p.s. A Brief History of Folding Schemes (update)

zkDL: Efficient Zero-Knowledge Proofs of Deep Learning Training

by Haochen Sun and Hongyang Zhang

• present zkDL, an efficient zero-knowledge proof of deep learning training.

  • At the core of zkDL is zkReLU, a specialized zero-knowledge proof protocol with optimized proving time and proof size for the ReLU activation function

  • devise a novel construction of an arithmetic circuit from neural networks, reduces proving time and proof sizes by a factor of the network depth.

SwiftRange: A Short and Efficient Zero-Knowledge Range Argument For Confidential Transactions and More

by Nan Wang and Sid Chi-Kin Chau and Dongxi Liu (The 45th IEEE Symposium on Security and Privacy)

• propose SwiftRange, a new type of logarithmic-sized zero-knowledge range argument with a transparent setup in the discrete logarithm setting.

• Compared with Bulletproofs, has higher computational efficiency and lower round complexity while incurring comparable communication overheads for CT-friendly ranges

Improving logarithmic derivative lookups using GKR

Shahar Papini and Ulrich Haböck

• instantiate the Goldwasser-Kalai-Rothblum (GKR) protocol to prove fractional sumchecks as present in lookup arguments based on logarithmic derivatives, with the following impact on the prover cost of logUp (IACR eprint 2022/1530):

  • When looking up M columns in a single column table, the prover has to commit only to a single extra column

• introduce a novel transformation for turning a univariate polynomial commitment scheme into a multilinear one. to prove arbitrary powers of the lexicographic shift over the Boolean hypercube.

Pianist: Scalable zkRollups via Fully Distributed Zero-Knowledge Proofs

Tianyi Liu and Tiancheng Xie and Jiaheng Zhang and Dawn Song and Yupeng Zhang (S&P 2024)

• proposing new schemes of fully distributed ZKPs.

• improve the efficiency and the scalability of ZKPs using multiple machines, while the communication among the machines is minimal. With our schemes, the ZKP generation can be distributed to multiple participants in a model similar to the mining pools.

Instant Zero Knowledge Proof of Reserve

Xiang Fu

• present two zero knowledge protocols that allow one to assert solvency of a financial organization instantly with high throughput.

Succinct Proofs and Linear Algebra

Alex Evans and Guillermo Angeris

• show that using some simple abstractions, a number of commonly-used tools used in the construction of succinct proof systems may be viewed as basic consequences of linear algebra over finite fields.

• build a toolkit of useful techniques that can be combined to create different protocols.

• give a short proof of the security of the FRI protocol.

Cicada: A framework for private non-interactive on-chain auctions and voting

Noemi Glaeser and István András Seres and Michael Zhu and Joseph Bonneau

• introduce Cicada, a general framework for using linearly homomorphic time-lock puzzles (HTLPs) to enable provably secure, non-interactive private auction and voting protocols.

• instantiate our framework with an efficient new HTLP construction and novel packing techniques that enable succinct ballot correctness proofs independent of the number of candidates.

Naysayer proofs

István András Seres and Noemi Glaeser and Joseph Bonneau

• introduces the notion of naysayer proofs.

• show that every NP language has constant-size and constant-time naysayer proofs.

• show practical constructions for several example proof systems, including FRI polynomial commitments, post-quantum secure digital signatures, and verifiable shuffles.

Zero-Knowledge Systems from MPC-in-the-Head and Oblivious Transfer

Cyprien Delpech de Saint Guilhem and Ehsan Ebrahimi and Barry van Leeuwen (IMA Cryptography and Coding 2023)

• presents a novel method to construct zero-knowledge protocols which takes advantage of the unique properties of MPC-in-the-Head and replaces commitments with an oblivious transfer protocol.

• The security of the new construction is proven in the Universal Composability framework of security

• suitable choices of oblivious transfer protocols are discussed

SLAP: Succinct Lattice-Based Polynomial Commitments from Standard Assumptions

Martin R. Albrecht and Giacomo Fenzi and Oleksandra Lapiha and Ngoc Khanh Nguyen

• propose the first lattice-based non-interactive extractable polynomial commitment scheme which achieves polylogarithmic proof size and verifier runtime (in the length of the committed message) under standard assumptions.

• a new tree-based commitment scheme, along with an efficient proof of polynomial evaluation inspired by FRI.

Commitments with Efficient Zero-Knowledge Arguments from Subset Sum Problems

Jules Maire and Damien Vergnaud (ESORICS 2023)

• present a cryptographic string commitment scheme that is computationally hiding and binding based on (modular) subset sum problems.

• Using techniques recently introduced by Feneuil, Maire, Rivain and Vergnaud, this simple commitment scheme enables an efficient zero-knowledge proof of knowledge for committed values as well as proofs showing Boolean relations amongst the committed bits.

Rogue-Instance Security for Batch Knowledge Proofs

Gil Segev and Amit Sharabi and Eylon Yogev (TCC 2023)

• propose a new notion of knowledge soundness, denoted rogue-instance security, for interactive and non-interactive batch knowledge proofs.

• present a highly-efficient generic construction of a batch proof-of-knowledge applicable to any algebraic Sigma protocols.

On Black-Box Knowledge-Sound Commit-And-Prove SNARKs

Helger Lipmaa (ASIACRYPT 2023)

• define and construct a fully algebraic F-position-binding vector commitment scheme VCF.

• construct a concretely efficient commit-and-prove zk-SNARK Punic, a version of FANA with an additional VCF commitment to the witness.

zk-SNARKs from Codes with Rank Metrics

Xuan-Thanh Do and Dang-Truong Mac and Quoc-Huy Vu (IMA International Conference on Cryptography and Coding 2023)

• propose a code-based zk-SNARK scheme, whose security is based on the rank support learning (RSL) problem, a variant of the random linear code decoding problem in the rank metric.

Sigmabus: Binding Sigmas in Circuits for Fast Curve Operations

George Kadianakis and Mary Maller and Andrija Novakovic

• introduces Sigmabus, a technique designed to enhance the efficiency of zero-knowledge circuits by relocating computationally expensive operations outside the circuit.

  • moving elliptic curve group operations to external computations.

• By leveraging Sigma protocols, elliptic curve group operations are proven outside the circuit, while additional constraints are applied to the circuit to ensure correct execution of the Sigma protocol.

Incrementally Verifiable Computation via Rate-1 Batch Arguments

Omer Paneth and Rafael Pass (FOCS 2023)

• present a provably secure mergeable delegation construction based on the standard LWE assumption.

• obtain a construction of incrementally verifiable computation (IVC) (with polylogarithmic length proofs) for any (unbounded) polynomial number of steps based on LWE

• The central building block is rate-1 batch argument (BARG)

On the Security of KZG Commitment for VSS

Atsuki Momose and Sourav Das and Ling Ren (ACM CCS 2023)

• point out, however, that the KZG commitment is missing two important properties that are crucial for VSS protocols.

  • First, the KZG commitment has not been proven to be degree binding in the standard adversary model without idealized group assumptions.

  • Second, the KZG commitment does not support polynomials with different degrees at once with a single setup.

• augment the KZG commitment to address both of these limitations.

  • scheme is degree-binding in the standard model under the strong Diffie-Hellman (SDH) assumption.

Experimenting with Zero-Knowledge Proofs of Training

Sanjam Garg and Aarushi Goel and Somesh Jha and Saeed Mahloujifar and Mohammad Mahmoody and Guru-Vamsi Policharla and Mingyuan Wang (ACM CCS 2023)

• formulate the notion of zero-knowledge proof of training (zkPoT)

• propose the idea of combining techniques from MPC-in-the-head and zkSNARKs literature to strike an appropriate trade-off between proof size and proof computation time.

• instantiate this idea and propose a concretely efficient, novel zkPoT protocol for logistic regression.

Modular Sumcheck Proofs with Applications to Machine Learning and Image Processing

David Balbás and Dario Fiore and Maria Isabel González Vasco and Damien Robissout and Claudio Soriente (ACM CCS 2023)

• introducing a modular framework for verifiable computation of sequential operations.

• The main tool is a new information-theoretic primitive called Verifiable Evaluation Scheme on Fingerprinted Data (VE) that captures the properties of diverse sumcheck-based interactive proofs, including the well-established GKR protocol.

• propose a novel VE for convolution operations that can handle multiple input-output channels and batching,

• use it in our framework to build proofs for (convolutional) neural networks and image processing.

An optimization of the addition gate count in Plonkish circuits

Steve Thakur

• generalize Plonk's ([GWC19]) permutation argument by replacing permutations with (possibly non-injective) self-maps of an interval.

• use this succinct argument to obtain a protocol for weighted sums on committed vectors, which, in turn, allows us to eliminate the intermediate gates arising from high fan-in additions in Plonkish circuits.

Recursion over Public-Coin Interactive Proof Systems; Faster Hash Verification

Alexandre Belling and Azam Soleimanian and Olivier Bégassat

• present a recursive technique that can improve the efficiency of the prover by an order of magnitude compared to proving MiMC hashes with a Groth16 proof.

• use GKR to prove the integrity of hash computations and embed the GKR verifier inside a SNARK circuit.

ZKROWNN: Zero Knowledge Right of Ownership for Neural Networks

Nojan Sheybani Zahra Ghodsi Ritvik Kapila Farinaz Koushanfar

• present ZKROWNN, the first automated end-to-end framework utilizing Zero-Knowledge Proofs (ZKP) that enable an entity to validate their ownership of a model, while preserving the privacy of the watermarks.

Succinctness

SNARGs for Monotone Policy Batch NP

Zvika Brakerski Maya Farber Brodsky Yael Tauman Kalai Alex Lombardi Omer Paneth

• construct a SNARG for the class of monotone policy batch NP languages, under the LWE assumption.

  • arguments of knowledge in the non-adaptive setting, and satisfy a new notion of somewhere extractability against adaptive adversaries.

  • combines existing quasi-arguments for NP (based on batch arguments for NP) with a new type of cryptographic encoding of the instance and a new analysis going from local to global soundness.

• The main novel ingredient : predicate-extractable hash (PEH) family, which is a primitive that generalizes the notion of a somewhere extractable hash.

Lattice-based Succinct Arguments from Vanishing Polynomials

Valerio Cini Russell W. F. Lai Giulio Malavolta

• present some new approaches to constructing efficient lattice-based succinct arguments.

• a new commitment scheme based on vanishing polynomials

• The first recursive folding (i.e. Bulletproofs-like) protocol for linear relations with polylogarithmic verifier runtime.

• The first verifiable delay function (VDF) based on lattices

• The first lattice-based linear-time prover succinct argument for NP, in the preprocessing model. The soundness of the scheme is based on (knowledge)-k-R-ISIS assumption.

Orbweaver: Succinct Linear Functional Commitments from Lattices

Ben Fisch Zeyu Liu Psi Vesely

• present Orbweaver, the first plausibly post-quantum functional commitment to achieve quasilinear prover time together with O(log(n)) proof size and O(log(n)loglog(n)) verifier time.

• Orbweaver enables evaluation of linear maps on committed vectors over cyclotomic rings or the integers.

  • It is extractable, preprocessing, non-interactive, structure-preserving, amenable to recursive composition, and supports logarithmic public proof aggregation.

  • The security of our scheme is based on the k-R-ISIS assumption (and its knowledge counterpart), whereby require a trusted setup to generate a universal structured reference string.

• use Orbweaver to construct a succinct polynomial commitment for integer polynomials.

Non-interactive Universal Arguments

Nir Bitansky Omer Paneth Dana Shamir Tomer Solomon

• Assuming polynomially hard fully homomorphic encryption and a widely believed worst-case complexity assumption, prove a general lifting theorem showing that all existing non-interactive succinct arguments can be made universal.

Non-Interactive Zero-Knowledge from Non-Interactive Batch Arguments

Jeffrey Champion David J. Wu

• leveraging succinctness for zero-knowledge.

• show how to combine a batch argument for NP with a local pseudorandom generator and a dual-mode commitment scheme to obtain a NIZK for NP.

Succinct Arguments for RAM Programs via Projection Codes

Yuval Ishai Rafail Ostrovsky Akash Shah

• a construction of projection codes with a near-optimal increase in the length of x and size of s.

• succinct arguments for the computation of a RAM program on a (big) committed database, where the communication and the run-time of both the prover and the verifier are close to optimal even when the RAM program run-time is much smaller than the database size.

Brakedown: Linear-time and field-agnostic SNARKs for R1CS

Alexander Golovnev Jonathan Lee Srinath Setty Justin Thaler Riad Wahby

• introduces a SNARK called Brakedown.

  • Brakedown targets R1CS.

  • linear-time prover

  • It does not require a trusted setup

  • and may be post-quantum secure.

  • compatible with arbitrary finite fields of sufficient size

• a linear-time encodable code.

• Shockwave: a variant of Brakedown that uses Reed-Solomon codes

Lattice-Based Succinct Arguments for NP with Polylogarithmic-Time Verification

Jonathan Bootle Alessandro Chiesa Katerina Sotiraki

• construct the first lattice-based succinct interactive argument system for NP statements with succinct verification exploits the homomorphic properties of lattice-based commitments.

  • based on the hardness of the RSIS problem.

• a delegation protocol built from commitment schemes based on leveled bilinear modules.

Revisiting cycles of pairing-friendly elliptic curves

Marta Bellés Muñoz Jorge Jiménez Urroz Javier Silva

• explore 2-cycles composed of curves from families parameterized by polynomials, and show that such cycles do not exist unless a strong condition holds.

• prove that no 2-cycles can arise from the known families, except for those cycles already known.

Post-Quantum ZK

Efficient Hybrid Exact/Relaxed Lattice Proofs and Applications to Rounding and VRFs

Muhammed F. Esgin Ron Steinfeld Dongxi Liu Sushmita Ruj

• study hybrid exact/relaxed zero-knowledge proofs from lattices, where the proved relation is exact in one part and relaxed in the other.

• introduce a general framework, LANES+, for realizing such hybrid proofs efficiently by combining standard relaxed proofs of knowledge RPoK and the LANES framework

• construct substantially shorter proofs of rounding

• design an efficient long-term verifiable random function (VRF), named LaV. LaV leads to the shortest VRF outputs among the proposals of standard VRFs based on quantum-safe assumptions.

LaBRADOR: Compact Proofs for R1CS from Module-SIS

Ward Beullens Gregor Seiler

• introducing a Lattice-Based Recursively Amortized Demonstration Of R1CS (LaBRADOR), with more compact proof sizes than known hash-based proof systems.

• At the 128 bits security level, LaBRADOR proves knowledge of a solution for an R1CS mod 2^64+1 with 2^20 constraints, with a proof size of only 58 KB

Toward Practical Lattice-based Proof of Knowledge from Hint-MLWE

Duhyeong Kim Dongwon Lee Jinyeong Seo Yongsoo Song

• improve the state-of-the-art proof of knowledge protocols for RLWE-based public-key encryption and BDLOP commitment schemes.

• present new proof of knowledge protocols without using noise flooding or rejection sampling which are provably secure under a computational hardness assumption, called Hint-MLWE.

  • no computational overhead from repetition (abort) and achieves a polynomial overhead between the honest and proven languages.

Publicly Verifiable Zero-Knowledge and Post-Quantum Signatures From VOLE-in-the-Head

Carsten Baum Lennart Braun Cyprien Delpech de Saint Guilhem Michael Klooß Emmanuela Orsini Lawrence Roy Peter Scholl

• present a new method for transforming zero-knowledge protocols in the designated verifier setting into public-coin protocols, which can be made non-interactive and publicly verifiable.

• show that it can be applied to protocols based on vector oblivious linear evaluation (VOLE), with a technique call VOLE-in-the-head, upgrading these protocols to support public verifiability.

• present 𝖥𝖠𝖤𝖲𝖳, a post-quantum signature scheme based on AES.

ZK Based on DL

Algebraic Reductions of Knowledge

Abhiram Kothapalli Bryan Parno

• introduce reductions of knowledge, a generalization of arguments of knowledge, which reduce checking knowledge of a witness in one relation to checking knowledge of a witness in another (simpler) relation.

• unify a growing class of modern techniques as well as provide a compositional framework to modularly reason about individual steps in complex arguments of knowledge. simplify and unify recursive arguments over linear algebraic statements by decomposing them as a sequence of reductions of knowledge.

• develop the tensor reduction of knowledge, which generalizes the central reductive step common to many recursive arguments.

Correlation Intractability and SNARGs from Sub-exponential DDH

Arka Rai Choudhuri Sanjam Garg Abhishek Jain Zhengzhong Jin Jiaheng Zhang

• first constructions of SNARGs for Batch-NP and P based solely on the sub-exponential Decisional Diffie Hellman (DDH) assumption.

  • achieve poly-logarithmic proof sizes.

• following the correlation-intractability framework for secure instantiation of the Fiat-Shamir paradigm.

• a new construction of correlation-intractable hash functions for small input product relations verifiable in TC0, based on sub-exponential DDH.

On the Impossibility of Algebraic NIZK In Pairing-Free Groups

Emanuele Giunta

• prove that for a large class of NIZK either a pairing-free group is used non black-box by relying on element representation, or security reduces to external hardness assumptions.

• applies to two incomparable cases.

  • The first one covers Arguments of Knowledge (AoK) which proves that a preimage under a given one way function is known.

  • The second one covers NIZK (not necessarily AoK) for hard subset problems, which captures relations such as DDH, Decision-Linear and Matrix-DDH.

A Note on Non-Interactive Zero-Knowledge from CDH

Geoffroy Couteau Abhishek Jain Zhengzhong Jin Willy Quach

• build non-interactive zero-knowledge (NIZK) and ZAP arguments for all NP where soundness holds for infinitely-many security parameters, and against uniform adversaries, assuming the subexponential hardness of the Computational Diffie-Hellman (CDH) assumption.

• prove the existence of NIZK arguments with these same properties assuming the polynomial hardness of both CDH and the Learning Parity with Noise (LPN) assumption.

Again, in this issue, I intentionally excluded huge amount of important works that will appear in Crypto 2023. There will be a special issue to present those works.

Zero Knowledge Virtual Machine step by step

by Tim Dokchitser and Alexandr Bulkin

• provide a source of introductory information into building a zero knowledge proof system for general computation.

  • review how to build such a system with a polynomial commitment scheme, and how to implement a fully functional command set in terms of zero knowledge primitives.

ProtoGalaxy: Efficient ProtoStar-style folding of multiple instances

by Liam Eagen and Ariel Gabizon

• Building on ideas from ProtoStar [BC23] we construct a folding scheme where the recursive verifier's ``marginal work'', beyond linearly combining witness commitments, consists only of a logarithmic number of field operations and a constant number of hashes.

• performs well when folding multiple instances at one step, in which case the marginal number of verifier field operations per instance becomes constant, assuming constant degree gates.

Foundations of Data Availability Sampling

by Mathias Hall-Andersen and Mark Simkin and Benedikt Wagner

• define data availability sampling precisely as a clean cryptographic primitive.

• show how data availability sampling relates to erasure codes.

• defining a new type of commitment schemes which naturally generalizes vector commitments and polynomial commitments.

• analyze existing constructions and prove them secure.

• give new constructions which are based on weaker assumptions, computationally more efficient, and do not rely on a trusted setup, at the cost of slightly larger communication complexity.

Oblivious Accumulators

by Foteini Baldimtsi and Ioanna Karantaidou and Srinivasan Raghuraman

• define oblivious accumulators, a set commitment with concise membership proofs that hides the elements and the set size from every entity

  • two properties: element hiding and add-delete indistinguishability.

• define almost-oblivious accumulators, that only achieve add-delete unlinkability, hide the elements but not the set size.

• give a generic construction of an oblivious accumulator based on key-value commitments (KVC).

• show a generic way to construct KVCs from an accumulator and a vector commitment scheme.

• give lower bounds on the communication (size of update messages) required for oblivious accumulators and almost-oblivious accumulators.

Private Timestamps and Selective Verification of Notarised Data on a Blockchain

by Enrique Larraia and Owen Vaughan (IEEE IST-Africa 2023)

• suggest using on-chain Pedersen commitments and off-chain zero knowledge proofs (ZKP) for designated verifiers to prove the link between the data and the on-chain commitment.

EDEN - a practical, SNARK-friendly combinator VM and ISA

by Logan Allen and Brian Klatt and Philip Quirk and Yaseen Shaikh

• Nock is a minimal, homoiconic combinator function, a Turing-complete instruction set that is practical for general computation, and is notable for its use in Urbit.

• introduce Eden, an Efficient Dyck Encoding of Nock that serves as a practical, SNARK-friendly combinator function and instruction set architecture.

• describe arithmetization techniques and polynomial equations used to represent the Eden ISA in an Interactive Oracle Proof.

• present the Eden zkVM, a particular instantiation of Eden as a zk-STARK.

Zombie: Middleboxes that Don’t Snoop

by Collin Zhang and Zachary DeStefano and Arasu Arun and Joseph Bonneau and Paul Grubbs and Michael Walfish

• Zombie, the first system built using the Zero-knowledge middleboxes (ZKMB) paradigm.

  • preprocessing (to move the bulk of proof generation to idle times between requests),

  • asynchrony (to remove proving and verifying costs from the critical path),

  • batching (to amortize some of the verification work).

• introduces a portfolio of techniques to efficiently encode regular expressions in probabilistic (and zero knowledge) proofs;

  • to support policies based on regular expressions, such as data loss prevention.

Hash Functions Monolith for ZK Applications: May the Speed of SHA-3 be With You

by Lorenzo Grassi and Dmitry Khovratovich and Reinhard Lüftenegger and Christian Rechberger and Markus Schofnegger and Roman Walch

• propose a new 2-to-1 compression function and a SAFE hash function, instantiated by the Monolith permutation.

  • The permutation is significantly more efficient than its competitors, Reinforced Concrete and Tip5.

• instantiate the lookup tables as functions defined over F2 while ensuring that the outputs are still elements in Fp.

• performance comparable to SHA3-256

XHash8 and XHash12: Efficient STARK-friendly Hash Functions

by Tomer Ashur and Al Kindi and Mohammad Mahzoun

• propose two new Arithmetization-Oriented(AO) hash functions, XHash8 and XHash12 which are designed based on improving the bottlenecks in RPO [ePrint 2022/1577].

  • XHash8 performs ≈2.75 times faster than RPO, and XHash12 performs ≈2 times faster than RPO

  • inheriting the security and robustness of the Marvellous design strategy.

Implementation and performance of a RLWE-based commitment scheme and ZKPoK for its linear and multiplicative relations

by Ramiro Martínez and Paz Morillo and Sergi Rovira

• provide the implementation details and performance analysis of the lattice-based post-quantum commitment scheme introduced by Martínez and Morillo in their work titled «RLWE-Based Zero-Knowledge Proofs for Linear and Multiplicative Relations»

  • obtain tight conditions that allow us to find the best sets of parameters for actual instantiations of the commitment scheme and its companion ZKPoK.

• very flexible and its parameters can be adjusted to obtain a trade-off between speed and memory usage

• further extends the literature of exact Zero-Knowledge proofs, providing ZKPoK of committed elements without any soundness slack.

Automated Analysis of Halo2 Circuits

by Fatemeh Heidari Soureshjani and Mathias Hall-Andersen and MohammadMahdi Jahanara and Jeffrey Kam and Jan Gorzny and Mohsen Ahmadvand; Satisfiability Modulo Theories 2023 (SMT 2023)

• describe methods for checking Halo2.

  • use abstract interpretation and an SMT solver to check various properties of Halo2 circuits.

    • abstract interpretation can detect unused gates, unconstrained cells, and unused columns.

    • SMT solver can detect under-constrained (in the sense that for the same public input they have two efficiently computable satisfying assignments) circuits.

ZK-for-Z2K: MPC-in-the-Head Zero-Knowledge Proofs

by Lennart Braun and Cyprien Delpech de Saint Guilhem and Robin Jadoul and Emmanuela Orsini and Nigel P. Smart and Titouan Tanguy

• extend the MPC-in-the-head framework, used in recent efficient zero-knowledge protocols, to work over the ring which is the primary operating domain for modern CPUs.

• explore various batching methodologies, leveraging Shamir's secret sharing schemes and Galois ring extensions, and show the applicability of our approach in RAM program verification.

• analyse different options for instantiating the resulting ZK scheme over rings and compare their communication costs.

IOPs with Inverse Polynomial Soundness Error

by Gal Arnon and Alessandro Chiesa and Eylon Yogev , FOCS 2023

• show that every language in NP has an Interactive Oracle Proof (IOP) with inverse polynomial soundness error and small query complexity.

Efficient Arguments and Proofs for Batch Arithmetic Circuit Satisfiability

by Jieyi Long

• for the batch satisfiability problem, provide a construction of succinct interactive argument of knowledge for generic log-space uniform circuits based on the bilinear pairing and common reference string assumption.

• For the evaluation problem, construct statistically sound interactive proofs for various special yet highly important types of circuits, including linear circuits, and circuits representing sum of polynomials.

• describe protocols optimized specifically for batch FFT and batch matrix multiplication which achieve desirable properties, including lower prover time and better composability.

How to Compile Polynomial IOP into Simulation-Extractable SNARKs: A Modular Approach

by Markulf Kohlweiss and Mahak Pancholi and Akira Takahashi

• Most SNARKs are initially only proven knowledge sound (KS). show that the commonly employed compilation strategy from polynomial interactive oracle proofs (PIOP) via polynomial commitments to knowledge sound SNARKS actually also achieves other desirable properties:

  • weak unique response (WUR)

  • and trapdoorless zero-knowledge (TLZK);

  • and that together they imply simulation extractability (SIM-EXT).

• The factoring of SIM-EXT into KS + WUR + TLZK is becoming a cornerstone of the analysis of non-malleable SNARK systems.

Fiat-Shamir Security of FRI and Related SNARKs

by Alexander R. Block and Albert Garreta and Jonathan Katz and Justin Thaler and Pratyush Ranjan Tiwari and Michał Zając

• prove the FS security of the FRI and batched FRI protocols;

  • by analyzing the round-by-round (RBR) soundness and RBR knowledge soundness of FRI.

• analyze a general class of protocols, which we call \delta-correlated, that use low-degree proximity testing as a subroutine (this includes many "Plonk-like" protocols (e.g., Plonky2 and Redshift), ethSTARK, RISC Zero, etc.);

  • prove that if a \delta-correlated protocol is RBR (knowledge) sound under the assumption that adversaries always send low-degree polynomials, then it is RBR (knowledge) sound in general.

• prove FS security of the aforementioned "Plonk-like" protocols

Bulletproofs With Stochastic Equation Sets

by Michael Brand and Benoit Poletti

• present a protocol extending the standard Bulletproof protocol, allowing the Verifier to choose the set of equations after the Prover has already committed to portions of the solution.

• Verifier-chosen (or stochastically-chosen) equation sets can be used to design smaller equation sets with less variables that are orders of magnitude faster both in proof generation and in proof verification, and even reduce the size

On One-way Functions and the Worst-case Hardness of Time-Bounded Kolmogorov Complexity

by Yanyi Liu and Rafael Pass

• present the first “OWF-complete” promise problem---a promise problem whose worst-case hardness w.r.t. BPP (resp. P/poly) is equivalent to the existence of OWFs secure against PPT (resp. nuPPT) algorithms. The problem is a variant of the Minimum Time-bounded Kolmogorov Complexity problem.

Intmax2: A ZK-rollup with Minimal Onchain Data and Computation Costs Featuring Decentralized Aggregators

by Erik Rybakken and Leona Hioki and Mario Yaksetig

• present a novel stateless ZK-rollup protocol with client-side validation called Intmax2. all of the data availability and computational costs are shifted to the client-side.

ARITHMETIZATION-ORIENTED APN FUNCTIONS

by Lilya Budaghyan and Mohit Pal

• investigate arithmetization-oriented APN functions, APN permutations in the CCZ-classes of known families of APN power functions over prime field Fp.

• present a new class of APN binomials over Fq obtained by modifying the planar function x^2 over Fq.

• present a class of binomials having differential uniformity at most 5 defined via the quadratic character over finite fields of odd characteristic.

Two Shuffles Make a RAM: Improved Constant Overhead Zero Knowledge RAM

by Yibin Yang and David Heath

• optimize arithmetic-circuit-based read/write memory uses only 4 input gates and 6 multiplication gates per memory access.

• implemented our memory in the context of ZK proofs based on vector oblivious linear evaluation (VOLE)

AfricaCrypt 2023

MinRank in the Head: Short Signatures from Zero-Knowledge Proofs

by Gora Adj, Luis Rivera-Zamarripa and Javier Verbel

• introduces the first MinRank-based digital signature scheme that uses the MPC-in-the-head, enabling it to achieve small signature sizes and running times.

Impossibilities in Succinct Arguments: Black-box Extraction and More

by Matteo Campanelli, Chaya Ganesh, Hamidreza Khoshakhlagh and Janno Siim

• formalizing a folklore lower bound for the proof size of black-box extractable arguments based on the hardness of the language. This separates knowledge-sound SNARGs (SNARKs) in the random oracle model (that can have black-box extraction) and those in the standard model.

• Under the existence of non-adaptively sound SNARGs (without extractability) and from standard assumptions, it is possible to build SNARKs with black-box extractability for a non-trivial subset of NP.

• show that (under some mild assumptions) all NP languages cannot have SNARKs with black-box extractability even in the non-adaptive setting.

• The Gentry-Wichs result does not account for the preprocessing model, under which fall several efficient constructions.

Poseidon2: A Faster Version of the Poseidon Hash Function

by Lorenzo Grassi, Dmitry Khovratovich and Markus Schofnegger

• propose an optimized version of Poseidon, called Poseidon2.

  • Poseidon is a sponge hash function, while Poseidon2 can be either a sponge or a compression function depending on the use case.

  • Poseidon2 is instantiated by new and more efficient linear layers with respect to Poseidon.

HyperPlonk: Plonk with Linear-Time Prover and High-Degree Custom Gates

Binyi Chen Benedikt Bünz Dan Boneh Zhenfei Zhang

• present HyperPlonk, an adaptation of Plonk to the boolean hypercube, using multilinear polynomial commitments.

  • avoids the need for an FFT during proof generation.

  • supports custom gates of much higher degree than Plonk.

• revisit two elegant multilinear polynomial commitments constructions: one from Orion and one from Virgo.

  • show how to reduce the Orion opening proof size to less than 10 KB

  • show how to make the Virgo FRI-based opening proof simpler and shorter

Succinct Vector, Polynomial, and Functional Commitments from Lattices

Hoeteck Wee David J. Wu

• introduce a new framework for constructing non-interactive lattice-based vector commitments

• A simple instantiation yields a new vector commitment scheme from the SIS assumption that supports private openings and large messages.

• show how to use our framework to obtain the first succinct functional commitment scheme that supports openings with respect to arbitrary bounded-depth Boolean circuits.

• security is based on a new falsifiable family of "basis-augmented" SIS assumptions (BASIS)

Speed-Stacking: Fast Sublinear Zero-Knowledge Proofs for Disjunctions

Aarushi Goel Mathias Hall-Andersen Gabriel Kaptchuk Nicholas Spooner

• propose a new compiler that, when applied to sublinear-sized proofs, can result in sublinear-size disjunctive zero-knowledge with sublinear proving times.

  • key observation is that simulation in sublinear-size zero-knowledge proof systems can be much faster than the honest prover.

• applying to two classes of protocols: interactive oracle proofs, specifically Aurora and Fractal, and folding arguments, specifically Compressed Σ-protocols and Bulletproofs.

Spartan and Bulletproofs are Simulation-Extractable (for free!)

Quang Dao Paul Grubbs

• prove that two transparent, discrete-log-based zkSNARKs, Spartan and Bulletproofs, are simulation-extractable (𝖲𝖨𝖬-𝖤𝖷𝖳) in the random oracle model if the discrete logarithm assumption holds. show that 𝖲𝖨𝖬-𝖤𝖷𝖳 is, surprisingly, “for free” with these schemes.

• develop a generalization of the tree-builder extraction theorem of Attema et al. (TCC’22).

Supersingular Curves You can Trust

Andrea Basso Giulio Codogni Deirdre Connolly Luca De Feo Tako Boris Fouotsa Guido Maria Lido Travis Morrison Lorenz Panny Sikhar Patranabis Benjamin Wesolowski

• first statistically zero-knowledge proof of isogeny knowledge that is compatible with any base field.

  • introduce isogeny graphs with Borel level structure and prove they have the Ramanujan property.

• analyze the security of a distributed trusted-setup protocol based on our ZK proof in the simplified universal composability framework.

• https://github.com/trusted-isogenies/

On Valiant’s Conjecture: Impossibility of Incrementally Verifiable Computation from Random Oracles

Jesper Buus Nielsen Mathias Hall-Andersen

• prove that under some mild extra assumptions on the proof system the Valiant’s conjecture is true: the standard random-oracle model does not allow incrementally verifiable computation without making computational assumptions.

• Two extra assumptions under which we can prove the conjecture are

  • 1) the proof system is also zero-knowledge or

  • 2) when the proof system makes a query to its random oracle it can know with non-negligible probability whether the query is fresh or was made by the proof system earlier in the construction of the proof.

Witness-Succinct Universally-Composable SNARKs

Chaya Ganesh Yashvanth Kondi Claudio Orlandi Mahak Pancholi Akira Takahashi Daniel Tschudi

• provide a compiler lifting any simulation-extractable NIZKAoK into a UC-secure one in the global random oracle model, importantly, while preserving the same level of witness succinctness.

• Combining this with existing zkSNARKs achieve first zkSNARKs simultaneously achieving UC-security and constant sized proofs.

SNARGs and PPAD Hardness from the Decisional Diffie-Hellman Assumption

Yael Tauman Kalai Alex Lombardi Vinod Vaikuntanathan

• construct SNARGs for bounded-depth computations assuming that the decisional Diffie-Hellman (DDH) problem is sub-exponentially hard.

• showing how to instantiate the Fiat-Shamir heuristic, under DDH, for a variant of the Goldwasser-Kalai-Rothblum (GKR) interactive proof system.

  • giving a circuit family for finding roots of cubic polynomials over a special family of characteristic 2 fields

  • constructing a variant of the GKR protocol whose invocations of the sumcheck protocol only involve degree 3 polynomials over said fields.

• show the existence of (sub-exponentially) computationally hard problems in the complexity class PPAD, assuming the sub-exponential hardness of DDH.

Proof-Carrying Data From Arithmetized Random Oracles

Megan Chen Alessandro Chiesa Tom Gur Jack O'Connor Nicholas Spooner

• introduce a new model: the arithmetized random oracle model (AROM).

  • provide a plausible standard-model (software-only) instantiation of the AROM, and construct PCD in the AROM, given only a standard-model collision-resistant hash function.

  • construct an accumulation scheme for the AROM.

• give an efficient “lazy sampling” algorithm (an emulator) for the ARO up to some error.

  • to prove the security of cryptographic constructs in the AROM and that zkSNARKs in the ROM also satisfy zero-knowledge in the AROM.

In this issue, I intentionally excluded huge amount of important works that will appear in Crypto 2023. There will be a special issue to present these works.

zkSaaS: Zero-Knowledge SNARKs as a Service

by Sanjam Garg, Aarushi Goel, Abhishek Jain, Guru-Vamsi Policharla, and Sruthi Sekar (USENIX Security 2023)

• introduce a framework called zk-SNARKs-as-a-service (zkSaaS).

  • distributing proof computation across multiple servers such that each server is expected to run for a shorter duration than a single prover.

  • instantiate this framework with custom protocols to obtain faster runtimes than local provers for widely used zk-SNARKs, such as Groth16 , Marlin and Plonk. get ≈22× speed-up when run with 128 parties for 2^25 constraints with Groth16 and 2^21 gates with Plonk.

  • Rust implementation

• the privacy of the prover's witness is ensured against any minority of colluding servers.

Reed-Solomon Codes over the Circle Group

by Ulrich Habock and Daniel Lubarov and Jacqueline Nabaglo

• discuss Reed-Solomon codes with domain of definition within the unit circle of the complex extension C(F) of a Mersenne prime field F.

• expect these "almost native" Reed-Solomon codes to perform as native ones based on prime fields with high two-adicity, but less processor-friendly arithmetic.

Efficient Zero Knowledge for Regular Language

by Michael Raymond and Gillian Evers and Jan Ponti and Diya Krishnan and Xiang Fu

• present zkreg, a distributed commit-and-prove system ,a succinct zero knowledge proof for regular language membership

• cryptographic operations are encoded using arithmetic circuits, and input acceptance is modeled as a zero knowledge subset problem using Σ-protocols.

• introduce a Feedback Commit-and-Prove (FB-CP) scheme, which connects Σ-protocols and the Groth16 system with O(1) proof size and verifier cost.

• present a close-to-optimal univariate instantiation of zk-VPD, a zero knowledge variation of the KZG polynomial commitment scheme, based on which an efficient zk-subset protocol is developed.

SublonK: Sublinear Prover PlonK

by Arka Rai Choudhuri and Sanjam Garg and Aarushi Goel and Sruthi Sekar and Rohit Sinha

• propose SublonK - a new zkSNARK, builds on PlonK

• achieves improved prover running time over PlonK. prover runtime grows with the size of the "active part" of the circuit.

UniPlonk: Plonk with Universal Verifier

by Shumo Chu and Brandon H. Gomes and Francisco Hernandez Iglesias and Todd Norton and Duncan Tebbs

• propose UniPlonK, a modification of the PlonK protocol that uniformizes the Verifier’s work for families of circuits.

• extends the universality of PlonK beyond the SRS; it enables a single “Universal Verifier Circuit” capable of verifying proofs from different PlonK circuits.

SoK: Vector OLE-Based Zero-Knowledge Protocols

by Carsten Baum and Samuel Dittmer and Peter Scholl and Xiao Wang

• a survey of recent developments in building practical systems for zero-knowledge proofs of knowledge using vector oblivious linear evaluation (VOLE), a tool from secure two-party computation.

Lattice-Based Polynomial Commitments: Towards Asymptotic and Concrete Efficiency

by Giacomo Fenzi and Ngoc Khanh Nguyen

• propose a lattice-based polynomial commitment that achieves succinct proof size and verification time.

• Extractability of our scheme holds in the random oracle model under a natural ring version of the BASIS assumption introduced by Wee and Wu (EUROCRYPT 2023).

• do not require any expensive preprocessing steps

• instantiate polynomial commitment, together with the Marlin PIOP (Eurocrypt 2020), to obtain a publicly-verifiable trusted-setup succinct argument for Rank-1 Constraint System (R1CS).

Zeromorph: Zero-Knowledge Multilinear-Evaluation Proofs from Homomorphic Univariate Commitments

by Tohru Kohrita and Patrick Towa

• presents a scheme to commit to multilinear polynomials and to later prove evaluations of committed polynomials.

  • relies on additively homomorphic schemes to commit to univariate polynomials.

• gives a method to batch executions of any degree-check protocol on homomorphic commitments.

Testudo: Linear Time Prover SNARKs with Constant Size Proofs and Square Root Size Universal Setup

by Matteo Campanelli and Nicolas Gailly and Rosario Gennaro and Philipp Jovanovic and Mara Mihali and Justin Thaler

• present Testudo, a new FFT-less SNARK with a near linear-time prover, constant-time verifier, constant-size proofs and a square-rootsize universal setup.

  • based on a variant of Spartan

  • a new, fast multivariate polynomial commitment scheme (PCS) with a square-root-sized trusted setup that is derived from PST (TCC 2013) and IPPs (Asiacrypt 2021).

  • combine PCS openings proofs recursively with a Groth16 SNARK.

• achieves a 110x speed-up compared to PST and 3x compared to Gemini (Eurocrypt 2022)

Revisiting the Nova Proof System on a Cycle of Curves

by Wilson Nguyen and Dan Boneh and Srinath Setty

• point out a soundness vulnerability in the original implementation of the 2-cycle Nova system.

• present a modification of the 2-cycle Nova system and formally prove its security.

  • the modification eliminates an R1CS instance-witness pair from the recursive proof.

• show that Nova's IVC proofs are malleable and discuss several mitigations.

Lightweight Authentication of Web Data via Garble-Then-Prove

by Xiang Xie and Kang Yang and Xiao Wang and Yu Yu

• proposes the garble-then-prove technique without using any heavy mechanism like generic malicious 2PC.

• shows 14× improvement in communication and an order of magnitude improvement in computation over the state-of-the-art protocol;

• show worldwide performance when using our protocol to authenticate payload data from Coinbase and Twitter APIs.

• propose an efficient gadget to privately convert the above authenticated TLS payload to Pedersen commitments so that the properties of the payload can be proven efficiently using zkSNARKs.

VSS from Distributed ZK Proofs and Applications

by Shahla Atapoor and Karim Baghery and Daniele Cozzo and Robi Pedersen

• present an efficient NI-VSS scheme using ZK proofs on secret shared data.

• uses a quantum random oracle and a quantum computationally hiding commitment scheme in a black-box manner, which ensures its ease of use, especially in post-quantum threshold protocols.

• present two DKG protocols for CSIDH-based primitives

• show similar improvements in some threshold signatures built based on Schnorr and CSI-FiSh signature schemes.

MUXProofs: Succinct Arguments for Machine Computation from Tuple Lookups

by Zijing Di and Lucas Xia and Wilson Nguyen and Nirvan Tyagi

• present a new protocol for proving machine execution allowing for prover efficiency on the order of executed instructions while achieving zero-knowledge and avoiding the use of proof recursion.

• a new primitive tuple lookup argument which is used to allow a prover to build up a machine execution “on-the-fly”.

  • relies on univariate polynomial commitments in which tuples are encoded as evaluations on cosets of a multiplicative subgroup.

• instantiate our protocol by combining our tuple lookup with the popular Marlin succinct non-interactive proof system.

An Introduction to Zero-Knowledge Proofs in Blockchains and Economics

by Aleksander Berentsen, Jeremias Lenzi, and Remo Nyffenegger

• review article on what ZKPs are and how they improve privacy and efficiency and describe applications for blockchains and other use cases.

Weak Fiat-Shamir Attacks on Modern Proof Systems

by Quang Dao, Jim Miller, Opal Wright and Paul Grubbs (IEEE S&P 2023)

• study of F-S in implementations of modern proof systems.

  • perform a survey of open-source implementations and find 36 weak F-S implementations affecting 12 different proof systems.

• For Bulletproofs, Plonk, Spartan, and Wesolowski’s VDF— develop novel knowledge soundness attacks accompanied by rigorous proofs of their efficacy.

• discuss possible mitigations and takeaways

Formalizing Soundness Proofs of SNARKs

by Bolton Bailey and Andrew Miller

• formal methods on soundness of a widespread class of SNARKs, formalize proofs for six different constructions, including the Groth '16.

• written in the Lean 3 theorem proving language

Bounded Verification for Finite-Field-Blasting (In a Compiler for Zero Knowledge Proofs)

by Alex Ozdemir, Riad S. Wahby, Fraser Brown and Clark Barrett

• ZKP compiler correctness by partially verifying a field-blasting compiler pass, a pass that translates Boolean and bit-vector logic into equivalent operations in a finite field.

• implemented in the CirC ZKP compiler and have proved bounded versions of the corresponding verification conditions.

Study of Arithmetization Methods for STARKs

by Tiago Martins and João Farinha

• explores two solutions for arithmetization of computational integrity statements in STARKs the algebraic intermediate representation, AIR, and is preprocessed variant, PAIR.

• their soundness implications for Reed-Solomon proximity testing.

• deriving the degree bounds for low-degree proximity testing.

• reducing the degree bound with multiple selector columns

• qualitatively comparing computational demands of the components of both arithmetization methods, particularly their impact on the low-degree extensions.

Arithmetization of predicates into Halo 2 using application specific trace types

by Morgan Thomas

• update on the Open Specification Language (OSL) circuit compiler.

• OSL is a language based on predicate logic which is amenable to compilation to arithmetic constraint systems. This system provides an alternative to universal zk-VMs and low level ad hoc constructions of arithmetic constraint systems.

ProtoStar: Generic Efficient Accumulation/Folding for Special Sound Protocols

by Benedikt Bünz and Binyi Chen

• provide a generic, efficient accumulation (or folding) scheme for any special-sound protocol. The accumulation verifier only performs k+2 elliptic curve multiplications and k+d+O(1) field/hash operations.

• ProtoStar is a non-uniform IVC scheme for Plonk that supports high-degree gates and (vector) lookups. The scheme does not require a trusted setup or pairings, and the prover does not need to compute any FFTs.

Non-Interactive Zero-Knowledge from Non-Interactive Batch Arguments

by Jeffrey Champion and David J. Wu (CRYPTO 2023)

• leveraging succinctness for zero-knowledge.

• show how to combine a batch argument for NP with a local pseudorandom generator and a dual-mode commitment scheme to obtain a NIZK for NP.

Batch Proofs are Statistically Hiding

by Nir Bitansky, Chethan Kamath, Omer Paneth, Ron Rothblum and Prashant Nalini Vasudevan

• study the necessary conditions for the existence of batch proofs in these two settings: Statistical Soundness/ Computational Soundness

• Non-interactive: the existence of non-interactive BARGs for NP and one-way functions, implies NISZKA for NP, with negligible soundness error, inverse polynomial zero-knowledge error, and non-uniform honest prover.

Benchmarking ZK-Circuits in Circom

by Colin Steidtmann and Sanjay Gollapudi

• presenting comprehensive benchmarking results for a range of signature schemes and hash functions implemented in Circom

• Poseidon, Pedersen, MiMC, SHA-256, ECDSA, EdDSA, Sparse Merkle Tree, and Keccak-256.

• new Circom circuit and a full JavaScript test suite for the Schnorr signature scheme.

Ou: Automating the Parallelization of Zero-Knowledge Protocols

by Yuyang Sang, Ning Luo, Samuel Judson, Ben Chaimberg, Timos Antonopoulos, Xiao Wang, Ruzica Piskac and Zhong Shao (CCS 2023)

• A front-end language Ou where users can write proof statements as imperative programs in a familiar syntax;

• A compiler architecture Lian and implementation that automatically analyzes the program and compiles it into an optimized IR that can be lifted to a variety of ZKP constructions; and

• A cutting algorithm, based on Pseudo-Boolean optimization and Integer Linear Programming, that reorders instructions and then partitions the program into efficiently sized chunks for parallel evaluation and efficient state reconciliation.

Privacy-preserving Attestation for Virtualized Network Infrastructures

by Ghada Arfaoui, Thibaut Jacques, Marc Lacoste, Cristina Onete and Léo Robert

• propose a privacy preserving TPM(Trusted Platform Module)-based deep-attestation solution in multi-tenant environments

• relies on vector commitments and ZK-SNARKs.

The Referendum Problem in Anonymous Voting for Decentralized Autonomous Organizations

by Artem Grigor, Vincenzo Iovino and Giuseppe Visconti (DLT 2023)

• naive approach to run referenda over Ethereum can incur severe security problems.

• propose both mitigations and hardness results for achieving voting procedures in which the proofs submitted on-chain are either ZK or succinct.

Lattice-based Commit-Transferrable Signatures and Applications to Anonymous Credentials

by Qiqi Lai, Feng-Hao Liu, Anna Lysyanskaya and Zhedong Wang

• propose a new primitive to instantiate signature with protocols, called commit-transferrable signature (CTS).

• When combined with a multi-theorem straight-line extractable NIZKPoK, CTS gives a modular approach to construct anonymous credentials.

• show efficient instantiations of CTS and the required NIZKPoK from lattices

• propose concrete parameters for the CTS, NIZKPoK, and the overall Anonymous Credentials, based on Module-SIS and Ring-LWE.

Curve Trees: Practical and Transparent Zero-Knowledge Accumulators

by Matteo Campanelli, Mathias Hall-Andersen and Simon Holmgaard Kamp (USENIX 2023)

• zero-knowledge for set membership allows a user to show knowledge of an element in a large set without leaking the specific element. Zcash Sapling strong trust assumption: an underlying setup that must be generated by a trusted third party.

• propose novel, more efficient and fully transparent constructions for accumulators supporting zero-knowledge proofs for set membership. inspired by commit-and-prove techniques to combine shallow Merkle trees and 2-cycles of elliptic curves into a highly practical construction.

• basic accumulator construction---dubbed Curve Trees---is completely transparent (does not require a trusted setup) and is based on simple and widely used assumptions (DLOG and Random Oracle Model).

• design a simple and concretely efficient anonymous cryptocurrency with full anonymity set, which we dub Vcash. Its transactions can be verified in ≈80ms or ≈5ms when batch-verifying multiple (>100) transactions; transaction sizes are 4KB.

A flexible Snark via the monomial basis

by Steve Thakur

• describe a pairing-based SNARK with a universal updateable CRS that can be instantiated with any pairing-friendly curve endowed with a sufficiently large prime scalar field.

• use the monomial basis, thus sidestepping the need for large smooth order subgroups in the scalar field. can be instantiated with outer curves to widely used curves such as Ed25519, secp256k1 and BN254.

• relies on homomorphic table commitments, which makes them amenable to vector lookups.