Darlin: A proof carrying data scheme based on Marlin
share
In this document we describe the Darlin proof carrying data scheme for the distributed computation of block and epoch proofs in a Latus sidechain of Zendoo (arxive:2002.01847). Recursion as well as base proofs rest on Marlin (Chiesa et al. EUROCRYPT 2020) using the Pasta cycle of curves and the "dlog" polynomial commitment scheme from Bootle et al. We apply the amortization technique from Halo (Bowe et al., IACR eprint 2019/1021) to the non-succinct parts of the verifier, and we adapt their strategy for bivariate circuit encoding polynomials to aggregate Marlin's inner sumchecks across the nodes of the proof carrying data scheme. Regarding performance, the advantage of Darlin over a scheme without inner sumcheck aggregation is about 30 scenario as ours, and beyond when applied to linear recursion.
READ FULL TEXT