Try   HackMD

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
#4 - Home Edition

ZkpComRef: Interfaces, Formats and Interoperability

Please start by reading the editorial disclaimer to ensure proper expectations about the process.

Collaboration Instructions

This page was prepared for a breakout session during the ZKProof 4th workshop in order to receive concurrent/collaborative suggestions of content that may be useful for the "ZKProof Community Reference" (ZkpComRef).

Goal: this document will focus on expanding Section 3.4 on APIs and File Formats and Section 3.7 on Constraint-System Interoperability.

Content

Each contribution should be either self-contained or written within the context of the section (as an edit of the current subsections). The field is advancing fast, and more interesting solutions for interfacing between frontends and backends are being published, different formats (PLONK, R1CS, Circuits, etc.) are being built and more needs for interoperability exist.

Contributors are free to chose the relevant topics, either expanding on existing titles or adding new subsections. Here is a list of potential topics to be covered:

Examples of topics:

  • Concrete / reference APIs for the different systems: can we build a generic API that would be used across the board in a "plug-and-play" manner? what would be the challenges?
    • Backends APIs
    • Frontend APIs
    • Communication APIs
  • Descriptions of file formats: what other formats exist (aside from R1CS) that can be used with ZK systems? For each maybe describe them, their mathematics, what are the (dis)advantages over others and how are they used in ZK proving systems?
    • R1CS and different versions. There are other "light-weight" constraint systems that are similar to R1CS.
    • Arithmetic and Boolean Circuits. The most common form of encoding computational statements is in circuit form.
    • PLONK and Custom Gates. The PLONK encoding format comes with the advantage of defining custom gates that can compute functions in a "cheaper form".
  • Expand on the Frontend-Backend interoperability section: what are some more advanced "features" that can be supported by such intermediate representations in the interoperability systems? What should be the scope of such systems (tooling, communication framework?)
    • Textual vs binary representations
  • Recursive composition of proofs: these can improve the performance and functionality ofZK proof systems in applications that deal with multi-stage computation or large amounts of data.
    • Proof-carrying data (PCD) compliance predicates are constraint systems with additional conventions that determine theirsemantics, and for interoperability these conventions require precise specification.
    • If we are to use different ZK systems for different parts of the composition, how are these interoperable?
  • Extended forms of interoperability: Beyond interfacing between frontend and backend, there are other forms of interoperability (see Section 3.7)
    • Proof interoperability
    • Procedural interoperability
    • Common reference string

Guidelines

What to include in the contribution:
Each contribution may have a different set of requirements or "titles", please try to think about the following questions when you write the contribution:

  • What would be most relevant to discuss in the context of ZKProof and the ZkpComRef?
  • How can you describe the topic in the simplest way without losing technical depth?
  • How does the topic at hand fit within the larger picture of ZKP systems?
  • Are there any efficiency trade-offs to keep in mind?
  • What kind of adoption would be required in order for this topic to become a standard?

Add your contribution:

Email confirmation: After adding a contribution, please send a brief email to editors@zkproof.org to confirm your suggestion (mention the suggestion number and title).

Contribution #0: TEMPLATE VERSION

Do not edit or delete this template; instead, copy-paste its content inside one of the available suggestion placeholders below, and then edit it there.

Suggested by : Daniel Benarroch (daniel@qed-it.com)Example

Topic Description

what are you contributing about?

Specification

please say more, with technical details?

Considerations

how does this fit in the larger picture?

Contribution #1: PFCS (Prime Field Constraint System)

Suggested by : Alessandro Coglio (coglio@kestrel.edu, acoglio@aleo.org)Eric McCarthy (mccarthy@kestrel.edu, ericm@aleo.org)...

Topic Description

This is a possible generalization of R1CS and other constraint systems used in zero-knowledge proofs. The inspiring purpose is to facilitate formal proofs of correctness of R1CS with respect to higher-level specifications, but it may have broader uses.

Specification

A PFCS is a system of constraints over a prime field; the constraints include variables that range over a prime field. The motivation for PFCS stems from zero-knowledge proofs, but there may be more general applications. PFCS generalizes R1CS in two ways:

  • Constraints in PFCS are not limited to the R1CS form (i.e. equality between a product of two linear polynomials and a linear polynomial). They are equalities between any combinations of additions and multiplications (and perhaps more operations in the future); note that addition and multiplication suffice to describe arithmetic circuits. Thus, PFCS generalize R1CS, and likely (or eventually) other forms of constraints used in zero-knowledge proofs, e.g. PLONK. The richer representation also supports more elaborate transformations of the constraints.
  • Constraints in PFCS may be hierarchically organized, by naming sets of them as relations with parameters, which may be referenced (i.e. “called”) in the definition of other relations. This explicates the natural hierarchical structure of zero-knowledge gadgets (R1CS or others), and supports more modular verification, analysis, transformation, and synthesis.

This is a prototype formalization of PFCS in the ACL2 theorem prover: https://github.com/acl2/acl2/tree/master/books/kestrel/crypto/pfcs
This is the hyperlinked documentation generated from that code:
https://www.cs.utexas.edu/users/moore/acl2/manuals/current/manual/?topic=PFCS____PRIME-FIELD-CONSTRAINT-SYSTEMS

Considerations

This seems a fairly simple idea, and may overlap with other similar initiatives in zkinterface and elsewhere. The details may vary, but the main idea is to provide more structure.

Formal verification is facilitated by the additional structure in the same way as procedural decomposition facilitates traditional program verification.

Contribution #2: zkInterface

Suggested by : Eran Tromer...

(copy-paste here the template)

Contribution #3: SIEVE IR

Suggested by : Eran TromerKimberlee Model (kimee@stealthsoftwareinc.com)...

Not yet public, but we can start preparing.
(copy-paste here the template)

The SIEVE IR is a circuit based intermediate representation currently in progress within DARPA's SIEVE program. The IR is based on circuits, and is parameterizable along two axis.

  • Gate set: Arithmetic or Boolean gate sets.
  • Uniformity: non uniform is a list of gates for streaming. Uniformity (work in progress) uses nested scopes to convey structure.

The IR comes with three "resources" as the inputs to a proof system. The relation defines a circuit, while two input streams provide common inputs (instance) and prover inputs (short witness).

Contribution #4: ACIR (Abstract Circuit Intermediate Representation)

Suggested by : Kevname2

A uniform constraint system over proving systems and NP relation (R1CS and PLONK-CSAT).

It allows uniformity over any proving system by allowing for black box functions, and special opcodes which allow for prover provided values.

(copy-paste here the template)

Contribution #5: UltraPLONK

Suggested by : Eran Tromer

Format

To specify the constraint system used in PLONK in an abstract manner, we need to specify:

  • The width
  • The available custom constraints

One format which can be used to accomodate for custom constraints, is to view them as blackbox functions, where their functionality is known beforehand. This suggestion assumes the custom constraints are known along with their functionality.

The width is unbounded, which means that you can have any fan-in, fan-out configuration.

The available constraints are not theoretically bounded, so the format should accomodate for this.

A custom constraint can be seen as a polynomial identity which is encoded in this PLONK configuration.

The available custom constraints are accumulated into a quotient polynomial, where the degree of the quotient polynomial is a function of the degree of the highest polynomial identity.

(copy-paste here the template)

Contribution #6: </h2> <blockquote class="raw part" data-startline="171" data-endline="171"> <p data-position="9261" data-size="0"><span data-position="9261" data-size="15">Suggested by : </span><small><span data-position="15" data-size="12"><i class="fa fa-user"></i><span class="px-1" data-position="9282" data-size="5">name1</span></span></small><small><span data-position="27" data-size="12"><i class="fa fa-user"></i><span class="px-1" data-position="9294" data-size="5">name2</span></span></small></p> </blockquote> <p class="part" data-startline="173" data-endline="173" data-position="9302" data-size="0"><strong data-position="9302" data-size="0"><span data-position="9304" data-size="30">(copy-paste here the template)</span></strong></p> <hr> <h2 class="raw part" data-startline="177" data-endline="177"><span data-position="9346" data-size="34">Contribution #7: Uniformity Matrix</span></h2> <blockquote class="raw part" data-startline="179" data-endline="179"> <p data-position="9383" data-size="0"><span data-position="9383" data-size="15">Suggested by : </span><small><span data-position="15" data-size="22"><i class="fa fa-user"></i><span class="px-1" data-position="9404" data-size="15">Kimberlee Model</span></span></small><small><span data-position="37" data-size="12"><i class="fa fa-user"></i><span class="px-1" data-position="9426" data-size="5">name2</span></span></small></p> </blockquote> <p class="part" data-startline="181" data-endline="181" data-position="9434" data-size="0"><span data-position="9434" data-size="57">Multiple of the interfaces given here express uniformity.</span></p> <p class="part" data-startline="183" data-endline="183" data-position="9493" data-size="0"><span data-position="9493" data-size="32">TODO: explain what is uniformity</span></p> <ul class="part" data-startline="184" data-endline="186" data-position="9527" data-size="0"> <li class="raw" data-startline="184" data-endline="184" data-position="9529" data-size="0"><span data-position="9529" data-size="85">Uniformity for the purpose of the representation being "smaller" than the computation</span></li> <li class="raw" data-startline="185" data-endline="186" data-position="9618" data-size="0"><span data-position="9618" data-size="62">or for allowing the proof to be "smaller" than the computation</span></li> </ul> <p class="part" data-startline="187" data-endline="187" data-position="9682" data-size="0"><span data-position="9682" data-size="24">TODO: fill in the table</span></p> <table class="part" data-startline="189" data-endline="195"> <thead> <tr> <th><span data-position="9710" data-size="9">interface</span></th> <th><span data-position="9723" data-size="15">constraint type</span></th> <th><span data-position="9741" data-size="16">fixed repetition</span></th> <th><span data-position="9760" data-size="11">conditional</span></th> <th><span data-position="9776" data-size="26">encapsulated functionality</span></th> </tr> </thead> <tbody> <tr> <td><span data-position="9904" data-size="4">PFCS</span></td> <td><span data-position="9918" data-size="13">expr1 = expr2</span></td> <td><span data-position="9935" data-size="2">no</span></td> <td><span data-position="9954" data-size="13">not currently</span></td> <td><span data-position="9970" data-size="3">yes</span></td> </tr> <tr> <td><span data-position="10001" data-size="11">zkInterface</span></td> <td><span data-position="10015" data-size="4">R1CS</span></td> <td><span data-position="10032" data-size="4">TODO</span></td> <td><span data-position="10051" data-size="4">TODO</span></td> <td><span data-position="10067" data-size="4">TODO</span></td> </tr> <tr> <td><span data-position="10098" data-size="8">SIEVE IR</span></td> <td><span data-position="10112" data-size="8">Circuits</span></td> <td><span data-position="10129" data-size="13">(in progress)</span></td> <td><span data-position="10148" data-size="13">(in progress)</span></td> <td><span data-position="10164" data-size="13">(in progress)</span></td> </tr> <tr> <td><span data-position="10195" data-size="4">ACIR</span></td> <td><span data-position="10209" data-size="8">Circuits</span></td> <td><span data-position="10226" data-size="2">no</span></td> <td><span data-position="10245" data-size="2">no</span></td> <td><span data-position="10261" data-size="3">yes</span></td> </tr> <tr> <td><span data-position="10292" data-size="5">PLONK</span></td> <td><span data-position="10306" data-size="4">TODO</span></td> <td><span data-position="10323" data-size="4">TODO</span></td> <td><span data-position="10342" data-size="4">TODO</span></td> <td><span data-position="10358" data-size="4">TODO</span></td> </tr> </tbody> </table> <p class="part" data-startline="197" data-endline="197" data-position="10388" data-size="0"><span data-position="10388" data-size="64">TODO: explain each column on the table (possibly add more cols?)</span></p> <ul class="part" data-startline="199" data-endline="203" data-position="10455" data-size="0"> <li class="raw" data-startline="199" data-endline="199" data-position="10457" data-size="0"><strong data-position="10457" data-size="0"><span data-position="10459" data-size="15">constraint type</span></strong><span data-position="10476" data-size="26">: Form of the constraints.</span></li> <li class="raw" data-startline="200" data-endline="200" data-position="10506" data-size="0"><strong data-position="10506" data-size="0"><span data-position="10508" data-size="16">fixed repetition</span></strong><span data-position="10526" data-size="28">: Support for bounded loops.</span></li> <li class="raw" data-startline="201" data-endline="201" data-position="10558" data-size="0"><strong data-position="10558" data-size="0"><span data-position="10560" data-size="11">conditional</span></strong><span data-position="10573" data-size="66">: Support for branching (i.e. alternatives) on private conditions.</span></li> <li class="raw" data-startline="202" data-endline="203" data-position="10644" data-size="0"><strong data-position="10644" data-size="0"><span data-position="10646" data-size="26">encapsulated functionality</span></strong><span data-position="10674" data-size="60">: Support for hierarchical/procedural structure and scoping.</span></li> </ul> <hr>

Last changed by 
4th ZKProof Workshop
The notes for the 4th ZKProof Workshop - 2021
0
234

Read more

ZkpComRef: Diagrams and Illustrations

![](https://i.imgur.com/WeIvTiX.png =150x) Workshop #4 -- Home Edition Please start by reading the editorial disclaimer to ensure proper expectations about the process. Collaboration Instructions Context. This page was prepared for a breakout session of the ZKProof 4th workshop. The page can be concurrently/collaboratively edited. Goal. Collect suggestions/sketches for visual material (diagrams, illustrations and other figures) to add to the ZkpComRef. The suggestions can include: Embeding sketch/draft diagrams, illustrations or other figures.

Apr 20, 2022
ZkpComRef: Concrete Schemes

![](https://i.imgur.com/WeIvTiX.png =150x) Workshop #4 -- Home Edition Please start by reading the editorial disclaimer to ensure proper expectations about the process. Goal: Collect short descriptions of numerous concrete ZKP schemes (i.e., protocols), conveying their relation to a possible IT proof system type (PCP, Linear PCP, IOP, ...) (and sub-type), cryptographic compilers, and efficiency. Note on future integration: The ZkpComRef will likely not incorporate all these descriptions. However, these descriptions will be tentatively useful when creating a table or diagram with many references to concrete schemes, differentiating them across various parameters (e.g., IT system type, efficiency type, ...). Existing material for comparison:

Jul 13, 2021
4th Workshop - Ultimate List of Links

![](https://i.imgur.com/WeIvTiX.png =150x) #4 - Home Edition Here you can find all the links associated with the sessions and discussions of the 4th ZKProof Workshop - Home Edition. Please refer back to this page to view the updated links for the different discussions by entering the URL https://zkproof.org/workshop4-links Checkout the Charter, Code of Conduct and IP Policy :::info

Jul 13, 2021
Proposal: Practical Groth16 Aggregation

![](https://i.imgur.com/WeIvTiX.png =150x) #4 Home Edition Moderator: Daniel Benarroch &amp; Eran Tromer Presenters: Anca Nitulescu and Nicolas Gailly Authors: Nicolas Gailly Mary Maller Anca Nitulescu

Apr 29, 2021
Read more from 4th ZKProof Workshop
Published on HackMD