Compressed SNARK description

High-level

Traits

We add a BatchedRelaxedR1CSSNARKTrait which generalizes the existing RelaxedR1CSSNARKTrait in src/traits/snark.rs. The main difference is that the setup, prove and verify methods take as inputs slices of:

- R1CS shapes S
- Relaxed R1CS instances U
- Relaxed R1CS witnesses W

We also implement a CompressedSNARK proof for the SuperNova RecursiveSNARK. The main differences with the original are:

- We initialize the instance/witness pairs for non-folded primary circuits to their default values.
- The primary circuits are proved using an implementation of BatchedRelaxedR1CSSNARK.

In src/spartan, we implement batched versions of snark.rs and pp_snark.rs in batched.rs and batched_ppsnark.rs.
The BatchedRelaxedR1CSSNARK structs in both cases resemble their non-batched counterparts, except that fields containing commitments or evaluations are replaced with vectors of the same elements. The Sumcheck and PCS proofs are batched, so their count remains constant with regard to the number of instances.

The proving/verification keys are also mainly the same, apart from having to store parameters for each individual circuit being proved.

Batching Strategy

The implementation attempts to mirror the existing SNARK and pp-SNARK as much as possible.

In the "IOP" portion of the protocol, where the prover sends commitments to polynomials or evaluations thereof, and the verifier responds with challenges, we simply repeat this step for each instance. The prover messages are added to the transcript in batches, and stored in the proof as vectors.

The Sumcheck claims are set up slightly differently to account for circuits of different sizes. In particular, when a claim of size $m$ is batched in a Sumcheck over $n \geq m$ rounds, we create separate EqPolynomials for each instance. Given a single random challenge $r$, we use the first $m$ components of $\vec{r} = (r, r^{2}, r^{4}, \dots, r^{2^{n - 1}})$ to define the EqPolynomial for a claim over $m$ variables. This ensures all polynomials within a claim have the same size. We explain in the next section how we modified Sumcheck to handle multiple claims of possibly different sizes.
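A minimal sketch of this derivation, for illustration only. The modulus `P` and the helper names `squares` and `eq_evals` are assumptions made for this example and are not the crate's API; the sketch also assumes the first component of $\vec{r}$ is $r^{2^{0}} = r$.

```python
P = 2**61 - 1  # illustrative prime modulus (assumption, not the curve's scalar field)

def squares(r, n):
    """Return (r, r^2, r^4, ..., r^(2^(n-1))) mod P."""
    out, cur = [], r % P
    for _ in range(n):
        out.append(cur)
        cur = cur * cur % P
    return out

def eq_evals(point):
    """Table of eq(point, x) for all x in {0,1}^len(point).

    point[0] corresponds to the most significant bit of the table index.
    """
    evals = [1]
    for ri in point:
        evals = [e * t % P for e in evals for t in ((1 - ri) % P, ri % P)]
    return evals

n, m = 4, 2
r_vec = squares(3, n)          # one challenge r = 3 expanded to n components
eq_m = eq_evals(r_vec[:m])     # table of size 2^m for a claim over m variables
```

Every claim derives its table from a prefix of the same vector, so a single challenge is enough regardless of how many distinct sizes are batched.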

Since the original SNARKs already implement batching of MLE evaluations, we are able to reuse the code to batch all polynomials across the several instances. We explain the subtleties of the batching argument for the ppSNARK in a later section.

Batched Sumcheck

Multiple Sumcheck claims can be batched together by running the protocol over a random-linear combination of the input claims. The existing implementation of ppSNARK already includes this functionality, though we augmented it to handle instances defined over fewer variables.

A Sumcheck instance implements the SumcheckEngine trait. It may be composed of multiple independent claims of the type

$$σ_{j} = \sum_{\vec{x} \in \{0, 1\}^{n}} F_{j} (P_{0} (\vec{x}), P_{1} (\vec{x}), \dots),$$

where $F_{j}$ is a multivariate polynomial of degree $\leq d$, and $P_{0}, P_{1}, \dots$ are multi-linear polynomials in $n$ variables.

In rounds $i = 0, 1, \dots, n - 1$, after receiving challenges $\vec{r} = (r_{0}, \dots, r_{i - 1})$, the prover computes for each claim $j$ the evaluations at $X_{i} = 0, 2, \dots, d$ of the univariate polynomial

$$S_{j} (X_{i}) = \sum_{\vec{x} \in \{0, 1\}^{n - i - 1}} F_{j} (P_{0} (\vec{r}, X_{i}, \vec{x}), P_{1} (\vec{r}, X_{i}, \vec{x}), \dots).$$

The prover sends the random linear combination of all univariate polynomials $S_{j} (X_{i})$ and obtains the Fiat-Shamir challenge $r_{i}$, which is used to bind the variable $X_{i}$ of the multilinear polynomials $P_{0}, P_{1}, \dots$.

After the $n$-th round, the prover sends $v_{0}, v_{1}, \dots$, equal to the multi-linear evaluations of $P_{0}, P_{1}, \dots$ at $\vec{r} = (r_{0}, \dots, r_{n - 1})$.
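As an illustration of a single round, the sketch below computes the evaluations of $S (X)$ at $X = 0, 2, \dots, d$ and recovers $S (1)$ from the current claim. It assumes the combination function is the product of the polynomials, and the names `round_evals` and `with_s1` as well as the modulus `P` are hypothetical.

```python
P = 2**61 - 1  # illustrative prime modulus (assumption)

def round_evals(polys, d):
    """Evaluations at X = 0, 2, ..., d of S(X) = sum_x prod_l P_l(X, x).

    Each table lists evaluations over the hypercube, with the variable
    being bound stored as the most significant index bit.
    """
    h = len(polys[0]) // 2
    out = []
    for X in [0] + list(range(2, d + 1)):
        total = 0
        for k in range(h):
            term = 1
            for p in polys:
                # P_l(X, x) = (1 - X) * P_l(0, x) + X * P_l(1, x)
                term = term * (p[k] + X * (p[h + k] - p[k])) % P
            total += term
        out.append(total % P)
    return out

def with_s1(evals, claim):
    """Recover S(1) = claim - S(0) and return the evaluations at 0, 1, ..., d."""
    return [evals[0], (claim - evals[0]) % P] + evals[1:]

p0, p1 = [1, 2, 3, 4], [5, 6, 7, 8]
claim = sum(a * b for a, b in zip(p0, p1)) % P   # 70
sent = round_evals([p0, p1], d=2)                # evaluations at X = 0 and X = 2
full = with_s1(sent, claim)                      # evaluations at X = 0, 1, 2
```

Because $S (0) + S (1)$ must equal the current claim, the evaluation at $X = 1$ never needs to be computed or sent explicitly.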

Non-uniform instances

We can use the same Sumcheck instantiation to batch instances of different sizes.
Let $m < n$ be the number of variables for the instance

$$σ = \sum_{\vec{x} \in \{0, 1\}^{m}} F (P_{0} (\vec{x}), P_{1} (\vec{x}), \dots),$$

where $P_{0}, P_{1}, \dots$ are multi-linear polynomials over $m$ variables.

We can prove this claim with an $n$-round Sumcheck by considering the equivalent scaled instance

$$\underbrace{2^{n - m} \cdot σ}_{σ'} = \sum_{\vec{x}' \in \{0, 1\}^{n - m}} \sum_{\vec{x} \in \{0, 1\}^{m}} F (P_{0} (\vec{x}), P_{1} (\vec{x}), \dots) .$$

Here, we "lift" the $m$-variate polynomials $P_{0}, P_{1}, \dots$ to $n$ variables $(X_{0}, \dots, X_{n - 1})$ by evaluating them over $(X_{n - m}, \dots, X_{n - 1})$.

In rounds $0 \leq i < n - m$, the univariate polynomial $S (X_{i})$ is constant and given by

$$S (X_{i}) = \sum_{\vec{x}' \in \{0, 1\}^{n - m - i - 1}} \sum_{\vec{x} \in \{0, 1\}^{m}} F (P_{0} (\vec{x}), P_{1} (\vec{x}), \dots) \equiv 2^{n - m - i - 1} \cdot σ .$$

Given the initial claim $σ$, the prover produces the evaluations of $S (X_{i})$ without having to perform any work.
Moreover, binding the polynomials $P_{0}, P_{1}, \dots$ to $r_{i}$ has no effect, so we do not need to update the list of evaluations.

Once the prover reaches rounds $n - m \leq i < n$, the protocol proceeds as usual. We note though that in the final phase, the prover sends the evaluations $v_{0}, v_{1}, \dots$ of the polynomials $P_{0}, P_{1}, \dots$ at $\vec{r} = (r_{n - m}, \dots, r_{n - 1})$.
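The scaling argument can be checked numerically. The sketch below assumes $F$ is the product of two polynomials; the helper names (`claim`, `lift`, `skip_rounds`) and the modulus `P` are hypothetical.

```python
P = 2**61 - 1  # illustrative prime modulus (assumption)

def claim(p0, p1):
    """sigma = sum_x P_0(x) * P_1(x) over the hypercube."""
    return sum(a * b for a, b in zip(p0, p1)) % P

def lift(p, n):
    """Table of an m-variate polynomial seen as n-variate.

    The polynomial ignores X_0, ..., X_{n-m-1} (the most significant index
    bits), so its table is repeated 2^(n-m) times.
    """
    return p * (2**n // len(p))

def skip_rounds(sigma, n, m):
    """Run the first n - m rounds, in which S(X_i) is the constant 2^(n-m-i-1) * sigma."""
    e = pow(2, n - m, P) * sigma % P              # scaled claim sigma'
    for i in range(n - m):
        s = pow(2, n - m - i - 1, P) * sigma % P  # constant value of S(X_i)
        assert (s + s) % P == e                   # verifier check S(0) + S(1) = e_i
        e = s                                     # S(r_i) = s for any challenge r_i
    return e                                      # claim entering round n - m

p0, p1 = [1, 2, 3, 4], [5, 6, 7, 8]               # m = 2
sigma = claim(p0, p1)
scaled = claim(lift(p0, 5), lift(p1, 5))          # brute-force sum over n = 5 variables
remaining = skip_rounds(sigma, n=5, m=2)
```

After the $n - m$ constant rounds, the running claim is back to the unscaled $σ$, so the remaining $m$ rounds are an ordinary Sumcheck over the original tables.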

Implementation

In order to minimize the number of changes to the existing ppsnark.rs code, we implemented the above technique by recreating a prove_helper method which handles batching of multiple instances of different sizes. Our changes are compatible with the existing instances implementing the SumcheckEngine trait.

The prove_helper function takes as input multiple SumcheckEngine implementations, each of which contains one or more independent claims. These claims hold over multilinear polynomials of the same size contained in the instance struct. It is assumed that all instances have degree 3. We let $n$ be the total number of Sumcheck rounds.

Let $I = \{I_{j}\}_{j}$ be a set of instances, where $I_{j}$ is defined by:

- Number of variables $m_{j}$
- Multi-linear polynomials $\{P_{j, ℓ}\}_{ℓ}$ over variables $(X_{n - m_{j}}, \dots, X_{n - 1})$
- Initial claims $\vec{σ}_{j} = \{σ_{j, k}\}_{k}$
- Combination functions $\{F_{j, k}\}_{k}$

For each instance at index $j$ and each sub-claim at index $k$, it holds that

$$σ_{j, k} = \sum_{\vec{x} \in \{0, 1\}^{m_{j}}} F_{j, k} (P_{j, 0} (\vec{x}), P_{j, 1} (\vec{x}), \dots) .$$

At the start of the protocol, the verifier sends a challenge $s$ used for the random linear combination of claims. For notational simplicity, we define $s_{j, k}$ as the power of $s$ corresponding to the claim $σ_{j, k}$. The full batched claim is given by

$$\sum_{j, k} s_{j, k} \cdot 2^{n - m_{j}} \cdot σ_{j, k} = \sum_{j, k} s_{j, k} \left( \sum_{\vec{x}' \in \{0, 1\}^{n - m_{j}}} \sum_{\vec{x} \in \{0, 1\}^{m_{j}}} F_{j, k} (P_{j, 0} (\vec{x}), P_{j, 1} (\vec{x}), \dots) \right) .$$

- Get $s \in \mathbb{F}$ from the verifier
- Set the initial batched scaled claim $e_{0} = \sum_{j, k} s_{j, k} \cdot 2^{n - m_{j}} \cdot σ_{j, k}$
- For rounds $0 \leq i < n$:
  1. Let $\vec{r} = (r_{0}, \dots, r_{i - 1})$ be the verifier challenges from the previous rounds
  2. For each claim $k$ in instance $j$, compute the univariate polynomial $S_{j, k}^{(i)} (X_{i})$
     - If $m_{j} < n - i$, set $S_{j, k}^{(i)} (X_{i}) \equiv 2^{n - i - m_{j} - 1} \cdot σ_{j, k}$
     - Otherwise, compute it the usual way by evaluating the sum $\sum_{\vec{x} \in \{0, 1\}^{n - i - 1}} F_{j, k} (P_{j, 0} (\vec{r}, X_{i}, \vec{x}), P_{j, 1} (\vec{r}, X_{i}, \vec{x}), \dots)$ at $X_{i} = 0, 2, 3$
  3. Compute the batched univariate polynomial $S^{(i)} (X_{i}) = \sum_{j, k} s_{j, k} \cdot S_{j, k}^{(i)} (X_{i})$, noting that $S^{(i)} (1) = e_{i} - S^{(i)} (0)$
  4. Send $S^{(i)} (X_{i})$ to the verifier (the linear coefficient is removed to save on hashing costs) and get challenge $r_{i}$
  5. Compute the next batched claimed sum $e_{i + 1} = S^{(i)} (r_{i})$
  6. For each instance $j$, bind all polynomials $\{P_{j, ℓ}\}_{ℓ}$ to $X_{i} = r_{i}$
     - If $m_{j} < n - i$, then $X_{i}$ is not a variable of the polynomial $P_{j, ℓ}$, so do nothing
     - Else compute the $2^{n - i - 1}$ evaluations of the multilinear polynomial $P_{j, ℓ} (r_{n - m_{j}}, \dots, r_{i}, X_{i + 1}, \dots, X_{n - 1})$ in $n - i - 1$ variables
- At the end of the protocol, send to the verifier the evaluations $\{v_{j, ℓ}\}_{j, ℓ}$ for each polynomial at index $ℓ$ of the instance $j$, where $v_{j, ℓ} = P_{j, ℓ} (r_{n - m_{j}}, \dots, r_{n - 1})$

The SumcheckProof::verify_batch algorithm only considers the flattened list of claims:

- Sample batching challenge $s$
- Compute batched scaled claim $e_{0} = \sum_{j, k} s_{j, k} \cdot 2^{n - m_{j}} \cdot σ_{j, k}$
- For rounds $0 \leq i < n$:
  1. Get $S^{(i)} (X_{i})$ from the prover, recomputing the linear term using the relation $S^{(i)} (0) + S^{(i)} (1) = e_{i}$
  2. Sample round challenge $r_{i}$
  3. Evaluate $e_{i + 1} = S^{(i)} (r_{i})$
- Receive evaluations $\{v_{j, ℓ}\}$ from the prover
  - Note that for polynomials like $eq$ or $pow$ appearing in one of the claims at index $j$, the verifier computes them manually over $(r_{n - m_{j}}, \dots, r_{n - 1})$
- Check that $e_{n} = \sum_{j, k} s_{j, k} \cdot F_{j, k} (v_{j, 0}, v_{j, 1}, \dots)$
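The prover and verifier steps above can be sketched end to end. This is a toy model, not the prove_helper or verify_batch code. It makes the following assumptions: one claim per instance, the combination function is the product of the instance's polynomials (degree at most 3), and the prover sends all evaluations at $X = 0, \dots, 3$ instead of dropping the linear coefficient. Challenges come from a seeded RNG rather than a transcript, and the final evaluations are taken on trust. All names and the modulus `P` are hypothetical.

```python
import random

P = 2**61 - 1   # illustrative prime field modulus (assumption)
DEG = 3         # all claims are assumed to have degree at most 3

def prod(vals):
    out = 1
    for v in vals:
        out = out * v % P
    return out

def bind(table, r):
    """Fix the first (most significant) variable of a multilinear table to r."""
    h = len(table) // 2
    return [(table[k] + r * (table[h + k] - table[k])) % P for k in range(h)]

def round_poly(polys):
    """Evaluations at X = 0..DEG of S(X) = sum_x prod_l P_l(X, x)."""
    h = len(polys[0]) // 2
    return [sum(prod(p[k] + X * (p[h + k] - p[k]) for p in polys)
                for k in range(h)) % P for X in range(DEG + 1)]

def interpolate(evals, r):
    """Evaluate at r the degree <= DEG polynomial taking values evals at 0..DEG."""
    total = 0
    for a, ya in enumerate(evals):
        num = den = 1
        for b in range(len(evals)):
            if b != a:
                num, den = num * (r - b) % P, den * (a - b) % P
        total += ya * num * pow(den, P - 2, P)
    return total % P

def coeffs_and_claim(sigmas, ms, s, n):
    """Powers of s and the batched scaled claim e_0."""
    coeffs = [pow(s, j, P) for j in range(len(sigmas))]
    e0 = sum(c * pow(2, n - m, P) * sig for c, m, sig in zip(coeffs, ms, sigmas)) % P
    return coeffs, e0

def prove(instances, sigmas, s, n, rng):
    polys = [[list(t) for t in inst] for inst in instances]
    ms = [len(inst[0]).bit_length() - 1 for inst in instances]
    coeffs, _ = coeffs_and_claim(sigmas, ms, s, n)
    transcript, challenges = [], []
    for i in range(n):
        batched = [0] * (DEG + 1)
        for j, m in enumerate(ms):
            if m < n - i:   # X_i is not a variable of instance j: constant polynomial
                sj = [pow(2, n - i - m - 1, P) * sigmas[j] % P] * (DEG + 1)
            else:
                sj = round_poly(polys[j])
            batched = [(b + coeffs[j] * v) % P for b, v in zip(batched, sj)]
        r = rng.randrange(P)   # stand-in for the Fiat-Shamir challenge r_i
        transcript.append(batched)
        challenges.append(r)
        for j, m in enumerate(ms):
            if m >= n - i:     # only bind instances that depend on X_i
                polys[j] = [bind(t, r) for t in polys[j]]
    finals = [[t[0] for t in inst] for inst in polys]
    return ms, transcript, challenges, finals

def verify(sigmas, ms, s, n, transcript, challenges, finals):
    coeffs, e = coeffs_and_claim(sigmas, ms, s, n)
    for evals, r in zip(transcript, challenges):
        if (evals[0] + evals[1]) % P != e:   # S(0) + S(1) = e_i
            return False
        e = interpolate(evals, r)            # e_{i+1} = S(r_i)
    return e == sum(c * prod(v) for c, v in zip(coeffs, finals)) % P

def claim(inst):
    return sum(prod(p[k] for p in inst) for k in range(len(inst[0]))) % P

a = [[1, 2, 3, 4, 5, 6, 7, 8], [2, 3, 4, 5, 6, 7, 8, 9], [1, 1, 1, 1, 2, 2, 2, 2]]  # m = 3
b = [[3, 1, 4, 1], [5, 9, 2, 6]]                                                    # m = 2
sigmas = [claim(a), claim(b)]
rng = random.Random(0)
s = rng.randrange(1, P)
ms, transcript, challenges, finals = prove([a, b], sigmas, s, 3, rng)
accepted = verify(sigmas, ms, s, 3, transcript, challenges, finals)
```

In this sketch the smaller instance costs the prover nothing in round 0, and its tables are only touched from round $n - m_{j}$ onwards.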

If the verifier accepts the final check, it must then check that all polynomial evaluations are correct.

Note that this batching technique implemented in the ppSNARK's prove_helper method was also ported to the prove_quad_batch and prove_cubic_with_additive_term_batch methods of spartan::sumcheck::SumcheckProof.

Batched PCS

At the start of the protocol, the prover will have computed commitments to polynomials $\{P_{j, ℓ}\}_{j, ℓ}$, where $P_{j, ℓ}$ is defined over $m_{j}$ variables. Again we let $n = \max_{j} \{m_{j}\}$ be the maximum number of variables.

We assume the PCS supports opening multilinear polynomials over $n$ variables. Such a polynomial is represented in memory by its list of evaluations $[P_{i}]_{i = 0}^{2^{n} - 1}$, which yields the expression

$$P (X_{0}, \dots, X_{n - 1}) = \sum_{i = 0}^{2^{n} - 1} P_{i} \cdot L_{i} (X_{0}, \dots, X_{n - 1}) .$$

We commit to this polynomial by computing the MSM with the commitment key base points $[G_{i}]_{i = 0}^{2^{n} - 1}$. That is,

$$C = \sum_{i = 0}^{2^{n} - 1} P_{i} \cdot G_{i} .$$

If a polynomial is defined over $m < n$ variables, it has $2^{m}$ evaluations $[P_{i}]_{i = 0}^{2^{m} - 1}$. When committing to it, we interpret the evaluations at indices $2^{m} \leq i < 2^{n}$ as zeros so that

$$C = \sum_{i = 0}^{2^{n} - 1} P_{i} \cdot G_{i} = \sum_{i = 0}^{2^{m} - 1} P_{i} \cdot G_{i} .$$

This interpretation allows us to compute the MSM using only $O (2^{m})$ group operations.
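A toy check of this equality, with the additive group of integers modulo `Q` standing in for the elliptic-curve group. The "base points" are random integers, and `commit` is a hypothetical helper, not the crate's commitment API.

```python
import random

Q = 2**61 - 1   # order of a toy additive group Z_Q (assumption, stands in for the curve group)

def commit(evals, bases):
    """Toy MSM: sum_i evals[i] * bases[i]; zip stops after len(evals) terms."""
    return sum(e * g for e, g in zip(evals, bases)) % Q

rng = random.Random(1)
n, m = 4, 2
bases = [rng.randrange(1, Q) for _ in range(2**n)]   # hypothetical commitment key
p = [7, 1, 8, 2]                                     # 2^m evaluations
padded = p + [0] * (2**n - 2**m)                     # same polynomial, zero-padded to 2^n

short_commitment = commit(p, bases)        # touches only the first 2^m base points
padded_commitment = commit(padded, bases)  # touches all 2^n base points
```

Both calls produce the same commitment, so the prover never needs to materialize the zero padding.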

Effectively, we have committed to the polynomial

$$P' (X_{0}, \dots, X_{n - 1}) = L_{0} (X_{0}, \dots, X_{n - m - 1}) \cdot \sum_{i = 0}^{2^{m} - 1} P_{i} \cdot L_{i} (X_{n - m}, \dots, X_{n - 1}) .$$

During Sumcheck though, for a polynomial defined over $m < n$ variables, we receive evaluations

$$v = P (r_{n - m}, \dots, r_{n - 1}) = \sum_{i = 0}^{2^{m} - 1} P_{i} \cdot L_{i} (r_{n - m}, \dots, r_{n - 1}) .$$

In order to open $v$ using the commitment $C$, we need to transform $v$ into an evaluation $v'$ for the polynomial $P'$:

$$v' = L_{0} (r_{0}, \dots, r_{n - m - 1}) \cdot v = P' (r_{0}, \dots, r_{n - 1}) .$$
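The relation between $v$ and $v'$ can be verified numerically. The sketch assumes that $X_{0}$ is the most significant bit of the table index, so that zero-padding a table to length $2^{n}$ multiplies its MLE by $L_{0} (X_{0}, \dots, X_{n - m - 1}) = \prod_{i} (1 - X_{i})$. The names `mle_eval` and `lift_eval` are hypothetical.

```python
P = 2**61 - 1  # illustrative prime modulus (assumption)

def mle_eval(table, point):
    """Evaluate the MLE of `table` at `point`; point[0] is the most significant index bit."""
    for r in point:
        h = len(table) // 2
        table = [(table[k] + r * (table[h + k] - table[k])) % P for k in range(h)]
    return table[0]

def lift_eval(v, point, m):
    """v' = L_0(r_0, ..., r_{n-m-1}) * v, where L_0 = prod_i (1 - r_i)."""
    l0 = 1
    for r in point[:len(point) - m]:
        l0 = l0 * (1 - r) % P
    return l0 * v % P

n, m = 4, 2
p = [7, 1, 8, 2]                       # evaluations of an m-variate polynomial
padded = p + [0] * (2**n - 2**m)       # table of P' over n variables
r = [11, 22, 33, 44]                   # arbitrary evaluation point
v = mle_eval(p, r[n - m:])             # what Sumcheck outputs
v_lifted = lift_eval(v, r, m)          # what the PCS opening needs
```

Here `v_lifted` agrees with a direct evaluation of the padded table at the full point `r`, which is the value the commitment $C$ can actually be opened to.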

Implementation

Given the evaluations $v_{j, ℓ}$ provided by the Sumcheck prover, both parties compute a batched PCS evaluation instance $u = (C, (r_{0}, \dots, r_{n - 1}), v)$ and the prover computes the witness polynomial $w = P (X_{0}, \dots, X_{n - 1})$, such that:

- $P (r_{0}, \dots, r_{n - 1}) = v$
- $\mathrm{Commit} (P) = C$

- The verifier samples batching challenge $c \in \mathbb{F}$, and both parties compute the powers $\{s_{j, ℓ}\}$ of $c$
- For each instance $j$ and each polynomial index $ℓ$
  - $v_{j, ℓ}' = L_{0} (r_{0}, \dots, r_{n - m_{j} - 1}) \cdot v_{j, ℓ}$
- Compute batched instance values
  - $C = \sum_{j, ℓ} s_{j, ℓ} \cdot C_{j, ℓ}$
  - $v = \sum_{j, ℓ} s_{j, ℓ} \cdot v_{j, ℓ}'$
- The prover computes $P (X_{0}, \dots, X_{n - 1}) = \sum_{j, ℓ} s_{j, ℓ} \cdot P_{j, ℓ}' (X_{0}, \dots, X_{n - 1})$, where the individual polynomials $P_{j, ℓ}'$ are interpreted as a list of the first $2^{m_{j}}$ evaluations over the $n$-dimensional hypercube.
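The batching steps can be sketched as follows, using a toy additive group modulo `P` for commitments and a flat index $j$ in place of the pair $(j, ℓ)$. The helpers `commit`, `mle_eval`, `batch_instance` and `batch_witness` are hypothetical names chosen for this illustration.

```python
import random

P = 2**61 - 1  # illustrative modulus, used for both the field and the toy group (assumption)

def commit(evals, bases):
    """Toy MSM over the additive group Z_P; only len(evals) base points are used."""
    return sum(e * g for e, g in zip(evals, bases)) % P

def mle_eval(table, point):
    """Evaluate the MLE of `table` at `point`; point[0] is the most significant index bit."""
    for r in point:
        h = len(table) // 2
        table = [(table[k] + r * (table[h + k] - table[k])) % P for k in range(h)]
    return table[0]

def batch_instance(comms, evals, ms, r, c):
    """Both parties: fold every (C_j, v_j) into a single (C, v) over n = len(r) variables."""
    n = len(r)
    C = v = 0
    for j, (Cj, vj, m) in enumerate(zip(comms, evals, ms)):
        s = pow(c, j, P)
        l0 = 1
        for ri in r[:n - m]:               # L_0(r_0, ..., r_{n-m-1})
            l0 = l0 * (1 - ri) % P
        C = (C + s * Cj) % P
        v = (v + s * l0 * vj) % P
    return C, v

def batch_witness(polys, n, c):
    """Prover: P = sum_j c^j * P'_j, each table being implicitly zero-padded to 2^n."""
    out = [0] * 2**n
    for j, p in enumerate(polys):
        s = pow(c, j, P)
        for k, pk in enumerate(p):
            out[k] = (out[k] + s * pk) % P
    return out

rng = random.Random(2)
n = 4
polys = [[7, 1, 8, 2], list(range(1, 17))]            # m_0 = 2, m_1 = 4
ms = [2, 4]
bases = [rng.randrange(1, P) for _ in range(2**n)]    # hypothetical commitment key
r = [rng.randrange(P) for _ in range(n)]              # point output by Sumcheck
comms = [commit(p, bases) for p in polys]
evals = [mle_eval(p, r[n - m:]) for p, m in zip(polys, ms)]
c = rng.randrange(1, P)
C, v = batch_instance(comms, evals, ms, r, c)
w = batch_witness(polys, n, c)
```

By linearity of both the commitment and the evaluation, the batched witness `w` commits to `C` and evaluates to `v` at `r`, which is the single instance handed to the PCS opening argument.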

Batched Sumcheck PCS Reduction

In the non-pre-processing SNARK, the verifier needs to verify the evaluations of multiple multi-linear polynomials at various points defined by the inner and outer Sumcheck instances. Unfortunately, the polynomial commitment schemes only support batching of evaluations for polynomials opened at the same point.

Since the creation of the opening argument is expensive, the original implementation uses a specialized Sumcheck argument to reduce each evaluation to an evaluation at a common point. All of these can be batched via random linear combination so that only a single PCS opening argument needs to be created.

Let $n$ be the maximum number of variables over all polynomials being opened. Let $[((C_{i}, e_{i}, \vec{x}_{i}, n_{i}), P_{i})]_{i}$ be a list of polynomial evaluation instances, where:

- $P_{i}$ represents the MLE polynomial, interpolating values $[P_{i, j}]_{j = 0}^{2^{n_{i}} - 1}$ over $\{0, 1\}^{n_{i}}$.
- $C_{i}$ is a commitment to the polynomial $P_{i}$, such that $C_{i} = \sum_{j = 0}^{2^{n_{i}} - 1} P_{i, j} \cdot G_{j}$.
- $e_{i}$ is the evaluation of $P_{i}$ queried at $\vec{x}_{i} \in \mathbb{F}^{n_{i}}$, where $P_{i}$ is defined as $P_{i} (X_{0}, \dots, X_{n_{i} - 1}) = \sum_{j = 0}^{2^{n_{i}} - 1} P_{i, j} \cdot L_{j} (X_{0}, \dots, X_{n_{i} - 1})$.

For each evaluation instance $i$, the prover and verifier run the batched Sumcheck to prove the claim

$$e_{i} = \sum_{\vec{x} \in \{0, 1\}^{n_{i}}} eq (\vec{x}_{i}, \vec{x}) \cdot P_{i} (\vec{x}) .$$
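The claim is the standard identity expressing a multilinear evaluation as an inner product with the table of $eq$. A small numerical check, with hypothetical helper names and an illustrative modulus:

```python
P = 2**61 - 1  # illustrative prime modulus (assumption)

def eq_evals(point):
    """Table of eq(point, x) over {0,1}^len(point); point[0] is the most significant index bit."""
    evals = [1]
    for ri in point:
        evals = [e * t % P for e in evals for t in ((1 - ri) % P, ri % P)]
    return evals

def mle_eval(table, point):
    """Evaluate the MLE of `table` at `point` by binding one variable at a time."""
    for r in point:
        h = len(table) // 2
        table = [(table[k] + r * (table[h + k] - table[k])) % P for k in range(h)]
    return table[0]

x_i = [5, 6, 7]                       # query point for a polynomial over n_i = 3 variables
p_i = [3, 1, 4, 1, 5, 9, 2, 6]        # its 2^3 evaluations
e_i = mle_eval(p_i, x_i)              # claimed evaluation
sumcheck_claim = sum(a * b for a, b in zip(eq_evals(x_i), p_i)) % P
```

Since `sumcheck_claim` equals `e_i`, proving the sum with Sumcheck is equivalent to proving the evaluation, while moving the query to the Sumcheck challenge point.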

The protocol proceeds as described in [[Compressed SNARK#Batched Sumcheck]], where all claims are appropriately scaled to $n$ variables.

The output is a query point $\vec{r} \in \mathbb{F}^{n}$ and evaluations $[v_{i} = P_{i} (r_{n - n_{i}}, \dots, r_{n - 1})]_{i}$, to which we can apply the same technique as in [[Compressed SNARK#Batched PCS]].

Implementation

The methods batch_eval_prove and batch_eval_verify represent sub-protocols that reduce the task of checking the validity of the evaluation instances $[(u_{i}, w_{i})]_{i} = [((C_{i}, e_{i}, \vec{x}_{i}, n_{i}), P_{i})]_{i}$ to only checking the opening of a single evaluation instance $(u, w) = ((C, v, \vec{r}, n), P)$:

- The verifier samples challenge $ρ$ for the random linear combination of all Sumcheck claims defined above.
- Both parties run the batched Sumcheck protocol, resulting in $\vec{r} \in \mathbb{F}^{n}$ and evaluations $[v_{i}]_{i}$.
- The verifier checks that $\sum_{i} ρ^{i} \cdot eq (\vec{x}_{i}, (r_{n - n_{i}}, \dots, r_{n - 1})) \cdot v_{i}$ equals the final Sumcheck claim.
- The verifier samples $γ$ and computes the new batched polynomial evaluation instance $(C, v, \vec{r}, n)$
  - $C = \sum_{i} γ^{i} \cdot C_{i}$
  - $v = \sum_{i} γ^{i} \cdot L_{0} (r_{0}, \dots, r_{n - n_{i} - 1}) \cdot v_{i}$
- The prover computes the corresponding polynomial $P (X_{0}, \dots, X_{n - 1}) = \sum_{i} γ^{i} \cdot L_{0} (X_{0}, \dots, X_{n - n_{i} - 1}) \cdot P_{i} (X_{n - n_{i}}, \dots, X_{n - 1})$
- Both parties engage in the PCS opening argument for the resulting instance.

Bounded Witness Check

In the pre-processing SNARK, the Sumcheck claims of each RelaxedR1CS instance are padded to $2^{n} = \max \{\# \text{constraints}, 2 \cdot \# \text{variables}, | A | + | B | + | C |\}$. If we let $2^{m} = \# \text{variables}$, then the witness vector $W$ is of length $2^{m}$, though we pad it to $2^{n}$ by adding zeros:

$$W (X_{0}, \dots, X_{n - 1}) = \sum_{i = 0}^{2^{m} - 1} W_{i} \cdot L_{i} (X_{0}, \dots, X_{n - 1}) = L_{0} (X_{0}, \dots, X_{n - m - 1}) \cdot \sum_{i = 0}^{2^{m} - 1} W_{i} \cdot L_{i} (X_{n - m}, \dots, X_{n - 1}) .$$

The public input $X$ is a list of at most $2^{m}$ elements, which we also consider as an MLE. These are appended to $W$, yielding the vector $Z = W \| X \in \mathbb{F}^{2^{m + 1}}$. Its MLE is given by:

$$Z (X_{0}, \dots, X_{n - 1}) = W (X_{0}, \dots, X_{n - 1}) + \sum_{i = 0}^{2^{m} - 1} X_{i} \cdot L_{2^{m} + i} (X_{0}, \dots, X_{n - 1}) .$$

The prover provides a commitment to $W$, and the verifier uses the values of $X$ and computations of the Lagrange polynomials to derive an evaluation of $Z$.

The evaluation of $W$ is performed over $n$ variables rather than the $m$ variables it is actually defined over. We need to ensure that $W$ does not "overflow" into the evaluation slots for $X$, which we do using a new Sumcheck instance with a special MaskedEqPolynomial:

$$eq_{\leq m} (\vec{r}, i_{0}, \dots, i_{n - 1}) = \begin{cases} 0, & \text{if } i_{0} = \dots = i_{n - m - 1} = 0 \\ eq (\vec{r}, i_{0}, \dots, i_{n - 1}), & \text{otherwise} \end{cases}$$

This polynomial can be succinctly evaluated by noting that it is equal to

$$eq (\vec{r}, \vec{X}) - \left( \prod_{i = 0}^{n - m - 1} (1 - r_{i}) (1 - X_{i}) \right) \cdot \left( \prod_{i = n - m}^{n - 1} eq (r_{i}, X_{i}) \right) .$$
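The closed form can be compared against the case definition on every point of the hypercube. The function names and the modulus below are hypothetical and chosen for illustration only.

```python
from itertools import product

P = 2**61 - 1  # illustrative prime modulus (assumption)

def eq(r, x):
    """eq(r, x) = prod_i (r_i * x_i + (1 - r_i) * (1 - x_i))."""
    out = 1
    for ri, xi in zip(r, x):
        out = out * ((ri * xi + (1 - ri) * (1 - xi)) % P) % P
    return out

def masked_eq(r, x, m):
    """Closed form: eq(r, x) minus the part supported on x_0 = ... = x_{n-m-1} = 0."""
    n = len(r)
    low = 1
    for i in range(n - m):
        low = low * ((1 - r[i]) * (1 - x[i]) % P) % P
    return (eq(r, x) - low * eq(r[n - m:], x[n - m:])) % P

def masked_eq_by_cases(r, x, m):
    """Case definition: 0 on the first 2^m entries, eq(r, x) elsewhere."""
    n = len(r)
    return 0 if all(xi == 0 for xi in x[:n - m]) else eq(r, x)

r = [3, 9, 81, 6561]   # n = 4
m = 2
agree = all(masked_eq(r, x, m) == masked_eq_by_cases(r, x, m)
            for x in product([0, 1], repeat=len(r)))
```

The closed form costs $O (n)$ field operations at any point, which is what allows the verifier to evaluate the masked polynomial at the final Sumcheck challenge.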

The Sumcheck instance we end up proving is

$$0 = \sum_{\vec{x} \in \{0, 1\}^{n}} eq_{\leq m} (\vec{r}, \vec{x}) \cdot W (\vec{x}) .$$

By definition of $eq_{\leq m}$, in the first $2^{m}$ entries $eq_{\leq m}$ evaluates to 0, cancelling out the values of $W$, while it equals $eq (\vec{r}, \vec{x})$ in the remaining entries. The sum therefore equals 0 only if, with overwhelming probability, $W$ is 0 in those remaining entries.
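A toy version of the check, computed by brute force rather than via Sumcheck. It assumes $\vec{r}$ is derived from a single element as successive squares starting at $r$; the names `squares`, `eq_evals` and `witness_bound_sum` are hypothetical and do not reflect the WitnessBoundSumcheck API.

```python
P = 2**61 - 1  # illustrative prime modulus (assumption)

def squares(r, n):
    """Return (r, r^2, r^4, ..., r^(2^(n-1))) mod P."""
    out, cur = [], r % P
    for _ in range(n):
        out.append(cur)
        cur = cur * cur % P
    return out

def eq_evals(point):
    """Table of eq(point, x) over the hypercube; point[0] is the most significant index bit."""
    evals = [1]
    for ri in point:
        evals = [e * t % P for e in evals for t in ((1 - ri) % P, ri % P)]
    return evals

def witness_bound_sum(w_padded, r, m):
    """sum_x eq_{<=m}(r_vec, x) * W(x), with the first 2^m entries of eq masked to zero."""
    n = len(w_padded).bit_length() - 1
    eq_tab = eq_evals(squares(r, n))
    masked = [0] * 2**m + eq_tab[2**m:]
    return sum(a * b for a, b in zip(masked, w_padded)) % P

honest = [1, 2, 3, 4] + [0] * 12   # W over m = 2 variables, padded to n = 4
cheating = list(honest)
cheating[5] = 7                    # W overflows past its first 2^m slots

honest_sum = witness_bound_sum(honest, 3, 2)
cheating_sum = witness_bound_sum(cheating, 3, 2)
```

The honest witness yields a zero sum, while any nonzero entry beyond index $2^{m} - 1$ contributes a term weighted by a nonzero $eq$ value for this choice of $r$.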

Implementation

We include this check as a separate SumcheckEngine implementation, defined in spartan::batched_ppsnark::WitnessBoundSumcheck. The constructor takes as input a random element $r$, the maximum number of variables $m$, and the padded witness $W \in \mathbb{F}^{2^{n}}$. It computes the evaluations of $eq_{\leq m} (\vec{r}, \vec{X})$, where $\vec{r} = (r, r^{2}, r^{4}, \dots, r^{2^{n - 1}})$.

One of the benefits of including this new instance is that the Sumcheck prover will have computed the multi-linear evaluation of $W$, bypassing the need to compute it manually.

