Overview of Recursive SNARKs

1 Introduction

Recursive SNARKs又名Incrementally Verifiable Computation（IVC）、Proof Carrying Data（PCD）或 inductive SNARKs。

The image below is taken from the Microsoft Teams 2021 paper Nova: Recursive Zero-Knowledge Arguments from Folding Schemes , where:

• [BCTV14]: For the 2014 paper " Scalable zero knowledge via cycles of elliptic curves " by Ben-Sasson et al.
• [Gro16]: For Groth's 2016 paper " On the size of pairing-based non-interactive arguments ". Check out the blog:
  • Groth16 study notes
  • ZCash bellman version Groth16 code analysis .
• [Set20]: For the Microsoft Team Setty 2019 paper " Spartan: Efficient and general-purpose zkSNARKs without trusted setup ". Check out the blog:
  • Spartan: zkSNARKS without trusted setup study notes
  • Spartan: zkSNARKS without trusted setup source code analysis
  • Basic idea of ​​SNARK proof of Vitalik R1CS example in Spartan
• [COS20]: Chiesa et al. 2019 paper " Fractal: Postquantum and transparent recursive proofs from holography "
• [BGH19]: Bowe et al. 2019 paper " Halo: Recursive proof composition without a trusted setup ". Check out the blog:
  • Halo: Recursive Proof Composition without a Trusted Setup 学习笔记
  • Halo code analysis
• [BCL+20]: 2020 paper " Proof-carrying data without succinct arguments " by B¨unz et al. Check out the blog:
  • proof-carrying data from accumulation schemes study notes

2. What are Recursive SNARKs?

2.1 What is a SNARK?

2.2 What is SNARK of a SNARK proof?

2.3 What is SNARK of multiple SNARK proofs?

3. Recursive SNARKs application scenarios

Recursive SNARKs can be used in the following scenarios:

• 1）Zk-zk-Rollup 和 zk${}^3$-Rollup
• 2) Privacy Computing ZEXE

3.1 for Zk-zk-Rollup and zk ${}^3$-Rollup

Compared with zkRollup, Zk-zk-Rollup has the following characteristics:
* 1.1) There are multiple servers, each server is responsible for different non-overlapping user groups.
* 1.2) It has a Rollup aggregator (which can be one of the servers), which is responsible for summarizing (balance table) and creating a corresponding proof.


The corresponding Zk-zk-Rollup circuit is expressed as: [where $roo{t}_1,roo{t}_2,\cdots ,{Pi}_1,{Pi}_2,\cdots$ are witnesses]

Take Tornado Cash as an example:

after zk${}^3$ -Rollup,Tornado Cashcan realize shielded transfer and any amount. [Adding zk-SNARKs to each transaction enables private transactions. 】

3.2 ZEXE for privacy computing

ZEXE is a computing model (similar to the Scripts of the UTXO chain and the Accounts of the EVM chain). So think of ZEXE as an abstraction of smart contracts or complex transactions.
The basic unit of ZEXE is record (similar to UTXO).
Each transaction consumes records and also creates records.

Taking UTXO as an example, the corresponding ZEXE expression is:

• Universal predicate (universal expression) is: prevent double spending.
• Birth predicate is: how a record is created.
• Death predicate is: how a record is consumed.

The transaction process of generating Record 3 based on Record 1 and Record 2 can be expressed as:

references

[1] Microsoft Team 2021 paper Nova: Recursive Zero-Knowledge Arguments from Folding Schemes
[2] July 2021 video An Overview of Recursive SNARKs
[3] 2021 Stanford courseware Recursive SNARKs
[4] 2020 Mina’s blog on zkproof Inductive Proof Systems and Recursive SNARKs