diff --git a/docs/attachments/hash_ivc_folding_scheme.png b/docs/attachments/hash_ivc_folding_scheme.png new file mode 100644 index 0000000..212c599 Binary files /dev/null and b/docs/attachments/hash_ivc_folding_scheme.png differ diff --git a/docs/attachments/simple_ivc_folding_scheme.png b/docs/attachments/simple_ivc_folding_scheme.png new file mode 100644 index 0000000..b3dc25d Binary files /dev/null and b/docs/attachments/simple_ivc_folding_scheme.png differ diff --git a/docs/attachments/zk_snark_ivc_folding_scheme.png b/docs/attachments/zk_snark_ivc_folding_scheme.png new file mode 100644 index 0000000..a921509 Binary files /dev/null and b/docs/attachments/zk_snark_ivc_folding_scheme.png differ diff --git a/docs/nova.md b/docs/nova.md index f6d1a9b..eb814c2 100644 --- a/docs/nova.md +++ b/docs/nova.md @@ -76,3 +76,74 @@ denote a [random oracle](../terms/random_oracle_model.md), then the Prover (P) can get random challenge $r$ via: $r \leftarrow \rho(vk, u_1, u_2, \bar T)$. + +## Constructing IVC from a Folding Scheme + +### Simple IVC Folding Scheme + +The simple idea is: at step $i$ of the [IVC](../terms/recursive_snark.md) process: + +- Nova’s prover proves that the step $i$ was computed correctly. +- Nova treats the computation at step $i-1$ as an R1CS instance and folds it into a running relaxed R1CS instance. + +So, each step computes a step of the incremental computation and includes a circuit for the computation of the verifier +in the non-interactive folding scheme for relaxed R1CS. + +In this construction, the prover uses an augmented function $F'$. This function not only invokes $F$ but also performs +additional bookkeeping to fold proofs of prior invocations of itself. + +$F'$ takes as non-deterministic advice two committed relaxed R1CS instances $u_i$ and $U_i$, where: + +- $u_i$ represents the correct execution of invocation $i$ of $F'$: $F'(z_{i-1}) = z_i$. This is the **fresh instance**. +- $U_i$ represents the correct execution of invocations $1,...,i-1$ of $F'$: $F'^{(i -1)}(z_0) = z_{i-1}$. + This is the **running instance**. + +$F'$ executes 2 tasks: + +- Executes a step of the incremental computation: $F'(z_i) = z_{i + 1}$. +- Invokes the verifier of non-interactive folding scheme to fold the task of checking $u_i$ and $U_i$ into the task of checking +- a single instance $U_{i+1}$. + +The IVC prover then computes a new instance $u_{i+1}$,which is used to attest that $z_{i + 1} = F'(z_i)$, and gets $U_{i+1}$ as +the result of folding $u_i$ and $U_i$. + +Here is the depiction: + +![Simple IVC Folding Scheme](attachments/simple_ivc_folding_scheme.png) + +However, the instance $u_{i + 1}$ contains $U_{i + 1}.x$, and $F'$ must hold $u_{i+1}.x$ into $U_{i+1}.x$ in the next iteration, +so the size of $u_{i+1}$ grows linearly. To avoid that, we replace it with a hash function of its public IO. The next invocation +of $F'$ will takes the preimage of this hash via the proof. + +In particular, the public IO of $u_i$ and $u_{i+1}$ are: + +- $u_i.x = hash(i, z_0, z_i, U_i)$ +- $u_{i+1}.x = hash(i, z_0, z_{i+1}, U_{i+1})$ + +The verifier checks that $u_i.x \stackrel{?}{=} hash(i, z_0, z_i, U_i)$, and the prover now needs to send proof: +$((U_{i+1}, W_{i+1}), (u_{i+1}, w_{i+1}))$. + +![Hash IVC Folding Scheme](attachments/hash_ivc_folding_scheme.png) + +### IVC Folding Scheme with zkSNARKs + +First, the witness $W$ and $w$ are sent by the prover, so it is not zero-knowledge. Second, the proof size is linear in the size +of $F$. Therefore, we should use zkSNARKs to make the proof zero-knowledge and succinct. + +To do that, the prover creates a proof $\Pi$ claims that he knows a witness $W'$ such that: +$(U', W') = folding((U, W), (u, w))$, and the verifier will verify that proof for each iteration. + +![zkSNARK IVC folding scheme](attachments/zk_snark_ivc_folding_scheme.png) + +Unfortunately, employing an off-the-shelf zkSNARK makes the overall solution impractical. The reason is that the zkSNARK prover +must prove the knowledge of vectors whose commitments equal a particular value (e.g., $\bar W$ is the commitment of $W$). This +requires encoding a linear number of group scalar multiplications in the programming model of zkSNARKs. One way to make this +practical is by interpreting commitments to vectors as polynomial commitments. + +## References + +[Nova paper - Abhiram Kothapalli & Srinath Setty & Ioanna Tzialla](https://eprint.iacr.org/2021/370.pdf) + +[Nova: IVC from folding scheme - ZKstudy Session 07 [EN]](https://www.youtube.com/watch?v=xpgDdTqPnSg&t=1389s) + +[(Workshop) [Super] Nova [Scotia]: Unpacking Nova](https://www.youtube.com/watch?v=N6RW_YhLMNw)