Logo

    KZG Openings in SNARK

    Creator
    D
    Deleted User
    Created
    Feb 9, 2022 12:34 PM
    Stage
    No more action (or old)

    Description

    Problem

    Opening naively KZG proof in SNARKs requires:

    1. Compatible elliptic curves families which can be used within a SNARK system to write a pairing in the constraint system.
    2. Efficient KZG opening algorithm. A pairing costs 20k constraints in Groth16 like circuit so opening naively multiple openings is not practicable at Filecoin scale (23k openings for wpost)

    Both of these conditions made it extremely hard to verify multiple opening proofs inside a SNARKs so it has not been done.

    Potential solution

    There has been many advances on both of these fronts in the recent years such that it is worth revisiting the problem:

    1. Pairing + SNARK friendly curves: One example is the development of the BLS12-377 curve from Youssef that allows to write pairings inside a circuit.
    2. Batch KZG openings: Many papers have been optimizing the opening of multiple points from a KZG like commitment in the context of IOP SNARKs (Plonk-ish). Some of these improvements are actually helping as well inside circuits where we want to amortize the cost of the verifier accross many openings.

    Outcome

    The outcome is a SNARK that can support KZG openings at Filecoin scale.

    Working Items

    Tasks

    Name
    Tags

    CryptoNet is a Protocol Labs initiative.