Introduction
Last updated
Last updated
Sirius is an open-source plonkish folding framework for halo2 circuits.
Sirius, renowned as the most luminous star in the night sky, deceives the naked eye by appearing as a solitary point of light when, in fact, it is a binary star system. Inspired by this duality, our project bears the name Sirius, capturing the essence of folded instances that give the illusion of being a singular entity.
Within the context of an Incrementally Verifiable Computation (IVC) scheme, the prover's role is to demonstrate that, upon consecutively applying a step function F exactly n times to an initial value $z_0$, the result is $z_n$. Here, the step function F takes two inputs $z_i$ and $w$, and yields an output $z_{i+1}$.
The Sirius folding framework is designed with a three-tiered architecture.
The arithmetization layer, a.k.a. the front-end, serves as the interface of the constraint system. User-defined circuits and witness data are converted into an intermediate representation format defined by the folding scheme. Our current implementation follows the special-sound interactive protocol (SPS) from Protostar.
Supported front-ends:
halo2: Sirius accepts circuits expressed with halo2. See the Fold a Fibonacci Circuit or the Fold the zkevm-circuits example.
At the heart of the framework is the folding scheme IVC circuit that accumulates the computations of multiple steps. At each step, the prover first calculates the instance-witness pairs from the previous step and folds them into the accumulator, then computes the auxiliary data that is needed by the folding scheme verifier. An IVC circuit then takes the outputs from the prover and performs the following steps: apply the step function F, fold the previous step's instance into the accumulator instance, and verify the inputs of the IVC circuit.
The format and process of auxiliary data depend on the underlying folding scheme. We have implemented two types of folding schemes.
Protogalaxy: the prover calculates two polynomials defined in the main protocol and sends them to the verifier. Protogalaxy supports the folding of multiple instances per step.
Sangria (deprecating): the prover calculates cross terms and error vectors for the folded instance-witness pairs as the auxiliary data. The elliptic curve multiplications in the folding verifier circuit scale linearly with the degree of the custom gates. Also, Sangria IVC scheme only supports the folding of one instance per step.
The SNARK layer leverages Polynomial Interactive Oracle Proofs (PIOP) and Polynomial Commitment Schemes (PCS) to generate zkSNARKs for succinct and zero-knowledge verification. Polynomial relation checks of the IVC decider are converted to the multivariate sum-check protocol. The evaluation phase of the sum-check protocol depends on the polynomial commitment scheme, e.g. hyperkzg commitment scheme.
