# Spartan tl;dr

## Overview

- [Spartan](https://eprint.iacr.org/2019/550.pdf) is a zero-knowledge proving system that is prover-efficient, can operate with any field, and doesn't require a trusted setup.
- To add zero knowledge, Spartan employs the same method used in [Hyrax](https://eprint.iacr.org/2017/1132), with some modifications to make it simple.
- Spartan appears to give us the best problem-solution fit. Its proving time is significantly faster than other zkSNARK counterparts.
- Spartan is based on R1CS, and its implementation allows you to write R1CS with Rust. However, there is a possibility that we can import the R1CS file which Circom outputs into Spartan.

## How Hyrax (and hence Spartan) adds zero-knowledge

- In the Hyrax paper, [there is an explanation of the zk proof of dot product](https://eprint.iacr.org/2017/1132.pdf#page=17) (i.e. homomorphic dot product) using Pedersen commitments and zero-knowledge openings.
- We can use any elliptic curve with Pedersen commitments. Spartan uses curve25519 (with its group ristretto255), but we can certainly use secq256k1.
- Circom allows us to specify any prime field, so we can likely use Circom with secq256k1 and Spartan as the backend.
- The zk proof of dot product only involves Pedersen commitments, hence the predominant calculations in Spartan proving are multi-scalar multiplications.

## Using the Spartan family zkps in privacy applications

There are some unique restrictions when using zkps in privacy applications:

- We have a setup where the verifier is powerful and the prover is weak.
- We want to keep the proof size *somewhat* small, but we can bear a lot more than blockchains. To be precise, the proof should have a size that is manageable with the bandwidth of a client-server setup, and that is likely far greater than the bandwidth of blockchains.


Therefore, if we only care about zk and completely ignore the succinctness of the proofs, we can simply send the zk proof of dot products to the verifier, which will prove that we know a witness that satisfies an R1CS. However, by *compressing* the proof on the prover side, we will need less bandwidth to send the proof.

## Further research

- Understand the [sum-check protocol](http://people.cs.georgetown.edu/jthaler/blogpost.pdf).
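
The zk proof of dot product from the "How Hyrax (and hence Spartan) adds zero-knowledge" section above, as an added example that is not taken from the Spartan or Hyrax code: the prover shows that the value committed in `tau` equals the dot product of a committed vector `x` with a public vector `a`. It assumes a toy 11-bit group standing in for ristretto255 or secq256k1 and a Fiat-Shamir challenge; the generators and all function names are chosen for this example.

```python
import hashlib, secrets

# Toy Schnorr group (constructed for this example, NOT secure): the order-Q
# subgroup of squares mod P stands in for ristretto255 / secq256k1.
P, Q = 2039, 1019                  # P = 2*Q + 1, both prime
G = [4, 9, 25, 49]                 # vector generators g_1..g_n (squares mod P)
G1, H = 121, 169                   # scalar generator g and blinding generator h

def commit_vec(v, r):
    """Pedersen vector commitment h^r * prod g_i^{v_i}: one multi-scalar multiplication."""
    acc = pow(H, r, P)
    for g, s in zip(G, v):
        acc = acc * pow(g, s, P) % P
    return acc

def commit(s, r):
    """Pedersen commitment g^s * h^r to a single scalar."""
    return pow(G1, s, P) * pow(H, r, P) % P

def dot(u, v):
    return sum(i * j for i, j in zip(u, v)) % Q

def challenge(*vals):
    """Fiat-Shamir challenge in [1, Q-1] (hash of the transcript; an assumption here)."""
    digest = hashlib.sha256(repr(vals).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def prove(x, r_xi, y, r_tau, a):
    """Prover: claims y = <x, a> for committed x and y; reveals only blinded responses."""
    xi, tau = commit_vec(x, r_xi), commit(y, r_tau)
    d = [secrets.randbelow(Q) for _ in x]              # random mask for x
    r_delta, r_beta = secrets.randbelow(Q), secrets.randbelow(Q)
    delta, beta = commit_vec(d, r_delta), commit(dot(a, d), r_beta)
    c = challenge(xi, tau, a, delta, beta)
    z = [(c * xj + dj) % Q for xj, dj in zip(x, d)]    # z = c*x + d
    return delta, beta, z, (c * r_xi + r_delta) % Q, (c * r_tau + r_beta) % Q

def verify(xi, tau, a, proof):
    """Verifier: two commitment equations, checked homomorphically."""
    delta, beta, z, z_delta, z_beta = proof
    c = challenge(xi, tau, a, delta, beta)
    ok_vec = pow(xi, c, P) * delta % P == commit_vec(z, z_delta)
    ok_dot = pow(tau, c, P) * beta % P == commit(dot(z, a), z_beta)
    return ok_vec and ok_dot
```

Both verifier checks reduce to exponentiations of commitments, which is why multi-scalar multiplication dominates the cost once the toy group is replaced by a real curve.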