Goal

Given we can use a new proof system, we have the opportunity to consider a new vector commitment which is either

• Cheaper to compute on its own
• More adapted to the the new proof system

This section explores multiple options on these fronts

Using Verkle Trees

As a concrete example:

• We build a Verkle Tree using BLS12-377 as the base curve
• Arity is 256
• That means there are four layers in the Verkle Tree

A “inclusion proof” contains the following:

1. All the C_i (2) that goes from the root to the leaf (minus root)
2. All inclusion proofs (or one batched proof in practice)

Verifying a “path” means the following roughly:

Start from the leaf and go upward:
 1. Verify the inclusion proof of the current node in the next C_i
 2. node = H(C_i)

For our current application that would mean in practice:

1. Hashing: 3000 (# inclusion proof) * 565 (cost of hashing) * 3 = 5M
2. Opening Proofs:see below

Verify an opening proof in circuit

1. Verify a pairing check:

bls12-381 over bls12-381 : 2.6M constraint

2. G1 scalar mul