**Home Edition** # Breakout Session notes #2: Formats and Interoperability Zoom link: https://zkproof.org/workshop3-zoom2 password: 22 Moderators: Eran Tromer and Aurel Nicolas Note Taker: Eran Tromer --- ## NOTES * Interoperability of what? Interop vs. standards? * Plug-and-play proof systems * Standardize cures, generators, hash-to-curve? (Also raised in Plumo session) * Gadgets - Calling convetion - Specific primitives * High-level primitives (proof systems, commit-and-prove tc.) * Security properties and levels - Which security definition (standalone, non-malleability, sim-soundness, UC...) - Metrics (cycles, invokations, ...) - Model (Fiat-Shamir instantiation, AGM, GGM) - FiatShamir is a factor of 2 loss in security for "common" protocols (using round-by-round soundness in one the 3 recent ZK from LWE papers, applies to BulletProofs, STARKs etc.). Picnic2 (KKW) really did double secrity paramter for FS. - AGM, GGM: specify the level _within_ the model, and the best known attack in the _standard_ model.