03/03/2022:

BLS12-377 / BW6 <- Justin talks about Zexe , 2chain of curve

$E_1(F_q)$ of order $r$ $E_2(F_t)$ of order $q$ <-- circuits in $F_q$, means I can express group operations efficiently, $E_1(F_q) + E_1(F_q)$

$G_t$ is in $F_q^{12}$

Benchmark

2 Circuits for https://github.com/nikkolasg/grothan/blob/main/src/lib.rs

• Multiplication of two GT elements
• 66 constraints
• Scalar multiplication of one scalar and GT elements
• 39409 constraints
• Enforcing equality:
• 12 constraints

IPP verifcation

• $T_i = T_l^x * T * T_r^{x^{-1}}$
• U
• Z

Per iteration of the loop

• 2 GT multiplication * 3 ⇒ 6 Gt MUL
• 6 Scalr mul

In total:

6 * log(n) * GT_MUL + 6 * log(n) * Scalar_mul

for n = 2**30

math.log2(n) * (6gtmul + 6scmul) 7031880.0 constraints

Sumcheck verification

Justin says 1000 for $F_r$ non native arithmetic multiplication

3 Fr multiplication per round of sumcheck

P(x1,x2,x3) = x1x2 + x2x3 + x1x3

P(x,r2,r3) → P(0,r2,r3) + P(1,r2,r3) → 2Fr + 2Fr + 1 ?? →

Prover sends (r2 + r3)x1 + r2r3, already in affine form so 2 Fr operation per evaluation

in total 2 * 2 + 1 = 5 Fr operation per “round” + hash(3 elements) ← 1000 constraints using Poseidon

Using non native field arithmetic, supposing 1000 constraints for Fr operations, it’s (1000*5+3000)*log(n) = 240000 constraints for n=2**30

Using sub Groth16 proof:

• Need to do scalar multiplication on ALL the public inputs → log(n) elements in $F_r$
• 500*log(n) constraints for doing $a_iG$
• Need to do 3 pairings → 150 000 constraints

Concrete scheme / curves

Spartan:

• Operations $F_r$ for GKR/Sumcheck
• Operations over $F_q$ this is for polymnomial commitment

2 choices of “curves”:

• Either we use a 2chain :
• BLS12-377/BW6 →
• BW6: One curve where circuit native in $F_q$ → native operations for Gt, “Non Native Arithmetic” for $F_r$
• BLS12-377: ANother curve where circuit is native in $F_r$
• Do a Groth16 proof for sumcheck, over $F_r$
• Do a Groth16 proof for polynomial commitment + verification of first proof over $F_q$
• OR we use a regular “pairing curve”, like BLS12-381:
• We do NNA operations for $F_q$
• F_r operatiopn can do natively
• Problematic because 1-2 order of magnitude
• Potential tricks: $r << q$, that means we can embed one element $F_r$ directly in one $F_q$ , could potentialy write many operations, like add/mul and only doing the modulo at the end