 Welcome to the talk on succinct arguments in the application. I'm Katerina Stiraike, and this is a joint work with Jonathan Budo and Alessandro Cies. So the topic of this talk is succinct arguments, so let's start with the definition of what succinct arguments are. So in these protocols, we have two parties, a proven and a verifier, and they share some common input. The common input could be, for instance, an arithmetic circuit and a value, which in this case is equal to 10. In succinct arguments, the prover tries to convince the verifier that they know a witness for the common input. In this case, the witness sees some values that evaluate the arithmetic circuit to the common value 10. In the protocol, the prover and verifier exchange messages, and at the end of the protocol, the verifier either accepts or objects. So we require three properties from succinct arguments. The first one is called completeness, and it says that if the witness is valid, then the verifier should accept. The second one is soundness, and it says that if the witness is invalid, then the verifier should reject. And there are different notions of soundness. One of them that we consider is called the knowledge soundness. Finally, we require succinctness, that means that the messages exchanged between the prover and the verifier should be way smaller than the size of the witness. A particular succinct protocol is the samsic protocol, which was introduced in 92. In this protocol, the common input contains a polynomial, p, over a field, f, and the value u, over the same field. The statement that the prover is trying to convince the verifier is that the evaluation of this polynomial over a subset h to dl is equal to the common value u. Again, we have a prover in the verifier and the exchange messages. In this case, the prover messages are some polynomial, some smaller polynomials than the common polynomial p, and the verifier messages are some random challenges from the set f. Finally, after they exchange the messages, the verifier performs some checks that are related to the messages sent by the prover. And the final check requires an evaluation of the polynomial p to a point defined by the challenge of the verifier. Notice that this protocol reduces the computation of the polynomial p over h to dl points to the evaluation of the p over a single point. The communication of the protocol is proportional to l, which is the number of variables in the polynomial p, and the degree of p. And it's counted in elements of the finite field f. Finally, the sounds that this protocol offers says that if the sum of evaluations of the polynomial p is not equal to the value u, then the verifier accepts with probability that is proportional to l times the degree of p over the size of f. The sunset protocol is a very celebrated protocol. The first time that was used was in complexity theory, and in particular in probabilistic proofs. But since then, it has been used in many other areas, such as succinct arguments. And in fact, there have been many different versions of the sunset protocol that have found many applications in succinct arguments. These versions include the univari sound check and the sum for tensor codes. Actually, some tech has been so important that has been that they have been posted with titles such as the unreasonable power of the sum to protocol by Justin Tyler. But why is the sunset protocol so important? A reason why this case is because this protocol has some very useful properties. In particular, many settings, we can implement a prover in linear time. And also, the prover in multiple settings can be implemented using a small space, namely as a steering algorithm. Finally, the sunset protocol has some very strong sounds properties. And which tell us that we can make it non-interactive without the use of random models. Different body of work in succinct arguments stand from a technique introduced in 2016 that it's called splinical technique. The first work that uses this technique constructs arguments for arithmetic circuits using based on the discrete logarithm assumption. Since then, there has been improvements in the other arguments based on the discrete logarithm assumption. And this technique has been adapted to work in other settings, including the preparing group setting, the groups of unknown order setting and the lab setting. Part of the individual cryptographic settings, there have been also some works on providing unified abstractions that try to capture many settings at once. This technique has also some, apart from the theoretical interest, has also some practical interest. In particular, it has been deployed in many cryptocurrencies and has been implemented in operations source libraries. The splinical technique serves some useful properties with the sunset protocol. So in many settings, we can implement the prover in linear time and also we can have a stream prover that requires small space. So now that we have the background on succinct arguments and on these two types of work based on sunset and split and point, let me summarize our results. Our results basically say that even though we seemingly have two different techniques, one based on sunset and the other on faulting techniques, in reality, we can have a unified perspective that describes faulting techniques through a variant of the sunset protocol. We call this variant, sunset arguments. Our general goal is to provide succinct arguments for commitment openings. So let's see what these protocols are. Again, we have a prover in the verifier, but now their common input is a commitment and a commitment key CK. And the goal of the prover is to convince the verifier that they know a message M that's a valid opening of the commitment C. The succinctness goal says that the communication of this protocol should be way smaller than the size of the message M. And in order to get highly efficient and succinct arguments for commitment openings, we focus on commitments that have some very special structure. To describe this structure, we introduce a notion of a sunset-friendly commitments. In sunset-friendly commitments, the commitment scheme has the following form. A commitment of a message M with respect to a key CK can be written as a sum of valuation of a polynomial. Let me break down this definition a little bit more. So first, the sum of valuation is over a subset H of a ring R. Also, the commitment space is C. It should be an R module for the same ring R. Finally, on the right-hand side, the polynomial that we have to compute is split into two parts. The first one is called the message polynomial and is related to the message M. This is defined where an R module M and a key polynomial, which is also defined over a different R module that we call K. Finally, these two polynomials, PM and PCK, are combined through a combined function that maps elements of M times K to elements of the commitment spacing. This definition might be a bit too abstract. So I'll try to describe a specific example through the Patterson commitments. In Patterson commitments, a commitment of a message is written as the sum of multiplications between message elements and key elements. So in this particular case, AI are the elements of the message and GI are the elements of the key. Then we can show that the Patterson commitment is a sum-check-friendly commitment by setting H to be equal to minus 1, 1 and R, the ring R, to be the final field FB. Then the message space polynomial is also defined over FB and is equal to a multiliner polynomial where the coefficients are equal to the message elements. Similarly, the key polynomial is defined over a group G and is also multiliner polynomial with coefficients equal to the elements of the key. Finally, the combined function maps A comma G to A times G, which is an element of the group G. In the paper, we show some other examples of sum-check-friendly commitments. These examples include the commitments related to scalar products. In this case, the commitment has three parts. The first two parts are Patterson commitments of messages A and B. The third part is the scalar product of the two messages. Also, commitments related to linear functions. In this case, again, the commitment has three parts. One of them, the first one, is related to an evaluation point of the linear function. The second one is a commitment to the coefficients of the linear function. The third one is the evaluation of the linear function on the point A, which can be written as a scalar product. Given the definition of sum-check-friendly commitments, we can describe our main theorem. The main theorem says that if a commitment scheme is sum-check-friendly and it has some additional property that we call invertibility, then running the sum-check protocol on the polynomial B as its defined slide gives us a succinct argument of knowledge for commitment openings. Actually, we don't run exactly the sum-check protocol, but a slight variant of it where we have an extra verifier check. And this protocol has the same properties as the sum-check. Something to observe is that the original sum-check protocol is defined over finite build depth, whereas the polynomial that I define in this slide is over unarmed module. This is not an issue because we can easily extend the sum-check to work over rings and modules. Also, in terms of the communication of the protocol, we should think of, in this case, of L times degree P as something that is logarithmic to the size of the opening, the commitment opening. Many pair works on sum-check-based succinct arguments and speed and forward techniques get succinct arguments for MP by first reducing the NP-statements scalar products and then use efficient sub-routines for scalar products. We use a similar strategy by constructing a sum-check argument for scalar products over binary modules and then reducing NP-statements to this scalar product statement. For our NP-statements, we use the R1CS problem. In this problem, we are given three matrices, A and B and C, and we try to answer whether there is just a G such that A Z times B Z is equal to C Z. And as I said before, we consider statements over bilinear modules where a bilinear module is a collection of R modules equipped with a bilinear map. So this collection of modules must have enough structure to, for example, define Peterson commitment or run Snor protocols. So given a bilinear module that has an extra property of being secure, then we can have zero knowledge succinct arguments for R1CS statements where the R1CS ring is related to module ML and an ideal I. And the proven very far time are linear instance operations in the modules that are part of the bilinear module. Finally, the proof size is logarithmic in N, where N is the size of the witness Z. So let's see a few more details about bilinear modules. As we said, the bilinear module is a collection of modules. In particular, it has three modules, the left module ML, the right module RMR, and the target module MA. These modules are also equipped with a bilinear map E that maps elements of ML times MR to an element of MT. We should think in our commitment schemes, we should think of small elements of ML as the message space, elements of MR as the key space, and elements of MT as the commitment space. Finally, the binding assumption of our commitment scheme is reduced on assumption that we call bilinear relation assumption. Let's see what that means for the example of Peterson commitment. As we said before, a Peterson commitment is a scalar product between the message and the key. Then if we want to define a Peterson commitment over a bilinear module, then we can multiply messages and keys using the bilinear map E. We can add them together using the fact that elements in AI, GI belong to an R module MT. And the binding of the scheme is reducing to finding small messages A, such that A, G is equal to zero. And this is exactly what we call bilinear relation assumption. In the paper, we give different instantiations of bilinear module, including settings such as the discrete logarithm, the pairing, groups of unknown order, and ring SIS. Particular instantiation is the lattice-based instantiation, which gives us succinct arguments of knowledge for R1-CS based on a lattice assumption, in particular, the ring SIS assumption. I should also mention that there have been some concurrent work in this space that also appearing in this crypto. Specifically, there is a work that gives lattice-based succinct arguments for MP that uses split-and-fold techniques. And also there's another work that shows some impossibility results on the efficiency of this instantiation and also provides different instantiations of lattice-sittings for the ring SIS assumption. So let me conclude with some open questions. First, an interesting question that we don't answer in this work is related to the post-quantum security of some succinct arguments. And specifically how we can analyze the security when the proven verifier are quantum. Also, another interesting direction is to investigate the new lattice instantiation in this concurrent work and see whether we can have a concrete performance improvement. And finally, even though our framework encompasses most of the split-and-fold techniques, there are still some words that we cannot describe. So it's interesting to see whether we can have a generalization of our framework that also includes these works. The key takeaways of our work is that many commitment schemes can be taught as succinct-friendly. Also, we can recast many different cryptographic things as Bayesian modules. And finally, I would like to point to the paper for more information about the instantiations and the proofs. And also for constructing polynomial commitment schemes over Bayesian modules. Thank you for listening.