Owner: @Mehmet

Introduction

Commitment Schemes

Main Protocols

Folding Schemes

Proof Aggregation

New Polynomial Schemes

Benchmarks

Existing Libraries


Conclusion

As mentioned above, proof systems can generally be considered a combination of an IOP and a PCS. The commonly used PCSs fall into three types: KZG, IPA, and FRI (multivariate PCSs can be seen as variants of these). While deciding on the proof system to be used for the Coordination Layer, we established the following priority for the Nomos project: verifier time > proof size > prover time. Additionally, since the proof system will be used in a privacy-focused setting, it is desirable that the chosen protocol does not require a trusted setup, which the literature treats as a critical consideration. Although KZG-based proof systems are efficient in terms of proof size and verification time, they are not the first choice because they require a trusted setup, and they are therefore deprioritized.

After extensive research, the top two candidates that emerged were Halo2 and Plonky2. Among the FRI-based proof systems, Plonky2 meets the desired verification time; its drawback is proof size. Halo2 offers a smaller proof size but lags behind Plonky2 in verification time. Neither protocol requires a trusted setup.

Folding schemes and aggregation methods can be used to trade off among the desired features. For example, to address the proof size of Plonky2, proof aggregation can be used, with the final proof generated using Groth16. The performance of the methods applicable in this context is presented in the benchmark table.

Ready-made implementations of the selected proof systems are expected for the project, and the existing libraries that can be used have been listed above. After the CL protocol details are finalized, tests will be conducted using Plonky2* and Halo2 circuits to select the most suitable approach.** Key libraries such as Risc0, Succinct, and Jolt will also be examined to identify which sub-libraries might be applicable; these related projects contain pre-built libraries that cover different proof methods.

<aside> 💡

*Plonky3 is a slightly improved version of Plonky2. When we wrote the proof survey, Plonky3 hadn’t become widespread yet. After finishing the survey, zkVMs generally started moving towards STARK-to-SNARK usage, which also makes sense for our project. Now, we also use Plonky3 as a STARK proof in Risc0.

**We try to avoid using proof systems that require a trusted setup as much as possible. However, in current zkVM designs, Groth16 or Plonk, which are proof systems requiring trusted setup, are used for shorter proofs. This is why we opted for this type of wrapper in the final design.

</aside>