The following contains a list of questions to answer about proof aggregation that we identified during the cryptography team meeting. I might edit the post adding answers to these questions so we can reference this post in the future.
- Can we aggregate the same kind of proofs?
- Can we aggregate different kinds of proofs (logics)?
- Can we efficiently use recursion for aggregation?
- Can we aggregate recursively (aggregated proofs together, aggregated and logic proofs, etc)
- Can we aggregate proofs from different actions?
- What are the costs? (General tendency + compared to
nindividual proofs) - Can we aggregate proofs from different transactions?
- What are the inputs (witnesses, instances) of the aggregation circuit?
- How many circuits do we need? What is the relationship between them?
- What changes, if any, in the RM interface do we need to make to support aggregation?
- When do we want to aggregate the proofs? Do we want aggregated proofs for unbalanced transactions? Does the solver aggregate proofs? What data do they need? Does it require extra data?