Lurk: Lambda the Ultimate Recursive Knowledge
About me
François Garillot (@huitseeker)
Team work from Lurk Lab,
Team previously at Protocol Labs,
(led by Chhi'mèd Künzang).
ZK-proof languages
Writing a ZK-proof language in 2023
- circom,
- Zokrates,
- snarkyJS / snarky,
- Leo,
- Noir
SNARKs and Rank 1 Constrained Systems (R1CS)
- Arithmetize computation \(f\) for SNARKs using arithmetic circuit,
- Express computation as \(\exists w: f'(x,y,w)=1\)
- Map to three \(m \times m\) matrices \(A,B,C\) over \(\mathbb{F}\)
- Satisfiability is equivalent to \((A \cdot z) \circ (B \cdot z) = C \cdot z\)
Expressing Computation as R1CS Instance
- Direct compilation approach: stepwise translation and ad-hoc combinators
- Drawbacks: R1CS is a flat structure, requires flattening and unrolling loops
- Increased R1CS size negatively affects proving time,
- Prover memory can become a practical bottleneck due to space complexity.
Branch unrolling
When we don't know the iteration count, it's harder to produce the circuit:
(let ((collatz (lambda (n)
(letrec ((aux (lambda (acc n)
(if (= n 1)
acc
(let ((x (/ n 2)))
(if (< x 0) ; odd
(aux (+ 1 acc) (+ 1 (* 3 n)))
(aux (+ 1 acc) x)))))))
(aux 0 n))))
(collatz 27))
IVC
Incrementally Verifiable Computation (IVC) for SNARKs
- Alternative to constructing a circuit for entire computation \(f\)
- Verify correctness step-by-step, then recursively fold correctness proofs
- Cryptographic verification applied to transition function of executing program
- IVC: Repeated composition of smaller function \(f\) over machine state
- Most efficient IVC candidate: Nova (Kothapalli et al., 2022)
Nova
- cheap folding argument rather than recursion
- plus a final SNARK
- but we need a "natural" iterative form
Language definitions
Definitional language interpreters
A common way of defining a language : giving it an interpreter.
Interpreters and abstract machines
See e.g. Defunctionalized Interpreters for Programming Languages, Danvy et al. 2014
The CEK machine
Lurk as an iterated abstract machine stepper
Commitments
> (commit 123)
Iterations: 2
Result: (comm 0x2937881e)
Opening commitments
((open 0x1aec2d8c) 9)
Iterations: 12
Result: 88
Hashing all the things!
- hash-consing is a classic functional programming technique to share structurally equal values,
- we hash each value rigorously, and compare using hash equality,
- translating this to Poseidon in proof gives program equality semantics in proofs.
A taste of Lurk
Lurk is a Lisp
> (let ((collatz (lambda (n)
(letrec ((aux (lambda (acc n)
(if (= n 1)
acc
(let ((x (/ n 2)))
(if (< x 0) ; odd
(aux (+ 1 acc) (+ 1 (* 3 n)))
(aux (+ 1 acc) x)))))))
(aux 0 n))))
(collatz 27))
Iterations: 4016
Result: 111
Functional commitments
(commit (lambda (x) (+ 7 (* x x))))
Iterations: 2
Result: (comm 0x1aec2d8c)
Higher-order functional commitments
> (let ((secret-data 555)
(data-interface (lambda (f) (f secret-data))))
(commit data-interface))
Iterations: 7
Result: (comm 0x03836e2e)
> ((open 0x03836e2e) (lambda (data) (+ data 111)))
Iterations: 14
Result: 666
Lurk release 1.0 alpha
- the blog post
- the pre-print
- and more! Specification, audit report, tutorial etc.
Lurk
- on Twitter @LurkLab
- on Zulip: https://zulip.lurk-lab.com/
Lurk: Lambda the Ultimate Recursive Knowledge
{"metaMigratedAt":"2023-06-18T00:51:26.744Z","metaMigratedFrom":"YAML","title":"Lurk: Lambda the Ultimate Recursive Knowledge","breaks":true,"slideOptions":"{\"transition\":\"slide\",\"tags\":\"Lurk, talk, crypto\"}","description":"circom,","contributors":"[{\"id\":\"dbd3a2cc-6969-479a-9e28-e36eca77e32e\",\"add\":13986,\"del\":9591}]"}