FRI is a polynomial commitment scheme which is parameterized by a vector-commitment scheme. In other words, FRI is a compiler that takes a vector-commitment scheme and gives you a polynomial commitment scheme.
Briefly, FRI lets you open a polynomial \(p\) by committing to a vector of evaluations of \(p\), and then commiting to vectors of a bunch of evaluations of a bunch of polynomials related to \(p\), and then opening all these commitments at some random locations.
If your vector-commitment scheme lets you batch openings, then you can batch all the opening proofs required by FRI into a single vector-commitment opening proof, for both prover time and proof-size reductions.
Heretofore, most FRI systems have used Merkle trees for the vector commitment scheme. However, this has a few drawbacks
A nice alternative idea is to use Verkle trees as your vector commitment. Specifically, in the Mina context, we would use a Verkle tree based on our inner-product-argument-based polynomial commitment scheme. In this way, you can use a single inner-product-argument to do all the vector openings required by FRI, which gives a large reduction in proof size and cost of verifying a FRI-proof in a circuit.
Then, one could instantiate PLONK with this IPA-Verkle-tree FRI PCS.
The benefits of this over directly instantiating PLONK with the straight IPA PCS are two:
Say the branching factor of the Verkle tree is \(2^k\). Then using a depth \(d\) Verkle-tree we can commit to polynomials of degree up to \(2^{kd}\) (roughly) with a reference string of size \(2^k\) and IPAs with \(k\) rounds.
On the other-hand, using the IPA PCS directly, you can only commit to polynomials of degree less than \(2^k\). In this way, we can use a small reference string to handle large circuits.
We can put values of whatever field \(\mathbb{F}\) we like in the leaves of the Verkle tree, yielding a FRI-based PCS for polynomials over \(\mathbb{F}\), and ultimately a SNARK for \(\mathbb{F}\) arithmetic. On the other hand, for the IPA PCS, we can only commit to polynomials with coefficients in the scalar field of our chosen elliptic curve.
Thanks to Kostas Chalkias, Harjasleen Malvai, and Bobbin Threadbare for the initial idea.
or
or
By clicking below, you agree to our terms of service.
Sign in with Wallet
New to HackMD? Sign up
| Syntax | Example | Reference | |
|---|---|---|---|
| # Header | Header | 基本排版 | |
| - Unordered List |
|
||
| 1. Ordered List |
|
||
| - [ ] Todo List |
|
||
| > Blockquote | Blockquote |
||
| **Bold font** | Bold font | ||
| *Italics font* | Italics font | ||
| ~~Strikethrough~~ | |||
| 19^th^ | 19th | ||
| H~2~O | H2O | ||
| ++Inserted text++ | Inserted text | ||
| ==Marked text== | Marked text | ||
| [link text](https:// "title") | Link | ||
|  | Image | ||
| `Code` | Code |
在筆記中貼入程式碼 | |
| ```javascript var i = 0; ``` |
|
||
| :smile: |  |
Emoji list | |
| {%youtube youtube_id %} | Externals | ||
| $L^aT_eX$ | LaTeX | ||
| :::info This is a alert area. ::: |
This is a alert area. |
On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?
Please give us some advice and help us improve HackMD.
Do you want to remove this version name and description?
Syncing
-
Any changes
Be notified of any changes
-
Mention me
Be notified of mention me
-
Unsubscribe
Subscribe