2021 Nov 05


*Special thanks to Justin Drake and Sean Bowe for wonderfully pedantic and thoughtful feedback and review, and to Pratyush Mishra for discussion that contributed to the original IPA exposition.*

Readers who have been following the ZK-SNARK space closely should by now be familiar with the high-level idea of how ZK-SNARKs work. ZK-SNARKs are based on checking equations where the elements going into the equations are mathematical abstractions like polynomials (or in rank-1 constraint systems, matrices and vectors) that can hold a lot of data. There are three major families of cryptographic technologies that allow us to represent these abstractions succinctly: Merkle trees (for FRI), regular elliptic curves (for inner product arguments (IPAs)), and elliptic curves with pairings and trusted setups (for KZG commitments). These three technologies lead to the three types of proofs: FRI leads to STARKs, KZG commitments lead to "regular" SNARKs, and IPA-based schemes lead to bulletproofs. These three technologies have very distinct tradeoffs:

| | Cryptographic assumptions | Proof size | Verification time |
| --- | --- | --- | --- |
| FRI | Hashes only (quantum safe!) | Large (10-200 kB) | Medium (poly-logarithmic) |
| Inner product arguments (IPAs) | Basic elliptic curves | Medium (1-3 kB) | Very high (linear) |
| KZG commitments | Elliptic curves + pairings + trusted setup | Short (~500 bytes) | Low (constant) |

So far, the first and the third have seen the most attention. The reason for this has to do with that pesky right column in the second row of the table: elliptic curve-based inner product arguments have linear verification time. What this means is that even though the *size* of a proof is small, the amount of time needed to verify the proof is always longer than just running the computation yourself. This makes IPAs non-viable for scalability-related ZK-SNARK use cases: there's no point in using an IPA-based argument to prove the validity of an Ethereum block, because verifying the proof will take longer than just checking the block yourself. KZG and FRI-based proofs, on the other hand, really are much faster to verify than doing the computation yourself, so one of those two seems like the obvious choice.

**More recently, however, there has been a slew of research into techniques for merging multiple IPA proofs into one.** Much of the initial work on this was done as part of designing the Halo protocol, which is going into Zcash. These merging techniques are cheap, and a merged proof takes no longer to verify than a single one of the proofs that it is merging. This opens a way forward for IPAs to be useful: instead of verifying a size-(n) computation with a proof that still takes (O(n)) time to verify, break that computation up into smaller size-(k) steps, make (\frac{n}{k}) proofs for each step, and merge them together so the verifier's work goes down to a little more than (O(k)). These techniques also allow us to do *incremental verification*: if new things keep being introduced that need to be proven, you can just keep taking the existing proof, mixing it in with a proof of the new statement, and getting a proof of the new combined statement out. This is really useful for verifying the integrity of, say, an entire blockchain.

So how do these techniques work, and what can they do? That's exactly what this post is about.


## Background: how do inner product arguments work?

Inner product arguments are a proof scheme that can work over many mathematical structures, but typically we focus on IPAs over elliptic curve points. IPAs can be made over simple elliptic curves, theoretically even Bitcoin and Ethereum's secp256k1 (though some special properties are preferred to make FFTs more efficient); no need for insanely complicated pairing schemes that, despite my having written an explainer article and an implementation, I can still barely understand myself.

We'll start off with the commitment scheme, typically called **Pedersen vector commitments**. To be able to commit to degree (< n) polynomials, we first publicly choose a set of base points, (G_0 \ldots G_{n-1}). These points can be generated through a pseudo-random procedure that can be re-executed by anyone (eg. the x coordinate of (G_i) can be (hash(i, j)) for the lowest integer (j \ge 0) that produces a valid point); this is *not* a trusted setup, as it does not rely on any specific party to introduce secret information.

To commit to a polynomial (P(x) = \sum_i c_i x^i), the prover computes (com(P) = \sum_i c_i G_i). For example, (com(x^2 + 4)) would equal (G_2 + 4 * G_0) (remember, the (+) and (*) here are elliptic curve addition and multiplication). Cryptographers will also often add an extra (r \cdot H) hiding parameter for privacy, but for simplicity of exposition we'll ignore privacy for now; in general, it is not that hard to add privacy into all of these schemes.
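The commitment step can be sketched in code. Here the "points" are plain integers mod a prime, with point addition as modular addition and scalar multiplication as modular multiplication: an *insecure* toy stand-in for elliptic curve points (discrete logs are trivial in this group), chosen only so the linear structure of the scheme is runnable without a curve library. The prime, seed, and function names are made up for illustration.

```python
import random

P = 2**61 - 1  # a prime, standing in for the curve group's order


def gen_base_points(n, seed=42):
    # Publicly re-derivable "base points" G_0 ... G_{n-1}; anyone can
    # re-run this procedure, so there is no trusted setup.
    rng = random.Random(seed)
    return [rng.randrange(1, P) for _ in range(n)]


def commit(coeffs, G):
    # com(P) = sum_i c_i * G_i  -- a single group element
    return sum(c * g for c, g in zip(coeffs, G)) % P


G = gen_base_points(4)
# P(x) = x^2 + 4  has coefficient vector [4, 0, 1, 0]
C = commit([4, 0, 1, 0], G)
assert C == (G[2] + 4 * G[0]) % P  # matches com(x^2 + 4) = G_2 + 4*G_0
```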

*Though it's not really mathematically accurate to think of elliptic curve points as being like real numbers that have sizes, area is nevertheless a good intuition for thinking about linear combinations of elliptic curve points like we use in these commitments. The blue area here is the value of the Pedersen commitment (C = \sum_i c_i G_i) to the polynomial (P = \sum_i c_i x^i).*

Now, let's get into how the proof works. **Our final goal will be a polynomial evaluation proof**: given some (z), we want to make a proof that (P(z) = a), where this proof can be verified by anyone who has the commitment (C = com(P)). **But first, we'll focus on a simpler task: proving that (C) is a valid commitment to any polynomial at all** – that is, proving that (C) was constructed by taking a linear combination (\sum_i c_i G_i) of the points (G_0 \ldots G_{n-1}), without anything else mixed in.

Of course, technically *any* point is some multiple of (G_0) and so it is theoretically a valid commitment of something, but what we care about is proving that the prover *knows* some (c_0 \ldots c_{n-1}) such that (\sum_i c_i G_i = C). A commitment (C) cannot commit to multiple distinct polynomials *that the prover knows about*, because if it could, that would imply that elliptic curves are broken.

The prover *could*, of course, just provide (c_0 \ldots c_{n-1}) directly and let the verifier check the commitment. But this takes too much space. So instead, we try to reduce the problem to a smaller problem of half the size. The prover provides two points, (L) and (R), representing the yellow and green areas in this diagram:

You may be able to see where this is going: if you add (C + L + R) together (remember: (C) was the original commitment, so the blue area), the new combined point can be expressed as a sum of *four* squares instead of eight. And so now, the prover could finish by providing only four sums, the widths of each of the new squares. Repeat this protocol two more times, and we are down to a single full square, which the prover can prove by sending a single value representing its width.

But there's a problem: if (C) is incorrect in some way (eg. the prover added some extra point (H) into it), then the prover could just subtract (H) from (L) or (R) to compensate for it. We plug this hole by randomly scaling our points after the prover provides (L) and (R):

Choose a random factor (\alpha) (typically, we set (\alpha) to be the hash of all data added to the proof so far, including the (L) and (R), to ensure the verifier can also compute (\alpha)). Every even (G_i) point gets scaled up by (\alpha), every odd (G_i) point gets scaled *down* by the same factor. Every odd coefficient gets scaled up by (\alpha) (notice the flip), and every even coefficient gets scaled down by (\alpha). Now, notice that:

- The yellow area ((L)) gets multiplied by (\alpha^2) (because every yellow square is scaled up by (\alpha) on both dimensions)
- The green area ((R)) gets divided by (\alpha^2) (because every green square is scaled down by (\alpha) on both dimensions)
- The blue area ((C)) remains unchanged (because its width is scaled up but its height is scaled down)

Hence, we can generate our new half-size instance of the problem with some simple transformations:

- (G'_i = \alpha G_{2i} + \frac{G_{2i+1}}{\alpha})
- (c'_i = \frac{c_{2i}}{\alpha} + \alpha c_{2i+1})
- (C' = C + \alpha^2 L + \frac{R}{\alpha^2})

(Note: in some implementations you instead do (G'_i = \alpha G_{2i} + G_{2i+1}) and (c'_i = c_{2i} + \alpha c_{2i+1}) without dividing the odd points by (\alpha). This makes the equation (C' = \alpha C + \alpha^2 L + R), which is less symmetric, but ensures that the function to compute any (G') in any round of the protocol becomes a polynomial without any division. Yet *another* alternative is to do (G'_i = \alpha G_{2i} + G_{2i+1}) and (c'_i = c_{2i} + \frac{c_{2i+1}}{\alpha}), which avoids any (\alpha^2) terms.)
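One halving round can be sketched and its key invariant checked numerically: the folded commitment (C' = C + \alpha^2 L + \frac{R}{\alpha^2}) really is the commitment to the folded coefficients under the folded base. As before, this uses an *insecure* toy group (integers mod a prime) standing in for elliptic curve points; all names here are illustrative.

```python
import random

P = 2**61 - 1  # prime modulus of the toy group
inv = lambda x: pow(x, P - 2, P)  # modular inverse (valid since P is prime)


def fold_round(cs, Gs, alpha):
    n = len(cs)
    # L: odd coefficients against even base points (the "yellow" cross term)
    L = sum(cs[i + 1] * Gs[i] for i in range(0, n, 2)) % P
    # R: even coefficients against odd base points (the "green" cross term)
    R = sum(cs[i] * Gs[i + 1] for i in range(0, n, 2)) % P
    # G'_i = alpha*G_{2i} + G_{2i+1}/alpha ; c'_i = c_{2i}/alpha + alpha*c_{2i+1}
    Gs2 = [(alpha * Gs[i] + inv(alpha) * Gs[i + 1]) % P for i in range(0, n, 2)]
    cs2 = [(inv(alpha) * cs[i] + alpha * cs[i + 1]) % P for i in range(0, n, 2)]
    return cs2, Gs2, L, R


rng = random.Random(0)
Gs = [rng.randrange(1, P) for _ in range(8)]
cs = [rng.randrange(P) for _ in range(8)]
C = sum(c * g for c, g in zip(cs, Gs)) % P

alpha = rng.randrange(1, P)
cs2, Gs2, L, R = fold_round(cs, Gs, alpha)
C2 = (C + alpha**2 * L + inv(alpha**2 % P) * R) % P
# Invariant: C' commits to the half-size instance under the new base
assert C2 == sum(c * g for c, g in zip(cs2, Gs2)) % P
```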

And then we repeat the process until we get down to one point:

Finally, we have a size-1 problem: prove that the final modified (C^*) (in this diagram it's (C''') because we had to do three iterations, but it's (\log(n)) iterations in general) matches the final modified (G^*_0) and (c^*_0). Here, the prover just provides (c^*_0) in the clear, and the verifier checks (c^*_0 G^*_0 = C^*). Computing (c^*_0) required being able to compute a linear combination of (c_0 \ldots c_{n-1}) that was not known ahead of time, so providing it and verifying it convinces the verifier that the prover actually does know all the coefficients that go into the commitment. This concludes the proof.

### Recapping:

- The statement we are proving is that (C) is a commitment to *some* polynomial (P(x) = \sum_i c_i x^i) committed to using the agreed-upon base points (G_0 \ldots G_{n-1})
- The proof consists of (\log(n)) pairs of ((L, R)) values, representing the yellow and green areas at each step. The prover also provides the final (c^*_0)
- The verifier walks through the proof, generating the (\alpha) value at each step using the same algorithm as the prover and computing the new (C') and (G'_i) values (the verifier does not know the (c_i) values, so they cannot compute any (c'_i) values)
- At the end, they check whether or not (c^*_0 G^*_0 = C^*)

On the whole, the proof contains (2 * \log(n)) elliptic curve points and one number (for pedants: one *field element*). Verifying the proof takes logarithmic time in every step except one: computing the new (G'_i) values. This step is, unfortunately, linear.

*See also: Dankrad Feist's more detailed explanation of inner product arguments.*

### Extension to polynomial evaluations

We can extend the above to polynomial evaluations with a simple clever trick. Suppose we are trying to prove (P(z) = a). The prover and the verifier can extend the base points (G_0 \ldots G_{n-1}) by attaching powers of (z) to them: the new base points become ((G_0, 1), (G_1, z) \ldots (G_{n-1}, z^{n-1})). These pairs can be treated as mathematical objects (for pedants: *group elements*) much like elliptic curve points themselves; to add them you do so element-by-element: ((A, x) + (B, y) = (A + B, x + y)), using elliptic curve addition for the points and regular field addition for the numbers.

We can make a Pedersen commitment using this extended base!

Now, here is a puzzle. Suppose (P(x) = \sum_i c_i x^i), where (P(z) = a), would have a commitment (C = \sum_i c_i G_i) if we were to use the regular elliptic curve points we used before as a base. If we use the pairs ((G_i, z^i)) as a base instead, the commitment would be ((C, y)) for some (y). What must the value of (y) be?

The answer is: it must be equal to (a)! This is easy to see: the commitment is ((C, y) = \sum_i c_i (G_i, z^i)), which we can decompose as ((\sum_i c_i G_i, \sum_i c_i z^i)). The former is equal to (C), and the latter is just the evaluation (P(z))!

Hence, if (C) is a "regular" commitment to (P) using (G_0 \ldots G_{n-1}) as a base, then to prove that (P(z) = a) we need only use the same protocol above, but proving that ((C, a)) is a valid commitment using ((G_0, 1), (G_1, z) \ldots (G_{n-1}, z^{n-1})) as a base!
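The extended-base trick can be checked directly in code: if (C) commits to (P) under the plain base, then the commitment under the pair base ((G_i, z^i)) comes out to exactly ((C, P(z))). Same caveat as before: the group here is integers mod a prime, an insecure toy stand-in for curve points, and the names are illustrative.

```python
import random

P = 2**61 - 1
rng = random.Random(1)
n = 4
G = [rng.randrange(1, P) for _ in range(n)]


def commit_pairs(coeffs, base_pairs):
    # Pair addition is componentwise, so the commitment splits into
    # (sum c_i * G_i, sum c_i * z^i)
    x = sum(c * g for c, (g, _) in zip(coeffs, base_pairs)) % P
    y = sum(c * zi for c, (_, zi) in zip(coeffs, base_pairs)) % P
    return (x, y)


coeffs = [rng.randrange(P) for _ in range(n)]  # P(x) = sum_i c_i x^i
z = rng.randrange(P)
ext_base = [(G[i], pow(z, i, P)) for i in range(n)]

C = sum(c * g for c, g in zip(coeffs, G)) % P                 # plain commitment
a = sum(c * pow(z, i, P) for i, c in enumerate(coeffs)) % P   # the evaluation P(z)
assert commit_pairs(coeffs, ext_base) == (C, a)
```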

Note that in practice, this is usually done slightly differently as an optimization: instead of attaching the numbers to the points and explicitly dealing with structures of the form ((G_i, z^i)), we add another randomly chosen base point (H) and express the pair as (G_i + z^i H). This saves space.

**See here for an example implementation of this whole protocol.**

## So, how do we combine these proofs?

Suppose that you are given two polynomial evaluation proofs, with different polynomials and different evaluation points, and want to make a proof that they are both correct. You have:

- Proof (\Pi_1) proving that (P_1(z_1) = y_1), where (P_1) is represented by (com(P_1) = C_1)
- Proof (\Pi_2) proving that (P_2(z_2) = y_2), where (P_2) is represented by (com(P_2) = C_2)

Verifying each proof takes linear time. We want to make a proof that proves that both proofs are correct. This will still take linear time, but the verifier will only have to make *one* round of linear-time verification instead of two.

We start off with an observation. The only linear-time step in performing the verification of the proofs is computing the (G'_i) values. This is (O(n)) work because you have to combine (\frac{n}{2}) pairs of (G_i) values into (G'_i) values, then (\frac{n}{4}) pairs of (G'_i) values into (G''_i) values, and so on, for a total of (n) combinations of pairs. But if you look at the algorithm carefully, you will notice that *we don't actually need any of the intermediate (G'_i) values; we only need the final (G^*_0)*. This (G^*_0) is a linear combination of the initial (G_i) values. What are the coefficients of that linear combination? It turns out that the (G_i) coefficient is the (X^i) term of this polynomial:

[(X + \alpha_1) * (X^2 + \alpha_2) * \ldots * (X^{\frac{n}{2}} + \alpha_{\log(n)})]

This is using the (C' = \alpha C + \alpha^2 L + R) version we talked about above. The ability to directly compute (G^*_0) as a linear combination already cuts down our work to (O(\frac{n}{\log(n)})) due to fast linear combination algorithms, but we can go further.

The above polynomial has degree (n - 1), with (n) nonzero coefficients. But its un-expanded form has size (\log(n)), and so you can *evaluate* the polynomial at any point in (O(\log(n))) time. Furthermore, you might notice that (G^*_0) is a commitment to this polynomial, so we can directly *prove* evaluations! So here is what we do:

- The prover computes the above polynomial for each proof; we'll call these polynomials (K_1) with (com(K_1) = D_1) and (K_2) with (com(K_2) = D_2). In a "normal" verification, the verifier would be computing (D_1) and (D_2) themselves, as these are just the (G^*_0) values for their respective proofs. Here, the prover provides (D_1) and (D_2) and the rest of the work is proving that they are correct.
- To prove the correctness of (D_1) and (D_2), we'll prove that they are correct at a random point. We choose a random point (t), and evaluate both (e_1 = K_1(t)) and (e_2 = K_2(t))
- The prover generates a random linear combination (L(x) = K_1(x) + rK_2(x)) (and the verifier can generate (com(L) = D_1 + rD_2)). The prover now just needs to make a single proof that (L(t) = e_1 + re_2).

The verifier still needs to do a bunch of extra steps, but all of those steps take either (O(1)) or (O(\log(n))) work: evaluate (e_1 = K_1(t)) and (e_2 = K_2(t)), calculate the (\alpha_i) coefficients of both (K_i) polynomials in the first place, do the elliptic curve addition (com(L) = D_1 + rD_2). But this all takes vastly less than linear time, so all in all we still benefit: the verifier only needs to do the linear-time step of computing a (G^*_0) point themselves once.
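The claim that these (K) polynomials can be evaluated in (O(\log(n))) time despite having (n) coefficients can be sketched as follows: the product form ((X + \alpha_1)(X^2 + \alpha_2) \cdots) only needs one squaring and one multiply per factor. The (O(n)) expansion is included purely as a cross-check; the field and values are illustrative.

```python
import random

P = 2**61 - 1  # toy prime field


def eval_K(alphas, t):
    # O(log n): walk the product form, squaring t each round
    acc, power = 1, t
    for a in alphas:
        acc = acc * (power + a) % P
        power = power * power % P
    return acc


def expand_K(alphas):
    # O(n) reference: expand (X + a_1)(X^2 + a_2)... into coefficients
    coeffs, deg = [1], 1
    for a in alphas:
        new = [c * a % P for c in coeffs] + [0] * deg
        for i, c in enumerate(coeffs):
            new[i + deg] = (new[i + deg] + c) % P
        coeffs, deg = new, deg * 2
    return coeffs  # coeffs[i] is the X^i term


rng = random.Random(2)
alphas = [rng.randrange(1, P) for _ in range(3)]  # log(n) = 3, so n = 8
t = rng.randrange(P)
coeffs = expand_K(alphas)
direct = sum(c * pow(t, i, P) for i, c in enumerate(coeffs)) % P
assert eval_K(alphas, t) == direct  # both evaluation routes agree
```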

This technique can easily be generalized to merge (m > 2) proofs.
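The merging step leans on one fact worth seeing concretely: Pedersen-style commitments are linear, so the verifier can derive (com(L) = D_1 + rD_2) from the commitments alone, without ever seeing (K_1) or (K_2). A toy check (again in the insecure integers-mod-prime stand-in group, with illustrative names):

```python
import random

P = 2**61 - 1
rng = random.Random(3)
n = 8
G = [rng.randrange(1, P) for _ in range(n)]
commit = lambda cs: sum(c * g for c, g in zip(cs, G)) % P

K1 = [rng.randrange(P) for _ in range(n)]  # prover-side polynomials
K2 = [rng.randrange(P) for _ in range(n)]
D1, D2 = commit(K1), commit(K2)           # what the verifier holds

r = rng.randrange(1, P)
L = [(a + r * b) % P for a, b in zip(K1, K2)]  # prover's combination K1 + r*K2
assert commit(L) == (D1 + r * D2) % P          # verifier's commitment-only shortcut
```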

## From merging IPAs to merging IPA-based SNARKs: Halo

Now, we get into the core mechanic of the Halo protocol being integrated into Zcash, which uses this proof-combining technique to create a recursive proof system. The setup is simple: suppose you have a chain, where each block has an associated IPA-based SNARK (see here for how generic SNARKs from polynomial commitments work) proving its correctness. You want to create a new block, building on top of the previous tip of the chain. The new block should have its own IPA-based SNARK proving the correctness of the block. In fact, this proof should cover both the correctness of the new block *and* the correctness of the previous block's proof of the correctness of the entire chain before it.

IPA-based proofs by themselves cannot do this, because a proof of a statement takes longer to verify than checking the statement itself, so a proof of a proof will take even longer to verify than both proofs separately. But proof merging can do it!

Essentially, we use the usual "recursive SNARK" technique to verify the proofs, except the "proof of a proof" part is only proving the logarithmic part of the work. We add an extra chain of aggregate proofs, using a trick similar to the proof-merging scheme above, to handle the linear part of the work. To verify the whole chain, the verifier need only verify one linear-time proof at the very tip of the chain.

The precise details are somewhat different from the exact proof-combining trick in the previous section, for efficiency reasons. Instead of using the proof-combining trick to combine multiple proofs, we apply it to a *single* proof, just to re-randomize the point that the polynomial committed to by (G^*_0) needs to be evaluated at. We then use the *same* newly chosen evaluation point to evaluate the polynomials in the proof of the block's correctness, which allows us to prove the polynomial evaluations together in a single IPA.

Expressed in math:

- Let (P(z) = a) be the previous statement that needs to be proven
- The prover generates (G^*_0)
- The prover proves the correctness of the new block plus the logarithmic work in the previous statements by generating a PLONK proof: (Q_L * A + Q_R * B + Q_O * C + Q_M * A * B + Q_C = Z * H)
- The prover chooses a random point (t), and proves the evaluation of a linear combination of (G^*_0, Q_L, A, Q_R, B, Q_O, C, Q_M, Q_C, Z, H) at (t). We can then check the above equation, replacing each polynomial with its now-verified evaluation at (t), to verify the PLONK proof.

### Incremental verification, more generally

The size of each "step" does not need to be a full block verification; it could be something as small as a single step of a virtual machine. The smaller the steps the better: it ensures that the linear work that the verifier ultimately has to do at the end is less. The only lower bound is that each step needs to be big enough to contain a SNARK verifying the (\log(n)) portion of the work of a step.

But regardless of the fine details, this mechanism allows us to make succinct and easy-to-verify SNARKs, including easy support for recursive proofs that allow you to extend proofs in real time as the computation extends, and even have different provers do different parts of the proving work, all without pairings or a trusted setup! The main downside is some extra technical complexity, compared with a "simple" polynomial-based proof using eg. KZG-based commitments.

| | Cryptographic assumptions | Proof size | Verification time |
| --- | --- | --- | --- |
| FRI | Hashes only (quantum safe!) | Large (10-200 kB) | Medium (poly-logarithmic) |
| Inner product arguments (IPAs) | Basic elliptic curves | Medium (1-3 kB) | Very high (linear) |
| KZG commitments | Elliptic curves + pairings + trusted setup | Short (~500 bytes) | Low (constant) |
| IPA + Halo-style aggregation | Basic elliptic curves | Medium (1-3 kB) | Medium (constant but higher than KZG) |

## Not just polynomials! Merging R1CS proofs

A common alternative to building SNARKs out of polynomial games is building SNARKs out of matrix-vector multiplication games. Polynomials and vectors+matrices are both natural bases for SNARK protocols because they are mathematical abstractions that can store and compute over large amounts of data at the same time, and that admit commitment schemes that allow verifiers to check equations quickly.

In R1CS (see a more detailed description here), an instance of the game consists of three matrices (A), (B), (C), and a solution is a vector (Z) such that ((A \cdot Z) \circ (B \cdot Z) = C \cdot Z) (in practice the problem is often restricted further by requiring the prover to make part of (Z) public and requiring the last entry of (Z) to be 1).
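A minimal satisfaction check for this equation can be sketched in a few lines. The instance below is made up for illustration: it encodes the single constraint (z_1 * z_1 = z_2) over a small field, with the constant 1 placed at the front of (Z).

```python
P = 97  # a small prime field, chosen for readability


def mat_vec(M, v):
    # Matrix-vector product over the field
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]


def r1cs_holds(A, B, C, Z):
    # Check (A.Z) o (B.Z) = C.Z, where "o" is elementwise multiplication
    left = [a * b % P for a, b in zip(mat_vec(A, Z), mat_vec(B, Z))]
    return left == mat_vec(C, Z)


# Z = [1, z1, z2]; the single constraint says z1 * z1 = z2
A = [[0, 1, 0]]
B = [[0, 1, 0]]
C = [[0, 0, 1]]
assert r1cs_holds(A, B, C, [1, 5, 25])       # 5*5 = 25: satisfied
assert not r1cs_holds(A, B, C, [1, 5, 26])   # 5*5 != 26: rejected
```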

*An R1CS instance with a single constraint (so (A), (B) and (C) have width 1), with a satisfying (Z) vector, though notice that here the (Z) appears on the left and has the 1 in the top position instead of the bottom.*

Just like with polynomial-based SNARKs, this R1CS game can be turned into a proof scheme by creating commitments to (A), (B) and (C), requiring the prover to provide a commitment to (the private portion of) (Z), and using fancy proving tricks to prove the equation ((A \cdot Z) \circ (B \cdot Z) = C \cdot Z), where (\circ) is item-by-item multiplication, without fully revealing any of these objects. And just like with IPAs, this R1CS game has a proof-merging scheme!

Ioanna Tzialla et al describe such a scheme in a recent paper (see pages 8-9 for their description). They first modify the game by introducing an expanded equation:

[(A \cdot Z) \circ (B \cdot Z) - u * (C \cdot Z) = E]

For a "base" instance, (u = 1) and (E = 0), so we get back the original R1CS equation. The extra slack variables are added to make aggregation possible; aggregated instances may have other values of (u) and (E). Now, suppose that you have two solutions to the same instance, though with different (u) and (E) variables:

[(A \cdot Z_1) \circ (B \cdot Z_1) - u_1 * (C \cdot Z_1) = E_1]

[(A \cdot Z_2) \circ (B \cdot Z_2) - u_2 * (C \cdot Z_2) = E_2]

The trick involves taking a random linear combination (Z_3 = Z_1 + r Z_2), and making the equation work with this new value. First, let's evaluate the left side:

[(A \cdot (Z_1 + rZ_2)) \circ (B \cdot (Z_1 + rZ_2)) - (u_1 + ru_2) * (C \cdot (Z_1 + rZ_2))]

This expands into the following (grouping the (1), (r) and (r^2) terms together):

[(A \cdot Z_1) \circ (B \cdot Z_1) - u_1 * (C \cdot Z_1)]

[r((A \cdot Z_1) \circ (B \cdot Z_2) + (A \cdot Z_2) \circ (B \cdot Z_1) - u_1 * (C \cdot Z_2) - u_2 * (C \cdot Z_1))]

[r^2((A \cdot Z_2) \circ (B \cdot Z_2) - u_2 * (C \cdot Z_2))]

The first term is just (E_1); the third term is (r^2 * E_2). The middle term is very similar to the cross-term (the yellow + green areas) near the very start of this post. The prover simply provides the middle term (without the (r) factor), and just like in the IPA proof, the randomization forces the prover to be honest.
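The folding algebra above can be checked numerically: with (Z_3 = Z_1 + rZ_2), (u_3 = u_1 + ru_2), and the cross term (T) absorbed as (E_3 = E_1 + rT + r^2 E_2), the relaxed equation still holds. This sketch uses a made-up random instance and omits the commitments entirely, so it shows only the arithmetic identity, not the full Tzialla et al protocol.

```python
import random

P = 2**61 - 1  # toy prime field


def mat_vec(M, v):
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]


def residual(A, B, C, Z, u):
    # (A.Z) o (B.Z) - u*(C.Z): the E that makes the relaxed equation hold
    az, bz, cz = mat_vec(A, Z), mat_vec(B, Z), mat_vec(C, Z)
    return [(a * b - u * c) % P for a, b, c in zip(az, bz, cz)]


rng = random.Random(4)
m, n = 3, 4
A = [[rng.randrange(P) for _ in range(n)] for _ in range(m)]
B = [[rng.randrange(P) for _ in range(n)] for _ in range(m)]
C = [[rng.randrange(P) for _ in range(n)] for _ in range(m)]

Z1, u1 = [rng.randrange(P) for _ in range(n)], 1
Z2, u2 = [rng.randrange(P) for _ in range(n)], 1
E1, E2 = residual(A, B, C, Z1, u1), residual(A, B, C, Z2, u2)

# Prover's cross term T: the coefficient of r in the expanded product
az1, bz1, cz1 = mat_vec(A, Z1), mat_vec(B, Z1), mat_vec(C, Z1)
az2, bz2, cz2 = mat_vec(A, Z2), mat_vec(B, Z2), mat_vec(C, Z2)
T = [(a1 * b2 + a2 * b1 - u1 * c2 - u2 * c1) % P
     for a1, b1, c1, a2, b2, c2 in zip(az1, bz1, cz1, az2, bz2, cz2)]

r = rng.randrange(1, P)
Z3 = [(a + r * b) % P for a, b in zip(Z1, Z2)]
u3 = (u1 + r * u2) % P
E3 = [(e1 + r * t + r * r * e2) % P for e1, t, e2 in zip(E1, T, E2)]
assert residual(A, B, C, Z3, u3) == E3  # the folded triple still satisfies
```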

Hence, it's possible to make merging schemes for R1CS-based protocols too. Interestingly enough, we don't even technically need to have a "succinct" protocol for proving the ((A \cdot Z) \circ (B \cdot Z) = u * (C \cdot Z) + E) relation at the end; instead, the prover could just prove it by opening all the commitments directly! This would still be "succinct" because the verifier would only need to verify one proof that actually represents an arbitrarily large number of statements. However, in practice having a succinct protocol for this last step is better because it keeps the proofs smaller, and Tzialla et al's paper provides such a protocol too (see page 10).

## Recap

- We don't know of a way to make a commitment to a size-(n) polynomial where evaluations of the polynomial can be verified in (< O(n)) time directly. The best that we can do is make a (\log(n))-sized proof, where all of the work to verify it is logarithmic *except for one final (O(n))-time piece*.
- But what we *can* do is merge multiple proofs together. Given (m) proofs of evaluations of size-(n) polynomials, you can make a proof that covers *all* of these evaluations, and that takes only logarithmic work plus a single size-(n) polynomial proof to verify.
- With some clever trickery, separating out the logarithmic parts from the linear parts of proof verification, we can leverage this to make recursive SNARKs.
- These recursive SNARKs are actually more efficient than doing recursive SNARKs "directly"! In fact, even in contexts where direct recursive SNARKs are possible (eg. proofs with KZG commitments), Halo-style techniques are typically used instead because they are more efficient.
- It's not just about polynomials; other games used in SNARKs like R1CS can also be aggregated in similar clever ways.
- No pairings or trusted setups required!

The march toward faster, more efficient, and safer ZK-SNARKs just keeps going…
