diff --git a/slides_sonobe-zkbarcelona.pdf b/slides_sonobe-zkbarcelona.pdf index 0daf1f2..da06ca1 100644 Binary files a/slides_sonobe-zkbarcelona.pdf and b/slides_sonobe-zkbarcelona.pdf differ diff --git a/slides_sonobe-zkbarcelona.tex b/slides_sonobe-zkbarcelona.tex index 1bbea3b..1ff67b5 100644 --- a/slides_sonobe-zkbarcelona.tex +++ b/slides_sonobe-zkbarcelona.tex @@ -89,17 +89,16 @@ \end{frame} -\section[Preliminaries]{Preliminaries} -\begin{frame}{Homomorphic commitments} - [TODO] Homomorphic commitment definition - +\section[Folding]{Folding} +\begin{frame}{Homomorphic commitments and RLC} + We rely on homomorphic commitments\\ ie. Pedersen commitments\\ Let $g \in \mathbb{G}^n,~ v \in \mathbb{F}_r^n$,\\ $$Com(v) = \langle g, v \rangle =g_1 \cdot v_1 + g_2 \cdot v_2 + \ldots + g_n \cdot v_n$$ % \pause - RLC\\ + RLC:\\ Let $v_1, v_2 \in \mathbb{F}_r^n$, set $cm_1 = Com(v_1),~ cm_2=Com(v_2)$. \\then, \begin{align*} @@ -111,7 +110,6 @@ \end{frame} -\section[Folding]{Folding} \begin{frame}{Relaxed R1CS} R1CS instance: $(\{A, B, C\} \in \mathbb{F}^{n \times n},~ io,~ n,~ l)$, such that for $z=(io \in \mathbb{F}^l, 1, w \in \mathbb{F}^{n-l-1}) \in \mathbb{F}^n$, @@ -130,13 +128,16 @@ for $u \in \mathbb{F},~~ E \in \mathbb{F}^n$. Committed Relaxed R1CS instance: $CI = (\overline{E}, u, \overline{W}, x)$\\ Witness of the instance: $WI=(E, W)$ +\vspace{0.5cm} +\footnotesize{(We don't have time for it now, but there is a simple reasoning for the RelaxedR1CS usage explained in Nova paper)} + \end{frame} \begin{frame}{NIFS - Non Interactive Folding Scheme} \scriptsize{ \begin{align*} - CI_1 &=(\overline{E}_1, u_1, \overline{W}_1, x_1) ~~~~~~WI_1=(E_1, W_1)\\ + CI_1 &=(\overline{E}_1 \in \mathbb{G}, u_1 \in \mathbb{F}, \overline{W}_1 \in \mathbb{G}, x_1 \in \mathbb{F}^n) ~~~~~~WI_1=(E_1 \in \mathbb{F}^n, W_1 \in \mathbb{F}^n)\\ CI_2 &=(\overline{E}_2, u_2, \overline{W}_2, x_2) ~~~~~~WI_2=(E_2, W_2) \end{align*} where $\overline{V}=Com(V)$ 
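Review bot: On the new "Homomorphic commitments and RLC" frame, `Com(v) = \langle g, v \rangle` has no blinding term, so the scheme as written is additively homomorphic and binding (for independently chosen generators) but not hiding, although the line above calls it a Pedersen commitment. If the talk does not rely on hiding, say so on the slide, e.g. `(blinding term $r \cdot h$ omitted: binding, not hiding)`; otherwise write `Com(v; r) = \langle g, v \rangle + r \cdot h`. The same frame uses $v_1, v_2$ first for the coordinates of $v$ and then, under `RLC:`, for two vectors in $\mathbb{F}_r^n$, so one of the two should be renamed. The frame continues past the end of this hunk.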
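Review bot: The types added to `CI_1` and `WI_1` in the NIFS frame (hunk `@@ -130,13 +128,16 @@`) disagree with the Relaxed R1CS frame just before it, which has $io \in \mathbb{F}^l$ and $w \in \mathbb{F}^{n-l-1}$, while the new line gives `x_1 \in \mathbb{F}^n` and `W_1 \in \mathbb{F}^n`. If $x$ is the public io and $W$ the witness part of $z$, the line should read `x_1 \in \mathbb{F}^l` and `W_1 \in \mathbb{F}^{n-l-1}`; only `E_1 \in \mathbb{F}^n` matches the `E \in \mathbb{F}^n` stated above. Separately, `\footnotesize` is a declaration and not a one-argument command, so the added remark is better written as `{\footnotesize (We don't have time ...)}` to keep the size change scoped.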
@@ -186,7 +187,7 @@ New folded witness: $(E, W)$ \small{ F':\\ - i) execute a step of the incremental computation, $z_i+1 = F(z_i)$\\ + i) execute a step of the incremental computation, $z_{i+1} = F(z_i)$\\ ii) invoke the NIFS.V to fold $U_i, u_i$ into $U_{i+1}$\\ iii) other checks to ensure that the IVC is done properly } @@ -288,6 +289,29 @@ New folded witness: $(E, W)$ \end{frame} \begin{frame}{Code example} + [show code with a live demo] + \vspace{0.5cm} + + Some numbers (still optimizations pending): + \begin{itemize} + \item AugmentedFCircuit: $\sim 80k$ R1CS constraints + \item DeciderEthCircuit: $\sim 9.6M$ R1CS constraints + \begin{itemize} + \item $<3$ minutes in a 32GB RAM 16 core laptop + \end{itemize} + \item gas costs (DeciderEthCircuit proof): $\sim 800k$ gas + \begin{itemize} + \item mostly from G16, KZG10, public inputs processing + \item will be reduced by hashing the public inputs + \item expect to get it down to $< 600k$ gas. + \end{itemize} + \end{itemize} + + \vspace{0.3cm} + +Recall, this proof is proving that applying $n$ times the function $F$ (the circuit that we're folding) to an initial state $z_0$ results in the state $z_n$. +\\In Srinath Setty words, you can prove practically unbounded computation onchain by 800k gas (and soon $< 600k$). + \end{frame} @@ -299,7 +323,9 @@ New folded witness: $(E, W)$ \item \href{https://privacy-scaling-explorations.github.io/sonobe-docs/}{https://privacy-scaling-explorations.github.io/sonobe-docs/} \end{itemize} +\begin{center} \includegraphics[width=4cm]{qr-sonobe-repo-link} +\end{center} \tiny{ $$\text{2024-04-22}$$
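Review bot: In the new "Code example" frame (hunk `@@ -288,6 +289,29 @@`), the bullet `will be reduced by hashing the public inputs` omits the condition that keeps the on-chain check meaningful. The "Recall" sentence says the proof is about $z_0$, $z_n$ and the step count $n$, so the hash presumably has to cover all of them and be tied to the values the caller supplies. A sub-item such as `\item the hash must commit to all of $z_0, z_n, n$` would state that. The `$<3$ minutes` bullet also does not say what was timed; if it is Decider proof generation, write `\item proving time $<3$ minutes on a 16-core, 32GB RAM laptop`.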