EUROCRYPT ###### tags: `Reading sessions` [toc] --- # 2024 <https://eurocrypt.iacr.org/2024/acceptedpapers.php> ## [Unlocking the lookup singularity with Lasso](https://eprint.iacr.org/2023/1216) * By Srinath Setty, Justin Thaler, and Riad Wahby - In the domain of ZKPs, to prove the correct execution of computer programs, one usually first expresses the execution of the program in a specific form, like arithmetic circuits or related generalizations. The size of the circuit is vital since it determines the complexity of the underlying SNARKs. In practice, some operations in the program need a circuit with large size, like bitwise operations, and range check, etc. For these operations, a better approach to prove is using lookup arguments. - Informally, lookup arguments allow an untrusted prover to commit to a vector a and prove that all entries of a reside in some predetermined table. - This paper introduces Lasso, a new family of lookup arguments, which can be instantiated with any multilinear polynomial commitment schemes. It provides the following efficiency properties: 1. For $m$ lookups into a table of size $n$, Lasso’s prover commits to just $m+n$ field elements. The committed field elements are small (in {0,...,m\), no matter how big the field is. 2. Unlike all prior lookup arguments, if the table is structured, then no party needs to commit to the whole table, which enables the use of much larger tables than prior works. Lasso’s prover only “pays” in runtime for table entries that are accessed by the lookup operations. - The lookup singularity seeks to transform arbitrary computer program into “circuits” that only perform lookup. Lasso achieves this singularity due to its efficiency. ###### tags: `lookup arguments` `lookup singularity` `SNARKs` --- ## [Bulletproofs++: Next Generation Confidential Transactions via Reciprocal Set Membership Arguments](https://eprint.iacr.org/2022/510) * By Liam Eagen, Sanket Kanjalkar, Tim Ruffing, Jonas Nick - Cryptocurrencies like Bitcoin enable decentralized, peer-to-peer payments by maintaining a distributed public ledger called the blockchain. While this innovation has permitted financial autonomy on the Internet, the fact that every transaction leaves a permanent record in the blockchain poses a substantial threat to the financial privacy of users. For example, the monetary amounts in a transaction are stored as plain integers, which makes it easy for blockchain nodes to verify that a transaction is balanced. However, it will leak the information about the monetary amount. - To protect the privacy, Confidential Transactions are introduced, which hide the monetary amounts in homomorphic commitments such as Pedersen commitments. The additive homomorphism ensures that blockchain nodes can verify the amounts in a confidential transaction without learning the plain amounts. However, this approach is only sound if the amounts do not overflow during the homomorphic addition. To exclude overflow, transactions are required to carry a range proof that demonstrates that committed amounts are in a public range. - Motivated by this application, Bulletproofs was the first to achieve range proofs with an asymptotic size logarithmic in the number of bits in the range as well as concrete sizes less than 1 kB. However, Bulletproofs still account for 29% to 42% of the size of a typical transaction. These concrete storage cost and the concrete verification cost are still prohibitive. Moreover, the initial CT proposal has been extended to multi-asset confidential transactions (MACT), i.e., a single transaction can transfer multiple assets simultaneously, and no observer can learn the transacted amounts or the involved assets. But Bulletproofs cannot be used in this scenario directly and efficiently. - Contributions - This paper introduced Bulletproofs++, a zero-knowledge argument of knowledge for arithmetic circuits in the discrete logarithm setting. At the core of BP++ is the reciprocal argument that generalizes permutation arguments and set membership arguments. It can be used to construct range proofs and MACT simply by designing an arithmetic circuit that encodes the relation. - Compared with Bulletproofs, for a 64-bit range, the proof size of Bulletproofs++ is 38% smaller, the proving time is about 5 times faster, and the verification time is about 3 times faster. Also, it inherits all the advantages of BP, like transparent setup, aggregate proving, Multi-party aggregate proving, Batch verification, Conservative cryptographic assumptions. - drop-in replacement for BP. ###### tags: `confidential transactions` `range proofs` `reciprocal arguments` --- # 2022 [Link to accepted papers or the program]((</accepted>)https://link) ## [paper 1](https://link) * By authors * [AA] Short review by AA * [BB] Short rview by BB ###### tags: `` `` ## [paper 2](https://link) * By authors * [AA] Short review by AA * [BB] Short rview by BB ###### tags: `` `` --- # 2021 [Link to accepted papers or the program]((</accepted>)https://link) ## [paper 1](https://link) * By authors * [AA] Short review by AA * [BB] Short rview by BB ###### tags: `` `` ## [paper 2](https://link) * By authors * [AA] Short review by AA * [BB] Short rview by BB ###### tags: `` ``