I'm a professor of computer science at the Technion. I'm also one of the seven founding scientists of Zcash. And I'm going to tell you mostly about joint work with Iddo Bentov, Yinon Horesh, and Michael Riabzev. It will have three parts. The first part is going to be a little more theoretical. The second part is going to be very practical. And then the third part is going to be, again, more theoretical. I'll tell you when we're moving between the parts, and you can stop me and ask questions.

Okay, so first of all I want to tell you about the theoretical models in which we like to play these games and build these proof systems. Then I want to talk about the way we realize them, and show some benchmark numbers. And then, again, go back to some theory that applies both to STARKs and to SNARKs.

So I'm going to tell you about something called an interactive oracle proof. It's a kind of game that mathematicians like to study. It's very clean mathematically, and you can make a lot of progress studying this game, but it's unrealistic if you want to use it in practice. Then I'm going to tell you about a special kind of IOPs, interactive oracle proofs, that are really, really efficient, almost optimally so. And they're going to be really great: again, we can prove a lot of things about them, even without any cryptographic assumptions. But, again, they are unrealistic. And then if you go and realize such an IOP, and I'll talk a little bit about that, you get something that is practical. You do need cryptographic assumptions, but very lean ones: ones that are post-quantum secure, that don't have any number theory involved, that don't require a trusted setup, and that sort of stuff. So that's how you get a STARK in the end.

Good, so let's start. We play these games about computational integrity statements. So Bob makes a claim of which he wishes to convince the world.
And he says: I know some private witness W such that if I take that witness, which only I know, and run a specific computation C on it together with some public input that everyone knows, then I reach the output Y within T steps. This is a very general statement, but examples include the Zcash JoinSplit; that's a special case of such a computation. Or a proof of solvency, or that you own enough coins; and you could have applications in smart contracts and so on and so forth. So we like to study these very abstract settings.

Okay, so what is this game called an interactive oracle proof? It's a game of many rounds between a prover, that's Bob, and a verifier that could be anyone. The best way to think about it is that the prover sends a USB stick that the verifier keeps. Then the verifier tosses some random coins, public or private, and sends a message back to the prover, and the prover sends another USB stick, which depends also on the randomness he was sent. Okay, and this goes on for a while. At the end the verifier, in this case Alice, has collected a bunch of USB sticks. Now she tosses some more coins, and based on those coins she queries a few random locations of the data written on these various USB sticks, plugs them into some computation, and based on that computation she decides whether to accept or reject the statement. Okay, so it's a very simple game, one in which you get a USB stick, you send some randomness, and so on and so forth.

And we would say that this game is good for the purpose we made it up for if it has completeness, which means that for a true statement, if Bob really knows this private W, then through this game with USB sticks he can indeed convince the verifier that it's true.
And soundness is the trickier and more important part: if the statement is false, or Bob doesn't know this W, then it's going to be very unlikely for him to convince the verifier that the statement is true.

So it's an unrealistic model, but it's mathematically clean. Why do I say it's mathematically clean? Because within this model we can say: if you are willing to play this game, you can take any kind of computation, even ones where the prover has to run exponentially longer than the verifier; this is a class of problems called NEXP. For any one of these problems, which includes the JoinSplit circuit, various smart contracts, and a lot more, you can have this sort of IOP, and it's really, really great. First of all it has zero knowledge, but it also has a bunch of colored terms here that I'm now going to explain: it's fully scalable, it's transparent, it's an IOP of knowledge, and it has perfect zero knowledge. Okay, and this is joint work also with Alessandro Chiesa, Ariel Gabizon, who is sitting here, and Madars Virza; all of us are with Zcash. And there's follow-up work also with Mike Forbes, Michael Riabzev, and Nick Spooner.

So let me explain those colored terms. Fully scalable, or doubly scalable, means scalable proving time and scalable verifying time. Prover time scales almost linearly in the time it would have taken just to run the computation: instead of taking T steps, it takes T times log T to some small power, and hopefully the exponent is small. Sometimes this is called quasilinear time, and it's not hard to show that the prover cannot run in fewer than T steps, so up to this polylog factor it's optimal on the prover side. And at the same time it's also optimal on the verifier side: the verifier needs at least to read the statement, and log T is a theoretical lower bound for this, and you can still get the verifier to run in only log T, the bare minimum, to some power.
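Before moving on, the "query a few random locations of the USB sticks" step can be made concrete with a toy sketch. This is my own illustration, not an actual IOP: there is one round, no encoding, and a trivial claim (Bob commits to a long array and claims every entry is 0, while Alice spot-checks a few random positions). It shows that random spot checks catch dense lies with high probability, but a single lie almost always slips through, which is part of why real constructions need more machinery.

```python
import random

random.seed(0)  # fixed coins, just to make the demo reproducible

N = 10**6  # length of the "USB stick"

def verifier(oracle_query, length, num_queries=20):
    """Alice's side: toss coins, read a few random positions, accept/reject."""
    for _ in range(num_queries):
        i = random.randrange(length)
        if oracle_query(i) != 0:
            return False      # caught a nonzero entry: reject
    return True               # every sampled entry looked fine: accept

honest = [0] * N

cheating = [0] * N
for i in random.sample(range(N), N // 2):   # lie on half of the entries
    cheating[i] = 1

lone_lie = [0] * N
lone_lie[0] = 7                             # lie on a single entry

print(verifier(lambda i: honest[i], N))     # honest prover is always accepted
print(verifier(lambda i: cheating[i], N))   # dense lies: rejected w.p. ~ 1 - 2**-20
print(verifier(lambda i: lone_lie[i], N))   # a single lie almost always survives
```

The last line is exactly the problem the low-degree encodings later in the talk are designed to fix: encode the data so that even one lie forces disagreement almost everywhere.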
Transparency means there is no trusted setup, there are no secrets; all the randomness the verifier needs is just public random coins. So in particular, if you think of a setup where you have a blockchain with blocks coming along once in a while and containing some randomness in them, you could say we don't need the verifier: if everyone is watching the blockchain, we can extract the randomness from there and have it play the verifier's side, and you get public verifiability in a very transparent way that everyone can believe in.

Okay, an IOP of knowledge: I don't want to go into the definition, but it means that if Alice takes the USB sticks and opens up everything in them, then she can find the witness. That seems to contradict perfect zero knowledge, which is the strongest form of zero knowledge, in a mathematically defined way. So the last two bullets seem to contradict each other: if Alice gets the USB sticks and reads everything in them she can recover W, but the last bullet says that from the interaction Alice learns nothing. And this is part of why we say the model is unrealistic: first of all, sending USB sticks is kind of inconvenient, but worse, if Alice has these sticks and she is malicious, she can compromise zero knowledge.
So for these two reasons we need something else to implement this model. This goes back 30 years, to the seminal works of Kilian and Micali on how to take protocols like these, things called PCPs, of which IOPs are a generalization, and convert them into practical things. You can do it in two ways, basically, and the solution should seem reasonable to anyone working with blockchains. Instead of sending this whole big message, this USB stick, what the prover does is compute a Merkle root of the information, a hash, which is a commitment to everything he wants to send, and he sends that; it's a very short message. Then he gets randomness, and then he sends another Merkle root hash for the second USB stick. At the end, Alice, the verifier, will ask him some questions, and whenever he answers those questions he will append an authentication path proving that the content of the USB stick is as claimed. These are standard things done with Merkle trees.

Good, and you can do this in two ways. You can do it interactively, which means, say, you rely on a blockchain and wait a block each time to get new randomness, or you have someone send the randomness. Or you can do it non-interactively, in which case you basically take the hash of the latest message and think of it as the randomness that the verifier sends. Both of these realizations now require some cryptographic assumptions, so by doing this we're moving away from the clean theoretical abstract game: we rely either on collision-resistant hash functions in the interactive case, giving an iSTARK, or you do the non-interactive one and get an nSTARK, and then we need something called the random oracle assumption, which is commonly used but mathematically not as clean as the games we started with.

Good, so here's a research question. nSTARKs and SNARKs have a similar sound, and it's on purpose, but it's a research question that I actually do not know how to answer formally. There are
definitions for these two things. Are all nSTARKs SNARKs? Interactive STARKs are clearly not SNARKs, because the N in SNARK stands for non-interactive, so you can't have an interactive non-interactive thing. But you could ask whether an nSTARK is actually always, necessarily, a SNARK. It's a question that I think is interesting and answerable, but I haven't looked at it. They definitely serve the same purpose, which is proving general statements about computation in zero knowledge, very, very efficiently.

Good, so we talked a little bit about theory. What have we been doing? It took actually quite a long time, but we now have some implementations of STARKs, either without zero knowledge or with zero knowledge. The first STARK, without zero knowledge, was presented about a year and a half ago at Eurocrypt. It has a whole bunch of authors: Ariel, who is among the Zcash founders, is one of them; it also includes Alessandro Chiesa, Eran Tromer, and Madars Virza, I hope I'm not forgetting anyone, and a whole bunch of students of mine at the Technion. I don't want to spend all the time on this. So now we have the first zero-knowledge STARK. It's based on a theoretical zero-knowledge, succinct, scalable, transparent IOP of knowledge, which is again one of those theoretical constructions, and that's again joint work with Ariel, Madars, and Alessandro. We already have the proof-of-concept code, and I'll show you some benchmarks. The paper always takes much longer: if you think debugging code takes long, debugging papers is, I guess, similar if not worse. One component already appears online. It's a very clean, separate thing, and those of you who like algebra, I urge you to download it and read it; you can actually implement it both over prime fields and over binary fields. I think it's very digestible for those who know algebra. Okay, so some part of the new STARK is already out there, and the rest, I hope, will follow.

Okay, we're done with the first
part, which was sort of abstract. Now I want to show you what happens, in terms of running time, when we use this realization, this zero-knowledge STARK. So for those of you who spaced out because it was very abstract, now I'm just going to show you some running times and measurements.

The benchmark I'm going to talk about is a setting where the FBI has, let's say, a DNA profile database, and it is willing to publish daily a Merkle root, sorry, a hash, of the state of this database. In it are basically the DNA profiles taken from all crime scenes. Each DNA profile is analyzed and compressed, and it turns out to be 40 integers: each person's DNA sample is reduced to a set of 40 integers. The FBI publishes this hash daily, and now, some day, let's say a new head of the FBI is selected. The FBI's database is posted, there's supposed to be a new head of the FBI, and the public is worried about whether he's shady. The FBI wants to convince the public that this is not the case, and that they can run a profile match search of the incoming head against this forensic DNA profile database and report the match.

Okay, so that's the program we actually implemented, and the program is written down there. The public input X that everyone sees is a hash commitment to the database and a hash commitment to the incoming chief's profile. The witness that only the FBI should hold is the pre-image of the database, a pretty large string, a set of profiles, and also the pre-image of the incoming chief's DNA. They run this computation where they compute both hashes and compare them to the publicly known hashes, and they also check a profile match, which is not just string equality; there are some logical
complications there, but nothing too deep.

Good, so we actually ran this thing. It's a fairly large machine: 32 AMD cores, which I recently learned is really like 16 cores with hyperthreading, never mind, and half a terabyte of RAM. We managed to run it all the way up to a million profiles, which is a megabyte-size file.

On the top there are various measures for the prover side, the side generating the proofs; this would be the FBI. On the bottom there are measures for the folks, you know, the public, verifying it. For instance, what we see here is the ratio of proving time to naive running time. When the database size is small, it takes only about 50,000 times longer to generate a proof than to just naively run the computation, and then it jumps up to something like 250,000; right about there is where we maxed out the RAM and need to start either swapping or recomputing parts of the proof. So presumably, with more RAM, we would stay at only 50,000 times slower than just running the computation without any proofs.

This is the overall proving time: it takes much less than one second if you have a very small database, and about a day to generate the proof for the whole million-entry database. By the way, I think the USA's forensic DNA profile database is around 20 million entries or so, located in different places, so even today we're not that far from being able to prove something about a database that large. And here we have the proof size; this is an internal, theoretical measure of the amount of space the prover needs, not the amount he's sending.

Over here we have the verifier side, and what we can see is the
communication complexity, the amount of information being sent. Now, we can measure the verifier even on data for which we cannot generate proofs, because the verifier just makes some queries and checks that everything is fine, so we might as well measure it even for inputs we cannot yet generate proofs for. That's what we did here: we ran all the way up to 2 to the 36 entries, which is pretty big, billions of entries, much more than there are people living on the face of the earth today. And even there, at the end, you get something around 1.2 megabytes, non-interactively, for something that would be many, many gigabytes of information, so we actually get compression in space. And by the way, the clean mathematical model, the IOP part, accounts for very little of the communication complexity; most of it is the authentication paths from these Merkle trees.

Another interesting thing, which we'll talk about in a minute, is the overall verification time: it starts at 20 milliseconds, and even for 2 to the 36 entries it would have taken less than 80 milliseconds to verify, which is much faster than doing it naively. Now, because the verification time is exponentially faster than the naive computation time, it behaves like log T as opposed to T, we can talk about compression functions. The time compression function is the time it takes to verify a statement divided by the time it takes to run the computation. If this value is above 1, your verification takes longer than just running the computation, but once it goes below 1 you're actually saving on verification time. And you can do the same thing with space: the witness is a non-deterministic proof for the computation, and you can compare its size with the argument that comes from using a proof system. Again, you divide the communication complexity of the
proof system by the size of the database, and once this ratio goes below 1 you're actually compressing. And this is something we're very proud of: for the first time in practice, we actually managed to beat both the time compression and the space compression functions, which means we generated proofs and verified them in time that is, I think, about four times faster, and with proofs that compress by a factor of 50. As you can see from the plots, because of this exponential speedup, the larger the data sets and the larger the scope of the computation, the more impressive the compression in space and in time becomes, so we're very optimistic that in the future we'll see even more compression. There's a big discussion about scalability of blockchains in general, how do we process thousands or millions of transactions, and I think one very viable long-term solution is to use things like this, because they can really offload the whole task of proving the integrity of a very big system in a way that's mathematically very clean, post-quantum secure, with no trusted setup, and also very efficient on both the prover and verifier side.

Now, there's a bunch of other really cool scientific approaches to addressing this question of proving statements with zero knowledge, and I'm listing a few of the theoretical ones that have been implemented in practice and comparing them asymptotically along these desirable properties. You would like something that has a scalable prover and a scalable verifier, and you would want the proofs to be transparent and post-quantum secure. The very first approach is based on homomorphic public-key cryptography; there's a whole line of works here, but this includes the SNARKs and quadratic arithmetic programs of Gennaro et al. You can see it has a scalable prover, but the verifier is scalable only after the pre-processing phase. For a computation that runs time and time again, that's not an issue,
something like the circuit of Zcash, but if you want to modify circuits, generate new ones, or tweak them a little, then this pre-processing phase makes the verifier non-scalable for a single computation. They're also not transparent and not post-quantum secure. There's a nice approach based on the discrete log problem, by Groth, that makes the system transparent, but it's not post-quantum secure and the verifier isn't scalable. There's an approach that is even post-quantum secure, based on running an MPC protocol "in the head". And you can also apply incrementally verifiable computation on top of any system; this is something we implemented, and it's neither transparent nor post-quantum secure, but it is scalable theoretically. As you can see, STARK is green the whole line through, which is why I think in the long run this is the way to go.

In terms of running time, I took these theoretical approaches, and we actually ran the same computation through the different systems on the same machine, trying to compare apples to apples as best we could. Lower is better. What you can see here is that the proof generation time is almost best for STARK; MPC-in-the-head is slightly better, but its verifier running time is pretty large, about 30 seconds versus our 40 milliseconds. Now, with SNARKs, which are the yellow bars, if you take into account the time needed to generate parameters, you get a really long verifier time, because the verifier is the one generating the parameters; that's 28 seconds. But of course, assuming you've done that, and there's also a very large communication complexity for sending this key, the SNARK verifier is fastest, 9 milliseconds versus our 40 milliseconds, and the proofs are extremely short: 0.23 kilobytes, versus 452 in our case, 8 kilobytes for the discrete-log based one, and 6.5 megabytes for this one. And as time goes on we'll see more and more implementations, and even along these lines we'll see them all
going down.

So I talked a little bit about the numbers we're getting right now with our proof-of-concept code, and now, for the very last part, I want to go back to theory and tell you a little bit about arithmetization. Arithmetization is this nice piece of theory behind both SNARKs and STARKs, and also all those other systems I showed you; in all the implemented systems there's a very strong component of arithmetization. So that's the last thing I want to tell you about, and everything I say now is relevant to SNARKs, to STARKs, to things based on discrete log, to running an MPC in the head, and to a bunch of other approaches. It's a very powerful and beautiful technique, and I want to explain it to you just a little bit.

Good. Arithmetization goes back even to Gödel's proof of the incompleteness theorem, for those of you who learned about it, a fundamental theorem in logic and philosophy. Then it was used in the '80s by famous theoretical computer scientists to prove theoretical results I won't go into, and then it was modified and brought into the world of these proof systems by Fortnow and Babai and their co-authors, and since then it's been used to great extent.

Okay, now we're starting again. For those who haven't seen these things and don't know what a polynomial is, I apologize; it's going to be a little bit fast. But those of you who have seen them, I hope you'll enjoy this. A polynomial is a formal sum; it's really a computer program of a very special kind that allows you only to do multiplication and addition. The degree is the maximal degree of its terms, so x to the 5 is a degree-5 polynomial, lines are degree-1 polynomials, and the parabolas we study in high school are degree-2 polynomials, and so on and so forth. Good. Now, we'll say that a function evaluated on a set of points is said to be of degree d if the polynomial that describes that function is a degree-d polynomial. So
these are two slightly different objects, right? If I see a line on the plane and take the sequence of points that comprise it, that is a function: for every x value I get a y value. But we will say it's a degree-1 function, and the same with a parabola: I'll say it's a quadratic, degree-2 function. So these are some basic definitions.

The fact we're going to use is that two distinct polynomials of degree d can intersect in at most d points. For instance, two lines, if they're not the same line, can intersect at only a single point; two degree-2 parabolas, if they're not the same parabola, intersect at only two points; and so on and so forth. This is a very important property, and this is how we're going to use it: if you have two distinct functions of degree d, but you ask for their evaluation on 100 times d points, then they either agree completely on all of these 100d evaluation points, or they disagree on at least 99% of them. So if you sample a random point and they're not the same function, with 99% probability you'll see that they're not the same function. And we'll use this to find falsities, to see if we're being cheated. Formally, you could say the space of low-degree functions forms an error-correcting code, and it has a name: the Reed-Solomon code. This use of it was discovered and studied in the early '60s. An interesting fact: it was studied in the early '60s and started getting implemented in CDs and DVDs in the mid '90s, so 35 years. And things like zero-knowledge proofs were discovered and invented in the 1980s, and now we're in 2017, so that's again roughly the same span of years until they start getting implemented in things like Zcash, where people actually use them as opposed to just studying them. So there's this three-and-a-half-decade separation between science and realization.

So here's our goal now. I want to try
and convince you that it is possible; I want to show you some of the magic that goes into Bob being able to prove to Alice a statement that Alice doesn't even have the time to run and verify.

So here's a very simple example. As part of this complicated computation, Bob is claiming to Alice: there's this register, and its type, or its range, always has values between one and ten. It's really important to the bigger argument; maybe this is the program counter, and it's a ten-line program, so it never goes below one or above ten. But the thing is that Bob is making this claim about a really large number of points: he's saying there are a million values in this array, and all of them are in the range one to ten. So the goals we would like are these. We would like to find a way to trust Bob's claim: can he prove that he's correct? We would like, later on, to talk about privacy: will this proof leak information about some of these million points? We would like it not to, because that's part of what zero knowledge is supposed to do. And the last thing: can we do it succinctly, so that Alice doesn't have to work very hard and, you know, query all of these million points?

So this is the first claim. Bob claims: I have a list of ten to the six integers, all in the range one to ten. And the question to you is: can you see a way for Alice to check this statement with just two queries and still have 99% probability of catching Bob if he's cheating? Any ideas? Is it possible? No, it's not possible, right? Alice has to check all of them; there are a million of them, and if there's one she doesn't check, she might be wrong about it. But Bob really wants to convince Alice that this is the case, so he says: you know what, I've added redundancy and more information to convince you. I took this list and encoded it: I interpolated, I found the degree-one-million polynomial
that goes through these points, and then I evaluated that polynomial on many, many more points, on a billion points, ten to the nine. Will you now trust me with this claim? So the question goes again: can Alice now make two queries and find out if this is the case? What do you think? Who thinks this can be done, raise your hand. Who thinks it cannot be done with just this information, no other information? So the second camp is right: it cannot be done with just this information, because you still need to read basically a million points in order to find this out.

Okay, so Bob is really frustrated. He says: Alice, what more do you need in order to be convinced? And Alice will say: you know what, I'm going to ask you for a favor, Bob. Please evaluate one more polynomial for me: give me any polynomial of degree ten to the seven minus ten to the six, so around nine million; that is the degree of the polynomial I seek. You can give any one you want, but if you do it well and your claim is true, then I will know with 99 percent certainty whether that's the case. And this already works. It seems almost like the second claim, right? It's still the same claim, there's just a little bit more information: Bob is giving two evaluations of polynomials of weird degrees, one of degree a million and the other of degree nine million, and Alice says: that's enough for me to know whether you're telling the truth or not. So here's how this magic can happen, how she's going to read just two points and still be convinced that this is true.

So let's define this weird polynomial C of X. It's not so weird: it's a polynomial that has exactly ten roots, ten values that make it vanish, become zero, and these ten values are exactly the numbers one to ten. Right, if X is two then this term becomes zero, and zero times everything else is zero; same thing with one, up to
ten. So this is a polynomial of degree ten, and if you open it up you'll get its terms explicitly. Good. And again, this is a very important polynomial for our problem, because it captures the range, or type, condition we want to check: we want to check that something is in the range one to ten, and really what we want to do is check that this polynomial vanishes when you plug those points into it.

Now, similarly, there's an added construction of the same flavor: a polynomial D of X, constructed the same way, but it vanishes on the points one up to a million instead of one up to ten. Basically, this is the polynomial that captures the points on which Bob is making his claim, because Bob says: for the first million entries of the array, the points one up to a million, the value of the function is between one and ten. So we're sort of algebraically defining the space we care about.

Good, so we have these two polynomials, and now this is the actual test that Alice is going to use. First I'll convince you that it makes two queries, and then we're going to discuss why it accepts true claims with probability one, whereas it rejects with 99% probability any falsity that Bob makes, which is really going to be magical. So what is the test? The test is rather simple. Remember what Bob did: he wrote down these two polynomials, both evaluated on the numbers one up to a billion, so you have two tables, two arrays, or two USB sticks if you think of them that way. And this is Alice's test: she tosses coins and picks a random number between one and a billion; let's call it x naught. Then she queries the first function and the second function at that same point, and let's suppose the answers are alpha and beta; that's how we'll denote them. And then all Alice does is say: I will accept
that all the first million values are in the range 1 to 10 if and only if C of alpha, so she plugs alpha into this degree-10 polynomial, equals beta times D of x naught, that other weird polynomial evaluated at x naught. So let's see where we are: this is a test that makes only two queries, one to f and one to g. That's all. Now, does it work? In proof systems there are two parts: completeness, proving that correct statements are accepted with high probability, and the hardest part, soundness, proving that a falsity is rejected with high probability.

Let's start with the simpler statement, where Bob is honest. So really, the first million values are between 1 and 10, and f is the low-degree extension: he interpolated and then evaluated on a billion points. What should g be? We'll see in a minute. Right now, all Alice said to Bob is: you can give me any evaluation of any polynomial of degree 9 million. But now we'll see what an honest Bob would use; there's exactly one that works.

So let's see; we're heading towards this g. We said that f is this good function, it is of degree a million, and p of x is the interpolant, the polynomial that describes it. Now, if we plug p of x into the polynomial C, we get a new polynomial, and this polynomial will vanish on all points between 1 and a million. Why?
Because p of x, on all points between 1 and a million, gives you a value between 1 and 10, and if you plug a number between 1 and 10 into c you get 0; that's exactly what c does. So assuming that p of x takes values between 1 and 10 on the first million entries, then c of p of x will vanish on the first million entries. Okay, we just restated it. But here's a nice fact: a polynomial vanishes at a point x naught if and only if you can divide it by x minus x naught, which means if and only if there exists a q prime, and q prime is not the derivative here, just some other polynomial of degree exactly one less, such that q of x equals x minus x naught times q prime of x. And if a polynomial vanishes on a million points, so there are a million such x naughts, then you can repeat this division once for each of them. And here's the corollary. So if you look at c of p of x and call it q of x, it vanishes on the domain 1 to a million if and only if there exists some q prime, of degree a million less than the degree of q, and that's exactly 9 million, such that q prime of x times d of x, this pre-specified polynomial, equals q of x. So now let me return the question to you: what is g of x going to be? What function will Bob evaluate so that this equality always holds? Exactly: q prime. So what Bob does is he sets g to be the evaluation of q prime. And because this equality holds, because c of p of x equals d of x times q prime of x, and p of x, if you evaluate it, gives you f, and q prime, if you evaluate it, gives you g, you get that the left side equals the right side always, and in particular c of alpha equals beta times d of x naught always. So the test passes with probability 1.

Now, the harder part, I said, is soundness. So what we've seen is that an honest Bob can convince Alice with probability 1 in a test where she makes only two queries. So let's look at the other case. Suppose Bob is cheating, and for simplicity, every element in this array is between 1 and 10 except for the very first one, which has the value 11. So if Alice is just going to check some random entries, she won't notice this; she has probability 1 in a million of picking the first entry. So again we do the same process. We let p of x be the interpolant of f, and the point is that c, when you plug p of x into it, does not vanish on all points between 1 and a million. There's one point on which it does not vanish: the point 1. If x naught equals 1, then c of p of x naught does not equal 0; it equals something else. Okay, it seems like we're in the same case as before: there's just one entry out of a million on which the value of this function is not 0. It doesn't seem Alice has a chance. But you see, for any low degree polynomial q prime that Bob would take and evaluate as his g, we know that the product q prime times d does vanish on all of the first million points. Right? Why does q prime of x times d of x vanish on the first million points, for any choice of q prime? It's a product of two polynomials, and if one of them is 0, that factor annihilates the product and the other one doesn't matter. And d of x was defined to be a polynomial that vanishes on the first million points. So this product, whatever Bob picks for q prime and evaluates as g, does vanish on the first million points. So c of p of x does not vanish on all of the first million points, whereas this product does vanish on all of them. So the two polynomials are not the same. You would think that they only differ on one point in the first million entries, and that may be the case, but recall that we said that degree d polynomials, if they don't agree completely, can agree on at most d points. Now we took two polynomials of degree 10 million, and they're not the same, so they can agree on at most 10 million points, and we actually have evaluations on a billion points. So the two sides of the equation could agree on 10 million points out of a billion; that's a 1 in 100 chance. They disagree on 99% of the domain, which means that for a random x naught, the probability of failure is 99% in this case.

So I'll wrap up, because my time is up. What have we seen? We've seen that you can take a statement that discusses a very huge array, a type checking statement, which is a basic thing that is part of checking correctness of a computation, and even though the statement refers to a million points, you can ask the prover, the person making this statement, to use polynomials, two polynomials in this case, such that you can easily distinguish between truths and falsities with only two queries. That's what we achieved, and this is what arithmetization does. Now, the only remaining problem that we have, and this is where Snarks and Starks differ, is how do you ensure that Bob gives you evaluations of low degree polynomials in the first place? Since my time is up, there are some more papers that need to be read in order to find this out, but you can do it the Snark way or the Stark way. And with this I'll end. Thank you.
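To make both halves of the argument concrete, here is a hedged, end-to-end toy sketch of the protocol at a much smaller scale. Everything here is an illustrative choice of mine, not from the talk: the prime field is 7919, the evaluation domain is 1000 points instead of a billion, the claimed domain is 8 points instead of a million, and the range 1..10 is kept. The honest prover passes at every point; a prover hiding a single out-of-range value 11 in the first entry is caught on the vast majority of the domain, because both sides of the test are evaluations of distinct polynomials of degree at most 70, which can agree on at most 70 of the 1000 points.

```python
P = 7919  # toy prime field; sizes below shrink the talk's numbers

def poly_mul(a, b):
    # multiply coefficient lists (lowest degree first) over F_P
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def poly_eval(a, x):
    # Horner evaluation over F_P
    acc = 0
    for c in reversed(a):
        acc = (acc * x + c) % P
    return acc

def vanishing(points):
    # product of (X - v) over the given points
    out = [1]
    for v in points:
        out = poly_mul(out, [(-v) % P, 1])
    return out

def interpolate(xs, ys):
    # Lagrange interpolation over F_P
    res = [0] * len(xs)
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num, den = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                num = poly_mul(num, [(-xj) % P, 1])
                den = den * (xi - xj) % P
        coef = yi * pow(den, P - 2, P) % P
        for k, c in enumerate(num):
            res[k] = (res[k] + coef * c) % P
    return res

def compose(outer, inner):
    # outer(inner(X)), by Horner's rule on polynomials
    acc = [0]
    for c in reversed(outer):
        acc = poly_mul(acc, inner)
        acc[0] = (acc[0] + c) % P
    return acc

def poly_divmod(num, den):
    # long division over F_P; returns (quotient, remainder with padding)
    rem = num[:]
    inv_lead = pow(den[-1], P - 2, P)
    quot = [0] * (len(num) - len(den) + 1)
    for k in range(len(num) - len(den), -1, -1):
        q = rem[k + len(den) - 1] * inv_lead % P
        quot[k] = q
        for j, c in enumerate(den):
            rem[k + j] = (rem[k + j] - q * c) % P
    return quot, rem

DOMAIN = range(1, 1001)           # stands in for the points 1 .. one billion
CLAIM = list(range(1, 9))         # stands in for the points 1 .. one million
c_poly = vanishing(range(1, 11))  # c(X): vanishes exactly on the range 1..10
d_poly = vanishing(CLAIM)         # d(X): vanishes exactly on the claimed points

def prover(values):
    # Bob: interpolate p through the claimed values, form q = c(p(X)),
    # divide by d to get q', then publish the evaluation tables f and g
    p = interpolate(CLAIM, values)
    q_prime, _ = poly_divmod(compose(c_poly, p), d_poly)
    f = {x: poly_eval(p, x) for x in DOMAIN}
    g = {x: poly_eval(q_prime, x) for x in DOMAIN}
    return f, g

def accepts(x0, f, g):
    # Alice's two-query test at the random point x0
    return poly_eval(c_poly, f[x0]) == (g[x0] * poly_eval(d_poly, x0)) % P

# completeness: every claimed value lies in 1..10, so every x0 accepts
f, g = prover([1, 2, 3, 4, 5, 6, 7, 8])
print(all(accepts(x, f, g) for x in DOMAIN))        # True

# soundness: the first value (11) is out of range; the test fails at
# x0 = 1 and can accept on at most 70 of the 1000 points
f, g = prover([11, 2, 3, 4, 5, 6, 7, 8])
print(accepts(1, f, g))                             # False
print(sum(accepts(x, f, g) for x in DOMAIN) <= 70)  # True
```

The degree bookkeeping mirrors the talk: here c of p of X has degree at most 10 times 7, i.e. 70, and d times q prime matches it, playing the role of the two 10-million-degree polynomials agreeing on at most 10 million of a billion points.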