Nova: Recursive Zero-Knowledge Arguments from Folding Schemes

Kothapalli, Abhiram; Setty, Srinath; Tzialla, Ioanna

doi:10.1007/978-3-031-15985-5_13

Abhiram Kothapalli⁹,
Srinath Setty¹⁰ &
Ioanna Tzialla¹¹

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13510))

Included in the following conference series:

Annual International Cryptology Conference

1692 Accesses

Abstract摘要

We introduce a new approach to realize incrementally verifiable computation (IVC), in which the prover recursively proves the correct execution of incremental computations of the form $y = F^{(ℓ)} (x)$ , where F is a (potentially non-deterministic) computation, x is the input, y is the output, and $ℓ > 0$ . Unlike prior approaches to realize IVC, our approach avoids succinct non-interactive arguments of knowledge (SNARKs) entirely and arguments of knowledge in general. Instead, we introduce and employ folding schemes, a weaker, simpler, and more efficiently-realizable primitive, which reduces the task of checking two instances in some relation to the task of checking a single instance. We construct a folding scheme for a characterization of NP and show that it implies an IVC scheme with improved efficiency characteristics: (1) the “recursion overhead” (i.e., the number of steps that the prover proves in addition to proving the execution of F) is a constant and it is dominated by two group scalar multiplications expressed as a circuit (this is the smallest recursion overhead in the literature), and (2) the prover’s work at each step is dominated by two multiexponentiations of size O(|F|), providing the fastest prover in the literature. The size of a proof is O(|F|) group elements, but we show that using a variant of an existing zkSNARK, the prover can prove the knowledge of a valid proof succinctly and in zero-knowledge with $O (\log | F |)$ group elements. Finally, our approach neither requires a trusted setup nor FFTs, so it can be instantiated efficiently with any cycles of elliptic curves where DLOG is hard.
我们提出了一种实现增量可验证计算（IVC）的新方法，其中证明者递归地证明增量计算的正确执行，计算形式为 $y = F^{(ℓ)} (x)$ ，其中 F 是一个（可能非确定性的）计算，x 是输入，y 是输出，以及 $ℓ > 0$ 。与实现 IVC 的先前方法不同，我们的方法完全避免了简洁非交互式知识论证（SNARKs）以及一般的知识论证。相反，我们引入并采用折叠方案，这是一种更弱、更简单且更高效实现的原始方案，它将检查两个实例在某些关系中的任务简化为检查单个实例的任务。我们为 NP 的特征描述构建了一种折叠方案，并表明它意味着具有改进效率特性的 IVC 方案：（1）“递归开销”（即证明者在证明 F 的执行之外还需证明的步骤数）是常数，并且它由两个表示为电路的群标量乘法主导（这是文献中最小的递归开销），（2）在每个步骤中，证明者的工作主要由两个大小为 O(|F|)的多指数运算主导，提供了文献中最快的证明者。证明的大小为 O(|F|)个群元素，但我们表明，使用现有 zkSNARK 的一个变体，证明者可以简洁且在零知识下证明有效证明的知识，使用 $O (\log | F |)$ 个群元素。最后，我们的方法既不需要可信设置也不需要 FFT，因此可以在任何 DLOG 困难的椭圆曲线周期中高效实例化。

Access provided by Zhejiang University of Technology. Download conference paper PDF
浙江大学科技学院提供访问权限。下载会议论文 PDF

Snårkl: Somewhat Practical, Pretty Much Declarative Verifiable Computing in Haskell
Snårkl：有点实用的，相当声明的可验证计算（在 Haskell 中）

Recursion Schemes in Coq
递归方案在 Coq 中

Incrementally Verifiable Computation via Incremental PCPs
增量可验证计算通过增量 PCPs

1 Introduction1 简介

We revisit the problem of realizing incrementally-verifiable computation (IVC) [43]: a cryptographic primitive that enables producing proofs of correct execution of “long running” computations such that a verifier can efficiently verify the correct execution of any prefix of the computation. IVC enables a wide variety of applications including verifiable delay functions [9, 45], succinct blockchains [13, 31], and incrementally-verifiable versions of verifiable state machines [33, 39].
我们重新审视实现增量可验证计算（IVC）[43]的问题：这是一种密码学原语，它能够生成“长时间运行”的计算的正确执行证明，使得验证者可以高效地验证计算任何前缀的正确执行。IVC 能够支持包括可验证延迟函数[9, 45]、简洁区块链[13, 31]以及可验证状态机的增量可验证版本[33, 39]在内的广泛应用。

A well-known approach to construct IVC is to use succinct non-interactive arguments of knowledge (SNARKs) for $N P$ [23, 24, 29, 36]: at each incremental step i, the prover produces a SNARK proving that it has applied F correctly to the output of step $i - 1$ and that the SNARK verifier represented as a circuit has accepted the SNARK from step $i - 1$ [6, 8]. However, it is well-known that this approach is impractical [6, 19]. Alternatively, one can use SNARKs without trusted setup [17, 21, 38, 41] but their verifiers are more expensive than those of SNARKs with trusted setup, both asymptotically and concretely. Recent works [10, 12, 15, 16] aim to address the inefficiency of SNARK-based IVC, with an innovative approach: at each step, the verifier circuit “defers” expensive steps in verifying a SNARK for $N P$ instances (e.g., verifying polynomial evaluation proofs) by accumulating those steps into a single instance that is later checked efficiently. However, these works still require the prover to produce a SNARK at each step and the verifier circuit to partially verify that SNARK.
一种构建 IVC 的知名方法是使用简洁的非交互式知识论证（SNARKs）[23, 24, 29, 36]：在每个增量步骤 i 中，证明者生成一个 SNARK，证明它已正确地将 F 应用于步骤 $i - 1$ 的输出，并且作为电路表示的 SNARK 验证器已接受步骤 $i - 1$ [6, 8]的 SNARK。然而，众所周知，这种方法不切实际[6, 19]。另一种方法是使用无需信任设置的 SNARKs[17, 21, 38, 41]，但它们的验证器比具有信任设置的 SNARKs 更昂贵，无论是从理论上还是从实际应用上。最近的研究[10, 12, 15, 16]旨在解决基于 SNARK 的 IVC 的低效问题，采用了一种创新的方法：在每个步骤中，验证器电路“推迟”验证 SNARK 实例（例如，验证多项式评估证明）中的昂贵步骤，将这些步骤累积到一个单独的实例中，稍后高效地检查。然而，这些研究仍然要求证明者在每个步骤中生成一个 SNARK，并且验证器电路需要部分验证该 SNARK。

We introduce a new approach that avoids SNARKs (and more generally arguments of knowledge) entirely and relies purely on deferral to realize IVC. In a nutshell, instead of accumulating expensive steps of verifying a SNARK for $N P$ instances, the verifier circuit in our approach accumulates the $N P$ instances themselves. We formalize this technique as a new and minimal primitive, which we refer to as a folding scheme. A folding scheme is weaker, simpler, and far more efficient compared to arguments of knowledge including SNARKs. Indeed, realizing IVC via folding schemes results in improved efficiency over prior work (Fig. 3): (1) the verifier circuit is constant-sized and its size is dominated by two group scalar multiplications; this is the smallest verifier circuit in the literature (in the context of recursive proof composition); and (2) the prover’s work at each step is dominated by two multiexponentiations of size O(|F|), providing the fastest prover in the literature, both asymptotically and concretely. Section 1.4 provides a detailed comparison between our approach and prior work.
我们介绍了一种全新的方法，完全避免了 SNARKs（以及更一般的知识论证）并纯粹依赖于延迟来实现 IVC。简而言之，我们方法中的验证电路不是累积验证 SNARK 的昂贵步骤，而是累积 $N P$ 实例本身。我们将这种技术形式化为一种新的最小原始方法，我们称之为折叠方案。与包括 SNARKs 在内的知识论证相比，折叠方案更弱、更简单，且效率更高。确实，通过折叠方案实现 IVC 比以往的工作效率更高（图 3）：（1）验证电路大小恒定，其大小由两个群标量乘法主导；这是文献中最小的验证电路（在递归证明组合的背景下）；（2）在每个步骤中，证明者的工作主要由两个大小为 O(|F|)的多指数运算主导，提供了文献中最快的证明者，无论是从理论上还是从实际角度来看。第 1.4 节提供了我们方法与以往工作的详细比较。

1.1 Folding Schemes1.1 折叠方案

A folding scheme is defined with respect to an $N P$ relation, and it is a protocol between an untrusted prover and a verifier. Both entities hold two N-sized $N P$ instances, and the prover in addition holds purported witnesses for both instances. The protocol enables the prover and the verifier to output a single N-sized $N P$ instance, which we refer to as a folded instance. Furthermore, the prover privately outputs a purported witness to the folded instance using purported witnesses for the original instances. Informally, a folding scheme guarantees that the folded instance is satisfiable only if the original instances are satisfiable. A folding scheme is said to be non-trivial if the verifier’s costs and the communication are lower in the case where the verifier participates in the folding scheme and then verifies a purported $N P$ witness for the folded instance than the case where the verifier verifies purported $N P$ witnesses for each of the original instances.
折叠方案是根据 $N P$ 关系定义的，它是一个不信任的证明者和验证者之间的协议。双方持有两个 N 大小的 $N P$ 实例，证明者除此之外还持有这两个实例的所谓证据。该协议使证明者和验证者能够输出一个单一的 N 大小的 $N P$ 实例，我们称之为折叠实例。此外，证明者私下使用原始实例的所谓证据输出折叠实例的所谓证据。非正式地说，折叠方案保证只有当原始实例可满足时，折叠实例才是可满足的。如果验证者在参与折叠方案并验证折叠实例的所谓 $N P$ 证据的情况下，验证者的成本和通信量低于验证每个原始实例的所谓 $N P$ 证据的情况下，则称折叠方案为非平凡的。

Several existing techniques exhibit the two-to-one reduction pattern of folding schemes. Examples include the sumcheck protocol [35] and the split-and-fold techniques in inner product arguments [11]. [30, App. A] provides further details.
现有技术中，一些技术表现出折叠方案的二对一减少模式。例如，求和校验协议[35]和内积论证中的分割折叠技术[11]。[30, 附录 A]提供了更多细节。

Remark 1 (Folding Schemes vs. SNARKs)
备注 1（折叠方案与 SNARKs）

SNARKs for $N P$ [7, 23, 24, 29, 36] trivially imply a folding scheme for $N P$ : given two $N P$ instances $u_{1}$ and $u_{2}$ and the corresponding witnesses, the prover proves $u_{1}$ by producing a SNARK. The verifier checks that SNARK and then sets $u_{2}$ to be the folded instance. However, we construct a folding scheme for $N P$ without relying on SNARKs (or more generally arguments of knowledge). Specifically, our folding scheme is weaker than any argument of knowledge (succinct or otherwise) because it merely reduces the satisfiability of two $N P$ instances to the satisfiability of a single $N P$ instance.^{Footnote 1}
SNARKs for $N P$ [ 7, 23, 24, 29, 36] trivially imply a folding scheme for $N P$ : given two $N P$ instances $u_{1}$ and $u_{2}$ and the corresponding witnesses, the prover proves $u_{1}$ by producing a SNARK. The verifier checks that SNARK and then sets $u_{2}$ to be the folded instance. However, we construct a folding scheme for $N P$ without relying on SNARKs (or more generally arguments of knowledge). Specifically, our folding scheme is weaker than any argument of knowledge (succinct or otherwise) because it merely reduces the satisfiability of two $N P$ instances to the satisfiability of a single $N P$ instance.

To design a folding scheme for $N P$ , we start with a popular $N P$ -complete language that generalizes arithmetic circuit satisfiability: R1CS (Definition 10). As we illustrate later, it is difficult to devise a folding scheme for R1CS. To address this, we introduce a variant of R1CS, called relaxed R1CS, which, like R1CS, not only characterizes $N P$ , but, unlike R1CS, can support a folding scheme. The following theorem captures the cryptographic and efficiency characteristics of our folding scheme for relaxed R1CS.
为了设计一个针对 $N P$ 的折叠方案，我们从一个流行的 $N P$ -完备语言开始，该语言泛化算术电路可满足性：R1CS（定义 10）。正如我们稍后所展示的，为 R1CS 设计折叠方案是困难的。为了解决这个问题，我们引入了 R1CS 的一个变体，称为放宽的 R1CS，它不仅像 R1CS 一样表征 $N P$ ，而且与 R1CS 不同，它可以支持折叠方案。以下定理捕捉了我们为放宽的 R1CS 设计的折叠方案的加密和效率特性。

Theorem 1定理 1

There exists a constant-round, public-coin, zero-knowledge folding scheme for relaxed R1CS where for N-sized relaxed R1CS instances over a finite field $F$ with the same “structure” (i.e., R1CS coefficient matrices), the prover’s work is $O_{λ} (N)$ , and the verifier’s work and the communication are both $O_{λ} (1)$ , assuming the existence of any additively-homomorphic commitment scheme that provides $O_{λ} (1)$ -sized commitments to N-sized vectors over $F$ (e.g., Pedersen’s commitments), where $λ$ is the security parameter.
存在一个常数轮、公共币、零知识折叠方案，适用于宽松的 R1CS，其中对于大小为 N 的宽松 R1CS 实例，在有限域 $F$ 上具有相同的“结构”（即 R1CS 系数矩阵），证明者的工作为 $O_{λ} (N)$ ，验证者的工作和通信均为 $O_{λ} (1)$ ，假设存在任何提供 N 大小向量的 $O_{λ} (1)$ -大小承诺的加法同态承诺方案（例如，Pedersen 的承诺），其中 $λ$ 是安全参数。

Because our folding scheme is public coin, it can be made non-interactive in the random oracle model using the Fiat-Shamir transform [22], and be instantiated (heuristically) in the standard model using a concrete hash function. We rely on such a non-interactive folding scheme to construct IVC.
因为我们的折叠方案是公开币，它可以在随机预言机模型中使用 Fiat-Shamir 变换[22]进行非交互式处理，并且可以使用具体的哈希函数在标准模型中实例化（启发式）。我们依赖于这种非交互式折叠方案来构建 IVC。

1.2 IVC from Non-interactive Folding Schemes
1.2 非交互折叠方案中的 1.2 IVC

We show how to realize IVC using a non-interactive version of our folding scheme for relaxed R1CS. We refer to our construction as Nova.
我们展示了如何使用我们为宽松 R1CS 设计的非交互式折叠方案来实现 IVC。我们将我们的构造称为 Nova。

Recall that an IVC is an argument of knowledge [29, 36]^{Footnote 2} for incremental computations of the form $y = F^{(ℓ)} (x)$ , where F is a (possibly non-deterministic) computation, $ℓ > 0$ , x is a public input, and y is the public output. At each incremental step, the IVC prover produces a proof that the step was computed correctly and it has verified a proof for the prior step. In other words, at each incremental step, the IVC prover produces a proof of satisfiability for an augmented circuit that augments the circuit for F with a “verifier circuit” that verifies the proof of the prior step. Recursively, the final proof proves the correctness of the entire incremental computation. A key aspect of IVC is that neither the IVC verifier’s work nor the IVC proof size depends on the number of steps in the incremental computation. In particular, the IVC verifier only verifies the proof produced at the last step of the incremental computation.
回忆一下，IVC（增量验证计算）是知识的一个论点[29, 36] ^{Footnote 2} ，用于形式为 $y = F^{(ℓ)} (x)$ 的增量计算，其中 F 是（可能非确定性的）计算 $ℓ > 0$ ，x 是公开输入，y 是公开输出。在每一步增量计算中，IVC 证明者生成一个证明，证明该步骤被正确计算，并且它已验证了前一步的证明。换句话说，在每一步增量计算中，IVC 证明者生成一个增强电路的满足性证明，该电路通过添加一个“验证电路”来增强 F 的电路，以验证前一步的证明。递归地，最终证明证明了整个增量计算的正确性。IVC 的一个关键方面是，IVC 验证者的工作量和 IVC 证明的大小都不依赖于增量计算中的步骤数量。特别是，IVC 验证者只验证增量计算的最后一步产生的证明。

In Nova, we consider incremental computations, where each step of the incremental computation is expressed with R1CS (all the steps in the incremental computation share the same R1CS coefficient matrices). At step i of the incremental computation, as in other approaches to IVC, Nova’s prover proves that the step i was computed correctly. Furthermore, at step i, instead of verifying a proof for step $i - 1$ (as in traditional approaches to IVC), Nova’s approach treats the computation at step $i - 1$ as an R1CS instance and folds that into a running relaxed R1CS instance. Specifically, at each step, Nova’s prover proves that it has performed the step’s computation and has folded its prior step represented as an R1CS instance into a running relaxed R1CS instance. In other words, the circuit satisfiability instance that the prover proves at each incremental step computes a step of the incremental computation and includes a circuit for the computation of the verifier in the non-interactive folding scheme for relaxed R1CS.
在 Nova 中，我们考虑增量计算，其中增量计算的每一步都使用 R1CS（增量计算中的所有步骤共享相同的 R1CS 系数矩阵）。在增量计算的步骤 i 中，正如其他 IVC 方法一样，Nova 的证明者证明步骤 i 被正确计算。此外，在步骤 i 中，Nova 的方法不是验证步骤 $i - 1$ 的证明（如传统 IVC 方法），而是将步骤 $i - 1$ 的计算视为 R1CS 实例，并将其折叠到一个运行中的放松 R1CS 实例中。具体来说，在每一步，Nova 的证明者证明它已经执行了该步骤的计算，并将之前步骤表示为 R1CS 实例的内容折叠到一个运行中的放松 R1CS 实例中。换句话说，证明者在每个增量步骤中证明的电路可满足性实例计算了增量计算的一个步骤，并包括一个用于非交互式折叠方案中放松 R1CS 的验证器计算电路。

A distinctive aspect of Nova’s approach to IVC is that it achieves the smallest “verifier circuit” in the literature. Since the verifier’s costs in the non-interactive version of the folding scheme for relaxed R1CS is $O_{λ} (1)$ , the size of the computation that Nova’s prover proves at each incremental step is $\approx$ $| F |$ , assuming N-sized vectors are committed with an $O_{λ} (1)$ -sized commitments (e.g., Pedersen’s commitments). In particular, the verifier circuit in Nova is constant-sized and its size is dominated by two group scalar multiplications. Furthermore, Nova’s prover’s work at each step is dominated by two multiexponentiations of size $\approx$ $| F |$ . Note that Nova’s prover does not perform any FFTs, so it can be instantiated efficiently using any cycles of elliptic curves where DLOG is hard.
诺瓦对 IVC 的方法的一个显著特点是实现了文献中最小的“验证器电路”。由于在非交互式折叠方案中，验证器的成本为 $O_{λ} (1)$ ，因此诺瓦的证明者在每个增量步骤中证明的计算大小为 $\approx$ $| F |$ ，假设使用 N 大小的向量与 $O_{λ} (1)$ 大小的承诺（例如，Pedersen 的承诺）。特别是，诺瓦中的验证器电路大小恒定，其大小主要由两个群标量乘法决定。此外，诺瓦的证明者在每个步骤的工作主要由两个大小为 $\approx$ $| F |$ 的多指数运算决定。请注意，诺瓦的证明者不执行任何 FFT，因此可以使用任何 DLOG 困难的椭圆曲线周期有效地实例化。

With the description thus far, the size of an IVC proof (which is a purported witness for the running relaxed R1CS instance) is $O_{λ} (| F |)$ . Instead of sending such a proof to a verifier, at any point in the incremental computation, Nova’s prover can prove the knowledge of a satisfying witness to the running relaxed R1CS instance in zero-knowledge with an $O_{λ} (\log | F |)$ -sized succinct proof using a zkSNARK that we design by adapting Spartan [38]. The following theorem summarizes our key result.
根据目前的描述，IVC 证明（作为运行中的放松 R1CS 实例的所谓见证）的大小为 $O_{λ} (| F |)$ 。在增量计算的任何时刻，Nova 的证明者可以用我们通过适配 Spartan [38]设计的 zkSNARK，以 $O_{λ} (\log | F |)$ 大小的简洁证明，在零知识中证明对运行中的放松 R1CS 实例的满足见证的知识，而不是将此类证明发送给验证者。以下定理总结了我们的关键结果。

Theorem 2定理 2

For any incremental function where each step of the incremental function applies a (non-deterministic) function F, there exists an IVC scheme with the following efficiency characteristics, assuming N-sized vectors are committed with an $O_{λ} (1)$ -sized commitments.
对于任何增量函数，其中增量函数的每一步都应用一个（非确定性）函数 F，存在一个具有以下效率特性的 IVC 方案，假设使用 N 大小的向量与 $O_{λ} (1)$ 大小的承诺。

IVC proof sizes are O(|F|) and the verifier’s work to verify them is $O_{λ} (| F |)$ . The prover’s work at each incremental step is $\approx$ $| F |$ . Specifically, the prover’s work at each step is dominated by two multiexponentiations of size $\approx$ $| F |$ .
IVC 证明大小为 O(|F|)，验证者验证它们的工作量为 $O_{λ} (| F |)$ 。在每个增量步骤中，证明者的工作为 $\approx$ $| F |$ 。具体来说，证明者在每一步的工作主要由两个大小为 $\approx$ $| F |$ 的多指数运算主导。
Succinct zero-knowledge proofs of valid IVC proofs are size $O_{λ} (\log | F |)$ , and the verifier’s work to verify them is either $O_{λ} (\log | F |)$ or $O_{λ} (| F |)$ depending on the commitment scheme for vectors. The prover’s work to produce this succinct zero-knowledge proof is $O_{λ} (| F |)$ .
简洁的零知识证明有效的 IVC 证明大小为 $O_{λ} (\log | F |)$ ，验证者验证这些证明的工作量要么是 $O_{λ} (\log | F |)$ ，要么是 $O_{λ} (| F |)$ ，具体取决于向量的承诺方案。生成此简洁零知识证明的证明者工作量为 $O_{λ} (| F |)$ 。

1.3 Implementation and Performance Evaluation
1.3 实施与性能评估

We implement Nova as a library in about 6,000 lines of Rust [3]. The library is generic over a cycle of elliptic curves and a hash function (used internally as the random oracle). The library provides candidate implementations with the Pasta cycle of elliptic curves [4] and Poseidon [2, 26]. Finally, the library accepts F (i.e., a step of the incremental computation) as a bellperson gadget [1].
我们将 Nova 实现为一个 Rust 库，约 6000 行代码[3]。该库对椭圆曲线周期和哈希函数（作为内部随机预言机使用）进行泛型处理。库提供了椭圆曲线 Pasta 周期[4]和 Poseidon[2, 26]的候选实现。最后，该库接受 F（即增量计算的步骤）作为 bellperson 小工具[1]。

Recursion Overheads. We measure the size of Nova’s verifier circuit, as it determines the recursion overhead: the number of additional constraints that the prover must prove at each incremental step besides proving an invocation of F.
递归开销。我们测量 Nova 验证器电路的大小，因为它决定了递归开销：除了证明 F 的调用外，证明者在每个增量步骤中必须证明的额外约束的数量。

We find that Nova’s verifier circuit is $\approx$ 20,000 R1CS constraints. This is the smallest verifier circuit in the literature and hence Nova incurs the lowest recursion overhead. Specifically, Nova’s recursion overhead is $> 10 \times$ lower than in SNARK-based IVC [6] with state-of-the-art per-circuit trusted setup SNARK [27], and over $100 \times$ smaller than with a SNARK without trusted setup [21]. Compared to recent works, Nova’s recursion overhead is over $7 \times$ lower than Halo’s [12], and over $2 \times$ lower than the scheme of Bunz et al. [15] (Fig. 1).
我们发现 Nova 的验证器电路是 $\approx$ 20,000 R1CS 约束。这是文献中最小的验证器电路，因此 Nova 产生的递归开销最低。具体来说，Nova 的递归开销比基于 SNARK 的 IVC[6]中具有最先进每电路可信设置的 SNARK[27]低 $> 10 \times$ ，并且比没有可信设置的 SNARK[21]低 $100 \times$ 。与近期工作相比，Nova 的递归开销比 Halo[12]低 $7 \times$ ，比 Bunz 等人[15]的方案低 $2 \times$ （图 1）。

Performance of Nova. We experiment with Nova on an Azure Standard F32s_v2 VM (16 physical CPUs, 2.70 GHz Intel(R) Xeon(R) Platinum 8168, and 64 GB memory). In our experiments, we vary the number of constraints in F. Our performance metrics are: the prover time, the verifier time, and proof sizes. We measure these for Nova’s IVC scheme as well as its Spartan-based zkSNARK to compress IVC proofs. Figure 2 depicts our results, and we find the following.
Nova 性能。我们在 Azure Standard F32s_v2 虚拟机（16 个物理 CPU，2.70 GHz Intel(R) Xeon(R) Platinum 8168，64 GB 内存）上对 Nova 进行实验。在我们的实验中，我们改变 F 中的约束数量。我们的性能指标是：证明者时间、验证者时间和证明大小。我们测量了 Nova 的 IVC 方案以及基于 Spartan 的 zkSNARK 压缩 IVC 证明的情况。图 2 展示了我们的结果，我们发现以下情况。

The prover’s per-step cost to produce an IVC proof and compress it scale sub-linearly with the size of F (since the cost is dominated by two multiexponentiations, which scale sub-linearly due to the Pippenger algorithm and parallelize better at larger sizes). When $| F | \approx 2^{20}$ constraints, the prover’s per-step cost to produce an IVC proof is $\approx$ 1 $μ$ s/constraint. For the same F, the cost to produce a compressed IVC proof is $\approx$ 24 $μ$ s/constraint.^{Footnote 3}
证明者在每一步生成 IVC 证明并压缩它的成本随着 F 的大小以亚线性比例增长（因为成本主要由两个多指数运算组成，这些运算由于 Pippenger 算法而以亚线性比例增长，并且在较大尺寸上并行化更好）。当有 $| F | \approx 2^{20}$ 约束时，证明者在每一步生成 IVC 证明的成本是 $\approx$ 1 $μ$ s/约束。对于相同的 F，生成压缩 IVC 证明的成本是 $\approx$ 24 $μ$ s/约束。 ^{Footnote 3}
Compressed IVC proofs are $\approx 8$ –9 KB and are significantly shorter than IVC proofs (e.g., they are $\approx$ 7,400 $\times$ shorter when $| F | \approx 2^{20}$ constraints).
压缩 IVC 证明为 $\approx 8$ –9 KB，比 IVC 证明显著更短（例如，当 $| F | \approx 2^{20}$ 约束时，它们比 $\approx$ 7,400 $\times$ 短）。
Verifying a compressed proof is only $\approx$ 2 $\times$ higher costs than verifying a significantly longer IVC proof.
验证压缩证明的成本仅比验证显著更长的 IVC 证明高 $\approx$ 2 $\times$ 。

1.4 A More Detailed Comparison with Prior Work
1.4 与先前工作的更详细比较

Figure 3 compares Nova with prior approaches. Nova’s approach can be viewed as taking Halo’s approach to the extreme. Specifically:
图 3 比较了 Nova 与先前的方法。Nova 的方法可以看作是将 Halo 的方法推向极致。具体来说：

At each incremental step, Halo’s verifier circuit verifies a “partial” SNARK. This still requires Halo’s prover to perform |F|-sized FFTs and O(|F|) exponentiations (i.e., not an |F|-sized multiexponentiation). Whereas, in Nova, the verifier circuit folds an entire $N P$ instance representing computation at the prior step into a running relaxed R1CS instance. This only requires Nova’s prover to commit to a satisfying assignment of an $\approx$ $| F |$ -sized circuit (which computes F and performs the verifier’s computation in a folding scheme for relaxed R1CS), so at each step, Nova’s prover only computes an O(|F|)-sized multiexponentiation and does not compute any FFTs. So, Nova’s prover incurs lower costs than Halo’s prover, both asymptotically and concretely.
在每一步增量中，Halo 的验证器电路验证一个“部分”SNARK。这仍然需要 Halo 的证明者执行|F|大小的 FFT 和 O(|F|)次幂运算（即不是|F|大小的多指数运算）。而 Nova 中，验证器电路将代表前一步计算的整个 $N P$ 实例折叠成一个运行中的放松 R1CS 实例。这只需要 Nova 的证明者对 $\approx$ $| F |$ -大小的电路（该电路计算 F 并在折叠方案中执行验证者的计算）的满足赋值进行承诺，因此，在每一步，Nova 的证明者只需计算 O(|F|)大小的多指数运算，而不需要计算任何 FFT。因此，Nova 的证明者比 Halo 的证明者承担的成本更低，无论是从渐近角度还是具体实现角度。
The verifier circuit in Halo is of size $O_{λ} (\log | F |)$ whereas in Nova, it is $O_{λ} (1)$ . Concretely, the dominant operations in Halo’s circuit is $O (\log | F |)$ group scalar multiplications, whereas in Nova, it is two group scalar multiplications.
Halo 中的验证器电路大小为 $O_{λ} (\log | F |)$ ，而在 Nova 中为 $O_{λ} (1)$ 。具体来说，Halo 电路中的主导操作是 $O (\log | F |)$ 群标量乘法，而在 Nova 中是两次群标量乘法。
Halo and Nova have the same proof sizes $O_{λ} (\log | F |)$ and verifier time $O_{λ} (| F |)$ .
Halo 和 Nova 具有相同的证明大小 $O_{λ} (\log | F |)$ 以及验证器时间 $O_{λ} (| F |)$ 。

Bünz et al. [16] apply Halo’s approach to other polynomial commitment schemes. Halo Infinite [10] generalizes the approach in Halo [12] to any homomorphic polynomial commitment scheme; they also obtain PCD (and hence IVC) even when polynomial commitment schemes do not satisfy succinctness.
Bünz 等人[16]将 Halo 的方法应用于其他多项式承诺方案。Halo Infinite[10]将 Halo[12]中的方法推广到任何同态多项式承诺方案；即使在多项式承诺方案不满足简洁性的情况下，他们也获得了 PCD（从而得到 IVC）。

Bünz et al. [15] propose a variant of the approach in Halo, where they realize PCD (and hence IVC) without relying on succinct arguments. Specifically, they first devise a non-interactive argument of knowledge (NARK) for R1CS with $O_{λ} (N)$ -sized proofs and $O_{λ} (N)$ verification times for N-sized R1CS instances. Then, they show that most of the NARK’s verifier’s computation can be deferred by performing $O_{λ} (1)$ work in the verifier circuit. For zero-knowledge, Nova relies on zero-knowledge arguments with succinct proofs, whereas their approach does not rely on succinct arguments. However, Nova’s approach has several conceptual and efficiency advantages over the work of Bünz et al. [15]:
Bünz 等人[15]提出了一种 Halo 方法变体，其中他们实现了 PCD（从而是 IVC），而不依赖于简洁的论证。具体来说，他们首先为 R1CS 设计了一种非交互式知识论证（NARK），具有 $O_{λ} (N)$ 大小的证明和 $O_{λ} (N)$ 验证时间，用于 N 大小的 R1CS 实例。然后，他们表明，通过在验证器电路中执行 $O_{λ} (1)$ 工作，可以推迟 NARK 验证器的大部分计算。对于零知识，Nova 依赖于具有简洁证明的零知识论证，而他们的方法则不依赖于简洁论证。然而，Nova 的方法在概念和效率上比 Bünz 等人[15]的工作具有几个优势：

Nova introduces a new primitive called a folding scheme, which is conceptually simpler and is easier to realize than prior notions such as (split) accumulation schemes used in prior work [15, 16]. Furthermore, a folding scheme for $N P$ directly leads to IVC and is again easier to analyze than with prior notions.
诺瓦引入了一种名为折叠方案的新原语，它在概念上比先前工作中使用的（分割）累积方案等概念更简单，也更易于实现。此外，针对 $N P$ 的折叠方案直接导致 IVC，并且与先前概念相比，分析起来也更加容易。
At each step, their prover performs an O(|F|)-sized FFT (which costs $O (| F | \log | F |)$ operations over $F$ ). Whereas, Nova does not perform any FFTs.
在每一步，他们的证明者执行一个大小为 O(|F|)的快速傅里叶变换（FFT，在 $F$ 上需要 $O (| F | \log | F |)$ 次操作）。而 Nova 不执行任何 FFT。
Their prover’s work for multiexponentitions at each step and the size of their verifier circuit are both higher than in Nova by $\approx$ $4 \times$ .
他们的证明者在每一步的多指数运算工作以及验证器电路的大小都高于 Nova 的 $\approx$ $4 \times$ 。
Proof sizes are $O_{λ} (| F |)$ in their work, whereas in Nova, they are $O_{λ} (\log | F |)$ . We believe, in theory, they can also compress their proofs, using a succinct argument, but unlike Nova, they do not specify how to do so in a concretely efficient manner. Furthermore, using succinct arguments is inconsistent with their goal of not employing them.
证明大小在其工作中为 $O_{λ} (| F |)$ ，而在 Nova 中为 $O_{λ} (\log | F |)$ 。理论上，我们认为他们也可以使用简洁的论据压缩他们的证明，但与 Nova 不同，他们没有具体说明如何以高效的方式做到这一点。此外，使用简洁的论据与他们的目标——不使用它们——不一致。

Concurrent Work. In an update concurrent with this work, Bünz et al. [15] provide an improved construction of their NARK for R1CS, which leads to an IVC that, like Nova, avoids FFTs. Furthermore, they improve the size of the verifier circuit by $\approx$ $2 \times$ , which is still larger than Nova’s verifier circuit by $\approx$ $2 \times$ . The per-step computation of the prover remains $4 \times$ higher than Nova.
并发工作。在与这项工作同时更新的一个版本中，Bünz 等人[15]提供了他们针对 R1CS 的 NARK 的改进构造，这导致了一个 IVC，类似于 Nova，避免了 FFT。此外，他们通过 $\approx$ $2 \times$ 改进了验证器电路的大小，这仍然比 Nova 的验证器电路 $\approx$ $2 \times$ 大。证明者的每步计算仍然比 Nova 高 $4 \times$ 。

1.5 An Overview of the Rest of the Paper
1.5 论文其余部分的概述

Section 2 provides the necessary background. Section 3 formally defines folding schemes and their properties. In Sect. 4, we introduce a variant of R1CS called relaxed R1CS for which we provide a folding scheme satisfying Theorem 1. Then, in Sect. 5, we use a non-interactive version of the folding scheme (§4.2) to construct an IVC scheme and a scheme to compress IVC proofs satisfying Theorem 2 by assuming the existence of a zkSNARK for relaxed R1CS with logarithmic-sized proofs. Finally, in Sect. 6, we construct such a zkSNARK.
第 2 节提供必要的背景。第 3 节正式定义折叠方案及其性质。在第 4 节中，我们介绍了一种称为宽松 R1CS 的 R1CS 变体，并为满足定理 1 的折叠方案提供了一种折叠方案。然后，在第 5 节中，我们使用折叠方案的非交互版本（§ 4.2）构建了一个 IVC 方案和一个压缩 IVC 证明的方案，该方案满足定理 2，并假设存在一个针对宽松 R1CS 的对数大小证明的 zkSNARK。最后，在第 6 节中，我们构建了这样的 zkSNARK。

2 Preliminaries2 前言

Let $F$ denote a finite field with $| F | = 2^{Θ (λ)}$ , where $λ$ is the security parameter. Let $≅$ denote computational indistinguishability with respect to a PPT adversary. We globally assume that generator algorithms that produce public parameters are additionally provided appropriate size bounds.
用 $F$ 表示具有 $| F | = 2^{Θ (λ)}$ 的有限域，其中 $λ$ 是安全参数。用 $≅$ 表示相对于 PPT 攻击者的计算不可区分性。我们全局假设生成公参数的生成算法还提供了适当的大小界限。

2.1 A Commitment Scheme for Vectors over $F$
2.1 向量上的承诺方案

We require a commitment scheme for vectors over $F$ that is additively homomorphic and succinct. We formally define these two properties and others noted below in [30, App. F]. Below, we define the syntax for commitment schemes.
我们要求一个针对向量 $F$ 的承诺方案，该方案是加法同态且简洁的。我们正式定义了这两个属性以及以下所提到的其他属性，见[30, 附录 F]。以下，我们定义了承诺方案的语法。

Definition 1 (A Commitment Scheme for Vectors)
定义 1（向量承诺方案）

A commitment scheme for $F^{m}$ is a tuple of three protocols with the following interface.
一个针对 $F^{m}$ 的承诺方案是一个包含以下界面的三个协议的元组。

$G e n (1^{λ}, m) \to p p$ : takes length parameter m; produces public parameters $p p$ .
$G e n (1^{λ}, m) \to p p$ : 接收长度参数 m；生成公共参数 $p p$ .
$C o m (p p, v, r) \to C$ : takes vector $v \in F^{m}$ and $r \in F$ ; produces commitment C.
$C o m (p p, v, r) \to C$ : 取向量 $v \in F^{m}$ 和 $r \in F$ ; 生成承诺 C.
$O p e n (p p, C, v, r) \to {0, 1}$ : verifies the opening of commitment C to $v \in F^{m}$ .
$O p e n (p p, C, v, r) \to {0, 1}$ : 验证对 $v \in F^{m}$ 的承诺 C 的开启。

A commitment scheme satisfies hiding (the commitment reveals no information), binding (a PPT adversary cannot open a commitment to two different values), and succinctness (the commitment size is logarithmic in the opening size).
一个承诺方案满足隐藏性（承诺不泄露任何信息）、绑定性（PPT 对手不能将承诺打开为两个不同的值）和简洁性（承诺的大小是打开大小的对数）。

2.2 Non-interactive Arguments of Knowledge
2.2 知识的非交互式参数

Definition 2 (Non-Interactive Argument of Knowledge)
定义 2（非交互式知识论辩）

Consider a relation $R$ over public parameters, structure, instance, and witness tuples. A non-interactive argument of knowledge for $R$ consists of PPT algorithms $(G, P, V)$ and deterministic $K$ , denoting the generator, the prover, the verifier and the encoder respectively with the following interface.
考虑一个关于公共参数、结构、实例和见证元组的 $R$ 关系。 $R$ 的非交互式知识论证由 PPT 算法 $(G, P, V)$ 和确定性 $K$ 组成，分别表示生成器、验证者、验证者和编码器的接口。

$G (1^{λ}) \to p p$ : On input security parameter $λ$ , samples public parameters $p p$ .
$G (1^{λ}) \to p p$ : 在输入安全参数 $λ$ 时，采样公共参数 $p p$ 。
$K (p p, s) \to (p k, v k)$ : On input structure $s$ , representing common structure among instances, outputs the prover key $p k$ and verifier key $v k$ .
$K (p p, s) \to (p k, v k)$ : 在输入结构 $s$ 中，表示实例之间的公共结构，输出证明密钥 $p k$ 和验证密钥 $v k$ 。
$P (p k, u, w) \to π$ : On input instance u and witness w, outputs a proof $π$ proving that $(p p, s, u, w) \in R$ .
$P (p k, u, w) \to π$ : 在输入实例 u 和见证者 w 上，输出一个证明 $π$ 以证明 $(p p, s, u, w) \in R$ 。
$V (v k, u, π) \to {0, 1}$ : Checks instance u given proof $π$ .
$V (v k, u, π) \to {0, 1}$ : 检查实例 u 给定的证明 $π$ 。

An argument of knowledge satisfies completeness if for any PPT adversary $A$
一个知识论点满足完备性，如果对于任何 PPT 对手 $A$

An argument of knowledge satisfies knowledge soundness if for all PPT adversaries $A$ there exists a PPT extractor $E$ such that for all randomness $ρ$
一个知识论据满足知识有效性，如果对于所有 PPT 攻击者 $A$ ，存在一个 PPT 提取器 $E$ ，使得对于所有随机性 $ρ$

Definition 3 (Zero-Knowledge)
定义 3（零知识）

An argument of knowledge $(G, K, P, V)$ for relation $R$ satisfies zero-knowledge if there exists PPT simulator $S$ such that for all PPT adversaries $A$
一个关于关系 $R$ 的知识论据 $(G, K, P, V)$ 满足零知识，如果存在 PPT 模拟器 $S$ ，使得对于所有 PPT 对手 $A$

Definition 4 (Succinctness)
定义 4（简洁性）

A non-interactive argument system is succinct if the size of the proof $π$ is polylogarithmic in the size of the witness w.
非交互式论证系统在证明 $π$ 的大小与见证 w 的大小成对数多项式关系时是简洁的。

2.3 Incrementally Verifiable Computation
2.3 逐步可验证计算

Incrementally verifiable computation (IVC) [43] enables verifiable computation for repeated function application. Intuitively, for a function F, with initial input $z_{0}$ , an IVC scheme allows a prover to produce a proof $Π_{i}$ for the statement $z_{i} = F^{(i)} (z_{0})$ (i.e., i applications of F on input $z_{0}$ ) given a proof $Π_{i - 1}$ for the statement $z_{i - 1} = F^{(i - 1)} (z_{0})$ . Formally, IVC schemes additionally permit F to take auxiliary input $ω$ . We recall the definition of IVC using notational conventions of modern argument systems.
增量可验证计算（IVC）[43] 允许对重复函数应用进行可验证计算。直观上，对于函数 F，给定初始输入 $z_{0}$ ，一个 IVC 方案允许证明者针对陈述 $z_{i} = F^{(i)} (z_{0})$ （即对输入 $z_{0}$ 应用 F 的 i 次）产生证明 $Π_{i}$ ，前提是针对陈述 $z_{i - 1} = F^{(i - 1)} (z_{0})$ 已有一个证明 $Π_{i - 1}$ 。形式上，IVC 方案还允许 F 接收辅助输入 $ω$ 。我们使用现代论证系统的符号约定来回忆 IVC 的定义。

Definition 5 (IVC)定义 5（IVC）

An incrementally verifiable computation (IVC) scheme is defined by PPT algorithms $(G, P, V)$ and deterministic $K$ denoting the generator, the prover, the verifier, and the encoder respectively. An IVC scheme $(G, K, P, V)$ satisfies perfect completeness if for any PPT adversary $A$
增量可验证计算（IVC）方案由 PPT 算法定义，包括生成器、证明者、验证者和编码器，分别表示为 $(G, P, V)$ 和确定性 $K$ 。一个 IVC 方案 $(G, K, P, V)$ 如果对于任何 PPT 对手 $A$ 满足完美完备性。

where F is a polynomial time computable function. Likewise, an IVC scheme satisfies knowledge-soundness if for any constant $n \in N$ , and expected polynomial time adversaries $P^{*}$ there exists expected polynomial-time extractor $E$ such that for any input randomness $ρ$
F 是一个多项式时间可计算函数。同样，一个 IVC 方案满足知识一致性，如果对于任何常数 $n \in N$ ，以及期望的多项式时间对手 $P^{*}$ ，存在期望的多项式时间提取器 $E$ ，使得对于任何输入随机性 $ρ$

An IVC scheme satisfies succinctness if the size of the IVC proof $Π$ does not grow with the number of applications n.
一个 IVC 方案在 IVC 证明的大小 $Π$ 不随应用数量 n 增长的情况下满足简洁性。

We note that in the definition above, the number of steps n is treated as a fixed environment variable that characterizes the extractor. This model is required for all known general recursive techniques as they rely on recursive extractors that blowup polynomially for each additional recursive step [10, 13, 15, 16, 21]. Bitansky et al. [8] avoid such a restriction by making non-blackbox assumptions about the extractors runtime with respect to that of the malicious prover. In any case, there are no known attacks on arbitrary depth recursion.
我们注意到，在上面的定义中，步骤数 n 被视为一个固定环境变量，它表征了提取器。所有已知的通用递归技术都需要这个模型，因为它们依赖于递归提取器，每个额外的递归步骤都会以多项式方式爆炸[10, 13, 15, 16, 21]。Bitansky 等人[8]通过关于提取器运行时间和恶意证明者运行时间的非黑盒假设来避免这种限制。无论如何，没有已知针对任意深度递归的攻击。

3 Folding Schemes3 折叠方案

This section formally defines folding schemes. Intuitively, a folding scheme for a relation $R$ is a protocol that reduces the task of checking two instances in $R$ to the task of checking a single instance in $R$ .
本节正式定义折叠方案。直观上，对于关系 $R$ 的折叠方案是一种将检查 $R$ 中的两个实例的任务简化为检查 $R$ 中的单个实例的任务的协议。

Definition 6 (Folding Scheme)
定义 6（折叠方案）

Consider a relation $R$ over public parameters, structure, instance, and witness tuples. A folding scheme for $R$ consists of a PPT generator algorithm $G$ , a deterministic encoder algorithm $K$ , and a pair of PPT algorithms $P$ and $V$ denoting the prover and verifier respectively, with the following interface:
考虑一个在公共参数、结构、实例和见证元组上的关系 $R$ 。一个折叠方案 $R$ 包括一个 PPT 生成算法 $G$ ，一个确定性编码算法 $K$ ，以及一对 PPT 算法 $P$ 和 $V$ ，分别表示证明者和验证者，具有以下接口：

$G (1^{λ}) \to p p$ : On input security parameter $λ$ , samples public parameters $p p$ .
$G (1^{λ}) \to p p$ : 在输入安全参数 $λ$ 时，采样公共参数 $p p$ 。
$K (p p, s) \to (p k, v k)$ : On input $p p$ , and a common structure $s$ between instances to be folded, outputs a prover key $p k$ and a verifier key $v k$ .
$K (p p, s) \to (p k, v k)$ : 在输入 $p p$ ，以及要折叠的实例之间的常见结构 $s$ ，输出一个证明密钥 $p k$ 和一个验证密钥 $v k$ 。
$P (p k, (u_{1}, w_{1}), (u_{2}, w_{2})) \to (u, w)$ : On input instance-witness tuples $(u_{1}, w_{1})$ and $(u_{2}, w_{2})$ outputs a new instance-witness tuple (u, w) of the same size.
$P (p k, (u_{1}, w_{1}), (u_{2}, w_{2})) \to (u, w)$ : 在输入实例-见证元组 $(u_{1}, w_{1})$ 和 $(u_{2}, w_{2})$ 的基础上输出相同大小的新实例-见证元组 (u, w)。
$V (v k, u_{1}, u_{2}) \to u$ : On input instances $u_{1}$ and $u_{2}$ , outputs a new instance u.
$V (v k, u_{1}, u_{2}) \to u$ : 在输入实例 $u_{1}$ 和 $u_{2}$ 上，输出新的实例 u.

Let让我们

\begin{aligned} (u, w) \leftarrow ⟨ P (p k, w_{1}, w_{2}), V (v k) ⟩ (u_{1}, u_{2}) \end{aligned}

denote the the verifier’s output instance u and the prover’s output witness w from the interaction of $P$ and $V$ on witnesses $(w_{1}, w_{2})$ , prover key $p k$ , verifier key $v k$ and instances $(u_{1}, u_{2})$ . Likewise, let
表示验证者输出实例 u 和证明者输出见证 w，从 $P$ 和 $V$ 与见证 $(w_{1}, w_{2})$ 的交互、证明者密钥 $p k$ 、验证者密钥 $v k$ 以及实例 $(u_{1}, u_{2})$ 中得出。同样地，让

\begin{aligned} t r = ⟨ P (p k, w_{1}, w_{2}), V (v k) ⟩ (u_{1}, u_{2}) \end{aligned}

denote the corresponding interaction transcript. A folding scheme satisfies perfect completeness if for all PPT adversaries $A$
表示相应的交互记录。一个折叠方案满足完美完备性，如果对于所有 PPT 对手 $A$

A folding scheme satisfies knowledge soundness if for any expected polynomial-time adversary $P^{*}$ there is an expected polynomial-time extractor $E$ such that
一个折叠方案满足知识一致性，如果对于任何预期的多项式时间对手 $P^{*}$ ，存在一个预期的多项式时间提取器 $E$ ，使得

where $ρ$ denotes arbitrary input randomness for $P^{*}$ . We call a transcript an accepting transcript if $P$ outputs a satisfying folded witness w for the folded instance u. We consider a folding scheme non-trivial if the communication costs and $V$ ’s computation are lower in the case where $V$ participates in the folding scheme and then checks a witness sent by $P$ for the folded instance than the case where $V$ checks witnesses sent by $P$ for each of the original instances.
$ρ$ 表示对 $P^{*}$ 的任意输入随机性。我们称一个记录为接受记录，如果 $P$ 输出满足折叠实例 u 的折叠证明 w。我们考虑一个折叠方案是非平凡的，如果参与折叠方案并检查由 $V$ 发送的折叠实例的证明的成本和 $V$ 的计算成本，比检查由 $V$ 为每个原始实例发送的证明的成本要低。

Definition 7 (Non-Interactive)
定义 7（非交互式）

A folding scheme $(G, K, P, V)$ is non-interactive if the interaction between $P$ and $V$ consists of a single message from $P$ to $V$ . This single message is denoted as an output of $P$ , and an input to $V$ .
折叠方案 $(G, K, P, V)$ 在 $P$ 与 $V$ 之间的交互仅由 $P$ 发送给 $V$ 的单一消息组成时是非交互式的。此单一消息表示为 $P$ 的输出，以及 $V$ 的输入。

Definition 8 (Zero-Knowledge)
定义 8（零知识）

A folding scheme $(G, K, P, V)$ satisfies zero-knowledge for relation $R$ if there exists a PPT simulator $S$ such that for all PPT adversaries $A$ , and $V^{*}$ , and input randomness $ρ$
折叠方案 $(G, K, P, V)$ 在存在一个 PPT 模拟器 $S$ 的情况下，对于所有 PPT 对手 $A$ ，以及 $V^{*}$ ，和输入随机性 $ρ$ ，满足关系 $R$ 的零知识

Definition 9 (Public Coin)
定义 9（公共币）

A folding scheme $(G, K, P, V)$ is called public coin if all the messages sent from $V$ to $P$ are sampled from a uniform distribution.
折叠方案 $(G, K, P, V)$ 如果从 $V$ 到 $P$ 发送的所有消息都来自均匀分布，则称为公共币。

Typically, knowledge soundness is difficult to prove directly. To assist these proofs, prior works employ the forking lemma [11], which abstracts away much of the probabilistic reasoning. The original forking lemma shows that to prove knowledge soundness it is sufficient to construct a PPT extractor that takes as input a “tree” of accepting transcripts and outputs a satisfying witness. However, in our setting, this extractor must additionally take as input the prover’s output (i.e., the folded instance and witness) for each of these transcripts, which contains information needed to reconstruct the original witness. So, we introduce a small variant of the forking lemma that captures this modification.
通常，知识的正确性难以直接证明。为了协助这些证明，先前的工作采用了分叉引理[11]，该引理抽象掉了大部分概率推理。原始的分叉引理表明，为了证明知识的正确性，构建一个 PPT 提取器就足够了，该提取器以接受会话的“树”作为输入，并输出一个满足的证人。然而，在我们的设置中，这个提取器还必须以每个这些会话的证明者的输出（即折叠实例和证人）作为输入，这些输出包含重建原始证人的所需信息。因此，我们引入了分叉引理的一个小变体，以捕捉这种修改。

Lemma 1引理 1

(Forking Lemma for Folding Schemes). Consider a $(2 μ + 1)$ -move folding scheme $Π = (G, K, P, V)$ . $Π$ satisfies knowledge soundness if there exists a PPT $X$ such that for all input instance pairs $u_{1}$ , $u_{2}$ , outputs satisfying witnesses $w_{1}$ , $w_{2}$ with probability $1 - n e g l (λ)$ , given public parameters $p p$ , structure $s$ , and an $(n_{1}, \dots, n_{μ})$ -tree of accepting transcripts and corresponding folded instance-witness pairs (u, w). This tree comprises $n_{1}$ transcripts (and corresponding instance-witness pairs) with fresh randomness in $V$ ’s first message; and for each such transcript, $n_{2}$ transcripts (and corresponding instance-witness pairs) with fresh randomness in $V$ ’s second message; etc., for a total of $\prod_{i = 1}^{μ} n_{i}$ leaves bounded by $p o l y (λ)$ .
（折叠方案分叉引理）。考虑一个 $(2 μ + 1)$ -移动折叠方案 $Π = (G, K, P, V)$ 。 $Π$ 满足知识一致性，如果存在一个 PPT $X$ ，使得对于所有输入实例对 $u_{1}$ ， $u_{2}$ ，在给定公共参数 $p p$ ，结构 $s$ ，以及一个 $(n_{1}, \dots, n_{μ})$ -接受转录树和相应的折叠实例-见证对（u, w）的情况下，以概率 $1 - n e g l (λ)$ 输出满足见证的输出 $w_{1}$ ， $w_{2}$ 。此树包含 $n_{1}$ 转录（以及相应的实例-见证对），在 $V$ 的第一条消息中具有新鲜随机性；对于每个这样的转录， $n_{2}$ 转录（以及相应的实例-见证对），在 $V$ 的第二条消息中具有新鲜随机性；等等，总共有 $\prod_{i = 1}^{μ} n_{i}$ 个叶子，受限于 $p o l y (λ)$ 。

Proof Intuition. A proof for our variant of the forking lemma is similar to that of Bootle et al. [11]. We present a formal proof in [30, App. F]. $◻$
证明直觉。我们对分叉引理的变体所提供的证明与 Bootle 等人[11]的类似。我们在[30，附录 F]中提供了一个形式化的证明。 $◻$

4 A Folding Scheme for NP
4 一种 NP 折叠方案

In this section, we describe a public-coin, zero-knowledge interactive folding scheme for $N P$ . We additionally discuss how to make it non-interactive. We leverage the non-interactivity property to realize IVC in the next section, and the zero-knowledge property to achieve zero-knowledge IVC proof compression.
在这一节中，我们描述了一种针对 $N P$ 的公开币、零知识交互折叠方案。此外，我们还讨论了如何使其非交互式。我们利用非交互性属性在下一节实现 IVC，并利用零知识属性实现零知识 IVC 证明压缩。

4.1 A Public-Coin, Zero-Knowledge Folding Scheme
4.1 公共币，零知识折叠方案

To design a folding scheme for $N P$ , we need an $N P$ -complete language. While theoretically any $N P$ -complete language is a viable candidate, we focus on R1CS,^{Footnote 4} a popular algebraic representation that generalizes arithmetic circuit satisfiability.
为了设计 $N P$ 的折叠方案，我们需要一个 $N P$ -完备的语言。虽然从理论上讲，任何 $N P$ -完备的语言都是可行的候选者，但我们专注于 R1CS， ^{Footnote 4} 一种流行的代数表示，它泛化了算术电路可满足性。

Definition 10 (R1CS)定义 10（R1CS）

Consider a finite field $F$ . Let the public parameters consist of size bounds $m, n, ℓ \in N$ where $m > ℓ$ . The R1CS structure consists of sparse matrices $A, B, C \in F^{m \times m}$ with at most $n = Ω (m)$ non-zero entries in each matrix. An instance $x \in F^{ℓ}$ consists of public inputs and outputs and is satisfied by a witness $W \in F^{m - ℓ - 1}$ if $(A \cdot Z) \circ (B \cdot Z) = C \cdot Z$ , where $Z = (W, x, 1)$ .
考虑一个有限域 $F$ 。公参数由大小界限 $m, n, ℓ \in N$ 组成，其中 $m > ℓ$ 。R1CS 结构由稀疏矩阵 $A, B, C \in F^{m \times m}$ 组成，每个矩阵中最多有 $n = Ω (m)$ 个非零项。一个实例 $x \in F^{ℓ}$ 由公输入和输出组成，并由一个证明者 $W \in F^{m - ℓ - 1}$ 满足，如果 $(A \cdot Z) \circ (B \cdot Z) = C \cdot Z$ ，其中 $Z = (W, x, 1)$ 。

As we show in the next section, to realize IVC, we only need a folding scheme that can fold two R1CS instances with the same R1CS matrices (A, B, C). Specifically, given R1CS matrices (A, B, C), and two corresponding instance-witness pairs $(x_{1}, W_{1})$ and $(x_{2}, W_{2})$ , we would like to devise a scheme that reduces the task of checking both instances into the task of checking a single new instance-witness pair $(x, W)$ against the same R1CS matrices (A, B, C). Unfortunately, as we illustrate now, it is difficult to devise a folding scheme for R1CS such that it satisfies completeness, let alone knowledge soundness.
正如我们在下一节中所示，要实现 IVC，我们只需要一个可以折叠具有相同 R1CS 矩阵（A，B，C）的两个 R1CS 实例的折叠方案。具体来说，给定 R1CS 矩阵（A，B，C）和两个相应的实例-证据对 $(x_{1}, W_{1})$ 和 $(x_{2}, W_{2})$ ，我们希望设计一个方案，将检查两个实例的任务简化为检查单个新的实例-证据对 $(x, W)$ 对相同的 R1CS 矩阵（A，B，C）的任务。不幸的是，正如我们现在所展示的，要设计一个满足完备性，更不用说知识健全性的 R1CS 折叠方案是困难的。

First Attempt. As R1CS is an algebraic system, the most direct approach would be to take a random linear combination. Ignoring efficiency concerns, suppose that the prover sends witnesses $W_{1}$ and $W_{2}$ in the first step. The verifier responds with a random $r \in F$ ; the prover and the verifier both compute
第一次尝试。由于 R1CS 是一个代数系统，最直接的方法是采用随机线性组合。忽略效率问题，假设验证者在第一步发送了见证 $W_{1}$ 和 $W_{2}$ 。验证者响应随机 $r \in F$ ；验证者和验证者都计算

\begin{aligned} x & \leftarrow x_{1} + r \cdot x_{2} \\ W & \leftarrow W_{1} + r \cdot W_{2}, \end{aligned}

and set the new instance-witness pair to be $(x, W)$ . However, for non-trivial $Z_{1} = (W_{1}, x_{1}, 1)$ and $Z_{2} = (W_{2}, x_{2}, 1)$ , and $Z = (W, x, 1)$ , we roughly have that
将新实例见证对设置为 $(x, W)$ 。然而，对于非平凡的 $Z_{1} = (W_{1}, x_{1}, 1)$ 和 $Z_{2} = (W_{2}, x_{2}, 1)$ ，以及 $Z = (W, x, 1)$ ，我们大致有：

\begin{aligned} A Z \circ B Z & = A (Z_{1} + r \cdot Z_{2}) \circ B (Z_{1} + r \cdot Z_{2}) \\ = A Z_{1} \circ B Z_{1} + r \cdot (A Z_{1} \circ B Z_{2} + A Z_{2} \circ B Z_{1}) + r^{2} \cdot (A Z_{2} \circ B Z_{2}) \\ \neq C Z . \end{aligned}

The failed attempt exposes three issues. First, we must account for an additional cross-term, $r \cdot (A Z_{1} \circ B Z_{2} + A Z_{2} \circ B Z_{1})$ . Second, the terms excluding the cross-term combine to produce a term that does not equal CZ:
失败的尝试揭示了三个问题。首先，我们必须考虑一个额外的交叉项， $r \cdot (A Z_{1} \circ B Z_{2} + A Z_{2} \circ B Z_{1})$ 。其次，排除交叉项的术语组合产生一个不等于 CZ 的术语。

\begin{aligned} A Z_{1} \circ B Z_{1} + r^{2} \cdot (A Z_{2} \circ B Z_{2}) = C Z_{1} + r^{2} \cdot C Z_{2} \neq C Z_{1} + r \cdot C Z_{2} = C Z . \end{aligned}

Third, we do not even have that $Z = Z_{1} + r \cdot Z_{2}$ because $Z_{1} + r \cdot Z_{2} = (W, x, 1 + r \cdot 1)$ .
第三，我们甚至没有那个 $Z = Z_{1} + r \cdot Z_{2}$ ，因为 $Z_{1} + r \cdot Z_{2} = (W, x, 1 + r \cdot 1)$ 。

Second Attempt. To handle the first issue, we introduce a “slack” (or error) vector $E \in F^{m}$ which absorbs the cross terms generated by folding. To handle the second and third issues, we introduce a scalar u, which absorbs an extra factor of r in $C Z_{1} + r^{2} \cdot C Z_{2}$ and in $Z = (W, x, 1 + r \cdot 1)$ . We refer to a variant of R1CS with these additional terms as relaxed R1CS.
第二次尝试。为了处理第一个问题，我们引入一个“松弛”（或误差）向量 $E \in F^{m}$ ，它吸收由折叠产生的交叉项。为了处理第二个和第三个问题，我们引入一个标量 u，它在 $C Z_{1} + r^{2} \cdot C Z_{2}$ 和 $Z = (W, x, 1 + r \cdot 1)$ 中吸收额外的 r 因子。我们将具有这些附加项的 R1CS 变体称为松弛 R1CS。

Definition 11 (Relaxed R1CS)
定义 11（宽松的 R1CS）

Consider a finite field $F$ . Let the public parameters consist of size bounds $m, n, ℓ \in N$ where $m > ℓ$ . The relaxed R1CS structure consists of sparse matrices $A, B, C \in F^{m \times m}$ with at most $n = Ω (m)$ non-zero entries in each matrix. A relaxed R1CS instance consists of an error vector $E \in F^{m}$ , a scalar $u \in F$ , and public inputs and outputs $x \in F^{ℓ}$ . An instance $(E, u, x)$ is satisfied by a witness $W \in F^{m - ℓ - 1}$ if $(A \cdot Z) \circ (B \cdot Z) = u \cdot (C \cdot Z) + E$ , where $Z = (W, x, u)$ .
考虑一个有限域 $F$ 。公参数由大小界限 $m, n, ℓ \in N$ 组成，其中 $m > ℓ$ 。放宽的 R1CS 结构由稀疏矩阵 $A, B, C \in F^{m \times m}$ 组成，每个矩阵中最多有 $n = Ω (m)$ 个非零项。一个放宽的 R1CS 实例由一个错误向量 $E \in F^{m}$ ，一个标量 $u \in F$ ，以及公输入和输出 $x \in F^{ℓ}$ 组成。如果一个实例 $(E, u, x)$ 被一个证人 $W \in F^{m - ℓ - 1}$ 满足，那么 $(A \cdot Z) \circ (B \cdot Z) = u \cdot (C \cdot Z) + E$ ，其中 $Z = (W, x, u)$ 。

Note that any R1CS instance can be expressed as a relaxed R1CS instance by augmenting it with $u = 1$ and $E = 0$ , so relaxed R1CS retains $N P$ -completeness.
请注意，任何 R1CS 实例都可以通过增加 $u = 1$ 和 $E = 0$ 来表示为放宽的 R1CS 实例，因此放宽的 R1CS 保留了 $N P$ -完备性。

Building on the first attempt, the prover and verifier can now use E to accumulate the cross-terms. In particular, for $Z_{i} = (W_{i}, x_{i}, u_{i})$ , the prover and verifier additionally compute
基于第一次尝试，证明者和验证者现在可以使用 E 来累积交叉项。特别是对于 $Z_{i} = (W_{i}, x_{i}, u_{i})$ ，证明者和验证者还额外计算

\begin{aligned} u & \leftarrow u_{1} + r \cdot u_{2} \\ E & \leftarrow E_{1} + r \cdot (A Z_{1} \circ B Z_{2} + A Z_{2} \circ B Z_{1} - u_{1} C Z_{2} - u_{2} C Z_{1}) + r^{2} \cdot E_{2}, \end{aligned}

and set the new instance-witness pair to be $((E, u, x), W)$ . Conveniently, updating u in this manner also keeps track of how the constant term in Z should be updated, which motivates our choice to use u in $Z = (W, x, u)$ rather than introducing a new variable. Now, for $Z = (W, x, u)$ , and for random $r \in F$ ,
将新实例见证对设置为 $((E, u, x), W)$ 。方便的是，以这种方式更新 u 也会跟踪 Z 中的常数项应该如何更新，这促使我们选择在 $Z = (W, x, u)$ 中使用 u 而不是引入新变量。现在，对于 $Z = (W, x, u)$ ，以及对于随机 $r \in F$ ，

\begin{aligned} A Z \circ B Z & = A Z_{1} \circ B Z_{1} + r \cdot (A Z_{1} \circ B Z_{2} + A Z_{2} \circ B Z_{1}) + r^{2} \cdot (A Z_{2} \circ B Z_{2}) \\ = (u_{1} C Z_{1} + E_{1}) + r \cdot (A Z_{1} \circ B Z_{2} + A Z_{2} \circ B Z_{1}) + r^{2} \cdot (u_{2} C Z_{2} + E_{2}) \\ = (u_{1} + r \cdot u_{2}) \cdot C (Z_{1} + r Z_{2}) + E \\ = u C Z + E . \end{aligned}

This implies that, for R1CS matrices (A, B, C), the folded witness W is a satisfying witness for the folded instance $(E, u, x)$ as promised. A few issues remain: in the above scheme, the prover sends witnesses $(W_{1}, W_{2})$ for the verifier to compute E. As a result, the folding scheme is not non-trivial; it is also not zero-knowledge.
这表明，对于 R1CS 矩阵（A，B，C），折叠的见证 W 是对折叠实例 $(E, u, x)$ 的满足见证，正如所承诺的那样。仍有一些问题存在：在上面的方案中，证明者向验证者发送见证 $(W_{1}, W_{2})$ 以计算 E。因此，折叠方案不是平凡的；它也不是零知识。

Final Protocol. To circumvent these issues, we use succinct and hiding additively homomorphic commitments to W and E in the instance, and treat both W and E as the witness. We refer to this variant of relaxed R1CS as committed relaxed R1CS. Below, we describe a folding scheme for committed relaxed R1CS, where the prover sends a single commitment to aid the verifier in computing commitments to the folded witness (W, E).
最终协议。为规避这些问题，我们在实例中使用简洁且隐藏的加法同态承诺来处理 W 和 E，并将 W 和 E 都视为见证。我们将这种放松的 R1CS 的变体称为承诺的放松 R1CS。以下，我们描述了一个针对承诺的放松 R1CS 的折叠方案，其中验证者发送单个承诺以帮助验证者计算折叠见证（W，E）的承诺。

Definition 12 (Committed Relaxed R1CS)
定义 12（承诺宽松 R1CS）

Consider a finite field $F$ and a commitment scheme $C o m$ over $F$ . Let the public parameters consist of size bounds $m, n, ℓ \in N$ where $m > ℓ$ , and commitment parameters ${p p}_{W}$ and ${p p}_{E}$ for vectors of size m and $m - ℓ - 1$ respectively. The committed relaxed R1CS structure consists of sparse matrices $A, B, C \in F^{m \times m}$ with at most $n = Ω (m)$ non-zero entries in each matrix. A committed relaxed R1CS instance is a tuple $(\bar{E}, u, \bar{W}, x)$ , where $\bar{E}$ and $\bar{W}$ are commitments, $u \in F$ , and $x \in F^{ℓ}$ are public inputs and outputs. An instance $(\bar{E}, u, \bar{W}, x)$ is satisfied by a witness $(E, r_{E}, W, r_{W}) \in (F^{m}, F, F^{m - ℓ - 1}, F)$ if $\bar{E} = C o m ({p p}_{E}, E, r_{E})$ , $\bar{W} = C o m ({p p}_{W}, W, r_{W})$ , and $(A \cdot Z) \circ (B \cdot Z) = u \cdot (C \cdot Z) + E$ , where $Z = (W, x, u)$ .
考虑一个有限域 $F$ 和一个在 $F$ 上的承诺方案 $C o m$ 。公共参数由大小界限 $m, n, ℓ \in N$ 组成，其中 $m > ℓ$ ，以及大小为 m 的向量的承诺参数 ${p p}_{W}$ 和大小为 $m - ℓ - 1$ 的向量的承诺参数 ${p p}_{E}$ 。已承诺的松弛 R1CS 结构由最多有 $n = Ω (m)$ 个非零元素的稀疏矩阵 $A, B, C \in F^{m \times m}$ 组成。一个已承诺的松弛 R1CS 实例是一个元组 $(\bar{E}, u, \bar{W}, x)$ ，其中 $\bar{E}$ 和 $\bar{W}$ 是承诺， $u \in F$ 和 $x \in F^{ℓ}$ 是公共输入和输出。一个实例 $(\bar{E}, u, \bar{W}, x)$ 被一个见证 $(E, r_{E}, W, r_{W}) \in (F^{m}, F, F^{m - ℓ - 1}, F)$ 满足，如果 $\bar{E} = C o m ({p p}_{E}, E, r_{E})$ ， $\bar{W} = C o m ({p p}_{W}, W, r_{W})$ ，和 $(A \cdot Z) \circ (B \cdot Z) = u \cdot (C \cdot Z) + E$ ，其中 $Z = (W, x, u)$ 。

Construction 1建设 1

(A Folding Scheme for Committed Relaxed R1CS). Consider a finite field $F$ and a succinct, hiding, and homomorphic commitment scheme $C o m$ over $F$ . We define the generator and the encoder as follows.
（针对承诺松弛 R1CS 的折叠方案）。考虑一个有限域 $F$ 和一个简洁、隐藏和同态承诺方案 $C o m$ 在 $F$ 上。我们如下定义生成器和编码器。

$G (1^{λ}) \to p p$ : output size bounds $m, n, ℓ \in N$ , and commitment parameters ${p p}_{W}$ and ${p p}_{E}$ for vectors of size m and $m - ℓ - 1$ respectively.
$G (1^{λ}) \to p p$ : 输出大小边界 $m, n, ℓ \in N$ ，以及大小为 m 的向量和大小为 $m - ℓ - 1$ 的承诺参数 ${p p}_{W}$ 和 ${p p}_{E}$ 。
$K (p p, (A, B, C)) \to (p k, v k)$ : output $p k \leftarrow (p p, (A, B, C))$ and $v k \leftarrow ⊥$ .
$K (p p, (A, B, C)) \to (p k, v k)$ : 输出 $p k \leftarrow (p p, (A, B, C))$ 和 $v k \leftarrow ⊥$ 。

The verifier $V$ takes two committed relaxed R1CS instances $({\bar{E}}_{1}, u_{1}, {\bar{W}}_{1}, x_{1})$ and $({\bar{E}}_{2}, u_{2}, {\bar{W}}_{2}, x_{2})$ . The prover $P$ , in addition to the two instances, takes witnesses to both instances, $(E_{1}, r_{E_{1}}, W_{1}, r_{W_{1}})$ and $(E_{2}, r_{E_{2}}, W_{2}, r_{W_{2}})$ . Let $Z_{1} = (W_{1}, x_{1}, u_{1})$ and $Z_{2} = (W_{2}, x_{2}, u_{2})$ . The prover and the verifier proceed as follows.
验证者 $V$ 接收两个提交的宽松 R1CS 实例 $({\bar{E}}_{1}, u_{1}, {\bar{W}}_{1}, x_{1})$ 和 $({\bar{E}}_{2}, u_{2}, {\bar{W}}_{2}, x_{2})$ 。除了这两个实例，证明者 $P$ 还接收两个实例的见证， $(E_{1}, r_{E_{1}}, W_{1}, r_{W_{1}})$ 和 $(E_{2}, r_{E_{2}}, W_{2}, r_{W_{2}})$ 。设 $Z_{1} = (W_{1}, x_{1}, u_{1})$ 和 $Z_{2} = (W_{2}, x_{2}, u_{2})$ 。证明者和验证者按以下步骤进行。

1.
$P$ : Send $\bar{T} : = C o m ({p p}_{E}, T, r_{T})$ , where $r_{T} \leftarrow_{R} F$ and with cross term
$P$ : 发送 $\bar{T} : = C o m ({p p}_{E}, T, r_{T})$ ，其中 $r_{T} \leftarrow_{R} F$ 以及跨项
$\begin{aligned} T = A Z_{1} \circ B Z_{2} + A Z_{2} \circ B Z_{1} - u_{1} \cdot C Z_{2} - u_{2} \cdot C Z_{1} . \end{aligned}$
2.
$V$ : Sample and send challenge $r \leftarrow_{R} F$ .
$V$ : 样本和发送挑战 $r \leftarrow_{R} F$ 。
3.
$V, P$ : Output the folded instance $(\bar{E}, u, \bar{W}, x)$ where
输出折叠实例 $(\bar{E}, u, \bar{W}, x)$
$\begin{aligned} \begin{array}{lllllll} \bar{E} & \leftarrow & {\bar{E}}_{1} & + & r \cdot \bar{T} & + & r^{2} \cdot {\bar{E}}_{2} \\ u & \leftarrow & u_{1} & + & r \cdot u_{2} \\ \bar{W} & \leftarrow & {\bar{W}}_{1} & + & r \cdot {\bar{W}}_{2} \\ x & \leftarrow & x_{1} & + & r \cdot x_{2} \end{array} \end{aligned}$
4.
$P$ : Output the folded witness $(E, r_{E}, W, r_{W})$ , where
输出折叠的见证者 $(E, r_{E}, W, r_{W})$ ，其中
$\begin{aligned} \begin{array}{lllllll} E & \leftarrow & E_{1} & + & r \cdot T & + & r^{2} \cdot E_{2} \\ r_{E} & \leftarrow & r_{E_{1}} & + & r \cdot r_{T} & + & r^{2} \cdot r_{E_{2}} \\ W & \leftarrow & W_{1} & + & r \cdot W_{2} \\ r_{W} & \leftarrow & r_{W_{1}} & + & r \cdot r_{W_{2}} \end{array} \end{aligned}$

Theorem 3定理 3

(A Folding Scheme for Committed Relaxed R1CS). Construction 1 is a public-coin folding scheme for committed relaxed R1CS with perfect completeness, knowledge soundness, and zero-knowledge.
（承诺宽松 R1CS 的折叠方案）。构造 1 是一个具有完美完备性、知识正确性和零知识证明的公共币折叠方案。

Proof Intuition. With textbook algebra, we can show that if witnesses $(E_{1}, r_{E_{1}},$ $W_{1}, r_{W_{1}})$ and $(E_{2}, r_{E_{2}}, W_{2}, r_{W_{2}})$ are satisfying witnesses, then the folded witness $(E, r_{E}, W, r_{W})$ must be a satisfying witness. We prove knowledge soundness via the forking lemma (Lemma 1) by showing that the extractor can produce the initial witnesses given three accepting transcripts and the corresponding folded witnesses. Specifically, the extractor uses all three transcripts to compute $E_{i}$ and $r_{E_{i}}$ , and any two transcripts to compute $W_{i}$ and $r_{W_{i}}$ for $i \in {1, 2}$ . The choice of which two transcripts does not matter due to the binding property of the commitment scheme. We present a formal proof in [30, App. B]. $◻$
证明直觉。使用教科书中的代数，我们可以证明如果见证者 $(E_{1}, r_{E_{1}},$ $W_{1}, r_{W_{1}})$ 和 $(E_{2}, r_{E_{2}}, W_{2}, r_{W_{2}})$ 是满足见证者，那么折叠见证者 $(E, r_{E}, W, r_{W})$ 必须是满足见证者。我们通过分叉引理（引理 1）证明知识健全性，通过展示提取器可以基于三个接受会话和相应的折叠见证者产生初始见证者。具体来说，提取器使用所有三个会话来计算 $E_{i}$ 和 $r_{E_{i}}$ ，以及任何两个会话来计算 $W_{i}$ 和 $r_{W_{i}}$ 以便计算 $i \in {1, 2}$ 。由于承诺方案的绑定属性，选择哪两个会话并不重要。我们在 [ 30, 附录 B] 中提供了一个形式化的证明。 $◻$

4.2 Achieving Non-interactivity via the Fiat-Shamir Transform
4.2 通过法币-沙米尔变换实现非交互性

To design Nova’s IVC scheme, we require our folding scheme for committed relaxed R1CS to be non-interactive in the standard model. To do so we first achieve non-interactivity in the random oracle model using the (strong) Fiat-Shamir transform [22]. Next, we heuristically instantiate the random oracle using a cryptographic hash function. As a result, we can only heuristically argue the security of the resulting non-interactive folding scheme. Note that all existing IVC constructions in the standard model require instantiating the random oracle with a cryptographic hash function [12, 15, 21, 43].
为了设计 Nova 的 IVC 方案，我们需要我们的针对已提交的松弛 R1CS 的折叠方案在标准模型中是非交互式的。为此，我们首先使用（强）Fiat-Shamir 变换[22]在随机预言模型中实现非交互性。接下来，我们通过密码哈希函数启发式地实例化随机预言。因此，我们只能启发式地论证所得到的非交互式折叠方案的安全性。请注意，所有现有的标准模型中的 IVC 构造都需要使用密码哈希函数实例化随机预言[12, 15, 21, 43]。

Construction 2建设 2

(A Non-Interactive Folding Scheme). We achieve non-interactivity in the random oracle model using the strong Fiat-Shamir transform [22]. Let $ρ$ denote a random oracle sampled during parameter generation and provided to all parties. Let $(G, K, P, V)$ represent our interactive folding scheme (Construction 1). We construct a non-interactive folding scheme $(G, K, P, V)$ as follows:
(非交互式折叠方案)。我们通过使用强大的 Fiat-Shamir 变换[22]在随机预言模型中实现非交互性。令 $ρ$ 表示在参数生成期间采样的随机预言，并将其提供给所有参与者。令 $(G, K, P, V)$ 表示我们的交互式折叠方案（构造 1）。我们如下构造一个非交互式折叠方案 $(G, K, P, V)$ ：

$G (1^{λ})$ : output $p p \leftarrow G (1^{λ})$ .
$G (1^{λ})$ : 输出 $p p \leftarrow G (1^{λ})$ .
$K (p p, (A, B, C))$ : $v k \leftarrow ρ (p p, s)$ and $p k \leftarrow (p p, (A, B, C), v k)$ ; output $(v k, p k)$ .
$K (p p, (A, B, C))$ : $v k \leftarrow ρ (p p, s)$ 以及 $p k \leftarrow (p p, (A, B, C), v k)$ ; 输出 $(v k, p k)$ .
$P (p k, (u_{1}, w_{1}), (u_{2}, w_{2}))$ : runs $P ((p k . p p, p k . (A, B, C))$ to retrieve its first message $\bar{T}$ , and sends $\bar{T}$ to $V$ ; computes $r \leftarrow ρ (v k, u_{1}, u_{2}, \bar{T})$ , forwards this to $P$ , and outputs the resulting output.
$P (p k, (u_{1}, w_{1}), (u_{2}, w_{2}))$ : 运行 $P ((p k . p p, p k . (A, B, C))$ 以获取其第一条消息 $\bar{T}$ ，并发送 $\bar{T}$ 到 $V$ ；计算 $r \leftarrow ρ (v k, u_{1}, u_{2}, \bar{T})$ ，将此转发到 $P$ ，并输出结果。
$V (v k, u_{1}, u_{2}, \bar{T})$ : runs $V$ with $\bar{T}$ as the message from the prover and with randomness $r \leftarrow ρ (v k, u_{1}, u_{2}, \bar{T})$ , and outputs the resulting output.
$V (v k, u_{1}, u_{2}, \bar{T})$ : 运行 $V$ ，使用来自验证者的消息 $\bar{T}$ 和随机性 $r \leftarrow ρ (v k, u_{1}, u_{2}, \bar{T})$ ，并输出结果。

Assumption 1假设 1

(RO instantiation). Construction 2 is a non-interactive folding scheme that satisfies completeness, knowledge soundness, and zero-knowledge in the standard model when $ρ$ is instantiated with a cryptographic hash function.
(RO 实例化). 构造 2 是一种非交互式折叠方案，当使用密码哈希函数实例化 $ρ$ 时，在标准模型中满足完备性、知识正确性和零知识。

5 Nova: An IVC Scheme with Proof Compression
5 新诺瓦：一种带有证明压缩的 IVC 方案

This section describes Nova, an IVC scheme designed from a non-interactive folding scheme, which when instantiated with any additively-homomorphic commitment scheme with succinct commitments achieves the claimed efficiency (Lemma 4). In addition, Nova incorporates an efficient zkSNARK to prove the knowledge of valid IVC proofs succinctly and in zero-knowledge, providing a succinct, zero-knowledge proof of knowledge of a valid IVC proof.
本节描述了 Nova，这是一个非交互式折叠方案设计的 IVC 方案，当与任何具有简洁承诺的加法同态承诺方案实例化时，实现了所声称的效率（引理 4）。此外，Nova 集成了高效的 zkSNARK，用于简洁且零知识地证明有效 IVC 证明的知识，提供了一个有效 IVC 证明知识的简洁、零知识证明。

In Nova, at each incremental step, the prover folds a particular step of the incremental computation (represented as a committed relaxed R1CS instance-witness pair) into a running committed relaxed R1CS instance-witness pair. At any step in the incremental computation, a valid “IVC proof”, in a nutshell, is a satisfying witness of the running committed relaxed R1CS instance (which an honest prover can compute by folding witnesses associated with each step of the incremental computation) along with the running committed relaxed R1CS instance. Furthermore, at any incremental step, Nova’s prover can prove in zero-knowledge and with a succinct proof—using a variant of an existing zkSNARK [38] (Sect. 6)—that it knows a valid IVC proof (i.e., a satisfying witness) to the running committed relaxed R1CS instance (Construction 4).
在 Nova 中，在每一步增量步骤中，验证者将增量计算的一个特定步骤（表示为提交的放松 R1CS 实例-见证对）折叠到一个正在运行的提交的放松 R1CS 实例-见证对中。在增量计算的任何步骤中，一个有效的“IVC 证明”，简而言之，是运行中的提交的放松 R1CS 实例的满足见证（一个诚实的验证者可以通过折叠与增量计算每个步骤相关的见证来计算）以及运行中的提交的放松 R1CS 实例。此外，在任何增量步骤中，Nova 的验证者可以使用现有 zkSNARK [38]（第 6 节）的一个变体，在零知识下并以简洁的证明方式证明它知道一个有效的 IVC 证明（即满足见证）到运行中的提交的放松 R1CS 实例（构造 4）。

Note that Nova is not a zero-knowledge IVC scheme, as that would additionally require an IVC proof to be zero-knowledge (in Nova’s case, an IVC proof does not hide witnesses associated with steps of the incremental computation). This difference is immaterial in the context of a single prover since it can use Nova’s auxiliary zkSNARK to provide a zero-knowledge proof of knowledge of a valid IVC proof; we leave it to future work to achieve zero-knowledge IVC.
请注意，Nova 不是一个零知识 IVC 方案，因为那还需要 IVC 证明是零知识的（在 Nova 的情况下，IVC 证明不会隐藏与增量计算步骤相关的证人）。这种差异在单个证明者的上下文中无关紧要，因为它可以使用 Nova 的辅助 zkSNARK 提供关于有效 IVC 证明的知识零知识证明；我们将实现零知识 IVC 留待未来的工作。

5.1 Constructing IVC from a Folding Scheme for $N P$
5.1 从折叠方案构建 IVC

Recall that an IVC scheme allows a prover to show that $z_{n} = F^{(n)} (z_{0})$ for some count n, initial input $z_{0}$ , and output $z_{n}$ . We now show how to construct an IVC scheme for a non-deterministic, polynomial-time computable function F using our non-interactive folding scheme for committed relaxed R1CS (Construction 2).^{Footnote 5}
回忆一下，一个 IVC 方案允许证明者展示对于某个计数 n，初始输入 $z_{0}$ ，以及输出 $z_{n}$ ， $z_{n} = F^{(n)} (z_{0})$ 。我们现在展示如何使用我们的非交互式折叠方案为提交的放松 R1CS（构造 2）构造一个非确定性多项式时间可计算函数 F 的 IVC 方案。 ^{Footnote 5}

In our construction, as in a SNARK-based IVC, the prover uses an augmented function $F^{'}$ (Fig. 4), which, in addition to invoking F, performs additional bookkeeping to fold proofs of prior invocations of itself.
在我们的构造中，就像基于 SNARK 的 IVC 一样，验证者使用一个增强函数 $F^{'}$ （图 4），除了调用 F 之外，还执行额外的簿记操作，以折叠之前自身调用的证明。

We first describe a simplified version of $F^{'}$ , to provide intuition. $F^{'}$ takes as non-deterministic advice two committed relaxed R1CS instances $u_{i}$ and $U_{i}$ . Suppose that $U_{i}$ represents the correct execution of invocations $1, \dots, i - 1$ of $F^{'}$ so long as $u_{i}$ represents the correct execution of invocation i of $F^{'}$ . $F^{'}$ performs two tasks. First, it executes a step of the incremental computation: instance $u_{i}$ contains $z_{i}$ which $F^{'}$ uses to output $z_{i + 1} = F (z_{i})$ . Second, $F^{'}$ invokes the verifier of the non-interactive folding scheme to fold the task of checking $u_{i}$ and $U_{i}$ into the task of checking a single instance $U_{i + 1}$ . The IVC prover then computes a new instance $u_{i + 1}$ which attests to the correct execution of invocation $i + 1$ of $F^{'}$ , thereby attesting that $z_{i + 1} = F (z_{i})$ and $U_{i + 1}$ is the result of folding $u_{i}$ and $U_{i}$ . Now, we have that $U_{i + 1}$ represents the correct execution of invocations $1, \dots, i$ of $F^{'}$ so long as $u_{i + 1}$ represents the correct execution of invocation $i + 1$ of $F^{'}$ .
首先描述了 $F^{'}$ 的简化版本，以提供直观感受。 $F^{'}$ 将两个提交的宽松 R1CS 实例 $u_{i}$ 和 $U_{i}$ 作为非确定性建议。假设 $U_{i}$ 代表 $1, \dots, i - 1$ 的调用 $F^{'}$ 的正确执行，只要 $u_{i}$ 代表调用 i 的 $F^{'}$ 的正确执行。 $F^{'}$ 执行两个任务。首先，它执行增量计算的步骤：实例 $u_{i}$ 包含 $z_{i}$ ，它使用 $F^{'}$ 输出 $z_{i + 1} = F (z_{i})$ 。其次， $F^{'}$ 调用非交互折叠方案的验证器，将检查 $u_{i}$ 和 $U_{i}$ 的任务折叠成检查单个实例 $U_{i + 1}$ 的任务。IVC 证明器随后计算一个新的实例 $u_{i + 1}$ ，证明调用 $i + 1$ 的 $F^{'}$ 的正确执行，从而证明 $z_{i + 1} = F (z_{i})$ 和 $U_{i + 1}$ 是折叠 $u_{i}$ 和 $U_{i}$ 的结果。现在，我们有 $U_{i + 1}$ 代表调用 $1, \dots, i$ 的 $F^{'}$ 的正确执行，只要 $u_{i + 1}$ 代表调用 $i + 1$ 的 $F^{'}$ 的正确执行。

The above description glossed over a subtle discrepancy: Because $F^{'}$ must output the running instance $U_{i + 1}$ for the next invocation to use, it is contained in $u_{i + 1} . x$ (i.e., the public IO of $u_{i + 1}$ ). But, in the next iteration, $F^{'}$ must fold $u_{i + 1} . x$ into $U_{i + 1} . x$ , meaning that $F^{'}$ is stuck trying to squeeze $U_{i + 1}$ into $U_{i + 1} . x$ . To handle this inconsistency, we modify $F^{'}$ to output a collision-resistant hash of its public IO rather than producing it directly (this ensures that the public IO of $F^{'}$ is a constant number of finite field elements). The next invocation of $F^{'}$ then additionally takes the preimage of this hash as non-deterministic advice. We assume that the hash function takes an additional random input (which provides hiding) but for notational convenience we do not explicitly depict this.
上述描述略过了细微的差异：因为 $F^{'}$ 必须输出运行实例 $U_{i + 1}$ 以便下一次调用使用，它包含在 $u_{i + 1} . x$ （即 $u_{i + 1}$ 的公共 IO 中）。但是，在下一次迭代中， $F^{'}$ 必须将 $u_{i + 1} . x$ 折叠到 $U_{i + 1} . x$ 中，这意味着 $F^{'}$ 卡在试图将 $U_{i + 1}$ 挤压到 $U_{i + 1} . x$ 中。为了处理这种不一致性，我们修改 $F^{'}$ 以输出其公共 IO 的碰撞抵抗哈希，而不是直接产生它（这确保了 $F^{'}$ 的公共 IO 是有限域中的固定数量的元素）。下一次调用 $F^{'}$ 时，还额外采用这个哈希的预像作为非确定性建议。我们假设哈希函数接受额外的随机输入（这提供了隐藏），但为了书写方便，我们没有明确表示这一点。

Producing IVC Proofs. Let $(u_{⊥}, w_{⊥})$ be the trivially satisfying instance-witness pair, where E, W, and $x$ are appropriately-sized zero vectors, $r_{E} = 0$ , $r_{W} = 0$ , and $\bar{E}$ and $\bar{W}$ are commitments of E and W respectively.
生成 IVC 证明。令 $(u_{⊥}, w_{⊥})$ 为平凡满足的实例-证人对，其中 E、W 和 $x$ 是适当大小的零向量， $r_{E} = 0$ 、 $r_{W} = 0$ 、 $\bar{E}$ 和 $\bar{W}$ 分别是 E 和 W 的承诺。

Now, in iteration $i + 1$ , the IVC prover runs $F^{'}$ and computes $u_{i + 1}$ and $U_{i + 1}$ as well as the corresponding witnesses $w_{i + 1}$ and $W_{i + 1}$ . Because $u_{i + 1}$ and $U_{i + 1}$ together attest to the correctness of $i + 1$ invocations of $F^{'}$ (which indirectly attests to $i + 1$ invocations of F) the IVC proof $Π_{i + 1}$ is $((U_{i + 1}, W_{i + 1}), (u_{i + 1}, w_{i + 1}))$ . Moreover, succinctness is maintained by the properties of the underlying folding scheme. We formally describe our construction below.
现在，在迭代 $i + 1$ 中，IVC 证明器运行 $F^{'}$ 并计算 $u_{i + 1}$ 和 $U_{i + 1}$ 以及相应的证人 $w_{i + 1}$ 和 $W_{i + 1}$ 。因为 $u_{i + 1}$ 和 $U_{i + 1}$ 共同证明了 $i + 1$ 对 $F^{'}$ 的调用正确性（这间接证明了 $i + 1$ 对 F 的调用正确性），所以 IVC 证明 $Π_{i + 1}$ 是 $((U_{i + 1}, W_{i + 1}), (u_{i + 1}, w_{i + 1}))$ 。此外，通过底层折叠方案的性质，保持了简洁性。我们下面将正式描述我们的构造。

Construction 3 (IVC)建设 3（IVC）

[IVC] Let $N I F S = (G, K, P, V)$ be the non-interactive folding scheme for committed relaxed R1CS (Construction 2). Consider a polynomial-time function F that takes non-deterministic input, and a cryptographic hash function $h a s h$ . We define our augmented function $F^{'}$ as follows (all arguments to $F^{'}$ are taken as non-deterministic advice):
[IVC] 设 $N I F S = (G, K, P, V)$ 为针对提交的宽松 R1CS（构造 2）的非交互折叠方案。考虑一个接受非确定性输入的多项式时间函数 F 和一个密码学哈希函数 $h a s h$ 。我们定义我们的增强函数 $F^{'}$ 如下（所有输入到 $F^{'}$ 的参数均视为非确定性建议）：

$\underline{F^{'} (v k, U_{i}, u_{i}, (i, z_{0}, z_{i}), ω_{i}, \bar{T}) \to x}$ :

If i is 0, output $h a s h (v k, 1, z_{0}, F (z_{0}, ω_{i}), u_{⊥})$ ;
如果 i 为 0，输出 $h a s h (v k, 1, z_{0}, F (z_{0}, ω_{i}), u_{⊥})$ ;

otherwise, 否则，

(1)
check that $u_{i} . x = h a s h (v k, i, z_{0}, z_{i}, U_{i})$ , where $u_{i} . x$ is the public IO of $u_{i}$ ,
检查 $u_{i} . x = h a s h (v k, i, z_{0}, z_{i}, U_{i})$ ，其中 $u_{i} . x$ 是 $u_{i}$ 的公共 IO
(2)
check that $(u_{i} . \bar{E}, u_{i} . u) = (u_{⊥} . \bar{E}, 1)$ ,
检查 $(u_{i} . \bar{E}, u_{i} . u) = (u_{⊥} . \bar{E}, 1)$ ，
(3)
compute $U_{i + 1} \leftarrow N I F S . V (v k, U, u, \bar{T})$ , and
计算 $U_{i + 1} \leftarrow N I F S . V (v k, U, u, \bar{T})$ ，和
(4)
output $h a s h (v k, i + 1, z_{0}, F (z_{i}, ω_{i}), U_{i + 1})$ .输出 $h a s h (v k, i + 1, z_{0}, F (z_{i}, ω_{i}), U_{i + 1})$ .

Because $F^{'}$ can be computed in polynomial time, it can be represented as a committed relaxed R1CS structure $s_{F^{'}}$ . Let
因为 $F^{'}$ 可以在多项式时间内计算，它可以表示为一个承诺的松弛 R1CS 结构 $s_{F^{'}}$ 。

(u_{i + 1}, w_{i + 1}) \leftarrow t r a c e (F^{'}, (v k, U_{i}, u_{i}, (i, z_{0}, z_{i}), ω_{i}, \bar{T}))

denote the satisfying committed relaxed R1CS instance-witness pair $(u_{i + 1}, w_{i + 1})$ for the execution of $F^{'}$ on non-deterministic advice $(v k, U_{i}, u_{i}, (i, z_{0}, z_{i}), ω_{i}, \bar{T})$ .
表示满足的、承诺的、放松的 R1CS 实例-证人对 $(u_{i + 1}, w_{i + 1})$ ，用于在非确定性建议 $(v k, U_{i}, u_{i}, (i, z_{0}, z_{i}), ω_{i}, \bar{T})$ 上执行 $F^{'}$ 。

We define the IVC scheme $(G, K, P, V)$ as follows.
我们定义了 IVC 方案 $(G, K, P, V)$ 如下。

$\underline{G (1^{λ}) \to p p}$ : Output $N I F S . G (1^{λ})$ .
$\underline{G (1^{λ}) \to p p}$ : 输出 $N I F S . G (1^{λ})$ .

$\underline{K (p p, F) \to (p k, v k)}$ :

Compute $({p k}_{f s}, {v k}_{f s}) \leftarrow N I F S . K (p p, s_{F^{'}})$ and output $(p k, v k) \leftarrow ((F, {p k}_{f s}), (F, {v k}_{f s}))$ .
计算 $({p k}_{f s}, {v k}_{f s}) \leftarrow N I F S . K (p p, s_{F^{'}})$ 并输出 $(p k, v k) \leftarrow ((F, {p k}_{f s}), (F, {v k}_{f s}))$ 。

$\underline{P (p k, (i, z_{0}, z_{i}), ω_{i}, Π_{i}) \to Π_{i + 1}}$ :

Parse $Π_{i}$ as $((U_{i}, W_{i}), (u_{i}, w_{i}))$ and then
解析 $Π_{i}$ 作为 $((U_{i}, W_{i}), (u_{i}, w_{i}))$ 并然后

(1) if i is 0, compute $(U_{i + 1}, W_{i + 1}, \bar{T}) \leftarrow (u_{⊥}, w_{⊥}, u_{⊥} . \bar{E})$ ;
(1) 如果 i 为 0，计算 $(U_{i + 1}, W_{i + 1}, \bar{T}) \leftarrow (u_{⊥}, w_{⊥}, u_{⊥} . \bar{E})$ ;

otherwise, compute $(U_{i + 1}, W_{i + 1}, \bar{T}) \leftarrow N I F S . P (p k, (U_{i}, W_{i}), (u_{i}, w_{i}))$ ,
否则，计算 $(U_{i + 1}, W_{i + 1}, \bar{T}) \leftarrow N I F S . P (p k, (U_{i}, W_{i}), (u_{i}, w_{i}))$

(2) compute $(u_{i + 1}, w_{i + 1}) \leftarrow t r a c e (F^{'}, (v k, U_{i}, u_{i}, (i, z_{0}, z_{i}), ω_{i}, \bar{T}))$ , and
(2) 计算 $(u_{i + 1}, w_{i + 1}) \leftarrow t r a c e (F^{'}, (v k, U_{i}, u_{i}, (i, z_{0}, z_{i}), ω_{i}, \bar{T}))$ ，和

(3) output $Π_{i + 1} \leftarrow ((U_{i + 1}, W_{i + 1}), (u_{i + 1}, w_{i + 1}))$ .
(3) 输出 $Π_{i + 1} \leftarrow ((U_{i + 1}, W_{i + 1}), (u_{i + 1}, w_{i + 1}))$ .

$\underline{V (v k, (i, z_{0}, z_{i}), Π_{i}) \to {0, 1}}$ :

If i is 0, check that $z_{i} = z_{0}$ ;
如果 i 为 0，检查 $z_{i} = z_{0}$ ；

otherwise, 否则，

(1)
parse $Π_{i}$ as $((U_{i}, W_{i}), (u_{i}, w_{i}))$ ,
解析 $Π_{i}$ 为 $((U_{i}, W_{i}), (u_{i}, w_{i}))$ ，
(2)
check that $u_{i} . x = h a s h (v k, i, z_{0}, z_{i}, U_{i})$ ,
检查 $u_{i} . x = h a s h (v k, i, z_{0}, z_{i}, U_{i})$ ，
(3)
check that $(u_{i} . \bar{E}, u . u) = (u_{⊥} . \bar{E}, 1)$ , and
检查 $(u_{i} . \bar{E}, u . u) = (u_{⊥} . \bar{E}, 1)$ ，并
(4)
check that $W_{i}$ and $w_{i}$ are satisfying witnesses to $U_{i}$ and $u_{i}$ respectively.
检查 $W_{i}$ 和 $w_{i}$ 分别是 $U_{i}$ 和 $u_{i}$ 的满意见证者。

Lemma 2 (Completeness)

Construction 3 is an IVC scheme that satisfies completeness.

Proof Intuition. Given a satisfying IVC proof $Π_{i} = ((U_{i}, W_{i}), (u_{i}, w_{i}))$ suppose that $P$ outputs $Π_{i + 1} = ((U_{i + 1}, W_{i + 1}), (u_{i + 1}, w_{i + 1}))$ . Because $Π_{i}$ is a valid IVC proof, $(u_{i}, w_{i})$ and $(U_{i}, W_{i})$ are satisfying instance-witness pairs. Because $(U_{i + 1}, W_{i + 1})$ is obtained by folding $(u_{i}, w_{i})$ and $(U_{i}, W_{i})$ , it must be satisfying by the folding scheme’s completeness. By construction, $(u_{i + 1}, w_{i + 1})$ is satisfying instance-witness pair that satisfies the IVC verifier’s auxiliary checks. Thus, $Π_{i + 1}$ is satisfying. [30, App. C] provides a formal proof. $◻$

Lemma 3 (Knowledge Soundness)

Construction 3 is an IVC scheme that satisfies knowledge soundness.

Proof Intuition. For function F, constant n, $p p \leftarrow G (1^{λ})$ , and $(p k, v k) \leftarrow K (p p, F)$ , consider an adversary $P^{*}$ that outputs $(z_{0}, z, Π)$ such that $V (v k, (n, z_{0}, z), Π) = 1$ with probability $ϵ$ . We construct an extractor $E$ that with input $(p p, z_{0}, z)$ , outputs $(ω_{0}, \dots, ω_{n - 1})$ such that by computing $z_{i} \leftarrow F (z_{i - 1}, ω_{i - 1})$ for all $i \in {1, \dots, n}$ we have that $z_{n} = z$ with probability $ϵ - n e g l (λ)$ . We show inductively that $E$ can construct an extractor $E_{i}$ that outputs $(z_{i}, \dots, z_{n - 1})$ , $(ω_{i}, \dots, ω_{n - 1})$ , and $Π_{i}$ such that for all $j \in {i + 1, \dots, n}$ , $z_{j} = F (z_{j - 1}, ω_{j - 1})$ , $V (v k, i, z_{0}, z_{i}, Π_{i}) = 1$ , and $z_{n} = z$ with probability $ϵ - n e g l (λ)$ . Then, because in the base case when $i = 0$ , $V$ checks that $z_{0} = z_{i}$ , it is sufficient for $E$ to run $E_{0}$ to retrieve values $(ω_{0}, \dots, ω_{n - 1})$ . Initially, $E_{n}$ simply runs the assumed $P^{*}$ to get a satisfying $Π_{n}$ . Given extractor $E_{i}$ that satisfies the inductive hypothesis, we can construct extractor $E_{i - 1}$ . [30, App. C] provides a formal proof. $◻$
证明直觉。对于函数 F、常数 n、 $p p \leftarrow G (1^{λ})$ 和 $(p k, v k) \leftarrow K (p p, F)$ ，考虑一个敌手 $P^{*}$ ，它输出 $(z_{0}, z, Π)$ ，使得 $V (v k, (n, z_{0}, z), Π) = 1$ 的概率为 $ϵ$ 。我们构造一个提取器 $E$ ，它以输入 $(p p, z_{0}, z)$ 为条件，输出 $(ω_{0}, \dots, ω_{n - 1})$ ，使得通过计算对于所有 $z_{i} \leftarrow F (z_{i - 1}, ω_{i - 1})$ ，我们有 $i \in {1, \dots, n}$ 的概率为 $z_{n} = z$ 。我们通过归纳法证明 $ϵ - n e g l (λ)$ 可以构造一个提取器 $E$ ，它输出 $E_{i}$ ， $(z_{i}, \dots, z_{n - 1})$ ， $(ω_{i}, \dots, ω_{n - 1})$ 和 $Π_{i}$ ，使得对于所有 $j \in {i + 1, \dots, n}$ ， $z_{j} = F (z_{j - 1}, ω_{j - 1})$ ， $V (v k, i, z_{0}, z_{i}, Π_{i}) = 1$ 和 $z_{n} = z$ ，概率为 $ϵ - n e g l (λ)$ 。然后，因为在基本情况中当 $i = 0$ ， $V$ 检查 $z_{0} = z_{i}$ 时，只需 $E$ 运行 $E_{0}$ 以检索值 $(ω_{0}, \dots, ω_{n - 1})$ 即可。最初， $E_{n}$ 简单地运行假设的 $P^{*}$ 以获得令人满意的 $Π_{n}$ 。给定满足归纳假设的提取器 $E_{i}$ ，我们可以构造提取器 $E_{i - 1}$ 。[ 30, 附录 C] 提供了形式证明。 $◻$

Lemma 4 (Efficiency)引理 4（效率）

When instantiated with the Pedersen commitment scheme, we have that $| F^{'} | = | F | + o (2 \cdot G + 2 \cdot H + R)$ , where |F| denotes the number of R1CS constraints to encode a function F, $G$ is the number of constraints required to encode a group scalar multiplication, $H$ is the number of constraints required to encode $h a s h$ , and $R$ is the number of constraints to encode the RO $ρ$ .
当使用 Pedersen 承诺方案实例化时，我们有 $| F^{'} | = | F | + o (2 \cdot G + 2 \cdot H + R)$ ，其中|F|表示编码函数 F 所需的 R1CS 约束数量， $G$ 是编码群标量乘法所需的约束数量， $H$ 是编码 $h a s h$ 所需的约束数量， $R$ 是编码 RO $ρ$ 的约束数量。

Proof证明

On input instances $U$ and $u$ , $N I F S . V$ computes $\bar{E} \leftarrow U . \bar{E} + r \cdot \bar{T} + r^{2} \cdot u . \bar{E}$ and $\bar{W} \leftarrow U . \bar{W} + r \cdot u . \bar{W}$ . However, by construction, $u . \bar{E} = u_{⊥} . \bar{E} = \bar{0}$ . So, $N I F S . V$ computes two group scalar multiplications, as it does not need to compute $r^{2} \cdot u . \bar{E}$ . $N I F S . V$ additionally invokes the RO once to obtain a random scalar. Finally, $F^{'}$ makes two additional calls to $h a s h$ (details are in the description of $F^{'}$ ). $◻$
在输入实例 $U$ 和 $u$ ， $N I F S . V$ 计算出 $\bar{E} \leftarrow U . \bar{E} + r \cdot \bar{T} + r^{2} \cdot u . \bar{E}$ 和 $\bar{W} \leftarrow U . \bar{W} + r \cdot u . \bar{W}$ 。然而，根据构造， $u . \bar{E} = u_{⊥} . \bar{E} = \bar{0}$ 。因此， $N I F S . V$ 计算两个群标量乘法，因为它不需要计算 $r^{2} \cdot u . \bar{E}$ 。 $N I F S . V$ 此外调用 RO 一次以获取一个随机标量。最后， $F^{'}$ 对 $h a s h$ 进行两次额外调用（详细信息见 $F^{'}$ 的描述）。 $◻$

5.2 Compressing IVC Proofs with zkSNARKs
5.2 使用 zkSNARKs 压缩 IVC 证明

To prove a statement about an incremental computation, the prover can produce an IVC proof using the construction in the prior section and send the IVC proof to the verifier. However, this does not satisfy zero-knowledge (as the IVC proof described in the prior section does not hide the prover’s non-deterministic inputs) and succinctness (as the IVC proof size is linear in the size F). In theory, one can address this problem with any zkSNARK for $N P$ . Specifically, $\bar{P}$ can produce a zkSNARK proving that it knows $Π_{i}$ such that IVC verifier $V$ accepts for statement $(i, z_{0}, z_{i})$ . Naturally, the proof sent to the verifier is succinct and zero-knowledge due to the corresponding properties of the zkSNARK.
为了证明关于增量计算的一个陈述，证明者可以使用前述章节中的构造方法生成一个 IVC 证明，并将 IVC 证明发送给验证者。然而，这并不满足零知识（因为前述章节中描述的 IVC 证明没有隐藏证明者的非确定性输入）和简洁性（因为 IVC 证明的大小与 F 的大小成线性关系）。在理论上，可以使用任何 zkSNARK 来解决此问题。具体来说， $\bar{P}$ 可以生成一个 zkSNARK，证明它知道 $Π_{i}$ ，使得 IVC 验证者 $V$ 接受该陈述 $(i, z_{0}, z_{i})$ 。自然地，由于 zkSNARK 的相应属性，发送给验证者的证明是简洁的和零知识的。

Unfortunately, employing an off-the-shelf zkSNARK makes the overall solution impractical as the zkSNARK prover must prove, among other things, the knowledge of vectors whose commitments equal a particular value; this requires encoding a linear number of group scalar multiplications in the programming model of zkSNARKs (e.g., R1CS or circuits). To address this, we design a zkSNARK tailored for our particular purpose and we describe it in Sect. 6. Below, we describe how to use a zkSNARK to prove the knowledge of a valid IVC proof.
很遗憾，使用现成的 zkSNARK 使得整体解决方案不切实际，因为 zkSNARK 证明者必须证明，包括其他事项在内，知道向量承诺等于特定值的向量；这需要在 zkSNARK 的编程模型（例如 R1CS 或电路）中编码线性数量的群标量乘法。为了解决这个问题，我们设计了一个针对我们特定目的的 zkSNARK，并在第 6 节中描述了它。下面，我们描述了如何使用 zkSNARK 来证明有效 IVC 证明的知识。

Construction 4建设 4

(A zkSNARK of a Valid IVC Proof). Let $I V C$ denote the IVC scheme in Construction 3, let $N I F S$ denote the non-interactive folding scheme in Construction 2, and let $h a s h$ denote a randomized cryptographic hash function. Assume a zero-knowledge succinct non-interactive argument of knowledge (Definition 2), $z k S N A R K$ , for committed relaxed R1CS. That is, given public parameters $p p$ , structure $s$ , and instance $u$ , $z k S N A R K . P$ can convince $z k S N A R K . V$ in zero-knowledge and with a succinct proof (e.g., $O_{λ} (\log N)$ -sized proof) that it knows a corresponding witness $w$ such that $(p p, s, u, w)$ is a satisfying committed relaxed R1CS tuple.
(一个有效的 IVC 证明的 zkSNARK)。令 $I V C$ 表示构造 3 中的 IVC 方案，令 $N I F S$ 表示构造 2 中的非交互式折叠方案，令 $h a s h$ 表示一个随机的加密哈希函数。假设对于承诺的放松 R1CS，存在一个零知识简洁非交互式知识论证（定义 2）， $z k S N A R K$ ，即，给定公共参数 $p p$ ，结构 $s$ ，和实例 $u$ ， $z k S N A R K . P$ 可以在零知识下，并通过一个简洁的证明（例如， $O_{λ} (\log N)$ 大小的证明）说服 $z k S N A R K . V$ ，它知道一个相应的证人 $w$ ，使得 $(p p, s, u, w)$ 是一个满足的承诺的放松 R1CS 元组。

Consider a polynomial-time computable function F. Suppose $p p \leftarrow I V C . G (1^{λ})$ and $(p k, v k) \leftarrow I V C . K (p p, F)$ . Suppose the prover $P$ and verifier $V$ are provided an instance $(i, z_{0}, z_{i})$ . We construct a zkSNARK that allows the prover to show that it knows an IVC proof $Π_{i}$ such that $I V C . V (v k, i, z_{0}, z_{i}, Π_{i}) = 1$ .
考虑一个多项式时间可计算函数 F。假设 $p p \leftarrow I V C . G (1^{λ})$ 和 $(p k, v k) \leftarrow I V C . K (p p, F)$ 。假设证明者 $P$ 和验证者 $V$ 被提供了一个实例 $(i, z_{0}, z_{i})$ 。我们构建一个零知识证明系统 zkSNARK，允许证明者展示它知道一个 IVC 证明 $Π_{i}$ ，使得 $I V C . V (v k, i, z_{0}, z_{i}, Π_{i}) = 1$ 。

In a nutshell, we leverage the fact that $Π$ is two committed relaxed R1CS instance-witness pairs. So, $P$ first folds instance-witness pairs $(u, w)$ and $(U, W)$ to produce a folded instance-witness pair $(U^{'}, W^{'})$ , using $N I F S . P$ . Next, $P$ runs $z k S N A R K . P$ to prove that it knows a valid witness for $U^{'}$ . In more detail, for polynomial-time computable function F and corresponding function $F^{'}$ as defined in Construction 3 (and instantiated with $h a s h$ ), we define $(G, K, P, V)$ as follows.
总的来说，我们利用了 $Π$ 是两个承诺的松弛 R1CS 实例-见证对的事实。因此， $P$ 首先将实例-见证对 $(u, w)$ 和 $(U, W)$ 折叠成折叠后的实例-见证对 $(U^{'}, W^{'})$ ，使用 $N I F S . P$ 。接下来， $P$ 运行 $z k S N A R K . P$ 来证明它知道 $U^{'}$ 的有效见证。更详细地说，对于多项式时间内可计算函数 F 及其在构造 3 中定义的对应函数 $F^{'}$ （并使用 $h a s h$ 实例化），我们如下定义 $(G, K, P, V)$ 。

$\underline{G (1^{λ}) \to p p}$ :

(1)
Compute ${p p}_{N I F S} \leftarrow N I F S . G (1^{λ})$ 计算 ${p p}_{N I F S} \leftarrow N I F S . G (1^{λ})$
(2)
Compute ${p p}_{z k S N A R K} \leftarrow z k S N A R K . G (1^{λ})$ 计算 ${p p}_{z k S N A R K} \leftarrow z k S N A R K . G (1^{λ})$
(3)
Output $({p p}_{N I F S}, {p p}_{z k S N A R K})$ 输出 $({p p}_{N I F S}, {p p}_{z k S N A R K})$

$\underline{K (p p, F) \to (p k, v k)}$ :

(1)
Compute $({p k}_{N I F S}, {v k}_{N I F S}) \leftarrow N I F S . K (p p . {p p}_{N I F S}, s_{F^{'}})$ .计算 $({p k}_{N I F S}, {v k}_{N I F S}) \leftarrow N I F S . K (p p . {p p}_{N I F S}, s_{F^{'}})$ .
(2)
Compute $({p k}_{z k S N A R K}, {v k}_{z k S N A R K}) \leftarrow z k S N A R K . K (p p . {p p}_{z k S N A R K}, s_{F^{'}})$ .计算 $({p k}_{z k S N A R K}, {v k}_{z k S N A R K}) \leftarrow z k S N A R K . K (p p . {p p}_{z k S N A R K}, s_{F^{'}})$ .
(3)
Output $(({p k}_{N I F S}, {p k}_{z k S N A R K}), ({v k}_{N I F S}, {v k}_{z k S N A R K}))$ .输出 $(({p k}_{N I F S}, {p k}_{z k S N A R K}), ({v k}_{N I F S}, {v k}_{z k S N A R K}))$ .

$\underline{P (p k, (i, z_{0}, z_{i}), Π) \to π}$ :

If i is 0, output $⊥$ ;
如果 i 为 0，输出 $⊥$ ;

otherwise, 否则，

(1)
parse $Π$ as $((U, W), (u, w))$
解析 $Π$ 为 $((U, W), (u, w))$
(2)
compute $(U^{'}, W^{'}, \bar{T}) \leftarrow N I F S . P ({p k}_{N I F S}, (U, W), (u, w))$ 计算 $(U^{'}, W^{'}, \bar{T}) \leftarrow N I F S . P ({p k}_{N I F S}, (U, W), (u, w))$
(3)
compute $π_{U^{'}} \leftarrow z k S N A R K . P ({p k}_{z k S N A R K}, U^{'}, W^{'})$ 计算 $π_{U^{'}} \leftarrow z k S N A R K . P ({p k}_{z k S N A R K}, U^{'}, W^{'})$
(4)
output $(U, u, \bar{T}, π_{U^{'}})$ .输出 $(U, u, \bar{T}, π_{U^{'}})$ .

$\underline{V (v k, (i, z_{0}, z_{i}), π) \to {0, 1}}$ :

If i is 0, check that $z_{0} = z_{i}$ ;
如果 i 为 0，检查 $z_{0} = z_{i}$ ；

otherwise, 否则，

(1)
parse $π$ as $(U, u, \bar{T}, π_{U^{'}})$ ,
解析 $π$ 为 $(U, u, \bar{T}, π_{U^{'}})$ ，
(2)
check that $u . x = h a s h ({v k}_{N I F S}, i, z_{0}, z_{i}, U)$ ,
检查 $u . x = h a s h ({v k}_{N I F S}, i, z_{0}, z_{i}, U)$ ，
(3)
check that $(u . \bar{E}, u . u) = (u_{⊥} . \bar{E}, 1)$ ,
检查 $(u . \bar{E}, u . u) = (u_{⊥} . \bar{E}, 1)$ ，
(4)
compute $U^{'} \leftarrow N I F S . V ({v k}_{N I F S}, U, u, \bar{T})$ , and
计算 $U^{'} \leftarrow N I F S . V ({v k}_{N I F S}, U, u, \bar{T})$ ，和
(5)
check that $z k S N A R K . V ({v k}_{z k S N A R K}, U^{'}, π_{U^{'}}) = 1$ .
检查 $z k S N A R K . V ({v k}_{z k S N A R K}, U^{'}, π_{U^{'}}) = 1$ 。

Theorem 4定理 4

Construction 4 is a zkSNARK of a valid IVC proof produced by Construction 3.
构造 4 是构造 3 产生的有效 IVC 证明的 zkSNARK。

Proof Intuition. Completeness and knowledge soundness hold due to the completeness and knowledge soundness of the underlying zkSNARK and the non-interactive folding scheme. Assuming the non-interactive folding scheme satisfies succinctness (e.g., by using the Pedersen commitment scheme), succinctness holds due to the fact that $u$ , $U$ , and $\bar{T}$ are succinct, and due to the succinctness of the underling zkSNARK.
证明直觉。完备性和知识一致性由底层 zkSNARK 和非交互折叠方案的性质保证。假设非交互折叠方案满足简洁性（例如，通过使用 Pedersen 承诺方案），由于 $u$ ， $U$ ，和 $\bar{T}$ 的简洁性以及底层 zkSNARK 的简洁性，简洁性得以保持。

To prove zero-knowledge, we construct a simulator $S$ that first iteratively simulates $(U_{i}, u_{i})$ for all $i \in {1, \dots, n}$ . Specifically, given a simulated proof $(U_{i}, u_{i})$ , $S$ first uses the simulator of the non-interactive folding scheme to simulate ${\bar{T}}_{i}$ . $S$ then folds $U_{i}$ and $u_{i}$ using ${\bar{T}}_{i}$ to produce $U_{i + 1}$ . $S$ simulates $u_{i}$ using the observation that all terms are randomized. In the final round, $S$ folds $u_{n}$ and $U_{n}$ (again using a simulated ${\bar{T}}_{n}$ ) to produce an instance $U^{'}$ , and then uses the simulator of the zkSNARK to produce $π_{U^{'}}$ . $S$ outputs $(U_{n}, u_{n}, {\bar{T}}_{n}, π_{U^{'}})$ . We provide a formal proof in [30, App. D]. $◻$
为了证明零知识，我们构建了一个模拟器 $S$ ，它首先迭代模拟 $(U_{i}, u_{i})$ 对于所有 $i \in {1, \dots, n}$ 。具体来说，给定一个模拟证明 $(U_{i}, u_{i})$ ， $S$ 首先使用非交互折叠方案的模拟器来模拟 ${\bar{T}}_{i}$ 。 $S$ 然后使用 ${\bar{T}}_{i}$ 将 $U_{i}$ 和 $u_{i}$ 折叠，以产生 $U_{i + 1}$ 。 $S$ 利用所有项都是随机化的观察来模拟 $u_{i}$ 。在最后一轮， $S$ 使用模拟的 ${\bar{T}}_{n}$ 将 $u_{n}$ 和 $U_{n}$ 折叠（再次使用模拟），以产生一个实例 $U^{'}$ ，然后使用 zkSNARK 的模拟器来产生 $π_{U^{'}}$ 。 $S$ 输出 $(U_{n}, u_{n}, {\bar{T}}_{n}, π_{U^{'}})$ 。我们在 [30, 附录 D] 中提供了形式化的证明。 $◻$

6 A zkSNARK for Committed Relaxed R1CS
6 一个针对 Committed Relaxed R1CS 的 zkSNARK

As described in Sect. 5.2, Nova needs a zkSNARK for committed relaxed R1CS to prove the knowledge of a valid IVC proof succinctly and in zero-knowledge. This section presents such a zkSNARK by adapting Spartan [38]. We build on Spartan [38] to avoid FFTs and a trusted setup.
如第 5.2 节所述，Nova 需要一个 zkSNARK 来证明对有效的 IVC 证明知识的简洁且零知识证明。本节通过适配 Spartan [38]提出了这样一个 zkSNARK。我们基于 Spartan [38]构建，以避免 FFT 和可信设置。

6.1 Background6.1 背景

We assume familiarity with polynomials. We provide background in [30, App. G].
我们假设读者熟悉多项式。我们提供了背景信息在[30，附录 G]。

Definition 13 (Polynomial Extension)
定义 13（多项式扩展）

Suppose $f : {0, 1}^{ℓ} \to F$ is a function that maps $ℓ$ -bit strings to an element of $F$ . A polynomial extension of f is a low-degree $ℓ$ -variate polynomial $\tilde{f} : F^{ℓ} \to F$ such that $\tilde{f} (x) = f (x)$ for all $x \in {0, 1}^{ℓ}$ . A multilinear extension (MLE) of a function $f : {0, 1}^{ℓ} \to F$ is a low-degree polynomial extension where the extension is a multilinear polynomial.
假设 $f : {0, 1}^{ℓ} \to F$ 是一个将 $ℓ$ 位字符串映射到 $F$ 中一个元素的函数。f 的多项式扩展是一个低度数的 $ℓ$ 变元多项式 $\tilde{f} : F^{ℓ} \to F$ ，使得对于所有 $\tilde{f} (x) = f (x)$ 。一个函数 $f : {0, 1}^{ℓ} \to F$ 的多线性扩展（MLE）是一个低度数的多项式扩展，其中扩展是一个多线性多项式。

Every function $f : {0, 1}^{ℓ} \to F$ has a unique MLE, and conversely every $ℓ$ -variate multilinear polynomial over $F$ extends a unique function mapping ${0, 1}^{ℓ} \to F$ . Below, we use $\tilde{f}$ to denote the unique MLE of f.
每个函数 $f : {0, 1}^{ℓ} \to F$ 都有一个唯一的最大似然估计（MLE），反之，每个 $ℓ$ -变元的关于 $F$ 的多元线性多项式都扩展了一个唯一的函数映射 ${0, 1}^{ℓ} \to F$ 。下面，我们用 $\tilde{f}$ 来表示 f 的唯一 MLE。

Lemma 5引理 5

(The Sum-Check Protocol [35]). For $ℓ$ -variate polynomial G over $F$ with degree at most $μ$ in each variable, there exists a public-coin interactive proof protocol (known as the sum-check protocol) to reduce the task of checking $\sum_{x \in {0, 1}^{ℓ}} G (x) = T$ to the task of checking $G (r) = e$ for $r \in F^{ℓ}$ . The interaction consists of a total of $ℓ$ rounds, where in each round the verifier sends a single element of $F$ and the prover responds with $μ + 1$ elements of $F$ .
（Sum-Check 协议 [35]）。对于在 $F$ 上定义的、每个变量次数最多为 $μ$ 的 -变元多项式 G，存在一个公共币交互式证明协议（称为求和校验协议），将检查 $\sum_{x \in {0, 1}^{ℓ}} G (x) = T$ 的任务降低为检查 $G (r) = e$ 对于 $r \in F^{ℓ}$ 的任务。交互包括总共 $ℓ$ 轮，其中在每个轮次中，验证者发送 $F$ 的单个元素，而证明者响应 $μ + 1$ 个 $F$ 的元素。

6.2 A Polynomial IOP for Idealized Relaxed R1CS
6.2 理想化松弛 R1CS 的多项式 IOP

Our exposition below is based on Spartan [38] and its recent recapitulation [34]. The theorem below and its proof is a verbatim adaptation of Spartan’s polynomial IOP for R1CS to relaxed R1CS.
以下阐述基于 Spartan [38]及其近期概述[34]。下面的定理及其证明是对 Spartan 的 R1CS 多项式 IOP 的逐字改编，以适应放宽的 R1CS。

Recall that an interactive proof (IP) [25] for a relation $R$ is an interactive protocol between a prover and a verifier where the prover proves the knowledge of a witness w for a prescribed instance u such that $(u, w) \in R$ . An interactive oracle proof (IOP) [5, 37] generalizes interactive proofs where in each round the prover may send an oracle (e.g., a string) and the verifier may query a previously-sent oracle during the remainder of the protocol. A polynomial IOP [17] is an IOP in which the oracle sent by the prover is a polynomial and the verifier may query for an evaluation of the polynomial at a point in its domain. We consider a (minor) variant of polynomial IOPs, where the verifier has oracle access to polynomials in the R1CS structure and instance.
回忆一下，对于关系 $R$ 的交互式证明（IP）[25]是一个证明者和验证者之间的交互协议，其中证明者证明了对一个规定的实例 u 的见证 w 的知识，使得 $(u, w) \in R$ 。交互式预言机证明（IOP）[5, 37]泛化了交互式证明，其中在每个回合中，证明者可以发送一个预言机（例如，一个字符串），验证者可以在协议剩余时间内查询之前发送的预言机。多项式 IOP [17]是一种 IOP，其中证明者发送的预言机是一个多项式，验证者可以查询多项式在其定义域中的某个点的值。我们考虑多项式 IOPs 的一个（较小的）变体，其中验证者可以访问 R1CS 结构和实例中的多项式预言机。

We first construct a polynomial IOP for an idealized version of relaxed R1CS (Definition 14) where the instance contains a purported witness. We then compile it into a zkSNARK for committed relaxed R1CS (Definition 12).
首先，我们为理想化的宽松 R1CS（定义 14）构建一个多项式 IOP，其中实例包含一个所谓的证人。然后，我们将它编译成针对承诺宽松 R1CS（定义 12）的 zkSNARK。

Definition 14 (Idealized Relaxed R1CS)
定义 14（理想化宽松 R1CS）

Consider a finite field $F$ . Let the public parameters consist of size bounds $m, n, ℓ \in N$ where $m > ℓ$ . The idealized relaxed R1CS structure consists of sparse matrices $A, B, C \in F^{m \times m}$ with at most $n = Ω (m)$ non-zero entries in each matrix. A idealized relaxed R1CS instance consists of an error vector $E \in F^{m}$ , a scalar $u \in F$ , witness vector $W \in F^{m}$ , and public inputs and outputs $x \in F^{ℓ}$ . An instance $(E, u, W, x)$ is satisfying if $(A \cdot Z) \circ (B \cdot Z) = u \cdot (C \cdot Z) + E$ , where $Z = (W, x, u)$ .
考虑一个有限域 $F$ 。公参数由大小界限 $m, n, ℓ \in N$ 组成，其中 $m > ℓ$ 。理想化的松弛 R1CS 结构由稀疏矩阵 $A, B, C \in F^{m \times m}$ 组成，每个矩阵中最多有 $n = Ω (m)$ 个非零项。一个理想化的松弛 R1CS 实例由一个错误向量 $E \in F^{m}$ ，一个标量 $u \in F$ ，一个见证向量 $W \in F^{m}$ ，以及公输入和输出 $x \in F^{ℓ}$ 组成。一个实例 $(E, u, W, x)$ 如果 $(A \cdot Z) \circ (B \cdot Z) = u \cdot (C \cdot Z) + E$ ，则满足，其中 $Z = (W, x, u)$ 。

Construction 5建设 5

(Polynomial IOP for Idealized Relaxed R1CS). Consider an idealized relaxed R1CS statement $φ$ consisting of public parameters $(m, n, ℓ)$ , structure (A, B, C), and instance $(E, u, W, x)$ , Without loss of generality, we assume that m and n are powers of 2 and that $m = 2 \cdot (ℓ + 1)$ .
(多项式 IOP 的理想化松弛 R1CS)。考虑一个由公共参数 $(m, n, ℓ)$ 、结构(A, B, C)和实例 $(E, u, W, x)$ 组成的理想化松弛 R1CS 语句 $φ$ ，不失一般性，我们假设 m 和 n 是 2 的幂，并且 $m = 2 \cdot (ℓ + 1)$ 。

Let $s = \log m$ . We interpret the matrices A, B, C as functions with signature ${0, 1}^{\log m} \times {0, 1}^{\log m} \to F$ in a natural manner. In particular, an input in ${0, 1}^{\log m} \times {0, 1}^{\log m}$ is interpreted as the binary representation of an index $(i, j) \in [m] \times [m]$ , where $[m] : = {1, \dots, m}$ and the function outputs (i, j)th entry of the matrix. As such, let $\tilde{A}$ , $\tilde{B}$ , and $\tilde{C}$ denote multilinear extensions of A, B, and C interpreted as functions, so they are $2 \log m$ -variate sparse multilinear polynomials of size n. Similarly, we interpret E and W as functions with respective signatures ${0, 1}^{\log m} \to F$ and ${0, 1}^{\log m - 1} \to F$ . Furthermore, let $\tilde{E}$ and $\tilde{W}$ denote the multilinear extensions of E and W interpreted as functions, so they are multilinear polynomials in $\log m$ and $\log m - 1$ variables respectively.
;; 将下一行文本作为纯文本输入，并将其翻译为简体中文，仅输出翻译。如果某些内容无需翻译（如专有名词、代码等），则保持原文不变。不要解释，输入文本: Let $s = \log m$ . 我们将矩阵 A、B、C 解释为具有签名 ${0, 1}^{\log m} \times {0, 1}^{\log m} \to F$ 的函数，以自然的方式。特别是，输入 ${0, 1}^{\log m} \times {0, 1}^{\log m}$ 被解释为索引 $(i, j) \in [m] \times [m]$ 的二进制表示，其中 $[m] : = {1, \dots, m}$ ，函数输出矩阵的第 (i, j) 个元素。因此，让 $\tilde{A}$ ， $\tilde{B}$ ，和 $\tilde{C}$ 表示 A、B 和 C 的多线性扩展，作为函数，它们是 n 维的 -变量稀疏多线性多项式。同样，我们将 E 和 W 解释为具有相应签名 ${0, 1}^{\log m} \to F$ 和 ${0, 1}^{\log m - 1} \to F$ 的函数。此外，让 $\tilde{E}$ 和 $\tilde{W}$ 表示 E 和 W 的多线性扩展，作为函数，它们分别是 $\log m$ 和 $\log m - 1$ 变量的多线性多项式。

As noted earlier, the verifier has an oracle access to the following polynomials: $\tilde{A}$ , $\tilde{B}$ , $\tilde{C}$ , $\tilde{E}$ , and $\tilde{W}$ . Additionally, the verifier reads u and $x$ in entirety.
如前所述，验证者有权访问以下多项式： $\tilde{A}$ ， $\tilde{B}$ ， $\tilde{C}$ ， $\tilde{E}$ ，以及 $\tilde{W}$ 。此外，验证者将 u 和 $x$ 完整读取。

Let $Z = (W, x, u)$ . Similar to how we interpret matrices as functions, we interpret Z and $(x, u)$ as functions with the following respective signatures: ${0, 1}^{s} \to F$ and ${0, 1}^{s - 1} \to F$ . Observe that the MLE $\tilde{Z}$ of Z satisfies
类似我们将矩阵解释为函数的方式，我们将 Z 和 $(x, u)$ 解释为具有以下相应签名的函数： ${0, 1}^{s} \to F$ 和 ${0, 1}^{s - 1} \to F$ 。观察 Z 的最大似然估计（MLE） $\tilde{Z}$ 满足

\begin{aligned} \tilde{Z} (X_{1}, \dots, X_{s}) = (1 - X_{1}) \cdot \tilde{W} (X_{2}, \dots, X_{s}) + X_{1} \cdot \tilde{(x, u)} (X_{2}, \dots, X_{s}) \end{aligned}

(1)

Similar to [38, Theorem 4.1], checking if $φ$ is satisfiable is equivalent, except for a soundness error of $\log m / | F |$ over the choice of $τ \in F^{s}$ , to checking if the following identity holds:
与[38, 定理 4.1]类似，检查 $φ$ 是否可满足等价于检查以下恒等式成立，除了在 $\log m / | F |$ 关于 $τ \in F^{s}$ 的选择上存在一个正确性错误：

\begin{aligned} 0 \overset{?}{=} \sum_{x \in {0, 1}^{s}} \tilde{e q} (τ, x) \cdot F (x), \end{aligned}

(2)

where哪里

\begin{aligned} F (x) = & (\sum_{y \in {0, 1}^{s}} \tilde{A} (x, y) \cdot \tilde{Z} (y)) \cdot (\sum_{y \in {0, 1}^{s}} \tilde{B} (x, y) \cdot \tilde{Z} (y)) \\ - (u \cdot \sum_{y \in {0, 1}^{s}} \tilde{C} (x, y) \cdot \tilde{Z} (y) + \tilde{E} (x)), \end{aligned}

and $\tilde{e q}$ is the multilinear extension of $e q : {0, 1}^{s} \times {0, 1}^{s} \to F$ where $e q (x, e) = 1$ if $x = e$ and 0 otherwise.

That is, if $φ$ is satisfiable, then Eq. (2) holds with probability 1 over the choice of $τ$ , and if not, then Eq. (2) holds with probability at most $O (\log m / | F |)$ over the random choice of $τ$ .

To compute the right-hand side in Eq. (2), the prover and the verifier apply the sum-check protocol to the following polynomial: $g (x) : = \tilde{e q} (τ, x) \cdot F (x)$ From the verifier’s perspective, this reduces the task of computing the right-hand side of Eq. (2) to the task of evaluating g at a random input $r_{x} \in F^{s}$ . Note that the verifier can locally evaluate $\tilde{e q} (τ, r_{x})$ in $O (\log m)$ field operations via $\tilde{e q} (τ, r_{x}) = \prod_{i = 1}^{s} (τ_{i} r_{x, i} + (1 - τ_{i}) (1 - r_{x, i}))$ . With $\tilde{e q} (τ, r_{x})$ in hand, $g (r_{x})$ can be computed in O(1) time given the four quantities: $\sum_{y \in {0, 1}^{s}} \tilde{A} (r_{x}, y) \cdot \tilde{Z} (y),$ $\sum_{y \in {0, 1}^{s}} \tilde{B} (r_{x}, y) \cdot \tilde{Z} (y),$ $\sum_{y \in {0, 1}^{s}} \tilde{C} (r_{x}, y) \cdot \tilde{Z} (y),$ and $\tilde{E} (r_{x}) .$
为了计算方程（2）的右侧，证明者和验证者应用求和校验协议于以下多项式： $g (x) : = \tilde{e q} (τ, x) \cdot F (x)$ 从验证者的角度来看，这把计算方程（2）右侧的任务简化为在随机输入 $r_{x} \in F^{s}$ 上评估 g 的任务。请注意，验证者可以通过 $\tilde{e q} (τ, r_{x})$ 在 $O (\log m)$ 域中本地评估 $\tilde{e q} (τ, r_{x}) = \prod_{i = 1}^{s} (τ_{i} r_{x, i} + (1 - τ_{i}) (1 - r_{x, i}))$ 。有了 $\tilde{e q} (τ, r_{x})$ ，在给定四个数量： $\sum_{y \in {0, 1}^{s}} \tilde{A} (r_{x}, y) \cdot \tilde{Z} (y),$ $\sum_{y \in {0, 1}^{s}} \tilde{B} (r_{x}, y) \cdot \tilde{Z} (y),$ $\sum_{y \in {0, 1}^{s}} \tilde{C} (r_{x}, y) \cdot \tilde{Z} (y),$ 和 $\tilde{E} (r_{x}) .$ 的情况下，可以在 O(1)时间内计算 $g (r_{x})$ 。

The last quantity can be computed with a single query to polynomial $\tilde{E}$ . Furthermore, the first three quantities can be computed by applying the sum-check protocol three more times in parallel, once to each of the following three polynomials (using the same random vector of field elements, $r_{y} \in F^{s}$ , in each of the three invocations): $\tilde{A} (r_{x}, y) \cdot \tilde{Z} (y),$ $\tilde{B} (r_{x}, y) \cdot \tilde{Z} (y),$ and $\tilde{C} (r_{x}, y) \cdot \tilde{Z} (y) .$
最后这个数量可以通过对多项式 $\tilde{E}$ 进行单次查询来计算。此外，前三个数量可以通过在三个多项式（使用相同的域元素随机向量 $r_{y} \in F^{s}$ 在三次调用中）上并行应用求和校验协议三次来计算： $\tilde{A} (r_{x}, y) \cdot \tilde{Z} (y),$ $\tilde{B} (r_{x}, y) \cdot \tilde{Z} (y),$ 和 $\tilde{C} (r_{x}, y) \cdot \tilde{Z} (y) .$ 。

To perform the verifier’s final check in each of these three invocations of the sum-check protocol, it suffices for the verifier to evaluate each of the above three polynomials at the random vector $r_{y}$ , which means it suffices for the verifier to evaluate $\tilde{A} (r_{x}, r_{y})$ , $\tilde{B} (r_{x}, r_{y})$ , $\tilde{C} (r_{x}, r_{y})$ , and $\tilde{Z} (r_{y})$ . The first three evaluations can be obtained via the verifier’s assumed query access to $(\tilde{A}, \tilde{B}, \tilde{C})$ . $\tilde{Z} (r_{y})$ can be computed (via Eq. (1)) from a query to $\tilde{W}$ and from computing $\tilde{(x, u)}$ .
执行这三个求和校验协议调用中的验证者最终检查，验证者只需评估上述三个多项式在随机向量 $r_{y}$ 上的每个，这意味着验证者只需评估 $\tilde{A} (r_{x}, r_{y})$ ， $\tilde{B} (r_{x}, r_{y})$ ， $\tilde{C} (r_{x}, r_{y})$ ，和 $\tilde{Z} (r_{y})$ 。前三个评估可以通过验证者对 $(\tilde{A}, \tilde{B}, \tilde{C})$ 的假设查询访问获得。 $\tilde{Z} (r_{y})$ 可以通过查询 $\tilde{W}$ 并计算 $\tilde{(x, u)}$ （通过公式（1））来获得。

In summary, we have the following polynomial IOP.
总结来说，我们有以下多项式 IOP。

1.
$V \to P$ : $τ \in_{R} F^{s}$
2.
$V \leftrightarrow P$ : run the sum-check protocol to reduce the check in Eq. (2) to checking if the following hold, where $r_{x}, r_{y}$ are vectors in $F^{s}$ chosen at random by the verifier over the course of the sum-check protocol:
$V \leftrightarrow P$ : 运行求和校验协议以将等式（2）中的校验简化为检查以下条件是否成立，其中 $r_{x}, r_{y}$ 是在求和校验协议过程中由验证者随机选择的 $F^{s}$ 中的向量：
- $\tilde{A} (r_{x}, r_{y}) \overset{?}{=} v_{A}$ , $\tilde{B} (r_{x}, r_{y}) \overset{?}{=} v_{B}$ , and $\tilde{C} (r_{x}, r_{y}) \overset{?}{=} v_{C}$ ;
  $\tilde{A} (r_{x}, r_{y}) \overset{?}{=} v_{A}$ ， $\tilde{B} (r_{x}, r_{y}) \overset{?}{=} v_{B}$ ，以及 $\tilde{C} (r_{x}, r_{y}) \overset{?}{=} v_{C}$ ；
- $\tilde{E} (r_{x}) \overset{?}{=} v_{E}$ ; and $\tilde{E} (r_{x}) \overset{?}{=} v_{E}$ ; 以及
- $\tilde{Z} (r_{y}) \overset{?}{=} v_{Z}$ .
3.
$V$ :
- check if $\tilde{A} (r_{x}, r_{y}) \overset{?}{=} v_{A}$ , $\tilde{B} (r_{x}, r_{y}) \overset{?}{=} v_{B}$ , and $\tilde{C} (r_{x}, r_{y}) \overset{?}{=} v_{C}$ , with a query to $\tilde{A}, \tilde{B}, \tilde{C}$ at $(r_{x}, r_{y})$ ;
  检查 $\tilde{A} (r_{x}, r_{y}) \overset{?}{=} v_{A}$ ， $\tilde{B} (r_{x}, r_{y}) \overset{?}{=} v_{B}$ ，以及 $\tilde{C} (r_{x}, r_{y}) \overset{?}{=} v_{C}$ ，在 $(r_{x}, r_{y})$ 处向 $\tilde{A}, \tilde{B}, \tilde{C}$ 发起查询；
- check if $\tilde{E} (r_{x}) \overset{?}{=} v_{E}$ with an oracle query to $\tilde{E}$ ; and
  检查是否使用预言机查询 $\tilde{E} (r_{x}) \overset{?}{=} v_{E}$ 到 $\tilde{E}$ ; 并
- check if $\tilde{Z} (r_{y}) \overset{?}{=} v_{Z}$ by checking if: $v_{Z} = (1 - r_{y} [1]) \cdot v_{W} + r_{y} [1] \cdot \tilde{(x, u)} (r_{y} [2..]),$ where $r_{y} [2..]$ refers to a slice of $r_{y}$ without the first element of $r_{y}$ , and $v_{W} \leftarrow \tilde{W} (r_{y} [2..])$ via an oracle query (see Eq. (1)).
  检查是否 $\tilde{Z} (r_{y}) \overset{?}{=} v_{Z}$ 通过检查： $v_{Z} = (1 - r_{y} [1]) \cdot v_{W} + r_{y} [1] \cdot \tilde{(x, u)} (r_{y} [2..]),$ 其中 $r_{y} [2..]$ 指的是 $r_{y}$ 的一个切片，不包含 $r_{y}$ 的第一个元素，以及通过预言机查询 $v_{W} \leftarrow \tilde{W} (r_{y} [2..])$ （见公式（1））。

Theorem 5定理 5

Construction 5 is a polynomial IOP for idealized relaxed R1CS defined over a finite field $F$ , with the following parameters, where m denotes the dimension of the R1CS matrices, and n denotes the number of non-zero entries in the matrices: Soundness error is $O (\log m) / | F |$ ; round complexity is $O (\log m)$ ; The verifier has query access to $2 \log m$ -variate multilinear polynomials $\tilde{A}, \tilde{B}, \tilde{C}$ in the structure, and $(\log m)$ -variate multilinear polynomial $\tilde{E}$ , and $(\log m - 1)$ -variate multilinear polynomial $\tilde{W}$ in the instance; the verifier issues a single query to polynomials $\tilde{A}$ , $\tilde{B}$ , $\tilde{C}$ , and $\tilde{W}$ , $\tilde{E}$ , and otherwise performs $O (\log m)$ operations over $F$ ; the prover performs O(n) operations over $F$ to compute its messages in the polynomial IOP and to respond to the verifier’s queries to $(\tilde{W}, \tilde{E}, \tilde{A}, \tilde{B}, \tilde{C})$ .
构造 5 是一个在有限域 $F$ 上定义的理想化松弛 R1CS 的多项式 IOP，具有以下参数，其中 m 表示 R1CS 矩阵的维度，n 表示矩阵中的非零项数：正确性错误是 $O (\log m) / | F |$ ；轮复杂度是 $O (\log m)$ ；验证者可以查询结构中的 $2 \log m$ -变元多线性多项式 $\tilde{A}, \tilde{B}, \tilde{C}$ ，以及实例中的 $(\log m)$ -变元多线性多项式 $\tilde{E}$ ，和 $(\log m - 1)$ -变元多线性多项式 $\tilde{W}$ ；验证者对多项式 $\tilde{A}$ ， $\tilde{B}$ ， $\tilde{C}$ ，和 $\tilde{W}$ ， $\tilde{E}$ 发起单个查询，否则在 $O (\log m)$ 上执行 $F$ 操作；证明者对 $F$ 执行 O(n)操作来计算其在多项式 IOP 中的消息并响应验证者的查询 $(\tilde{W}, \tilde{E}, \tilde{A}, \tilde{B}, \tilde{C})$ 。

Proof证明

Perfect completeness follows from perfect completeness of the sum-check protocol and the fact that Eq. (2) holds with probability 1 over the choice of $τ$ if $φ$ is satisfiable. Applying a standard union bound to the soundness error introduced by probabilistic check in Eq. (2) with the soundness error of the sum-check protocol [35], we conclude that the soundness error for the depicted polynomial IOP as at most $O (\log m) / | F |$ .
完美完备性源于求和校验协议的完美完备性以及等式（2）在概率 1 下对 $τ$ 的选择成立的事实，如果 $φ$ 是可满足的。将标准并集界限应用于等式（2）中由概率校验引入的可靠性错误以及求和校验协议的可靠性错误[35]，我们得出结论，所描述的多项式 IOP 的可靠性错误至多为 $O (\log m) / | F |$ 。

The sum-check protocol is applied four times (although three of the invocations occur in parallel and in practice combined into one [38]). In each invocation, the polynomial to which the sum-check protocol is applied has degree at most 3 in each variable, and the number of variables is $s = \log m$ . Hence, the round complexity of the polynomial IOP is $O (\log m)$ . Since each polynomial has degree at most 3 in each variable, the total communication cost is $O (\log m)$ field elements.
协议在四次（尽管三次调用是并行进行的，实际上合并为一次[38]）应用。在每次调用中，应用于求和校验协议的多项式的每个变量的次数最多为 3，变量的数量为 $s = \log m$ 。因此，多项式 IOP 的轮复杂度为 $O (\log m)$ 。由于每个多项式在每个变量上的次数最多为 3，总通信成本为 $O (\log m)$ 域元素。

The claimed verifier runtime is immediate from the verifier’s runtime in the sum-check protocol, and the fact that $\tilde{e q}$ can be evaluated at any input $(τ, r_{x}) \in F^{2 s}$ in $O (\log m)$ field operations. As in Spartan [38], the prover’s work in the polynomial IOP in O(n) operations over $F$ using prior techniques [42, 46]. $◻$
所声称的验证器运行时间是来自验证器运行时的即时性，以及 $\tilde{e q}$ 可以在 $O (\log m)$ 域操作中的任何输入 $(τ, r_{x}) \in F^{2 s}$ 处进行评估。正如在 Spartan [38]中，证明者在多项式 IOP 中使用先前技术[42, 46]在 $F$ 上进行 O(n)操作的工作。 $◻$

6.3 Compiling Polynomial IOPs to zkSNARKs
6.3 编译多项式 IOPs 到 zkSNARKs

As in prior works [17, 20, 38], we compile our polynomial IOP into a zkSNARK using a polynomial commitment scheme [28] and the Fiat-Shamir transform [22].
与先前的工作[17, 20, 38]一样，我们使用多项式承诺方案[28]和 Fiat-Shamir 变换[22]将我们的多项式 IOP 编译成 zkSNARK。

Interpreting Commitments to Vectors as Polynomial Commitments. It is well known that commitments to m-sized vectors over $F$ are commitments to $\log m$ -variate multilinear polynomials represented with evaluations over ${0, 1}^{m}$ [32, 38, 44, 47]. Furthermore, there is a polynomial commitment scheme for $\log m$ -variate multilinear polynomials if there exists an argument protocol to prove an inner product computation between a committed vector and an m-sized public vector $((r_{1}, 1 - r_{1}) \otimes \dots \otimes (r_{\log m}, 1 - r_{\log m}))$ , where $r \in F^{\log m}$ is an evaluation point. There are two candidate constructions in the literature. Note that the primary difference between two schemes is in the verifier’s time.
将向量的承诺解释为多项式承诺。众所周知，在 $F$ 上对 m 大小的向量的承诺是对 $\log m$ -变元的多元线性多项式的承诺，这些多项式通过在 ${0, 1}^{m}$ [ 32, 38, 44, 47]上的评估来表示。此外，如果存在一个论证协议来证明一个承诺的向量和 m 大小的公共向量 $\log m$ 之间的内积计算，那么就有一个多元线性多项式的多项式承诺方案。文献中有两种候选构造。请注意，两种方案之间的主要区别在于验证者的时间。

1.
${P C}_{B P}$ . If the commitment scheme for vectors over $F$ is Pedersen’s commitments, as in prior work [44], Bulletproofs [14] provides a suitable inner product argument protocol. The polynomial commitment scheme here achieves the following efficiency characteristics, assuming the hardness of the discrete logarithm problem. For a $\log m$ -variate multilinear polynomial, committing takes $O_{λ} (m)$ time to produce an $O_{λ} (1)$ -sized commitment; the prover incurs $O_{λ} (m)$ costs to produce an evaluation proof of size $O_{λ} (\log m)$ that can be verified in $O_{λ} (m)$ . Note that ${P C}_{B P}$ is a special case of Hyrax’s polynomial commitment scheme [44].
${P C}_{B P}$ 。如果向量在 $F$ 上的承诺方案是 Pedersen 的承诺，如先前工作 [44] 中所述，Bulletproofs [14] 提供了一个合适的内积论证协议。这里的多项式承诺方案实现了以下效率特性，假设离散对数问题的难度。对于一个 $\log m$ 变元的多元线性多项式，生成一个 $O_{λ} (1)$ 大小的承诺需要 $O_{λ} (m)$ 的时间；证明者产生一个大小为 $O_{λ} (\log m)$ 的评估证明，该证明可以在 $O_{λ} (m)$ 内被验证。请注意， ${P C}_{B P}$ 是 Hyrax 的多项式承诺方案 [44] 的一个特例。
2.
${P C}_{D o r y}$ . If vectors over $F$ are committed with a two-tiered “matrix” commitment (see for example, [18, 32]), which provides $O_{λ} (1)$ -sized commitments to m-sized vectors under the SXDH assumption. With this commitment scheme, Dory [32] provides the necessary inner product argument. The polynomial commitment here achieves the following efficiency characteristics, assuming the hardness of SXDH. For a $\log m$ -variate multilinear polynomial, committing takes $O_{λ} (m)$ time to produce an $O_{λ} (1)$ -sized commitment; the prover incurs $O_{λ} (m)$ costs to produce an evaluation proof of size $O_{λ} (\log m)$ that can be verified in $O_{λ} (\log m)$ .
${P C}_{D o r y}$ 。如果向量在 $F$ 上使用双层“矩阵”承诺（例如参见[ 18, 32]），这为 m 大小的向量提供了 $O_{λ} (1)$ 大小的承诺，基于 SXDH 假设。在这种承诺方案中，Dory [ 32] 提供了必要的内积论证。这里的多项式承诺在假设 SXDH 的困难性下实现了以下效率特性，对于一个 $\log m$ 变元的多元线性多项式，承诺需要 $O_{λ} (m)$ 的时间来生成一个 $O_{λ} (1)$ 大小的承诺；证明者产生一个大小为 $O_{λ} (\log m)$ 的评估证明，该证明可以在 $O_{λ} (\log m)$ 内被验证。

Polynomial Commitments for Sparse Multilinear Polynomials. In our constructions below, we require polynomial commitment schemes that can efficiently handle sparse multilinear polynomials. Spartan [38, §7] (and its optimization [41, §6]) provides a generic compiler to transform existing polynomial commitment schemes for multilinear polynomials into those that can efficiently handle sparse multilinear polynomials. Specifically, we apply [34, Theorem 5]) (which captures Spartan’s compiler in a generic manner) to ${P C}_{B P}$ and ${P C}_{D o r y}$ to obtain their variants that can efficiently handle sparse multilinear polynomials; we refer to them as “Sparse- ${P C}_{B P}$ ” and “Sparse- ${P C}_{D o r y}$ ” respectively.
多项式承诺用于稀疏多线性多项式。在我们下面的构造中，我们需要能够高效处理稀疏多线性多项式的多项式承诺方案。Spartan [38, §7]（及其优化[41, §6]）提供了一个通用的编译器，可以将现有的多线性多项式多项式承诺方案转换为能够高效处理稀疏多线性多项式的方案。具体来说，我们将[34, 定理 5]（以通用方式捕捉 Spartan 编译器）应用于 ${P C}_{B P}$ 和 ${P C}_{D o r y}$ ，以获得它们各自的变体，这些变体可以高效处理稀疏多线性多项式；我们分别称它们为“Sparse- ${P C}_{B P}$ ”和“Sparse- ${P C}_{D o r y}$ ”。

Theorem 6定理 6

(A zkSNARK from ${P C}_{B P}$ ). Assuming the hardness of the discrete logarithm problem, there exists a zkSNARK in the random oracle model for committed relaxed R1CS with the following efficiency characteristics, where m denotes the dimensions of R1CS matrices and n denotes the number of non-zero entries in the matrices: The encoder runs in time $O_{λ} (n)$ ; The prover runs in time $O_{λ} (n)$ ; The proof length is $O_{λ} (\log n)$ ; and the verifier runs in time $O_{λ} (n)$ .^{Footnote 6}
(一个来自 ${P C}_{B P}$ 的 zkSNARK)。假设离散对数问题的难度，在随机预言模型中存在一个针对承诺放松 R1CS 的 zkSNARK，具有以下效率特性，其中 m 表示 R1CS 矩阵的维度，n 表示矩阵中的非零条目数：编码器运行时间为 $O_{λ} (n)$ ；验证者运行时间为 $O_{λ} (n)$ ；证明长度为 $O_{λ} (\log n)$ ；验证者运行时间为 $O_{λ} (n)$ 。 ^{Footnote 6}

Proof证明

For R1CS structure (A, B, C), we first have the encoder directly provide $(\tilde{A}, \tilde{B}, \tilde{C})$ in the prover key, and additionally provide sparse polynomial commitments to $\tilde{A}, \tilde{B}, \tilde{C}$ using Sparse- ${P C}_{B P}$ in both the prover and verifier keys. Next, we apply the compiler of [17] using ${P C}_{B P}$ to the polynomial IOP from Construction 5. At a high level, this replaces all of the oracles provided to the verifier with ${P C}_{B P}$ commitments, which the prover and verifier then use to simulate ideal queries to a committed oracle. By [17, Theorem 6] this provides a public-coin honest-verifier zero-knowledge interactive argument of knowledge. In particular, we can treat the resulting protocol as an argument for committed relaxed R1CS because the verifier is now provided with (polynomial) commitments to E and W. Applying the Fiat-Shamir transform [22] achieves non-interactivity and zero-knowledge in the random oracle model.
对于 R1CS 结构（A，B，C），我们首先在验证者密钥中让编码器直接提供 $(\tilde{A}, \tilde{B}, \tilde{C})$ ，并在验证者和验证者密钥中额外使用 Sparse- ${P C}_{B P}$ 对 $\tilde{A}, \tilde{B}, \tilde{C}$ 提供稀疏多项式承诺。接下来，我们使用[17]中的 ${P C}_{B P}$ 编译器对构造 5 中的多项式 IOP 进行编译。从高层次来看，这用 ${P C}_{B P}$ 承诺替换了提供给验证者的所有预言机，验证者和验证者随后使用这些承诺来模拟对已提交预言机的理想查询。根据[17，定理 6]，这提供了一个公钥诚实验证者零知识交互论证。特别是，我们可以将生成的协议视为对提交放松 R1CS 的论证，因为验证者现在提供了对 E 和 W 的（多项式）承诺。应用 Fiat-Shamir 变换[22]在随机预言机模型中实现了非交互性和零知识。

The claimed efficiency follows from the efficiency of the polynomial IOP, ${P C}_{B P}$ , and Sparse- ${P C}_{B P}$ . In more detail, using Sparse- ${P C}_{B P}$ , the encoder takes $O_{λ} (n)$ time to create commitments $2 \log m$ -variate sparse multilinear polynomials $\tilde{A}, \tilde{B}, \tilde{C}$ . The prover’s costs in the polynomial IOP is O(n). Furthermore, proving the evaluations of two $O (\log m)$ -variate multilinear polynomials using ${P C}_{B P}$ , it takes $O_{λ} (m)$ time. And, to prove the evaluations of three $2 \log m$ -variate sparse multilinear polynomials of size n, using Sparse- ${P C}_{B P}$ , it takes $O_{λ} (n)$ time. In total, the prover time is $O_{λ} (n)$ . The proof length in the polynomial IOP is $O (\log m)$ , and the proof sizes in the polynomial evaluation proofs is $O_{λ} (\log n)$ , so the proof length is $O_{λ} (\log n)$ . The verifier’s time in the polynomial IOP is $O (\log m)$ . In addition, it verifies five polynomial evaluations, which costs $O_{λ} (n)$ time: the two polynomial in the instance take $O_{λ} (m)$ time using ${P C}_{B P}$ , and the three polynomials in the structure takes $O_{λ} (n)$ time using Sparse- ${P C}_{B P}$ . So, in total, the verifier time is $O_{λ} (n)$ . $◻$
所声称的效率来源于多项式 IOP 的效率， ${P C}_{B P}$ ，以及 Sparse- ${P C}_{B P}$ 。更详细地说，使用 Sparse- ${P C}_{B P}$ ，编码器需要 $O_{λ} (n)$ 时间来创建承诺 $2 \log m$ -变元的稀疏多线性多项式 $\tilde{A}, \tilde{B}, \tilde{C}$ 。在多项式 IOP 中，证明者的成本是 O(n)。此外，使用 ${P C}_{B P}$ 证明两个 $O (\log m)$ -变元多线性多项式的评估需要 $O_{λ} (m)$ 时间。而且，要证明大小为 n 的三个 $2 \log m$ -变元稀疏多线性多项式的评估，使用 Sparse- ${P C}_{B P}$ ，需要 $O_{λ} (n)$ 时间。总而言之，证明者的时间是 $O_{λ} (n)$ 。在多项式 IOP 中的证明长度是 $O (\log m)$ ，多项式评估证明中的证明大小是 $O_{λ} (\log n)$ ，因此证明长度是 $O_{λ} (\log n)$ 。在多项式 IOP 中，验证者的时间是 $O (\log m)$ 。此外，它验证了五个多项式评估，这需要 $O_{λ} (n)$ 时间：实例中的两个多项式使用 ${P C}_{B P}$ 需要 $O_{λ} (m)$ 时间，结构中的三个多项式使用 Sparse- ${P C}_{B P}$ 需要 $O_{λ} (n)$ 时间。因此，验证者的总时间是 $O_{λ} (n)$ 。 $◻$

Corollary 1推论 1

(A zkSNARK from ${P C}_{D o r y}$ ). Assuming the hardness of the SXDH problem, there exists a zkSNARK in the random oracle model for committed relaxed R1CS with the following efficiency characteristics, where m denotes the dimensions of R1CS matrices and n denotes the number of non-zero entries in the matrices: The encoder runs in time $O_{λ} (n)$ ; The prover runs in time $O_{λ} (n)$ ; The proof length is $O_{λ} (\log n)$ ; and the verifier runs in time $O_{λ} (\log n)$ .
(一个来自 ${P C}_{D o r y}$ 的 zkSNARK)。假设 SXDH 问题的难度，在随机预言模型中存在一个针对承诺放松 R1CS 的 zkSNARK，具有以下效率特性，其中 m 表示 R1CS 矩阵的维度，n 表示矩阵中的非零条目数：编码器运行时间为 $O_{λ} (n)$ ；验证者运行时间为 $O_{λ} (n)$ ；证明长度为 $O_{λ} (\log n)$ ；验证者运行时间为 $O_{λ} (\log n)$ 。

Notes备注

1.
This work realizes IVC using our folding scheme. As IVC implies SNARKs (e.g., see [6]), one might wonder whether folding schemes are in general weaker than SNARKs. However, existing constructions of IVC (including our own) rely on additional assumptions (§4.2), which the resulting IVC-based SNARK inherits.
这项工作实现了使用我们的折叠方案进行 IVC。由于 IVC 暗示了 SNARKs（例如，参见[6]），人们可能会想知道折叠方案是否在一般情况下比 SNARKs 更弱。然而，现有的 IVC 构造（包括我们自己的）依赖于额外的假设（§4.2），这些假设被基于 IVC 的 SNARK 所继承。
2.
An argument of knowledge for circuit satisfiability enables an untrusted polynomial-time prover to prove to a verifier the knowledge of a witness w such that $C (w, x) = y$ , where $C$ is a circuit, x is some public input, and y is some public output.
知识论证用于电路可满足性，使一个不可信的多项式时间证明者能够向验证者证明其知道一个见证 w，使得 $C (w, x) = y$ ，其中 $C$ 是电路，x 是某些公开输入，y 是某些公开输出。
3.
If the prover produces a compressed IVC proof every $\approx$ 24 steps, the prover incurs at most $2 \times$ overhead to compress IVC proofs. Similarly, if the prover compresses its IVC proof every $\approx$ 240 steps, the overhead drops to $\approx$ 20%.
如果验证者每 24 步产生一个压缩的 IVC 证明，验证者最多产生 $2 \times$ 的开销来压缩 IVC 证明。同样地，如果验证者每 240 步压缩其 IVC 证明，开销降至 $\approx$ 20%。
4.
R1CS is implicit in the QAPs formalism of GGPR [23], but it was made explicit in subsequent work [40]; they refer to it as a “constraint system in quadratic form”.
R1CS 隐含于 GGPR 的 QAPs 形式化中[23]，但在后续工作中被明确化[40]；他们将其称为“二次形式的约束系统”。
5.
While, in theory, we can use any folding scheme for $N P$ , we specifically invoke our construction for committed relaxed R1CS for a simpler presentation.
虽然从理论上讲，我们可以为 $N P$ 使用任何折叠方案，但我们特别调用我们的构造方法，用于提交的宽松 R1CS，以实现更简单的展示。
6.
[30, App. H] describes a minor optimization and a corresponding Corollary.
[30, 附录 H]描述了一个小的优化及其相应的推论。

References参考

bellperson. https://github.com/filecoin-project/bellperson
neptune. https://github.com/filecoin-project/neptune
海王星. https://github.com/filecoin-project/neptune
Nova: Recursive SNARKs without trusted setup. https://github.com/Microsoft/Nova
Nova：无需信任设置的递归 SNARKs。https://github.com/Microsoft/Nova
Pasta curves. https://github.com/zcash/pasta
意大利面曲线。https://github.com/zcash/pasta
Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive Oracle Proofs. In: TCC (2016)
本-萨松，E.，切萨，A.，斯波纳，N.：交互式预言机证明。在：TCC（2016）
Google Scholar谷歌学术
Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Scalable zero knowledge via cycles of elliptic curves. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 276–294. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_16
Chapter第十章 Google Scholar谷歌学术
Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: ITCS (2012)
比特安斯基，N.，卡内蒂，R.，切西亚，A.，特罗梅尔，E.：从可提取的抗碰撞抵抗到简洁的非交互式知识论证，再回到抗碰撞抵抗。在：ITCS（2012）
Google Scholar谷歌学术
Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: Recursive composition and bootstrapping for SNARKs and proof-carrying data. In: STOC (2013)
比特安斯基，N.，卡内蒂，R.，切西亚，A.，特罗梅尔，E.：SNARKs 和携带证明数据的递归组合与自举。在：STOC（2013）
Google Scholar谷歌学术
Boneh, D., Bünz, B., Fisch, B.: A survey of two verifiable delay functions. Cryptology ePrint Archive, Report 2018/712 (2018)
Boneh, D., Bünz, B., Fisch, B.: 两次可验证延迟函数综述。密码学电子档案，报告 2018/712（2018）
Google Scholar谷歌学术
Boneh, D., Drake, J., Fisch, B., Gabizon, A.: Halo infinite: recursive zk-SNARKs from any additive polynomial commitment scheme. Cryptology ePrint Archive, Report 2020/1536 (2020)
Boneh, D., Drake, J., Fisch, B., Gabizon, A.: 霍洛无限：从任何加法多项式承诺方案中递归 zk-SNARKs。密码学电子档案，报告 2020/1536（2020）
Google Scholar谷歌学术
Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12
Chapter第十章 MATH数学 Google Scholar谷歌学术
Bowe, S., Grigg, J., Hopwood, D.: Halo: recursive proof composition without a trusted setup. Cryptology ePrint Archive, Report 2019/1021 (2019)
鲍，S.，格里格，J.，霍普伍德，D.：Halo：无需可信设置的递归证明组合。密码学电子档案，报告 2019/1021（2019）
Google Scholar谷歌学术
Bowe, S., Grigg, J., Hopwood, D.: Halo2 (2020). https://github.com/zcash/halo2
Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: S &P (2018)
Bünz, B.，Bootle, J.，Boneh, D.，Poelstra, A.，Wuille, P.，Maxwell, G.：Bulletproofs：用于机密交易的简短证明及更多。在：S &P（2018）
Google Scholar谷歌学术
Bünz, B., Chiesa, A., Lin, W., Mishra, P., Spooner, N.: Proof-carrying data without succinct arguments. Cryptology ePrint Archive, Report 2020/1618 (2020)
Google Scholar
Bünz, B., Chiesa, A., Mishra, P., Spooner, N.: Proof-carrying data from accumulation schemes. In: TCC (2020)
Bünz, B.，Chiesa, A.，Mishra, P.，Spooner, N.：从累积方案中携带证明的数据。在：TCC（2020）
Google Scholar谷歌学术
Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 677–706. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_24
Chapter第十章 Google Scholar谷歌学术
Bünz, B., Maller, M., Mishra, P., Vesely, N.: Proofs for inner pairing products and applications. Cryptology ePrint Archive, Report 2019/1177 (2019)
Bünz, B.，Maller, M.，Mishra, P.，Vesely, N.：内配对积的证明及其应用。密码学电子档案，报告 2019/1177（2019）
Google Scholar谷歌学术
Chen, W., Chiesa, A., Dauterman, E., Ward, N.P.: Reducing participation costs via incremental verification for ledger systems. Cryptology ePrint Archive, Report 2020/1522 (2020)
陈，W.，切萨，A.，道特曼，E.，沃德，N.P.：通过增量验证降低账本系统的参与成本。密码学电子档案，报告 2020/1522（2020）
Google Scholar谷歌学术
Chiesa, A., Hu, Y., Maller, M., Mishra, P., Vesely, N., Ward, N.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 738–768. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_26
Chapter第十章 Google Scholar谷歌学术
Chiesa, A., Ojha, D., Spooner, N.: Fractal: post-quantum and transparent recursive proofs from holography. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 769–793. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_27
Chapter第十章 Google Scholar谷歌学术
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Chapter第十章 Google Scholar谷歌学术
Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37
Chapter第十章 Google Scholar谷歌学术
Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: STOC, pp. 99–108 (2011)
Gentry, C.，Wichs, D.：将简洁的非交互式论证与所有可证伪假设分离。在：STOC，第 99-108 页（2011 年）
Google Scholar谷歌学术
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems. In: STOC (1985)
Goldwasser, S., Micali, S., Rackoff, C.：交互式证明系统的知识复杂性。在：STOC（1985）
Google Scholar谷歌学术
Grassi, L., Khovratovich, D., Rechberger, C., Roy, A., Schofnegger, M.: Poseidon: a new hash function for zero-knowledge proof systems. Cryptology ePrint Archive, Paper 2019/458 (2019)
Grassi, L.，Khovratovich, D.，Rechberger, C.，Roy, A.，Schofnegger, M.：Poseidon：一种用于零知识证明系统的新的哈希函数。密码学电子档案，论文 2019/458（2019）
Google Scholar谷歌学术
Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11
Chapter第十章 Google Scholar谷歌学术
Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: ASIACRYPT, pp. 177–194 (2010)
Kate, A.，Zaverucha, G.M.，Goldberg, I.：多项式常规模拟及其应用。在：ASIACRYPT，第 177-194 页（2010 年）
Google Scholar谷歌学术
Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: STOC (1992)
基利安，J.：关于高效零知识证明和论证的笔记（扩展摘要）。在：STOC（1992）
Google Scholar谷歌学术
Kothapalli, A., Setty, S., Tzialla, I.: Nova: recursive zero-knowledge arguments from folding schemes. Cryptology ePrint Archive, Paper 2021/370 (2021)
Kothapalli, A.，Setty, S.，Tzialla, I.：Nova：从折叠方案到递归零知识论证。密码学电子档案，论文 2021/370（2021）
Google Scholar谷歌学术
Labs, O.: Mina cryptocurrency (2020). https://minaprotocol.com
实验室，O.：Mina 加密货币（2020）。https://minaprotocol.com
Lee, J.: Dory: efficient, transparent arguments for generalised inner products and polynomial commitments. Cryptology ePrint Archive, Report 2020/1274 (2020)
李，J.：Dory：泛化内积和多项式承诺的高效、透明论证。密码学电子档案，报告 2020/1274（2020）
Google Scholar谷歌学术
Lee, J., Nikitin, K., Setty, S.: Replicated state machines without replicated execution. In: S &P (2020)
李，J.，尼基京，K.，塞蒂，S.：无需复制执行即可复制的状态机。在：S &P（2020）
Google Scholar谷歌学术
Lee, J., Setty, S., Thaler, J., Wahby, R.: Linear-time zero-knowledge SNARKs for R1CS. Cryptology ePrint Archive, Report 2021/030 (2021)
李，J.，塞蒂，S.，塞勒，J.，瓦希比，R.：线性时间零知识 SNARKs 用于 R1CS。密码学电子档案，报告 2021/030（2021）
Google Scholar谷歌学术
Lund, C., Fortnow, L., Karloff, H., Nisan, N.: Algebraic methods for interactive proof systems. In: FOCS (October 1990)
Lund, C., Fortnow, L., Karloff, H., Nisan, N.：交互式证明系统中的代数方法。在：FOCS（1990 年 10 月）
Google Scholar谷歌学术
Micali, S.: CS proofs. In: FOCS (1994)
米卡利，S.：CS 证明。在：FOCS（1994）
Google Scholar谷歌学术
Reingold, O., Rothblum, G.N., Rothblum, R.D.: Constant-round interactive proofs for delegating computation. In: STOC, pp. 49–62 (2016)
Reingold, O., Rothblum, G.N., Rothblum, R.D.：恒定轮次交互式证明用于委托计算。在：STOC，第 49-62 页（2016 年）
Google Scholar谷歌学术
Setty, S.: Spartan: efficient and general-purpose zkSNARKs without trusted setup. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 704–737. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_25
Chapter第十章 Google Scholar谷歌学术
Setty, S., Angel, S., Gupta, T., Lee, J.: Proving the correct execution of concurrent services in zero-knowledge. In: OSDI (October 2018)
Setty, S.，Angel, S.，Gupta, T.，Lee, J.：在零知识中证明并发服务的正确执行。在：OSDI（2018 年 10 月）
Google Scholar谷歌学术
Setty, S., Braun, B., Vu, V., Blumberg, A.J., Parno, B., Walfish, M.: Resolving the conflict between generality and plausibility in verified computation. In: EuroSys (April 2013)
Setty, S.，Braun, B.，Vu, V.，Blumberg, A.J.，Parno, B.，Walfish, M.：在验证计算中解决通用性和可信度之间的冲突。在：EuroSys（2013 年 4 月）
Google Scholar谷歌学术
Setty, S., Lee, J.: Quarks: quadruple-efficient transparent zkSNARKs. Cryptology ePrint Archive, Report 2020/1275 (2020)
Setty, S., Lee, J.: 四重高效透明 zkSNARKs：夸克。密码学电子档案，报告 2020/1275（2020）
Google Scholar谷歌学术
Thaler, J.: Time-optimal interactive proofs for circuit evaluation. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 71–89. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_5
Chapter第十章 Google Scholar谷歌学术
Valiant, P.: Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_1
Chapter第十章 MATH数学 Google Scholar谷歌学术
Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: S &P (2018)
瓦比，R.S.，齐亚拉，I.，谢拉特，A.，塔勒，J.，沃尔菲什，M.：无需信任设置的倍效率 zkSNARKs。在：S &P（2018）
Google Scholar谷歌学术
Wesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13
Chapter第十章 Google Scholar谷歌学术
Xie, T., Zhang, J., Zhang, Y., Papamanthou, C., Song, D.: Libra: succinct zero-knowledge proofs with optimal prover computation. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 733–764. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_24
Chapter第十章 Google Scholar谷歌学术
Zhang, Y., Genkin, D., Katz, J., Papadopoulos, D., Papamanthou, C.: vSQL: verifying arbitrary SQL queries over dynamic outsourced databases. In: S &P (2017)
Google Scholar

Download references

Author information

Authors and Affiliations

Carnegie Mellon University, Pittsburgh, USA
Abhiram Kothapalli
Microsoft Research, Redmond, USA
Srinath Setty
New York University, New York, USA
Ioanna Tzialla

Authors

Abhiram Kothapalli
View author publications
You can also search for this author in PubMed Google Scholar
Srinath Setty
View author publications
You can also search for this author in PubMed Google Scholar
Ioanna Tzialla
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Abhiram Kothapalli or Srinath Setty .

Editor information

Editors and Affiliations

New York University, New York, NY, USA
Yevgeniy Dodis
University of Florida, Gainesville, FL, USA
Thomas Shrimpton

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Kothapalli, A., Setty, S., Tzialla, I. (2022). Nova: Recursive Zero-Knowledge Arguments from Folding Schemes. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13510. Springer, Cham. https://doi.org/10.1007/978-3-031-15985-5_13
Kothapalli, A.，Setty, S.，Tzialla, I.（2022）。Nova：从折叠方案递归零知识论证。载于：Dodis, Y.，Shrimpton, T.（编者）. 密码学进展——CRYPTO 2022。CRYPTO 2022。计算机科学讲义，第 13510 卷。Springer，Cham。https://doi.org/10.1007/978-3-031-15985-5_13

Download citation下载引用

DOI: https://doi.org/10.1007/978-3-031-15985-5_13
Published发布: 11 October 20222022 年 10 月 11 日
Publisher Name发布者名称: Springer, Cham施普林格，昌姆
Print ISBN: 978-3-031-15984-8
Online ISBN: 978-3-031-15985-5
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us发布与我们

Policies and ethics政策和伦理

Societies and partnerships
社会与伙伴关系

International Association for Cryptologic Research
国际密码学研究协会 (opens in a new tab)

Search

Navigation

Nova: Recursive Zero-Knowledge Arguments from Folding Schemes诺瓦：折叠方案中的递归零知识论证

Abstract摘要

Similar content being viewed by others其他人正在查看类似内容

Snårkl: Somewhat Practical, Pretty Much Declarative Verifiable Computing in Haskell Snårkl：有点实用的，相当声明的可验证计算（在 Haskell 中）

Recursion Schemes in Coq 递归方案在 Coq 中

Incrementally Verifiable Computation via Incremental PCPs 增量可验证计算通过增量 PCPs

1 Introduction1 简介

1.1 Folding Schemes1.1 折叠方案

Remark 1 (Folding Schemes vs. SNARKs)备注 1（折叠方案与 SNARKs）

Theorem 1定理 1

1.2 IVC from Non-interactive Folding Schemes1.2 非交互折叠方案中的 1.2 IVC

Theorem 2定理 2

1.3 Implementation and Performance Evaluation1.3 实施与性能评估

1.4 A More Detailed Comparison with Prior Work1.4 与先前工作的更详细比较

1.5 An Overview of the Rest of the Paper1.5 论文其余部分的概述

2 Preliminaries2 前言

2.1 A Commitment Scheme for Vectors over F2.1 向量上的承诺方案

Definition 1 (A Commitment Scheme for Vectors)定义 1（向量承诺方案）

2.2 Non-interactive Arguments of Knowledge2.2 知识的非交互式参数

Definition 2 (Non-Interactive Argument of Knowledge)定义 2（非交互式知识论辩）

Definition 3 (Zero-Knowledge)定义 3（零知识）

Definition 4 (Succinctness)定义 4（简洁性）

2.3 Incrementally Verifiable Computation2.3 逐步可验证计算

Definition 5 (IVC)定义 5（IVC）

3 Folding Schemes3 折叠方案

Definition 6 (Folding Scheme)定义 6（折叠方案）

Definition 7 (Non-Interactive)定义 7（非交互式）

Definition 8 (Zero-Knowledge)定义 8（零知识）

Definition 9 (Public Coin)定义 9（公共币）

Lemma 1引理 1

4 A Folding Scheme for NP4 一种 NP 折叠方案

4.1 A Public-Coin, Zero-Knowledge Folding Scheme4.1 公共币，零知识折叠方案

Definition 10 (R1CS)定义 10（R1CS）

Definition 11 (Relaxed R1CS)定义 11（宽松的 R1CS）

Definition 12 (Committed Relaxed R1CS)定义 12（承诺宽松 R1CS）

Construction 1建设 1

Theorem 3定理 3

4.2 Achieving Non-interactivity via the Fiat-Shamir Transform4.2 通过法币-沙米尔变换实现非交互性

Construction 2建设 2

Assumption 1假设 1

5 Nova: An IVC Scheme with Proof Compression5 新诺瓦：一种带有证明压缩的 IVC 方案

5.1 Constructing IVC from a Folding Scheme for NP5.1 从折叠方案构建 IVC

Construction 3 (IVC)建设 3（IVC）

Lemma 2 (Completeness)

Lemma 3 (Knowledge Soundness)

Lemma 4 (Efficiency)引理 4（效率）

Proof证明

5.2 Compressing IVC Proofs with zkSNARKs5.2 使用 zkSNARKs 压缩 IVC 证明

Construction 4建设 4

Theorem 4定理 4

6 A zkSNARK for Committed Relaxed R1CS6 一个针对 Committed Relaxed R1CS 的 zkSNARK

6.1 Background6.1 背景

Definition 13 (Polynomial Extension)定义 13（多项式扩展）

Lemma 5引理 5

6.2 A Polynomial IOP for Idealized Relaxed R1CS6.2 理想化松弛 R1CS 的多项式 IOP

Definition 14 (Idealized Relaxed R1CS)定义 14（理想化宽松 R1CS）

Construction 5建设 5

Theorem 5定理 5

Proof证明

6.3 Compiling Polynomial IOPs to zkSNARKs6.3 编译多项式 IOPs 到 zkSNARKs

Theorem 6定理 6

Proof证明

Corollary 1推论 1

Notes备注

References参考

Author information

Authors and Affiliations

Corresponding authors

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation下载引用

Share this paper分享此论文

Publish with us发布与我们

Societies and partnerships社会与伙伴关系

Nova: Recursive Zero-Knowledge Arguments from Folding Schemes
诺瓦：折叠方案中的递归零知识论证

Similar content being viewed by others
其他人正在查看类似内容

Snårkl: Somewhat Practical, Pretty Much Declarative Verifiable Computing in Haskell
Snårkl：有点实用的，相当声明的可验证计算（在 Haskell 中）

Recursion Schemes in Coq
递归方案在 Coq 中

Incrementally Verifiable Computation via Incremental PCPs
增量可验证计算通过增量 PCPs

Remark 1 (Folding Schemes vs. SNARKs)
备注 1（折叠方案与 SNARKs）

1.2 IVC from Non-interactive Folding Schemes
1.2 非交互折叠方案中的 1.2 IVC

1.3 Implementation and Performance Evaluation
1.3 实施与性能评估

1.4 A More Detailed Comparison with Prior Work
1.4 与先前工作的更详细比较

1.5 An Overview of the Rest of the Paper
1.5 论文其余部分的概述

2.1 A Commitment Scheme for Vectors over $F$
2.1 向量上的承诺方案

Definition 1 (A Commitment Scheme for Vectors)
定义 1（向量承诺方案）

2.2 Non-interactive Arguments of Knowledge
2.2 知识的非交互式参数

Definition 2 (Non-Interactive Argument of Knowledge)
定义 2（非交互式知识论辩）

Definition 3 (Zero-Knowledge)
定义 3（零知识）

Definition 4 (Succinctness)
定义 4（简洁性）

2.3 Incrementally Verifiable Computation
2.3 逐步可验证计算

Definition 6 (Folding Scheme)
定义 6（折叠方案）

Definition 7 (Non-Interactive)
定义 7（非交互式）

Definition 8 (Zero-Knowledge)
定义 8（零知识）

Definition 9 (Public Coin)
定义 9（公共币）

4 A Folding Scheme for NP
4 一种 NP 折叠方案

4.1 A Public-Coin, Zero-Knowledge Folding Scheme
4.1 公共币，零知识折叠方案

Definition 11 (Relaxed R1CS)
定义 11（宽松的 R1CS）

Definition 12 (Committed Relaxed R1CS)
定义 12（承诺宽松 R1CS）

4.2 Achieving Non-interactivity via the Fiat-Shamir Transform
4.2 通过法币-沙米尔变换实现非交互性

5 Nova: An IVC Scheme with Proof Compression
5 新诺瓦：一种带有证明压缩的 IVC 方案

5.1 Constructing IVC from a Folding Scheme for $N P$
5.1 从折叠方案构建 IVC

5.2 Compressing IVC Proofs with zkSNARKs
5.2 使用 zkSNARKs 压缩 IVC 证明

6 A zkSNARK for Committed Relaxed R1CS
6 一个针对 Committed Relaxed R1CS 的 zkSNARK

Definition 13 (Polynomial Extension)
定义 13（多项式扩展）

6.2 A Polynomial IOP for Idealized Relaxed R1CS
6.2 理想化松弛 R1CS 的多项式 IOP

Definition 14 (Idealized Relaxed R1CS)
定义 14（理想化宽松 R1CS）

6.3 Compiling Polynomial IOPs to zkSNARKs
6.3 编译多项式 IOPs 到 zkSNARKs

Societies and partnerships
社会与伙伴关系