recursive proof composition
ZKProof Standards 5.5
1 Aug 2023
agenda
agenda
V0
V
P
a recursive proof is a proof that enforces the accepting computation of the proof system’s own verifier
π
overview: motivation
shrinking proof size
πC
V0
V
C
πR
overview: motivation
// Start with a dummy proof of specified size
let inner = dummy_proof::<F, C, D>(config, log2_inner_size)?;
let (_, _, cd) = &inner;
∏dummy
Vdummy
shrinking proof size
overview: motivation
// Start with a dummy proof of specified size
let inner = dummy_proof::<F, C, D>(config, log2_inner_size)?;
let (_, _, cd) = &inner;
// Recursively verify the proof
let middle = recursive_proof::<F, C, C, D>(&inner, config, None)?;
let (_, _, cd) = &middle;
∏dummy
∏0
Vdummy
V0
Initial proof degree 16384 = 2^14
Degree before blinding & padding: 4028
Degree after blinding & padding: 4096
shrinking proof size
overview: motivation
// Start with a dummy proof of specified size
let inner = dummy_proof::<F, C, D>(config, log2_inner_size)?;
let (_, _, cd) = &inner;
// Recursively verify the proof
let middle = recursive_proof::<F, C, C, D>(&inner, config, None)?;
let (_, _, cd) = &middle;
// Add a second layer of recursion to shrink the proof size further
let outer = recursive_proof::<F, C, C, D>(&middle, config, None)?;
let (proof, vd, cd) = &outer;
∏dummy
∏0
∏1
Vdummy
V0
V1
Single recursion proof degree 4096 = 2^12
Degree before blinding & padding: 3849
Degree after blinding & padding: 4096
Initial proof degree 16384 = 2^14
Degree before blinding & padding: 4028
Degree after blinding & padding: 4096
shrinking proof size
overview: motivation
∏dummy
∏0
∏1
Vdummy
V0
V1
Double recursion proof degree 4096 = 2^12
Proof length: 127184 bytes
0.2511s to compress proof
Compressed proof length: 115708 bytes
Single recursion proof degree 4096 = 2^12
Degree before blinding & padding: 3849
Degree after blinding & padding: 4096
Initial proof degree 16384 = 2^14
Degree before blinding & padding: 4028
Degree after blinding & padding: 4096
shrinking proof size
overview: motivation
shrinking proof size
overview: motivation
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
each column j corresponds to a Lagrange interpolation polynomial pj(X)�evaluating to pj(⍵i) = xij, where ⍵ is the nth primitive root of unity.
xij
shrinking proof size
overview: motivation
| fast prover | small proof / fast verifier |
"wide" proof | ✔️ | ❌ |
wide circuit
πwide
fast prover
large proof
shrinking proof size
overview: motivation
wide circuit
πwide
fast prover
large proof
| fast prover | small proof / fast verifier |
"wide" proof | ✔️ | ❌ |
"narrow" proof | ❌ | ✔️ |
narrow circuit
πnarrow
slow prover
tiny proof
shrinking proof size
overview: motivation
wide circuit
πwide
fast prover
large proof
| fast prover | small proof / fast verifier |
"wide" proof | ✔️ | ❌ |
"narrow" proof | ❌ | ✔️ |
verifier in narrow circuit
πnarrow
slow prover
tiny proof
shrinking proof size
overview: motivation
| fast prover | small proof / fast verifier |
STARK | ✔️ | ❌ |
STARK prover circuit
πSTARK
fast prover
large proof
shrinking proof size
overview: motivation
| fast prover | small proof / fast verifier |
STARK | ✔️ | ❌ |
Groth16 | ❌ | ✔️ |
STARK prover circuit
πSTARK
fast prover
large proof
Groth16 prover circuit
πGroth16
slow prover
tiny proof
shrinking proof size
overview: motivation
| fast prover | small proof / fast verifier |
STARK | ✔️ | ❌ |
Groth16 | ❌ | ✔️ |
STARK prover circuit
πSTARK
fast prover
large proof
STARK verifier in Groth16 prover circuit
πGroth16
slow prover
tiny proof
shrinking proof size
overview: motivation
STARK prover circuit
πSTARK
STARK verifier in Groth16 prover circuit
πGroth16
slow prover
tiny proof
STARK prover circuit
πSTARK
shrinking proof size
overview: motivation
STARK prover circuit
πSTARK
STARK verifier in Groth16 prover circuit
πGroth16
slow prover
tiny proof
STARK prover circuit
πSTARK
shrinking proof size
overview: motivation
F’
F’
F’
F(3)
z0
π3,z3
Π0, z0
break large circuit into N repetitions of smaller circuit: reduces prover space complexity
Π1, z1
Π2, z2
Π3, z3
incrementally verifiable computation
overview: motivation
applications:
F’
F’
F’
…
F’
Π0, z0
Π1, z1
Π2, z2
ΠN, zN
incrementally verifiable computation
overview: motivation
a blockchain in which each block can be verified in constant time regardless of the number of prior blocks in the history
tx0
tx1
tx2
tx3
tx4
σ(tx0)
σ(tx1)
σ(tx2)
σ(tx3)
σ(tx4)
full node
e.g. succinct blockchain
overview: motivation
a blockchain in which each block can be verified in constant time regardless of the number of prior blocks in the history
e.g. succinct blockchain
tx0
tx1
tx2
tx3
tx4
σ(tx0)
σ(tx1)
σ(tx2)
σ(tx3)
σ(tx4)
full node
light client
assume correct
overview: motivation
a blockchain in which each block can be verified in constant time regardless of the number of prior blocks in the history
e.g. succinct blockchain
tx0
tx1
tx2
tx3
tx4
σ(tx0)
σ(tx1)
σ(tx2)
σ(tx3)
σ(tx4)
full node
light client
π0
"σ(tx0) is a valid state transition"
π1
"σ(tx1) is a valid state transition, and π0 is correct"
π2
π3
π4
"σ(tx2) is a valid state transition, and π1 is correct"
"σ(tx3) is a valid state transition, and π2 is correct"
the state transitions up to this block are correct
overview: motivation
verifiable delay function [BBBF18]: a sequential computation that is slow to compute but efficient to verify
f
f
f
f
x
f(x)
f2(x)
f3(x)
f4(x)
"f4(input) = output"
evaluator
πf4
prover
e.g. parallelising the VDF prover
overview: motivation
verifiable delay function [BBBF18]: a sequential computation that is slow to compute but efficient to verify
f
f
f
f
x
f(x)
f2(x)
f3(x)
f4(x)
πf
πf
πf
πf
"f(input) = output"
πr
πr
πr
"the previous two proofs were correct"
"the previous two proofs were correct"
evaluator
e.g. parallelising the VDF prover
overview: motivation
proof-carrying data
overview: motivation
proof-carrying data
e.g. MapReduce [CTV15]
overview: constructions
overview: constructions
proof-carrying data (PCD)
non-uniform IVC (NIVC)
full recursion
accumulation scheme
incrementally verifiable computation (IVC)
atomic accumulation
split accumulation / folding scheme
[Val08]
[KS22]
[BCMS20]
[BCLMS21]
[BGH19]
[Chi10]
[BCTV14]
overview: constructions
overview: constructions
proof-carrying data (PCD)
non-uniform IVC (NIVC)
full recursion
accumulation scheme
incrementally verifiable computation (IVC)
atomic accumulation
split accumulation / folding scheme
[Val08]
[KS22]
[BCMS20]
[BCLMS21]
[BGH19]
[Chi10]
[BCTV14]
overview: constructions
overview: constructions
full recursion
zi
zi+1
πi
πi+1
F
wi
V(πi) = 1
zi+1 = F(zi; wi)
IVC prover
SNARK.Verify
overview: constructions
overview: constructions
full recursion
zi
zi+1
πi
πi+1
F
R
SNARK.Prove
wi
V(πi) = 1
zi+1 = F(zi; wi)
πi+1
IVC prover
SNARK.Verify
overview: constructions
overview: constructions
full recursion
zi
zi+1
πi
πi+1
F
R
SNARK.Prove
F
SNARK.Prove
R
wi
wi+1
V(πi) = 1
zi+1 = F(zi; wi)
πi+1
V(πi+1) = 1
zi+2 = F(zi+1; wi+1)
IVC prover
IVC prover
SNARK.Verify
SNARK.Verify
overview: constructions
overview: constructions
full recursion
zi
zi+1
πi
πi+1
F
R
SNARK.Prove
F
SNARK.Prove
R
zi+2
πi+2
wi
wi+1
V(πi) = 1
zi+1 = F(zi; wi)
πi+1
V(πi+1) = 1
zi+2 = F(zi+1; wi+1)
πi+2
IVC prover
IVC prover
SNARK.Verify
SNARK.Verify
overview: constructions
overview: constructions
full recursion
zi
zi+1
πi
πi+1
F
R
SNARK.Prove
F
SNARK.Prove
R
zi+2
πi+2
wi
wi+1
V(πi) = 1
zi+1 = F(zi; wi)
πi+1
V(πi+1) = 1
zi+2 = F(zi+1; wi+1)
πi+2
IVC prover
IVC prover
IVC verifier
zn
πn
z0
0/1
SNARK.Verify
SNARK.Verify
overview: constructions
full recursion: small-field FRI
image from https://www.risczero.com/news/continuations
overview: constructions
full recursion: small-field FRI
image from https://www.risczero.com/news/continuations
overview: constructions
full recursion: pairings over a cycle of elliptic curves [BCTV14]
zi
πq
F
V
R
SNARK.Prove
V
SNARK.Prove
F
R
zi+1
πr
wi
𝔽q
𝔽r
wi
e.g. MNT4/6 curves
overview: constructions
full recursion: pairings over a cycle of elliptic curves [BCTV14]
zi
πq
F
V
R
SNARK.Prove
V
SNARK.Prove
F
R
zi+1
πr
wi
𝔽q
𝔽r
wi
e.g. MNT4/6 curves
high concrete cost of pairing check!
overview: constructions
overview: constructions
proof-carrying data (PCD)
non-uniform IVC (NIVC)
full recursion
accumulation scheme
incrementally verifiable computation (IVC)
atomic accumulation
split accumulation / folding scheme
[Val08]
[KS22]
[BCMS20]
[BCLMS21]
[BGH19]
[Chi10]
[BCTV14]
overview: constructions
overview: constructions
atomic accumulation
F
zi
zi+1
wi
overview: constructions
overview: constructions
atomic accumulation
F
zi
zi+1
IVC prover
πi
πi+1
acci
acci+1
P
accumulation prover
wi
overview: constructions
overview: constructions
atomic accumulation
F
zi
zi+1
IVC prover
πi
πi+1
P
V
accumulation verifier
wi
acci
acci+1
overview: constructions
overview: constructions
atomic accumulation
F
zi
zi+1
IVC prover
πi
πi+1
P
V
R
SNARK.Prove
wi
acci
acci+1
overview: constructions
overview: constructions
atomic accumulation
IVC verifier
F
zi
zi+1
IVC prover
πi
πi+1
P
V
R
SNARK.Prove
wi
acci
acci+1
overview: constructions
overview: constructions
atomic accumulation
F
zi
zi+1
IVC prover
πi
πi+1
P
V
R
SNARK.Prove
wi
IVC verifier
D
zi+1
SNARK.Verify
acci
acci+1
overview: constructions
overview: constructions
proof-carrying data (PCD)
non-uniform IVC (NIVC)
full recursion
accumulation scheme
incrementally verifiable computation (IVC)
atomic accumulation
split accumulation / folding scheme
[Val08]
[KS22]
[BCMS20]
[BCLMS21]
[BGH19]
[Chi10]
[BCTV14]
overview: constructions
overview: constructions
overview: constructions
split accumulation / folding
F
zi
zi+1
wi
overview: constructions
overview: constructions
overview: constructions
split accumulation / folding
F
zi
zi+1
IVC prover
πi
ai
ai+1
P
wi
overview: constructions
overview: constructions
overview: constructions
split accumulation / folding
F
zi
zi+1
IVC prover
πi
ai
P
πx,i
πw,i
ax,i
aw,i
wi
ai+1
overview: constructions
overview: constructions
overview: constructions
split accumulation / folding
F
zi
zi+1
IVC prover
πi
ai
ai+1
P
V
R
πx,i
πw,i
ax,i
aw,i
wi
overview: constructions
overview: constructions
overview: constructions
split accumulation / folding
F
zi
zi+1
IVC prover
πi
πi+1
ai
ai+1
P
V
R
SNARK.Prove
IVC verifier
πx,i
πw,i
ax,i
aw,i
wi
overview: constructions
overview: constructions
overview: constructions
split accumulation / folding
F
zi
zi+1
IVC prover
πi
πi+1
ai
ai+1
P
V
R
SNARK.Prove
IVC verifier
D
NARK.Verify
πx,i
πw,i
ax,i
aw,i
wi
overview: constructions
overview: constructions
overview: constructions
zi
Fj
zi+1
wi
wi+1
Fj (wi,zi) = zi+1
non-uniform IVC (NIVC)
overview: constructions
overview: constructions
overview: constructions
non-uniform IVC (NIVC)
pci
zi
F'j
Fj
verifier
zi+1
wi
wi+1
pci+1
verifier:
overview: constructions
overview: constructions
overview: constructions
non-uniform IVC (NIVC)
πi
pci
zi
F'j
Fj
verifier
zi+1
wi
wi+1
πi+1
pci+1
verifier:
overview: constructions
overview: constructions
overview: constructions
non-uniform IVC (NIVC)
πi
ui
pci
zi
F'j
Fj
verifier
zi+1
wi
wi+1
πi+1
pci+1
ui claims the correctness of the ith step
verifier:
overview: constructions
overview: constructions
overview: constructions
non-uniform IVC (NIVC)
πi
ui
pci
zi
F'j
Fj
verifier
zi+1
wi
wi+1
πi+1
pci+1
verifier:
ui claims the correctness of the ith step
overview: constructions
overview: constructions
overview: constructions
non-uniform IVC (NIVC)
πi
ui
pci
zi
F'j
Fj
verifier
zi+1
wi
wi+1
πi+1
pci+1
ui claims the correctness of the ith step
verifier:
overview: constructions
overview: constructions
overview: constructions
non-uniform IVC (NIVC)
πi
ui
pci
zi
F'j
Fj
verifier
zi+1
wi
wi+1
πi+1
ui+1
pci+1
ui claims the correctness of the ith step
verifier:
overview: constructions
overview: constructions
overview: constructions
non-uniform IVC (NIVC)
πi
. . .
ui
Ui[0]
Ui[ℓ]
pci
zi
F'j
Fj
verifier
zi+1
wi
wi+1
Ui[j]
. . .
πi+1
. . .
ui+1
Ui+1[0]
Ui+1[ℓ]
Ui+1[j]
. . .
pci+1
ui claims the correctness of the ith step
Ui[j] attests to all prior i -1 iterations of F'j
verifier:
overview: constructions
overview: constructions
overview: constructions
non-uniform IVC (NIVC)
πi
. . .
ui
Ui[0]
Ui[ℓ]
pci
zi
F'j
Fj
verifier
zi+1
wi
wi+1
Ui[j]
. . .
πi+1
. . .
ui+1
Ui+1[0]
Ui+1[ℓ]
Ui+1[j]
. . .
pci+1
verifier:
ui claims the correctness of the ith step
Ui[j] attests to all prior i -1 iterations of F'j
agenda
comparison: implementations
shrinking proof size
IVC / PCD
full recursion
accumulation scheme / folding
comparison: recursion threshold
comparison: recursion threshold
comparison: recursion threshold
taken from Nico Mohnblatt’s presentation
protocol | relation | accumulator | “reduce” | “combine” |
halo2-IPA | PlonKish | IPA polycommit opening proofs | P: vanishing argument, multiopen argument, IPA | P: random linear combination and opening proof |
V: produce challenges, check multiopen argument, check logarithmic part of IPA | V: random linear combination and partial opening proof | |||
BCLMS21 | R1CS | Hadamard product vector commitment claims | P: commit to matrix-vector product | P: commit to error term |
V: none | V: add commitments w/ error | |||
Nova | R1CS | committed relaxed R1CS | P: commit to witness | P: commit to error term |
V: none | V: add commitments w/ error | |||
Sangria | PlonK | committed relaxed PlonK | P: commit to witness | P: commit to error term |
V: none | V: add commitments w/ error |
comparison: recursion threshold
taken from Nico Mohnblatt’s presentation
protocol | relation | accumulator | “reduce” | “combine” |
Nova | R1CS | committed relaxed R1CS | P: commit to witness | P: commit to error term |
V: none | V: add commitments w/ error | |||
HyperNova | CCS | linearised committed CCS | P: commit to witness | P: random linear combination |
P and V: run the sumcheck protocol | V: random linear combination | |||
ProtoStar | any relation w/ algebraic verifier | commitments to all messages and compressed verifier check | P: commit to each message | P: compute the compressed cross terms |
V: produce random challenges | V: add commitments and compressed cross terms |
comparison: recursion threshold
taken from Nico Mohnblatt’s presentation
protocol | relation | accumulator | “reduce” | “combine” |
Nova | R1CS | committed relaxed R1CS | P: commit to witness | P: commit to error term |
V: none | V: add commitments w/ error | |||
HyperNova | CCS | linearised committed CCS | P: commit to witness | P: random linear combination |
P and V: run the sumcheck protocol | V: random linear combination | |||
ProtoStar | any relation w/ algebraic verifier | commitments to all messages and compressed verifier check | P: commit to each message | P: compute the compressed cross terms |
V: produce random challenges | V: add commitments and compressed cross terms |
need additively homomorphic commitments!
comparison: security & cryptographic assumptions
Ui-2
fold
ui-2
Ui-1
comparison: security & cryptographic assumptions
Ui-2
fold
ui-2
Ui-1
ui-1
comparison: security & cryptographic assumptions
fold
Ui-2
fold
ui-2
Ui-1
ui-1
comparison: security & cryptographic assumptions
Ui-2
Ui-1
Ui
fold
fold
ui-2
ui-1
ui
comparison: security & cryptographic assumptions
Ui-2
Ui
fold
fold
ui-2
ui-1
ui
what if i provide a random U’ instead?
Ui-1
comparison: security & cryptographic assumptions
Ui-2
Ui
fold
fold
ui-2
ui-1
ui
Ui-1
.x = H(Ui-1)
check that ui-1 involved a fold which produced Ui-1
what if i provide a random U’ instead?
comparison: security & cryptographic assumptions
Ui-2
Ui
fold
fold
ui-2
ui-1
Ui-1
.x = H(Ui-1)
check that ui-1 involved a fold which produced Ui-1;
load new folding result Ui into new instance ui.
ui.x = H(Ui)
what if i provide a random U’ instead?
comparison: security & cryptographic assumptions
Ui+1
fold
ui+1.x = H(Ui+1)
Ui-2
Ui-1
Ui
fold
fold
ui-2.x = H(Ui-2)
ui-1.x = H(Ui-1)
ui.x = H(Ui)
check that ui-1 involved a fold which produced Ui-1;
load new folding result Ui into new instance ui.
this forms a hash chain ⇒ incremental computation
Ui+1
fold
ui+1.x = H(Ui+1)
Ui-2
Ui-1
Ui
fold
fold
ui-2.x = H(Ui-2)
ui-1.x = H(Ui-1)
ui.x = H(Ui)
these are in the wrong field!
Ui+1
fold
ui+1.x = H(Ui+1)
Ui-2
Ui-1
Ui
fold
fold
ui-2.x = H(Ui-2)
ui-1.x = H(Ui-1)
ui.x = H(Ui)
these are in the wrong field!
let’s use elliptic curve cycles
Ui(2)
fold
ui(1).x = H1(Ui(2))
Ui-1(2)
Ui-1(1)
fold
fold
ui-2(2).x = H2(Ui-2(1))
ui-1(1).x = H1(Ui-1(2))
ui-1(2).x = H2(Ui-1(1))
let’s use elliptic curve cycles
(and superscript by cycle index)
Ui-2(2)
Ui-2(1)
Ui(2)
fold
ui(1)
Ui-1(2)
Ui-1(1)
fold
fold
ui-2(2)
ui-1(1)
ui-1(2)
let’s use elliptic curve cycles
(and superscript by cycle index)
(and reformat for readability)
Ui-2(2)
Ui-2(1)
.x = H2(Ui-2(1))
.x = H1(Ui-1(2))
.x = H2(Ui-1(1))
.x = H1(Ui(2))
Ui(2)
fold
ui(1)
fold
fold
ui-2(2)
Ui-2(2)
Ui-2(1)
.x = H2(Ui-2(1))
.x = H1(Ui(2))
no access to Ui-1(2), can’t check hash
ui-1(2)
.x = H2(Ui-1(1))
Ui-1(2)
ui-1(1)
.x = H1(Ui-1(2))
Ui-1(1)
Ui(2)
fold
ui(1)
fold
fold
ui-2(2)
Ui-2(2)
Ui-2(1)
.x = H2(Ui-2(1))
.x = H1(Ui(2))
no access to Ui-1(2), can’t check hash
Ui-1(1)
“copy” over to next curve!
ui-1(2)
Ui-1(2)
ui-1(1)
.x = H1(Ui-1(2))
.x1 = H2(Ui-1(1))
.x0 = ui-1(1).x
Ui(2)
fold
ui(1)
fold
fold
ui-2(2)
Ui-2(2)
Ui-2(1)
.x = H2(Ui-2(1))
.x = H1(Ui(2))
Ui-1(1)
ui-1(2)
Ui-1(2)
ui-1(1)
.x1 = H2(Ui-1(1))
.x0 = ui-1(1).x1
.x0 = ui-2(2).x1
.x1 = H1(Ui-1(2))
“copy” over to next curve!
.x0 = ui-1(1).x1
.x1 = H1(Ui-1(2))
Ui(2)
fold
ui(1)
fold
fold
ui-2(2)
Ui-2(2)
Ui-2(1)
.x1 = H2(Ui-2(1))
Ui-1(1)
ui-1(2)
Ui-1(2)
ui-1(1)
.x1 = H2(Ui-1(1))
.x0 = ui-2(2).x1
.x0 = ui-2(1).x1
.x1 = H1(Ui(2))
.x0 = ui-1(2).x1
fold
.x0 = ui-1(1).x1
.x1 = H1(Ui-1(2))
Ui(2)
fold
ui(1)
fold
fold
ui-2(2)
Ui-2(2)
Ui-2(1)
.x1 = H2(Ui-2(1))
Ui-1(1)
ui-1(2)
Ui-1(2)
ui-1(1)
.x1 = H2(Ui-1(1))
.x0 = ui-2(2).x1
.x0 = ui-2(1).x1
.x1 = H1(Ui(2))
.x0 = ui-1(2).x1
Ui(1)
.x0 = ui(1).x1
ui(2)
.x1 = H2(Ui(1))
fold
.x0 = ui-1(1).x1
.x1 = H1(Ui-1(2))
Ui(2)
fold
ui(1)
fold
fold
ui-2(2)
Ui-2(2)
Ui-2(1)
.x1 = H2(Ui-2(1))
Ui-1(1)
ui-1(2)
Ui-1(2)
ui-1(1)
.x1 = H2(Ui-1(1))
.x0 = ui-2(2).x1
.x0 = ui-2(1).x1
.x1 = H1(Ui(2))
.x0 = ui-1(2).x1
Ui(1)
.x0 = ui(1).x1
ui(2)
.x1 = H2(Ui(1))
fold
.x0 = ui-1(1).x1
.x1 = H1(U⟂(2))
Ui(2)
fold
ui(1)
fold
fold
ui-2(2)
U⟂(1)
.x1 = H2(Ui-2(1))
Ui-1(1)
ui-1(2)
Ui-1(2)
ui-1(1)
.x1 = H2(Ui-1(1))
.x0 = H2(U⟂(1))
.x0 = ui-2(1).x1
.x1 = H1(Ui(2))
.x0 = ui-1(2).x1
Ui(1)
.x0 = ui(1).x1
ui(2)
.x1 = H2(Ui(1))
Ui-2(2)
fold
.x0 = ui-1(1).x1
.x1 = H1(U⟂(2))
Ui(2)
fold
ui(1)
fold
fold
ui-2(2)
U⟂(1)
.x1 = H2(Ui-2(1))
Ui-1(1)
ui-1(2)
Ui-1(2)
ui-1(1)
.x1 = H2(Ui-1(1))
.x0 = H2(U⟂(1))
.x0 = ui-2(1).x1
.x1 = H1(Ui(2))
.x0 = ui-1(2).x1
Ui(1)
.x0 = ui(1).x1
ui(2)
.x1 = H2(Ui(1))
Ui-2(2)
fold
.x0 = ui-1(1).x1
.x1 = H1(U⟂(2))
Ui(2)
fold
ui(1)
fold
fold
ui-2(2)
U⟂(1)
.x1 = H2(Ui-2(1))
Ui-1(1)
ui-1(2)
U⟂(2)
ui-1(1)
.x1 = H2(Ui-1(1))
.x0 = H2(U⟂(1))
.x0 = ui-2(1).x1
.x1 = H1(Ui(2))
.x0 = ui-1(2).x1
Ui(1)
.x0 = ui(1).x1
ui(2)
.x1 = H2(Ui(1))
Ui-2(2)
fold
.x0 = ui-1(1).x1
.x1 = H1(Ui-1(2))
Ui(2)
fold
ui(1)
fold
U⟂(1)
Ui-1(1)
ui-1(2)
Ui-1(2)
ui-1(1)
.x1 = H2(U⟂(1))
.x0 = ui-2(2).x1
.x1 = H1(Ui(2))
.x0 = ui-1(2).x1
Ui(1)
.x0 = ui(1).x1
ui(2)
.x1 = H2(Ui(1))
Ui(1)
.x0 = ui-1(1).x1
.x1 = H1(Ui-1(2))
Ui(2)
fold
fold
Ui-2(1)
Ui-1(1)
ui-1(2)
Ui-1(2)
ui-1(1)
.x1 = H2(Ui-1(1))
.x0 = ui-2(2).x1
ui(2).x0 = H1(Ui(2)) was not checked!
fold
ui(2)
.x1 = H2(Ui(1))
.x0 = ui(1).x1
.x1 = H1(Ui(2))
ui(1)
.x0 = ui-1(2).x1
Ui(1)
.x0 = ui-1(1).x1
.x1 = H1(Ui-1(2))
Ui(2)
fold
fold
Ui-2(1)
Ui-1(1)
ui-1(2)
Ui-1(2)
ui-1(1)
.x1 = H2(Ui-1(1))
.x0 = ui-2(2).x1
ui(2).x0 = H1(Ui(2)) was not checked!
instead, ui(1).x1, ui(2).x1 were checked
fold
ui(2)
.x1 = H2(Ui(1))
.x1 = H1(Ui(2))
.x0 = ui(1).x1
ui(1)
.x0 = ui-1(2).x1
fold
.x0 = ui-1(1).x1
.x1 = H1(Ui-1(2))
Ui(2)
fold
ui(1)
fold
Ui-2(1)
Ui-1(1)
ui-1(2)
Ui-1(2)
ui-1(1)
.x1 = H2(Ui-1(1))
.x0 = ui-2(2).x1
.x1 = H1(Ui(2))
.x0 = ui-1(2).x1
Ui(1)
.x0 = ui(1).x1
ui(2)
.x1 = H2(Ui(1))
fold
fold
.x0 = ui-1(1).x1
.x1 = H1(Ui-1(2))
Ui(2)
fold
ui(1)
fold
Ui-2(1)
Ui-1(1)
ui-1(2)
Ui-1(2)
ui-1(1)
.x1 = H2(Ui-1(1))
.x0 = ui-2(2).x1
.x1 = H1(Ui(2))
.x0 = ui-1(2).x1
Ui(1)
.x0 = ui(1).x1
ui(2)
.x1 = H2(Ui(1))
.x1 = H2(Ui-1(1))
fold
.x0 = ui-1(1).x1
.x1 = H1(Ui-1(2))
Ui(2)
fold
ui(1)
fold
Ui-2(1)
Ui-1(1)
ui-1(2)
Ui-1(2)
ui-1(1)
.x1 = H2(Ui-1(1))
.x0 = ui-2(2).x1
.x1 = H1(Ui(2))
.x0 = ui-1(2).x1
Ui(1)
.x0 = ui(1).x1
ui(2)
.x1 = H2(Ui(1))
fold
fold
.x0 = ui-1(1).x1
.x1 = H1(Ui-1(2))
Ui(2)
fold
fold
Ui-2(1)
Ui-1(1)
ui-1(2)
Ui-1(2)
ui-1(1)
.x1 = H2(Ui-1(1))
.x0 = ui-2(2).x1
Ui(1)
.x0 = ui(1).x1
ui(2)
.x1 = H2(Ui(1))
fix #1: remove ui(1) output from IVC proof
fold
.x0 = ui-1(1).x1
.x1 = H1(Ui-1(2))
Ui(2)
fold
fold
Ui-2(1)
Ui-1(1)
ui-1(2)
Ui-1(2)
ui-1(1)
.x1 = H2(Ui-1(1))
.x0 = ui-2(2).x1
.x1 = H1(Ui(2))
Ui(1)
.x0 = ui(1).x1
ui(2)
.x1 = H2(Ui(1))
fix #1: remove ui(1) output from IVC proof
fix #2: check ui(2).x0 = H1(Ui(2))
comparison: support for lookup arguments
cq only works with KZG commitment scheme!
agenda
future work
tooling & interfaces
future work
tooling & interfaces
benchmarking
future work
tooling & interfaces
benchmarking
standards & specifications
future work
tooling & interfaces
benchmarking
standards & specifications
security