CS 251 Fall 2020 (cs251.stanford.edu) Recursive SNARKs Benedikt Bünz
Hitchhiker's Guide to the Galaxy • Input → Long Computation → Output (42) • What if we want to verify that computation?
Recap: Non-interactive Proof Systems •
SNARKs for long computations • C: circuit for long computation (Input → Long Computation, Transcript) • Issues: • P takes very long • Starts proving only after computation finished • Can't hand off computation • S also runs at least linear in |C| (ok if many proofs)
Handing off computation • Input → transcript 1 → transcript 2 → transcript 3
Incremental Proofs • We need updatable/incremental proofs
PhotoProof • Viewer can still verify authenticity • Allow valid updates of photo and provide proof
PhotoProof • Proof allows valid edits only, incrementally updated
Recursive Proofs • How can we build incremental proofs?
SNARK of SNARK
SNARK of SNARK… • Note that C’ depends only on V and Sv • We can express V as a circuit:
SNARK of SNARK…
Universal SNARK Verifier
Recap: SNARK Rollup • Today: every miner must verify every posted Tx • Rollup: all Tx ⇒ short proof π • Coordinator posts (Tx summary, π); miners verify π • Verifying the proof is much easier than verifying 10K Tx
Rollup with many coordinators [Diagram labels: Coordinator 1 (summary 1, π1), Coordinator 2 (summary 2, π2), proof π, verify π]
SNARK 2 -Rollup • Multiple coordinators/servers • Each responsible for subset of users (no overlaps) • Super coordinator (can be one of the coordinators) • Super coordinator combines summaries (balance table) and creates one proof that
SNARK 2 -Rollup • root Build one root from summaries Merkle tree
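
The super coordinator's bookkeeping described in the two slides above, as an added example that is not part of the lecture: it checks that coordinator summaries cover disjoint users, builds one Merkle root over them, and lets any coordinator check that its summary is under that root. SHA-256, the JSON leaf encoding, the 0x00/0x01 domain-separation prefixes, last-node duplication on odd levels and all function names are assumptions; the SNARK proof itself is not modelled.

```python
import hashlib
import json

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(summary: dict) -> bytes:
    # Assumed encoding: canonical JSON; 0x00 marks a leaf so it can never
    # be confused with an internal node (0x01).
    return _h(b"\x00" + json.dumps(summary, sort_keys=True).encode())

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def build_levels(summaries: list) -> list:
    """Return all tree levels, leaves first; the root is levels[-1][0]."""
    if not summaries:
        raise ValueError("no summaries")
    seen = set()
    for s in summaries:  # "no overlaps": a user belongs to one coordinator
        overlap = seen.intersection(s)
        if overlap:
            raise ValueError(f"users in two summaries: {sorted(overlap)}")
        seen.update(s)
    level = [leaf_hash(s) for s in summaries]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:  # assumed padding rule: duplicate the last node
            level = level + [level[-1]]
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def inclusion_path(levels: list, index: int) -> list:
    """Sibling hashes from leaf to root, each with a 'sibling is on the right' flag."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib >= len(level):  # node was paired with its own duplicate
            sib = index
        path.append((level[sib], index % 2 == 0))
        index //= 2
    return path

def verify_inclusion(root: bytes, summary: dict, path: list) -> bool:
    acc = leaf_hash(summary)
    for sibling, on_right in path:
        acc = node_hash(acc, sibling) if on_right else node_hash(sibling, acc)
    return acc == root

# Constructed sample balance tables, one per coordinator.
SUMMARIES = [{"alice": 5, "bob": 7}, {"carol": 1}, {"dave": 9, "erin": 2}]
```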
SNARK 3 -Rollup [Diagram labels: Coordinator 1 (summary 1, π1), Coordinator 2 (summary 2, π2), proof π, verify π]
Enhancing transactions with SNARKs • We've seen that private transactions require zero-knowledge proofs • Add ZK-SNARKs to every transaction • Level 1 coordinators verify transactions by verifying the transaction ZK-SNARKs • Additionally we can have more complicated transactions (Smart Contracts) • Transaction verification is constant time regardless of proof complexity
SNARK 3 -Rollup •
Constant size blockchains • Rollup reduces the verification cost • Still linear in the number of state updates • When a node joins the network, it needs to verify one rollup proof per block! • In general, starting a full node requires verification of all blocks • Can take days!
Constant size Blockchain [Diagram labels: Merkle tree, Transactions, Old miner, Head and State, New miner]
Constant size Blockchain • Light clients can verify every block! • Low memory, low computation • Independent of length of chain or #transactions • Relies on data serving nodes for syncing • Practical today!
END OF LECTURE Next lecture: Crypto tricks and open discussion Please attend last two lectures if you can