Try   HackMD

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
Home Edition #2

Proposal: Leo: A Programming Language for Formally Verified, Zero-Knowledge Applications Discussion Notes

Moderator: Eran Tromer
Presenters: Howard Wu & Collin Chin

Authors:

  • Collin Chin
  • Howard Wu
  • Raymond Chu
  • Alessandro Coglio
  • Eric McCarthy
  • Eric Smith

To be presented on 2021-04-19.

Resources:

Real-time notes

Note taker: Daira Hopwood

Motivation:

Decentralised applications have scalability issues due to everyone reexecuting all transactions.

Time-sharing resources across all parties.

Limited execution environments are being used to improve throughput.

History of all state-transitions must be executed by all parties causes privacy issues.

Lack of privacy also enables front-running attacks against consensus.

ZKPs enable prover to prove known state-execution was performed correctly without publicly disclosing contents.

Challenges:

DApps have weak guarantees of correctness and safety.

Require specialised expertise to represent executions.

Solution:

Leo is formally verified programming language for zero-knowledge applications. It is composable, decidable and universal.

Leo has 3 primary stages. Code -> Parser -> AST -> Conversion ->

Focus on Type Inference.

Type inference: automatically detects types of an expression in a formal language.

Formal definition of Leo language, aimed at producing a verifying compiler that proves semantic equivalence between input and output programs

Using ACL2 to verify each stage, using a formal model of the phase. There might be nondeterminism in the specification of the phase.

Compose the stage proofs to obtain an end-to-end proof.

Adding more optimization phases. Proofs are composable for modularity of the compiler.

Leo is implemented in Rust, 65000+ LoC, 12 contributors

Formally verified in ACL2, open-sourcing this soon.

70+ page language specification.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Also built tooling and frameworks, including Leo Playground. Will be released tomorrow.

Aleo Studio - IDE for writing zk applications.

Aleo package manager, with collaborative features.

https://leo-lang.org
https://paper.leo-lang.org
https://github.com/AleoHQ/leo

Discussion

Does it support nondeterminism?

  • Currently no. There have been discussions.
  • The current assumption is that a Leo circuit is compiled to a noninteractive proof system. Could also execute in the clear to produce a witness.

Is the scope of Leo just specifying a circuit? Does it include precomputation?

  • Specifying and executing a deterministic circuit.
  • Want to expand proof systems and curves.

Own implementation of proof system and curves?

  • own impl of Groth16 with BLS12-377

Supporting zkInterface?

  • Trying to optimize size of serialized representation.
  • PFCS = prime field constraint system, generalization of R1CS.
  • Need deterministic conversion to R1CS.

Eran: proposed extensions to zkInterface coming from SIEVE programme.

  • SIEVE IR, two syntaxes one based on zkInterface. Other might support PLONK-like custom-gate features, loops, branches, etc.

Francois Garillot: rationale for Hindley-Milner, relation to e.g. Noir?

  • need strong types with modular proof
  • biggest differentiating factor is formal verification
  • heavy lift is to remove assumptions in IR to make proving easier.

Francois: Why standardize specific language? What is required of the IR to enable more general standard that would enable formal verification?

  • Only the last stage depends on the circuit model. We want to formally verify the entire stack.

Francois: need to abstract in order to standardize. Otherwise we are standardizing precisely Leo.
Eran: drill more into what zkInterface should provide to support what Leo needs.

  • Extract what we had in early versions (baked in Groth16 and BLS12-377) to a separate repo.

Daira: comparison with CirC? (https://eprint.iacr.org/2020/1586)

  • SMT solver approach looks to be more elegant
  • Some language barrier (CirC implemented in Haskell, Rust version is coming up)
  • core library functionality could use CirC.

Kev: relation to ACIR (unlimited fan-in gates and black-box functions)

  • One aspect that makes our IR nice is that we use an ASG (abstract semantic graph) which enables outputting ASTs that can be converted to any IR.
  • Optimizations are standard PL fare.

Kev: rationale for Hindley-Milner?

  • not polymorphic, just inspired by H-M
  • not clear whether Leo will have polymorphic types
  • standardizing type systems for zk is an interesting problem

Alessandro: Verifying Leo programs against higher-level specifications is indeed of interest. But no work on that yet — focusing on the compilation process.

Stephane Graham-Langrand on Terminology: In the formal methods community, the name “Leo” is already taken as the name of a well-established Theorem Prover. Is the name set in stone? :-) It’s going to be confusing while interacting with the FM community…

Eran: standardizing language aspects (syntax and semantics that are quite opinionated) would be an uphill battle.

Proposed standards-oriented action

  1. Work with zkIntrface WG to discuss compilation targets and requisite extensions to zkInterface for representing structure, succinctness, etc.
  2. PFCS
  3. other components were mentioned that could be reused?

Telegram group for discussion: invite link here
Formal specification doc: link here

Last changed by 
4th ZKProof Workshop
The notes for the 4th ZKProof Workshop - 2021
0
881

Read more

ZkpComRef: Diagrams and Illustrations

![](https://i.imgur.com/WeIvTiX.png =150x) Workshop #4 -- Home Edition Please start by reading the editorial disclaimer to ensure proper expectations about the process. Collaboration Instructions Context. This page was prepared for a breakout session of the ZKProof 4th workshop. The page can be concurrently/collaboratively edited. Goal. Collect suggestions/sketches for visual material (diagrams, illustrations and other figures) to add to the ZkpComRef. The suggestions can include: Embeding sketch/draft diagrams, illustrations or other figures.

Apr 20, 2022
ZkpComRef: Concrete Schemes

![](https://i.imgur.com/WeIvTiX.png =150x) Workshop #4 -- Home Edition Please start by reading the editorial disclaimer to ensure proper expectations about the process. Goal: Collect short descriptions of numerous concrete ZKP schemes (i.e., protocols), conveying their relation to a possible IT proof system type (PCP, Linear PCP, IOP, ...) (and sub-type), cryptographic compilers, and efficiency. Note on future integration: The ZkpComRef will likely not incorporate all these descriptions. However, these descriptions will be tentatively useful when creating a table or diagram with many references to concrete schemes, differentiating them across various parameters (e.g., IT system type, efficiency type, ...). Existing material for comparison:

Jul 13, 2021
4th Workshop - Ultimate List of Links

![](https://i.imgur.com/WeIvTiX.png =150x) #4 - Home Edition Here you can find all the links associated with the sessions and discussions of the 4th ZKProof Workshop - Home Edition. Please refer back to this page to view the updated links for the different discussions by entering the URL https://zkproof.org/workshop4-links Checkout the Charter, Code of Conduct and IP Policy :::info

Jul 13, 2021
Proposal: Practical Groth16 Aggregation

![](https://i.imgur.com/WeIvTiX.png =150x) #4 Home Edition Moderator: Daniel Benarroch & Eran Tromer Presenters: Anca Nitulescu and Nicolas Gailly Authors: Nicolas Gailly Mary Maller Anca Nitulescu

Apr 29, 2021
Read more from 4th ZKProof Workshop
Published on HackMD