Nexus Virtual Machine

The Nexus Virtual Machine (Nexus VM or NVM) is a reduced instruction set computer (RISC) with a byte-addressable random-access memory and a private input tape. This virtual machine abstraction is comparable to others used in the zero-knowledge research space, such as the TinyRAM architecture specification (opens in a new tab). The advantage of using such random-access machines is that they abstract away details of the underlying hardware or operating system and provide a convenient tool for generating claims and proofs about the correctness of a computation.

ℹ️

The NVM architecture has not yet stabilized. The following specification describes the architecture as of the Nexus zkVM 0.2.0 release.

Nexus Virtual Machine Architecture

The Nexus Virtual Machine has a von Neumann architecture, storing instructions and data in the same read-write memory space. The machine has 32 registers and a read-write memory with addresses in the range $\{0\ldots 2^{32}-1\}$ . The state of the machine is defined as a four-tuple, $(pc;M;R;I)$ , where

$pc$ denotes the program counter register;
$M$ denotes the memory;
$R$ denotes the state of registers;
$I$ is the private input.

An abstraction of the Nexus Virtual Machine

Both $M$ and $R$ are finite maps. The keys of $M$ are addresses in the range $\{0,\ldots, 2^{32}-1\}$ . The values of $M$ are 8-bit bytes. The keys of $R$ are register selectors from the set $\{x_0\ldots x_{31}\}$ . The values of $R$ are 32-bit words. A word (resp. a halfword) is represented as four (resp. two) consecutive bytes in little endian. By design, updates to register $x_0$ are ignored and the value of $R[x_0]$ is always zero.

The current implementation of the Nexus VM does not yet support providing public inputs at runtime. Also, we remark that during compilation the Nexus VM may be configured to use memory sizes smaller than $2^{32}$ for efficiency reasons.

At initialization, all the general-purpose registers are set to 0. The program counter $pc$ is set to $\mathtt{0x0000}$ . The private input tape contains the byte-encoded private input for the program. Since $pc$ is initially $\mathtt{0x0000}$ , the first instruction to be executed will be the one stored at the position $\mathtt{0x0000}$ of the memory. Since the program code resides in the same area as the data, the initial memory can contain not only the program code but also some initial public input data for the program.

The program counter $pc$ is always advanced by 4 bytes after the execution of each instruction, unless the instruction itself sets the value of $pc$ . Moreover, the Nexus VM enforces 4-byte memory alignment for the program counter by checking that $pc$ is a multiple of 4 when reading an instruction.

Nexus Virtual Machine Instruction Set

The Nexus VM instruction set contains 41 instructions in total, as summarized in table below. Each instruction is specified via an mnemonic and can take some arguments, typically register selectors and an immediate value. The exact format of each instruction is defined as follows:

$\textbf{mnemonic}$ is a string name of the instruction;
$rd$ is a register selector specifying the destination register;
$rs_1$ is a register selector specifying the first operand;
$rs_2$ is a register selector specifying the second operand; and
$i$ is an immediate value, whose size varies according to instructions.

Table: Summary of the Nexus Virtual Machine Instruction Set, where operations are mod $2^{32}$ .

Instruction mnemonic	Arguments	Description of functionality
$\textbf{lui}$	$rd$ $i$	sets $R[rd]$ to $i$
$\textbf{auipc}$	$rd$ $i$	sets $R[rd]$ to $pc+i$
$\textbf{add}$	$rd$ $rs_1$ $rs_2$	sets $R[rd]$ to $R[rs_1] + R[rs_2]$
$\textbf{addi}$	$rd$ $rs_1$ $i$	sets $R[rd]$ to $R[rs_1] + i$
$\textbf{sub}$	$rd$ $rs_1$ $rs_2$	sets $R[rd]$ to $R[rs_1] - R[rs_2]$
$\textbf{slt}$	$rd$ $rs_1$ $rs_2$	sets $R[rd]$ to $(R[rs_1] < R[rs_2])$ (signed comparison)
$\textbf{slti}$	$rd$ $rs_1$ $i$	sets $R[rd]$ to $(R[rs_1] < i)$ (signed comparison)
$\textbf{sltu}$	$rd$ $rs_1$ $rs_2$	sets $R[rd]$ to $(R[rs_1] < R[rs_2])$ (unsigned comparison)
$\textbf{sltui}$	$rd$ $rs_1$ $i$	sets $R[rd]$ to $(R[rs_1] < i)$ (unsigned comparison)
$\textbf{sll}$	$rd$ $rs_1$ $rs_2$	sets $R[rd]$ to $R[rs_1] \ll R[rs_2] \mathbin{\&} \mathtt{0x1F}$
$\textbf{slli}$	$rd$ $rs_1$ $i$	sets $R[rd]$ to $R[rs_1] \ll i \mathbin{\&} \mathtt{0x1F}$
$\textbf{srl}$	$rd$ $rs_1$ $rs_2$	sets $R[rd]$ to $R[rs_1] \gg R[rs_2] \mathbin{\&} \mathtt{0x1F}$ (with zero extension)
$\textbf{srli}$	$rd$ $rs_1$ $i$	sets $R[rd]$ to $R[rs_1] \gg i \mathbin{\&} \mathtt{0x1F}$ (with zero extension)
$\textbf{sra}$	$rd$ $rs_1$ $rs_2$	sets $R[rd]$ to $R[rs_1] \gg R[rs_2] \mathbin{\&} \mathtt{0x1F}$ (with sign extension)
$\textbf{srai}$	$rd$ $rs_1$ $i$	sets $R[rd]$ to $R[rs_1] \gg i \mathbin{\&} \mathtt{0x1F}$ (with sign extension)
$\textbf{xor}$	$rd$ $rs_1$ $rs_2$	sets $R[rd]$ to the bitwise XOR of $R[rs_1]$ and $R[rs_2]$
$\textbf{xori}$	$rd$ $rs_1$ $i$	sets $R[rd]$ to the bitwise XOR of $R[rs_1]$ and $i$
$\textbf{and}$	$rd$ $rs_1$ $rs_2$	sets $R[rd]$ to the bitwise AND of $R[rs_1]$ and $R[rs_2]$
$\textbf{andi}$	$rd$ $rs_1$ $i$	sets $R[rd]$ to the bitwise AND of $R[rs_1]$ and $i$
$\textbf{or}$	$rd$ $rs_1$ $rs_2$	sets $R[rd]$ to the bitwise OR of $R[rs_1]$ and $R[rs_2]$
$\textbf{ori}$	$rd$ $rs_1$ $i$	sets $R[rd]$ to the bitwise OR of $R[rs_1]$ and $i$
$\textbf{beq}$	$rs_1$ $rs_2$ $i$	branches to $pc+i$ if $(R[rs_1] = R[rs_2])$
$\textbf{bne}$	$rs_1$ $rs_2$ $i$	branches to $pc+i$ if $(R[rs_1] \not= R[rs_2])$
$\textbf{blt}$	$rs_1$ $rs_2$ $i$	branches to $pc+i$ if $(R[rs_1] < R[rs_2])$ (signed comparison)
$\textbf{bge}$	$rs_1$ $rs_2$ $i$	branches to $pc+i$ if $(R[rs_1] \geq R[rs_2])$ (signed comparison)
$\textbf{bltu}$	$rs_1$ $rs_2$ $i$	branches to $pc+i$ if $(R[rs_1] < R[rs_2])$ (unsigned comparison)
$\textbf{bgeu}$	$rs_1$ $rs_2$ $i$	branches to $pc+i$ if $(R[rs_1] \geq R[rs_2])$ (unsigned comparison)
$\textbf{lb}$	$rd$ $rs_1$ $i$	loads the sign extension of the byte at $M[R[rs_1] + i]$ into $R[rd]$
$\textbf{lh}$	$rd$ $rs_1$ $i$	loads the sign extension of the half-word at $M[R[rs_1] + i]$ into $R[rd]$
$\textbf{lw}$	$rd$ $rs_1$ $i$	loads the word at $M[R[rs_1] + i]$ into $R[rd]$
$\textbf{lbu}$	$rd$ $rs_1$ $i$	loads the zero extension of the byte at $M[R[rs_1] + i]$ into $R[rd]$
$\textbf{lhu}$	$rd$ $rs_1$ $i$	loads the zero extension of the half-word at $M[R[rs_1] + i]$ into $R[rd]$
$\textbf{sb}$	$rs_1$ $rs_2$ $i$	stores the least significant byte of $R[rs_2]$ at $M[R[rs_1] + i]$
$\textbf{sh}$	$rs_1$ $rs_2$ $i$	stores the less significant half-word of $R[rs_2]$ at $M[R[rs_1] + i]$
$\textbf{sw}$	$rs_1$ $rs_2$ $i$	stores $R[rs_2]$ at $M[R[rs_1] + i]$
$\textbf{jal}$	$rd$ $i$	jumps to $pc+i$ and stores $pc+4$ into $R[rd]$
$\textbf{jalr}$	$rd$ $rs_1$ $i$	jumps to $R[rs_1] + i$ and stores $pc+4$ into $R[rd]$
$\textbf{fence}$		No operation
$\textbf{ecall}$	$rd$	system call
$\textbf{ebreak}$	$rd$	system call
$\textbf{unimp}$		jumps to $pc$ ; in effect looping forever at the current program counter

The Nexus VM also enforces 2-byte and 4-byte memory alignments for the instructions operating on half-words and words.

Each instruction is encoded as a 32-bit-long string, ending with 7-bit-long $\textbf{opcode}$ string, preceded by a 5-bit-long register selector in many cases, and other data depending on the operation.

Table: Binary Encoding of Nexus Virtual Machine Instructions, where $*^m$ denotes any binary string of $m$ bits, and $\langle d \rangle$ , $\langle s_1 \rangle$ , $\langle s_2 \rangle$ denote respectively the binary representation of the 5-bit-long register selectors $rd$ , $rs_1$ , $rs_2$ .

The notation $\langle i_x \rangle$ each denote immediate values, interpreted the same way as $x$ -immediate values of 32-bit RISC-V architecture. Some immediate values (type B and S) occupy discontiguous positions, so their fragments are written as $\langle i_\texttt{x0} \rangle$ and $\langle i_\texttt{x1} \rangle$ . $\langle i_\texttt{SH} \rangle$ denotes a 5-bit long immediate value.

$\langle i_\texttt{U}\rangle$ and $\langle i_\texttt{J}\rangle$ contain 20 bits. $\langle i_\texttt{I}\rangle$ contains 12 bits. $\langle i_\texttt{S0}\rangle$ and $\langle i_\texttt{B0}\rangle$ contain 5 bits. $\langle i_\texttt{S1}\rangle$ and $\langle i_\texttt{B1}\rangle$ contain 7 bits.

Instruction mnemonic	Arguments	Binary Encodings (left: most significant bit)
$\textbf{lui}$	$rd$ $i$	$\begin{array}{lll} \langle i_\texttt{U} \rangle & \langle d \rangle & \texttt{0b\_011\_0111} \end{array}$
$\textbf{auipc}$	$rd$ $i$	$\begin{array}{lll} \langle i_\texttt{U} \rangle & \langle d \rangle & \texttt{0b\_001\_0111} \end{array}$
$\textbf{jal}$	$rd$ $i$	$\begin{array}{lll} \langle i_\texttt{J} \rangle & \langle d \rangle & \texttt{0b\_110\_1111} \end{array}$
$\textbf{jalr}$	$rd$ $rs_1$ $i$	$\begin{array}{llllll} \langle i_\texttt{I} \rangle & \langle s_1 \rangle & \mathtt{0b\_000} & \langle d \rangle & \texttt{0b\_110\_0111} \end{array}$
$\textbf{beq}$	$rs_1$ $rs_2$ $i$	$\begin{array}{llllll} \langle i_\texttt{B1} \rangle & \langle s_2 \rangle&\langle s_1 \rangle &\texttt{0b\_000} &\langle i_\texttt{B0} \rangle \;\ &\texttt{0b\_110\_0011}\end{array}$
$\textbf{bne}$	$rs_1$ $rs_2$ $i$	$\begin{array}{llllll} \langle i_\texttt{B1} \rangle & \langle s_2 \rangle &\langle s_1 \rangle & \texttt{0b\_001} & \langle i_\texttt{B0} \rangle \;\ &\texttt{0b\_110\_0011}\end{array}$
$\textbf{blt}$	$rs_1$ $rs_2$ $i$	$\begin{array}{llllll} \langle i_\texttt{B1} \rangle & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_100} & \langle i_\texttt{B0} \rangle \;\ &\texttt{0b\_110\_0011}\end{array}$
$\textbf{bge}$	$rs_1$ $rs_2$ $i$	$\begin{array}{llllll} \langle i_\texttt{B1} \rangle & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_101} & \langle i_\texttt{B0} \rangle \;\ &\texttt{0b\_110\_0011}\end{array}$
$\textbf{bltu}$	$rs_1$ $rs_2$ $i$	$\begin{array}{llllll} \langle i_\texttt{B1} \rangle & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_110} & \langle i_\texttt{B0} \rangle \;\ &\texttt{0b\_110\_0011}\end{array}$
$\textbf{bgeu}$	$rs_1$ $rs_2$ $i$	$\begin{array}{llllll} \langle i_\texttt{B1} \rangle & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_111} & \langle i_\texttt{B0} \rangle \;\ &\texttt{0b\_110\_0011}\end{array}$
$\textbf{lb}$	$rd$ $rs_1$ $i$	$\begin{array}{lllll} \langle i_\texttt{I} \rangle & \langle s_1 \rangle & \texttt{0b\_000} & \langle d \rangle &\texttt{0b\_000\_0011}\end{array}$
$\textbf{lh}$	$rd$ $rs_1$ $i$	$\begin{array}{lllll} \langle i_\texttt{I} \rangle & \langle s_1 \rangle & \texttt{0b\_001} & \langle d \rangle &\texttt{0b\_000\_0011}\end{array}$
$\textbf{lw}$	$rd$ $rs_1$ $i$	$\begin{array}{lllll} \langle i_\texttt{I} \rangle & \langle s_1 \rangle & \texttt{0b\_010} & \langle d \rangle &\texttt{0b\_000\_0011}\end{array}$
$\textbf{lbu}$	$rd$ $rs_1$ $i$	$\begin{array}{lllll} \langle i_\texttt{I} \rangle & \langle s_1 \rangle & \texttt{0b\_011} & \langle d \rangle &\texttt{0b\_000\_0011}\end{array}$
$\textbf{lhu}$	$rd$ $rs_1$ $i$	$\begin{array}{lllll} \langle i_\texttt{I} \rangle & \langle s_1 \rangle & \texttt{0b\_100} & \langle d \rangle &\texttt{0b\_000\_0011}\end{array}$
$\textbf{sb}$	$rs_1$ $rs_2$ $i$	$\begin{array}{llllll} \langle i_\texttt{S1} \rangle & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_000} & \langle i_\texttt{S0} \rangle & \texttt{0b\_010\_0011}\end{array}$
$\textbf{sh}$	$rs_1$ $rs_2$ $i$	$\begin{array}{llllll} \langle i_\texttt{S1} \rangle & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_001} & \langle i_\texttt{S0} \rangle & \texttt{0b\_010\_0011}\end{array}$
$\textbf{sw}$	$rs_1$ $rs_2$ $i$	$\begin{array}{llllll} \langle i_\texttt{S1} \rangle & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_010} & \langle i_\texttt{S0} \rangle & \texttt{0b\_010\_0011}\end{array}$
$\textbf{addi}$	$rd$ $rs_1$ $i$	$\begin{array}{lllll}\langle i_\texttt{I} \rangle & \langle s_1 \rangle & \texttt{0b\_000} & \langle d \rangle & \texttt{0b\_001\_0011} \end{array}$
$\textbf{slli}$	$rd$ $rs_1$ $i$	$\begin{array}{lllll}\langle i_\texttt{I} \rangle & \langle s_1 \rangle & \texttt{0b\_001} & \langle d \rangle & \texttt{0b\_001\_0011} \end{array}$
$\textbf{slti}$	$rd$ $rs_1$ $i$	$\begin{array}{lllll}\langle i_\texttt{I} \rangle & \langle s_1 \rangle & \texttt{0b\_010} & \langle d \rangle & \texttt{0b\_001\_0011} \end{array}$
$\textbf{sltui}$	$rd$ $rs_1$ $i$	$\begin{array}{lllll}\langle i_\texttt{I} \rangle & \langle s_1 \rangle & \texttt{0b\_011} & \langle d \rangle & \texttt{0b\_001\_0011} \end{array}$
$\textbf{xori}$	$rd$ $rs_1$ $i$	$\begin{array}{lllll}\langle i_\texttt{I} \rangle & \langle s_1 \rangle & \texttt{0b\_100} & \langle d \rangle & \texttt{0b\_001\_0011}\end{array}$
$\textbf{srli}$	$rd$ $rs_1$ $i$	$\begin{array}{llllll}\texttt{0b\_000\_0000} & \langle i_\texttt{SH} \rangle & \langle s_1 \rangle & \texttt{0b\_101} & \langle d \rangle & \texttt{0b\_001\_0011} \end{array}$
$\textbf{srai}$	$rd$ $rs_1$ $i$	$\begin{array}{llllll}\texttt{0b\_010\_0000} & \langle i_\texttt{SH} \rangle & \langle s_1 \rangle & \texttt{0b\_101} & \langle d \rangle & \texttt{0b\_001\_0011} \end{array}$
$\textbf{ori}$	$rd$ $rs_1$ $i$	$\begin{array}{lllll}\langle i_\texttt{I} \rangle & \langle s_1 \rangle & \texttt{0b\_110} & \langle d \rangle & \texttt{0b\_001\_0011} \end{array}$
$\textbf{andi}$	$rd$ $rs_1$ $i$	$\begin{array}{lllll}\langle i_\texttt{I} \rangle & \langle s_1 \rangle & \texttt{0b\_111} & \langle d \rangle & \texttt{0b\_001\_0011} \end{array}$
$\textbf{add}$	$rd$ $rs_1$ $rs_2$	$\begin{array}{llllll}\mathtt{0b\_000\_0000} & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_000} & \langle d \rangle & \texttt{0b\_011\_0011} \end{array}$
$\textbf{sub}$	$rd$ $rs_1$ $rs_2$	$\begin{array}{llllll}\texttt{0b\_010\_0000} & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_000} & \langle d \rangle & \texttt{0b\_011\_0011} \end{array}$
$\textbf{sll}$	$rd$ $rs_1$ $rs_2$	$\begin{array}{llllll}\mathtt{0b\_000\_0000} & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_001} & \langle d \rangle & \texttt{0b\_011\_0011} \end{array}$
$\textbf{slt}$	$rd$ $rs_1$ $rs_2$	$\begin{array}{llllll}\mathtt{0b\_000\_0000} & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_010} & \langle d \rangle & \texttt{0b\_011\_0011} \end{array}$
$\textbf{sltu}$	$rd$ $rs_1$ $rs_2$	$\begin{array}{llllll}\mathtt{0b\_000\_0000} & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_011} & \langle d \rangle & \texttt{0b\_011\_0011} \end{array}$
$\textbf{xor}$	$rd$ $rs_1$ $rs_2$	$\begin{array}{llllll}\mathtt{0b\_000\_0000} & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_100} & \langle d \rangle & \texttt{0b\_011\_0011} \end{array}$
$\textbf{srl}$	$rd$ $rs_1$ $rs_2$	$\begin{array}{llllll}\texttt{0b\_000\_0000} & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_101} & \langle d \rangle & \texttt{0b\_011\_0011} \end{array}$
$\textbf{sra}$	$rd$ $rs_1$ $rs_2$	$\begin{array}{llllll}\texttt{0b\_010\_0000} & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_101} & \langle d \rangle & \texttt{0b\_011\_0011} \end{array}$
$\textbf{or}$	$rd$ $rs_1$ $rs_2$	$\begin{array}{llllll}\mathtt{0b\_000\_0000} & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_110} & \langle d \rangle & \texttt{0b\_011\_0011} \end{array}$
$\textbf{and}$	$rd$ $rs_1$ $rs_2$	$\begin{array}{llllll}\mathtt{0b\_000\_0000} & \langle s_2 \rangle & \langle s_1 \rangle & \texttt{0b\_111} & \langle d \rangle & \texttt{0b\_011\_0011} \end{array}$
$\textbf{fence}$		$\begin{array}{ll} \mathtt{*^{25}} & \texttt{0b\_000\_1111} \end{array}$
$\textbf{ecall}$	$rd$	$\begin{array}{lll} \texttt{0x00000} & \langle d \rangle & \texttt{0b\_111\_0011} \end{array}$
$\textbf{ebreak}$	$rd$	$\begin{array}{lll} \texttt{0x00100} & \langle d \rangle & \texttt{0b\_111\_0011} \end{array}$
$\textbf{unimp}$		$\begin{array}{lll} \texttt{0xc0001} & \mathtt{*^5} & \texttt{0b\_111\_0011} \end{array}$

The current architecture does not specify an output tape. Nevertheless, one can easily return arbitrary strings as output by encoding that string in some specific region of the memory.

Nexus Virtual Machine Initialization

Initially, the memory is assumed to only contain zero values and all the general-purpose registers are set to 0. The program counter $pc$ is also set to $\mathtt{0x0000}$ . The program itself is provided to the Nexus VM via a file in an Executable and Linkable Format (ELF) encoded according to the RV32I Instruction Set in the Volume I, Unprivileged Specification version 20191213 in the The RISC-V Instruction Set Manual (opens in a new tab).

Each instruction in the program is loaded one at a time into the memory starting at address $\mathtt{0x0000}$ .

Nexus Virtual Machine Extensions

While the universality of the current instruction set allows for executing any program on the Nexus VM, writing a program for the VM may yield inefficient programs due to the limited instruction set of the Nexus VM. As a result, proving the correctness of such computations within the Nexus zkVM may become infeasible for more complex programs. The cost of such an abstraction may be multiplied by more than a $1000$ factor for functions such as the SHA-256 circuit.

To deal with such scenarios, the Nexus Virtual Machine is being designed with extensibility in mind in order to enable the addition of custom instructions for more complex functions, such as hashing and signature verification.

Currently, the Nexus Virtual Machine uses universal circuits to simulate the whole CPU and this unfortunately increases the complexity of the Nexus Proof System with each additional instruction.

Nevertheless, we will soon be switching to a non-uniform computation model based on recent advances in folding and accumulation techniques (e.g., [KS22], [BC23]), via the concept of zkVM precompiles. In the new model, the cost of proving custom precompile extensions of the NVM instruction set only occurs when that particular precompile is executed by the program.

The main advantage of using precompiles is that it maintains a developer-friendly CPU abstraction while efficiently allowing for the addition of more complex functions.

We intend to eventually support user-defined precompiles that could be provided as extensions of the Nexus zkVM. We expect to first implement these special functions as part of the Nexus VM instruction set.

References

[BBHR19 (opens in a new tab)] Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, and Michael Riabzev. “Scalable zero knowledge with no trusted setup”. In CRYPTO 2019.

[BC23 (opens in a new tab)] Benedikt Bünz and Binyi Chen. “Protostar: Generic efficient accumulation/folding for special sound protocols”. In: Cryptology ePrint Archive (2023)

[BCKL22 (opens in a new tab)] Eli Ben-Sasson, Dan Carmon, Swastik Kopparty, and David Levit. “Scalable and transparent proofs over all large fields, via elliptic curves”. In: Electronic Colloquium on Computational Complexity, Report. Vol. 110. 2022, p. 2022

[CBBZ23 (opens in a new tab)] Binyi Chen, Benedikt Bünz, Dan Boneh, and Zhenfei Zhang. “Hyperplonk: Plonk with linear-time prover and high-degree custom gates”. In EUROCRYPT 2023.

[GGPR13 (opens in a new tab)] Rosario Gennaro, Craig Gentry, Bryan Parno, and Mariana Raykova. “Quadratic span programs and succinct NIZKs without PCPs”. In EUROCRYPT 2013.

[GWC19 (opens in a new tab)] Ariel Gabizon, Zachary J Williamson, and Oana Ciobotaru. “Plonk: Permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge”. In: Cryptology ePrint Archive (2019)

[KS22 (opens in a new tab)] Abhiram Kothapalli and Srinath Setty. “SuperNova: Proving universal machine executions without universal circuits”. In: Cryptology ePrint Archive (2022)

[Sta21 (opens in a new tab)] StarkWare. ethSTARK Documentation. Cryptology ePrint Archive, Paper 2021/582.

[STW23 (opens in a new tab)] Srinath Setty, Justin Thaler, and Riad Wahby. “Customizable constraint systems for succinct arguments”. In: Cryptology ePrint Archive (2023)

Nexus zkVM Overview Nexus Proof System