Validating VK for function privacy

Resource Machine Stuff
2

Thanks for your thoughts.

One thing I wonder is what is the real purpose of hashing the verifying key. In the DP-only case, I believe is to avoid reading it from the compliance circuit. In the FP, if using a length-reducing commitment, it would give the same effect.

In principle, or intuitively, the compliance checks should not be affected by whether we are in DP-only or in FP, (or as you put it, should be ‘free of side effects’). This is because the checks in the compliance and action units are orthogonal.

In the PR, @xuyang suggested this strategy:

  1. The compliance circuit receives logic_vk_hash as a witness from resources and produces the commitment as an instance.
  2. The logic proof is generated normally.
  3. The recursive circuit generates the logic commitment using logic_vk and the same randomness as in the compliance circuit, verifies logic_vk_hash = hash(logic_vk), and computes c = commit(logic_vk_hash, r). The commitment goes to the instance as well.
  4. Finally, check that the commitments from step 1 (compliance instances) and step 3 (recursive instances) are equal outside the circuit.

I wonder whether the compliance circuit could just read the commitment, the same way is done currently (@xuyang). Only in the augmented (outer) logic circuit correct generation of commitments is enforced.

Yes they are, esentially, the same. Receive as input a commitment of the (verifying key of the) circuit, enforce its correctness, and run the (verifier of the) circuit.

In the sentence above the recursive strategy includes parenthesis, the zkVM approach doesn’t. However, evil is in details. At this moment we are not even sure whether the zkVM approach works, or what’s needed to make it work.

Is this really a problem? Or in other words, it is our (Anoma/RM) responsability? I’d say we should only worry about developing sound code. That is, ‘standardize’ sound circuits by providing reference implementations for both, DP-only and FP cases. The verifying key of the FP outer layer can be hard-coded in code. That would the simplest, and more realistic, option, I think.