### Introducing the first Home Edition of the ZKProof Workshop

Amid health concerns surrounding the coronavirus (COVID-19), and after much internal discussion, the ZKProof Steering Committee has decided to forgo a physical gathering in London and to hold this year’s 3rd ZKProof Workshop as an online conference. Register on Eventbrite now.

The goals of the ZKProof initiative are to promote the standardization of zero-knowledge proof cryptography and to increase the engagement of companies and researchers worldwide. We are aware that a virtual event limits the personal interaction that is desirable for strengthening any community, especially in the cryptography community, which benefits greatly from these interactions.

With that in mind, we have created an immersive online workshop experience that encompasses these goals as much as possible, focusing on productive interactions and high-quality discussions. Moreover, we believe this format change will make the workshop extremely accessible and will allow even more community members to take an active role in the standardization initiative.

### Restructuring the Agenda – The ZKProof Month

Given that 12 papers were accepted to the workshop (3 SoK and 9 community proposals), we decided to restructure the whole event in order to create an optimal environment for each discussion. As such, instead of 3 days of full-time talks, which is not realistic given the circumstances, the workshop will span a month of shorter segments. For five weeks, every Monday and Thursday we will host a 3-hour talk and a discussion. See the full schedule below.

We encourage everyone to join us in every session, mainly because we value community participation, but also because the discussions will be continued from one session to another. Furthermore, we are hosting a networking session every day where you will be able to meet your peers, have tea with a friend, and more.

The full schedule can be found below, and here is the call for papers. We thank our sponsors for their support.

#### Important Information

Dates: April 20 – May 21, every Monday and Thursday at 3pm UTC.
New Registration: Register on Eventbrite. There is a reduced fee of £30 (GBP). The first 150 registrations will receive a surprise kit to their doorstep.
Location: Zoom conference room – participants will receive a link for the event.
Schedule: Please find the full schedule below. We have added a Google Calendar so you can easily track any changes.

#### Info for Registered Participants

To make this workshop a success we encourage everyone to participate in discussions both online and offline, and as such we have set up three different types of tools:

• Zoom for talks and live discussions
• The community forum and our Telegram group for offline discussions and chats
• Collaborative tools for simultaneous work: (1) hackmd for writing and note-taking; (2) Miro for visuals and diagrams

The accepted papers will be published and we encourage all participants to review them before the discussions in order to have more productive sessions.

### Registration and Submissions

Register now for the first Home Edition of the ZKProof Workshop.

The reviewing committee accepted a total of 12 submissions; the papers will be available online.

To apply for our limited number of scholarships, email us at [email protected]

## Keynote Speakers

### Accepted Community Proposals

AirAssembly: a Low-Level Language for Encoding AIR of Computations – Bobbin Threadbare

Semaphore: Zero-Knowledge Signaling on Ethereum – Kobi Gurkan, Koh Wei Jie, Barry Whitehat

Plumo: Towards Scalable, Interoperable Blockchains Using Ultra Light Validation Systems – Ariel Gabizon, Kobi Gurkan, Philipp Jovanovic, Asa Oines, Marek Olszewski, Michael Straka, Eran Tromer, and Psi Vesely

Commit-and-Prove Zero-Knowledge Proof Systems – Daniel Benarroch, Matteo Campanelli and Dario Fiore

zkInterface, a Tool for Zero-Knowledge Interoperability – Daniel Benarroch, Aurelien Nicolas, Ron Kahat, Kobi Gurkan and Eran Tromer

A Benchmarking Framework for (Zero-Knowledge) Proof Systems – Daniel Benarroch, Aurelien Nicolas, Justin Thaler and Eran Tromer

Distributed Auditing Proofs of Liabilities – Konstantinos Chalkias, Kevin Lewi, Payman Mohassel, Valeria Nikolaenko

SNARK-Friendly, Additively-Homomorphic, and Verifiable Encryption and Decryption with Rerandomization – Jiwon Lee, Jaekyoung Choi, Jihye Kim, and Hyunok Oh

The Turbo-PLONK Program Syntax for Specifying SNARK Programs – Ariel Gabizon and Zachary J. Williamson

### Accepted Systematizations of Knowledge (SoK)

Hardware Accelerated Modular Multiplication for ZKProofs – Justin Drake, Sean Gulley, Kelly Olson, Erdinc Ozturk and Simon Peffers

Formalising $\Sigma$-Protocols and Commitment Schemes using CryptHOL – D. Butler, A. Lochbihler, D. Aspinall and A. Gascon

Lifting Transformations for Simulation Extractable Subversion and Updatable SNARKs – Behzad Abdolmaleki, Sebastian Ramacher, and Daniel Slamanig

## Schedule

Note that the schedule below may change during the course of the workshop, as sessions advance and we adapt to make the most out of the discussions. We will make sure to update the participants through all the channels.

## Monday, April 20

3:00 PM (UTC)
Kick-off
Welcome Remarks
We will kick off the online workshop and explain the logistics of this format.
3:15 PM (UTC)
Keynote
Zero Knowledge to the Rescue
Moti Yung

Zero Knowledge (ZK) as a technique was invented 35 years ago, and since then it has gained many theoretical implications to cryptographic research and enabled various cryptographic primitives, and the centrality of the notion is very well established in cryptography. Further, in the last few years concrete applications of ZK have been developed primarily as part of the cryptocurrency wave but also elsewhere. Efficient methods have been found and implemented etc. to solve actual (i.e., industry) problems in systems.

In this talk I will review some properties of ZK from an industrial perspective, and how it became handy and uniquely positioned for concrete deployed solutions in my own experience, and how the availability of the techniques matched exactly and uniquely what was needed in actual applications under actual trust and threat settings.

4:00 PM (UTC)
Networking Break
Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee.
4:30 PM (UTC)
Proposal
Distributed Auditing Proofs of Liabilities
Kostas Chalkias

The Distributed Auditing Proofs of Liabilities (DAPOL) are schemes designed to let companies that accept a) monetary deposits from consumers (i.e., custodial wallets, blockchain exchanges, banks, gambling industry etc.) or b) fungible obligations and report claims from users (i.e., fake news and hate speech reporting, disapproval voting etc.) to prove their total amount of liabilities or obligations without compromising the privacy of both users' identity and individual amounts.

One of the most popular applications of proofs of liabilities is proving solvency of blockchain exchanges and wallets. Solvency is defined as the ability of a company to meet its long-term financial commitments. In finance and particularly in blockchain systems, proof of solvency consists of two components:

• Proof of liabilities: proving the total quantity of coins the exchange owes to all of its customers.
• Proof of reserves (also known as proof of assets): proving ownership of digital assets (i.e., coins) in the blockchain.

Typically, an exchange should prove that the total balance of owned coins is greater than or equal to their liabilities, which correspond to the sum of coins their users own internally to their platform.

It is highlighted that this proposal focuses on the proofs of liabilities part only, mainly because the same solution can be applied to a broad range of applications, even outside solvency, and secondly because the proof of assets part cannot easily be generalized and it differs between blockchain types due to different privacy guarantees offered per platform.

The extra benefit of DAPOL compared to conventional auditor-based approaches is it provides a transparent mechanism for users to validate their balance inclusion in the reported total amount of liabilities/obligations and complements the traditional validation performed by the auditors by adding extra privacy guarantees.

This document focuses on a particular class of auditing cases, in which we assume that the audited entity does not have any incentive to increase its liabilities or obligations. Although proofs of liabilities are an essential part of proving financial solvency, it will be shown that there are numerous applications of DAPOL, including their use in tax earning statements, "negative" voting and transparent reports of offensive content in social networks, among others.

The recommended approach combines previously known cryptographic techniques to provide a layered solution with predefined levels of privacy in the form of gadgets. The backbone of this proposal is based on the enhanced Maxwell's Merkle-tree construction and is extended using balance splitting tricks, efficient padding, verifiable random functions, deterministic key derivation functions and the range proof techniques from Provisions and ZeroLedge solvency protocols, respectively.

Because Bulletproofs, Gro16, Ligero, Plonk, Halo and other efficient zkSNARK or zkSTARK constructions were not available or mature when the above solvency protocols were published, we will assume that any efficient zero knowledge scheme for set membership in summation structures can be a good candidate, but we hope we will agree as a community on one or two concrete constructions.

6:00 PM (UTC)
End of Day

## Thursday, April 23

3:00 PM (UTC)
SoK
Lifting Transformations for Simulation Extractable Subversion and Updatable SNARKs

Zero-knowledge proofs and in particular succinct non-interactive zero-knowledge proofs (so called zk-SNARKs) are getting increasingly used in real-world applications, with cryptocurrencies being the prime example. Simulation extractability (SE) is a strong security notion of zk-SNARKs which informally ensures non-malleability of proofs, which is considered highly important in practical applications. Another problematic issue for the practical use of zk-SNARKs is the requirement of a fully trusted setup, as especially for large-scale decentralized applications finding a trusted party that runs the setup is practically impossible. Quite recently, the study of approaches to relax or even remove the trust in the setup procedure, and in particular subversion as well as updatable zk-SNARKs (with the latter being the most promising approach), has been initiated and received considerable attention since then. Unfortunately, so far SE-SNARKs with aforementioned properties are only constructed in an ad-hoc manner and no generic techniques are available.

In this SoK paper we present the state-of-the-art in generic techniques to obtain SE subversion and updatable SNARKs. In particular, we present a revisited version of the lifting technique due to Kosba et al. (called C∅C∅). This revisited version called OC∅C∅ explores the design space of many recently proposed SNARK- and STARK-friendly symmetric-key primitives. While C∅C∅ and OC∅C∅ are compatible with subversion SNARKs, they are not compatible with updatable SNARKs. Then, we present another lifting transformation called Lamassu, which is built upon key-homomorphic signatures as well as so called updatable signatures. Lamassu preserves the subversion and in particular updatable properties of the underlying zk-SNARK. Finally, we present a comprehensive comparison of these lifting transformations with ad-hoc techniques as well as a discussion of many aspects regarding the instantiation of the techniques.

4:00 PM (UTC)
Networking Break
Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee.
4:30 PM (UTC)
Proposal
Commit-and-Prove Zero-Knowledge Proof Systems
Matteo Campanelli

Commit-and-Prove Zero-Knowledge Proof systems (CP-ZKPs) [Kilian89,CLOS02] are a generalization of zero-knowledge proofs in which the prover proves statements about values that are committed.

The motivation for using CP-ZKPs is both theoretical and practical. On the theoretical side, the commit-and-prove methodology is used in plenty of cryptographic constructions. On the practical side, we see emerging application scenarios in which a party commits to an input $x$ *ahead of time* (i.e., before even knowing what it will prove about $x$) and can later prove different properties about $x$; anybody else can verify these proofs having access only to the commitment (versus having access to the 'plain' input $x$).

The aim of this document is to stimulate a discussion on the formalization of CP-ZKPs, following the ongoing standardization effort in the context of ZKPs. This is an updated version of the proposal submitted and discussed at the 2nd ZKP workshop. The updates reflect the feedback received during the discussion, and the goal of resubmitting is to propose a continuation of the discussion around the topic.

6:00 PM (UTC)
End of Day

## Monday, April 27

3:00 PM (UTC)
Keynote
Gage MPC – Going beyond the Residual Function Non-Interactive MPC Lower Bound
Tal Rabin

Existing models for non-interactive MPC necessarily require leakage of the residual function – the output of the function on the honest parties’ inputs together with all possible settings of the adversarial inputs. We present a new MPC model which enables circumventing this lower bound.

To achieve this, we utilize a blockchain in a novel way, incorporating smart contracts and (arbitrary) miners as participants. Security is maintained under a monetary assumption on the computational resources of the adversary in relation to those of the honest parties. This yields non-interactive MPC protocols with very strong security guarantees in the short term. Over time, as the adversary can invest more and more computational resources, the security guarantee decays. Thus, our model, which we call Gage MPC, is very suitable for secure computation with limited-time secrecy, such as auctions over the blockchain.

A key ingredient in our protocols is a new primitive we call “Gage Time Capsules” (GaTC) which utilize zero-knowledge proofs.

Joint work: Ghada Almashaqbeh, Fabrice Benhamouda, Seungwook Han, Daniel Jaroslawicz, Tal Malkin, Alex Nicita, Abhishek Shah, Eran Tromer

4:00 PM (UTC)
Networking Break
Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee.
4:30 PM (UTC)
Proposal
Semaphore: Zero-Knowledge Signaling on Ethereum
Kobi Gurkan and Koh Wei Jie

Privacy has been a big concern in the blockchain space. While different specific solutions have been introduced to introduce more privacy into systems, they remain focused on specific problems and are complex to extend and deploy.

We introduce Semaphore - a framework for zero-knowledge signaling on Ethereum. It allows a user to broadcast their support of an arbitrary string, without revealing who they are to anyone, besides being approved to do so. Semaphore is meant to be used as a base layer for signaling-based applications - mixers, anonymous DAOs, anonymous journalism, etc.

Semaphore is designed to allow building applications in a modular fashion. Normally, they would be implemented as a smart contract that would manage the onboarding of new identities and would define the conditions for signals to be accepted for broadcast, besides passing the checks of the Semaphore layer. Being deployed on Ethereum, it allows interaction with other applications residing on the Ethereum blockchain.

We provide an efficient implementation of our framework, in the form of two example applications - a mixer and an anonymous survey dApp. Our implementation is built in a way that makes it flexible to extend and clear to deploy.

6:00 PM (UTC)
End of Day

## Thursday, April 30

3:00 PM (UTC)
SoK
Formalising $\Sigma$-Protocols and Commitment Schemes using CryptHOL
David Butler

$\Sigma$-protocols provide a method to obtain efficient zero knowledge. In this work we first use CryptHOL [Lochbihler17], a framework embedded inside Isabelle/HOL, to provide a fully formalised theory of $\Sigma$-protocols. Our formalisation proves secure multiple case studies, namely the Schnorr, Chaum-Pedersen and Okamoto $\Sigma$-protocols, as well as a construction that allows for compound (AND and OR) $\Sigma$-protocols.

This work also reports on our fully formalised theory of commitment schemes. A highlight of the work is a formalisation of the construction of commitment schemes from $\Sigma$-protocols. We formalise this proof at an abstract level using the modularity available in Isabelle/HOL and CryptHOL. This way, the proofs of the instantiations come for free.

Formal verification of proofs of security is important to increase the rigour of provable security. In particular they allow the proofs to be scrutinised in a level of detail beyond that which is available in paper proofs. For example, in this work, we are able to highlight which of the numerous definitions of $\Sigma$-protocols in the literature is the correct one.

We believe this work lays strong foundations for providing a fully formalised theory of Zero-Knowledge using CryptHOL. It is, however, unclear what form this formalisation should take to be of most use for cryptographers. Is a formalised definitional theory sufficient, or are there certain results that the community would benefit from being formalised?

All definitions and statements presented in this work have been formalised in CryptHOL and are available online.

4:00 PM (UTC)
Networking Break
Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee.
4:30 PM (UTC)
Proposal
AirAssembly: a Low-Level Language for Encoding AIR of Computations
In this paper we present AirAssembly - a low-level language for describing Algebraic Intermediate Representation (AIR) of computations. AIR is an output of an arithmetization process which translates a Computational Integrity statement into a polynomial, which is then used by zk-STARK proving systems to create an efficiently verifiable proof of computation. As of writing of this paper, no public formats exist for describing AIR, and we believe that AirAssembly can fill this gap.
6:00 PM (UTC)
End of Day

## Monday, May 4

3:00 PM (UTC)
Keynote
Zero-Knowledge Proofs for Constructing Protocols
Jan Camenisch

One of the main applications of zero-knowledge proofs is the design and construction of cryptographic protocols, typically by proving knowledge of values that are inputs and/or output of selected cryptographic primitives. For instance, a group signature scheme can be realised as a proof of knowledge of an encrypted value that is signed by the group manager. Now, to obtain efficient protocols, it is essential that the zero-knowledge proofs and the cryptographic primitives interact well.

In this talk we will give a brief overview of different construction frameworks of compatible primitives and zero-knowledge proofs and then discuss open problems and challenges that arise when these protocol construction frameworks are folded into security modelling frameworks such as UC.

4:00 PM (UTC)
Networking Break
Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee.
4:30 PM (UTC)
Proposal
Plumo: Towards Scalable, Interoperable Blockchains Using Ultra Light Validation Systems
Psi Vesely and Michael Straka
Scalability and interoperability issues have been two of the main reasons preventing the wide-spread adoption of blockchain systems. Despite significant progress in recent years, solutions that are simple, efficient, and secure, and that do not restrict functionality remain elusive. In this paper, we are taking a step forward to address these challenges by introducing Plumo, a framework that enables secure and efficient light client synchronization and cross-chain transaction validation via SNARK proofs. We present a concrete instantiation of Plumo on top of a BFT consensus network which uses SNARKs to prove changes in the consensus committee. We further show how to build SNARK-friendly hash-to-curve functions from existing cryptographic primitives and SNARK-friendly aggregateable BLS signatures to further increase prover and verifier efficiency. Finally, we present an evaluation of our implementation showing that even resource-constrained clients, such as low-end mobile phones, can transact efficiently and securely with our system. We show that the generation of a (reusable) SNARK proof spanning 6 months worth of validator changes costs only about USD \$12 worth of computation on modern cloud infrastructure and can be verified in about 6 seconds on a Motorola Moto G (2nd Gen) smart phone.
6:00 PM (UTC)
End of Day

## Thursday, April 30

3:00 PM (UTC)
Reference
Towards Version 1.0 of the ZKProof Community Reference
Daniel Benarroch, Luis Brandao and Eran Tromer
Zero-knowledge proofs enable proving mathematical statements while maintaining the confidentiality of supporting data. This can serve as a privacy-enhancing cryptographic tool in a wide range of applications, but its usability is dependent on secure, practical and interoperable deployments. This ZKProof Community Reference — an output of the ZKProof standardization effort — intends to serve as a reference for the development of zero-knowledge-proof technology. The document arises from contributions by the community and for the community. It covers theoretical aspects of definition and theory, as well as practical aspects of implementation and applications.
4:00 PM (UTC)
Networking Break
Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee.
4:30 PM (UTC)
Proposal
zkInterface: a Tool for Zero-Knowledge Interoperability
Aurelien Nicolas and Eran Tromer
In this proposal, we present a framework for enabling the interoperability of zero-knowledge proof systems by defining a standard file format for the intermediate representations (in this case R1CS), and decoupling the frontend implementation to generate constraint systems from the backend implementations to generate and verify proofs of those statements. This proposal is a resubmission. This was a first of its kind proposal at last year’s 2nd ZKProof Workshop, and since then we have implemented the feedback from the discussions, and more.
6:00 PM (UTC)
End of Day

## Monday, May 11

3:00 PM (UTC)
Keynote
Diogenes: Lightweight Scalable RSA Modulus Generation with a Dishonest Majority
Carmit Hazay

In this work, we design and implement the first protocol for RSA modulus construction that can support thousands of parties and offers security against an arbitrary number of corrupted parties. In a nutshell, we design the "best" protocol for this scale that is secure against passive corruption, then amplify it to obtain active security using efficient non-interactive zero-knowledge arguments. Our protocol satisfies a stronger security guarantee where a deviating party can be identified when the protocol aborts (referred to as security with identifiable-abort) and allows for "public verifiability".

We instantiate our ZK proof system by composing two different types of ZK proof systems: (1) the Ligero sub-linear zero-knowledge proof system (Ames et al., CCS 2017), and (2) Sigma-protocol for proving the knowledge of a discrete logarithm in unknown order groups (Shoup, Eurocrypt 2000).

We implemented both the passive and the active variants of our protocol and ran experiments using 2–4000 parties. For generating a 2048-bit modulus among 1,000 parties, our passive protocol executed in under 4 minutes and the active variant ran in 22 minutes. In all our experiments, we ran each party on a t3.small AWS EC2 instance (2 vCPUs, 2GB RAM, up to 2Mbps) and the coordinator on a r5dn.24xlarge instance (96 vCPUs, 768GB RAM, up to 100Gbps).

We highlight that this is the first implementation that: (1) Scales an MPC protocol to more than 1000 parties, (2) Demonstrates viability of the classic GMW compiler from passive to active, and (3) Implements a zero-knowledge prover of a large NP statement in a memory/cpu constrained environment.

This is a joint work with Megan Chen, Yuval Ishai, Yuriy Kashnikov, Daniele Micciancio, Tarik Riviere, abhi shelat, Muthu Venkitasubramaniam and Ruihan Wang.

4:00 PM (UTC)
Networking Break
Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee.
4:30 PM (UTC)
Proposal
SAVER: Snark-friendly, Additively-homomorphic, and Verifiable Encryption and decryption with Rerandomization
Jiwon Lee

In the pairing-based zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARK), there often exists a requirement for the proof system to be combined with encryption. As a typical example, a blockchain-based voting system requires the vote to be confidential (using encryption), while verifying voting validity (using zk-SNARKs). In these combined applications, a general solution is to extend the zk-SNARK circuit to include the encryption code. However, complex cryptographic operations in the encryption algorithm increase the circuit size, which leads to impractically large proving time and the CRS size.

In this paper, we propose Snark-friendly, Additively-homomorphic, and Verifiable Encryption and decryption with Rerandomization or SAVER, which is a novel approach to detach the encryption from the SNARK circuit. The encryption in SAVER holds many useful properties. It is SNARK-friendly: the encryption is conjoined with an existing pairing-based SNARK, in a way that the encryptor can prove pre-defined properties while encrypting the message apart from the SNARK. It is additively-homomorphic: the ciphertext holds a homomorphic property from the ElGamal-based encryption. It is a verifiable encryption: one can verify arbitrary properties of encrypted messages by connecting with the SNARK system. It provides a verifiable decryption: anyone without the secret can still verify that the decrypted message is indeed from the given ciphertext. It provides rerandomization: the proof and the ciphertext can be rerandomized as independent objects so that even the encryptor (or prover) herself cannot identify the origin.

For the representative application, we define and construct a voting system scenario and explain the necessity of each property in the SAVER. We prove the IND-CPA-security of the encryption, along with the soundness of encryption and decryption proofs. The experimental results show that the voting system designed from our SAVER yields 0.7s proving/encryption (voting) time, and 16MB-sized CRS for the SNARK.

6:00 PM (UTC)
End of Day

## Thursday, May 14

3:00 PM (UTC)
SoK
Hardware Accelerated Modular Multiplication for ZKProofs
Erdinc Ozturk and Justin Drake

This talk focuses on hardware acceleration of modular multiplication and its application to the blockchain ecosystem. While there have been many exciting new developments in computer science and cryptography over the past decade, less effort has been spent on how to make these new techniques computationally practical. By increasing the performance of modular multiplication, novel cryptographic techniques like VDFs, SNARKs, and Accumulators can become feasible, enabling blockchain protocols to reduce their compute, storage, and networking requirements. This talk will discuss techniques for optimization across CPU, GPU, FPGA, and ASIC architectures, as well as both algorithmic and numerical representation techniques that enable improved performance. We will provide concrete data from recent optimization work on different architectures for RSA-based cryptography, and discuss the viability of this approach to improve blockchain security and scalability. The talk will conclude with a discussion of developments that have <1% the latency of a CPU system, and over 1000 times the throughput of a CPU core.

4:00 PM (UTC)
Networking Break
Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee.
4:30 PM (UTC)
Proposal
A Benchmarking Framework for (Zero-Knowledge) Proof Systems
Daniel Benarroch and Justin Thaler
This document proposes a partial framework for evaluating the concrete performance of proof and argument systems. The goals of this work are to: (1) summarize the challenges and subtleties inherent in any evaluation framework, (2) encourage quality and consistency in published evaluations, and (3) ease comparison of different proof and argument systems.
6:00 PM (UTC)
End of Day

## Monday, May 18

3:00 PM (UTC)
Keynote
TBD
Rosario Gennaro
TBD
4:00 PM (UTC)
Networking Break
Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee.
4:30 PM (UTC)
Proposal
The Turbo-PLONK program syntax for specifying SNARK programs
Ariel Gabizon and Zachary J. Williamson

We present a new syntax analogous to r1cs for specifying SNARK statements, which we call Turbo PLONK (TP). We give the example of fixed-base scalar multiplication and Pedersen hash to exemplify TP's efficiency gains over r1cs when using it with the PLONK SNARK.

6:00 PM (UTC)
End of Day

## Thursday, May 21

3:00 PM (UTC)
Panel Discussion
The Future of Privacy-Enhancing Cryptography
TBD

TBD

4:00 PM (UTC)
Keynote
TBD
TBD

TBD

4:45 PM (UTC)
TBD
TBD

TBD

5:30 PM (UTC)
Closing Ceremony
ZKProof Organizers

The closing ceremony will include final remarks, prizes and other surprises.

6:00 PM (UTC)
End of Workshop