zero.\nl
167 | 
168 | \emph{Default case:} $B$ is Lagrange base of subgroup of size $N$.
169 | \end{frame}
170 | % 
171 | \begin{frame}
172 |  \frametitle{Committing to sparse polynomials}
173 |  We can precompute the KZG commitments for $B$:\\
174 | $\srs_B \defeq \set{\kzg{B_1},\ldots,\kzg{B_N}}$\nl
175 | 
176 | Later, for $n$-sparse $A(X)$ we can compute 
177 | \[\color{purple}\cm(A)=\sum_{i\in [N], a_i\neq 0} a_i\cdot \kzg{B_i}
178 | \]
179 | in $n$ operations. 
180 | \end{frame}
181 | \begin{frame}
182 |  \frametitle{Cached quotients method}
183 |  \textbf{Scenario:}
184 | $T(X),Z(X)$ preprocessed polys. $\deg(Z)=N$.\nl
185 | {\color{blue} Input:} $n$-sparse $A(X)$, and some $R(X)$ of deg$<N$.\\
186 | 
187 | $V$ has $\cm(A),\cm(R)$. \nl
188 | Want to prove to $V$ that:
189 | \[\color{purple}A(X)T(X)\equiv R(X) \; \mod\; Z(X)\]
190 |  \textit{using $O(n)$ prover operations}.
191 | 
192 | \end{frame}
193 | \begin{frame}
194 | \frametitle{Cached quotients method}
195 | There exists quotient $Q(X)$ such that $A\cdot T= Z\cdot Q+R$.\nl
196 | 
197 | We'll compute $\kzg{Q}$ in $n$ operations:\nl
198 | 
199 | 
200 | \textbf{preprocessing:}
201 | For each $i\in [N]$, compute $\kzg{Q_i}$ such that for some $R_i(X)\in \polysofdeg{N}$
202 | \[\color{purple} B_i(X)\cdot T(X) = Q_i(X)\cdot Z(X) +R_i(X)\]\pause
203 | 
204 | Also precompute $\kzg{Z},\kzg{T}$
205 | \end{frame}
206 | \begin{frame}
207 | \frametitle{$Q$ ``inherits'' $A$'s sparseness}
208 | {\small \emph{$A(X)=\sum_{i} a_i B_i(X)$}}\\
209 | After preprocessing, prover can compute and send
210 | \[\color{purple} \kzg{Q}=\sum_{i\in [N],a_i\neq 0} a_i \cdot \kzg{Q_i}\]\nl
211 | Verifier can then check with pairings:
212 | \[\color{purple} AT\stackrel{?}{=}QZ+R\]
213 | % \[\color{purple} e(\kzg{A},\kzg{T})=e(\kzg{Q},\kzg{Z})e(\kzg{R},\enc{1})\]
214 | \end{frame}
215 | 
216 |     
217 | 
218 | \begin{frame}
219 | \frametitle{Application  1: lookups }
220 | Preprocessed table $T$ of size $N$, witness $f$ of size $n$, $n<<N$. Want to check $f_i\in T$ for each $i\in [n]$\nl 
221 | {\color{blue} \small{[Caulk,...,$\cq$]}}: Can be done in  prover time $O(n\log n)$. \\
222 | \emph{\small (improved plookup's $O(N\cdot \log N)$)}\nl
223 | \textbf{proof sketch:} In log-derivative lookup {\color{blue} \small [Eagen,Hab{\"{o}}ck,..]} prover multiplies $n$-sparse poly with 
224 | a preprocessed poly representing the table - \emph{good fit for cached quotients method.}
225 |  
226 | \end{frame}
227 | \begin{frame}
228 | \frametitle{Application 2: lincheck}
229 | Fixed $n\times n$ matrix $M$.\nl
230 | Prover has poly $f\in \polysofdeg{n}$.
231 | Verifier $\cm(f)$.
232 | $a\defeq f|_H$ for subgroup $H$ of size $n$.\nl
233 | 
234 | Prover wants to show $M\cdot a =0$
235 | \emph{in $O(n)$ operations.}\nl
236 | 
237 | Let $L_1,\ldots,L_n$ be a Lagrange basis for $H$.
238 | 
239 | 
240 | \end{frame}
241 | \begin{frame}
242 |  \frametitle{Reducing to cached quotients:}
243 |  Represent $M$ by degree $\sim n^2$ polynomial
244 |  \[\color{purple} M(X)\defeq \sum_{i,j \in [n]} M_{i,j} L_i(X^n)L_j(X)\]
245 | Let $Z(X)\defeq X^{n^2}-1$.\nl
246 | Let $A(X)\defeq f(X^n)$, $R\defeq A\cdot M \mod Z$.\nl
247 | We have
248 | \[\color{purple} R(X)=\sum_{j\in [n]}L_j(X) \sum_{i\in [n]} a_i\cdot M_{i,j}L_i(X^n).\]\pause
249 | So $M\cdot a =0$ iff $R(X)\equiv 0 \mod X^n$.
250 | % 
251 | \end{frame}
252 | \begin{frame}
253 | Note that $A$ is $n$-sparse in the basis $\set{L_i(X^n)}$\nl
254 | Use cached quotients twice to show
255 | \begin{enumerate}
256 |  \item 
257 |  $A(X)\cdot M(X) \equiv R(X) \mod Z(X).$
258 |  \item $R(X)\equiv 0 \mod X^n$.\nl
259 | \end{enumerate}
260 | \textit{Important point:} $R(X)$ is sparse in appropriate base of remainders in multiplication of $M$ modulu $Z$.
261 |   
262 | \end{frame}
263 | 
264 | \begin{frame}
265 | \frametitle{Generalizing: The ``cached commitments methodology''}
266 |  Given a polynomial IOP using prover poly $f$ that
267 |  \begin{itemize}
268 |   \item has high degree, but
269 |   \item \emph{low sparsity} in a preknown basis of polynomials $B_1,\ldots,B_d$
270 |   \item Is only used in degree$\leq 2$ verifier equations.
271 |  \end{itemize}
272 |  we can\pause
273 |  \begin{enumerate}
274 |   \item Precompure the KZG commitments to $B_1,\ldots,B_d$.
275 |   \item In protocol time, only compute \emph{commitment} to $f$ from pre-computed commitments
276 |   \item Use pairings to directly check verifier equations between commitments.
277 |  \end{enumerate}
278 |  \end{frame}
279 | \end{document}
280 | 


--------------------------------------------------------------------------------
/zkwarsawlookupaug23.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/arielgabizon/Lectures/f08d9649c29d8c181184df97aa29c11996086c1e/zkwarsawlookupaug23.pdf


--------------------------------------------------------------------------------
/zkwarsawlookupaug23.tex:
--------------------------------------------------------------------------------
  1 | \documentclass[shadesubsections,compress,14pt,mathserif]{beamer}
  2 | \usepackage[danish]{babel}	
  3 | \usepackage{tikz}
  4 | \usetikzlibrary{shapes, positioning}
  5 | \usenavigationsymbolstemplate{}
  6 | % \usepackage{pgfplots}
  7 | \usepackage[absolute,overlay]{textpos}
  8 | \usepackage{amsthm,amsfonts,amsmath}
  9 | %\usepackage[T1]{fontenc}
 10 | % \usepackage{fullpage}
 11 | % Dokumentets sprog
 12 | %\usepackage{mathtools}
 13 | %\usepackage{pxfonts}
 14 | \usepackage{eulervm}
 15 |  \usepackage{numdef,graphicx}
 16 | \usepackage{framed} 
 17 | 
 18 | % Class options include: notes, notesonly, handout, trans,
 19 | %                        hidesubsections, shadesubsections,
 20 | %                        inrow, blue, red, grey, brown
 21 | 
 22 | % Theme for beamer presentation.
 23 | %\usepackage{beamertheme} 
 24 | % Other themes include: beamerthemebars, beamerthemelined, 
 25 | %                       beamerthemetree, beamerthemetreebars  
 26 | %  \usepackage[latexcolors]
 27 | \everymath{\color{purple}}
 28 | \newcommand{\adv}{\ensuremath{\mathcal A}}
 29 | \newcommand{\F}{\ensuremath{{\mathbb F}}}
 30 | \newcommand{\Z}{\ensuremath{{\mathbb Z}}\xspace}
 31 | \newcommand{\Fclosure}{\ensuremath{{\overline{\mathbb{F}}}_p}}
 32 | \newcommand{\set}[1]{\ensuremath{\left\{#1\right\}}}
 33 | \newcommand{\sett}[2]{\ensuremath{\left\{#1\right\}_{#2}}}
 34 | % \newcommand{\enc}[1]{\ensuremath{\left[#1\right ]}}
 35 | \newcommand{\enc}[1]{\ensuremath{#1\cdot G}}
 36 | \newcommand{\kzg}[1]{\ensuremath{\enc{#1(x)}}}
 37 | \newcommand{\cm}{\ensuremath{\mathsf{cm}}}
 38 | \newcommand{\open}[1]{\ensuremath{\mathsf{open}(#1)}}
 39 | \newcommand{\verify}[1]{\ensuremath{\mathsf{verify}(#1)}}
 40 | \newcommand{\defeq}{\ensuremath{:=}}
 41 | \newcommand{\helper}{\ensuremath{\mathcal{H}}}
 42 | \newcommand{\ver}{\ensuremath{\mathcal{V}}}
 43 | \newcommand{\prv}{\ensuremath{\mathcal{P}}}
 44 |  \newcommand{\polysofdeg}[1]{\F_{< #1}[X]}
 45 | %  \newcommand{\endoss}{\ensuremath{\mathrm{END}_E}}
 46 |  \newcommand{\hl}[1]{\textbf{\textit{#1}}}
 47 |  \newcommand{\polys}{\F[X]}
 48 | \newcommand{\acc}{{\mathbf{acc}}}
 49 | \newcommand{\ideal}{\mathbf{I}}
 50 | \newcommand{\gen}{\alpha}
 51 | \newcommand{\spac}{\\  \vspace{0.2in} \noindent}
 52 | \newcommand{\polylog}{\ensuremath{\mathsf{polylog}}\xspace}
 53 | % \renewcommand{\bf}{\begin{frame}}
 54 | % \newcommand{\ef}{\end{frame}}
 55 | %\setbeamersize{text margin left=3mm,text margin right=3mm}  
 56 | \newcommand{\nl}{\\ \pause \vspace{0.2in}}
 57 | \newcommand{\nlnp}{\\ \vspace{0.2in}}
 58 | \newcommand{\stitle}[1]{{\large{\textcolor{purple}{\emph{#1}}}}}
 59 | \DeclareMathAlphabet{\mathpgoth}{OT1}{pgoth}{m}{n}	
 60 | \newcommand{\cq}{\mathpgoth{cq} }
 61 | \newcommand{\cqstar}{\ensuremath{\mathpgoth{cq^{\mathbf{*}} }}}
 62 | \newcommand{\flookup}{{\mathsf{\mathpgoth{Flookup}}}}
 63 | \newcommand{\baloo}{{\mathrm{ba}\mathit{loo}}}
 64 | \newcommand{\caulkp}{{\mathsf{\mathrel{Caulk}\mathrel{\scriptstyle{+}}}}}
 65 | \newcommand{\caulk}{{\mathsf{Caulk}}}
 66 | \newcommand{\plookup}{\ensuremath{\mathpgoth{plookup}}\xspace}
 67 | \newcommand{\srs}{\ensuremath{\mathsf{srs}}}
 68 | \newcommand{\tablegroup}{\ensuremath{\mathbb{H}}\xspace}
 69 | \newcommand{\V}{\ensuremath{\mathbf{V} }\xspace}
 70 | \newcommand{\bigspace}{\ensuremath{\mathbb{V}}}
 71 | \newcommand{\papertitle}{Cached quotients and lookups}
 72 | %\newcommand{\authorname}}
 73 | \newcommand{\company}{}
 74 | \newcommand{\witsize}{{n}}
 75 | \newcommand{\witruntime}{\ensuremath{\witsize\log\witsize}\xspace}
 76 | \newcommand{\tabsize}{{N}}
 77 | \newcommand{\tabruntime}{\ensuremath{\tabsize\log\tabsize}\xspace}
 78 | \newcommand{\Gone}{{\mathbb G}_1}
 79 | \newcommand{\Gi}{\ensuremath{{\mathbb G}_i}\xspace}
 80 | \title{ \bf \papertitle \\[0.72cm]}
 81 | \author{Ariel Gabizon \\
 82 | Zeta Function Technologies} 
 83 | 
 84 | %\usefonttheme{professionalfonts}
 85 | %\usefonttheme[onlymath]{serif}
 86 | \begin{document}
 87 | \boldmath
 88 | % Creates title page of slide show using above information
 89 | \begin{frame}
 90 |   \titlepage
 91 | \end{frame}
 92 |                            % typeset with the notes or notesonly class options
 93 | \begin{frame}
 94 | \frametitle{Constraints vs Lookups}
 95 | \textbf{Example:} Check $0\leq x \leq 2^n-1$\nl
 96 | \textbf{Constraint approach:}\\
 97 | Prover sends $b_0,\ldots,b_{n-1}$. Shows:
 98 | \begin{itemize}
 99 |  \item 
100 | $\forall i, b_i\in \set{0,1}$
101 | \item
102 | $\sum_{i} b_i2^i =x$.\nl
103 | \end{itemize}
104 | Requires $n+1$ constraints.
105 | 
106 | \end{frame}
107 | \begin{frame}
108 | \frametitle{Lookup approach}
109 | Preprocess table $T=\set{0,\ldots,2^n-1}$.Let $N:=|T|$. \\ \noindent 
110 | Devise protocol to check $x\in T$.\nl
111 | \textit{\color{blue}{Old results - good when amortized:}}\\ \noindent
112 | \noindent
113 | \textbf{Thm[plookup]:}  Can check $m$ different $x$'s are in $T$ in $O(m+ N)$
114 |  constraints.\nl
115 | 
116 | \textit{\color{blue}{New results - prover doesn't pay for table size!!\\}}
117 | \textbf{Thm [Caulk...$\cq$]:} After $O(N\log N)$ preprocessing, can check $x\in T$, in $O(1)$ constraints. 
118 | \end{frame}
119 | %\section[Outline]{}
120 | 
121 | % Creates table of contents slide incorporating
122 | % all \section and \subsection commands
123 | % \begin{frame}
124 | %   \tableofcontents
125 | % \end{frame}
126 | % \begin{frame}
127 | % \frametitle{Outline}
128 | %  
129 | % \begin{itemize}
130 | %  \item 
131 | % PCS/KZG review\pause
132 | % \item
133 | % KZG shenanigans 
134 | % \begin{enumerate}
135 | %  \item Committing to sparse polys.
136 | % \item ``cached quotients''\pause
137 | % 
138 | % \end{enumerate}
139 | % \item Lookups
140 | % \begin{enumerate}
141 | %  \item Motivation
142 | % \item  New results:$\cq$
143 | % \end{enumerate}
144 | % \end{itemize}
145 | % \end{frame}
146 | % 
147 | \begin{frame}
148 | {\large{\textbf{Rest of talk:} explain main technical component of new works - \emph{cached quotients}}}\pause
149 | \emph{First - a brief recap of polynomial commitment schemes..}
150 | 
151 |  \end{frame}
152 | \begin{frame}
153 |  \frametitle{The KZG Polynomial commitment scheme}   % Insert frame title between curly braces
154 |  $G$ - generator of pairing friendly elliptic curve group.\\
155 |  \vspace{0.2in}
156 |  $\srs \defeq \enc{1},\enc{x},\ldots,\enc{x^d}$, for random $x\in \F$.\nl
157 |  For $f\in \F[X]$ of degree $d$: 
158 | $$\color{purple} \cm(f)\defeq   \enc{f(x)}$$\nl
159 |  \textbf{Central Feature:}
160 |  Given $\cm(f)$ and any $a\in \F$; there is short proof for correctness of $z=f(a)$. 
161 | \end{frame}
162 | \begin{frame}
163 |  \frametitle{The KZG Polynomial commitment scheme}   % Insert frame title between curly braces
164 |  $\srs \defeq \enc{1},\enc{x},\ldots,\enc{x^d}$, for random $x\in \F$.\\ 
165 |  $\cm(f)\defeq   \enc{f(x)}$\\ 
166 |  \vspace{0.2in}
167 |  Nice features:\pause
168 |  \begin{itemize}
169 |   \item \textbf{Linearity:} $\cm(f+g) = \cm(f)+\cm(g)$\pause
170 |   \item \textbf{Product checks:} Given $\cm(f_1),\cm(f_2),\cm(g_1),\cm(g_2)$ can check $f_1(X)f_2(X)\stackrel{?}{\equiv} g_1(X)g_2(X)$ via pairings.\\
171 |   (Secure in the Algebraic Group Model)
172 |  \end{itemize}
173 | 
174 | \end{frame}
175 | \begin{frame}
176 |  \frametitle{Cached Quotients - a motivating example from $\caulk$[ZBKMN]}\pause
177 |  $Z_T(X)=\prod_{a\in T} (X-a)$ 
178 |  a vanishing polynomial of a subset $T\subset \F$ .\nl
179 |  $\cm(Z_T),\cm(f)$ given to verifier.\pause \\
180 |  Prover wants to show $f=Z_S$ for some $S\subset T$.\nl
181 |  
182 |  Can we do this in $O(|S|)$ prover operations?(think $|S|<<|T|$)
183 | \end{frame}
184 | \begin{frame}
185 | \frametitle{Cached quotients idea:}
186 |  The quotient $Z_{T\setminus S}(X) =\frac{Z_T(X)}{Z_S(X)}$ is a ``witness'' to $S\subset T$. \nl
187 | \begin{itemize}
188 |  \item Enough to compute \textbf{commitment} to $Z_{T\setminus S}$. \pause
189 |  \item This commitment is a \textbf{sparse combination} of commitments we can \textbf{precompute}.
190 | \end{itemize}
191 | \emph{details in next slide..}
192 | \end{frame}
193 | 
194 | \begin{frame}
195 | % \frametitle{Fractional decomposition:}
196 |  For each $i\in T$, let $g_i(X)\defeq Z_{T\setminus\set{i}}(X)$.\nl
197 |  We have {\small[Tomescu et. al]}
198 |  \[Z_{T\setminus S} (X) = \sum_{i\in S} c_i\cdot g_i(X)\]
199 |  for some $c_i\in \F$.\nl
200 |  
201 | 
202 |  We precompute $\cm(Z_T),\sett{\cm(g_i)}{i\in T}$.\nlnp
203 | \end{frame} 
204 |  \begin{frame}
205 |  Prover then computes in $|S|$ operations:
206 |  \[\color{purple}\pi:=\cm(Z_{T\setminus S}) = \sum_{i\in S} c_i\cdot \cm(g_i)\]\nl
207 | Verifier checks with pairing that:
208 | \[\color{purple}e(\cm(f),\pi) =e(\cm(Z_T),\enc{1})\]
209 | \end{frame}
210 | 
211 | \begin{frame}
212 | \frametitle{Historical perspective: A trilogy of pairing-based SNARKs}\pause
213 | 
214 | \begin{enumerate}
215 |  \item \textbf{A new hope (for SNARKs, not the universe)} - [Groth10,\textbf{GGPR},...,Groth16]\pause 
216 |  \vspace{0.2in}
217 |  \item  \textbf{The polynomial commitment scheme strikes back} - [vsql,\textbf{Sonic},Plonk,Marlin,...]\pause 
218 |  \vspace{0.2in}
219 |  
220 |  \item  \textbf{Return of the pairing} - [Caulk,...,cq,..]
221 |  
222 | \end{enumerate}
223 | 
224 | \end{frame}
225 | \begin{frame}
226 | \frametitle{Other Application in Chapter 3: lincheck }
227 | Fixed $n\times n$ matrix $M$.\nl
228 | Prover has poly $f\in \polysofdeg{n}$.
229 | Verifier $\cm(f)$.
230 | $a\defeq f|_H$ for subgroup $H$ of size $n$.\nl
231 | 
232 | \textbf{cq-lin:} After preprocessing of $M$, prover can show $M\cdot a =0$
233 | \emph{in $O(n)$ operations.}\nl
234 | 
235 | 
236 | 
237 | \end{frame}
238 | 
239 | \end{document}
240 | 


--------------------------------------------------------------------------------