Add scripting to Monero via the specification of R1CS circuits #116
Comments
|
how opaque is an R1CS program? is it transparent enough for an outside observer to infer something about the content of the program? would this mean all enotes would be R1CS programs, or only the ones with scripting? I see layer 2's, especially rollups (and obviously I prefer ZK to optimistic), as a very important future direction for Monero. however, I also hold that they are acceptable only if the required changes on layer 1 don't meaningfully reduce the privacy of layer 1 transactions, or there are no changes required at all. (I conjecture that's possible, but that's a separate conversation.) |
|
It's a series of scalars. You'd be able to see the expected mathematical relations of the proof without issue. Evaluating what those mathematical relations do is a much more difficult problem, yet not one inherently private. Your question about if all enotes would use this is partially left to the privacy discussion. Due to the computational load of proof production/verification, ideally no, standard enotes wouldn't be R1CS specified. |
|
I would then side with you that this is a no-go in terms of privacy at minimum, but potentially also in terms of performance. |
|
I don't believe the privacy of the program is an issue in the slightest. Yes, the programs would be transparent. The arguments they're evaluated with would be ZK, and the programs can be written such that they show which program they are yet not how they're configured. The concern is that any output using a program is outside of the privacy pool. While that may be an inevitability with scaling (any scaling solution would use a distinct privacy pool), it's not one I care to answer today. |
|
I see: so the script would be transparent, but what it's used for would be private, and who uses it would be somewhat-private (limited by the privacy of the graph of the transaction rings, unless full-chain membership proofs are achieved).
not if it were built with scriptless scripts, i.e. using the signature algorithm's algebraic property to essentially execute programs with it. Andrew Poelstra formalized this and has shown that it works with Schnorr signatures, of which Monero's EdDSA is a variant. there are a couple of papers that describe how payment channel(network)s can be built on such a foundation. it's a longer shot for rollup validation because the scriptless scripts known/developed so far aren't expressive enough, and it's an underresearched area, but something like this would be very much in line with Monero's focus on privacy. |
|
|
This was discussed in Zcash 7y ago. Due to their use of Groth16, they would've had a fixed program length (which is opaque), fixed verification time, and they achieved randomization so you can't distinguish between a Sapling proof and between a full program proof (achieving full privacy on the L1). They didn't move forward with it as the tooling was no where near at a matching level. With the context of now, it'd have allowed full ZK rollups, including EVMs, yet over the underlying blockchain. While I can't propose Groth16 here, as achieving the same guarantees would require a Monero circuit program premised on Groth16, it does point to the end goal use case and question about modern SNARKs which achieve similar enough properties (based on pairing curves/class groups/the discrete log problem). Unfortunately, the current discussion of moving to a curve cycle isn't directly amenable with currently known techniques, and I'm unsure an evolution of such 'perfection' is possible without a trusted setup. |
|
|
|
https://gist.github.com/kayabaNerve/7336bf7d95176deaa9c2807690e8c47e I did end up spending multiple hours literalizing this for distinct reasons. Given those distinct reasons have run their life, I post this now here. |
|
If you are trying to save storage space, this cannot be just pruned. |
|
Mind providing more context? The outputs would not increase in size under the ZeroExec proposal, and the input proofs would be as prunable as our current input proofs. For the data layer, we could inherit behavior from Ethereum and only guarantee data publication and availability for a limited time (as done by its blob space). This also reduces on-chain load by enabling L2s. I'm not inherently sure what your commentary on pruning then is. |
|
I don't know details. I was just stating my perspective as a beginner.
That's good. If it had to be available for ever, no pruning is possible. |
|
If you don't know details, please don't make statements ("this cannot be just pruned") yet ask questions ("how does this impact pruning?"). |
I'll start by saying I don't support this, due to the privacy (and performance) concerns around it.
If Monero outputs specified an R1CS program, an opaque collection of numbers, then outputs could only be spent given a sufficient ZK proof that all conditions are specified. If Monero was to change the ZK proof it used to evaluate the R1CS, all prior outputs would remain spendable. It's only that we couldn't move to a proof which doesn't support R1CS (or whatever circuit description chosen). This would enable Bulletproofs/Bulletproofs+/Bulletproofs++/Halo/Nova/more now, yet prevent us from accessing the Plonk family without a converter (which probably could be trivially done, albeit inefficiently).
This would enable ZK rollups on Monero, not bind us to a proof within Monero, and support complex wallet descriptors.
The text was updated successfully, but these errors were encountered: