In technical terms, a folding scheme is a method for recursive proof composition. It operates on two Relaxed R1CS (Rank-1 Constraint System) instances, which represent computational claims. The prover takes these two instances and generates a single, new folded instance that is a commitment to both original ones. Crucially, the verifier's work to check the folded instance is significantly less than checking the two original instances separately, enabling efficient verification of long-running computations. This process is a core component of Nova, a prominent recursive SNARK.
LABS
Glossary
Folding Scheme
A folding scheme is a cryptographic primitive that allows two instances of a constraint system to be combined into a single instance, enabling efficient recursive proof composition for zk-SNARKs.
Chainscore © 2026
definition
CRYPTOGRAPHIC PRIMITIVE
What is a Folding Scheme?
A folding scheme is a cryptographic protocol that allows a prover to combine, or 'fold', two instances of a computational statement into a single, smaller instance, while preserving the ability to verify the original claims.
The power of folding lies in its incrementally verifiable computation (IVC). In IVC, a prover executes a function step-by-step. After each step, it uses the folding scheme to combine the proof for the new step with the accumulated proof for all previous steps. This creates a single, constantly updated proof that attests to the correct execution of the entire sequence. Unlike traditional SNARKs that prove the entire computation at once, folding allows the proof to be built incrementally, which can be more memory-efficient for very long computations.
Folding schemes are distinguished from SNARKs (Succinct Non-interactive Arguments of Knowledge) by their lack of a succinct verification key and their non-succinct proof size. The output of a folding step is not a succinct proof itself but a folded instance that must still be proven. Therefore, a folding scheme is typically paired with a final, dedicated SNARK (like a Spartan-based proof) to compress the final folded instance into a single, small proof for practical use. This two-stage approach—folding for incremental computation and a final SNARK for succinctness—defines the architecture of Nova-like systems.
Key properties of a secure folding scheme include knowledge soundness (a prover can only create a valid folded instance if they know valid witnesses for the original instances) and zero-knowledge (the folded instance reveals no information about the witnesses). These properties are maintained recursively throughout the IVC process. The technique enables powerful scalability applications, such as proving the correct execution of a zkVM (zero-knowledge virtual machine) over millions of steps or creating parallelizable proof generation where different parts of a computation can be folded together.
key-features
FOLDING SCHEME
Key Features
Folding schemes are cryptographic proof systems that enable efficient verification of large computations by recursively combining multiple instances into one, drastically reducing proof size and verification cost.
01
Recursive Proof Composition
The core mechanism where two or more Nova proof instances are folded into a single, new instance. This process:
- Combines claims about two separate executions into one claim about their sum.
- Uses a relaxed R1CS structure to handle incremental verification.
- Enables incremental computation where each step's proof folds into the next, avoiding the need to verify the entire chain from scratch.
02
Relaxed R1CS
A modified Rank-1 Constraint System (R1CS) that is fundamental to folding. It introduces two additional vectors (error term E and scalar u) to the standard R1CS equation Az ∘ Bz = Cz. This relaxation allows the prover to:
- Accumulate verification errors across multiple folded instances.
- Maintain a single, succinct statement that represents the entire computation history.
- Later be compiled into a final, succinct proof via a zk-SNARK like Spartan.
03
IVC & PCD
Folding schemes are the engine for Incremental Verifiable Computation (IVC) and Proof-Carrying Data (PCD). In IVC:
- A prover demonstrates correct execution of a long-running or stateful computation step-by-step.
- Each step's proof is folded into a single, evolving running instance.
- This creates a succinct certificate for the entire computation history, enabling efficient blockchain state verification and rollup recursion.
04
Non-interactive Folding
A later enhancement that removes the need for interactive commitment phases between prover and verifier. Using a Fiat-Shamir transform and cryptographic commitments, the protocol becomes non-interactive. This is critical for blockchain applications, as it allows:
- Proof generation without live verifier participation.
- Batching of proof folding off-chain.
- Integration into decentralized protocols where interaction is impractical.
05
Prover Efficiency
Folding offers significant prover speed-ups compared to directly generating a SNARK for a large computation. The primary cost is dominated by:
- Multiexponentiations (MSMs) for commitment operations during each fold.
- Field operations within the relaxed R1CS.
- This makes it asymptotically more efficient for long, repetitive computations, as the cost per step is largely constant and avoids the super-linear overhead of monolithic SNARK proving.
06
Verifier Efficiency & Succinctness
The verifier's work is exceptionally light. After the initial setup, verifying a fold requires only:
- A constant number of cryptographic group operations (e.g., elliptic curve additions).
- Simple field arithmetic.
- The final, folded instance is succinct—its size is independent of the number of steps folded. This enables verification on-chain with minimal gas costs, a key advantage for Layer 2 rollups and zkVMs.
how-it-works
ZK-PROOF MECHANISM
How a Folding Scheme Works
A folding scheme is a cryptographic primitive that incrementally compresses the verification of multiple computations into a single, smaller statement, forming the core of Nova and other recursive proof systems.
A folding scheme is a cryptographic protocol that allows a prover to combine, or "fold," two instances of a computational statement (e.g., two Non-deterministic Polynomial (NP) statements) into a single new instance. Crucially, this new folded statement is of the same size and structure as the original inputs. The verifier's work is reduced to checking this single combined claim, along with a small, constant amount of auxiliary data. This process does not itself generate a zero-knowledge proof; instead, it accumulates computation in a compressed form, dramatically reducing the cost of eventual final proof generation.
The core mechanism relies on a commitment to a witness for each computation. In a typical step, the prover holds two Relaxed R1CS instances—a generalization of standard rank-1 constraint systems that includes an error term and a scalar. The folding verifier performs a simple, fast operation (often just elliptic curve additions and multi-scalar multiplication) to combine these into one new Relaxed R1CS instance. This iterative folding creates a recursive structure: the output of one fold becomes an input to the next, enabling the incremental processing of a long-running computation or a large batch of transactions.
The primary advantage of folding is its asymptotic efficiency. Unlike proving systems that require a monolithic proof for the entire computation, folding breaks the work into small, incremental steps with minimal verifier overhead. This makes it ideal for scenarios like incremental verifiable computation (IVC) and parallel proof generation. After many folding steps, a single, efficient zk-SNARK proof is created for the final folded statement, which validates the entire accumulated history. This two-phase approach—cheap folding followed by one final proof—is far more scalable for persistent state updates.
Nova, the seminal folding scheme, implements this using the Cycle of Curves technique. It uses two elliptic curves (e.g., Pasta curves or BN254/Grumpkin) where the scalar field of one matches the base field of the other. This allows the recursive circuit that performs the folding verification to be expressed efficiently without unbounded overhead, making the recursion non-trivial. Subsequent schemes like SuperNova extend this to support different virtual machines or functions at each step, called Nova-like or folding-based proof systems.
In practice, folding schemes are foundational for building high-throughput Layer 2 blockchains and co-processing engines. They enable a blockchain to maintain a succinct cryptographic commitment to its entire state history, where each new block is "folded" into this commitment. This allows for extremely lightweight clients to verify the chain's validity without re-executing all transactions, providing a powerful alternative to traditional rollup architectures by minimizing on-chain verification costs and enabling parallel proof construction.
visual-explainer
FOLDING SCHEME
Visualizing the Fold
An intuitive exploration of how folding schemes, a core cryptographic primitive, compress large computations into a single, verifiable statement.
A folding scheme is a cryptographic protocol that allows a prover to combine two instances of a computational statement into one, creating a single, smaller statement that maintains the validity of the original claims. This process, often visualized as 'folding' two pieces of paper into one, is the foundational mechanism behind Nova and other incrementally verifiable computation (IVC) systems. Unlike a zero-knowledge proof that verifies a single execution, a folding scheme recursively aggregates the work of many steps, enabling efficient proof generation for long-running computations like blockchain state transitions or machine learning training.
The core mechanism involves two primary components: a Relaxed R1CS (Rank-1 Constraint System) instance, which is a generalized form of a standard R1CS that can absorb errors or 'slack', and a folding verifier. In each iteration, the prover presents two instances: one representing the accumulated computation so far (the running instance) and one for the next step (the incremental instance). The folding verifier performs a low-cost, public-coin interaction, resulting in a single new relaxed R1CS instance. Critically, the verifier's work is minimal—requiring only a handful of group operations—shifting the heavy cryptographic lifting to the prover.
To visualize the process, consider proving the correct execution of a program with 1,000 steps. Instead of generating one massive proof, a folding scheme starts with Step 1. It then 'folds' Step 2 into the result of Step 1, creating a compact statement for Steps 1-2. This new statement is then folded with Step 3, and so on. After 1,000 folds, the prover holds a single relaxed R1CS instance representing the entire computation. A final, standalone zk-SNARK proof is then generated for this final folded instance, providing a succinct certificate of correctness for the whole sequence with minimal verification overhead.
examples
PROTOCOLS & USE CASES
Folding Scheme
Folding schemes are a cryptographic primitive for incrementally verifying long computations, enabling efficient recursive proof composition and the construction of succinct, scalable zero-knowledge proofs.
01
Core Mechanism
A folding scheme allows a prover to combine two NP statements (e.g., two program executions) into a single, smaller statement called a folded instance. This process does not generate a new proof but creates a commitment to the combined claim, deferring final verification. It relies on a commit-and-fold paradigm using cryptographic commitments like Pedersen hashes.
- Incremental Verification: Continuously folds new claims into an existing accumulator.
- Non-Interactive: Requires no back-and-forth between prover and verifier during folding.
- Amortized Cost: The final verification cost is spread across many steps, reducing per-step overhead.
03
Benefits vs. Traditional SNARKs
Folding schemes offer distinct advantages over standard SNARK and STARK proof systems, particularly for recursive applications.
- Reduced Prover Overhead: Avoids the need to generate a full SNARK proof at each step; only a cheap folding operation is required.
- Memory Efficiency: The prover's memory footprint grows logarithmically with the number of folded steps, not linearly.
- Parallel Proving: Different segments of a computation can be folded independently and later combined.
- No Trusted Setup: Many folding-based protocols (like Nova) are transparent, requiring no toxic waste or trusted ceremony.
04
Application: zkVM & zkRollups
Folding is a cornerstone for building succinct zero-knowledge virtual machines (zkVMs) and scaling zkRollups.
- zkVM Proving: Each CPU cycle or instruction can be folded into an accumulator. Projects like Lurk and Spartan leverage this for proving arbitrary computations.
- Rollup State Transition: A rollup's state update from a batch of transactions can be represented as a foldable computation, creating a single proof for the entire batch's validity.
- Scalability: This allows parallel proof generation across multiple provers, dramatically speeding up proof creation for high-throughput blockchains.
05
Key Cryptographic Components
The security and efficiency of a folding scheme depend on specific cryptographic assumptions and constructions.
- Commitment Scheme: Typically uses Pedersen commitments or other additively homomorphic schemes, allowing committed values to be combined.
- Error Terms: The relaxed R1CS introduces a slack vector
Eand a scalaruto absorb the "difference" between two instances during folding. - Folding Function: A deterministic, non-interactive function that takes two relaxed R1CS instances and outputs a new folded instance and a witness update.
- Security: Relies on the discrete logarithm assumption in the underlying cryptographic group.
06
Related Concepts & Evolution
Folding schemes exist within a broader ecosystem of recursive proof systems and verifiable computation.
- IVC & PCD: Folding is a method to achieve Incremental Verifiable Computation (IVC) and Proof-Carrying Data (PCD), where the output of one step is a verifiable input to the next.
- SuperNova: An evolution of Nova that supports folding different circuits (non-uniform computation), not just repeated instances of the same circuit.
- Cycle of Curves: Many implementations use a pair of elliptic curves (e.g., Pasta curves) with efficient cycle operations to make recursive verification feasible within the proof system itself.
benefits
FOLDING SCHEME
Core Benefits & Advantages
Folding schemes are a cryptographic primitive that enables efficient, incremental verification of large computations by compressing them into a single, small proof. Their primary advantages center on scalability and composability.
01
Incremental Verifiability
A folding scheme allows a prover to take two Relaxed R1CS instances (representing computations) and 'fold' them into a single new instance. This process is non-interactive and does not require generating a new zero-knowledge proof each time. The key benefit is that the verifier's work remains constant, regardless of how many steps are folded, enabling the verification of long-running computations.
02
Linear Prover Efficiency
The prover's work scales linearly with the size of the computation, not exponentially. Unlike recursive SNARKs, which require repeated proof generation, folding only involves performing elliptic curve operations (like MSM and FFT) on the committed data. This makes it significantly more efficient for the prover, a critical improvement for practical zkVM execution.
03
Native Recursion Without Overhead
Folding is a core building block for recursive proof composition. By repeatedly folding instances, a prover can accumulate an unbounded number of computation steps. The final, folded instance can then be proven with a single, efficient zkSNARK (like Nova's final SNARK step). This avoids the heavy cryptographic overhead typically associated with recursive proof verification.
04
IVC & PCD Construction
Folding schemes are used to construct Incrementally Verifiable Computation (IVC) and Proof-Carrying Data (PCD). In IVC, each step of a sequential computation is folded into a running commitment. This creates a succinct certificate of correct execution up to any step, enabling features like stateless block validation and verifiable state transitions in blockchains.
05
No Trusted Setup
Most folding scheme implementations, such as Nova, are transparent and do not require a trusted setup. They rely on cryptographic assumptions (like the discrete log problem) that are considered secure in the random oracle model. This eliminates a major point of trust and complexity compared to many SNARK systems that need structured reference strings.
06
Parallelization Potential
The structure of folding allows for parallel computation. Independent computation segments can be folded in parallel before being combined. This is a distinct advantage over strictly sequential recursive proofs, opening the door for hardware-accelerated zk-rollup provers that can leverage GPUs or FPGAs to drastically reduce proving times for complex workloads.
PROOF SYSTEM COMPARISON
Folding Schemes vs. Traditional Recursive Proofs
A technical comparison of two paradigms for incrementally verifying computation in zero-knowledge proof systems.
| Feature / Metric | Folding Scheme (e.g., Nova) | Traditional Recursive Proof (e.g., PlonK/Groth16) |
|---|---|---|
Core Mechanism | Folds two instances into one, deferring final proof | Recursively verifies a proof within another proof |
Prover Overhead per Step | Constant (O(1)) | Logarithmic (O(log n)) in circuit size |
Primary Data Structure | Incrementally Verifiable Computation (IVC) with a relaxed R1CS | Nested proof with a SNARK/STARK verifier circuit |
Final Proof Generation | Single SNARK generated only at the end of the folding process | Proof generated at each recursive step |
Memory Footprint (Prover) | Low; maintains running instance/witness | High; requires full circuit representation per step |
Amortized Proving Cost | Very low for incremental updates | Higher, as each step incurs full proving cost |
Primary Use Case | Long-running, stateful computations (e.g., VM execution, rollup state updates) | Batching many independent proofs or proving a single large circuit |
FOLDING SCHEMES
Technical Deep Dive
Folding schemes are a powerful cryptographic primitive that enables the incremental verification of large computations by 'folding' two instances into one, drastically reducing the cost of generating a zero-knowledge proof.
A folding scheme is a cryptographic protocol that allows a prover to combine two instances of a computational statement into a single, new instance, while preserving the property that if the original instances were valid, the folded one is also valid. It works by having the prover and verifier interact: the verifier sends a random challenge, and the prover uses it to create a folded witness and a commitment to the error term. The core mechanism reduces the task of verifying two claims to verifying one, which is cheaper. This process can be repeated iteratively, 'folding' an entire computation trace into a single, small instance that can be efficiently proven with a final zk-SNARK or zk-STARK. Nova is the canonical example of a folding scheme for R1CS (Rank-1 Constraint Systems).
FOLDING SCHEME
Frequently Asked Questions
A folding scheme is a cryptographic primitive for incrementally verifying long computations. These questions address its core concepts, applications, and relationship to other proving systems.
A folding scheme is a cryptographic protocol that allows a prover to combine two NP statements (e.g., two program executions) into a single, smaller statement, called a folded instance, without requiring a full proof. The core mechanism involves the prover sending a commitment to a correction term to the verifier, who then responds with a random challenge. Using this challenge, the prover 'folds' the two instances into one that retains the property: if the folded instance is satisfied, then with high probability the original two instances were also satisfied. This process reduces the verification workload incrementally, enabling efficient proof aggregation for recursive proof composition.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall