HyperNova: Recursive arguments for

customizable constraint systems

Abhiram Kothapalli† Srinath Setty?

† ?
Carnegie Mellon University Microsoft Research
Abstract.

This paper introduces HyperNova, a recursive argument for proving incre-

mental computations whose steps are expressed with CCS (Setty et al. ePrint
2023), a customizable constraint system that simultaneously generalizes Plonk-
ish, R1CS, and AIR without overheads. A distinguishing aspect of HyperNova
is that the prover’s cost at each step is dominated by a single multi-scalar
multiplication (MSM) of size equal to the number of variables in the constraint
system, which is optimal when using an MSM-based commitment scheme.
To construct HyperNova, we generalize folding schemes (CRYPTO 22), to
allow instances from two (potentially) different NP relations, that share the same
structure, to be folded; we refer to this generalization as multi-folding schemes.
Furthermore, we devise a public-coin, multi-folding scheme for instances in CCS
and linearized CCS (a variant of CCS that we introduce). This construction can
be viewed as an “early stopping” version of Spartan (CRYPTO 20), applied to
a carefully-crafted polynomial that includes claims about prior linearized CCS
instances. The prover’s work in the multi-folding scheme is a linear number of
finite field operations and the verifier’s work is a logarithmic number of finite
field operations and a single group scalar multiplication. We then construct
incrementally verifiable computation (IVC) from non-interactive multi-folding
schemes with the lowest prover costs and the lowest recursion overheads in the
literature. We also provide an alternate realization of HyperNova with a black
box use of Nova, which nearly eliminates the need for deferred arithmetic when
instantiated with a cycle of elliptic curves.
As an additional contribution, we describe nlookup, a lookup argument,
that is particularly suited for recursive arguments based on folding schemes.
Specifically, at a particular step in an incremental computation, for m lookups
into a table of size n (m << n), the prover’s work is dominated by O(n)
finite field operations and it requires only O(m · log n) degree-2 constraints
and O(log n) hash evaluations in the incremental computation. nlookup is
currently not suitable for efficiently encoding bitwise operations, but it provides
a powerful tool for efficiently encoding (large) finite state machines and proving
their transitions with recursive SNARKs.
1 Introduction
This paper continues a recent line of work that began with Nova [KST22] (and
its generalization SuperNova [KS22]) to build prover-efficient succinct arguments.
There are two somewhat different ways of interpreting results from this line of
work. On the one hand, they provide the fastest succinct argument for semi-
structured, non-deterministic computations where the computation to be proven
can be decomposed into multiple steps (different steps do not need to have the
same circuit representation) [Dra22]. On the other hand, they also provide the
most efficient recursive argument scheme, with the lowest recursion overheads.
(Super)Nova’s computational model allows incremental computations where a
particular step invokes one of the pre-defined “instructions”. This model captures
many structured and semi-structured statements that arise frequently in practice.
For example, in VDFs, there is only one instruction and it verifies that a certain
iterations of a delay function (e.g., MinRoot [KMT22]) was executed correctly. As
a more complex example, in the so-called “ZKVMs”, at each step, the incremental
computation invokes one of the pre-defined instructions. Concretely, in the case
of Ethereum’s virtual machine (EVM), an instruction might perform operations
like add/mul, or an elliptic curve scalar multiplication over the BN-254 curve.
To prove such incremental computations, Nova provides an inexpensive mecha-
nism, called a folding scheme, to (recursively) transform the task of proving N
steps of a program execution into the task of proving a single step of the program
execution. It then applies a general-purpose zkSNARK to prove that single step.
This approach builds on a recent line of work to achieve efficient recursive argu-
ments [BCTV14,BGH19,BCMS20,BDFG21,BCL+ 21], but it differs from them
in that Nova does not rely on zkSNARKs or even (non-succinct) NARKs.
Compared to directly employing a general-purpose zkSNARK, built from from
polynomial IOPs and polynomial commitment schemes (e.g., Spartan [Set20],
Plonk [GWC19], Marlin [CHM+ 20], HyperPlonk [CBBZ23]), to prove the entire
incremental computation, Nova’s approach is substantially cheaper (as long as
each step is sufficiently large, to offset recursion overheads). Specifically, at each
incremental step, Nova’s prover incurs only two MSMs of size proportional to
the size of the circuit proven. Whereas, general-purpose zkSNARKs need many
more MSMs (e.g., Marlin [CHM+ 20, Fig 1] reports 22 MSMs and many more
FFTs of size proportional to the circuit size).
In addition, by design, Nova’s proof generation is incremental (i.e., it produces a
proof for each step and then uses recursion capabilities to produce a single proof),
so it can be more easily distributed and parallelized than with a non-recursive
zkSNARK where one must unroll program executions into monolithic circuits.
The latter rules out applications where one cannot statically unroll program
executions (e.g., VDF) or makes it inconvenient (e.g., program executions on
machines such as EVM or RISC-V). As presented, Nova does not immediately
support parallel proof generation. There exists a generic compiler [BCCT13] to
transform constructions such as Nova to support parallel proving.
Problem statement. In Nova, each step of an incremental computation is
expressed with R1CS, an NP-complete problem that generalizes arithmetic
circuits and is implicit in the QAPs formalism [GGPR13]. In practice, when
monolithic zkSNARKs (e.g., Plonk) are applied to large program executions,
practitioners often use custom constraint systems (e.g., Plonkish) that are tailored
to particular classes of applications. In particular, constraints in Plonkish are
multivariate high-degree polynomials, so they allow gates that can compute
custom high-degree polynomials. In contrast, R1CS is restricted to checking
quadratic constraints in a specific form.
A key question is whether one can build a recursive argument for Plonkish,
with Nova-like performance characteristics. In particular, our goal is to prove
CCS [STW23], a customizable constraint system that simultaneously generalizes
Plonkish, R1CS, and AIR without overheads.
In more detail, for any solution that handles high-degree constraints, we require
the prover’s cryptographic work to be independent of the degree of constraints
supported. That is, the number of MSMs (or their sizes) performed by the prover
must not depend on the degree of the supported constraints. This requirement is
crucial because otherwise one can simply lower the degree of constraints to two
and use Nova rather than attempting to use high-degree constraints.
Prior approaches and challenges.
Halo2 [BGH20] replaces the polynomial IOP in Halo [BGH19] from Sonic [MBKM19]
to Plonk [GWC19], and its widely used implementation supports Plonkish. Unfor-
tunately, it incurs substantial prover costs as the prover must necessarily produce
a SNARK using Plonk at each step of the program execution. Furthermore, the
prover incurs O(n · d) cryptographic operations, where n is the size of the circuit
at each step and d is the maximum degree of constraints proven. Switching
from Plonk to HyperPlonk [CBBZ23] would reduce the prover’s cryptographic
operations to O(n), but it does not avoid the need to produce a SNARK.
Split accumulation [BCL+ 21] reduces the recursion overheads of Halo-type ap-
proaches. It also avoids the need for succinct arguments to construct recursive
SNARKs. Unfortunately, the existing construction of recursive SNARKs from
split accumulation [BCL+ 21] is limited to R1CS. It is not clear how to extend
their approach to handle Plonkish without making the prover incur O(n · d)
cryptographic operations, which, as noted above, is undesirable.
Sangria [Moh23] shows that Nova’s folding scheme for R1CS can be easily adapted
to handle Plonkish. However, the number of cross-terms that the prover must
commit to increases linearly with d. Furthermore, the prover must incur O(n · d)
cryptographic operations to commit to O(d) cross-terms. As a result, in general,
it is cheaper to lower the constraints to degree-2 and prove them with Nova than
use higher-degree constraints with Sangria.
Concretely, a single iteration of the MinRoot delay function [KMT22] can be
represented with a single degree-5 constraint in Plonkish [Zha23]. Whereas, with
R1CS, one would need three constraints. However, if Sangria is applied to prove
MinRoot in degree-5 Plonkish, it incurs more work for the prover than when
Nova is applied to prove MinRoot in R1CS.
1.1 Our approach: HyperNova
This section provides a high-level overview of HyperNova’s ingredients. As noted
earlier, HyperNova’s target is to prove incremental computations where each step
of the incremental computation is expressed with CCS [STW23], a customizable
constraint system that simultaneously generalizes Plonkish, R1CS, and AIR
without overheads. However, if we naively build a folding scheme for CCS,
perhaps for a “relaxed” variant of CCS (analogous to relaxed R1CS in Nova), it
will have the efficiency issues noted above for Sangria.
To avoid those issues, HyperNova takes a different approach that involves leverag-
ing the power of the sum-check protocol [LFKN90], as done in Spartan [Set20] and
its recent extension to handle CCS called SuperSpartan [STW23]. In particular,
we provide two instantiations, one that directly builds HyperNova, and another
that uses Nova as a black box. Both variants can be instantiated efficiently using
cycles of elliptic curves and they both have the same prover efficiency. The second
variant however has minimal “deferred arithmetic” (i.e., arithmetic that must be
passed to the other curve in the curve cycle for efficiency) that shows up when
implementing recursive arguments using cycles of elliptic curves.

Remark 1. Given that CCS is a strict generalization of Plonkish, we focus on

describing HyperNova for CCS. HyperNova for CCS can be easily translated to
HyperNova for Plonkish, with the same efficiency guarantees.

(1) Multi-folding schemes. To construct HyperNova, we introduce a general-

ization of folding schemes, and we refer to it as multi-folding schemes. Recall
that a folding scheme for a relation R is a protocol between a prover and verifier
in which the prover and the verifier reduce the task of checking two instances
in R with the same structure s into the task of checking a single instance in
R with structure s. A multi-folding scheme is defined with respect to a pair of
relations (R1 , R2 ). It is an interactive protocol between a prover and a verifier
in which the prover and the verifier reduce the task of checking an instance in
R1 and an instance in R2 that both share the same structure s into the task
of checking a single instance in R1 with structure s. The paragraphs ahead will
clarify how this generalization unlocks additional power for constructing IVC.

Remark 2. Multi-folding schemes are related to split-accumulation schemes [BCL+ 21].

However, multi-folding schemes use the language of NP relations and are specified
in the standard interactive model. For example, our definitions do not require
an auxiliary decider algorithm and the associated complexity. Furthermore, by
using the language of NP relations, the split between a witness and instance is
immediate in the context of folding schemes and multi-folding schemes. Overall,
our definitions, security notions, and proofs are conceptually simpler.
(2) A multi-folding scheme for CCS. Our starting point to construct a multi-
folding scheme for CCS is the following observation. We observe that the Spartan
proof system [Set20] (more specifically its generalization to handle CCS called
SuperSpartan [STW23]) transforms the task of checking the satisfiability of a CCS
instance into the task of checking if a multivariate polynomial g of total degree
d + 1, where d is the degree of the CCS constraints, sums to zero over a suitable
Boolean hypercube. Spartan then invokes the sum-check protocol [LFKN90] to
prove that claim about g. At the end of the sum-check invocation, the prover
and the verifier are left with checking certain claims. Fortunately, these claims
concern a restricted form of CCS (we formalize this restricted form of CCS and
refer to it as linearized CCS ). Note Spartan then proves those claims about the
restricted form of CCS with an additional invocation of the sum-check protocol.
While an “early stopping” version of Spartan (the one with a single invocation of
the sum-check protocol) provides a reduction of knowledge [KP22] from CCS to
linearized CCS, it is not a folding (or a multi-folding) scheme. So, our second
idea is to redefine the polynomial g to additionally include claims from a running
linearized CCS instance using a random challenge from the verifier. This is
possible as long as the running instance and the CCS instance that is being
folded share the same structure (e.g., the same CCS matrices).
As a result, we obtain a public-coin multi-folding scheme that can fold a CCS
instance with structure s into a linearized CCS instance with structure s to get a
new linearized CCS instance with structure s. The prover’s work in the folding
scheme is a linear number of finite field operations (the prover does not commit
to any cross-terms!), and the verifier’s work is a logarithmic number of finite
field operations. Since the multi-folding scheme is public coin, we make it non-
interactive in the random oracle model using the Fiat-Shamir transform [FS86]
and heuristically instantiate it in the plain model using a concrete cryptographic
hash function.

Remark 3. Our multi-folding scheme for CCS is more powerful than described it
thus far: it can take µ running linearized CCS instances and ν CCS instances
that all share the same structure and output a single linearized CCS instance. So,
our definition of multi-folding schemes is additionally parameterized by µ and ν.

(3) IVC and its generalizations from multi-folding schemes. Recall that
Nova constructs IVC [Val08] from non-interactive folding schemes. Similarly, we
show how to construct an IVC scheme from non-interactive multi-folding schemes
such as the non-interactive version of the multi-folding scheme for CCS discussed
above. Our construction and security proofs follow the same blueprint. The prover
initializes a “default” running instance. Then, at each step of the incremental
computation, the prover commits to the witness for an augmented CCS instance
(the augmented CCS not only runs a step of the incremental computation, but it
also runs the verifier of the non-interactive multi-folding scheme). The prover
then runs the non-interactive multi-folding scheme to fold that CCS instance
into a running instance. The prover then sends the CCS instance and the output
of the multi-folding instance as input to the next invocation of the augmented
circuit, to prove the next step of the incremental computation.
As in Nova, in the “end” (or at any point in the incremental computation), the
prover is left with a running instance U (which in the case of HyperNova is a
linearized CCS instance) and a CCS instance u that represents the last step
of the incremental computation augmented with a verifier circuit. The prover
folds U and u to get U0 with an invocation of the multi-folding scheme for CCS,
and suppose that the prover’s output in the folding scheme is πfs . HyperNova’s
recursive proof is then π = (U, u, πfs , w) where w is a purported witness to U0 .
HyperNova’s prover can then send π to a verifier, but the size of the proof is
linear in the size of the step of an incremental computation. Thus, as in Nova,
HyperNova’s prover can use a general zkSNARK to prove the knowledge of a
valid π. In particular, Spartan excluding the first sum-check invocation provides
a necessary zkSNARK. Of course, other proof systems can also be used as long
as they can prove the knowledge of a valid π.

Remark 4. A multi-folding scheme folds µ running instances and ν incoming

instances into a single running instance, so it easily provides a natural general-
ization of IVC [Val08] called proof-carrying data [BCCT13]. However, we focus
on IVC for its conceptual simplicity.

(4) A construction of IVC with a black box use of Nova In addition to

the direct construction of IVC from a non-interactive multi-folding scheme for
CCS, we describe an approach that leverages Nova as a black box. In particular,
the high-level idea is to express the verifier of the non-interactive multi-folding
scheme for CCS as a step circuit in Nova (i.e., with R1CS). The step circuit, as
part of its public IO, stores a running instance (which in our case is a linearized
CCS instance). At each step, the prover first represents a step of the incremental
computation as a CCS instance u. It folds that into a running instance U to
obtain a new running instance U0 (and the associated witnesses) and a proof
πfs . The prover then runs Nova where the step circuit takes as non-deterministic
input (u, πfs ). The step circuit then folds u into a running instance that it tracks
via its public IO using πfs . In the “end” or at any point in the incremental
computation, a verifier can verify the Nova proof associated with the incremental
computation and check that the running instance in the public IO of the step
circuit is indeed satisfying using a purported witness from the prover. As with
the direct construction discussed above, the prover can compress such a recursive
proof into a succinct proof using a general zkSNARK.
The primary advantage of this version of HyperNova is that it only needs to
implement a step circuit. Furthermore, much of the work in representing the
verifier of the non-interactive folding scheme is a logarithmic number of finite
field operations and hash evaluations, both of which can be encoded natively
and efficiently with R1CS (e.g., with a SNARK-friendly hash function). The step
circuit will have to perform a single group scalar multiplication, but when using
a cycle of elliptic curves, this task can be easily (and with minimal public IO) be
deferred to the other curve in the curve cycle.

2 Preliminaries
We use λ to denote the security parameter and F to denote a finite field (e.g., the
prime field Fp for a large prime p). We use negl(λ) to denote a negligible function
in λ. Throughout the paper, the depicted asymptotics depend on λ, but we elide
this for brevity. We use “PPT algorithms” to refer to probabilistic polynomial
time algorithms.

2.1 Polynomials and low-degree extensions

We adapt this subsection from prior work [Set20].

We recall a few basic facts about polynomials.

• A polynomial g over F is an expression consisting of a sum of monomials

where each monomial is the product of a constant from F and powers of one
or more variables; all arithmetic is performed over F.

• The degree of a monomial in a polynomial is the sum of the exponents of

variables in the monomial; the degree of a polynomial g is the maximum
degree of any monomial in g.

• The degree of a polynomial g in a particular variable xi is the maximum

exponent that xi takes in any of the monomials in g.

• A multivariate polynomial is a polynomial with more than one variable;

otherwise it is called a univariate polynomial.

Definition 1 (Multilinear polynomial). A multivariate polynomial is called

a multilinear polynomial if the degree of the polynomial in each variable is at
most one.

Definition 2 (Low-degree polynomial). A multivariate polynomial g over a

finite field F is called low-degree polynomial if the degree of g in each variable is
exponentially smaller than |F|.

Low-degree extensions (LDEs). Suppose g : {0, 1}` → F is a function that

maps `-bit elements into an element of F. A polynomial extension of g is a
low-degree ell-variate polynomial ge such that ge(x) = g(x) for all x ∈ {0, 1}` .

A multilinear polynomial extension (or simply, a multilinear extension, or MLE) is

a low-degree polynomial extension where the extension is a multilinear polynomial
(i.e., the degree of each variable in ge is at most one). Given a function Z : {0, 1}` →
F, the multilinear extension of Z is the unique multilinear polynomial Ze : F` → F.
It can be computed as follows.

X `
Y
Z(x
e 1 , . . . , x` ) = Z(e) · (xi · ei + (1 − xi ) · (1 − ei ))
e∈{0,1}` i=1
X
= Z(e) · eq(x,
e e)
e∈{0,1}`

= h(Z(0), . . . , Z(2` − 1)), (eq(x,

e 0), . . . , eq(x,
e 2` − 1)i

Q`
Note that eq(x,
e e) = i=1 (ei · xi + (1 − ei ) · (1 − xi )), which is the MLE of the
following function:
(
1 if x = e
eq(x, e) =
0 otherwise

For any r ∈ F` , Z(r)

e can be computed in O(2` ) operations in F [VSBW13,Tha13].
Dense representation for multilinear polynomials. Since the MLE of a
function is unique, it offers the following method to represent any multilinear
polynomial. Given a multilinear polynomial g : F` → F, it can be represented
uniquely by the list of tuples L such that for all i ∈ {0, 1}` , (to-field(i), g(i)) ∈ L
if and only if g(i) 6= 0, where to-field is the canonical injection from {0, 1}` to F.
We denote such a representation of g as DenseRepr(g).

Definition 3. A multilinear polynomial g in ` variables is a sparse multilinear

polynomial if |DenseRepr(g)| is sub-linear in O(2` ). Otherwise, it is a dense
multilinear polynomial.

As an example, suppose g : F2s → F. Suppose |DenseRepr(g)| = O(2s ), then g(·)

is a sparse multilinear polynomial because O(2s ) is sublinear in O(22s ).

Lemma 1 (Sums over evaluations). Consider size ` ∈ N. For multilinear

polynomial P ∈ F[X1 , . . . , X` ] we have that
X
P (X) = eq(X,
e x) · P (x).
x∈{0,1}`

P
Proof. Let Q(X) = x∈{0,1}` eq(X,
e x) · P (x) By the definition of eq,
e we have
that
P (x) = Q(x)
`
for all x ∈ {0, 1} . However, because P ∈ F[X1 , . . . , X` ] is multilinear it is
completely determined by 2` evaluation points. The same is holds for Q. Because
P and Q agree on 2` points, they must be the same polynomial.
2.2 Schwartz-Zippel lemma
Lemma 2. let g : F` → F be an `-variate polynomial of total degree at most d.
Then, on any finite set S ⊆ F,

Pr [g(x) = 0] ≤ d/|S|
x←S `

2.3 The sum-check protocol

Suppose there is an `-variate low-degree polynomial, g, where the degree of each
variable in g is at most d. Suppose that a verifier V is interested in checking a
claim of the following form by an untrusted prover P:
X X X
T = ... g(x1 , x2 , . . . , x` )
x1 ∈{0,1} x2 ∈{0,1} x` ∈{0,1}

Of course, given g, V can deterministically evaluate the above sum and verify
whether the sum is T . But, this computation takes time exponential in `. Lund et
al. [LFKN90] describe the sum-check protocol that requires far less computation
on V’s behalf, but provides a probabilistic guarantee. In the protocol, V takes
as input randomness r ∈ F` and interacts with P over a sequence of ` rounds.
At the end of this interaction, V outputs a claim about the evaluation g(r). We
denote the sum-check protocol as c ← hP, V(r)i(g, `, d, T ).
For any `-variate polynomial g with degree at most d in each variable, the
sum-check protocol satisfies the following properties.
• Completeness. If T =
P
x∈{0,1}` g(x), then for a correct P and for all
r ∈ F` , Prr {hP, V(r)i(g, `, d, T ) = c ∧ c = g(r)} = 1.
• Soundness. If T 6= ? `
P
x∈{0,1}` g(x), then for any P and for all r ∈ F ,
?
Prr {hP , V(r)i(g, `, d, T ) = c ∧ g(r) = c} ≤ ` · d/|F|.
• Succinctness. The communication cost is O(` · d) elements of F.
2.4 Arguments of knowledge and SNARKs
We adapt the definition provided in [KST22].

Definition 4. Consider a relation R over public parameters, structure, instance,

and witness tuples. A non-interactive argument of knowledge for R consists of
PPT algorithms (G, P, V) and deterministic K, denoting the generator, the prover,
the verifier and the encoder respectively with the following interface.
• G(1λ ) → pp: On input security parameter λ, samples public parameters pp.
• K(pp, s) → (pk, vk): On input structure s, representing common structure
among instances, outputs the prover key pk and verifier key vk.
 • P(pk, u, w) → π: On input instance u and witness w, outputs a proof π
proving that (pp, s, u, w) ∈ R.
• V(vk, u, π) → {0, 1}: On input the verifier key vk, instance u, and a proof π,
outputs 1 if the instance is accepting and 0 otherwise.
A non-interactive argument of knowledge satisfies completeness if for any PPT
adversary A

 pp ← G(1λ ),
 

  (s, (u, w)) ← A(pp), 
  
Pr  V(vk, u, π) = 1  (pp, s, u, w) ∈ R,
  = 1.

  (pk, vk) ← K(pp, s), 

 π ← P(pk, u, w)

A non-interactive argument of knowledge satisfies knowledge soundness if for all

PPT adversaries A there exists a PPT extractor E such that for all randomness
ρ 
 pp ← G(1λ ),
 

 V(vk, u, π) = 1,  (s, u, π) ← A(pp; ρ), 
Pr 
 (pp, s, u, w) 6∈ R  (pk, vk) ← K(pp, s),  = negl(λ).
 

 w ← E(pp, ρ)

A non-interactive argument of knowledge is succinct if the size of the proof π

and the time to verify it are at most polylogarithmic in the size of the statement
proven.

2.5 Incrementally Verifiable Computation

Definition 5 (Incrementally verifiable computation (IVC)). An incre-
mentally verifiable computation (IVC) scheme is defined by PPT algorithms
(G, P, V) and deterministic K denoting the generator, the prover, the verifier,
and the encoder respectively, with the following interface
• G(1λ ) → pp: on input security parameter λ, samples public parameters pp.
• K(pp, F ) → (pk, vk): on input public parameters pp, and polynomial-time
function F , deterministically produces a prover key pk and a verifier key vk.
• P(pk, (i, z0 , zi ), ωi , Πi ) → Πi+1 : on input a prover key pk, a counter i, an
initial input z0 , a claimed output after i iterations zi , a non-deterministic
advice ωi , and an IVC proof Πi attesting to zi , produces a new proof Πi+1
attesting to zi+1 = F (zi , ωi ).
• V(vk, (i, z0 , zi ), Πi ) → {0, 1}: on input a verifier key vk, a counter i, an initial
input z0 , a claimed output after i iterations zi , and an IVC proof Πi attesting
to zi , outputs 1 if Πi is accepting, and 0 otherwise.
An IVC scheme (G, K, P, V) satisfies the following requirements.
 1. Perfect Completeness: For any PPT adversary A

 pp ← G(1λ ),
 

  F, (i, z0 , zi , Πi ) ← A(pp), 
  
  (pk, vk) ← K(pp, F ), 
Pr  V(vk, (i + 1, z0 , zi+1 ), Πi+1 ) = 1 
  
 z
 i+1 ← F (z i , ωi ), 

  V(vk, i, z0 , zi , Πi ) = 1, 

 Πi+1 ← P(pk, (i, z0 , zi ), ωi , Πi )

where F is a polynomial-time computable function.

2. Knowledge Soundness: Consider constant n ∈ N. For all expected polynomial-
time adversaries P ∗ there exists an expected polynomial-time extractor E such
that over all randomness ρ

 pp ← G(1λ ),
 
 (F, (z0 , zi ), Π) ← P ∗ (pp, ρ), 

 zn = z where
  
Pr  zi+1 ← F (zi , ωi )  (pk, vk) ← K(pp, F ),
  ≈ 1.

 ∀i ∈ {0, . . . , n − 1}  V(vk, (n, z0 , z), Π) = 1, 

 (ω0 , . . . , ωn−1 ) ← E(pp, ρ)

3. Succinctness: The size of an IVC proof Π is independent of the number of

iterations n.

2.6 Polynomial commitment scheme

We adapt the definition from [BFS20]. A polynomial commitment scheme for mul-
tilinear polynomials is a tuple of four protocols PC = (Gen, Commit, Open, Eval):
• pp ← Gen(1λ , `): takes as input ` (the number of variables in a multilinear
polynomial); produces public parameters pp.
• C ← Commit(pp, g): takes as input a `-variate multilinear polynomial over a
finite field g ∈ F[`]; produces a commitment C.
• b ← Open(pp, C, g): verifies the opening of commitment C to the `-variate
multilinear polynomial g ∈ F[`]; outputs b ∈ {0, 1}.
• b ← Eval(pp, C, r, v, `, g) is a protocol between a PPT prover P and verifier
V. Both V and P hold a commitment C, the number of variables `, a scalar
v ∈ F, and r ∈ F` . P additionally knows an `-variate multilinear polynomial
g ∈ F[`]. P attempts to convince V that g(r) = v. At the end of the protocol,
V outputs b ∈ {0, 1}.

Definition 6. A tuple of four protocols (Gen, Commit, Open, Eval) is an extractable

polynomial commitment scheme for multilinear polynomials over a finite field F
if the following conditions hold.
• Completeness. For any `-variate multilinear polynomial g ∈ F[`],
pp ← Gen(1λ , `); C ← Commit(pp, g):
 
Pr ≥ 1 − negl(λ)
Eval(pp, C, r, v, `, g) = 1 ∧ v = g(r)
 • Binding. For any PPT adversary A, size parameter ` ≥ 1,
 
 pp ← Gen(1λ , m); (C, g0 , g1 ) = A(pp); 
Pr b0 ← Open(pp, C, g0 ); b1 ← Open(pp, C, g1 ): ≤ negl(λ)
b0 = b1 6= 0 ∧ g0 6= g1
 

• Knowledge soundness. Eval is a succinct argument of knowledge for the

following NP relation given pp ← Gen(1λ , `).

REval (pp) = {h(C, r, v), (g)i : g ∈ F[`] ∧ g(r) = v ∧ Open(pp, C, g) = 1}

Definition 7. A polynomial commitment scheme for multilinear polynomials

PC = (Gen, Commit, Open, Eval) is additively homomorphic if for all ` and public
parameters pp produced from Gen(1λ , `), and for any g1 , g2 ∈ F[`], Commit(pp, g1 )+
Commit(pp, g2 ) = Commit(pp, g1 + g2 ).

3 Multi-folding schemes
Recall that a folding scheme [KST22] for a relation R is a protocol between
a prover and verifier in which the prover and the verifier reduce the task of
checking two instances in R with the same structure s into the task of checking
a single instance in R with structure s.
We introduce a generalization of folding schemes, which we refer to as multi-
folding schemes. A multi-folding scheme is defined with respect to a pair of
relations (R1 , R2 ) and size parameters µ and ν. It is an interactive protocol
between a prover and a verifier in which the prover and the verifier reduce the
task of checking a collection of µ instances in R1 and a collection of ν instances in
R2 that all share the same structure s into the task of checking a single instance
in R1 with structure s. Below, we formally define multi-folding schemes.

Definition 8 (Multi-folding schemes). Consider relations R1 and R2 over

public parameters, structure, instance, and witness tuples such that R1 and R2
share the same structure, and size parameters µ, ν ∈ N. A multi-folding scheme for
(R1 , R2 , µ, ν) consists of a PPT generator algorithm G, a deterministic encoder
algorithm K, and a pair of PPT algorithms P and V denoting the prover and the
verifier respectively, with the following interface:
• G(1λ ) → pp: on input security parameter λ, samples public parameters pp.
• K(pp, s) → (pk, vk): on input pp, and a common structure s among the
instances to be folded, outputs a prover key pk and a verifier key vk.
• P(pk, (u~1 , w~1 ), (u~2 , w~2 )) → (u, w): on input a vector of instances u~1 in R1
of size µ and a vector of instances u~2 in R2 of size ν all with the same
structure s, and corresponding witness vectors w~1 and w~2 outputs a folded
instance-witness pair (u, w) in R1 .
 • V(vk, u~1 , u~2 ) → u: on input a vector of instances u~1 and a vector of instances
u~2 outputs a new instance u.
Let hP, Vi denote the interaction between P and V. We treat hP, Vi as a func-
tion that takes as input ((pk, vk), (u~1 , u~2 ), (w~1 , w~2 )) and runs the interaction on
prover input (pk, (u~1 , u~2 ), (w~1 , w~2 )) and verifier input (vk, (u~1 , u~2 )). At the end of
interaction hP, Vi outputs (u, w) where u is the verifier’s output folded instance,
and w is the prover’s output folded witness.
Let R(n) be the relation such that (pp, s,~u, w
~ ) ∈ R(n) if and only if (pp, s,~ui , w
~ i) ∈
R for all i ∈ [n]. A multi-folding scheme for (R1 , R2 , µ, ν) satisfies the following
requirements.
1. Perfect Completeness: For all PPT adversaries A, we have that

 pp ← G(1λ ),
  

  (s, (u~1 , u~2 ), (w~1 , w~2 )) ← A(pp), 
(µ) (ν) 
  
Pr  (pp, s, u, w) ∈ R1  (pp, s, u~1 , w~1 ) ∈ R1 , (pp, s, u~2 , w~2 ) ∈ R2 ,  = 1.
 
  (pk, vk) ← K(pp, s), 

 (u, w) ← hP, Vi((pk, vk), (u~1 , u~2 ), (w~1 , w~2 ))

2. Knowledge Soundness: For any expected polynomial-time adversaries A and

P ∗ there is an expected polynomial-time extractor E such that over all ran-
domness ρ
  λ

(µ)  pp ← G(1 ),
(pp, s, u~1 , w~1 ) ∈ R1 , 
Pr  (ν) (s, (u ~1 , u~2 ), st) ← A(pp, ρ),  ≈
(pp, s, u~2 , w~2 ) ∈ R2  (w~ , w~ ) ← E(pp, ρ)
1 2

 pp ← G(1λ ),
 

  (s, (u~1 , u~2 ), st) ← A(pp, ρ), 
 (pp, s, u, w) ∈ R1  (pk, vk) ← K(pp, s),
Pr   

 (u, w) ← hP ∗ , Vi((pk, vk), (u~1 , u~2 ), st)


3. Efficiency: The communication costs and V’s computation are lower in the
case where V participates in the multi-folding scheme and then checks a witness
sent by P for the folded instance than the case where V checks witnesses sent
by P for each of the original instances.
A multi-folding scheme is secure in the random oracle model if the above require-
ments hold when all parties are provided access to a random oracle.

Definition 9 (Zero-knowledge). Let trace(hP, Vi, input) denote the non-deterministic

function which takes as input an interaction function hP, Vi and a prescribed in-
put input, and produces an interaction transcript between P and V on input input.
A multi-folding scheme (G, K, P, V) for (R1 , R2 , µ, ν) satisfies zero-knowledge if
there exists a PPT simulator S such that for all PPT adversaries A and V ∗ , and
input randomness ρ

 pp ← G(1λ ),
  

  



  (s, (u~1 , w~1 ), (u~2 , w~2 )) ← A(pp), 


(µ) (ν) ∼

(pp, s, (u~1 , u~2 ), tr, ρ)  (pp, s, u~1 , w~1 ) ∈ R1 , (pp, s, u~2 , w~2 ) ∈ R2 ,
 =
(pk, vk) ← K(pp, s),

  


  

  tr ← trace(hP, Vi, ((pk, vk), (u~1 , u~2 ), (w~1 , w~2 ))) 
  
  pp ← G(1λ ), 
  


  (s, (u~1 , w~1 ), (u~2 , w~2 )) ← A(pp), 



(pp, s, (u~1 , u~2 ), tr, ρ)  (pp, s, u~1 , w~1 ) ∈ R1 , (pp, s, u~2 , w~2 ) ∈ R2 ,



  (pk, vk) ← K(pp, s), 


  
  tr ← S(pp, s, (u~1 , u~2 ), ρ) 

Definition 10 (Non-interactive). A multi-folding scheme (G, K, P, V) is non-

interactive if the interaction between P and V consists of a single message from
P to V. This single message is denoted as P’s output and as V’s input.

Definition 11 (Public coin). A multi-folding scheme (G, K, P, V) is called

public coin if all the messages sent from V to P are sampled from a uniform
distribution.

3.1 Achieving non-interactivity for multi-folding schemes

Construction 1 (Fiat-Shamir transformation for multi-folding schemes).
Consider a public-coin multi-folding scheme Π = (G, K, P, V) for (R1 , R2 , µ, ν)
with ` rounds. Let ρ denote a random oracle. We construct a non-interactive
multi-folding scheme Π 0 = (G 0 , K0 , P 0 , V 0 ) for (R1 , R2 , µ, ν) in the random oracle
model as follows.
• G 0 (1λ ) → pp: Compute and output pp ← G(1λ ).
• K0 (pp, s) → pp:
1. Compute (pk, vk) ← K(pp, s).
2. Compute hs ← ρ(pp, s).
3. Output (pk0 , vk0 ) ← ((pk, hs), (vk, hs)).
• P 0 (pk0 , (~u1 , ~u2 ), (w
~ 1, w
~ 2 )):
1. Parse pk0 as (pk, hs)
2. Run P(pk, (~u1 , ~u2 ), (w
~ 1, w
~ 2 )). On the ith message mi , respond with veri-
fier randomness ri+1 ← ρ(mi , ri ) where r1 = hs. Let (u, w) be the output
of P and let π = (m1 , . . . , m` ) consist of messages from P.
3. Send π to the verifier.
4. Output (u, w).
 • V 0 (vk0 , (~u1 , ~u2 )):
1. Parse vk0 as (vk, hs)
2. Recieve π = (m1 , . . . , m` ) from the prover. Compute ri+1 ← ρ(mi , ri ) for
r1 = hs.
3. Run V(vk, (~u1 , ~u2 )) with randomness (r1 , . . . , r`+1 ). In round i, send the
prover message mi . Let u be the output of V.
4. Output u.

Lemma 3 (Fiat-Shamir transformation for multi-folding schemes). Con-

struction 1 transforms a public-coin multi-folding scheme for (R1 , R2 , µ, ν) into
a non-interactive multi-folding scheme for (R1 , R2 , µ, ν) in the random oracle
model.

4 Customizable constraint systems

Setty et al. [STW23] recently introduced customizable constraint systems (CCS),
a constraint system that simultaneously generalizes R1CS, Plonkish, and AIR
without overheads. We first recall its definition and then describe variants that
sections ahead will show are amenable to constructing multi-folding schemes. The
definitions below are characterized by a finite field F, but we leave this implicit.

Definition 12 (CCS [STW23]). We define the customizable constraint system

(CCS) relation RCCS as follows. Let the public parameter consists of size bounds
m, n, N, `, t, q, d ∈ N where n > `.
An RCCS structure s consists of:
• a sequence of matrices M1 , . . . , Mt ∈ Fm×n with at most N = Ω(max(m, n))
non-zero entries in total;
• a sequence of q multisets [S1 , . . . , Sq ], where an element in each multiset is
from the domain {1, . . . , t} and the cardinality of each multiset is at most d.
• a sequence of q constants [c1 , . . . , cq ], where each constant is from F.
An RCCS instance consists of public input x ∈ F` . An RCCS witness consists of
a vector w ∈ Fn−`−1 . An RCCS structure-instance tuple (s, x) is satisfied by an
RCCS witness w if
q
X
ci · j∈Si Mj · z = 0,
i=1
n
where z = (w, 1, x) ∈ F , Mj · z denotes matrix-vector multiplication, denotes
the Hadamard product between vectors, and 0 is an m-sized vector with entries
equal to the the additive identity in F.
4.1 Committed CCS
Consider a CCS structure sCCS = (m, n, N, `, t, q, d, [M1 , . . . , Mt ], [S1 , . . . , St ], [c1 , . . . , ct ]).
Let s = log m and s0 = log n. We interpret each Mi (for i ∈ [t]) as functions
0
with the following signature: {0, 1}s × {0, 1}s → F. For i ∈ [t], let M fi denote
the MLE of Mi i.e., M fi is the unique multilinear polynomial in log m + log n
0
variables such that ∀x ∈ {0, 1}s , y ∈ {0, 1}s , M
fi (x, y) = Mi (x, y). Similarly, for
n−`−1
a purported witness w ∈ F let w
e denote the unique MLE of w viewed as a
function. WLOG, below, we let |w| = ` + 1.

Definition 13 (Committed CCS). Let PC = (Gen, Commit, Open, Eval) de-

note an additively-homomorphic polynomial commitment scheme for multilinear
polynomials over a finite field F.
We define the committed customizable constraint system (CCCS) relation RCCCS
as follows. Let the public parameter consists of size bounds m, n, N, `, t, q, d ∈ N
where n = 2 · (` + 1) and pp ← Gen(1λ , s0 − 1). Let s = log m and s0 = log n.
An RCCCS structure s consists of:
• a sequence of sparse multilinear polynomials in s + s0 variables M
f1 , . . . , M
ft
such that they evaluate to a non-zero value in at most N = Ω(m) locations
0
over the Boolean hypercube {0, 1}s × {0, 1}s ;
• a sequence of q multisets [S1 , . . . , Sq ], where an element in each multiset is
from the domain {1, . . . , t} and the cardinality of each multiset is at most d.
• a sequence of q constants [c1 , . . . , cq ], where each constant is from F.
An RCCCS instance is (C, x), where C is a commitment to a multilinear polynomial
in s0 − 1 variables and x ∈ F` . An RCCCS witness consists of a multilinear
polynomial we in s0 − 1 variables. An RCCCS structure-instance tuple is satisfied
by an RCCCS witness if Commit(pp, w)e = C and if ∀x ∈ {0, 1}s ,
  
q
X X
ci · Πj∈Si  fj (x, y) · ze(y) = 0,
M
i=1 y∈{0,1}log m

where ze is an s0 -variate multilinear polynomial such that ze(x) = (w,

^ 1, x)(x) for
s0
all x ∈ {0, 1} .

4.2 Linearized committed CCS

Definition 14 (Linearized committed CCS). Let PC = (Gen, Commit, Open, Eval)
denote an additively-homomorphic polynomial commitment scheme for multilinear
polynomials over a finite field F.
We define the linearized committed customizable constraint system (LCCS)
relation RLCCCS as follows. Let the public parameter consists of size bounds
m, n, N, `, t, q, d ∈ N where n = 2 · (` + 1) and pp ← Gen(1λ , s0 − 1). Let s = log m
and s0 = log n.
An RLCCCS structure s consists of:
• a sequence of sparse multilinear polynomials in s + s0 variables M
f1 , . . . , M
ft
such that they evaluate to a non-zero value in at most N = Ω(m) locations
0
over the Boolean hypercube {0, 1}s × {0, 1}s ;
• a sequence of q multisets [S1 , . . . , Sq ], where an element in each multiset is
from the domain {1, . . . , t} and the cardinality of each multiset is at most d.
• a sequence of q constants [c1 , . . . , cq ], where each constant is from F.
An RLCCCS instance is (C, u, x, r, v1 , . . . , vt ), where u ∈ F, x ∈ F` , r ∈ Fs , vi ∈ F
for all i ∈ [t], and C is a commitment to a multilinear polynomial in s0 − 1
variables. An RLCCCS witness is a multilinear polynomial w e in s0 − 1 variables.
An RLCCCS structure-instance tuple is satisfied by an RLCCCS witness if Commit(pp, w)e =
0
P
C and if for all i ∈ [t], vi = y∈{0,1}s Mi (r, y) · ze(y), where ze is an s -variate
0 f
0
multilinear polynomial such that z(x) = (w, ^ u, x)(x) for all x ∈ {0, 1}s .

5 A multi-folding scheme for CCS

This section describes a multi-folding scheme for CCS. In particular, we provide a
multi-folding scheme for R1 = RLCCCS and R2 = RCCCS . To keep the description
simple, we describe and prove the case of µ = ν = 1. However, we stress that
both the construction and proofs easily generalize to the case of arbitrary values
of µ and ν. In particular, the generalized version simply uses more powers of a
random challenge when combining claims.
Construction 2 (A multi-folding scheme for CCS). We construct a multi-
folding scheme for (RLCCCS , RCCCS , µ = 1, ν = 1). Let PC = (Gen, Commit, Open, Eval)
denote an additively-homomorphic polynomial commitment scheme for multilin-
ear polynomials.
We define the generator and the encoder as follows.

G(1λ ) → pp:
1. Sample size bounds m, n, N, `, t, q, d ∈ N with n = 2 · (` + 1)
2. ppPC ← Gen(1λ , log n − 1)
3. Output (m, n, N, `, t, q, d, ppPC )

K(pp, ([M ft ], [S1 , . . . , Sq ], [c1 , . . . , cq ])) → (pk, vk):

f1 , . . . , M

1. pk ← (pp, ([M
f1 , . . . , M
ft ], [S1 , . . . , Sq ], [c1 , . . . , cq ]))

2. vk ← ⊥
 3. Output (pk, vk)

The verifier V takes a linearized committed CCS instance (C1 , u, x1 , rx , v1 , . . . , vt ).

and a committed CCS instance (C2 , x2 ) and the prover P, in addition to the two
instances, takes witnesses to both instances, w
f1 and wf2 .

Let s = log m and s0 = log n. Let ze1 = (w^ ^

1 , u, x1 ) and ze2 = (w2 , 1, x2 ).

The prover and the verifier proceed as follows.

$ $
1. V → P: V samples γ ← F, β ← Fs , and sends them to P.
$
2. V: Sample rx0 ← Fs .

3. V ↔ P: Run the sum-check protocol c ← hP, V(rx0 )i(g, s, d + 1, γ j · vj ),

P
j∈[t]
where:
 
X
g(x) :=  γ j · Lj (x) + γ t+1 · Q(x)
j∈[t]
 
X
e x , x) · 
Lj (x) := eq(r fj (x, y) · ze1 (y)
M
y∈{0,1} s0
  
q
X Y X
Q(x) := eq(β,
e x) ·  ci ·  fj (x, y) · ze2 (y)
M
i=1 j∈Si y∈{0,1} s0

4. P → V: ((σ1 , . . . , σt ), (θ1 , . . . , θt )), where for all i ∈ [t]:

X
σi = fi (r0 , y) · ze1 (y)
M x
y∈{0,1} s0
X
θi = fi (rx0 , y) · ze2 (y)
M
y∈{0,1}s0

e x , rx0 ) and e2 ← eq(β,

5. V: Compute e1 ← eq(r e rx0 ), and abort if:
  
X Xq Y
c 6=  γ j · e1 · σj + γ t+1 · e2 ·  ci · θj 
j∈[t] i=1 j∈Si

$
6. V → P: V samples ρ ← F and sends it to P.
 7. V, P: Output the folded linearized committed CCS instance (C 0 , u0 , x0 , rx0 , v10 , . . . , vt0 ),
where for all i ∈ [t]:

C 0 ← C1 + ρ · C2
u0 ← u + ρ · 1
x0 ← x1 + ρ · x2
vi0 ← σi + ρ · θi

e0 ← w
8. P: Output the folded witness w e1 + ρ · w
e2 .

Theorem 1 (A multi-folding scheme for CCS). Construction 2 is a public-

coin multi-folding scheme for (RLCCCS , RCCCS , µ = 1, ν = 1) with perfect com-
pleteness and knowledge soundness.

Lemma 4 (Perfect Completeness). Construction 2 satisfies perfect com-

pleteness.

Proof. Consider public parameters pp = (m, n, N, `, t, q, d, ppPC ) ← G(1λ ) and

let s = log m and s0 = log n. Consider arbitrary structure

S = (M ft ), (S1 , . . . , Sq ), (c1 , . . . , cq ) ← A(pp).

f1 , . . . , M

Consider prover and verifier key (pk, vk) ← K(pp, S). Suppose the prover and
verifier are provided a linearized committed CCS instance

(C1 , u, x1 , rx , v1 , . . . , vt )

and committed CCS instance

(C2 , x2 ).
Suppose the prover additionally is provided the the corresponding satisfying
witnesses w
e1 and w
e2 .
Because the input linearized committed CCS instance-witness pair is satisfying,
we have, for ze1 = (w^
1 , u, x1 ), that
X
vj = fj (rx , y) · ze1 (y)
M By precondition.
y∈{0,1}s0
 
X X
= e x , x) · 
eq(r M
fj (x, y) By Lemma 1
x∈{0,1}s y∈{0,1} s0
X
= Lj (x) By construction.
x∈{0,1}s
Moreover, because the input committed CCS instance-witness pair is satisfying,
we have, for all x ∈ {0, 1}s and for ze2 (x) = (w,
^ 1, x)(x), that
 
X q Y X
0= ci  fj (x, y) · ze2 (y)
M
i=1 j∈Si y∈{0,1}s0

Treating the right-hand side of the above equation as a polynomial in x, because

it is multilinear and vanishes on all x ∈ {0, 1}s , we have that it must be the zero
polynomial. Therefore, we have, for β sampled by the verifier, that
 
Xq Y X
0= ci  fj (β, y) · ze2 (y)
M
i=1 j∈Si y∈{0,1}s0
 
X q
X Y X
= eq(β,
e x) · ci  fj (x, y) · ze2 (y)
M By Lemma 1.
x∈{0,1}s i=1 j∈Si y∈{0,1}s0
X
= Q(x) By construction.
x∈{0,1}s

Therefore, for γ sampled by the verifier, by linearity, we have that

  
X X X
γ j · vj =  γ j · Lj (x) + γ t+1 · Q(x)
j∈[t] x∈{0,1}s j∈[t]
X
= g(x) By construction.
x∈{0,1}s

Therefore, by the perfect completeness of the sum-check protocol, we have for

e x , rx0 ), e2 = eq(β,
e1 = eq(r e rx0 ) and
X X
σi = fi (rx0 , y) · ze1 (y) and θi =
M fi (rx0 , y) · ze2 (y)
M
y∈{0,1}s0 y∈{0,1}s0

that

c = g(rx0 )
  
X
=  γ j · Lj (rx0 ) + γ t+1 · Q(rx0 )
j∈[t]
  
X X Y
=  γ j · e1 · σj  + γ t+1 · e2 ci · θj  .
j∈[t] i∈[q] j∈Si

This implies that the verifier will not abort.

Now, consider the linearized CCS instance

(C2 , 1, x2 , rx0 , θ1 , . . . , θt ).

By the precondition that the committed CCS instance (C2 , x2 ) is satisfied by w e2

and by the definition of θ1 , . . . , θt we have that this linearized CCS instance is
satisfied by the witness w
e2 .
Therefore, for random ρ sampled by the verifier, and for C 0 = C1 + ρ · C2 ,
u0 = u + ρ · 1, x0 = x1 + ρ · x2 , vi0 = σi + ρ · θi , we have that the output linearized
CCS instance
(C 0 , u0 , x0 , rx0 , v10 , . . . , vt0 )
e0 = w
is satisfied by the witness w e1 + ρ · w
e2 by the linearity and the additive
homomorphism property of the commitment scheme.

Some of our probabilistic analysis below is adapted from the proof of forking
lemma for folding schemes [KST22], which itself builds on the proof of the forking
lemma for interactive arguments [BCC+ 16].

Lemma 5 (Knowledge Soundness). Construction 2 satisfies knowledge

soundness.

Proof. Consider an adversary A that adaptively picks the structure and instances,
and a malicious prover P ∗ that succeeds with probability . Let pp ← G(1λ ).
Suppose on input pp and random tape ρ, the adversary A picks a CCS structure

s = ([M1 , . . . , Mt ], [S1 , . . . , Sq ], [c1 , · · · , cq ]),

a linearized committed CCS instance

ϕ1 = (C1 , u, x1 , rx , v1 , . . . , vt ),

a committed CCS instance

ϕ2 = (C2 , x2 ),
and some auxiliary state st.
We construct an expected-polynomial time extractor E that succeeds with proba-
bility  − negl(λ) in obtaining satisfying witnesses for the original instances as
follows.

E(pp, ρ):
1. Obtain the output tuple from A:

(s, ϕ1 , ϕ2 , st) ← A(pp, ρ).

2. Compute (pk, vk) ← K(pp, s).

 3. Run the interaction

e(1) ) ← hP ∗ , Vi((pk, vk), ϕ1 , ϕ2 , st)

(ϕ(1) , w
$
once with the final verifier challenge ρ(1) ← F.
4. Abort if (pp, s, ϕ(1) , w
e(1) ) 6∈ RLCCCS .
5. Rerun the interaction

e(2) ) ← hP ∗ , Vi((pk, vk), ϕ1 , ϕ2 , st)

(ϕ(2) , w
$
with a different verifier’s final challenge ρ(2) ← F while maintaining the same
prior randomness. Keep doing so until (pp, s, ϕ(2) , we(2) ) ∈ RLCCCS .
6. Abort if ρ(1) = ρ(2) .
7. Interpolating points (ρ(1) , w
e(1) ) and (ρ(2) , w
e(2) ), retrieve the witness polyno-
mials w
e1 and we2 such that for i ∈ {1, 2}

e1 + ρ(i) · w
w e(i) .
e2 = w (1)

8. Output (w
e1 , w
e2 ).
We first demonstrate that the extractor E runs in expected polynomial time.
Observe that E runs the interaction once, and if it does not abort, keeps rerunning
the interaction until P ∗ succeeds, Thus, the expected number of times E runs
the interaction is
1 1
1 + Pr[First call to hP ∗ , Vi succeeds] · = 1 +  · = 2.
Pr[hP ∗ , Vi succeeds] 
Therefore, we have that the extractor runs in expected polynomial-time.
We now analyze E’s success probability. We must demonstrate that E succeeds
in producing w
e1 and w
e2 such that

e1 ) ∈ RLCCCS
(pp, s, ϕ1 , w and e2 ) ∈ RCCCS
(pp, s, ϕ2 , w

with probability  − negl(λ).

To do so, we first show that thep extractor successfully produces some output
(i.e., does not abort) in under 3 |F| rewinding steps with probability  − negl(λ).
Indeed, by the malicious prover’s success probability, we have that the extractor
does not abort in step (4) with probability . Given that the extractor does not
abort in stepp (4), by Markov’s inequality, pwe have that the extractor rewinds
more than 3 |F| times with probability 2/ 3 |F|. Thus, the probability
p that the
extractorp does not abort in step (4) and requires less than 3
|F| rewinds is
(1 − 2/ |F|) · .
3

Now suppose
p that that the extractor does not abort in step (4) and p
requires less
than 3 |F| rewinds. This ensures that the extractor tests at most 3 |F| values
 p 2
for ρ. Thus, the probability that ρ(1) =
6 ρ(2) is 1 − 3 |F| /|F|. Thus, assuming
p 2
3
|F| ≥ 2, we have
p that the probability the extractor successfully produces some
output in under 3 |F| rewinding steps is
! p 2!
2 3
|F|
1− p ·· 1− =  − negl(λ).
3
|F| |F|

Next, if the extractor does not abort, we show that the extractor succeeds in
producing satisfying witnesses with probability 1−negl(λ). This brings the overall
extractor success probability to  − negl(λ).
(i) (i) (i)
Indeed, for i ∈ {1, 2}, let ϕ(i) = (C (i) , u(i) , x(i) , rx , v1 , . . . , vt ). We first show
that the retrieved polynomials are valid openings to the corresponding commit-
ments in the instance. For i ∈ {1, 2}, because w e(i) is a satisfying witness, by
construction,

e1 ) + ρ(i) · Commit(pp, w
Commit(pp, w e2 )
e1 + ρ(i) · w
= Commit(pp, w e2 ) By additive homomorphism.
(i)
= Commit(pp, w
e ) By Equation (1).
= C (i) e(i) is a satisfying opening.
Witness w
= C1 + ρ(i) · C2 By the verifier’s computation.

Interpolating, we have that

Commit(pp, w
e1 ) = C1 (2)
Commit(pp, w
e2 ) = C2 . (3)

Next, we must argue that w e1 and we2 satisfy the remainder of the instances ϕ1
and ϕ2 respectively under the structure s.
Indeed, consider (σ1 , . . . , σt ) and (θ1 , . . . , θt ) sent by the prover which by the
extractor’s construction are identical across all executions of the interaction. By
the verifier’s computation we have that for i ∈ {1, 2} and all j ∈ [t]
(i)
σj + ρ(i) · θj = vj (4)

e(i) is a satisfying witness, for i ∈ {1, 2} we have for all j ∈ [t] that
Now, because w
(i)
X
vj = fj (rx0 , y) · ze(i) (y),
M
y∈{0,1}s0

where ze(i) = (w(i)^

, u(i) , x(i) ).
However, by Equations (1) and (4), for i ∈ {1, 2} and j ∈ [t], this implies that
X X
σj + ρ(i) · θj = Mfj (r0 , y) · ze1 (y) + ρ(i) · fj (r0 , y) · ze2 (y),
M
x x
y∈{0,1}s0 y∈{0,1}s0

where ze1 = (w^ ^

1 , u, x1 ) and ze2 = (w2 , 1, x2 ). Interpolating, we have that, for all
j ∈ [t]
X
σj = Mfj (rx0 , y) · ze1 (y)
y∈{0,1}s0
X
θj = fj (rx0 , y) · ze2 (y)
M
y∈{0,1}s0

Thus, because that the verifier does not abort, we have that
   
X X Y
c= γ j · e1 · σj  + γ t+1 · e2 · ci · θj 
j∈t i∈[q] j∈Si
   
X X Y
= e x , rx0 ) · σj  + γ t+1 · eq(β,
γ j · eq(r e rx0 ) · ci · θj 
j∈t i∈[q] j∈Si
 
X X
= e x , rx0 ) ·
γ j · eq(r fj (rx0 , y) · ze1 (y) +
M
j∈t y∈{0,1}s0
 
X Y X
γ t+1 · eq(β,
e rx0 ) · ci · fj (rx0 , y) · ze2 (y)
M
i∈[q] j∈Si y∈{0,1}s0
X
= γj · Lj (rx0 ) + γ t+1 · Q(rx0 )
j∈[t]

= g(rx0 )

by the soundness of the sum-check protocol, this implies that with probability
1 − O(d · s)/|F| = 1 − negl(λ) over the choice of rx0 ,
X X
γ j · vj + γ t+1 · 0 = g(x)
j∈[t] x∈{0,1}s
 
X X
=  γ j · Lj (x) + γ t+1 · Q(x)
x∈{0,1}s j∈[t]
 
X X X
= γj ·  Lj (x) + γ t+1 · Q(x)
j∈[t] x∈{0,1}s x∈{0,1}s
By the Schwartz-Zippel lemma [Sch80], this implies that with probability 1 −
O(t)/|F| = 1 − negl(λ) over the choice of γ, we have
X
vj = Lj (x)
x∈{0,1}s

for all j ∈ [t] and

X
0= Q(x).
x∈{0,1}s

Now, for all j ∈ [t], we have

X
vj = Lj (x)
x∈{0,1}s
 
X X
= e x , x) · 
eq(r Mj (x, y) · ze1 (y)
x∈{0,1}s y∈{0,1}s0
X
= Mj (rx , y) · ze1 (y)
y∈{0,1}s0

This implies that w

f1 is a satisfying witness to ϕ1 .
Finally, we have that
X
0= Q(x)
x∈{0,1}s
  
X Xq Y X
= eq(β,
e x) ·  ci ·  fj (x, y) · ze2 (y)
M
x∈{0,1}s i=1 j∈Si y∈{0,1}s0
 
q
X Y X
= ci ·  fj (β, y) · ze2 (y)
M
i=1 j∈Si y∈{0,1}s0

By the Schwartz-Zippel lemma, this implies that with probability 1 − s/|F| =

1 − negl(λ) over the choice of β, we have that for all x ∈ {0, 1}s
 
Xq Y X
0= ci ·  fj (x, y) · ze2 (y)
M
i=1 j∈Si y∈{0,1}s0

This implies that w

f2 is a satisfying witness to ϕ2 .
Thus, if the extractor does not abort, it succeeds in producing satisfying witness
(f f2 ) with probability 1 − negl(λ).
w1 , w
Assumption 1 (Non-Interactive Multi-Folding Scheme). There exists a
non-interactive multi-folding scheme for (RLCCCS , RCCCS , 1, 1) in the plain model.

Justification. By applying the Fiat-Shamir transformation in the Construction 1

to the multi-folding scheme in Construction 2, we obtain a non-interactive multi-
folding scheme for (RLCCCS , RCCCS , 1, 1) in the random oracle model. By instantiat-
ing the random oracle with an appropriate cryptographic hash function, we heuris-
tically obtain a non-interactive multi-folding scheme for (RLCCCS , RCCCS , 1, 1) in
the plain model.

6 HyperNova: IVC from multi-folding schemes

We now describe HyperNova, a prover-efficient and recursive zkSNARK for
proving incremental computations where each step is expressed with committed
CCS. For simplicity, we focus on constructing an IVC scheme, but our construction
extends easily to provide a natural extension of IVC to distributed computations
called proof-carrying data (PCD) [BCCT13]. We leave a full specification and an
analysis of HyperNova’s PCD scheme to the near-term future work.
As noted earlier, we provide two constructions, one that directly builds on our non-
interactive multi-folding scheme for CCS, and another that uses the multi-folding
scheme in conjunction with Nova as a black box.

6.1 A direct approach

This section provides a direct construction of IVC using the non-interactive
multi-folding scheme. Our construction below is an adaptation of Nova’s IVC
scheme to the case of multi-folding schemes.
Construction 3 (A direct construction of HyperNova’s IVC). Let NIFS
be the non-interactive multi-folding scheme for (RLCCCS , RCCCS , 1, 1). Let (u⊥ , w⊥ )
be a default trivially satisfying RLCCCS instance-witness pair for any structure
and public parameters. We construct an IVC scheme as follows.
Consider a polynomial-time function F that takes non-deterministic input and a
cryptographic hash function hash. We define our augmented function F 0 , where
all input arguments are taken as non-deterministic advice, as follows.

F 0 (vk, Ui , ui , (i, z0 , zi ), ωi , π) → x:
1. If i = 0, output hash(vk, 1, z0 , F (z0 , ω0 ), u⊥ )
2. Otherwise:
(a) Check that ui .x = hash(vk, i, z0 , zi , Ui ), where ui .x is the public IO of ui
(b) Compute Ui+1 ← NIFS.V(vk, Ui , ui , π)
(c) Output hash(vk, i + 1, z0 , F (zi , ωi ), Ui+1 )
Because F 0 can be computed in polynomial time, it can be represented as a
RCCCS structure. Let

(ui+1 , wi+1 ) ← trace(F 0 , (vk, Ui , ui , (i, z0 , zi ), ωi , π))

denote the satisfying RCCCS instance-witness pair (ui+1 , wi+1 ) for the execution
of F 0 on non-deterministic advice (vk, Ui , ui , (i, z0 , zi ), ωi , π).
We define the IVC scheme (G, K, P, V) as follows.

G(1λ ) → pp: Output NIFS.G(1λ ).

K(pp, F ) → (pk, vk):

1. Compute (pkfs , vkfs ) ← NIFS.K(pp, F 0 )
2. Output (pk, vk) ← ((F, pkfs ), (F, vkfs )).
P(pk, (i, z0 , zi ), ωi , Πi ) → Πi+1 :
1. Parse Πi as ((Ui , Wi ), (ui , wi ))
2. (Ui+1 , Wi+1 , π) ← if i = 0 {(u⊥ , w⊥ , ⊥)} else {NIFS.P(pk, (Ui , Wi ), (ui , wi ))}
3. Compute (ui+1 , wi+1 ) ← trace(F 0 , (vk, Ui , ui , (i, z0 , zi ), ωi , π))
4. Output Πi+1 ← ((Ui+1 , Wi+1 ), (ui+1 , wi+1 ))
V(vk, (i, z0 , zi ), Πi ) → {0, 1}:
1. If i = 0, check that zi = z0
2. Otherwise:
(a) Parse Πi as ((Ui , Wi ), (ui , wi ))
(b) Check that ui .x = hash(vk, i, z0 , zi , Ui )
(c) Check that Wi and wi are satisfying witnesses to Ui and ui respectively

Theorem 2 (A direct construction of HyperNova’s IVC). Construction 3

is an IVC scheme.

Lemma 6 (Completeness). Construction 3 is an IVC scheme that satisfies

completeness.

Proof. Consider (F, i + 1, z0 , zi+1 ) and the corresponding inputs (zi , ωi ) such that

zi+1 = F (zi , ωi )

Let pp ← G(1λ ), and let (pk, vk) ← K(pp, F ). Now consider a proof Πi such that

V(vk, i, z0 , zi , Πi ) = 1
We must show that given

Πi+1 ← P(pk, (i, z0 , zi ), ωi , Πi )

that

V(vk, i + 1, z0 , zi+1 , Πi+1 ) = 1

with probability 1. We show this by induction on i.

Base Case (i = 0): Suppose the prover is provided Π0 such that

V(vk, 0, z0 , z0 , Π0 ) = 1.

By the base case of P and F 0 , we have

Π1 = ((u⊥ , w⊥ ), (u1 , w1 ))

for some (u1 , w1 ). By definition, the instance-witness pair (u⊥ , w⊥ ) is satisfying.

Moreover, by construction, (u1 , w1 ) must also be satisfying. Additionally, by the
construction of F 0 , we have

u1 .x = hash(vk, 1, z0 , F (z0 , w0 ), u⊥ ).

Therefore, we have

V(pp, 1, z0 , z1 , Π1 ) = 1.

Inductive Step (i ≥ 1): Assume that for

Πi = ((Ui , Wi ), (ui , wi ))

we have that

V(vk, i, z0 , zi , Πi ) = 1

and suppose that

Πi+1 = ((Ui+1 , Wi+1 ), (ui+1 , wi+1 )) ← P(pk, (i, z0 , zi ), ωi , Πi ).

By the construction of P, we have that

(Ui+1 , Wi+1 , π) ← NIFS.P(pk, (Ui , Wi ), (ui , wi )).

Thus, by the completeness of the underlying folding scheme, and the premise
that (ui , wi ) and (Ui , Wi ) are satisfying instance-witness pairs, we have that
(Ui+1 , Wi+1 ) is a satisfying instance-witness pair. Additionally, by the premise,
we have that ui .x = hash(vk, i, z0 , zi , Ui ). Therefore, P can construct a satisfying
instance-witness pair (ui+1 , wi+1 ) that represents the correct execution of F 0 on
input (U, u, (i, z0 , zi ), ωi , π). By construction, this particular input implies that

ui+1 .x = hash(vk, ui .i + 1, ui .z0 , F (zi , wi ), NIFS.V(vk, Ui , ui , π))

(5)
= hash(vk, ui .i + 1, ui .z0 , zi+1 , Ui+1 )

by the correctness of the underlying folding scheme. Thus, by Equation (5) we

have

V(vk, i + 1, z0 , zi+1 , Πi+1 ) = 1.

Lemma 7 (Knowledge Soundness). Construction 3 is an IVC scheme that

satisfies knowledge soundness.

Proof. Our approach is inspired by a recursive extraction technique described by

Bünz et al [BCL+ 21]. Let pp ← G(1λ ). Consider an expected polynomial-time
adversary P ∗ that outputs a function F on input pp, and let (pk, vk) ← K(pp, F ).
Suppose that, for a constant n, P ∗ additionally outputs (z0 , z, Π) such that

V(vk, n, z0 , z, Π) = 1

with probability . We must construct an expected polynomial-time extractor E

that with input (pp, z0 , z), outputs (ω0 , . . . , ωn−1 ) such that by computing

zi ← F (zi−1 , ωi−1 )

we have that zn = z with probability  − negl(λ).

We show inductively that E can construct an expected polynomial-time extractor
Ei (pp) that outputs ((zi , . . . , zn−1 ), (ωi , . . . , ωn−1 ), Πi ) such that for all j ∈ {i +
1, . . . , n},

zj = F (zj−1 , ωj−1 )

and

V(vk, i, z0 , zi , Πi ) = 1 (6)

for zn = z with probability  − negl(λ). Then, because in the base case when i = 0,
V checks that z0 = zi , the values (ω0 , . . . , ωn−1 ) retrieved by E0 (pp) are such that
computing zi+1 = F (zi , ωi ) for all i ≥ 1 gives zn = z. At a high level, to construct
an extractor Ei−1 , we first assume the existence of Ei that satisfies the inductive
hypothesis. We then use Ei (pp) to construct an adversary for the non-interactive
folding scheme (which we denote as P ei−1 ). This in turn guarantees an extractor
for the non-interactive folding scheme, which we denote as Eei−1 . We then use
Eei−1 to construct Ei−1 that satisfies the inductive hypothesis.
In the base case, for i = n, let En (pp; ρ) output (⊥, ⊥, Πn ) where Πn is the
output of P ∗ (pp; ρ). By the premise, En succeeds with probability  in expected
polynomial-time.
For i ≥ 1, suppose E can construct an expected polynomial-time extractor Ei
that outputs ((zi , . . . , zn−1 ), (ωi , . . . , ωn−1 )), and Πi that satisfies the inductive
hypothesis. To construct an extractor Ei−1 , E first constructs an adversary P ei−1
for the non-interactive folding scheme as follows:

P
ei−1 (pp; ρ):

1. Let ((zi , . . . , zn−1 ), (ωi , . . . , ωn−1 ), Πi ) ← Ei (pp; ρ).

2. Parse Πi as ((Ui , Wi ), (ui , wi )).
3. Parse wi to retrieve (Ui−1 , ui−1 , πi−1 ).
4. Output (Ui−1 , ui−1 ) and ((Ui , Wi ), πi−1 ).
By the inductive hypothesis, we have that V(vk, i, z0 , zi , Πi ) = 1, where Πi ←
Ei (pp) with probability  − negl(λ). Therefore, by the the verifier’s checks we
have that (ui , wi ) and (Ui , Wi ) are satisfying instance-witness pairs, and that

ui .x = hash(vk, i, z0 , zi , Ui ).

Therefore, we have that wi is indeed a satisfying assignment for F 0 (and not just
a trivially satisfying witness). Then, by the construction of F 0 and the binding
property of the hash function, we have that

Ui = NIFS.V(vk, Ui−1 , ui−1 , πi−1 )

with probability  − negl(λ). Thus, P ei−1 succeeds in producing an accepting

folded instance-witness pair (Ui , Wi ), for instances (Ui−1 , ui−1 ), with probability
 − negl(λ) in expected polynomial-time.
Then, by the knowledge soundness of the underlying non-interactive multi-folding
scheme (Assumption 1) there exists an extractor Eei−1 that outputs (wi−1 , Wi−1 )
such that (ui−1 , wi−1 ) and (Ui−1 , Wi−1 ) satisfy F 0 with probability  − negl(λ)
in expected polynomial-time.
Given an expected polynomial-time P
ei−1 and an expected polynomial-time Eei−1 ,
E constructs an expected polynomial time Ei−1 as follows

Ei−1 (pp; ρ):

1. ((Ui−1 , ui−1 ), (Ui , Wi ), πi−1 ) ← P

ei−1 (pp; ρ)

2. Retrieve ((zi , . . . , zn−1 ), (ωi , . . . , ωn−1 ), Πi ) from the internal state of P

ei−1 .

3. Parse Πi .wi to retrieve zi−1 and ωi−1

4. Let (wi−1 , Wi−1 ) ← Eei−1 (pp).
 5. Let Πi−1 ← ((Ui−1 , Wi−1 ), (ui−1 , wi−1 )).
6. Output ((zi−1 , . . . , zn−1 ), (ωi−1 , . . . , ωn−1 ), Πi−1 ).
We first reason that the output (zi−1 , . . . , zn−1 ), and (ωi−1 , . . . , ωn−1 ) are valid.
By the inductive hypothesis, we already have that for all j ∈ {i + 1, . . . , n},

zj = F (zj−1 , ωj−1 ),

and that V(vk, i, z0 , zi , (Ui , Wi ), (ui , wi )) = 1 with probability −negl(λ). Because

V additionally checks that

ui .x = hash(vk, i, z0 , zi , Ui ) (7)

by the construction of F 0 and the binding property of the hash function, we have

F (zi−1 , ωi−1 ) = zi

with probability  − negl(λ). Next, we argue that Πi−1 is valid. Because (ui , wi )
satisfies F 0 , and (Ui−1 , ui−1 ) were retrieved from wi , by the binding property of
the hash function, and by Equation (7), we have that

ui−1 .x = hash(vk, i − 1, z0 , zi−1 , Ui−1 )

Additionally, in the case where i = 1, by the base case check of F 0 , we have that
zi−1 = z0 . Because Eei−1 succeeds with probability  − negl(λ), we have that

V(vk, i − 1, z0 , zi−1 , Πi−1 ) = 1

with probability  − negl(λ).

Lemma 8 (Efficiency). When instantiated with the Pedersen commitment

scheme, we have that |F 0 | = |F | + o(G + 2 · H + d · log m · F + log m · R), where |F |
denotes the number of CCS constraints to encode a function F , G is the number
of constraints required to encode a group scalar multiplication, H is the number
of constraints required to encode hash, F is the number of constraints to encode
field operations, and R is the number of constraints to encode the RO ρ.

Proof. On input instances U and u, NIFS.V computes U.C ← U.C + ρ · u.C, which
costs a single group scalar multiplication. Verifying the non-interactive sum-check
proof in the non-interactive multi-folding scheme proof requires the verifier to
perform O(d · log m) finite field operations and O(log m calls to the RO to obtain
challenges in the sum-check protocol. Finally, F 0 makes two additional calls to
hash (details are in the description of F 0 ).

6.2 A simple approach to build HyperNova: Use Nova as a black box

We design a step circuit for Nova that runs the verifier’s logic in the non-interactive
multi-folding scheme for RLCCCS and RCCCS . The step circuit is encoded with
R1CS (a popular NP-complete constraint system [GGPR13]) and proven incre-
mentally with Nova, but the step circuit is only in charge of running the verifier
of the non-interactive multi-folding scheme, in addition to simple bookkeeping.
As a result, this provides an IVC scheme, where each step of the incremental
computation is expressed with committed CCS. Furthermore, we achieve this
with a black box use of an IVC scheme for R1CS.
In Nova, each step circuit takes as input the output of the previous step and
produces the output for the current step. In HyperNova, besides the application’s
IO, we augment them with the latest running instance. At each recursive step,
the step circuit gets as non-deterministic input a purported instance u in RCCCS
and π, where π is the prover’s output in the non-interactive multi-folding scheme.
The step circuit checks that the public input of u matches the application’s input
provided to the step circuit. If so, it runs the verifier of the non-interactive folding
scheme on (vk, U, u, π), where vk is the verifier’s key and U is the latest running
instance passed from the prior step. It then provides uses the public output of u
and the output of the folding scheme verifier to construct the step’s output.
Construction 4 (A step circuit for Nova). Let NIFS be the non-interactive
multi-folding scheme for (RLCCCS , RCCCS , 1, 1). Let IVC denote the Nova’s IVC
scheme for functions expressed as R1CS constraints.
We first define a non-deterministic polynomial-time function step, represented as
an R1CS structure, that iteratively folds instances expressed in RCCCS .

step(vk, Ui , zi ; (u, π)) → (vk, Ui+1 , zi+1 )

1. Parse u.x as (in, out)
2. Check that in = zi
3. Compute Ui+1 ← NIFS.V(vk, Ui , u, π)
4. Output (vk, Ui+1 , out)
Given F , expressed as an RCCCS structure, we define the corresponding IVC
scheme (G, K, P, V), which uses Nova in a black-box manner.

G(1λ ) → pp: Output (NIFS.G(1λ ), IVC.G(1λ ))

K((ppNIFS , ppIVC ), F ) → (pk, vk):

1. Compute (pkNIFS , vkNIFS ) ← NIFS.K(ppNIFS , F )
2. Compute (pkIVC , vkIVC ) ← IVC.K(ppIVC , step)
3. Output (pk, vk) ← ((F, pkNIFS , vkNIFS , pkIVC ), (step, ppNIFS , vkNIFS , vkIVC )).
P(pk, (i, z0 , zi ), ωi , Πi ) → Πi+1 :

1. Parse Πi as (Πi0 , Ui , Wi )
 2. Compute (ui , wi ) ← trace(F, (zi , ωi )) (where trace is defined as in Construc-
tion 3)
3. Compute (Ui+1 , Wi+1 , πi+1 ) ← NIFS.P(pkNIFS , (Ui , Wi ), (ui , wi ))
0
4. Compute Πi+1 ← IVC.P(pkIVC , i, (vkNIFS , u⊥ , z0 ), (vkNIFS , Ui , zi ), (ui , πi+1 ), Πi0 )
0
5. Output Πi+1 = (Πi+1 , Ui+1 , Wi+1 )
V(vk, (i, z0 , zi ), Πi ) → {0, 1}:
1. Parse Πi as (Πi0 , Ui , Wi ).
2. Check that IVC.V(vkIVC , i, (vkNIFS , u⊥ , z0 ), (vkNIFS , Ui , zi ), Πi0 ) = 1
3. Check that (ppNIFS , step, Ui , Wi ) ∈ RLCCCS

Theorem 3 (A simple construction for IVC). Construction 4 is an IVC

scheme.

7 nlookup: A lookup argument for Nova

This section describes a lookup argument, which we refer to as nlookup, that is
suitable for use in recursive arguments such as Nova, HyperNova, and others.
Suppose that there is a table T of size n. Now consider m variables v1 , . . . , vm in
a CCS instance and we wish to enforce that those values are contained in T .
A classic approach is to store T as a Merkle tree for which the circuit gets
as public input a commitment. Then to prove that a certain value is in T ,
the prover could supply as non-deterministic advice to the circuit a Merkle
proof of inclusion, and the circuit verifies the Merkle proof of inclusion. This
unfortunately requires O(m · log n) hash evaluations inside the circuit, which
is prohibitive. Plookup [GW20] provides an approach where the number of
constraints is O(max(m, n)), which is acceptable when m ≈ n. It is unsuitable
in the context of recursive SNARKs such as Nova where a particular recursive
step may perform m << n lookup operations. A recent flurry of works (e.g., see
cq [EFG22] for the latest in this line of work) consider the case where m << n,
but it is unclear how to adapt them to the setting of recursive SNARKs without
incurring high recursion overheads.
We provide a conceptually simple and yet efficient lookup argument, that we
refer to as nlookup. For m lookups on a table of size n entries, nlookup requires
O(m log n) multiplications and O(log n) hash operations inside a circuit (with
small constants) and the prover performs O(n) finite field operations. In partic-
ular, the prover does not commit to any additional polynomials. This lookup
argument is not suitable for accelerating bitwise operations in the circuit model of
computation, but it is a perfect tool for expressing finite state machines efficiently
with Nova and HyperNova (e.g., see [Sol23, §2.4]).
nlookup in a nutshell. Without loss of generality, assume that n = 2` . We
can view T as a function from {0, 1}` → F. Furthermore, let Te denote the
unique multilinear extension of the function T . In other words, Te is a multilinear
polynomial in ` variables where the entries in the table are evaluations of Te
over the Boolean hypercube {0, 1}` . To prove m lookup operations, the prover
specifies m evaluation points q1 , . . . , qm over the Boolean hypercube such that
Te(qi ) = vi for all i ∈ [m]. This requires O(m log n) Booleanity checks in the
circuit to ensure that qi ∈ {0, 1}` for all i ∈ [m].
We now devise a multi-folding scheme where the prover and the verifier fold the
task of checking the correctness of m lookup operations into task of checking
an evaluation of Te at a single point in its domain. Furthermore, in our context,
the circuit maintains a running claim about an evaluation of Te and the folding
scheme folds incoming lookup claims into this running claim.
?
Suppose that the running claim is Te(qr ) = vr for some qr ∈ Flog n and vr ∈ F.
At initialization, qr can be arbitrary and vr ← Te(qr ). Now, the folding scheme
reduces the following claim to an evaluation of Te, where ρ ∈ F is picked by the
verifier at random.
?
X
vr + ρ i · vi =
i={1,...,m}
X X X
e r , j) · Te(j) +
eq(q ρi · e i , j) · Te(j)
eq(q
j∈{0,1}log n i={1,...,m} j∈{0,1}log n

The folding scheme applies the sum-check protocol and outputs a new claim
?
about Te(qr0 ) = vr0 . The prover’s work in the folding scheme is O(n) finite field
operations. The verifier’s work in the non-interactive folding scheme is O(log n)
hash and field operations. Furthermore, at the end of the sum-check protocol (i.e.,
inside the folding scheme), the verifier computes evaluations of m eq
e polynomials
at a random point, this takes O(m · log n) multiplications.

7.1 Details and security proofs

Definition 15 (Polynomial Evaluation Relation). We define the polyno-
mial evaluation relation Rpoly as follows. Let the public parameters consist of size
parameter ` ∈ N. An Rpoly structure consists of Te, a multilinear polynomial in `
variables. An Rpoly instance is (r, v) ∈ (F` , F) where r is an evaluation point and
v is a claimed evaluation. An Rpoly witness is ⊥. We define Rpoly as follows.
(  )
 ` ∈ N, Te ∈ F[X1 , . . . , X` ], (r, v) ∈ (F` , F)

Rpoly = ((`, T ), (r, v), ⊥)  e
e .
 T (r) = v

Definition 16 (Lookup Relation). We define the lookup relation Rlookup as

follows. Let the public parameters consist of size parameter ` ∈ N. For vector
T ∈ Fn (where n = 2` ), an Rlookup structure consists of the corresponding
multilinear extension in ` variables, Te. An Rlookup instance consists of value
v ∈ F. An Rlookup witness consists of index q ∈ {0, 1}` . We define Rlookup as
follows.
(  )

` ∈ N, e ∈ F[X1 , . . . , X` ], v ∈ F, q ∈ {0, 1}`
T
Rlookup = ((`, Te), v, q)  e .

 T (q) = v

We now provide a multi-folding between two relations, a polynomial evaluation

instance and a collection of lookup instances.
Construction 5 (A multi-folding scheme for lookup instances). We con-
struct a multi-folding scheme for (Rpoly , Rlookup , µ = 1, ν) for arbitrary ν ∈ N.
We define the generator and the encoder as follows.
• G(1λ ) → pp:
– Sample size bound ` ∈ N.
– Output pp = `.
• K(pp, Te ∈ F[pp]) → (pk, vk): Output (pk, vk) = ((pp, Te), pp).
The prover takes as input pk = (pp = `, Te) and the verifier take as input
vk = pp = `. The verifier V takes a polynomial evaluation instance (qr , vr ) and a
vector of lookup instances (v1 , . . . , vm ) The prover P, in addition to the instances,
takes witnesses to the lookup instances (q1 , . . . , qm ).
The prover and the verifier proceed as follows.
1. P → V: (q1 , . . . , qm ).
2. V: Check that for all i ∈ [m], qi ∈ {0, 1}` .
$
3. V → P: V samples ρ ← F and send it to P.
$
4. V: Sample qr0 ← Fs .
5. V ↔ P: Run the sum-check protocol c ← hP, V(qr0 )i(g, `, 2, vr + i∈[m] ρi · vi ),
P
where:
X
e r , x) · Te(x) +
g(x) := eq(q ρi · eq(q
e i , x) · Te(x)
i∈[m]

6. P → V: vr0 , where vr0 = Te(qr0 ).

e r , qr0 ) and ei ← eq(q
7. V: Compute e ← eq(q e i , qr0 ) for all i ∈ [m]. Abort if
X
c 6= e · vr0 + ρi · ei · vr0 .
i∈[m]

8. V, P: Output the folded polynomial evaluation instance (qr0 , vr0 ).

Theorem 4. Construction 5 is a public-coin multi-folding scheme for (Rpoly , Rlookup , µ =
1, ν) for arbitrary ν ∈ N.

Lemma 9 (Perfect Completeness). Construction 5 satisfies perfect complete-

ness.

Proof. Consider public parameters pp = ` ← G(1λ ). Consider arbitrary structure

Te ∈ F[X1 , . . . , X` ]. Consider prover and verifier key (pk, vk) = (Te, ⊥) ← K(pp, Te).
Suppose the prover and verifier are provided Rpoly instance
(qr , vr )
and a vector of Rlookup instances
(v1 , . . . , vm ).
Suppose the prover is additionally provided the corresponding satisfying witnesses
for the Rlookup instances
(q1 , . . . , qm ).

By the satisfiability of the input instances we have that vr = Te(qr ) and vi = Te(qi )
for all i ∈ [m]
Therefore, for ρ ∈ F we have that
X X
vr + ρi · vi = Te(qr ) + ρi · Te(qi ) By precondition.
i∈[m] i∈[m]
 
X X
= e r , x) · Te(x) +
eq(q ρi · eq(q
e i , x) · Te(x) By Lemma 1
x∈{0,1}` i∈[m]

= g(x) By definition.

Therefore, by the completeness of the sum-check protocol, we have that c = g(qr0 )

Thus, for vr0 = Te(qr0 ), e = eq(q
e r , qr0 ), and ei = eq(q
e i , qr0 ) for all i ∈ [m], we have
that
c = g(qr0 )
X
e r , qr0 ) · Te(qr0 ) +
= eq(q e i , qr0 ) · Te(qr0 )
ρi · eq(q
i∈[m]
X
= e · vr0 + ρi · ei · vr0
i∈[m]

Therefore, we have that the verifier does not abort.

By construction, we have that vr0 = Te(qr0 ). Therefore, the folded polynomial
evaluation instance is satisfying.
Lemma 10 (Knowledge Soundness). Construction 5 satisfies knowledge
soundness assuming that |F| = Θ(2λ ).

Proof. Consider an adversary A that adaptively picks the structure and instances,
and a malicious prover P ∗ that succeeds with probability . Let pp = ` ← G(1λ ).
Suppose on input pp and random tape ρ, the adversary A picks a structure Te ∈
F[X1 , . . . , X` ], an Rpoly instance (qr , vr ), a vector of Rlookup instances (v1 , . . . , vm ),
and some auxiliary state st.
We construct an extractor E that succeeds with probability −negl(λ) in obtaining
satisfying witnesses for the original instances. It works as follows. On input pp
and ρ, E first obtains the following tuple from A:

(Te, (qr , vr ), (v1 , . . . , vm ), st) ← A(pp, ρ).

E then computes (pk, vk) ← K(pp, Te). Next, E runs

((qr0 , vr0 ), ⊥) ← hP ∗ , Vi((pk, vk), (qr , vr ), (v1 , . . . , vm ), st)

and obtains the first message (q1 , . . . , qm ) from P ∗ by parsing the corresponding
transcript. The extractor E outputs (⊥, (q1 , . . . , qm )) as the witness. Because the
extractor only runs P ∗ once, it runs in expected polynomial-time.
We must argue that ⊥ is a satisfying Rpoly witness for (qr , vr ), and that (q1 , . . . , qm )
are satisfying Rlookup witnesses for the input instances (v1 , . . . , vm ) with proba-
bility  − negl(λ).
Suppose we have that the witness ⊥ output by P ∗ is satisfying for the corre-
sponding verifier’s output (qr0 , vr0 ) with probability . By definition, this means
that

vr0 = Te(qr0 ) (8)

with probability . Moreover, this means that the verifier does not abort with
probability at least , and thus we have the following:
X
c = e · vr0 + ρi · ei · vr0
i∈[m]
X
= e r , qr0 )
eq(q · vr0 + e i , qr0 ) · vr0
ρi · eq(q By the verifiers computation.
i∈[m]
X
e r , qr0 ) · Te(qr0 ) +
= eq(q e i , qr0 ) · Te(qr0 )
ρi · eq(q By Equation 8.
i∈[m]

= g(qr0 ) By definition.

with probability .
Then, by the soundness of the sum-check protocol, we must have that
X X
vr + ρ i · vi = g(x)
i∈[m] x∈{0,1}`
 
X X
= e r , x) · Te(x) +
eq(q ρi · eq(q
e i , x) · Te(x) By definition.
x∈{0,1}` i∈[m]
X
= Te(qr ) + ρi · Te(qi ) By Lemma 1
i∈[m]

with probability  − negl(λ). By the Schwartz-Zippel lemma over ρ, this implies

that vr = Te(qr ) and vi = Te(qi ) for all i ∈ [m] with probability  − negl(λ).
Moreover, by the verifier’s initial check we have that qi ∈ {0, 1}` for all i ∈ [m].
Therefore, we have that

(pp, Te, (qr , vr ), ⊥) ∈ Rpoly

and
(m)
(pp, Te, (v1 , . . . , vm ), (q1 , . . . , qm )) ∈ Rlookup .
with probability  − negl(λ). Because the extractor E outputs the initial message
from the prover, we have that the extractor succeeds with probability  −
negl(λ).

Acknowledgments
We thank Justin Drake, Ariel Gabizon, Justin Thaler, and Ioanna Tzialla for helpful
conversations and comments on a prior version of this paper.
References
BCC+ 16. Jonathan Bootle, Andrea Cerulli, Pyrros Chaidos, Jens Groth, and
Christophe Petit. Efficient zero-knowledge arguments for arithmetic circuits
in the discrete log setting. In EUROCRYPT, 2016.
BCCT13. Nir Bitansky, Ran Canetti, Alessandro Chiesa, and Eran Tromer. Recursive
composition and bootstrapping for SNARKs and proof-carrying data. In
STOC, 2013.
BCL+ 21. Benedikt Bünz, Alessandro Chiesa, William Lin, Pratyush Mishra, and
Nicholas Spooner. Proof-carrying data without succinct arguments. In
CRYPTO, 2021.
BCMS20. Benedikt Bünz, Alessandro Chiesa, Pratyush Mishra, and Nicholas Spooner.
Proof-carrying data from accumulation schemes. In TCC, 2020.
BCTV14. Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer, and Madars Virza. Scal-
able zero knowledge via cycles of elliptic curves. In CRYPTO, 2014.
BDFG21. Dan Boneh, Justin Drake, Ben Fisch, and Ariel Gabizon. Halo Infinite:
Recursive zk-SNARKs from any Additive Polynomial Commitment Scheme.
In CRYPTO, 2021.
BFS20. Benedikt Bünz, Ben Fisch, and Alan Szepieniec. Transparent SNARKs
from DARK compilers. In EUROCRYPT, 2020.
BGH19. Sean Bowe, Jack Grigg, and Daira Hopwood. Halo: Recursive proof composi-
tion without a trusted setup. Cryptology ePrint Archive, Report 2019/1021,
2019.
BGH20. Sean Bowe, Jack Grigg, and Daira Hopwood. Halo2, 2020. https://github.
com/zcash/halo2.
CBBZ23. Binyi Chen, Benedikt Bünz, Dan Boneh, and Zhenfei Zhang. Hyperplonk:
Plonk with linear-time prover and high-degree custom gates. In EURO-
CRYPT, 2023.
CHM+ 20. Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah
Vesely, and Nicholas Ward. Marlin: Preprocessing zkSNARKs with universal
and updatable SRS. In EUROCRYPT, 2020.
Dra22. Justin Drake. ZK Whiteboard Sessions – Module Fourteen: Nova
Crash Course with Justin Drake. https://www.youtube.com/watch?v=
SwonTtOQzAk, 2022.
EFG22. Liam Eagen, Dario Fiore, and Ariel Gabizon. cq: Cached quotients for fast
lookups. Cryptology ePrint Archive, 2022.
FS86. Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to
identification and signature problems. In CRYPTO, pages 186–194, 1986.
GGPR13. Rosario Gennaro, Craig Gentry, Bryan Parno, and Mariana Raykova.
Quadratic span programs and succinct NIZKs without PCPs. In EU-
ROCRYPT, 2013.
GW20. Ariel Gabizon and Zachary J Williamson. plookup: A simplified polynomial
protocol for lookup tables. Cryptology ePrint Archive, 2020.
GWC19. Ariel Gabizon, Zachary J. Williamson, and Oana Ciobotaru. PLONK:
Permutations over Lagrange-bases for oecumenical noninteractive arguments
of knowledge. ePrint Report 2019/953, 2019.
KMT22. Dmitry Khovratovich, Mary Maller, and Pratyush Ranjan Tiwari. MinRoot:
candidate sequential function for Ethereum VDF. Cryptology ePrint Archive,
Paper 2022/1626, 2022.
KP22. Abhiram Kothapalli and Bryan Parno. Algebraic reductions of knowledge.
Cryptology ePrint Archive, Paper 2022/009, 2022.
KS22. Abhiram Kothapalli and Srinath Setty. SuperNova: Proving universal
machine executions without universal circuits. Cryptology ePrint Archive,
2022.
KST22. Abhiram Kothapalli, Srinath Setty, and Ioanna Tzialla. Nova: Recursive
Zero-Knowledge Arguments from Folding Schemes. In CRYPTO, 2022.
LFKN90. Carsten Lund, Lance Fortnow, Howard Karloff, and Noam Nisan. Algebraic
methods for interactive proof systems. In FOCS, October 1990.
MBKM19. Mary Maller, Sean Bowe, Markulf Kohlweiss, and Sarah Meiklejohn. Sonic:
Zero-knowledge SNARKs from linear-size universal and updateable struc-
tured reference strings. In CCS, 2019.
Moh23. Nicolas Mohnblatt. Sangria: a folding scheme for PLONK. https://
geometry.xyz/notebook/sangria-a-folding-scheme-for-plonk, 2023.
Sch80. Jacob T Schwartz. Fast probabilistic algorithms for verification of polyno-
mial identities. Journal of the ACM, 27(4), 1980.
Set20. Srinath Setty. Spartan: Efficient and general-purpose zkSNARKs without
trusted setup. In CRYPTO, 2020.
Sol23. Tomer Solberg. A brief history of lookup arguments. https://github.com/
ingonyama-zk/papers/blob/main/lookups.pdf, 2023.
STW23. Srinath Setty, Justin Thaler, and Riad Wahby. Customizable constraint
systems for succinct arguments. Cryptology ePrint Archive, 2023.
Tha13. Justin Thaler. Time-optimal interactive proofs for circuit evaluation. In
CRYPTO, 2013.
Val08. Paul Valiant. Incrementally verifiable computation or proofs of knowledge
imply time/space efficiency. In TCC, pages 552–576, 2008.
VSBW13. Victor Vu, Srinath Setty, Andrew J. Blumberg, and Michael Walfish. A
hybrid architecture for verifiable computation. In S&P, 2013.
Zha23. Zhenfei Zhang. Origami: Fold a Plonk for Ethereum’s VDF. Cryptology
ePrint Archive, 2023.