New Protocol Version

We divide the protocol into Setup, Prover Computation, Verifier Challenge, and Proof & Verification phases.

1. Setup Phase

(Both) Agree on the public parameters $(S_{1}, S_{2})$ .
(Verifier) Publicly specifies the maximum polynomial degree $d$ , if needed.
(Trusted Ceremony / Setup) Generates a secret $τ$ and produces $(S_{1}, S_{2})$ .
After this step, $τ$ (the toxic waste) must be discarded to maintain security.

2. Prover Computation Phase

(Prover) Interpolates the column polynomials $a (x), b (x), c (x)$ .
(Prover) Constructs quotient polynomials $Q (x), Q_{1} (x), Q_{2} (x)$ with respect to the vanishing polynomials $Z (x), Z_{1} (x)$ .
(Prover) Commits to each polynomial by computing $c_{a} = commit (a), c_{b} = commit (b), c_{c} = commit (c), c_{Q} = commit (Q), \dots$ and sends these commitments to the Verifier.

3. Verifier Challenge Phase

(Verifier) Samples random challenges $γ_{1}, γ_{2}, γ_{3}$ .
(Verifier) Sends the challenges to the Prover.

4. Proof & Verification Phase

(Prover) Evaluates each committed polynomial at its corresponding challenge. For example,
$a (γ_{1}), b (γ_{1}), c (γ_{1}), Q (γ_{1}) .$
Then constructs proofs $π_{a}, π_{b}, π_{c}, π_{Q}$ via the KZG evaluation method. The Prover sends
$(a (γ_{1}), b (γ_{1}), c (γ_{1}), Q (γ_{1}))$
and
$(π_{a}, π_{b}, π_{c}, π_{Q})$
to the Verifier.
(Verifier) Uses the commitments $(c_{a}, c_{b}, c_{c}, c_{Q})$ and the proofs $π_{a}, π_{b}, π_{c}, π_{Q}$ to verify each polynomial evaluation.
It then checks the constraint
$a (γ_{1}) + b (γ_{1}) - c (γ_{1}) = Q (γ_{1}) \cdot Z (γ_{1}) .$
Since the Verifier can construct $Z (x)$ itself, it only needs to check $t (γ_{1}) = Q (γ_{1}) Z (γ_{1})$ , where $t (x) = q L (x) \cdot a (x) + q R (x) \cdot b (x) + q M (x) \cdot (a (x) \cdot b (x)) - c (x)$ .
(Verifier) Repeats a similar check for the recursive constraints:
$a (γ_{2} + 1) - b (γ_{2}) = Q_{1} (γ_{2}) \cdot Z_{1} (γ_{2}),$ $b (γ_{3} + 1) - c (γ_{3}) = Q_{2} (γ_{3}) \cdot Z_{1} (γ_{3}) .$
(Verifier) If all these checks pass, the Verifier accepts. Otherwise, it rejects.

As you can see, both the number of message exchanges and the operations performed by the Verifier are now almost constant. In other words, the Verifier can ask the Prover to compute $F_{6}^{2}$ or $F_{1000}^{2}$ and still carry out about the same number of computations. The only operation dependent on the number of rows of the circuit on the verifier's side is the computation of the vanishing polynomials $Z$ and $Z_{1}$ .

Protocol Diagram

The following diagram visually represents the four main phases of the protocol:

Phase 1: Setup
- Both parties agree on the public parameters $(S_{1}, S_{2})$ .
- The Verifier may specify the maximum polynomial degree $d$ .
- A trusted ceremony generates the secret $τ$ , then discards it, while producing the public parameters $(S_{1}, S_{2})$ .
Phase 2: Prover Computation
- The Prover interpolates the circuit columns (e.g., Fibonacci) into polynomials $a (x), b (x), c (x)$ .
- Constructs the quotient polynomials $Q (x), Q_{1} (x), Q_{2} (x)$ relative to vanishing polynomials $Z, Z_{1}$ .
- Commits to these polynomials (e.g., $c_{a}, c_{b}, c_{c}, c_{Q}, \dots$ ) and sends the commitments to the Verifier.
Phase 3: Verifier Challenge
- The Verifier randomly samples challenges $γ_{1}, γ_{2}, γ_{3}$ .
- Sends these challenges to the Prover.
Phase 4: Proof & Verification
- The Prover evaluates each committed polynomial at the corresponding $γ$ value and constructs proofs (e.g., $π_{a}, π_{b}$ ).
- Sends the polynomial evaluations and proofs to the Verifier.
- The Verifier checks that the evaluations match the commitments, confirming equations like $t (γ_{1}) = Q (γ_{1}) \cdot Z (γ_{1}) .$
- If all checks pass, the Verifier accepts; otherwise, it rejects.