Decider for Onchain Verification

Overview: This section describes the approach for the Decider (compressed SNARK / final proof) in order to be able to verify the Nova+CycleFold proofs onchain (in Ethereum's EVM).

Warning: This section, as the rest of Sonobe, is experimental. The approach described in this section is highly experimental and has not been audited.

Context

At the final stage of the Nova+CycleFold folding, after $n$ iterations, we have the committed instances ${u_{n}, U_{n}, U_{EC, n}}$ and their respective witnessess.

Diagram source: CycleFold paper (https://eprint.iacr.org/2023/1192.pdf). In the case of this document $n = i + 2$ , so $u_{i + 2} = u_{n}$ , $U_{i + 2} = U_{n}$ , $U_{EC, i + 2} = U_{EC, n}$ .

We work on a cycle of curves composed by $E_{1}$ and $E_{2}$ , where $E_{1} . F_{r} = E_{2} . F_{q}$ and $E_{1} . F_{q} = E_{2} . F_{r}$ . We will use $F_{r}$ to refer to $E_{1} . F_{r} = E_{2} . F_{q}$ , and $F_{q}$ to refer to $E_{1} . F_{q} = E_{2} . F_{r}$ . The main circuit constraint field is $F_{r}$ , and $C_{EC}$ circuit constraint field is $F_{q}$ .

Since the objective is to verify the proofs on Ethereum, we set $E_{1}$ =BN254 and $E_{2}$ =Grumpkin. Thus, $F_{r}$ is the scalar field of the BN254.

The $u_{n}$ and $U_{n}$ contain: ${\overline{E} \in E_{1}, \overline{W} \in E_{1}, u \in F_{r}, x \in F_{r}^{∣ i o ∣}}$

And $U_{EC, n}$ contains: ${\overline{E} \in E_{2}, \overline{W} \in E_{2}, u \in F_{q}, x \in F_{q}^{∣ i o ∣}}$

Decider high level checks

These are the same checks for both the Onchain & Offchain Deciders. The difference lays on how are performed.

check $N I FS . V (r, U_{n}, u_{n}, \overline{T}) = ? U_{n + 1}$
check that $u_{n} . \overline{E} = 0$ and $u_{n} . u = 1$
check that $u_{n} . x_{0} = H (n, z_{0}, z_{n}, U_{n})$ and $u_{n} . x_{1} = H (U_{EC, n})$
correct RelaxedR1CS relation of $U_{n + 1}, W_{n + 1}$ of the AugmentedFCircuit
check commitments of $U_{n + 1} . {\overline{E}, \overline{W}}$ with respect $W_{n + 1}$ (where $\overline{E}, \overline{W} \in E_{1}$ )
check the correct RelaxedR1CS relation of $U_{EC, n}, W_{EC, n}$ of the CycleFoldCircuit
check commitments of $U_{EC, n} . {\overline{E}, \overline{W}}$ with respect $W_{EC, n}$ (where $\overline{E}, \overline{W} \in E_{2}$ )

Onchain Decider approach

The decider proof is computed once, and after all the folding has taken place. Our aim is to be able to verify this proof in the Ethereum's EVM.

The prover computes $(U_{n + 1}, W_{n + 1}, \overline{T}) = N I FS . P ((U_{n}, W_{n}), (u_{n}, w_{n}))$

The Decider Circuit verifies in its R1CS relation over $F_{r}$ the following checks:

1.1: check that the given NIFS challenge $r$ is indeed well computed. This challenge is then used outside the circuit by the Verifier to compute NIFS.V obtaining $U_{i + 1}$
2: check that $u_{n} . \overline{E} = 0$ and $u_{n} . u = 1$
3: check that $u_{n} . x_{0} = H (n, z_{0}, z_{n}, U_{n})$ and $u_{n} . x_{1} = H (U_{EC, n})$
4: correct RelaxedR1CS relation of $U_{n + 1}, W_{n + 1}$ of the AugmentedFCircuit
5.1: Check correct computation of the KZG challenges $c_{E} = H (\overline{E} . {x, y}), c_{W} = H (\overline{W} . {x, y})$ which we do through in-circuit Transcript.
5.2: check that the KZG evaluations are correct
- $e v a l_{W} == p_{W} (c_{W})$
- $e v a l_{E} == p_{E} (c_{E})$
  where $p_{W}, p_{E} \in F [X]$ are the interpolated polynomials from $W_{i + 1} . W, W_{i + 1} . E$ respectively.
  ie. $p_{W} (x) = in t er p o l a t e (W_{i + 1} . W, 0)$ , where $0$ is zero-padding to the next power of 2 length, and $in t er p o l a t e ()$ interpolates a (unique) polynomial from the vector
6: check the correct RelaxedR1CS relation of $U_{EC, n}, W_{EC, n}$ of the CycleFoldCircuit (this is non-native operations and with naive sparse matrix-vector product blows up the number of constraints)
7: Pedersen commitments verification of $U_{EC, n} . {\overline{E}, \overline{W}}$ with respect $W_{EC, n}$ (the witness of the committed instance) (where $\overline{E}, \overline{W} \in E_{2}$ , this check is native in $F_{r}$ )
The following check is done non-natively (in $F_{r}$ ):

Additionally we would have to check (outside of the circuit):

1.2: check $N I FS . V (r, U_{n}, u_{n}, \overline{T}) = ? U_{n + 1}$
5.3: Commitments verification of $U_{n + 1} . {\overline{E}, \overline{W}}$ with respect $W_{n + 1}$ (where $\overline{E}, \overline{W} \in E_{1}$ )

The check 7 would be too expensive if using Pedersen commitments verification in-circuit (non-natively), so we changed these commitments from Pedersen to KZG, and then verify the KZG commitments outside of the circuit and directly onchain.

The prover would generate a Groth16 proof over BN254 for this Decider Circuit, which can later be verified onchain in the EVM together with the KGZ commitments of check 7 and check 8.

In this way, the final proof to be verified onchain would be:

a Groth16 proof of the checks 1.1, 2, 3, 4, 5.1, 5.2, 6, 7
the KZG proofs verification (check 5.3)
the NIFS.V (check 1.2), which relates the inputs of the checks in the Groth16 proof and check 5

The RelaxedR1CS checker circuit

The "correct RelaxedR1CS relation" (used in check 1) is checked by the gadget proposed by Nalin Bhardwaj, which is a R1CS circuit that checks the RelaxedR1CS relation, more details here.

The idea is that we check in a R1CS circiut the RelaxedR1CS relation ( $A z \circ B z - u C z - E = 0$ ). Note that this approach has a blowup of 3x with respect to the original circuit number of constraints x (when using sparse representation of the matrices).

Circuit costs

Note: the number of constraints written in this section is the current values that we have, which we aim to reduce in future iterations.

Estimated costs of the full decider-onchain circuit:

(x is the number of constraints of the circuit that we're folding, and the AugmentedFCircuit takes ~52k constraints)

1.1: check that the given NIFS challenge $r$ is indeed well computed
2: $u_{n}$ check: <1000
3: $u_{n} . x$ hash check: 2634
4: $U_{n + 1}$ relation: 3(x+52k)
5.1: Check correct computation of the KZG challenges: 7708
5.2: check that the KZG evaluations are correct 262k
6: $U_{EC, n}$ relation (non-native): 5.1M
7: Pedersen check of $U_{EC, n}$ commitments (native): <5M both commitments (including the inputs allocations). This is a couple of native MSMs of <1500 elements each one

Total: 1000 + 2634 + 3*(x+52_252) + 7708 + 262_000 + 4_967_155 + 5_146_236

eg: for a circuit of 500k constraints the decider circuit would take approximately 11.9M constraints.

As can be seen, most of the costs come from the Pedersen commitments verification and the $U_{EC, n}$ relation (checks 6 and 7 respectively).

sonobe docs

Decider for Onchain Verification

Context

Decider high level checks

Onchain Decider approach

Circuit costs