Nova and its Implementation：A Deep Dive

Nova and its Implementation：A Deep Dive

Code structure

r1cs mod

R1CS

Relaxed R1CS

Committed Relaxed R1CS

A Folding Scheme for Committed Relaxed R1CS

code

nifs mod

A Non-Interactive Folding Scheme

code

constants mod

circuit mod

code

lib.rs

A zkSNARK of a Valid IVC Proof

Idealized Relaxed R1CS

Polynomial IOP for Idealized Relaxed R1CS

bellpepper mod

dependencies

bellpepper

This article will analysis Nova's code implementation, and explain how the code works based on the relevant papers.

I will first deduce the formula according to the papers, until it corresponds to the code, and then explain the code, which will be clearer and easier to understand.

As of August 30, 2023, I refer to the code corresponding to the latest commit, and considering that the code comments should be located near the code as much as possible, so I created the Nova-Analysis repo to save the code comments. When there are code comments, I will prompt in this article

Code structure













// private modules
mod bellpepper;
mod circuit;
mod constants;
mod nifs;
mod r1cs;

// public modules
pub mod errors;
pub mod gadgets;
pub mod provider;
pub mod spartan;
pub mod traits;

According to its lib.rs, we know that Nova has these different mods. we explain these mods below.

r1cs mod

Here is a example on how r1cs works.

R1CS

a example

the relation:

private inputs

{w_{1}, w_{2}, w_{3}, w_{4}}

and public output

x_{1}

satisfy the following constraint relation:

(w_{1} + w_{2}) * (w_{3} * w_{4}) = x_{1}

Let's try to represent this relation in terms of R1CS.

the circuit:

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

the R1CS struct:

let

Z = [\begin{matrix} w_{1} \\ w_{2} \\ w_{3} \\ w_{4} \\ w_{5} \\ x_{1} \\ 1 \end{matrix}]

, According to the definition in Nova

Z = [\begin{matrix} W \\ x \\ 1 \end{matrix}]

, where

W

represents witness, including private input and intermediate values, that is

w_{i}

here.

x

represents public inputs and outputs, that is

x_{1}

here. If there are constants in the relation, the 1 can be used to encode them.

Write the

A B C

matrix according to the circuit:

for multiplication gate #1, the left input is

(w_{1} + w_{2}) = [\begin{matrix} 1 & 1 & 0 & 0 & 0 & 0 & 0 \end{matrix}] \cdot [\begin{matrix} w_{1} \\ w_{2} \\ w_{3} \\ w_{4} \\ w_{5} \\ x_{1} \\ 1 \end{matrix}]

for multiplication gate #2, the left input is

w_{3} = [\begin{matrix} 0 & 0 & 1 & 0 & 0 & 0 & 0 \end{matrix}] \cdot [\begin{matrix} w_{1} \\ w_{2} \\ w_{3} \\ w_{4} \\ w_{5} \\ x_{1} \\ 1 \end{matrix}]

So, we get the left input matrix:

A = [\begin{matrix} 1 & 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 0 \end{matrix}]

Matrix

A

consists of the left input of the all multiplication gates, and its number of rows is equal to the number of multiplication gates, and its number of columns is equal to the length of vector

Z

Using the same approach, we can get the right input matrix:

B = [\begin{matrix} 0 & 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 0 \end{matrix}]

Matrix

B

consists of the right input of the all multiplication gates. Its shape is the same with

A

C = [\begin{matrix} 0 & 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 & 0 \end{matrix}]

Matrix

C

consists of the output of the all multiplication gates. Its shape is the same with

A

Let's check:

\begin{aligned} (A \cdot Z) \circ (B \cdot Z) & = ([\begin{array}{c} 1 & 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 0 \end{array}] \cdot [\begin{array}{c} w_{1} \\ w_{2} \\ w_{3} \\ w_{4} \\ w_{5} \\ x_{1} \\ 1 \end{array}]) \circ ([\begin{array}{c} 0 & 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 0 \end{array}] \cdot [\begin{array}{c} w_{1} \\ w_{2} \\ w_{3} \\ w_{4} \\ w_{5} \\ x_{1} \\ 1 \end{array}]) \\ = [\begin{array}{c} w_{1} + w_{2} \\ w_{3} \end{array}] \circ [\begin{array}{c} w_{5} \\ w_{4} \end{array}] = [\begin{array}{c} (w_{1} + w_{2}) w_{5} \\ w_{3} w_{4} \end{array}] = [\begin{array}{c} x_{1} \\ w_{5} \end{array}] = C \cdot Z \end{aligned}

R1CS Definition

According to Definition 10 (R1CS) in Nova paper:

Consider a finite field
$F$ . Let the public parameters consist of size bounds
$m, n, l \in N$ where
$m > l$ . The R1CS structure consists of sparse matrices
$A, B, C \in F^{m \times m}$ with at most
$n = Ω (m)$ non-zero entries in each matrix. An instance
$x \in F^{l}$ consists of public inputs and outputs and is satisfied by a witness
$W \in F^{m - l - 1}$ if
$(A \cdot Z) \circ (B \cdot Z) = C \cdot Z$ , where
$Z = (W, x, 1)$ .

R1CS's attempt:

There are different vector

Z_{1}

and

Z_{2}

for different instance witness pairs

(x_{1}, W_{1})

(x_{2}, W_{2})

and so on, which need to be verified repeatedly

(A \cdot Z_{i}) \circ (B \cdot Z_{i}) = C \cdot Z_{i}

It can be seen that matrix

A, B, C

representing constraints will not change. What Folding needs to solve is to reduce the number of verifications

(A \cdot Z_{i}) \circ (B \cdot Z_{i}) = C \cdot Z_{i}

by merging different instances

Z_{i}

So,

Z = [\begin{matrix} W \\ x \\ 1 \end{matrix}]

, choose a random value

r \in F

, let

\begin{aligned} x & \leftarrow x_{1} + r \cdot x_{2} \\ W & \leftarrow W_{1} + r \cdot W_{2} \end{aligned}

failed because

Z \neq Z_{1} + r \cdot Z_{2}

Relaxed R1CS

Relaxed R1CS Definition

According to Definition 11 (Relaxed R1CS) in Nova paper:

Consider a finite field
$F$ . Let the public parameters consist of size bounds
$m, n, l \in N$ where
$m > l$ . The relaxed R1CS structure consists of sparse matrices
$A, B, C \in F^{m \times m}$ with at most
$n = Ω (m)$ non-zero entries in each matrix. A relaxed R1CS instance consists of an error vector
$E \in F^{m}$ , a scalar
$u \in F$ , and public inputs and outputs
$x \in F^{l}$ . An instance
$(E, u, x)$ is satisfied by a witness
$W \in F^{m - l - 1}$ if
$(A \cdot Z) \circ (B \cdot Z) = u \cdot (C \cdot Z) + E$ , where
$Z = (W, x, u)$ .

Relaxed R1CS's attempt:

From the definition, we can get:

\begin{aligned} (A \cdot Z_{i}) \circ (B \cdot Z_{i}) & = u_{i} \cdot (C \cdot Z_{i}) + E_{i} \\ Z & = (W, x, u) \end{aligned}

Choose a random value

r \in F

, if we perform a linear combination of two instances in the following way:

\begin{aligned} x & \leftarrow x_{1} + r \cdot x_{2} \\ W & \leftarrow W_{1} + r \cdot W_{2} \\ u & \leftarrow u_{1} + r \cdot u_{2} \\ E & \leftarrow E_{1} + r \cdot (A Z_{1} \circ B Z_{2} + A Z_{2} \circ B Z_{1} - u_{1} C Z_{2} - u_{2} C Z_{1}) + r^{2} \cdot E_{2} \end{aligned}

We can deduce the following result:

Z = (W, x, u) = [\begin{matrix} W \\ x \\ u \end{matrix}] = [\begin{matrix} W_{1} + r W_{2} \\ x_{1} + r x_{2} \\ u_{1} + r u_{2} \end{matrix}] = Z_{1} + r \cdot Z_{2}

\begin{aligned} A Z \circ B Z & = A (Z_{1} + r \cdot Z_{2}) \circ B (Z_{1} + r \cdot Z_{2}) \\ = A Z_{1} \circ B Z_{1} + r \cdot (A Z_{1} \circ B Z_{2} + A Z_{2} \circ B Z_{1}) + r^{2} \cdot A Z_{2} \circ B Z_{2} \\ = u_{1} \cdot C Z_{1} + E_{1} + r \cdot (A Z_{1} \circ B Z_{2} + A Z_{2} \circ B Z_{1}) + r^{2} \cdot (u_{2} \cdot C Z_{2} + E_{2}) \\ = u_{1} \cdot C Z_{1} + r u_{2} \cdot C Z_{1} - r u_{2} \cdot C Z_{1} + E_{1} + r \cdot (A Z_{1} \circ B Z_{2} + A Z_{2} \circ B Z_{1}) + r^{2} \cdot (u_{2} \cdot C Z_{2} + E_{2}) + r u_{1} C Z_{2} - r u_{1} C Z_{2} \\ = (u_{1} + r u_{2}) C Z_{1} + E_{1} - r u_{2} C Z_{1} + r (A Z_{1} \circ B Z_{2} + A Z_{2} \circ B Z_{1}) + (u_{1} + r u_{2}) r C Z_{2} + r^{2} E_{2} - r u_{1} C Z_{2} \\ = (u_{1} + r u_{2}) C (Z_{1} + r Z_{2}) + r (A Z_{1} \circ B Z_{2} + A Z_{2} \circ B Z_{1} - u_{2} C Z_{1} - u_{1} C Z_{2}) + E_{1} + r^{2} E_{2} \\ = u C Z + E \end{aligned}

Success! we only need to verify whether

Z

satisfies the constraints

(A \cdot Z) \circ (B \cdot Z) = u \cdot (C \cdot Z) + E

to check whether both

Z_{1}

and

Z_{2}

satisfy the constraints.

Committed Relaxed R1CS

Committed Relaxed R1CS Definition

According to Definition 12 (Committed Relaxed R1CS) in Nova paper:

Consider a finite field
$F$ and a commitment scheme
$Com$ over
$F$ . Let the public parameters consist of size bounds
$m, n, l \in N$ where
$m > l$ , and commitment parameters
${pp}_{E}$ and
${pp}_{W}$ for vectors of size
$m$ and
$m - l - 1$ respectively. The committed relaxed R1CS structure consists of sparse matrices
$A, B, C \in F^{m \times m}$ with at most
$n = Ω (m)$ non-zero entries in each matrix. A committed relaxed R1CS instance is a tuple
$(\overset{―}{E}, u, \overset{―}{W}, x)$ , where
$\overset{―}{E}$ and
$\overset{―}{W}$ are commitments,
$u \in F$ , and
$x \in F^{l}$ are public inputs and outputs. An instance
$(\overset{―}{E}, u, \overset{―}{W}, x)$ is satisfied by a witness
$(E, r_{E}, W, r_{W}) \in (F^{m}, F, F^{m - l - 1}, F)$ if
$\overset{―}{E} = Com ({pp}_{E}, E, r_{E}), \overset{―}{W} = Com ({pp}_{W}, W, r_{W})$ , and
$(A \cdot Z) \circ (B \cdot Z) = u \cdot (C \cdot Z) + E$ , where
$Z = (W, x, u)$ .

For more introduction to the commitment, please refer to the wiki.

A Folding Scheme for Committed Relaxed R1CS

According to Construction 1 (A Folding Scheme for Committed Relaxed R1CS) in Nova paper:

Consider a finite field
$F$ and a succinct, hiding, and homomorphic commitment scheme
$Com$ over
$F$ . We define the generator and the encoder as follows.
–
$G (1^{λ}) \to pp$ : output size bounds
$m, n, l \in N$ , and commitment parameters
${pp}_{E}$ and
${pp}_{W}$ for vectors of size
$m$ and
$m - l - 1$ respectively.
–
$K (pp, (A, B, C)) \to (pk, vk)$ : output
$pk \leftarrow (pp, (A, B, C))$ and
$vk \leftarrow ⊥$ .

The verifier
$V$ takes two committed relaxed R1CS instances
$(\overset{―}{E_{1}}, u_{1}, \overset{―}{W_{1}}, x_{1})$ and
$(\overset{―}{E_{2}}, u_{2}, \overset{―}{W_{2}}, x_{2})$ . The prover
$P$ , in addition to the two instances, takes witnesses to both instances,
$(E_{1}, r_{E_{1}}, W_{1}, r_{W_{1}})$ and
$(E_{2}, r_{E_{2}}, W_{2}, r_{W_{2}})$ . Let
$Z_{1} = (W_{1}, x_{1}, u_{1})$ and
$Z_{2} = (W_{2}, x_{2}, u_{2})$ . The prover and the verifier proceed as follows.

$P :$ Send
$\overset{―}{T} := Com ({pp}_{E}, T, r_{T})$ , wherer
$r_{T} \leftarrow_{R} F$ and with cross term

$T = A Z_{1} \circ B Z_{2} + A Z_{2} \circ B Z_{1} - u_{1} \cdot C Z_{2} - u_{2} \cdot C Z_{1} .$

$V :$ Sample and send challenge
$r \leftarrow_{r} F$ .

$V, P :$ Output the folded instance
$(\overset{―}{E}, u, \overset{―}{W}, x)$ where

$\begin{aligned} \overset{―}{E} & \leftarrow \overset{―}{E_{1}} + r \cdot \overset{―}{T} + r^{2} \cdot \overset{―}{E_{2}} \\ u & \leftarrow u_{1} + r \cdot u_{2} \\ \overset{―}{W} & \leftarrow \overset{―}{W_{1}} + r \cdot \overset{―}{W_{2}} \\ x & \leftarrow x_{1} + r \cdot x_{2} \end{aligned}$

$P :$ Output the folded witness
$(E, r_{E}, W, r_{W})$ , where

$\begin{aligned} E & \leftarrow E_{1} + r \cdot T + r^{2} \cdot E_{2} \\ r_{E} & \leftarrow r_{E_{1}} + r \cdot r_{T} + r^{2} \cdot r_{E_{2}} \\ W & \leftarrow W_{1} + r \cdot W_{2} \\ r_{W} & \leftarrow r_{W_{1}} + r \cdot r_{W_{2}} \end{aligned}$

code

Next, we analyze the code of r1cs mod according to the above theory, located in src/r1cs.rs.

R1CS struct



pub struct R1CS<G: Group> { 
  _p: PhantomData<G>,
}

This structure only retains a generic G, which needs to implement the methods in the Group trait, and has no valid data other than that.

There is a method for R1CS:

commitment_key, for a given circuit(certain
$A, B, C$ ), it will call Group's CE type's setup method to get a CommitmentKey and return it.

R1CSShape struct








pub struct R1CSShape<G: Group> {
  pub(crate) num_cons: usize,
  pub(crate) num_vars: usize,
  pub(crate) num_io: usize,
  pub(crate) A: Vec<(usize, usize, G::Scalar)>,
  pub(crate) B: Vec<(usize, usize, G::Scalar)>,
  pub(crate) C: Vec<(usize, usize, G::Scalar)>,
}

R1CSShape means matrix

A, B, C,

that is, circuit constraints.

There are some fields in this structure:

num_cons: Length of a column in the matrix, also the number of multiplication gates.
num_vars: Length of witness
$W$ , and according to the previous, it equals
$m - l - 1$ .
num_io: Length of public input and output
$x$ , and according to the previous, it equals
$l$ .
A, B, C: Represent the position and value of the non-zero value in the sparse matrix.

We can get length of a column in the matrix by num_vars + num_io + 1, so the three matrices

A, B, C

are completely determined by struct R1CSShape.

There are some methods for R1CSShape:

new(): Receive num_cons, num_vars, num_io, A, B, C as parameters, then do some checks，and return R1CSShape. The checks's comments.
check_regular_shape(): Checks regularity conditions on the R1CSShape, required in Spartan-class SNARKs. The checks's comments.
multiply_vec(): Calculate and return them:
$(A \cdot Z, B \cdot Z, C \cdot Z)$
is_sat_relaxed(): Check
$A \cdot Z \circ B \cdot Z = u \cdot C \cdot Z + E$ ,
$\overset{―}{W} = Com ({pp}_{W}, W, c k)$ and
$\overset{―}{E} = Com ({pp}_{E}, E, c k)$ .
$\overset{―}{W}$ and
$\overset{―}{E}$ used the same commitment key.
is_sat(): pass CommitmentKey, R1CSInstance and R1CSWitness as parameters, check
$A \cdot [\begin{matrix} W \\ x \\ 1 \end{matrix}] \circ B \cdot [\begin{matrix} W \\ x \\ 1 \end{matrix}] = C \cdot [\begin{matrix} W \\ x \\ 1 \end{matrix}]$ and
$\overset{―}{W} = Com ({pp}_{W}, W, c k)$
commit_T():
$\overset{―}{T} := Com ({pp}_{W}, T, c k_{T})$ , wherer
$r_{T} \leftarrow_{R} F$ and with cross term

$T = A Z_{1} \circ B Z_{2} + A Z_{2} \circ B Z_{1} - u_{1} \cdot C Z_{2} - u_{2} \cdot C Z_{1}$ . first calculate
$Z_{1}$ and
$Z_{2}$ by
$Z_{i} = (W_{i}, u_{i}, x_{i})$
pad(): make witness.len() = M.colume.len() = 2^k, required in Spartan-class SNARKs.

R1CSWitness struct



pub struct R1CSWitness<G: Group> {
  W: Vec<G::Scalar>,
}

R1CSWitness means

W

, Witness of R1CS, which is a vector of length

m - l - 1

, the

W

Z = [\begin{matrix} W \\ x \\ 1 \end{matrix}]

There are some methods for R1CSWitness:

new(): Pass in an R1CSShape example S and a vector W. Because creating a Witness needs to know which R1CS's witness it is, and it will check that the length of W is equal to S.num_vars.
commit(): Calculate
$\overset{―}{W} = Com ({pp}_{W}, W, r_{W})$ . And the parameter ck, a CommitmentKey, means
$r_{W}$ .

R1CSInstance struct




pub struct R1CSInstance<G: Group> {
  pub(crate) comm_W: Commitment<G>,
  pub(crate) X: Vec<G::Scalar>,
}

R1CSInstance means

(\overset{―}{W}, x)

There are a method for R1CSInstance:

new():
$(\overset{―}{W}, x, 1)$ and A.num_io should == x.len()

RelaxedR1CSWitness struct




pub struct RelaxedR1CSWitness<G: Group> {
  pub(crate) W: Vec<G::Scalar>,
  pub(crate) E: Vec<G::Scalar>,
}

RelaxedR1CSWitness means

(W, E)

There are some methods for RelaxedR1CSWitness:

default(), use zero value to init the
$W, E$ .
from_r1cs_witness(), use zero value to init the
$E$ , and get the
$W$ from parameter.
commit(), return
$\overset{―}{W} / \overset{―}{E} = Com ({pp}_{W / E}, W / E, c k)$ , with the same comitment key ck.
fold(), Calculate
$W = W_{1} + r \cdot W_{2}$ and
$E = E_{1} + r \cdot T$ , used the same r. Why is not
$E = E_{1} + r \cdot T + r^{2} \cdot E_{2}$ here? since
$E_{2}$ of parameter's R1CSWitness is
$\vec{0}$ ,
$r^{2} \cdot E_{2}$ can be omitted.
pad(): Pads the provided witness to the correct length.

RelaxedR1CSInstance struct






pub struct RelaxedR1CSInstance<G: Group> {
  pub(crate) comm_W: Commitment<G>,
  pub(crate) comm_E: Commitment<G>,
  pub(crate) X: Vec<G::Scalar>,
  pub(crate) u: G::Scalar,
}

RelaxedR1CSInstance means

(\overset{―}{W}, \overset{―}{E}, x, u)

There are some methods for RelaxedR1CSInstance:

default(): Produces a default RelaxedR1CSInstance given R1CSGens and R1CSShape
from_r1cs_instance(): Initializes a new RelaxedR1CSInstance from an R1CSInstance, the u use one value
from_r1cs_instance_unchecked(): Initializes a new RelaxedR1CSInstance from an R1CSInstance, the u use one value
fold(): Folds an incoming R1CSInstance into the current one, calculate
$x = x_{1} + r \cdot x_{2}$ and
$\overset{―}{W} = \overset{―}{W_{1}} + r \cdot \overset{―}{W_{2}}$ and
$\overset{―}{E} = \overset{―}{E_{1}} + r \cdot \overset{―}{T}$ and
$u = u_{1} + r$ used the same r. Why is not
$\overset{―}{E} = \overset{―}{E_{1}} + r \cdot \overset{―}{T} + r^{2} \cdot \overset{―}{E_{2}}$ here? Since
$\overset{―}{E_{2}}$ of parameter's R1CSInstance is
$O$ ,
$r^{2} \cdot \overset{―}{E_{2}}$ can be omitted. and why is it
$u = u_{1} + r \cdot u_{2}$ ? Since the
$u_{2}$ from R1CSInstance is 1 in default.

nifs mod

A Non-Interactive Folding Scheme

According to Construction 2 (A Non-Interactive Folding Scheme) in Nova paper:

We achieve non-interactivity in the random oracle model using the strong Fiat-Shamir transform. Let
$ρ$ denote a random oracle sampled during parameter generation and provided to all parties. Let
$(G, K, P, V)$ represent our interactive folding scheme (Construction 1). We construct a non-interactive folding scheme
$(G, K, P, V)$ as follows:
–
$G (1^{λ})$ : output
$pp \leftarrow G (1^{λ})$ .
–
$K (pp, (A, B, C))$ :
$vk \leftarrow ρ (pp, s)$ and
$pk \leftarrow (pp, (A, B, C), vk)$ ; output
$(vk, pk)$ .
–
$P (pk, (u_{1}, w_{1}), (u_{2}, w_{2}))$ : runs
$P ((pk . pp, pk . (A, B, C))$ to retrieve its first message
$\overset{―}{T}$ , and sends
$\overset{―}{T}$ to
$V$ ; computes
$r \leftarrow ρ (vk, u_{1}, u_{2}, \overset{―}{T})$ , forwards this to
$P$ , and outputs the resulting output.
–
$V (vk, u_{1}, u_{2}, \overset{―}{T})$ : runs
$V$ with
$\overset{―}{T}$ as the message from the prover and with randomness
$r \leftarrow ρ (vk, u_{1}, u_{2}, \overset{―}{T})$ , and outputs the resulting output.

Assumption 1 (RO instantiation):

Construction 2 is a non-interactive folding scheme that satisfies completeness, knowledge soundness, and zero-knowledge in the standard model when
$ρ$ is instantiated with a cryptographic hash function.

code

Next, we analyze the code of nifs mod, located in src/nifs.rs.

NIFS struct



pub struct NIFS<G: Group> {
  pub(crate) comm_T: CompressedCommitment<G>,
}

This structure contains

\overset{―}{T}

, where

T = A \cdot Z_{1} \circ B \cdot Z_{2} + A \cdot Z_{2} \circ B \cdot Z_{1} - u_{1} \cdot C \cdot Z_{2} - u_{2} \cdot C \cdot Z_{1}, \overset{―}{T} = Com ({pp}_{E}, T, r_{E})

and there are two methods impl for NISF:

prove(): Given ck, ro_consts, pp_digest, S
$(A, B, C)$ , U1
$(\overset{―}{W_{1}}, \overset{―}{E_{1}}, x_{1}, u_{1})$ , W1
$(W_{1}, E_{1})$ , U2
$(\overset{―}{W_{2}}, x_{2})$ , W2(
$W_{2}$ ), return NIFS ,
$(W, E)$ and
$(\overset{―}{W}, \overset{―}{E}, x, u)$ , and the random r = ρ(ro_consts, pp_digest, U1, U2, comm_T)
verify(): Given ro_consts, pp_digest, U1
$(\overset{―}{W_{1}}, \overset{―}{E_{1}}, x_{1}, u_{1})$ , U2
$(\overset{―}{W_{2}}, x_{2})$ , get
$\overset{―}{T}$ from self.comm_T, calculate random r = ρ(ro_consts, pp_digest, U1, U2, comm_T), return the new U = U1.fold(U2).

constants mod






pub(crate) const NUM_CHALLENGE_BITS: usize = 128;
pub(crate) const NUM_HASH_BITS: usize = 250;
pub(crate) const BN_LIMB_WIDTH: usize = 64;
pub(crate) const BN_N_LIMBS: usize = 4;
pub(crate) const NUM_FE_WITHOUT_IO_FOR_CRHF: usize = 17;
pub(crate) const NUM_FE_FOR_RO: usize = 24;

NUM_CHALLENGE_BITS: Valid output bits when a random oracle is used to generate challenge value r.
NUM_HASH_BITS: Valid output bits when a random oracle is used to generate hash
BN_LIMB_WIDTH and BN_N_LIMBS: Use 4 * 64 bits to represent 256 bits.
NUM_FE_WITHOUT_IO_FOR_CRHF
NUM_FE_FOR_RO

circuit mod

According to Construction 3 (IVC) in Nova paper:

Let
$NIFS = (G, K, P, V)$ be the non-interactive folding scheme for committed relaxed R1CS (Construction 2). Consider a polynomialtime function F that takes non-deterministic input, and a cryptographic hash function
$hash$ . We define our augmented function
$F^{'}$ as follows (all arguments to
$F^{'}$ are taken as non-deterministic advice):

$\underset{―}{F^{'} (vk, U_{i}, u_{i}, (i, z_{0}, z_{i}), w_{i}, \overset{―}{T}) \to x :}$

If
$i$ is
$0$ , output
$hash (vk, 1, z_{0}, F (z_{0}, w_{i}), u_{⊥})$ ;

otherwise,

$(1)$ check that
$u_{i} . x = hash (vk, i, z_{0}, z_{i}, U_{i})$ , where
$u_{i} . x$ is the public IO of
$u_{i}$ ,

$(2)$ check that
$(u_{i} . \overset{―}{E}, u_{i} . u) = (u_{⊥} . \overset{―}{E}, 1)$ ,

$(3)$ compute
$U_{i + 1} \leftarrow NIFS . V (vk, U, u, \overset{―}{T})$ , and

$(4)$ output
$hash (vk, i + 1, z_{0}, F (z_{i}, w_{i}), U_{i + 1})$ .

Because
$F^{'}$ can be computed in polynomial time, it can be represented as a committed relaxed R1CS structure
$s_{F^{'}}$ . Let

$(u_{i + 1}, w_{i + 1}) \leftarrow trace (F^{'}, (vk, U_{i}, u_{i}, (i, z_{0}, z_{i}), w_{i}, \overset{―}{T}))$
denote the satisfying committed relaxed R1CS instance-witness pair
$(u_{i + 1}, w_{i + 1})$ for the execution of
$F^{'}$ on non-deterministic advice
$(vk, U_{i}, u_{i}, (i, z_{0}, z_{i}), w_{i}, \overset{―}{T})$ .

We define the IVC scheme
$(G, K, P, V)$ as follows.

$\underset{―}{G (1^{λ}) \to pp}$ : Output
$NIFS . G (1^{λ})$ .

$\underset{―}{K (pp, F) \to (pk, vk)}$ :

Compute
$({pk}_{fs}, {vk}_{fs}) \leftarrow NIFS . K (pp, s_{F^{'}})$ and output
$(pk, vk) \leftarrow ((F, {pk}_{fs}), (F, {vk}_{fs}))$ .

$\underset{―}{P (pk, (i, z_{0}, z_{i}), w_{i}, Π_{i}) \to Π_{i + 1}}$ :

Parse
$Π_{i}$ as
$((U_{i}, W_{i}), (u_{i}, w_{i}))$ and then

$(1)$ if
$i$ is
$0$ , compute
$(U_{i + 1}, W_{i + 1}, \overset{―}{T}) \leftarrow (u_{⊥}, w_{⊥}, u_{⊥} . \overset{―}{E})$ ;

otherwise, compute
$(U_{i + 1}, W_{i + 1}, \overset{―}{T}) \leftarrow NIFS . P (pk, (U_{i}, W_{i}), (u_{i}, w_{i}))$ ,

$(2)$ compute
$(u_{i + 1}, w_{i + 1}) \leftarrow trace (F^{'}, (vk, U_{i}, u_{i}, (i, z_{0}, z_{i}), w_{i}, \overset{―}{T}))$ , and

$(3)$ output
$Π_{i + 1} \leftarrow ((U_{i + 1}, W_{i + 1}), (u_{i + 1}, w_{i + 1}))$ .

$\underset{―}{V (vk, (i, z_{0}, z_{i}), Π_{i}) \to {0, 1}}$ :

If
$i$ is
$0$ , check that
$z_{i} = z_{0}$ ;
otherwise,

$(1)$ parse
$Π_{i}$ as
$((U_{i}, W_{i}), (u_{i}, w_{i}))$ ,

$(2)$ check that
$u_{i} . x = hash (vk, i, z_{0}, z_{i}, U_{i})$ ,

$(3)$ check that
$(u_{i} . \overset{―}{E}, u . u) = (u_{⊥} . \overset{―}{E}, 1)$ , and

$(4)$ check that
$W_{i}$ and
$w_{i}$ are satisfying witnesses to
$U_{i}$ and
$u_{i}$ respectively.

code





pub struct NovaAugmentedCircuitParams {
  limb_width: usize, // word size
  n_limbs: usize, // how many words
  is_primary_circuit: bool, // A boolean indicating if this is the primary circuit
}









pub struct NovaAugmentedCircuitInputs<G: Group> {
  params: G::Scalar, // Hash(Shape of u2, Gens for u2). Needed for computing the challenge.
  i: G::Base,
  z0: Vec<G::Base>,
  zi: Option<Vec<G::Base>>,
  U: Option<RelaxedR1CSInstance<G>>,
  u: Option<R1CSInstance<G>>,
  T: Option<Commitment<G>>,
}

params:

`lib.rs`

A zkSNARK of a Valid IVC Proof

Construction 4 (A zkSNARK of a Valid IVC Proof). Let
$IVC$ denote the IVC scheme in Construction 3, let
$NIFS$ denote the non-interactive folding scheme in Construction 2, and let
$hash$ denote a randomized cryptographic hash function. Assume a zero-knowledge succinct non-interactive argument of knowledge (Definition 2),
$zkSNARK$ , for committed relaxed R1CS. That is, given public parameters
$pp$ , structure
$s$ , and instance
$u$ ,
$zkSNARK . P$ can convince
$zkSNARK . V$ in zero-knowledge and with a succinct proof (e.g.,
$O_{λ} (\log N)$ -sized proof) that it knows a corresponding witness
$w$ such that
$(pp, s, u, w)$ is a satisfying committed relaxed R1CS tuple.

Consider a polynomial-time computable function
$F$ . Suppose
$pp \leftarrow IVC . G (1^{λ})$ and
$(pk, vk) \leftarrow IVC . K (pp, F)$ . Suppose the prover
$P$ and verifier
$V$ are provided an instance
$(i, z_{0}, z_{i})$ . We construct a zkSNARK that allows the prover to show that it knows an IVC proof
$Π_{i}$ such that
$IVC . V (vk, i, z_{0}, z_{i}, Π_{i}) = 1$ .

In a nutshell, we leverage the fact that
$Π$ is two committed relaxed R1CS instance-witness pairs. So,
$P$ first folds instance-witness pairs
$(u, w)$ and
$(U, W)$ to produce a folded instance-witness pair
$(U^{'}, W^{'})$ , using
$NIFS . P$ . Next,
$P$ runs
$zkSNARK . P$ to prove that it knows a valid witness for
$U^{'}$ . In more detail, for polynomial-time computable function
$F$ and corresponding function
$F^{'}$ as defined in Construction 3 (and instantiated with
$hash$ ), we define
$(G, K, P, V)$ as follows.

$\underset{―}{G (1^{λ}) \to pp}$ :

$(1)$ Compute
${pp}_{NIFS} \leftarrow NIFS . G (1^{λ})$

$(2)$ Compute
${pp}_{zkSNARK} \leftarrow zkSNARK . G (1^{λ})$

$(3)$ Output (
${pp}_{NIFS}, {pp}_{zkSNARK})$

$\underset{―}{K (pp, F) \to (pk, vk)}$ :

$(1)$ Compute
$({pk}_{NIFS}, {vk}_{NIFS}) \leftarrow NIFS . K (pp . {pp}_{NIFS}, s_{F^{'}})$ .

$(2)$ Compute
$({pk}_{zkSNARK}, {vk}_{zkSNARK}) \leftarrow zkSNARK . K (pp . {pp}_{zkSNARK}, s_{F^{'}})$ .

$(3)$ Output
$(({pk}_{NIFS}, {pk}_{zkSNARK}), ({vk}_{NIFS}, {vk}_{zkSNARK}))$ .

$\underset{―}{P (pk, (i, z_{0}, z_{i}), Π) \to π}$ :
If
$i$ is
$0$ , output
$⊥$ ;
otherwise,

$(1)$ parse
$Π$ as
$((U, W), (u, w))$

$(2)$ compute
$(U^{'}, W^{'}, \overset{―}{T}) \leftarrow NIFS . P ({pk}_{NIFS}, (U, W), (u, w))$

$(3)$ compute
$π_{U^{'}} \leftarrow zkSNARK . P ({pk}_{zkSNARK}, U^{'}, W^{'})$

$(4)$ output
$(U, u, \overset{―}{T}, π_{U^{'}})$ .

$\underset{―}{V (vk, (i, z_{0}, z_{i}), π) \to {0, 1}}$ :
If
$i$ is
$0$ , check that
$z_{0} = z_{i}$ ;
otherwise,

$(1)$ parse
$π$ as
$(U, u, \overset{―}{T}, π_{U^{'}})$ ,

$(2)$ check that
$u . x = hash ({vk}_{NIFS}, i, z_{0}, z_{i}, U)$ ,

$(3)$ check that
$(u . \overset{―}{E}, u . u) = (u_{⊥} . \overset{―}{E}, 1)$ ,

$(4)$ compute
$U^{'} \leftarrow NIFS . V ({vk}_{NIFS}, U, u, \overset{―}{T})$ , and

$(5)$ check that
$zkSNARK . V ({vk}_{zkSNARK}, U^{'}, π_{U^{'}}) = 1$ .

Polynomial Extension(MLE) see Notes for PAZK(MLE)

The Sum-Check Protocol see Notes for PAZK(Sum-Check)

Idealized Relaxed R1CS

Definition 14 (Idealized Relaxed R1CS). Consider a finite field
$F$ . Let the public parameters consist of size bounds
$m, n, l \in N$ where
$m > l .$ The idealized relaxed R1CS structure consists of sparse matrices
$A, B, C \in F^{m \times m}$ with at most
$n = Ω (m)$ non-zero entries in each matrix. A idealized relaxed R1CS instance consists of an error vector
$E \in F^{m}$ , a scalar
$u \in F$ , witness vector
$W \in F^{m}$ , and public inputs and outputs
$x \in F^{l}$ . An instance
$(E, u, W, x)$ is satisfying if
$(A \cdot Z) \circ (B \cdot Z) = u \cdot (C \cdot Z) + E$ , where
$Z = (W, x, u)$ .

Polynomial IOP for Idealized Relaxed R1CS

Construction 5 (Polynomial IOP for Idealized Relaxed R1CS). Consider an idealized relaxed R1CS statement
$φ$ consisting of public parameters
$(m, n, l)$ , structure
$(A, B, C)$ , and instance
$(E, u, W, x)$ , Without loss of generality, we assume that
$m$ and
$n$ are powers of
$2$ and that
$m = 2 \cdot (l + 1)$ .

Let
$s = \log m$ . We interpret the matrices
$A, B, C$ as functions with signature
${0, 1}^{\log m} \times {0, 1}^{\log m} \to F$ in a natural manner. In particular, an input in
${0, 1}^{\log m} \times {0, 1}^{\log m}$ is interpreted as the binary representation of an index
$(i, j) \in [m] \times [m]$ , where
$[m] := {1, \dots, m}$ and the function outputs
$(i, j)$ th entry of the matrix. As such, let
$\tilde{A}, \tilde{B}$ , and
$\tilde{C}$ denote multilinear extensions of
$A, B,$ and
$C$ interpreted as functions, so they are
$2 \log m$ -variate sparse multilinear polynomials of size
$n$ . Similarly, we interpret
$E$ and
$W$ as functions with respective signatures
${0, 1}^{\log m} \to F$ and
${0, 1}^{\log m - 1} \to F$ . Furthermore, let
$\tilde{E}$ and
$\tilde{W}$ denote the multilinear extensions of
$E$ and
$W$ interpreted as functions, so they are multilinear polynomials in
$\log m$ and
$\log m - 1$ variables respectively.

As noted earlier, the verifier has an oracle access to the following polynomials:
$\tilde{A}, \tilde{B}, \tilde{C}, \tilde{E}$ , and
$\tilde{W}$ . Additionally, the verifier reads
$u$ and
$x$ in entirety.

Let
$Z = (W, x, u)$ . Similar to how we interpret matrices as functions, we interpret
$Z$ and
$(x, u)$ as functions with the following respective signatures:
${0, 1}^{s} \to F$ and
${0, 1}^{s - 1} \to F$ . Observe that the
$MLE$
$\tilde{Z}$ of
$Z$ satisfies
$\tilde{Z} (X_{1}, \dots, X_{s}) = (1 - X_{1}) \cdot \tilde{W} (X_{2}, \dots, X_{s}) + X_{1} \cdot \tilde{(x, u)} (X_{2}, \dots, X_{s}) (1)$

Similar to [40, Theorem 4.1], checking if
$φ$ is satisfiable is equivalent, except for a soundness error of
$\log m / | F |$ over the choice of
$τ \in F^{s}$ , to checking if the following identity holds:
$0 \overset{?}{=} \sum_{x \in {0, 1}^{s}} \tilde{eq} (τ, x) \cdot F (x), (2)$ where
$F (x) = (\begin{matrix} \sum_{y \in {0, 1}^{s}} \tilde{A} (x, y) \cdot \tilde{Z} (y) \end{matrix}) \cdot (\begin{matrix} \sum_{y \in {0, 1}^{s}} \tilde{B} (x, y) \cdot \tilde{Z} (y) \end{matrix}) - (\begin{matrix} u \cdot \sum_{y \in {0, 1}^{s}} \tilde{C} (x, y) \cdot \tilde{Z} (y) + \tilde{E} (x) \end{matrix}),$ and
$\tilde{eq}$ is the multilinear extension of
$eq : {0, 1}^{s} \times {0, 1}^{s} \to F$ where
$eq (x, e) = 1$ if
$x = e$ and
$0$ otherwise.

That is, if
$φ$ is satisfiable, then Equation (2) holds with probability
$1$ over the choice of
$τ$ , and if not, then Equation (2) holds with probability at most
$O (\log m / | F |)$ over the random choice of
$τ$ .

To compute the right-hand side in Equation (2), the prover and the verifier apply the sum-check protocol to the following polynomial:
$g (x) := \tilde{eq} (τ, x) \cdot F (x)$ From the verifier’s perspective, this reduces the task of computing the right-hand side of Equation (2) to the task of evaluating
$g$ at a random input
$r_{x} \in F^{s}$ . Note that the verifier can locally evaluate
$\tilde{eq} (τ, r_{x})$ in
$O (\log m)$ field operations via
$\tilde{eq} (τ, r_{x}) = \prod_{i = 1}^{s} (τ_{i} r_{x, i} + (1 - τ_{i}) (1 - r_{x, i})) .$ With
$\tilde{eq} (τ, r_{x})$ in hand,
$g (r_{x})$ can be computed in
$O (1)$ time given the four quantities:
$\sum_{y \in {0, 1}^{s}} \tilde{A} (r_{x}, y) \cdot \tilde{Z} (y), \sum_{y \in {0, 1}^{s}} \tilde{B} (r_{x}, y) \cdot \tilde{Z} (y), \sum_{y \in {0, 1}^{s}} \tilde{C} (r_{x}, y) \cdot \tilde{Z} (y)$ , and
$\tilde{E} (r_{x})$ .

The last quantity can be computed with a single query to polynomial
$\tilde{E}$ . Furthermore, the first three quantities can be computed by applying the sum-check protocol three more times in parallel, once to each of the following three polynomials (using the same random vector of field elements,
$r_{y} \in F^{s}$ , in each of the three invocations):
$\tilde{A} (r_{x}, y) \cdot \tilde{Z} (y), \tilde{B} (r_{x}, y) \cdot \tilde{Z} (y)$ , and
$\tilde{C} (r_{x}, y) \cdot \tilde{Z} (y)$ .

To perform the verifier’s final check in each of these three invocations of the sum-check protocol, it suffices for the verifier to evaluate each of the above three polynomials at the random vector
$r_{y}$ , which means it suffices for the verifier to evaluate
$\tilde{A} (r_{x}, r_{y}), \tilde{B} (r_{x}, r_{y}), \tilde{C} (r_{x}, r_{y})$ , and
$\tilde{Z} (r_{y})$ . The first three evaluations can be obtained via the verifier’s assumed query access to
$(\tilde{A}, \tilde{B}, \tilde{C})$ .
$\tilde{Z} (r_{y})$ can be computed (via Equation (1)) from a query to
$\tilde{W}$ and from computing
$\tilde{(x, u)}$ .

In summary, we have the following polynomial IOP.

$V \to P : τ \in_{R} F^{s}$

$V \leftrightarrow P$ : run the sum-check protocol to reduce the check in Equation (2) to checking if the following hold, where
$r_{x}, r_{y}$ are vectors in
$F^{s}$ chosen at random by the verifier over the course of the sum-check protocol:
–
$\tilde{A} (r_{x}, r_{y}) \overset{?}{=} v_{A}, \tilde{B} (r_{x}, r_{y}) \overset{?}{=} v_{B}$ , and
$\tilde{C} (r_{x}, r_{y}) \overset{?}{=} v_{C}$ ;
–
$\tilde{E} (r_{x}) \overset{?}{=} v_{E};$ and
–
$\tilde{Z} (r_{y}) \overset{?}{=} v_{Z}$ .

$V$ :
– check if
$\tilde{A} (r_{x}, r_{y}) \overset{?}{=} v_{A}, \tilde{B} (r_{x}, r_{y}) \overset{?}{=} v_{B}$ , and
$\tilde{C} (r_{x}, r_{y}) \overset{?}{=} v_{C}$ , with a query to
$\tilde{A}, \tilde{B}, \tilde{C}$ at
$(r_{x}, r_{y})$ ;
– check if
$\tilde{E} (r_{x}) \overset{?}{=} v_{E}$ with an oracle query to
$\tilde{E}$ ; and
– check if
$\tilde{Z} (r_{y}) \overset{?}{=} v_{Z}$ by checking if:
$v_{Z} = (1 - r_{y} [1]) \cdot v_{W} + r_{y} [1] \cdot \tilde{(x, u)} (r_{y} [2. .])$ , where
$r_{y} [2. .]$ refers to a slice of
$r_{y}$ without the first element of
$r_{y}$ , and
$v_{W} \leftarrow \tilde{W} (r_{y} [2. .])$ via an oracle query (see Equation (1)).)

Nova and its Implementation：A Deep Dive

Code structure

r1cs mod

R1CS

a example

R1CS Definition

R1CS's attempt:

Relaxed R1CS

Relaxed R1CS Definition

Relaxed R1CS's attempt:

Committed Relaxed R1CS

Committed Relaxed R1CS Definition

A Folding Scheme for Committed Relaxed R1CS

code

R1CS struct

R1CSShape struct

R1CSWitness struct

R1CSInstance struct

RelaxedR1CSWitness struct

RelaxedR1CSInstance struct

nifs mod

A Non-Interactive Folding Scheme

code

NIFS struct

constants mod

circuit mod

code

lib.rs

A zkSNARK of a Valid IVC Proof

Idealized Relaxed R1CS

Polynomial IOP for Idealized Relaxed R1CS

bellpepper mod

dependencies

bellpepper

Read more

Rust-Verkle [in progress]

LeRobot by hand

Inner Product Argument

What is the KZG PCS

`lib.rs`