Arithmetization

A Rank-1 Constraint System (R1CS) is a standard format for representing arithmetic circuits as a set of quadratic constraints. It is the primary intermediate representation used by many zk-SNARK systems like Groth16 and Marlin.

• Each constraint is of the form: (A · s) * (B · s) = (C · s), where s is the witness vector.
• It provides a flexible way to encode complex program logic into a form suitable for polynomial commitment schemes.

Plonkish arithmetization is the constraint system framework used by the Plonk proof system and its variants. It generalizes R1CS by using custom gates and lookup arguments.

• Constraints are expressed via selector polynomials that activate specific gate equations.
• This allows for more efficient representation of common operations (like XOR, bitwise operations) and supports universal trusted setups.

Algebraic Intermediate Representation (AIR) is the arithmetization method used by STARKs. It represents computation as the execution trace of a virtual machine over multiple cycles.

• The correctness of the trace is enforced by constraint polynomials that must vanish over a specified domain.
• This method is highly parallelizable and does not require a trusted setup, making it foundational for scalable, transparent proofs.

Lookup arguments, such as those in PlonkUP and Halo2, are a powerful arithmetization technique for proving a value exists in a pre-defined table.

• This is far more efficient than expressing complex, non-arithmetic operations (e.g., range checks, cryptographic primitives) with traditional gates.
• It significantly reduces the number of constraints and proof size for operations with sparse, non-polynomial relationships.

High-level domain-specific languages (DSLs) like Noir and Circom provide a developer-friendly interface for writing zero-knowledge circuits, which are then compiled down to low-level arithmetization formats.

• Circom compiles to R1CS.
• Noir can target multiple backends, including ACIR (Aztec's IR) and eventually Plonkish arithmetization.
• These tools abstract the complexity of directly writing constraint systems.

Polynomial Interactive Oracle Proofs (IOPs) are a theoretical framework that underlies modern proof systems. Arithmetization transforms a computation into a set of low-degree polynomials.

• The prover commits to these polynomials, and the verifier queries them via oracle access.
• Systems like Marlin, Plonk, and STARKs can be viewed as compiling a Polynomial IOP with a specific polynomial commitment scheme (e.g., KZG, FRI).

Fully on-chain games and autonomous worlds use arithmetization to verify complex game state transitions efficiently. This allows:

• The game's core logic (e.g., physics, rules) to be defined as a deterministic state transition function.
• Each turn or action batch is arithmetized into a proof, enabling trustless verification by other players or a Layer 1.
• This creates a cryptographically verifiable game world where the state is secured by cryptography, not just consensus.

Rank-1 Constraint System (R1CS) is a standard format for representing arithmetic circuits, which are the foundation of zk-SNARKs. It expresses a computation as a set of quadratic equations of the form A * B = C, where A, B, and C are linear combinations of variables.

• Purpose: Provides a uniform way to describe complex computations for proof systems.
• Role: The output of the arithmetization step, ready to be converted into a polynomial for proving.

Plonkish arithmetization is a more flexible framework used by proof systems like Plonk, Halo2, and zkEVM. It generalizes R1CS by using custom gates and lookup tables.

• Custom Gates: Allow complex operations (e.g., elliptic curve addition) to be expressed as a single constraint.
• Lookup Tables: Enable efficient proof of that a value exists within a pre-defined set, optimizing proofs for operations like range checks or bytecode execution.

A Polynomial Commitment Scheme (PCS) is a cryptographic primitive that allows a prover to commit to a polynomial and later reveal evaluations of it, proving the evaluations are consistent with the committed polynomial without revealing the polynomial itself.

• Core Function: Enables the polynomial IOP (Interactive Oracle Proof) step in zk-SNARKs and zk-STARKs.
• Examples: KZG commitments (used in Plonk, Groth16), FRI (used in STARKs), and Bulletproofs.

Algebraic Intermediate Representation (AIR) is an arithmetization method used by STARK proof systems. Instead of circuits, it models computation as the execution of a state machine over discrete time steps.

• Structure: Defines a set of polynomial constraints that must hold for every row (time step) in an execution trace.
• Advantage: Highly parallelizable and transparent, not requiring a trusted setup, making it suitable for scalable proofs.

An arithmetic circuit is a directed acyclic graph (DAG) representing a computation using only addition and multiplication gates over a finite field. It is the primary computational model for arithmetization.

• Inputs/Outputs: Wires carry field elements; gates perform operations.
• Purpose: Converts program logic (e.g., a smart contract) into a format that can be expressed as polynomial constraints for zero-knowledge proofs.

A zk-SNARK (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) is a cryptographic proof system that relies heavily on arithmetization. The prover uses it to demonstrate they possess certain information without revealing it.

• Process: The statement is first arithmetized into a circuit (e.g., R1CS), then turned into polynomials, and finally a proof is generated using a PCS.
• Application: Enables private transactions (Zcash) and scalable Layer 2 rollups (zk-Rollups).