![](https://i.imgur.com/WeIvTiX.png =150x) **#4 Home Edition** # Proposal: Practical Groth16 Aggregation **Moderator:** Daniel Benarroch & Eran Tromer **Presenters:** Anca Nitulescu and Nicolas Gailly **Authors:** - Nicolas Gailly - Mary Maller - Anca Nitulescu To be presented on 2021-04-29. Resources: * [Latest PDF version](https://docs.zkproof.org/pages/standards/accepted-workshop4/proposal-aggregation.pdf) * [Miro whiteboard frame](https://miro.com/app/board/o9J_lJQRFxQ=/?moveToWidget=3074457357481295789&cot=14) * [Additional related links](https://hackmd.io/@workshop4/links) * [Related conversation]() ---- ## Real-time notes _Note Taker:_ Daira Hopwood Q. What is $D$ in the batch verification equations? A. A constant dependent on the verification key. Q. Daira: on a previous slide it looked like there were four different "toxic waste" secrets, how do you get that from two ceremonies? A. No, only two secrets (with two generators each). Q. Deidre: these are good numbers to keep in mind as we compare batch'd groth16 vs recursive halo2 A. Daira: Don't have full benchmarks yet, but Halo 2 probably better performance. Don't quote me! A. Mary: Halo 2 probably worse proving, better verification. Q. Mikhail: Applicability to other pairing-based proof systems? A. Mary: Random oracle queries in the middle of the proof causes this to fall apart. A. Mary: You need to have an algebraic structure in the statement being proven in the proof system. Wouldn't apply with less algebraic systems. Q. Eran: What needs to hold about the statements/instances being proven, for this to be applicable? A. Nicolas: Extendible to different verification keys in a batch, currently needs to be all the same verification key (i.e., same relation). Observation. Ariel: in zkRollup, you're rolling up SNARK proofs, and there are 3 types of these. The recursive circuit checks that you're using one of the predefined keys from the set. Antoine: focussing on block chain systems, but in the context where bandwidth complexity matters, using recursion (esp. with succinct proof system) is optimal. Nicolas: the aggregator can be any third party. Daira: For Halo, don't want large arity of recursive verification because you pay linear cost at the end. Q. Mikhail. What's the security paradigm? Same as Groth16? A. Daira: goal is to have the same security notion, aggregator is untrusted. ### Whence in ZKProof Standardization? Daira: Stepping stone: standardize Groth16 batch verification (as already used in Zebra and described in [Zcash protocol spec, Appendix B.2](https://zips.z.cash/protocol/protocol.pdf#grothbatchverify)). Mary: One layer of recursion. Other protocols use many layers. The two settings are related but different. Eran: We have some specifications of ZKP schemes out there (e.g. Zcash protocol spec), including serialization formats and reference vectors. Should we start a process where we include these? A. Daira, Thomas, Antoine: +1 A. Daira: Will be happy to help extracting pertinent parts of the Zcash spec. Including ingredients like curve representations etc. Groth16 itself is not specified in the Zcash spec itself (just referring to the Groth16 paper), just adding batch verification. A. Antoine: There are flavors of Groth16, depending on use case. For example, on Ethereum you do some modifications so that you only manipulate source group elements (because that's what the EVM supports) at the cost of more ops. So need to standardize the flavor that maks the most sense for applications. Eran: Possible Groth16 standardization milestones: 1. Vanilla Groth16 (some flavor(s), see above) 2. Add batch verification 3. Add aggregation Q. Eran: what other sufficiently-concrete specs do we have out there? A. \<silence\> Antoine: include the many additional implementation choices that come up, such as sampling randomness. Daira: yes, easier to implement using a library impl as a reference than from a paper, because the impl includes such considerations. Deidre, Anca: +1: the paper often leaves out assumptions or decisions an implementor has to make. Q. Daniel: Should we etablish a WG on Telegram to discuss concrete scheme standardization A. Anca Nitulescu, Daira Hopwood, AntoineR, Deidre Connolly, Mark Blunden, Mary Maller, Stephen Holmes, Eran Tromer: +1
Last changed by  
4th ZKProof Workshop
The notes for the 4th ZKProof Workshop - 2021
765

Read more

ZkpComRef: Diagrams and Illustrations

![](https://i.imgur.com/WeIvTiX.png =150x) Workshop #4 -- Home Edition Please start by reading the editorial disclaimer to ensure proper expectations about the process. Collaboration Instructions Context. This page was prepared for a breakout session of the ZKProof 4th workshop. The page can be concurrently/collaboratively edited. Goal. Collect suggestions/sketches for visual material (diagrams, illustrations and other figures) to add to the ZkpComRef. The suggestions can include: Embeding sketch/draft diagrams, illustrations or other figures.

4/20/2022
ZkpComRef: Concrete Schemes

![](https://i.imgur.com/WeIvTiX.png =150x) Workshop #4 -- Home Edition Please start by reading the editorial disclaimer to ensure proper expectations about the process. Goal: Collect short descriptions of numerous concrete ZKP schemes (i.e., protocols), conveying their relation to a possible IT proof system type (PCP, Linear PCP, IOP, ...) (and sub-type), cryptographic compilers, and efficiency. Note on future integration: The ZkpComRef will likely not incorporate all these descriptions. However, these descriptions will be tentatively useful when creating a table or diagram with many references to concrete schemes, differentiating them across various parameters (e.g., IT system type, efficiency type, ...). Existing material for comparison:

7/13/2021
4th Workshop - Ultimate List of Links

![](https://i.imgur.com/WeIvTiX.png =150x) #4 - Home Edition Here you can find all the links associated with the sessions and discussions of the 4th ZKProof Workshop - Home Edition. Please refer back to this page to view the updated links for the different discussions by entering the URL https://zkproof.org/workshop4-links Checkout the Charter, Code of Conduct and IP Policy :::info

7/13/2021
Proposal: Commit-and-Prove Zero-Knowledge Proof Systems and Extensions

![](https://i.imgur.com/WeIvTiX.png =150x) #4 Home Edition Moderator: Daira Hopwood Presenters: Jiwon Lee Authors: Daniel Benarroch Matteo Campanelli Dario Fiore

4/29/2021
Read more from 4th ZKProof Workshop
Published on HackMD