Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

an idea to reduce gas cost by converting a Nova proof to other proof system #41

Open
RoyTimes opened this issue Nov 17, 2023 · 1 comment
Open

an idea to reduce gas cost by converting a Nova proof to other proof system #41

RoyTimes opened this issue Nov 17, 2023 · 1 comment

Comments

@RoyTimes
Copy link

First of all - super awesome work! I want to pay my deepest respect first!

My team and I have been working on a circuit that is supposed to be run inside of a browser (- a client-side ZK prover) and can be cheaply verified on-chain. The circuit itself will benefits a lot from folding, therefore Nova. But on-chain verification comes short for us. In summary, the priority ranking for us: 1. fixture size 2. prover time 3. gas cost to verify on-chain 4. proof size ...

Quite recently, when working with Plonky2 which produces a huge proof that is also costly to be verified on-chain, I was drawn to the work by Succinct Labs that transform a client-side FRI-Plonk proof to a KZG-Plonk proof by Gnark. Gas cost for a verification is merely ~210k. The only drawback is that the conversion circuit takes 6 minutes to run and takes a shit tons of memory. However, the conversion circuit is supposed to be run on a server, while the client side has already ZK-ed the witness, so no witness leak whatsoever and the whole solution seems quite put-together. Which leads me to think, if it's gonna be more viable to convert a Nova-Spartan proof to a cheap on-chain proof would be a better approach to reduce gas-cost with either Gnark or Halo2.

In the end, I think it's acceptable to have the client side generate a huge proof but within a few seconds of prover time, then transmit the proof to a prover either run by the team or a prover-as-a-service provider to do the conversion - after a conversion/aggregation time of a few minutes (GPU-optimization can be done to significantly reduce the time), the end-proof takes less than ~500k gas to be verified on-chain.

Let me know how y'all think. If this seems like a good idea and fits your goal with this repo, would love to further connect and potentially discuss the viability of this idea/work together on a impl.
@storojs72
Copy link
Collaborator

storojs72 commented Dec 4, 2023
edited
Loading

Hi, @RoyTimes !

Snarkifying Nova is indeed a viable idea. However, as far as I remember out discussion with @huitseeker, some time ago, this requires "freezing" the internal "reference" Nova implementation (https://github.com/lurk-lab/arecibo), which is currently being under active development, that is why, so far, we have chosen an approach of developing this solidity-verifier to be consisted with the latest "reference" implementation. If Nova verifier implementation in Rust changes, we are changing its Solidity counterpart.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@RoyTimes @storojs72