CESC2020: An Overview of Recursive SNARKs

Hi everyone, my name is Allison. I am a faculty member in computer science at UC Berkeley. I am also a co-founder of sarkar and the bleach in the stock I would like to give you an introduction to request it starts. I will provide a warning that the stock is going to be Technical and it had to go to stop. This talk, is that in the last couple of years, there has been increasing your interest in the Arts, in the applied and open source Community assaulted at 2. We just talked

to talk about about some of the science that underlies this marks Let's get started. First, let's start with the obligatory and slides on starts. So Alberta program under a fire, a circuit C, and an instant sex linked and the Pooh Bear wants to prove to the great fire. That they know our weakness tablet that makes the circuit The key proper term is snart is that the proof for convincing. The great fire is 30 smoke specifically is smaller than the size of the circuit? That

means the grease in. It any more precisely these security prompt and Schmick in the size of the circuit? Awesome. And if you know that it's not possible unless they're suitable public. The fact that Starbucks have different types of setup. I will not really discuss these things in this talk, we just be aware. Okay, so this is something we have some common language in location. That is a snack. I would like to know motivate the notion of recursion with a specter snacks. So that's just an example and suppose that you want to prove

the threat of execution or something. So that means that you have some integer team and you want to prove that issue, let's say apply a sitter to bleed to the input 0 so a so that's what that's what is 2 * you got some ziti one way to prove. That is something that we could call the Mona Lisa caption. You have to prove all the executions. Who advertises some Dropbox actually been feasible, the memory consumption of Krueger algorithms, in many start instructions to gross Ding-A-Ling suffered, sufficiently large teeth are just won't exist machine. That will be able to do this even though maybe

you're willing to wait long enough. Also maybe this it's rated application of the function is just an ongoing computation and there's no specific day that you have any money. This motivates the so-called option, is that what you want to do? Is you going to prove one execution of that, and also the correctness of the party and picture. It would look something like this. You use the snark to argue that one application rs.20 leads to send me to meet at outputs AC one

and it's a concept. You apply to start again to prove that you can go from D1 to D2 to him but also you proved it to verify the Pirates nog. So now this second proof actually attached to the correctness of little ding, a photograph of 0 And took this fashion as long as you want. And the point here is that Story, circus option. You're able to overcome both of the above Dropbox in that. There's no large memory consumption or just a territory, applying the snark to her and some smaller computation of F and you can keep doing this as long as you want without

knowing, Tina advance. So hopefully these pictures points, the difference between music and recursive auction and what I would like to address now is, is this auction secure, is it efficient? Cleveland start asking these questions. We need to discuss. What is the goal of recursion? What do we obtain when we were first things? And one way to do that, is through a cryptographic primitive is known as incrementally verifiable computation. In more detail on IBC

scheme for a predicate Omega. And so, where does it come from? We're talking about a function is to be the predicate Valley transition to the predicate says, you can transition from output zinus want to see, I possibly facilitated through some weakness, is the function given the previous and some weakness output Z. I try to get that models. Water bottle transitions for examples, conditions, according to Acts, Okay, 96 Kim is also to book like a snoring consisting of a Hoover and

verifier. so now let's try to go through them there, some property in a valley transition so you have Vicki and Nicki Minaj Swan to make the project Omega hearty possibly through some witness, the Beauty and the predicate says with the tire out good, then you can produce a new proof for the new output. Using the obvious approver in such in a way that would produce an output that the Odyssey verify will accept my sisters, but if you want to prove true things you can make progress in the store. Efficiency says that you're not allowed to. Just remember, all the prayer room put on

the proofs, and just satisfy this hope. Try to listen to something. In particular, you want to restrict the cost of each product mixed at the size of each fruit finished at to be independent of the example, you could make it to depend on the size of the Dogs Out Tegan approaches. And that's when police not missed. You want this to be secure and intuitively. This means that if you have some Leisure store that sells Hahira have some cleans out with the team and that I disapprove or says yeah, I just proved, he was good, then it is

because the probador knows Witnesses, WW2, Insurance, before that leads, to Tri-Valley transition from the beginning. So you can go from D1 to D2. Through some weakness, validly examples of functional mt300 valid through line computation that leads to ziti in two steps. So he's a high-level are in the truck and what is Taylor's to model the 7 incremental? Looks like a cryptographic Primitives that we can see her in a generalization of the computers. Predicate, that have multiple inputs. So,

Multiple inputs. So in this case, the predicate would receive not just one prior output equation that involves over a line graph, our computer at their competitions, that evolved over directions to the ground. It's going to be able to tell you, I think we have Primitives that captured, the desired functionality and security. How do you steam engines in the wrong to have applications? That's why I'm standing on one was already known as two years ago. Was that actually, you

should she have some form of recursion? Let me see. You can I shoot a Navy Sea for long chains of descendants are in turning flies? And you can also think nards for my previous computation. We're proving is it sensible for used to be stationed and perhaps closer to blockchains? You can use. I received to construct a functions and also for 16 blockchains, which have applications to ultralight planes. I will not stand for their time in applications. Are here are some references that I used to look up the

prices to say that are you staying busy. Very powerful Primitives. And And one singles to the find, a different thing is to construct them. So how can you achieve a b c and b, c d from So this leads me to the main part of the talk, which is the one that summarize, the foundations of what we know about how to construct a u c e d. I want to start by, assuming in into the core of the construction of a b c, which is where use the snark Kruger to prove. That it's not very far has accepted and also to be satisfied.

The core of the construction is to Define computation, we're going to call it a r r stands for recursive function as an improved satisfied, is not very fire. It would look something like this, you have a instances Vicki. And some of these are a witness out stick and these computation will check. That is the reason why the transition from ZTE Max. Want to see the prior output is accompanied by a valid proof that this competition is recursive because The invites we here. We have the codes of the computation appearing inside the competition itself.

Why? Because that would be making proves about. This looks circular and I will go right now and how are you? If you can make it with the approver and fire and if you want to stay in that, I disapprove her from the obvious, it's not from the start to her, it would look something like this. The approver was first assembled, an army from the Project's America in the very far from Starke. And the ICC verifier will. Similarly construct. The computation are from omega-3 fire to verify be and in some

YouTube this is roughly how constructing a receipt looks like. This is just putting together if the snark is a so-called adaptive argument of knowledge is a snark. That's what the k in the snack. Stand for argument to secure according to this nation has sketched in the primary slide. Rover East Bismark has so-called 63 fication. This means that checking a proof for circuit requires much less time than the men that I can see. Scheme is efficient in the sense that we defined area and your intuition for why you need to listen to reputation

in the construction that we saw. On the driver side is that is that is the case, then recursive circuits are doesn't grow with age that which you don't want. Do you want to be able to have a sustainable and a number of times? So this was more generally for pissing schemes, which I didn't discuss. We know it has been proven that recursion. You'll be saying I've seen Pacific The construction has actually useful additional features for example, preserves their knowledge in that is your knowledge. So is the ice BC

or PG? Also has maintained that type of setup. So, sure it's not cuz he do then. Okay. Know the hypothesis for security that is not an argument of knowledge construction that we have to work hard. But basically almost any actual construction that we have proves to be A convenient is the second restriction to want to meet require that. The snort a six-inch verification verification, which is last year was observed to, that reason, you don't really need it to require the sniper fication to be succinct

intuitively for creation. It should be enough to commit to the update estate that remembers the conjunction of ability of past proves. You don't want to remember the end of whether they're all satisfied and then you can verify this conjunction outside, the recursive circuit. In a recent paper, this has led to the notion of snags with the communication, which allows us to expand the reach, recursion, to new constructions of stomachs because this is a black shirt template to explain what is a accumulation for snow.

Triple DVD. That is a proven very far in the cider is an accumulation scheme for snark. If several properties. Hold The first of these is not a t, we want to make progress. So when I see it in this case, this is the old Community groups. And if the accumulation decider determines that, the conjunction is one. And also the new Star Wars, the new Star Trek into a human. In such a way that the new Terminator looks like it was indeed produced from the previous night and older community Theatre and

agrees that the new conjunction. If I used to one another words, In a way. That's at the end you can check whether is there anyway. Whatever was a conjunction with other work boots. efficiency here says that you're not allowed to cheat, like the sizes of things just been say, possibly And security says that information has proven. He is able to send help for Juice Newton later is valid, and this nuke simulator is properly produced from an older to me later, then you can insure because then you can later resulted the old snark. I mean, it's not that was folded into

it, and into the past security. So I need to be there in 3 ish, is that we're not very fine snarks. We're going to remember the end of all this knowledge we've encountered so far. Armed with a stool. We can now modify our Paradigm rather than proving that it's not great. Fire has accepted. We're going to prove that the explanation very fire has accumulated so or not. You go Liz, you're going to stain are you see from a snark with a humiliation which is

I'm more relaxed requirements than start with Sim certification. And the court of constructions Define, recursive computation colors are again. The checks that a new outfit like before, but now and here is the suta code for not. You see here, we have added and it to me later in the instance, for the circuit, which we remembered, if I need to call proofs, And the only difference is that in some checking is not very far from the old one. And given this recursive computation, and I received a call immediately, will assemble

the Omega and the commission noted before passing along, Manchester proof, but also launches new process and that we start. The proof is valid. So do you think technically it would happen. And in the same paper introduced the commission schemes, it was proved that if the snort began is an Adaptive argument to knowledge and the conditions team is sound, and securing the way that the first light. Then Debbie scheme scheme, isn't it secure? Efficiency standpoint. We only need

the smart to imagination. And crucially, we do not need the snot very Fire or the commission, decided her to be sick. Synced, the only thing we need is that the commission very fire, which indeed appear is precipitation. And we learn that's not with a communication does lead to a b, c, a b, c d. This type of recursion also preserves nice properties Lexi, or knowledge and set up like the private one. So we discussed two types of recursion. I want to dedicate just once lied about first Quantum security because you don't for the long-term security of eventually,

we're going to need to know just post Quantum snacks but I supposed to know which means Open. It is clear that if the stock itself is not respond to secure, then we have little hope. Not going to be the case that anything would be a question of, what if we start from the start that he's supposed to be secure example, out there, possibly secure. The main challenge to show that to ask the recursion, you obtain a steam that he's supposed to come over, maybe for realistic

realistic, adversaries are problematic for recursion. It's a start with the malicious rumor that I'll put some cleaned out to the tea and two fighting scene extractor that produces a weakness for their coast of computation statement obtained. A tiger outfit in a Fireproof. I'm just extractor. We are able to produce a prior sorcery, that produces the prior approved through security, because the chain that Lexus IS I don't have a problem. How do we know that the prior out was produced with extractor

and a swan or the same? We need them to be the same. Otherwise we got disconnected chain leading up to the team. Need to connect to check. In a classical case is easily fixed. We just fix the same. Random is the same brand new string for the structure routine and approver PT - 1. What's a question security? There is no way to carpal the random choices of Ethiopian respond because it can generate their own Randomness by example. Measuring, a qubit is so convincing me to to

fix a prostitute. Please. You recently in the solution that was used to study. This was too reliant on technology. And this was shown to suffice for recursion Trump's interpretation the first type of replacing the salt and the corrosion from accumulation, the second type of the Caribbean theme song. So that we have a place Clinton foundation for recursion book cases, so, Summary for the foundation. Part of this talk. We know from the ocean. In fact not just stop being a smart aleck Malaysian also includes

constructions like Halo which relation which is great because it's a person. All I really wanted to say about Temptation because I want to talk to you about practice because we want to try to leverage this understanding of corrosion and turn and turned it into something that can be used practice. interesting, when you have somebody working because you first thing you can do, First of all, it's not proving it expensive, any song. Remind me personally. But in the course of your training is only more expensive and expense that are very good reasons for why. Proving recursively,

sings is more expensive. You have you seen visiting for the two types of recursion that we saw in the foundation's part of the stock? What problem is that? You going to have to prove the IBC, predicate, Omega. I start to this request computation. However, and then we'll explain this function of the way straight forward approach is to resolve the circularity, right? So we have are here are here forward approaches to the economy, in which you will have to hear us. We seem like today was

their expense. What is universal to mission? Mean? It means that for every logical gates. Are you going to have some set of gates to kind of figure out what is the Gateway public parking cost? Running practical. What happens is that unit is not my fire or decommission very fire within their personal communication. And for reasons of mention, short week straight forward approach is to express this type of mutation in the only reason you wish and around maker, Carson, expenses, and any practical solution going to

have to do some way to address these. lots of Cheers in developed as ways to cope with these How do I cope with a cost of proving the Privacy trying to get to Mega? What approach to do that is through the feature of processing training offline says, he's able to take her the design competition in this case, recursive circuit are and produce for me to sound preachy, for are in a short verification key for this would be used, but it's not very fire to check proofs about that. We just met this dude letters do is that now we're actually able to define a

recursive circuit. By passing in the street, which equation do you pronounce generic including it, where we will eventually want the recognition key for our to be. So it's like some additional inputs and because it's short the surface can actually receive it as input. And later we will Second Edition key to be the short-term vacation key for are actually could be possible to pass to our a cryptographic short summary of itself. To use inside it. I will not be asking to the technical details, but true that

any proposed thing. Start the cost of proving a recursive step for the reasons. I just described is essentially the same as the cost of proving may God stand alone. Remind me to conceptualize that is as follows that I want to compare. Cost of disapproval to prove a recursive stack of a mega versus the cost of the snap program to stand down to write to a construct of your Christmas. Not cuz I shouldn't expect to be faster than just stand alone. Compare our rehearsal cost against the

baseline, or just proving Omega standalone. I'm a construction of the ICC cougar. This is essentially the cost of a snack to wear under curse of computation are depending on us to make it was large. The beach at the gate will cost you no more than standard improving your extra gate of an egg. So it's great like this, it's just that there is no Universal simulation. There's no was typically cost on the size of Niger. And this makes a huge difference. So this is the

major technique to Coppola cost to program. Mega What about how do you cope with a costs? Proving it is not very fire or condition. Very fine. Three problems, expressing verification in. It's not a language disorder, has a large size. There are stories of the size of this stock, very fine with me is going to be huge. And the reason for, why isn't the case reason for why is Knox field from discrete or stocks like 16 or Marlene order or Blanc? We have somebody take care of and underneath

and there is this problem that is size of the group cannot equal the size of the Wisconsin number. Siri and this causes some basically means that the computation of the rotational Define the refuse but it's different from the steagles of the starch language, this causes the so-called curse which if you are not extremely expensive houses, One of the major approaches to cope with this is to use a so-called Cycles. Elliptic curves are made too much and their own parameters Ashley

snarks. The main problem is that there may Hashem. And give me an approach to address this. To use a drake ashes. Smaller circuits by dealership using a fact that they're Define the word large Fields device to two ways to cope with the costume. Proving differentiation efficient design. And now these things together how's life to constructions of recursive? Starks Morristown birth are acceptable Extinction. You don't care about the courage in you going to use an elliptic curve such as well as 12. And this guy is the size of a tire.

I refused if you use instead cycle, for example, I'm in the Forum at 6. I've heard these besides the refinery has to be something in rather modest and something we can deal with what's 1000 + 600. Using is answering at the gate. Has repercussions that are little bit unpleasant, example, the freaking strength fruiting time. Music box of 10. In the argument size was not perfect and you we win the match more in reducing the size of a very fire, but switching the curve, then we lose in this blow ups in Brooklyn.

Nikki's of high-speed Starks. If one were to use a hash function that is so traditional. Refused some of the more recent and modern designs, algebraic hash functions, like them for a cruise system like when he's able to obtain a very fired. I can hear this has repercussions, that makes proving about 10 times slower. But again, the same situation, trade-offs, and you're happy that you have a very fired. There's no enormous In the case of creation, from more recent, exciting

ongoing engineering work. So, this concludes the part of the chocolate is about practice. So I would like to summarize what? I so need to know what it means and that's why it is important to note that this goal is captured using cryptographic Primitives such as incremental verify with several approaches to achieve, these specifically, from 16 through fication and from accumulation. Processing, curve Cycles in algebraic ashes are important tools to improve efficiency, especially if you want to come strapped in practice and build

systems. This was a technical talk. Experiment for me. That you haven't even this type of material because it starts so,