Nova over Cycles of Curves

Let's define functions $\mathsf{Fold_V}(\mathbb{U_1},\mathbb{U_2}), \mathsf{Fold_P}((\mathbb{U_1},\mathbb{W_1}),(\mathbb{U}_2,\mathbb{W}_2))$ as the verifier and prover parts of folding committed relaxed R1CS, respectively. Suppose you have a $\mathsf{R1CS}^{(1)}$ instance over a certain scalar field of $\mathbb{G}^{(1)}$ which is $\mathbb{F}^{(1)}$. To check a folded instance from $\mathsf{R1CS}^{(1)}$ we need to check if the folded instance is the result of correct execution $\mathsf{Fold_V}$. This constraint can be only be implemented efficiently over the base field of $\mathbb{G}^{(1)}$ which is $\mathbb{F}^{(2)}$.

For example, with four $\mathsf{R1CS}^{(1)}$ instances, the folding process would occur in two steps:

First fold: Fold two pairs of instances, resulting in two $\mathsf{R1CS}^{(1)}$ instances but to verify if each of them are constructed correctly, we will need two $\mathsf{R1CS}^{(2)}$ instances.

Second fold: Fold the $\mathsf{R1CS}^{(2)}$ instances into a single $\mathsf{R1CS}^{(2)}$ instance but to verify if it is constructed correctly, we will need one $\mathsf{R1CS}^{(1)}$ instance.

$\mathsf{R1CS}^{(1)}$ to do $i$-th step in $\mathbb{F}^{(1)}$ and accumulate the instances of $\mathsf{R1CS}^{(2)}$ (denoted as $\mathbb{U}^{(2)}_{acc,i+1}$).

$\mathsf{R1CS}^{(2)}$ to do $i$-th step in $\mathbb{F}^{(2)}$ and accumulate the instances of $\mathsf{R1CS}^{(1)}$ (denoted as $\mathbb{U}^{(1)}_{acc,i+1}$ ).

So if we denote the step function in $\mathbb{F}^{(1)}$ as $\mathsf{F}_1$ and $\mathbb{F}^{(2)}$ as $\mathsf{F}_2$. The high level overview of the IVC will be as shown below:

This is the high-level view of $\mathsf{R1CS}^{(1)}$ but $\mathsf{R1CS}^{(2)}$ would also look the same:

To summarize what we need to do in $\mathsf{R1CS}^{(1)}$ is:

Check if the public instance $x_0$ of $\mathbb{U}_i^{(2)}$ is indeed as given.

Check $\mathsf{IsStrict}(\mathbb{U}_i^{(2)})$ ($\mathsf{IsStrict}$ checks if the error term is $\bm{0}$ and scalar is 1).

Calculate $z^{(1)}_{i+1}$ $F^{(1)}$ and accumulate $\mathbb{U}_i^{(2)}$.

NOTE: In $\mathsf{R1CS}^{(2)}$, it will fold $\mathbb{U}_{i+1}^{(1)}$ and $\mathbb{U}_{acc,i}^{(1)}$ (instead of instances of same index). Also, hash assignments will be a bit different in terms of indexing:

Given a proof $\pi = (\mathbb{U}_i^{(1)}, \mathbb{U}_i^{(2)}, \mathbb{U}_{acc,i}^{(1)}, \mathbb{U}_{acc,i}^{(2)})$, $\mathsf{Verify}(i, (z_0^{(1)}, z_0^{(2)}), (z_i^{(1)}, z_i^{(2)}),\pi)$ checks the following:

Check if $\mathbb{U}_i^{(1)}$, $\mathbb{U}_i^{(2)}$, $\mathbb{U}_{acc,i}^{(1)}$ and $\mathbb{U}_{acc,i}^{(2)}$ instances are satisfied.

Check if $\mathbb{U}_i^{(1)}.{\mathsf{x}_1}=\mathsf{hash}(i^{(1)}, z_0^{(1)}, z_i^{(1)}, \mathbb{U}_{acc,i}^{(2)})$. This ensures that this output hash is derived from inputs $z_i^{(1)}, \mathbb{U}_{acc,i}^{(2)}.$

Check if $\mathbb{U}_i^{(2)}.{\mathsf{x}_1}=\mathsf{hash}(i^{(2)}, z_0^{(2)}, z_i^{(2)}, \mathbb{U}_{acc,i}^{(1)})$.

In this version, Wilson Nguyen et al. showed that it is possible to generate proof of evaluation of $2^{75}$ rounds of the Minroot VDF in only 1.46 seconds and proposed a fix which has been reflected to Nova implementation.

This attack mainly stems from the fact that there is no constraints on the $\mathsf{x}_0$. Notice that the verification in the faulty version can be split into 2 parts:

Check if $\mathbb{U}_i^{(2)}$ and $\mathbb{U}_{acc,i}^{(1)}$ instances are satisfied.

Check $\mathsf{IsStrict}(\mathbb{U}_i^{(2)})$

Check if $\mathbb{U}_i^{(2)}.{\mathsf{x}_1}=\mathsf{hash}(i^{(2)}, z_0^{(2)}, z_i^{(2)}, \mathbb{U}_{acc,i}^{(1)})$.

Check if $\mathbb{U}_i^{(1)}$ and \$\mathbb{U}_{acc,i}^{(2)}$ instances are satisfied.

Check $\mathsf{IsStrict}(\mathbb{U}_i^{(1)})$

Check if $\mathbb{U}_i^{(1)}.{\mathsf{x}_1}=\mathsf{hash}(i^{(1)}, z_0^{(1)}, z_i^{(1)}, \mathbb{U}_{acc,i}^{(2)})$.

Step 1: Generate malicious instance $\textcolor{red}{\mathbb{U}^{(2)}_{i-1}}=(\bm{0},\bm{0},(\mathsf{x}_0,\mathsf{x}_1),1)$ where $\mathsf{x}_0=\mathsf{hash}(\cdot,\textcolor{red}{\mathbb{U}_{acc,i-1}^{(2)}})$ is a trash value and $\mathsf{x}_1=\mathsf{hash}((i-1)^{(2)},z^{(2)}_0,z^{(2)}_{i-1},\textcolor{green}{\mathbb{U}_\perp^{(1)}})$.

Step 2: Run the honest prover to get $\textcolor{green}{\mathbb{U}^{(1)}_i}$ and $\textcolor{green}{\mathbb{U}^{(2)}_{acc,i}}$.

Step 3: Do step 1 and 2 for the other field to get $(\textcolor{green}{\mathbb{U}^{(2)}_i},\textcolor{green}{\mathbb{U}^{(1)}_{acc,i}})$.

It is very well explained in the presentation by Wilson Nguyen . It is highly recommended to watch it if you want to fully understand how it works. To elaborate a bit more on this video:

The honest prover will run $\mathsf{R1CS}^{(1)}$ with $\textcolor{red}{\mathbb{U}_{i-1}^{(2)}}$ and some fake accumulation claim $\textcolor{red}{\mathbb{U}_{acc,i-1}^{(2)}}$, and some arbitrary $z_{i-1}^{(1)}$.

$\textcolor{red}{\mathbb{U}^{(2)}_{acc,i}}:=\mathsf{Fold_V}(\textcolor{red}{\mathbb{U}_{i-1}^{(2)}},\textcolor{red}{\mathbb{U}_{acc,i-1}^{(2)}})$

$z_i^{(1)}$

$\textcolor{green}{\mathbb{U}_i^{(1)}}$ with $\textcolor{green}{\mathbb{U}_{i}^{(1)}}.\mathsf{x_0}=\textcolor{red}{\mathbb{U}_{i-1}^{(2)}}.\mathsf{x}_1=\mathsf{hash}((i-1)^{(2)},z^{(2)}_0,z^{(2)}_{i-1},\textcolor{green}{\mathbb{U}_\perp^{(1)}})$.

This makes it possible to use $\textcolor{green}{\mathbb{U}_\perp^{(1)}}$ in $\mathsf{R1CS}^{(2)}$ and it will output:

$\textcolor{green}{\mathbb{U}_{acc,i}^{(1)}}:=\mathsf{Fold_V}(\textcolor{green}{\mathbb{U}_i^{(1)}},\textcolor{green}{\mathbb{U}_{\perp}^{(1)}})$

$\textcolor{green}{\mathbb{U}_i^{(2)}}$ with $\textcolor{green}{\mathbb{U}_{i}^{(2)}}.\mathsf{x_0}=\textcolor{red}{\mathbb{U}_{i-1}^{(1)}}.\mathsf{x}_1=\mathsf{hash}(i^{(1)},z^{(1)}_0,z^{(1)}_{i},{\textcolor{red}{\mathbb{U}_{acc,i}^{(2)}}})$.

With this, we have a valid $\textcolor{green}{\mathbb{U}_i^{(2)}}$ and $\textcolor{green}{\mathbb{U}_{acc,i}^{(1)}}$.

The $\textcolor{red}{\mathbb{U}^{(2)}_{acc,i}}$ generated here is invalid so $\textcolor{green}{\mathbb{U}_i^{(1)}}$ cannot be used as well since the $\textcolor{green}{\mathbb{U}_i^{(1)}}.\mathsf{x}_1$ hash has $\textcolor{red}{\mathbb{U}^{(2)}_{acc,i}}$. But we will just discard them both and generate them in Step 3.

Check $\mathbb{U}_i^{(1)}.{\mathsf{x}_1}=\mathsf{hash}(i^{(1)}, z_0^{(1)}, z_i^{(1)}, \mathbb{U}_{acc,i}^{(2)})$ passes since this hash was also properly constructed by the honest prover.

Check $\mathbb{U}_i^{(2)}.{\mathsf{x}_1}=\mathsf{hash}(i^{(2)}, z_0^{(2)}, z_i^{(2)}, \mathbb{U}_{acc,i}^{(1)})$ passes as well similarly.

Given a proof $\pi = (\mathbb{U}_i^{(2)}, \mathbb{U}_{acc,i}^{(1)}, \mathbb{U}_{acc,i}^{(2)})$, $\mathsf{Verify}(i, (z_0^{(1)}, z_0^{(2)}), (z_i^{(1)}, z_i^{(2)}),\pi)$ checks the following:

Check if $\mathbb{U}_i^{(2)}$, $\mathbb{U}_{acc,i}^{(1)}$ and $\mathbb{U}_{acc,i}^{(2)}$ instances are valid.

Check if $\mathbb{U}_i^{(2)}.{\mathsf{x}_1}=\mathsf{hash}(i^{(2)}, z_0^{(2)}, z_i^{(2)}, \mathbb{U}_{acc,i}^{(1)})$.

Check if $\mathbb{U}_i^{(2)}.{\mathsf{x}_0}=\mathsf{hash}(i^{(1)}, z_0^{(1)}, z_{i}^{(1)}, \mathbb{U}_{acc,i}^{(2)})$.

Here, the previous attack passes the check 1 and 2 but for the last check, it becomes tricky since now we can't just discard the invalid instances and generate another one because $\mathbb{U}_i^{(2)}.{\mathsf{x}_0}$ contains $\textcolor{red}{\mathbb{U}_{acc,i}^{(2)}}$.

Written by from