
In systems where computations are performed in remote or potentially untrusted environments (e.g. Ethereum NaaS providers such as Infura), how can we gain confidence in the accuracy of the results? Zero-knowledge proofs (ZKPs) provide an intriguing solution for verifying specific aspects of computation.

My focus:

  • Proofs for Function Outputs: Can we generate a ZKP that directly verifies the output (return value) of a function call, given its inputs and any relevant contextual state?
  • Beyond State Transitions: While ZKPs in blockchains often prove state transitions, I'm interested in the specifics of attesting to a singular function result.
  • Challenges and Approaches: What are the cryptographic considerations, potential circuit design patterns, and trade-offs in constructing proofs for function call outputs?

Questions:

  1. Are there theoretical limitations to proving arbitrary function results, or are there classes of functions that are well-suited?
  2. How would the process of generating and verifying such a proof look in practice?
  3. What are the potential efficiency bottlenecks (proof size, computation time) to consider?
MShakeG

1 Answer

  1. No, there are no theoretical limitations to proving the correctness of the result of some function $f$ as long as this function is computable by a polynomial-size boolean circuit. I'm not sure why zero-knowledge is relevant here; if you have access to both the output and input of the function, you can verify the computation by running it. If instead you want a succinct way of verifying computation (i.e. one that takes strictly less time than computing $f$), there are also results for that. The theory behind succinct proofs is based on the PCP Theorem. If you only know the output $y$ and some part $x$ of the input and want to check that there is $w$ such that $f(x,w)=y$, then it is indeed possible to verify this in zero-knowledge (hiding $w$), since the question is framed as an NP statement.
  2. The most generic way of proving NP statements about boolean circuits that I am aware of is the MPC-in-the-Head framework. The proofs can be made non-interactive through the Fiat-Shamir transform.
  3. There is a lot of research activity around making the MPC-in-the-Head technique more efficient since it is used for many candidate post-quantum signature schemes. You can check out the candidates in NIST's most recent call to have an idea of the efficiency.
lamontap
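As an added illustration of the answer's points 1 and 2 (this is not code from the question, the answer, or any library), here is a toy ZKBoo-style MPC-in-the-Head argument for the NP statement "I know $w$ such that $f(x,w)=y$", made non-interactive with Fiat-Shamir. The field, the tiny circuit $f(x,w)=xw+w^2$, the three-party decomposition and the round count are my choices, and the hash-of-repr commitments are a simplification for demonstration, not a production scheme.

```python
import hashlib, secrets

P = 2**61 - 1   # prime field for the toy circuit
ROUNDS = 40     # a cheating prover survives a round with prob. 2/3, all 40 with ~1e-7

def f(x, w):
    # public function f(x, w) = x*w + w^2 mod P: x is public, w is the secret witness
    return (x * w + w * w) % P

def H(*parts):
    return hashlib.sha256(b"|".join(repr(p).encode() for p in parts)).digest()

def party_output(x, wi, ri, wj, rj):
    # party i's output share: x*w is linear (local on its share); w*w uses the ZKBoo 3-party rule
    return (x * wi + wi * wi + 2 * wi * wj + ri - rj) % P

def simulate(x, w):
    # run the 3-party protocol "in the head": additive shares of w, one view per party
    ws = [secrets.randbelow(P) for _ in range(2)]
    ws.append((w - sum(ws)) % P)
    rs = [secrets.randbelow(P) for _ in range(3)]
    return [(ws[i], rs[i], ws[j], rs[j], party_output(x, ws[i], rs[i], ws[j], rs[j]))
            for i, j in ((0, 1), (1, 2), (2, 0))]   # party i receives (w_j, r_j) from neighbour j

def challenge(x, y, coms, outs):
    # Fiat-Shamir: one challenge e in {0,1,2} per round, derived from the whole transcript
    return [b % 3 for b in hashlib.shake_256(H(x, y, coms, outs)).digest(ROUNDS)]

def prove(x, w):
    rounds = [simulate(x, w) for _ in range(ROUNDS)]
    nonces = [[secrets.token_bytes(16) for _ in range(3)] for _ in rounds]
    coms = [[H(n, v) for n, v in zip(ns, vs)] for ns, vs in zip(nonces, rounds)]
    outs = [[v[4] for v in vs] for vs in rounds]
    opened = [[(rounds[k][i], nonces[k][i]) for i in (e, (e + 1) % 3)]   # third view stays hidden
              for k, e in enumerate(challenge(x, f(x, w), coms, outs))]
    return coms, outs, opened

def verify(x, y, proof):
    coms, outs, opened = proof
    for k, e in enumerate(challenge(x, y, coms, outs)):
        j = (e + 1) % 3
        (ve, ne), (vj, nj) = opened[k]
        ok = H(ne, ve) == coms[k][e] and H(nj, vj) == coms[k][j]   # openings match commitments
        ok &= ve[2:4] == vj[0:2]                                   # e really received j's values
        ok &= party_output(x, *ve[:4]) == ve[4] == outs[k][e]      # e followed the protocol
        ok &= party_output(x, *vj[:4]) == vj[4] == outs[k][j]      # j followed the protocol
        ok &= sum(outs[k]) % P == y                                # the three shares reconstruct y
        if not ok: return False
    return True
```

The verifier never sees all three shares of $w$ in any round, which is where the zero-knowledge comes from; soundness comes from repeating the 2-of-3 opening enough times.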