1. Introduction
In existing ZKP proof systems, besides proof size and verification time, prover time is an important bottleneck.
When prover time is the priority, consider a STARK-based solution, and use recursive STARK+SNARK composition to obtain a small proof.
Prover Time:
- Directly depends on the calculation size.
For the same computation, different arithmetization strategies change the size of the computation being proved, and therefore the prover time. For example, to prove that $y=x^{-1}\mod p$:
- Option 1:
  - According to Fermat's little theorem, $x^{-1}=x^{p-2}\mod p$,
  - Then use double-and-add to calculate $x^{p-2}$,
  - Check that $y=x^{p-2}$ holds
  - The overhead is $\log(p)$ constraints
- Option 2:
  - Instead, prove that $1=x\times y\mod p$
  - This corresponds to 1 constraint.
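The two options above, worked through as an added example (not code from the original article or the talk it summarizes): it builds the Option 1 multiplication-gate trace, checks the gates together with their wiring, and compares the result with the single Option 2 constraint, including the $x=0$ case, where Option 1 accepts $y=0$ but Option 2 has no satisfying $y$. The modulus `P` and all function names are assumptions chosen for illustration.

```python
# Added example: two arithmetizations of the claim y = x^{-1} mod p.
# P and every function name below are assumptions made for this sketch.
P = 2**61 - 1  # Mersenne prime used as the example field modulus

def fermat_trace(x, p=P):
    """Option 1 witness: square-and-multiply trace of x^(p-2) mod p.
    Returns (y, gates); each gate (a, b, c) asserts a*b = c mod p."""
    gates, acc = [], 1
    for bit in bin(p - 2)[2:]:                       # exponent bits, MSB first
        gates.append((acc, acc, acc * acc % p))      # squaring gate
        acc = gates[-1][2]
        if bit == "1":
            gates.append((acc, x % p, acc * x % p))  # multiply-by-x gate
            acc = gates[-1][2]
    return acc, gates

def check_fermat(x, y, gates, p=P):
    """Option 1 check: every gate holds, each input is wired to the previous
    output or to x (the copy constraints), and the last output equals y."""
    it = iter(gates)

    def step(a_exp, b_exp):
        a, b, c = next(it)
        if (a, b) != (a_exp, b_exp) or a * b % p != c:
            raise ValueError("gate or wiring violated")
        return c

    prev = 1
    try:
        for bit in bin(p - 2)[2:]:
            prev = step(prev, prev)
            if bit == "1":
                prev = step(prev, x % p)
    except (StopIteration, ValueError):
        return False
    return prev == y % p and next(it, None) is None  # no extra gates allowed

def check_product(x, y, p=P):
    """Option 2 check: the single multiplication constraint x*y = 1 mod p."""
    return x * y % p == 1

def compare(x, p=P):
    """Run both arithmetizations on the y that Option 1 computes for x."""
    y, gates = fermat_trace(x, p)
    return {"gates_option1": len(gates), "gates_option2": 1,
            "option1_ok": check_fermat(x, y, gates, p),
            "option2_ok": check_product(x, y, p)}
```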
This article focuses on the Plonkish arithmetization system:
- addition and multiplication constraints
- copy constraints
- selector polynomial
- custom constraints
- lookup constraint
To prove that $0\leq c_3<4$:
- 1) If there are only multiplication constraints in the circuit, the proof cannot be realized.
- 2) If there are addition and multiplication constraints in the circuit, binary decomposition can be done, expressed as: [lack of sufficient structure, unable to constrain $c_3=a_1+2a_2$]
- 3) If there are addition and multiplication constraints in the circuit, as well as copy constraints, then: [Is there a problem of excessive constraints?]
- 4) If there are addition and multiplication constraints, copy constraints, and selector polynomials in the circuit, then: [The selector polynomial is used to select which gate to use and when.]
The strategy for adding zero-knowledge properties to multiplicative constraints is:
2. Copy constraints
Enforcing copy constraints is divided into 3 major steps:
- 1) Connect all public and private inputs in order
- 2) Demonstrate equivalence between permuted inputs
- 3) Prove this with the Neff permutation argument. For details, see:
https://github.com/asn-d6/curdleproofs (Rust)
3. Selector polynomial
The selector polynomial is used to switch constraints.
4. Custom constraints
An example is the MinRoot Verifiable Delay Function. Its motivation is:
- Good random numbers are really hard to come by
- Ethereum needs good nonces for consensus
In the MinRoot Verifiable Delay Function, every round computes:
$$(x_{i+1},y_{i+1})=((x_i+y_i)^{\frac{1}{3}},x_i+i)$$
In the constraint circuit, check instead:
- $x_{i+1}^3=x_i+y_i$, so that many cubing operations are performed instead of cube-root operations.
However, custom constraints involve trade-offs:
- Each additional column makes custom constraints more expressive, but at the cost of an additional proof element.
- Each additional multiplication operation can make custom constraints more expressive, but at the cost of an additional proof element.
- Each type of custom constraint adds an additional proof element overhead.
- In fact, it is a trade-off between proof size/verifier time and prover time.
References
[1] Mary Maller (Ethereum Foundation), "How Custom Gates Are Used During Arithmetization", video, 13th BIU Winter School on Cryptography, February 2023.