Proposal for Handling The Memory of zkVM

Hanh Tang (NTU), Minh Pham (Orochi Network), and Chiro Hiro (Orochi Network)

Generalize the memory for zkVM (zkMemory)

The idea is to create an independent module that can be used by any zkVM. You might be aware that memory can be modeled as a simple state machine with 2 instructions, READ and WRITE, and a configurable WORD_SIZE. Our memory state machine can only access exactly WORD_SIZE for each executed instruction. That is, an access to data of arbitrary size must be translated into multiple accesses.

These instructions must satisfy the following conditions:

READ instruction
- A READ on a memory location that was never written must return 0.
- Every READ on a location must return the value of the most recent WRITE to that location.
WRITE instruction
- Every WRITE must target a writable memory chunk (some areas of the memory might be read-only).
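The rules above can be sketched as a small state machine. This is only an illustrative sketch, not the zkMemory implementation: the class name `Memory`, the `read_only` set, the helper `word_addresses`, the choice `WORD_SIZE = 8` bytes, and the alignment requirement are all assumptions made for the example.

```python
from dataclasses import dataclass, field

WORD_SIZE = 8  # bytes per access; assumed value for illustration


@dataclass
class Memory:
    """Toy word-addressed memory following the READ/WRITE rules above."""
    read_only: set = field(default_factory=set)  # hypothetical read-only addresses
    cells: dict = field(default_factory=dict)    # address -> word value

    def _check(self, address: int) -> None:
        # Assumption: every access is aligned to WORD_SIZE.
        if address % WORD_SIZE != 0:
            raise ValueError("access must be aligned to WORD_SIZE")

    def read(self, address: int) -> int:
        self._check(address)
        # A location that was never written reads as 0.
        return self.cells.get(address, 0)

    def write(self, address: int, value: int) -> None:
        self._check(address)
        if address in self.read_only:
            raise PermissionError("write to read-only memory")
        if not 0 <= value < 1 << (8 * WORD_SIZE):
            raise ValueError("value does not fit in one word")
        self.cells[address] = value


def word_addresses(address: int, size: int) -> list:
    """Aligned word addresses covering the byte range [address, address + size)."""
    first = address - address % WORD_SIZE
    return list(range(first, address + size, WORD_SIZE))
```

An access to data larger than one word would be translated into one READ or WRITE per address returned by `word_addresses`.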

Questions:

How could we handle the memory boundaries?

Do we need to deal with memory allocation/deallocation?

How could we deal with configurable WORD_SIZE?

Memory trace

To prove the accuracy and consistency of the memory, every memory access needs to be recorded. We propose the following trace table (a table of this kind is well known among zkVM projects).

Address	Time Log	Instruction	Value
0x0000000000000000	1	READ	0x0000000000000000
0x0000000000000000	2	WRITE	0x0000000000000a20
0x0000000000000020	3	WRITE	0x0000000000000010
0x0000000000000020	4	READ	0x0000000000000010
0x…	..	…	…

We expect the following tuple for every memory access:

(address, time_log, instruction, value)

address: The location to which the memory instruction is applied.
time_log: Incremental counter that increases with every access.
instruction: READ, WRITE.
value: Value of size WORD_SIZE.
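As a rough illustration of how such tuples could be checked for consistency, the sketch below sorts the trace by (address, time_log) and replays it. The names `Access` and `is_consistent` are hypothetical, and a real prover would enforce these rules inside a circuit rather than in plain Python.

```python
from typing import NamedTuple

READ, WRITE = "READ", "WRITE"


class Access(NamedTuple):
    address: int
    time_log: int
    instruction: str
    value: int


def is_consistent(trace: list) -> bool:
    """Check that every READ returns the latest WRITE (or 0 if there is none)."""
    times = [a.time_log for a in trace]
    if len(set(times)) != len(times):
        return False  # time_log must be unique per access
    last = {}  # address -> last written value
    # Sort by (address, time_log) so accesses to one location are adjacent.
    for a in sorted(trace, key=lambda a: (a.address, a.time_log)):
        if a.instruction == WRITE:
            last[a.address] = a.value
        elif a.instruction == READ:
            if a.value != last.get(a.address, 0):
                return False
        else:
            return False  # unknown instruction
    return True


# The four rows of the trace table above.
trace = [
    Access(0x00, 1, READ, 0x0),
    Access(0x00, 2, WRITE, 0xA20),
    Access(0x20, 3, WRITE, 0x10),
    Access(0x20, 4, READ, 0x10),
]
```

Calling `is_consistent(trace)` on the table rows succeeds, while changing the value of the last READ makes the check fail.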

Proposal for the first implementation

We plan to implement the first version of zkMemory according to the following wishlist:

Building up the memory trace.
Committing every state of the memory to the Verkle tree.
Providing the witness after each state is committed, allowing the prover to prove the correctness of the entire memory.

KZG Polynomial Commitment

The KZG polynomial commitment scheme was introduced by Kate, Zaverucha and Goldberg. It allows us to commit to a polynomial $p (X)$ and later open $p$'s evaluations at specific points.

KZG is widely used for several reasons:

KZG commitment and opening proof sizes are constant, even when opening at multiple points. The proof of evaluation consists of only one group element.
Verification time is also constant, namely, only a constant number of pairing operations.
The commitment is homomorphic. Given the commitments $c$ and $c^{'}$ and the openings $π$ and $π^{'}$ (at the same point) of $p$ and $p^{'}$, the commitment and opening of $p + p^{'}$ are just $c + c^{'}$ and $π + π^{'}$.

$\Rightarrow$ Using the KZG commitment scheme greatly reduces communication cost.

Now, we give a formal description of the KZG commitment scheme. Notice that for indexing, we use $ω^{i}$ instead of $i$, where $ω$ is a primitive $k$-th root of unity.

$\mathsf{Setup} (1^{λ})$: Sample $s \in F$ and output $\mathsf{crs} = (\{[s^{i}]_{1}\}_{i \in \{0, \dots, k - 1\}}, \{[s^{i}]_{2}\}_{i \in \{0, \dots, k - 1\}})$.
$\mathsf{Commit} (p (X) \in F_{< k} [X], \mathsf{crs})$: For $p (X) = \sum_{i = 0}^{k - 1} p_{i} X^{i}$, output $C = [p (s)]_{1} = \sum_{i = 0}^{k - 1} p_{i} [s^{i}]_{1}$.
$\mathsf{Open} (C, p (X))$: Output $p (X)$.
$\mathsf{Verify} (\mathsf{crs}, C, p (X))$: Check if $[p (s)]_{1} = \sum_{i = 0}^{k - 1} p_{i} [s^{i}]_{1} = C$.
$\mathsf{OpenWitness} (p (X), ω^{i}, \mathsf{crs})$: To open $p (X)$ at index $ω^{i}$, let $h_{i} (X) = \frac{p (X) - p (ω^{i})}{X - ω^{i}}$. Then, output $π = (ω^{i}, p (ω^{i}), [h_{i} (s)]_{2})$.
$\mathsf{VerifyWitness} (C, π = (ω^{i}, y, [h_{i} (s)]_{2}), \mathsf{crs})$: Verify $p (ω^{i}) = y$ by checking $e (C - [y]_{1}, [1]_{2}) = e ([s]_{1} - [ω^{i}]_{1}, [h_{i} (s)]_{2})$.
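The algebra behind OpenWitness and VerifyWitness can be checked with a toy sketch. It is deliberately insecure: instead of group elements and pairings it works directly with scalars in a small field, so the secret $s$ is visible and $e([a]_1, [b]_2)$ is replaced by the product $a \cdot b$. The field size 257, the value of `K`, and all function names are assumptions chosen for illustration.

```python
P = 257                          # small prime field, for illustration only
K = 4                            # number of evaluation points
OMEGA = pow(3, (P - 1) // K, P)  # primitive K-th root of unity (3 generates F_257^*)


def evaluate(coeffs, x):
    """Evaluate p(X) = sum coeffs[i] * X^i at x using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def quotient(coeffs, z):
    """Coefficients of (p(X) - p(z)) / (X - z), by synthetic division."""
    out = [0] * (len(coeffs) - 1)
    carry = 0
    for i in range(len(coeffs) - 1, 0, -1):
        carry = (coeffs[i] + carry * z) % P
        out[i - 1] = carry
    return out


def open_witness(coeffs, i, s):
    """Scalar stand-in for the proof (w^i, p(w^i), [h_i(s)]_2)."""
    z = pow(OMEGA, i, P)
    y = evaluate(coeffs, z)
    h_s = evaluate(quotient(coeffs, z), s)
    return z, y, h_s


def verify_witness(commitment, proof, s):
    """Scalar analogue of e(C - [y]_1, [1]_2) = e([s]_1 - [w^i]_1, [h_i(s)]_2)."""
    z, y, h_s = proof
    return (commitment - y) % P == ((s - z) * h_s) % P
```

With, say, `coeffs = [5, 0, 7, 11]` and `s = 123`, the scalar "commitment" is `evaluate(coeffs, s)`, and every honest opening verifies while an opening with an altered `y` does not.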

Commitment to Verkle Tree

The Verkle tree was introduced by John Kuszmaul.

It is a $k$-ary tree having $ℓ + 1$ layers, where:

Each leaf node contains a key and a value.
Each parent node $N_{j}^{(i)}$ has $k$ children, and the value $v_{j}^{(i)}$ of $N_{j}^{(i)}$ is the commitment to its children.

We see that, unlike a Merkle tree, which is a binary tree, in a Verkle tree each parent node can have many more children.

To provide a proof for a Verkle tree, we just need to provide a path from the leaf node to the root. To do so, we employ the KZG commitment scheme.

Now, we will describe how to commit and open a path in a Verkle tree. It is possible to open multiple paths using the same technique. More details can be found in Dankrad Feist's blog.

$\mathsf{VerkleSetup}$: Sample $s \in F$ and output $\mathsf{crs} = (\{[s^{i}]_{1}\}_{i \in \{0, \dots, k - 1\}}, \{[s^{i}]_{2}\}_{i \in \{0, \dots, k - 1\}})$.
$\mathsf{VerkleCommit}$: For integers $k, j$, let $j^{'} = k \cdot j$. For each node $N_{j}^{(i)}$, where $i \in \{0, \dots, ℓ - 1\}$, with children whose values are $v_{j^{'}}^{(i + 1)}, v_{j^{'} + 1}^{(i + 1)}, \dots, v_{j^{'} + k - 1}^{(i + 1)}$, find a polynomial $p_{j}^{(i)} (X)$ such that $p_{j}^{(i)} (ω^{t}) = v_{j^{'} + t}^{(i + 1)}$ for $t = 0, 1, \dots, k - 1$. Then the value $v_{j}^{(i)}$ of $N_{j}^{(i)}$ is $\mathsf{Commit} (p_{j}^{(i)} (X), \mathsf{crs})$. For the leaf layer, namely, layer $ℓ$, the value $v_{j}^{(ℓ)}$ for $j \in \{0, \dots, k^{ℓ} - 1\}$ is simply the original value at location $j$. Output $v_{0}^{(0)}$, the root of the tree.
$\mathsf{VerkleOpen}$: For a path $v_{j_{0}}^{(0)} \to v_{j_{1}}^{(1)} \to v_{j_{2}}^{(2)} \to \dots \to v_{j_{ℓ}}^{(ℓ)}$, we have to prove that $p_{j_{i}}^{(i)} (ω^{j_{i}}) = v_{j_{i + 1}}^{(i + 1)}$ for all $i \in \{0, \dots, ℓ - 1\}$. We proceed with the following steps:
– Let $h_{j_{i}}^{(i)} (X) = \frac{p_{j_{i}}^{(i)} (X) - v_{j_{i + 1}}^{(i + 1)}}{X - ω^{j_{i}}}$ and $r = H (v_{j_{0}}^{(0)}, \dots, v_{j_{ℓ - 1}}^{(ℓ - 1)}, v_{j_{1}}^{(1)}, \dots, v_{j_{ℓ}}^{(ℓ)}, ω^{j_{0}}, \dots, ω^{j_{ℓ - 1}})$.
– Let $G (X) = \sum_{i = 0}^{ℓ - 1} r^{i} h_{j_{i}}^{(i)} (X)$ and compute $D = [G (s)]_{1}$.
– Let $r^{'} = H (D, r)$ and $h (X) = \sum_{i = 0}^{ℓ - 1} r^{i} \frac{p_{j_{i}}^{(i)} (X)}{r^{'} - ω^{j_{i}}}$. Compute $E = [h (s)]_{1}$. Note that $E$ can be computed by both prover and verifier, since the verifier already knows $[p_{j_{i}}^{(i)} (s)]_{1} = v_{j_{i}}^{(i)}$, which belongs to the opening path.
– Finally, let $y = \sum_{i = 0}^{ℓ - 1} r^{i} \frac{v_{j_{i + 1}}^{(i + 1)}}{r^{'} - ω^{j_{i}}}$.
– Output $D$ and $π = [\frac{h (s) - G (s) - y}{s - r^{'}}]_{1}$.
$\mathsf{VerkleVerify}$: Check that the root node element is equal to the first opening element. Then, for $r$, $r^{'}$, $y$ defined earlier, compute $E = \sum_{i = 0}^{ℓ - 1} \frac{r^{i}}{r^{'} - ω^{j_{i}}} \cdot v_{j_{i}}^{(i)}$ and check whether $e (E - D - [y]_{1}, [1]_{2}) = e (π, [s]_{2} - [r^{'}]_{2})$.
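
A short derivation, using only the definitions of $G$, $h$ and $y$ given in the opening steps, sketches why an honestly generated proof passes the final pairing check. The name $q (X)$ is introduced only for this note. Evaluating at $r^{'}$ gives

$\begin{aligned} h (r^{'}) - G (r^{'}) & = \sum_{i = 0}^{ℓ - 1} r^{i} \frac{p_{j_{i}}^{(i)} (r^{'})}{r^{'} - ω^{j_{i}}} - \sum_{i = 0}^{ℓ - 1} r^{i} \frac{p_{j_{i}}^{(i)} (r^{'}) - v_{j_{i + 1}}^{(i + 1)}}{r^{'} - ω^{j_{i}}} \\ & = \sum_{i = 0}^{ℓ - 1} r^{i} \frac{v_{j_{i + 1}}^{(i + 1)}}{r^{'} - ω^{j_{i}}} = y . \end{aligned}$

Hence $X - r^{'}$ divides $h (X) - G (X) - y$, so $q (X) = \frac{h (X) - G (X) - y}{X - r^{'}}$ is a polynomial and $π = [q (s)]_{1}$. Since $E = [h (s)]_{1}$ and $D = [G (s)]_{1}$, we get $E - D - [y]_{1} = [(s - r^{'}) \cdot q (s)]_{1}$, which is exactly the relation tested by $e (E - D - [y]_{1}, [1]_{2}) = e (π, [s]_{2} - [r^{'}]_{2})$.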

There are several benefits of committing to a Verkle tree using KZG over hashing in a Merkle tree.

Because the width of a Verkle tree is larger, the opening path is much shorter.
The opening proof of a Verkle tree is constant-sized. As mentioned by Buterin in his blog, the proof size is much smaller than a Merkle proof (6 to 8 times smaller).

Proposal of Folding Scheme for Vector Commitment

We construct a folding scheme for correct evaluation of vector commitment by R1CS-in-the-exponent. The vector commitment to a vector $x = (x_{0}, \dots, x_{k - 1})$ in our solution employs the KZG polynomial commitment scheme and is realized by committing to a polynomial $p (X)$ whose evaluations at $ω^{0}, \dots, ω^{k - 1}$, where $ω$ is a suitable primitive $k$-th root of unity, are equal to $x_{0}, \dots, x_{k - 1}$, respectively.

Remark. The solution we propose here, following Nova, is not complete for R1CS-in-the-exponent for vector commitment with respect to the KZG commitment scheme and Verkle tree. It requires additional adaptations to fit the form of relaxed R1CS-in-the-exponent.

To make polynomial commitment compatible with the folding scheme, we recall the polynomial representations (i) by coefficients and (ii) by Lagrange basis, and show how to commit to such a polynomial with respect to these representations.

Polynomial representation by coefficients

The coefficient representation of a polynomial $p (X) \in F_{< k} [X]$ of degree at most $k - 1$ is

$p (X) = p_{0} + p_{1} X + p_{2} X^{2} + \dots + p_{k - 1} X^{k - 1} .$

Polynomial representation by Lagrange basis

In case we would like to construct a polynomial $p (X) \in F_{< k} [X]$ satisfying $p (ω^{i}) = x_{i}$ for all $i \in \{0, \dots, k - 1\}$, using the Lagrange basis $\{L_{i} (X)\}_{i \in \{0, \dots, k - 1\}}$, where $L_{i} (ω^{i}) = 1$ and $L_{i} (ω^{j}) = 0$ for $j \neq i$, helps construct such a polynomial in a cleaner way. That is,

$p (X) = \sum_{i = 0}^{k - 1} x_{i} L_{i} (X) .$

Polynomial commitment by $2$ ways of representation

Thus, in the KZG polynomial commitment scheme, we can compute the commitment to $p (X)$ by computing either

$[p (X)] = \sum_{i = 0}^{k - 1} p_{i} \cdot [s^{i}] \quad \text{or} \quad [p (X)] = \sum_{i = 0}^{k - 1} x_{i} \cdot [L_{i} (X)]$

by using the common reference string $\{[s^{i}]\}_{i \in \{0, \dots, k - 1\}}$. However, committing to $p (X)$ by using the Lagrange basis asks us to prepare $\{[L_{i} (X)]\}_{i \in \{0, \dots, k - 1\}}$ in advance.
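
That the two ways of committing agree can be checked numerically. The sketch below is a toy under stated assumptions: it replaces each group element $[a]$ by the scalar $a$ in a small field (so it is not hiding or binding), uses the field of size 257 with $k = 4$, and all function names are hypothetical.

```python
P = 257                          # small prime field, for illustration only
K = 4
OMEGA = pow(3, (P - 1) // K, P)  # primitive K-th root of unity in F_257
DOMAIN = [pow(OMEGA, i, P) for i in range(K)]


def inv(a):
    """Modular inverse in F_P via Fermat's little theorem."""
    return pow(a, P - 2, P)


def lagrange_at(i, x):
    """Evaluate L_i(x), where L_i(w^j) = 1 if j == i and 0 otherwise."""
    num, den = 1, 1
    for j, wj in enumerate(DOMAIN):
        if j != i:
            num = num * (x - wj) % P
            den = den * (DOMAIN[i] - wj) % P
    return num * inv(den) % P


def interpolate(values):
    """Coefficients p_0..p_{K-1} with p(w^i) = values[i] (inverse DFT)."""
    k_inv = inv(K)
    return [
        k_inv * sum(v * pow(OMEGA, (-i * j) % K, P) for j, v in enumerate(values)) % P
        for i in range(K)
    ]


def commit_coeffs(coeffs, s):
    """Scalar stand-in for sum_i p_i * [s^i]."""
    return sum(c * pow(s, i, P) for i, c in enumerate(coeffs)) % P


def commit_lagrange(values, s):
    """Scalar stand-in for sum_i x_i * [L_i(s)]."""
    return sum(x * lagrange_at(i, s) for i, x in enumerate(values)) % P
```

For any vector `values` of length `K` and any `s`, `commit_coeffs(interpolate(values), s)` and `commit_lagrange(values, s)` give the same result, which mirrors the equality of the two sums above. In a real setting the values `lagrange_at(i, s)` would be the precomputed group elements $[L_{i} (X)]$.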

Proposal of Folding Scheme for Memory Accesses with Polynomial Commitments

In this section, we discuss the technique for constructing a folding scheme for memory accesses with respect to polynomial commitments. In particular, we assume that our memory is a $k$-element array $v = (v_{0}, \dots, v_{k - 1})$. We commit to the entire memory by using the KZG commitment scheme and describe the proof of correct accesses, namely, reading and writing, to the memory.

Using the KZG commitment scheme, we assume that the commitment to the memory is equal to

$c = [p (X)] = \sum_{i = 0}^{k - 1} x_{i} \cdot [L_{i} (X)] ,$

where $x_{i} = v_{i}$ denotes the $i$-th memory cell, computed by using $\{[s^{i}]\}_{i \in \{0, \dots, k - 1\}}$. This computation is in fact equivalent to evaluating $p (X)$ at a secret point $s$.

We first describe the technique for handling READ access to the memory. Specifically, we would like to prove that the $i$-th element of array $v$, namely, $v_{i}$, is equal to $y_{i}$ for some public value $y_{i}$. In the case of polynomial commitment, this is equivalent to proving that $p (ω^{i}) = y_{i}$. The proof for opening at the $i$-th position is computed as

$w_{i} = [\frac{p (X) - p (ω^{i})}{X - ω^{i}}] .$

And, to verify the correctness of the proof, we simply check that

$e ([s] - [ω^{i}], w_{i}) = e (c - [y_{i}], [1]) .$

R1CS-in-the-exponent for vector commitment. It is now reasonable for us to define the correct form of matrices $A$, $B$ and $C$, and witness vector $w$.

We first describe the structure of the witness vector $w$. Notice that the verification of the evaluation at $ω^{i}$ requires the involvement of $[s], c, [ω^{i}], [y_{i}], w_{i}$ and $[1]$. Since there is no secret element here, we simply define the witness vector $w$ to be

$w = \begin{pmatrix} [s] \\ c \\ [ω^{i}] \\ [y_{i}] \\ w_{i} \\ [1] \end{pmatrix} .$
The matrix $A$ simply computes $[s] - [ω^{i}]$. Hence,

$A = \begin{pmatrix} 1 & 0 & - 1 & 0 & 0 & 0 \end{pmatrix} .$
Similarly, matrix $B$, which selects $w_{i}$, is defined to be

$B = \begin{pmatrix} 0 & 0 & 0 & 0 & 1 & 0 \end{pmatrix} .$
Matrix $C$, which computes $c - [y_{i}]$, is defined to be

$C = \begin{pmatrix} 0 & 1 & 0 & - 1 & 0 & 0 \end{pmatrix} .$
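
To see how the three matrices encode the READ check, the following toy sketch replaces every group element $[a]$ by its exponent $a$ in a small field, so the pairing equation $e (A w, B w) = e (C w, [1])$ becomes the scalar equation $(A \cdot w)(B \cdot w) = (C \cdot w) \cdot 1$. The field size, the helper names, and the sample polynomial are assumptions made for illustration; a real instance would keep all entries as group elements.

```python
P = 257                          # small prime field, for illustration only
K = 4
OMEGA = pow(3, (P - 1) // K, P)  # primitive K-th root of unity in F_257

A = [1, 0, -1, 0, 0, 0]   # selects s - w^i
B = [0, 0, 0, 0, 1, 0]    # selects the opening proof w_i
C = [0, 1, 0, -1, 0, 0]   # selects c - y_i


def evaluate(coeffs, x):
    """Evaluate p(X) = sum coeffs[i] * X^i at x using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def dot(row, w):
    return sum(a * b for a, b in zip(row, w)) % P


def build_witness(coeffs, i, s):
    """Exponents of ([s], c, [w^i], [y_i], w_i, [1]) for a READ at index i."""
    z = pow(OMEGA, i, P)
    c = evaluate(coeffs, s)
    y = evaluate(coeffs, z)
    # h(s) = (p(s) - p(z)) / (s - z); valid here because s != z.
    w_i = (c - y) * pow(s - z, P - 2, P) % P
    return [s, c, z, y, w_i, 1]


def satisfied(w):
    """Scalar analogue of e(A w, B w) = e(C w, [1])."""
    return dot(A, w) * dot(B, w) % P == dot(C, w) * w[5] % P
```

A witness built with `build_witness([5, 0, 7, 11], 2, 123)` satisfies the relation, and changing the claimed value `y_i` (position 3 of the vector) breaks it.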

Handling `WRITE` Access

Notice that, since

$c = [p (X)] = \sum_{i = 0}^{k - 1} x_{i} \cdot [L_{i} (X)]$

is computed by Lagrange basis, to update $x_{i}$ to $x_{i}^{'}$, we simply compute

$\begin{aligned} c^{'} & = x_{i}^{'} \cdot [L_{i} (X)] + \sum_{j \neq i} x_{j} \cdot [L_{j} (X)] \\ & = (x_{i} \cdot [L_{i} (X)] + \sum_{j \neq i} x_{j} \cdot [L_{j} (X)]) + (x_{i}^{'} - x_{i}) \cdot [L_{i} (X)] \\ & = c + (x_{i}^{'} - x_{i}) \cdot [L_{i} (X)] \end{aligned}$

which is a vector commitment to the vector $(x_{0}, \dots, x_{i - 1}, x_{i}^{'}, x_{i + 1}, \dots, x_{k - 1})$. Hence, to update $c$ to $c^{'}$, we simply add $(x_{i}^{'} - x_{i}) \cdot [L_{i} (X)]$ to $c$.
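
The update rule can be checked against a full recomputation. As before, this is a scalar toy under stated assumptions (group elements replaced by exponents in the field of size 257, $k = 4$, hypothetical function names), meant only to confirm the algebra.

```python
P = 257                          # small prime field, for illustration only
K = 4
OMEGA = pow(3, (P - 1) // K, P)  # primitive K-th root of unity in F_257
DOMAIN = [pow(OMEGA, i, P) for i in range(K)]


def lagrange_at(i, x):
    """Evaluate L_i(x), where L_i(w^j) = 1 if j == i and 0 otherwise."""
    num, den = 1, 1
    for j, wj in enumerate(DOMAIN):
        if j != i:
            num = num * (x - wj) % P
            den = den * (DOMAIN[i] - wj) % P
    return num * pow(den, P - 2, P) % P


def commit(values, s):
    """Scalar stand-in for c = sum_i x_i * [L_i(s)]."""
    return sum(x * lagrange_at(i, s) for i, x in enumerate(values)) % P


def update(c, i, old, new, s):
    """WRITE: c' = c + (x_i' - x_i) * [L_i(s)], touching a single basis element."""
    return (c + (new - old) * lagrange_at(i, s)) % P
```

For example, starting from `commit([3, 1, 4, 1], s)` and writing the value 9 at index 2 with `update(c, 2, 4, 9, s)` yields the same result as `commit([3, 1, 9, 1], s)`, at the cost of one scalar multiplication and one addition.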

Proposal of Verkle Tree with R1CS-in-the-Exponent

Recall that a $k$-ary Verkle tree of height $ℓ$ has $ℓ + 1$ layers, indexed from $0$ to $ℓ$, of the following structure:

The unique node in layer $0$ is the root of the tree and its value is denoted by $v_{0}^{(0)}$, which is a vector commitment to the sequence of values $(v_{0}^{(1)}, \dots, v_{k - 1}^{(1)})$ of its $k$ direct child nodes in layer $1$, to be described later.
For each intermediate layer from $1$ to $ℓ - 1$, the $i$-th layer has exactly $k^{i}$ nodes with values denoted by $v_{j}^{(i)}$ for $j \in \{0, \dots, k^{i} - 1\}$. The value $v_{j}^{(i)}$ is a vector commitment to the sequence of values $(v_{k \cdot j}^{(i + 1)}, \dots, v_{k \cdot (j + 1) - 1}^{(i + 1)})$ in the $(i + 1)$-th layer.
The last layer, namely, layer $ℓ$, has exactly $k^{ℓ}$ nodes with values denoted by $v_{0}^{(ℓ)}, \dots, v_{k^{ℓ} - 1}^{(ℓ)}$.

To prove the correct opening of a Verkle tree, we need to prove the correct opening of each respective vector commitment in each layer from $0$ to $ℓ - 1$. Hence, in this way, we can concatenate all components of all verifications, i.e., for all openings along a path in the Verkle tree, to put them into R1CS form.
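
As a small aid for reading the indices, the sketch below computes which node is visited in each layer on the path to a given leaf, using the rule that node $j$ in layer $i$ has children $k \cdot j, \dots, k \cdot (j + 1) - 1$ in layer $i + 1$. The function names are hypothetical and the code only handles index bookkeeping, not commitments.

```python
def path_indices(leaf: int, k: int, depth: int) -> list:
    """Return [j_0, ..., j_depth]: the node index visited in each layer,
    from the root (layer 0) down to the given leaf (layer `depth`)."""
    if not 0 <= leaf < k ** depth:
        raise ValueError("leaf index out of range")
    path = [leaf]
    for _ in range(depth):
        # The parent of node j is node j // k in the layer above.
        path.append(path[-1] // k)
    return path[::-1]


def child_slots(path: list, k: int) -> list:
    """Position (0..k-1) of each path node among its parent's children."""
    return [j % k for j in path[1:]]
```

For a tree with `k = 4` and `depth = 2`, `path_indices(9, 4, 2)` returns `[0, 2, 9]` and `child_slots([0, 2, 9], 4)` returns `[2, 1]`: one vector commitment opening is needed per parent on the path, and these are the openings that would be concatenated into the R1CS form.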

Conclusion

We can provide a library/crate that handles memory commitment for multiple provers, especially provers that are KZG-friendly.
The library/crate we're developing can be used in any zkVM with a configurable WORD_SIZE.
The Verkle tree will reduce the overhead of committing and opening at an arbitrary node.
We propose constructing a folding scheme for vector commitment.