Hi, my name is Valerio, and I will be talking about the paper "Lattice-Based SNARKs: Publicly Verifiable, Preprocessing, and Recursively Composable". This is joint work with Martin Albrecht, Russell Lai, Giulio Malavolta, and Aravind Thyagarajan. Before describing what we do in this work, let us first fix some notation. SNARK stands for succinct non-interactive argument of knowledge. This is a proof system defined with respect to some NP language L with the following interface. The public parameters are generated by running the setup algorithm and are distributed to both prover and verifier. Whenever the prover wants to prove that some statement is in the language, it runs the prove algorithm, using the corresponding witness, and obtains a proof pi, which is sent to the verifier. Using such a proof, the verifier can run the verify algorithm and decide whether to accept or reject. The properties that we require from such a proof system are the following. Completeness: that is, whenever the statement-witness tuple used by the prover satisfies the relation R defined in the NP language L, the verifier should accept. Knowledge soundness: that is, whenever an adversary makes the verifier accept, it should be possible to extract from such an adversary the witness corresponding to the statement being proven. These two properties alone are trivial to achieve by having the prover send the witness to the verifier. What makes the construction non-trivial are the efficiency requirements. The first one is what we call succinctness, and it requires that the size of the proof be polylogarithmic in the size of the statement. An even stronger requirement is what we call pre-processing. Here the verifier can pre-process the public parameters in an offline phase so that the online verification runs in time polylogarithmic in the size of the statement. Now that we have recalled what a SNARK is, we can state the question that we try to address in this work.
The question is: is it possible to construct a SNARK that satisfies all these properties at the same time? The properties are: post-quantum secure, by which, in a very liberal interpretation, we mean any scheme not based on groups; publicly verifiable, which means that anyone could run the verification algorithm; pre-processing, which I have defined in the previous slide; algebraic, by which we mean that the construction uses only algebraic operations defined over the mathematical structure that the scheme is constructed over; and structure preserving, by which we mean that the relation checked by the verification algorithm should be supported by the SNARK itself. In this work we answer this question positively, and to the best of our knowledge this is the first construction achieving all these properties at the same time. In particular, we show how to construct a lattice-based SNARK which is publicly verifiable, pre-processing, algebraic, and structure preserving. All these properties lead to a SNARK that is friendly to recursive composition, that is, a SNARK where it is possible to prove knowledge of a SNARK proof using the SNARK itself. This enables very powerful applications such as incremental verifiable computation. We show that the main and only ingredient to obtain such a primitive is a lattice-based vector commitment (VC) which supports openings to constant-degree multivariate polynomials and which is extractable and compact. I do not have the time here to define all these properties, but you can watch the long presentation if you are interested. In our work we show that it is possible to compile such a VC scheme into a SNARK that satisfies the prior properties. In this way we reduce the task of constructing a SNARK to that of constructing a VC scheme. I will now sketch how to construct such a lattice-based vector commitment. This requires the introduction of a new but natural class of lattice-based knowledge and non-knowledge assumptions.
The roadmap that we use to obtain a VC scheme with the required properties is the following. We start by translating a pairing-based VC scheme that supports openings to linear functions to the lattice world. By doing so we obtain a lattice-based VC which also supports openings to linear functions and that is weak binding and succinct. While translating the construction we also have to map the underlying assumption under which the scheme is proved secure. In doing so we obtain a new class of lattice-based assumptions that we call k-Ring-Inhomogeneous Short Integer Solution, or k-R-ISIS for short. Then, using the fact that we are now working over rings, we can show that the VC scheme actually supports openings to any polynomial map of constant degree. Then, by introducing a knowledge version of the k-R-ISIS assumption, we show that the security of the VC scheme can be improved from weak binding to extractability. The only property left to upgrade is now succinctness. We achieve this by introducing an aggregation trick that involves embedding a Ring-SIS instance in the public parameters. In this way we obtain a VC scheme that satisfies all the properties required and that can be compiled into a SNARK. In the paper we also show other results. In particular, we study the hardness of this new family of lattice-based assumptions and outline some native applications of our SNARK. If you are interested in knowing more about this work, you can read our full paper on ePrint or watch the full presentation of this work.