How is succinct verification for transparent SNARKs possible?

Question

I am a bit confused as to how succinct verification is possible with transparent SNARKs (i.e., SNARKs without trusted setup).

As I understand it, a transparent SNARK proof $\pi$ allows a verifier given a circuit $C$ and an input $x$ to verify that there exists an input $w$ such that $C(x, w)=1$. Succinctness should mean, in particular, that the time to verify $\pi$ is much smaller than $|C|$. But doesn't the verfier at least need to read the description of $C$? And doesn't that require at least time $|C|$?

(Note: with trusted setup, there is a verification key $vk$ that depends on $C$; the verifier takes $vk$ as input in addition to $\pi$. So I understand how succinct verification is possible there, since $vk$ ``encodes'' $C$. My question is specifically about the transparent setting.)

score 0 · Answer 1 · answered Aug 28 '24 at 11:49

$C$ can have a description much shorter than $|C|$, for the same reason that a short piece of code can run for a very long time. The size of $C$ accounts for all operations performed during a computation (on a worst-case choice of input). Consider for example an arithmetic circuit that computes $x^{2^t} \bmod n$ on input $x$: it took me one line to describe it, but the circuit has $t$ squaring steps$^*$, where $t$ could be arbitrarily large.

$*$: there's a circuit with less operations but it requires knowing the factorization of $n$.

How is succinct verification for transparent SNARKs possible?

1 Answers1