 Hi, I'm Alex and this is the abstract presentation for Monsignorilla, Efficient Vactoli and Serial Launch Proofs Overset UK. This is joint work together with Karsten Baum, Dana Braun and Peter Joll. We consider Serial Launch Proofs for circuits, where the prover has a witness W, so when this witness is input into circuit C, the circuit outputs either except the reject. This must satisfy the three security properties called completeness, soundness and serial knowledge. We always consider the circuit as arithmetic over a large ring. We achieve serial knowledge by using the commit and prove paradigm, where the prover commits to the entire witness and then finally you open the W out value to show that it's except the reject. This can be done using only linear and homomorphic commitments, provided the prover proves consistency of the commitments throughout the computations. We always consider computation over C2K rather than finite fields, so this is the ring of the integers modular to decay. This has several advantages, primarily it maps naturally to data types used by CPUs in programming languages, so that it's easier to convert programs to corresponding circuits and in turn leads to more efficient protocol implementations. It has several disadvantages however, C2K is not a field, so you have serial devices meaning that polynomials can have lots of roots as well. This means that common tricks don't work and protocols get more complicated, but also the proofs of security can be quite a bit harder. The way you usually generate these linear and homomorphic commitments is through vectorally. Vectorally is meaning that it's a black box where the sender can input a vector x and then get out a vector m, so that this causes the linear and homomorphic commitments to x, provided that the receiver inputs are so-called global key delta and a local key k. The way you usually generate vectorally however, is through pseudo-random correlation generators. This is where the prover and the verifier, they interact to generate a short seed, but then they can non interactively expand this into a non-correlate string of length n. This is usually done with only sublinear communication in the vector length n. It's based on the variance of learning parity with noise and through this it has been proven actively secure only for fields. In this paper we provide the first actively secure vector, a leaf or rings set to k, with sublinear communication. So first recap LPN. This is where you have a short seed s, you have a long and big public generating matrix a, and then you have a sparse error vector e. If you do this computation you get out a vector x that looks completely uniform. The way we use this is by starting out with m vector least that we call the seed, and then we expand these into s that a vector of length n, so that the vector only correlation still works for each of the indices in n. So we start out with a base vector least of length n, then we generate this error which sparse it has exactly t errors where t is significantly less than n. But this has three main issues though. The way you usually do this is by using a sub protocol called single point vector only which uses a ggm tree. Now overrings establishing consistency is much more tricky than over a field when you use a ggm method. So therefore we create a new consistency check so that neither party can cheat. This new consistency check however leaks the index of a single error with probability a half. So this requires an analysis of the parameters used within the LPN instance to ensure it's still secure. Now finally the noise values within this noise vector must be chosen very carefully so that you cannot break this through a recent attack. Now after all of this is done the proven the verifier simply apply the generating matrix to all to the seed vector least and add the error vector least and out you get a vector x that looks completely uniformly random and then you simply save m and repeat. We also provide a way of verifying multiplications instead to k efficiently. This stems from an observation from quicksilver where you can convert the MAC equations of a multiplication triple a, b and c into a polynomial and delta instead. Now the perks of having this as a polynomial and delta means that you have a linear relationship between multiple of these multiplication triples. So now the prover can simply send a0 and a1 and then we can check the following equation by using a random linear combination. The issue however is that over a ring this is not as straightforward as over a field since many roots may exist so we create a new consistency check and a new analysis to ensure that this is still good. So our results are the following we are the first to provide an efficient vector leaf asset to k which is actively secure. This only requires one bit to 1.3 bits communication perfect to leave a large batches and we can generate up to 50 million of these per second. We also provide the first way of efficiently checking multiplications instead to k. This only requires one ring element communication per multiplication. You can watch the full presentation on august 18th or you can read the full version on e-print if you follow the link. Thank you so much for listening.