Hi everyone, I am Kateryna Pavlyk, this is joint work with Helger Lipmaa. We are from Simula UiB, Norway. This talk will be recorded for Asiacrypt 2020. In this talk I will describe our brand new succinct functional commitment scheme for a large class of arithmetic circuits. A commitment scheme is an interactive protocol between two parties, the committer, who holds a message, and the verifier, which allows one to commit to a chosen value while keeping it hidden from others, with the ability to reveal the committed value later. This scheme consists of four algorithms. At the beginning the commitment key generation algorithm is run to produce a commitment key and a trapdoor key. The commitment algorithm commits to a message, getting commitment and decommitment values, and sends the commitment value to the verifier. The opening algorithm computes an opening to a message, which is sent to the verifier. The verification algorithm checks whether the commitment really is to the message that the sender claims it to be and either accepts or rejects. Commitment schemes come with two security properties, hiding and binding. Hiding defends against the malicious verifier, guaranteeing it does not gain any information about the message of the honest committer. Binding protects against the malicious committer, who cannot change the value or statement after he has committed to it. In other words, a possibly malicious committer cannot find matching openings for different messages, zero and one, for a given commitment to a verifier without knowing the trapdoor. In recent years several generalizations of commitment schemes were introduced. In 2013 Catalano and Fiore put forth a notion of vector commitment, which allows the committer to commit to a vector of messages such that it can later open the commitment at any position of the vector. The corresponding notion of binding for such commitments is called position binding.
In a polynomial commitment scheme, the committer commits to a polynomial. Later, after getting an evaluation point, he opens the commitment to the evaluation of the polynomial at that point. A polynomial commitment scheme is evaluation binding if it is hard to open the same commitment to two different evaluations of the same polynomial. And the latest generalization, by Libert et al., formalizes a notion of functional commitment, which allows committing to vectors of messages which can later be opened to a specific function evaluation. Libert proposed a construction for linear maps based on Diffie-Hellman assumption, exponent assumption or pairing groups. Succinct polynomial and vector commitment schemes have recently become very popular since they can be used to construct SNARKs. There is a large gap between functional classes for which a succinct functional commitment scheme is known and the class of all efficiently verifiable functions. So we set a goal to fill the gap. We construct a succinct functional commitment scheme for a large class of circuits under a falsifiable assumption. And the words succinct and falsifiable are key words. It is straightforward to construct a succinct functional commitment scheme for all poly-sized circuits under a non-falsifiable assumption. For that, one just uses SNARKs as a black box. And since one can construct a non-succinct NIZK from a falsifiable assumption for B-class, one can construct a non-succinct functional commitment scheme from a non-succinct NIZK. Bitansky pursued this approach, proposing a non-succinct functional commitment scheme for all circuits that uses NIZK as a black box. However, while non-falsifiable assumptions are required to construct SNARKs, we hope to construct a succinct functional commitment scheme under a weaker assumption. Thus, just using a SNARK as a black box is not a satisfactory solution.
Altogether, constructing a succinct functional commitment scheme is a much harder task than constructing a non-succinct functional commitment scheme. Thus, our goal is to design a succinct functional commitment scheme for a wide variety of functionalities under a nice falsifiable assumption in groups with a bilinear map. Let D be the domain and CC be a class of circuits, and let us have a circuit from this class that computes some vector function of two inputs, alpha and beta. A functional commitment scheme for circuit class CC enables, for any circuit from this class, the committer to first commit to a vector alpha, and later open the commitment to the output value of the circuit, xi, where the verifier chooses vector beta at the time of opening. This definition generalizes the notion of functional commitment as defined in Libert from inner products to arbitrary circuits. A functional commitment scheme for inner products just assumes that the circuit computes the inner product of vectors alpha and beta. Our functional commitment scheme satisfies three definitions of the hiding property for functional commitment schemes of increasing strength. The first definition corresponds to the definition of hiding given by Libert, and essentially states that commitments do not reveal any information on alpha. The open hiding property is considerably stronger, stating that the commitment and the opening together do not reveal more information on the vector alpha than the values of the circuit on queried values beta. And finally, zero-knowledge functional commitment schemes have hiding in the sense of simulatability, which makes sense only in the CRS model. Our scheme is evaluation binding, which allows the committer to open to two different openings, to two different vectors, as long as the value of the function is the same. And our commitment scheme is succinct, that is, both the commitment and the opening have length that is polylogarithmic in the size of the vectors alpha and beta.
Our scheme is inspired by SNARKs. A SNARK is a short NIZK argument system, which guarantees honesty, privacy or soundness, and zero-knowledge. We use Groth's efficient SNARK for arithmetic circuit satisfiability, namely its improved version by Lipmaa. Here is a high-level overview of our technical contribution. The construction of the new functional commitment scheme consists of the following steps. At the beginning, we compile the original circuit, computing the fixed function, to a circuit consisting of four public subcircuits. We need such a division to prove evaluation binding under a falsifiable assumption. Then we represent the compiled circuit in the QAP language, which SNARKs usually use. And finally, we construct a succinct functional commitment scheme for the QAP representation by using SNARK techniques in a non-black-box way. So how do we use a SNARK if not as a black box? Though SNARKs and functional commitment schemes have some similarities, they have drastically different objectives. Some conceptual differences between the objectives are gathered in the next table. We have different security properties to achieve. In the case of SNARKs, the prover has full access to the input; in the case of functional commitments, it gradually gets it and later constructs the argument based on the full info. For SNARKs, the argument consists of a single bit string; for functional commitments, we have a division due to careful separation of public and private inputs. Circuit compilation. Assume that we have a polynomial size arithmetic circuit that on input alpha and beta computes xi, a value of some function. We modify the original circuit to a compiled circuit that consists of four public sub-circuits, phi, xi, psi and chi. In the picture to the right, the red circuit applies to the private input only, the green circuit to the public input, and they are unrestricted. The circuit chi combines the outputs of the previous two circuits and has a restriction.
For security reasons, this circuit chi is restricted to have multiplicative depth one. That is, intuitively, it sums up products of polynomials of alpha with polynomials of beta, and it guarantees that in a collision the two accepted openings have a nice linear relation that doesn't depend on the secret data alpha. The latter makes it possible for the reduction to break the underlying assumption. Thus, we cannot handle all circuits, due to the reduction of evaluation binding to a falsifiable assumption. The compilation we use reduces the circuit class we can handle. In summary, our new succinct functional commitment scheme works for all circuits that have a polynomial size compiled circuit such that the concrete sub-circuit, chi, has multiplicative depth one. We study the class of arithmetic circuits compilable according to the given definition by employing tools from algebraic complexity theory. What we get is that the resulting class is wider than the class of sparse polynomials, but smaller than the class of poly-degree polynomials that have poly-sized circuits. A circuit evaluation can be verified by verifying the next matrix equation, where matrices U, V and W define the circuit uniquely and reflect all the circuit constraints. Here, r is a witness consisting of the values of all the wires of the compiled circuit. We verify the main matrix equation by constructing matrices U phi, U psi, U chi and U xi, and correspondingly matrices for V and W, and check that the various sub-circuits of the compiled circuit are correctly computed. That is, we are checking the next four equations. In our security theorem, we will need several conditions for the compiled circuit to hold, and those conditions dictate the shape of the matrices U, V and W. We have a theorem where we list all those conditions and prove they hold for the compiled circuit. In quiet conditions shortly, there should be a lot of use in these matrices.
Some of those pink entries are responsible for the evaluation binding proof's success and others for the security of the underlying assumption. Intuitively, we start constructing a SNARK for the compiled circuit by following the approach of Groth. However, we modify this approach and it never exudes our goals. In Groth's 2016 SNARK, first the CRS is generated, and then the prover gets as input alpha and beta and creates a proof of three group elements, which it sends to the verifier. The verifier recomputes a part of the group element C using public data and verifies the argument given the computed C. P stands here for public and S for private. We remark that the new succinct functional commitment scheme inherits the efficiency of Groth's SNARK. We use a somewhat similar flow of protocol but with several rounds. In our succinct functional commitment scheme, the committer's input consists of two parts, private and public. At the beginning, the committer knows only alpha and computes the parts of elements A and B that can be computed from alpha only. Later, the verifier decides on the beta value and sends it to the prover. The prover computes the opening and sends it to the verifier; the verifier now recomputes all three elements A, B and C using the parts of A, B and C, and runs the SNARK verifier on the reconstructed proof. Our main result is the construction of the succinct functional commitment scheme and its security proof. While the correctness and hiding proofs are straightforward, evaluation binding is far from it. In the main theorem, for a fixed circuit, we reduce evaluation binding of the functional commitment scheme to a new span-uber-assumption in a source group. The full evaluation binding proof is quite tricky. The interested reader can check the paper. The intuition is as follows. Given a collision to the verification equations, we almost compute the assumption challenge.
Subtracting them, we have delta only on one side of the pairing, and this enables us to get a reduction to the underlying assumption. To eliminate this "almost", we also need some auxiliary elements to be output by the committer, and we use the specific structure of matrices U, V and W, which we discussed earlier. Many of the bilinear group assumptions have been gathered under the umbrella of the uber-assumption. A well-known class of uber-assumptions are q-type assumptions. The new span-uber-assumption states that it is difficult to output an element sum together with the coefficient vector delta, where the f_i are not in the span of the set R. Here, delta is a vector of component-wise differences between two claimed values of the function f. Importantly, if the circuit has one output, then the span-uber-assumption is equivalent to the uber-assumption. The span-uber-assumption is falsifiable and thus significantly more realistic than the non-falsifiable assumptions needed to prove the soundness of SNARKs. Still, it is a new assumption, and thus we have written down three different proofs that it follows from already known assumptions. First, we prove that the span-uber-assumption in a source group holds under the known uber-assumption in the target group. Here, the f_i are different but related functions. Thus, we have an instantiation of the computational uber-assumption known to be secure in the generic group model. Since the generic group model is very restrictive and has known weaknesses not shared by well-chosen knowledge assumptions, we prove that the computational span-uber-assumption holds under a hash-algebraic knowledge assumption and a PDL assumption. And also, we use a Déjà Q approach to prove that the span-uber-assumption in a source group is secure under the subgroup hiding assumption. To demonstrate the usefulness of our functional commitment scheme, we give several applications. Some of them are well known and some are new.
We show how to use our functional commitments to construct sub-vector commitments and multivariate polynomial commitments. In addition, we outlined a few similar new applications like aggregated inner product, aggregated polynomial product, aggregated polynomial commitment and evaluation point commitment schemes. Importantly, all the described commitment schemes are succinct. The new succinct functional commitment scheme assures easy aggregation in a more general sense. Let C_i be some circuit for which there exists an efficient succinct functional commitment scheme; then we can construct an efficient aggregation for the circuit that consists of the sequential composition of the C_i's. Some of the referred papers construct aggregated commitment schemes only for a concrete circuit, and our scheme allows one to aggregate different succinct functional commitment schemes. To sum up, we constructed a SNARK-based succinct functional commitment scheme for a large class of arithmetic circuits, proved it evaluation-binding under a new falsifiable span assumption, and provided justification for the assumption. Open questions we are working on: these are an efficient compilation to a circuit. For which class of circuits will the compiled circuit always be poly-sized? Is it possible to extend our constructions to all poly-sized arithmetic circuits? And is it possible to construct a succinct functional commitment scheme based on a static security assumption in prime order groups? Thank you for listening.