I'm following the ZK MOOC: https://zk-learning.org/
After some previous reading on these topics, I believed I had understood that, given that non-interactivity isn't attainable in the standard/plain model, there were two alternative B-plans:
- the Fiat-Shamir heuristic for public-coin IPs, requiring the acceptance of the ROM (Random Oracle Model)
- or a CRS (Common Reference/Random String), assuming a trusted setup.
Now, in lecture 2 of the MOOC, Dan Boneh says that the modern recipe to construct a SNARK is to use a Functional Commitment "inside" an IOP (where by "inside" I mean using commitments as the IOP's oracles).
A Functional Commitment can require a trusted setup or not (KZG, for example, needs a trusted setup; IPA is transparent), but Fiat-Shamir seems to always be used to make the IOP non-interactive, so I wonder whether it isn't overkill in some way. I mean, both the ROM and a trusted setup could be annoying in some way, so shouldn't the preferred general recipe exclude the case in which both of them are required?
On the course Discord, some guys explained to me that Halo2 (IPA+IOP) needs only the ROM, while its fork by the Scroll project uses KZG for efficiency reasons, so it needs ROM + trusted setup.
So... are there any SNARKs out there that require just a trusted setup but don't need ROM/Fiat-Shamir? (I guess by avoiding IOPs, maybe?)
And, in your opinion, why has Prof. Boneh given a recipe in which Fiat-Shamir is always needed?