Trustless (S)NARKs
Inner Product with KZG
a_{1}
a_{2}
a_{3}
a_{5}
a_{6}
a_{8}
a_{4}
a_{7}
b_{1}
b_{2}
b_{3}
b_{4}
b_{5}
b_{6}
b_{7}
b_{8}
\vec{a}
\vec{b}
\omega^{0}
\omega^{1}
\omega^{2}
\omega^{3}
\omega^{4}
\omega^{5}
\omega^{6}
\omega^{7}
\mathbb{H}
- We know \(\vec{a}\) and \(\vec{b}\) such that \(c = \langle \vec{a}, \vec{b} \rangle\)
- To prove this using KZG, convert \(\vec{a}, \vec{b}\) to polynomials
a(X) = \sum_{i=1}^{8} \textcolor{lightgreen}{a_i} \cdot \textcolor{gray}{L_{\mathbb{H},i}(X)}
\begin{aligned}
\textcolor{gray}{\textsf{KZG.open}}\left(m(X), \omega^0, c\right)
\end{aligned}
b(X) = \sum_{i=1}^{8} \textcolor{orange}{b_i} \cdot \textcolor{gray}{L_{\mathbb{H},i}(X)}
- Define a polynomial \(m(X) := \sum_{i=1}^{8} \textcolor{lightgreen}{a_i} \textcolor{orange}{b_i} \cdot \textcolor{gray}{L_{\mathbb{H},i}(X)}\)
- Define \(r(X) = m(X) - a(z)b(X)\) for some \(z \in \mathbb{F}\)
- Finally, just open the polynomials \(a, b, m, r\):
\begin{aligned}
\textcolor{gray}{\textsf{KZG.open}}\Big(\big\{a(X), b(X), r(X)\big\}, z, \big\{\bar{a}, \bar{b}, 0\big\}\Big)
\end{aligned}
- Drawback: the trusted setup!
Inner Product: Main Idea
a_{1}
a_{2}
a_{3}
a_{5}
a_{6}
a_{8}
a_{4}
a_{7}
b_{1}
b_{2}
b_{3}
b_{4}
b_{5}
b_{6}
b_{7}
b_{8}
\vec{a}
\vec{b}
G_1
G_2
G_3
G_4
G_5
G_6
G_7
G_8
\vec{G}
- Naive way: just send \(\vec{a},\vec{b}\) to the verifier
- Randomly sample generators \(\vec{G}, \vec{H} \in \mathbb{G}^8\) and \(Q \in \mathbb{G}\)
- Pedersen commitment to the vectors \(\vec{a}, \vec{b}\) as:
P := \langle \textcolor{lightgreen}{\vec{a}}, \textcolor{darkgreen}{\vec{G}} \rangle
+ \langle \textcolor{orange}{\vec{b}}, \textcolor{sienna}{\vec{H}} \rangle
+ \langle \textcolor{lightgreen}{\vec{a}}, \textcolor{orange}{\vec{b}} \rangle \textcolor{gray}{Q}
H_1
H_2
H_3
H_4
H_5
H_6
H_7
H_8
\vec{H}
x
x
x
x
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
x
x
x
x
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
= \langle \textcolor{gray}{x} \textcolor{red}{\vec{a}}, \textcolor{gray}{x^{\tiny-1}} \textcolor{red}{\vec{G}} \rangle
+ \langle \textcolor{gray}{x^{\tiny-1}} \textcolor{cyan}{\vec{a}}, \textcolor{gray}{x} \textcolor{cyan}{\vec{G}} \rangle
\ +
\langle \textcolor{gray}{x^{\tiny-1}} \textcolor{red}{\vec{b}}, \textcolor{gray}{x} \textcolor{red}{\vec{H}} \rangle
+ \langle \textcolor{gray}{x} \textcolor{cyan}{\vec{b}}, \textcolor{gray}{x^{\tiny-1}} \textcolor{cyan}{\vec{H}} \rangle
\ +
\big(
\langle \textcolor{gray}{x} \textcolor{red}{\vec{a}}, \textcolor{gray}{x^{\tiny-1}} \textcolor{red}{\vec{b}} \rangle
+ \langle \textcolor{gray}{x^{\tiny-1}} \textcolor{cyan}{\vec{a}}, \textcolor{gray}{x} \textcolor{cyan}{\vec{b}} \rangle
\big)
\textcolor{gray}{Q}
=
\Big\langle
\big(\textcolor{gray}{x} \textcolor{red}{\vec{a}} + \textcolor{gray}{x^{\tiny-1}} \textcolor{cyan}{\vec{a}} \big),
\big(\textcolor{gray}{x^{\tiny-1}} \textcolor{red}{\vec{G}} + \textcolor{gray}{x} \textcolor{cyan}{\vec{G}} \big)
\Big\rangle
-
\textcolor{gray}{x^{\tiny2}} \langle \textcolor{red}{\vec{a}}, \textcolor{cyan}{\vec{G}} \rangle
-
\textcolor{gray}{x^{\tiny-2}} \langle \textcolor{cyan}{\vec{a}}, \textcolor{red}{\vec{G}} \rangle
+
\Big\langle
\big(\textcolor{gray}{x^{\tiny-1}} \textcolor{red}{\vec{b}} + \textcolor{gray}{x} \textcolor{cyan}{\vec{b}} \big),
\big(\textcolor{gray}{x} \textcolor{red}{\vec{H}} + \textcolor{gray}{x^{\tiny-1}} \textcolor{cyan}{\vec{H}} \big)
\Big\rangle
-
\textcolor{gray}{x^{\tiny2}} \langle \textcolor{cyan}{\vec{b}}, \textcolor{red}{\vec{H}} \rangle
-
\textcolor{gray}{x^{\tiny-2}} \langle \textcolor{red}{\vec{b}}, \textcolor{cyan}{\vec{H}} \rangle
+
\Big\langle
\big(\textcolor{gray}{x} \textcolor{red}{\vec{a}} + \textcolor{gray}{x^{\tiny-1}} \textcolor{cyan}{\vec{a}} \big),
\big(\textcolor{gray}{x^{\tiny-1}} \textcolor{red}{\vec{b}} + \textcolor{gray}{x} \textcolor{cyan}{\vec{b}} \big)
\Big\rangle \textcolor{gray}{Q}
-
\textcolor{gray}{x^{\tiny2}} \langle \textcolor{red}{\vec{a}}, \textcolor{cyan}{\vec{b}} \rangle \textcolor{gray}{Q}
-
\textcolor{gray}{x^{\tiny-2}} \langle \textcolor{cyan}{\vec{a}}, \textcolor{red}{\vec{b}} \rangle \textcolor{gray}{Q}
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
x
x
x
x
x
x
x
x
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
Inner Product: Main Idea
a_{1}
a_{2}
a_{3}
a_{5}
a_{6}
a_{8}
a_{4}
a_{7}
b_{1}
b_{2}
b_{3}
b_{4}
b_{5}
b_{6}
b_{7}
b_{8}
\vec{a}
\vec{b}
G_1
G_2
G_3
G_4
G_5
G_6
G_7
G_8
\vec{G}
- Naive way: just send \(\vec{a},\vec{b}\) to the verifier
- Randomly sample generators \(\vec{G}, \vec{H} \in \mathbb{G}^8\) and \(Q \in \mathbb{G}\)
- Pedersen commitment to the vectors \(\vec{a}, \vec{b}\) as:
P := \langle \textcolor{lightgreen}{\vec{a}}, \textcolor{darkgreen}{\vec{G}} \rangle
+ \langle \textcolor{orange}{\vec{b}}, \textcolor{sienna}{\vec{H}} \rangle
+ \langle \textcolor{lightgreen}{\vec{a}}, \textcolor{orange}{\vec{b}} \rangle \textcolor{gray}{Q}
H_1
H_2
H_3
H_4
H_5
H_6
H_7
H_8
\vec{H}
x
x
x
x
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
x
x
x
x
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
=
\Big\langle
\big(\textcolor{gray}{x} \textcolor{red}{\vec{a}} + \textcolor{gray}{x^{\tiny-1}} \textcolor{cyan}{\vec{a}} \big),
\big(\textcolor{gray}{x^{\tiny-1}} \textcolor{red}{\vec{G}} + \textcolor{gray}{x} \textcolor{cyan}{\vec{G}} \big)
\Big\rangle
-
\textcolor{gray}{x^{\tiny2}} \langle \textcolor{red}{\vec{a}}, \textcolor{cyan}{\vec{G}} \rangle
-
\textcolor{gray}{x^{\tiny-2}} \langle \textcolor{cyan}{\vec{a}}, \textcolor{red}{\vec{G}} \rangle
+
\Big\langle
\big(\textcolor{gray}{x^{\tiny-1}} \textcolor{red}{\vec{b}} + \textcolor{gray}{x} \textcolor{cyan}{\vec{b}} \big),
\big(\textcolor{gray}{x} \textcolor{red}{\vec{H}} + \textcolor{gray}{x^{\tiny-1}} \textcolor{cyan}{\vec{H}} \big)
\Big\rangle
-
\textcolor{gray}{x^{\tiny2}} \langle \textcolor{cyan}{\vec{b}}, \textcolor{red}{\vec{H}} \rangle
-
\textcolor{gray}{x^{\tiny-2}} \langle \textcolor{red}{\vec{b}}, \textcolor{cyan}{\vec{H}} \rangle
+
\Big\langle
\big(\textcolor{gray}{x} \textcolor{red}{\vec{a}} + \textcolor{gray}{x^{\tiny-1}} \textcolor{cyan}{\vec{a}} \big),
\big(\textcolor{gray}{x^{\tiny-1}} \textcolor{red}{\vec{b}} + \textcolor{gray}{x} \textcolor{cyan}{\vec{b}} \big)
\Big\rangle \textcolor{gray}{Q}
-
\textcolor{gray}{x^{\tiny2}} \langle \textcolor{red}{\vec{a}}, \textcolor{cyan}{\vec{b}} \rangle \textcolor{gray}{Q}
-
\textcolor{gray}{x^{\tiny-2}} \langle \textcolor{cyan}{\vec{a}}, \textcolor{red}{\vec{b}} \rangle \textcolor{gray}{Q}
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
x
x
x
x
x
x
x
x
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
x^{\tiny -1}
= \textcolor{gray}{\textsf{PED.commit}(}
\textcolor{lightgreen}{\vec{a}_{\textsf{half}}},
\textcolor{darkgreen}{\vec{G}_{\textsf{half}}},
\textcolor{orange}{\vec{b}_{\textsf{half}}},
\textcolor{sienna}{\vec{H}_{\textsf{half}}}
\textcolor{gray}{)}
-
\textcolor{gray}{x^{\tiny 2}}L_1 - \textcolor{gray}{x^{\tiny -2}}R_1
- Now we only need to send \((\textcolor{lightgreen}{\vec{a}_{\textsf{half}}}, \textcolor{sienna}{\vec{b}_{\textsf{half}}}, L_1, R_1)\)
- Recursion leads to \((L_1, R_1, L_2, R_2, L_3, R_3, \textcolor{lightgreen}{a_{\textsf{last}}}, \textcolor{sienna}{b_{\textsf{last}}})\)
IPA Prover
- For \(j\in \lceil \text{log}_2(N) \rceil\), the prover starts by setting \(n = N/2\):
{\small\circ} \ L_j =
\langle \textcolor{red}{\vec{a}}, \textcolor{cyan}{\vec{G}} \rangle +
\langle \textcolor{cyan}{\vec{b}}, \textcolor{red}{\vec{H}} \rangle +
\langle \textcolor{red}{\vec{a}}, \textcolor{cyan}{\vec{b}} \rangle \textcolor{gray}{Q}
{\small\circ} \ (\textcolor{red}{\vec{a}} \ \| \ \textcolor{cyan}{\vec{a}}) \leftarrow \textcolor{lightgreen}{\vec{a}}, \quad
(\textcolor{red}{\vec{b}} \ \| \ \textcolor{cyan}{\vec{b}}) \leftarrow \textcolor{orange}{\vec{b}}
{\small\circ} \ (\textcolor{red}{\vec{G}} \ \| \ \textcolor{cyan}{\vec{G}}) \leftarrow \textcolor{darkgreen}{\vec{G}}, \quad
(\textcolor{red}{\vec{H}} \ \| \ \textcolor{cyan}{\vec{H}}) \leftarrow \textcolor{sienna}{\vec{H}}
{\small\circ} \ R_j =
\langle \textcolor{cyan}{\vec{a}}, \textcolor{red}{\vec{G}} \rangle +
\langle \textcolor{red}{\vec{b}}, \textcolor{cyan}{\vec{H}} \rangle +
\langle \textcolor{cyan}{\vec{a}}, \textcolor{red}{\vec{b}} \rangle \textcolor{gray}{Q}
{\small\circ} \
\textcolor{lightgreen}{\vec{a}_{\textsf{next}}}
=
\big(\textcolor{gray}{x} \textcolor{red}{\vec{a}} + \textcolor{gray}{x^{\tiny-1}} \textcolor{cyan}{\vec{a}} \big),
\quad
\textcolor{darkgreen}{\vec{G}_{\textsf{next}}}
=
\big(\textcolor{gray}{x^{\tiny-1}} \textcolor{red}{\vec{G}} + \textcolor{gray}{x} \textcolor{cyan}{\vec{G}} \big)
{\small\circ} \
\textcolor{orange}{\vec{b}_{\textsf{next}}}
=
\big(\textcolor{gray}{x^{\tiny-1}} \textcolor{red}{\vec{b}} + \textcolor{gray}{x} \textcolor{cyan}{\vec{b}} \big),
\quad \
\textcolor{sienna}{\vec{H}_{\textsf{next}}}
=
\big(\textcolor{gray}{x} \textcolor{red}{\vec{H}} + \textcolor{gray}{x^{\tiny-1}} \textcolor{cyan}{\vec{H}} \big)
- Prover work: \(\mathcal{O}(N) \equiv \sum_{j \in \lceil \text{log}_2(N) \rceil}4n_j\)
- Proof size: \(\mathbb{G} \rightarrow 2 \lceil \text{log}_2(N) \rceil, \ \mathbb{F} \rightarrow 2\)
\textcolor{gray}{\textsf{MSM}:} (2n+1)
\textcolor{gray}{\textsf{MSM}:} (2n+1)
\textcolor{gray}{\textsf{MSM}:} (2n)
\textcolor{gray}{\textsf{MSM}:} (2n)
IPA Verifier
- Given a proof \((\{L_j,R_j\}_{j \in \lceil \text{log}_2(N) \rceil}, a, b)\), verifier starts by setting: \(P_{\textsf{acc}} = P\)
{\small\circ} \
\textcolor{darkgreen}{\vec{G}_{\textsf{next}}}
=
\big(\textcolor{gray}{x^{\tiny-1}} \textcolor{red}{\vec{G}} + \textcolor{gray}{x} \textcolor{cyan}{\vec{G}} \big)
{\small\circ} \
\textcolor{sienna}{\vec{H}_{\textsf{next}}}
=
\big(\textcolor{gray}{x} \textcolor{red}{\vec{H}} + \textcolor{gray}{x^{\tiny-1}} \textcolor{cyan}{\vec{H}} \big)
- Verifier work: \(\mathcal{O}(N) \equiv \sum_{j \in \lceil \text{log}_2(N) \rceil}2n_j\)
- Verifier in KZG was \(\mathcal{O}(1)\) 😳
\textcolor{gray}{\textsf{MSM}:} (2n)
\textcolor{gray}{\textsf{MSM}:} (2n)
{\small\circ} \
P_{\textsf{next}}
=
\textcolor{gray}{x^2}L_j + P_{\textsf{acc}} + \textcolor{gray}{x^{-2}}R_j
{\small\circ} \
P_{\textsf{acc}} \leftarrow P_{\textsf{next}}
{\small\circ} \
P_{\textsf{acc}}
\stackrel{?}{=}
a \textcolor{darkgreen}{G_{\textsf{last}}} +
b \textcolor{sienna}{H_{\textsf{last}}} +
\langle a, b \rangle \textcolor{gray}{Q}
- After \(\lceil \text{log}_2(N) \rceil\) rounds, final verification check:
IPA Efficient Verifier
- Verifier needs \(\textcolor{gray}{\textsf{MSM:}} \ 2\lceil \text{log}_2(N) \rceil+1\) to compute \(P_{\textsf{acc}}\)
- Note that \(\textcolor{darkgreen}{G_{\textsf{last}}}\) and \(\textcolor{sienna}{H_{\textsf{last}}}\) only depend on \(\textcolor{darkgreen}{\vec{G}}, \textcolor{sienna}{\vec{H}}\) and challenges
a \textcolor{darkgreen}{G_{\textsf{last}}} +
b \textcolor{sienna}{H_{\textsf{last}}} +
\langle a, b \rangle \textcolor{gray}{Q}
\stackrel{?}{=}
P_{\textsf{acc}}
- After \(\lceil \text{log}_2(N) \rceil\) rounds, final verification check:
\bigg(
\textcolor{gray}{x_m^2}L_m +
\dots +
\Big(
\textcolor{gray}{x_2^2}L_2 +
\big(\textcolor{gray}{x_1^2}L_1 + P + \textcolor{gray}{x_1^{-2}}R_1\big) +
\textcolor{gray}{x_2^{-2}}R_2
\Big) +
\dots +
\textcolor{gray}{x_m^2}L_m
\bigg)
\underbrace{\hspace{5cm}}_{P_1}
\underbrace{\hspace{10cm}}_{P_2}
\underbrace{\hspace{19cm}}_{P_m}
\textcolor{darkgreen}{G_{\textsf{last}}} =
\textcolor{gray}{x_1^{-1}x_2^{-1}x_3^{-1}}G_1 +
\textcolor{gray}{x_1^{-1}x_2^{-1}x_3^{1}}G_2 +
\textcolor{gray}{x_1^{-1}x_2^{1}x_3^{-1}}G_3 +
\textcolor{gray}{x_1^{-1}x_2^{1}x_3^{1}}G_4 \ +
\textcolor{gray}{x_1^{1}x_2^{-1}x_3^{-1}}G_5 +
\textcolor{gray}{x_1^{1}x_2^{-1}x_3^{1}}G_6 +
\textcolor{gray}{x_1^{1}x_2^{1}x_3^{-1}}G_7 +
\textcolor{gray}{x_1^{1}x_2^{1}x_3^{1}}G_8.
- Total verifier work \(\textcolor{gray}{\textsf{MSM:}} \ 2N + 2\lceil \text{log}_2(N) \rceil+1\)
Impact of IPA
Trustless
Trusted
Setup
IPA to PCS
f(X) = a_1 + a_2X + a_3X^2 + \dots + a_{d-1}X^{d-1}
v := f(z) = a_1 + a_2z + a_3z^2 + \dots + a_{d-1}z^{d-1}
= \langle \vec{a}, \vec{z} \rangle
\begin{aligned}
\textcolor{gray}{\textsf{IPApoly.commit}}\left(f(X)\right) \equiv \quad P := \langle \vec{a}, \textcolor{darkgreen}{\vec{G}} \rangle
\end{aligned}
\begin{aligned}
\textcolor{gray}{\textsf{IPApoly.open}}\left(f(X), z, v\right) \equiv \ \pi_{\textsf{IPA}} = \textcolor{gray}{\textsf{IPA}}(\mathcal{R})
\end{aligned}
\mathcal{R} = \left\{ ((P, z, v); \ \vec{a}) \ | \ P = \langle \vec{a}, \textcolor{darkgreen}{\vec{G}} \rangle \ \wedge \ v = \langle \vec{a}, \vec{z} \rangle \right\}
\begin{aligned}
\textcolor{gray}{\textsf{IPApoly.verify}}\left(\pi_{\textsf{IPA}}, z, v\right) \equiv \ \{0,1\} \leftarrow \textcolor{gray}{\textsf{IPA.verify}}(\mathcal{R})
\end{aligned}
- Here, we just need one generator vector \(\textcolor{darkgreen}{\vec{G}}\) (read: smaller overall MSM)
- With the Inner-product argument, we can derive a PCS:
Halo2 Recursion
\begin{aligned}
a \textcolor{red}{G_{\textsf{last}}} + a\textcolor{red}{b}\textcolor{gray}{Q}
\stackrel{?}{=}
P + v\textcolor{gray}{Q} \sum_{j \in \lceil \text{log}(d) \rceil} (\textcolor{gray}{x_j^2} L_j + \textcolor{gray}{x_j^{-2}}R_j)
\end{aligned}
- RHS is \(\mathcal{O}(\text{log}(d))\) but LHS is still \(\mathcal{O}(d)\) as \(\textcolor{darkgreen}{G_{\textsf{last}}} = \langle \vec{s}, \textcolor{darkgreen}{\vec{G}} \rangle, b = \langle \vec{s}, \vec{z} \rangle\)
- We can write \(\vec{s}\) as the polynomial:
- The IPA PCS verification equation:
\textcolor{darkgreen}{G_{\textsf{last}}}
=
\langle
\overbrace{
\begin{pmatrix}
\textcolor{gray}{x_m^{-1}} \textcolor{gray}{x_{m-1}^{-1}} \textcolor{gray}{\dots} \textcolor{gray}{x_3^{-1}} \textcolor{gray}{x_2^{-1}} \textcolor{gray}{x_1^{-1}} \\[5pt]
\textcolor{gray}{x_m^{-1}} \textcolor{gray}{x_{m-1}^{-1}} \textcolor{gray}{\dots} \textcolor{gray}{x_3^{-1}} \textcolor{gray}{x_2^{-1}} \textcolor{gray}{x_1}^{1} \\[5pt]
\textcolor{gray}{x_m^{-1}} \textcolor{gray}{x_{m-1}^{-1}} \textcolor{gray}{\dots} \textcolor{gray}{x_3^{-1}} \textcolor{gray}{x_2}^{1} \textcolor{gray}{x_1}^{1} \\[5pt]
\textcolor{gray}{x_m^{-1}} \textcolor{gray}{x_{m-1}^{-1}} \textcolor{gray}{\dots} \textcolor{gray}{x_3}^{1} \textcolor{gray}{x_2^{-1}} \textcolor{gray}{x_1^{-1}} \\
\textcolor{gray}{\vdots} \\
\textcolor{gray}{x_m}^1 \textcolor{gray}{x_{m-1}}^1 \textcolor{gray}{\dots} \textcolor{gray}{x_3}^1 \textcolor{gray}{x_2}^{1} \textcolor{gray}{x_1^{-1}} \\[5pt]
\textcolor{gray}{x_m}^1 \textcolor{gray}{x_{m-1}}^1 \textcolor{gray}{\dots} \textcolor{gray}{x_3}^1 \textcolor{gray}{x_2}^{1} \textcolor{gray}{x_1}^{1}
\end{pmatrix}
}^{\vec{s}},
\textcolor{darkgreen}{\vec{G}}
\rangle
\begin{aligned}
s(X) = \prod_{j\in [k]} \left(\textcolor{gray}{x_{j}^{1}} + \textcolor{gray}{x_{j}^{-1}}X^{2^{i-1}} \right)
\end{aligned}
- Thus, the verifier can compute \(b\) in \(\mathcal{O}(\text{log}(d))\)
- What about \(\textcolor{darkgreen}{G_{\textsf{last}}}\)? It cannot!
- But the prover can send \(\textcolor{darkgreen}{G_{\textsf{last}}}\) with a proof that it was correctly computed!
Halo2 Recursion
\begin{aligned}
a^{(1)} \textcolor{orange}{G_{\textsf{last}}^{(1)}} + a^{(1)}\textcolor{red}{b^{(1)}}\textcolor{gray}{Q}
\stackrel{?}{=}
P^{(1)} + v^{(1)}\textcolor{gray}{Q} +
\sum_{j \in [m]}
\left(
\textcolor{gray}{\big(x_j^{\tiny(1)}\big)^2} L_j^{(1)} +
\textcolor{gray}{\big(x_j^{\tiny(1)}\big)^{-2}}R_j^{(1)}
\right)
\end{aligned}
\begin{aligned}
\pi_1 = \left\{ \left\{ L_j^{(1)}, R_j^{(1)} \right\}_{j \in [m]}, a^{(1)}, \textcolor{orange}{G_{\textsf{last}}^{(1)}} \right\}
\end{aligned}
\begin{aligned}
\pi_2 = \left\{ \left\{ L_j^{(2)}, R_j^{(2)} \right\}_{j \in [m]}, a^{(2)}, \textcolor{lightgreen}{G_{\textsf{last}}^{(2)}}, \
\pi_{\textcolor{orange}{G_\textsf{last}^{(1)}}} \right\}
\end{aligned}
\begin{aligned}
\pi_3 = \left\{ \left\{ L_j^{(3)}, R_j^{(3)} \right\}_{j \in [m]}, a^{(3)}, \textcolor{yellow}{G_{\textsf{last}}^{(3)}}, \
\pi_{\textcolor{lightgreen}{G_\textsf{last}^{(2)}}} \right\}
\end{aligned}
\begin{aligned}
\pi_4 = \left\{ \left\{ L_j^{(4)}, R_j^{(4)} \right\}_{j \in [m]}, a^{(4)}, \textcolor{violet}{G_{\textsf{last}}^{(4)}}, \
\pi_{\textcolor{yellow}{G_\textsf{last}^{(3)}}} \right\}
\end{aligned}
\begin{aligned}
a^{(2)} \textcolor{lightgreen}{G_{\textsf{last}}^{(2)}} + a^{(2)}\textcolor{red}{b^{(2)}}\textcolor{gray}{Q}
\stackrel{?}{=}
P^{(2)} + v^{(2)}\textcolor{gray}{Q} +
\sum_{j \in [m]}
\left(
\textcolor{gray}{\big(x_j^{\tiny(2)}\big)^2} L_j^{(2)} +
\textcolor{gray}{\big(x_j^{\tiny(2)}\big)^{-2}}R_j^{(2)}
\right)
\end{aligned}
\begin{aligned}
a^{(3)} \textcolor{yellow}{G_{\textsf{last}}^{(3)}} + a^{(3)}\textcolor{red}{b^{(3)}}\textcolor{gray}{Q}
\stackrel{?}{=}
P^{(3)} + v^{(3)}\textcolor{gray}{Q} +
\sum_{j \in [m]}
\left(
\textcolor{gray}{\big(x_j^{\tiny(3)}\big)^2} L_j^{(3)} +
\textcolor{gray}{\big(x_j^{\tiny(3)}\big)^{-2}}R_j^{(3)}
\right)
\end{aligned}
\begin{aligned}
a^{(4)} \textcolor{violet}{G_{\textsf{last}}^{(4)}} + a^{(4)}\textcolor{red}{b^{(4)}}\textcolor{gray}{Q}
\stackrel{?}{=}
P^{(4)} + v^{(4)}\textcolor{gray}{Q} +
\sum_{j \in [m]}
\left(
\textcolor{gray}{\big(x_j^{\tiny(4)}\big)^2} L_j^{(4)} +
\textcolor{gray}{\big(x_j^{\tiny(4)}\big)^{-2}}R_j^{(4)}
\right)
\end{aligned}
\begin{aligned}
\pi_M = \left\{ \left\{ L_j^{(M)}, R_j^{(M)} \right\}_{j \in [m]}, a^{(M)}, \textcolor{blue}{G_{\textsf{last}}^{(M)}} \right\}
\end{aligned}
\vdots
\begin{aligned}
a^{(M)} \textcolor{blue}{G_{\textsf{last}}^{(M)}} + a^{(M)}\textcolor{red}{b^{(M)}}\textcolor{gray}{Q}
\stackrel{?}{=}
P^{(M)} + v^{(M)}\textcolor{gray}{Q} +
\sum_{j \in [m]}
\left(
\textcolor{gray}{\big(x_j^{\tiny(M)}\big)^2} L_j^{(M)} +
\textcolor{gray}{\big(x_j^{\tiny(M)}\big)^{-2}}R_j^{(M)}
\right)
\end{aligned}
\begin{aligned}
\textcolor{red}{G_{\textsf{last}}^{(M)}} \stackrel{?}{=}
\textcolor{blue}{G_{\textsf{last}}^{(M)}}
\end{aligned}
Trustless (S)NARKs
By Suyash Bagad
