Description

Problem

Opening naively KZG proof in SNARKs requires:

1. Compatible elliptic curves families which can be used within a SNARK system to write a pairing in the constraint system.
2. Efficient KZG opening algorithm. A pairing costs 20k constraints in Groth16 like circuit so opening naively multiple openings is not practicable at Filecoin scale (23k openings for wpost)

Both of these conditions made it extremely hard to verify multiple opening proofs inside a SNARKs so it has not been done.

Potential solution

There has been many advances on both of these fronts in the recent years such that it is worth revisiting the problem:

1. Pairing + SNARK friendly curves: One example is the development of the BLS12-377 curve from Youssef that allows to write pairings inside a circuit.
2. Batch KZG openings: Many papers have been optimizing the opening of multiple points from a KZG like commitment in the context of IOP SNARKs (Plonk-ish). Some of these improvements are actually helping as well inside circuits where we want to amortize the cost of the verifier accross many openings.

Outcome

The outcome is a SNARK that can support KZG openings at Filecoin scale.

Working Items