 Hi, I'm Sy Vessely, they-them, and today I'll be presenting proofs for inner pairing products and applications. This is a joint work with my excellent collaborators, Benedict Boons, Mary Mallor, Pratush Mishra, and Nervan Tyagi. So in this work, we use pairing-based commitments with a structured reference string to achieve linear time-prover and log time-proof and verify our arguments of knowledge for several relations. First, we have TIP where we have a vector of G1 and a vector of G2 elements for a pairing-friendly elliptic curve equipped with a bilinear pairing, and we show that the inner pairing product of the these witness vectors is equal to some public value Z not shown here is that we first have a commitment to these A and B vectors. We also construct inner product arguments for multi-exponentiation or multi-scalar multiplication, depending on how you like to write your group operation. Don't worry, in our paper we use both addition and multiplication, so you'll be happy either way. We actually present two multi-exponentiation inner product arguments, one for a known vector of exponents and one for an unknown and committed vector of exponents. All these schemes are given as an instantiation of a protocol JIPPA, which generalizes BCC GP16. This was the precursor to the better known bullet proofs. In LMR-19, which first extended this to the pairing setting, so the main difference between our protocols and the ones in LMR is that we achieve a log-time verifier, whereas using PIP-ingers, you get an O-N divided by log-N group aberrations verifier for LMR-19. We also reduce prover complexity and proof size by a constant factor. We also show a lot of applications of our inner product arguments in our paper, so for example, we build a polynomial commitment for people who are not familiar with these. The idea is that Alice knows some polynomial over a finite field of degree at most D. She is able to make a short commitment C to f of x and send that to Bob, who will then send a challenge point to C, maybe multiple, but for simplicity, we'll say single one. Alice responds with an evaluation v and an evaluation proof pi, which is an argument of knowledge of f of x such that f of z is equal to v. And applications of polynomial commitments include Snark's friend P, accumulators, vector commitments, verifiable secret sharing, and a lot more. So to look at our polynomial commitment, we get constant size commitments, logarithmic, proof sizes, and verifier time. And interestingly, we get square root CRS and evaluation prover complexity. So for applications where we need to deal with really high degree polynomials such as proofs of replication, or applications where we need to make numerous or frequent openings of these polynomials such as accumulators, this provides a good option. To give a concrete example, we compare our work to the state of the art KZG 10 polynomial commitment scheme for polynomials of degree to the 26. So we see the CRS is dramatically smaller at 3.2 gigabytes versus four megabytes, that evaluation prover time shrink drastically also from 16 minutes to 15 seconds. And then KZG 10 does have better proof size and verifier time both by a factor of about 10x. But that concretely, our proof size is only a few kilobytes and our verification time is only 46 milliseconds for these large polynomials. And for a lot of applications, that might be a lot more acceptable than 16 minute prover time, for example. Our next application is the KSNARC aggregation. In particular, we look at public aggregation of n-gross 16 SNARCs into a log size proof that's verifiable in log time. Previously, we only knew how to do this using recursive proof composition, which is pretty inefficient, as we can see in this comparison. In general, our inner product arguments are really good for aggregation of any pairing based cryptography where the verification equation is a pairing based language. When we look at the verification of interactive SNARCs that are made on interactive via the Fiat-Chemere transform, we see that because of the need to make these hash function calls to get the challenges that we are no longer in a pairing based language. And we just run into complications with these. But for graph 16, which is built from non-interactive linear proofs, this works well. In recursive proof composition, we take one more SNARC and we use it to prove knowledge of the n-gross 16 SNARCs that satisfy the n instances. This means that we're proving the verification circuit for graph 16. So we have to first arithmatize that in particular. We need to express it in R1CS where a pairing costs about 20,000 constraints. So this is a major cause of blow up for this approach. And this is avoided by our inner pairing product, which is essentially for exactly the graph 16 verification equation relation. So another major cause of blow up in prover time for the recursive proof composition approach is the fact that I won't get into the technical details of why, but you need to use a two chain or a cycle of pairing friendly elliptic curves. The two chain is a little bit more efficient. And that's what we compare to here, where the proof of the proofs in the outer curve is done over a 760 bit curve. Unfortunately, we do not have smaller outer curves for two chains or cycles. And for comparison, we use 380 bit curves for pairing based cryptography when we don't need recursion. And this is for the 128 bit security level. So we actually see because of this big blow up that benchmark stop at 64 for the two chain approach, because we ran out of memory on a laptop. And we see though for 64 proofs that aggregation using our inner pairing product arguments is about 900 times faster. And in fact, in the time it takes to make a recursive proof of 64 proofs, we can aggregate 65,000 proofs to a 35 kilobyte proof that takes 300 milliseconds to verify. The third and final application that we look at is low memory snarks for machine computations. For a computation that takes time t in space s, a monolithic snark proof takes space that is quasi linear and s times t. Our approach is to create t snarks each of a single transition. And we use inner product arguments to aggregate the results. If we were to apply the techniques of last section directly here, then we would end up with proof size that were linear in the size of the instance x times t, because we would be including all the intermediate values of the register, the intermediate instances. Instead, we recognize that the verifier doesn't need to know these intermediate values, and doesn't care about them. Instead, what they care about is the fact that the output of one transition snark matches the input of the next. So what we do is commit to all these intermediate register values, and then we create a proof that this is the case, that this match up happens. And doing so, we are able to instead get proofs that are linear in just the x that we care about and logarithmic in t. And we get the same verifier time complexity as well. And this only requires space that is quasi linear and s plus t. So previous results used recursive proof composition. And as we saw before, this is concretely inefficient. Building up to our inner product arguments, our inner product arguments, we're going to first look at an argument of knowledge for a pairing based commitment opening, specifically the AFG HO16 commitment scheme, which is what we base our commitment scheme off of. The prover is given a common reference string, which is a vector of n random g two elements. And they hold a witness, which is a vector of n g one elements. The commitment is the inner pairing product between the A and V vectors, which we write as this a asterisk V notation. Next, the prover parses the V vector and a vector into a left and right half each of equal length. The prover then sends these cross terms TL and TR, which is the right half of the a inner pairing product with the left half of V and vice versa, prior response with a random challenge x from the field. And then the prover outputs a witness a prime. So in practice, we keep folding a logarithmic number of times until a prime is just a single group one element, just to show how the math works. We look at a single round here. The verifier computes the scaled CRS V prime. And then checks that a prime inner product V prime is equal to x times TL plus T plus X inverse times TR. And we show how the left hand side expands here. And basically that the math works out. I'll give you a second just to check that. Great. So now we're going to look at how to extend this to get an inner pairing product argument. When we have another witness vector, which is a vector of n g two elements. And we have a commitment and a f g h o 16 commitment you to that. We want to show that for some public Z. We know witness vectors a and b such that their inner pairing product is Z. So what we do is we perform the two opening argument of knowledge in parallel using the same challenges, the opening of T and U. And we also in each round send these ZL and ZR cross terms between the A and B vectors. Okay, is for a f g o 16 commitment openings, ensure that the final a prime and B prime are correct. Finally, we check the inner product claim with this last equation. Where again, things work out because of the bilinear property. This protocol is pretty much the pairing analog to the discrete log based BCC GP 16 protocol. So bullet proofs improved on BCC GP 16 by committing to the A and B vectors with a single commitment as well as to the Z value. You can't commit to both one and group two elements with a single target group element. It wouldn't be binding. So we get six log n versus two log n for bullet proofs. On the other hand, we get a log time verifier. Whereas bullet proofs has a slightly sub linear verifier. The main difference between this protocol we just presented and the one in LMR 19 is just the commitment scheme used. They commit to both the G one and G two elements in two commitments under different random generators. Now that we've got some sense of how these inner product arguments work, we're going to talk about our generalized inner product argument, which takes the core ideas from protocols like the CGG P 16 bill approved sell more and abstracts them. Basically, our generalized argument shows that if we have three primordial groups and one and two and three and one times m two to m three and a commitment for messages that are n m one elements and m two elements and an m three element where the commitment has an additive homomorphism, both a message and commitment key space. We call these doubly homomorphic commitments. Then we get an inner product argument. We see both our own works and previous works as instantiations of a single generalized protocol. So we build inner product arguments for elliptic curve pairings and multi-exponentiations. Then we can also see previous works that do scalar field multiplication, such as bullet proofs as an instantiation of JIPAA as well. And this lets us create, for example, one security proof that covers all of these based on properties of the commitment scheme. With respect to JIPAA security, we observe that most practical applications require non-interactive protocols. And we know that we can use the Fiat-Shamir heuristic to compress an interactive proof into a non-interactive one. For this resulting protocol, we run into the problem that existing Fiat-Shamir ROM extraction techniques give a super polynomial extractor for a log-round protocols when we try to generalize them. So here was our solution. We treat the commitment as algebraic, essentially requiring the adversary to output an A and B vector. Then the extractor has to show that Z is equal to the inner product of A and B, which is a bit more difficult. For this, we use the zero finding game from BCMS20, which essentially relates the probability that an adversary wins at short zipple to the number of random oracle queries it makes. We saw an inner pairing product argument for the AFGHO commitment scheme that had logarithmic size proofs. In each round, we sent those cross terms, which was a constant number of target group elements. And there's only a logarithmic number of rounds, and that constitutes the proof. So we have a log proof size, and we add a linear verifier time. So we had to do a logarithmic number of target group exponentiations to fold in those cross products with the commitments in each round, where that was on the right hand side of those equalities we're checking. And then on the left hand side, we had to fold in each round the commitment key. And this is what required a linear amount of work overall, or slightly sublinear, if we defer computing the final commitment key to the end, which the verifier can do, and then use pipergers to compute the multi-exponentiation. Next, we observe that for a log time evaluable polynomial in some indeterminate and the L challenges for the, where L is the number of rounds, that the final commitment key can be written as a commitment to that polynomial. Then using a polynomial commitment in particular KZG10, we can offload computation of the final the prime value to P so that the verifier does not have to scale the commitment key themselves. They're only doing a logarithmic amount of work by evaluating this halo polynomial and by orbit group multi-exponentiation. So here is how this sub-protocol works. It sends V prime to the verifier. The verifier then picks a random challenge point for the field and uses the halo polynomial and the challenges from each round of the inner product argument to compute this V value in log time. The prover then sends a succinct evaluation proof showing that V prime opens to V at Z. Recall, the prover is proving knowledge of some polynomial F prime of X that agrees with F at Z and the X1 through XL challenges. These two polynomials will only agree if they are different with negligible probability by short zipple. And V is able to check this evaluation proof in constant time using the KZG10 verifier. This is the basic idea of how we achieve log time verification using pairing-based commitments. And again, this isn't just for our inner pairing product protocol, but for multi-exponentiation in a pairing-based commitment. Just to give a basic idea of the halo polynomial and its log time valuable form, here instead of a trapdoor beta, we have a trapdoor alpha and this would represent the logarithm of the structured reference string elements W1, W2, and so on for eight values. And then after one round, we would have a SRS that is half the size and is folded, Vesley, and so on in terms of these challenges X1, X2, and X3. And then we see how this forms a log time of valuable polynomial, which we can then write the final W prime in terms of moving on. We're going to talk about our polynomial commitment scheme. We set a high level. We begin by using the strategy of having a two-tiered homomorphic commitment. This is what will ultimately give us square root opening and square root CRS. We'll see how that works later. And it will be presented as a commitment for a bivariate polynomial of degree at most M equal to square root of N in each variable. But in the paper, we also give a univariate transformation. So we consider a coefficient matrix A, whereas we move down the rows, the power of X grows, and as we move down the columns, the power of Y grows. We commit to each row using a KZG10 commitment with the same SRS. So this means only a square root size SRS. And then we commit to all the row commitments using the TIP commitment scheme, which is again basically a trusted version of the AFGHO 16 commitment, just like the KZG10 commitment is basically a trusted version of the generalized Patterson commitment. And we get a commitment that is a single target group element. And also our SRS for the TIP commitment is also square root N size. We want to prove an evaluation at XY. To do this, we first create an outer tier evaluation proof, where we show that U is equal to this multi-exponentiation inner product between the commitments to the row vectors AI and the powers of X. And this is a proof of a partial evaluation of F of X, where we've plugged in the X, but we have left Y indeterminate. And this means that U is a KZG commitment to the following monic polynomial. So for the inner tier evaluation, we use KZG10, the opening evaluation proof from that protocol to prove that U opens to V equal to F of XY at Y. As we already noted, both MIPK and KZG commitments use an SRS with size linear in M equal to square root of N. And we also note that both the MIPK and KZG10 provers run in time linear in square root of N. We will, however, take a minute to look at subsequent work. First, Lee20 and Dory introduces an inner pairing product argument that achieves a log time verifier without a trusted setup. This comes at a six times increase to proof size plus verifier time. Whether this is a good trade-off or not just depends on the application. We've also seen lattice-based inner product arguments from BLNS20 recently, which achieve polylogarithmic proof size and linear time verifiers. We've also seen our work applied to vector commitment opening proof aggregation, incrementally verifiable computation without recursion, and snark aggregation. And we've seen some industry adoption, our protocols, or derivatives thereof, are already in use by Polkadot and Filecoin. Finally, we conclude with some open questions, some of which have been very recently answered. So recently, we've seen a proof in the ROM for inner product arguments. In particular, the result is showing for a generalized notion of special soundness that when you apply Fiat-Chemere to these protocols, you get a knowledge sound protocol in the ROM that is tight. And so this is actually a little bit more general of a result. The next step would be to consider if for particular commitment schemes, there are correlation intractable hash functions such that we could have non-interactive inner product arguments that are knowledge sound in the standard model. Another direction to go in would be to try and extend the results of AFK-21 to the quantum random oracle model. Another question was whether we could achieve sublinear verification without pairings. And in particular, this is kind of a technical reason, but multi-exponentiations using Pippinger still use a quasi-linear number of field operations, which is important when using inner product arguments to build polynomial commitments to plug into polynomial IOPs or algebraic holographic proofs if you want them to run in a linear number of field operations. And since LS-21 actually requires square root group operations, it does accomplish this. The next question would be can we achieve logarithmic verification without pairings? And can we improve on the lattice base inner product argument of BL and S20? Could Dory be adapted to the lattice setting? And this might also answer a question of whether we can achieve logarithmic verification without pairings. Can we improve on the arithmatization of bullet proofs or LMR, which would mean taking an arithmetic circuit and turning it into an inner product, which we then prove with an inner product protocol rather than turning our inner product argument into a polynomial commitment and then plugging it into a PO, IP or AHP. So that wraps up my talk. Thank you for watching and be sure to check out the paper at this link. If this were a live talk, this is where I would be asking for questions. But if you are at Asia Crypt, you can ask me them during the live session.