### Join the Final Day Open Session

Thursday, May 21st at 3pm UTC

Register now for the final event of the Home Edition.
Find here the speaker list and the schedule for the day.

### Introducing the first Home Edition of the ZKProof Workshop

Amid health concerns surrounding the coronavirus (COVID-19), and after much internal discussion, the ZKProof Steering Committee has decided to forgo a physical gathering in London and to hold this year’s 3rd ZKProof Workshop as an online conference. Register on Eventbrite now.

The goals of the ZKProof initiative are to promote the standardization of zero-knowledge proof cryptography and to increase the engagement of companies and researchers worldwide. We are aware that a virtual event limits the personal interaction that is desirable for strengthening any community, especially in the cryptography community, which benefits greatly from these interactions.

With that in mind, we have created an immersive online workshop experience that encompasses these goals as much as possible, focusing on productive interactions and the high-quality discussions. Moreover, we believe this format change will make the workshop extremely accessible and will allow even more community members to take an active role in the standardization initiative.

### Restructuring the Agenda – The ZKProof Month

Given that 12 papers were accepted to the workshop (3 SoK and 9 community proposals), we decided to restructure the whole event in order to create an optimal environment for each discussion. As such, instead of 3 days of full-time talks, which is not realistic given the circumstances, the workshop will span a month of shorter segments. For five weeks, every Monday and Thursday we will host a 3 hour talk and a discussion. See the full schedule below.

We encourage everyone to join us in every session, mainly because we value community participation, but also because the discussions will be continued from one session to another. Furthermore, we are hosting a networking session every day where you will be able to meet your peers, have tea with a friend, and more.

The full schedule can be found below,, and here is the call for papers. We thank our sponsors for their support.

#### Important Information

Dates: April 20 – May 21, every Monday and Thursday at 3pm UTC.
New Registration: Register on Eventbrite. There is a reduced fee of £30 (GBP). The first 150 registrations will receive a surprise kit to their doorstep.
Location: Zoom conference room – participants will receive a link for the event.
Schedule: Please find the full schedule below. We have added a Google Calendar so you can easily track any changes.

#### Info for Registered Participants

To make this workshop a success we encourage everyone to participate in discussions both online and offline, and as such we have set up three different types of tools

• Zoom for talks and live discussions
• The community forum and our Telegram group for offline discussions and chats
• Collaborative tools for simultaneous work: (1) hackmd for writing and note-taking; (2) Miro for visuals and diagrams

The accepted papers will be published and we encourage all participants to review them before the discussions in order to have more productive sessions.

### Registration and Submissions

Register now for the first Home Edition of the ZKProof Workshop.

The reviewing committee accepted a total of 12 submissions, the papers will be available online.

To apply for our limited number of scholarships, email us at [email protected]

## Schedule

Note that the schedule below may change during the course of the workshop, as sessions advance and we adapt make the most out of the discussions. We will make sure to update the participants through all the channels.

## Monday, May 18

Session Chairs and Moderators: Benedikt Buenz and Izaak Meckler

3:00 PM (UTC)
Reference
Towards Version 1.0 of the ZKProof Community Reference
Daniel Benarroch, Luis Brandao and Eran Tromer
Zero-knowledge proofs enable proving mathematical statements while maintaining the confiden-tiality of supporting data. This can serve as a privacy-enhancing cryptographic tool in a widerange of applications, but its usability is dependent on secure, practical and interoperable deploy-ments. This ZKProof Community Reference — an output of the ZKProof standardization effort— intends to serve as a reference for the development of zero-knowledge-proof technology. Thedocument arises from contributions by the community and for the community. It covers theoretical aspects of definition and theory, as well as practical aspects of implementation and applications.
4:00 PM (UTC)
Networking Break
Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee.
4:30 PM (UTC)
Proposal
zkInterface: a Tool for Zero-Knowledge Interoperability
Aurelien Nicolas and Eran Tromer

In this proposal, we present a framework for enabling the interoperability of zero-knowledge proof systems by defining a standard file format for the intermediate representations (in this case R1CS), and decoupling the frontend implementa- tion to generate constraint systems from the backend implementations to generate and verify proofs of those statements. This proposal is a resubmission. This was a first of its kind proposal at last year’s 2nd ZKProof Workshop, and since then we have implemented the feedback from the discussions, and more.

6:00 PM (UTC)
End of Day

## Thursday, May 21

3:00 PM (UTC)
Panel Discussion
Panelists: Josh Cincinatti (Zcash Foundation), Mariana Gomez de la Villa (ING), Jonathan Rouach (QEDIT), Charles Hoskinson (IOHK), Rilly Chen (Ant Financial) and Antonio Senatore (Deloitte)
Moderator: Samantha Stein

TBD

4:00 PM (UTC)
Short Talk
Secure and Private Distributed Ledgers: ZK - Saviour and Saved
Markulf Kohlweiss, University of Edinburgh

IOHK and the blockchain technology lab are maybe best known for formalizing the security of distributed ledgers and the Ouroboros family of proof-of-stake protocols, which because of its robust security analysis is a viable alternative to bitcoin's proof-of-work in terms of security -- while vastly superior in terms of energy efficiency.

In this talk, I show how distributed ledgers help solve the setup problem of our most succinct and performant ZK prove systems. Based on such a setup, I continue the Ouroboros programme to show how zcash on top of Ouroboros Crypsinous can be as private as zcash on top of bitcoin. The ZK setup can in turn enrich the ledger with private smart contracts and succinct ledger verification.

4:25 PM (UTC)
Short Talk
Combining Advanced Cryptography in Enterprise Products: Showcasing QEDIT for Excel
Jonathan Rouach, QEDIT

TBD

4:50 PM (UTC)
Coffee Break
5:00 PM (UTC)
Panel Discussion
The Future of Privacy-Enhancing Cryptography
Panelists: Joshua Baron (DARPA), Yuval Ishai (Technion), Kristin Lauter (Microsoft), Kobbi Nissim (Harvard) and Vinod Vaikuntanathan (MIT) and Chris Peikert (U. of Michigan)
Moderator: Shafi Goldwasser (UC Berkeley and MIT)

TBD

6:00 PM (UTC)
Community Ceremony
Daniel Benarroch (QEDIT), Yau Benor (QEDIT) and Aviv Zohar (Hebrew U. and QEDIT)

The closing cerenomy will include final remarks, prizes and other surprises.

6:20 PM (UTC)
Closing Remarks
ZKProof Steering Committee
6:30 PM (UTC)
End of Workshop

## Monday, April 20

Session Chairs & Moderators: Mariana Raykova and Eran Tromer

3:00 PM (UTC)
Kick-off
Welcoming Remarks
Prof. Aviv Zohar
3:15 PM (UTC)
Keynote
Zero Knowledge to the Rescue
Moti Yung

Zero Knowledge (ZK) as a technique has been invented 35 years ago, and since then it gained many theoretical implications to cryptographic research and enabled various cryptographic primitives, and the centrality of the notion is very well established in cryptography. Further, in the last few years concrete applications of ZK have been developed primarily as part of the cryptocurrency wave but also elsewhere. Efficient methods have been found and implemented etc. to solve actual (i.e., industry) problems in systems.

In this talk I will review some properties of ZK from an industrial perspective, and how it became handy and uniquely positioned for concrete deployed solutions in my own experience, and how the availability of the techniques matched exactly and uniquely what was needed in actual applications under actual trust and threat settings.

4:00 PM (UTC)
Networking Break
Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee.
4:30 PM (UTC)
Proposal
Distributed Auditing Proofs of Liabilities
Speaker: Kostas Chalkias

The Distributed Auditing Proofs of Liabilities (DAPOL) are schemes designed to let companies that accept a) monetary deposits from consumers (i.e., custodial wallets, blockchain exchanges, banks, gambling industry etc.) or b) fungible obligations and report claims from users (i.e., fake news and hate speech reporting, disapproval voting etc.) to prove their total amount of liabilities or obligations without compromising the privacy of both users' identity and individual amounts.

One of the most popular applications of proofs of liabilities is proving solvency of blockchain exchanges and wallets. Solvency is defined as the ability of a company to meet its long-term financial commitments. In finance and particularly in blockchain systems, proof of solvency consists of two components:

• -Proof of liabilities: proving the total quantity of coins the exchange owes to all of its customers.
• - Proof of reserves} (also known as proof of assets): proving ownership of digital assets (i.e., coins) in the blockchain.

Typically, an exchange should prove that the total balance of owned coins is greater than or equal to their liabilities, which correspond to the sum of coins their users own internally to their platform.

It is highlighted that this proposal focuses on the proofs of liabilities part only, mainly because the same solution can be applied to a broad range of applications, even outside solvency, and secondly because the proof of assets part cannot easily be generalized and it differs between blockchain types due to different privacy guarantees offered per platform.

The extra benefit of DAPOL compared to conventional auditor-based approaches is it provides an transparent mechanism for users to validate their balance inclusion in the reported total amount of liabilities/obligations and complements the traditional validation performed by the auditors by adding extra privacy guarantees.

This document focuses on a particular class of auditing cases, in which we assume that the audited entity does not have any incentive to increase its liabilities or obligations. Although proofs of liabilities are an essential part of proving financial solvency, it will be shown that there are numerous applications of DAPOL, including their use in tax earning statements, "negative" voting and transparent reports of offensive content in social networks, among the others.

The recommended approach combines previously known cryptographic techniques to provide a layered solution with predefined levels of privacy in the form of gadgets. The backbone of this proposal is based on the enhanced Maxwell's Merkle-tree construction and is extended using balance splitting tricks, efficient padding, verifiable random functions, deterministic key derivation functions and the range proof techniques from Provisions and ZeroLedge solvency protocols, respectively.

Because Bulletproofs, Gro16, Ligero, Plonk, Halo and other efficient zkSNARK or zkSTARK constructions were not available or mature when the above solvency protocols were published, we will assume that any efficient zero knowledge scheme for set membership in summation structures can be a good candidate, but we hope we will agree as a community on one or two concrete constructions.

6:00 PM (UTC)
End of Day

## Thursday, April 23

Session Chairs & Moderators: Yuval Ishai and Mary Maller

3:00 PM (UTC)
SoK
Lifting Transformations for Simulation Extractable Subversion and Updateable SNARKs

Zero-knowledge proofs and in particular succinct non-interactive zero-knowledge proofs (so called zk-SNARKs) are getting increasingly used in real-world applications, with cryptocurrencies being the prime example. Simulation extractability (SE) is a strong security notion of zk-SNARKs which informally ensures non-malleability of proofs, which is considered highly important in practical applications. Another problematic issue for the practical use of zk-SNARKs is the requirement of a fully trusted setup, as especially for large-scale decentralized applications finding a trusted party that runs the setup is practically impossible. Quite recently, the study of approaches to relax or even remove the trust in the setup procedure, and in particular subversion as well as updatable zk-SNARKs (with latter being the most promising approach), has been initiated and received considerable attention since then. Unfortunately, so far SE-SNARKs with aforementioned properties are only constructed in an ad-hoc manner and no generic techniques are available.

In this SoK paper we present the state-of-the-art in generic techniques to obtain SE subversion and updatable SNARKs. In particular, we present a revisited version of the lifting technique due to Kosba et al. (called C∅C∅). This revisited version called OC∅C∅ explores the design space of many recently proposed SNARK- and STARK-friendly symmetric-key primitives. While C∅C∅ and OC∅C∅ are compatible with subversion SNARKs, they are not compatible with updatable SNARKs. Then, we present another lifting transformation called Lamassu, which is build upon key-homomorphic signatures as well as so called updatable signatures. Lamassu preserves the subversion and in particular updatable properties of the underlying zk-SNARK. Finally, we present an comprehensive comparison of these lifting transformations with ad-hoc techniques as well as a discussion of many aspects regarding the instantiation of the techniques.

4:00 PM (UTC)
Networking Break
Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee.
4:30 PM (UTC)
Proposal
Commit-and-Prove Zero-Knowledge Proof Systems
Speaker: Matteo Campanelli

Commit-and-Prove Zero-Knowledge Proof systems (CP-ZKPs) [Kilian89,CLOS02] are a generalization of zero-knowledge proofs in which the prover proves statements about values that are committed.

The motivation for using CP-ZKPs is both theoretical and practical. On the theoretical side, the commit-and-prove methodology is used in plenty of cryptographic constructions. On the practical side, we see emerging application scenarios in which a party commits to an input $x$ \emph{ahead of time} (i.e., before even knowing what it will prove about $x$) and can later prove different properties about $x$; anybody else can verify these proofs having access only to the commitment (versus having access to the plain' input $x$).

The aim of this document is to stimulate a discussion on the formalization of CP-ZKPs, following the ongoing standardization effort in the context of ZKPs. This is an updated version of the proposal submitted and discussed at the 2nd ZKP workshop. The updates reflect the feedback received during the discussion, and the goal of resubmitting is to propose a continuation of the discussion around the topic.

6:00 PM (UTC)
End of Day

## Monday, April 27

Session Chairs & Moderators: Daniel Benarroch and Muthu Venkitasubraniam

3:00 PM (UTC)
Keynote
Gage MPC – Going beyond the Residual Function Non-Interactive MPC Lower Bound
Tal Rabin

Existing models for non-interactive MPC necessarily require leakage of the residual function – the output of the function on the honest parties’ inputs together with all possible settings of the adversarial inputs. We present a new MPC model which enables to circumvent this lower bound.

To achieve this, we utilize a blockchain in a novel way, incorporating smart contracts and (arbitrary) miners as participants. Security is maintained under a monetary assumption on the computational resources of the adversary in relation to those of the honest parties. This yields non-interactive MPC protocols with very strong security guarantees in the short term. Over time, as the adversary can invest more and more computational resources, the security guarantee decays. Thus, our model, which we call Gage MPC, is very suitable for secure computation with limited-time secrecy, such as auctions over the blockchain.

A key ingredient in our protocols is a new primitive we call “Gage Time Capsules” (GaTC) which utilize zero-knowledge proofs.

Joint work: Ghada Almashaqbeh, Fabrice Benhamouda. Seungwook Han, Daniel Jaroslawicz , Tal Malkin, Alex Nicita. Abhishek Shah, Eran Tromer

4:00 PM (UTC)
Networking Break
Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee.
4:30 PM (UTC)
Proposal
Semaphore: Zero-Knowledge Signaling on Ethereum
Kobi Gurkan and Koh Wei Jie

Privacy has been a big concern in the blockchain space. While different specific solutions have been introduced to introduce more privacy into systems, they remain focused on specific problems and are complex to extend and deploy.

We introduce Semaphore - a framework for zero-knowledge signaling on Ethereum. It allows a user to broadcast their support of an arbitrary string, without revealing who they are to anyone, besides being approved to do so. Semaphore is meant to be used a base layer for signaling-based applications - mixers, anonymous DAOs, anonymous journalism, etc.

Semaphore is designed to allow building applications in a modular fashion. Normally, they would be implemented as a smart contract that would manage the onboarding of new identities and would define the conditions for signals to be accepted for broadcast, besides passing the checks of the Semaphore layer. Being deployed on Ethereum, it allows interaction with other applications residing on the Ethereum blockchain.

We provide an efficient implementation of our framework, in the form of two example applications - a mixer and an anonymous survey dApp. Our implementation is built in a way that makes it flexible to extend and clear to deploy.

6:00 PM (UTC)
End of Day

## Thursday, April 30

Session Chairs & Moderators: Alessandro Chiesa, Yael Kalai and Justin Thaler

3:00 PM (UTC)
SoK
Formalising $Sigma$-Protocols and Commitment Schemes using CryptHOL
David Butler

$\Sigma$-protocols provide a method to obtain efficient zero knowledge. In this work we first use CryptHOL~\cite{DBLP:journals/afp/Lochbihler17}, a framework embedded inside Isabelle/HOL, to provide a fully formalised theory of $\Sigma$-protocols. Our formalisation proves secure multiple case studies namely; the Schnorr, Chaum-Pedersen and Okamoto $\Sigma$-protocols as well as a construction that allows for compound (AND and OR) $\Sigma$-protocols.

This work also reports on our fully formalised theory of commitment schemes. A highlight of the work is a formalisation of the construction of commitment schemes from $\Sigma$-protocols \cite{sigma_protocols}. We formalise this proof at an abstract level using the modularity available in Isabelle/HOL and CryptHOL. This way, the proofs of the instantiations come for free.

Formal verification of proofs of security is important to increase the rigour of provable security. In particular they allow the proofs to be scrutinised in a level of detail beyond that which is available in paper proofs. For example, in this work, we are able to highlight which of the numerous definitions of $\Sigma$-protocols in the literature is the correct one.

We believe this work lays strong foundations for providing a fully formalised theory of Zero-Knowledge using CryptHOL. It is however, unclear what form this formalisation should take to be of most use for Cryptographers? Is a formalised definitional theory sufficient, or are there certain results that the community would benefit from being formalised?

All definitions and statements presented in this work have been formalised in CryptHOL and are available online.

4:00 PM (UTC)
Networking Break
Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee.
4:30 PM (UTC)
Proposal
AirAssembly: a Low-Level Language for Encoding AIR of Computations
In this paper we present AirAssembly - a low-level language for describing Algebraic Intermediate Representation (AIR) of computations. AIR is an output of an arithmetization process which translates a Computational Integrity statement into a polynomial, which is then used by zk-STARK proving systems to create an efficiently verifiable proof of computation. As of writing of this paper, no public formats exist for describing AIR, and we believe that AirAssembly can fill this gap.
6:00 PM (UTC)
End of Day

## Monday, May 4

Session Chairs & Moderators: Dario Fiore and Yupeng Zhang

3:00 PM (UTC)
Keynote
Zero-Knowledge Proofs for Constructing Protocols
Jan Camenisch

One of the main applications of zero-knowledge proofs is the design and construction of cryptographic protocols, typically by proving knowledge of values that are inputs and/or output of selected cryptographic primings. For instance, a group signature scheme can be realised as a proof of knowledge of an encrypted value that is signed by the group manager. Now, to obtain efficient protocols, it is essentials that the zero-knowledge proofs and the cryptographic primitives interact well.

In this talk we will give a brief overview different construction frameworks of compatible primitives and zero-knowledge proofs and then discuss open problems and challenges that arise when folding these protocol construction frameworks are folded into security modelling frameworks such as UC.

4:00 PM (UTC)
Networking Break
Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee.
4:30 PM (UTC)
Proposal
Plumo: Towards Scalable, Interoperable Blockchains Using Ultra Light Validation Systems
Psi Vesely and Michael Straka
Scalability and interoperability issues have been two of the main reasons preventing the wide-spread adoption of blockchain systems. Despite significant progress in recent years, solutions that are simple, efficient, and secure, and that do not restrict functionality remain elusive. In this paper, we are taking a step forward to address these challenges by introducing Plumo, a framework that enables secure and efficient light client synchronization and cross-chain transaction validation via SNARK proofs. We present a concrete instantiation of Plumo on top of a BFT consensus network which uses SNARKs to prove changes in the consensus committee. We further show how to build SNARK-friendly hash-to-curve functions from existing cryptographic primitives and SNARK-friendly aggregateable BLS signatures to further increase prover and verifier efficiency. Finally, we present an evaluation of our implementation showing that even resource-constrained clients, such as low-end mobile phones, can transact efficiently and securely with our system. We show that the generation of a (reusable) SNARK proof spanning 6 months worth of validator changes costs only about USD $12 worth of computation on modern cloud infrastructure and can be verified in about 6 seconds on a Motorola Moto G (2nd Gen) smart phone. 6:00 PM (UTC) End of Day ## Thursday, May 7th Session Chairs & Moderators: Daira Hopwood and Riad S. Wahby 3:00 PM (UTC) Keynote The Simulation Paradigm and Deniable Communications Rosario Gennaro In this talk I will survey the area of Deniable Communication and the use of the Simulation Paradigm to define and prove what deniability is. I will discuss the fundamental differences between zero-knowledge and deniability simulations, and then focus on the specific application of deniable authentication and key-exchange. I will conclude by presenting a recent work that analyzes the deniability of widely used messaging protocols such as Signal. 4:00 PM (UTC) Networking Break Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee. 4:30 PM (UTC) Proposal The Turbo-PLONK program syntax for specifying SNARK programs Ariel Gabizon and Zachary J. Williamson We present a new syntax analogous to r1cs for specifying SNARK statements, which we call Turbo PLONK(TP). We give the example of fixed-base scalar multiplication and Pedersen hash to exemplify TP's efficiency gains over r1cs when using it with the PLONK SNARK. 6:00 PM (UTC) End of Day ## Monday, May 11 Session Chairs & Moderators: Carmit Hazay and Hugo Krawczyk 3:00 PM (UTC) Proposal SAVER: Snark-friendly, Additively-homomorphic, and Verifiable Encryption and decryption with Rerandomization Jiwon Lee In the pairing-based zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARK), there often exists a requirement for the proof system to be combined with encryption. As a typical example, a blockchain-based voting system requires the vote to be confidential (using encryption), while verifying voting validity (using zk-SNARKs). In these combined applications, a general solution is to extend the zk-SNARK circuit to include the encryption code. However, complex cryptographic operations in the encryption algorithm increase the circuit size, which leads to impractically large proving time and the CRS size. In this paper, we propose Snark-friendly, Additively-homomorphic, and Verifiable Encryption and decryption with Rerandomization or SAVER, which is a novel approach to detach the encryption from the SNARK circuit. The encryption in SAVER holds many useful properties. It is SNARK-friendly: the encryption is conjoined with an existing pairing-based SNARK, in a way that the encryptor can prove pre-defined properties while encrypting the message apart from the SNARK. It is additively-homomorphic: the ciphertext holds a homomorphic property from the ElGamal-based encryption. It is a verifiable encryption: one can verify arbitrary properties of encrypted messages by connecting with the SNARK system. It provides a verifiable decryption: anyone without the secret can still verify that the decrypted message is indeed from the given ciphertext. It provides rerandomization: the proof and the ciphertext can be rerandomized as independent objects so that even the encryptor (or prover) herself cannot identify the origin. For the representative application, we define and construct a voting system scenario and explain the necessity of each property in the SAVER. We prove the IND-CPA-security of the encryption, along with the soundness of encryption and decryption proofs. The experimental results show that the voting system designed from our SAVER yields 0.7s proving/encryption (voting) time, and 16MB-sized CRS for the SNARK. 4:30 PM (UTC) Networking Break Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee. 5:00 PM (UTC) Keynote Diogenes: Lightweight Scalable RSA Modulus Generation with a Dishonest Majority Carmit Hazay In this work, we design and implement the first protocol for RSA modulus construction that can support thousands of parties and offers security against an arbitrary number of corrupted parties. In a nutshell, we design the `best'' protocol for this scale that is secure against passive corruption, then amplify it to obtain active security using efficient non-interactive zero-knowledge arguments. Our protocol satisfies a stronger security guarantee where a deviating party can be identified when the protocol aborts (referred to as security with identifiable-abort) and allows for "public verifiability". We instantiate our ZK proof system by composing two different types of ZK proof systems: (1) the Ligero sub-linear zero-knowledge proof system (Ames et al., CCS 2017), and (2) Sigma-protocol for proving the knowledge of a discrete logarithm in unknown order groups (Shoup, Eurocrypt 2000). We implemented both the passive and the active variants of our protocol and ran experiments using 2--4000 parties. For generating a 2048-bit modulus among 1,000 parties, our passive protocol executed in under 4 minutes and the active variant ran in 22 minutes. In all our experiments, we ran each party on a t3.small AWS EC2 instance (2 vCPUs, 2GB RAM, up to 2Mbps) and the coordinator on a r5dn.24xlarge instance (96 vCPUs, 768GB RAM, up to 100Gbps). We highlight that this is the first implementation that:(1) Scales an MPC protocol to more than 1000 parties, (2) Demonstrates viability of the classic GMW compiler from passive to active, and (3) Implements a zero-knowledge prover of a large NP statement in a memory/cpu constrained environment. This is a joint work with Megan Chen, Yuval Ishai, Yuriy Kashnikov, Daniele Micciancio, Tarik Riviere, abhi shelat, Muthu Venkitasubramaniam and Ruihan Wang. 6:00 PM (UTC) End of Day ## Thursday, May 14 Session Chairs & Moderators: Jens Groth and Abhi Shelat 3:00 PM (UTC) SoK Hardware Accelerated Modular Multiplication for ZKProofs Erdinc Ozturk and Justin Drake This talk focuses on hardware acceleration of modular multiplication and its application to the blockchain ecosystem. While there have been many exciting new developments in computer science and cryptography over the past decade, less effort has been spent on how to make these new techniques computationally practical. By increasing the performance of modular multiplication, novel cryptographic techniques like VDFs, SNARKs, and Accumulators can become feasible, enabling blockchain protocols to reduce their compute, storage, and networking requirements. This talk will discuss techniques for optimization across CPU, GPU, FPGA, and ASIC architectures, as well as both algorithmic and numerical representation techniques that enable improved performance. We will provide concrete data from recent optimization work on different architectures for RSA-based cryptography, and discuss the viability of this approach to improve blockchain security and scalability. The talk will conclude with a discussion of developments that have <1% the latency of a CPU system, and over 1000 times the throughput of a CPU core. 4:00 PM (UTC) Networking Break Join us to meet your peers in a unique virtual networking session over a cup of tea or coffee. 4:30 PM (UTC) Proposal A Benchmarking Framework for (Zero-Knowledge) Proof Systems Daniel Benarroch and Justin Thaler This document proposes a partial framework for evaluating the concrete performance of proof and argument systems. The goals of this work are to: (1) summarize the challenges and subtleties inherent in any evaluation framework, (2) encourage quality and consistency in published evaluations, and (3) ease comparison of different proof and argument systems. 6:00 PM (UTC) End of Day ### Accepted Community Proposals AirAssembly: a Low-Level Language for Encoding AIR of Computations – Bobbin Threadbare Semaphore: Zero-Knowledge Signaling on Ethereum – Kobi Gurkan, Koh Wei Jie, Barry Whitehat Plumo : Towards Scalable, Interoperable Blockchains Using Ultra Light Validation Systems – Ariel Gabizon, Kobi Gurkan, Philipp Jovanovic, Asa Oines, Marek Olszewski, Michael Straka, Eran Tromer, and Psi Vesely Commit-and-Prove Zero-Knowledge Proof Systems – Daniel Benarroch, Matteo Campanelli and Dario Fiore zkInterface, a Tool for Zero-Knowledge Interoperability – Daniel Benarroch, Aurelien Nicolas, Ron Kahat, Kobi Gurkan and Eran Tromer A Benchmarking Framework for (Zero-Knowledge) Proof Systems – Daniel Benarroch, Aurelien Nicolas, Justin Thaler and Eran Tromer Distributed Auditing Proofs of Liabilities – Konstantinos Chalkias, Kevin Lewi, Payman Mohassel, Valeria Nikolaenko SNARK-Friendly, Additively-Homomorphic, and Verifiable Encryption and Decryption with Rerandomization – Jiwon Lee, Jaekyoung Choi, Jihye Kim, and Hyunok Oh The Turbo-PLONK Program Syntax for Specifying SNARK Programs – Ariel Gabizon and Zachary J. Williamson ### Accepted Systematizations of Knowledge (SoK) Hardware Accelerated Modular Multiplication for ZKProofs – Justin Drake, Sean Gulley, Kelly Olson, Erdinc Ozturk and Simon Peffers Formalising$\Sigma\$-Protocols and Commitment Schemes using CryptHOL – D. Butler, A. Lochbihler, D. Aspinall and A. Gascon

Lifting Transformations for Simulation Extractable Subversion and Updatable SNARKs – Behzad Abdolmaleki, Sebastian Ramacher, and Daniel Slamanig