|
| 1 | +--- |
| 2 | +title: Recursive proofs |
| 3 | +description: Explore the concept of recursive proofs in Zero-Knowledge programming. Understand how recursion works in Noir, a language for writing smart contracts on the EVM blockchain. Learn through practical examples like Alice and Bob's guessing game, Charlie's recursive merkle tree, and Daniel's reusable components. Discover how to use recursive proofs to optimize computational resources and improve efficiency. |
| 4 | + |
| 5 | +keywords: |
| 6 | + [ |
| 7 | + "Recursive Proofs", |
| 8 | + "Zero-Knowledge Programming", |
| 9 | + "Noir", |
| 10 | + "EVM Blockchain", |
| 11 | + "Smart Contracts", |
| 12 | + "Recursion in Noir", |
| 13 | + "Alice and Bob Guessing Game", |
| 14 | + "Recursive Merkle Tree", |
| 15 | + "Reusable Components", |
| 16 | + "Optimizing Computational Resources", |
| 17 | + "Improving Efficiency", |
| 18 | + "Verification Key", |
| 19 | + "Aggregation", |
| 20 | + "Recursive zkSNARK schemes", |
| 21 | + "PLONK", |
| 22 | + "Proving and Verification Keys" |
| 23 | + ] |
| 24 | +--- |
| 25 | + |
| 26 | +In programming, we tend to think of recursion as something calling itself. A classic example would be the calculation of the factorial of a number: |
| 27 | + |
| 28 | +```js |
| 29 | +function factorial(n) { |
| 30 | + if (n === 0 || n === 1) { |
| 31 | + return 1; |
| 32 | + } else { |
| 33 | + return n * factorial(n - 1); |
| 34 | + } |
| 35 | +} |
| 36 | +``` |
| 37 | + |
| 38 | +In this case, while `n` is not `1`, this function will keep calling itself until it hits the base case, bubbling up the result on the call stack: |
| 39 | + |
| 40 | +```md |
| 41 | + Is `n` 1? <--------- |
| 42 | + /\ / |
| 43 | + / \ n = n -1 |
| 44 | + / \ / |
| 45 | + Yes No -------- |
| 46 | +``` |
| 47 | + |
| 48 | +In Zero-Knowledge, recursion has some similarities. |
| 49 | + |
| 50 | +It is not a Noir function calling itself, but a proof being used as an input to another circuit. In short, you verify one proof *inside* another proof, returning the proof that both proofs are valid. |
| 51 | + |
| 52 | +This means that, given enough computational resources, you can prove the correctness of any arbitrary number of proofs in a single proof. This could be useful to design state channels (for which a common example would be [Bitcoin's Lightning Network](https://en.wikipedia.org/wiki/Lightning_Network)), to save on gas costs by settling one proof on-chain, or simply to make business logic less dependent on a consensus mechanism. |
| 53 | + |
| 54 | +## Examples |
| 55 | + |
| 56 | +Let us look at some of these examples |
| 57 | + |
| 58 | +### Alice and Bob - Guessing game |
| 59 | + |
| 60 | +Alice and Bob are friends, and they like guessing games. They want to play a guessing game online, but for that, they need a trusted third-party that knows both of their secrets and finishes the game once someone wins. |
| 61 | + |
| 62 | +So, they use zero-knowledge proofs. Alice tries to guess Bob's number, and Bob will generate a ZK proof stating whether she succeeded or failed. |
| 63 | + |
| 64 | +This ZK proof can go on a smart contract, revealing the winner and even giving prizes. However, this means every turn needs to be verified on-chain. This incurs some cost and waiting time that may simply make the game too expensive or time-consuming to be worth it. |
| 65 | + |
| 66 | +As a solution, Alice proposes the following: "what if Bob generates his proof, and instead of sending it on-chain, I verify it *within* my own proof before playing my own turn?". |
| 67 | + |
| 68 | +She can then generate a proof that she verified his proof, and so on. |
| 69 | + |
| 70 | +```md |
| 71 | + Did you fail? <-------------------------- |
| 72 | + / \ / |
| 73 | + / \ n = n -1 |
| 74 | + / \ / |
| 75 | + Yes No / |
| 76 | + | | / |
| 77 | + | | / |
| 78 | + | You win / |
| 79 | + | / |
| 80 | + | / |
| 81 | +Generate proof of that / |
| 82 | + + / |
| 83 | + my own guess ---------------- |
| 84 | +``` |
| 85 | + |
| 86 | +### Charlie - Recursive merkle tree |
| 87 | + |
| 88 | +Charlie is a concerned citizen, and wants to be sure his vote in an election is accounted for. He votes with a ZK proof, but he has no way of knowing that his ZK proof was included in the total vote count! |
| 89 | + |
| 90 | +If the vote collector puts all of the votes into a [Merkle tree](https://en.wikipedia.org/wiki/Merkle_tree), everyone can prove the verification of two proofs within one proof, as such: |
| 91 | + |
| 92 | +```md |
| 93 | + abcd |
| 94 | + __________|______________ |
| 95 | + | | |
| 96 | + ab cd |
| 97 | + _____|_____ ______|______ |
| 98 | + | | | | |
| 99 | + alice bob charlie daniel |
| 100 | +``` |
| 101 | + |
| 102 | +Doing this recursively allows us to arrive on a final proof `abcd` which if true, verifies the correctness of all the votes. |
| 103 | + |
| 104 | +### Daniel - Reusable components |
| 105 | + |
| 106 | +Daniel has a big circuit and a big headache. A part of his circuit is a setup phase that finishes with some assertions that need to be made. But that section alone takes most of the proving time, and is largely independent of the rest of the circuit. |
| 107 | + |
| 108 | +He might find it more efficient to generate a proof for that setup phase separately, and verify that proof recursively in the actual business logic section of his circuit. This will allow for parallelization of both proofs, which results in a considerable speedup. |
| 109 | + |
| 110 | +## What params do I need |
| 111 | + |
| 112 | +As you can see in the [recursion reference](https://noir-lang.org/docs/noir/standard_library/recursion), a simple recursive proof requires: |
| 113 | + |
| 114 | +- The proof to verify |
| 115 | +- The Verification Key of the circuit that generated the proof |
| 116 | +- The public inputs for the proof |
| 117 | + |
| 118 | +:::info |
| 119 | + |
| 120 | +Recursive zkSNARK schemes do not necessarily "verify a proof" in the sense that you expect a true or false to be spit out by the verifier. Rather an aggregation object is built over the public inputs. |
| 121 | + |
| 122 | +So, taking the example of Alice and Bob and their guessing game: |
| 123 | + |
| 124 | +- Alice makes her guess. Her proof is *not* recursive: it doesn't verify any proof within it! It's just a standard `assert(x != y)` circuit |
| 125 | +- Bob verifies Alice's proof and makes his own guess. In this circuit, he doesn't exactly *prove* the verification of Alice's proof. Instead, he *aggregates* his proof to Alice's proof. The actual verification is done when the full proof is verified, for example when using `nargo verify` or through the verifier smart contract. |
| 126 | + |
| 127 | +We can imagine recursive proofs a [relay race](https://en.wikipedia.org/wiki/Relay_race). The first runner doesn't have to receive the baton from anyone else, as he/she already starts with it. But when his/her turn is over, the next runner needs to receive it, run a bit more, and pass it along. Even though every runner could theoretically verify the baton mid-run (why not? 🏃🔍), only at the end of the race does the referee verify that the whole race is valid. |
| 128 | + |
| 129 | +::: |
| 130 | + |
| 131 | +## Some architecture |
| 132 | + |
| 133 | +As with everything in computer science, there's no one-size-fits all. But there are some patterns that could help understanding and implementing them. To give three examples: |
| 134 | + |
| 135 | +### Adding some logic to a proof verification |
| 136 | + |
| 137 | +This would be an approach for something like our guessing game, where proofs are sent back and forth and are verified by each opponent. This circuit would be divided in two sections: |
| 138 | + |
| 139 | +- A `recursive verification` section, which would be just the call to `std::verify_proof`, and that would be skipped on the first move (since there's no proof to verify) |
| 140 | +- A `guessing` section, which is basically the logic part where the actual guessing happens |
| 141 | + |
| 142 | +In such a situation, and assuming Alice is first, she would skip the first part and try to guess Bob's number. Bob would then verify her proof on the first section of his run, and try to guess Alice's number on the second part, and so on. |
| 143 | + |
| 144 | +### Aggregating proofs |
| 145 | + |
| 146 | +In some one-way interaction situations, recursion would allow for aggregation of simple proofs that don't need to be immediately verified on-chain or elsewhere. |
| 147 | + |
| 148 | +To give a practical example, a barman wouldn't need to verify a "proof-of-age" on-chain every time he serves alcohol to a customer. Instead, the architecture would comprise two circuits: |
| 149 | + |
| 150 | +- A `main`, non-recursive circuit with some logic |
| 151 | +- A `recursive` circuit meant to verify two proofs in one proof |
| 152 | + |
| 153 | +The customer's proofs would be intermediate, and made on their phones, and the barman could just verify them locally. He would then aggregate them into a final proof sent on-chain (or elsewhere) at the end of the day. |
| 154 | + |
| 155 | +### Recursively verifying different circuits |
| 156 | + |
| 157 | +Nothing prevents you from verifying different circuits in a recursive proof, for example: |
| 158 | + |
| 159 | +- A `circuit1` circuit |
| 160 | +- A `circuit2` circuit |
| 161 | +- A `recursive` circuit |
| 162 | + |
| 163 | +In this example, a regulator could verify that taxes were paid for a specific purchase by aggregating both a `payer` circuit (proving that a purchase was made and taxes were paid), and a `receipt` circuit (proving that the payment was received) |
| 164 | + |
| 165 | +## How fast is it |
| 166 | + |
| 167 | +At the time of writing, verifying recursive proofs is surprisingly fast. This is because most of the time is spent on generating the verification key that will be used to generate the next proof. So you are able to cache the verification key and reuse it later. |
| 168 | + |
| 169 | +Currently, Noir JS packages don't expose the functionality of loading proving and verification keys, but that feature exists in the underlying `bb.js` package. |
| 170 | + |
| 171 | +## How can I try it |
| 172 | + |
| 173 | +Learn more about using recursion in Nargo and NoirJS in the [how-to guide](../how_to_guides/recursive_aggregation.md) and see a full example in [noir-examples](https://github.com/noir-lang/noir-examples). |
0 commit comments