Hello, welcome to this presentation on Compressed Sigma Protocol Theory. My name is Thomas Attema and this is joint work with Ronald Cramer. In this work we aim to find efficient circuit zero-knowledge protocols. We know that Sigma Protocol Theory forms a well-established theory for zero-knowledge proofs. However, applying this theory directly to find circuit zero-knowledge protocols results in a communication complexity that is linear in the size of the circuit. Recently, however, an alternative became available: Bulletproofs. Bulletproofs achieve a logarithmic communication complexity for circuit zero-knowledge. We note that Bulletproofs were actually presented as a drop-in replacement for Sigma Protocols. In this work we follow a rather different approach. We aim to reconcile Bulletproofs with Sigma Protocol Theory. Namely, we show that Bulletproofs, or an adaptation of Bulletproofs, form a significant strengthening of Sigma Protocol Theory rather than a replacement. Our approach follows a linearization strategy. Namely, we solve linear instances first and then the linearized and nonlinear instances. We believe that this linearization strategy is amongst the most natural problem-solving strategies in mathematics. Moreover, it fits seamlessly with Sigma Protocol Theory. In contrast, Bulletproofs' starting point is a protocol for a specific quadratic rather than linear relation. Our approach makes use of the following three observations. First, we show that an adaptation of Bulletproofs gives a compression mechanism for standard Sigma Protocols. We start with a compact commitment to a long vector. Second, we show how to prove correctness of the evaluations of arbitrary linear forms in compactly committed vectors. We show how to do this with logarithmic communication. In other words, we show how to solve the linear instances of the circuit zero-knowledge problem. Third, we adapt the techniques from Cramer, Damgård and Pastro.
In our adaptation, we start with a single compact commitment to all the coefficients of three long vectors of multiplication triples. Combining arithmetic secret sharing with point one, that is, our compressed Sigma Protocol, we obtain logarithmic-size proofs of correctness for the corresponding multiplicative relations. Finally, we obtain circuit zero-knowledge protocols by reducing the circuit zero-knowledge problem to proving correctness of multiplication triples. Let us consider the following circuit zero-knowledge setting. In this setting, we let the square brackets denote some vector commitment scheme. This commitment scheme allows a prover to commit to n-dimensional Z_q vectors in a single group element. In this notation, we leave the commitment randomness implicit. Moreover, we let C be some arithmetic circuit. We will restrict ourselves to arithmetic circuits with output dimension one, but all the results easily generalize to arbitrary output dimensions. Now we aim to find protocols that allow a prover to prove knowledge of some commitment opening x, corresponding to some public commitment, such that C(x) equals zero. Moreover, we aim to find a protocol that is honest-verifier zero-knowledge. In this work, we will focus on the communication efficiency of the protocols. The remainder of this presentation will contain the following elements. We will start with our main pivot, which is a standard Sigma Protocol for opening linear forms on compactly committed vectors. Second, we will show how to reduce the communication complexity of this protocol down to logarithmic. Third, we will show how to prove multiplicative relations. Fourth, we will show how to combine these ingredients to achieve circuit zero-knowledge protocols. Fifth, we will supply some compactification techniques that are required for many practical scenarios. Sixth, we will show that this entire framework can be instantiated from various cryptographic assumptions.
And finally, we mention recent follow-up work on proofs of partial knowledge. For the remainder of this presentation, we let G be a group of prime order q. Moreover, we let g_1 up to g_n be a vector of group elements. For such a vector, we consider the multi-exponentiation g to the power x, where x is an n-dimensional Z_q vector. This multi-exponentiation is defined as the product of g_i to the power x_i for i ranging from 1 to n. Moreover, we assume that the prover does not know a non-trivial discrete log relation for the group elements g_1 up to g_n. A non-trivial discrete log relation is simply a non-zero vector x such that g to the power x equals the identity element of the group G. A Pedersen vector commitment is actually a multi-exponentiation. More precisely, a commitment to a vector x is equal to g to the power x times h to the power gamma, where gamma is some random ring element. The Pedersen vector commitment scheme is compact, meaning that regardless of the dimension n, a commitment is a single group element. It is unconditionally hiding, and it is computationally binding under the assumption that the prover does not know a non-trivial discrete log relation between the group elements g_1 to g_n and h. For notational convenience, we will work with more general multi-exponentiations rather than the Pedersen vector commitments. Now we have come to our pivotal Sigma Protocol for opening linear forms. This protocol is the Sigma Protocol for the following relation, in which we have a public group element P, a linear form L and a scalar y, and a secret witness x such that g to the power x equals P and L evaluated in x equals y. The Sigma Protocol therefore allows a prover to show that the secret witness x satisfies some linear relation. We note that the functionality of this protocol trivially generalizes to opening an affine form, that is, a linear form plus a constant. This slide depicts the standard Sigma Protocol for the aforementioned linear relation R.
It takes as input three public elements, the group element P, the linear form L and the scalar y, and has a secret input only known to the prover, namely the vector x. Without diving into the details, we mention that this Sigma Protocol is perfectly complete, special honest-verifier zero-knowledge and special sound. We have shown our basic Sigma Protocol for opening linear forms. Next, we show how to compress its communication complexity from linear down to logarithmic using an adaptation of Bulletproofs' compression mechanism. The main bottleneck in the communication complexity of this standard Sigma Protocol is in the response z. The response z is namely an n-dimensional vector. However, we can also observe that this final response z is actually a witness of another element in exactly the same relation R that we started off with. Hence, sending this final message z, this final response, is actually a trivial proof of knowledge for this relation R. The prover namely proves knowledge of this witness z by simply revealing this witness z. Any other proof of knowledge for this relation would actually suffice in this stage. Moreover, this proof of knowledge does not have to be zero-knowledge, because the trivial one clearly is not. So our aim in the next couple of slides is going to be to replace this final response, this trivial proof of knowledge, by a more efficient proof of knowledge for relation R. To this end, we consider the following notation. For a vector g of group elements g_1 up to g_n, we consider its left half g_L, that is g_1 up to g_{n/2}. And similarly, we consider its right half g_R. We do exactly the same thing for Z_q vectors and also for linear forms. So for all of these vectors and forms, we consider left and right halves. Given this notation, we can continue to our compression mechanism. This compression mechanism is a proof of knowledge for exactly the same relation R that we started off with.
It is an appropriate adaptation of the Bulletproofs compression mechanism. The protocol now goes as follows. The prover first computes these four cross terms. So the two group elements A and B, namely g_R to the power x_L and vice versa, g_L to the power x_R. And similarly, it computes these two cross terms L_R(x_L) and L_L(x_R). The prover now sends these four cross terms to the verifier, who samples a random challenge and sends this challenge back to the prover. The prover now computes the final response x_L plus c times x_R. And given this response, the verifier performs the following two checks. The protocol can be seen to be perfectly complete. Hence, an honest verifier will accept any conversation with an honest prover. Moreover, it can also be seen to be 3-special sound. In addition, we see that this final response z has dimension n/2. So the total communication complexity is roughly half of the communication complexity of the trivial proof of knowledge that we started off with. Finally, we observe that this final response z is again a witness for a relation very similar to the relation R. The only difference is that the dimension in this relation is not n, but n/2. This final observation implies that we can apply this compression once again and again reduce the dimension of the witness by a factor 2. We can therefore apply this compression mechanism recursively, until the dimension of the final witness equals 1. Another way to look at this compression mechanism is to see that the final response of the prover is actually an encoding of the secret exponent vector x. This encoding is parametrized by the challenge c. Taking a closer look at this encoding, we see that the encoding of a vector x is actually equal to (c·z, z) for some n/2-dimensional vector z. Hence, the dimension of the image of this encoding function is n/2 for any challenge c. This property results in the reduction of the communication complexity.
Moreover, it is easily seen that by Lagrange interpolation, we can reconstruct the secret exponent x from any three different encodings of this vector x. In other words, the protocol is indeed 3-special sound. We now denote by Pi_c the recursive composition of the Sigma Protocol Pi_0 and the compression protocol Pi_1. Pi_c is actually a special honest-verifier zero-knowledge proof of knowledge for relation R. It has a logarithmic communication complexity and we say it is a compressed Sigma Protocol. We clearly see that the compression mechanism acts as an extension to the basic Sigma Protocol Pi_0 and reduces its communication complexity from linear to logarithmic. Thus far, we have seen how to handle linear instances of our circuit zero-knowledge problem. Let us now look at our CDP12 adaptation and show how to prove multiplicative relations. Our approach uses a linearization strategy. More precisely, we linearize this non-linear problem by using a packed secret sharing scheme. This packed secret sharing scheme should have strong multiplicativity and 1-privacy. In this presentation, we consider Shamir's secret sharing scheme, but any other linear secret sharing scheme with these two properties suffices. Our CDP12 adaptation allows us to prove correctness of long vectors of multiplication triples. That is, we have vectors a, b and c such that c is the component-wise product of the vectors a and b. To prove correctness of these long vectors of multiplication triples, we define two polynomials f and g. f is a polynomial of degree at most m that is uniquely defined by these m+1 evaluations. Namely, f(i) is equal to a_i for i ranging from 1 up to m, and f(0) is equal to some random ring element sampled by the prover. The polynomial g is defined in a completely analogous manner. The polynomials f and g define packed secret sharings of the vectors a and b.
Namely, any m+1 distinct evaluations of these polynomials allow for reconstruction, and any evaluation outside 1 up to m is a uniformly random ring element. So this secret sharing scheme has 1-privacy. Next, we define the polynomial h as the product of the polynomials f and g. h is of degree at most 2m and it is therefore uniquely defined by any 2m+1 evaluations. Moreover, h(i) equals c_i for all i ranging from 1 up to m. For these reasons, h actually defines a secret sharing of the vector c. Moreover, we observe that for a uniformly random evaluation point alpha, the triple f(alpha), g(alpha), h(alpha) forms a uniformly random multiplication triple. For this reason, revealing these evaluations does not reveal any information about the input vectors a, b and c. Finally, we know that if this multiplicative relation f(alpha) times g(alpha) equals h(alpha) holds for this random evaluation point, then it must also hold for the vectors a, b and c with high probability. Combining the above observations with our compressed Sigma Protocol for opening linear forms results in an efficient protocol for proving correctness of multiplication triples. The protocol, namely, goes as follows. First, the prover commits to the coefficients of the three polynomials f, g and h in a single compact commitment, so in a single vector commitment. Second, the prover opens the evaluations f(alpha), g(alpha) and h(alpha) for some random challenge alpha. And here we make use of the fact that these three evaluations can all be computed as linear combinations of the committed coefficients. In other words, we can use our compressed Sigma Protocol for opening these three evaluations. Thus far, we have seen how to handle linear instances of our circuit zero-knowledge problem and how to prove a specific set of multiplicative relations. Next, we show how to combine these ingredients to construct circuit zero-knowledge protocols for arbitrary arithmetic circuits.
We consider the following textbook zero-knowledge scenario. In this scenario, a prover commits to an input vector x plus some auxiliary information in a single compact commitment and subsequently proves that C(x) equals zero. The protocol now goes as follows. The prover first defines the polynomials f, g and h as before. However, where these polynomials first defined packed secret sharings corresponding to the multiplication triples in the vectors a, b and c, they now correspond to packed secret sharings of the inputs and the outputs of the multiplication gates of the circuit C. Second, the prover commits to the vector x together with some auxiliary information. This auxiliary information contains the evaluations f(0) and g(0) and the first 2m+1 evaluations of the polynomial h. An important observation is that by Lagrange interpolation, any evaluation of the polynomials f, g and h can now be computed as an affine combination of the coefficients of this long vector. Moreover, any wire value can be computed as such an affine combination. For this reason, our compressed Sigma Protocol allows a prover to open any wire value and any polynomial evaluation efficiently. So in the third step, the verifier asks the prover to open the output wire C(x) and the evaluations f(alpha), g(alpha) and h(alpha) for some random challenge alpha. Finally, the verifier checks that C(x) is indeed equal to 0 and that f(alpha) times g(alpha) equals h(alpha). Altogether, circuit zero-knowledge is therefore reduced to proving correctness of multiplication triples. In the previous slides, we have restricted ourselves to a textbook zero-knowledge scenario. However, many practical scenarios deviate from this textbook scenario and additional techniques are required to handle them. For this reason, we introduce compactification.
Compactification allows a prover to combine various commitments in a single compact commitment, thereby reducing various zero-knowledge scenarios to the aforementioned textbook zero-knowledge scenario. In particular, compactification allows us to handle the scenario where there already exists a commitment to some input vector x that does not contain any auxiliary information. Moreover, it allows us to handle the scenario where the input x is dispersed over multiple commitments. Additionally, various amortization techniques known from standard Sigma Protocol Theory apply to further improve the efficiency of our protocols. Moreover, we show how to instantiate this entire framework from various cryptographic assumptions. Thus far, we have focused on the discrete log assumption, but we also show how to instantiate this framework from the strong RSA assumption or from the knowledge-of-exponent assumption. In the latter case, we actually achieve a constant communication complexity, as in zk-SNARKs. Finally, we mention an application of this approach to other cryptographic protocols such as proofs of partial knowledge. In a follow-up work, we showed that an adaptation of our compressed Sigma Protocols gives rise to a proof of partial knowledge. That is, for example, proving knowledge of k-out-of-n discrete logarithms. Proofs of partial knowledge have found applications in, for example, ring signature schemes and confidential transaction systems. Thank you for your attention and enjoy the rest of this virtual conference.
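The compression mechanism described in the talk, as an added example that is not part of the presentation or of the authors' own code: the halving round Pi_1 is applied recursively to the relation g^x = P, L(x) = y until the witness has dimension 1, and the verifier folds P, y, g and L with the same challenges. The toy prime-order group (squares mod p with p = 2q + 1), the generators, the witness and the challenges are all constructed here; the zero-knowledge first round Pi_0 is omitted, so what runs is exactly the (non-zero-knowledge) proof of knowledge that replaces the trivial response z.

```python
import random
# Toy parameters (constructed; far too small to be secure): p = 2q + 1 with p, q prime,
# so the squares mod p form a group G of prime order q and Z_q is the exponent ring.
P_MOD, Q, N = 1019, 509, 8      # N = witness dimension, a power of two

def multiexp(g, x):                 # g^x = prod g_i^{x_i} in G
    r = 1
    for gi, xi in zip(g, x):
        r = r * pow(gi, xi, P_MOD) % P_MOD
    return r

def lin(L, x):                      # L(x) over Z_q
    return sum(li * xi for li, xi in zip(L, x)) % Q

def fold(g, L, c):                  # g' = g_L^c * g_R, L' = c*L_L + L_R (dimension halves)
    h = len(g) // 2
    return ([pow(gl, c, P_MOD) * gr % P_MOD for gl, gr in zip(g[:h], g[h:])],
            [(c * ll + lr) % Q for ll, lr in zip(L[:h], L[h:])])

def prove(g, L, x, challenges):
    """Compression rounds for relation g^x = P, L(x) = y: returns the four cross
    terms (A, B, a, b) of each round plus the final 1-dimensional witness, sent in the clear."""
    transcript = []
    for c in challenges:
        h = len(x) // 2
        gL, gR, xL, xR, LL, LR = g[:h], g[h:], x[:h], x[h:], L[:h], L[h:]
        transcript.append((multiexp(gR, xL), multiexp(gL, xR), lin(LR, xL), lin(LL, xR)))
        g, L = fold(g, L, c)
        x = [(xl + c * xr) % Q for xl, xr in zip(xL, xR)]   # z = x_L + c*x_R
    return transcript, x

def verify(g, L, P, y, transcript, z, challenges):
    for (A, B, a, b), c in zip(transcript, challenges):
        P = A * pow(P, c, P_MOD) * pow(B, c * c % Q, P_MOD) % P_MOD  # P' = A * P^c * B^{c^2}
        y = (a + c * y + c * c * b) % Q                               # y' = a + c*y + c^2*b
        g, L = fold(g, L, c)
    return len(z) == 1 and multiexp(g, z) == P and lin(L, z) == y

def demo(seed=7, tamper=False):
    rng = random.Random(seed)
    # Generators: pseudo-random squares mod p (assumed: prover knows no DL relation among them)
    g = [pow(rng.randrange(2, P_MOD - 1), 2, P_MOD) for _ in range(N)]
    x, L = [rng.randrange(Q) for _ in range(N)], [rng.randrange(Q) for _ in range(N)]
    P, y = multiexp(g, x), lin(L, x)
    challenges = [rng.randrange(1, Q) for _ in range(N.bit_length() - 1)]  # log2(N) rounds
    transcript, z = prove(g, L, x, challenges)
    if tamper:                      # verifier is handed a wrong linear-form value
        y = (y + 1) % Q
    return verify(g, L, P, y, transcript, z, challenges), len(transcript), len(z)
```

For N = 8 the transcript holds three rounds of four cross terms plus a single Z_q element, in place of the 8-element response of the uncompressed protocol; a tampered y makes the final linear check fail because the folded target y' is an affine function of y with a non-zero coefficient.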