Quantum Protocol Specifications

At this stage, each user-submitted proof ($\pi$) (excluding SP1 proofs) and its corresponding public inputs ($pis$) are individually verified within a Risc0 zkVM circuit. This circuit implements the verification algorithm for the proving scheme and some hashing. The result of this process is a compressed proof ($\pi_{reduced}$) along with new reduced public inputs ($pis_{reduced}$).

The sp1 proofs and the reduced proofs ($\pi_{reduced}$), along with their public inputs ($pis_{reduced}$), are recursively verified and encoded into two Merkle trees - using Sp1 zkVM for the former, and Risc0 zkVM for the latter. This produces the 2 aggregated proofs ($\pi_{agg1}, \pi_{agg2}$) and their corresponding aggregated public inputs ($pis_{agg1},pis_{agg2}$).

The aggregated proofs ($\pi_{agg1},\pi_{agg2}$) and the corresponding public inputs ($pis_{agg1},pis_{agg2}$) undergo a further transformation at this stage. The proofs with their associated public inputs ($pis_{snark1},pis_{snark2}$) are recursively verified and converted into 2 Groth16 proofs ($\pi_{snark1},\pi_{snark2}$) using the circuits provided here and here, respectively.

At the final stage, the Groth16 proofs ($\pi_{snark1},\pi_{snark2}$) and their public inputs ($pis_{snark1},pis_{snark2}$) are recursively verified inside a Gnark circuit. This produces the final proof ($\pi_{final}$) and its public inputs ($pis_{final}$).

$user\_circuit\_data$: The circuit-specific data, which varies based on the proving scheme.

$risc0\_image\_id$: The unique identifier for the reduction circuit used in the protocol.

For Gnark Groth16/Plonk, the user's Verification Key is serialized into bytes using the Borsh serialization format. The serialized bytes are then hashed using the Keccak Hash algorithm to compute $user\_circuit\_data$.

For SP1 Succinct Proofs, $user\_circuit\_data$ is computed from SP1VerifyingKey using this function.

In this stage, the user submits the proof $\pi_{u}$ they want aggregated, along with the corresponding public inputs $pis_{u}$. In return, the user receives a unique proofId. This proofId is computed as follows:

This step produces a compressed proof ($\pi_{red}$), unifying proofs from different proving schemes into a standardized format. The reduction circuit accepts all the necessary data for verifying a proof as private input, while the public input for the reduction circuit is typically as follows:

$vkey_{u}$ : User circuit verification key

$\pi_{u}$ : Proof user wants to get aggregated corresponding to $vkey_{u}$

$pis_{u}$: Public inputs corresponding to $\pi_{u}$

Public Input ( $pis_{red}$ : Reduction Circuit Public Input):

$pis_{red}$ $( \ keccak(keccak(vkey_{u} ) \ || \ keccak(\pi_{u}) \ || \ keccak(pis_{u})))$

$snark\_verify(vkey_{u}, \pi_{u}, pis_{u}) == True$

$pis_{red} == ( \ keccak(keccak(vkey_{u}) \ || \ keccak(\pi_{u}) \ || \ keccak(pis_{u})) )$

$image\_id_{u}$ : User risc0 circuit Image Id

$journal_{u}$ : User generated risc0 journal

Public Inputs ( $pis_{red}$ : Reduction Circuit Public Input):

$pis_{red}$$(keccak(image\_id_{u} \ || \ keccak(journal_{u}) ))$

$risc0\_verify\_compressed(image\_id_{u}, journal_{u}) == True$

$pis_{red} ==(keccak(image\_id_{u} \ || \ keccak(journal_{u})))$

$common\_data_{u}$: User plonky2 circuit common_data

$vkey_{u}$: User circuit verification_only data

$\pi_{u}$: Plonky2 proof user wants to get aggregated corresponding to $vkey_{u}$

$pis_{u}$ : User circuit public inputs

$pis_{red}$($keccak(keccak(vkey_{u} \ || \ common\_data_{u}) \ || \ keccak(\pi_{u}) \ || \ keccak(pis_{u}))$)

$plonky2\_verify\_proof(common\_data_{u}, vkey_{u}, pis_{u}, \pi_{u})$

$pis_{red} == keccak(keccak(vkey_{u} \ || \ common\_data_{u}) \ || \ keccak(\pi_{u}) \ || \ keccak(pis_{u}))$

$protocol\_data_{u}$

$s\_g2_{u}$

$pis_{u}$

$\pi_{u}$

$pis_{red}$$(keccak(protocol\_data_{u} \ || \ s\_g2_{u}) \ || \ keccak(\pi_{u}) \ || \ keccak(pis_{u}))$

$halo2\_verify(protocol\_data_{u}, pis_{u}, s\_g2_{u}, \pi_{u})$

$pis_{red} == (keccak(protocol\_data_{u} \ || \ s\_g2_{u}) \ || \ keccak(\pi_{u}) \ || \ keccak(pis_{u}))$

In the aggregation stage, all the reduced proofs and public input pairs are recursively verified inside a single risc0 circuit and all the SP1 proofs are recursively verified inside a single sp1 circuit. These circuits encode all the user's proof in binary Merkle trees, producing 2 compressed proofs $(\pi_{agg1},\pi_{agg2})$

Public Input ($pis_{agg1}$): $risc0\_root$

Reduced Proofs: $(\pi_{red_{i}})_{i=0}^{i=batch\_size}$

Reduced Public Inputs: $(pis_{red_{i}})_{i=0}^{i=batch\_size}$

User Proof Types: $(proof\_type_{i})_{i=0}^{i=batch\_size}$

User Proof Hashes: $(\pi\_hash_{i})_{i=0}^{i=batch\_size}$

User Public Input Hashes: $(pis\_hash_{i})_{i=0}^{i=batch\_size}$

User Circuit Datas: $(ckt\_data)_{i=0}^{i=batch\_size}$

$(verify\_risc0\_proof(\pi_{red_{i}}, pis_{red_{i}}, redn\_image\_id_{i}) == True)_{i=0}^{i=batch\_size}$

$(pis_{red_{i}} == keccak(ckt\_data_{i} \ || \ \pi\_hash_{i} \ || \ pis\_hash_{i} ))_{i=0}^{i=batch\_size}$

$risc0\_root == construct\_tree(leaves); \\leaves=[keccak(keccak(ckt\_data_{i} \ || \ redn\_image\_id_{i}) \ || \ \pi\_hash_{i} \ || \ pis\_hash_{i})]_{i=0}^{i=batch\_size}$

Public Input ($pis_{agg2}$): $sp1\_root$

User Proofs: $(\pi_{u_{i}})_{i=0}^{i=batch\_size}$

Public Inputs: $(pis_{u_{i}})_{i=0}^{i=batch\_size}$

User Public Inputs: $(pis_{i})_{i=0}^{i=batch\_size}$

User Circuit Datas: $(ckt\_data)_{i=0}^{i=batch\_size}$

$(verify\_sp1\_proof(ckt\_data_{i},\pi_{u_{i}}, pis_{u_{i}}) == True)_{i=0}^{i=batch\_size}$

$sp1\_root == construct\_tree(leaves); \\leaves=[keccak(ckt\_data_{i} \ || \ pis\_hash_{i})]_{i=0}^{i=batch\_size}$

This stage converts compressed proofs ($\pi_{agg1},\pi_{agg2}$) to 2 groth16 proofs ($\pi_{snark1},\pi_{snark2}$) using the circuits provided here and here. The only reason for this step is to reduce on-chain verification cost on Ethereum. The public input in this stage which is the $super\_root$ is defined as:

$super\_root == keccak(risc0\_root\ || \ sp1\_root)$

At this stage, the Groth16 proofs ($\pi_{snark1},\pi_{snark2}$) and their public inputs ($pis_{snark1},pis_{snark2}$) are recursively verified inside a Gnark circuit. This produces the final proof ($\pi_{final}$) and its public inputs ($pis_{final}$). Additionally, this stage future-proofs the system by enabling seamless integration with additional VMs for reduction and aggregation, requiring minimal modifications.

Once the Snarkification step is complete, the Groth16 proof ($\pi_{final}$) is submitted to the QuantumVerifier contract on Ethereum for on-chain verification. The corresponding public input ($pis_{final}$), which is the Super Root, is also passed to the contract.

The QuantumVerifier contract validates the proof against the public input using the Groth16 verifier logic. If the verification is successful, the Super Root ($pis_{final}$) is stored in the Quantum contract's state as a record of successful aggregation and proof verification.

After the Super Root ($pis_{final}$) is verified and stored on-chain, individual users can perform an Inclusion Check to verify that their proof ($\pi_u$) was correctly included in the aggregated proof.

The inclusion_proof is a Merkle proof that demonstrates that the user’s proof ($\pi_{u}$) was correctly verified using the appropriate verifier circuit identified by $redn\_image\_id_{proving\_scheme}$, corresponding to the public inputs ($pis_{u}$) for the circuit with circuit data $ckt\_data_{u}$. It also confirms that this verified proof was included in the Merkle tree whose root is the Super Root.

The circuit_hash uniquely identifies the user’s circuit and is derived during the Circuit Registration phase as: $circuitHash=Keccak(user\_circuit\_data ∣∣ risc0\_image\_id)$

$Keccak(\pi_{u})$: The hash of the user’s individual proof.

$pis_{u}$: The public inputs corresponding to the proof.

$inclusion\_proof$: A Merkle proof that links the user’s proof to the Super Root stored on-chain.

Inside the protocol smart contract, the submitted data is used to reconstruct the Merkle leaf as: $leaf=Keccak(circuitHash ∣∣ Keccak(π_u) ∣∣ Keccak(pis_u))$

If the inclusion_proof is valid and the Merkle proof matches the Super Root, the user’s public inputs ($pis_{u}$) are confirmed as part of the aggregated proof.