ZK Jay

Here's a solution: Let f be a univariate polynomial who's roots are the claimed unique values. A prover can commit to this polynomial using your favorite PCS. Any scheme will work if you're smart enough. Then, the prover can commit to additional polynomials p and q. Now, all we need is evaluation proofs of f(r), p(r), and q(r). Additionally, the formal derivative f' has an evaluation that can be easily evaluated several different ways (X margins too small). Verifier simply needs to check that f(r)p(r)+f'(r)q(r)=1. Proof: Schwartz-Zippel gives soundness, Bezoit and weak Nullstellensatz give completeness.

We have been aggressively optimizing our GPU execution to reduce the cost of our polynomial commitments. This is the dominating cost (asymptotically and concretely) of most proof systems. However, as of these most recent benchmarks, the costs of our commitment scheme are now about 40% of our overall proof time (and dropping). What's next? The other 60% 😎

When you're looking at the Proof of SQL benchmarks, note that this graph is deceptive. It's a log-log graph, so it makes it look like performance decreases as the dataset scales. The opposite is true. In fact, performance on this graph is sublinear. We haven't even hit the asymptomatic linear scaling until we reach close to 10 million rows of data.

Super excited to launch Proof of SQL today! Proof of SQL is a ZK protocol that enables scalable data processing beyond anything we’ve seen in Web3. The trick that gives the speed unlock here is that we built the protocol around the data: the commitments are data-driven, the arithmetization is data-driven, and the acceleration is data-driven. For example, let’s think about the commitments. Merkle tree based data structures are not native to ZK: they require a minimum of n hashes to access n items of data. This is a large overhead simply for data access. Instead, we use the proof-native commitment scheme as the data structures holding the data itself. This begs the question: what commitment schemes are conducive to holding data? There are 3 major criteria that we think are critical: 1) It has to scale. In other words, it should be able to support huge amounts of data. A trusted setup of size 2^30 only can support roughly a billion data elements. That's not a lot of data. 2) It has to be succinctly updateable/appendable. In other words, we want a commitment scheme that can be incrementally modified without needing access to the entire dataset, but only needing a small cache to modify it. 3) It needs succinct evaluation proofs and fast proof and verification times. Merkle trees satisfy 1 and 2, but not 3. KZG-style commitments satisfy 2 and 3, but not 1. FRI-style commitments satisfy 1 and 3, but not 2. The Dory commitment scheme satisfies all three. That's what we use today, but stay tuned, because we can do even better. 👀🚀