 Hello and welcome to my TCC2031 talk about fully succinct verifiable delegation from constant size assumptions. I am Alonso Monsales and this is joint work with Alessandro Zagarakis. A delegation scheme, what is a delegation scheme? In a delegation scheme, a computationally constrained verifier would like to delegate some heavy but still polynomial time computation which in this case will be represented by some circuit C and the statement the verifier would like to check is whether C evaluated on X outputs Y. So the verifier delegates this computation to a more powerful but still polynomial time pruder which evaluates the circuit but also produces some proof pi which is sent to the verifier. So we are just considering what message this could be interactive also but in this case it's just one message. The verifier then checks the proof if it's valid or not and of course checking the proof should take less time than just evaluating the circuit. Otherwise the verifier just evaluates the circuit. Okay so a related notion is that of an argument of knowledge for MP for example because in this case it's an argument of knowledge in P. So this is a P statement. So a snark is also a delegation scheme but the statement is more general. So there is no X and the pruder shows that it knows some X that makes the circuit output Y. I said that because in order to see what is available in the literature we also need to consider snarks. For example we can start with row 16 which is kind of optimal in some sense and very attractive in practice because the size of the proof is just a constant number of group elements and the verification time is just a constant number of pating evaluations. Okay and this is what we call in this work fully succinct. Okay so then the expressivity so you can show the validity of any MP statement but this comes at a price if you want to have succinct verification and proof size and such a large amount of expressivity you need to rely on non-falsifier assumptions. That is an assumption for which it is not you cannot efficiently check if an adversary breaks the assumption or not. So in fact there are impossibility results which says that any snark for MP so any argument for MP which is also succinct needs to be based on non-falsifiable assumptions. And indeed this is the case of row 16 which is proven sound in the generic group model or the algebraic group model. So in this work we want to move below this axis. We want to go below this plane here and use falsifiable assumptions. Okay so with falsifiable assumptions there's the work of Kalei Panjang at stock 19 which is based on the work of Panetam Roadbloom at TCC 17. They have a delegation scheme so since they based their scheme on falsifiable assumptions so here's a Q assumption. This is an assumption that grows with the size of the computation. But so in order to do so to be based on falsifiable assumptions you cannot have an argument for MP but just for P. So we have delegation scheme. But the good thing is that the size of the proof is succinct so it's shorter evaluating a real delegation scheme evaluating the proof and the proof size is linear in the size of the circuit. But the still is larger than row 16. And in this work we would like to have something like row 16 and based on even better assumptions because this assumption grows with the size of the circuit. We also put here Panetam Roadbloom because it's very related but the assumption is worse so it's based on multilinear maps and obfuscation. Okay so we want to have something here and the assumption is even better than actual assumptions so our order one assumption which is DDH, the lean. So a good candidate for something like that is what is known as a quasi-adaptive and interactive zero-knowledge proof well introduced by Jutlan Roy but the most efficient instantiations were proposed by other researchers in a long-line research of work where they construct very short proofs so comparable to the proofs of row 16 and also the verification time is also a constant time so it's a constant number of pairing evaluations and the proof size is a constant number of group 11. On the other hand assumption is very good so it's DDH or the lean so constant size assumptions but the problem is the specificity the specificity is just for very simple languages so linear languages and some restricted non-linear languages okay so what we are going to do now is to start from QNSIK and using other techniques like the one of Kalei Panjang, Panetam Roadbloom we are going to extend the expressivity of QNSIK in order to get to P okay so let's see how we construct this delegation scheme so as we said before we start from QNSIK this is going to be our brick our starting point because they have what we want they have good proof sizes just around one group element or a constant number of group elements and it's based on good assumptions so on the other hand we are going to use the techniques of Panetam Roadbloom and Kalei Panjang so what they call quasi-arguments in Kalei Panjang so the important thing is that they have what is called a non-signal extraction and they use what they show is that with these quasi-arguments and using this non-signal extraction you can get delegation for bounded with circuit but as we see before they also extend their work for managing other circuits but the problem is that the proof is not fully succinct so it's not a constant number of group elements then the assumption is not constant size so what we do is we construct new of these quasi-arguments but based on QNSIK so that they also inherit the short proof size and the good assumption so we managed to get fully succinct delegation for bounded with circuit from the link in order to extend these techniques to do any circuit we use our work at Asia Crit 19 which is delegation for bounded with circuit this is bounded with growth so if you take any circuit growth with the width and this one the size of the proof and the verification time grows with the depth so we mix the two things and we get some proof which don't grow with the grid so it doesn't grow with the width nor with the depth and it's fully succinct based just on the link so the only thing that we need to solve here in this work is that this is based on QAS assumptions and since we want to base just on constant size assumptions so we need to extend these techniques in order to be based on constant size assumptions so in this case on SxDH ok so let's start to see in more detail these ingredients so let's start with this quasi-arguments of knowledge of Kalei Panjang and we don't see any extraction so a quasi-argument of knowledge is a relaxation of an argument of knowledge because since we also want succinctness an argument of knowledge turns out to be something very hard to construct if we also want succinctness and because of the following reasons so an argument of knowledge gives the following soundness guarantees what is known as knowledge soundness so for any adversely breaking soundness there is an extractor which proceeds as follows so it generates some parameters, global parameters, public parameters and then simulates the adversely on input these parameters and the random codes until this adversely output a statement and a proof and if this proof is valid the extractor should also output a witness for the statement and here's the problem so the proof size is quite short while the witness in general is much more larger and the problem is how to extract this amount of information from this very short amount of information and the answer is that the only way to do that is by using non-falsified assumptions as being shown by Gentry language so since we want to avoid non-falsified assumptions we cannot use an argument of knowledge and we are recited to use weaker notions which is the case of a quasi-argument of knowledge which are parameterized by some parameter, the locality parameter which is some integer k much shorter than the size of the witness and we are also going to build an extractor but it's a little different it receives as input a subset of the positions in the witness and of course this subset is of size shorter than the locality parameter and the extractor which is similarly as before it simulates the adversary, the adversary outputs a statement and a proof and if the proof is valid we are not going to extract the whole witness which is pretty hard but just a small witness which is called the local witness so it's the witness basically for the position defined by s and this witness needs to be locally sound what is locally sound? well it depends on the language for example let's take the language of the language of formulas, Boolean formulas which are the arms of many clauses each of these clauses now is the or of many variables and now so a formula is in the language if there is a satisfying assignment so the witness now is a satisfying assignment for the formula it gives value to the variables but now a extractor extract of course a local witness a local assignment so it's an assignment that gives value to just a limited number of variables so what does it mean previous question on the previous slide was what does it mean for the local witness the local assignment in this case to be locally sound so we are going to define a local formula and this local formula is going to contain just the clauses for which all the variables belong to this set and now the local witness is going to be locally sound if the local formula is valid many locals okay but this was the notion of local sounds used by Calais Panjang but we are going to use another so this was the language used by Calais Panjang so we use formulas and we are going to use another kind of language so our statements are going to be commitments and our witness opening to this commitment now and the statement is going to be true if there is some opening for this commitment and this opening satisfies some linear relation so it's in the image of this matrix and the local extractor is going to open a local opening so a small part here of the commitment a local opening for the commitment and this local opening needs to satisfy the corresponding equations so if the local commitment appears here then it needs to satisfy the matrix the sub matrix of the respective rules and we also consider another language the language of Hadamard relations which is also the statements are commitments now three commitments and the statement is going to be true if there is an opening for the commitments for each of the commitments and these openings satisfy this Hadamard relation also this is the entry-wise multiplication so it's saying that the first entry is equal to the multiplication of the two and now the local extractor is going to extract a small part of the witness and these small parts of the witness here, here and here need to satisfy the corresponding relations okay so as we say before this quasi-argument also have what was called what is a known signaling extraction and it's defined as follows we consider two experiments one on the left and the other on the right and we're going to take two different sets now a larger set shorter than the locality parameter and a subset of this set in the first experiment we're going to run the extractor the local extractor which is going to output some local witness with respect to the set S but since S' is containing S so all the positions in S' are in S we're going to restrict the extracted witness to the smaller set and in the other experiment we are going to extract a shorter witness and the condition needs requires that the two distributions are computationally indistinguishable okay so let's see now how to use nodes in an extraction so quasi-arguments for building delegation for bounded depths was shown by Panett-Rodlum and Kalaipajang so we are going to take a circuit of the D and with S and we are going to divide the circuit in all the levels so depending on the distance from the inputs okay so we are going to have D levels where D is the multiplicative depth of the circuit and each of the levels is going to look as follows the inputs of the level are going to be the outputs of the previous level then all these wires are going to pass through a linear transformation and if you think of a Boolean circuit this linear transformation is some wires this wire goes here and also goes here this other wire goes here and in general for an arithmetic circuit you can also take linear combination of the wires so you can have two wires multiply by some constant and so on okay but at the output we are going to have a set of left wires and a set of right wires and these left and right wires are going to be the inputs two multiplication gates and now the output of the level is going to be the Hadamard product so the entrywise product of the left wires and the right wires so basically what we have here is kind of the language that we saw before here we have the linear transformation and here we have the Hadamard relation okay so how to build a delegation scheme for bonding with the circuit so now we are going to commit to all the left wires but we are going to start from the left most first we are going to take the left most here so we are going to pass through this wire but not this one and then the other wires the one that goes to the right now we start here and then we go through here and so on until we get S commitment S shrinking commitments so this is in the end grows with the width so that's why it's for so this is part of the proof and then the proof grows with the width of the circuit and it's just for bonded them and then we do the same for the right wires and the output wires and importantly we have many Q arguments for the linear Hadamard relation so one for the left most and another for the other ones and so on so we have also S for the linear Hadamard relation now how to see that this is sound that indeed why needs to be the right evaluation of the circuit and input X so let's start we are going to use the local extraction to extract the commitments at many levels so we can extract here and this level here so we are going to start but extracting the first level so we extract A11 A21 and so on so and by local soundness it needs to hold that the left and right wires are the right linear transformation of the input also they are consistent in some sense with the input, they are the right the honest evaluation of the input and the same for C1 because C1 is the Hadamard product of these two and then is the honest evaluation of the circuit and input X now we are going to change the extraction set now we have a smaller set so this set is contained here and then if it is consistent with X then also this needs to be consistent with X why because being consistent so being the right evaluation is something that is efficiently, you can check it efficiently because well it's just evaluating as you can then some these two need to be computational and distinguishable this also needs to be the honest evaluation because otherwise you can distinguish the two experiment and break no signalling so we can change again the extraction set go a little below so we are taking just the output of the first level and the input but the left and right wires of the next level and for the same reason C1 needs to also be consistent with the input and now by local soundness we know that A2 and B2 are the right linear transformation of the output of the previous level and we can continue until we get till the end and so our invariant is whatever we extract is consistent with the input and in particular the output needs to be consistent with the input and then this is sound very nice so quasi-argument of knowledge this is what we need for building delegation ok but as we saw say before so Kalaipa and Yang already build quasi-arguments but the argument were not fully succinct and were not based on constants assumptions so we are going to base this quasi-argument on QNUC so what is a QNUC so for now we are just going to see QNUC for linear spaces ok so in a QNUC argument we have a vector of group elements so we have a bi-linear group so groups provided with a padding and we want to show that this vector belongs to the image of some matrix you know so the similar the same language is what what is what is proven with a hash proof system you know this tool introduced by Kramel and Schupp for showing CCA2 security and many other applications and the good thing is that the proofs are very short so are very short and they are based on very good assumptions so not even an assumption statistically some but the problem is that they are designated verifiers so there is a secret key for shaking if a proof is false or not so it's valid or not so and so the proofs are very short there is a secret key here and in order to enable the prover to compute the proofs we publish some public key which is the key times the matrix which is also called the projective key and now the prover can compute proofs for a statement in the language and if the statement is not in the language so you take a vector in outside the image of M it turns out that this public key only reveals key through M and the rest of the key is statistically hidden and you cannot with very high probability you cannot produce proofs for vectors which are outside the image of M very good very good assumption nice proof size so what we want but the problem is the designated verifier thing so what was done with QNUsick is to take this hash proof system and provide public verifiability by adding padding so this doesn't require any padding and QNUsick require padding but have public verifiability and they achieve that by also providing some you can think of this as a commitment key and this value which is some commitment to the secret key and now the idea is that you can publish the secret key but still the prover or the adversary don't know the secret key and using the painting you can check basically the same equation it's just multiplied by A here but it's the same equation as before so here the verification equation with the secret keys K times X and here is similar but we have K here ok so the proof size is still good it's just a constant number of group elements the verification equation where the evaluation a constant number of paintings and now the assumption under which you prove soundness is not so it's not you don't have a statistical soundness but just computational soundness because now you need to base soundness on an assumption but it's still a very good assumption which is even weaker than the dh well depends on the dh, the lean or any of the assumptions so a constant assumption so this is a good building block ok so now we are going to extend these QNSEC arguments to have quasi arguments no so that we can build delegation scheme so we need to define what is a quasi argument of membership in a linear space so as we say so we already defined this language before so our statements are going to be commitments and the statement is going to be true if there is there exists an opening for this commitment and this opening lies on the image of this matrix and what we want is to have this local extractor now that extract a local opening for the commitment and we want this a local opening to be sound so that means it belongs to the sub matrix of the corresponding rows of M but before we are going to start with something more simpler which will just output a local opening regardless of sounds or not so this is some kind of commitment so we have some commitment here which have a local extractor and indeed this is very similar to what is known as a somewhere statistically binding commitment and but we also will need to add this note in any extraction so we start with with the commitment we introduce at Asia Keep 15 with Alejandro Evencarla Raffles which were like one so somewhere statistically binding for one coordinate in this mean that given the commitment there is some that is completely defined also there is only one opening at that coordinate and they achieve that by defining the commitment key as a matrix of just so that the output so the commitments are two group elements and they have as many rows as as the the elements of the vectors you want to commit this is some kind of generalization of Pedersen commitments but the good thing is that you can also simply in a computational distinguishable fashion the commitment key such that one of the rows is linearly dependent from the others and that means that the corresponding position is uniquely defined by C ok so starting from this one SSB showed that they are also have no because there is a way of exacting from C computing the corresponding opening which is from G you can construct a matrix T such that T times G is equal to 0 0 0 so on one in the in the linear independent column and 0 0 0 0 and then this implies that T times the commitment is equal to X of I ok so SSB commitments are extractable and the extractor can be shown to be that is also is very easy to show that is no signaling and by just stacking many of them so K of them you can build K no signaling SSB commitment with locality parameter K which is what we need ok we also show something stronger so go directly from K SSB which are shorter than than so basically so in the end we show this stronger relation that K SSB are also no signaling the proof is more complex but the resulting commitment is shorter ok now we have the first part that we wanted and now we need to show that the the extracted commitment belongs to the image of the corresponding matrix no so in order to do so we are going to have a proof and the proof will be that C belongs to the image of G times M ok because C have that form also the the committed value needs to be in the image of M and then C is in the image of the if it's on the image of G times M but now what we want is so that Versa is going to provide some proof that shows that C is in the image but we want to show that the local opening belongs to the image of the matrix no and we we are going to see that this is possible by using the the linear properties of the QNUC proof so what we want to show is we want to produce a proof for XS and so we are given the public the projective projective key the public key for showing membership in the image of which is some some secret key K KDAR in this case and we want to produce a statement for this proof for this statement KDAR times the matrix times the witness ok so we are going to define another key so we are going to run our adversary for the quasi argument so we are going to define the CRS so we are going to define another key which is related to this key which we don't know so we are going to implicitly define this key as the secret key this is the trapdoor for the for the SSB commitment and some random key ok and now pi which is output by the adversary is going to be the correct so it's going to be K times C and it turns out that this is almost what we want but plus this value and since we sampled this value we can recover the original so the proof for XS this is here is XS so we can obtain XS using the trapdoor and we have also a proof for XS and it means that XS need to belong to the to the language ok so then what we can also do is extend this QNC to some simple quadratic language and have what we want with a quasi argument of membership in nearest space well also for simple for the Hadamard relation which you can see in the full paper we can just build delegation for bounded depth circuit so we also need to build we also need to build delegation for bounded depth circuit which is our work at HACRIP 19 we can also look that up with compression also what we did before is depth compression now we take our final proof doesn't depend on the width but it doesn't depend on the depth and now we are going to do the other thing also with compression so we are going to build delegation for bounded depth circuit which are these objects like this very short circuit so in this case it's just one level so we are going to use the technique of our techniques HACRIP 19 where we show the statement of the following form so we take the inputs and the output of this short circuit and we commit to this input with short commitments and the statement we show about the opening is the following so if you know an opening of the input commitment then you should also know an opening for the output commitment and this opening need to satisfy some relation in this case is the function of this short circuit applies to the input so if we take for example linear relations and rewrite the commitments as matrix multiplication for example with Pedersen commitment is the case we know that our input commitment we know an opening for this commitment and then the output commitment needs to open to the right linear information of the input this implies that C and D belongs to the image of this matrix but it's not hard to see that the other way around is not true so it's not necessarily true and in our work at HACRIP 19 we introduce what is called an argument of knowledge transfer which is basically that's who here you have knowledge for C and then is transferred to D and we show that using a Q and E seek argument of membership in this matrix but also a computational assumption over M which is in fact a a mean assumption so it's just the BDAH or 68 you can show that you have this argument of knowledge transfer and then you can build delegation for bounded depth circuits because now you need to compute all the commitments to the input and the output of each level and show this argument of knowledge transfer but in this case we need to add this no signalling property to this argument of knowledge transfer and we achieve that by computing commitments to commitments so computing some no signalling commitment and to many of this argument of knowledge transfer that we have the input commitment and then the input commitment for the next level and so on so the idea now is that our extractor extract a local opening for this commitment and the hypothesis is that we know an opening for this local commitment and then the output commitment needs to open to the right transformation of the input but the thing now is that we can extract the no signalling commitment at many levels and for each level you need to have this statement is true and now finally let's see how to do with undead compression and then we have fully succinct proof for any circuit we start with our circuit and we commit to the left, right output wires for each level for this level we compute to all the left wires with this commitment for the first level and the same for the right wires here and the same for the output wires here and the same for every level so here we have here we have the commitments now we apply dead compression so we compute this no signalling commitment and we take all these commitments and are shrink into just one short commitment the same for the right wires here and the same for the output wires and we have a no signalling argument of knowledge transfer and well it is going to have the following guarantee so we can open now this commitment at many levels this is constant size the arguments are just in the end the Q and U seek proof this is just a constant number of group elements and we can locally open this commitment for example to the first level and by local soundness we know that so we can extract these three guys and by local soundness we know that these guys are the right linear transformation of the input and this guy is the Hadamard product of the opening of these guys and so on we can change now not extract these two guys but these two guys and this guy and these guys are going to be the right linear transformation of the output of the opening of this guy and so on until we show that the output is consistent with the input and then is the right evaluation of the input and voila so let's summarize what we did so we constructed fully 16th so a constant number of group elements an argument of knowledge for P in particular for arithmetic circuit over some large field so the field that we use is so we use set Q and Q is the size of the group not of the somebody in a group then importantly we can prove soundness from static assumption so from the decision linear assumption we haven't talked about this because this is related to the Hadamard argument if we want to base the Hadamard argument with base the Hadamard argument on static assumptions we need a large CRS which grows quadratically with the size of the circuit we get that compression by building NICS arguments for simple languages and importantly they are based on static assumption and they have very short proofs they are based on QNUC arguments for linear and quadratic languages and also we use the technique of our techniques at HRQ 19 for width compression which were based on Q assumptions and we base them on static assumptions but again the cost is a larger reference string this is for the Hadamard relations but this also happens here so we also here for Hadamard relations have a large reference string but an open question that we live open for the future is that so we can stay with the original proof here the original construction here which is based on Q assumption but has a short CRS so now the question is that can we do the same for this one so this is based on a constant size assumption so can we base this on a Q assumption and get a shorter CRS and in the end the idea is to have a snark4p with linear CRS but based on Q assumptions and we leave that as an open question and the last thing we did is to combine these two things in a meaningful way to get to get width and depth compression at the same time and to get fully 16 delegations from standard assumptions so thank you very much for your time and this is the end of this talk