►
From YouTube: Exploring New Proving Systems
Description
Filecoin's cryptographic proofs currently use the Groth16 proving system, we are exploring new proof systems which would allow us to add new proof types without the need for a labor intensive trusted-setup as well as reduce the storage footprint of the proofs published by Filecoin storage providers. Our goal is to achieve these without sacrificing proving or verification time.
A
Hello,
my
name
is
jake.
I
am
a
software
developer
software
engineer
at
filecoin.
I
work
on
primarily
on
the
cryptographic
proofs
and
like
the
file
coin
proofs
that
you
may
know
about,
but
today
I'm
going
to
be
talking
about
what
cryptographic
proofs
are,
how
they're
used
in
filecoin
some
of
the
scaling
limitations.
A
So
then
what
are
cryptographic
proofs?
They
are
not
what
you
would
typically
consider
to
be
like
a
traditional
mathematical
proof
like,
for
example,
like
there
will
be
a
proof
statement,
a
thing
that
you're
proving
and
then
you'll
follow
like
a
logical
sequence
of
lines
that,
like
have
to
be
logically
consistent
with
each
other.
A
Proof
systems
is
that
you
can
verify
proofs
from
them
faster
than
actually
doing
the
computation
yourself,
partly
why
that
is
that
they're
probabilistic,
meaning
that
the
verifier
has
access
to
some
randomness
which
they
can
exploit
to
for
fast
verification,
but
that
also
introduces
a
small
probability
of
very
small
probability
that
false
proofs
will
pass
verification.
This
is
one
of
the
main
differences
with
like
a
traditional
mathematical
proof
is
traditional
mathematical
proofs.
A
A
If
the
statement
is
true,
another
part
of
what
makes
cryptographic
proofs
a
little
bit
different
than
traditional
proofs
is
that
they're
written
for
satisfaction
problems
rather
than
evaluation
problems
by
evaluation
problem.
I
would
mean,
given
some
inputs,
follow
these
exact
steps
to
compute
the
output,
we're
actually
evaluating
the
function
line
by
line
a
satisfaction
problem
is
more
along
the
lines
of
given
some
function.
A
So
kind
of
this
is
a
high
level
diagram
proofs
for
general
computation
cryptographic
proofs.
They
can
be
computation
specific
or
they
can
be
for
general
computations,
which
generally
is
any
arithmetic
computation,
but
there
can
be
more
operations
and
generally
how
they
work
out,
and
maybe
it's
not
for
every
proof
system
as
clearly
delineated
as
this
diagram.
But
you
start
with
some
general
computation,
like
whatever
that
could
be
like
computing,
a
hash
function
or
you
know
inverting
an
integer
or
whatever
arithmetic
program.
A
For
many,
like
arithmetic
computations,
the
hardware
model
is,
you
have
addition
and
multiplication
are
your
arithmetic
operations.
Then
you
have
like
your
integer
type
and
those
can
be
basically
fed
into
each
other
inputs
and
outputs
to
instructions,
and
that
would
be
kind
of
like
the
hardware
model
and
then
once
you've
kind
of
modeled.
Your
computation,
using
like
this
hardware
like
integers
and
additional
multiplication
or
whatever
else
you
want
to
write
your
computation
as
a
satisfiability
problem,
which
is
okay
to
do
this
computation.
A
What
certain
values
and
processor
would
be
it'd
kind
of,
be
like
that,
and
then
once
you
have
a
satisfiability
problem
and
it's
using
like
operations
and
integers
or
whatever
type
of
numbers
the
proof
system
wants
you
to
use,
then
you
convert
it
into
some
sort
of
algebraic
statement
or
algebraic
form.
Here,
for
example,
I
have
like
a
matrix
times
a
vector,
then
a
product
of
that
with
a
matrix
times
a
vector,
and
then
you
assert
that
that's
equal
to
some
other
matrix
times
a
vector
w.
A
That
would
be
like
one
sort
of
algebraic
form
that
you
can
put
these
in
like
matrix,
vector
multiplication,
and
then
you
assert
some
equality.
Sometimes
it
has
to
do
with
polynomials,
but
there's
some
algebraic
form
that
these
proof
systems
can
that
a
certain
proof
system
will
operate
on
and
then
the
proof
system
itself
it
defines
like
how
do
you
use
this
algebraic
form
to
like
prove
and
verify
proofs,
and
then
also
cryptography
is
used
to
enforce
that
the
prover
has
actually
behaved
and
done
the
protocol
correctly.
A
In
reality,
the
proof
system
kind
of
sets
some
of
these
things.
Sometimes
it
doesn't
it's
not
just
as
clear-cut
as
the
proof
system
gives
you
a
proven
verify
function
like
sometimes
it
may
say
exactly
what
kind
of
satisfiability
problems
are
allowed.
What
the
hardware
model
is,
and
usually
it
sets
like
what
the
algebraic
statements
are,
that
it
ultimately
will
work
on.
A
So
there
are
many
different
types
of
cryptographic:
proof
systems
and
one
of
the
most
common
are
called
snarks
and
that
stands
for
succinct,
non-interactive
arguments
of
knowledge.
Succinct
means
you
have
fast
verification.
Non-Interactive
means
that
the
prover
and
verifier
don't
have
to
interact.
The
prover
just
can
send
the
verifier
a
single
message,
the
proof
or
just
publish
it
publicly,
and
anyone
can
verify
it
or
the
verifier
can
verify
it.
A
Arguments
of
knowledgeable
argument
means
that
the
proof
system
or
the
proof
itself
is
secure
against
a
cheating
proverb
unless,
when
the
prover
is
computationally
bounded
like
in
modern
cryptography,
most
cryptographic
techniques
are
secure
when
you
assume,
like
the
there's,
some
bound
on
the
provers
or
the
cheaters,
computational
ability
or
resources
on
these
an
argument
means
the
same
thing.
It's
a
proof
system,
that's
sound.
A
And
there's
also
a
public
ledger
which
basically
keeps
the
state
of
the
network.
It
says,
like
what
storage
providers
are
currently
providing,
what
storage
to
what
clients
and
how
much
resources
that
they
they
have
available,
but
what's
nice
about
snarks
and
why
there
can
be
used
in
filecoin
is
that
snarks
have
small
proofs
and
efficient
verification,
non-interactive
proofs,
meaning
like
the
verifier
improver,
don't
have
to
communicate,
which
is
really
useful
in
a
like
public
ledger
type
system
and
the
verifier
improver.
A
They
don't
have
much
additional
overhead
because
of
these
proof,
systems
like
the
prover
celeste
do
like
the
computation
that
they're
proving,
but
the
proof
system
doesn't
add
much
onto
that
and
fast
verification
yeah.
It
just
helps
for
people
who
are
verifying
the
the
proofs
that
are
generated
by
storage
providers.
A
A
A
One
of
these
proving
systems
is
like
proof,
size,
verification
time
which
usually
are
highly
correlated
does
the
prove
system
add
like
require
a
lot
of
resources
from
the
prover.
On
top
of
the
computation
that
they're
proving
what
sort
of
like
mathematical
operations
does
the
proof
system
require
improving
verifying,
because
some
mathematical
operations
are
really
expensive.
A
So,
even
if
there's
a
small
number
of
of
these
operations
that
could
still
be
really
really
expensive,
and
that
would
be
like
something
like
ffts,
which
would
like
multiply,
polynomials
or
you
just
basically
use
for
multiplication,
but
also
certain
like
elliptic
curve
operations
are
really
expensive.
So
you
basically
have
to
weigh
out
the
cost
of
like
those
the
types
of
operations
you're
doing
and
the
numbers
of
them
would
factor
into
your
own.
A
Your
overheads
on
the
proven
verifier
side,
but
also
you
can
look
at
potential
optimizations
for
those
operations,
which
is
something
that
falcon
engineers
have
done
a
lot
of
like.
How
do
you
optimize
these
proof
systems
beyond
like
in
practice?
Many
cryptographic,
proof
systems
and
snarks?
Specifically,
they
have
some
setup
procedure.
A
A
You
may
be
limited
by
the
size
of
computations
that
you're
allowed
to
prove
because
like
if
you
have
run
trusted
setup
for
whatever
like
proofs
with
like
a
hundred
multiplications
and
then
you
come
say,
I
want
to
actually
prove
something
with
like
200
multiplications.
Well,
you
can't
do
it.
You
have
to
do
another
one
of
these
very
costly
setup
procedures,
so
that's
where
transparent
snark
systems
would
be
really
helpful.
A
Then,
when
you're
choosing
a
snark
or
cryptographic
proof
system,
you
want
to
think
about
its
hardware
model
or
how
it
internally
or
how
you
represent
just
a
general
computation
using
like
the
operations
that
the
proof
system
like
allows
you.
So,
for
example,
like
I
guess,
if
you
have
a
computation,
that's
using,
like
maybe
bits
like
if
you
were
doing
like
a
shaw,
hash
or
something,
and
you
want
to
prove
something
about
that,
but
your
proof
system
it
uses
like
integers
and
doesn't
have
like
bitwise
operations
or
binary
operations
or
boolean
logic.
A
Well,
the
transition
from
bits
to
integers
and
like
arithmetic
operations,
improve
systems
hardware
model-
you
may
get
a
big
blow
up
and
it
may
not
be
the
right,
snark
or
proof
system
for
you
also.
You
might
want
to
consider
what
is
the
aggregate
ability
I'll
talk
more
about
this
later
with
proof
systems,
but
it
basically
allows
you
to
to
batch
together
proofs.
A
A
lot
of
people
use
it.
I
think
I'm
running
low
on
time,
but
the
way
filocoin
proves
is
it's.
A
decentralized
storage
network
is
basically
have
a
client
that
says
I
need
file,
storage,
a
approver
or
storage
data
center
person
says
I'll,
store
your
file,
and
then
they
have
to
prove
that
there's
the
approver
has
to
prove
that
they're
storing
the
file,
then
the
client
says
like
it
needs
some
proof
that
they
will
that
the
file
has
been
maintained
on
in
the
data
center.
A
We've
have
many
solutions
to
like
some
of
the
like
some
of
these
snark
scaling
issues,
but
halo
2
is
the
one
that
I've
really
been
looking
at
and
it's
a
new
proof
system,
not
grout
16,
but
it
has
a
transparent
setup,
which
means
that
you
don't
have
a
trusted
setup
or
setup.
So
you
can
prove
any
statement
that
you
want.
You
can
prove
like
anything.
A
So
if
so,
you
could
create
one
proof
that
maybe
verifies
like
a
thousand
other
proofs
and
then
just
post,
that
to
the
public
ledger
and
it
essentially
kind
of
makes
a
tree
structure
to
my
understanding
of
the
so
far.
Zcash
is
currently
like
implementing
this
and
getting
it
down,
but
there
are
papers
and
stuff
about
it.
Halo
2
also
has
weaker
security
assumptions,
meaning
it
doesn't
assume
as
much
as
like
our
current
proving
systems
like
route
16
like
it
has
yeah,
it
assumes
less
about
the
environment.
A
Usually
that
means
there's
more
security
or
you
they're
a
little
bit
more
realistic.
Maybe
if
you
have
weaker
security
assumptions
and
you
get
some
new
arithmetic
operations,
you
can
do
like
within
the
hardware
model
of
the
proof
system
like,
namely
you
have
like
lookup
tables
like
you
can
basically
do
like
dictionary
lookups
or
like
hash
map
lookups,
which
is
pretty
cool,
and
that's
not
something
that
I
know
of
in
other
snarks,
and
you
have
other
arithmetic
operations
like
you
can
do.
A
This
is
currently
in
developments
and
yeah
working
with
ecc
and
the
ethereum
foundation
on
it.
Yeah
zcash
has
done
a
lot
of
work.
They
have
papers
on
it,
they
are
leading
the
developments
of
the
libraries
in
rust,
but
everyone
is
really
excited
to
get
it
fully
developed
and
production
ready
and
deployed,
possibly
in
in
various
public
ledger
type
systems.