[lavrov]

Coda seems interesting, but I don’t understand how a single feature (fast light client syncing) can be enough of an advantage to launch a new chain - what prevents a new chain from incorporating recursive snarks as well as some new X in the future? Also, I think that the security of recursively computed snarks decreases as the recursion depth increases so for a state transition in a sufficiently long chain, you might only have a few bits of security, but I’m not sure what “sufficiently long” means concretely.

[dlubarov]

> I think that the security of recursively computed snarks decreases as the recursion depth increases

These proof systems are parameterized to ensure a certain soundness error, like 2^-128. So as long as certain cryptographic assumptions hold (in the case of SNARKs, the hardness of knowledge-of-exponent and commitments), it would take an attacker an expected 2^128 brute force attempts to generate an invalid proof. That should remain the same no matter how deep the recursion goes.

[lavrov]

Yes, I agree that the top-level SNARK will obviously have a high level of security wrt soundness, but suppose that I have a SNARK recursively computing 2^128 SNARKs, you’re claiming that the lowest level SNARK would have the same knowledge soundness guarantees? That seems incorrect given the constant size of the top-level SNARK

[dlubarov]

I don't quite understand where the doubt is coming from; why would recursion depth affect security?

[lavrov]

The security proof for SNARKs requires constant-depth compliance predicates, otherwise the proof doesn’t follow because the extractor size could blow up. I would have to read the coda whitepaper to see what their assumptions are for their security proof. I was just curious whether the equivalent of a birthday attack would be possible for some state transition if the depth was increased, since I’m not aware of a formal proof of soundness (and I heard in passing that recursion depth would affect security properties of nested snarks, but hearsay!)

[dlubarov]

I don't think circuit depth matters for SNARKs? Though there are other proof systems where AND depth matters.

Also, though I haven't read the CODA paper either, I think they would only need a single fixed circuit containing a SNARK verifier. Since for a given security level, SNARK sizes and verification steps are constant.