Nova and Memory

why can't memory just be treated as part of the input / output

One thing that Nova does not exactly do (but Supernova does?) is supporting VM memory. We can think of memory as part of the state of computation and is abstractly just a vector that is "carried" with the computation.

Is this just making a new row/vector in the R1CS?

A natural design ^[1] for supporting memory that is folding friendly would be the following:

we assume that our memory is a
$k$ -element array
$v = (v_{0}, \dots, v_{k - 1})$ .
we commit the entire memory using KZG commitments. This means we commit to
$v$ with

$c = [p (X)] = \sum_{i = 0}^{k - 1} v_{i} \cdot [L_{i} (X)]$
using some secret point
${[s^{i}]}_{i \in {0, \dots, k - 1}}$ as in KZG.
we define 3 operations on memory, READ, ADD, and WRITE, and make them folding-friendly.

`READ`

First, we describe READ access. Specifically, this means proving that the

i

-th element of array

v

, namely,

v_{i}

, is equal to

y

for some public value

y

. In case of polynomial commitment, it is equivalent to proving that

p (ω^{i}) = y_{i}

The proof for opening at the

i

-th position is computed as

w_{i} = [\frac{p (X) - p (ω^{i})}{X - ω^{i}}] .

And, to verify the correctness of the proof, we simply check that

e ([s] - [ω^{i}], w_{i}) = e (c - [y_{i}], [1]) .

Now, we build an R1CS and define its components. Notice that the verification of evaluation at

ω^{i}

require the involvement of

[s], c, [ω^{i}], [y_{i}], w_{i}

and

[1]

, with no secret elements, so the witness vector is exactly this information.

variable	value
$w$	${(\begin{matrix} [s] & c & [ω^{i}] & [y_{i}] & w_{i} & [1] \end{matrix})}^{T} .$
$A$	$(\begin{matrix} 1 & 0 & - 1 & 0 & 0 & 0 \end{matrix}) .$
$B$	$(\begin{matrix} 0 & 0 & 0 & 0 & 1 & 0 \end{matrix}) .$
$C$	$(\begin{matrix} 0 & 1 & 0 & - 1 & 0 & 0 \end{matrix}) .$

`ADD`

Suppose we want to change

x_{i}

x_{i} + t

. Then we want to commit to a new vector

(x_{0}, \dots, x_{i - 1}, x_{i} + t, x_{i + 1}, \dots, x_{k - 1})

, with commitment

\begin{aligned} c^{'} & = t \cdot [L_{i} (X)] + \sum_{j} x_{j} \cdot [L_{j} (X)] \\ = c + t \cdot [L_{i} (X)] \end{aligned}

Hence, to update

c

c^{'}

, we simply make the addition for

c

and

t \cdot [L_{i} (X)]

`WRITE`

Suppose we want to change

x_{i}

x_{i}^{'}

. We first perform a READ to prove the value of

x_{i}

. Then we set

t = x_{i}^{'} - x_{i}

, and ADD

t

x_{i}

Note that opening a commitment is expensive, so READ is more expensive than ADD.

From Oskar:

Supernova is about supporting different types of F, that correspond to e.g. diff opcodes, like ADD, MUL etc, in a VM. This reduces the prover overhead because an additional opcodes doesn't incur additional cost on the circuit. See https://zkresear.ch/t/towards-a-nova-based-zk-vm/105#supernova-vm-10

I don't think there's any else specific to memory in SuperNova.

More for other doc: It might also be useful to make a distinction between stack vs heap memory since they have diff characteristics

References

Proposal for Handling The Memory of zkVM, https://hackmd.io/vF1jobzsRoubyUASqQG0Zw?both ↩︎

Oskar

2023/06/08 10:03:33

but Supernova does?)

(copy pasted from other doc) Supernova is about supporting different types of F, that correspond to e.g. diff opcodes, like ADD, MUL etc, in a VM. This reduces the prover overhead because an additional opcodes doesn't incur additional cost on the circuit. See https://zkresear.ch/t/towards-a-nova-based-zk-vm/105#supernova-vm-10 I don't think there's any else specific to memory in SuperNova. (Edited)

2023/06/08 10:03:45

It might also be useful to make a distinction between stack vs heap memory since they have different characteristics. (Edited)