Zero Knowledge Proofs

The Plonk SNARK

Instructors: Dan Boneh, Shafi Goldwasser, Dawn Song, Justin Thaler, Yupeng Zhang
 Let’s build an efficient SNARK
A polynomial
commitment
scheme
SNARK for
general circuits
A polynomial
interactive
oracle proof (IOP)

ZKP MOOC
First, a review of polynomial commitments
(≤𝑑)
Prover commits to a polynomial 𝑓(𝑋) in 𝔽𝑝 𝑋
 eval: for public 𝑢, 𝑣 ∈ 𝔽𝑝 , prover can convince the verifier that
committed poly satisfies
𝑓(𝑢) = 𝑣 and deg 𝑓 ≤ 𝑑. verifier has (𝑑, comf , 𝑢, 𝑣)

 Eval proof size and verifier time should be 𝑂𝜆 (log 𝒅)

ZKP MOOC
The KZG poly-commit scheme (Kate-Zaverucha-Goldberg’2010)

Group 𝔾 ≔ { 0, 𝐺, 2 ⋅ 𝐺, 3 ⋅ 𝐺 , … , 𝑝 − 1 ⋅ 𝐺 } of order 𝑝.
setup(1𝜆 ) ⇾ gp:
 Sample random 𝜏 ∈ 𝔽𝑝
 gp =
 delete 𝜏 !! (trusted setup)
commit(gp, 𝑓) ⇾ comf where comf ≔ 𝑓 𝜏 ⋅ G ∈ 𝔾

 𝑓 𝑋 = 𝑓0 + 𝑓1 𝑋 + ⋯ + 𝑓𝑑 𝑋 𝑑 ⇒ comf = 𝑓0 ⋅ 𝐻0 + ⋯ + 𝑓𝑑 ⋅ 𝐻𝑑

ZKP MOOC
The KZG poly-commit scheme (Kate-Zaverucha-Goldberg’2010)

Group 𝔾 ≔ { 0, 𝐺, 2 ⋅ 𝐺, 3 ⋅ 𝐺 , … , 𝑝 − 1 ⋅ 𝐺 } of order 𝑝.
setup(1𝜆 ) ⇾ gp: a binding commitment,
 Sample random 𝜏 ∈ 𝔽𝑝 but not hiding
 gp =
 delete 𝜏 !! (trusted setup)
commit(gp, 𝑓) ⇾ comf where comf ≔ 𝑓 𝜏 ⋅ G ∈ 𝔾

 𝑓 𝑋 = 𝑓0 + 𝑓1 𝑋 + ⋯ + 𝑓𝑑 𝑋 𝑑 ⇒ comf = 𝑓0 ⋅ 𝐻0 + ⋯ + 𝑓𝑑 ⋅ 𝐻𝑑

ZKP MOOC
The KZG poly-commit scheme (Kate-Zaverucha-Goldberg’2010)

commit(gp, 𝑓) ⇾ comf where comf = 𝑓 𝜏 ⋅ 𝐺 ∈ 𝔾

eval: Prover(gp, f, u, v) Verifier(gp, comf , u, v)
Goal: prove 𝑓(𝑢) = 𝑣
𝑓(𝑢) = 𝑣 ⇔ 𝑢 is a root of 𝑓 ≔ f−𝑣 ⇔ (X-𝑢) divides 𝑓
⇔ exists q ∈ 𝔽𝑝 [𝑋] s.t. q(X)⋅(X-𝑢) = f(X)−𝑣

compute q(X) 𝜋 ≔ comq ∈ 𝔾 accept if

and comq=q(𝜏)⋅G (proof size indep. of deg. d) (𝜏 −𝑢)⋅comq = comf − 𝑣 ⋅G

ZKP MOOC
The KZG poly-commit scheme (Kate-Zaverucha-Goldberg’2010)

commit(gp, 𝑓) ⇾ comf where comf = 𝑓 𝜏 ⋅ 𝐺 ∈ 𝔾

eval: Prover(gp, f, u, v) Verifier(gp, comf , u, v)
Goal: prove 𝑓(𝑢) = 𝑣
𝑓(𝑢) = 𝑣 ⇔ (𝜏𝑢−𝑢) (𝜏) ⋅G
is a qroot of 𝑓≟≔( f−𝑣 ⇔) ⋅G
f (𝜏)−v (X-𝑢) divides 𝑓
⇔ exists q ∈ 𝔽𝑝 [𝑋] s.t. q(X)⋅(X-𝑢) = f(X)−𝑣

compute q(X) 𝜋 ≔ comq ∈ 𝔾 accept if

and comq=q(𝜏)⋅G (proof size indep. of deg. d) (𝜏 −𝑢)⋅comq = comf − 𝑣 ⋅G

ZKP MOOC
The KZG poly-commit scheme (Kate-Zaverucha-Goldberg’2010)

How to prove
commit(gp, 𝑓) ⇾ that
com this
f
iswhere
a secure PCS?
comf Not
= f today
𝜏 ⋅ G… ∈ 𝔾
eval: Prover(gp, f, u, v) Verifier(gp, comf , u, v)
Goal: prove 𝑓(𝑢) = 𝑣
An expensive computation
𝑓(𝑢) =
for𝑣large
⇔ 𝑑 𝑢 is a root of 𝑓 Verifier
≔ f−𝑣 does⇔ not know
(X-𝑢) 𝜏 ⇒𝑓uses a “pairing”
divides
⇔ exists (and
q ∈ 𝔽only
𝑝[𝑋] s.t. 𝐻
needs 0 , 𝐻1 from
q(X)⋅(X-𝑢) = gp)
f(X)−𝑣

compute q(X) 𝜋 ≔ comq ∈ 𝔾 accept if

and comq=q(𝜏)⋅G (proof size indep. of deg. d) (𝜏 −𝑢)⋅comq = comf − 𝑣 ⋅G

ZKP MOOC
The KZG poly-commit scheme (Kate-Zaverucha-Goldberg’2010)

Generalizations:
 Can also use KZG to commit to k-variate polynomials [PST’13]

 Batch proofs:
 suppose verifier has commitments comf1 , … comfn
 prover wants to prove 𝑓𝑖 𝑢𝑖,𝑗 = 𝑣𝑖,𝑗 for 𝑖 ∈ [𝑛], 𝑗 ∈ [𝑚]

⇒ batch proof 𝜋 is only one group element !

ZKP MOOC
 Properties of KZG: linear time commitment
(≤𝑑)
Two ways to represent a polynomial 𝑓(𝑋) in 𝔽𝑝 𝑋 :

 Coefficient representation: 𝑓(𝑋) = 𝑓0 + 𝑓1 𝑋 + ⋯ + 𝑓𝑑 𝑋 𝑑

⇒ computing comf = 𝑓0 ⋅ 𝐻0 + ⋯ + 𝑓𝑑 ⋅ 𝐻𝑑 takes linear time in 𝑑

 Point-value representation: 𝑎0 , 𝑓 𝑎0 , … , 𝑎𝑑 , 𝑓 𝑎𝑑
computing comf naively: construct coefficients 𝑓0 , 𝑓1 , … , 𝑓𝑑
⇒ time 𝑂(𝑑 log 𝑑) using Num. Th. Transform (NTT)

ZKP MOOC
 Properties of KZG: linear time commitment
Point-value representation: a better way to compute comf
𝑑
Lagrange interpolation: 𝑓(𝜏) = 𝑖=0 𝜆𝑖 𝜏 ∙ 𝑓(𝑎𝑖 ) where

 Idea: transform 𝑔𝑝 into Lagrange form (a linear map)

𝑔𝑝 =

 Now, comf = 𝑓 𝜏 ⋅ G = 𝑓(𝑎0 ) ⋅ 𝐻0 + ⋯ + 𝑓(𝑎𝑑 ) ⋅ 𝐻𝑑

⇒ linear time in 𝑑. (better than O(𝑑 log 𝑑) )

ZKP MOOC
 KZG fast multi-point proof generation
(≤𝑑)
Prover has some 𝑓(𝑋) in 𝔽𝑝 𝑋 . Let Ω ⊆ 𝔽𝑝 and |Ω| = 𝑑

Suppose prover needs evaluation proofs 𝜋𝑎 ∈ 𝐺 for all 𝑎 ∈ Ω

 Naively, takes time 𝑂(𝑑 2 ): 𝑑 proofs each takes time 𝑂 𝑑

 Feist-Khovratovich (FK) algorithm (2020):
 if Ω is a multiplicative subgroup: time 𝑂(𝑑 log 𝑑)
 otherwise: time 𝑂(𝑑 log 2 𝑑)

ZKP MOOC
 The Dory polynomial commitment (eprint/2020/1274)

Difficulties with KZG: trusted setup for gp, and gp size is linear in d.
Dory:
 transparent setup: no secret randomness in setup
 comf is a single group element (independent of degree 𝑑)
(≤𝑑)
 eval proof size for 𝑓 ∈ 𝔽𝑝 𝑋 is O(log 𝑑) group elements
 eval verify time is O(log 𝑑) Prover time: 𝑂(𝑑)

ZKP MOOC
 PCS have many applications
Example: vector commitment (a drop-in replacement for Merkle trees)
(≤𝑑)
Bob: vector 𝑢1 , … , 𝑢𝑘 ∈ 𝔽𝑝 Alice

interpolate poly 𝒇 s.t.: com𝒇 ≔ commit(gp, 𝒇)

𝒇 𝑖 = 𝑢𝑖 for 𝑖 = 1, … , 𝑘

𝜋 ≔ eval proof that 𝒇(2) = 𝑎, 𝒇(4) = 𝑏 prove 𝑢2 = 𝑎, 𝑢4 = 𝑏

(KZG: 𝜋 is a single group element) 𝜋 ∈ 𝔾 accept or
shorter than a Merkle proof! reject

ZKP MOOC
 Proving properties of
committed polynomials

ZKP MOOC
Credit: Faithie/Shutterstock
 Proving properties of committed polynomials

Prover P(𝑓, 𝑔) Verifier V( 𝑓 , 𝑔 )

(≤𝑑)
Goal: convince verifier that 𝑓, 𝑔 ∈ 𝔽𝑝 [𝑋] satisfy some properties
Proof systems presented as an IOP:
𝑟 $
𝑟 ⇽ 𝔽𝑝
𝑞

query 𝑓 𝑋 , 𝑔(𝑋), 𝑞(𝑋) at some points in 𝔽𝑝

[ V sends 𝑥 to P who responds with 𝑓(𝑥) and eval proof 𝜋 ] accept or reject

ZKP MOOC
 Recall: polynomial equality testing
Suppose 𝑝 ≈ 2256 and 𝑑 ≤ 240 so that 𝑑/𝑝 is negligible
(≤𝑑)
Let 𝑓, 𝑔 ∈ 𝔽𝑝 [𝑋].

For 𝑟⇽$ 𝔽𝑝 , if 𝑓(𝑟) = 𝑔(𝑟) then 𝑓=𝑔 w.h.p

𝑓(𝑟) − 𝑔(𝑟) = 0 ⇒ 𝑓 − 𝑔 = 0 w.h.p

⇒ a simple equality test for two committed polynomials

ZKP MOOC
 Review: the proof system as an IOP
Prover Verifier
𝒇, 𝒈 𝑓 𝑔
$
𝑟 ⇽ 𝔽𝑝
query 𝑓(X) and 𝑔 𝑋 at 𝑟
learn 𝑓 𝑟 , g(𝑟)

accept if:
𝑓 𝑟 = g(𝑟)

ZKP MOOC
 Review: the compiled proof system
Prover Verifier
𝒇, 𝒈 𝑓 𝑔

𝑟 𝑟 ⇽ 𝔽𝑝
$

𝑦 ⇽ 𝑓(𝑟)
𝑦 ′ ⇽ 𝑔(𝑟)
𝑦, 𝜋𝑓 𝑦′, 𝜋𝑔 accept if:
(i) 𝑦 = 𝑦’, and
(ii) 𝜋𝑓, 𝜋𝑔 are
proof that proof that valid
𝑦 = 𝑓(𝑟) 𝑦′ = 𝑔(𝑟)

ZKP MOOC
 Review: the compiled proof system
Prover Make Verifier
A public coin
𝒇, 𝒈 non-interactive 𝑓 𝑔
protocol
using Fiat-Shamir
𝑟 𝑟 ⇽ 𝔽𝑝
$

𝑦 ⇽ 𝑓(𝑟)
𝑦 ′ ⇽ 𝑔(𝑟)
𝑦, 𝜋𝑓 𝑦′, 𝜋𝑔 accept if:
(i) 𝑦 = 𝑦’, and
(ii) 𝜋𝑓, 𝜋𝑔 are
proof that proof that valid
𝑦 = 𝑓(𝑟) 𝑦′ = 𝑔(𝑟)

ZKP MOOC
 Polynomial equality testing with KZG
For KZG: 𝑓 = 𝑔 ⟺ com𝑓 = com𝑔
⇒ verifier can tell if 𝑓 = 𝑔 on its own

But prover is needed to test equality of computed polynomials

(≤𝑑)
 Example: verifier has 𝑓 , 𝑔1 , 𝑔2 , 𝑔3 where all four are in 𝔽𝑝 𝑋
$
to test if 𝑓 = 𝑔1 𝑔2 𝑔3 : V queries all four poly. at 𝑟 ⇽ 𝔽𝑝 and tests equality

 Complete and sound assuming 3𝑑/𝑝 is negligible ( deg(𝑔1 𝑔2 𝑔3 ) ≤ 3𝑑 )

ZKP MOOC
 Important proof gadgets for univariates
Let Ω be some subset of 𝔽𝑝 of size 𝑘.
(≤𝑑)
Let 𝑓 ∈ 𝔽𝑝 [𝑋] (𝑑 ≥ 𝑘) Verifier has 𝑓

Let us construct efficient Poly-IOPs for the following tasks:

Task 1 (ZeroTest): prove that 𝑓 is identically zero on Ω
Task 2 (SumCheck): prove that 𝑎∈Ω 𝑓 𝑎 =0
Task 3 (ProdCheck): prove that 𝑎∈Ω 𝑓(𝑎) =1

ZKP MOOC
 The vanishing polynomial
Let Ω be some subset of 𝔽𝑝 of size 𝑘.

Def: the vanishing polynomial of Ω is 𝑍Ω (𝑋) ≔ 𝑎∈Ω(𝑋 − 𝑎)

deg(𝑍Ω ) = 𝑘

Let 𝜔 ∈ 𝔽𝑝 be a primitive 𝑘-th root of unity (so that 𝜔𝑘 = 1).

 if Ω = { 1, 𝜔, 𝜔2, …, 𝜔𝑘-1 } ⊆ 𝔽𝑝 then 𝑍Ω 𝑋 = 𝑋 𝑘 − 1
⇒ for 𝑟 ∈ 𝔽𝑝 , evaluating 𝑍Ω 𝑟 takes ≤2 log 2 𝑘 field operations

ZKP MOOC
 (1) ZeroTest on Ω (Ω = { 1, 𝜔, 𝜔2, …, 𝜔𝑘-1 } )
Prover P(𝑓) Verifier V( 𝑓 )
𝑞(𝑋) ⇽ 𝑓(𝑋)/𝑍Ω (𝑋) (≤𝑑)
𝑞 ∈ 𝔽𝑝 𝑋 verifier evaluates
$
𝑟 ⇽ 𝔽𝑝 𝑍Ω (𝑟) by itself
query 𝑞(𝑋) and 𝑓(𝑋) at 𝑟
learn 𝑞 𝑟 , 𝑓(𝑟)

Lemma: 𝑓 is zero on Ω if and only if accept if 𝑓 𝑟 ≟ 𝑞(𝑟) ⋅ 𝑍Ω (𝑟)

𝑓 𝑋 is divisible by 𝑍Ω (𝑋) (implies that 𝑓(𝑋) = 𝑞 𝑋 ∙ 𝑍Ω 𝑋 w.h.p)

Thm: this protocol is complete and sound, assuming 𝑑/𝑝 is negligible.

ZKP MOOC
 (1) ZeroTest on Ω (Ω = { 1, 𝜔, 𝜔2, …, 𝜔𝑘-1 } )
Prover P(𝑓) Verifier V( 𝑓 )
𝑞(𝑋) ⇽ 𝑓(𝑋)/𝑍Ω (𝑋) (≤𝑑)
𝑞 ∈ 𝔽𝑝 𝑋 verifier evaluates
𝑟 ⇽$ 𝔽𝑝 𝑍Ω (𝑟) by itself
query 𝑞(𝑋) and 𝑓(𝑋) at 𝑟
learn 𝑞 𝑟 , 𝑓(𝑟)
accept if 𝑓 𝑟 ≟ 𝑞(𝑟) ⋅ 𝑍Ω (𝑟)

Verifier time: O(log 𝑘) and two poly queries (but can be done in one)
Prover time: dominated by the time to compute 𝑞(𝑋) and then commit to 𝑞(𝑋)

ZKP MOOC
(3) Product check on Ω : 𝑎∈Ω 𝑓(𝑎) =1
(≤𝑘)
Set 𝑡 ∈ 𝔽𝑝 [𝑋] to be the degree-𝑘 polynomial:
𝑠
𝑡(1) = 𝑓(1), 𝑡(𝜔s) = i
𝑖=0 𝑓( 𝜔 ) for 𝑠 = 1, … , 𝑘 − 1

Then t(𝜔) = 𝑓(1) ∙ 𝑓(𝜔), t(𝜔2 ) = 𝑓(1) ∙ 𝑓(𝜔) ∙ 𝑓(𝜔2 ) , …

t(𝜔𝑘−1 ) = 𝑎∈Ω 𝑓(𝑎) =1

and 𝑡(𝜔 ⋅ x) = 𝑡(𝑥) ⋅ 𝑓(𝜔 ⋅ x) for all 𝑥 ∈ Ω (including at 𝑥 = 𝜔𝑘−1 )

ZKP MOOC
(3) Product check on Ω : 𝑎∈Ω 𝑓(𝑎) =1
(≤𝑘)
Set 𝑡 ∈ 𝔽𝑝 [𝑋] to be the degree-𝑘 polynomial:
𝑠
𝑡(1) = 𝑓(1), 𝑡(𝜔s) = i
𝑖=0 𝑓( 𝜔 ) for 𝑠 = 1, … , 𝑘 − 1

Lemma: if (i) 𝑡(𝜔𝑘−1 ) = 1 and

(ii) 𝑡 𝜔 ⋅ x − 𝑡 𝑥 ⋅ 𝑓 𝜔 ⋅ x = 0 for all 𝑥 ∈ Ω
then 𝑎∈Ω 𝑓(𝑎) =1

ZKP MOOC
 (3) Product check on Ω (unoptimized)
Prover P(𝑓) Verifier V( 𝑓 )
(≤𝑘)
construct 𝑡 𝑋 ∈ 𝔽𝑝 and 𝑡1(𝑋) = 𝑡(𝜔 ⋅ 𝑋) − 𝑡(𝑋) ⋅ 𝑓(𝜔 ⋅ 𝑋)
(≤𝑑)
set q(𝑋) = 𝑡1(𝑋)/(𝑋 𝑘 − 1) ∈ 𝔽𝑝 𝑡1 (𝑋) should be zero on Ω
𝑡 𝑞
𝑟 ⇽$ 𝔽𝑝
query 𝑡(𝑋) at 𝜔𝑘−1 , 𝑟, 𝜔𝑟
learn 𝑡(𝜔𝑘−1 ), t(r), 𝑡(𝜔𝑟), 𝑞(𝑟), 𝑓(𝜔𝑟)
query 𝑞 𝑋 at 𝑟 , and 𝑓(𝑋) at 𝜔𝑟
accept if 𝑡(𝜔𝑘−1 ) ≟ 1 and
proves that 𝑡1(Ω) = 0: 𝑡 𝜔𝑟 − 𝑡(𝑟)𝑓(𝜔𝑟) ≟ 𝑞(𝑟) ⋅ (𝑟 𝑘 − 1)

ZKP MOOC
 (3) Product check on Ω (unoptimized)
Prover P(𝑓) Verifier V( 𝑓 )
(≤𝑘)
construct 𝑡 𝑋 ∈ 𝔽𝑝 and 𝑡1(𝑋) = 𝑡(𝜔 ⋅ 𝑋) − 𝑡(𝑋) ⋅ 𝑓(𝜔 ⋅ 𝑋)
(≤𝑑)
set q(𝑋) = 𝑡1(𝑋)/(𝑋 𝑘 − 1) ∈ 𝔽𝑝 A public coin
𝑡 𝑞 protocol
$
𝑟⇽ 𝔽𝑝
query 𝑡(𝑋) at 𝜔𝑘−1 , 𝑟, 𝜔𝑟
learn 𝑡(𝜔𝑘−1 ), t(r), 𝑡(𝜔𝑟), 𝑞(𝑟), 𝑓(𝜔𝑟)
query 𝑞 𝑋 at 𝑟 , and 𝑓(𝑋) at 𝜔𝑟

Proof size: two commits, five evals. Verifier time: 𝑂 log 𝑘 . Prover time: 𝑂(𝑘 log 𝑘).

ZKP MOOC
 Same works for rational functions: 𝑎∈Ω(𝑓/𝑔)(𝑎) =1
Prover P(𝑓, 𝑔) Verifier V( 𝑓 , 𝑔 )
(≤𝑘)
Set 𝑡 ∈ 𝔽𝑝 [𝑋] to be the degree-𝑘 polynomial:
𝑠
𝑡(1) = 𝑓(1)/𝑔(1), 𝑡(𝜔s) = i i
𝑖=0 𝑓( 𝜔 )/𝑔(𝜔 ) for 𝑠 = 1, … , 𝑘 − 1

Lemma: if (i) 𝑡(𝜔𝑘−1 ) = 1 and

(ii) 𝑡 𝜔⋅x ⋅𝑔 𝜔⋅x =𝑡 𝑥 ⋅𝑓 𝜔⋅x for all 𝑥 ∈ Ω
then 𝑎∈Ω 𝑓(𝑎)/𝑔(𝑎) =1

ZKP MOOC
 (4) Another useful gadget: permutation check
(≤𝑑)
Let 𝑓, 𝑔 be polynomials in 𝔽𝑝 𝑋. Verifier has 𝑓 , 𝑔 .

Goal: prover wants to prove that ( 𝑓 1 , 𝑓 𝜔 , 𝑓 𝜔2 , … , 𝑓(𝜔𝑘−1 ) ) ∈ 𝔽𝑘𝑝

is a permutation of ( 𝑔 1 , 𝑔 𝜔 , 𝑔 𝜔2 , … , 𝑔(𝜔𝑘−1) ) ∈ 𝔽𝑘𝑝

⇒ Proves that 𝑔(Ω) is the same as 𝑓(Ω), just permuted

ZKP MOOC
 (4) Another useful gadget: permutation check
Prover P(𝑓, 𝑔) Verifier V( 𝑓 , 𝑔 )

Let 𝑓 𝑋 = 𝑎∈Ω(𝑋 −𝑓 𝑎 ) and 𝑔 𝑋 = 𝑎∈Ω(𝑋 −𝑔 𝑎 )

Then: 𝑓 𝑋 = 𝑔 𝑋 ⟺ 𝑔 is a permutation of 𝑓 A public coin

protocol
𝑟 $
𝑟⇽ 𝔽𝑝
prove that 𝑓 𝑟 = 𝑔 𝑟
prod-check:
implies 𝑓 𝑋 = 𝑔 𝑋 w.h.p
[two commits, six evals] accept or reject
[Lipton’s trick, 1989]

ZKP MOOC
 (5) final gadget: prescribed permutation check
𝑊: Ω ⇾ Ω is a permutation of Ω if ∀𝑖 ∈ 𝑘 : 𝑊(𝜔𝑖 ) = 𝜔 𝑗 is a bijection
example (𝑘 = 3): 𝑊 𝜔0 = 𝜔2 , 𝑊 𝜔1 = 𝜔0 , 𝑊(𝜔2 ) = 𝜔1

(≤𝑑)
Let 𝑓, 𝑔 be polynomials in 𝔽𝑝 [𝑋] . Verifier has 𝑓 , 𝑔 , 𝑊 .

Goal: prover wants to prove that 𝑓(𝑦) = 𝑔(𝑊(𝑦)) for all 𝑦 ∈ Ω

⇒ Proves that 𝑔(Ω) is the same as 𝑓(Ω), permuted by the prescribed 𝑊

ZKP MOOC
 Prescribed permutation check
How? Use a zero-test to prove 𝑓 𝑦 − 𝑔 𝑊 𝑦 = 0 on Ω

The problem: the polynomial 𝑓 𝑦 − 𝑔 𝑊 𝑦 has degree k2

⇒ prover would need to manipulate polynomials of degree k2
⇒ quadratic time prover !! (goal: linear time prover)

Let’s reduce this to a prod-check on a polynomial of degree 2𝑘 (not 𝑘 2 )

ZKP MOOC
 Prescribed permutation check
Observation:
if 𝑊(𝑎), 𝑓 𝑎 𝑎∈Ω
is a permutation of 𝑎, 𝑔 𝑎 𝑎∈Ω

then 𝑓(𝑦) = 𝑔(𝑊(𝑦)) for all 𝑦 ∈ Ω

Proof by example: 𝑊 𝜔0 = 𝜔2 , 𝑊 𝜔1 = 𝜔0 , 𝑊(𝜔2 ) = 𝜔1

Right tuple: (ω0,g(ω0)), (ω1,g(ω1)), (ω2,g(ω2))

Left tuple: (ω2 ,f(ω0)), (ω0 ,f(ω1)), (ω1,f(ω2))

ZKP MOOC
 Prescribed permutation check
Prover P(𝑓, 𝑔, 𝑊) Verifier V( 𝑓 , 𝑔 , W )

Let 𝑓 𝑋, 𝑌 = 𝑎∈Ω (𝑋 − 𝑌 ∙ 𝑊 𝑎 − 𝑓 𝑎 ) and

𝑔 𝑋, 𝑌 = 𝑎∈Ω (𝑋 − 𝑌 ∙ 𝑎 − 𝑔 𝑎 )

(bivariate polynomials of total degree 𝑘)

Lemma: 𝑓 𝑋, 𝑌 = 𝑔 𝑋, 𝑌 ⟺ 𝑊(𝑎), 𝑓 𝑎 𝑎∈Ω

is a perm. of 𝑎, 𝑔 𝑎 𝑎∈Ω
To prove, use the fact that 𝔽𝑝 𝑋, 𝑌 is a unique factorization domain

ZKP MOOC
 The complete protocol
Prover P(𝑓, 𝑔, 𝑊) Verifier V( 𝑓 , 𝑔 , W )
𝑟, 𝑠 𝑟, 𝑠 ⇽$ 𝔽𝑝

prove that 𝑓 𝑟, 𝑠 = 𝑔 𝑟, 𝑠 :
by Schwartz-
ProdCheck: Zippel

implies 𝑓 𝑋, 𝑌 = 𝑔 𝑋, 𝑌 w.h.p

Complete and sound, assuming 2𝑑/𝑝 is negligible. accept or reject

ZKP MOOC
Summary of proof gadgets
polynomial equality testing

zero test on Ω

product check, sum check

permutation check

prescribed permutation check

ZKP MOOC
 The PLONK IOP
for general circuits

eprint/2019/953
ZKP MOOC
Credit: Faithie/Shutterstock
 PLONK: widely used in practice
polynomial commitment scheme SNARK system

KZG’10 Aztec, JellyFish

(pairings)

The Plonk Bulletproofs Halo2

IOP (no pairings) (slow verifier)
(no trusted setup)

FRI Plonky2
(hashing) (no trusted setup)

ZKP MOOC
 PLONK: a poly-IOP for a general circuit 𝐶(𝑥, 𝑤)
Step 1: compile circuit to a computation trace (gate fan-in = 2)
(𝑥1 + 𝑥2)(𝑥2 + 𝑤1) The computation trace (arithmetization):
77 inputs: 5, 6, 1
(Gate 2)
× Gate 0: 5, 6, 11
11 7
Gate 1: 6, 1, 7
(Gate 1)
(Gate 0) + + Gate 2: 11, 7, 77
5 6 1
6
𝑥1 𝑥2 𝑤1
left right outputs
5 6 1 example input inputs inputs

ZKP MOOC
 Encoding the trace as a polynomial
|𝐶| ≔ total # of gates in 𝐶 , |𝐼| ≔ |𝐼𝑥 | + |𝐼𝑤 | = # inputs to 𝐶

let 𝑑 ≔ 3 𝐶 + |𝐼| (in example, 𝑑 = 12) and Ω ≔ { 1, 𝜔, 𝜔2, …, 𝜔𝑑−1 }

The plan: inputs: 5, 6, 1

(≤𝑑)
prover interpolates a polynomial 𝑇 ∈ 𝔽𝑝 [X] Gate 0: 5, 6, 11
that encodes the entire trace. Gate 1: 6, 1, 7
Gate 2: 11, 7, 77
Let’s see how …

ZKP MOOC
 Encoding the trace as a polynomial
(≤𝑑)
The plan: Prover interpolates 𝑇 ∈ 𝔽𝑝 [X] such that
(1) 𝑻 encodes all inputs: T(𝜔 −𝑗 ) = input #𝑗 for 𝑗 = 1, …, |𝐼|
(2) 𝑻 encodes all wires: ∀ 𝑙 = 0, … , 𝐶 − 1:
 T(𝜔3𝑙): left input to gate #𝑙 inputs: 5, 6, 1
Gate 0: 5, 6, 11
 T(𝜔3𝑙+1): right input to gate #𝑙 Gate 1: 6, 1, 7
Gate 2: 11, 7, 77
 T(𝜔3𝑙+2): output of gate #𝑙

ZKP MOOC
 Encoding the trace as a polynomial
In our example, Prover interpolates 𝑇(𝑋) such that:
inputs: T(𝜔−1 ) = 5, T(𝜔−2 ) = 6, T(𝜔−3 ) = 1,
gate 0: T(𝜔0 ) = 5, T(𝜔1 ) = 6, T(𝜔2 ) = 11, degree(𝑇) = 11
gate 1: T(𝜔3 ) = 6, T(𝜔4 ) = 1, T(𝜔5 ) = 7,
gate 2: T(𝜔6 ) = 11, T(𝜔7 ) = 7, T(𝜔8 ) = 77
inputs: 5, 6, 1
Prover can use FFT to compute the coefficients of T Gate 0: 5, 6, 11
in time O(𝑑 log 𝑑) Gate 1: 6, 1, 7
Gate 2: 11, 7, 77

ZKP MOOC
 Step 2: proving validity of T
Prover P(𝑆𝑝, 𝒙, 𝐰) Verifier V(𝑆𝑣 , 𝒙)

(≤𝑑)
𝑇
build T(𝑋) ∈ 𝔽𝑝 [X]

Prover needs to prove that T is a correct computation trace:

(1) T encodes the correct inputs, (wiring constraints)
(2) every gate is evaluated correctly, inputs: 5, 6, 1
(3) the wiring is implemented correctly, Gate 0: 5, 6 , 11
(4) the output of last gate is 0 Gate 1: 6, 1, 7
Gate 2: 11, 7, 77
Proving (4) is easy: prove 𝑇(𝜔 3 𝐶 −1 ) = 0

ZKP MOOC
 Proving (1): T encodes the correct inputs
(≤|𝐼𝑥 |)
Both prover and verifier interpolate a polynomial 𝑣(𝑋) ∈ 𝔽𝑝 [X]
that encodes the 𝑥-inputs to the circuit:
for 𝑗 = 1, . . . , |𝐼𝑥 |: 𝑣(𝜔 −𝑗 ) = input #j

In our example: 𝑣 𝜔−1 = 5, 𝑣 𝜔−2 = 6 . (𝑣 is linear)

constructing 𝑣(𝑋) takes time proportional to the size of input 𝑥

⇒ verifier has time do this

ZKP MOOC
 Proving (1): T encodes the correct inputs
(≤|𝐼𝑥 |)
Both prover and verifier interpolate a polynomial 𝑣(𝑋) ∈ 𝔽𝑝 [X]
that encodes the 𝑥-inputs to the circuit:
for 𝑗 = 1, . . . , |𝐼𝑥 |: 𝑣(𝜔 −𝑗 ) = input #j

Let Ωinp ≔ { 𝜔−1 , 𝜔−2 , … , 𝜔 − 𝐼𝑥 } ⊆ Ω (points encoding the input)

Prover proves (1) by using a ZeroTest on Ωinp to prove that

T(y) − 𝑣(y) = 0 ∀ y ∈ Ωinp

ZKP MOOC
 Proving (2): every gate is evaluated correctly
Idea: encode gate types using a selector polynomial S(X)
(≤𝑑)
define S(X) ∈ 𝔽𝑝 [X] such that ∀ 𝑙 = 0, … , 𝐶 − 1:
S(𝜔3𝑙 ) = 1 if gate #𝑙 is an addition gate
S(𝜔3𝑙 ) = 0 if gate #𝑙 is a multiplication gate
× (Gate 2)
inputs: 5, 6, 1 𝑆(𝑋)
(Gate 0) + + (Gate 1) Gate 0 (𝜔0): 5 , 6 , 11 1 (+)
Gate 1 (𝜔3): 6 , 1 , 7 1 (+)
𝑥1 𝑥2 𝑤1 Gate 2 (𝜔6): 11, 7, 77 0 (×)

ZKP MOOC
Proving (2): every gate is evaluated correctly
Idea: encode gate types using a selector polynomial S(X)
(≤𝑑)
define S(X) ∈ 𝔽𝑝 [X] such that ∀ 𝑙 = 0, … , 𝐶 − 1:
S(𝜔3𝑙 ) = 1 if gate #𝑙 is an addition gate
S(𝜔3𝑙 ) = 0 if gate #𝑙 is a multiplication gate

Then ∀ y ∈ Ωgates ≔ { 1, 𝜔3, 𝜔6, 𝜔9, …, 𝜔 3( 𝐶 −1) } :

S(y)⋅[T(y) + T(𝝎𝐲)] + (1 – S(y))⋅T(y)⋅T(𝝎𝐲) = T(𝜔2y)

left input right input left input right input output

ZKP MOOC
Proving (2): every gate is evaluated correctly
Setup(𝐶) ⇾ 𝑝𝑝≔S and 𝑣𝑝≔ ( S )

Prover P(𝑝𝑝, 𝒙, 𝐰) Verifier V(𝑣𝑝, 𝒙)

(≤𝑑)
𝑇
build T(𝑋) ∈ 𝔽𝑝 [X]

Prover uses ZeroTest to prove that for all ∀ y ∈ Ωgates :

S(y)⋅[T(y) + T(𝜔y)] + (1 – S(y))⋅T(y)⋅T(𝜔y) − T(𝜔2y) = 0

ZKP MOOC
 Proving (3): the wiring is correct
Step 4: encode the wires of 𝐶: example: x1=5, x2=6 , 𝑤1=1
T(𝜔-2) = T(𝜔1) = T(𝜔3) 𝜔-1, 𝜔-2, 𝜔-3 : 5, 6, 1
T(𝜔-1) = T(𝜔0) 0: 𝜔0, 𝜔1, 𝜔2 : 5, 6, 11
T(𝜔2) = T(𝜔6) 1: 𝜔3, 𝜔4, 𝜔5 : 6, 1, 7
T(𝜔-3) = T(𝜔4) 2: 𝜔6, 𝜔7, 𝜔8 : 11, 7, 77
Define a polynomial W: Ω ⇾ Ω that implements a rotation:
W(𝜔-2, 𝜔1 , 𝜔3) = (𝜔1, 𝜔3, 𝜔-2 ) , W(𝜔-1, 𝜔0) = (𝜔0 , 𝜔-1) , …
Lemma: ∀ 𝑦∈Ω : T(𝑦) = T(W(𝑦)) ⇒ wire constraints are satisfied

ZKP MOOC
 Proving (3): the wiring is correct
Step 4: encode the wires of 𝐶: example: x1=5, x2=6 , 𝑤1=1
T(𝜔-2) = T(𝜔1) = T(𝜔3) 𝜔-1, 𝜔-2, 𝜔-3 : 5, 6, 1
T(𝜔-1) = T(𝜔0) 0: 𝜔0, 𝜔1, 𝜔2 : 5, 6, 11
T(𝜔 2) = T(𝜔6)
Proved using a prescribed permutation
1: 𝜔3, 𝜔check
4, 𝜔 5 : 6, 1, 7

T(𝜔-3) = T(𝜔4) 2: 𝜔6, 𝜔7, 𝜔8 : 11, 7, 77

Define a polynomial W: Ω ⇾ Ω that implements a rotation:

W(𝜔-2, 𝜔1 , 𝜔3) = (𝜔1, 𝜔3, 𝜔-2 ) , W(𝜔-1, 𝜔0) = (𝜔0 , 𝜔-1) , …
Lemma: ∀ 𝑦∈Ω : T(𝑦) = T(W(𝑦)) ⇒ wire constraints are satisfied

ZKP MOOC
 The complete Plonk Poly-IOP (and SNARK)

Setup(𝐶) ⇾ 𝑝𝑝 ≔ (𝑆,𝑊) and 𝑣𝑝 ≔ ( 𝑆 and 𝑊 ) (untrusted)

Prover P(𝑝𝑝, 𝒙, 𝐰) Verifier V(𝑣𝑝, 𝒙)

(≤𝑑) 𝑇 (≤|𝐼𝑥 |)
build T(𝑋) ∈ 𝔽𝑝 [X] build 𝑣(𝑋) ∈ 𝔽𝑝 [X]
Prover proves:
gates: (1) S(y)⋅[T(y) + T(𝜔y)] + (1 – S(y))⋅T(y)⋅T(𝜔y) − T(𝜔2y) = 0 ∀ y ∈ Ωgates
inputs: (2) T(y) − 𝑣(y) = 0 ∀ y ∈ Ωinp
wires: (3) T(y) − T(𝑊(y)) = 0 (using prescribed perm. check) ∀y∈Ω
output: (4) T(𝜔 3 𝐶 −1 ) = 0 (output of last gate = 0)

ZKP MOOC
 The complete Plonk Poly-IOP (and SNARK)

Setup(𝐶) ⇾ 𝑝𝑝 ≔ (S,W) and 𝑣𝑝 ≔ ( S and W )

Prover P(𝑝𝑝, 𝒙, 𝐰) Verifier V(𝑣𝑝, 𝒙)
(≤𝑑)
𝑇
(≤|𝐼𝑥 |)
build T(𝑋) ∈ 𝔽𝑝 [X] build 𝑣(𝑋) ∈ 𝔽𝑝 [X]

Thm: The Plonk Poly-IOP is complete and knowledge sound,

assuming 7|𝐶|/𝑝 is negligible
(eprint/2019/953)

ZKP MOOC
 Many extensions …
 Plonk proof: a short proof (O(1) commitments), fast verifier
 The SNARK can easily be made into a zk-SNARK

Main challenge: reduce prover time

 Hyperplonk: replace Ω with 0,1 𝑡 ( where 𝑡 = log 2 |Ω| )
 The polynomial T is now a multilinear polynomial in 𝑡 variables
 ZeroTest is replaced by a multilinear SumCheck (linear time)

ZKP MOOC
 A generalization: plonkish arithmetization
Plonk for circuits with gates other than + and × on rows:
u1 v1 w1 t1 r1 s1
Plonkish computation trace: (also used in AIR) u2 v2 w2 t2 r2 s2
u3 v3 w3 t3 r3 s3
An example custom gate:
u4 v4 w4 t4 r4 s4
∀ 𝑦 ∈ Ωgates : 𝑣 𝑦𝜔 + 𝑤(𝑦) ∙ 𝑡(𝑦) − 𝑡 𝑦𝜔 = 0 u5 v5 w5 t5 r5 s5

All such gate checks are included in the gate check u6 v6 w6 t6 r6 s6

u7 v7 w7 t7 r7 s7
u8 v8 w8 t8 r8 s8
Plookup: ensure some values are in a pre-defined list
output

ZKP MOOC
 END OF LECTURE

Next lecture:
More polynomial commitments

ZKP MOOC
Credit: Faithie/Shutterstock