Zero Knowledge: BlindFold

Jolt achieves zero-knowledge natively via the BlindFold protocol — a folding-based scheme that makes all sumcheck proofs ZK without SNARK composition. Unlike approaches that require per-round sigma protocols or expensive homomorphic operations on commitments, BlindFold defers all verification to a single small R1CS instance proved via Nova folding + Spartan, keeping most of the work in the field arithmetic layer.

The core idea: instead of the prover sending sumcheck round polynomial coefficients in the clear, it sends Pedersen commitments to them. The sumcheck verifier's algebraic consistency checks are encoded into a small verifier R1CS circuit, and a single Nova fold + Spartan proof over this R1CS proves all rounds were executed correctly without revealing the witness.

Background

In standard (non-ZK) Jolt, each sumcheck round reveals the round polynomial's coefficients — typically 4 field elements per round for degree-3 sumchecks. The verifier checks:

Round consistency: $g_{j} (0) + g_{j} (1) = claim_{j}$
Chaining: $claim_{j + 1} = g_{j} (r_{j})$
Final binding: the last round's evaluation matches a claimed polynomial opening

These checks are purely algebraic — linear and quadratic relations over field elements. This makes them amenable to R1CS encoding.

The ZK challenge is: how do we let the verifier perform these checks without seeing the coefficients?

Protocol overview

BlindFold proceeds in six phases, executed after all of Jolt's sumcheck stages (Spartan, instruction lookups, RAM/register checking, bytecode, claim reductions) complete.

Phase 1: ZK sumcheck rounds

During each of the 7 sumcheck stages, prove_zk replaces the standard sumcheck prover:

Per round, the prover:

Computes the batched univariate polynomial as usual
Commits to all coefficients via Pedersen: $C_{j} = \sum_{i} c_{j, i} \cdot G_{i} + ρ_{j} \cdot H$
Appends $C_{j}$ (not the coefficients) to the Fiat-Shamir transcript
Derives the challenge $r_{j}$ from the transcript
Saves coefficients $c_{j, i}$ , blinding $ρ_{j}$ , and commitment $C_{j}$ for later R1CS witness construction

The verifier receives only commitments. It derives the same challenges (since it hashes the same commitments) but cannot check round consistency without knowing the coefficients. That verification is deferred to BlindFold.

Uni-skip first rounds (used in Spartan outer and product sumchecks) follow the same pattern: commit, derive challenge, cache.

Phase 2: Verifier R1CS construction

Both prover and verifier deterministically construct a sparse R1CS that encodes the sumcheck verifier's checks. The R1CS operates over a witness vector $Z$ with a Hyrax grid layout:

$Z = [u, W_{0}, W_{1}, \dots]$

where $u$ is the relaxation scalar (1 for non-relaxed instances) and $W$ is the witness arranged as an $R^{'} \times C$ grid:

Rows $0 \dots R_{coeff}$ : coefficient rows (one per sumcheck round, zero-padded to $C$ columns)
Rows $R_{coeff} \dots R^{'}$ : non-coefficient values (next claims, Horner intermediates, opening evaluations)

Constraints encoded per sumcheck round:

For standard sumcheck ( $g$ of degree $d$ ):

Sum constraint: $2 c_{0} + c_{1} + c_{2} + \dots + c_{d} = claim$
Chain constraint: $g (r_{j}) = next_claim$ , computed via Horner's method with auxiliary variables

For uni-skip rounds:

Power-sum constraint: $\sum_{k} PowerSum [k] \cdot c_{k} = claim$ , where $PowerSum [k] = \sum_{t \in D} t^{k}$ over the symmetric evaluation domain $D$

Additional constraints:

Final output binding: At chain end, $final_claim = \sum_{j} α_{j} \cdot y_{j}$ relates the last sumcheck claim to batched polynomial evaluations
Input claim binding: At chain start, verifies the initial claim is correctly derived from prior stage openings via sum-of-products constraints
PCS evaluation binding: Relates Dory evaluation commitments to witness variables

Baked public inputs: Fiat-Shamir-derived values (challenges $r_{j}$ , initial claims, batching coefficients) are embedded directly into R1CS matrix coefficients rather than appearing as witness variables. Both prover and verifier derive these identically from the transcript, so the resulting matrices $A$ , $B$ , $C$ are identical. This keeps the witness vector minimal.

Phase 3: Nova folding

The prover holds a satisfying witness $Z_{1}$ for the verifier R1CS. To hide it:

Sample random instance: Generate a random satisfying pair $(Z_{2}, E_{2})$ for the same R1CS (with random coefficients and consistent constraints)
Compute cross-term: $T = (A Z_{1}) \circ (B Z_{2}) + (A Z_{2}) \circ (B Z_{1}) - u_{1} \cdot (C Z_{2}) - u_{2} \cdot (C Z_{1})$
Commit cross-term rows: Commit each row of $T$ (in $R_{E} \times C_{E}$ grid) with Pedersen
Derive folding challenge: $r \leftarrow Transcript$
Fold: $Z^{'} = Z_{1} + r \cdot Z_{2}$ , $E^{'} = E_{1} + r \cdot T + r^{2} \cdot E_{2}$ , $u^{'} = u_{1} + r \cdot u_{2}$

The folded instance satisfies relaxed R1CS:

$(A \cdot Z^{'}) \circ (B \cdot Z^{'}) = u^{'} \cdot (C \cdot Z^{'}) + E^{'}$

The random instance acts as a one-time pad: knowing $Z^{'}$ alone reveals nothing about $Z_{1}$ .

Row commitments fold homomorphically. The round commitments from Phase 1 serve as the real instance's coefficient-row commitments, so no additional group operations are needed for those rows.

Phase 4: Spartan outer sumcheck

Proves the folded relaxed R1CS is satisfied via the standard Spartan sumcheck:

$x \in {0, 1}^{l o g m} \sum eq (τ, x) \cdot [A z (x) \cdot B z (x) - u^{'} \cdot C z (x) - E (x)] = 0$

where $τ$ is a verifier challenge and the sum is over all $m$ constraints (padded to a power of two). The round polynomial has degree 3 ( $eq \cdot A z \cdot B z$ is the cubic term).

After $lo g m$ rounds, the verifier holds evaluation claims $A z (r_{x})$ , $B z (r_{x})$ , $C z (r_{x})$ at the challenge point $r_{x}$ , plus $E (r_{x})$ .

Phase 5: Spartan inner sumcheck

Each of $A z (r_{x})$ , $B z (r_{x})$ , $C z (r_{x})$ decomposes as a public contribution (from the $u$ column and baked constants) plus a witness contribution. The inner sumcheck reduces the witness contributions to a single evaluation $W (r_{y})$ :

$r_{a} \cdot w_{A z} + r_{b} \cdot w_{B z} + r_{c} \cdot w_{C z} = j \in {0, 1}^{l o g ∣ W ∣} \sum L_{w} (j) \cdot W (j)$

where $L_{w}$ is a structured polynomial derived from the sparse R1CS matrices and outer challenges $r_{x}$ , and $r_{a}, r_{b}, r_{c}$ are verifier challenges. The round polynomial has degree 2.

After $lo g ∣ W ∣$ rounds, the verifier needs $W (r_{y})$ .

Phase 6: Hyrax-style openings

The witness $W$ and error $E$ are committed row-wise (as Pedersen commitments over the Hyrax grid). To prove evaluations at points $r_{y}$ and $r_{x}$ respectively:

For $W (r_{y})$ : Split $r_{y} = (r_{row}, r_{col})$ where $r_{row} \in F^{l o g R^{'}}$ , $r_{col} \in F^{l o g C}$ .

Compute the combined row: $\overset{w}{ˉ} = \sum_{i = 0}^{R^{'} - 1} eq (r_{row}, i) \cdot row_{i}$ and combined blinding $\overset{ρ}{ˉ}$
Send $\overset{w}{ˉ}$ and $\overset{ρ}{ˉ}$ to verifier
Verifier checks: $\sum_{i} eq (r_{row}, i) \cdot C_{i} = ? Ped (\overset{w}{ˉ}, \overset{ρ}{ˉ})$
Verifier computes: $W (r_{y}) = \sum_{j} eq (r_{col}, j) \cdot \overset{w}{ˉ}_{j}$

The $E$ opening follows the same pattern over the $R_{E} \times C_{E}$ grid.

The coefficient-row commitments $C_{0}, \dots, C_{R_{coeff} - 1}$ are exactly the Pedersen commitments from Phase 1 — no additional commitments needed.

Integration with Jolt

BlindFold sits at Stage 8 of the Jolt prover pipeline, after all sumcheck stages complete:

Stage	Protocol	BlindFold role
1	Spartan outer (uni-skip)	Collect round commitments, stage configs
2	RAM read-write, product virtual, instruction claim reduction, RAM RAF eval, output check (uni-skip)	Collect round commitments, stage configs
3	Spartan shift, instruction input, registers claim reduction	Collect round commitments, stage configs
4	Registers read-write, RAM val evaluation, RAM val final	Collect round commitments, stage configs
5	Instruction read-RAF, RAM RA reduction, registers val evaluation	Collect round commitments, stage configs
6	Bytecode read-RAF, booleanity, Hamming booleanity, RA virtual, inc reduction, advice reduction	Collect round commitments, stage configs
7	Hamming weight claim reduction, advice reduction (address phase)	Collect round commitments, stage configs
8	Batched opening proof + BlindFold	Build R1CS, fold, prove

Each stage contributes:

Round commitments: Pedersen commitments to sumcheck polynomial coefficients
Stage configs: Round count, polynomial degree, chain structure, uni-skip power sums, output/input constraints

The ProverOpeningAccumulator collects ZkStageData — coefficients, blindings, challenges — across all stages.

Dory ZK evaluation commitments

The Dory polynomial commitment scheme is extended with ZK evaluation commitments. Instead of revealing the polynomial evaluation $v = \tilde{f} (r)$ in the clear, the prover sends a Pedersen commitment $y_{com} = v \cdot G_{0} + ρ \cdot H$ and proves consistency within the Dory opening proof.

BlindFold's extra constraints verify that $y_{com}$ matches the folded evaluation and blinding values, binding the PCS to the BlindFold witness.

Verification

The verifier:

Derives challenges from round commitments (same Fiat-Shamir transcript)
Constructs the verifier R1CS deterministically from stage configs and baked public inputs
Reconstructs the real instance from round commitments (proof data) with $u = 1$ , $E = 0$
Absorbs the random instance from the proof
Folds the two instances using the cross-term commitments and derived challenge $r$
Verifies Spartan outer sumcheck ( $lo g m$ rounds, degree-3 polynomials)
Verifies Spartan inner sumcheck ( $lo g ∣ W ∣$ rounds, degree-2 polynomials)
Checks Hyrax openings: verifies $E (r_{x})$ and $W (r_{y})$ against folded row commitments
Checks evaluation commitments: verifies $y_{com}$ consistency for each PCS opening

The verifier never sees polynomial coefficients, intermediate claims, or evaluation values from any sumcheck stage.

Security

Hiding: Pedersen commitments are computationally hiding under the discrete logarithm assumption. The prover's sumcheck messages reveal no information about the witness polynomials.
Binding: Pedersen commitments are computationally binding. A malicious prover cannot open a commitment to different coefficients.
Folding soundness: The folded instance satisfies relaxed R1CS if and only if both constituent instances do (with overwhelming probability over the folding challenge).
Extraction: An extractor can recover the real witness from two accepting transcripts with different folding challenges (via rewinding).

References

Hyrax — Matrix-commitment-based polynomial evaluation proofs (Wahby et al., 2018)
Nova — Recursive SNARKs via folding (Kothapalli, Setty, Tzialla, 2022)
Spartan — Sumcheck-based R1CS proving (Setty, 2020)
Proofs, Arguments, and Zero-Knowledge, Section 13.2 — ZK sumcheck via Pedersen commitments (Thaler, 2022)
Vega — Low-latency zero-knowledge proofs over existing credentials (Kaviani, Setty, 2025)
BlindFold interactive explainer

JoltBook