Challenge rounds in Groth16-like system This is a continuation and clarification of my previous post which was a very rough description of a possible scheme of adding lookups (and any other challenge arguments) to Groth16. It generated some traction and comments. Mainly I would like to thank Weikeng Chen who gave me some references on similar approaches (based on LegoSNARK), and confirmed that it should be possible to get rid of all interfacing between different argument systems (which loosely works similar to Pinoccio), instead using a singular Groth16-styled equation. It seems that it is, indeed, possible. I describe the protocol here, and provide a sketch of proof. Let's recall normal Groth16 protocol, first This turned out to be quite long, tbh. Can be skipped, but it makes sense to look on zero-knowledgness / soundness proofs here to make sense of my arguments for the UltraGroth.

yes (sort of) Huge thanks to Lúcás Meier @cronokirby for asking this question. UPDATE: Weikeng Chen has suggested an even simpler version of this approach, which is relative to it in a similar way to how Pinoccio is related to Groth16. This largely deprecates the "Pinoccio" approach. Brief explanation: instead of just separating private and public inputs as in normal Groth16, lets make a more refined separation of witness, by using few elements $\gamma_1, ..., \gamma_n$, and the elements $C_i$ belonging to a subset of a witness will be divided by $\gamma_i$. This will achieve the desired effect of witness commitment separation. So, more precisely, the question asked was "can R1CS support lookups". There is, indeed, a very simple and natural extension of the R1CS language which can support lookups and all sorts of other interesting things. Here, I will describe it, and suggest possible Groth16-style proof system for this language.

Non-coercible voting with MPC operator ln this text, I will propose an efficient non-coercible voting system with MPC process instead of an operator. It is largely motivated by MACI, however, there are also significant differences. Design considerations MACI has the following desirable properties: Soundness Privacy Non-coercibility