Decider for Onchain Verification

Overview

This section describes the details of Sonobe's Decider, which is a zkSNARK that compresses the IVC's final proof.

Given an IVC scheme constructed with a folding scheme based on the CycleFold approach, the decider described in this section allows one to efficiently verify the final proof onchain in Ethereum's EVM.

Below we use Nova as a concrete example of the folding scheme, but the decider itself is generic and can be used with any other folding scheme.

Warning: This section, as the rest of Sonobe, is experimental. The approach described in this section is highly experimental and has not been audited.

Context

At the final stage of IVC based on Nova+CycleFold, after $n$ iterations, we have the committed instances ${u_{n}, U_{n}, U_{EC, n}}$ and their respective witnessess, where $u_{n}$ is the incoming instance, $U_{n}$ is the running instance, and $U_{EC, n}$ is the CycleFold (running) instance.

Diagram source: CycleFold paper (https://eprint.iacr.org/2023/1192.pdf). In the case of this document $n = i + 2$ , so $u_{i + 2} = u_{n}$ , $U_{i + 2} = U_{n}$ , $U_{EC, i + 2} = U_{EC, n}$ .

We work on a cycle of curves composed by $E_{1}$ and $E_{2}$ , where $E_{1} . F_{r} = E_{2} . F_{q}$ and $E_{1} . F_{q} = E_{2} . F_{r}$ . We will use $F_{r}$ to refer to $E_{1} . F_{r} = E_{2} . F_{q}$ , and $F_{q}$ to refer to $E_{1} . F_{q} = E_{2} . F_{r}$ . The main circuit constraint field is $F_{r}$ , and $C_{EC}$ circuit constraint field is $F_{q}$ .

Since the objective is to verify the proofs on Ethereum, we set $E_{1}$ =BN254 and $E_{2}$ =Grumpkin. Thus, $F_{r}$ is the scalar field of the BN254.

The $u_{n}$ and $U_{n}$ contain: ${\overline{E} \in E_{1}, \overline{W} \in E_{1}, u \in F_{r}, x \in F_{r}^{∣ i o ∣}}$

And $U_{EC, n}$ contains: ${\overline{E} \in E_{2}, \overline{W} \in E_{2}, u \in F_{q}, x \in F_{q}^{∣ i o ∣}}$

Decider high level checks

Consider the Nova-based IVC for R1CS, where $r 1 cs$ is the R1CS for the augmented circuit AugmentedFCircuit, and $r 1 c s_{EC}$ is the R1CS for the CycleFold circuit CycleFoldCircuit.

The decider is essentially responsible for ensuring the validity of $I V C . V$ , which contains the following checks:

$R_{r 1 cs} (W_{n}, U_{n}) = 1$ :
- The running instance $U_{n}$ and witness $W_{n}$ satisfy (relaxed) $r 1 cs$ .
- The commitments in $U_{n}$ open to the values in $W_{n}$ .
$R_{r 1 cs} (w_{n}, u_{n}) = 1$ :
- The incoming instance $u_{n}$ and witness $w_{n}$ satisfy (plain) $r 1 cs$ .
- The commitments in $u_{n}$ open to the values in $w_{n}$ .
$R_{r 1 c s_{EC}} (W_{EC, n}, U_{EC, n})$ :
- The CycleFold instance $U_{EC, n}$ and witness $W_{EC, n}$ satisfy (relaxed) $r 1 c s_{EC}$ .
- The commitments in $U_{EC, n}$ open to the values in $W_{EC, n}$ .
$u_{n}$ is valid:
- $u_{n} . x$ contains the correct hash of the initial and final states.
- $u_{n}$ is indeed an incoming instance.

In Sonobe, the logic above is implemented in a zkSNARK circuit. To reduce circuit size, we ask the prover to fold $W_{n}, U_{n}$ and $w_{n}, u_{n}$ one more time, obtaining $W_{n + 1}, U_{n + 1}$ . Now, the circuit only needs to check:

$U_{n + 1}$ is the correct folding of $U_{n}, u_{n}$ , i.e., $N I FS . V (r, U_{n}, u_{n}, \overline{T}) = U_{n + 1}$ .
$R_{r 1 cs} (W_{n + 1}, U_{n + 1}) = 1$ :
- The running instance $U_{n + 1}$ and witness $W_{n + 1}$ satisfy (relaxed) $r 1 cs$ .
- The commitments in $U_{n + 1}$ (i.e., $U_{n + 1} . {\overline{E}, \overline{W}} \in E_{1}$ ) open to the values in $W_{n + 1}$ (i.e., $W_{n + 1} . {E, W}$ ).
$R_{r 1 c s_{EC}} (W_{EC, n}, U_{EC, n})$ :
- The CycleFold instance $U_{EC, n}$ and witness $W_{EC, n}$ satisfy (relaxed) $r 1 c s_{EC}$ .
- The commitments in $U_{EC, n}$ (i.e., $U_{EC, n} . {\overline{E}, \overline{W}} \in E_{2}$ ) open to the values in $W_{EC, n}$ (i.e., $W_{EC, n} . {E, W}$ ).
$u_{n}$ is valid:
- $u_{n} . x$ contains the correct hash of the initial and final states, i.e., $u_{n} . x_{0} = H (n, z_{0}, z_{n}, U_{n})$ and $u_{n} . x_{1} = H (U_{EC, n})$
- $u_{n}$ is indeed an incoming instance, i.e., $u_{n} . \overline{E} = 0$ and $u_{n} . u = 1$ .

Note: These are the same checks for both the Onchain & Offchain Deciders. The difference lays on how are performed.

Onchain Decider approach

The decider proof is computed once, and after all the folding has taken place. Our aim is to be able to verify this proof in the Ethereum's EVM.

The prover computes $(U_{n + 1}, W_{n + 1}, \overline{T}) = N I FS . P ((U_{n}, W_{n}), (u_{n}, w_{n}))$

The Decider Circuit verifies in its R1CS relation over $F_{r}$ the checks described above. Below we explain how the checks are performed in the circuit (for circuit efficiency, the order of the checks is different from the one described above):

1: Enforce $U_{n + 1}$ and $W_{n + 1}$ satisfy $r 1 cs$ , the RelaxedR1CS relation of the AugmentedFCircuit
2: Check that $u_{n} . \overline{E} = 0$ and $u_{n} . u = 1$
3: Check that $u_{n} . x_{0} = H (n, z_{0}, z_{n}, U_{n})$ and $u_{n} . x_{1} = H (U_{EC, n})$
4: Commitments verification of $U_{EC, n} . {\overline{E}, \overline{W}}$ with respect to $W_{EC, n} . {E, W}$ , where Pedersen commitments are used
- This check is native in $F_{r}$ because $U_{EC, n} . {\overline{E}, \overline{W}} \in E_{2}$ .
5: Enforce $U_{EC, n}$ and $W_{EC, n}$ satisfy $r 1 c s_{EC}$ , the RelaxedR1CS relation of the CycleFoldCircuit
- This check involves non-native operations because $W_{EC, n} . {E, W} \in F_{q}$ . With naive sparse matrix-vector product, it blows up the number of constraints.
6.1: Partially enforce that $U_{n + 1}$ is the correct folding of $U_{n}, u_{n}$
- By partially, we mean that only field elements in $U_{n + 1}$ are checked, while the group elements (i.e., commitments) are not, as they are in $E_{1}$ and are expensive non-native operations.
7.1: Check correct computation of the KZG challenges $c_{E} = H (\overline{E} . {x, y}), c_{W} = H (\overline{W} . {x, y})$ which we do through in-circuit Transcript.
7.2: Check that the KZG evaluations are correct
- $e v a l_{W} == p_{W} (c_{W})$
- $e v a l_{E} == p_{E} (c_{E})$
  where $p_{W}, p_{E} \in F [X]$ are the interpolated polynomials from $W_{i + 1} . W, W_{i + 1} . E$ respectively.
  ie. $p_{W} (x) = in t er p o l a t e (W_{i + 1} . W, 0)$ , where $0$ is zero-padding to the next power of 2 length, and $in t er p o l a t e ()$ interpolates a (unique) polynomial from the vector

The rest of the checks are performed outside of the circuit by the verifier. In addition to verifying the decider proof, the verifier would have to check:

6.2: The commitments in $U_{n + 1}$ are the correct folding of those in $U_{n}, u_{n}$ , i.e., $U_{n + 1} . \overline{E} = U_{n} . \overline{E} + r \cdot \overline{T}$ and $U_{n + 1} . \overline{W} = U_{n} . \overline{W} + r \cdot u_{n} . \overline{W}$ .
- 6.1 and 6.2 in together enforce $N I FS . V (r, U_{n}, u_{n}, \overline{T}) = U_{n + 1}$ .
7.3: The KZG proofs are valid with respect to the commitments $U_{n + 1} . {\overline{E}, \overline{W}}$ and the challenges $c_{E}, c_{W}$ .
- 7.1, 7.2, and 7.3 together enforce that $W_{n + 1} . {E, W}$ are the openings to the commitments $U_{n + 1} . {\overline{E}, \overline{W}}$ .

If we use Pedersen commitment as the commitment scheme for generating $U_{n + 1}$ , the checks for commitments would be too expensive as they are non-native in-circuit. By changing the commitment scheme to KZG, we can separate the commitments verification into 7.1, 7.2, and 7.3, where 7.1 and 7.2 can be (relatively) cheaply verified in-circuit, and 7.3 can be verified outside of the circuit (onchain).

The prover would generate a Groth16 proof over BN254 for this Decider Circuit, which can later be verified onchain in the EVM together with the KZG commitments of check 7.1 and check 7.2.

In this way, the final proof to be verified onchain would be:

a Groth16 proof of the checks 1, 2, 3, 4, 5, 6.1, 7.1, 7.2
the KZG proofs verification (check 7.3)
the NIFS.V (check 6.2), which relates the inputs of the checks in the Groth16 proof and check 6.1

The RelaxedR1CS checker circuit

The "correct RelaxedR1CS relation" (used in check 1) is checked by the gadget proposed by Nalin Bhardwaj, which is a R1CS circuit that checks the RelaxedR1CS relation, more details here.

The idea is that we check in a R1CS circiut the RelaxedR1CS relation ( $A z \circ B z - u C z - E = 0$ ). Note that this approach has a blowup of 3x with respect to the original circuit number of constraints x (when using sparse representation of the matrices).

Circuit costs

Note: the number of constraints written in this section is the current values that we have, which we aim to reduce in future iterations.

Estimated costs of the full decider-onchain circuit:

(x is the number of constraints of the circuit that we're folding, and the AugmentedFCircuit takes ~52k constraints)

1: $U_{n + 1}$ relation: 3(x+52k)
2: $u_{n}$ check: <1000
3: $u_{n} . x$ hash check: 2634
4: Pedersen check of $U_{EC, n}$ commitments (native): <5M both commitments (including the inputs allocations). This is a couple of native MSMs of <1500 elements each one
5: $U_{EC, n}$ relation (non-native): 5.1M
6.1: Partial check of $N I FS . V$ : (cheap)
7.1: Check correct computation of the KZG challenges: 7708
7.2: Check that the KZG evaluations are correct 262k

Total: 3*(x+52_252) + 1000 + 2634 + 4_967_155 + 5_146_236 + 7708 + 262_000

eg: for a circuit of 500k constraints the decider circuit would take approximately 11.9M constraints.

As can be seen, most of the costs come from the Pedersen commitments verification and the $U_{EC, n}$ relation (checks 4 and 5 respectively).

sonobe docs