You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

420 lines
13 KiB

  1. \documentclass{beamer}
  2. \usefonttheme[onlymath]{serif}
  3. \mode<presentation>
  4. {
  5. \usetheme{Frankfurt}
  6. \usecolortheme{dove} %% grey scale
  7. \useinnertheme{circles}
  8. % \setbeamercovered{transparent}
  9. }
  10. \hypersetup{
  11. colorlinks,
  12. citecolor=black,
  13. filecolor=black,
  14. linkcolor=black,
  15. urlcolor=blue
  16. }
  17. \usepackage{graphicx}
  18. \usepackage{listings} % embed code
  19. \setbeamertemplate{itemize}{$\circ$}
  20. \setbeamertemplate{itemize items}{$\circ$}
  21. \beamertemplatenavigationsymbolsempty %% no navigation bar
  22. \setbeamertemplate{footline}{\hspace*{.1cm}\scriptsize{
  23. \hspace*{50pt} \hfill\insertframenumber/\inserttotalframenumber\hspace*{.1cm}\vspace*{.1cm}}}
  24. \setbeamertemplate{caption}[numbered]
  25. \setbeamerfont{caption}{size=\tiny}
  26. \title{HyperNova introduction}
  27. \author{}
  28. \date{\scriptsize{2023-07-25\\\href{https://0xparc.org}{0xPARC}, London}}
  29. \begin{document}
  30. \frame{\titlepage}
  31. % NOTE: This talk provides an overview, if people is interested we can do another session going more into the technical details of the schemes.
  32. \section[Preliminaries]{Preliminaries}
  33. \begin{frame}{IVC}
  34. For a function $F$, with initial input $z_0$, an IVC scheme allows a prover to produce a proof $\pi_i$ for the statement $z_i = F^{(i)}(z_0)$, given a proof $\pi_{i-1}$ for the statement $z_{i-1} = F^{(i-1)}(z_0)$
  35. TODO add draw
  36. TODO add reference to Valiant paper (2008)
  37. \end{frame}
  38. \begin{frame}{Recursion before folding schemes}
  39. We used to use recursive SNARKs to achieve IVC.
  40. \begin{itemize}
  41. \item Prove verification in circuit: inside a circuit, verify another proof
  42. \begin{itemize}
  43. \item eg. verifying a Groth16 proof inside a Groth16 circuit.
  44. \end{itemize}
  45. \item Amortized accumulation
  46. \begin{itemize}
  47. \item eg. Halo
  48. \end{itemize}
  49. \end{itemize}
  50. \end{frame}
  51. \begin{frame}{R1CS refresher}
  52. R1CS instance: $(\{A, B, C\} \in \mathbb{F}^{m \times n},~ io,~ m,~ n,~ l)$, such that for $z=(io \in \mathbb{F}^l, 1, w \in \mathbb{F}^{m-l-1}) \in \mathbb{F}^m$,
  53. $$Az \circ Bz = Cz$$
  54. Typically we use some scheme to prove that the previous equation is fullfilled by some private $w$ (eg. Groth16, Marlin, Spartan, etc).
  55. \end{frame}
  56. % \begin{frame}{R1CS refresher}
  57. % TODO add A, B, C example from Vitalik article
  58. % \end{frame}
  59. \begin{frame}{Random linear combination}
  60. Combine 2 instances together through a random linear comibnation, and the outputted instance will still satisfy the relation.
  61. \begin{itemize}
  62. \item Have 2 values $x_1, x_2$.
  63. \item Set $r \in^R \mathbb{F}$
  64. \item Compute $x_3 = x_1 + r \cdot x_2$.
  65. \end{itemize}
  66. \pause
  67. Combined with homomorphic commitments
  68. \begin{itemize}
  69. \item We can do random linear combinations with the commitments and their witnesses, and the output can still be opened
  70. \end{itemize}
  71. % TODO check on internet if there is some more standard definition / examples.
  72. \end{frame}
  73. \section[Nova]{Nova}
  74. \begin{frame}{Folding schemes}
  75. We're not verifying the entire proof
  76. \begin{itemize}
  77. \item Take n instances and 'batch' them together
  78. \begin{itemize}
  79. \item Folds $k$ (eg. 2) instances (eg. R1CS instances) and their respective witnesses into a signle one
  80. \end{itemize}
  81. \item At the end of the chain of folds, we just prove that the last fold is correct through a SNARK
  82. \begin{itemize}
  83. \item Which implies that all the previous folds were correct
  84. \end{itemize}
  85. \end{itemize}
  86. \pause
  87. In Nova: folding without a SNARK, we just reduce the satisfiability of the 2 inputted instances to the satisfiability of the single outputted one.
  88. [TODO image of multiple folding iterations]
  89. \end{frame}
  90. \begin{frame}{Relaxed R1CS}
  91. We work with \emph{relaxed R1CS}
  92. $$Az \circ Bz = u \cdot Cz + E$$
  93. \begin{scriptsize} % TODO use the other simplier font syntax
  94. (= R1CS when $u=1,~ E=0$)
  95. \end{scriptsize}
  96. \begin{itemize}
  97. \item main idea: allows us to fold, but accumulates \emph{cross terms}
  98. \pause
  99. \item when we do the \emph{relaxed} of higher degree equations (eg. plonkish), the cross terms grow (eg. Sangria with higher degree gates)
  100. \end{itemize}
  101. \end{frame}
  102. \begin{frame}{NIFS - setup}
  103. V and P: \emph{committed relaxed R1CS} instances
  104. \begin{align*}
  105. \varphi_1&=(\overline{E}_1, u_1, \overline{w}_1, x_1)\\
  106. \varphi_2&=(\overline{E}_2, u_2, \overline{w}_2, x_2)
  107. \end{align*}
  108. P: witnesses
  109. \begin{align*}
  110. (E_1, r_{E_1}, w_1, r_{w_1})\\
  111. (E_2, r_{E_2}, w_2, r_{w_2})
  112. \end{align*}
  113. Let $z_1 = (w_1, x_1, u_1)$ and $z_2 = (w_2, x_2, u_2)$.
  114. \end{frame}
  115. \begin{frame}{NIFS}
  116. \begin{footnotesize}
  117. % While Prover works with $w, E$, Verifier works with commitments to them (\emph{Committed Relaxed R1CS}).\\
  118. % To keep the relations working with the random linear combinations, we use homomorphic commitments.
  119. \begin{itemize}
  120. \item V, P: folded instance $\varphi = (\overline{E}, u, \overline{w}, x)$
  121. \begin{align*}
  122. &\overline{E}=\overline{E}_1 + r \overline{T} + r^2 \overline{E}_2\\
  123. &u = u_1 + r u_2\\
  124. &\overline{w} = \overline{w}_1 + r \overline{w}_2\\
  125. &x = x_1 + r x_2
  126. \end{align*}
  127. \item P: folded witness $(E, r_E, w, r_W)$
  128. \begin{align*}
  129. &E = E_1 + r T + r^2 E_2\\
  130. &r_E = r_{E_1} + r \cdot r_T + r^2 r_{E_2}\\
  131. &w=w_1 + r w_2\\
  132. &r_W = r_{w_1} + r \cdot r_{w_2}
  133. \end{align*}
  134. \end{itemize}
  135. \end{footnotesize}
  136. \pause
  137. \begin{scriptsize}
  138. Note: $T$ are the cross-terms comming from combining the two R1CS instances from
  139. \begin{align*}
  140. Az \circ Bz &=A(z_1 + r \cdot z_2) \circ B(z_1 + r z_2)\\
  141. &=A z_1 \circ B z_1 + r(A z_1 \circ B z_2 + A z_2 \circ B z_1) + r^2 (A z_2 \circ B z_2) = \ldots
  142. \end{align*}
  143. \end{scriptsize}
  144. \end{frame}
  145. \begin{frame}{NIFS}
  146. \begin{small}
  147. $$E=E_1 + r \underbrace{ (A z_1 \circ B z_2 + A z_2 \circ B z_1 - u_1 C z_2 - u_2 C z_1) }_\text{cross-terms} + r^2 E_2$$
  148. \end{small}
  149. $Az \circ Bz = uCz + E$ will hold for valid $z$ (which comes from valid $z_1,~ z_2$).
  150. [TODO add image of function F' with F inside with extra checks]
  151. \end{frame}
  152. \begin{frame}{NIFS}
  153. Each fold: $2~EC_{Add} + 1~EC_{Mul} + 1~hash$
  154. 20k R1CS constraints (using curve cycles)
  155. {\footnotesize
  156. (so folding makes sense when we have a circuit with more than $2 \cdot 20k$ constraints)
  157. }
  158. \pause
  159. After all the folding iterations, Nova generates a SNARK proving the last folding instance.
  160. In Nova implementation, they use Spartan.
  161. \end{frame}
  162. \begin{frame}{Benchmarks}
  163. % TODO: review names, and add links to profiles.
  164. Benchmarks that Oskar, Carlos, et al did during the Vietnam residency in April
  165. \href{https://hackmd.io/u3qM9s_YR1emHZSg3jteQA?view}{https://hackmd.io/u3qM9s\_YR1emHZSg3jteQA}
  166. \begin{center}
  167. \begin{tabular}{ |c|c|c| }
  168. \hline
  169. Size & Constraints & Time\\
  170. \hline
  171. 2KB & 883k & 320ms\\
  172. 4KB & 1.7m & 521ms\\
  173. 8KB & 3.4m & 1s\\
  174. 16KB & 6.8m & 1.9s\\
  175. 32KB & 13.7m & 4.1s \\
  176. \hline
  177. \end{tabular}\\
  178. {\footnotesize eg. for 8kb, x100 Halo2 and Plonky2}
  179. \end{center}
  180. (this is for the folding, without the last snark)
  181. \end{frame}
  182. \begin{frame}{SuperNova}
  183. \begin{itemize}
  184. \item iteration on Nova, combining \emph{different circuits} in a single one with \emph{selectors}
  185. \item so we can work with a big circuit with \emph{subcircuits} without paying the whole size cost on each iteration
  186. \item in IVC terms: fold multiple $F_i$ in a single $F'$ (in Nova was a single $F$ in $F'$)
  187. \end{itemize}
  188. This is useful for example for a VM, doing one $F_i$ for each opcode
  189. \end{frame}
  190. \section[HyperNova]{HyperNova}
  191. % \begin{frame}{CCS}
  192. % \begin{itemize}
  193. % \item kind of a generalization of constraint systems
  194. % \item can translate R1CS,Plonk,AIR to CCS
  195. % \end{itemize}
  196. % $$\sum_{i=0}^{q-1} c_i \cdot \bigcirc_{j \in S_i} M_j \cdot z ==0$$
  197. % \end{frame}
  198. \begin{frame}{R1CS to CCS example}
  199. \begin{scriptsize}
  200. \begin{itemize}
  201. \item Kind of a generalization of constraint systems
  202. \item Can translate R1CS,Plonk,AIR to CCS
  203. \end{itemize}
  204. \pause
  205. \begin{description}
  206. \item[CCS instance] $S_{CCS} = (m, n, N, l, t, q, d, M, S, c)$\\
  207. where we have the same parameters than in $S_{R1CS}$, but additionally:\\
  208. $t=|M|$, $q = |c| = |S|$, $d$= max degree in each variable.
  209. \item[R1CS-to-CCS parameters] $n=n,~ m=m,~ N=N,~ l=l,~ t=3,~ q=2,~ d=2$, $M=\{A,B,C\}$, $S=\{\{0,~1\},~ \{2\}\}$, $c=\{1,-1\}$
  210. \end{description}
  211. \pause
  212. The CCS relation check:
  213. \end{scriptsize}
  214. $$\sum_{i=0}^{q-1} c_i \cdot \bigcirc_{j \in S_i} M_j \cdot z ==0$$
  215. \begin{scriptsize}
  216. In our R1CS-to-CCS parameters is equivalent to
  217. \begin{align*}
  218. &c_0 \cdot ( (M_0 z) \circ (M_1 z) ) + c_1 \cdot (M_2 z) ==0\\
  219. \Longrightarrow &1 \cdot ( (A z) \circ (B z) ) + (-1) \cdot (C z) ==0\\
  220. \Longrightarrow &( (A z) \circ (B z) ) - (C z) ==0
  221. \end{align*}
  222. \end{scriptsize}
  223. \end{frame}
  224. \begin{frame}{Multifolding}
  225. \begin{itemize}
  226. \item Nova: 2-to-1 folding
  227. \item HyperNova: multifolding, k-to-1 folding
  228. \item We fold while through a SumCheck proving the correctness of the fold
  229. \end{itemize}
  230. SumCheck's polynomial work is trivial, most of the cost comes from Poseidon hash in the transcript
  231. [TODO WIP section]
  232. \end{frame}
  233. \begin{frame}{Multifolding - Overview}
  234. \begin{tiny}
  235. \begin{enumerate}
  236. \item[1.] $V \rightarrow P: \gamma \in^R \mathbb{F},~ \beta \in^R \mathbb{F}^s$
  237. \item[2.] $V: r_x' \in^R \mathbb{F}^s$
  238. \item[3.] $V \leftrightarrow P$: sum-check protocol:
  239. $c \leftarrow \langle P, V(r_x') \rangle (g, s, d+1, \underbrace{\sum_{j \in [t]} \gamma^j \cdot v_j}_\text{T})$, where:
  240. \begin{align*}
  241. g(x) &:= \underbrace{\left( \sum_{j \in [t]} \gamma^j \cdot L_j(x) \right)}_\text{LCCCS check} + \underbrace{\gamma^{t+1} \cdot Q(x)}_\text{CCCS check}\\
  242. L_j(x) &:= \widetilde{eq}(r_x, x) \cdot \left(
  243. \underbrace{\sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_1(y)}_\text{LCCCS check}
  244. \right)\\
  245. Q(x) := &\widetilde{eq}(\beta, x) \cdot \left(
  246. \underbrace{ \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \left( \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(x, y) \cdot \widetilde{z}_2(y) \right) }_\text{CCCS check}
  247. \right)
  248. \end{align*}
  249. \end{enumerate}
  250. \end{tiny}
  251. \end{frame}
  252. \begin{frame}{Multifolding - Overview}
  253. \begin{tiny}
  254. \begin{enumerate}
  255. \item[4.] $P \rightarrow V$: $\left( (\sigma_1, \ldots, \sigma_t), (\theta_1, \ldots, \theta_t) \right)$, where $\forall j \in [t]$,
  256. $$\sigma_j = \sum_{y \in \{0,1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_1(y)$$
  257. $$\theta_j = \sum_{y \in \{0, 1\}^{s'}} \widetilde{M}_j(r_x', y) \cdot \widetilde{z}_2(y)$$
  258. \item[5.] V: $e_1 \leftarrow \widetilde{eq}(r_x, r_x')$, $e_2 \leftarrow \widetilde{eq}(\beta, r_x')$\\
  259. check:
  260. $$c = \left(\sum_{j \in [t]} \gamma^j \cdot e_1 \cdot \sigma_j \right) + \gamma^{t+1} \cdot e_2 \cdot \left( \sum_{i=1}^q c_i \cdot \prod_{j \in S_i} \theta_j \right)$$
  261. \item[6.] $V \rightarrow P: \rho \in^R \mathbb{F}$
  262. \item[7.] $V, P$: output the folded LCCCS instance $(C', u', \mathsf{x}', r_x', v_1', \ldots, v_t')$, where $\forall i \in [t]$:
  263. \begin{align*}
  264. C' &\leftarrow C_1 + \rho \cdot C_2\\
  265. u' &\leftarrow u + \rho \cdot 1\\
  266. \mathsf{x}' &\leftarrow \mathsf{x}_1 + \rho \cdot \mathsf{x}_2\\
  267. v_i' &\leftarrow \sigma_i + \rho \cdot \theta_i
  268. \end{align*}
  269. \item[8.] $P$: output folded witness and the folded $r_w'$:
  270. \begin{align*}
  271. \widetilde{w}' &\leftarrow \widetilde{w}_1 + \rho \cdot \widetilde{w}_2\\
  272. r_w' &\leftarrow r_{w_1} + \rho \cdot r_{w_2}
  273. \end{align*}
  274. \end{enumerate}
  275. \end{tiny}
  276. \end{frame}
  277. \section[Wrappup]{Wrappup}
  278. \begin{frame}{Mysteries \& unsolved things}
  279. \begin{itemize}
  280. \item how HyperNova compares to Protostar
  281. \item prover knows the full witness [TODO update/rm this]
  282. \end{itemize}
  283. [TODO WIP section]
  284. \end{frame}
  285. \begin{frame}
  286. \frametitle{Wrappup}
  287. \begin{itemize}
  288. \item HyperNova: \href{https://eprint.iacr.org/2023/573}{https://eprint.iacr.org/2023/573}
  289. \item multifolding PoC on arkworks: \href{https://github.com/privacy-scaling-explorations/multifolding-poc}{github.com/privacy-scaling-explorations/multifolding-poc}
  290. \item PSE hypernova WIP \href{https://github.com/privacy-scaling-explorations/Nova}{github.com/privacy-scaling-explorations/Nova}
  291. \end{itemize}
  292. \vspace{2cm}
  293. \tiny{
  294. $$\text{2023-07-25}$$
  295. $$\text{\href{https://0xparc.org}{0xPARC}}$$
  296. }
  297. \end{frame}
  298. % from Michael
  299. % - Why Nova?
  300. % - Nova's limitations
  301. % - Why Hypernova
  302. % - Hypernova concepts explained to General Technologist (minimal ZK understanding)
  303. % - Final output
  304. %%%%%
  305. % - We used recursive SNARKs to achieve IVC
  306. % - get a proof and prove that it's verification passes, inside another proof
  307. % - Folding: we're not verifying the entire proof
  308. % - we take n proofs and 'batch' them together
  309. % - at the end of the chain of folds, we just prove that the last fold is correct
  310. % - which implies that all the previous folds were correct
  311. % - Random Linear Combination: combine 2 instances together through a random linear comibnation, and the outputted instance will still satisfy the relation
  312. % - Multifolding SumCheck: SumCheck's polynomial work is trivial, most of the cost comes from Poseidon hash in the transcript
  313. \end{document}