Recursive SNARKs
CS251 Fall 2021(cs251.stanford.edu)
Benedikt BΓΌnz
Recap: Non-interactive Proof SystemsA non-interactive proof system is a triple (S, P, V):
β’ S(πΆ) βΎ public parameters (Sp, Sv) for prover and verifier
(Sp, Sv) is called a reference string
β’ P(Sp, π,π) βΎ proof π
β’ V(Sv, π, π ) βΎ accept or reject
Recap: zkRollupToday: every miner must verify every posted Tx verify
all Tx
verifyall Tx
verifyall Tx
verify all Tx β short proof Ο
summary, Ο
verifyΟ
verifying proof is much easier than verifying 10K Tx
verifyΟ
Rollup Server
Recap: zkRollupToday: every miner must verify every posted Tx verify
all Tx
verifyall Tx
verifyall Tx
verify all Tx β short proof Ο
summary, Ο
verifyΟ
verifying proof is much easier than verifying 10K Tx
verifyΟ
Rollup Server
Rollup with many coordinators
summary2,
Ο2
verifyΟ
verifyΟ
Server 2
Server 1
summary1, Ο1
summary, Ο
verifyΟ
Zk-zk-Rollupβ’ Multiple serversβ’ Each responsible for subset of users (no overlaps)β’ Rollup aggregator (can be one of the servers)β’ Rollup aggregator combines summaries (balance table) and
creates one proof thatβ’ How can we combine proofs?β’ Trivial solution: β’ All servers forward all Txβ’ Rollup aggregator creates one SNARKβ’ Does not save work
Recap: Non-interactive Proof SystemsA non-interactive proof system is a triple (S, P, V):
β’ S(πΆ) βΎ public parameters (Sp, Sv) for prover and verifier
(Sp, Sv) is called a reference string
β’ P(Sp, π,π) βΎ proof π
β’ V(Sv, π, π ) βΎ accept or reject
SNARK of a SNARK ProofA non-interactive proof system is a triple (S, P, V):
β’ S(πΆ) βΎ public parameters (Sp, Sv) for prover and verifier
(Sp, Sv) is called a reference string
β’ P(Sp, π,π) βΎ proof π
β’ V(Sv, π, π ) βΎ accept or reject
SNARK of SNARK
π πΆ β π!, π"π β π(π!, π₯, π€)
Now write a circuit πΆβ² that verifies π: β’ Input π₯β² is xβ’ Witness π€β² is πβ’ πΆβ²(π₯β², wβ) = 0 iff V(π", π, π₯)=Accept Finally:
π πΆβ² β πβ²!, πβ²"πβ² β π(πβ²!, π₯β², π€β²) 9
How can we aggregate proofs?
SNARK of SNARKs
π πΆ β π!, π"π# β π(π!, π₯#, π€#) π$ β π(π!, π₯$, π€$)
Now write a circuit πΆβ² that verifies π: β’ Input π₯β² is x1||x2
β’ Witness π€β² is π#||π$β’ πΆβ²(π₯β², wβ) = 0 iff V(π" , π₯#, π#)=Accept and V(π" , π₯$, π$)=Accept Finally:
π πΆβ² β πβ²!, πβ²"πβ² β π(πβ²!, π₯β², π€β²) 10
How can we aggregate proofs?
SNARK of SNARKs
β’ Note that Cβ depends only on V and Sv (not on C1,C2)β’ We can express V as a circuit:
π! π₯β² πβ²
+ β
Γ
0 = βπ΄πππππ‘β π€2 = πβ² is independent of π€3, π€4|Cβ|=2*|V| < |2* C|
Building SNARK of SNARKs
β’ How big is Cβ?β’ Comparison |SHA256 circuit| = 20k gatesβ’ First SNARK of SNARK ~1 million gates with trusted
setup (BCTV14)β’ Today less than 50k gates (Halo, BCLMS20, Nova) β’ no trusted setup
β’ Independent of inner SNARK circuits!
Rollup with many coordinators
summary2,
Ο1
verifyΟ
verifyΟ
Server 2
Server 1
summary1, Ο2
summary, Ο
verifyΟ
Zk-zk-Rollupβ’ Let rooti be the Merkle Tree Root of summary i
β’ S!, π" β πΊ(πΆ#) // πΆ# rollup circuit
Merkle treeππππ‘1 ππππ‘2 ππππ‘3 ππππ‘5
root
Build one root from summaries
πΆ67!(x = S8, π«π¨π¨π; w = ππππ‘3, ππππ‘4β¦ , π3, π4, β¦ ):V(S8, π₯ = ππππ‘9, π9) for all i and π«π¨π¨π=MT(ππππ‘9s)
Tornado cash
nf1
nullifiers
coinsMerkle
root
Treasury: 300 DAI100 DAI pool:each coin = 100 DAI
nf2(32 bytes)
C1 C2 C3 C4 0 β¦ 0
tree ofheight 20
(220 leaves)
public list of coins
nf, proof π , A(over Tor)
nf
nf and π reveal nothing about which coin was spent.
But, coin #3 cannot be spent again, because nf = H2(kβ) is now nullified.
β¦ but observer does not know which are spent
100 DAIto address A
Merkleroot
H1, H2: R βΎ {0,1}256
next = 5
contract state
Withdraw coin #3to addr A:
zk3-Rollup (tornado cash rollup)
summary2,
Ο2
verifyΟ
verifyΟ
Rollup Server 2
Rollup Server 1
summary1, Ο1
summary, Ο
π:;
π:;
π:;
π:;
verifyΟ
zk3-Rollupβ’ Users create SNARK for TC Circuit πΆ"#
β’ S$, π% β πΊ(πΆ"#)β’ π"# β π(π% , π‘π₯, π€)
β’ Rollups create SNARKs for πΆ& = β' π π( , π‘π₯' , π' = βππππππ‘ββ’ π‘π₯ ππππ‘ = ππ π‘π₯), β¦ , π‘π₯*β’ π+ = π"#,)|| β¦ ||π"#,*β’ S$β², π%β² β πΊ(πΆ&)β’ π& = π(π%+ , π‘π₯ ππππ‘, π+)
β’ Rollup Aggregator creates SNARK for πΆ- = β' π(π(β², ππππ‘' , π&,')β’ S$++, π%++ β πΊ(πΆ-)β’ ππππ‘ = ππ(ππππ‘), β¦ , ππππ‘.)β’ π&β² = π&,)|| β¦ ||π&,.β’ π- = π(π%++, ππππ‘, π&+ )
Enhancing transactions with SNARKsβ’ Weβve seen that private transactions require zero-
knowledge proofsβ’ Add ZK-SNARKs to every transactionβ’ Level 1 coordinators verify transaction by verifying
transaction ZK-SNARKsβ’ Additionally, we can have more complicated transactions
(Smart Contracts) β’ Transaction verification is constant time regardless of
proof complexityβ’ Can we also hide the smart contract?
ZEXE private execution
β’ ZEXE is a model of computation (like UTXOs/Scripts or Accounts/EVM)
β’ The basic unit is a record (similar to a UTXO)β’ Every transaction consumes records and creates
recordsβ’ Universal predicate: Prevents double spendsβ’ Birth predicate: Says how a record can be createdβ’ Death predicate: Says how a record can be consumed
ZEXE private executionRecord 1:Birth predicate 1Death predicate 1Payload 1
Record 2:Birth predicate 1Death predicate 1 Payload 1
Record 3:Birth predicate 3Death predicate 3Payload 3
TX checks that Record 1 and Record 2 have not been spentBirth3(R1, R2,R3) and Death1(R1, R2,R3) and Death2(R1,R2,R3)
ZEXE private executionβ’ Universal predicate (similar to tornado cash)β’ Uses nullifiersβ’ Checks that nullifier=H(sk,records) is properly
createdβ’ Checks that nullifier only appears onceβ’ Prevents double spends
Merkleroot
tree ofheight 20
(220 leaves)
R1 R2 R3 β¦ 0 0 0
Implementing assets with ZEXE
β’ Record payload has a value v and an asset id β’ Birth predicateβ’ Defines the tokenβ’ New record id needs to match consumed predicate idsβ’ New record value is sum of inputs
β’ Death predicateβ’ Defines the SCRIPTβ’ E.g. spendable by signatureβ’ E.g. Spendable by multisigature + preimage of hash
Implementing smart contracts with ZEXE
β’ Record payload is state of smart contract, smart contract instance id
β’ Birth predicateβ’ Either creates smart contract orβ’ One of the inputs needs to be the old smart
contract recordβ’ Death predicateβ’ Defines the smart contract logic
ZEXE game of Chessβ’ Record payload is state of smart contract, smart contract
instance idβ’ Birth predicate
β’ Starts new game (and assigns pks to black/white) orβ’ One of the inputs needs to be the old chess game
β’ Death predicateβ’ If game finished then pay money to the winnerβ’ Otherwise input records must be game record + one move
recordβ’ Move record must be signed by the right player β’ Move record must contain a valid move
Making ZEXE privateβ’ π%!, π(! β π(πΆ/) (Universal predicate)β’ π%" , π(" β π(πΆ0) (Birth predicate)β’ π%# , π(# β π(πΆ1) (Death predicate)β’ π%$% , π($% β π(πΆ"2) (TX circuit)β’ πΆ"2 = π π(!, . , . =0 and π π(" , . , . =0 and π π(# , . , . =0 And Record=π»(πππ¦ππππ, π(" , π(# , π) // π random
β’ TX: Input records || Output records β’ Compute nullifiers ππ!, β¦ , ππ" from input records β’ To create a TX, create three ZK-SNARKS (now ZK is important)
β’ x=TX,π€ = πππ¦πππππ , π#!, π#"β’ π$ β π π%#, x ππ!, β¦ , ππ", π€ | | ππ ππππππ β’ π& β π π%!, x, π€β’ π' β π π%", x, π€
β’ Create π() β π π%$%, x, π€||π$, π&, π'
R1 R2 R3 β¦ 0 0 0
Merkleroot
tree ofheight 20
(220 leaves)
MT of all records
Birth and death predicate as well as records are private!
Hitchhikers guide to the galaxy
Input Output (42)
Long Computation
What if we want to verify that computation?
SNARKs for long computations
Input Output (42)P(Sp, π,π) βΎ πV(Sv, π, π) βΎ acceptLong Computation, Transcript
C β Circuit for long computationS(πΆ) βΎ (Sp, Sv) π = πππππ, πππππππ = ππππππππππ
Issues:-P takes very long-Starts after proving aftercomputation finished-Canβt hand off computation-S also runs at least linear in |C| (ok if many proofs)
Handing off computation
Input Output (42), πS
πΆTβ Circuit for long intermediate computation
S(πΆT) βΎ (Sp, Sv) ππ = πππππ, ππππ , ππ = πππππππππππππ = ππππ, ππππ , ππ = πππππππππππππ = ππππ, ππππππ , ππ = πππππππππππP(Sp, ππ, ππ) βΎπ9
Int1,π3 Int2,π4transcript1 transcript2 transcript3
V(Sv, ππ, π π)V(Sv, ππ, π π)V(Sv, ππ, π π)|π|/ V linear in #handoffs
Incremental Proofs
β’ We need updatable/incremental proofs
S(πΆT) βΎ (Sp, Sv)
πΆTβ Circuit per computation step, π‘ number of steps/handoffs
P(Sp, ππ, ππ, π9Y3) βΎ updated proof π9 // πZ =β₯
V(Sv, ππ, ππ, π:, t) βΎ accept/reject
|π9| = |π9Y3| // proofs donβt grow
PhotoProof
Allow valid updates of photo and provide proof
Viewer can still verify authenticity
PhotoProof
Proof allows valid edits only, Incrementally updated
Constant size blockchains
β’ Rollup reduces the verification costβ’ Still linear in the number of state updatesβ’ When a node joins the network they need to verify
one rollup proof per block!β’ In general starting a full node requires verification of
all blocksβ’ Can take days!
Constant size Blockchain
π$State-MT1
TX-MT1
Merkle tree
Transactions
π%State-MT2
TX-MT2
π&State-MT3
TX-MT3
π'State-MT4
TX-MT4
π9 prooves that transactions are valid with respect to the stateANDπ9Y3 was valid for the previous block
Constant size Blockchain
π$State-MT1
TX-MT1
Merkle tree
Transactions
π%State-MT2
TX-MT2
π&State-MT3
TX-MT3
π'State-MT4
TX-MT4
Old miner New minerHead and State 4
Verifies State-MT4 and π5
Constant size Blockchain
β’ Light clients can verify every block! β’ Low memory, low computation β’ Independent of length of chain or #transactions
β’ Relies on data serving nodes for synching
β’ Practical today!
Next lecture: Crypto tricks and open discussionPlease attend last two lectures if you can
END OF LECTURE
Top Related