Nova

Source: Proofs, Arguments, and Zero-Knowledge, Section 18.5

Relaxed R1CS

We’ll prove knowledge of a witness for a relaxed R1CS instance.

We’ll have the following public values:

Matrices $A, B, C \in F^{n \times n}$
Vectors $s := (y_{i - 1}, y_{i}) \in F^{m}$
Scalar $u \in F$

An the following committed values:

Witness vector $w \in F^{n - m}$
Slack vector $E \in F^{n}$

Let $s := (y_{i - 1}, y_{i})$ , $z := (s, w) \in F^{n}$ . We want to make the claim that:

(A \cdot z) \circ (B \cdot z) = u \cdot (C \cdot z) + E

Folding two instances

Let $r \in F$ be randomly picked by the verifier. Then, we set:

s := s_{1} + r \cdot s_{2}

w := w_{1} + r \cdot w_{2}

u := u_{1} + r \cdot u_{2}

E := E_{1} + r^{2} \cdot E_{2} + r \cdot T

Where $T$ are the cross-terms:

T := (A \cdot z_{2}) \circ (B \cdot z_{1}) + (A \cdot z_{1}) \circ (B \cdot z_{2}) - u_{1} \cdot C \cdot z_{2} - u_{2} \cdot C \cdot z_{1}

→ The result is also a valid relaxed R1CS instance! → The prover can commit to $T$ , $E$ , and $w$ using a homomorphic vector commitment, then the validator samples $r$

A Large non-interactive Argument

For each application of the circuit, the verifier keeps track of:

The current round number
The values $y_{j - 1}$ and $y_{j}$ (determining $s_{j}$ )
The values $u_{j}$
$c_{w}^{(j)}$ : The commitment to $w_{j}$
$c_{E}^{(j)}$ : The commitment to $E_{j}$

The protocol proceeds as follows:

In each round, the prover sends $y_{j}$ , $c_{w}^{(j)}$ , and $c_{T}^{(j)}$
In round 1, the verifier sends the round number to 1, $u_{1} := 1$ , $y_{0} := x$ (the input to the incremental computation), and $c_{E}^{(j)}$ to a commitment to the vectors of all $0$ s
Otherwise, the verifier increments the round number and updates the running instance as described above
In the final round, the prover also outputs a SNARK for the folded instance, e.g. using a generalization of Spartan with Bulletproofs

The proof is the concatenation of all the values kept track of by the verifier + the final SNARK.

Proving the folding

Idea: Augment the circuit to do the verifier’s work in each step:

All verifier’s variables become public inputs
All prover inputs become private input (except $y_{j}$ , which the circuit already computes)
The new values of the verifier’s variables become public output
- Question: How do we make sure these outputs are actually used as inputs in the next step?

The extra work that has to be computed in the circuit amounts to:

Invoking a cryptographic hash function to obtain $r$ via the Fiat-Shamir transformation
A few field multiplications and additions over $F_{p}$
Computing the updates of the homomorphic commitments
- Dominates the recursion overhead if the hash function is SNARK-friendly
- In the case of Pedersen Commitments: One group exponentiation and one group multiplication for each of the two commitments

One needs a cycle of curves, but they do not need to be pairing-friendly. → The original function needs to be efficiently computable over both fields!

Crypto Summaries

Explorer

Nova

Relaxed R1CS

Folding two instances

A Large non-interactive Argument

Proving the folding

Graph View

Backlinks