Optimizing the compliance circuit with sigmabus

kike · September 19, 2025, 2:43pm

In the RISC0-ARM, the code to show correctness of the compliance units results in large computational traces, which in turn yields large proving times. For example, the computational trace for compliance units with only 2 resources (the smallest possible size) has roughly 2 million cycles. Under the hood, RISC0 splits the trace in two segments and proves each separately. So, proving correctness of compliance units requires producing at least two STARK proofs, three if the segment proofs are aggregated, and four if the aggregation is wrapped into a groth16 proof (the latter is needed for on-chain verification, so it is the most likely case).

The main source of inefficiency are the constraints related to the delta proof, which involve elliptic curve (EC) operations. In general, emulating EC arithmetic in circuits (zkVMs or any other generic SNARK) is costly, as these are typically non-native operations. In this post I will explain how we can offload EC arithmetic from the compliance unit’s code run inside zkVMs using the sigmabus technique. But we warned: offloading EC arithmetic comes with its own drawbacks and limitations, as we shall see.

Notation. I will use \mathbb{G} to denote a cyclic group of prime order p and \mathbb{F} its scalar field (in practice \mathbb{G} is an elliptic curve). Uppercase letters for group elements G\in\mathbb{G}. Lowercase letters for scalars s\in\mathbb{F}. I will use multiplicative notation for the group operation G_3 = G_1\cdot G_2, and denote vector, or matrices, of objects in bold \mathbf{G},\mathbf{s}. The inner product of two \mathbb{F}-vectors \mathbf{x},\mathbf{y} of the same length n is \langle \mathbf{x}, \mathbf{y}\rangle =\sum_{i=1}^n x_iy_j.

Disclaimer. The post is a bit mathy, I tried my best but there might be typos or errors. Apologize in advance.

Delta proof

The kind of a resource is derived from its logic and label by hashing onto the group, Hash(\mathsf{logic},\mathsf{label})=K \in \mathbb{G}. The quantity of the resource is represented as a scalar q\in\mathbb{F}.

Fix a generator H of \mathbb{G}. A delta proof (delta commitment from now on) for a compliance unit with n resources is a Pedersen commitment D to the vector \mathbf{x}\in\mathbb{F}^n under commitment key (\mathbf{K},H)\in\mathbb{G}^{n+1}. Namely:

\begin{equation} D = \prod_{i}^n K_i^{x_i} \cdot H^r, \end{equation}

where r is the commitment randomness. If the i-th resource is consumed x_i = q_i, and if it is created x_i = -q_i. The only public values are the delta commitment D and the generator H.

In a transaction with c compliance units, we can homomorphically add all resource quantities for the same kind using the m delta commitments. If all the quantities per kind add up to zero, then E= \prod_l^c D_l = H^{\sum r_l}. The delta proof of the transaction consists in a valid ECDSA signature, with generator H, on a challenge message. The prover uses as signing key \mathsf{sk} = \sum_j^c r_j, and the public key is \mathsf{pk} = E= H^{\mathsf{sk}}. This is sound because if for some kind the pertaining quantities do not add up to zero, but still the prover can generate a valid signature, then the prover has found a non-trivial relation between the group elements (\mathbf{K},H); which is highly unlikely because each kind K_i is derived via hashing, and therefore its dlog in base H (or in any base other than K_i) is unknown.

The fact that the kinds \mathbf{K} are private (not known to the verifier), and that the prover cannot know their dlogs in base H, are the main reasons in the limitations of adapting sigmabus in the compliance circuit. More on this later.

Sigmabus

Given a circuit \mathsf{C} that, among other things, exponentiates a group element G resulting in Y = G^y. The idea of the sigmabus paper is to replace \mathsf{C} with another circuit \mathsf{C}' that takes Y as public input. This makes \mathsf{C}' much smaller than \mathsf{C}, and hence proving its satisfiability with a generic SNARK faster. Assuming that dlog_G(Y) is indeed the same scalar y used in the original circuit, then both circuits \mathsf{C}, \mathsf{C}' are functionally equivalent.

To remove the assumption, the prover provides a proof of knowledge of the dlog of Y. Which can be done with the Schnorr protocol, an example of a sigma protocol, whose prover is very efficient: its complexity is dominated by a single exponentiation! A verifying transcript of the Schnorr protocol is the triplet

(S= G^s,c,z = s+cy)\in\mathbb{G}\times\mathbb{F}^2,

where y is the witness (secret) dlog of Y, c the verifier’s challenge, and z the prover’s response. The verifier checks

\begin{equation} G^z \stackrel{?}{=} S\cdot Y^c \end{equation}

Now, to enforce the same y is used in the sigma protocol and in the circuit \mathsf{C}' the following is also done:

the response z and challenge c are passed as public input to \mathsf{C}', and the random scalar s as witness. The additional constraint z \stackrel{?}{=} s+cy over the scalar field \mathbb{F} is enforced in the circuit,
the prover could however still compute Y' = G^{y'} for incorrect y' \neq y, run honestly the Schnorr protocol using y' for Y', and pass Y',y',s' = z-y'c to the circuit \mathsf{C}'. To rule out this and other misbehaviours, the prover must commit to y,s (via hashing, using a random salt), and generate the challenge e using the commitments \mathsf{c}_y,\mathsf{c}_s. The commitments are also passed as public inputs to \mathsf{C}' to enforce correct hashing (the salts passed as witness).

The authors also note that their technique can be naturally extended to check linear combination in the exponent, not just exponentiations.

Sigmabus for the compliance circuit

What first comes to mind is to use sigmabus to enforce the linear combination of Eq. (1) above. This would remove EC arithmetic from the compliance circuit. The problem is that if we do so, the kinds \mathbf{K} must be known to the verifier, as they become the basis in the sigma protocol: the verifier needs them to check Eq. (2) with G=K_i.

We could try to use a sigma protocol that treats the basis as witnesses. In principle it is possible, but the obvious way of doing it (at least to me) requires a sigma response Z living in the group not in the scalar field. Since the response is constrained, we’d be back with EC arithmetic in the circuit \mathsf{C}', which is what we are trying to avoid. (I gave up on this direction, but I may be missing something…)

The other possibility is that we change how kinds are generated. So now we are going to hash onto the scalar field. The kind is:

Hash(\mathsf{logic},\mathsf{label}) = k \in\mathbb{F},

and we set K = G^{k} for some fixed generator. Which means the delta commitment for a compliance unit with n resources in Eq. (1) becomes:

D = G^{\sum_i^n k_i x_i} H^r

Now it is possible to use the sigmabus technique. We prove knowledge of the scalar y committed in D with a sigma protocol (hashing witnesses and prover’s randomness as described above), and then enforce the inner product constraint y \stackrel{?}{=} \sum_i^n k_i x_i in the compliance circuit using the kind and quantities .

Wait… this is not secure. The dlogs of the basis \mathbf{K} are known. A malicious prover can simply find a non-zero linear combination for all the kinds involved in the final transaction, and derive the quantities from there. In other words, can make an unbalanced transaction pass as balanced.

Adding redundancy

To fix this, we use redundancy. Unfortunately, this means we need to impose an upper bound in the number of resources that participate in a transaction. Say there are up to u resources. For each compliance unit, the prover generates u+1 delta commitments. In the j-th commitment it uses \mathbf{k}^j = (k_1^j,\ldots,k_n^j) to derive the committed scalar y_j:

y_j = \langle \mathbf{k}^j,\mathbf{x}\rangle , \quad D_j = G^{y_j} H^{r_j}\quad \ \forall j = 0,\ldots, u

Recall k_1,\ldots,k_n are the kinds for the n resources of the compliance unit.

If the transaction contains c compliance units, each with delta commitments vector \mathbf{D}_l= (D_{l,0},\ldots, D_{l,u}) for l\leq c, we combine the j-th commitments from each unit the same way as before:

\begin{align} E_0 &= \prod_{l=1}^c D_{l,0} \qquad(= G^{\langle \mathbf{1},\mathbf{x}\rangle} H^{\sum_{l=1}^c r_{l,0}})\\ E_1 &= \prod_{l=1}^c D_{l,1} \qquad(= G^{\langle \mathbf{k},\mathbf{x}\rangle} H^{\sum_{l=1}^c r_{l,1}})\\ \vdots & \\ E_u &= \prod_{l=1}^c D_{l,u} \qquad(= G^{\langle \mathbf{k}^u,\mathbf{x}\rangle} H^{\sum_{l=1}^c r_{l,u}}) \end{align}

Since all inner products should vanish, an honest prover knows the dlog of all the E_j's in base H. Therefore, they know the dlog of any public linear combination of the E_j's. So, they hash e=Hash(E_1,\ldots,E_u)\in\mathbb{F}, and sign the challenge message with the signing key corresponding to public key E = \prod_{j=0}^{u} E_j^{e^{j+1}}.

Later we will see why the delta proof is sound.

The point is that for each compliance unit, the commitments vector \mathbf{D} = (D_0,\ldots,D_u) is generated off-circuit. The compliance circuit receives them as input, along with their purportedly dlogs and enforces a bunch of inner products constraints between the (positive or negative) quantities and the j-th power of the kinds. These are all constraints over \mathbb{F}.

We have eliminated EC arithmetic in the compliance circuit and replace it with inner product constraints and hashing

Code and proof format

Prover

For each compliance unit the prover runs code inside and outside what will be proved with the generic SNARK. u is a fixed upper bound, n the number of participating resources in the unit.

Outside the compliance circuit (sigmabus prover)

The prover first computes the u+1 delta commitments. Let us write D_j = G^{y_j}H^{r_j}. It then runs the following non-interactive sigma protocol to prove knowledge of the scalars y_j committed in D_j.

Input:

public: generators G,H, delta commitments \mathbf{D}\in\mathbb{G}^{u+1}
private: dlogs \mathbf{y} and randomness \mathbf{r} both in \mathbb{F}^{u+1}

Steps:

sample \mathbf{y}',\mathbf{r}'\stackrel{\$}{\gets} \mathbb{F}^{u+1}
compute S_j = G^{y'_j}H^{r'_j}, for j=0,\ldots,u
commit to \mathbf{y}_j,\mathbf{r}_j,\mathbf{y}'_j,\mathbf{r}'_j in \mathsf{comm}, by hashing with a random salt \rho.
compute c = Hash(G,H,\mathbf{D},\mathbf{S},\mathsf{comm})\in\mathbb{F} // verifier’s challenge
compute \mathbf{z}_1 = \mathbf{y}'+c\mathbf{y} and \mathbf{z}_2 = \mathbf{r}'+c\mathbf{r}
the sigmabus proof \pi is \mathsf{comm} and (c,\mathbf{z}_1,\mathbf{z}_2)\in\mathbb{F}^{2u+3}

We have described the communication-efficient version where the first prover’s message (\mathbf{S}) is omitted from the proof \pi.

Inside the compliance circuit

We only list the parts affecting the delta proof. Everything else remains as implemented now.

Input

public: delta commitments \mathbf{D}, sigmabus proof \pi=(\mathsf{comm},c,\mathbf{z}_1,\mathbf{z}_2)
private:
dlogs \mathbf{y} and randomness \mathbf{r}
sigmabus prover’s randomness \mathbf{y}',\mathbf{r}' and salt \rho
logics, labels, and quantities of the n resources

Steps:

compute kinds k_i = Hash(\mathsf{logic}_i,\mathsf{label}_i)\in\mathbb{F} for i = 1,\ldots, n
compute k_i^j for j=0,\ldots u. Let \mathbf{k}^j = (k_1^j,\ldots,k_n^j)
for the i-th quantity q_i\in\mathbb{F}, if its resource is consumed set x_i = q_i, else set x_i = -q_i
enforce y_j \stackrel{?}{=} \langle \mathbf{k}^j,\mathbf{x} \rangle for j=0,\ldots u.
enforce \mathsf{comm} \stackrel{?}{=} \mathsf{hash}(\mathbf{y}_j,\mathbf{r}_j,\mathbf{y}'_j,\mathbf{r}'_j,\rho)
enforce \mathbf{z}_1 \stackrel{?}{=} \mathbf{y}'+c\mathbf{y} and \mathbf{z}_2 = \mathbf{r}'+c\mathbf{r}
(other constraints unrelated to delta proof)

Deriving the signing key

Let r_{l,j} be the randomness used to generate the j-th delta commitment \mathbf{D}_{l,j} in the l-th compliance unit. The signing key is derived as:

compute the group elements E_1,\ldots, E_u as in Eq. 3.
compute e = Hash(\mathbf{E})\in\mathbb{F}.
the signing key is \mathsf{sk} = \sum_{j=0}^{u} e^{j+1}(\sum_{l=1}^c r_{l,j})

Verifier

In addition to verify all the compliance proofs, the verifier also verifies the sigmabus proofs (attached in the transaction) and the signature.

Sigmabus verifier

Inputs:

generators G,H, delta commitments \mathbf{D}\in\mathbb{G}^{u+1},
sigmabus proof \pi is \mathsf{comm} and (c,\mathbf{z}_1,\mathbf{z}_2)\in\mathbb{F}^{2u+3}

Steps:

recompute first messages: S_j = G^{z_{1,j}}H^{z_{2,j}}D_j^{-c} for j = 0,\ldots u
check c \stackrel{?}{=} Hash(G,H,\mathbf{D},\mathbf{S},\mathsf{comm})
if the check passes accept, else reject

Signature verification

Input:

all delta commitment vectors \mathbf{D}_1,\ldots,\mathbf{D}_c from the c compliance units
the signature \delta
the signed message \mathsf{m}

Steps

compute the group elements E_1,\ldots, E_u as in Eq. 3.
compute e = Hash(\mathbf{E})\in\mathbb{F}.
compute public key \mathsf{pk} = \prod_{j=0}^u E_j^{e^{j+1}}
verify \delta on \mathsf{m} using \mathsf{pk}

The new delta proof works and it is sound

We have changed the delta proof. It is in fact a generalization of what we have currently implemented. The main difference is that the exponents of the kind group elements K_i are known. Next we show completeness and soundness for the new delta proof.

Take a transaction with r\leq u resources, and suppose there are d \leq r distinct kinds k_1,\ldots, k_d across these r resources. For each distinct kind k_j, let s_j be the sum of the (positive or negative) resource quantities associated to it.

Why it works

Using linear algebra, it is not difficult to see that after combining each of the u+1 delta commitments from each compliance unit as in Eq. 3, we obtain the following linear system in the exponent of G:

\begin{equation} \begin{pmatrix} y_0 \\ y_1 \\ \vdots \\ \vdots \\ y_u \end{pmatrix} = \underbrace{ \begin{pmatrix} 1 & 1 & \cdots & 1 \\ k_1 & k_2 & \cdots & k_d \\ k_1^2 & k_2^2 & \cdots & k_d^2\\ \vdots & \ddots & & \vdots \\ \vdots & & & \vdots \\k_1 ^u & k_2^u & \cdots & k_d^u \end{pmatrix} }_{\mathbf{V}} \begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_d \end{pmatrix} \end{equation}

For balanced transactions (honest provers), \mathbf{s} = \mathbf{0}, so also \mathbf{y}=\mathbf{0}, and everything works fine.

Why it is sound

It is sound for the following reasons:

If the signature on the linear combination E= \prod_{j=0}^u E_j^{e^{j+1}} is valid, then \mathbf{y}=\mathbf{0}. This follows because the valid signature proves the exponent of E in base G is zero. If it were not, the prover either has found a non-zero dlog relation for G,H, which is believed to be a computational hard problem,or has forged a signature.
Now, recall e = Hash(E_0,\ldots,E_u). Thus E is a random linear combination known after the individual E_j's are computed. The probability that any individual y_j = dlog_G(E_j)\neq 0 but dlog_G(E)=0 is u/p by Schwartz-Zippel. (This is a standard argument.) This probability is tiny for a large enough p.
The linear system from Eq. 4 defines a map f: \mathbb{F}^d\rightarrow\mathbb{F}^u given by f(\mathbf{s}) = \mathbf{V}\mathbf{s}. Now, s_j truly is the sum of the quantities for a single kind (kind k_j), provided different logics/labels map to different kinds. The latter is true with overwhelming probability as the kinds are generated with a collision-resistant hash function.
The linear map f is injective, which means the only preimage of \mathbf{0} is also the zero vector \mathbf{s}=\mathbf{0}. f is injective by construction (and the reason we need to add redundancy). The matrix \mathbf{V} is a Vandermonde matrix, which has rank d because the kinds k_1,\ldots,k_d are pairwise different by definition.

Note the argument above to show the new Delta proof is sound does not degrade security. I mean, it does not introduce new computational assumptions. The new part (second and fourth bullet points) is information-theoretic.

Conclusion

In this post I have explained how to offload EC arithmetic from the compliance circuit. The key idea is defining resource’s kind by hashing to the scalar field instead of hashing to elliptic curve directly, and then add redundancy to argue soundness. We would need to prototype the proposal to confirm it is indeed more efficient than what we currently have.

A final thought: can we avoid redundancy?

Generating u delta commitments per compliance unit is too limiting. Mainly because u is fixed in advance. Can we avoid it?

For soundness, the question is how easy is to find a non-trivial linear combination \langle \mathbf{k},\mathbf{x}\rangle = 0 with \mathbf{x}\neq \mathbf{0}. The vector \mathbf{x} is derived from the quantities, if the quantities are small, say 32-bit integers (currently they are 128-bit integers) it might not be that easy. We could explore further this line of thought.

xuyang · October 27, 2025, 12:50pm

Thank you for the post!

The sigmabus is a promising approach to offload non-native EC operations from circuits by leveraging efficient sigma protocols. Similar techniques exist that shift costly computations to other proof systems (e.g., SNARKs/STARKs) while verifying consistency of public inputs.

In our context, particularly within the RISC0 system, the main goal is eliminating finite field operations in circuits—since EC operations rely on finite fields and involve expensive bigint arithmetic. Your proposal moves EC operations into a sigma protocol, which helps, but introduces additional finite field operations in the circuit, especially when redundancy is added. Moreover, it requires sigma proof verification on the verifier side. While sigma verification is generally fast—and can be further evaluated in PA, i’m not sure the costs in Ethereum contracts. It may be worth benchmarking it in practice.

The security of the current delta design (binding signature) relies heavily on the hash_to_curve primitive. The binding signature is simple—explainable in three lines—with clear soundness. Switching to hash_to_scalar would break this in the binding signature. I learned your redundancy mechanism attempts to address the issue. I’m not sure it can avoid the issue. For instance, if an action contains only one resource (kind: k1, quantity: x1), and another resource with zero quantity is assumed, a malicious actor(or the owner of resource 1) could balance the delta using a second resource (k2 = x1, x2 = k1), or any (k2, x2) such that k2 * x2 = k1 * x1. I might have missed some details if I didn’t fully understand it.

kike · October 28, 2025, 6:50am

I would say the main goal is making faster the compliance circuit. I don’t think we can eliminate bigint operations entirely, given delta commitments are EC points. However, the evil is in the details. Enforcing a single EC scalar multiplication requires at least \log q bigint operations where \mathbb F_q is the base field of the curve. That is, at least r\log q bigint operations in a transaction with r resources. The sigmabus approach, in the worst case, needs at most 2u^2 bigint operations, where u is the upper bound in the resources. Whenever u \leq \sqrt{\log q / 2}, the sigmabus approach will be more efficient. Also, note that the number of bigints enforced in circuit grows faster if EC arithmetic is in the circuit, the constanst is \log q\approx 256 in secp256k1, something that can be seen in the benchmarks, where for large actions it is twice slower.

One thing is clear, nothing is for free: it’s hard to have a have fast prover and a fast verifier. I have implemented a batch sigma verifier that requires O(u+c) EC scalar multiplications instead of O(uc) in a transaction with c compliance units. You can keep u low, e.g. u=32. Groth16 also requires as many scalar multiplications as public input wires (on top of the three pairings). But you are right, this should be benchmarked.

I understand simple (mathematical) proofs are easy to assess. But that the fact it is more complex it doesn’t make it any worse. The proof must be sound (which I’m convinced), and ideally it should not introduce extra computational assumptions. The proof of the sigmabus approach it does not – the new bits are information-theoretic.

The proof essentially boils down to write down an homogeneous system of u+1 linear equations on at most u+1 unknowns, in the exponent. The unknowns are the sum of the quantities for each kind. The system is given by a Vandermonde matrix, and hence it is injective. Meaning that the only possible solution is the zero vector.

By ‘breaking’ I guess you mean the delta proof is changed. In code, instead of having u+1 delta commitments per compliance unit we have just one. (Replace standard Pedersen commitments with a vector Pedersen commitment). This means that delta derivation for actions and transactions and the delta proof is exactly the same as what we have now.

You are missing the other 2 inner product constraints. If we only allow 3 resources in the transaction, then we will have:

\begin{align} k_2 -k_1 = 0\\ k_1k_2 - k_2k_1 =0\\ k^2_1k_2 -k^2_2k_1 = 0 \\ k^3_1k_2 -k^3_2k_1 = 0 \end{align}

The only solution to this system is k_1=k_2=0*, which happens with negligible probability because k_i is a hashed scalar (not controlled by the prover).

(*) The system has a unique solution, with high probability, because it can be expressed in matrix form as:

\begin{equation} \underbrace{ \begin{pmatrix} 1 & 1 \\ k_1 & k_2 \\ k_1^2 & k_2^2 \\ k_1^3 & k_2^3 & \end{pmatrix} }_{\mathbf{V}} \begin{pmatrix} k_1 \\ k_2 \\ \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ \end{pmatrix} \end{equation}

and the matrix \mathbf V is invertible if k_1\neq k_2, which again, it is true because they are hashed scalars.

xuyang · October 28, 2025, 8:36am

Are the two resources in the same action or compliance? In my example, they are in different ones. Since resource_k1 and resource_k2 cannot see each other, do the inner product constraints still apply? Specifically, resource_k1 is in action_1 and compliance_1, while resource_k2 is in the action_2.

kike · October 28, 2025, 9:48am

Yes, the inner product constraints ‘apply’ across different compliance units. What I mean is that we are playing with linear algebra, switching from row perspective (inside each compliance unit) to column perspective (in the final transaction). Let me work out the example to see if it makes sense, I’m slightly adjusting notation:

Compliance unit \mathsf{C}:

Resource \mathsf{R}_1: Kind k_1, and (signed) quantity x_1
Resource \mathsf{R}_2: Kind k_1, and (signed) quantity x_2 = 0 // The ephemeral resource.

Compliance unit \mathsf{C}':

Resource \mathsf{R}_3: Kind k_2, and (signed) quantity x_3

The malicious prover sets x_1 = k_2 and x_3 = k_1.

In \mathsf{C} (two resources) it is enforced:

\begin{align} y_0 = x_1 + x_2\\ y_1 = x_1 k_1 + x_2 k_1\\ y_2 = x_1 k_1^2 + x_2 k_1^2\\ y_3 = x_1 k_1^3 + x_2 k_1^3\\ \end{align}

In the other unit \mathsf{C}' (one resource) it is enforced:

\begin{align} y'_0 = x_3\\ y'_1 = x_3 k_2 \\ y'_2 = x_3 k_2^2 \\ y'_3 = x_3 k_2^3 \\ \end{align}

To make it simpler, I’ll go with the optimization done in code (one delta commitment per unit): in each unit, the prover commits to vectors \mathbf y, \mathbf y':

\begin{align} \mathbf{D} = G_0^{y_0} G_1^{y_1} G_2^{y_2} G_3^{y_3} H^r\qquad \text{// for unit }\mathsf{C}\\ \mathbf{D}' = G_0^{y'_0} G_1^{y'_1} G_2^{y'_2} G_3^{y'_3} H^{r'}\qquad \text{// for unit }\mathsf{C}'\\ \end{align}

The delta commitment of the transaction is

\mathbf{D}_{\mathsf{tx}} = D D' = G_0^{y_0+y'_0} G_1^{y_1+y'_1} G_2^{y_2+y'_2} G_2^{y_3+y'_3} H^{r+r'} = \mathsf{com}(\mathbf{y}+\mathbf{y}';r+r')

To pass the delta signature check with public key \mathbf{D}_{\mathsf{tx}} and generator H, it must be that \mathbf{y}+\mathbf{y}' = 0. This is for the same reason we have now, i.e. down to the hardness of finding dlogs relations. (The commitment key \mathbf{G},H are constants in code generated via hashing to the curve.)

Now, let the Vandermonde matrix

\mathbf V = \begin{pmatrix} 1 & 1 &\\ k_1 & k_2 \\ k_1^2 & k_2^2 \\ k_1^3 & k_2^3 \end{pmatrix}

If the signature check passes, we can assume that \mathbf{0} = \mathbf{y}+\mathbf{y}', so we can write:

\mathbf{0} = \mathbf{y}+\mathbf{y}' = \mathbf V \begin{pmatrix} x_1+x_2\\ 0\\ \end{pmatrix} + \mathbf V \begin{pmatrix} 0\\ x_3 \end{pmatrix} = \mathbf V \begin{pmatrix} x_1+x_2\\ x_3 \end{pmatrix}

\mathbf V has rank 2 with high probability, (subject to k_1\neq k_2), i.e. we have an injective mapping. Then, the fact that signature check passes implies x_1+x_2=x_3=0, which is highly unlikely if x_1 = k_3, x_2 =0, x_3 =k_1 because they are hashed scalars.

[Edit: I changed the above to show sum of quantities for same kind k_1]

xuyang · October 28, 2025, 11:09am

ah, I see. Thank you for the explanation. I initially mistook u as the number of resources.

Could you clarify how u is determined in practice? It sets the maximum resources in a transaction: if too small, it limits resource availability in a tx; if too large, it harms circuit performance due to exponential computations involving u. Is my understanding correct?

kike · October 28, 2025, 11:48am

Currently u is a constant in the code TX_MAX_RESOURCES. The exact value must be settled (e.g. 16, 32, 64, 128…). It can be made dynamic, but that would generate problems i think (unbalanced transactions with different u could not be assembled together into a final tx.)

Topic		Replies	Views
Binding signature in RM terms RM/AVM	0	40	January 28, 2025
Variable compliance units & comparisons RM/AVM	6	22	October 13, 2025
Minimum viable abstract VM Protocol Design	8	282	September 26, 2023
ZKVM Compilers: Goals Cryptography Zoo	0	228	January 31, 2024
Clarifying proof structures RM/AVM	8	64	December 16, 2024