sully



9 figures. 0 employees. 1 founder. Not an AI startup. Guess who.

Paid for in flight wifi and it doesn’t work 90% of the time

emsczkp presented the Bulletproofs* (BP*) folding scheme, demonstrating conceptual decoupling of the NARK prover from the folding prover; this enables third-party folding of already-generated proofs and has potential applications in Monero for block producers aggregating multiple-party proofs without secret knowledge, with the paper planned for peer-reviewed submission upon completion.

emsczkp: Regarding questions posed in the previous MRL meeting by jberman, whom I thank for valuable comments on the paper and questions: the folding prover does not necessarily have to coincide with the NARK prover. The NARK prover knows the original secret witness, whereas the folding prover operates on the NARK proofs.

emsczkp: In BP*, NARK proofs are split into instance and witness parts. The folding prover takes both parts as input and performs the fold. Precisely, the witness data used here are those required by the (modified BP) algebraic verifiers for constraint checks and the commitment-consistency check. Such witness data differ from the original secret witness.

emsczkp: So, to answer jberman, the paper designs a folding scheme in which the NARK prover and the folding prover are conceptually decoupled. The folding prover does not need the original secret witness, but it does need the instance-witness parts for the proof and accumulator required by the folding relation. In that sense, a third party could fold already-generated NARK proofs.

emsczkp: I would phrase the application-level implications cautiously, since the paper itself at this stage focuses on the folding scheme design rather than a concrete deployment scenario. But my current intuition is that this decoupling could be useful in applications where one entity produces proofs and another entity folds them.

emsczkp: And that's the case, as also pointed out with jberman: github.com/monero-project…

emsczkp: Here, BP* could potentially enable the idea outlined by kayabanerve, where a block producer folds many proofs from many parties without knowing secrets or interacting with parties.

jberman: When we were initially discussing this CCS proposal, I expressed a desire / interest in seeing if the BP* design could potentially enable exactly that^, so it's exciting to me that this potential is on the table with BP*.

jberman: I admit my math expertise is not deep enough to give a very strong review of the actual math itself, but it seems to pass a smell test with adequate rigor imo. It would be great to get it reviewed by those with the deeper math expertise, but generally I think this work is potentially bearing larger fruits than was initially even proposed, and I'm cautiously optimistic about the direction.

rucknium: emsczkp: Do you plan to submit the paper to a peer-reviewed conference or journal when it is finished?

emsczkp: yes, that's when all future works/steps will be addressed.

libera.monerologs.net/monero-researc… #c665161
